package org.restheart.security.interceptors;

import com.google.gson.JsonArray;
import com.google.gson.JsonElement;
import com.google.gson.JsonPrimitive;
import com.jayway.jsonpath.JsonPath;
import com.jayway.jsonpath.Predicate;
import io.undertow.attribute.ExchangeAttributes;
import java.util.Optional;
import org.bson.BsonArray;
import org.bson.BsonDocument;
import org.bson.BsonValue;
import org.restheart.exchange.MongoRequest;
import org.restheart.exchange.MongoResponse;
import org.restheart.plugins.Inject;
import org.restheart.plugins.InterceptPoint;
import org.restheart.plugins.MongoInterceptor;
import org.restheart.plugins.OnInit;
import org.restheart.plugins.PluginsRegistry;
import org.restheart.plugins.RegisterPlugin;
import org.restheart.security.authenticators.MongoRealmAuthenticator;
import org.restheart.security.authorizers.MongoAclAuthorizer;
import org.restheart.utils.BsonUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@RegisterPlugin(name = "rootRoleGuard", description = "forbids creating or updating mongoRealmAuthenticator accounts with the root-role of the mongoAclAuthorizer", interceptPoint = InterceptPoint.REQUEST_AFTER_AUTH, enabledByDefault = true, priority = 11)
/* loaded from: input_file:org/restheart/security/interceptors/RootRoleGuard.class */
public class RootRoleGuard implements MongoInterceptor {
    private static final Logger LOGGER = LoggerFactory.getLogger(RootRoleGuard.class);

    @Inject("registry")
    PluginsRegistry registry;
    private boolean enabled = true;
    private String rootRole = null;
    private String usersDb = null;
    private String usersCollection = null;
    private String jsonPathRoles = null;

    @OnInit
    public void init() {
        Optional findFirst = this.registry.getAuthenticators().stream().filter((v0) -> {
            return v0.isEnabled();
        }).map((v0) -> {
            return v0.getInstance();
        }).filter(authenticator -> {
            return authenticator instanceof MongoRealmAuthenticator;
        }).map(authenticator2 -> {
            return (MongoRealmAuthenticator) authenticator2;
        }).findFirst();
        Optional findFirst2 = this.registry.getAuthorizers().stream().filter((v0) -> {
            return v0.isEnabled();
        }).map((v0) -> {
            return v0.getInstance();
        }).filter(authorizer -> {
            return authorizer instanceof MongoAclAuthorizer;
        }).map(authorizer2 -> {
            return (MongoAclAuthorizer) authorizer2;
        }).findFirst();
        if (!findFirst2.isPresent() || !findFirst.isPresent()) {
            this.enabled = false;
            return;
        }
        MongoAclAuthorizer mongoAclAuthorizer = (MongoAclAuthorizer) findFirst2.get();
        MongoRealmAuthenticator mongoRealmAuthenticator = (MongoRealmAuthenticator) findFirst.get();
        this.rootRole = mongoAclAuthorizer.rootRole();
        this.usersDb = mongoRealmAuthenticator.getUsersDb();
        this.usersCollection = mongoRealmAuthenticator.getUsersCollection();
        this.jsonPathRoles = mongoRealmAuthenticator.getJsonPathRoles();
    }

    public void handle(MongoRequest mongoRequest, MongoResponse mongoResponse) throws Exception {
        BsonValue content = mongoRequest.getContent();
        if ((content instanceof BsonArray) && check((BsonArray) content)) {
            logWarning(mongoRequest);
            mongoResponse.setInError(403, "Forbidden. The request has been logged.");
        } else if ((content instanceof BsonDocument) && check((BsonDocument) content)) {
            logWarning(mongoRequest);
            mongoResponse.setInError(403, "Forbidden. The request has been logged.");
        }
    }

    private void logWarning(MongoRequest mongoRequest) {
        String name = mongoRequest.isAuthenticated() ? mongoRequest.getAuthenticatedAccount().getPrincipal().getName() : "unknown";
        LOGGER.warn("{} with roles {} tried to set an account with roles array ({}) containing the root-role ({}). Remote IP={}, X-Forwared-For Header={}, content={}", new Object[]{name, mongoRequest.isAuthenticated() ? mongoRequest.getAuthenticatedAccount().getRoles() : "$unauthenticated", this.jsonPathRoles, this.rootRole, ExchangeAttributes.remoteIp().readAttribute(mongoRequest.getExchange()), mongoRequest.getHeader("X-Forwarded-For"), BsonUtils.toJson(mongoRequest.getContent())});
    }

    private boolean check(BsonArray bsonArray) {
        return bsonArray.stream().filter(bsonValue -> {
            return bsonValue.isDocument();
        }).map(bsonValue2 -> {
            return bsonValue2.asDocument();
        }).anyMatch(bsonDocument -> {
            return check(bsonDocument);
        });
    }

    private boolean check(BsonDocument bsonDocument) {
        return contains(roles(bsonDocument), this.rootRole);
    }

    private JsonArray roles(BsonDocument bsonDocument) {
        try {
            Object read = JsonPath.read((JsonElement) JsonPath.read(bsonDocument.toJson(), "$", new Predicate[0]), this.jsonPathRoles, new Predicate[0]);
            return read instanceof JsonArray ? (JsonArray) read : new JsonArray();
        } catch (Throwable th) {
            return new JsonArray();
        }
    }

    private boolean contains(JsonArray jsonArray, String str) {
        return jsonArray.contains(new JsonPrimitive(str));
    }

    public boolean resolve(MongoRequest mongoRequest, MongoResponse mongoResponse) {
        return this.enabled && mongoRequest.isWriteDocument() && mongoRequest.getDBName().equals(this.usersDb) && mongoRequest.getCollectionName().equals(this.usersCollection);
    }
}
