package org.sdase.commons.spring.boot.web.auth.opa;

import io.opentracing.Scope;
import io.opentracing.Span;
import io.opentracing.Tracer;
import io.opentracing.tag.Tags;
import java.util.Collection;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import javax.servlet.http.HttpServletRequest;
import org.sdase.commons.spring.boot.web.auth.opa.model.OpaResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.ApplicationContext;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.core.Authentication;
import org.springframework.security.web.FilterInvocation;
import org.springframework.stereotype.Component;
import org.springframework.web.client.ResourceAccessException;
import org.springframework.web.client.RestTemplate;
import org.springframework.web.context.request.RequestAttributes;
import org.springframework.web.context.request.RequestContextHolder;

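/**
 * Spring Security voter that delegates the authorization decision for an incoming HTTP request to
 * an Open Policy Agent (OPA) instance.
 *
 * <p>Decision semantics as implemented here:
 *
 * <ul>
 *   <li>{@code ACCESS_GRANTED} only when OPA answered and {@link OpaResponse#isAllow()} is true; the
 *       response is then stored as request attribute {@link #CONSTRAINTS_ATTRIBUTE} so downstream
 *       code can read the constraints returned by the policy.
 *   <li>{@code ACCESS_ABSTAIN} (not {@code ACCESS_DENIED}) when OPA is unreachable, returns no
 *       parseable body, or denies. Whether an abstention ends up as a 403 therefore depends on the
 *       configured {@code AccessDecisionManager} and on the other voters: a second voter that grants
 *       access overrides OPA's "deny". Review the security configuration with this in mind.
 *   <li>With {@code opa.disable=true} every request is granted, authenticated or not.
 * </ul>
 *
 * <p>Only connection-level failures ({@link ResourceAccessException}) are translated into an
 * abstention; any other {@code RestClientException} (e.g. a non-2xx status from OPA) propagates out
 * of {@link #vote}. Timeouts are expected to be configured on the injected {@code opaRestTemplate}
 * (NOTE(review): not visible here — confirm, otherwise a hanging OPA blocks the request thread).
 */
@Component
public class OpaAccessDecisionVoter implements AccessDecisionVoter<FilterInvocation> {
    /** Request attribute under which the {@link OpaResponse} of a granted request is stored. */
    static final String CONSTRAINTS_ATTRIBUTE = OpaAccessDecisionVoter.class.getName() + ".constraints";

    private static final Logger LOG = LoggerFactory.getLogger(OpaAccessDecisionVoter.class);

    private final boolean disableOpa;
    /** Fully resolved OPA data API URL, e.g. {@code http://localhost:8181/v1/data/com/example/app}. */
    private final String opaRequestUrl;
    private final OpaRequestBuilder opaRequestBuilder;
    private final RestTemplate opaRestTemplate;
    private final Tracer tracer;

    /**
     * Creates the voter.
     *
     * @param disableOpa {@code opa.disable}; when true no OPA call is made and every request is
     *     granted (a warning is logged at startup)
     * @param opaBaseUrl {@code opa.base.url}; base URL of the OPA server, trimmed before use
     * @param opaPolicyPackage {@code opa.policy.package}; dotted Rego package name. When blank, the
     *     Java package of the first {@link SpringBootApplication} bean is used instead
     * @param opaRequestBuilder builds the JSON input document sent to OPA for a request
     * @param opaRestTemplate HTTP client used for the OPA call
     * @param applicationContext used to discover the application package when no policy package is
     *     configured
     * @param tracer OpenTracing tracer; each decision is recorded as an {@code authorizeUsingOpa} span
     */
    public OpaAccessDecisionVoter(
            @Value("${opa.disable:false}") boolean disableOpa,
            @Value("${opa.base.url:http://localhost:8181}") String opaBaseUrl,
            @Value("${opa.policy.package:}") String opaPolicyPackage,
            OpaRequestBuilder opaRequestBuilder,
            @Qualifier("opaRestTemplate") RestTemplate opaRestTemplate,
            ApplicationContext applicationContext,
            Tracer tracer) {
        this.disableOpa = disableOpa;
        this.opaRestTemplate = opaRestTemplate;
        this.tracer = tracer;
        this.opaRequestUrl =
                createOpaRequestUri(opaBaseUrl, createOpaPackageName(opaPolicyPackage, applicationContext));
        this.opaRequestBuilder = opaRequestBuilder;
        if (this.disableOpa) {
            LOG.warn("OPA is disabled. Access will be granted always.");
        }
    }

    /** This voter does not depend on config attributes; it votes on every secured invocation. */
    @Override
    public boolean supports(ConfigAttribute configAttribute) {
        return true;
    }

    /** Only web requests ({@link FilterInvocation}) can be authorized by this voter. */
    @Override
    public boolean supports(Class<?> cls) {
        return FilterInvocation.class.isAssignableFrom(cls);
    }

    /**
     * Asks OPA whether the request may proceed.
     *
     * @return {@code ACCESS_GRANTED} when OPA allows (or OPA is disabled), {@code ACCESS_ABSTAIN}
     *     when OPA denies, is unreachable or returns no usable response
     */
    @Override
    public int vote(
            Authentication authentication,
            FilterInvocation filterInvocation,
            Collection<ConfigAttribute> attributes) {
        HttpServletRequest request = filterInvocation.getHttpRequest();
        // "opa.allow" starts as false so a span that ends early (disabled, error, deny) is explicit.
        Span span = tracer.buildSpan("authorizeUsingOpa")
                .withTag("opa.allow", false)
                .withTag(Tags.COMPONENT, "OpaAuthFilter")
                .start();
        // The scope is closed by try-with-resources; the span is finished exactly once in finally.
        try (Scope ignored = tracer.scopeManager().activate(span)) {
            if (disableOpa) {
                return handleOpaDisabled(request);
            }
            OpaResponse opaResponse = authorizeWithOpa(request);
            if (opaResponse == null) {
                LOG.warn("Invalid response from OPA. Maybe the policy path or the response format is not correct");
                return ACCESS_ABSTAIN;
            }
            span.setTag("opa.allow", opaResponse.isAllow());
            if (!opaResponse.isAllow()) {
                // Abstain rather than deny: the AccessDecisionManager decides what an abstention means.
                return ACCESS_ABSTAIN;
            }
            storeConstraints(opaResponse);
            return ACCESS_GRANTED;
        } finally {
            span.finish();
        }
    }

    /**
     * Exposes the policy response (and its constraints) to the rest of the request processing via a
     * request-scoped attribute. Best effort: outside a bound web request the decision still stands,
     * only the constraints are unavailable.
     */
    private void storeConstraints(OpaResponse opaResponse) {
        try {
            RequestContextHolder.currentRequestAttributes()
                    .setAttribute(CONSTRAINTS_ATTRIBUTE, opaResponse, RequestAttributes.SCOPE_REQUEST);
        } catch (IllegalStateException | NullPointerException e) {
            LOG.debug("No request attributes bound to the current thread; OPA constraints not stored", e);
        }
    }

    /**
     * Posts the request's input document to the OPA data API.
     *
     * @return the deserialized policy result, or {@code null} when OPA could not be reached or
     *     answered without a body. Non-2xx responses are not caught here and propagate.
     */
    private OpaResponse authorizeWithOpa(HttpServletRequest request) {
        try {
            Object payload = opaRequestBuilder.buildRequestPayload(request);
            return opaRestTemplate.postForObject(opaRequestUrl, payload, OpaResponse.class);
        } catch (ResourceAccessException e) {
            LOG.warn("Failed to access OPA", e);
            return null;
        }
    }

    /**
     * Behaviour when {@code opa.disable=true}: access is granted unconditionally. Anonymous requests
     * are additionally logged because they pass without any constraints.
     */
    private int handleOpaDisabled(HttpServletRequest request) {
        if (request.getUserPrincipal() == null) {
            LOG.warn("OPA is disabled. Access is granted for anonymous user without constraints.");
        }
        return ACCESS_GRANTED;
    }

    /** Builds {@code <base>/v1/data/<package path>}; the base URL is trimmed but not otherwise normalised. */
    private static String createOpaRequestUri(String baseUrl, String packageName) {
        return String.format("%s/v1/data/%s", baseUrl.trim(), createPolicyPathFromPackage(packageName));
    }

    /** Translates a dotted Rego package ({@code a.b.c}) into the data API path ({@code a/b/c}). */
    private static String createPolicyPathFromPackage(String packageName) {
        return String.join("/", packageName.split("\\.")).trim();
    }

    /**
     * Returns the configured policy package or, when blank, the Java package of the first
     * {@link SpringBootApplication} bean. If neither is available the blank value is returned, which
     * makes the voter query the root data document ({@code /v1/data/}).
     */
    private static String createOpaPackageName(String configuredPackage, ApplicationContext applicationContext) {
        if (!configuredPackage.isBlank()) {
            return configuredPackage;
        }
        Map<String, Object> applicationBeans =
                applicationContext.getBeansWithAnnotation(SpringBootApplication.class);
        return applicationBeans.keySet().stream()
                .findFirst()
                .map(applicationBeans::get)
                .map(Object::getClass)
                .map(Class::getPackageName)
                .orElse(configuredPackage);
    }
}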
