package io.crnk.security;

import io.crnk.core.engine.query.QueryContext;
import io.crnk.core.engine.registry.RegistryEntry;
import io.crnk.core.engine.security.SecurityProvider;
import io.crnk.core.engine.security.SecurityProviderContext;
import io.crnk.core.exception.RepositoryNotFoundException;
import io.crnk.core.module.Module;
import io.crnk.core.repository.BulkResourceRepository;
import io.crnk.core.repository.ManyRelationshipRepository;
import io.crnk.core.repository.OneRelationshipRepository;
import io.crnk.core.repository.ResourceRepository;
import io.crnk.core.repository.foward.ForwardingRelationshipRepository;
import io.crnk.core.utils.Supplier;
import io.crnk.security.internal.DataRoomBulkResourceFilter;
import io.crnk.security.internal.DataRoomMatcher;
import io.crnk.security.internal.DataRoomRelationshipFilter;
import io.crnk.security.internal.DataRoomResourceFilter;
import io.crnk.security.internal.SecurityRepositoryFilter;
import io.crnk.security.internal.SecurityResourceFilter;
import io.crnk.security.repository.CallerPermissionRepository;
import io.crnk.security.repository.RolePermissionRepository;
import io.crnk.security.repository.RoleRepository;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/crnk/security/SecurityModule.class */
public class SecurityModule implements Module {
    protected static final String ANY_ROLE = "ANY";
    private static final Logger LOGGER = LoggerFactory.getLogger((Class<?>) SecurityModule.class);
    private Map<String, Map<String, ResourcePermission>> permissions;
    private Module.ModuleContext moduleContext;
    private SecurityConfig config;
    private DataRoomMatcher matcher;
    private Supplier<Boolean> enabled = new Supplier<Boolean>() { // from class: io.crnk.security.SecurityModule.1
        /* JADX WARN: Can't rename method to resolve collision */
        @Override // io.crnk.core.utils.Supplier
        public Boolean get() {
            return Boolean.TRUE;
        }
    };
    private SecurityProvider callerSecurityProvider = new SecurityProvider() { // from class: io.crnk.security.SecurityModule.2
        @Override // io.crnk.core.engine.security.SecurityProvider
        public boolean isUserInRole(String str, SecurityProviderContext securityProviderContext) {
            return SecurityModule.this.isUserInRole(securityProviderContext.getQueryContext(), str);
        }

        @Override // io.crnk.core.engine.security.SecurityProvider
        public boolean isAuthenticated(SecurityProviderContext securityProviderContext) {
            return SecurityModule.this.moduleContext.getSecurityProvider().isAuthenticated(securityProviderContext);
        }
    };

    protected SecurityModule() {
    }

    protected SecurityModule(SecurityConfig securityConfig) {
        this.config = securityConfig;
    }

    public DataRoomMatcher getDataRoomMatcher() {
        return this.matcher;
    }

    public static SecurityModule newServerModule(SecurityConfig securityConfig) {
        return new SecurityModule(securityConfig);
    }

    public static SecurityModule newClientModule() {
        return new SecurityModule(null);
    }

    private static void configureRule(Map<String, Map<String, ResourcePermission>> map, String str, String str2, ResourcePermission resourcePermission) {
        Map<String, ResourcePermission> map2 = map.get(str);
        if (map2 == null) {
            map2 = new HashMap();
            map.put(str, map2);
        }
        ResourcePermission resourcePermission2 = map2.get(str2);
        ResourcePermission resourcePermission3 = resourcePermission;
        if (resourcePermission2 != null) {
            resourcePermission3 = resourcePermission2.or(resourcePermission);
        }
        map2.put(str2, resourcePermission3);
        LOGGER.debug("configure rule for resourceType={} role={} permission={}", str, str2, resourcePermission);
    }

    private static ResourcePermission updateMissingPermissions(ResourcePermission resourcePermission, ResourcePermission resourcePermission2) {
        return resourcePermission.and(resourcePermission.xor(resourcePermission2));
    }

    public void setEnabled(boolean z) {
        setEnabled(() -> {
            return Boolean.valueOf(z);
        });
    }

    public boolean isEnabled() {
        boolean booleanValue = this.enabled.get().booleanValue();
        LOGGER.debug("enabled={}", Boolean.valueOf(booleanValue));
        return booleanValue;
    }

    public void setEnabled(Supplier<Boolean> supplier) {
        this.enabled = supplier;
    }

    @Override // io.crnk.core.module.Module
    public String getModuleName() {
        return "security";
    }

    protected void checkInit() {
        if (this.config == null || this.permissions != null) {
            return;
        }
        reconfigure(this.config);
    }

    public void reconfigure(SecurityConfig securityConfig) {
        Class<?> resourceClass;
        this.config = securityConfig;
        LOGGER.debug("reconfiguring with {} rules", Integer.valueOf(securityConfig.getRules().size()));
        HashMap hashMap = new HashMap();
        for (SecurityRule securityRule : securityConfig.getRules()) {
            String resourceType = securityRule.getResourceType();
            if (resourceType == null && (resourceClass = securityRule.getResourceClass()) != null) {
                resourceType = toType(resourceClass);
            }
            if (resourceType == null) {
                Iterator<RegistryEntry> it = this.moduleContext.getResourceRegistry().getEntries().iterator();
                while (it.hasNext()) {
                    configureRule(hashMap, it.next().getResourceInformation().getResourceType(), securityRule.getRole(), securityRule.getPermission());
                }
            } else {
                if (this.moduleContext.getResourceRegistry().getEntry(resourceType) == null) {
                    throw new RepositoryNotFoundException(resourceType);
                }
                configureRule(hashMap, resourceType, securityRule.getRole(), securityRule.getPermission());
            }
        }
        this.permissions = hashMap;
    }

    public SecurityConfig getConfig() {
        return this.config;
    }

    @Override // io.crnk.core.module.Module
    public void setupModule(Module.ModuleContext moduleContext) {
        this.moduleContext = moduleContext;
        if (this.config != null) {
            moduleContext.addRepositoryFilter(new SecurityRepositoryFilter(this));
            moduleContext.addResourceFilter(new SecurityResourceFilter(this, moduleContext));
            if (this.config.isExposeRepositories()) {
                moduleContext.addRepository(new RolePermissionRepository(this));
                moduleContext.addRepository(new CallerPermissionRepository(this));
                moduleContext.addRepository(new RoleRepository(this));
            }
            if (this.config.getDataRoomFilter() == null || !this.config.getPerformDataRoomChecks()) {
                this.matcher = new DataRoomMatcher(() -> {
                    return (querySpec, httpMethod, securityProvider) -> {
                        return querySpec;
                    };
                }, this.callerSecurityProvider);
                return;
            }
            this.matcher = new DataRoomMatcher(() -> {
                return this.config.getDataRoomFilter();
            }, this.callerSecurityProvider);
            LOGGER.debug("registering dataroom filter {}", this.config.getDataRoomFilter());
            moduleContext.addRepositoryDecoratorFactory(obj -> {
                if (obj instanceof BulkResourceRepository) {
                    return new DataRoomBulkResourceFilter((BulkResourceRepository) obj, this.matcher);
                }
                if (obj instanceof ResourceRepository) {
                    return new DataRoomResourceFilter((ResourceRepository) obj, this.matcher);
                }
                if (obj instanceof ForwardingRelationshipRepository) {
                    return obj;
                }
                if ((obj instanceof OneRelationshipRepository) || (obj instanceof ManyRelationshipRepository)) {
                    return new DataRoomRelationshipFilter(obj, this.matcher);
                }
                LOGGER.warn("no dataroom support for unknown repository {}", obj);
                return obj;
            });
        }
    }

    public boolean isAllowed(QueryContext queryContext, Class<?> cls, ResourcePermission resourcePermission) {
        return isAllowed(queryContext, toType(cls), resourcePermission);
    }

    public boolean isAllowed(QueryContext queryContext, String str, ResourcePermission resourcePermission) {
        ResourcePermission missingPermissions = getMissingPermissions(str, resourcePermission, this.callerSecurityProvider, toSecurityContext(queryContext));
        boolean isEmpty = missingPermissions.isEmpty();
        if (isEmpty) {
            LOGGER.debug("isAllowed returns {} for permission {}", Boolean.valueOf(isEmpty), resourcePermission);
        } else {
            LOGGER.debug("isAllowed returns {} for permission {} due to missing permission {}", Boolean.valueOf(isEmpty), resourcePermission, missingPermissions);
        }
        return isEmpty;
    }

    public ResourcePermission getCallerPermissions(QueryContext queryContext, String str) {
        return getMissingPermissions(str, ResourcePermission.ALL, this.callerSecurityProvider, toSecurityContext(queryContext)).xor(ResourcePermission.ALL);
    }

    private SecurityProviderContext toSecurityContext(QueryContext queryContext) {
        return () -> {
            return queryContext;
        };
    }

    public ResourcePermission getRolePermissions(QueryContext queryContext, String str, final String str2) {
        return getMissingPermissions(str, ResourcePermission.ALL, new SecurityProvider() { // from class: io.crnk.security.SecurityModule.3
            @Override // io.crnk.core.engine.security.SecurityProvider
            public boolean isUserInRole(String str3, SecurityProviderContext securityProviderContext) {
                return str2.equals(str3) || str3.equals(SecurityModule.ANY_ROLE);
            }

            @Override // io.crnk.core.engine.security.SecurityProvider
            public boolean isAuthenticated(SecurityProviderContext securityProviderContext) {
                throw new UnsupportedOperationException("not implemented");
            }
        }, toSecurityContext(queryContext)).xor(ResourcePermission.ALL);
    }

    private ResourcePermission getMissingPermissions(String str, ResourcePermission resourcePermission, SecurityProvider securityProvider, SecurityProviderContext securityProviderContext) {
        if (!isEnabled()) {
            return ResourcePermission.EMPTY;
        }
        checkInit();
        Map<String, ResourcePermission> map = this.permissions.get(str);
        ResourcePermission resourcePermission2 = resourcePermission;
        if (map != null) {
            for (Map.Entry<String, ResourcePermission> entry : map.entrySet()) {
                String key = entry.getKey();
                ResourcePermission and = entry.getValue().and(resourcePermission);
                if ((!and.isEmpty()) && securityProvider.isUserInRole(key, securityProviderContext)) {
                    resourcePermission2 = updateMissingPermissions(resourcePermission2, and);
                    if (resourcePermission2.isEmpty()) {
                        break;
                    }
                }
            }
        }
        return resourcePermission2;
    }

    public ResourcePermission getResourcePermission(QueryContext queryContext, Class<?> cls) {
        return getResourcePermission(queryContext, toType(cls));
    }

    public ResourcePermission getResourcePermission(QueryContext queryContext, String str) {
        checkInit();
        if (!isEnabled()) {
            return ResourcePermission.ALL;
        }
        Map<String, ResourcePermission> map = this.permissions.get(str);
        ResourcePermission resourcePermission = ResourcePermission.EMPTY;
        if (map != null) {
            for (Map.Entry<String, ResourcePermission> entry : map.entrySet()) {
                if (isUserInRole(queryContext, entry.getKey())) {
                    resourcePermission = resourcePermission.or(entry.getValue());
                }
            }
        }
        return resourcePermission;
    }

    public boolean isUserInRole(QueryContext queryContext, String str) {
        if (!isEnabled()) {
            throw new IllegalStateException("security module is disabled");
        }
        checkInit();
        boolean z = str.equals(ANY_ROLE) || this.moduleContext.getSecurityProvider().isUserInRole(str, toSecurityContext(queryContext));
        LOGGER.debug("isUserInRole returns {} for role {}", Boolean.valueOf(z), str);
        return z;
    }

    private <T> String toType(Class<T> cls) {
        RegistryEntry entry = this.moduleContext.getResourceRegistry().getEntry((Class<?>) cls);
        if (entry == null) {
            throw new RepositoryNotFoundException(cls);
        }
        return entry.getResourceInformation().getResourceType();
    }

    public SecurityProvider getCallerSecurityProvider() {
        return this.callerSecurityProvider;
    }
}
