package org.restcomm.connect.http;

import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.sdp.SdpConstants;
import javax.servlet.ServletContext;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.core.Context;
import org.apache.commons.configuration.Configuration;
import org.apache.commons.lang.NotImplementedException;
import org.apache.log4j.Logger;
import org.apache.shiro.authz.Permission;
import org.apache.shiro.authz.SimpleRole;
import org.apache.shiro.authz.permission.WildcardPermissionResolver;
import org.mobicents.servlet.restcomm.dao.exceptions.AccountHierarchyDepthCrossed;
import org.restcomm.connect.commons.dao.Sid;
import org.restcomm.connect.dao.AccountsDao;
import org.restcomm.connect.dao.DaoManager;
import org.restcomm.connect.dao.entities.Account;
import org.restcomm.connect.extension.api.ApiRequest;
import org.restcomm.connect.extension.api.ExtensionType;
import org.restcomm.connect.extension.api.RestcommExtensionGeneric;
import org.restcomm.connect.extension.controller.ExtensionController;
import org.restcomm.connect.http.exceptions.AuthorizationException;
import org.restcomm.connect.http.exceptions.InsufficientPermission;
import org.restcomm.connect.http.exceptions.NotAuthenticated;
import org.restcomm.connect.http.exceptions.OperatedAccountMissing;
import org.restcomm.connect.identity.AuthOutcome;
import org.restcomm.connect.identity.IdentityContext;
import org.restcomm.connect.identity.UserIdentityContext;
import org.restcomm.connect.identity.shiro.RestcommRoles;

/* loaded from: input_file:WEB-INF/lib/restcomm-connect.http-8.0.0.1114.jar:org/restcomm/connect/http/SecuredEndpoint.class */
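/**
 * Base class for REST endpoints that must authenticate the caller and authorize the request.
 *
 * <p>Three independent checks are available: that an effective account exists
 * ({@link #checkAuthenticatedAccount()}), that one of the caller's roles implies a permission
 * string ({@link #checkPermission(String)}), and that the effective account is the operated
 * account or one of its ancestors (the {@code secure(...)} overloads).
 *
 * <p>Every check in this class fails closed: a missing account, a missing role set or an
 * unrecognised {@link SecuredType} results in denial, never in implicit access.
 */
public abstract class SecuredEndpoint extends AbstractEndpoint {
    protected Logger logger = Logger.getLogger(SecuredEndpoint.class);
    // Identity of the caller for the current request; built in init().
    protected UserIdentityContext userIdentityContext;
    protected AccountsDao accountsDao;
    // Source of the role -> permission mapping used by checkPermission().
    protected IdentityContext identityContext;

    @Context
    protected ServletContext context;

    @Context
    HttpServletRequest request;
    // REST API extensions consulted by executePreApiAction(); may be null.
    protected List<RestcommExtensionGeneric> extensions;

    /* loaded from: input_file:WEB-INF/lib/restcomm-connect.http-8.0.0.1114.jar:org/restcomm/connect/http/SecuredEndpoint$SecuredType.class */
    /** Selects which account-hierarchy rule a {@code secure(...)} call applies. */
    public enum SecuredType {
        SECURED_APP,
        SECURED_ACCOUNT,
        SECURED_STANDARD
    }

    public SecuredEndpoint() {
    }

    /**
     * Creates an endpoint with an explicitly supplied servlet context and request instead of
     * relying on {@code @Context} injection.
     */
    public SecuredEndpoint(ServletContext servletContext, HttpServletRequest httpServletRequest) {
        this.context = servletContext;
        this.request = httpServletRequest;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Resolves the DAO, identity context and extensions from the servlet context and builds the
     * per-request {@link UserIdentityContext}.
     *
     * @param configuration passed through to {@code AbstractEndpoint.init}
     */
    @Override // org.restcomm.connect.http.AbstractEndpoint
    public void init(Configuration configuration) {
        super.init(configuration);
        this.accountsDao = ((DaoManager) this.context.getAttribute(DaoManager.class.getName())).getAccountsDao();
        this.identityContext = (IdentityContext) this.context.getAttribute(IdentityContext.class.getName());
        this.userIdentityContext = new UserIdentityContext(this.request, this.accountsDao);
        this.extensions = ExtensionController.getInstance().getExtensions(ExtensionType.RestApi);
        // The previous ternary fallback was unreachable: this line only runs when extensions != null.
        if (this.logger.isInfoEnabled() && this.extensions != null) {
            this.logger.info("RestAPI extensions: " + this.extensions.size());
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Requires that the request resolved to an effective account.
     *
     * @throws NotAuthenticated if there is no effective account
     */
    public void checkAuthenticatedAccount() {
        if (this.userIdentityContext.getEffectiveAccount() == null) {
            throw new NotAuthenticated();
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Tells whether the effective account is an active top-level account (one with no parent).
     *
     * @return {@code false} when there is no effective account, when it has a parent, or when its
     *     status is not {@code ACTIVE}
     */
    public boolean isSuperAdmin() {
        Account effective = this.userIdentityContext.getEffectiveAccount();
        // Unauthenticated requests are never super admin; previously this dereferenced null.
        if (effective == null) {
            return false;
        }
        // Constant-first equals so a null status means "not active" rather than an NPE.
        return effective.getParentSid() == null && Account.Status.ACTIVE.equals(effective.getStatus());
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Requires that one of the effective account's roles implies the given permission.
     *
     * @param str permission string, resolved with Shiro's {@code WildcardPermissionResolver}
     * @throws InsufficientPermission if no role grants the permission
     */
    public void checkPermission(String str) {
        if (checkPermission(str, this.userIdentityContext.getEffectiveAccountRoles()) != AuthOutcome.OK) {
            throw new InsufficientPermission();
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Non-throwing variant of {@link #checkPermission(String)}.
     *
     * @return {@code true} if the permission is granted, {@code false} if the check raised an
     *     {@link AuthorizationException}
     */
    public boolean isSecuredByPermission(String str) {
        try {
            checkPermission(str);
            return true;
        } catch (AuthorizationException e) {
            return false;
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /** Same as {@link #secure(Account, String, SecuredType)} with {@code SECURED_STANDARD}. */
    public void secure(Account account, String str) throws AuthorizationException {
        secure(account, str, SecuredType.SECURED_STANDARD);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Full check: authentication, then permission, then the account-hierarchy rule selected by
     * {@code securedType}.
     *
     * @param account the account being operated on
     * @param str permission string required for the operation
     * @param securedType hierarchy rule to apply
     * @throws NotAuthenticated if there is no effective account
     * @throws InsufficientPermission if the permission or the hierarchy check fails
     * @throws OperatedAccountMissing if {@code account} is {@code null}
     * @throws NotImplementedException if {@code securedType} is {@code null} or unrecognised
     */
    public void secure(Account account, String str, SecuredType securedType) throws AuthorizationException {
        checkAuthenticatedAccount();
        checkPermission(str);
        if (account == null) {
            throw new OperatedAccountMissing();
        }
        AuthOutcome outcome;
        if (securedType == SecuredType.SECURED_STANDARD) {
            outcome = secureLevelControl(account, null);
        } else if (securedType == SecuredType.SECURED_APP) {
            outcome = secureLevelControlApplications(account, null);
        } else if (securedType == SecuredType.SECURED_ACCOUNT) {
            outcome = secureLevelControlAccounts(account);
        } else {
            // Fail closed: a null or unknown type used to skip the hierarchy check entirely.
            // Mirrors the exception the Sid overload raises for an unrecognised type.
            throw new NotImplementedException();
        }
        if (outcome != AuthOutcome.OK) {
            throw new InsufficientPermission();
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Hierarchy check for a sub-resource owned by the account identified by {@code sid}.
     *
     * <p>This overload performs NO permission check; it only authenticates and applies the
     * hierarchy rule. Callers that need a permission enforced must call
     * {@link #checkPermission(String)} themselves.
     *
     * @param account the account being operated on
     * @param sid owner of the sub-resource; when non-null it must equal {@code account}'s sid
     * @param securedType {@code SECURED_APP} or {@code SECURED_STANDARD}
     * @throws NotAuthenticated if there is no effective account
     * @throws OperatedAccountMissing if {@code account} is {@code null}
     * @throws InsufficientPermission if the hierarchy check fails
     * @throws IllegalStateException for {@code SECURED_ACCOUNT}, which is unsupported here
     * @throws NotImplementedException if {@code securedType} is {@code null} or unrecognised
     */
    public void secure(Account account, Sid sid, SecuredType securedType) throws AuthorizationException {
        checkAuthenticatedAccount();
        if (account == null) {
            throw new OperatedAccountMissing();
        }
        String resourceOwnerSid = sid == null ? null : sid.toString();
        AuthOutcome outcome;
        if (securedType == SecuredType.SECURED_APP) {
            outcome = secureLevelControlApplications(account, resourceOwnerSid);
        } else if (securedType == SecuredType.SECURED_STANDARD) {
            outcome = secureLevelControl(account, resourceOwnerSid);
        } else if (securedType == SecuredType.SECURED_ACCOUNT) {
            throw new IllegalStateException("Account security is not supported when using sub-resources");
        } else {
            throw new NotImplementedException();
        }
        if (outcome != AuthOutcome.OK) {
            throw new InsufficientPermission();
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Tells whether the effective account holds the named role.
     *
     * @return {@code false} when there is no effective account or no role set
     */
    public boolean hasAccountRole(String str) {
        if (this.userIdentityContext.getEffectiveAccount() == null) {
            return false;
        }
        Set<String> roles = this.userIdentityContext.getEffectiveAccountRoles();
        return roles != null && roles.contains(str);
    }

    /**
     * Decides whether any of the given roles implies the permission.
     *
     * <p>The administrator role is granted everything without consulting the role mapping.
     *
     * @param str permission string to resolve
     * @param set role names of the effective account
     * @return {@code OK} if granted, {@code FAILED} otherwise
     */
    private AuthOutcome checkPermission(String str, Set<String> set) {
        // No role set means nothing can grant the permission: deny rather than throw an NPE.
        if (set == null) {
            return AuthOutcome.FAILED;
        }
        if (set.contains(getAdministratorRole())) {
            return AuthOutcome.OK;
        }
        Permission needed = new WildcardPermissionResolver().resolvePermission(str);
        RestcommRoles knownRoles = this.identityContext.getRestcommRoles();
        for (String roleName : set) {
            SimpleRole role = knownRoles.getRole(roleName);
            if (role == null) {
                // NOTE(review): a role name with no mapping aborts the scan and denies, so roles
                // later in the iteration are never consulted. This is fail-closed, but the outcome
                // may depend on the Set's iteration order when a caller holds both an unmapped and
                // a granting role; confirm whether that is intended before relaxing it.
                return AuthOutcome.FAILED;
            }
            for (Permission granted : role.getPermissions()) {
                if (granted.implies(needed)) {
                    if (this.logger.isDebugEnabled()) {
                        this.logger.debug("Granted access by permission " + granted.toString());
                    }
                    return AuthOutcome.OK;
                }
            }
            if (this.logger.isDebugEnabled()) {
                this.logger.debug("Role " + roleName + " does not allow " + str);
            }
        }
        return AuthOutcome.FAILED;
    }

    /**
     * Standard hierarchy rule: the effective account must be the operated account, its direct
     * parent, or appear in its lineage as returned by {@code AccountsDao.getAccountLineage}.
     *
     * @param account the account being operated on
     * @param str sid of the account that owns the resource, or {@code null} to skip that check;
     *     when non-null it must equal {@code account}'s sid
     * @return {@code OK} if access is allowed, {@code FAILED} otherwise
     */
    private AuthOutcome secureLevelControl(Account account, String str) {
        Account effectiveAccount = this.userIdentityContext.getEffectiveAccount();
        // Deny when either side is missing; the original dereferenced null on these paths.
        if (effectiveAccount == null || account == null) {
            return AuthOutcome.FAILED;
        }
        String effectiveSid = effectiveAccount.getSid().toString();
        String operatedSid = account.getSid().toString();
        // The resource must belong to the operated account, otherwise a caller could pair an
        // account it controls with a resource owned by someone else.
        if (str != null && !str.equals(operatedSid)) {
            return AuthOutcome.FAILED;
        }
        if (effectiveSid.equals(operatedSid)) {
            return AuthOutcome.OK;
        }
        // A top-level account has no ancestors, so nobody but itself may operate on it.
        if (account.getParentSid() == null) {
            return AuthOutcome.FAILED;
        }
        if (account.getParentSid().toString().equals(effectiveSid)) {
            return AuthOutcome.OK;
        }
        return this.accountsDao.getAccountLineage(account).contains(effectiveSid) ? AuthOutcome.OK : AuthOutcome.FAILED;
    }

    /** Application resources use the same rule as {@link #secureLevelControl(Account, String)}. */
    private AuthOutcome secureLevelControlApplications(Account account, String str) {
        return secureLevelControl(account, str);
    }

    /**
     * Account rule: a non-administrator may only operate on its own account; an administrator may
     * also operate on accounts it is the parent or an ancestor of.
     *
     * @param account the account being operated on
     * @return {@code OK} if access is allowed, {@code FAILED} otherwise
     */
    private AuthOutcome secureLevelControlAccounts(Account account) throws AccountHierarchyDepthCrossed {
        Account effectiveAccount = this.userIdentityContext.getEffectiveAccount();
        // Deny when either side is missing instead of dereferencing null.
        if (effectiveAccount == null || account == null) {
            return AuthOutcome.FAILED;
        }
        String effectiveSid = effectiveAccount.getSid().toString();
        String operatedSid = account.getSid().toString();
        if (effectiveSid.equals(operatedSid)) {
            return AuthOutcome.OK;
        }
        // Only administrators get to reach down the hierarchy.
        if (!getAdministratorRole().equals(effectiveAccount.getRole())) {
            return AuthOutcome.FAILED;
        }
        if (account.getParentSid() == null) {
            return AuthOutcome.FAILED;
        }
        if (account.getParentSid().toString().equals(effectiveSid)) {
            return AuthOutcome.OK;
        }
        return this.accountsDao.getAccountLineage(account).contains(effectiveSid) ? AuthOutcome.OK : AuthOutcome.FAILED;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /** Returns the name of the role that bypasses permission checks in this class. */
    public String getAdministratorRole() {
        return "Administrator";
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Asks every enabled REST API extension whether the request may proceed.
     *
     * @return {@code false} as soon as one enabled extension disallows the request; {@code true}
     *     when there are no extensions or none objects
     */
    public boolean executePreApiAction(ApiRequest apiRequest) {
        if (this.extensions == null || this.extensions.isEmpty()) {
            return true;
        }
        for (RestcommExtensionGeneric extension : this.extensions) {
            if (!extension.isEnabled()) {
                continue;
            }
            if (!extension.preApiAction(apiRequest).isAllowed()) {
                return false;
            }
        }
        return true;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Post-action hook; this implementation consults no extension and always returns
     * {@code false}.
     */
    public boolean executePostApiAction(ApiRequest apiRequest) {
        return false;
    }
}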
