package org.cloudfoundry.multiapps.controller.web.security;

import java.text.MessageFormat;
import java.util.List;
import java.util.UUID;
import javax.inject.Inject;
import javax.inject.Named;
import javax.servlet.http.HttpServletRequest;
import org.cloudfoundry.client.lib.CloudControllerClient;
import org.cloudfoundry.multiapps.common.SLException;
import org.cloudfoundry.multiapps.controller.core.auditlogging.AuditLoggingProvider;
import org.cloudfoundry.multiapps.controller.core.cf.CloudControllerClientProvider;
import org.cloudfoundry.multiapps.controller.core.helpers.ClientHelper;
import org.cloudfoundry.multiapps.controller.core.model.CachedMap;
import org.cloudfoundry.multiapps.controller.core.model.CloudTarget;
import org.cloudfoundry.multiapps.controller.core.util.ApplicationConfiguration;
import org.cloudfoundry.multiapps.controller.core.util.UserInfo;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.web.server.ResponseStatusException;

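/**
 * Authorization guard for the web layer.
 *
 * <p>A caller is allowed to act in a Cloud Foundry space when it either carries the
 * {@code cloud_controller.admin} scope or holds a space role that permits the request: space developers
 * may perform any operation, while space auditors and space managers are accepted only for HTTP GET
 * requests (see {@link #isGetRequest(HttpServletRequest)}). When the target is given by organization and
 * space name the space must additionally be visible to the caller's own controller client.
 *
 * <p>Denials are reported by throwing a {@link ResponseStatusException} after the reason has been written to
 * the application log and to the security audit log:
 * <ul>
 *   <li>403 FORBIDDEN &ndash; the check ran and the user holds no sufficient role;</li>
 *   <li>401 UNAUTHORIZED &ndash; the check itself failed with an {@link SLException}, so membership could not
 *       be established;</li>
 *   <li>404 NOT_FOUND &ndash; the supplied space id is not a valid UUID.</li>
 * </ul>
 * The organization and space names (or the space id) that appear in these messages originate from the
 * request; they are echoed in the response reason and in both logs.
 *
 * <p>Space developers are looked up through a {@link CachedMap} keyed by space GUID that is created once in
 * the constructor and shared by all requests; entries expire after
 * {@link ApplicationConfiguration#getSpaceDeveloperCacheExpirationInSeconds()}. A negative cached answer
 * is always re-validated against the controller, a positive one is not &ndash; so a user removed from the
 * space developers presumably keeps passing the check until the cached entry expires (to be confirmed
 * against {@code CachedMap#get}).
 */
@Named
public class AuthorizationChecker {

    private static final Logger LOGGER = LoggerFactory.getLogger(AuthorizationChecker.class);
    /** UAA scope that bypasses every space-role check. */
    private static final String ADMIN_SCOPE = "cloud_controller.admin";

    private final CloudControllerClientProvider clientProvider;
    private final ApplicationConfiguration applicationConfiguration;
    /** Space developer GUIDs per space GUID; see the class comment for the staleness caveat. */
    private final CachedMap<UUID, List<UUID>> spaceDevelopersCache;

    /**
     * Creates the checker and its space-developers cache.
     *
     * @param cloudControllerClientProvider supplies a controller client acting as a given user
     * @param applicationConfiguration source of the cache expiration (in seconds)
     */
    @Inject
    public AuthorizationChecker(CloudControllerClientProvider cloudControllerClientProvider,
                                ApplicationConfiguration applicationConfiguration) {
        this.clientProvider = cloudControllerClientProvider;
        this.applicationConfiguration = applicationConfiguration;
        // The cache is created exactly once here; no lazy/synchronized initialisation is needed.
        this.spaceDevelopersCache = new CachedMap<>(applicationConfiguration.getSpaceDeveloperCacheExpirationInSeconds()
                                                                            .intValue());
    }

    /**
     * Ensures that {@code userInfo} may perform {@code action} in the space addressed by organization and space
     * name; returns normally only when the check passed.
     *
     * @param request the incoming request; only its HTTP method is consulted (GET relaxes the required role)
     * @param userInfo the authenticated caller
     * @param target organization and space names of the target space
     * @param action human-readable name of the operation, used only in the failure message
     * @throws ResponseStatusException 403 when the user holds no sufficient role or cannot see the space,
     *         401 when the check could not be performed because an {@link SLException} was raised
     */
    public void ensureUserIsAuthorized(HttpServletRequest request, UserInfo userInfo, CloudTarget target, String action) {
        String organizationName = target.getOrganizationName();
        String spaceName = target.getSpaceName();
        try {
            if (!checkPermissions(userInfo, organizationName, spaceName, isGetRequest(request))) {
                failWithForbiddenStatus(MessageFormat.format("Not authorized to perform operation \"{0}\" in organization \"{1}\" and space \"{2}\"",
                                                             action, organizationName, spaceName));
            }
        } catch (SLException e) {
            // The cause is kept for the log and the thrown exception; the response reason stays generic.
            failWithUnauthorizedStatus(MessageFormat.format("Could not check for permission to perform operation \"{0}\" in organization \"{1}\" and space \"{2}\"",
                                                            action, organizationName, spaceName),
                                       e);
        }
    }

    /**
     * Ensures that {@code userInfo} may perform {@code action} in the space with the given GUID; returns normally
     * only when the check passed.
     *
     * @param request the incoming request; only its HTTP method is consulted (GET relaxes the required role)
     * @param userInfo the authenticated caller
     * @param spaceGuid GUID of the target space as a string
     * @param action human-readable name of the operation, used only in the failure message
     * @throws ResponseStatusException 403 when the user holds no sufficient role, 401 when the check could not be
     *         performed because an {@link SLException} was raised, 404 when {@code spaceGuid} is not a valid UUID
     */
    public void ensureUserIsAuthorized(HttpServletRequest request, UserInfo userInfo, String spaceGuid, String action) {
        try {
            if (!checkPermissions(userInfo, spaceGuid, isGetRequest(request))) {
                failWithForbiddenStatus(MessageFormat.format("Not authorized to perform operation \"{0}\" in space with ID \"{1}\"",
                                                             action, spaceGuid));
            }
        } catch (SLException e) {
            // The cause is kept for the log and the thrown exception; the response reason stays generic.
            failWithUnauthorizedStatus(MessageFormat.format("Could not check for permission to perform operation \"{0}\" in space with ID \"{1}\"",
                                                            action, spaceGuid),
                                       e);
        }
    }

    /** Only GET is treated as read-only; HEAD/OPTIONS etc. require the developer role like writes do. */
    private boolean isGetRequest(HttpServletRequest request) {
        return HttpMethod.GET.matches(request.getMethod());
    }

    /**
     * Permission check by organization and space name (package-private for tests).
     *
     * @param userInfo the authenticated caller
     * @param organizationName target organization name
     * @param spaceName target space name
     * @param readOnlyRequest {@code true} for GET requests, which also accept auditors and managers
     * @return {@code true} when the user is an admin, or holds a sufficient space role and the space is visible
     *         to the user's own controller client; may propagate an {@link SLException} from the controller
     *         client, which callers map to 401
     */
    boolean checkPermissions(UserInfo userInfo, String organizationName, String spaceName, boolean readOnlyRequest) {
        if (hasAdminScope(userInfo)) {
            return true;
        }
        // The client acts as the calling user, so role lookups and visibility reflect that user's view.
        CloudControllerClient client = clientProvider.getControllerClient(userInfo.getName());
        UUID userGuid = UUID.fromString(userInfo.getId());
        return hasPermissions(client, userGuid, organizationName, spaceName, readOnlyRequest)
            && hasAccess(client, organizationName, spaceName);
    }

    /**
     * Permission check by space GUID (package-private for tests).
     *
     * @param userInfo the authenticated caller
     * @param spaceGuid target space GUID as a string
     * @param readOnlyRequest {@code true} for GET requests, which also accept auditors and managers
     * @return {@code true} when the user is an admin or holds a sufficient role in the space; may propagate an
     *         {@link SLException} from the controller client, which callers map to 401
     * @throws ResponseStatusException 404 when {@code spaceGuid} is not a valid UUID
     */
    boolean checkPermissions(UserInfo userInfo, String spaceGuid, boolean readOnlyRequest) {
        if (hasAdminScope(userInfo)) {
            return true;
        }
        CloudControllerClient client = clientProvider.getControllerClient(userInfo.getName());
        UUID userGuid = UUID.fromString(userInfo.getId());
        UUID spaceUuid = convertSpaceIdToUUID(spaceGuid);
        return hasPermissions(client, userGuid, spaceUuid, readOnlyRequest);
    }

    /**
     * Parses the space id, answering 404 (not 400) for a malformed value so that a caller cannot distinguish
     * "malformed" from "does not exist".
     */
    private UUID convertSpaceIdToUUID(String spaceGuid) {
        UUID spaceUuid = null;
        try {
            spaceUuid = UUID.fromString(spaceGuid);
        } catch (IllegalArgumentException e) {
            failWithNotFoundStatus(e.getMessage()); // always throws
        }
        return spaceUuid;
    }

    /**
     * Role check by space GUID: developers always pass; auditors and managers pass only for read-only requests.
     * Developers are served from the cache first; a miss is re-validated with a forced refresh because the user
     * may have been added since the entry was cached. Auditor and manager lookups are not cached.
     */
    private boolean hasPermissions(CloudControllerClient client, UUID userGuid, UUID spaceGuid, boolean readOnlyRequest) {
        if (isUserInSpaceDevelopersUsingCache(client, userGuid, spaceGuid)
            || isUserInSpaceDevelopersAfterCacheRefresh(client, userGuid, spaceGuid)) {
            return true;
        }
        if (!readOnlyRequest) {
            return false;
        }
        return isUserInSpaceAuditors(client, userGuid, spaceGuid) || isUserInSpaceManagers(client, userGuid, spaceGuid);
    }

    private boolean isUserInSpaceAuditors(CloudControllerClient client, UUID userGuid, UUID spaceGuid) {
        return client.getSpaceAuditors(spaceGuid)
                     .contains(userGuid);
    }

    private boolean isUserInSpaceManagers(CloudControllerClient client, UUID userGuid, UUID spaceGuid) {
        return client.getSpaceManagers(spaceGuid)
                     .contains(userGuid);
    }

    /** Reads the developer list from the cache, loading it from the controller on a cache miss. */
    private boolean isUserInSpaceDevelopersUsingCache(CloudControllerClient client, UUID userGuid, UUID spaceGuid) {
        return spaceDevelopersCache.get(spaceGuid, () -> client.getSpaceDevelopers(spaceGuid))
                                   .contains(userGuid);
    }

    /** Reloads the developer list from the controller into the cache and checks the fresh value. */
    private boolean isUserInSpaceDevelopersAfterCacheRefresh(CloudControllerClient client, UUID userGuid, UUID spaceGuid) {
        return spaceDevelopersCache.forceRefresh(spaceGuid, () -> client.getSpaceDevelopers(spaceGuid))
                                   .contains(userGuid);
    }

    /**
     * Role check by organization and space name; same role policy as the GUID variant, but every lookup goes to
     * the controller (nothing is cached here).
     */
    private boolean hasPermissions(CloudControllerClient client, UUID userGuid, String organizationName, String spaceName,
                                   boolean readOnlyRequest) {
        if (client.getSpaceDevelopers(organizationName, spaceName)
                  .contains(userGuid)) {
            return true;
        }
        if (!readOnlyRequest) {
            return false;
        }
        return client.getSpaceAuditors(organizationName, spaceName)
                     .contains(userGuid)
            || client.getSpaceManagers(organizationName, spaceName)
                     .contains(userGuid);
    }

    /**
     * Whether the space is visible to the user's client. The trailing {@code false} presumably disables a
     * "required" mode so that a missing space yields {@code null} instead of an exception (verify against
     * {@code CloudControllerClient#getSpace}).
     */
    private boolean hasAccess(CloudControllerClient client, String organizationName, String spaceName) {
        return client.getSpace(organizationName, spaceName, false) != null;
    }

    private boolean hasAdminScope(UserInfo userInfo) {
        return userInfo.getToken()
                       .getScope()
                       .contains(ADMIN_SCOPE);
    }

    private void failWithNotFoundStatus(String message) {
        failWithStatus(HttpStatus.NOT_FOUND, message, null);
    }

    private void failWithUnauthorizedStatus(String message, Throwable cause) {
        failWithStatus(HttpStatus.UNAUTHORIZED, message, cause);
    }

    private void failWithForbiddenStatus(String message) {
        failWithStatus(HttpStatus.FORBIDDEN, message, null);
    }

    /**
     * Logs the denial (application log and security audit log) and aborts the request with {@code status}.
     *
     * @param status HTTP status to answer with
     * @param message reason, also used as the response reason
     * @param cause underlying failure, or {@code null}; when present it is attached to the log entry and to the
     *        thrown exception so the stack trace is not lost
     * @throws ResponseStatusException always
     */
    private static void failWithStatus(HttpStatus status, String message, Throwable cause) {
        if (cause == null) {
            LOGGER.warn(message);
        } else {
            LOGGER.warn(message, cause);
        }
        AuditLoggingProvider.getFacade()
                            .logSecurityIncident(message);
        throw new ResponseStatusException(status, message, cause);
    }

    public ClientHelper getClientHelper(CloudControllerClient client) {
        return new ClientHelper(client);
    }
}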
