package org.cloudfoundry.multiapps.controller.web.security;

import com.sap.cloudfoundry.client.facade.CloudCredentials;
import com.sap.cloudfoundry.client.facade.domain.UserRole;
import com.sap.cloudfoundry.client.facade.oauth2.OAuth2AccessTokenWithAdditionalInfo;
import java.text.MessageFormat;
import java.time.Duration;
import java.util.Set;
import java.util.UUID;
import javax.inject.Inject;
import javax.inject.Named;
import javax.servlet.http.HttpServletRequest;
import org.cloudfoundry.multiapps.common.SLException;
import org.cloudfoundry.multiapps.controller.core.cf.CloudControllerClientFactory;
import org.cloudfoundry.multiapps.controller.core.cf.clients.CfRolesGetter;
import org.cloudfoundry.multiapps.controller.core.cf.clients.WebClientFactory;
import org.cloudfoundry.multiapps.controller.core.model.CachedMap;
import org.cloudfoundry.multiapps.controller.core.security.token.TokenService;
import org.cloudfoundry.multiapps.controller.core.util.ApplicationConfiguration;
import org.cloudfoundry.multiapps.controller.core.util.UserInfo;
import org.cloudfoundry.multiapps.controller.persistence.model.CloudTarget;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.DisposableBean;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.web.server.ResponseStatusException;

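/**
 * Decides whether the calling user may perform an operation in a Cloud Foundry space.
 *
 * <p>Decision order, as implemented below:
 * <ol>
 *   <li>A token carrying the {@code cloud_controller.admin} scope is always authorized.</li>
 *   <li>A user whose cached roles contain {@link UserRole#SPACE_DEVELOPER} is authorized without a
 *       Cloud Controller round trip.</li>
 *   <li>Otherwise the roles are fetched from the Cloud Controller and cached. SPACE_DEVELOPER is
 *       authorized for any request; SPACE_AUDITOR and SPACE_MANAGER only for GET requests.</li>
 * </ol>
 *
 * <p>Only a cached SPACE_DEVELOPER role short-circuits the check, so a revoked developer role keeps
 * granting access until the cache entry expires (TTL taken from
 * {@link ApplicationConfiguration#getSpaceDeveloperCacheExpirationInSeconds()}). Denials are never
 * served from the cache. A failure to determine the roles (an {@link SLException}) is reported as
 * 401 rather than treated as permission, i.e. the check fails closed.
 *
 * <p>Instances are Spring-managed; the cache is cleared on {@link #destroy()}.
 */
@Named
public class AuthorizationChecker implements DisposableBean {
    private static final Logger LOGGER = LoggerFactory.getLogger(AuthorizationChecker.class);
    /** OAuth scope that bypasses the space-role check entirely. */
    private static final String ADMIN_SCOPE = "cloud_controller.admin";

    /** Roles per (user, space) pair; entries expire after the configured number of seconds. */
    private final CachedMap<SpaceWithUser, Set<UserRole>> userRolesCache;
    private final CloudControllerClientFactory clientFactory;
    private final TokenService tokenService;
    private final ApplicationConfiguration configuration;
    private final WebClientFactory webClientFactory;

    @Inject
    public AuthorizationChecker(CloudControllerClientFactory cloudControllerClientFactory, TokenService tokenService,
                                ApplicationConfiguration applicationConfiguration, WebClientFactory webClientFactory) {
        this.clientFactory = cloudControllerClientFactory;
        this.tokenService = tokenService;
        this.configuration = applicationConfiguration;
        this.webClientFactory = webClientFactory;
        this.userRolesCache = new CachedMap<>(Duration.ofSeconds(applicationConfiguration.getSpaceDeveloperCacheExpirationInSeconds()
                                                                                         .intValue()));
    }

    /**
     * Throws unless {@code userInfo} may perform {@code action} in the space identified by organization and space name.
     *
     * @param request the current request; only its HTTP method is consulted (GET counts as read-only)
     * @param userInfo the authenticated caller
     * @param cloudTarget organization and space names of the target space
     * @param action human-readable operation name, used in the error message only
     * @throws ResponseStatusException 403 when the user lacks a sufficient role, 401 when the roles could not be determined
     */
    public void ensureUserIsAuthorized(HttpServletRequest request, UserInfo userInfo, CloudTarget cloudTarget, String action) {
        String organizationName = cloudTarget.getOrganizationName();
        String spaceName = cloudTarget.getSpaceName();
        try {
            if (!checkPermissions(userInfo, organizationName, spaceName, isGetRequest(request))) {
                throw forbidden(MessageFormat.format("Not authorized to perform operation \"{0}\" in organization \"{1}\" and space \"{2}\"",
                                                     action, organizationName, spaceName));
            }
        } catch (SLException e) {
            // Fail closed: an error while resolving roles is not treated as permission; keep the cause for diagnosis.
            throw unauthorized(MessageFormat.format("Could not check for permission to perform operation \"{0}\" in organization \"{1}\" and space \"{2}\"",
                                                    action, organizationName, spaceName),
                               e);
        }
    }

    /**
     * Throws unless {@code userInfo} may perform {@code action} in the space with GUID {@code spaceId}.
     *
     * @param request the current request; only its HTTP method is consulted (GET counts as read-only)
     * @param userInfo the authenticated caller
     * @param spaceId GUID of the target space
     * @param action human-readable operation name, used in the error message only
     * @throws ResponseStatusException 404 when {@code spaceId} is not a GUID, 403 when the user lacks a sufficient role,
     *         401 when the roles could not be determined
     */
    public void ensureUserIsAuthorized(HttpServletRequest request, UserInfo userInfo, String spaceId, String action) {
        try {
            if (!checkPermissions(userInfo, spaceId, isGetRequest(request))) {
                throw forbidden(MessageFormat.format("Not authorized to perform operation \"{0}\" in space with ID \"{1}\"", action, spaceId));
            }
        } catch (SLException e) {
            // Fail closed, as above.
            throw unauthorized(MessageFormat.format("Could not check for permission to perform operation \"{0}\" in space with ID \"{1}\"",
                                                    action, spaceId),
                               e);
        }
    }

    private boolean isGetRequest(HttpServletRequest request) {
        return HttpMethod.GET.matches(request.getMethod());
    }

    /**
     * Resolves the space by organization and space name and checks the user's roles in it.
     *
     * @param isReadOnlyRequest whether auditor/manager roles are sufficient (GET requests)
     * @return {@code true} if the user is an admin or holds a sufficient space role
     */
    boolean checkPermissions(UserInfo userInfo, String organizationName, String spaceName, boolean isReadOnlyRequest) {
        if (hasAdminScope(userInfo)) {
            return true;
        }
        OAuth2AccessTokenWithAdditionalInfo token = this.tokenService.getToken(userInfo.getName());
        UUID spaceGuid = this.clientFactory.createSpaceClient(token)
                                           .getSpace(organizationName, spaceName)
                                           .getGuid();
        return hasPermissions(getRolesGetter(token), new SpaceWithUser(userGuid(userInfo), spaceGuid), isReadOnlyRequest);
    }

    /** Creates the role lookup client for the given token; overridable for tests. */
    protected CfRolesGetter getRolesGetter(OAuth2AccessTokenWithAdditionalInfo token) {
        return new CfRolesGetter(this.configuration, this.webClientFactory, new CloudCredentials(token));
    }

    /**
     * Checks the user's roles in the space with GUID {@code spaceId}.
     *
     * @param isReadOnlyRequest whether auditor/manager roles are sufficient (GET requests)
     * @return {@code true} if the user is an admin or holds a sufficient space role
     * @throws ResponseStatusException 404 when {@code spaceId} is not a GUID
     */
    boolean checkPermissions(UserInfo userInfo, String spaceId, boolean isReadOnlyRequest) {
        if (hasAdminScope(userInfo)) {
            return true;
        }
        SpaceWithUser spaceWithUser = new SpaceWithUser(userGuid(userInfo), convertSpaceIdToUUID(spaceId));
        return hasPermissions(getRolesGetter(this.tokenService.getToken(userInfo.getName())), spaceWithUser, isReadOnlyRequest);
    }

    // The user id carried in the token is expected to be a GUID; a non-GUID id surfaces as IllegalArgumentException here.
    private static UUID userGuid(UserInfo userInfo) {
        return UUID.fromString(userInfo.getId());
    }

    private UUID convertSpaceIdToUUID(String spaceId) {
        try {
            return UUID.fromString(spaceId);
        } catch (IllegalArgumentException e) {
            // A malformed id cannot refer to any space, so it is reported as not found.
            throw notFound(e.getMessage());
        }
    }

    /**
     * Applies the role policy: SPACE_DEVELOPER (cached or fresh) for any request; SPACE_AUDITOR or SPACE_MANAGER only for
     * read-only requests. Anything other than a cached SPACE_DEVELOPER triggers a fresh lookup that refreshes the cache.
     */
    private boolean hasPermissions(CfRolesGetter rolesGetter, SpaceWithUser spaceWithUser, boolean isReadOnlyRequest) {
        if (isSpaceDeveloperUsingCache(spaceWithUser)) {
            return true;
        }
        Set<UserRole> roles = refreshUserRoles(rolesGetter, spaceWithUser);
        if (roles.contains(UserRole.SPACE_DEVELOPER)) {
            return true;
        }
        // Auditors and managers may only read.
        return isReadOnlyRequest && (roles.contains(UserRole.SPACE_AUDITOR) || roles.contains(UserRole.SPACE_MANAGER));
    }

    private boolean isSpaceDeveloperUsingCache(SpaceWithUser spaceWithUser) {
        Set<UserRole> cachedRoles = this.userRolesCache.get(spaceWithUser);
        return cachedRoles != null && cachedRoles.contains(UserRole.SPACE_DEVELOPER);
    }

    private Set<UserRole> refreshUserRoles(CfRolesGetter rolesGetter, SpaceWithUser spaceWithUser) {
        Set<UserRole> roles = rolesGetter.getRoles(spaceWithUser.getSpaceGuid(), spaceWithUser.getUserGuid());
        this.userRolesCache.put(spaceWithUser, roles);
        return roles;
    }

    private boolean hasAdminScope(UserInfo userInfo) {
        return userInfo.getToken()
                       .getOAuth2AccessToken()
                       .getScopes()
                       .contains(ADMIN_SCOPE);
    }

    private static ResponseStatusException notFound(String message) {
        return failure(HttpStatus.NOT_FOUND, message, null);
    }

    private static ResponseStatusException unauthorized(String message, Throwable cause) {
        return failure(HttpStatus.UNAUTHORIZED, message, cause);
    }

    private static ResponseStatusException forbidden(String message) {
        return failure(HttpStatus.FORBIDDEN, message, null);
    }

    /**
     * Logs the denial and builds the exception to throw; the cause, when present, is both logged and attached so the
     * underlying error is not lost behind the generic status message.
     */
    private static ResponseStatusException failure(HttpStatus status, String message, Throwable cause) {
        if (cause == null) {
            LOGGER.warn(message);
        } else {
            LOGGER.warn(message, cause);
        }
        return new ResponseStatusException(status, message, cause);
    }

    @Override
    public void destroy() {
        this.userRolesCache.clear();
    }
}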
