package org.jfrog.access.server.service.auth;

import java.security.Principal;
import java.util.List;
import java.util.Optional;
import java.util.regex.Pattern;
import javax.annotation.Nonnull;
import org.jfrog.access.common.AccessAuthz;
import org.jfrog.access.common.AudienceMatcher;
import org.jfrog.access.common.Scope;
import org.jfrog.access.common.ServiceId;
import org.jfrog.access.server.config.AccessConfig;
import org.jfrog.access.server.exception.ForbiddenException;
import org.jfrog.access.server.exception.UnauthorizedException;
import org.jfrog.access.server.model.Role;
import org.jfrog.access.server.model.Token;
import org.jfrog.access.server.service.auth.model.AccessPrincipal;
import org.jfrog.access.server.service.auth.model.TokenPrincipal;
import org.jfrog.access.server.service.auth.model.UserPrincipal;
import org.jfrog.access.server.service.token.TokenSpec;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;

@Service
/* loaded from: input_file:WEB-INF/lib/access-server-core-2.0.1.jar:org/jfrog/access/server/service/auth/AuthorizationServiceImpl.class */
public class AuthorizationServiceImpl implements AuthorizationService {
    private static final Logger log = LoggerFactory.getLogger((Class<?>) AuthorizationServiceImpl.class);
    private static final String ANY_INSTANCE_ID_REGEX = "(" + ServiceId.ELEMENT_PATTERN + "|\\*)";
    private static final String ANY_SERVICE_ID_REGEX = ServiceId.createServiceIdRegex(ServiceId.ELEMENT_PATTERN.pattern(), ANY_INSTANCE_ID_REGEX);
    private static final Pattern ACCESS_ADMIN_SCOPE = Pattern.compile(ANY_SERVICE_ID_REGEX + ":" + AccessAuthz.ADMIN);

    @Autowired
    private AuthenticationService authenticationService;

    @Autowired
    private AccessConfig accessConfig;

    @Override // org.jfrog.access.server.service.auth.AuthorizationService
    public Optional<String> getLoggedIn() {
        Principal loggedInPrincipal = this.authenticationService.getLoggedInPrincipal();
        return loggedInPrincipal instanceof AccessPrincipal ? Optional.of(((AccessPrincipal) loggedInPrincipal).getFormattedName()) : Optional.empty();
    }

    @Override // org.jfrog.access.server.service.auth.AuthorizationService
    public boolean loggedInAdmin() {
        Principal loggedInPrincipal = this.authenticationService.getLoggedInPrincipal();
        if (loggedInPrincipal instanceof UserPrincipal) {
            return isAdminUserPrincipal((UserPrincipal) loggedInPrincipal);
        }
        if (!(loggedInPrincipal instanceof TokenPrincipal)) {
            return false;
        }
        TokenPrincipal tokenPrincipal = (TokenPrincipal) loggedInPrincipal;
        assertAccessIsInUserTokenAudience(tokenPrincipal);
        return hasPermissionsOn(AccessAuthz.ADMIN, this.accessConfig.getAccessServerId().getFormattedName(), tokenPrincipal.getAccessToken().getScope());
    }

    @Override // org.jfrog.access.server.service.auth.AuthorizationService
    public boolean loggedInIsAnonymous() {
        return !getLoggedIn().isPresent();
    }

    @Override // org.jfrog.access.server.service.auth.AuthorizationService
    public void assertAdmin() {
        if (loggedInAdmin()) {
            return;
        }
        if (loggedInIsAnonymous()) {
            throw new UnauthorizedException("Resource requires authentication");
        }
        throw new ForbiddenException("Logged in '" + getLoggedIn().get() + "' is not an admin.");
    }

    @Override // org.jfrog.access.server.service.auth.AuthorizationService
    public void assertCanCreateToken(TokenSpec tokenSpec) {
        assertCanCreateToken(assertAccessPrincipal(), tokenSpec);
    }

    private AccessPrincipal assertAccessPrincipal() {
        if (loggedInIsAnonymous()) {
            throw new UnauthorizedException("Authentication required");
        }
        Principal loggedInPrincipal = this.authenticationService.getLoggedInPrincipal();
        if (loggedInPrincipal instanceof AccessPrincipal) {
            return (AccessPrincipal) loggedInPrincipal;
        }
        throw new ForbiddenException("Principal " + loggedInPrincipal + " is not allowed to access the requested resource");
    }

    @Override // org.jfrog.access.server.service.auth.AuthorizationService
    public void assertCanCreateToken(AccessPrincipal accessPrincipal, TokenSpec tokenSpec) {
        if (accessPrincipal instanceof UserPrincipal) {
            assertCanCreateWithUserPrincipal((UserPrincipal) accessPrincipal);
        } else {
            assertCanCreateWithTokenPrincipal((TokenPrincipal) accessPrincipal, tokenSpec);
        }
    }

    private void assertAccessIsInUserTokenAudience(TokenPrincipal tokenPrincipal) {
        List<String> audience = tokenPrincipal.getAccessToken().getAudience();
        ServiceId accessServerId = this.accessConfig.getAccessServerId();
        log.trace("Found matching audience: {} matches {}", accessServerId, AudienceMatcher.match(accessServerId, audience).orElseThrow(() -> {
            return new ForbiddenException("Audience doesn't match. Required audience: " + accessServerId + " token audiences: " + audience);
        }));
    }

    private void assertCanCreateWithTokenPrincipal(TokenPrincipal tokenPrincipal, TokenSpec tokenSpec) {
        assertAccessIsInUserTokenAudience(tokenPrincipal);
        assertTargetAudience(tokenPrincipal, tokenSpec);
    }

    private void assertCanCreateWithUserPrincipal(UserPrincipal userPrincipal) {
        if (!isAdminUserPrincipal(userPrincipal)) {
            throw new ForbiddenException("User " + userPrincipal.getUser() + " with role " + userPrincipal.getUser().getRole() + " is not permitted to create tokens");
        }
    }

    private void assertTargetAudience(TokenPrincipal tokenPrincipal, TokenSpec tokenSpec) {
        List<String> scope = tokenPrincipal.getAccessToken().getScope();
        List<String> audience = tokenSpec.getAudience();
        boolean allMatch = audience.stream().allMatch(str -> {
            return canCreateTokenForAudience(str, scope);
        });
        log.trace("Matching of audience {} to scope {} finished with result: {}", audience, scope, Boolean.valueOf(allMatch));
        if (!allMatch) {
            throw new ForbiddenException("Principal " + tokenPrincipal.getName() + " is not permitted to create tokens for audience '" + audience + "'");
        }
    }

    private boolean canCreateTokenForAudience(String str, List<String> list) {
        return hasPermissionsOn(AccessAuthz.ADMIN, str, list) || hasPermissionsOn(AccessAuthz.TOKEN, str, list);
    }

    @Override // org.jfrog.access.server.service.auth.AuthorizationService
    public boolean hasPermissionsOn(String str, String str2, List<String> list) {
        return list.stream().anyMatch(str3 -> {
            return hasPermissionsOn(str, str2, str3);
        });
    }

    private boolean hasPermissionsOn(String str, String str2, String str3) {
        boolean z = false;
        try {
            Scope parse = Scope.parse(str3);
            if (matchScopeResourceToRequestedResource(str2, parse.getResource())) {
                z = parse.getPermission().equals(str);
            }
        } catch (IllegalArgumentException e) {
            log.debug("Failed to check permissions on scope {}, resource {}: {}", str3, str2, e.getMessage());
            z = false;
        }
        log.trace("Matching scope {} with resource {} result: {}", str3, str2, Boolean.valueOf(z));
        return z;
    }

    private boolean matchScopeResourceToRequestedResource(String str, String str2) {
        return ResourceMatcher.matches(str, str2);
    }

    @Override // org.jfrog.access.server.service.auth.AuthorizationService
    public void assertCanDeleteToken(@Nonnull Token token) {
        if (loggedInAdmin()) {
            return;
        }
        AccessPrincipal assertAccessPrincipal = assertAccessPrincipal();
        if (assertAccessPrincipal instanceof UserPrincipal) {
            assertCanDeleteWithUserPrincipal((UserPrincipal) assertAccessPrincipal);
        } else {
            assertCanDeleteWithTokenPrincipal((TokenPrincipal) assertAccessPrincipal, token);
        }
    }

    private void assertCanDeleteWithTokenPrincipal(TokenPrincipal tokenPrincipal, Token token) {
        assertAccessIsInUserTokenAudience(tokenPrincipal);
        List<String> scope = tokenPrincipal.getAccessToken().getScope();
        if (!canDeleteTokenOfOwner(token.getOwner(), scope)) {
            throw new ForbiddenException("Principal " + tokenPrincipal.getName() + " with scopes " + scope + " cannot delete token " + token.getId() + " owned by " + token.getOwner());
        }
    }

    private boolean canDeleteTokenOfOwner(String str, List<String> list) {
        return hasPermissionsOn(AccessAuthz.ADMIN, str, list) || hasPermissionsOn(AccessAuthz.TOKEN, str, list);
    }

    private void assertCanDeleteWithUserPrincipal(UserPrincipal userPrincipal) {
        if (!isAdminUserPrincipal(userPrincipal)) {
            throw new ForbiddenException("User " + userPrincipal.getUser() + " with role " + userPrincipal.getUser().getRole() + " is not permitted to delete tokens");
        }
    }

    @Override // org.jfrog.access.server.service.auth.AuthorizationService
    public boolean hasServiceAdminScope(@Nonnull List<String> list) {
        return list.stream().anyMatch(str -> {
            return ACCESS_ADMIN_SCOPE.matcher(str).matches() || AccessAuthz.ADMIN.equals(str);
        });
    }

    @Override // org.jfrog.access.server.service.auth.AuthorizationService
    public void assertCanReadTokens(String str) {
        log.debug("Checking if '{}' is has read permissions for tokens of owner '{}'", this.authenticationService.getLoggedInPrincipal(), str);
        if (loggedInAdmin()) {
            return;
        }
        AccessPrincipal assertAccessPrincipal = assertAccessPrincipal();
        if (assertAccessPrincipal.getFormattedName().equals(str) || canReadTokensOfOwner(str, ((TokenPrincipal) assertAccessPrincipal).getAccessToken().getScope())) {
            return;
        }
        String name = assertAccessPrincipal.getName();
        log.debug("Principal in '{}' is not allowed to get tokens of owner '{}'", assertAccessPrincipal, str);
        throw new ForbiddenException("Logged in '" + name + "' is not allowed to read tokens of owner '" + str);
    }

    private boolean isAdminUserPrincipal(UserPrincipal userPrincipal) {
        return Role.ADMIN.equals(userPrincipal.getUser().getRole());
    }

    private boolean canReadTokensOfOwner(String str, List<String> list) {
        return hasPermissionsOn(AccessAuthz.ADMIN, str, list) || hasPermissionsOn(AccessAuthz.TOKEN, str, list);
    }
}
