package com.netflix.spinnaker.fiat.shared;

import com.google.common.cache.Cache;
import com.google.common.cache.CacheBuilder;
import com.google.common.util.concurrent.UncheckedExecutionException;
import com.netflix.frigga.Names;
import com.netflix.spinnaker.fiat.model.Authorization;
import com.netflix.spinnaker.fiat.model.UserPermission;
import com.netflix.spinnaker.fiat.model.resources.ResourceType;
import com.netflix.spinnaker.security.AuthenticatedRequest;
import com.netflix.spinnaker.security.User;
import java.io.Serializable;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.function.Function;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;

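/**
 * Spring {@link PermissionEvaluator} that answers authorization questions by consulting Fiat.
 *
 * <p>Whole-user permissions ({@link UserPermission.View}) are fetched through {@link FiatService}
 * and cached per username. Cache size and write-expiry come from
 * {@link FiatClientConfigurationProperties#getCache()}, so a permission change made in Fiat becomes
 * visible here only once the cached entry expires.
 *
 * <p>When {@code services.fiat.enabled} is {@code false} (the default), every four-argument
 * {@link #hasPermission(Authentication, Serializable, String, Object)} call is allowed without
 * consulting Fiat. When it is {@code true}, a failure to obtain the user's permissions is treated as
 * a deny.
 */
@Component
public class FiatPermissionEvaluator implements PermissionEvaluator, InitializingBean {
    private static final Logger log = LoggerFactory.getLogger(FiatPermissionEvaluator.class);

    /** Username used for requests that carry no authenticated principal. */
    private static final String ANONYMOUS_USER = "anonymous";

    @Autowired
    private FiatService fiatService;

    @Autowired
    private FiatClientConfigurationProperties configProps;

    /** Raw {@code services.fiat.enabled} value; parsed with {@link Boolean#parseBoolean(String)} on each use. */
    @Value("${services.fiat.enabled:false}")
    private String fiatEnabled;

    /** Username to whole permission view; created in {@link #afterPropertiesSet()}. */
    private Cache<String, UserPermission.View> permissionsCache;

    /**
     * Builds the permissions cache from the configured maximum size and write-expiry.
     *
     * @throws Exception declared by {@link InitializingBean}; nothing is thrown here beyond
     *     unchecked failures reading the configuration
     */
    @Override
    public void afterPropertiesSet() throws Exception {
        this.permissionsCache = CacheBuilder.newBuilder()
                .maximumSize(this.configProps.getCache().getMaxEntries().intValue())
                .expireAfterWrite(this.configProps.getCache().getExpiresAfterWriteSeconds().intValue(), TimeUnit.SECONDS)
                .recordStats()
                .build();
    }

    /**
     * Domain-object form of the check; not supported by this evaluator, so it always denies.
     *
     * @return {@code false}
     */
    @Override
    public boolean hasPermission(Authentication authentication, Object targetDomainObject, Object permission) {
        return false;
    }

    /**
     * Checks whether the authenticated user holds {@code authorization} on the named resource.
     *
     * @param authentication current authentication; {@code null} or unauthenticated maps to the
     *     anonymous user
     * @param resourceName name of the resource; for applications, a Frigga-style name is reduced to
     *     its application component
     * @param resourceType value understood by {@link ResourceType#parse(String)}
     * @param authorization {@link Authorization} name; ignored for service accounts, which are
     *     matched by name only
     * @return {@code true} when Fiat is disabled; otherwise {@code true} only if the user's cached
     *     permission view grants the authorization. Any {@code null} argument, an unavailable
     *     permission view, or an unknown resource type yields {@code false}.
     * @throws IllegalArgumentException if {@code authorization} is not a valid {@link Authorization}
     *     name (for non-service-account resources)
     */
    @Override
    public boolean hasPermission(Authentication authentication, Serializable resourceName, String resourceType, Object authorization) {
        if (!isFiatEnabled()) {
            return true;
        }
        if (resourceName == null || resourceType == null || authorization == null) {
            log.debug("Permission denied due to null argument. resourceName={}, resourceType={}, authorization={}", resourceName, resourceType, authorization);
            return false;
        }
        ResourceType type = ResourceType.parse(resourceType);
        // Service accounts are matched purely by name, so no Authorization is resolved for them.
        Authorization required = type == ResourceType.SERVICE_ACCOUNT
                ? null
                : Authorization.valueOf(authorization.toString());
        String name = resourceName.toString();
        if (type == ResourceType.APPLICATION) {
            // Callers may pass a cluster/server-group style name; permissions are keyed by application.
            String app = Names.parseName(name).getApp();
            if (StringUtils.isNotEmpty(app)) {
                name = app;
            }
        }
        return permissionContains(getPermission(getUsername(authentication)), name, type, required);
    }

    /** Whether {@code services.fiat.enabled} parses as {@code true}. */
    private boolean isFiatEnabled() {
        return Boolean.parseBoolean(this.fiatEnabled);
    }

    /**
     * Resolves the username Fiat should be asked about.
     *
     * @return the principal's username, or {@code "anonymous"} when the authentication is absent,
     *     not authenticated, or has a {@code null}/empty principal
     */
    private String getUsername(Authentication authentication) {
        if (authentication == null || !authentication.isAuthenticated()) {
            return ANONYMOUS_USER;
        }
        Object principal = authentication.getPrincipal();
        if (principal == null) {
            return ANONYMOUS_USER;
        }
        if (principal instanceof User) {
            return ((User) principal).getUsername();
        }
        String principalName = principal.toString();
        return StringUtils.isNotEmpty(principalName) ? principalName : ANONYMOUS_USER;
    }

    /**
     * Asks Fiat directly (bypassing the cache) whether {@code username} holds {@code authorization}
     * on the resource.
     *
     * <p>A call that completes without throwing is taken as "authorized"; any exception is logged and
     * treated as a deny. This relies on the Fiat client raising an exception for non-success
     * responses.
     *
     * @return {@code true} if the Fiat call completed normally, {@code false} otherwise
     */
    private boolean isAuthorized(String username, ResourceType resourceType, String resourceName, Authorization authorization) {
        try {
            AuthenticatedRequest.propagate(() -> this.fiatService.hasAuthorization(
                    username, resourceType.toString(), resourceName, authorization.toString())).call();
            return true;
        } catch (Exception e) {
            String message = String.format("Fiat authorization failed for user '%s' '%s'-ing '%s' resourceType named '%s'. Cause: %s", username, authorization, resourceType, resourceName, e.getMessage());
            if (log.isDebugEnabled()) {
                log.debug(message, e);
            } else {
                log.info(message);
            }
            return false;
        }
    }

    /**
     * Returns the user's whole permission view, loading it from Fiat on a cache miss.
     *
     * @param username user to look up
     * @return the cached or freshly loaded view, or {@code null} when {@code username} is empty or
     *     the Fiat lookup fails (the failure is logged; callers treat {@code null} as a deny)
     */
    public UserPermission.View getPermission(String username) {
        if (StringUtils.isEmpty(username)) {
            return null;
        }
        // Flipped to false by the loader, i.e. only when the entry was not already cached.
        AtomicBoolean cacheHit = new AtomicBoolean(true);
        try {
            UserPermission.View view = this.permissionsCache.get(username, () -> {
                cacheHit.set(false);
                return (UserPermission.View) AuthenticatedRequest.propagate(
                        () -> this.fiatService.getUserPermission(username)).call();
            });
            log.debug("Fiat permission cache hit: {}", cacheHit.get());
            return view;
        } catch (ExecutionException | UncheckedExecutionException e) {
            // The loader's exception is wrapped; fall back to the wrapper if no cause was attached.
            Throwable cause = e.getCause() != null ? e.getCause() : e;
            String message = String.format("Cannot get whole user permission for user %s. Cause: %s", username, cause.getMessage());
            if (log.isDebugEnabled()) {
                log.debug(message, cause);
            } else {
                log.info(message);
            }
            return null;
        }
    }

    /**
     * Ensures the current user's permission view is cached.
     *
     * @return {@code true} when Fiat is disabled or the view could be obtained; {@code false} when
     *     Fiat is enabled and no view is available for the current user
     * @deprecated retained for existing callers; the view is loaded lazily by
     *     {@link #getPermission(String)}
     */
    @Deprecated
    public boolean storeWholePermission() {
        if (!isFiatEnabled()) {
            return true;
        }
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        return getPermission(getUsername(authentication)) != null;
    }

    /**
     * Tests whether {@code view} grants {@code authorization} on the named resource.
     *
     * <p>Names are compared case-insensitively. Service accounts are matched by name alone. A
     * {@code null} view or resource type, or a resource type without a branch here, denies.
     */
    private boolean permissionContains(UserPermission.View view, String resourceName, ResourceType resourceType, Authorization authorization) {
        if (view == null || resourceType == null) {
            return false;
        }
        switch (resourceType) {
            case ACCOUNT:
                return view.getAccounts().stream().anyMatch(account ->
                        account.getName().equalsIgnoreCase(resourceName)
                                && account.getAuthorizations().contains(authorization));
            case APPLICATION:
                return view.getApplications().stream().anyMatch(application ->
                        application.getName().equalsIgnoreCase(resourceName)
                                && application.getAuthorizations().contains(authorization));
            case SERVICE_ACCOUNT:
                return view.getServiceAccounts().stream().anyMatch(serviceAccount ->
                        serviceAccount.getName().equalsIgnoreCase(resourceName));
            default:
                return false;
        }
    }

    /**
     * Placeholder that unconditionally reports the caller as an administrator.
     *
     * <p>No Fiat data is consulted, so this is not an authorization decision: anything gated only on
     * this method is effectively ungated.
     *
     * @return {@code true}
     */
    public boolean isAdmin() {
        return true;
    }

    /** Replaces the Fiat client; mainly for wiring outside Spring. */
    public FiatPermissionEvaluator setFiatService(FiatService fiatService) {
        this.fiatService = fiatService;
        return this;
    }

    /** Replaces the client configuration; takes effect on the next {@link #afterPropertiesSet()}. */
    public FiatPermissionEvaluator setConfigProps(FiatClientConfigurationProperties fiatClientConfigurationProperties) {
        this.configProps = fiatClientConfigurationProperties;
        return this;
    }

    /** Overrides the {@code services.fiat.enabled} value; anything other than {@code "true"} disables Fiat checks. */
    public FiatPermissionEvaluator setFiatEnabled(String fiatEnabled) {
        this.fiatEnabled = fiatEnabled;
        return this;
    }
}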
