package com.netflix.spinnaker.fiat.shared;

import com.google.common.cache.Cache;
import com.google.common.cache.CacheBuilder;
import com.google.common.util.concurrent.UncheckedExecutionException;
import com.netflix.spectator.api.Id;
import com.netflix.spectator.api.Registry;
import com.netflix.spinnaker.fiat.model.Authorization;
import com.netflix.spinnaker.fiat.model.UserPermission;
import com.netflix.spinnaker.fiat.model.resources.Account;
import com.netflix.spinnaker.fiat.model.resources.ResourceType;
import com.netflix.spinnaker.fiat.shared.FiatClientConfigurationProperties;
import com.netflix.spinnaker.security.AuthenticatedRequest;
import com.netflix.spinnaker.security.User;
import java.io.Serializable;
import java.util.Arrays;
import java.util.Set;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.concurrent.atomic.AtomicReference;
import java.util.function.Function;
import java.util.stream.Collectors;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;
import org.springframework.util.backoff.BackOffExecution;
import org.springframework.util.backoff.ExponentialBackOff;

@Component
/* loaded from: input_file:com/netflix/spinnaker/fiat/shared/FiatPermissionEvaluator.class */
public class FiatPermissionEvaluator implements PermissionEvaluator {
    private static final Logger log = LoggerFactory.getLogger(FiatPermissionEvaluator.class);
    private final Registry registry;
    private final FiatService fiatService;
    private final FiatStatus fiatStatus;
    private final Cache<String, UserPermission.View> permissionsCache;
    private final Id getPermissionCounterId;
    private final RetryHandler retryHandler;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: com.netflix.spinnaker.fiat.shared.FiatPermissionEvaluator$1, reason: invalid class name */
    /* loaded from: input_file:com/netflix/spinnaker/fiat/shared/FiatPermissionEvaluator$1.class */
    public static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$com$netflix$spinnaker$fiat$model$resources$ResourceType = new int[ResourceType.values().length];

        static {
            try {
                $SwitchMap$com$netflix$spinnaker$fiat$model$resources$ResourceType[ResourceType.ACCOUNT.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$com$netflix$spinnaker$fiat$model$resources$ResourceType[ResourceType.APPLICATION.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$com$netflix$spinnaker$fiat$model$resources$ResourceType[ResourceType.SERVICE_ACCOUNT.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/netflix/spinnaker/fiat/shared/FiatPermissionEvaluator$ExponentialBackoffRetryHandler.class */
    public static class ExponentialBackoffRetryHandler implements RetryHandler {
        private final long maxBackoff;
        private final long initialBackoff;
        private final double backoffMultiplier;

        public ExponentialBackoffRetryHandler(long j, long j2, double d) {
            this.maxBackoff = j;
            this.initialBackoff = j2;
            this.backoffMultiplier = d;
        }

        @Override // com.netflix.spinnaker.fiat.shared.FiatPermissionEvaluator.RetryHandler
        public <T> T retry(String str, Callable<T> callable) throws Exception {
            ExponentialBackOff exponentialBackOff = new ExponentialBackOff(this.initialBackoff, this.backoffMultiplier);
            exponentialBackOff.setMaxElapsedTime(this.maxBackoff);
            BackOffExecution start = exponentialBackOff.start();
            while (true) {
                try {
                    return callable.call();
                } catch (Throwable th) {
                    long nextBackOff = start.nextBackOff();
                    if (nextBackOff == -1) {
                        throw th;
                    }
                    FiatPermissionEvaluator.log.warn(str + " failed. Retrying in " + nextBackOff + "ms", th);
                    TimeUnit.MILLISECONDS.sleep(nextBackOff);
                }
            }
        }
    }

    /* loaded from: input_file:com/netflix/spinnaker/fiat/shared/FiatPermissionEvaluator$RetryHandler.class */
    interface RetryHandler {
        public static final RetryHandler NOOP = new RetryHandler() { // from class: com.netflix.spinnaker.fiat.shared.FiatPermissionEvaluator.RetryHandler.1
        };

        default <T> T retry(String str, Callable<T> callable) throws Exception {
            return callable.call();
        }
    }

    @Autowired
    public FiatPermissionEvaluator(Registry registry, FiatService fiatService, FiatClientConfigurationProperties fiatClientConfigurationProperties, FiatStatus fiatStatus) {
        this(registry, fiatService, fiatClientConfigurationProperties, fiatStatus, buildRetryHandler(fiatClientConfigurationProperties));
    }

    private static RetryHandler buildRetryHandler(FiatClientConfigurationProperties fiatClientConfigurationProperties) {
        FiatClientConfigurationProperties.RetryConfiguration retry = fiatClientConfigurationProperties.getRetry();
        return new ExponentialBackoffRetryHandler(retry.getMaxBackoffMillis(), retry.getInitialBackoffMillis(), retry.getRetryMultiplier());
    }

    FiatPermissionEvaluator(Registry registry, FiatService fiatService, FiatClientConfigurationProperties fiatClientConfigurationProperties, FiatStatus fiatStatus, RetryHandler retryHandler) {
        this.registry = registry;
        this.fiatService = fiatService;
        this.fiatStatus = fiatStatus;
        this.retryHandler = retryHandler;
        this.permissionsCache = CacheBuilder.newBuilder().maximumSize(fiatClientConfigurationProperties.getCache().getMaxEntries().intValue()).expireAfterWrite(fiatClientConfigurationProperties.getCache().getExpiresAfterWriteSeconds().intValue(), TimeUnit.SECONDS).recordStats().build();
        this.getPermissionCounterId = registry.createId("fiat.getPermission");
    }

    public boolean hasPermission(Authentication authentication, Object obj, Object obj2) {
        return false;
    }

    public boolean hasPermission(Authentication authentication, Serializable serializable, String str, Object obj) {
        if (!this.fiatStatus.isEnabled()) {
            return true;
        }
        if (serializable == null || str == null || obj == null) {
            log.debug("Permission denied due to null argument. resourceName={}, resourceType={}, authorization={}", new Object[]{serializable, str, obj});
            return false;
        }
        ResourceType parse = ResourceType.parse(str);
        Authorization authorization = null;
        if (parse != ResourceType.SERVICE_ACCOUNT) {
            authorization = Authorization.valueOf(obj.toString());
        }
        if (parse == ResourceType.APPLICATION && StringUtils.isNotEmpty(serializable.toString())) {
            serializable = serializable.toString();
        }
        return permissionContains(getPermission(getUsername(authentication)), serializable.toString(), parse, authorization);
    }

    private String getUsername(Authentication authentication) {
        String str = "anonymous";
        if (authentication.isAuthenticated() && authentication.getPrincipal() != null) {
            Object principal = authentication.getPrincipal();
            if (principal instanceof User) {
                str = ((User) principal).getUsername();
            } else if (StringUtils.isNotEmpty(principal.toString())) {
                str = principal.toString();
            }
        }
        return str;
    }

    public void invalidatePermission(String str) {
        this.permissionsCache.invalidate(str);
    }

    public UserPermission.View getPermission(String str) {
        UserPermission.View view = null;
        if (StringUtils.isEmpty(str)) {
            return null;
        }
        AtomicBoolean atomicBoolean = new AtomicBoolean(true);
        AtomicBoolean atomicBoolean2 = new AtomicBoolean(true);
        AtomicBoolean atomicBoolean3 = new AtomicBoolean(false);
        AtomicReference atomicReference = new AtomicReference();
        try {
            view = (UserPermission.View) this.permissionsCache.get(str, () -> {
                atomicBoolean.set(false);
                return (UserPermission.View) AuthenticatedRequest.propagate(() -> {
                    try {
                        return (UserPermission.View) this.retryHandler.retry("getUserPermission for " + str, () -> {
                            return this.fiatService.getUserPermission(str);
                        });
                    } catch (Exception e) {
                        if (!this.fiatStatus.isLegacyFallbackEnabled()) {
                            throw e;
                        }
                        atomicBoolean3.set(true);
                        atomicBoolean2.set(false);
                        atomicReference.set(e);
                        return new UserPermission.View(new UserPermission().setId((String) AuthenticatedRequest.getSpinnakerUser().orElse("anonymous")).setAccounts((Set) Arrays.stream(((String) AuthenticatedRequest.getSpinnakerAccounts().orElse("")).split(",")).map(str2 -> {
                            return new Account().setName(str2);
                        }).collect(Collectors.toSet()))).setLegacyFallback(true);
                    }
                }).call();
            });
        } catch (ExecutionException | UncheckedExecutionException e) {
            atomicBoolean2.set(false);
            atomicReference.set(e.getCause() != null ? e.getCause() : e);
        }
        Id withTag = this.getPermissionCounterId.withTag("cached", atomicBoolean.get()).withTag("success", atomicBoolean2.get());
        if (!atomicBoolean2.get()) {
            log.error("Cannot get whole user permission for user {}, reason: {}", new Object[]{str, ((Throwable) atomicReference.get()).getMessage(), atomicReference});
            withTag = withTag.withTag("legacyFallback", atomicBoolean3.get());
        }
        if (atomicBoolean3.get()) {
            this.permissionsCache.invalidate(str);
        }
        this.registry.counter(withTag).increment();
        return view;
    }

    @Deprecated
    public boolean storeWholePermission() {
        return (this.fiatStatus.isEnabled() && getPermission(getUsername(SecurityContextHolder.getContext().getAuthentication())) == null) ? false : true;
    }

    private boolean permissionContains(UserPermission.View view, String str, ResourceType resourceType, Authorization authorization) {
        if (view == null) {
            return false;
        }
        if (view.isAdmin()) {
            return true;
        }
        Function function = set -> {
            return Boolean.valueOf(set.stream().anyMatch(authorizable -> {
                return authorizable.getName().equalsIgnoreCase(str) && authorizable.getAuthorizations().contains(authorization);
            }));
        };
        switch (AnonymousClass1.$SwitchMap$com$netflix$spinnaker$fiat$model$resources$ResourceType[resourceType.ordinal()]) {
            case 1:
                return ((Boolean) function.apply(view.getAccounts())).booleanValue();
            case 2:
                return (!view.getApplications().stream().anyMatch(view2 -> {
                    return view2.getName().equalsIgnoreCase(str);
                }) && view.isAllowAccessToUnknownApplications()) || view.isLegacyFallback() || ((Boolean) function.apply(view.getApplications())).booleanValue();
            case 3:
                return view.getServiceAccounts().stream().anyMatch(view3 -> {
                    return view3.getName().equalsIgnoreCase(str);
                });
            default:
                return false;
        }
    }

    public boolean isAdmin() {
        return true;
    }
}
