package com.netflix.spinnaker.fiat.shared;

import com.github.benmanes.caffeine.cache.Cache;
import com.github.benmanes.caffeine.cache.Caffeine;
import com.netflix.spectator.api.Id;
import com.netflix.spectator.api.Registry;
import com.netflix.spinnaker.fiat.model.Authorization;
import com.netflix.spinnaker.fiat.model.UserPermission;
import com.netflix.spinnaker.fiat.model.resources.Account;
import com.netflix.spinnaker.fiat.model.resources.ResourceType;
import com.netflix.spinnaker.fiat.shared.FiatClientConfigurationProperties;
import com.netflix.spinnaker.kork.exceptions.IntegrationException;
import com.netflix.spinnaker.kork.telemetry.caffeine.CaffeineStatsCounter;
import com.netflix.spinnaker.security.AuthenticatedRequest;
import java.io.Serializable;
import java.util.Arrays;
import java.util.Collections;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.Callable;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.concurrent.atomic.AtomicReference;
import java.util.function.Function;
import java.util.stream.Collectors;
import javax.annotation.Nonnull;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.http.HttpStatus;
import org.springframework.security.access.PermissionEvaluator;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.stereotype.Component;
import org.springframework.util.backoff.BackOffExecution;
import org.springframework.util.backoff.ExponentialBackOff;
import retrofit.RetrofitError;

@Component
/* loaded from: input_file:com/netflix/spinnaker/fiat/shared/FiatPermissionEvaluator.class */
public class FiatPermissionEvaluator implements PermissionEvaluator {
    private static final Logger log = LoggerFactory.getLogger(FiatPermissionEvaluator.class);
    private static final ThreadLocal<AuthorizationFailure> authorizationFailure = new ThreadLocal<>();
    private final Registry registry;
    private final FiatService fiatService;
    private final FiatStatus fiatStatus;
    private final Cache<String, UserPermission.View> permissionsCache;
    private final Id getPermissionCounterId;
    private final RetryHandler retryHandler;

    /* renamed from: com.netflix.spinnaker.fiat.shared.FiatPermissionEvaluator$1, reason: invalid class name */
    /* loaded from: input_file:com/netflix/spinnaker/fiat/shared/FiatPermissionEvaluator$1.class */
    static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$org$springframework$http$HttpStatus = new int[HttpStatus.values().length];

        static {
            try {
                $SwitchMap$org$springframework$http$HttpStatus[HttpStatus.NOT_FOUND.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$org$springframework$http$HttpStatus[HttpStatus.BAD_REQUEST.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
        }
    }

    /* loaded from: input_file:com/netflix/spinnaker/fiat/shared/FiatPermissionEvaluator$AuthorizationFailure.class */
    public static class AuthorizationFailure {
        private final Authorization authorization;
        private final ResourceType resourceType;
        private final String resourceName;

        public AuthorizationFailure(Authorization authorization, ResourceType resourceType, String str) {
            this.authorization = authorization;
            this.resourceType = resourceType;
            this.resourceName = str;
        }

        public Authorization getAuthorization() {
            return this.authorization;
        }

        public boolean hasAuthorization() {
            return this.authorization != null;
        }

        @Nonnull
        public ResourceType getResourceType() {
            return this.resourceType;
        }

        @Nonnull
        public String getResourceName() {
            return this.resourceName;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/netflix/spinnaker/fiat/shared/FiatPermissionEvaluator$ExponentialBackoffRetryHandler.class */
    public static class ExponentialBackoffRetryHandler implements RetryHandler {
        private final FiatClientConfigurationProperties.RetryConfiguration retryConfiguration;

        public ExponentialBackoffRetryHandler(FiatClientConfigurationProperties.RetryConfiguration retryConfiguration) {
            this.retryConfiguration = retryConfiguration;
        }

        @Override // com.netflix.spinnaker.fiat.shared.FiatPermissionEvaluator.RetryHandler
        public <T> T retry(String str, Callable<T> callable) throws Exception {
            ExponentialBackOff exponentialBackOff = new ExponentialBackOff(this.retryConfiguration.getInitialBackoffMillis(), this.retryConfiguration.getRetryMultiplier());
            exponentialBackOff.setMaxElapsedTime(this.retryConfiguration.getMaxBackoffMillis());
            BackOffExecution start = exponentialBackOff.start();
            while (true) {
                try {
                    return callable.call();
                } catch (Throwable th) {
                    long nextBackOff = start.nextBackOff();
                    if (nextBackOff == -1) {
                        throw th;
                    }
                    FiatPermissionEvaluator.log.warn(str + " failed. Retrying in " + nextBackOff + "ms", th);
                    TimeUnit.MILLISECONDS.sleep(nextBackOff);
                }
            }
        }
    }

    /* loaded from: input_file:com/netflix/spinnaker/fiat/shared/FiatPermissionEvaluator$RetryHandler.class */
    interface RetryHandler {
        public static final RetryHandler NOOP = new RetryHandler() { // from class: com.netflix.spinnaker.fiat.shared.FiatPermissionEvaluator.RetryHandler.1
        };

        default <T> T retry(String str, Callable<T> callable) throws Exception {
            return callable.call();
        }
    }

    @Autowired
    public FiatPermissionEvaluator(Registry registry, FiatService fiatService, FiatClientConfigurationProperties fiatClientConfigurationProperties, FiatStatus fiatStatus) {
        this(registry, fiatService, fiatClientConfigurationProperties, fiatStatus, buildRetryHandler(fiatClientConfigurationProperties));
    }

    private static RetryHandler buildRetryHandler(FiatClientConfigurationProperties fiatClientConfigurationProperties) {
        return new ExponentialBackoffRetryHandler(fiatClientConfigurationProperties.getRetry());
    }

    FiatPermissionEvaluator(Registry registry, FiatService fiatService, FiatClientConfigurationProperties fiatClientConfigurationProperties, FiatStatus fiatStatus, RetryHandler retryHandler) {
        this.registry = registry;
        this.fiatService = fiatService;
        this.fiatStatus = fiatStatus;
        this.retryHandler = retryHandler;
        this.permissionsCache = Caffeine.newBuilder().maximumSize(fiatClientConfigurationProperties.getCache().getMaxEntries().intValue()).expireAfterWrite(fiatClientConfigurationProperties.getCache().getExpiresAfterWriteSeconds().intValue(), TimeUnit.SECONDS).recordStats(() -> {
            return new CaffeineStatsCounter(registry, "fiat.permissionsCache");
        }).build();
        this.getPermissionCounterId = registry.createId("fiat.getPermission");
    }

    public boolean hasPermission(Authentication authentication, Object obj, Object obj2) {
        return false;
    }

    public boolean canCreate(String str, Object obj) {
        if (!this.fiatStatus.isEnabled()) {
            return true;
        }
        String username = getUsername(SecurityContextHolder.getContext().getAuthentication());
        try {
            return ((Boolean) AuthenticatedRequest.propagate(() -> {
                return (Boolean) this.retryHandler.retry("determine whether " + username + " can create resource " + obj, () -> {
                    try {
                        this.fiatService.canCreate(username, str, obj);
                        return true;
                    } catch (RetrofitError e) {
                        boolean z = true;
                        if (e.getKind() == RetrofitError.Kind.HTTP) {
                            switch (AnonymousClass1.$SwitchMap$org$springframework$http$HttpStatus[HttpStatus.valueOf(e.getResponse().getStatus()).ordinal()]) {
                                case 1:
                                    return false;
                                case 2:
                                    z = false;
                                    break;
                            }
                        }
                        IntegrationException integrationException = new IntegrationException(e);
                        integrationException.setRetryable(Boolean.valueOf(z));
                        throw integrationException;
                    }
                });
            }).call()).booleanValue();
        } catch (Exception e) {
            log.info(e.toString());
            return false;
        }
    }

    public boolean hasCachedPermission(String str) {
        return (this.fiatStatus.isEnabled() && this.permissionsCache.getIfPresent(str) == null) ? false : true;
    }

    public boolean hasPermission(String str, Serializable serializable, String str2, Object obj) {
        if (!this.fiatStatus.isEnabled()) {
            return true;
        }
        if (serializable == null || str2 == null || obj == null) {
            log.warn("Permission denied because at least one of the required arguments was null. resourceName={}, resourceType={}, authorization={}", new Object[]{serializable, str2, obj});
            return false;
        }
        ResourceType parse = ResourceType.parse(str2);
        Authorization authorization = null;
        if (!parse.equals(ResourceType.SERVICE_ACCOUNT)) {
            authorization = Authorization.valueOf(obj.toString());
        }
        if (authorization == Authorization.CREATE) {
            throw new IllegalArgumentException("This method should not be called for `CREATE`. Please call the other implementation");
        }
        if (parse.equals(ResourceType.APPLICATION) && StringUtils.isNotEmpty(serializable.toString())) {
            serializable = serializable.toString();
        }
        UserPermission.View permission = getPermission(str);
        boolean permissionContains = permissionContains(permission, serializable.toString(), parse, authorization);
        authorizationFailure.set(permissionContains ? null : new AuthorizationFailure(authorization, parse, serializable.toString()));
        if (permission != null && permission.isLegacyFallback() && permissionContains) {
            if (authorization == Authorization.READ) {
                log.debug("Legacy fallback granted {} access (type: {}, resource: {})", new Object[]{authorization, parse, serializable});
            } else {
                log.warn("Legacy fallback granted {} access (type: {}, resource: {})", new Object[]{authorization, parse, serializable});
            }
        }
        return permissionContains;
    }

    public boolean hasPermission(Authentication authentication, Serializable serializable, String str, Object obj) {
        if (this.fiatStatus.isEnabled()) {
            return hasPermission(getUsername(authentication), serializable, str, obj);
        }
        return true;
    }

    public void invalidatePermission(String str) {
        this.permissionsCache.invalidate(str);
    }

    public UserPermission.View getPermission(String str) {
        UserPermission.View view = null;
        if (StringUtils.isEmpty(str)) {
            return null;
        }
        AtomicBoolean atomicBoolean = new AtomicBoolean(true);
        AtomicBoolean atomicBoolean2 = new AtomicBoolean(true);
        AtomicBoolean atomicBoolean3 = new AtomicBoolean(false);
        AtomicReference atomicReference = new AtomicReference();
        try {
            view = (UserPermission.View) this.permissionsCache.get(str, str2 -> {
                atomicBoolean.set(false);
                try {
                    return (UserPermission.View) AuthenticatedRequest.propagate(() -> {
                        try {
                            return (UserPermission.View) this.retryHandler.retry("getUserPermission for " + str2, () -> {
                                return this.fiatService.getUserPermission(str2);
                            });
                        } catch (Exception e) {
                            if (!this.fiatStatus.isLegacyFallbackEnabled()) {
                                throw e;
                            }
                            atomicBoolean3.set(true);
                            atomicBoolean2.set(false);
                            atomicReference.set(e);
                            return buildFallbackView();
                        }
                    }).call();
                } catch (RuntimeException e) {
                    throw e;
                } catch (Exception e2) {
                    throw new RuntimeException(e2);
                }
            });
        } catch (Exception e) {
            atomicBoolean2.set(false);
            atomicReference.set(e.getCause() != null ? e.getCause() : e);
        }
        Id withTag = this.getPermissionCounterId.withTag("cached", atomicBoolean.get()).withTag("success", atomicBoolean2.get());
        if (!atomicBoolean2.get()) {
            log.error("Cannot get whole user permission for user {}, reason: {} (fallbackAccounts: {})", new Object[]{str, ((Throwable) atomicReference.get()).getMessage(), getAccountsForView(view)});
            withTag = withTag.withTag("legacyFallback", atomicBoolean3.get());
        }
        this.registry.counter(withTag).increment();
        if (view != null && view.isLegacyFallback() && view.getAccounts().isEmpty()) {
            view = buildFallbackView();
            log.debug("Rebuilt legacy fallback user permission for {} (fallbackAccounts: {})", str, getAccountsForView(view));
        }
        return view;
    }

    @Deprecated
    public boolean storeWholePermission() {
        return (this.fiatStatus.isEnabled() && getPermission(getUsername(SecurityContextHolder.getContext().getAuthentication())) == null) ? false : true;
    }

    public static Optional<AuthorizationFailure> getAuthorizationFailure() {
        return Optional.ofNullable(authorizationFailure.get());
    }

    private String getUsername(Authentication authentication) {
        String str = "anonymous";
        if (authentication != null && authentication.isAuthenticated() && authentication.getPrincipal() != null) {
            Object principal = authentication.getPrincipal();
            if (principal instanceof UserDetails) {
                str = ((UserDetails) principal).getUsername();
            } else if (StringUtils.isNotEmpty(principal.toString())) {
                str = principal.toString();
            }
        }
        return str;
    }

    private boolean permissionContains(UserPermission.View view, String str, ResourceType resourceType, Authorization authorization) {
        if (view == null) {
            return false;
        }
        if (view.isAdmin()) {
            return true;
        }
        Function function = set -> {
            return Boolean.valueOf(set.stream().anyMatch(authorizable -> {
                return authorizable.getName().equalsIgnoreCase(str) && ((Set) Optional.ofNullable(authorizable.getAuthorizations()).orElse(Collections.emptySet())).contains(authorization);
            }));
        };
        if (resourceType.equals(ResourceType.ACCOUNT)) {
            boolean booleanValue = ((Boolean) function.apply(view.getAccounts())).booleanValue();
            if (!booleanValue) {
                log.debug("Authorization={} denied to account={} for user permission={}, found={}", new Object[]{authorization.toString(), str, view.getName(), ((Map) view.getAccounts().stream().collect(Collectors.toMap((v0) -> {
                    return v0.getName();
                }, (v0) -> {
                    return v0.getAuthorizations();
                }))).toString()});
            }
            return booleanValue;
        }
        if (resourceType.equals(ResourceType.APPLICATION)) {
            return (!view.getApplications().stream().anyMatch(view2 -> {
                return view2.getName().equalsIgnoreCase(str);
            }) && view.isAllowAccessToUnknownApplications()) || view.isLegacyFallback() || ((Boolean) function.apply(view.getApplications())).booleanValue();
        }
        if (resourceType.equals(ResourceType.SERVICE_ACCOUNT)) {
            return view.getServiceAccounts().stream().anyMatch(view3 -> {
                return view3.getName().equalsIgnoreCase(str);
            });
        }
        if (resourceType.equals(ResourceType.BUILD_SERVICE)) {
            return view.isLegacyFallback() || ((Boolean) function.apply(view.getBuildServices())).booleanValue();
        }
        if (view.getExtensionResources() == null || !view.getExtensionResources().containsKey(resourceType)) {
            return false;
        }
        return view.isLegacyFallback() || ((Boolean) function.apply((Set) view.getExtensionResources().get(resourceType))).booleanValue();
    }

    private UserPermission.View buildFallbackView() {
        return new UserPermission.View(new UserPermission().setId((String) AuthenticatedRequest.getSpinnakerUser().orElse("anonymous")).setAccounts((Set) Arrays.stream(((String) AuthenticatedRequest.getSpinnakerAccounts().orElse("")).split(",")).filter(str -> {
            return (str == null || str.isEmpty()) ? false : true;
        }).map(str2 -> {
            return new Account().setName(str2);
        }).collect(Collectors.toSet()))).setLegacyFallback(true).setAllowAccessToUnknownApplications(true);
    }

    private String getAccountsForView(UserPermission.View view) {
        String str = "''";
        if (view != null && view.getAccounts() != null && !view.getAccounts().isEmpty()) {
            str = (String) view.getAccounts().stream().map((v0) -> {
                return v0.getName();
            }).collect(Collectors.joining(","));
        }
        return str;
    }

    public boolean isAdmin() {
        return true;
    }

    public boolean isAdmin(Authentication authentication) {
        if (!this.fiatStatus.isEnabled()) {
            return true;
        }
        UserPermission.View permission = getPermission(getUsername(authentication));
        return permission != null && permission.isAdmin();
    }
}
