package org.georchestra.gateway.security.accessrules;

import com.google.common.annotations.VisibleForTesting;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.stream.Collectors;
import lombok.Generated;
import lombok.NonNull;
import org.georchestra.gateway.model.GatewayConfigProperties;
import org.georchestra.gateway.model.RoleBasedAccessRule;
import org.georchestra.gateway.security.GeorchestraUserMapper;
import org.georchestra.gateway.security.ServerHttpSecurityCustomizer;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.thymeleaf.spring5.util.FieldUtils;

/* loaded from: input_file:BOOT-INF/classes/org/georchestra/gateway/security/accessrules/AccessRulesCustomizer.class */
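public class AccessRulesCustomizer implements ServerHttpSecurityCustomizer {

    @Generated
    private static final Logger log = LoggerFactory.getLogger("org.georchestra.gateway.config.security.accessrules");

    /**
     * Label under which the gateway-wide rules are logged. The decompiled original referenced
     * {@code FieldUtils.GLOBAL_EXPRESSION} (a Thymeleaf constant whose value is {@code "global"});
     * using a local literal removes that accidental dependency without changing the log output.
     */
    private static final String GLOBAL_RULES_LABEL = "global";

    /** Prefix every configured role name must carry before it is handed to Spring Security. */
    private static final String ROLE_PREFIX = "ROLE_";

    @NonNull
    private final GatewayConfigProperties config;

    @NonNull
    private final GeorchestraUserMapper userMapper;

    /**
     * Registers the access rules of every proxied backend service, then the global access rules.
     * <p>
     * Registration order matters: Spring Security evaluates {@code pathMatchers} in the order they were
     * added, so a global rule only governs paths that no service-specific rule matched first. A
     * misordered or overly broad service pattern therefore shadows the global rules.
     *
     * @param serverHttpSecurity the security builder whose authorize-exchange spec receives the rules
     */
    @Override // org.springframework.security.config.Customizer
    public void customize(ServerHttpSecurity serverHttpSecurity) {
        log.info("Configuring proxied applications access rules...");
        ServerHttpSecurity.AuthorizeExchangeSpec authorizeExchange = serverHttpSecurity.authorizeExchange();
        this.config.getServices().forEach((serviceName, service) -> {
            log.info("Applying access rules for backend service '{}' at {}", serviceName, service.getTarget());
            apply(serviceName, authorizeExchange, service.getAccessRules());
        });
        log.info("Applying global access rules...");
        apply(GLOBAL_RULES_LABEL, authorizeExchange, this.config.getGlobalAccessRules());
    }

    /**
     * Applies each rule of {@code rules} in declaration order; a {@code null} or empty list is a
     * no-op (logged at debug level) rather than an error.
     *
     * @param ruleSetName label used only for logging (service name or the global label)
     * @param authorizeExchangeSpec the spec the rules are registered on
     * @param rules the rules to register, may be {@code null}
     */
    private void apply(String ruleSetName, ServerHttpSecurity.AuthorizeExchangeSpec authorizeExchangeSpec,
            List<RoleBasedAccessRule> rules) {
        if (rules == null || rules.isEmpty()) {
            log.debug("No {} access rules found.", ruleSetName);
            return;
        }
        for (RoleBasedAccessRule rule : rules) {
            apply(authorizeExchangeSpec, rule);
        }
    }

    /**
     * Registers one rule. Precedence, from strongest to weakest:
     * <ol>
     * <li>{@code forbidden}: deny everyone, regardless of any other flag;</li>
     * <li>{@code anonymous}: permit everyone, including unauthenticated requests;</li>
     * <li>no allowed roles (absent or empty): any authenticated user;</li>
     * <li>otherwise: the user must hold at least one of the (ROLE_-prefixed) allowed roles.</li>
     * </ol>
     * Note that a rule that sets neither {@code anonymous} nor {@code allowedRoles} still requires
     * authentication; it never falls through to an open endpoint.
     *
     * @param authorizeExchangeSpec the spec the rule is registered on
     * @param rule the rule to register
     * @throws NullPointerException if the rule has no intercept-url list or contains a {@code null} pattern
     * @throws IllegalArgumentException if the rule's intercept-url list is empty
     */
    @VisibleForTesting
    void apply(ServerHttpSecurity.AuthorizeExchangeSpec authorizeExchangeSpec, RoleBasedAccessRule rule) {
        List<String> antPatterns = resolveAntPatterns(rule);
        List<String> allowedRoles = rule.getAllowedRoles() == null ? List.of() : rule.getAllowedRoles();
        ServerHttpSecurity.AuthorizeExchangeSpec.Access access = authorizeExchange(authorizeExchangeSpec, antPatterns);

        // forbidden wins over everything else, so a misconfigured combination can never widen access
        if (rule.isForbidden()) {
            log.debug("Denying access to everyone for {}", antPatterns);
            denyAll(access);
            return;
        }
        if (rule.isAnonymous()) {
            log.debug("Granting anonymous access for {}", antPatterns);
            permitAll(access);
        } else if (allowedRoles.isEmpty()) {
            log.debug("Granting access to any authenticated user for {}", antPatterns);
            requireAuthenticatedUser(access);
        } else {
            List<String> roles = resolveRoles(allowedRoles);
            log.debug("Granting access to roles {} for {}", roles, antPatterns);
            hasAnyAuthority(access, roles);
        }
    }

    /**
     * Validates and returns the rule's ant patterns. A single pass checks every element; the
     * decompiled original ran the element null-check twice.
     *
     * @param rule the rule whose intercept-urls are read
     * @return the rule's intercept-url list, never {@code null}, never empty, no {@code null} elements
     * @throws NullPointerException if the list or one of its elements is {@code null}
     * @throws IllegalArgumentException if the list is empty
     */
    private List<String> resolveAntPatterns(RoleBasedAccessRule rule) {
        List<String> interceptUrls = Objects.requireNonNull(rule.getInterceptUrl(), "intercept-urls is null");
        if (interceptUrls.isEmpty()) {
            throw new IllegalArgumentException("No ant-pattern(s) defined for rule " + rule);
        }
        for (String pattern : interceptUrls) {
            Objects.requireNonNull(pattern, () -> "null intercept-url in rule " + rule);
        }
        return interceptUrls;
    }

    /**
     * Creates the {@code Access} for the given ant patterns.
     *
     * @param authorizeExchangeSpec the spec to add the matchers to
     * @param antPatterns the ant-style path patterns; the array conversion uses the Java 11+
     *        {@code toArray(IntFunction)} overload
     * @return the access object the concrete rule is then applied to
     */
    @VisibleForTesting
    ServerHttpSecurity.AuthorizeExchangeSpec.Access authorizeExchange(
            ServerHttpSecurity.AuthorizeExchangeSpec authorizeExchangeSpec, List<String> antPatterns) {
        return authorizeExchangeSpec.pathMatchers(antPatterns.toArray(String[]::new));
    }

    /**
     * Normalizes configured role names so each carries the {@code ROLE_} prefix. The original
     * method also took the ant-pattern list but never used it, so that parameter is dropped.
     *
     * @param allowedRoles configured role names, with or without prefix
     * @return the prefixed role names in the same order
     */
    private List<String> resolveRoles(List<String> allowedRoles) {
        return allowedRoles.stream().map(this::ensureRolePrefix).collect(Collectors.toList());
    }

    /**
     * Requires any authenticated principal.
     *
     * @param access the access object for the matched paths
     */
    @VisibleForTesting
    void requireAuthenticatedUser(ServerHttpSecurity.AuthorizeExchangeSpec.Access access) {
        access.authenticated();
    }

    /**
     * Requires that the user, as resolved through {@link #userMapper}, holds at least one of the roles.
     *
     * @param access the access object for the matched paths
     * @param roles fully prefixed role names
     */
    @VisibleForTesting
    void hasAnyAuthority(ServerHttpSecurity.AuthorizeExchangeSpec.Access access, List<String> roles) {
        access.access(GeorchestraUserRolesAuthorizationManager.hasAnyAuthority(this.userMapper,
                roles.toArray(String[]::new)));
    }

    /**
     * Opens the matched paths to everyone, authenticated or not.
     *
     * @param access the access object for the matched paths
     */
    @VisibleForTesting
    void permitAll(ServerHttpSecurity.AuthorizeExchangeSpec.Access access) {
        access.permitAll();
    }

    /**
     * Closes the matched paths to everyone.
     *
     * @param access the access object for the matched paths
     */
    @VisibleForTesting
    void denyAll(ServerHttpSecurity.AuthorizeExchangeSpec.Access access) {
        access.denyAll();
    }

    /**
     * Returns the role name with the {@code ROLE_} prefix, adding it only when absent.
     *
     * @param roleName the configured role name
     * @return the prefixed role name
     * @throws NullPointerException if {@code roleName} is {@code null} (Lombok-style check kept)
     */
    private String ensureRolePrefix(@NonNull String roleName) {
        if (roleName == null) {
            throw new NullPointerException("roleName is marked non-null but is null");
        }
        return roleName.startsWith(ROLE_PREFIX) ? roleName : ROLE_PREFIX + roleName;
    }

    /**
     * Creates the customizer.
     *
     * @param gatewayConfigProperties the gateway configuration holding service and global rules
     * @param georchestraUserMapper resolves the geOrchestra user (and roles) for an authentication
     * @throws NullPointerException if either argument is {@code null}
     */
    @Generated
    public AccessRulesCustomizer(@NonNull GatewayConfigProperties gatewayConfigProperties,
            @NonNull GeorchestraUserMapper georchestraUserMapper) {
        if (gatewayConfigProperties == null) {
            throw new NullPointerException("config is marked non-null but is null");
        }
        if (georchestraUserMapper == null) {
            throw new NullPointerException("userMapper is marked non-null but is null");
        }
        this.config = gatewayConfigProperties;
        this.userMapper = georchestraUserMapper;
    }
}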
