package no.fintlabs.resource.server;

import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import kotlin.Metadata;
import kotlin.collections.CollectionsKt;
import kotlin.jvm.functions.Function1;
import kotlin.jvm.internal.Intrinsics;
import kotlin.jvm.internal.SourceDebugExtension;
import kotlin.text.StringsKt;
import no.fintlabs.resource.server.authentication.CorePrincipal;
import no.fintlabs.resource.server.config.SecurityProperties;
import no.fintlabs.resource.server.enums.FintScope;
import no.fintlabs.resource.server.enums.FintType;
import no.fintlabs.resource.server.opa.OpaService;
import no.fintlabs.resource.server.opa.model.OpaResponse;
import org.jetbrains.annotations.NotNull;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.server.reactive.ServerHttpRequest;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.core.OAuth2Token;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;

/* compiled from: CoreAccessService.kt */
@Metadata(mv = {1, 9, 0}, k = 1, xi = 48, d1 = {"��>\n\u0002\u0018\u0002\n\u0002\u0010��\n��\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n\u0002\u0010\u000b\n��\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0002\b\u0007\u0018��2\u00020\u0001B\u0015\u0012\u0006\u0010\u0002\u001a\u00020\u0003\u0012\u0006\u0010\u0004\u001a\u00020\u0005¢\u0006\u0002\u0010\u0006J\u001e\u0010\t\u001a\b\u0012\u0004\u0012\u00020\u000b0\n2\u0006\u0010\f\u001a\u00020\r2\u0006\u0010\u000e\u001a\u00020\u000fH\u0002J\u001c\u0010\u0010\u001a\b\u0012\u0004\u0012\u00020\u000b0\n2\u0006\u0010\u000e\u001a\u00020\u000f2\u0006\u0010\u0011\u001a\u00020\u0012J\u001e\u0010\u0013\u001a\b\u0012\u0004\u0012\u00020\u000b0\n2\u0006\u0010\u0014\u001a\u00020\r2\u0006\u0010\u0015\u001a\u00020\u000fH\u0002J\u0018\u0010\u0016\u001a\u00020\u000b2\u0006\u0010\u0014\u001a\u00020\r2\u0006\u0010\u0015\u001a\u00020\u000fH\u0002J\u0010\u0010\u0017\u001a\u00020\u000b2\u0006\u0010\u0014\u001a\u00020\rH\u0002J\u0010\u0010\u0018\u001a\u00020\u000b2\u0006\u0010\u0014\u001a\u00020\rH\u0002R\u000e\u0010\u0007\u001a\u00020\bX\u0082\u0004¢\u0006\u0002\n��R\u000e\u0010\u0004\u001a\u00020\u0005X\u0082\u0004¢\u0006\u0002\n��R\u000e\u0010\u0002\u001a\u00020\u0003X\u0082\u0004¢\u0006\u0002\n��¨\u0006\u0019"}, d2 = {"Lno/fintlabs/resource/server/CoreAccessService;", "", "securityProperties", "Lno/fintlabs/resource/server/config/SecurityProperties;", "opaService", "Lno/fintlabs/resource/server/opa/OpaService;", "(Lno/fintlabs/resource/server/config/SecurityProperties;Lno/fintlabs/resource/server/opa/OpaService;)V", "logger", "Lorg/slf4j/Logger;", "authorizeCore", "Lreactor/core/publisher/Mono;", "", "principal", "Lno/fintlabs/resource/server/authentication/CorePrincipal;", "exchange", "Lorg/springframework/web/server/ServerWebExchange;", "isAuthorized", "authentication", "Lorg/springframework/security/core/Authentication;", "opaCheck", "p", 
"ex", "roleMatches", "scopeMatches", "typeMatches", "core-resource-server"})
@SourceDebugExtension({"SMAP\nCoreAccessService.kt\nKotlin\n*S Kotlin\n*F\n+ 1 CoreAccessService.kt\nno/fintlabs/resource/server/CoreAccessService\n+ 2 fake.kt\nkotlin/jvm/internal/FakeKt\n+ 3 _Collections.kt\nkotlin/collections/CollectionsKt___CollectionsKt\n*L\n1#1,75:1\n1#2:76\n1747#3,3:77\n766#3:80\n857#3,2:81\n*S KotlinDebug\n*F\n+ 1 CoreAccessService.kt\nno/fintlabs/resource/server/CoreAccessService\n*L\n56#1:77,3\n62#1:80\n62#1:81,2\n*E\n"})
/* loaded from: input_file:no/fintlabs/resource/server/CoreAccessService.class */
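/**
 * Decides whether an authenticated request may proceed.
 *
 * <p>A request is allowed only when the caller is a {@link CorePrincipal} and passes, in order,
 * the configured type check, the configured scope check, the role check derived from the request
 * path, and finally the policy query made through {@link OpaService}. Every local failure
 * short-circuits to a {@code false} result before the policy service is contacted.
 *
 * <p>This listing is reconstructed from compiled Kotlin ({@code CoreAccessService.kt}). The
 * decompiler output did not compile (an unbound type variable {@code T}, an undefined register
 * name {@code r1}, and a {@code super(1)} call inside an anonymous class initializer); those
 * artifacts are replaced here with equivalent plain Java.
 */
public final class CoreAccessService {

    @NotNull
    private final SecurityProperties securityProperties;

    @NotNull
    private final OpaService opaService;

    @NotNull
    private final Logger logger;

    /**
     * Creates the service.
     *
     * @param securityProperties source of the required type and scopes
     * @param opaService client used for the final policy decision
     * @throws NullPointerException if either argument is {@code null}
     */
    public CoreAccessService(@NotNull SecurityProperties securityProperties, @NotNull OpaService opaService) {
        Intrinsics.checkNotNullParameter(securityProperties, "securityProperties");
        Intrinsics.checkNotNullParameter(opaService, "opaService");
        this.securityProperties = securityProperties;
        this.opaService = opaService;
        Logger logger = LoggerFactory.getLogger(CoreAccessService.class);
        Intrinsics.checkNotNullExpressionValue(logger, "getLogger(...)");
        this.logger = logger;
    }

    /**
     * Entry point of the authorization decision.
     *
     * <p>Any authentication that is not a {@link CorePrincipal} is denied without further checks.
     *
     * @param serverWebExchange the current exchange
     * @param authentication the authentication attached to the request
     * @return a {@code Mono} carrying the decision; see {@code opaCheck} for the cases in which
     *     no value is emitted
     * @throws NullPointerException if either argument is {@code null}
     */
    @NotNull
    public final Mono<Boolean> isAuthorized(@NotNull ServerWebExchange serverWebExchange, @NotNull Authentication authentication) {
        Intrinsics.checkNotNullParameter(serverWebExchange, "exchange");
        Intrinsics.checkNotNullParameter(authentication, "authentication");
        if (authentication instanceof CorePrincipal) {
            return authorizeCore((CorePrincipal) authentication, serverWebExchange);
        }
        // NOTE(review): the whole Authentication object is handed to the logger; confirm that its
        // toString() does not render token or credential material before enabling debug logging.
        this.logger.debug("Authorization failed: not a CorePrincipal, authentication={}", authentication);
        return denied();
    }

    /**
     * Runs the local checks in a fixed order (type, scope, role) and queries the policy service
     * only when all of them pass.
     */
    private final Mono<Boolean> authorizeCore(CorePrincipal corePrincipal, ServerWebExchange serverWebExchange) {
        if (!typeMatches(corePrincipal)) {
            // NOTE(review): the principal object itself is logged here; confirm its toString()
            // output is safe to write to logs.
            this.logger.debug("Authorization failed: typeMatches=false, requiredType={}, principal={}", this.securityProperties.getFintType(), corePrincipal);
            return denied();
        }
        if (!scopeMatches(corePrincipal)) {
            this.logger.debug("Authorization failed: scopeMatches=false, requiredScopes={}, principalScopes={}", this.securityProperties.getRequiredScopes(), corePrincipal.getScopes());
            return denied();
        }
        if (!roleMatches(corePrincipal, serverWebExchange)) {
            this.logger.debug("Authorization failed: roleMatches=false for path={}, principalRoles={}", serverWebExchange.getRequest().getURI().getPath(), corePrincipal.getRoles());
            return denied();
        }
        return opaCheck(corePrincipal, serverWebExchange);
    }

    /** Returns the deny decision used by every local check that fails. */
    private static Mono<Boolean> denied() {
        return Mono.just(false);
    }

    /**
     * Checks the principal against the configured {@link FintType}.
     *
     * <p>When no type is configured the check passes for every principal. A configured
     * {@code CLIENT} requires {@code isClient()}; any other configured value requires
     * {@code isAdapter()}.
     */
    private final boolean typeMatches(CorePrincipal corePrincipal) {
        FintType requiredType = this.securityProperties.getFintType();
        if (requiredType == null) {
            return true;
        }
        // NOTE(review): every value other than CLIENT is handled as "adapter"; revisit this
        // branch if FintType has, or later gains, further values.
        return requiredType == FintType.CLIENT ? corePrincipal.isClient() : corePrincipal.isAdapter();
    }

    /**
     * Checks that the principal holds at least one of the configured scopes.
     *
     * <p>A {@code null} scope list passes every principal, an empty list passes none, and a
     * non-empty list passes when any formatted scope value is contained in the principal's scopes.
     */
    private final boolean scopeMatches(CorePrincipal corePrincipal) {
        List<FintScope> requiredScopes = this.securityProperties.getRequiredScopes();
        if (requiredScopes == null) {
            // NOTE(review): a missing list skips the scope check entirely, whereas an empty list
            // denies everyone; confirm that absent configuration is meant to be permissive.
            return true;
        }
        for (FintScope requiredScope : requiredScopes) {
            if (corePrincipal.getScopes().contains(requiredScope.getFormattedValue())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Checks the principal's roles against the first two non-blank segments of the request path.
     *
     * <p>The path is split on {@code '/'} and blank segments are dropped, so repeated or leading
     * slashes do not shift the segments. A path with fewer than two remaining segments is denied.
     */
    private final boolean roleMatches(CorePrincipal corePrincipal, ServerWebExchange serverWebExchange) {
        String path = serverWebExchange.getRequest().getURI().getPath();
        Intrinsics.checkNotNullExpressionValue(path, "getPath(...)");
        // NOTE(review): the role decision is keyed on this local parsing of the path; confirm that
        // the route/handler mapping resolves the same two segments for the same request, so the
        // resource that is checked is the resource that is served.
        List<String> parts = StringsKt.split$default(path, new char[]{'/'}, false, 0, 6, (Object) null);
        List<String> segments = new ArrayList<>();
        for (String part : parts) {
            if (!StringsKt.isBlank(part)) {
                segments.add(part);
            }
        }
        if (segments.size() < 2) {
            return false;
        }
        return corePrincipal.hasRole(segments.get(0), segments.get(1));
    }

    /**
     * Asks the policy service for the final decision.
     *
     * <p>As a side effect of a response, the returned field and relation sets are stored in the
     * exchange attributes {@code "x-opa-fields"} and {@code "x-opa-relations"}; they are written
     * whether or not the response allows the request. These are server-side exchange attributes,
     * not request headers.
     *
     * <p>No Boolean is emitted when the policy call completes empty or fails.
     * NOTE(review): confirm that the caller treats an empty or failed {@code Mono} as a denial.
     */
    private final Mono<Boolean> opaCheck(CorePrincipal corePrincipal, final ServerWebExchange serverWebExchange) {
        OAuth2Token token = corePrincipal.getToken();
        Intrinsics.checkNotNullExpressionValue(token, "getToken(...)");
        ServerHttpRequest request = serverWebExchange.getRequest();
        Intrinsics.checkNotNullExpressionValue(request, "getRequest(...)");
        // The cast mirrors the one in the decompiled code; presumably a CorePrincipal always
        // carries a Jwt (confirm against CorePrincipal). Any other token type fails here with a
        // ClassCastException.
        Mono<Boolean> decision = this.opaService.requestOpa((Jwt) token, request).map(opaResponse -> {
            Map<String, Object> attributes = serverWebExchange.getAttributes();
            Intrinsics.checkNotNullExpressionValue(attributes, "getAttributes(...)");
            // NOTE(review): getResult() is dereferenced without a null check; confirm that
            // OpaResponse guarantees a result.
            attributes.put("x-opa-fields", opaResponse.getResult().getFields());
            attributes.put("x-opa-relations", opaResponse.getResult().getRelations());
            return Boolean.valueOf(opaResponse.getResult().getAllow());
        });
        Intrinsics.checkNotNullExpressionValue(decision, "map(...)");
        return decision;
    }
}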
