package no.fintlabs.opa;

import java.util.Collection;
import no.vigoiks.resourceserver.security.FintJwtEndUserPrincipal;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.ConfigAttribute;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.stereotype.Component;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;

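/**
 * Spring Security {@link AccessDecisionManager} that delegates the allow/deny decision for the
 * current HTTP request to {@link AuthorizationClient}.
 *
 * <p>The decision input is the end user's mail address (read from the JWT through
 * {@link FintJwtEndUserPrincipal}) and the HTTP method of the request bound to the current
 * thread. Every path through {@link #decide} that cannot establish both inputs, or that does not
 * receive an explicit {@code true} from the client, ends in a denial.
 */
@Component
public class OpaAuthorizationManager implements AccessDecisionManager {
    private static final Logger log = LoggerFactory.getLogger(OpaAuthorizationManager.class);

    @Autowired
    private AuthorizationClient authorizationClient;

    /**
     * Decides whether the authenticated end user may perform the current request.
     *
     * @param authentication the caller's authentication; must be an authenticated
     *     {@link JwtAuthenticationToken}
     * @param obj the secured object (not used)
     * @param collection the configuration attributes of the secured object (not used)
     * @throws AccessDeniedException if the authentication is not a JWT token, no servlet request
     *     is bound to the current thread, or the authorization client does not return
     *     {@code true}
     * @throws InsufficientAuthenticationException if the token is not marked as authenticated
     */
    @Override
    public void decide(Authentication authentication, Object obj, Collection<ConfigAttribute> collection) throws AccessDeniedException, InsufficientAuthenticationException {
        if (!(authentication instanceof JwtAuthenticationToken)) {
            throw new AccessDeniedException("Not a JwtAuthenticationToken");
        }
        // Enforce the authenticated flag instead of only logging it.
        if (!authentication.isAuthenticated()) {
            throw new InsufficientAuthenticationException("Authentication is not complete");
        }

        // getToken() is typed as Jwt, so no unchecked cast of the principal is needed.
        Jwt jwt = ((JwtAuthenticationToken) authentication).getToken();
        FintJwtEndUserPrincipal principal = FintJwtEndUserPrincipal.from(jwt);
        // NOTE(review): a token without a mail claim is sent to the policy check as the empty
        // user name. Confirm the policy denies "" — otherwise reject such tokens here.
        String mail = principal.getMail() != null ? principal.getMail() : "";

        // getRequestAttributes() returns null outside a request-bound thread and may return a
        // non-servlet implementation; deny instead of failing with a NullPointerException or
        // ClassCastException.
        Object attributes = RequestContextHolder.getRequestAttributes();
        if (!(attributes instanceof ServletRequestAttributes)) {
            log.warn("No servlet request bound to the current thread, denying access");
            throw new AccessDeniedException("Access is denied");
        }
        ServletRequestAttributes requestAttributes = (ServletRequestAttributes) attributes;
        String method = requestAttributes.getRequest().getMethod();
        String path = requestAttributes.getRequest().getRequestURI();

        // Identity details (principal name, mail) are personal data, so they are logged at
        // debug level rather than on every request at info level.
        log.debug("Fant principalName {}", jwt.getClaims().get("principalName"));
        log.debug("Request method {}", method);
        log.debug("Request path {}", path);
        log.debug("Checking if user is authorized in opa with username {}", mail);

        // NOTE(review): only the user and the HTTP method are passed to the authorization
        // client; the request path is logged but is not part of the decision input.
        // Boolean.TRUE.equals(...) treats a null answer as a denial instead of throwing.
        if (!Boolean.TRUE.equals(this.authorizationClient.isAuthorized(mail, method))) {
            log.info("Access denied for {} {}", method, path);
            throw new AccessDeniedException("Access is denied");
        }
    }

    /**
     * Reports that every configuration attribute is supported; {@link #decide} does not inspect
     * the attributes.
     *
     * @param configAttribute the attribute to check (not used)
     * @return always {@code true}
     */
    @Override
    public boolean supports(ConfigAttribute configAttribute) {
        return true;
    }

    /**
     * Reports that every secured object type is supported; {@link #decide} does not inspect the
     * secured object.
     *
     * @param cls the secured object type (not used)
     * @return always {@code true}
     */
    @Override
    public boolean supports(Class<?> cls) {
        return true;
    }
}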
