package no.fintlabs.opa;

import java.util.function.Supplier;
import no.vigoiks.resourceserver.security.FintJwtEndUserPrincipal;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authorization.AuthorizationDecision;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.security.web.access.intercept.RequestAuthorizationContext;
import org.springframework.stereotype.Component;

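/**
 * Request-level authorization for the Kontroll API.
 *
 * <p>Decision flow for a request:
 * <ol>
 *   <li>Requests under the OpenAPI / OPA-bundle paths (see {@link #isPublicPath(String)})
 *       are granted without any authentication.</li>
 *   <li>The request must carry a {@link JwtAuthenticationToken}; a missing authentication,
 *       an anonymous token or any other token type is denied.</li>
 *   <li>Outside "beta" deployments (see {@link #isBeta()}) the token must carry both the
 *       configured role and the configured org-id authority. A token that additionally
 *       carries the admin role is granted immediately, without consulting
 *       {@link AuthorizationClient}. In beta this whole step is skipped.</li>
 *   <li>Every remaining request is delegated to
 *       {@link AuthorizationClient#isAuthorized} with the user's e-mail and the HTTP method.
 *       NOTE(review): only the method is sent, not the request path, so the external policy
 *       cannot distinguish resources - confirm that is intended.</li>
 * </ol>
 *
 * <p>Denials are signalled by throwing {@link AccessDeniedException} rather than by returning
 * a negative {@link AuthorizationDecision}. Spring Security's ExceptionTranslationFilter turns
 * both into the same 401/403 handling, and existing callers/tests that expect the exception
 * keep working.
 */
@Component
public final class KontrollAuthorizationManager implements AuthorizationManager<RequestAuthorizationContext> {
    private static final Logger log = LoggerFactory.getLogger(KontrollAuthorizationManager.class);

    /**
     * Path prefixes, relative to the servlet context path, that are served without
     * authorization: the OpenAPI UI/spec and the OPA policy bundle. A path is public only when
     * it equals a prefix or continues with "/" or "." (e.g. "/swagger-ui/index.html",
     * "/swagger-ui.html", "/v3/api-docs.yaml"); a prefix that merely occurs somewhere inside a
     * longer path (e.g. "/api/things/swagger-ui") no longer bypasses authorization.
     * "/v3/api-docs" is listed explicitly because it is springdoc's default spec path and was
     * previously matched only through substring matching on "/api-docs".
     *
     * NOTE(review): these exclusions really belong in the HttpSecurity configuration as
     * permitAll() request matchers. If springdoc is configured with non-default paths they must
     * be added here.
     */
    private static final String[] PUBLIC_PATH_PREFIXES = {
            "/swagger-ui", "/api-docs", "/v3/api-docs", "/opabundle"
    };

    @Autowired
    private AuthorizationClient authorizationClient;

    /** Role (without the "ROLE_" prefix) every non-admin user must hold outside beta. */
    @Value("${fint.kontroll.authorization.authorized-role:rolle}")
    private String authorizedRole;

    /** Role (without the "ROLE_" prefix) that, together with role+org, skips the OPA check outside beta. */
    @Value("${fint.kontroll.authorization.authorized-admin-role:admin}")
    private String adminRole;

    /** Org id (without the "ORGID_" prefix) every non-admin user must belong to outside beta. */
    @Value("${fint.kontroll.authorization.authorized-org-id:vigo.no}")
    private String authorizedOrgId;

    /**
     * Base URL used only to detect local/beta deployments in {@link #isBeta()}.
     *
     * NOTE(review): the default "localhost" counts as beta, so a deployment that forgets to set
     * this property runs WITHOUT the role/org gate. An explicit, fail-closed flag would be safer
     * than inferring the environment from a URL.
     */
    @Value("${fint.relations.default-base-url:localhost}")
    private String baseUrl;

    /**
     * Authorizes one request.
     *
     * @param supplier                    supplies the current {@link Authentication}; may yield
     *                                    {@code null} when nothing authenticated the request
     * @param requestAuthorizationContext the request being authorized
     * @return a granting decision; denials are raised as exceptions
     * @throws AccessDeniedException when the request is not allowed
     */
    @Override
    public AuthorizationDecision check(Supplier<Authentication> supplier, RequestAuthorizationContext requestAuthorizationContext) {
        String path = getRequestPath(requestAuthorizationContext);
        if (isPublicPath(path)) {
            log.debug("Swagger or api-docs, skipping authorization");
            return new AuthorizationDecision(true);
        }
        Authentication authentication = supplier.get();
        if (authentication == null) {
            // Nothing populated the security context: deny instead of failing with an NPE
            // (which would surface as a 500 rather than a 401/403).
            log.warn("No authentication present, access denied");
            throw new AccessDeniedException("Access denied, no authentication present");
        }
        if (!(authentication instanceof JwtAuthenticationToken)) {
            log.warn("Illegal jwt token: " + authentication.getClass().getName());
            throw new AccessDeniedException("Access denied, illegal JwtAuthenticationToken: " + authentication.getClass().getName());
        }
        JwtAuthenticationToken jwtAuthenticationToken = (JwtAuthenticationToken) authentication;
        if (!isBeta()) {
            // Admins (role + org + admin role) are granted without asking the policy service.
            if (hasAdminRole(jwtAuthenticationToken)) {
                log.info("User has admin role, access granted");
                return new AuthorizationDecision(true);
            }
            if (!hasRoleAndAuthority(jwtAuthenticationToken)) {
                log.warn("Access denied, not correct role or org");
                throw new AccessDeniedException("Access is denied. Not correct org or role");
            }
        }
        String userNameFromToken = getUserNameFromToken(jwtAuthenticationToken);
        log.info("User {} got authentication result {}", userNameFromToken, Boolean.valueOf(authentication.isAuthenticated()));
        if (userNameFromToken.isEmpty()) {
            // The token carries no e-mail, so there is no subject to authorize. Fail closed
            // rather than asking the policy service about an empty user.
            log.warn("Access denied, token has no mail claim to authorize");
            throw new AccessDeniedException("User not authorized, access is denied");
        }
        Boolean authorized = this.authorizationClient.isAuthorized(userNameFromToken, getRequestMethod(requestAuthorizationContext));
        // Boolean.TRUE.equals(...) fails closed if the client ever returns null instead of false.
        if (Boolean.TRUE.equals(authorized)) {
            return new AuthorizationDecision(true);
        }
        log.info("User not authorized, access denied");
        throw new AccessDeniedException("User not authorized, access is denied");
    }

    /**
     * True when the role/org gate should be skipped: the configured base URL is the default
     * "localhost" or contains "/beta.". Null-safe so a test that clears the URL cannot NPE.
     */
    private boolean isBeta() {
        log.debug("Environment is: {}", this.baseUrl);
        boolean beta = "localhost".equals(this.baseUrl)
                || (this.baseUrl != null && this.baseUrl.contains("/beta."));
        if (beta) {
            log.debug("Auth: Is beta");
        }
        return beta;
    }

    /** True when {@code path} is exactly one of the public prefixes or continues it with "/" or ".". */
    private static boolean isPublicPath(String path) {
        for (String prefix : PUBLIC_PATH_PREFIXES) {
            if (path.equals(prefix) || path.startsWith(prefix + "/") || path.startsWith(prefix + ".")) {
                return true;
            }
        }
        return false;
    }

    /** The HTTP method of the request, which is the only request attribute sent to the policy client. */
    private static String getRequestMethod(RequestAuthorizationContext requestAuthorizationContext) {
        String method = requestAuthorizationContext.getRequest().getMethod();
        log.debug("Request method {}", method);
        log.debug("Request path {}", requestAuthorizationContext.getRequest().getRequestURI());
        return method;
    }

    /**
     * The request URI with the servlet context path removed, so that public-path matching is
     * anchored at the application root regardless of where the app is deployed.
     */
    private static String getRequestPath(RequestAuthorizationContext requestAuthorizationContext) {
        String uri = requestAuthorizationContext.getRequest().getRequestURI();
        log.debug("Request path {}", uri);
        if (uri == null) {
            return "";
        }
        String contextPath = requestAuthorizationContext.getRequest().getContextPath();
        if (contextPath != null && !contextPath.isEmpty() && uri.startsWith(contextPath)) {
            return uri.substring(contextPath.length());
        }
        return uri;
    }

    /** The end-user's e-mail from the JWT, or "" when the token has none. */
    private String getUserNameFromToken(JwtAuthenticationToken jwtAuthenticationToken) {
        FintJwtEndUserPrincipal principal = FintJwtEndUserPrincipal.from(jwtAuthenticationToken.getToken());
        String mail = principal.getMail();
        return mail != null ? mail : "";
    }

    /** True when the token carries a granted authority with exactly this name. */
    private static boolean hasAuthority(JwtAuthenticationToken token, String authority) {
        return token.getAuthorities().stream()
                .anyMatch(granted -> granted.getAuthority().equals(authority));
    }

    /** True when the token carries both "ROLE_&lt;authorizedRole&gt;" and "ORGID_&lt;authorizedOrgId&gt;". */
    private boolean hasRoleAndAuthority(JwtAuthenticationToken jwtAuthenticationToken) {
        return hasAuthority(jwtAuthenticationToken, "ROLE_" + this.authorizedRole)
                && hasAuthority(jwtAuthenticationToken, "ORGID_" + this.authorizedOrgId);
    }

    /**
     * True when the token satisfies {@link #hasRoleAndAuthority} AND carries
     * "ROLE_&lt;adminRole&gt;". Authority dumps are logged at debug only: they are emitted on
     * every request and describe the caller's privileges.
     */
    private boolean hasAdminRole(JwtAuthenticationToken jwtAuthenticationToken) {
        log.debug("Auth: Found admin role in env: {}", this.adminRole);
        if (log.isDebugEnabled()) {
            jwtAuthenticationToken.getAuthorities()
                    .forEach(granted -> log.debug("Role in jwt: {}", granted.getAuthority()));
        }
        return hasRoleAndAuthority(jwtAuthenticationToken)
                && hasAuthority(jwtAuthenticationToken, "ROLE_" + this.adminRole);
    }

    /** Test hook: overrides the configured role. */
    protected void setAuthorizedRole(String str) {
        this.authorizedRole = str;
    }

    /** Test hook: overrides the configured admin role. */
    protected void setAdminRole(String str) {
        this.adminRole = str;
    }

    /** Test hook: overrides the configured org id. */
    protected void setAuthorizedOrgId(String str) {
        this.authorizedOrgId = str;
    }

    /** Test hook: overrides the base URL used for beta detection. */
    protected void setBaseUrl(String str) {
        this.baseUrl = str;
    }
}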
