package eu.openanalytics.containerproxy.service;

import com.google.common.base.Supplier;
import com.google.common.base.Suppliers;
import eu.openanalytics.containerproxy.auth.IAuthenticationBackend;
import eu.openanalytics.containerproxy.model.spec.AccessControl;
import eu.openanalytics.containerproxy.model.spec.ProxySpec;
import eu.openanalytics.containerproxy.spec.expression.SpecExpressionContext;
import eu.openanalytics.containerproxy.spec.expression.SpecExpressionResolver;
import org.springframework.context.annotation.Lazy;
import org.springframework.core.env.Environment;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Service;

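/**
 * Evaluates the access-control section of a proxy spec against the caller's
 * {@link Authentication}.
 *
 * <p>Decision order implemented by {@link #checkAccess}:
 * <ol>
 *   <li>anonymous callers are rejected when the authentication backend reports
 *       that it supports authorization;</li>
 *   <li>a configured strict expression must evaluate to {@code true}, otherwise
 *       access is denied regardless of the remaining rules;</li>
 *   <li>a spec without groups, users or expression is open to every caller that
 *       passed the two checks above;</li>
 *   <li>otherwise group membership, user name or the access expression grants
 *       access (any one of them is sufficient).</li>
 * </ol>
 */
@Service
/* loaded from: input_file:BOOT-INF/lib/containerproxy-1.2.0.jar:eu/openanalytics/containerproxy/service/AccessControlEvaluationService.class */
public class AccessControlEvaluationService {
    /** Property that switches user-name matching between exact and case-insensitive comparison. */
    public static final String PROP_USERNAME_CASE_SENSITIVE = "proxy.username-case-sensitive";
    private final IAuthenticationBackend authBackend;
    private final UserService userService;
    private final SpecExpressionResolver specExpressionResolver;
    // Defaults to true (exact match) when the property is absent.
    private final boolean usernameCaseSensitive;

    /**
     * @param iAuthenticationBackend backend asked whether authorization is supported (injected lazily)
     * @param userService            used for group-membership checks
     * @param specExpressionResolver evaluates the strict and regular access expressions
     * @param environment            source of {@value #PROP_USERNAME_CASE_SENSITIVE}
     */
    public AccessControlEvaluationService(@Lazy IAuthenticationBackend iAuthenticationBackend, UserService userService, SpecExpressionResolver specExpressionResolver, Environment environment) {
        this.authBackend = iAuthenticationBackend;
        this.userService = userService;
        this.specExpressionResolver = specExpressionResolver;
        this.usernameCaseSensitive = environment.getProperty(PROP_USERNAME_CASE_SENSITIVE, Boolean.class, true);
    }

    /**
     * Decides whether the caller may use the given proxy spec.
     *
     * @param authentication caller identity; may be {@code null}
     * @param proxySpec      spec being accessed, added to the expression context
     * @param accessControl  rules to evaluate; {@code null} means "no access control"
     * @param objArr         extra objects made available to the expressions
     * @return {@code true} when access is granted
     */
    public boolean checkAccess(Authentication authentication, ProxySpec proxySpec, AccessControl accessControl, Object... objArr) {
        if (authentication instanceof AnonymousAuthenticationToken && this.authBackend.hasAuthorization()) {
            return false;
        }
        // Built at most once and only if an expression is actually evaluated.
        // The context carries the principal and the credentials of the caller, so
        // access expressions must originate from trusted configuration only.
        Supplier<SpecExpressionContext> context = Suppliers.memoize(() -> {
            SpecExpressionContext.SpecExpressionContextBuilder builder = SpecExpressionContext.create(objArr).addServerName().extend(proxySpec);
            if (authentication != null) {
                builder.extend(authentication, authentication.getPrincipal(), authentication.getCredentials());
            }
            return builder.build();
        });
        // The strict expression is a mandatory gate: a false result denies access
        // even if a group, user or regular expression would have matched.
        if (accessControl != null && accessControl.hasStrictExpressionAccess()
                && !this.specExpressionResolver.evaluateToBoolean(accessControl.getStrictExpression(), context.get()).booleanValue()) {
            return false;
        }
        // NOTE(review): a spec with no groups/users/expression is granted to every
        // caller reaching this point, including anonymous callers when the backend
        // has no authorization support.
        if (hasNoAccessControl(accessControl) || allowedByGroups(authentication, accessControl) || allowedByUsers(authentication, accessControl)) {
            return true;
        }
        return allowedByExpression(context.get(), accessControl);
    }

    /**
     * @return {@code true} when {@code accessControl} is {@code null} or defines neither
     *         groups, users nor an access expression (the strict expression is not considered here)
     */
    public boolean hasNoAccessControl(AccessControl accessControl) {
        if (accessControl == null) {
            return true;
        }
        return !(accessControl.hasGroupAccess() || accessControl.hasUserAccess() || accessControl.hasExpressionAccess());
    }

    /**
     * @return {@code true} when the caller is a member of at least one configured group;
     *         {@code false} when no groups are configured or {@code accessControl} is {@code null}
     */
    public boolean allowedByGroups(Authentication authentication, AccessControl accessControl) {
        // Deny instead of failing with a NullPointerException when called directly without rules.
        if (accessControl == null || !accessControl.hasGroupAccess()) {
            return false;
        }
        for (String group : accessControl.getGroups()) {
            if (this.userService.isMember(authentication, group)) {
                return true;
            }
        }
        return false;
    }

    /**
     * @return {@code true} when the caller's name matches one of the configured users;
     *         {@code false} when no users are configured, or when {@code accessControl}
     *         or {@code authentication} is {@code null}
     */
    public boolean allowedByUsers(Authentication authentication, AccessControl accessControl) {
        if (accessControl == null || !accessControl.hasUserAccess()) {
            return false;
        }
        // checkAccess tolerates a null authentication; an unidentified caller can
        // never match a user entry, so deny rather than dereference null.
        if (authentication == null) {
            return false;
        }
        String callerName = authentication.getName();
        for (String allowedUser : accessControl.getUsers()) {
            if (usernameEquals(callerName, allowedUser)) {
                return true;
            }
        }
        return false;
    }

    /**
     * @return the result of the configured access expression, or {@code false} when
     *         none is configured or {@code accessControl} is {@code null}
     */
    public boolean allowedByExpression(SpecExpressionContext specExpressionContext, AccessControl accessControl) {
        if (accessControl == null || !accessControl.hasExpressionAccess()) {
            return false;
        }
        return this.specExpressionResolver.evaluateToBoolean(accessControl.getExpression(), specExpressionContext).booleanValue();
    }

    /**
     * Compares two user names according to {@value #PROP_USERNAME_CASE_SENSITIVE}.
     *
     * <p>The case-insensitive mode relies on {@link String#equalsIgnoreCase}, which folds
     * case per character and performs no Unicode normalization; the identity provider
     * should therefore issue names in a single canonical form.
     *
     * @param str  name of the caller
     * @param str2 name configured in the spec
     * @return {@code true} when both names match; a {@code null} on either side never matches
     */
    public boolean usernameEquals(String str, String str2) {
        if (str == null) {
            return false;
        }
        return this.usernameCaseSensitive ? str.equals(str2) : str.equalsIgnoreCase(str2);
    }
}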
