package com.tokera.ate.delegates;

import com.tokera.ate.annotations.PermitReadEntity;
import com.tokera.ate.annotations.PermitWriteEntity;
import com.tokera.ate.common.UUIDTools;
import com.tokera.ate.dao.PUUID;
import com.tokera.ate.dao.enumerations.PermissionPhase;
import com.tokera.ate.dao.enumerations.RiskRole;
import com.tokera.ate.dao.enumerations.UserRole;
import com.tokera.ate.dto.EffectivePermissions;
import com.tokera.ate.dto.TokenDto;
import com.tokera.ate.events.NewAccessRightsEvent;
import com.tokera.ate.events.RightsValidationEvent;
import com.tokera.ate.events.TokenDiscoveryEvent;
import com.tokera.ate.events.TokenScopeChangedEvent;
import com.tokera.ate.events.TokenStateChangedEvent;
import com.tokera.ate.scopes.ScopeContext;
import com.tokera.ate.scopes.TokenScoped;
import java.util.Iterator;
import java.util.UUID;
import javax.enterprise.context.RequestScoped;
import javax.enterprise.event.Observes;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.core.Response;

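/**
 * Request-scoped delegate that tracks the token scope of the current request and
 * enforces the permits declared on the invoked resource against the current token.
 *
 * <p>It enters and leaves the {@link TokenScoped} context, exposes the current
 * {@link TokenDto}, and runs the risk-role, user-role and entity read/write
 * checks in {@link #validate()}.
 *
 * <p>Security-relevant state lives in two public flags:
 * {@code performedValidation} caches a successful {@link #validate()} so later
 * calls become no-ops, and {@code skipValidation} makes {@link #foundToken} mark
 * a discovered token as validated. Both setters are public, so any code that can
 * reach this bean can turn the checks off; callers should be audited.
 */
@RequestScoped
/* loaded from: input_file:com/tokera/ate/delegates/CurrentTokenDelegate.class */
public class CurrentTokenDelegate {
    private AteDelegate d = AteDelegate.get();
    // True once validate() has completed without throwing; short-circuits later calls.
    private boolean performedValidation = false;
    // When true, foundToken() flags discovered tokens as validated before entering the scope.
    private boolean skipValidation = false;
    // True between a successful enterTokenScope() and the next leaveTokenScope().
    private boolean withinTokenScope = false;
    private ScopeContext<String> tokenScopeContext = null;
    // Token text the scope was entered with (the token's base64 form when set by foundToken()).
    private String tokenScopeValue = null;
    // Key returned by ScopeContext.enter(); needed to exit the same scope again.
    private String tokenScopeContextKey = null;

    /**
     * Enters the token scope for the given token text and fires the token,
     * access-rights and rights-validation events.
     *
     * <p>Access logging is paused for the duration of the call. If firing any
     * event fails, {@code withinTokenScope} is reset to {@code false} and the
     * failure is rethrown unchanged.
     *
     * @param tokenTxt value the {@link TokenScoped} context is entered with
     */
    public void enterTokenScope(String tokenTxt) {
        this.d.requestAccessLog.pause();
        try {
            @SuppressWarnings("unchecked") // the TokenScoped context is keyed by the token string
            ScopeContext<String> scopeContext = (ScopeContext<String>) this.d.beanManager.getContext(TokenScoped.class);
            this.tokenScopeValue = tokenTxt;
            this.tokenScopeContext = scopeContext;
            this.tokenScopeContextKey = scopeContext.enter(tokenTxt);
            this.withinTokenScope = true;
            try {
                TokenDto token = this.d.tokenSecurity.getToken();
                if (token != null) {
                    this.d.eventTokenScopeChanged.fire(new TokenScopeChangedEvent(token));
                }
                this.d.eventTokenChanged.fire(new TokenStateChangedEvent());
                this.d.eventNewAccessRights.fire(new NewAccessRightsEvent());
                // Observed by tokenChanged(), which runs validate(); a denial surfaces here.
                this.d.eventRightsValidation.fire(new RightsValidationEvent());
            } catch (Throwable th) {
                // Fail closed: getTokenOrNull() returns null once this flag is cleared.
                // NOTE(review): the scope entered above is not exited on this path, and
                // leaveTokenScope() skips it because the flag is false - confirm that the
                // ScopeContext tolerates an entered-but-never-exited key.
                this.withinTokenScope = false;
                throw th;
            }
        } finally {
            this.d.requestAccessLog.unpause();
        }
    }

    /**
     * Leaves the token scope if one is active and clears the stored scope state.
     *
     * @throws WebApplicationException (500) when exiting the scope fails with
     *         anything other than a {@link RuntimeException}; runtime exceptions
     *         are rethrown as they are
     */
    public void leaveTokenScope() {
        if (!this.withinTokenScope) {
            return;
        }
        this.withinTokenScope = false;
        try {
            ScopeContext<String> scopeContext = this.tokenScopeContext;
            String contextKey = this.tokenScopeContextKey;
            if (scopeContext != null && contextKey != null) {
                scopeContext.exit(contextKey);
            }
            this.tokenScopeContext = null;
            this.tokenScopeContextKey = null;
            this.tokenScopeValue = null;
        } catch (Throwable th) {
            if (th instanceof RuntimeException) {
                throw (RuntimeException) th;
            }
            throw new WebApplicationException("Failed to end TokenContext - internal error", th, Response.Status.INTERNAL_SERVER_ERROR);
        }
    }

    /**
     * Observer for {@link RightsValidationEvent}: runs {@link #validate()}.
     */
    public void tokenChanged(@Observes RightsValidationEvent rightsValidationEvent) {
        validate();
    }

    /**
     * @return the token text the current scope was entered with, or {@code null}
     *         when no scope has been entered or it has been left
     */
    public String getTokenScopeValue() {
        return this.tokenScopeValue;
    }

    /**
     * Observer for {@link TokenDiscoveryEvent}: enters a token scope for the
     * discovered token unless the current scope was already entered with the
     * same base64 text.
     *
     * <p>When {@code skipValidation} is set, the token is marked as validated
     * here without any check performed by this class. That is a validation
     * bypass by design and should only be reachable from trusted code paths.
     */
    public void foundToken(@Observes TokenDiscoveryEvent tokenDiscoveryEvent) {
        TokenDto token = tokenDiscoveryEvent.getToken();
        String currentScopeValue = this.tokenScopeValue;
        if (currentScopeValue != null && token.getBase64().equals(currentScopeValue)) {
            return;
        }
        if (this.skipValidation) {
            token.setValidated(true);
        }
        enterTokenScope(token.getBase64());
    }

    /**
     * @return {@code true} while a token scope is active
     */
    public boolean getWithinTokenScope() {
        return this.withinTokenScope;
    }

    /**
     * Returns the current token or fails the request.
     *
     * @return the current token, never {@code null}
     * @throws WebApplicationException (400) when there is no current token
     */
    public TokenDto getToken() {
        TokenDto token = getTokenOrNull();
        if (token == null) {
            throw new WebApplicationException("Token is null.", Response.Status.BAD_REQUEST);
        }
        return token;
    }

    /**
     * @return the token held by the token-security bean while a token scope is
     *         active, otherwise {@code null}
     */
    public TokenDto getTokenOrNull() {
        return this.withinTokenScope ? this.d.tokenSecurity.getToken() : null;
    }

    /**
     * Rejects the request because a required token is absent, unless the
     * invoked resource permits a missing token, in which case this method
     * returns normally.
     *
     * @throws WebApplicationException 412 when a token scope is active but no
     *         token is known, otherwise 401
     */
    public void missingToken() {
        ContainerRequestContext requestContextOrNull = this.d.requestContext.getContainerRequestContextOrNull();
        if (this.d.resourceInfo.isPermitMissingToken()) {
            return;
        }
        if (this.withinTokenScope) {
            throw new WebApplicationException("Token is not known to this server - POST token to /login/token", Response.Status.PRECONDITION_FAILED);
        }
        if (requestContextOrNull == null) {
            throw new WebApplicationException("This operation requires a token.", Response.Status.UNAUTHORIZED);
        }
        throw new WebApplicationException("This operation requires a token (uri = '" + this.d.requestContext.getUriInfo().getAbsolutePath() + "')", Response.Status.UNAUTHORIZED);
    }

    /**
     * Checks the current token against every permit declared on the invoked
     * resource: risk roles, user roles, readable entities and writable entities.
     *
     * <p>The result is cached: after one successful run, further calls return
     * immediately. A token that is published later in the same request is
     * therefore not re-checked unless {@link #setPerformedValidation(boolean)}
     * is called with {@code false} first.
     * NOTE(review): confirm that every code path that swaps the token resets the flag.
     *
     * @throws WebApplicationException when a check fails
     */
    public void validate() {
        if (this.performedValidation) {
            return;
        }
        TokenDto token = getTokenOrNull();
        if (this.withinTokenScope && token == null) {
            missingToken();
        }
        validateRiskRole(token);
        validateUserRole(token);
        validateReadRoles(token);
        validateWriteRoles(token);
        this.performedValidation = true;
    }

    /**
     * Requires the token to hold every risk role the resource lists.
     *
     * @param token current token, may be {@code null}
     * @throws WebApplicationException (401) when a listed risk role is missing
     */
    private void validateRiskRole(TokenDto token) {
        for (RiskRole required : this.d.resourceInfo.getPermitRiskRoles()) {
            if (token == null) {
                missingToken();
            } else if (!token.hasRiskRole(required)) {
                // NOTE(review): the token is present but insufficient; 403 is the conventional
                // status for that case. 401 is kept because clients may depend on it.
                throw new WebApplicationException("Access denied (missing risk role) (uri = '" + this.d.requestContext.getUriInfo().getAbsolutePath() + "')", Response.Status.UNAUTHORIZED);
            }
        }
    }

    /**
     * Requires the token to hold at least one of the user roles the resource
     * lists. A listed {@code UserRole.ANYTHING} accepts any token and only
     * demands that one is present.
     *
     * @param token current token, may be {@code null}
     * @throws WebApplicationException (401) when none of the listed roles is held
     */
    private void validateUserRole(TokenDto token) {
        for (UserRole permitted : this.d.resourceInfo.getPermitUserRoles()) {
            if (UserRole.ANYTHING.equals(permitted)) {
                if (token == null) {
                    missingToken();
                }
                return;
            }
        }

        boolean rolesChecked = false;
        boolean roleHeld = false;
        for (UserRole permitted : this.d.resourceInfo.getPermitUserRoles()) {
            if (token == null) {
                // Returns normally only when the resource permits a missing token;
                // in that case no role is checked and the request passes this stage.
                missingToken();
            } else {
                rolesChecked = true;
                if (token.hasUserRole(permitted)) {
                    roleHeld = true;
                }
            }
        }
        if (!rolesChecked || roleHeld) {
            return;
        }

        StringBuilder roleNames = new StringBuilder();
        for (UserRole permitted : this.d.resourceInfo.getPermitUserRoles()) {
            if (roleNames.length() > 0) {
                roleNames.append(",");
            }
            roleNames.append(permitted);
        }
        throw new WebApplicationException("Access denied (missing user role: " + roleNames + ") while processing '" + this.d.requestContext.getUriInfo().getAbsolutePath() + "'", Response.Status.UNAUTHORIZED);
    }

    /**
     * Requires read access to every entity named by the resource's
     * {@link PermitReadEntity} path parameters.
     *
     * <p>NOTE(review): when there is no token and the resource permits a
     * missing token, {@link #missingToken()} returns and the entity checks for
     * that permit are skipped entirely - confirm this combination is intended.
     *
     * @param token current token, may be {@code null}
     * @throws WebApplicationException when read access is denied
     */
    private void validateReadRoles(TokenDto token) {
        for (PermitReadEntity permit : this.d.resourceInfo.getPermitReadParams()) {
            if (token == null) {
                missingToken();
                continue;
            }
            for (String paramName : permit.name()) {
                PUUID entityId = getAndValidateRequestParamValue(paramName, permit.prefix());
                if (this.d.authorization.canRead(entityId)) {
                    continue;
                }
                RuntimeException denial;
                try {
                    denial = this.d.authorization.buildReadException(this.d.authorization.perms((String) null, entityId, PermissionPhase.BeforeMerge), true);
                } catch (Throwable th) {
                    // Best effort: building the detailed exception failed, so deny with a
                    // generic message instead of letting the failure mask the denial.
                    denial = new WebApplicationException("Read access denied (Missing permitted entity). Path Param (" + paramName + "=" + entityId + ")", Response.Status.UNAUTHORIZED);
                }
                throw denial;
            }
        }
    }

    /**
     * Requires write access to every entity named by the resource's
     * {@link PermitWriteEntity} path parameters.
     *
     * <p>NOTE(review): when there is no token and the resource permits a
     * missing token, {@link #missingToken()} returns and the entity checks for
     * that permit are skipped entirely - confirm this combination is intended.
     *
     * @param token current token, may be {@code null}
     * @throws WebApplicationException when write access is denied
     */
    private void validateWriteRoles(TokenDto token) {
        for (PermitWriteEntity permit : this.d.resourceInfo.getPermitWriteParams()) {
            if (token == null) {
                missingToken();
                continue;
            }
            for (String paramName : permit.name()) {
                PUUID entityId = getAndValidateRequestParamValue(paramName, permit.prefix());
                if (this.d.authorization.canWrite(entityId)) {
                    continue;
                }
                RuntimeException denial;
                try {
                    EffectivePermissions perms = this.d.authorization.perms((String) null, entityId, PermissionPhase.BeforeMerge);
                    denial = this.d.authorization.buildWriteException(perms.rolesWrite, perms, true);
                } catch (Throwable th) {
                    // Best effort: building the detailed exception failed, so deny with a
                    // generic message instead of letting the failure mask the denial.
                    denial = new WebApplicationException("Write access denied (Missing permitted entity). Path Param (" + paramName + "=" + entityId + ")", Response.Status.UNAUTHORIZED);
                }
                throw denial;
            }
        }
    }

    /**
     * Resolves a path parameter to the identifier of an existing entity.
     *
     * <p>Without a prefix the value is read as a plain UUID in the current
     * partition, or handed to {@code PUUID.parse} when it is not a plain UUID.
     * With a prefix the identifier is derived from {@code prefix + value} in the
     * current partition.
     *
     * @param paramName name of the path parameter that carries the identifier
     * @param prefix optional prefix from the permit annotation; {@code null} or empty for none
     * @return identifier of an entity that exists
     * @throws WebApplicationException 401 when the path parameter is absent or
     *         has no value, 404 when the entity does not exist
     */
    private PUUID getAndValidateRequestParamValue(String paramName, String prefix) {
        if (!this.d.requestContext.getUriInfo().getPathParameters().containsKey(paramName)) {
            throw new WebApplicationException("Access denied (Missing path parameter). Path Param Name:" + paramName, Response.Status.UNAUTHORIZED);
        }
        String rawValue = (String) this.d.requestContext.getUriInfo().getPathParameters().getFirst(paramName);
        if (rawValue == null) {
            // A key without a value must not reach the parsers below: with a prefix it
            // would silently derive an identifier from the text "null".
            throw new WebApplicationException("Access denied (Missing path parameter). Path Param Name:" + paramName, Response.Status.UNAUTHORIZED);
        }

        PUUID entityId;
        if (prefix == null || prefix.isEmpty()) {
            UUID plainId = UUIDTools.parseUUIDorNull(rawValue);
            // NOTE(review): PUUID.parse presumably accepts a caller-chosen partition inside
            // the value; access then rests on the canRead/canWrite check made by the caller.
            entityId = plainId == null
                    ? PUUID.parse(rawValue)
                    : PUUID.from(this.d.requestContext.currentPartitionKey(), plainId);
        } else {
            entityId = PUUID.from(this.d.requestContext.currentPartitionKey(), UUIDTools.generateUUID(prefix + rawValue));
        }

        if (!this.d.io.exists(entityId)) {
            // NOTE(review): this 404 is returned before the access check runs, so a caller
            // without access can tell existing identifiers from missing ones. Returning the
            // same response as an access denial would close that difference.
            throw new WebApplicationException("Entity does not exist (" + paramName + "=" + rawValue + ", pid=" + entityId.toString() + ")", Response.Status.NOT_FOUND);
        }
        return entityId;
    }

    /**
     * Overrides the cached validation state. Passing {@code true} makes
     * {@link #validate()} a no-op for the rest of this delegate's life, which
     * disables every permit check; passing {@code false} forces a re-check.
     */
    public void setPerformedValidation(boolean performed) {
        this.performedValidation = performed;
    }

    /**
     * @return {@code true} when a current token exists and holds the risk role
     */
    public boolean hasRiskRole(RiskRole riskRole) {
        TokenDto token = getTokenOrNull();
        return token != null && token.hasRiskRole(riskRole);
    }

    /**
     * @return {@code true} when a current token exists and holds the user role
     */
    public boolean hasUserRole(UserRole userRole) {
        TokenDto token = getTokenOrNull();
        return token != null && token.hasUserRole(userRole);
    }

    /**
     * Announces a token to the rest of the request: fires the discovery event
     * (observed by {@link #foundToken}) followed by the scope-changed,
     * token-changed, new-access-rights and rights-validation events.
     *
     * <p>Access logging is paused for the duration of the call.
     *
     * @param tokenDto token to publish
     */
    public void publishToken(TokenDto tokenDto) {
        this.d.requestAccessLog.pause();
        try {
            this.d.eventTokenDiscovery.fire(new TokenDiscoveryEvent(tokenDto));
            this.d.eventTokenScopeChanged.fire(new TokenScopeChangedEvent(tokenDto));
            this.d.eventTokenChanged.fire(new TokenStateChangedEvent());
            this.d.eventNewAccessRights.fire(new NewAccessRightsEvent());
            this.d.eventRightsValidation.fire(new RightsValidationEvent());
        } finally {
            this.d.requestAccessLog.unpause();
        }
    }

    /**
     * @return whether discovered tokens are marked as validated without a check
     */
    public boolean isSkipValidation() {
        return this.skipValidation;
    }

    /**
     * Controls whether {@link #foundToken} marks discovered tokens as validated.
     * Enabling this bypasses token validation for the rest of the request, so it
     * belongs only in code paths that have already established trust in the token.
     */
    public void setSkipValidation(boolean skip) {
        this.skipValidation = skip;
    }
}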
