package com.yahoo.athenz.common.server.util;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.yahoo.athenz.auth.Authority;
import com.yahoo.athenz.auth.Principal;
import com.yahoo.athenz.auth.util.StringUtils;
import com.yahoo.athenz.common.config.AuthzDetailsEntity;
import com.yahoo.athenz.common.server.rest.ResourceException;
import com.yahoo.athenz.zms.Assertion;
import com.yahoo.athenz.zms.Entity;
import com.yahoo.athenz.zms.GroupMember;
import com.yahoo.athenz.zms.Policy;
import com.yahoo.athenz.zms.Role;
import com.yahoo.athenz.zms.RoleMember;
import com.yahoo.rdl.Struct;
import com.yahoo.rdl.Timestamp;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import org.eclipse.jetty.util.StringUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/yahoo/athenz/common/server/util/AuthzHelper.class */
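/**
 * Static helpers for authorization decisions: role and group membership checks,
 * delegated-trust ({@code assume_role}) assertion matching, and parsing of
 * authorization-details entities.
 *
 * <p>These methods decide whether a principal is granted access, so the notes
 * marked {@code NOTE(review)} below should be confirmed against the callers
 * before relying on the described behaviour.
 */
public class AuthzHelper {
    private static final String ASSUME_ROLE = "assume_role";
    private static final Logger LOGGER = LoggerFactory.getLogger(AuthzHelper.class);
    private static final ObjectMapper JSON_MAPPER = initJsonMapper();

    /** Callback that returns the members of the group with the given name. */
    public interface GroupMembersFetcher {
        List<GroupMember> getGroupMembers(String str);
    }

    /**
     * Builds the mapper used for authorization-details JSON. Unknown properties
     * are rejected, so a payload with unexpected fields fails to parse instead
     * of being silently accepted.
     */
    static ObjectMapper initJsonMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, true);
        return mapper;
    }

    /** Returns true when the two entries differ in expiration or review reminder. */
    private static boolean isUpdateRequired(RoleMember roleMember, RoleMember roleMember2) {
        return !Objects.equals(roleMember.getExpiration(), roleMember2.getExpiration())
                || !Objects.equals(roleMember.getReviewReminder(), roleMember2.getReviewReminder());
    }

    /** Returns true when the entry's principal type is set and equals the GROUP type value. */
    private static boolean isGroupPrincipal(RoleMember roleMember) {
        return roleMember.getPrincipalType() != null
                && roleMember.getPrincipalType().intValue() == Principal.Type.GROUP.getValue();
    }

    /**
     * Removes from {@code list}, in place, every entry whose member name matches
     * (case-insensitively) an entry in {@code list2}.
     *
     * @param list  the list to prune; a {@code null} list makes this a no-op
     * @param list2 the entries to remove; a {@code null} list makes this a no-op
     * @param z     when {@code true} a name match alone removes the entry; when
     *              {@code false} the entry is removed only if its expiration and
     *              review reminder also equal those of the matching entry
     */
    public static void removeRoleMembers(List<RoleMember> list, List<RoleMember> list2, boolean z) {
        if (list == null || list2 == null) {
            return;
        }
        for (RoleMember candidate : list2) {
            list.removeIf(existing ->
                    existing.getMemberName().equalsIgnoreCase(candidate.getMemberName())
                            && (z || !isUpdateRequired(existing, candidate)));
        }
    }

    /** Returns true when the two group entries differ in expiration. */
    private static boolean isGroupMemberExpirationChanged(GroupMember groupMember, GroupMember groupMember2) {
        return !Objects.equals(groupMember.getExpiration(), groupMember2.getExpiration());
    }

    /**
     * Removes from {@code list}, in place, every entry whose member name matches
     * (case-insensitively) an entry in {@code list2}.
     *
     * @param list  the list to prune; a {@code null} list makes this a no-op
     * @param list2 the entries to remove; a {@code null} list makes this a no-op
     * @param z     when {@code true} a name match alone removes the entry; when
     *              {@code false} the entry is removed only if its expiration also
     *              equals that of the matching entry
     */
    public static void removeGroupMembers(List<GroupMember> list, List<GroupMember> list2, boolean z) {
        if (list == null || list2 == null) {
            return;
        }
        for (GroupMember candidate : list2) {
            list.removeIf(existing ->
                    existing.getMemberName().equalsIgnoreCase(candidate.getMemberName())
                            && (z || !isGroupMemberExpirationChanged(existing, candidate)));
        }
    }

    /**
     * Returns true when the system-disabled value is set and non-zero.
     *
     * @param num the member's system-disabled value; {@code null} counts as enabled
     */
    public static boolean isMemberDisabled(Integer num) {
        return num != null && num.intValue() != 0;
    }

    /**
     * Returns true when an expiration is set and lies strictly before {@code j}.
     *
     * @param timestamp the member's expiration; {@code null} means it never expires
     * @param j         the reference time in epoch milliseconds
     */
    public static boolean isMemberExpired(Timestamp timestamp, long j) {
        return timestamp != null && timestamp.millis() < j;
    }

    /**
     * Returns true when the group member is system-disabled or expired at time {@code j}.
     *
     * @param groupMember the entry to inspect
     * @param j           the reference time in epoch milliseconds
     */
    public static boolean shouldSkipGroupMember(GroupMember groupMember, long j) {
        return isMemberDisabled(groupMember.getSystemDisabled())
                || isMemberExpired(groupMember.getExpiration(), j);
    }

    /**
     * Null-safe wrapper around {@link #checkGroupMemberValidity}.
     *
     * @param list the group's members; {@code null} yields {@code false}
     * @param str  the principal name to look for
     */
    public static boolean isMemberOfGroup(List<GroupMember> list, String str) {
        return list != null && checkGroupMemberValidity(list, str);
    }

    /**
     * Checks whether {@code str} is an enabled, unexpired member of the group.
     *
     * <p>Every entry is visited and the result is overwritten on each name match,
     * so when several entries match (for example an exact name and a wildcard)
     * the last one in list order decides.
     * NOTE(review): this file is decompiler output; confirm against the original
     * source whether the scan is meant to stop at the first match, because the
     * two readings differ when a disabled entry and a valid entry both match.
     *
     * @param list the group's members; must not be {@code null}
     * @param str  the principal name to look for
     */
    public static boolean checkGroupMemberValidity(List<GroupMember> list, String str) {
        boolean valid = false;
        final long now = System.currentTimeMillis();
        for (GroupMember entry : list) {
            if (memberNameMatch(entry.getMemberName(), str)) {
                valid = !shouldSkipGroupMember(entry, now);
            }
        }
        return valid;
    }

    /**
     * Matches a principal name against a member entry.
     *
     * <p>Three entry forms are handled: {@code "*"} matches every name (the name
     * is not inspected at all), an entry ending in {@code *} is a prefix match,
     * and anything else must equal the name exactly.
     *
     * @param str  the member entry, possibly with a trailing wildcard; must not be {@code null}
     * @param str2 the principal name to test; a {@code null} name never satisfies
     *             a prefix or exact entry
     */
    public static boolean memberNameMatch(String str, String str2) {
        if (str.equals("*")) {
            return true;
        }
        if (str.endsWith("*")) {
            // Fail closed on a missing name instead of throwing, in line with the
            // exact-match branch, which already returns false for null.
            return str2 != null && str2.startsWith(str.substring(0, str.length() - 1));
        }
        return str.equals(str2);
    }

    /**
     * Decides whether a delegated-trust check applies.
     *
     * @param str  presumably the role's trust domain; {@code null} yields
     *             {@code false} (confirm naming against callers)
     * @param str2 presumably the trust domain requested by the caller;
     *             {@code null} accepts any non-null {@code str}
     * @return {@code true} when {@code str} is set and either {@code str2} is
     *         unset or the two are equal ignoring case
     */
    public static boolean shouldRunDelegatedTrustCheck(String str, String str2) {
        return str != null && (str2 == null || str.equalsIgnoreCase(str2));
    }

    /**
     * Picks the domain a request is evaluated against.
     *
     * @param str  the resource; its domain is the text before the first {@code ':'}
     * @param str2 the action; compared case-insensitively with {@code assume_role}
     * @param str3 the domain to use for an {@code assume_role} action, or {@code null}
     * @return {@code str3} for an {@code assume_role} action with a non-null
     *         {@code str3}, otherwise the domain extracted from {@code str}
     */
    public static String retrieveResourceDomain(String str, String str2, String str3) {
        if (str3 != null && ASSUME_ROLE.equalsIgnoreCase(str2)) {
            return str3;
        }
        return extractResourceDomainName(str);
    }

    /**
     * Returns the part of {@code str} before the first {@code ':'}.
     *
     * @param str the resource string; must not be {@code null}
     * @return the domain prefix, or {@code null} when there is no {@code ':'};
     *         callers must handle the {@code null} result
     */
    public static String extractResourceDomainName(String str) {
        final int separator = str.indexOf(':');
        return separator == -1 ? null : str.substring(0, separator);
    }

    /**
     * Returns whether the principal's authority permits authorization checks.
     * A principal without an authority is allowed.
     */
    public static boolean authorityAuthorizationAllowed(Principal principal) {
        final Authority authority = principal.getAuthority();
        return authority == null || authority.allowAuthorization();
    }

    /**
     * Checks whether {@code str} is a valid member of a role, directly or through a group.
     *
     * <p>Direct (non-group) entries are evaluated first; as in
     * {@link #checkGroupMemberValidity}, the last matching entry decides. Group
     * entries are consulted only when no direct entry granted membership.
     * NOTE(review): a group entry is skipped when expired, but its
     * system-disabled value is not consulted here; confirm that group entries
     * cannot be system-disabled.
     *
     * @param list                the role's members; must not be {@code null}
     * @param str                 the principal name to look for
     * @param groupMembersFetcher resolves a group name to its members; only
     *                            called when the role has group entries and no
     *                            direct entry matched as valid
     */
    public static boolean checkRoleMemberValidity(List<RoleMember> list, String str, GroupMembersFetcher groupMembersFetcher) {
        final List<RoleMember> groupEntries = new ArrayList<>();
        final long now = System.currentTimeMillis();
        boolean valid = false;
        for (RoleMember entry : list) {
            if (isGroupPrincipal(entry)) {
                groupEntries.add(entry);
            } else if (memberNameMatch(entry.getMemberName(), str)) {
                valid = !isMemberDisabled(entry.getSystemDisabled())
                        && !isMemberExpired(entry.getExpiration(), now);
            }
        }
        if (valid || groupEntries.isEmpty()) {
            return valid;
        }
        for (RoleMember group : groupEntries) {
            if (isMemberExpired(group.getExpiration(), now)) {
                continue;
            }
            if (isMemberOfGroup(groupMembersFetcher.getGroupMembers(group.getMemberName()), str)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Null-safe wrapper around {@link #checkRoleMemberValidity}: a role without
     * a member list has no members.
     */
    public static boolean isMemberOfRole(Role role, String str, GroupMembersFetcher groupMembersFetcher) {
        final List<RoleMember> roleMembers = role.getRoleMembers();
        return roleMembers != null && checkRoleMemberValidity(roleMembers, str, groupMembersFetcher);
    }

    /**
     * Returns true when the assertion's action is {@code assume_role} (ignoring
     * case) and its role equals {@code str} exactly.
     */
    public static boolean assumeRoleNameMatch(String str, Assertion assertion) {
        return ASSUME_ROLE.equalsIgnoreCase(assertion.getAction())
                && str.equals(assertion.getRole());
    }

    /**
     * Returns true when the assertion's action is {@code assume_role} (ignoring
     * case) and {@code str} matches the assertion's resource glob.
     * NOTE(review): the glob is converted to a regex by
     * {@code StringUtils.patternFromGlob}; correctness of the match relies on
     * that helper escaping regex metacharacters in the resource - confirm.
     */
    public static boolean assumeRoleResourceMatch(String str, Assertion assertion) {
        return ASSUME_ROLE.equalsIgnoreCase(assertion.getAction())
                && str.matches(StringUtils.patternFromGlob(assertion.getResource()));
    }

    /**
     * Returns true when any assertion of the policy satisfies
     * {@link #matchDelegatedTrustAssertion}; a policy without assertions never matches.
     */
    public static boolean matchDelegatedTrustPolicy(Policy policy, String str, String str2, List<Role> list, GroupMembersFetcher groupMembersFetcher) {
        final List<Assertion> assertions = policy.getAssertions();
        if (assertions == null) {
            return false;
        }
        for (Assertion assertion : assertions) {
            if (matchDelegatedTrustAssertion(assertion, str, str2, list, groupMembersFetcher)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Evaluates one delegated-trust assertion.
     *
     * @param assertion           the assertion to evaluate
     * @param str                 the name matched against the assertion's resource glob
     * @param str2                the principal name whose role membership is checked
     * @param list                the roles to search; must not be {@code null}
     * @param groupMembersFetcher resolves group names during the membership check
     * @return {@code true} when the assertion is an {@code assume_role} whose
     *         resource matches {@code str} and {@code str2} is a valid member of
     *         at least one role whose name matches the assertion's role glob
     */
    public static boolean matchDelegatedTrustAssertion(Assertion assertion, String str, String str2, List<Role> list, GroupMembersFetcher groupMembersFetcher) {
        if (!assumeRoleResourceMatch(str, assertion)) {
            return false;
        }
        // Convert the role glob once; it is the same for every role in the list.
        final String rolePattern = StringUtils.patternFromGlob(assertion.getRole());
        for (Role role : list) {
            if (role.getName().matches(rolePattern) && isMemberOfRole(role, str2, groupMembersFetcher)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Parses the {@code data} field of an entity into an {@link AuthzDetailsEntity}.
     *
     * @param entity the entity holding the JSON text in its {@code data} field
     * @return the parsed authorization details
     * @throws ResourceException       with {@code BAD_REQUEST} when the entity has
     *                                 no value or an empty {@code data} field
     * @throws JsonProcessingException when the JSON is malformed or contains
     *                                 properties the target type does not declare
     */
    public static AuthzDetailsEntity convertEntityToAuthzDetailsEntity(Entity entity) throws JsonProcessingException {
        final Struct value = entity.getValue();
        if (value == null) {
            throw new ResourceException(ResourceException.BAD_REQUEST, "Entity has no value");
        }
        final String json = value.getString("data");
        if (StringUtil.isEmpty(json)) {
            throw new ResourceException(ResourceException.BAD_REQUEST, "Entity has no data field");
        }
        // NOTE(review): this writes the raw authorization-details payload to the
        // debug log; confirm the payload carries nothing that should stay out of logs.
        if (LOGGER.isDebugEnabled()) {
            LOGGER.debug("Authorization Details json input: {}", json);
        }
        return JSON_MAPPER.readValue(json, AuthzDetailsEntity.class);
    }
}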
