package de.mummeit.pmg.api.aspect;

import de.mummeit.pmg.api.PermissionManagerClient;
import de.mummeit.pmg.api.annotation.RequiresPermission;
import de.mummeit.pmg.api.model.access.request.CheckAccessRequest;
import de.mummeit.pmg.exception.AccessDeniedException;
import java.lang.reflect.Method;
import java.util.Optional;
import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.lang.annotation.Around;
import org.aspectj.lang.annotation.Aspect;
import org.springframework.context.ApplicationContext;
import org.springframework.context.expression.BeanFactoryResolver;
import org.springframework.core.DefaultParameterNameDiscoverer;
import org.springframework.core.ParameterNameDiscoverer;
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.StandardEvaluationContext;
import org.springframework.stereotype.Component;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;

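/**
 * Around-advice that enforces {@link RequiresPermission} on annotated methods.
 *
 * <p>For every intercepted call the aspect evaluates the annotation's SpEL expressions with the
 * method arguments exposed as variables, asks the {@link PermissionManagerClient} whether the
 * resolved user holds the required permission, and lets the call proceed only when the answer is
 * "permitted". The target is invoked from a single place, behind that check, so any exception
 * raised while building or sending the check leaves the target uninvoked.
 *
 * <p>Security notes:
 * <ul>
 *   <li>The expression text comes from annotation attributes ({@code scope()},
 *       {@code userIdExpression()}) and is evaluated in a {@link StandardEvaluationContext} with
 *       a bean resolver, i.e. an unrestricted SpEL context. Keep those attributes compile-time
 *       constants and never assemble them from request data.</li>
 *   <li>When the user-id expression yields nothing, the id is read from the {@code userId}
 *       request parameter, which the client controls. See {@code resolveUserId}.</li>
 * </ul>
 */
@Aspect
@Component
/* loaded from: input_file:de/mummeit/pmg/api/aspect/PermissionCheckAspect.class */
public class PermissionCheckAspect {
    private final PermissionManagerClient permissionManagerClient;
    private final ApplicationContext applicationContext;
    private final ExpressionParser parser = new SpelExpressionParser();
    private final ParameterNameDiscoverer parameterNameDiscoverer = new DefaultParameterNameDiscoverer();

    /**
     * Checks the permission declared by {@link RequiresPermission} before invoking the target.
     *
     * @param proceedingJoinPoint the intercepted invocation
     * @return whatever the intercepted method returns
     * @throws AccessDeniedException if the permission manager does not permit the access
     * @throws Throwable anything thrown while resolving the check or by the intercepted method
     */
    @Around("@annotation(de.mummeit.pmg.api.annotation.RequiresPermission)")
    public Object checkPermission(ProceedingJoinPoint proceedingJoinPoint) throws Throwable {
        // NOTE(review): org.aspectj.lang.Signature declares no getMethod(); this decompiled call
        // presumably lost a cast to MethodSignature. Confirm against the original source.
        Method method = proceedingJoinPoint.getSignature().getMethod();
        RequiresPermission requiresPermission = method.getAnnotation(RequiresPermission.class);

        StandardEvaluationContext evaluationContext = new StandardEvaluationContext();
        evaluationContext.setBeanResolver(new BeanFactoryResolver(this.applicationContext));

        // Expose the call's arguments to the expressions as #paramName. Argument values are bound
        // as data only; they are never parsed as expression text.
        String[] parameterNames = this.parameterNameDiscoverer.getParameterNames(method);
        if (parameterNames != null) {
            Object[] args = proceedingJoinPoint.getArgs();
            // Bound by the shorter array so a name/argument count mismatch cannot index past args.
            int bound = Math.min(parameterNames.length, args.length);
            for (int i = 0; i < bound; i++) {
                evaluationContext.setVariable(parameterNames[i], args[i]);
            }
        }

        String userId = resolveUserId(evaluationContext, requiresPermission);

        // An empty scope attribute means "no scope expression": send "" rather than parsing it.
        String scopeExpression = requiresPermission.scope();
        String scope = scopeExpression.isEmpty()
                ? ""
                : this.parser.parseExpression(scopeExpression).getValue(evaluationContext, String.class);

        CheckAccessRequest checkAccessRequest = new CheckAccessRequest();
        checkAccessRequest.setDomain(requiresPermission.domain());
        checkAccessRequest.setPermission(requiresPermission.permission());
        checkAccessRequest.setUserId(userId);
        checkAccessRequest.setScope(scope);

        // The only path to proceed() is an explicit "permitted" answer.
        if (this.permissionManagerClient.checkAccess(checkAccessRequest).isPermitted()) {
            return proceedingJoinPoint.proceed();
        }
        throw new AccessDeniedException("Access denied", userId, requiresPermission.domain(), requiresPermission.permission(), scope);
    }

    /**
     * Resolves the user id the permission check is performed for.
     *
     * <p>The annotation's {@code userIdExpression()} is tried first. If it throws or evaluates to
     * {@code null}, the {@code userId} parameter of the current servlet request is used instead.
     *
     * <p>NOTE(security): the fallback value is supplied by the client. Unless something upstream
     * validates that parameter against the authenticated principal, the caller chooses which user
     * the check runs for. Prefer a {@code userIdExpression} that derives the id from the
     * authenticated security context, and treat the fallback as untrusted input.
     *
     * @param evaluationContext context holding the method arguments and the bean resolver
     * @param requiresPermission the annotation found on the intercepted method
     * @return the resolved user id, never {@code null}
     * @throws IllegalArgumentException if neither the expression nor a servlet request yields an id
     */
    private String resolveUserId(EvaluationContext evaluationContext, RequiresPermission requiresPermission) {
        try {
            String userId = this.parser.parseExpression(requiresPermission.userIdExpression()).getValue(evaluationContext, String.class);
            if (userId != null) {
                return userId;
            }
        } catch (Exception ignored) {
            // Deliberate best effort: any parse or evaluation failure falls through to the
            // request-parameter lookup below. The failure is not recorded anywhere, so a broken
            // expression silently switches the check to the client-supplied id.
        }
        // Filter by type instead of casting blindly so that non-servlet request attributes end in
        // the documented IllegalArgumentException rather than a ClassCastException.
        return Optional.ofNullable(RequestContextHolder.getRequestAttributes())
                .filter(ServletRequestAttributes.class::isInstance)
                .map(ServletRequestAttributes.class::cast)
                .map(ServletRequestAttributes::getRequest)
                .map(request -> request.getParameter("userId"))
                .orElseThrow(() -> new IllegalArgumentException("Could not resolve userId"));
    }

    /**
     * Creates the aspect.
     *
     * @param permissionManagerClient client used to ask whether an access is permitted
     * @param applicationContext context used to resolve bean references inside the expressions
     */
    public PermissionCheckAspect(PermissionManagerClient permissionManagerClient, ApplicationContext applicationContext) {
        this.permissionManagerClient = permissionManagerClient;
        this.applicationContext = applicationContext;
    }
}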
