package io.apicurio.registry.mt;

import io.apicurio.multitenant.api.datamodel.RegistryTenant;
import io.apicurio.multitenant.api.datamodel.TenantStatusValue;
import io.apicurio.registry.auth.AuthConfig;
import io.apicurio.registry.mt.limits.TenantLimitsConfigurationService;
import io.apicurio.registry.utils.CheckPeriodCache;
import io.quarkus.runtime.StartupEvent;
import java.util.Iterator;
import java.util.List;
import java.util.Optional;
import javax.enterprise.context.ApplicationScoped;
import javax.enterprise.event.Observes;
import javax.enterprise.inject.Instance;
import javax.inject.Inject;
import org.eclipse.microprofile.config.inject.ConfigProperty;
import org.eclipse.microprofile.jwt.JsonWebToken;
import org.slf4j.Logger;

@ApplicationScoped
public class TenantContextLoader {

    /** Per-tenant contexts, built lazily by {@link #loadContext} and evicted by the cache's check period. */
    private CheckPeriodCache<String, RegistryTenantContext> contextsCache;

    /** Lazily built context for {@link TenantContext#DEFAULT_TENANT_ID}; see {@link #defaultTenantContext()}. */
    private RegistryTenantContext defaultTenantContext;

    @Inject
    Logger logger;

    @Inject
    AuthConfig authConfig;

    @Inject
    MultitenancyProperties mtProperties;

    @Inject
    TenantMetadataService tenantMetadataService;

    @Inject
    TenantLimitsConfigurationService limitsConfigurationService;

    @Inject
    Instance<JsonWebToken> jsonWebToken;

    @Inject
    @ConfigProperty(defaultValue = "60000", name = "registry.tenants.context.cache.check-period")
    Long cacheCheckPeriod;

    /** Claim names inspected, in order, to find the caller's organization id. */
    @ConfigProperty(name = "registry.organization-id.claim-name")
    List<String> organizationIdClaims;

    /**
     * Creates the tenant context cache once the application has started.
     *
     * @param startupEvent CDI startup event (unused apart from triggering this observer)
     */
    public void onStart(@Observes StartupEvent startupEvent) {
        // Unboxing here throws NPE if the property resolved to null, same as the explicit longValue() call would.
        contextsCache = new CheckPeriodCache<>(cacheCheckPeriod);
    }

    /**
     * Loads the context for a tenant on behalf of an incoming request.
     * The organization check is applied only when multitenancy authorization is enabled.
     *
     * @param str tenant id
     * @return the tenant context
     */
    public RegistryTenantContext loadRequestContext(String str) {
        boolean authorize = mtProperties.isMultitenancyAuthorizationEnabled();
        return loadContext(str, authorize);
    }

    /**
     * Loads the context for a tenant on behalf of a batch job; no caller authorization is performed.
     *
     * @param str tenant id
     * @return the tenant context
     */
    public RegistryTenantContext loadBatchJobContext(String str) {
        return loadContext(str, false);
    }

    /**
     * Resolves a tenant context, short-circuiting for the default tenant and caching all others.
     *
     * @param tenantId tenant id
     * @param checkAuthorization whether to verify that the current JWT may access this tenant
     * @return the (possibly cached) tenant context
     */
    private RegistryTenantContext loadContext(String tenantId, boolean checkAuthorization) {
        if (tenantId.equals(TenantContext.DEFAULT_TENANT_ID)) {
            return defaultTenantContext();
        }
        RegistryTenantContext context = contextsCache.compute(tenantId, key -> buildContext(tenantId));
        if (checkAuthorization) {
            checkTenantAuthorization(context);
        }
        return context;
    }

    /**
     * Builds a fresh context from tenant metadata.
     * <p>
     * The organization id is stored via {@code String.valueOf}, so a tenant without an organization id
     * ends up with the literal string {@code "null"} rather than a null reference.
     * NOTE(review): that means a JWT whose organization claim is literally "null" would compare equal
     * in {@link #tenantCanAccessOrganization}; confirm whether organization id can be absent in metadata.
     *
     * @param tenantId tenant id
     * @return new context for the tenant
     */
    private RegistryTenantContext buildContext(String tenantId) {
        RegistryTenant tenant = tenantMetadataService.getTenant(tenantId);
        return new RegistryTenantContext(
                tenantId,
                tenant.getCreatedBy(),
                limitsConfigurationService.fromTenantMetadata(tenant),
                tenant.getStatus(),
                String.valueOf(tenant.getOrganizationId()));
    }

    /**
     * Returns the context for the default tenant, building it on first use.
     * Initialization is not synchronized; concurrent first calls may each build an instance.
     *
     * @return the default tenant context
     */
    public RegistryTenantContext defaultTenantContext() {
        if (defaultTenantContext != null) {
            return defaultTenantContext;
        }
        defaultTenantContext = new RegistryTenantContext(
                TenantContext.DEFAULT_TENANT_ID,
                null,
                limitsConfigurationService.defaultConfigurationTenant(),
                TenantStatusValue.READY,
                null);
        return defaultTenantContext;
    }

    /**
     * Drops a single tenant from the context cache so the next load re-reads its metadata.
     *
     * @param str tenant id
     */
    public void invalidateTenantInCache(String str) {
        contextsCache.remove(str);
    }

    /**
     * Verifies that the caller's JWT belongs to the tenant's organization.
     * <p>
     * Skipped entirely when authentication is disabled. A request carrying no JWT is allowed through
     * (logged at debug) because some endpoints permit anonymous access; the per-endpoint checks are
     * expected to reject anonymous callers where needed.
     *
     * @param registryTenantContext context of the tenant being accessed
     * @throws TenantNotAuthorizedException if no organization claim is present or it does not match
     */
    private void checkTenantAuthorization(RegistryTenantContext registryTenantContext) {
        if (!authConfig.isAuthEnabled()) {
            return;
        }
        if (!isTokenResolvable()) {
            logger.debug("Tenant access attempted without JWT token for tenant {} [allowing because some endpoints allow anonymous access]", registryTenantContext.getTenantId());
            return;
        }
        String organizationId = resolveOrganizationIdClaim();
        boolean denied = organizationId == null || !tenantCanAccessOrganization(registryTenantContext, organizationId);
        if (denied) {
            logger.warn("User not authorized to access tenant.");
            throw new TenantNotAuthorizedException("Tenant not authorized");
        }
    }

    /**
     * Returns the value of the first configured organization claim present in the current JWT.
     *
     * @return claim value, or null when none of the configured claims is present
     */
    private String resolveOrganizationIdClaim() {
        for (String claimName : organizationIdClaims) {
            Optional<String> claim = jsonWebToken.get().claim(claimName);
            // The assignment to String performs the same cast the original code did on the claim value.
            String value = claim.orElse(null);
            if (value != null) {
                return value;
            }
        }
        return null;
    }

    /**
     * @return true when a JWT bean is available and carries a raw token
     */
    private boolean isTokenResolvable() {
        if (!jsonWebToken.isResolvable()) {
            return false;
        }
        return jsonWebToken.get().getRawToken() != null;
    }

    /**
     * Compares the caller's organization id with the tenant's.
     * NOTE(review): a null context is treated as accessible (fail-open); verify whether the cache can
     * ever return null for a known tenant id before relying on this branch.
     *
     * @param registryTenantContext tenant context, may be null
     * @param str organization id taken from the JWT
     * @return true if the context is null or its organization id equals {@code str}
     */
    private boolean tenantCanAccessOrganization(RegistryTenantContext registryTenantContext, String str) {
        if (registryTenantContext == null) {
            return true;
        }
        return str.equals(registryTenantContext.getOrganizationId());
    }

    /**
     * Clears every cached tenant context.
     */
    public void invalidateTenantCache() {
        contextsCache.clear();
    }
}
