package io.apicurio.registry.auth;

import io.apicurio.common.apps.config.Info;
import io.apicurio.common.apps.multitenancy.ApicurioTenantContext;
import io.apicurio.common.apps.multitenancy.MultitenancyProperties;
import io.apicurio.common.apps.multitenancy.TenantContext;
import io.apicurio.common.apps.multitenancy.exceptions.TenantNotAuthorizedException;
import io.quarkus.security.ForbiddenException;
import io.quarkus.security.UnauthorizedException;
import io.quarkus.security.identity.SecurityIdentity;
import java.util.Iterator;
import java.util.List;
import java.util.Optional;
import javax.annotation.Priority;
import javax.enterprise.inject.Instance;
import javax.inject.Inject;
import javax.interceptor.AroundInvoke;
import javax.interceptor.Interceptor;
import javax.interceptor.InvocationContext;
import org.eclipse.microprofile.config.inject.ConfigProperty;
import org.eclipse.microprofile.jwt.JsonWebToken;
import org.slf4j.Logger;

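/**
 * CDI interceptor bound to {@link Authorized} that decides whether the intercepted method may run.
 * Checks are applied in this order and the first failing one wins; the intercepted method is
 * only invoked when every applicable check passes:
 * <ol>
 *   <li>multitenancy: the tenant must be resolved and, when tenant authorization is enabled, the
 *       organization claim of the caller's token must match the tenant's organization;</li>
 *   <li>{@link RoleBasedAccessApiOperation} methods are refused unless application-managed RBAC
 *       is enabled;</li>
 *   <li>when authentication is disabled, all remaining checks are skipped;</li>
 *   <li>anonymous callers may only reach {@link AuthorizedLevel#None} operations, plus
 *       {@link AuthorizedLevel#Read} operations when anonymous read access is configured;</li>
 *   <li>authenticated callers pass on {@code None}, on the admin override, on configured
 *       authenticated read access, and otherwise must satisfy RBAC and OBAC where each is enabled.</li>
 * </ol>
 * Denials surface as {@link UnauthorizedException} (no credentials), {@link ForbiddenException}
 * or {@link TenantNotAuthorizedException} (credentials present but insufficient).
 */
@Priority(2000)
@Authorized
@Interceptor
/* loaded from: input_file:io/apicurio/registry/auth/AuthorizedInterceptor.class */
public class AuthorizedInterceptor {

    @Inject
    Logger log;

    @Inject
    AuthConfig authConfig;

    @Inject
    SecurityIdentity securityIdentity;

    @Inject
    Instance<JsonWebToken> jsonWebToken;

    @Inject
    AdminOverride adminOverride;

    @Inject
    RoleBasedAccessController rbac;

    @Inject
    OwnerBasedAccessController obac;

    @Inject
    MultitenancyProperties mtProperties;

    @Inject
    TenantContext tenantContext;

    // Claim names tried in order; the first one present in the token supplies the organization id.
    @ConfigProperty(name = "registry.organization-id.claim-name")
    @Info(category = "mt", description = "Organization ID claim name", availableSince = "2.1.0.Final")
    List<String> organizationIdClaims;

    /**
     * Interceptor entry point; see the class documentation for the order of checks.
     *
     * @param invocationContext the intercepted invocation
     * @return the result of the intercepted method, when access is granted
     * @throws ForbiddenException if the tenant is not resolved, application RBAC is required but
     *         disabled, or the authenticated caller fails the RBAC/OBAC checks
     * @throws UnauthorizedException if credentials are required but missing
     * @throws TenantNotAuthorizedException if the caller's organization does not match the tenant
     * @throws IllegalStateException if the intercepted method carries no {@link Authorized} annotation
     * @throws Exception anything thrown by the intercepted method itself
     */
    @AroundInvoke
    public Object authorizeMethod(InvocationContext invocationContext) throws Exception {
        enforceTenantAccess();
        rejectRoleMappingOperationsWithoutApplicationRbac(invocationContext);

        // Authentication disabled: none of the identity-based checks below can be evaluated.
        if (!this.authConfig.authenticationEnabled) {
            return invocationContext.proceed();
        }
        this.log.trace("Authentication enabled, protected resource: " + invocationContext.getMethod());

        AuthorizedLevel level = requiredLevel(invocationContext);
        if (this.securityIdentity == null || this.securityIdentity.isAnonymous()) {
            return proceedAsAnonymous(invocationContext, level);
        }
        return proceedAsAuthenticated(invocationContext, level);
    }

    /** Step 1: in a multitenant deployment the tenant must be resolved and, if configured, authorized. */
    private void enforceTenantAccess() {
        if (!this.mtProperties.isMultitenancyEnabled()) {
            return;
        }
        if (!this.tenantContext.isLoaded()) {
            this.log.warn("Request is rejected because the tenant could not be found, and access to default tenant is disabled in a multitenant deployment");
            throw new ForbiddenException("Default tenant access is not allowed in multitenancy mode.");
        }
        if (this.mtProperties.isMultitenancyAuthorizationEnabled()) {
            checkTenantAuthorization(this.tenantContext.currentContext());
        }
    }

    /** Step 2: role-mapping endpoints are only meaningful when RBAC is managed by the application. */
    private void rejectRoleMappingOperationsWithoutApplicationRbac(InvocationContext invocationContext) {
        boolean roleMappingOperation =
                invocationContext.getMethod().getAnnotation(RoleBasedAccessApiOperation.class) != null;
        if (roleMappingOperation && !this.authConfig.isApplicationRbacEnabled()) {
            this.log.warn("Access to /admin/roleMappings denied because application managed RBAC is not enabled.");
            throw new ForbiddenException("Application RBAC not enabled.");
        }
    }

    /**
     * Reads the {@link Authorized} level of the intercepted method. The binding annotation is
     * expected on the method itself; if it is absent (for instance because only the class was
     * annotated) we fail closed with an explicit error instead of a NullPointerException, so the
     * cause is visible in the logs and the method is still not invoked.
     */
    private AuthorizedLevel requiredLevel(InvocationContext invocationContext) {
        Authorized authorized = invocationContext.getMethod().getAnnotation(Authorized.class);
        if (authorized == null) {
            this.log.warn("Protected method {} carries no @Authorized annotation; refusing access.", invocationContext.getMethod());
            throw new IllegalStateException("Missing @Authorized annotation on " + invocationContext.getMethod());
        }
        return authorized.level();
    }

    /** Anonymous callers: only unprotected operations, plus read-only ones when explicitly configured. */
    private Object proceedAsAnonymous(InvocationContext invocationContext, AuthorizedLevel level) throws Exception {
        if (level == AuthorizedLevel.None) {
            this.log.trace("Anonymous user is being granted access to unprotected operation.");
            return invocationContext.proceed();
        }
        if (this.authConfig.anonymousReadAccessEnabled.get() && level == AuthorizedLevel.Read) {
            this.log.trace("Anonymous user is being granted access to read-only operation.");
            return invocationContext.proceed();
        }
        this.log.warn("Authentication credentials missing and required for protected endpoint.");
        throw new UnauthorizedException("User is not authenticated.");
    }

    /** Authenticated callers: admin override, configured read access, then RBAC and OBAC where enabled. */
    private Object proceedAsAuthenticated(InvocationContext invocationContext, AuthorizedLevel level) throws Exception {
        String principalId = this.securityIdentity.getPrincipal().getName();
        this.log.trace("principalId:" + principalId);
        if (level == AuthorizedLevel.None) {
            return invocationContext.proceed();
        }
        if (this.adminOverride.isAdmin()) {
            this.log.trace("Admin override successful.");
            return invocationContext.proceed();
        }
        if (this.authConfig.authenticatedReadAccessEnabled.get() && level == AuthorizedLevel.Read) {
            return invocationContext.proceed();
        }
        if (this.authConfig.roleBasedAuthorizationEnabled && !this.rbac.isAuthorized(invocationContext)) {
            this.log.warn("RBAC enabled and required role missing.");
            throw notAuthorized(principalId);
        }
        if (this.authConfig.ownerOnlyAuthorizationEnabled.get() && !this.obac.isAuthorized(invocationContext)) {
            this.log.warn("OBAC enabled and operation not permitted due to wrong owner.");
            throw notAuthorized(principalId);
        }
        return invocationContext.proceed();
    }

    /** Single definition of the denial message shared by the RBAC and OBAC branches. */
    private static ForbiddenException notAuthorized(String principalId) {
        return new ForbiddenException("User " + principalId + " is not authorized to perform the requested operation.");
    }

    /**
     * Verifies that the bearer of the current JWT belongs to the organization owning the tenant.
     * Requests without a resolvable token are let through here on purpose: some endpoints accept
     * anonymous callers, and {@link #authorizeMethod} still applies the per-method level to them.
     *
     * @param apicurioTenantContext the resolved tenant; {@code null} imposes no organization restriction
     * @throws TenantNotAuthorizedException if no organization claim is present or it does not match
     */
    private void checkTenantAuthorization(ApicurioTenantContext apicurioTenantContext) {
        if (!this.authConfig.isAuthEnabled()) {
            return;
        }
        if (!isTokenResolvable()) {
            this.log.debug("Tenant access attempted without JWT token for tenant {} [allowing because some endpoints allow anonymous access]", apicurioTenantContext.getTenantId());
            return;
        }
        String organizationId = organizationIdFromToken();
        // A token carrying none of the configured claims is rejected rather than waved through.
        if (organizationId == null || !tenantCanAccessOrganization(apicurioTenantContext, organizationId)) {
            this.log.warn("User not authorized to access tenant.");
            throw new TenantNotAuthorizedException("Tenant not authorized");
        }
    }

    /**
     * Returns the value of the first configured organization-id claim present in the current
     * token, or {@code null} when none of them is present.
     */
    private String organizationIdFromToken() {
        JsonWebToken token = this.jsonWebToken.get();
        for (String claimName : this.organizationIdClaims) {
            Optional<Object> claim = token.claim(claimName);
            if (claim.isPresent()) {
                // The claim is expected to be a plain string; any other JSON type makes this cast throw,
                // which propagates out of the interceptor without invoking the protected method.
                return (String) claim.get();
            }
        }
        return null;
    }

    /** True when a JWT bean can be resolved and it actually carries a raw token. */
    private boolean isTokenResolvable() {
        if (!this.jsonWebToken.isResolvable()) {
            return false;
        }
        return this.jsonWebToken.get().getRawToken() != null;
    }

    /**
     * A {@code null} tenant context imposes no restriction; otherwise the claim value must equal
     * the tenant's organization id exactly.
     */
    private boolean tenantCanAccessOrganization(ApicurioTenantContext apicurioTenantContext, String organizationId) {
        return apicurioTenantContext == null || organizationId.equals(apicurioTenantContext.getOrganizationId());
    }
}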
