package io.imunity.scim.user;

import io.imunity.scim.SCIMSystemScopeProvider;
import io.imunity.scim.config.AttributeDefinitionWithMapping;
import io.imunity.scim.config.SCIMEndpointDescription;
import java.util.Objects;
import java.util.Set;
import java.util.function.Predicate;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.apache.logging.log4j.Logger;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
import pl.edu.icm.unity.base.utils.Log;
import pl.edu.icm.unity.engine.api.AuthorizationManagement;
import pl.edu.icm.unity.engine.api.authn.AuthorizationException;
import pl.edu.icm.unity.engine.api.authn.InvocationContext;

/* loaded from: input_file:io/imunity/scim/user/UserAuthzService.class */
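/**
 * Authorization decisions for the SCIM {@code /Users} resource of one SCIM endpoint.
 *
 * <p>Two kinds of callers are distinguished by {@link InvocationContext#getInvocationMaterial()}:
 * <ul>
 *   <li>{@code DIRECT} (e.g. an authenticated session / API client): the engine's
 *       {@link AuthorizationManagement} decides, with a narrow self-read fallback for members of
 *       the endpoint's root group.</li>
 *   <li>{@code OAUTH_DELEGATION}: the caller may only read its own record, must be a member of the
 *       endpoint's root group, and the token must carry a SCIM scope that covers user data.
 *       Listing users is never allowed.</li>
 *   <li>Any other material is denied (fail closed).</li>
 * </ul>
 *
 * <p>Every denial surfaces as {@link AuthorizationException} with the same generic message; the
 * concrete reason is written only to the debug log so the HTTP response does not reveal which
 * check failed.
 */
class UserAuthzService {
    private static final Logger log = Log.getLogger("unity.server.scim", UserAuthzService.class);

    /**
     * The only message ever handed back to a denied caller. It is deliberately identical for
     * every denial reason (unsupported material, not self, missing group, missing scope).
     */
    private static final String ACCESS_DENIED = "Access is denied";

    private final AuthorizationManagement authzMan;
    private final SCIMEndpointDescription configuration;

    /** Spring-managed factory that binds the shared {@link AuthorizationManagement} to a per-endpoint service. */
    @Component
    static class SCIMUserAuthzServiceFactory {
        private final AuthorizationManagement authzMan;

        @Autowired
        SCIMUserAuthzServiceFactory(AuthorizationManagement authorizationManagement) {
            this.authzMan = authorizationManagement;
        }

        /**
         * Creates an authorization service for one SCIM endpoint.
         *
         * @param sCIMEndpointDescription endpoint configuration; its root group and membership
         *                                attribute names drive every decision made by the service
         */
        public UserAuthzService getService(SCIMEndpointDescription sCIMEndpointDescription) {
            return new UserAuthzService(this.authzMan, sCIMEndpointDescription);
        }
    }

    UserAuthzService(AuthorizationManagement authorizationManagement, SCIMEndpointDescription sCIMEndpointDescription) {
        this.authzMan = authorizationManagement;
        this.configuration = sCIMEndpointDescription;
    }

    /**
     * Authorizes a read of a single SCIM user resource.
     *
     * @param entityId the entity whose record is requested
     * @param groups   group paths consulted for root-group membership; presumably the target
     *                 user's memberships (TODO confirm with the caller). Note that this set is only
     *                 ever consulted after the target has been established to be the caller itself.
     * @throws AuthorizationException on any denial, always with the generic message
     */
    public void checkReadUser(long entityId, Set<String> groups) throws AuthorizationException {
        InvocationContext current = InvocationContext.getCurrent();
        // Dispatch on the enum constants themselves; unknown material is denied (fail closed).
        switch (current.getInvocationMaterial()) {
            case DIRECT:
                checkReadUserWithDirectInvocationMaterial(entityId, current, groups);
                return;
            case OAUTH_DELEGATION:
                checkReadUserWithOAuthInvocationMaterial(entityId, current, groups);
                return;
            default:
                log.debug("Access is denied. Unsupported invocation material");
                throw new AuthorizationException(ACCESS_DENIED);
        }
    }

    /**
     * Direct access: the engine's capability check is authoritative. If it denies, the only
     * remaining way in is a caller reading its OWN record while being a member of the endpoint's
     * root group. Any other caller is refused.
     */
    private void checkReadUserWithDirectInvocationMaterial(long entityId, InvocationContext invocationContext,
            Set<String> groups) throws AuthorizationException {
        long callerEntityId = invocationContext.getLoginSession().getEntityId();
        boolean selfAccess = entityId == callerEntityId;
        try {
            this.authzMan.checkReadCapability(selfAccess, this.configuration.rootGroup);
        } catch (AuthorizationException e) {
            // Self-read fallback for ordinary members of the SCIM root group.
            if (selfAccess && groups.contains(this.configuration.rootGroup)) {
                return;
            }
            // The engine's reason is intentionally not propagated to the caller.
            log.debug("Access is denied. Caller not a member of root SCIM group");
            throw new AuthorizationException(ACCESS_DENIED);
        }
    }

    /**
     * OAuth delegation: three independent conditions must all hold — the record is the caller's
     * own, the caller is a member of the endpoint's root group, and the token carries at least
     * one SCIM scope that covers user data ({@code READ_SELF_GROUP_SCOPE} alone is not enough).
     */
    private void checkReadUserWithOAuthInvocationMaterial(long entityId, InvocationContext invocationContext,
            Set<String> groups) throws AuthorizationException {
        if (entityId != invocationContext.getLoginSession().getEntityId()) {
            log.debug("Access is denied. Caller wants to read data that is not his own");
            throw new AuthorizationException(ACCESS_DENIED);
        }
        if (!groups.contains(this.configuration.rootGroup)) {
            log.debug("Access is denied. Caller not a member of root SCIM group");
            throw new AuthorizationException(ACCESS_DENIED);
        }
        Set<String> userReadScopes = userReadScopes();
        boolean hasUserReadScope = invocationContext.getScopes().stream().anyMatch(userReadScopes::contains);
        if (!hasUserReadScope) {
            log.debug("Access is denied. Client does not have the required scopes");
            throw new AuthorizationException(ACCESS_DENIED);
        }
    }

    /**
     * SCIM system scopes that entitle a token to read a user resource: every system scope except
     * {@code READ_SELF_GROUP_SCOPE}, which only covers the caller's own group listing.
     */
    private static Set<String> userReadScopes() {
        return SCIMSystemScopeProvider.getScopeNames().stream()
                .filter(scope -> !scope.equals(SCIMSystemScopeProvider.READ_SELF_GROUP_SCOPE))
                .collect(Collectors.toSet());
    }

    /**
     * Authorizes listing/searching users. Only direct access is accepted, and it needs full
     * (non-self) read capability on the endpoint's root group; a delegated OAuth token can never
     * enumerate users regardless of its scopes.
     *
     * @throws AuthorizationException when the caller is not a direct, sufficiently privileged one
     */
    public void checkReadUsers() throws AuthorizationException {
        if (InvocationContext.getCurrent().getInvocationMaterial() != InvocationContext.InvocationMaterial.DIRECT) {
            log.debug("Access is denied. Reading users is available only via direct access");
            throw new AuthorizationException(ACCESS_DENIED);
        }
        // Listing is never a self-access.
        this.authzMan.checkReadCapability(false, this.configuration.rootGroup);
    }

    /**
     * Attribute-level minimization for the response. This does not authorize anything by itself;
     * it is meant to be applied after {@link #checkReadUser} / {@link #checkReadUsers} passed.
     *
     * <p>Direct callers see every mapped attribute. Delegated callers see membership attributes
     * (those named in {@code configuration.membershipAttributes}) only with
     * {@code READ_MEMBERSHIPS_SCOPE} and every other attribute only with {@code READ_PROFILE_SCOPE};
     * with neither scope the predicate rejects everything.
     *
     * @return predicate that is {@code true} for attributes the current caller may receive
     */
    public Predicate<AttributeDefinitionWithMapping> getFilter() {
        InvocationContext current = InvocationContext.getCurrent();
        if (current.getInvocationMaterial() == InvocationContext.InvocationMaterial.DIRECT) {
            return attribute -> true;
        }
        boolean profileAllowed = current.getScopes().contains(SCIMSystemScopeProvider.READ_PROFILE_SCOPE);
        boolean membershipsAllowed = current.getScopes().contains(SCIMSystemScopeProvider.READ_MEMBERSHIPS_SCOPE);
        return attribute -> {
            boolean isMembershipAttribute =
                    this.configuration.membershipAttributes.contains(attribute.attributeDefinition.name);
            return isMembershipAttribute ? membershipsAllowed : profileAllowed;
        };
    }
}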
