package org.commandmosaic.security.interceptor;

import com.google.common.cache.CacheBuilder;
import com.google.common.cache.CacheLoader;
import com.google.common.cache.LoadingCache;
import com.google.common.util.concurrent.UncheckedExecutionException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.ExecutionException;
import java.util.stream.Stream;
import org.commandmosaic.api.Command;
import org.commandmosaic.api.CommandContext;
import org.commandmosaic.api.executor.ParameterSource;
import org.commandmosaic.api.interceptor.CommandInterceptor;
import org.commandmosaic.api.interceptor.InterceptorChain;
import org.commandmosaic.security.AccessDeniedException;
import org.commandmosaic.security.AuthenticationException;
import org.commandmosaic.security.annotation.RestrictedAccess;
import org.commandmosaic.security.annotation.UnauthenticatedAccess;

/* loaded from: input_file:org/commandmosaic/security/interceptor/AbstractSecurityCommandInterceptor.class */
public abstract class AbstractSecurityCommandInterceptor implements CommandInterceptor {
    private final LoadingCache<Class<?>, Boolean> unauthenticatedAccessCache = CacheBuilder.newBuilder().softValues().build(new CacheLoader<Class<?>, Boolean>() { // from class: org.commandmosaic.security.interceptor.AbstractSecurityCommandInterceptor.1
        public Boolean load(Class<?> cls) {
            return AbstractSecurityCommandInterceptor.this.loadUnauthenticatedAccess(cls);
        }
    });
    private final LoadingCache<Class<?>, Set<String>> commandRequiredRolesCache = CacheBuilder.newBuilder().softValues().build(new CacheLoader<Class<?>, Set<String>>() { // from class: org.commandmosaic.security.interceptor.AbstractSecurityCommandInterceptor.2
        public Set<String> load(Class<?> cls) {
            return AbstractSecurityCommandInterceptor.this.loadCommandRequiredRoles(cls);
        }
    });

    private Set<String> loadCommandRequiredRoles(Class<?> cls) {
        RestrictedAccess restrictedAccess = (RestrictedAccess) cls.getAnnotation(RestrictedAccess.class);
        if (restrictedAccess == null) {
            throw new IllegalStateException("When security is used, a class must be either annotated with @UnauthenticatedAccess or @RestrictedAccess");
        }
        String[] requiredRoles = restrictedAccess.requiredRoles();
        return (requiredRoles == null || requiredRoles.length == 0) ? Collections.emptySet() : new HashSet(Arrays.asList(requiredRoles));
    }

    private Boolean loadUnauthenticatedAccess(Class<?> cls) {
        UnauthenticatedAccess unauthenticatedAccess = (UnauthenticatedAccess) cls.getAnnotation(UnauthenticatedAccess.class);
        if (unauthenticatedAccess == null || cls.getAnnotation(RestrictedAccess.class) == null) {
            return Boolean.valueOf(unauthenticatedAccess != null);
        }
        throw new IllegalStateException("Both @UnauthenticatedAccess and @RestrictedAccess are present on " + cls);
    }

    public final <R, C extends Command<R>> R intercept(Class<C> cls, ParameterSource parameterSource, CommandContext commandContext, InterceptorChain interceptorChain) {
        checkAccess(cls, parameterSource, commandContext);
        return (R) interceptorChain.execute(cls, parameterSource, commandContext);
    }

    private <R, C extends Command<R>> void checkAccess(Class<C> cls, ParameterSource parameterSource, CommandContext commandContext) throws AuthenticationException, AccessDeniedException {
        try {
            Boolean bool = (Boolean) this.unauthenticatedAccessCache.get(cls);
            Objects.requireNonNull(bool, "unauthenticatedAccess cannot be null");
            if (!bool.booleanValue()) {
                try {
                    checkAuthorization(cls, (Set) this.commandRequiredRolesCache.get(cls), attemptLogin(commandContext));
                } catch (AuthenticationException e) {
                    throw new AccessDeniedException("Access Denied: " + cls.getName() + ": authentication failure", e);
                }
            }
        } catch (ExecutionException | UncheckedExecutionException e2) {
            throw new IllegalStateException("Failed to fetch command security metadata for " + cls, e2);
        }
    }

    protected <R, C extends Command<R>> void checkAuthorization(Class<C> cls, Set<String> set, Set<String> set2) {
        if (set.isEmpty()) {
            return;
        }
        if (set2 != null) {
            Stream<String> stream = set2.stream();
            Objects.requireNonNull(set);
            if (!stream.noneMatch((v1) -> {
                return r1.contains(v1);
            })) {
                return;
            }
        }
        throw new AccessDeniedException("Access Denied: " + cls.getName());
    }

    protected abstract Set<String> attemptLogin(CommandContext commandContext) throws AuthenticationException;
}
