package com.netflix.spinnaker.fiat.permissions;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.UnmodifiableIterator;
import com.netflix.spinnaker.fiat.config.AccountManagerConfig;
import com.netflix.spinnaker.fiat.config.FiatAdminConfig;
import com.netflix.spinnaker.fiat.config.UnrestrictedResourceConfig;
import com.netflix.spinnaker.fiat.model.UserPermission;
import com.netflix.spinnaker.fiat.model.resources.Resource;
import com.netflix.spinnaker.fiat.model.resources.Role;
import com.netflix.spinnaker.fiat.model.resources.ServiceAccount;
import com.netflix.spinnaker.fiat.providers.ProviderException;
import com.netflix.spinnaker.fiat.providers.ResourceProvider;
import com.netflix.spinnaker.fiat.roles.UserRolesProvider;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.function.Function;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import lombok.NonNull;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.stereotype.Component;

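/**
 * Default {@link PermissionsResolver}. Turns a user id (plus any roles supplied with it) into a
 * {@link UserPermission} by loading roles from the {@link UserRolesProvider} and asking every
 * registered {@link ResourceProvider} which resources those roles grant.
 *
 * <p>Points a reviewer of authorization code should keep in mind:
 *
 * <ul>
 *   <li>Roles carried on an {@link ExternalUser} are unioned with the provider's roles as-is.
 *       Nothing in this class validates them, so callers must only populate them from an
 *       authenticated source.
 *   <li>Admin and account-manager status is decided purely by role-name membership in the
 *       injected configuration objects.
 *   <li>A {@link ProviderException} from any provider aborts resolution with a
 *       {@link PermissionResolutionException}; no partially built permission is returned.
 * </ul>
 */
@Component
public class DefaultPermissionsResolver implements PermissionsResolver {
    private static final Logger log = LoggerFactory.getLogger(DefaultPermissionsResolver.class);
    private final UserRolesProvider userRolesProvider;
    private final ResourceProvider<ServiceAccount> serviceAccountProvider;
    private final ImmutableList<ResourceProvider<? extends Resource>> resourceProviders;
    private final FiatAdminConfig fiatAdminConfig;
    private final AccountManagerConfig accountManagerConfig;
    private final ObjectMapper mapper;

    /**
     * Wires the resolver with its collaborators.
     *
     * @param userRolesProvider source of role membership for users
     * @param resourceProvider provider of the known service accounts
     * @param list all resource providers to consult; copied into an immutable list
     * @param fiatAdminConfig configuration naming the roles that confer admin status
     * @param accountManagerConfig configuration naming the roles that confer account-manager status
     * @param objectMapper mapper used only to pretty-print roles in debug logging
     */
    @Autowired
    public DefaultPermissionsResolver(UserRolesProvider userRolesProvider, ResourceProvider<ServiceAccount> resourceProvider, List<ResourceProvider<? extends Resource>> list, FiatAdminConfig fiatAdminConfig, AccountManagerConfig accountManagerConfig, @Qualifier("objectMapper") ObjectMapper objectMapper) {
        this.userRolesProvider = userRolesProvider;
        this.serviceAccountProvider = resourceProvider;
        // Snapshot the provider list so later changes to the caller's list cannot alter which
        // providers take part in authorization decisions.
        this.resourceProviders = ImmutableList.copyOf(list);
        this.fiatAdminConfig = fiatAdminConfig;
        this.accountManagerConfig = accountManagerConfig;
        this.mapper = objectMapper;
    }

    /**
     * Resolves the permission of the built-in unrestricted user from the roles the
     * {@link UserRolesProvider} reports as unrestricted.
     *
     * @return the unrestricted user's permission
     */
    @Override // com.netflix.spinnaker.fiat.permissions.PermissionsResolver
    public UserPermission resolveUnrestrictedUser() {
        Set<Role> unrestrictedRoles = new HashSet<>(this.userRolesProvider.loadUnrestrictedRoles());
        return getUserPermission(UnrestrictedResourceConfig.UNRESTRICTED_USERNAME, unrestrictedRoles);
    }

    /**
     * Resolves a single user known only by id (no externally supplied roles).
     *
     * @param str the user id; must not be null
     * @return the resolved permission
     * @throws IllegalArgumentException if {@code str} is null
     * @throws PermissionResolutionException if a role or resource provider fails
     */
    @Override // com.netflix.spinnaker.fiat.permissions.PermissionsResolver
    public UserPermission resolve(@NonNull String str) {
        if (str == null) {
            throw new IllegalArgumentException("userId is marked non-null but is null");
        }
        return resolveAndMerge(new ExternalUser().setId(str));
    }

    /**
     * Resolves a single user, merging the roles loaded from the {@link UserRolesProvider} with the
     * roles already attached to {@code externalUser}.
     *
     * @param externalUser the user to resolve; must not be null
     * @return the resolved permission
     * @throws IllegalArgumentException if {@code externalUser} is null
     * @throws PermissionResolutionException if a role or resource provider fails
     */
    @Override // com.netflix.spinnaker.fiat.permissions.PermissionsResolver
    public UserPermission resolveAndMerge(@NonNull ExternalUser externalUser) {
        if (externalUser == null) {
            throw new IllegalArgumentException("user is marked non-null but is null");
        }
        try {
            // Parameterized logging: no string building when debug is off.
            // NOTE(review): the user id is caller-supplied; if it can contain line breaks the
            // log layout should encode them so entries cannot be forged.
            log.debug("Loading roles for user {}", externalUser);
            List<Role> loadedRoles = this.userRolesProvider.loadRoles(externalUser);
            log.debug("Got roles {} for user {}", loadedRoles, externalUser);
            // External roles are trusted as supplied: they are unioned with the provider's roles
            // and feed directly into the admin check and the resource lookup.
            Set<Role> mergedRoles = Stream.concat(loadedRoles.stream(), externalUser.getExternalRoles().stream()).collect(Collectors.toSet());
            return getUserPermission(externalUser.getId(), mergedRoles);
        } catch (ProviderException e) {
            throw new PermissionResolutionException("Failed to resolve user permission for user " + externalUser.getId(), e);
        }
    }

    /** Asks every registered resource provider to drop its cache. */
    @Override // com.netflix.spinnaker.fiat.permissions.PermissionsResolver
    public void clearCache() {
        this.resourceProviders.forEach(ResourceProvider::clearCache);
    }

    /**
     * Reports whether any of {@code roles} is named in the configured admin roles. Names are
     * compared with {@code equals}; an empty configuration therefore never grants admin.
     */
    private boolean hasAdminRole(Set<Role> roles) {
        Set<String> adminRoleNames = Set.copyOf(this.fiatAdminConfig.getAdmin().getRoles());
        Set<String> userRoleNames = roles.stream().map(Role::getName).collect(Collectors.toSet());
        return !Collections.disjoint(adminRoleNames, userRoleNames);
    }

    /**
     * Reports whether any of {@code roles} is named in the configured account-manager roles,
     * using the same {@code equals}-based name comparison as {@link #hasAdminRole(Set)}.
     */
    private boolean hasAccountManagerRole(Set<Role> roles) {
        Set<String> managerRoleNames = Set.copyOf(this.accountManagerConfig.getRoles());
        Set<String> userRoleNames = roles.stream().map(Role::getName).collect(Collectors.toSet());
        return !Collections.disjoint(managerRoleNames, userRoleNames);
    }

    /**
     * Builds the permission for one user from an already merged role set.
     *
     * <p>Restricted resources are looked up only when {@code roles} is non-empty. Unrestricted
     * resources are added only when {@code userId} matches the unrestricted username.
     *
     * @throws PermissionResolutionException if any provider throws {@link ProviderException}
     */
    // Raw ResourceProvider is deliberate: the providers are typed with a wildcard and their
    // results are handed straight to UserPermission#addResources.
    @SuppressWarnings({"rawtypes", "unchecked"})
    private UserPermission getUserPermission(String userId, Set<Role> roles) {
        UserPermission permission = new UserPermission().setId(userId).setRoles(roles).setAdmin(hasAdminRole(roles)).setAccountManager(hasAccountManagerRole(roles));
        // NOTE(review): the match is case-insensitive, so an id differing from the unrestricted
        // username only by case is treated as that user; confirm identity providers cannot
        // issue such an id.
        boolean isUnrestrictedUser = UnrestrictedResourceConfig.UNRESTRICTED_USERNAME.equalsIgnoreCase(userId);
        for (ResourceProvider provider : this.resourceProviders) {
            try {
                if (isUnrestrictedUser) {
                    permission.addResources(provider.getAllUnrestricted());
                }
                if (!roles.isEmpty()) {
                    permission.addResources(provider.getAllRestricted(userId, roles, permission.isAdmin()));
                }
            } catch (ProviderException e) {
                // Fail the whole resolution rather than return a permission with gaps.
                throw new PermissionResolutionException(String.format("permission resolution failed from provider %s", provider.getClass().getSimpleName()), e);
            }
        }
        return permission;
    }

    /**
     * Resolves many users at once.
     *
     * <p>Users whose id matches a known service account are not sent to the
     * {@link UserRolesProvider}; their roles are taken from the {@link ExternalUser} itself. The
     * service-account provider is consulted only to decide which ids are service accounts.
     *
     * <p>The supplied collection is read but not modified, so immutable collections are accepted.
     *
     * @param collection the users to resolve; must not be null
     * @return resolved permissions keyed by user id
     * @throws IllegalArgumentException if {@code collection} is null
     * @throws IllegalStateException if two service-account entries share an id
     * @throws PermissionResolutionException if a resource provider fails
     */
    @Override // com.netflix.spinnaker.fiat.permissions.PermissionsResolver
    public Map<String, UserPermission> resolve(@NonNull Collection<ExternalUser> collection) {
        if (collection == null) {
            throw new IllegalArgumentException("users is marked non-null but is null");
        }
        Map<String, Collection<Role>> serviceAccountRoles = getServiceAccountRoles();
        // Split into service accounts and regular users without touching the caller's collection.
        Map<Boolean, List<ExternalUser>> byKind = collection.stream().collect(Collectors.partitioningBy(user -> serviceAccountRoles.containsKey(user.getId())));
        List<ExternalUser> serviceAccounts = byKind.get(true);
        List<ExternalUser> regularUsers = byKind.get(false);

        Map<String, Collection<Role>> userToRoles = new HashMap<>();
        if (!regularUsers.isEmpty()) {
            userToRoles.putAll(getAndMergeUserRoles(regularUsers));
        }
        // toMap without a merge function: duplicate service-account ids fail loudly instead of
        // silently picking or combining role sets.
        userToRoles.putAll(serviceAccounts.stream().collect(Collectors.toMap(ExternalUser::getId, ExternalUser::getExternalRoles)));
        return resolveResources(userToRoles);
    }

    /**
     * Loads every service account from the service-account provider and maps its id to its roles.
     *
     * @throws IllegalStateException if two service accounts resolve to the same id
     */
    private Map<String, Collection<Role>> getServiceAccountRoles() {
        return this.serviceAccountProvider.getAll().stream()
                .map(ServiceAccount::toUserPermission)
                .collect(Collectors.toMap(UserPermission::getId, UserPermission::getRoles));
    }

    /**
     * Bulk-loads roles for {@code users} and adds each user's external roles to the result.
     *
     * <p>The provider's map and role collections are copied before merging, so external roles
     * are never written into collections the provider may share, cache or have made immutable.
     *
     * @param users the users to load; must not be null
     * @return a fresh map of user id to merged roles
     * @throws IllegalArgumentException if {@code users} is null
     */
    private Map<String, Collection<Role>> getAndMergeUserRoles(@NonNull Collection<ExternalUser> users) {
        if (users == null) {
            throw new IllegalArgumentException("users is marked non-null but is null");
        }
        Map<String, Collection<Role>> mergedRoles = new HashMap<>();
        this.userRolesProvider.multiLoadRoles(users).forEach((userId, roles) -> {
            // A null value is treated like a missing entry.
            Collection<Role> copy = roles == null ? new ArrayList<Role>() : new ArrayList<Role>(roles);
            mergedRoles.put(userId, copy);
        });
        for (ExternalUser user : users) {
            mergedRoles.computeIfAbsent(user.getId(), id -> new ArrayList<>()).addAll(user.getExternalRoles());
        }
        if (log.isDebugEnabled()) {
            try {
                log.debug("Multi-loaded roles: \n{}", this.mapper.writerWithDefaultPrettyPrinter().writeValueAsString(mergedRoles));
            } catch (Exception e) {
                // Best effort: a serialization problem in diagnostics must not fail resolution.
                log.debug("Exception writing roles", e);
            }
        }
        return mergedRoles;
    }

    /**
     * Builds a {@link UserPermission} for every entry of a user-id-to-roles map.
     *
     * <p>Unlike the single-user path, resource providers are queried here even when a user's role
     * set is empty.
     *
     * @param map roles keyed by user id; must not be null
     * @return resolved permissions keyed by user id
     * @throws IllegalArgumentException if {@code map} is null
     * @throws PermissionResolutionException if a resource provider fails
     */
    @Override // com.netflix.spinnaker.fiat.permissions.PermissionsResolver
    public Map<String, UserPermission> resolveResources(@NonNull Map<String, Collection<Role>> map) {
        if (map == null) {
            throw new IllegalArgumentException("userToRoles is marked non-null but is null");
        }
        return map.entrySet().stream()
                .map(entry -> {
                    String userId = entry.getKey();
                    // Copy into a set so duplicate roles collapse and the caller's collection is untouched.
                    Set<Role> roles = new HashSet<>(entry.getValue());
                    boolean isAdmin = hasAdminRole(roles);
                    return new UserPermission().setId(userId).setRoles(roles).setAdmin(isAdmin).setAccountManager(hasAccountManagerRole(roles)).addResources(getResources(userId, roles, isAdmin));
                })
                .collect(Collectors.toMap(UserPermission::getId, Function.identity()));
    }

    /**
     * Collects the restricted resources every provider grants to the given user and roles.
     *
     * @throws PermissionResolutionException if any provider throws {@link ProviderException}
     */
    private Set<Resource> getResources(String userId, Set<Role> roles, boolean isAdmin) {
        Set<Resource> resources = new HashSet<>();
        for (ResourceProvider<? extends Resource> provider : this.resourceProviders) {
            try {
                resources.addAll(provider.getAllRestricted(userId, roles, isAdmin));
            } catch (ProviderException e) {
                // Abort instead of returning a resource set that is missing one provider's view.
                throw new PermissionResolutionException(String.format("resource lookup failed from provider %s", provider.getClass().getSimpleName()), e);
            }
        }
        return resources;
    }
}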
