package io.digdag.server;

import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.jaxrs.json.JacksonJsonProvider;
import com.google.inject.Inject;
import com.google.inject.Scopes;
import com.google.inject.multibindings.Multibinder;
import io.digdag.client.DigdagVersion;
import io.digdag.client.config.ConfigException;
import io.digdag.core.crypto.SecretCrypto;
import io.digdag.core.crypto.SecretCryptoProvider;
import io.digdag.core.database.DatabaseSecretControlStoreManager;
import io.digdag.core.database.DatabaseSecretStoreManager;
import io.digdag.core.repository.ModelValidationException;
import io.digdag.core.repository.ResourceConflictException;
import io.digdag.core.repository.ResourceLimitExceededException;
import io.digdag.core.repository.ResourceNotFoundException;
import io.digdag.guice.rs.GuiceRsModule;
import io.digdag.server.ac.DefaultAccessController;
import io.digdag.server.auth.BasicAuthenticatorFactory;
import io.digdag.server.rs.AdminResource;
import io.digdag.server.rs.AdminRestricted;
import io.digdag.server.rs.AttemptResource;
import io.digdag.server.rs.LogResource;
import io.digdag.server.rs.ProjectResource;
import io.digdag.server.rs.ScheduleResource;
import io.digdag.server.rs.SessionResource;
import io.digdag.server.rs.UiResource;
import io.digdag.server.rs.VersionResource;
import io.digdag.server.rs.WorkflowResource;
import io.digdag.spi.AuthenticatedUser;
import io.digdag.spi.Authenticator;
import io.digdag.spi.AuthenticatorFactory;
import io.digdag.spi.SecretControlStoreManager;
import io.digdag.spi.SecretStoreManager;
import io.digdag.spi.StorageFileNotFoundException;
import io.digdag.spi.ac.AccessControlException;
import io.digdag.spi.ac.AccessController;
import io.swagger.jaxrs.config.BeanConfig;
import io.swagger.jaxrs.listing.ApiListingResource;
import io.swagger.jaxrs.listing.SwaggerSerializers;
import java.io.IOException;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.ForbiddenException;
import javax.ws.rs.NotFoundException;
import javax.ws.rs.NotSupportedException;
import javax.ws.rs.Path;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.ContainerResponseContext;
import javax.ws.rs.container.ContainerResponseFilter;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/digdag/server/ServerModule.class */
public class ServerModule extends GuiceRsModule {
    private static final Logger logger = LoggerFactory.getLogger(ServerModule.class);
    private ServerConfig serverConfig;

    @Provider
    @AdminRestricted
    /* loaded from: input_file:io/digdag/server/ServerModule$AdminRestrictedFilter.class */
    public static class AdminRestrictedFilter implements ContainerRequestFilter {

        @Context
        private HttpServletRequest request;

        @Inject
        public AdminRestrictedFilter() {
        }

        public void filter(ContainerRequestContext containerRequestContext) throws IOException {
            Object property = containerRequestContext.getProperty("io.digdag.guice.rs.server.ListenAddress.name");
            if (property == null || !property.equals(ServerConfig.ADMIN_ADDRESS)) {
                throw new NotFoundException();
            }
            AuthenticatedUser authenticatedUser = (AuthenticatedUser) this.request.getAttribute("authenticatedUser");
            if (authenticatedUser == null || !authenticatedUser.isAdmin()) {
                throw new ForbiddenException();
            }
        }
    }

    @Provider
    /* loaded from: input_file:io/digdag/server/ServerModule$CorsFilter.class */
    public static class CorsFilter implements ContainerResponseFilter {
        public void filter(ContainerRequestContext containerRequestContext, ContainerResponseContext containerResponseContext) {
            containerResponseContext.getHeaders().add("Access-Control-Allow-Origin", "*");
            containerResponseContext.getHeaders().add("Access-Control-Allow-Headers", "origin, content-type, accept, authorization");
            containerResponseContext.getHeaders().add("Access-Control-Allow-Credentials", "true");
            containerResponseContext.getHeaders().add("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS, HEAD");
            containerResponseContext.getHeaders().add("Access-Control-Max-Age", "1209600");
        }
    }

    @Provider
    /* loaded from: input_file:io/digdag/server/ServerModule$CustomHeaderFilter.class */
    public static class CustomHeaderFilter implements ContainerResponseFilter {
        private final Map<String, String> headers;

        @Inject
        public CustomHeaderFilter(ServerConfig serverConfig) {
            this.headers = serverConfig.mo4getHeaders();
        }

        public void filter(ContainerRequestContext containerRequestContext, ContainerResponseContext containerResponseContext) {
            Map<String, String> map = this.headers;
            MultivaluedMap headers = containerResponseContext.getHeaders();
            headers.getClass();
            map.forEach((v1, v2) -> {
                r1.add(v1, v2);
            });
        }
    }

    /* loaded from: input_file:io/digdag/server/ServerModule$JsonProviderProvider.class */
    public static class JsonProviderProvider implements com.google.inject.Provider<JacksonJsonProvider> {
        private final ObjectMapper mapper;

        @Inject
        public JsonProviderProvider(ObjectMapper objectMapper) {
            this.mapper = objectMapper.copy();
            this.mapper.configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false);
        }

        /* renamed from: get, reason: merged with bridge method [inline-methods] */
        public JacksonJsonProvider m10get() {
            return new JacksonJsonProvider(this.mapper);
        }
    }

    @Path("/api/swagger.{type:json|yaml}")
    /* loaded from: input_file:io/digdag/server/ServerModule$SwaggerApiListingResource.class */
    public static class SwaggerApiListingResource extends ApiListingResource {
    }

    public ServerModule(ServerConfig serverConfig) {
        this.serverConfig = serverConfig;
    }

    public void configure() {
        GuiceRsModule.ApplicationBindingBuilder addProvider = bindApplication().matches(new String[]{"/api/*"}).addProvider(JacksonJsonProvider.class, JsonProviderProvider.class).addProvider(AuthRequestFilter.class).addProvider(CustomHeaderFilter.class).addProvider(AdminRestrictedFilter.class);
        bindResources(addProvider);
        bindAuthorization();
        bindAuthenticator();
        bindExceptionhandlers(addProvider);
        bindSecrets();
        bindUiApplication();
        if (this.serverConfig.getEnableSwagger()) {
            enableSwagger(addProvider);
        }
    }

    protected void bindSecrets() {
        binder().bind(SecretCrypto.class).toProvider(SecretCryptoProvider.class).in(Scopes.SINGLETON);
        binder().bind(SecretStoreManager.class).to(DatabaseSecretStoreManager.class).in(Scopes.SINGLETON);
        binder().bind(SecretControlStoreManager.class).to(DatabaseSecretControlStoreManager.class);
    }

    protected void bindResources(GuiceRsModule.ApplicationBindingBuilder applicationBindingBuilder) {
        applicationBindingBuilder.addResources(new Class[]{ProjectResource.class, WorkflowResource.class, ScheduleResource.class, SessionResource.class, AttemptResource.class, LogResource.class, VersionResource.class, AdminResource.class});
    }

    protected void bindAuthenticator() {
        Multibinder.newSetBinder(binder(), AuthenticatorFactory.class).addBinding().to(BasicAuthenticatorFactory.class).in(Scopes.SINGLETON);
        binder().bind(Authenticator.class).toProvider(AuthenticatorProvider.class).in(Scopes.SINGLETON);
    }

    protected void bindAuthorization() {
        binder().bind(AccessController.class).to(DefaultAccessController.class);
    }

    protected void bindExceptionhandlers(GuiceRsModule.ApplicationBindingBuilder applicationBindingBuilder) {
        applicationBindingBuilder.addProviderInstance(new GenericJsonExceptionHandler<AccessControlException>(Response.Status.FORBIDDEN) { // from class: io.digdag.server.ServerModule.10
        }).addProviderInstance(new GenericJsonExceptionHandler<ResourceNotFoundException>(Response.Status.NOT_FOUND) { // from class: io.digdag.server.ServerModule.9
        }).addProviderInstance(new GenericJsonExceptionHandler<StorageFileNotFoundException>(Response.Status.NOT_FOUND) { // from class: io.digdag.server.ServerModule.8
        }).addProviderInstance(new GenericJsonExceptionHandler<ResourceConflictException>(Response.Status.CONFLICT) { // from class: io.digdag.server.ServerModule.7
        }).addProviderInstance(new GenericJsonExceptionHandler<NotSupportedException>(Response.Status.BAD_REQUEST) { // from class: io.digdag.server.ServerModule.6
        }).addProviderInstance(new GenericJsonExceptionHandler<IOException>(Response.Status.BAD_REQUEST) { // from class: io.digdag.server.ServerModule.5
        }).addProviderInstance(new GenericJsonExceptionHandler<ModelValidationException>(Response.Status.BAD_REQUEST) { // from class: io.digdag.server.ServerModule.4
        }).addProviderInstance(new GenericJsonExceptionHandler<ConfigException>(Response.Status.BAD_REQUEST) { // from class: io.digdag.server.ServerModule.3
        }).addProviderInstance(new GenericJsonExceptionHandler<IllegalArgumentException>(Response.Status.BAD_REQUEST) { // from class: io.digdag.server.ServerModule.2
        }).addProviderInstance(new GenericJsonExceptionHandler<ResourceLimitExceededException>(Response.Status.BAD_REQUEST) { // from class: io.digdag.server.ServerModule.1
        });
    }

    protected void bindUiApplication() {
        bindApplication().matches(new String[]{"/*"}).addResources(new Class[]{UiResource.class});
    }

    protected void enableSwagger(GuiceRsModule.ApplicationBindingBuilder applicationBindingBuilder) {
        BeanConfig beanConfig = new BeanConfig();
        beanConfig.setTitle("Digdag");
        beanConfig.setDescription("Digdag server API");
        beanConfig.setVersion(DigdagVersion.buildVersion().toString());
        beanConfig.setResourcePackage(VersionResource.class.getPackage().getName());
        beanConfig.setScan();
        applicationBindingBuilder.addProvider(SwaggerSerializers.class).addProvider(CorsFilter.class).addResources(new Class[]{SwaggerApiListingResource.class});
        logger.info("swagger api enabled on: /api/swagger.{json,yaml}");
    }
}
