package org.wso2.carbon.appmgt.gateway.handlers.security.entitlement;

import java.util.List;
import org.apache.commons.collections.ListUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.synapse.ManagedLifecycle;
import org.apache.synapse.MessageContext;
import org.apache.synapse.core.SynapseEnvironment;
import org.apache.synapse.rest.AbstractHandler;
import org.wso2.carbon.appmgt.api.AppManagementException;
import org.wso2.carbon.appmgt.api.model.URITemplate;
import org.wso2.carbon.appmgt.api.model.WebApp;
import org.wso2.carbon.appmgt.gateway.handlers.security.Session;
import org.wso2.carbon.appmgt.gateway.internal.ServiceReferenceHolder;
import org.wso2.carbon.appmgt.gateway.utils.GatewayUtils;
import org.wso2.carbon.appmgt.impl.AppManagerConfiguration;
import org.wso2.carbon.appmgt.impl.DefaultAppRepository;
import org.wso2.carbon.context.CarbonContext;
import org.wso2.carbon.registry.core.Registry;
import org.wso2.carbon.user.api.UserStoreException;

/* loaded from: input_file:org/wso2/carbon/appmgt/gateway/handlers/security/entitlement/AuthorizationHandler.class */
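/**
 * Synapse REST handler that enforces role-based access to a web app and to
 * role-restricted resources inside it.
 *
 * <p>Two checks are applied to every request that is not exempt from security:
 * <ol>
 *   <li>If the app declares visible roles, the caller must be in the app's tenant
 *       domain and hold one of those roles (or the realm's admin role).</li>
 *   <li>If the matched URI template is role restricted, the caller must again be in
 *       the app's tenant domain and hold one of the template's allowed roles.</li>
 * </ol>
 * Every failed check answers with a 401 and stops the mediation flow. The decision
 * never depends on the log level (a previous version only stopped the flow on a
 * tenant mismatch when debug logging was enabled).
 *
 * <p>Thread-safety: {@code webApp} is resolved lazily and cached in a plain field;
 * concurrent first requests may resolve it more than once, which is harmless as the
 * lookup is read-only. The handler is otherwise stateless per request.
 */
public class AuthorizationHandler extends AbstractHandler implements ManagedLifecycle {
    private static final Log log = LogFactory.getLog(AuthorizationHandler.class);

    /** Message returned with the 401 when the caller lacks a required role. */
    private static final String INSUFFICIENT_ROLES_MESSAGE =
            "You don't have required user role(s) to access this resource.";

    // Captured in init(); not read by this class itself but kept for the lifecycle contract.
    private AppManagerConfiguration configuration;
    // Resolved from the repository on the first applicable request and reused afterwards.
    private WebApp webApp;

    /**
     * Captures the App Manager configuration from the OSGi service holder.
     *
     * @param synapseEnvironment the environment the handler is deployed into (unused)
     */
    public void init(SynapseEnvironment synapseEnvironment) {
        this.configuration = ServiceReferenceHolder.getInstance().getAPIManagerConfiguration();
    }

    /**
     * Authorizes the incoming request against the app's visible roles and the matched
     * URI template's allowed roles.
     *
     * @param messageContext the Synapse message context of the request
     * @return {@code true} to continue mediation, {@code false} after a 401 has been sent
     * @throws RuntimeException via {@link GatewayUtils#logAndThrowException} when the web app
     *                          or the realm admin role cannot be resolved
     */
    public boolean handleRequest(MessageContext messageContext) {
        GatewayUtils.logRequest(log, messageContext);
        if (!isHandlerApplicable(messageContext)) {
            return true;
        }

        String requestPath = (String) messageContext.getProperty("REST_FULL_REQUEST_PATH");
        String apiContext = (String) messageContext.getProperty("REST_API_CONTEXT");
        String apiVersion = (String) messageContext.getProperty("SYNAPSE_REST_API_VERSION");
        int tenantId = CarbonContext.getThreadLocalCarbonContext().getTenantId();

        try {
            if (this.webApp == null) {
                this.webApp = new DefaultAppRepository((Registry) null)
                        .getWebAppByContextAndVersion(apiContext, apiVersion, tenantId);
            }
        } catch (AppManagementException e) {
            GatewayUtils.logAndThrowException(log,
                    String.format("Can't fetch the web for '%s' from the repository.", requestPath), e);
        }

        Session session = GatewayUtils.getSession(messageContext);
        List<String> userRoles = session.getAuthenticationContext().getRoles();
        String userTenantDomain = session.getAuthenticationContext().getTenantDomain();
        String appTenantDomain = CarbonContext.getThreadLocalCarbonContext().getTenantDomain();

        // Check 1: app-level visibility roles.
        List<String> visibleRoles = this.webApp.getVisibleRoleList();
        if (!visibleRoles.isEmpty()) {
            if (!isUserInCurrentTenantDomain(userTenantDomain)) {
                rejectTenantMismatch(messageContext, userTenantDomain, appTenantDomain);
                return false;
            }

            String adminRole = null;
            try {
                adminRole = getAdminRole();
            } catch (UserStoreException e) {
                GatewayUtils.logAndThrowException(log,
                        String.format("Error occurred while retrieving realm admin for tenant domain '%s' ",
                                appTenantDomain), e);
            }
            // The realm admin role always grants app visibility, even if it is not listed.
            if (ListUtils.intersection(userRoles, visibleRoles).isEmpty() && !userRoles.contains(adminRole)) {
                rejectInsufficientRoles(messageContext, session, requestPath);
                return false;
            }
        }

        // Check 2: resource-level allowed roles on the matched URI template.
        URITemplate matchedTemplate = (URITemplate) messageContext.getProperty("appm.gateway.matchedURITemplate");
        if (matchedTemplate == null || !matchedTemplate.isRoleRestricted()) {
            return true;
        }
        if (log.isDebugEnabled()) {
            GatewayUtils.logWithRequestInfo(log, messageContext,
                    String.format("Resource '%s' is role restricted", requestPath));
        }

        if (!isUserInCurrentTenantDomain(userTenantDomain)) {
            rejectTenantMismatch(messageContext, userTenantDomain, appTenantDomain);
            return false;
        }
        // Note: the admin role is not an implicit bypass for resource-level restrictions.
        if (ListUtils.intersection(userRoles, matchedTemplate.getAllowedRoles()).isEmpty()) {
            rejectInsufficientRoles(messageContext, session, requestPath);
            return false;
        }

        if (log.isDebugEnabled()) {
            GatewayUtils.logWithRequestInfo(log, messageContext,
                    String.format("'%s' has required roles to access '%s'",
                            session.getAuthenticationContext().getSubject(), requestPath));
        }
        return true;
    }

    /**
     * Sends a bare 401 and records the tenant mismatch at debug level.
     *
     * @param messageContext   the request being rejected
     * @param userTenantDomain tenant domain carried by the authenticated session
     * @param appTenantDomain  tenant domain of the current Carbon context (the app's tenant)
     */
    private void rejectTenantMismatch(MessageContext messageContext, String userTenantDomain,
                                      String appTenantDomain) {
        GatewayUtils.send401(messageContext, null);
        if (log.isDebugEnabled()) {
            GatewayUtils.logWithRequestInfo(log, messageContext,
                    String.format("User tenant domain '%s' and app tenant domain '%s' mismatch",
                            userTenantDomain, appTenantDomain));
        }
    }

    /**
     * Records the missing-role decision at debug level and sends a 401 with an explanatory message.
     *
     * @param messageContext the request being rejected
     * @param session        the authenticated session (used for the subject in the log line)
     * @param requestPath    the full request path, for the log line only
     */
    private void rejectInsufficientRoles(MessageContext messageContext, Session session, String requestPath) {
        if (log.isDebugEnabled()) {
            GatewayUtils.logWithRequestInfo(log, messageContext,
                    String.format("'%s' doesn't have required roles to access '%s'",
                            session.getAuthenticationContext().getSubject(), requestPath));
        }
        GatewayUtils.send401(messageContext, INSUFFICIENT_ROLES_MESSAGE);
    }

    /**
     * @param tenantDomain tenant domain to compare
     * @return whether it equals the tenant domain of the thread-local Carbon context
     */
    private boolean isUserInCurrentTenantDomain(String tenantDomain) {
        return CarbonContext.getThreadLocalCarbonContext().getTenantDomain().equals(tenantDomain);
    }

    /**
     * @return the admin role name configured for the current tenant's user realm
     * @throws UserStoreException if the realm cannot be read
     */
    private String getAdminRole() throws UserStoreException {
        return CarbonContext.getThreadLocalCarbonContext().getUserRealm().getRealmConfiguration().getAdminRoleName();
    }

    /** Responses are never filtered by this handler. */
    public boolean handleResponse(MessageContext messageContext) {
        return true;
    }

    /** Nothing to release: the cached web app holds no external resources. */
    public void destroy() {
    }

    /**
     * @return {@code false} when the gateway marks the request as exempt from security checks
     */
    private boolean isHandlerApplicable(MessageContext messageContext) {
        return !GatewayUtils.shouldSkipSecurity(messageContext);
    }
}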
