package io.cellery.observability.auth;

import com.google.gson.JsonElement;
import com.google.gson.JsonParseException;
import com.google.gson.JsonParser;
import io.cellery.observability.auth.Permission;
import io.cellery.observability.auth.exception.AuthProviderException;
import io.cellery.observability.auth.internal.AuthConfig;
import io.cellery.observability.auth.internal.ServiceHolder;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.KeyManagementException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Objects;
import javax.sql.DataSource;
import org.apache.commons.lang3.StringUtils;
import org.apache.http.HttpResponse;
import org.apache.http.ParseException;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.message.BasicNameValuePair;
import org.apache.http.util.EntityUtils;
import org.apache.log4j.Logger;
import org.wso2.carbon.config.ConfigurationException;
import org.wso2.carbon.datasource.core.exception.DataSourceException;

/* loaded from: input_file:io/cellery/observability/auth/CelleryLocalAuthProvider.class */
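/**
 * Auth provider for a single local Cellery runtime.
 *
 * <p>Two kinds of requests are authorized here:
 * <ul>
 *   <li>Data-publish requests (exactly one action, {@code DATA_PUBLISH}) are checked against the
 *       statically configured data-publish token.</li>
 *   <li>Every other request is checked by calling the IdP's OIDC introspection endpoint.</li>
 * </ul>
 * Requests naming a runtime other than the configured local runtime are always denied.
 *
 * <p>Allowed permissions are derived from the namespaces recorded for the local runtime in
 * {@value #TABLE_NAME}; every listed namespace gets {@link #ALL_ACTIONS}.
 */
public class CelleryLocalAuthProvider implements AuthProvider {
    private static final String ACTIVE_STATUS = "active";
    private static final String TABLE_NAME = "K8sComponentInfoTable";
    private static final String DATASOURCE_NAME = "CELLERY_OBSERVABILITY_DB";
    private static final Logger logger = Logger.getLogger(CelleryLocalAuthProvider.class);
    private static final JsonParser jsonParser = new JsonParser();
    // Shared with every Permission handed out by getAllAllowedPermissions, so it must not be mutable.
    private static final List<Permission.Action> ALL_ACTIONS = Collections.unmodifiableList(
            Arrays.asList(Permission.Action.API_GET, Permission.Action.DATA_PUBLISH));

    private final String localRuntimeId;
    private final DataSource dataSource;

    /**
     * Looks up the observability data source and the configured local runtime ID.
     *
     * @throws AuthProviderException if either the data source or the configuration is unavailable
     */
    public CelleryLocalAuthProvider() throws AuthProviderException {
        try {
            this.dataSource = (DataSource) ServiceHolder.getDataSourceService().getDataSource(DATASOURCE_NAME);
            this.localRuntimeId = AuthConfig.getInstance().getDefaultLocalAuthProviderLocalRuntimeId();
        } catch (ConfigurationException | DataSourceException e) {
            throw new AuthProviderException("Failed to initialize Cellery Local Auth Provider", e);
        }
    }

    /**
     * Decides whether {@code str} grants {@code permission}.
     *
     * @param str        the access token presented by the caller (may be {@code null})
     * @param permission the runtime, namespace and actions being requested
     * @return {@code true} only if the token is accepted for the requested permission
     * @throws AuthProviderException if the introspection endpoint cannot be reached
     */
    @Override
    public boolean isTokenValid(String str, Permission permission) throws AuthProviderException {
        String runtime = permission.getRuntime();
        // This provider only answers for the local runtime; a blank runtime is treated as local.
        if (!StringUtils.isBlank(runtime) && !Objects.equals(runtime, this.localRuntimeId)) {
            if (logger.isDebugEnabled()) {
                logger.debug("Blocking " + permission.getActions().toString() + " for runtime: " + runtime
                        + ", namespace: " + permission.getNamespace() + " since runtime ID does not match "
                        + this.localRuntimeId);
            }
            return false;
        }

        List<Permission.Action> actions = permission.getActions();
        boolean dataPublishOnly = actions.size() == 1 && Objects.equals(actions.get(0), Permission.Action.DATA_PUBLISH);
        if (!dataPublishOnly) {
            // Any request that is not purely a data publish is decided by the IdP.
            boolean introspectionResult = isTokenValid(str);
            if (logger.isDebugEnabled()) {
                logger.debug((introspectionResult ? "Allowing " : "Blocking ") + permission.getActions().toString()
                        + " for runtime: " + runtime + ", namespace: " + permission.getNamespace()
                        + (introspectionResult ? " since the token is valid" : " since the token is invalid"));
            }
            return introspectionResult;
        }

        boolean tokenMatches;
        try {
            // Constant-time comparison; also refuses a null/unset configured token instead of matching a null input.
            tokenMatches = secretEquals(AuthConfig.getInstance().getDefaultLocalAuthProviderToken(), str);
        } catch (ConfigurationException e) {
            logger.error("Failed to validate data publish request access token from runtime " + runtime, e);
            tokenMatches = false;
        }
        if (logger.isDebugEnabled()) {
            logger.debug((tokenMatches ? "Allowing" : "Blocking") + " data publish request from runtime " + runtime
                    + (tokenMatches ? " since the token matches the configured data publish token"
                    : " since the token does not match the configured data publish token"));
        }
        return tokenMatches;
    }

    /**
     * Compares a presented secret with the expected one without short-circuiting on the first
     * differing byte. {@code MessageDigest.isEqual} still returns early on a length mismatch.
     *
     * @param expected the configured secret; {@code null} means "not configured" and never matches
     * @param provided the value presented by the caller; {@code null} never matches
     * @return {@code true} if both are non-null and byte-for-byte equal
     */
    private static boolean secretEquals(String expected, String provided) {
        if (expected == null || provided == null) {
            return false;
        }
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                provided.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Returns every permission this provider grants: all actions on each namespace known for
     * the local runtime. A database failure is logged and yields no permissions.
     *
     * @param str the caller's token; not consulted by this provider
     * @return a (possibly empty) array, never {@code null}
     */
    @Override
    public Permission[] getAllAllowedPermissions(String str) {
        List<String> namespaces;
        try {
            namespaces = getAllNamespaces();
        } catch (SQLException e) {
            namespaces = new ArrayList<>(0);
            logger.error("Providing no access to any namespace since failure occurred while getting all the namespaces in "
                    + this.localRuntimeId, e);
        }

        if (namespaces.isEmpty()) {
            if (logger.isDebugEnabled()) {
                logger.debug("Providing no allowed permissions as no namespaces are present");
            }
            return new Permission[0];
        }

        Permission[] permissions = namespaces.stream()
                .map(namespace -> new Permission(this.localRuntimeId, namespace, ALL_ACTIONS))
                .toArray(Permission[]::new);
        if (logger.isDebugEnabled()) {
            logger.debug("Providing all actions for all namespaces (" + namespaces.size() + ") from "
                    + this.localRuntimeId + " runtime as allowed permissions");
        }
        return permissions;
    }

    /**
     * Asks the IdP's OIDC introspection endpoint whether {@code str} is an active token.
     *
     * @param str the token to introspect
     * @return the {@code active} claim of the introspection response; {@code false} for a
     *         non-2xx/3xx status or when the claim is absent or null (fail closed)
     * @throws AuthProviderException if the call fails, configuration is missing, or the
     *                               response body is not the expected JSON object
     */
    protected boolean isTokenValid(String str) throws AuthProviderException {
        try {
            AuthConfig config = AuthConfig.getInstance();
            List<BasicNameValuePair> form = new ArrayList<>(1);
            form.add(new BasicNameValuePair("token", str));

            HttpPost httpPost = new HttpPost(config.getIdpUrl() + config.getIdpOidcIntrospectEndpoint());
            httpPost.setHeader(Constants.HEADER_AUTHORIZATION,
                    AuthUtils.generateBasicAuthHeaderValue(config.getIdpUsername(), config.getIdpPassword()));
            httpPost.setEntity(new UrlEncodedFormEntity(form, StandardCharsets.UTF_8.name()));

            // NOTE(review): getTrustAllClient() is named as if it skips TLS server verification. If so, the
            // introspection verdict and the IdP credentials sent in the header are only as trustworthy as the
            // network path; a client trusting the IdP's CA would be preferable. Confirm against AuthUtils.
            HttpResponse response = AuthUtils.getTrustAllClient().execute(httpPost);
            int statusCode = response.getStatusLine().getStatusCode();
            if (statusCode < 200 || statusCode >= 400) {
                // Drain the entity so the pooled connection can be reused.
                EntityUtils.consumeQuietly(response.getEntity());
                logger.error("Failed to validate whether the token is valid with status code " + statusCode);
                return false;
            }
            return readActiveClaim(EntityUtils.toString(response.getEntity()));
        } catch (IOException | KeyManagementException | NoSuchAlgorithmException | ParseException
                | ConfigurationException e) {
            throw new AuthProviderException("Error occurred while calling the introspect endpoint", e);
        }
    }

    /**
     * Extracts the {@code active} boolean from an introspection response body.
     *
     * @param body the raw response body
     * @return the claim value, or {@code false} when the claim is missing or JSON null
     * @throws AuthProviderException if the body is not a JSON object or the claim is not a boolean
     */
    private static boolean readActiveClaim(String body) throws AuthProviderException {
        try {
            JsonElement active = jsonParser.parse(body).getAsJsonObject().get(ACTIVE_STATUS);
            // A missing or null claim is treated as "not active" rather than throwing an NPE.
            return active != null && !active.isJsonNull() && active.getAsBoolean();
        } catch (JsonParseException | IllegalStateException | UnsupportedOperationException e) {
            throw new AuthProviderException("Unexpected response from the introspect endpoint", e);
        }
    }

    /**
     * Lists the distinct namespaces recorded for the local runtime.
     *
     * @return the namespaces, in result-set order; empty if none are recorded
     * @throws SQLException on any query or close failure (close failures used to be logged and
     *                      swallowed; surfacing them makes the caller fall back to no permissions)
     */
    private List<String> getAllNamespaces() throws SQLException {
        List<String> namespaces = new ArrayList<>();
        String query = "SELECT DISTINCT namespace FROM " + TABLE_NAME + " WHERE runtime = ?";
        try (Connection connection = this.dataSource.getConnection();
             PreparedStatement preparedStatement = connection.prepareStatement(query)) {
            preparedStatement.setString(1, this.localRuntimeId);
            try (ResultSet resultSet = preparedStatement.executeQuery()) {
                while (resultSet.next()) {
                    namespaces.add(resultSet.getString(1));
                }
            }
        }
        return namespaces;
    }
}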
