package io.cellery.security.cell.sts.server.authorization.opa;

import com.google.gson.Gson;
import com.mashape.unirest.http.HttpResponse;
import com.mashape.unirest.http.JsonNode;
import com.mashape.unirest.http.Unirest;
import com.mashape.unirest.http.exceptions.UnirestException;
import io.cellery.security.cell.sts.server.authorization.AuthorizationContext;
import io.cellery.security.cell.sts.server.authorization.AuthorizationFailedException;
import io.cellery.security.cell.sts.server.authorization.AuthorizationHandler;
import io.cellery.security.cell.sts.server.authorization.AuthorizationUtils;
import io.cellery.security.cell.sts.server.authorization.AuthorizeRequest;
import io.cellery.security.cell.sts.server.core.CellStsUtils;
import io.cellery.security.cell.sts.server.core.model.CellStsRequest;
import io.cellery.security.cell.sts.server.core.service.CelleryCellSTSException;
import org.apache.commons.lang.StringUtils;
import org.apache.logging.log4j.message.ParameterizedMessage;
import org.json.JSONException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/cellery/security/cell/sts/server/authorization/opa/OPAAuthorizationHandler.class */
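/**
 * {@link AuthorizationHandler} that delegates the allow/deny decision to an OPA server.
 *
 * <p>The handler wraps the incoming request and its JWT into an {@code {"input": ...}} document,
 * POSTs it to the OPA endpoint resolved for the request, and reads the boolean {@code "result"}
 * field of the JSON response. Anything other than an explicit {@code true} is treated as a denial.
 *
 * <p>Security notes: the JWT is a bearer credential, so neither the token nor the request payload
 * that embeds it is written to the logs.
 */
public class OPAAuthorizationHandler implements AuthorizationHandler {
    private static final Logger log = LoggerFactory.getLogger(OPAAuthorizationHandler.class);

    /**
     * Authorizes the request against OPA.
     *
     * @param cellStsRequest the STS request being authorized
     * @param str the JWT presented with the request
     * @throws AuthorizationFailedException if OPA denies the request, returns no usable boolean
     *     {@code "result"}, or cannot be reached
     */
    @Override // io.cellery.security.cell.sts.server.authorization.AuthorizationHandler
    public void authorize(CellStsRequest cellStsRequest, String str) throws AuthorizationFailedException {
        AuthorizeRequest authorizeRequest = buildAuthorizeRequest(cellStsRequest, str);
        log.debug("OPA authorization handler invoked for request id: {}", authorizeRequest.getRequestId());
        authorizeRequest.setAuthorizationContext(
                new OPAAuthorizationContext(authorizeRequest.getAuthorizationContext().getJwt()));
        String opaInput = "{ \"input\" :" + new Gson().toJson(authorizeRequest) + "}";
        // The serialized input carries the JWT via the authorization context, so only the
        // request id is logged, never the payload itself.
        log.info("Sending request to OPA server for request id: {}", authorizeRequest.getRequestId());
        try {
            boolean toMicroGateway = CellStsUtils.isRequestToMicroGateway(cellStsRequest);
            String endpoint = buildEndpoint(
                    AuthorizationUtils.getOPAEndpoint(cellStsRequest, toMicroGateway),
                    authorizeRequest.getDestination().getWorkload(),
                    toMicroGateway);
            log.info("Querying OPA from {}", endpoint);
            HttpResponse<JsonNode> response = Unirest.post(endpoint).body(opaInput).asJson();
            JsonNode decision = response.getBody();
            log.info("Response from OPA server: {}", decision);

            // Fail closed: a missing body, a non-object body, or a missing/non-boolean "result"
            // all count as a denial instead of escaping as an unchecked exception.
            boolean allowed = false;
            if (decision != null && decision.getObject() != null) {
                try {
                    allowed = decision.getObject().getBoolean("result");
                } catch (JSONException e) {
                    log.debug("Proper policies which returns {\"result\" : boolean} are not defined for query {}",
                            endpoint);
                }
            }
            if (!allowed) {
                throw new AuthorizationFailedException(
                        "Error while authorizing request. Decision found : " + decision);
            }
            log.info("Authorization successfully completed for request: {}", authorizeRequest.getRequestId());
        } catch (UnirestException | CelleryCellSTSException e2) {
            throw new AuthorizationFailedException("Error while sending authorization request to OPA", e2);
        }
    }

    /**
     * Builds the OPA query URL for a request.
     *
     * <p>Requests to the micro gateway always query {@code <base>/allow_access}. Otherwise the rule
     * name is derived from the destination workload: hyphens become underscores, anything from the
     * first separator onwards is dropped, and {@code _allow} is appended. An empty workload yields
     * the base endpoint unchanged.
     *
     * @param baseEndpoint the OPA endpoint resolved for the request
     * @param workload the destination workload name; may be empty
     * @param toMicroGateway whether the request targets the micro gateway
     * @return the URL to query
     */
    private String buildEndpoint(String baseEndpoint, String workload, boolean toMicroGateway) {
        if (toMicroGateway) {
            return baseEndpoint + "/allow_access";
        }
        if (StringUtils.isEmpty(workload)) {
            return baseEndpoint;
        }
        // NOTE(review): the workload is concatenated into the URL path as-is apart from the
        // hyphen replacement; confirm upstream that it cannot contain '/' or '..' segments.
        // NOTE(review): ERROR_MSG_SEPARATOR looks like a decompiler substitution for a string
        // literal in the original source; confirm and replace it with that literal.
        String ruleName = workload.replace("-", "_").split(ParameterizedMessage.ERROR_MSG_SEPARATOR)[0].concat("_allow");
        return baseEndpoint + "/" + ruleName;
    }

    /**
     * Wraps the STS request and the caller's JWT into an {@link AuthorizeRequest}.
     *
     * @param cellStsRequest the STS request being authorized
     * @param jwt the JWT presented with the request
     * @return the request object that is later serialized as OPA input
     * @throws AuthorizationFailedException declared for callers; not thrown by this body
     */
    private AuthorizeRequest buildAuthorizeRequest(CellStsRequest cellStsRequest, String jwt) throws AuthorizationFailedException {
        // The token is deliberately not logged: anyone who can read the logs could replay it.
        log.debug("Building authorize request");
        return new AuthorizeRequest(cellStsRequest, new AuthorizationContext(jwt));
    }
}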
