package com.normation.rudder.rest;

import cats.data.NonEmptyList;
import cats.syntax.EitherOps$;
import com.normation.rudder.RudderAccount;
import com.normation.rudder.User;
import com.normation.rudder.UserService;
import com.normation.rudder.api.ApiAccount;
import com.normation.rudder.api.ApiAccountKind;
import com.normation.rudder.api.ApiAccountKind$User$;
import com.normation.rudder.api.ApiAclElement;
import com.normation.rudder.api.ApiAuthorization;
import com.normation.rudder.api.ApiAuthorization$None$;
import com.normation.rudder.api.ApiAuthorization$RO$;
import com.normation.rudder.api.ApiAuthorization$RW$;
import com.normation.rudder.api.HttpAction;
import com.normation.rudder.api.HttpAction$GET$;
import com.normation.rudder.api.HttpAction$HEAD$;
import com.normation.rudder.rest.ApiError;
import com.oracle.truffle.js.builtins.AtomicsBuiltins;
import scala.Function0;
import scala.MatchError;
import scala.None$;
import scala.Option;
import scala.Some;
import scala.Tuple3;
import scala.collection.immutable.List;
import scala.package$;
import scala.reflect.ScalaSignature;
import scala.runtime.BoxesRunTime;
import scala.util.Either;

/* compiled from: ApiAuthorization.scala */
@ScalaSignature(bytes = "\u0006\u0005=3AAB\u0004\u0001!!Aa\u0004\u0001B\u0001B\u0003%q\u0004\u0003\u0005#\u0001\t\u0005\t\u0015!\u0003$\u0011!9\u0003A!A!\u0002\u0013A\u0003\"\u0002\u0018\u0001\t\u0003y\u0003\"\u0002\u001b\u0001\t\u0003)$aE!dY\u0006\u0003\u0018.Q;uQ>\u0014\u0018N_1uS>t'B\u0001\u0005\n\u0003\u0011\u0011Xm\u001d;\u000b\u0005)Y\u0011A\u0002:vI\u0012,'O\u0003\u0002\r\u001b\u0005Ian\u001c:nCRLwN\u001c\u0006\u0002\u001d\u0005\u00191m\\7\u0004\u0001M\u0019\u0001!E\f\u0011\u0005I)R\"A\n\u000b\u0003Q\tQa]2bY\u0006L!AF\n\u0003\r\u0005s\u0017PU3g!\rA\u0012dG\u0007\u0002\u000f%\u0011!d\u0002\u0002\u0011\u0003BL\u0017)\u001e;i_JL'0\u0019;j_:\u0004\"\u0001\u0007\u000f\n\u0005u9!AC!vi\"THk\\6f]\u00061An\\4hKJ\u0004\"\u0001\u0007\u0011\n\u0005\u0005:!a\u0001'pO\u0006YQo]3s'\u0016\u0014h/[2f!\t!S%D\u0001\n\u0013\t1\u0013BA\u0006Vg\u0016\u00148+\u001a:wS\u000e,\u0017AC1dY\u0016s\u0017M\u00197fIB\u0019!#K\u0016\n\u0005)\u001a\"!\u0003$v]\u000e$\u0018n\u001c81!\t\u0011B&\u0003\u0002.'\t9!i\\8mK\u0006t\u0017A\u0002\u001fj]&$h\b\u0006\u00031cI\u001a\u0004C\u0001\r\u0001\u0011\u0015qB\u00011\u0001 \u0011\u0015\u0011C\u00011\u0001$\u0011\u00159C\u00011\u0001)\u0003)\u0019\u0007.Z2l\u0003V$\bN\u001f\u000b\u0004m\u0015S\u0005\u0003B\u001c@\u0005nq!\u0001O\u001f\u000f\u0005ebT\"\u0001\u001e\u000b\u0005mz\u0011A\u0002\u001fs_>$h(C\u0001\u0015\u0013\tq4#A\u0004qC\u000e\\\u0017mZ3\n\u0005\u0001\u000b%AB#ji\",'O\u0003\u0002?'A\u0011\u0001dQ\u0005\u0003\t\u001e\u0011\u0001\"\u00119j\u000bJ\u0014xN\u001d\u0005\u0006\r\u0016\u0001\raR\u0001\tK:$\u0007o\\5oiB\u0011\u0001\u0004S\u0005\u0003\u0013\u001e\u0011\u0001\"\u00128ea>Lg\u000e\u001e\u0005\u0006\u0017\u0016\u0001\r\u0001T\u0001\fe\u0016\fX/Z:u!\u0006$\b\u000e\u0005\u0002\u0019\u001b&\u0011aj\u0002\u0002\b\u0003BL\u0007+\u0019;i\u0001")
/* loaded from: input_file:WEB-INF/lib/rudder-rest-7.1.1.jar:com/normation/rudder/rest/AclApiAuthorization.class */
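/**
 * Authorizes a REST API call for the current user, based on the account's API
 * authorization level (None, RO, RW or ACL) and on whether ACL authorizations
 * are currently enabled.
 *
 * <p>Decision order, first match wins (decompiled from a Scala pattern match, so
 * the order is part of the contract):
 * <ol>
 *   <li>ACL disabled and the account is an API account of kind {@code User}: denied,
 *       whatever its authorization level, and logged at WARN.</li>
 *   <li>ACL disabled, authorization is ACL and the account is a {@code PublicApi}
 *       API account: denied and logged at INFO.</li>
 *   <li>Authorization {@code None}: denied.</li>
 *   <li>Authorization {@code RO}: granted only when the endpoint action is GET or HEAD.</li>
 *   <li>Authorization {@code RW}: granted.</li>
 *   <li>Authorization ACL: granted when {@code AclCheck} accepts the path and action.</li>
 * </ol>
 * Any other combination throws {@link MatchError}; no token is produced, so the
 * check fails closed, but as an exception rather than an {@code ApiError.Authz}.
 *
 * <p>NOTE(review): with ACL disabled, rule 6 is still reached for accounts that are not
 * API accounts and for API accounts of a kind other than {@code User} or
 * {@code PublicApi}, so their ACL is still interpreted. Confirm that this is intended.
 *
 * <p>NOTE(review): {@code user.actor()} is written unescaped into log lines and into the
 * error message returned to the caller. Confirm that actor names cannot carry line breaks
 * or markup.
 */
public class AclApiAuthorization implements ApiAuthorization<AuthzToken> {
    private final Log logger;
    private final UserService userService;
    /** Re-evaluated on every authorization check; false makes rules 1 and 2 apply. */
    private final Function0<Object> aclEnabled;

    /**
     * Stores the collaborators as given; no validation is performed here.
     *
     * @param log         logger used for the per-decision messages
     * @param userService source of the current user
     * @param function0   supplier of the "ACL enabled" flag
     */
    public AclApiAuthorization(Log log, UserService userService, Function0<Object> function0) {
        this.logger = log;
        this.userService = userService;
        this.aclEnabled = function0;
    }

    /**
     * Checks whether the current user may call {@code endpoint} on the given request path.
     *
     * @param endpoint     endpoint being called; its prefix is dropped from the path first
     * @param nonEmptyList segments of the request path
     * @return a Right holding an {@code AuthzToken} for the user's actor when access is
     *         granted, a Left {@code ApiError.BadRequest} when the prefix cannot be dropped
     *         from the path, or a Left {@code ApiError.Authz} when access is denied
     */
    @Override // com.normation.rudder.rest.ApiAuthorization
    public Either<ApiError, AuthzToken> checkAuthz(Endpoint endpoint, NonEmptyList<ApiPathSegment> nonEmptyList) {
        // The user is resolved before the path is parsed, as in the original.
        User currentUser = this.userService.getCurrentUser();
        return EitherOps$.MODULE$.leftMap$extension(cats.implicits$.MODULE$.catsSyntaxEither(ApiPath$.MODULE$.drop$extension(nonEmptyList, endpoint.prefix())), str -> {
            return new ApiError.BadRequest(str, endpoint.schema().name());
        }).flatMap(obj -> {
            return $anonfun$checkAuthz$2(this, currentUser, endpoint, ((ApiPath) obj).parts());
        });
    }

    /**
     * Read-only rule: a defined Option for GET and HEAD, None for every other action
     * (a null action included).
     */
    private static final Option checkRO$1(HttpAction httpAction) {
        // Objects.equals keeps the null-safe comparison of the original (Scala ==).
        boolean readOnly = java.util.Objects.equals(httpAction, HttpAction$GET$.MODULE$)
                || java.util.Objects.equals(httpAction, HttpAction$HEAD$.MODULE$);
        if (!readOnly) {
            return None$.MODULE$;
        }
        // Only the presence of a value matters: the caller discards the payload.
        // NOTE(review): AtomicsBuiltins.OK looks like a decompiler constant substitution - confirm.
        return new Some(AtomicsBuiltins.OK);
    }

    /**
     * ACL rule: a defined Option when {@code AclCheck} accepts the ACL for this path and
     * the endpoint's declared action, None otherwise. {@code httpAction} is unused; the
     * action is read from {@code endpoint.schema()}.
     */
    private static final Option checkACL$1(List list, NonEmptyList nonEmptyList, HttpAction httpAction, Endpoint endpoint) {
        if (AclCheck$.MODULE$.apply(list, nonEmptyList, endpoint.schema().action())) {
            return new Some(AtomicsBuiltins.OK);
        }
        return None$.MODULE$;
    }

    /**
     * Turns a grant/deny decision into the result of the check. This conversion was
     * repeated verbatim in every branch of the decompiled match; the trailing identity
     * {@code map} of the original is dropped because it did not change the value.
     *
     * @param decision defined for "granted", None for "denied"; its payload is ignored
     * @return Right(AuthzToken) when granted, Left(ApiError.Authz) when denied
     */
    private static Either toAuthzResult(Option decision, User user, Endpoint endpoint) {
        return (Either) decision.map(ignored -> {
            return package$.MODULE$.Right().apply(new AuthzToken(user.actor()));
        }).getOrElse(() -> {
            // Locale.ROOT keeps the upper-cased HTTP action independent of the JVM default locale.
            String message = "User '" + user.actor() + "' is not allowed to access "
                    + endpoint.schema().action().name().toUpperCase(java.util.Locale.ROOT) + " "
                    + ApiPath$.MODULE$.value$extension(endpoint.prefix()) + "/"
                    + ApiPath$.MODULE$.value$extension(endpoint.schema().path());
            return package$.MODULE$.Left().apply(new ApiError.Authz(message, endpoint.schema().name()));
        });
    }

    /**
     * Applies the decision rules listed on the class to one user and one endpoint.
     *
     * @param nonEmptyList request path after the endpoint prefix has been dropped
     * @throws MatchError when no rule matches (for example a null authorization)
     */
    public static final /* synthetic */ Either $anonfun$checkAuthz$2(AclApiAuthorization aclApiAuthorization, User user, Endpoint endpoint, NonEmptyList nonEmptyList) {
        // Same evaluation order as the original tuple construction.
        boolean aclOn = aclApiAuthorization.aclEnabled.apply$mcZ$sp();
        com.normation.rudder.api.ApiAuthorization authz = user.getApiAuthz();
        RudderAccount account = user.account();

        // Rules 1 and 2: denials that apply only while ACL support is disabled. They are
        // evaluated before the authorization level, so they also override RO and RW.
        if (!aclOn && (account instanceof RudderAccount.Api)) {
            ApiAccount api = ((RudderAccount.Api) account).api();
            if (api != null) {
                if (ApiAccountKind$User$.MODULE$.equals(api.kind())) {
                    aclApiAuthorization.logger.warn(() -> {
                        return "API account linked to a user account '" + user.actor() + "' is disabled because the API Authorization plugin is disabled.";
                    });
                    return toAuthzResult(None$.MODULE$, user, endpoint);
                }
                if ((authz instanceof ApiAuthorization.ACL) && (api.kind() instanceof ApiAccountKind.PublicApi)) {
                    aclApiAuthorization.logger.info(() -> {
                        return "API account '" + user.actor() + "' has ACL authorization but no plugin allows to interpret them. Removing all rights for that token.";
                    });
                    return toAuthzResult(None$.MODULE$, user, endpoint);
                }
            }
        }

        // Rule 3: no authorization at all.
        if (ApiAuthorization$None$.MODULE$.equals(authz)) {
            aclApiAuthorization.logger.debug(() -> {
                // Spelling "Acount" kept as shipped so existing log matching still applies.
                return "Acount '" + user.actor() + "' does not have any authorizations.";
            });
            return toAuthzResult(None$.MODULE$, user, endpoint);
        }

        // Rule 4: read-only accounts may only use GET and HEAD endpoints.
        if (ApiAuthorization$RO$.MODULE$.equals(authz)) {
            aclApiAuthorization.logger.debug(() -> {
                return "Account '" + user.actor() + "' has RO authorization.";
            });
            return toAuthzResult(checkRO$1(endpoint.schema().action()), user, endpoint);
        }

        // Rule 5: read-write accounts are granted every endpoint.
        if (ApiAuthorization$RW$.MODULE$.equals(authz)) {
            aclApiAuthorization.logger.debug(() -> {
                return "Account '" + user.actor() + "' has full RW authorization.";
            });
            return toAuthzResult(new Some(AtomicsBuiltins.OK), user, endpoint);
        }

        // Rule 6: the account's ACL is matched against the path and the endpoint action.
        if (authz instanceof ApiAuthorization.ACL) {
            List<ApiAclElement> acl = ((ApiAuthorization.ACL) authz).acl();
            aclApiAuthorization.logger.debug(() -> {
                return "Account '" + user.actor() + "' has ACL authorizations.";
            });
            return toAuthzResult(checkACL$1(acl, nonEmptyList, endpoint.schema().action(), endpoint), user, endpoint);
        }

        // No rule matched: fail closed by throwing, exactly as the Scala match did.
        throw new MatchError(new Tuple3(BoxesRunTime.boxToBoolean(aclOn), authz, account));
    }
}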
