package org.xlcloud.iam;

import com.sun.jersey.api.client.Client;
import com.sun.jersey.api.client.ClientResponse;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import javax.annotation.PostConstruct;
import javax.inject.Inject;
import org.apache.commons.io.IOUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.log4j.Logger;
import org.json.JSONArray;
import org.json.JSONException;
import org.json.JSONObject;
import org.json.JSONTokener;
import org.xlcloud.config.ConfigParam;
import org.xlcloud.iam.Decision;
import org.xlcloud.logging.LoggingUtils;

/* loaded from: input_file:org/xlcloud/iam/DecisionResourceClient.class */
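/**
 * REST client that asks the OpenAM entitlement endpoint whether the holder of an OAuth token
 * may perform an action on a resource, and maps the JSON answer onto a {@link Decision}.
 *
 * <p>Every path that cannot positively establish an "allow" answer yields a non-ALLOW decision
 * (DENY, RESTRICTED or FAILED), so transport and parsing problems fail closed.
 */
public class DecisionResourceClient {

    @Inject
    @IamRestClient
    private Client client;
    public static final String DECISION_SERVICE_URL = IamUtils.getOpenAmUrl() + "/ws/1/entitlement/entitlement";
    public static final String QUERY_PARAM_REALM = "realm";
    public static final String QUERY_PARAM_APPLICATION = "application";
    public static final String QUERY_PARAM_RESOURCE = "resource";
    public static final String ACCEPT_AUTHN_HEADER = "X-Accept-Authentication";
    public static final String QUERY_PARAMS_HEADER = "X-Query-Parameters";
    public static final String AUTHN_SCHEMA = "oauth";
    public static final String AUTHZ_SCHEMA = "oauth";
    public static final String AUTHZ_SCHEMA_SEPARATOR = ":";
    private static final String REASON_ATTRIBUTE_KEY = "reason";
    private static final String REASON_RESTRICTED_VALUE = "restricted";
    private static final String DETAIL_ATTRIBUTE_KEY = "details";

    /** Charset used for both the decision body and the error body. */
    private static final String RESPONSE_CHARSET = "UTF-8";

    @Inject
    @ConfigParam
    private String xlcRealmName;
    private final Logger LOG = Logger.getLogger(DecisionResourceClient.class);
    private String decisionServiceUrl = DECISION_SERVICE_URL;

    /** Logs which injected Jersey client instance this bean uses. */
    @PostConstruct
    public void init() {
        this.LOG.debug("Using Jersey client " + this.client.hashCode());
    }

    /**
     * Evaluates whether the given token may perform {@code method} on {@code resource}.
     *
     * <p>The token travels in the {@value #QUERY_PARAMS_HEADER} header, so it reaches whatever
     * endpoint {@link #getDecisionServiceUrl()} names; only masked forms of the token and the
     * resource are written to the debug log.
     *
     * @param token OAuth access token of the caller
     * @param method action name looked up in the {@code actionsValues} object of the answer
     * @param resource resource identifier sent as the {@value #QUERY_PARAM_RESOURCE} query parameter
     * @return ALLOW, DENY or RESTRICTED for a 200 answer; FAILED for any other status or an
     *         unparseable answer
     */
    public Decision isAllowed(String token, String method, String resource) {
        if (this.LOG.isDebugEnabled()) {
            this.LOG.debug("evaluating access for token=[" + LoggingUtils.maskPartially(token) + "], method=[" + method + "], resource=[" + LoggingUtils.maskResource(resource) + "]");
        }
        ClientResponse response = this.client.resource(this.decisionServiceUrl)
                .queryParam(QUERY_PARAM_REALM, this.xlcRealmName)
                .queryParam(QUERY_PARAM_APPLICATION, IamUtils.REST_SERVICE_NAME)
                .queryParam(QUERY_PARAM_RESOURCE, resource)
                .header(ACCEPT_AUTHN_HEADER, AUTHN_SCHEMA)
                .header(QUERY_PARAMS_HEADER, AUTHZ_SCHEMA + AUTHZ_SCHEMA_SEPARATOR + token)
                .get(ClientResponse.class);
        Decision decision;
        try {
            if (response.getStatus() == 200) {
                decision = getDecision(response, method);
            } else {
                decision = failedDecision(response);
            }
        } finally {
            // Release the connection on every path; the original never closed the response.
            closeQuietly(response);
        }
        if (this.LOG.isDebugEnabled()) {
            this.LOG.debug("access for token=[" + LoggingUtils.maskPartially(token) + "], method=[" + method + "], resource=[" + LoggingUtils.maskResource(resource) + "] is " + decision);
        }
        return decision;
    }

    /**
     * Builds the FAILED decision for a non-200 answer, appending the response body when it can be read.
     *
     * <p>NOTE(review): the upstream body is copied verbatim and unbounded into the decision message.
     * Whether callers relay that message to API clients is not visible here; if they do, internal
     * IAM error details leave the service. Confirm against the callers of {@code isAllowed}.
     */
    private Decision failedDecision(ClientResponse response) {
        String body = null;
        try {
            StringWriter writer = new StringWriter();
            IOUtils.copy(response.getEntityInputStream(), writer, RESPONSE_CHARSET);
            body = writer.toString();
            if (this.LOG.isDebugEnabled()) {
                this.LOG.debug("Failed to validate entitlements, status code: " + response.getStatus() + ", response: " + body);
            }
        } catch (IOException e) {
            this.LOG.error(e.getMessage(), e);
        }
        return new Decision(Decision.DecisionAnswer.FAILED, "Received response with status code " + response.getStatus() + (body != null ? ": " + body : ""));
    }

    /** Closes the response without letting a close failure replace the computed decision. */
    private void closeQuietly(ClientResponse response) {
        try {
            response.close();
        } catch (RuntimeException e) {
            this.LOG.warn("Could not close entitlement response: " + e.getMessage(), e);
        }
    }

    /**
     * Parses a 200 answer into a decision.
     *
     * <p>Reads {@code body.actionsValues[method]} as the allow flag (absent or null means not
     * allowed) and {@code body.attributes} as a map of string arrays. A "reason" attribute
     * containing "restricted" turns a refusal into RESTRICTED, with the "details" values joined
     * by {@code ';'} as its message. Anything that does not match this shape yields FAILED.
     *
     * @param clientResponse the 200 answer whose entity stream holds the JSON document
     * @param method action name to look up
     * @return the mapped decision, never ALLOW unless the flag for {@code method} is true
     */
    private Decision getDecision(ClientResponse clientResponse, String method) {
        try {
            // Explicit charset: the original fell back to the platform default encoding.
            InputStreamReader reader = new InputStreamReader(clientResponse.getEntityInputStream(), RESPONSE_CHARSET);
            JSONObject body = new JSONObject(new JSONTokener(reader)).getJSONObject("body");
            JSONObject actionsValues = body.getJSONObject("actionsValues");
            boolean allowed = !actionsValues.isNull(method) && actionsValues.getBoolean(method);

            JSONObject attributesJson = body.getJSONObject("attributes");
            HashMap<String, Set<String>> attributes = new HashMap<String, Set<String>>();
            Iterator<?> keys = attributesJson.keys();
            while (keys.hasNext()) {
                String key = (String) keys.next();
                Object rawValues = attributesJson.get(key);
                if (!(rawValues instanceof JSONArray)) {
                    // The original cast blindly and let a ClassCastException escape isAllowed.
                    this.LOG.warn("Entitlement attribute [" + key + "] is not an array; treating the answer as failed");
                    return new Decision(Decision.DecisionAnswer.FAILED);
                }
                JSONArray jsonValues = (JSONArray) rawValues;
                Set<String> values = new HashSet<String>();
                for (int i = 0; i < jsonValues.length(); i++) {
                    values.add(jsonValues.getString(i));
                }
                attributes.put(key, values);
            }

            if (allowed) {
                return new Decision(Decision.DecisionAnswer.ALLOW);
            }
            Set<String> reasons = attributes.get(REASON_ATTRIBUTE_KEY);
            if (reasons == null || !reasons.contains(REASON_RESTRICTED_VALUE)) {
                return new Decision(Decision.DecisionAnswer.DENY);
            }
            Set<String> details = attributes.get(DETAIL_ATTRIBUTE_KEY);
            return new Decision(Decision.DecisionAnswer.RESTRICTED, details != null ? StringUtils.join(details.toArray(), ';') : null);
        } catch (JSONException e) {
            // Keep the fail-closed result but leave a trace; the original dropped the cause silently.
            this.LOG.warn("Could not parse entitlement answer: " + e.getMessage(), e);
            return new Decision(Decision.DecisionAnswer.FAILED);
        } catch (IOException e) {
            this.LOG.error(e.getMessage(), e);
            return new Decision(Decision.DecisionAnswer.FAILED);
        }
    }

    /** Returns the entitlement endpoint currently used for decisions. */
    public String getDecisionServiceUrl() {
        return this.decisionServiceUrl;
    }

    /**
     * Overrides the entitlement endpoint.
     *
     * <p>The caller's OAuth token is sent to this URL on every {@link #isAllowed} call, so the
     * value should only ever come from trusted configuration.
     *
     * @param decisionServiceUrl absolute URL of the entitlement endpoint
     */
    public void setDecisionServiceUrl(String decisionServiceUrl) {
        this.decisionServiceUrl = decisionServiceUrl;
    }
}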
