package org.xlcloud.iam;

import javax.inject.Inject;
import org.apache.commons.lang.StringUtils;
import org.apache.log4j.Logger;
import org.xlcloud.config.ConfigParam;
import org.xlcloud.logging.LoggingUtils;
import org.xlcloud.rest.exception.AuthenticateException;
import org.xlcloud.rest.exception.ForbiddenException;

/* loaded from: input_file:org/xlcloud/iam/BaseEntitlementValidator.class */
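/**
 * Base class for request entitlement checks.
 *
 * <p>{@link #validate()} reads the access token, action and resource from the injected
 * {@link EntitlementContext}, rejects requests without a token, and then asks the
 * subclass-provided {@link #isAllowed(String, String, String)} for a {@link Decision}.
 * Negative decisions are turned into a {@link ForbiddenException}.
 *
 * <p>Security note: enforcement is controlled entirely by {@code authTokenRequestFilterEnabled}.
 * When that flag is {@code false}, {@code validate()} returns without checking anything.
 */
public abstract class BaseEntitlementValidator {
    private static final Logger LOG = Logger.getLogger(BaseEntitlementValidator.class);

    @Inject
    private EntitlementContext entitlementCtx;

    // Switches token and entitlement enforcement on. When false, validate() is a no-op.
    // NOTE(review): the field initializer is false, so enforcement stays off unless injection
    // supplies true -- confirm what the ConfigParam producer yields when the setting is absent,
    // and prefer a fail-closed default for production deployments.
    @Inject
    @ConfigParam
    private Boolean authTokenRequestFilterEnabled = false;

    /**
     * Validates the current request against the entitlement context.
     *
     * <p>Returns normally when enforcement is disabled, or when the decision's answer is anything
     * other than {@code DENY}, {@code FAILED} or {@code RESTRICTED}.
     *
     * @throws AuthenticateException if enforcement is enabled and the access token is blank
     * @throws ForbiddenException if the decision is {@code DENY}, {@code FAILED} or
     *     {@code RESTRICTED}; the reason is DENIAL, ERROR or RESTRICTION respectively
     */
    public void validate() {
        if (!isAuthTokenRequired()) {
            return;
        }
        if (LOG.isDebugEnabled()) {
            // NOTE(review): this writes EntitlementContext.toString() to the log; verify that
            // toString() does not include the raw access token.
            LOG.debug("Evaluating authentication using entitlement context " + this.entitlementCtx.toString());
        }
        validateToken();

        final String action = this.entitlementCtx.getAction();
        final String resource = this.entitlementCtx.getResource();
        final Decision decision = isAllowed(this.entitlementCtx.getAccessToken(), action, resource);

        switch (decision.getAnswer()) {
            case DENY:
                LOG.info(LoggingUtils.maskResource("User is not allowed to access resource"));
                throw new ForbiddenException(decision.getDetails(), action, resource, ForbiddenException.Reason.DENIAL);
            case FAILED:
                LOG.warn(LoggingUtils.maskResource("Error occured when validating entitlements for resource"));
                throw new ForbiddenException(decision.getDetails(), action, resource, ForbiddenException.Reason.ERROR);
            case RESTRICTED:
                LOG.info(LoggingUtils.maskResource("User is restricted to access resource") + (decision.getDetails() == null ? "" : ", because: " + decision.getDetails()));
                throw new ForbiddenException(decision.getDetails(), action, resource, ForbiddenException.Reason.RESTRICTION);
            default:
                // Every other answer is treated as permitted.
                // NOTE(review): this is fail-open -- an answer constant added later would be
                // allowed implicitly. Consider matching the permitting answer explicitly and
                // rejecting everything else.
                return;
        }
    }

    /**
     * Decides whether the caller may perform the action on the resource.
     *
     * <p>{@link #validate()} only guarantees that {@code accessToken} is non-blank before calling
     * this method; it does not verify the token itself.
     *
     * @param accessToken access token taken from the entitlement context
     * @param action action taken from the entitlement context
     * @param resource resource taken from the entitlement context
     * @return the decision; {@code validate()} dereferences it without a null check
     */
    protected abstract Decision isAllowed(String accessToken, String action, String resource);

    /**
     * Reports whether enforcement is enabled, logging a warning on every call when it is not.
     *
     * @return {@code true} if {@code authTokenRequestFilterEnabled} is true
     */
    private boolean isAuthTokenRequired() {
        if (this.authTokenRequestFilterEnabled.booleanValue()) {
            return true;
        }
        LOG.warn("Authentication filter disabled! This is only acceptable in development mode");
        // Guarded so the masked path is only computed when debug logging is on.
        if (LOG.isDebugEnabled()) {
            LOG.debug("Skipped validation for path: " + LoggingUtils.maskResource(this.entitlementCtx.getResource()));
        }
        return false;
    }

    /**
     * Rejects requests whose access token is null, empty or whitespace.
     *
     * <p>This is a presence check only; the token's validity is not examined here.
     *
     * @throws AuthenticateException with {@code MISSING_AUTH_HEADER} if the token is blank
     */
    private void validateToken() {
        if (StringUtils.isBlank(this.entitlementCtx.getAccessToken())) {
            throw new AuthenticateException("Oauth token header cannot be empty", AuthenticateException.AuthenticationFailureType.MISSING_AUTH_HEADER);
        }
    }
}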
