package com.sap.cloud.sdk.service.prov.api.security;

import com.google.gson.JsonElement;
import com.google.gson.JsonObject;
import com.sap.cloud.sdk.service.prov.api.security.ExpressionExecutorUtil;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import javax.script.ScriptException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/sap/cloud/sdk/service/prov/api/security/SecurityUtil.class */
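/**
 * Authorization helpers that evaluate the service's access rules against the claims of the
 * current JWT (scopes, grant type, user attributes).
 *
 * <p>All decisions fail closed: a missing rule, a missing grant match or an expression that
 * cannot be evaluated yields {@code false}. Row-level restrictions are not enforced here but
 * handed to {@link AuthorizationService#setWhereCondition(String)} as a filter string.
 *
 * <p>NOTE(review): {@code AuthorizationService.setWhereCondition} is a static setter; whether
 * that state is request/thread scoped is not visible in this class — confirm before relying on
 * it under concurrent requests.
 */
public final class SecurityUtil {
    private static final String USER_ATTRIBUTES = "xs.user.attributes";
    private static final String AUTHENTICATED_USER = "authenticated-user";
    /** Pseudo-scope added for technical users and accepted as a {@code requires} entry. */
    private static final String SYSTEM_USER = "system-user";
    private static final String ANY = "any";
    private static final String USER_NAME = "user_name";
    private static final String ZID = "zid";
    private static final String USER = "user";
    private static final String USER_ID = "user_id";
    private static final String TENANT = "tenant";
    private static final String OPEN_ID = "openid";
    /** OAuth grant types that identify a technical (system) user rather than a named end user. */
    public static final List<String> SYSTEM_USER_GRANT_TYPES = Collections.unmodifiableList(Arrays.asList("client_credentials", "client_x509"));
    /** Separator used when several deferred {@code where} filters are combined into one condition. */
    private static final String OR_SEPARATOR = " OR ";
    private static final Logger log = LoggerFactory.getLogger(SecurityUtil.class);

    private SecurityUtil() {
    }

    /**
     * Decides whether a user may perform {@code operation} under the given authorization rule.
     *
     * <p>Evaluation order, first match wins:
     * <ol>
     *   <li>A grant for the operation with a {@code to} role (and no {@code where}) that is in
     *       {@code scopes} grants unrestricted access; no row filter is installed.</li>
     *   <li>A grant with a {@code where} condition (and no {@code to}) is evaluated against
     *       {@code userAttributes}. If the built expression starts with
     *       {@link ExpressionExecutorUtil#SPECIAL} it is deferred as a row-level filter; otherwise it
     *       is executed and, when true, grants unrestricted access (any deferred filters collected so
     *       far are discarded).</li>
     *   <li>If only deferred filters remain they are OR-ed, installed via
     *       {@link AuthorizationService#setWhereCondition(String)}, and access is granted.</li>
     * </ol>
     * A grant that carries both {@code to} and {@code where} matches neither step and therefore
     * never grants access.
     *
     * @param authorizationDetails the rule whose {@code restrict} grants are checked
     * @param scopes scopes/roles held by the current user
     * @param userAttributes attributes that {@code where} conditions are evaluated against; when
     *     {@code null}, attribute-based grants are skipped
     * @param operation the operation (e.g. a CRUD verb) the grant must list
     * @return {@code true} if access is granted (possibly subject to an installed row filter)
     */
    public static boolean checkUserAccess(AuthorizationDetails authorizationDetails, List<String> scopes, JsonObject userAttributes, String operation) {
        List<AccessGrantDetails> grants = authorizationDetails.getRestrict();
        // Start from a clean slate so a filter installed by an earlier check never leaks into this one.
        AuthorizationService.setWhereCondition(null);
        if (hasScopeGrant(grants, scopes, operation)) {
            log.debug("User Scope {} ", scopes);
            return true;
        }
        if (userAttributes == null) {
            // Nothing to evaluate conditions against: attribute-based grants cannot match.
            return false;
        }
        List<String> deferredFilters = new ArrayList<>();
        for (AccessGrantDetails grant : grants) {
            if (!checkGrant(grant, operation) || grant.getTo() != null || grant.getWhere() == null) {
                continue;
            }
            try {
                String expression = ExpressionExecutorUtil.buildExpression(grant.getWhere(), userAttributes);
                if (expression.startsWith(ExpressionExecutorUtil.SPECIAL)) {
                    deferredFilters.add(expression.replace(ExpressionExecutorUtil.SPECIAL, ExpressionExecutorUtil.EMPTY));
                } else if (ExpressionExecutorUtil.executeExpression(grant.getWhere(), userAttributes)) {
                    // A true attribute condition grants full access; deferred filters are not installed.
                    return true;
                }
            } catch (ScriptException e) {
                // A condition that cannot be evaluated grants nothing (fail closed).
                log.error("Error while evaluating expression ", e);
            }
        }
        if (deferredFilters.isEmpty()) {
            return false;
        }
        AuthorizationService.setWhereCondition(String.join(OR_SEPARATOR, deferredFilters));
        return true;
    }

    /** True when some grant for {@code operation} names a role in {@code scopes} without a {@code where} filter. */
    private static boolean hasScopeGrant(List<AccessGrantDetails> grants, List<String> scopes, String operation) {
        for (AccessGrantDetails grant : grants) {
            if (checkGrant(grant, operation) && grant.getTo() != null && grant.getWhere() == null && scopes.contains(grant.getTo())) {
                return true;
            }
        }
        return false;
    }

    /**
     * True when the grant lists {@code operation}.
     *
     * <p>A grant without a {@code grant} value matches nothing rather than failing with an NPE.
     */
    private static boolean checkGrant(AccessGrantDetails accessGrantDetails, String operation) {
        return accessGrantDetails.getGrant() != null && accessGrantDetails.getGrant().contains(operation);
    }

    /**
     * Checks whether the current token satisfies at least one entry of the rule's {@code requires}
     * list. An entry is satisfied when it is one of the token's scopes, when it is
     * {@code authenticated-user} and the token carries the {@code openid} scope, when it is
     * {@code system-user} and the grant type is one of {@link #SYSTEM_USER_GRANT_TYPES}, or when
     * it is {@code any}.
     *
     * @param authorizationDetails the rule whose {@code requires} entries are checked
     * @param serviceName kept for signature compatibility; not used by this check
     * @return {@code true} if some {@code requires} entry is satisfied
     */
    public static boolean isAuthenticatedUser(AuthorizationDetails authorizationDetails, String serviceName) {
        List<String> scopes = JWTUtil.getScopes();
        for (String requirement : authorizationDetails.getRequires()) {
            if (scopes.contains(requirement)) {
                return true;
            }
            if (AUTHENTICATED_USER.equalsIgnoreCase(requirement) && scopes.contains(OPEN_ID)) {
                return true;
            }
            if (SYSTEM_USER.equalsIgnoreCase(requirement) && SYSTEM_USER_GRANT_TYPES.contains(JWTUtil.getGrantType())) {
                return true;
            }
            if (ANY.equalsIgnoreCase(requirement)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Authorizes {@code operation} on the service/entity {@code serviceName} for the current token.
     *
     * <p>Technical users (see {@link #SYSTEM_USER_GRANT_TYPES}) get the pseudo-scope
     * {@code system-user} added to a private copy of their scopes, so the token's own scope list
     * is never mutated. With no rule registered for the service the result is {@code false}.
     *
     * @param serviceName name used to look up the rule in {@link AuthorizationRulesContainer}
     * @param operation the operation to authorize
     * @return result of {@link #checkUserAccess}, or {@code false} if no rule exists
     */
    public static boolean hasEntityAccess(String serviceName, String operation) {
        log.debug("Authorization Check for Service: {} and Operation: {}", serviceName, operation);
        AuthorizationDetails rule = AuthorizationRulesContainer.getRule(serviceName);
        JsonObject userAttributes = buildUserAttributes();
        // Work on a copy: the pseudo-scope must not leak into whatever list JWTUtil hands out.
        List<String> scopes = new ArrayList<>();
        List<String> tokenScopes = JWTUtil.getScopes();
        if (tokenScopes != null) {
            scopes.addAll(tokenScopes);
        }
        if (SYSTEM_USER_GRANT_TYPES.contains(JWTUtil.getGrantType())) {
            scopes.add(SYSTEM_USER);
        }
        if (rule == null) {
            // No rule for this service: deny rather than assume open access.
            return false;
        }
        return checkUserAccess(rule, scopes, userAttributes, operation);
    }

    /**
     * Assembles the object that {@code where} conditions are evaluated against: the token's
     * {@code xs.user.attributes} claim, plus the user name under {@code user} and the zone id
     * under {@code tenant}.
     *
     * <p>NOTE(review): the additions are made directly on the element returned by
     * {@code JWTUtil.getValueFromJwt}; if that is a cached parsed token, they persist — confirm.
     *
     * @return the attribute object, or {@code null} when the token carries neither attributes nor
     *     a zone id (attribute-based grants are then skipped)
     */
    private static JsonObject buildUserAttributes() {
        JsonObject attributes = null;
        JsonElement claimedAttributes = JWTUtil.getValueFromJwt(USER_ATTRIBUTES);
        if (claimedAttributes != null) {
            attributes = claimedAttributes.getAsJsonObject();
            attributes.add(USER, JWTUtil.getValueFromJwt(USER_NAME));
        }
        JsonElement zoneId = JWTUtil.getValueFromJwt(ZID);
        if (zoneId != null) {
            if (attributes == null) {
                attributes = new JsonObject();
            }
            attributes.add(TENANT, zoneId);
        }
        return attributes;
    }

    /**
     * @param role scope name to look for
     * @return {@code true} if the current token's scopes contain {@code role}
     */
    public static boolean hasUserRole(String role) {
        return JWTUtil.getScopes().contains(role);
    }

    /** @return the {@code user_id} attribute of the current token, as returned by {@link JWTUtil#getJWTAttribute} */
    public static String getUserId() {
        return JWTUtil.getJWTAttribute(USER_ID);
    }

    /** @return the {@code user_name} attribute of the current token, as returned by {@link JWTUtil#getJWTAttribute} */
    public static String getUserName() {
        return JWTUtil.getJWTAttribute(USER_NAME);
    }
}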
