package au.csiro.pathling.security;

import au.csiro.pathling.errors.AccessDeniedError;
import jakarta.annotation.Nonnull;
import java.util.Collection;
import java.util.Optional;
import java.util.stream.Collectors;
import org.aspectj.lang.annotation.Aspect;
import org.aspectj.lang.annotation.Before;
import org.hl7.fhir.r4.model.Enumerations;
import org.jetbrains.annotations.Nullable;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.context.annotation.Profile;
import org.springframework.core.annotation.Order;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.jwt.JwtClaimAccessor;
import org.springframework.stereotype.Component;

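@Aspect
@Profile({"core"})
@ConditionalOnProperty(prefix = "pathling", name = {"auth.enabled"}, havingValue = "true")
@Component
@Order(100)
/* loaded from: input_file:au/csiro/pathling/security/SecurityAspect.class */
/**
 * AOP aspect that enforces Pathling authorities before a method annotated with
 * {@link ResourceAccess} or {@link OperationAccess} runs. Only active on the {@code core}
 * profile and when {@code pathling.auth.enabled=true}; with auth disabled this bean is not
 * created at all, so the annotations are then purely declarative.
 *
 * <p>NOTE(review): {@code @Order(100)} fixes this aspect's position relative to other aspects on
 * the same join points; verify that nothing with a lower order (e.g. caching) can short-circuit
 * the advised method before this authority check runs.
 */
public class SecurityAspect {
    private static final Logger log = LoggerFactory.getLogger(SecurityAspect.class);

    /**
     * Enforces the resource-level authority for a {@link ResourceAccess}-annotated method.
     * The pointcut binds the advised method's FIRST argument as the resource type, so the
     * annotation is only meaningful on methods whose first parameter is a
     * {@link Enumerations.ResourceType}.
     *
     * @param resourceAccess the annotation carrying the access type (e.g. read/write)
     * @param resourceType   the FHIR resource type being accessed
     * @throws AccessDeniedError if no usable token is present or it lacks the authority
     */
    @Before("@annotation(resourceAccess) && args(resourceType,..)")
    public void checkResourceRead(@Nonnull final ResourceAccess resourceAccess,
        final Enumerations.ResourceType resourceType) {
        log.debug("Checking access to resource: {}, type: {}", resourceType, resourceAccess.value());
        checkHasAuthority(PathlingAuthority.resourceAccess(resourceAccess.value(), resourceType));
    }

    /**
     * Enforces the operation-level authority for an {@link OperationAccess}-annotated method.
     *
     * @param operationAccess the annotation naming the operation
     * @throws AccessDeniedError if no usable token is present or it lacks the authority
     */
    @Before("@annotation(operationAccess)")
    public void checkRequiredAuthority(@Nonnull final OperationAccess operationAccess) {
        log.debug("Checking access to operation: {}", operationAccess.value());
        checkHasAuthority(PathlingAuthority.operationAccess(operationAccess.value()));
    }

    /**
     * Checks that the current {@link SecurityContextHolder} authentication holds an authority
     * that subsumes {@code pathlingAuthority}.
     *
     * <p>Only granted authorities whose string form starts with {@code "pathling"} are considered;
     * everything else (roles, scopes from other systems) is ignored. Any failure path denies:
     * a missing or non-{@link AbstractAuthenticationToken} authentication, a token not marked
     * authenticated, a null authority collection, or no subsuming authority.
     *
     * @param pathlingAuthority the authority required by the caller
     * @throws AccessDeniedError when access must be refused
     */
    public static void checkHasAuthority(@Nonnull final PathlingAuthority pathlingAuthority) {
        // getAuthentication() is typed as Authentication; narrow it explicitly rather than
        // assuming the concrete token type.
        final Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (!(authentication instanceof AbstractAuthenticationToken)) {
            throw new AccessDeniedError("Token not present");
        }
        final AbstractAuthenticationToken token = (AbstractAuthenticationToken) authentication;

        // Defence in depth: a token that reached the context but is not flagged authenticated
        // must never be a source of authorities.
        if (!token.isAuthenticated()) {
            throw new AccessDeniedError("Token not authenticated");
        }

        // Guard null BEFORE streaming; the original checked it after the stream had already been
        // consumed, which would have surfaced as an NPE instead of a denial.
        if (token.getAuthorities() == null) {
            throw new AccessDeniedError(String.format("Missing authority: '%s'", pathlingAuthority),
                pathlingAuthority.getAuthority());
        }

        // GrantedAuthority#getAuthority() is permitted to return null; skip those rather than
        // failing on startsWith.
        final Collection<PathlingAuthority> held = token.getAuthorities().stream()
            .map(granted -> granted.getAuthority())
            .filter(name -> name != null && name.startsWith("pathling"))
            .map(PathlingAuthority::fromAuthority)
            .collect(Collectors.toList());

        if (!pathlingAuthority.subsumedByAny(held)) {
            throw new AccessDeniedError(String.format("Missing authority: '%s'", pathlingAuthority),
                pathlingAuthority.getAuthority());
        }
    }

    /**
     * Extracts the JWT {@code sub} claim from the authentication's principal.
     *
     * @param authentication the current authentication, or {@code null} when none is present
     * @return the subject, or empty when there is no authentication, the principal is not a
     *     {@link JwtClaimAccessor}, or the subject claim is absent
     */
    @Nonnull
    public static Optional<String> getCurrentUserId(@Nullable final Authentication authentication) {
        if (authentication == null) {
            return Optional.empty();
        }
        final Object principal = authentication.getPrincipal();
        if (!(principal instanceof JwtClaimAccessor)) {
            return Optional.empty();
        }
        // A missing "sub" claim comes back as null; keep it as an empty Optional.
        return Optional.ofNullable(((JwtClaimAccessor) principal).getSubject());
    }
}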
