package io.openk9.auth.query.parser;

import io.openk9.auth.keycloak.api.AuthVerifier;
import io.openk9.auth.keycloak.api.UserInfo;
import io.openk9.datasource.model.Tenant;
import io.openk9.http.web.HttpRequest;
import io.openk9.search.api.query.QueryParser;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.function.Consumer;
import org.elasticsearch.index.query.BoolQueryBuilder;
import org.elasticsearch.index.query.QueryBuilders;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Modified;
import org.osgi.service.component.annotations.Reference;
import reactor.core.publisher.Mono;

/**
 * {@link QueryParser} that narrows a search to documents the calling user may see.
 *
 * <p>The caller is resolved through {@link AuthVerifier#getUserInfo} and the resulting
 * role names are matched against the {@code acl.allow.roles} index field.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>With {@code enabled=false} this class adds no ACL clause at all and hands the
 *       request to {@code NOTHING}. NOTE(review): {@code NOTHING} is defined outside this
 *       file, presumably a no-op parser; confirm. Treat the flag as the switch for the
 *       document-level filtering contributed here and audit changes to it.</li>
 *   <li>{@code _enabled} is a plain field written by the configuration callbacks and read
 *       on the request path; no synchronization is visible in this file.</li>
 * </ul>
 */
@Component(immediate = true, service = {QueryParser.class})
public class AuthQueryParser implements QueryParser {
    /** Index field holding the role names allowed to read a document. */
    private static final String ACL_ROLES_FIELD = "acl.allow.roles";

    /** Role value that is always required by the filter built here. */
    private static final String GUEST_ROLE = "Guest";

    /** Mirrors {@link Config#enabled()}; refreshed on activation and on every config change. */
    private boolean _enabled;

    /** Resolves the caller's identity from the incoming HTTP request. */
    @Reference
    private AuthVerifier _authVerifier;

    /** Component configuration: filtering is on unless explicitly disabled. */
    @interface Config {
        boolean enabled() default true;
    }

    /**
     * Produces the query customizer for one search request.
     *
     * @param context request context supplying the HTTP request and the tenant
     * @return a {@code Mono} emitting a consumer that appends the ACL clauses, or whatever
     *     {@code NOTHING} yields when filtering is disabled
     */
    public Mono<Consumer<BoolQueryBuilder>> apply(QueryParser.Context context) {
        if (!_enabled) {
            // Raw cast kept as-is: the declared type of NOTHING is not visible in this file.
            return (Mono) NOTHING.apply(context);
        }

        // Deferred so the request and tenant are read at subscription time.
        return Mono.defer(() -> {
            HttpRequest request = context.getHttpRequest();
            Tenant currentTenant = context.getTenant();
            return _authVerifier.getUserInfo(request).map(caller -> {
                Consumer<BoolQueryBuilder> aclFilter =
                    query -> _addAclQuery(currentTenant, caller, query);
                return aclFilter;
            });
        });
    }

    /** Picks up the initial configuration. */
    @Activate
    void activate(Config config) {
        _enabled = config.enabled();
    }

    /** Picks up a changed configuration. */
    @Modified
    void modified(Config config) {
        _enabled = config.enabled();
    }

    /**
     * Appends the ACL clauses for {@code userInfo} to {@code boolQueryBuilder}.
     *
     * <p>A {@code "Guest"} clause is always added. For any caller other than the
     * {@link AuthVerifier#GUEST} sentinel (compared by reference), one further clause is added
     * per role found under the realm-access entry whose key equals the tenant's virtual host.
     *
     * <p>NOTE(review): every clause goes in through {@code must()}, so they are AND-ed: a
     * document has to match {@code "Guest"} and each of the caller's roles. That is stricter
     * than the guest filter alone, so it fails closed, but if the intent is "visible to any
     * of the caller's roles" the clauses would need OR semantics. Confirm against how
     * {@code acl.allow.roles} is populated at index time before changing it.
     *
     * <p>NOTE(review): role names are compared with a match query, so how exact the
     * comparison is depends on the mapping of {@code acl.allow.roles}, which is not visible
     * here; confirm the field is not tokenized in a way that lets role names overlap.
     *
     * @param tenant tenant whose virtual host selects the realm-access entry
     * @param userInfo caller identity as returned by the auth verifier
     * @param boolQueryBuilder query being assembled; mutated in place
     */
    private void _addAclQuery(Tenant tenant, UserInfo userInfo, BoolQueryBuilder boolQueryBuilder) {
        boolQueryBuilder.must(QueryBuilders.matchQuery(ACL_ROLES_FIELD, GUEST_ROLE));

        boolean authenticated = userInfo != AuthVerifier.GUEST;
        if (authenticated) {
            for (Map.Entry<?, ?> realmRoles : userInfo.getRealmAccess().entrySet()) {
                String realm = (String) realmRoles.getKey();
                if (!realm.equals(tenant.getVirtualHost())) {
                    // Roles granted for other tenants are not considered.
                    continue;
                }
                for (Object role : (List<?>) realmRoles.getValue()) {
                    boolQueryBuilder.must(QueryBuilders.matchQuery(ACL_ROLES_FIELD, (String) role));
                }
            }
        }
    }
}
