package net.krotscheck.kangaroo.authz.admin.v1.resource;

import java.lang.reflect.Type;
import java.math.BigInteger;
import javax.ws.rs.BadRequestException;
import javax.ws.rs.ClientErrorException;
import javax.ws.rs.DELETE;
import javax.ws.rs.ForbiddenException;
import javax.ws.rs.NotFoundException;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import net.krotscheck.kangaroo.authz.admin.Scope;
import net.krotscheck.kangaroo.authz.admin.v1.auth.ScopesAllowed;
import net.krotscheck.kangaroo.authz.common.database.entity.ApplicationScope;
import net.krotscheck.kangaroo.authz.common.database.entity.Role;
import net.krotscheck.kangaroo.authz.oauth2.exception.RFC6749;
import net.krotscheck.kangaroo.common.hibernate.transaction.Transactional;
import org.glassfish.jersey.internal.inject.AbstractBinder;
import org.glassfish.jersey.process.internal.RequestScope;
import org.hibernate.Session;

/**
 * Admin-API sub-resource that links application scopes to a role and unlinks them again.
 *
 * <p>Access is gated in layers. The class-level {@link ScopesAllowed} annotation declares the
 * {@code ROLE} / {@code ROLE_ADMIN} scopes. Each handler additionally requires {@code SCOPE} or
 * {@code SCOPE_ADMIN} on the caller's {@link SecurityContext}. Entity-level checks are delegated
 * to {@code assertCanAccess}, which is inherited from {@link AbstractService} and is not visible
 * in this file.
 *
 * <p>The role being edited is not part of this resource's own path; it is supplied through
 * {@link #setRoleId(BigInteger)} (presumably by a parent resource locator - confirm).
 */
@Transactional
@ScopesAllowed({Scope.ROLE, Scope.ROLE_ADMIN})
public final class RoleScopeService extends AbstractService {

    /** Id of the role whose scope links are edited; null until {@link #setRoleId} is called. */
    private BigInteger roleId;

    /** Injection binder that registers {@link RoleScopeService} with the container. */
    public static final class Binder extends AbstractBinder {

        /** Registers the service binding. */
        @Override
        protected void configure() {
            // NOTE(review): RequestScope is passed to to(Type), i.e. as a contract type rather
            // than as a scope - confirm this is the intended binding.
            bind(RoleScopeService.class)
                    .to(RoleScopeService.class)
                    .to((Type) RequestScope.class);
        }
    }

    /**
     * Sets the role that subsequent requests on this instance operate on.
     *
     * @param bigInteger id of the role
     */
    public void setRoleId(BigInteger bigInteger) {
        this.roleId = bigInteger;
    }

    /**
     * Links the application scope identified by {@code bigInteger} to the current role.
     *
     * <p>Checks run in a fixed order and the first failure decides the response: role access,
     * scope permission, scope access, same application, duplicate link, admin-application guard.
     *
     * @param bigInteger id of the {@link ApplicationScope}, bound from the 32-character
     *     lowercase-hex path segment (the conversion happens outside this class)
     * @return a 201 response whose location is the absolute request path
     * @throws RFC6749.InvalidScopeException if the caller holds neither {@code SCOPE} nor
     *     {@code SCOPE_ADMIN}
     * @throws BadRequestException if role and scope belong to different applications
     * @throws ClientErrorException with status 409 if the scope is already linked to the role
     * @throws ForbiddenException if the role belongs to the admin application
     */
    @POST
    @Path("/{id: [a-f0-9]{32}}")
    public Response createResource(@PathParam("id") BigInteger bigInteger) {
        Session db = getSession();
        SecurityContext caller = getSecurityContext();

        Role targetRole = loadEditableRole(db);
        ApplicationScope scope = loadAssignableScope(db, caller, bigInteger);

        // A role may only carry scopes of its own application, so a scope id from another
        // application is rejected even when the caller can access both entities.
        boolean sameApplication = targetRole.getApplication().equals(scope.getApplication());
        if (!sameApplication) {
            throw new BadRequestException();
        }

        boolean alreadyLinked = targetRole.getScopes().values().contains(scope);
        if (alreadyLinked) {
            throw new ClientErrorException(Response.Status.CONFLICT);
        }

        // Roles of the admin application are never modified through this endpoint.
        // NOTE(review): this guard runs after the duplicate check, so an already-linked scope
        // on an admin-application role answers 409 rather than 403 - confirm that is intended.
        boolean adminOwned = targetRole.getApplication().equals(getAdminApplication());
        if (adminOwned) {
            throw new ForbiddenException();
        }

        targetRole.getScopes().put(scope.getName(), scope);
        db.update(targetRole);
        return Response.created(getUriInfo().getAbsolutePath()).build();
    }

    /**
     * Unlinks the application scope identified by {@code bigInteger} from the current role.
     *
     * <p>Checks run in a fixed order and the first failure decides the response: role access,
     * scope permission, scope access, link exists, admin-application guard.
     *
     * @param bigInteger id of the {@link ApplicationScope}, bound from the 32-character
     *     lowercase-hex path segment (the conversion happens outside this class)
     * @return a 204 response
     * @throws RFC6749.InvalidScopeException if the caller holds neither {@code SCOPE} nor
     *     {@code SCOPE_ADMIN}
     * @throws NotFoundException if the scope is not linked to the role
     * @throws ForbiddenException if the role belongs to the admin application
     */
    @Path("/{id: [a-f0-9]{32}}")
    @DELETE
    public Response deleteResource(@PathParam("id") BigInteger bigInteger) {
        Session db = getSession();
        SecurityContext caller = getSecurityContext();

        Role targetRole = loadEditableRole(db);
        ApplicationScope scope = loadAssignableScope(db, caller, bigInteger);

        boolean linked = targetRole.getScopes().values().contains(scope);
        if (!linked) {
            throw new NotFoundException();
        }

        // Roles of the admin application are never modified through this endpoint.
        // NOTE(review): as in createResource, this guard runs after the membership check, so
        // 404 can be returned for an admin-application role before 403 - confirm intended.
        boolean adminOwned = getAdminApplication().equals(targetRole.getApplication());
        if (adminOwned) {
            throw new ForbiddenException();
        }

        targetRole.getScopes().remove(scope.getName());
        db.update(targetRole);
        return Response.noContent().build();
    }

    /**
     * Fetches the role named by {@link #roleId} and runs the inherited access check on it
     * against this service's admin scope.
     */
    private Role loadEditableRole(Session db) {
        Role found = (Role) db.get(Role.class, this.roleId);
        // NOTE(review): callers dereference the result immediately; that is only safe if
        // assertCanAccess rejects a null entity - confirm in AbstractService.
        assertCanAccess(found, getAdminScope());
        return found;
    }

    /**
     * Fetches the application scope with the given id, requires {@code SCOPE} or
     * {@code SCOPE_ADMIN} from the caller, then runs the inherited access check on the entity.
     * The entity is fetched before the permission test, and the permission test precedes the
     * entity check, so a caller lacking both scopes always gets the invalid-scope error.
     */
    private ApplicationScope loadAssignableScope(
            Session db, SecurityContext caller, BigInteger scopeId) {
        ApplicationScope found = (ApplicationScope) db.get(ApplicationScope.class, scopeId);

        boolean mayManageScopes =
                caller.isUserInRole(Scope.SCOPE) || caller.isUserInRole(Scope.SCOPE_ADMIN);
        if (!mayManageScopes) {
            throw new RFC6749.InvalidScopeException();
        }

        // NOTE(review): same null caveat as for the role lookup - confirm.
        assertCanAccess(found, Scope.SCOPE_ADMIN);
        return found;
    }

    /** Returns the scope passed to the access check for the role: {@code Scope.ROLE_ADMIN}. */
    @Override
    protected String getAdminScope() {
        return Scope.ROLE_ADMIN;
    }

    /** Returns this service's access scope: {@code Scope.ROLE}. */
    @Override
    protected String getAccessScope() {
        return Scope.ROLE;
    }
}
