package com.vmware.dcp.services.common;

import com.vmware.dcp.common.Claims;
import com.vmware.dcp.common.Operation;
import com.vmware.dcp.common.OperationJoin;
import com.vmware.dcp.common.QueryFilterUtils;
import com.vmware.dcp.common.ServiceDocument;
import com.vmware.dcp.common.ServiceDocumentQueryResult;
import com.vmware.dcp.common.ServiceHost;
import com.vmware.dcp.common.StatelessService;
import com.vmware.dcp.common.UriUtils;
import com.vmware.dcp.common.Utils;
import com.vmware.dcp.services.common.QueryFilter;
import com.vmware.dcp.services.common.QueryTask;
import com.vmware.dcp.services.common.ResourceGroupService;
import com.vmware.dcp.services.common.RoleService;
import com.vmware.dcp.services.common.UserGroupService;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/* loaded from: input_file:com/vmware/dcp/services/common/AuthorizationContextService.class */
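/**
 * Stateless service that attaches a resolved {@link Operation.AuthorizationContext} to an
 * operation.
 *
 * <p>Resolution is an asynchronous chain, each step issued with the system authorization
 * context: fetch the subject's document, select the user groups whose query matches it, query
 * the roles that reference those groups, fetch the resource groups those roles point at, and
 * finally OR the resource-group queries together into one resource query filter.
 *
 * <p>Operations that arrive for a subject while a resolution for that subject is in flight are
 * parked in {@link #pendingOperationsBySubject} and completed (or failed) together when the
 * chain ends. Every path through the chain must therefore end in
 * {@code completePendingOperations} or one of the {@code fail*} helpers; an exception escaping a
 * completion handler would leave the parked operations, and every later operation for the same
 * subject, waiting forever.
 */
public class AuthorizationContextService extends StatelessService {
    public static String SELF_LINK = ServiceUriPaths.CORE_AUTHZ_VERIFICATION;

    // Operations waiting for an in-flight resolution, keyed by claims subject.
    // Guarded by synchronizing on the map itself.
    private final Map<String, Collection<Operation>> pendingOperationsBySubject = new HashMap<>();

    // Resolved contexts keyed by token. Nothing in this class removes or expires entries, so a
    // cached context keeps being served for its token even if the role, user-group or
    // resource-group documents change afterwards, and the map grows with every new token.
    // NOTE(review): confirm that eviction / token expiry is enforced elsewhere.
    private final Map<String, Operation.AuthorizationContext> authorizationContextCache = new ConcurrentHashMap<>();

    /**
     * A role joined with the user group and the resource group it links to.
     *
     * <p>Decompiler note: the access modifier of this class was widened from private.
     */
    public static class Role {
        protected RoleService.RoleState roleState;
        protected UserGroupService.UserGroupState userGroupState;
        protected ResourceGroupService.ResourceGroupState resourceGroupState;

        private Role() {
        }

        public void setRoleState(RoleService.RoleState roleState) {
            this.roleState = roleState;
        }

        public void setUserGroupState(UserGroupService.UserGroupState userGroupState) {
            this.userGroupState = userGroupState;
        }

        public void setResourceGroupState(ResourceGroupService.ResourceGroupState resourceGroupState) {
            this.resourceGroupState = resourceGroupState;
        }
    }

    /**
     * Handles the cases that need no lookup.
     *
     * @param operation the operation whose authorization context is to be resolved
     * @return {@code true} when the operation was completed or failed here, {@code false} when
     *         no cached context exists for its token and {@link #handleRequest} must resolve it
     */
    @Override
    public boolean queueRequest(Operation operation) {
        Operation.AuthorizationContext authorizationContext = operation.getAuthorizationContext();
        if (authorizationContext == null) {
            // Completed unchanged: this service attaches nothing to a context-less operation.
            // NOTE(review): whether such an operation is rejected later is decided outside this
            // class - confirm the caller does not treat this completion as a grant.
            operation.complete();
            return true;
        }
        Claims claims = authorizationContext.getClaims();
        if (claims == null) {
            operation.fail(new IllegalArgumentException("no claims"));
            return true;
        }
        String subject = claims.getSubject();
        if (subject == null) {
            operation.fail(new IllegalArgumentException("no subject"));
            return true;
        }
        if (subject.equals(SystemUserService.SELF_LINK)) {
            // The system user is never resolved through roles.
            operation.complete();
            return true;
        }
        if (authorizationContext.getResourceQueryFilter() != null) {
            // The context already carries a filter; it is accepted as-is.
            operation.complete();
            return true;
        }
        // NOTE(review): ConcurrentHashMap rejects null keys, so a context without a token makes
        // this lookup throw - presumably every context reaching this point carries a token.
        Operation.AuthorizationContext cached = this.authorizationContextCache.get(authorizationContext.getToken());
        if (cached == null) {
            return false;
        }
        setAuthorizationContext(operation, cached);
        operation.complete();
        return true;
    }

    /**
     * Parks the operation under its subject and, when it is the first one for that subject,
     * starts the resolution chain.
     *
     * <p>Operations are coalesced per subject, while the result is built from (and cached under)
     * the claims and token of the operation that started the chain; every parked operation
     * receives that same context.
     * NOTE(review): parked operations that carry a different token for the same subject end up
     * with the first operation's claims - confirm this is intended.
     *
     * @param operation the operation to resolve an authorization context for
     */
    @Override
    public void handleRequest(Operation operation) {
        Operation.AuthorizationContext authorizationContext = operation.getAuthorizationContext();
        if (authorizationContext == null) {
            operation.fail(new IllegalArgumentException("no authorization context"));
            return;
        }
        Claims claims = authorizationContext.getClaims();
        if (claims == null) {
            operation.fail(new IllegalArgumentException("no claims"));
            return;
        }
        String subject = claims.getSubject();
        synchronized (this.pendingOperationsBySubject) {
            Collection<Operation> waiting = this.pendingOperationsBySubject.get(subject);
            if (waiting != null) {
                // A resolution for this subject is already running; just join it.
                waiting.add(operation);
                return;
            }
            waiting = new LinkedList<>();
            waiting.add(operation);
            this.pendingOperationsBySubject.put(subject, waiting);
        }
        // Started after the monitor is released so no request is sent while holding the lock.
        getSubject(authorizationContext, claims);
    }

    /**
     * Step 1: fetches the document behind the claims subject.
     *
     * <p>The subject string is used verbatim as a path on this host and fetched with the system
     * authorization context.
     * NOTE(review): this presumes the claims were verified before the operation reached this
     * service - confirm against the caller.
     */
    private void getSubject(Operation.AuthorizationContext authorizationContext, Claims claims) {
        Operation get = Operation.createGet(UriUtils.buildUri(getHost(), claims.getSubject())).setCompletion((operation, th) -> {
            if (th != null) {
                failThrowable(claims.getSubject(), th);
                return;
            }
            ServiceDocument userState = QueryFilterUtils.getServiceState(operation, getHost());
            if (userState == null) {
                // No subject document: resolve to a context that matches nothing.
                populateAuthorizationContext(authorizationContext, claims, null);
            } else {
                loadUserGroups(authorizationContext, claims, userState);
            }
        });
        get.addRequestHeader(Operation.PRAGMA_HEADER, Operation.PRAGMA_DIRECTIVE_NO_QUEUING);
        setAuthorizationContext(get, getSystemAuthorizationContext());
        sendRequest(get);
    }

    /**
     * Step 2: loads every user group (expanded) and keeps those whose query matches the
     * subject's document.
     */
    private void loadUserGroups(Operation.AuthorizationContext authorizationContext, Claims claims, ServiceDocument serviceDocument) {
        Operation get = Operation.createGet(UriUtils.buildExpandLinksQueryUri(UriUtils.buildUri(getHost(), ServiceUriPaths.CORE_AUTHZ_USER_GROUPS))).setCompletion((operation, th) -> {
            if (th != null) {
                failThrowable(claims.getSubject(), th);
                return;
            }
            ServiceDocumentQueryResult result = (ServiceDocumentQueryResult) operation.getBody(ServiceDocumentQueryResult.class);
            Collection<UserGroupService.UserGroupState> matchingGroups = new ArrayList<>();
            // A response without documents is treated like an empty one (no matching group)
            // instead of throwing inside the handler and stranding the parked operations.
            if (result != null && result.documents != null) {
                for (Object json : result.documents.values()) {
                    UserGroupService.UserGroupState userGroupState = (UserGroupService.UserGroupState) Utils.fromJson(json, UserGroupService.UserGroupState.class);
                    try {
                        if (QueryFilterUtils.evaluate(QueryFilter.create(userGroupState.query), serviceDocument, getHost())) {
                            matchingGroups.add(userGroupState);
                        }
                    } catch (QueryFilter.QueryFilterException e) {
                        logWarning("Error creating query filter: %s", e.toString());
                        failThrowable(claims.getSubject(), e);
                        return;
                    }
                }
            }
            if (matchingGroups.isEmpty()) {
                populateAuthorizationContext(authorizationContext, claims, null);
            } else {
                loadRoles(authorizationContext, claims, matchingGroups);
            }
        });
        setAuthorizationContext(get, getSystemAuthorizationContext());
        sendRequest(get);
    }

    /**
     * Step 3: queries the role documents that reference any of the given user groups.
     *
     * <p>Pending operations are failed with "forbidden" when the query returns no role.
     */
    private void loadRoles(Operation.AuthorizationContext authorizationContext, Claims claims, Collection<UserGroupService.UserGroupState> collection) {
        Map<String, UserGroupService.UserGroupState> groupsByLink = new HashMap<>();
        for (UserGroupService.UserGroupState userGroupState : collection) {
            groupsByLink.put(userGroupState.documentSelfLink, userGroupState);
        }

        // Clause 1: the document kind must be a role.
        QueryTask.Query kindClause = new QueryTask.Query();
        kindClause.occurance = QueryTask.Query.Occurance.MUST_OCCUR;
        kindClause.setTermPropertyName(ServiceDocument.FIELD_NAME_KIND);
        kindClause.setTermMatchType(QueryTask.QueryTerm.MatchType.TERM);
        kindClause.setTermMatchValue(RoleService.RoleState.KIND);

        // Clause 2: the role's user group link must be one of the matching groups. A single
        // group is expressed as a plain term, several groups as nested SHOULD_OCCUR terms.
        QueryTask.Query groupClause = new QueryTask.Query();
        groupClause.occurance = QueryTask.Query.Occurance.MUST_OCCUR;
        if (collection.size() == 1) {
            groupClause.setTermPropertyName(RoleService.RoleState.FIELD_NAME_USER_GROUP_LINK);
            groupClause.setTermMatchType(QueryTask.QueryTerm.MatchType.TERM);
            groupClause.setTermMatchValue(collection.iterator().next().documentSelfLink);
        } else {
            for (UserGroupService.UserGroupState userGroupState : collection) {
                QueryTask.Query linkClause = new QueryTask.Query();
                linkClause.occurance = QueryTask.Query.Occurance.SHOULD_OCCUR;
                linkClause.setTermPropertyName(RoleService.RoleState.FIELD_NAME_USER_GROUP_LINK);
                linkClause.setTermMatchType(QueryTask.QueryTerm.MatchType.TERM);
                linkClause.setTermMatchValue(userGroupState.documentSelfLink);
                groupClause.addBooleanClause(linkClause);
            }
        }

        QueryTask.Query roleQuery = new QueryTask.Query();
        roleQuery.addBooleanClause(kindClause);
        roleQuery.addBooleanClause(groupClause);

        QueryTask queryTask = new QueryTask();
        queryTask.querySpec = new QueryTask.QuerySpecification();
        queryTask.querySpec.query = roleQuery;
        queryTask.querySpec.options = EnumSet.of(QueryTask.QuerySpecification.QueryOption.EXPAND_CONTENT);
        queryTask.setDirect(true);

        Operation post = Operation.createPost(UriUtils.buildUri(getHost(), ServiceUriPaths.CORE_LOCAL_QUERY_TASKS)).setBody(queryTask).setCompletion((operation, th) -> {
            if (th != null) {
                failThrowable(claims.getSubject(), th);
                return;
            }
            QueryTask response = (QueryTask) operation.getBody(QueryTask.class);
            ServiceDocumentQueryResult results = response == null ? null : response.results;
            // A missing result object is handled like an empty result: no role, so forbidden.
            if (results == null || results.documents == null || results.documents.isEmpty()) {
                failForbidden(claims.getSubject());
                return;
            }
            Collection<Role> roles = new LinkedList<>();
            for (Object json : results.documents.values()) {
                RoleService.RoleState roleState = (RoleService.RoleState) Utils.fromJson(json, RoleService.RoleState.class);
                Role role = new Role();
                role.setRoleState(roleState);
                role.setUserGroupState(groupsByLink.get(roleState.userGroupLink));
                roles.add(role);
            }
            loadResourceGroups(authorizationContext, claims, roles);
        });
        setAuthorizationContext(post, getSystemAuthorizationContext());
        sendRequest(post);
    }

    /**
     * Step 4: fetches each distinct resource group referenced by the roles and attaches its
     * state to every role that links to it.
     */
    private void loadResourceGroups(Operation.AuthorizationContext authorizationContext, Claims claims, Collection<Role> collection) {
        Map<String, Collection<Role>> rolesByResourceGroup = new HashMap<>();
        for (Role role : collection) {
            rolesByResourceGroup.computeIfAbsent(role.roleState.resourceGroupLink, link -> new LinkedList<>()).add(role);
        }
        OperationJoin.JoinedCompletionHandler joinedCompletionHandler = (map, map2) -> {
            if (map2 != null && !map2.isEmpty()) {
                // Any failed fetch fails the whole resolution with the first failure reported.
                failThrowable(claims.getSubject(), (Throwable) map2.values().iterator().next());
                return;
            }
            for (Object joined : map.values()) {
                ResourceGroupService.ResourceGroupState resourceGroupState = (ResourceGroupService.ResourceGroupState) ((Operation) joined).getBody(ResourceGroupService.ResourceGroupState.class);
                if (resourceGroupState == null) {
                    continue;
                }
                // The response's self link may not equal the link the role stored; in that case
                // the affected roles stay without a resource group and contribute no grant.
                Collection<Role> linkedRoles = rolesByResourceGroup.get(resourceGroupState.documentSelfLink);
                if (linkedRoles == null) {
                    logWarning("No role references resource group %s", resourceGroupState.documentSelfLink);
                    continue;
                }
                for (Role role : linkedRoles) {
                    role.setResourceGroupState(resourceGroupState);
                }
            }
            populateAuthorizationContext(authorizationContext, claims, collection);
        };
        Collection<Operation> gets = new LinkedList<>();
        for (String resourceGroupLink : rolesByResourceGroup.keySet()) {
            Operation get = Operation.createGet(this, resourceGroupLink).setReferer(getUri());
            setAuthorizationContext(get, getSystemAuthorizationContext());
            gets.add(get);
        }
        OperationJoin join = OperationJoin.create(gets);
        join.setCompletion(joinedCompletionHandler);
        join.sendWith(getHost());
    }

    /**
     * Step 5: builds the final context, caches it under the token and releases the parked
     * operations.
     *
     * <p>The resource query is a MUST_OCCUR query holding one SHOULD_OCCUR clause per role (the
     * role's resource-group query). When there is no usable clause - no roles at all, or no role
     * with a loaded resource-group query - the context gets {@code QueryFilter.FALSE}, so an
     * incomplete resolution never yields a broader grant than a complete one.
     *
     * @param collection the resolved roles, or {@code null} for "no roles"
     */
    private void populateAuthorizationContext(Operation.AuthorizationContext authorizationContext, Claims claims, Collection<Role> collection) {
        if (collection == null) {
            collection = Collections.emptyList();
        }
        Operation.AuthorizationContext.Builder builder = Operation.AuthorizationContext.Builder.create();
        builder.setClaims(authorizationContext.getClaims());
        builder.setToken(authorizationContext.getToken());

        QueryTask.Query resourceQuery = new QueryTask.Query();
        resourceQuery.occurance = QueryTask.Query.Occurance.MUST_OCCUR;
        boolean hasGrant = false;
        for (Role role : collection) {
            if (role.resourceGroupState == null || role.resourceGroupState.query == null) {
                // Skipping removes this role's grant only; dereferencing it would throw and
                // leave the parked operations without completion.
                logWarning("Ignoring role without resource group query for subject %s", claims.getSubject());
                continue;
            }
            QueryTask.Query grant = role.resourceGroupState.query;
            grant.occurance = QueryTask.Query.Occurance.SHOULD_OCCUR;
            resourceQuery.addBooleanClause(grant);
            hasGrant = true;
        }

        if (!hasGrant) {
            builder.setResourceQueryFilter(QueryFilter.FALSE);
        } else {
            builder.setResourceQuery(resourceQuery);
            try {
                builder.setResourceQueryFilter(QueryFilter.create(resourceQuery));
            } catch (QueryFilter.QueryFilterException e) {
                logWarning("Error creating query filter: %s", e.toString());
                failThrowable(claims.getSubject(), e);
                return;
            }
        }
        Operation.AuthorizationContext result = builder.getResult();
        this.authorizationContextCache.put(authorizationContext.getToken(), result);
        completePendingOperations(claims.getSubject(), result);
    }

    /**
     * Removes and returns the operations parked for the subject.
     *
     * @return the parked operations, or an empty collection when none are parked
     */
    private Collection<Operation> getPendingOperations(String str) {
        Collection<Operation> parked;
        synchronized (this.pendingOperationsBySubject) {
            parked = this.pendingOperationsBySubject.remove(str);
        }
        return parked == null ? Collections.emptyList() : parked;
    }

    /** Attaches the resolved context to every parked operation of the subject and completes it. */
    private void completePendingOperations(String str, Operation.AuthorizationContext authorizationContext) {
        for (Operation operation : getPendingOperations(str)) {
            setAuthorizationContext(operation, authorizationContext);
            operation.complete();
        }
    }

    /**
     * Fails every parked operation of the subject with the given throwable; a
     * {@code ServiceNotFoundException} is reported as "not found" instead.
     */
    private void failThrowable(String str, Throwable th) {
        if (th instanceof ServiceHost.ServiceNotFoundException) {
            failNotFound(str);
            return;
        }
        for (Operation operation : getPendingOperations(str)) {
            operation.fail(th);
        }
    }

    /** Fails every parked operation of the subject with the "forbidden" status code. */
    private void failForbidden(String str) {
        for (Operation operation : getPendingOperations(str)) {
            operation.fail(Operation.STATUS_CODE_FORBIDDEN);
        }
    }

    /** Fails every parked operation of the subject with the "not found" status code. */
    private void failNotFound(String str) {
        for (Operation operation : getPendingOperations(str)) {
            operation.fail(Operation.STATUS_CODE_NOT_FOUND);
        }
    }
}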
