package org.tailormap.api.security;

import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Optional;
import java.util.Set;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Service;
import org.tailormap.api.persistence.Application;
import org.tailormap.api.persistence.GeoService;
import org.tailormap.api.persistence.Group;
import org.tailormap.api.persistence.json.AuthorizationRule;
import org.tailormap.api.persistence.json.AuthorizationRuleDecision;
import org.tailormap.api.persistence.json.GeoServiceLayer;
import org.tailormap.api.persistence.json.GeoServiceLayerSettings;

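/**
 * Evaluates per-object authorization rules against the groups of the current caller, taken from
 * the Spring Security context.
 *
 * <p>Every public check is deny-by-default: it returns {@code true} only when rule evaluation
 * produced an explicit {@link AuthorizationRuleDecision#ALLOW}. A missing rule, a missing decision
 * and an explicit DENY all result in {@code false}.
 */
@Service
public class AuthorizationService {
    /** Key under which a rule stores its decision for read access. */
    public static final String ACCESS_TYPE_READ = "read";

    /**
     * Evaluates {@code rules} for the current caller and the given access type.
     *
     * <p>The caller's groups are: {@link Group#ANONYMOUS} always, plus {@link Group#AUTHENTICATED}
     * and every granted authority when the caller is authenticated. Membership of
     * {@link Group#ADMIN} yields ALLOW before any rule is consulted.
     *
     * @param rules rules to evaluate, in order
     * @param accessType key looked up in each matching rule's decisions
     * @return ALLOW as soon as a matching rule allows; DENY when at least one rule matched but none
     *     allowed; empty when no rule matched, or when a matching rule carries no decision for
     *     {@code accessType}
     */
    private Optional<AuthorizationRuleDecision> isAuthorizedByRules(List<AuthorizationRule> rules, String accessType) {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        Set<String> groups;
        if (authentication == null || authentication instanceof AnonymousAuthenticationToken) {
            groups = Set.of(Group.ANONYMOUS);
        } else {
            groups = new HashSet<>();
            groups.add(Group.ANONYMOUS);
            groups.add(Group.AUTHENTICATED);
            for (GrantedAuthority authority : authentication.getAuthorities()) {
                groups.add(authority.getAuthority());
            }
        }

        // Admin bypass: no rule, not even an explicit DENY, is evaluated for admins.
        if (groups.contains(Group.ADMIN)) {
            return Optional.of(AuthorizationRuleDecision.ALLOW);
        }

        boolean matchedRule = false;
        for (AuthorizationRule rule : rules) {
            String groupName = rule.getGroupName();
            // A rule without a group name never matches. Without this guard the immutable
            // Set.of(...) used for anonymous callers throws on contains(null), while the HashSet
            // used for authenticated callers could match null if an authority has no string form.
            if (groupName == null || !groups.contains(groupName)) {
                continue;
            }
            matchedRule = true;
            AuthorizationRuleDecision decision = rule.getDecisions().get(accessType);
            if (decision == null) {
                // NOTE(review): evaluation stops here with "no decision", even if a later rule
                // would ALLOW or an earlier one matched without allowing. Confirm this is intended.
                return Optional.empty();
            }
            if (decision.equals(AuthorizationRuleDecision.ALLOW)) {
                return Optional.of(decision);
            }
        }
        return matchedRule ? Optional.of(AuthorizationRuleDecision.DENY) : Optional.empty();
    }

    /**
     * Tells whether the current caller may read the application.
     *
     * @param application application whose rules are evaluated
     * @return {@code true} only on an explicit ALLOW
     */
    public boolean userMayView(Application application) {
        Optional<AuthorizationRuleDecision> decision =
                isAuthorizedByRules(application.getAuthorizationRules(), ACCESS_TYPE_READ);
        return decision.equals(Optional.of(AuthorizationRuleDecision.ALLOW));
    }

    /**
     * Tells whether the current caller may read the service.
     *
     * @param geoService service whose rules are evaluated
     * @return {@code true} only on an explicit ALLOW
     */
    public boolean userMayView(GeoService geoService) {
        Optional<AuthorizationRuleDecision> decision =
                isAuthorizedByRules(geoService.getAuthorizationRules(), ACCESS_TYPE_READ);
        return decision.equals(Optional.of(AuthorizationRuleDecision.ALLOW));
    }

    /**
     * Tells whether the current caller may read one layer of the service.
     *
     * <p>A service-level DENY is final. Otherwise the layer's own rules decide when they exist
     * (non-empty, or yielding a decision); only when the layer has no rules does the service-level
     * decision apply. A service-level "no decision" does not block a layer-level ALLOW, so this
     * method can return {@code true} for a service on which {@link #userMayView(GeoService)}
     * returns {@code false}.
     *
     * @param geoService service that owns the layer
     * @param geoServiceLayer layer to check; its name selects the layer settings
     * @return {@code true} only when the applicable decision is an explicit ALLOW
     */
    public boolean userMayView(GeoService geoService, GeoServiceLayer geoServiceLayer) {
        Optional<AuthorizationRuleDecision> serviceDecision =
                isAuthorizedByRules(geoService.getAuthorizationRules(), ACCESS_TYPE_READ);
        if (serviceDecision.equals(Optional.of(AuthorizationRuleDecision.DENY))) {
            return false;
        }

        GeoServiceLayerSettings layerSettings =
                geoService.getSettings().getLayerSettings().get(geoServiceLayer.getName());
        if (layerSettings != null && layerSettings.getAuthorizationRules() != null) {
            Optional<AuthorizationRuleDecision> layerDecision =
                    isAuthorizedByRules(layerSettings.getAuthorizationRules(), ACCESS_TYPE_READ);
            // Layer rules that exist but give no decision still deny rather than falling back to
            // the service-level decision.
            if (layerDecision.isPresent() || !layerSettings.getAuthorizationRules().isEmpty()) {
                return layerDecision.equals(Optional.of(AuthorizationRuleDecision.ALLOW));
            }
        }
        return serviceDecision.equals(Optional.of(AuthorizationRuleDecision.ALLOW));
    }

    /**
     * Tells whether proxied access to the service must be refused for this application.
     *
     * <p>This is a configuration check only: it does not look at the current caller. It returns
     * {@code true} when the service is proxied, has an authentication object configured
     * (presumably the credentials the proxy presents upstream; confirm against GeoService), and
     * the application has a rule that allows {@link Group#ANONYMOUS} to read. Such a combination
     * would let unauthenticated callers reach the service through the proxy.
     *
     * @param application application through which the service is requested
     * @param geoService service to be proxied
     * @return {@code true} when access must be denied, {@code false} otherwise
     */
    public boolean mustDenyAccessForSecuredProxy(Application application, GeoService geoService) {
        boolean securedProxy =
                Boolean.TRUE.equals(geoService.getSettings().getUseProxy()) && geoService.getAuthentication() != null;
        if (!securedProxy) {
            return false;
        }
        return application.getAuthorizationRules().stream()
                .anyMatch(rule -> Group.ANONYMOUS.equals(rule.getGroupName())
                        && AuthorizationRuleDecision.ALLOW.equals(rule.getDecisions().get(ACCESS_TYPE_READ)));
    }
}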
