package org.opencastproject.assetmanager.auth;

import java.sql.SQLSyntaxErrorException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Dictionary;
import java.util.Hashtable;
import java.util.List;
import java.util.Objects;
import java.util.function.Predicate;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import javax.persistence.EntityManager;
import javax.persistence.EntityManagerFactory;
import javax.persistence.PersistenceException;
import javax.persistence.Query;
import org.apache.commons.lang3.BooleanUtils;
import org.opencastproject.security.api.SecurityService;
import org.opencastproject.security.api.StaticFileAuthorization;
import org.opencastproject.security.api.User;
import org.osgi.service.component.ComponentContext;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

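/**
 * {@link StaticFileAuthorization} implementation that decides access to static files by looking up
 * read permissions in the asset manager's property table.
 *
 * <p>A request path is matched against a configurable pattern whose first capture group is compared
 * with the current organization id and whose second capture group is used as the media package id.
 * Access is granted when at least one of the user's (filtered) roles has a property named
 * {@code "<role> | read"} with {@code val_bool = true} in the security namespace for that media
 * package. Every other outcome denies access.
 *
 * <p>Configuration keys read in {@link #activate(ComponentContext)}: {@code pattern},
 * {@code evaluate.roles.api}, {@code evaluate.roles.ca}, {@code evaluate.roles.ui}.
 */
@Component(property = {"service.description=AssetManager based StaticFileAuthorization"}, immediate = true, service = {StaticFileAuthorization.class})
public class AssetManagerStaticFileAuthorization implements StaticFileAuthorization {
    private static final Logger logger = LoggerFactory.getLogger(AssetManagerStaticFileAuthorization.class);

    /** Pattern used when no {@code pattern} property is configured: /{organization}/(api|internal)/{mediapackage}/... */
    private static final String DEFAULT_STATIC_FILE_PATTERN = "^/([^/]+)/(?:api|internal)/([^/]+)/.*$";

    /** Property namespace under which the queried access control entries are stored. */
    private static final String SECURITY_NAMESPACE = "org.opencastproject.assetmanager.security";

    protected EntityManagerFactory entityManagerFactory;
    private SecurityService securityService;
    private Pattern staticFilePattern = Pattern.compile(DEFAULT_STATIC_FILE_PATTERN);
    private boolean includeAPIRoles = false;
    private boolean includeCARoles = false;
    private boolean includeUIRoles = false;

    /**
     * Keeps a role name unless it carries one of the {@code ROLE_API_}, {@code ROLE_CAPTURE_AGENT_} or
     * {@code ROLE_UI_} prefixes and evaluation of that role family is switched off.
     */
    private final Predicate<String> roleFilter = role ->
            (this.includeAPIRoles || !role.startsWith("ROLE_API_"))
                    && (this.includeCARoles || !role.startsWith("ROLE_CAPTURE_AGENT_"))
                    && (this.includeUIRoles || !role.startsWith("ROLE_UI_"));

    /**
     * Injects the entity manager factory used for the permission lookup.
     *
     * @param entityManagerFactory factory for entity managers on the asset manager database
     */
    @Reference
    public void setEntityManagerFactory(EntityManagerFactory entityManagerFactory) {
        this.entityManagerFactory = entityManagerFactory;
    }

    /**
     * Injects the security service that supplies the current user and organization.
     *
     * @param securityService the security service
     */
    @Reference
    void setSecurityService(SecurityService securityService) {
        this.securityService = securityService;
    }

    /**
     * Reads the component configuration. Missing properties fall back to the default path pattern and
     * to {@code false} for the three role-family switches.
     *
     * @param componentContext the OSGi component context; {@code null} is treated as an empty configuration
     * @throws java.util.regex.PatternSyntaxException if the configured {@code pattern} is not a valid regular expression
     */
    @Activate
    public void activate(ComponentContext componentContext) {
        final Dictionary<String, Object> properties =
                componentContext != null ? componentContext.getProperties() : new Hashtable<>();
        this.staticFilePattern = Pattern.compile(
                Objects.toString(properties.get("pattern"), DEFAULT_STATIC_FILE_PATTERN));
        this.includeAPIRoles = BooleanUtils.toBoolean(Objects.toString(properties.get("evaluate.roles.api"), null));
        this.includeCARoles = BooleanUtils.toBoolean(Objects.toString(properties.get("evaluate.roles.ca"), null));
        this.includeUIRoles = BooleanUtils.toBoolean(Objects.toString(properties.get("evaluate.roles.ui"), null));
        logger.info("Started authentication handler for {}", this.staticFilePattern);
    }

    /**
     * Returns the URL pattern this handler is responsible for.
     *
     * @return a single-element list holding the active static file pattern
     */
    @Override
    public List<Pattern> getProtectedUrlPattern() {
        return Collections.singletonList(this.staticFilePattern);
    }

    /**
     * Decides whether the current user may read the static file at the given path.
     *
     * <p>Checks, in order: {@code ROLE_ADMIN} (always allowed), path matches the pattern, the
     * organization in the path equals the current organization, the user has roles left after
     * filtering, and finally a matching read entry exists in {@code oc_assets_properties}.
     *
     * @param str the request path to check
     * @return {@code true} if access is allowed, {@code false} otherwise
     * @throws PersistenceException if the lookup fails for a reason other than an SQL syntax error
     */
    @Override
    public boolean verifyUrlAccess(String str) {
        final User user = this.securityService.getUser();
        if (user.hasRole("ROLE_ADMIN")) {
            logger.debug("Allow access for admin `{}`", user);
            return true;
        }

        final Matcher matcher = this.staticFilePattern.matcher(str);
        if (!matcher.matches()) {
            logger.debug("Path does not match pattern. Preventing access.");
            return false;
        }
        // The pattern is configurable. Without both capture groups, group(1)/group(2) would throw,
        // so deny instead of failing the request with an unchecked exception.
        if (matcher.groupCount() < 2) {
            logger.warn("Configured pattern {} lacks the organization and media package groups. Preventing access.",
                    this.staticFilePattern);
            return false;
        }

        if (!this.securityService.getOrganization().getId().equals(matcher.group(1))) {
            logger.debug("The user's organization does not match. Preventing access.");
            return false;
        }
        if (user.getRoles().isEmpty()) {
            logger.debug("User has no roles allowing access.");
            return false;
        }

        final List<String> readActions = user.getRoles().stream()
                .map(role -> role.getName())
                .filter(this.roleFilter)
                .map(roleName -> roleName + " | read")
                .collect(Collectors.toList());
        // Every role may have been filtered out. The statement below always contains at least one
        // property_name placeholder, which would then stay unbound, so deny here.
        if (readActions.isEmpty()) {
            logger.debug("User has no roles allowing access.");
            return false;
        }

        // Only fixed placeholder text is concatenated into the statement; all values are bound.
        final StringBuilder roleClause = new StringBuilder("property_name = ?");
        for (int i = 1; i < readActions.size(); i++) {
            roleClause.append(" or property_name = ?");
        }

        final EntityManager entityManager = this.entityManagerFactory.createEntityManager();
        try {
            final Query query = entityManager.createNativeQuery(
                    "select count(1) from oc_assets_properties where val_bool = true and namespace = ? and mediapackage_id = ? and (" + roleClause + ")");
            query.setParameter(1, SECURITY_NAMESPACE);
            query.setParameter(2, matcher.group(2));
            for (int i = 0; i < readActions.size(); i++) {
                query.setParameter(i + 3, readActions.get(i));
            }
            // The Java type returned for count(1) depends on the JDBC driver, so do not cast to Long.
            return ((Number) query.getSingleResult()).longValue() > 0;
        } catch (PersistenceException e) {
            final Throwable cause = e.getCause();
            if (cause instanceof RuntimeException) {
                final Throwable sqlCause = cause.getCause();
                if (sqlCause instanceof SQLSyntaxErrorException) {
                    // NOTE(review): `str` is caller-supplied and is logged as is; confirm the log
                    // layout neutralises line breaks.
                    logger.info("Denying access to static file {}. {}", str, sqlCause.getMessage());
                    return false;
                }
            }
            throw e;
        } finally {
            // The entity manager was never closed before, leaking one per authorization check.
            entityManager.close();
        }
    }
}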
