package com.aerospike.firefly.io.aerospike.admin;

import com.aerospike.firefly.process.traversal.strategy.optimization.FireflyAuthenticationStrategy;
import com.aerospike.firefly.security.JWTAuthenticator;
import com.aerospike.firefly.security.UserContext;
import com.aerospike.firefly.structure.FireflyGraph;
import com.aerospike.firefly.structure.iterator.FireflyCloseableIteratorUtils;
import com.aerospike.firefly.util.exceptions.AerospikeGraphAuthException;
import io.vertx.core.Handler;
import io.vertx.core.MultiMap;
import io.vertx.ext.web.RoutingContext;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;
import org.apache.tinkerpop.gremlin.process.traversal.traverser.TraverserRequirement;
import org.apache.tinkerpop.gremlin.server.auth.AuthenticatedUser;
import org.apache.tinkerpop.gremlin.server.auth.AuthenticationException;
import org.apache.tinkerpop.gremlin.structure.service.Service;
import org.apache.tinkerpop.gremlin.structure.util.CloseableIterator;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import shade.com.fasterxml.jackson.databind.ObjectMapper;

/* loaded from: input_file:com/aerospike/firefly/io/aerospike/admin/AdminService.class */
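/**
 * Base class for administrative services that can be reached two ways: as a TinkerPop
 * start-step {@link Service} (see {@link #execute(Service.ServiceCallContext, Map)}) and as a
 * Vert.x HTTP handler (see {@link #getHandler()}).
 *
 * <p>Subclasses supply the naming, parameter validation, audit logging, required role and the
 * actual operation. This class performs the role check in front of the operation on both entry
 * points whenever the graph has authentication enabled.
 *
 * <p>NOTE(review): the two entry points do not run the same checks. The service path calls
 * {@link #isValidPermissions} and {@link #auditLog}; the HTTP handler calls neither. Confirm that
 * this difference is intended, otherwise admin operations issued over HTTP leave no audit record
 * and skip any subclass-specific permission rule.
 *
 * @param <I> input type of the TinkerPop service
 * @param <R> result type produced by {@link #execute(Map)}
 */
public abstract class AdminService<I, R> implements Service.ServiceFactory<I, R>, Service<I, R> {
    protected static final Logger LOGGER = LoggerFactory.getLogger(AdminService.class);

    /** Key under which the caller's claims are expected inside the service parameter map. */
    public static final String RESERVED_USER_CONTEXT = "aerospike.graph.admin.reserved.user.context";

    private static final int SUCCESS_CODE = 200;
    private static final int ERROR_CODE = 400;
    private static final int UNAUTHORIZED_CODE = 401;
    private static final String AUTHORIZATION_HEADER = "Authorization";
    private static final String BEARER_PREFIX = "Bearer ";

    // One mapper for all requests instead of a new instance per HTTP call.
    private static final ObjectMapper JSON_MAPPER = new ObjectMapper();

    protected FireflyGraph graph;

    // NOTE(review): createService() hands out this same instance, so this field is shared by every
    // call to the service. With concurrent callers the name logged by getUser() may belong to a
    // different request. It is used here only for logging, never for an authorization decision.
    private String user = null;

    /**
     * @param fireflyGraph graph this service administers; read on every call for the graph id and
     *     the authentication flag
     */
    public AdminService(FireflyGraph fireflyGraph) {
        this.graph = fireflyGraph;
    }

    /**
     * Returns this instance as the service, which is only allowed at the start of a traversal.
     *
     * @param z {@code true} when the service is used as a start step
     * @param map service parameters (unused here)
     * @return this instance
     * @throws UnsupportedOperationException if the service is requested mid-traversal
     */
    @Override // org.apache.tinkerpop.gremlin.structure.service.Service.ServiceFactory
    public Service<I, R> createService(boolean z, Map map) {
        if (!z) {
            throw new UnsupportedOperationException(Service.Exceptions.cannotUseMidTraversal);
        }
        return this;
    }

    /** @return {@link Service.Type#Start}; admin services never run mid-traversal */
    @Override // org.apache.tinkerpop.gremlin.structure.service.Service
    public Service.Type getType() {
        return Service.Type.Start;
    }

    /** @return the requirements declared by the {@link Service} interface default */
    @Override // org.apache.tinkerpop.gremlin.structure.service.Service
    public Set<TraverserRequirement> getRequirements() {
        // A bare super call cannot resolve an interface default method; name the interface.
        return Service.super.getRequirements();
    }

    /** Delegates to the default {@code close()} of both implemented interfaces. */
    @Override // org.apache.tinkerpop.gremlin.structure.service.Service.ServiceFactory, java.lang.AutoCloseable, org.apache.tinkerpop.gremlin.structure.service.Service
    public void close() {
        // The decompiled listing showed two identical bare super.close() calls; they are the two
        // interface defaults, which must be named explicitly to compile.
        Service.ServiceFactory.super.close();
        Service.super.close();
    }

    /**
     * Builds the dotted service name:
     * {@code aerospike.<project>.admin[.<adminNamespace>].<serviceName>}.
     *
     * @return the registered service name
     */
    @Override // org.apache.tinkerpop.gremlin.structure.service.Service.ServiceFactory
    public String getName() {
        String prefix = "aerospike." + getGraphProjectNamespace() + ".admin.";
        String adminNamespace = getAdminNamespace();
        if (adminNamespace == null) {
            return prefix + getAdminServiceName();
        }
        return prefix + adminNamespace + "." + getAdminServiceName();
    }

    /**
     * Builds the HTTP path: {@code /<graphId>/admin[/<adminNamespace>]/<serviceName>}.
     *
     * @return the path of this service
     */
    public String getPath() {
        String prefix = "/" + this.graph.getBaseGraph().GRAPH_ID + "/admin/";
        String adminNamespace = getAdminNamespace();
        if (adminNamespace == null) {
            return prefix + getAdminServiceName();
        }
        return prefix + adminNamespace + "/" + getAdminServiceName();
    }

    /** @return the project segment used in {@link #getName()} */
    protected abstract String getGraphProjectNamespace();

    /** @return the optional namespace segment, or {@code null} when the service has none */
    protected abstract String getAdminNamespace();

    /** @return the final segment of the service name and path */
    protected abstract String getAdminServiceName();

    /**
     * @param map the parameters that failed validation
     * @return the usage text reported to the caller when {@link #sanitize(Map)} rejects the input
     */
    protected abstract String usage(Map map);

    /**
     * Validates the caller-supplied parameters before the operation runs.
     *
     * @param map caller-supplied parameters
     * @return {@code false} to reject the request
     */
    protected abstract boolean sanitize(Map map);

    /**
     * Runs the administrative operation. Both entry points call this only after their checks.
     *
     * @param map validated parameters
     * @return the operation result
     */
    protected abstract R execute(Map map);

    /**
     * Records the call. Invoked by the service entry point after validation and before execution.
     *
     * @param map validated parameters
     */
    protected abstract void auditLog(Map map);

    /** @return the minimum role a caller needs to run this service */
    protected abstract UserContext.ROLE getRequiredRole();

    /**
     * Service entry point: checks the caller's role, validates the parameters, writes the audit
     * record and runs the operation.
     *
     * @param serviceCallContext TinkerPop call context
     * @param map service parameters; the reserved user-context entry is removed during the check
     * @return an iterator over the single operation result
     * @throws IllegalArgumentException if the caller lacks permission or the parameters are invalid
     */
    @Override // org.apache.tinkerpop.gremlin.structure.service.Service
    public CloseableIterator<R> execute(Service.ServiceCallContext serviceCallContext, Map map) {
        if (!validateAdminContext(serviceCallContext, map)) {
            LOGGER.info("[{}] - {} - Insufficient permissions to run service.", getUser(), getName());
            throw new IllegalArgumentException("Insufficient permissions for '" + getName() + "'.");
        }
        if (!sanitize(map)) {
            throw new IllegalArgumentException(usage(map));
        }
        auditLog(map);
        return FireflyCloseableIteratorUtils.of(execute(map));
    }

    /**
     * Hook for an additional, service-specific permission rule. The default allows every caller,
     * so the role comparison is the only check unless a subclass overrides this.
     *
     * @param map service parameters
     * @param userClaims claims of the calling user
     * @return {@code true} if the caller may proceed to the role comparison
     */
    protected boolean isValidPermissions(Map map, FireflyAuthenticationStrategy.UserClaims userClaims) {
        return true;
    }

    /**
     * Decides whether the caller of the service entry point may run this service.
     *
     * <p>The claims are read from the parameter map under {@link #RESERVED_USER_CONTEXT}.
     * NOTE(review): presumably that entry is injected by FireflyAuthenticationStrategy; verify that
     * a value supplied by the client under the same key is discarded or overwritten upstream.
     *
     * @return {@code true} when authentication is disabled or the caller's role is sufficient
     */
    private boolean validateAdminContext(Service.ServiceCallContext serviceCallContext, Map params) {
        if (!this.graph.getBaseGraph().AUTHENTICATION_ENABLED) {
            return true;
        }
        // Removed so the claims never reach sanitize(), auditLog() or execute().
        Object rawClaims = params.remove(RESERVED_USER_CONTEXT);
        // Fail closed on a missing entry and on an entry of the wrong type, rather than letting
        // the cast throw ClassCastException.
        if (!(rawClaims instanceof FireflyAuthenticationStrategy.UserClaims)) {
            throw AerospikeGraphAuthException.invalidUserContext();
        }
        FireflyAuthenticationStrategy.UserClaims userClaims = (FireflyAuthenticationStrategy.UserClaims) rawClaims;
        this.user = userClaims.getUsername();
        UserContext.ROLE callerRole = userClaims.getRole(this.graph.getBaseGraph().GRAPH_ID);
        if (callerRole == null) {
            throw AerospikeGraphAuthException.userDoesNotHaveValidRole();
        }
        if (!isValidPermissions(params, userClaims)) {
            return false;
        }
        return isRoleHigher(getRequiredRole(), callerRole);
    }

    /**
     * Tests whether a caller's role satisfies a required role. Despite the name, the result is
     * {@code true} when the second argument is at least as privileged as the first.
     *
     * @param role the required role
     * @param role2 the role held by the caller
     * @return {@code true} if {@code role2} is sufficient for {@code role}
     */
    protected boolean isRoleHigher(UserContext.ROLE role, UserContext.ROLE role2) {
        UserContext.ROLE required = role;
        UserContext.ROLE actual = role2;
        boolean isAdmin = actual.equals(UserContext.ROLE.ADMIN);
        if (required.equals(UserContext.ROLE.ADMIN)) {
            return isAdmin;
        }
        boolean canWrite = isAdmin || actual.equals(UserContext.ROLE.READ_WRITE);
        if (required.equals(UserContext.ROLE.READ_WRITE)) {
            return canWrite;
        }
        // Any other required role is satisfied by ADMIN, READ_WRITE or READ.
        return canWrite || actual.equals(UserContext.ROLE.READ);
    }

    /**
     * @return the user name recorded by the last service-path permission check, or the anonymous
     *     user name if none has been recorded
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public String getUser() {
        return this.user == null ? AuthenticatedUser.ANONYMOUS_USERNAME : this.user;
    }

    /**
     * Builds the HTTP entry point. When authentication is enabled the handler requires an
     * {@code Authorization: Bearer <token>} header, authenticates the token and compares the
     * caller's role with {@link #getRequiredRole()} before the operation runs.
     *
     * <p>NOTE(review): a caller who is authenticated but lacks the role receives 401 here; 403 is
     * the conventional status for that case. Left unchanged because clients may depend on it.
     *
     * @return the handler to mount at {@link #getPath()}
     */
    public Handler<RoutingContext> getHandler() {
        return routingContext -> {
            if (this.graph == null) {
                throw new IllegalStateException("Graph has not completed initialization.");
            }
            if (this.graph.getBaseGraph().AUTHENTICATION_ENABLED) {
                MultiMap headers = routingContext.request().headers();
                if (!headers.contains(AUTHORIZATION_HEADER)) {
                    routingContext.fail(UNAUTHORIZED_CODE, new IllegalArgumentException("Authorization header is missing."));
                    return;
                }
                String authorization = headers.get(AUTHORIZATION_HEADER);
                if (!authorization.startsWith(BEARER_PREFIX)) {
                    routingContext.fail(UNAUTHORIZED_CODE, new IllegalArgumentException("Authorization header is missing 'Bearer ' prefix."));
                    return;
                }
                String token = authorization.substring(BEARER_PREFIX.length());
                try {
                    JWTAuthenticator authenticator = JWTAuthenticator.getInstance();
                    if (authenticator == null) {
                        throw new IllegalStateException("Authentication is not enabled or has not completed initialization.");
                    }
                    AuthenticatedUser authenticated = authenticator.authenticate(token);
                    // Covers null as well as an unexpected user type, so the cast below cannot
                    // throw and the request is rejected instead.
                    if (!(authenticated instanceof JWTAuthenticator.JWTAuthenticatedUser)) {
                        routingContext.fail(UNAUTHORIZED_CODE, new IllegalArgumentException("Failed to authenticate user."));
                        return;
                    }
                    UserContext.ROLE callerRole = ((JWTAuthenticator.JWTAuthenticatedUser) authenticated).getRole(this.graph.getBaseGraph().GRAPH_ID);
                    UserContext.ROLE requiredRole = getRequiredRole();
                    if (callerRole == null) {
                        routingContext.fail(UNAUTHORIZED_CODE, new IllegalArgumentException("User does not have a valid role."));
                        return;
                    }
                    if (!isRoleHigher(requiredRole, callerRole)) {
                        routingContext.fail(UNAUTHORIZED_CODE, new IllegalArgumentException("Insufficient permissions to perform operation."));
                        return;
                    }
                } catch (AuthenticationException e) {
                    routingContext.fail(UNAUTHORIZED_CODE, e);
                    return;
                }
            }
            // A repeated parameter name is ambiguous for an admin operation. Reject it as a bad
            // request; Collectors.toMap threw IllegalStateException on it, outside any try block.
            Map<String, String> params = new HashMap<>();
            for (Map.Entry<String, String> entry : routingContext.queryParams().entries()) {
                if (params.containsKey(entry.getKey())) {
                    routingContext.fail(ERROR_CODE, new IllegalArgumentException("Duplicate query parameters are not supported."));
                    return;
                }
                params.put(entry.getKey(), entry.getValue());
            }
            if (!sanitize(params)) {
                routingContext.fail(ERROR_CODE, new IllegalArgumentException(usage(params)));
                return;
            }
            // NOTE(review): auditLog(params) is not called on this path, unlike the service path.
            try {
                R result = execute(params);
                routingContext.response().setStatusCode(SUCCESS_CODE).putHeader("content-type", "application/json").end(JSON_MAPPER.writer().withDefaultPrettyPrinter().writeValueAsString(result));
            } catch (Exception e2) {
                // Every failure, including a server-side one, is reported as 400. What the client
                // sees depends on the router's failure handler, which is not shown here; confirm
                // it does not return internal exception messages.
                routingContext.fail(ERROR_CODE, e2);
            }
        };
    }

    /** @return only {@link Service.Type#Start} */
    @Override // org.apache.tinkerpop.gremlin.structure.service.Service.ServiceFactory
    public Set<Service.Type> getSupportedTypes() {
        return Set.of(Service.Type.Start);
    }

    /** @return {@code true}; the base implementation always asks for an HTTP route */
    public boolean needRouting() {
        return true;
    }
}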
