package de.iip_ecosphere.platform.support.aas.basyx.security;

import de.iip_ecosphere.platform.support.aas.AuthenticationDescriptor;
import de.iip_ecosphere.platform.support.aas.SetupSpec;
import java.lang.reflect.Field;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
import java.util.function.Consumer;
import org.eclipse.basyx.aas.aggregator.api.IAASAggregator;
import org.eclipse.basyx.extensions.aas.aggregator.authorization.internal.AuthorizedAASAggregator;
import org.eclipse.basyx.extensions.aas.aggregator.authorization.internal.SimpleRbacAASAggregatorAuthorizer;
import org.eclipse.basyx.extensions.shared.authorization.internal.AuthenticationContextProvider;
import org.eclipse.basyx.extensions.shared.authorization.internal.BaSyxObjectTargetInformation;
import org.eclipse.basyx.extensions.shared.authorization.internal.PredefinedSetRbacRuleChecker;
import org.eclipse.basyx.extensions.shared.authorization.internal.RbacRule;
import org.eclipse.basyx.extensions.shared.authorization.internal.RbacRuleSet;
import org.eclipse.basyx.vab.protocol.http.server.BaSyxContext;
import org.eclipse.basyx.vab.protocol.http.server.JwtBearerTokenAuthenticationConfiguration;
import org.slf4j.Logger;
import org.springframework.security.web.DefaultSecurityFilterChain;
import org.springframework.security.web.FilterChainProxy;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import org.springframework.security.web.util.matcher.AnyRequestMatcher;

/* JADX WARN: Classes with same name are omitted:
  input_file:BOOT-INF/classes/support.aas.basyx1_0-0.7.1-SNAPSHOT.zip:target/jars/de.iip-ecosphere.platform.support.aas.basyx-0.7.1-SNAPSHOT-core.jar:de/iip_ecosphere/platform/support/aas/basyx/security/Helper.class
 */
/* loaded from: input_file:BOOT-INF/lib/support.aas.basyx-0.7.1-SNAPSHOT.jar:de/iip_ecosphere/platform/support/aas/basyx/security/Helper.class */
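/**
 * Static helpers that wire authentication and role-based authorization from a {@link SetupSpec}
 * into BaSyx server components.
 *
 * <p>Security-relevant behavior visible in this class:
 * <ul>
 *   <li>{@link #configureSecurity} installs a Basic-auth filter chain only for
 *       {@code AAS_REPOSITORY}; every other component gets the JWT configuration already held by
 *       the {@link BaSyxContext}.</li>
 *   <li>{@link #addAuthorization} wraps the aggregator with RBAC checks only when access rules
 *       are configured; otherwise the aggregator is returned unwrapped.</li>
 * </ul>
 */
public class Helper {
    /** Translates descriptor-level RBAC actions into the action strings handed to BaSyx {@link RbacRule}. */
    private static final Map<AuthenticationDescriptor.RbacAction, String> ACTION_MAPPING = new HashMap<>();

    static {
        // Only these five actions are mapped. Any other RbacAction value resolves to null in
        // addAuthorization and ends up as the action of the generated rule.
        ACTION_MAPPING.put(AuthenticationDescriptor.RbacAction.CREATE, AuthenticationDescriptor.RbacAction.CREATE.toString());
        ACTION_MAPPING.put(AuthenticationDescriptor.RbacAction.DELETE, AuthenticationDescriptor.RbacAction.DELETE.toString());
        ACTION_MAPPING.put(AuthenticationDescriptor.RbacAction.EXECUTE, AuthenticationDescriptor.RbacAction.EXECUTE.toString());
        ACTION_MAPPING.put(AuthenticationDescriptor.RbacAction.READ, AuthenticationDescriptor.RbacAction.READ.toString());
        ACTION_MAPPING.put(AuthenticationDescriptor.RbacAction.UPDATE, AuthenticationDescriptor.RbacAction.UPDATE.toString());
    }

    /**
     * Reads the {@code docBasePath} field of a {@link BaSyxContext} via reflection.
     *
     * <p>The field is looked up on the runtime class first and then on its superclasses, so a
     * subclass instance of {@code BaSyxContext} is handled as well. Because this bypasses the
     * field's declared visibility, it depends on the internal layout of the BaSyx version on the
     * classpath and should be re-checked on every BaSyx upgrade.
     *
     * @param baSyxContext the context to read from
     * @param logger receives an error entry (including the exception) if the field cannot be
     *     found or accessed
     * @return the field value, or {@code null} if the field is missing or inaccessible; callers
     *     must handle {@code null}
     */
    public static String getDocBasePath(BaSyxContext baSyxContext, Logger logger) {
        try {
            Field field = findDeclaredField(baSyxContext.getClass(), "docBasePath");
            field.setAccessible(true);
            return (String) field.get(baSyxContext);
        } catch (IllegalAccessException | NoSuchFieldException e) {
            // Pass the exception itself so the stack trace is preserved, not just the message.
            logger.error("Cannot find/access field docBasePath in BaSyxContext: " + e.getMessage(), e);
            return null;
        }
    }

    /** Finds a declared field by name on {@code start} or the nearest superclass declaring it. */
    private static Field findDeclaredField(Class<?> start, String name) throws NoSuchFieldException {
        for (Class<?> type = start; type != null; type = type.getSuperclass()) {
            try {
                return type.getDeclaredField(name);
            } catch (NoSuchFieldException ignored) {
                // Not declared at this level; continue with the superclass.
            }
        }
        throw new NoSuchFieldException(name);
    }

    /**
     * Selects the authentication mechanism for a server component.
     *
     * <ul>
     *   <li>Authentication not enabled on the server, or the component is not
     *       {@code AAS_REPOSITORY}: returns the JWT configuration already stored in
     *       {@code baSyxContext}; no filter chain is passed to {@code consumer}.</li>
     *   <li>Server users configured: builds a filter chain (Basic authentication followed by
     *       {@code FailNoAuthorizationFilter}) matching every request, hands it to
     *       {@code consumer} and returns an empty optional.</li>
     *   <li>Otherwise, OAuth2 configured: returns a JWT bearer configuration built from issuer
     *       URI, JWK set URI and required audience.</li>
     *   <li>Neither configured: returns an empty optional and installs nothing.</li>
     * </ul>
     *
     * @param baSyxContext context providing the fallback JWT configuration
     * @param setupSpec the setup specification holding per-component setups
     * @param aasComponent the component being configured
     * @param consumer receives the filter chain proxy in the server-users case
     * @return the JWT bearer configuration to apply, possibly empty
     */
    public static Optional<JwtBearerTokenAuthenticationConfiguration> configureSecurity(BaSyxContext baSyxContext, SetupSpec setupSpec, SetupSpec.AasComponent aasComponent, Consumer<FilterChainProxy> consumer) {
        // NOTE(review): addAuthorization guards against a null ComponentSetup, this method does
        // not; a component without a setup entry fails here with a NullPointerException.
        SetupSpec.ComponentSetup setup = setupSpec.getSetup(aasComponent);
        AuthenticationDescriptor authentication = setup.getAuthentication();
        if (!AuthenticationDescriptor.isEnabledOnServer(authentication) || SetupSpec.AasComponent.AAS_REPOSITORY != aasComponent) {
            return baSyxContext.getJwtBearerTokenAuthenticationConfiguration();
        }
        if (authentication.getServerUsers() != null) {
            // Raw list: the element type (servlet Filter) is not imported in this file.
            ArrayList filters = new ArrayList();
            filters.add(new BasicAuthenticationFilter(new AuthenticationDescriptorBasedAuthenticationManager(authentication)));
            filters.add(new FailNoAuthorizationFilter(sharedRegistryPathPattern(setupSpec, setup), authentication.requiresAnonymousAccess()));
            consumer.accept(new FilterChainProxy(new DefaultSecurityFilterChain(AnyRequestMatcher.INSTANCE, filters)));
            return Optional.empty();
        }
        AuthenticationDescriptor.OAuth2Setup oAuth2Setup = authentication.getOAuth2Setup();
        if (oAuth2Setup != null) {
            return Optional.of(JwtBearerTokenAuthenticationConfiguration.of(oAuth2Setup.getIssuerUri(), oAuth2Setup.getJwkSetUri(), oAuth2Setup.getRequiredAud()));
        }
        // NOTE(review): authentication is enabled for the repository, but neither server users
        // nor an OAuth2 setup is present. Nothing is installed and no error is raised, so the
        // component starts without any authentication mechanism from this method. Consider
        // rejecting this configuration at startup.
        return Optional.empty();
    }

    /**
     * Builds the path pattern for the AAS registry when it is served from the same server URI as
     * {@code componentSetup}; returns {@code null} when the registry lives on a different server.
     *
     * <p>The result is the registry endpoint wrapped in leading and trailing slashes, followed by
     * {@code ".*"}.
     */
    private static String sharedRegistryPathPattern(SetupSpec setupSpec, SetupSpec.ComponentSetup componentSetup) {
        SetupSpec.ComponentSetup registrySetup = setupSpec.getSetup(SetupSpec.AasComponent.AAS_REGISTRY);
        if (!registrySetup.getEndpoint().toServerUri().equals(componentSetup.getEndpoint().toServerUri())) {
            return null;
        }
        String endpoint = registrySetup.getEndpoint().getEndpoint();
        if (!endpoint.startsWith("/")) {
            endpoint = "/" + endpoint;
        }
        if (!endpoint.endsWith("/")) {
            endpoint = endpoint + "/";
        }
        // NOTE(review): the ".*" suffix suggests FailNoAuthorizationFilter treats this as a regex
        // (confirm there). If so, regex metacharacters in the configured endpoint widen the set
        // of matched paths; quoting the endpoint part would keep the match literal.
        return endpoint + ".*";
    }

    /**
     * Wraps an AAS aggregator with RBAC authorization derived from the component's access rules.
     *
     * <p>One BaSyx {@link RbacRule} is created per (descriptor rule, action) pair. For component
     * {@code AAS} the rule's element becomes the first target argument; for {@code SUBMODEL} and
     * {@code SUBMODEL_ELEMENT} it becomes the second; the rule's path is the third.
     *
     * <p>The aggregator is returned unchanged when the component has no setup, when
     * authentication is not enabled on the server, or when no access rules are configured. In
     * the last case authentication may be active while no authorization is enforced here.
     *
     * @param iAASAggregator the aggregator to protect
     * @param setupSpec the setup specification holding per-component setups
     * @param aasComponent the component whose access rules apply
     * @return the authorizing wrapper, or {@code iAASAggregator} itself if nothing applies
     */
    public static IAASAggregator addAuthorization(IAASAggregator iAASAggregator, SetupSpec setupSpec, SetupSpec.AasComponent aasComponent) {
        SetupSpec.ComponentSetup setup = setupSpec.getSetup(aasComponent);
        if (null == setup) {
            return iAASAggregator;
        }
        AuthenticationDescriptor authentication = setup.getAuthentication();
        if (!AuthenticationDescriptor.isEnabledOnServer(authentication) || authentication.getAccessRules() == null) {
            return iAASAggregator;
        }
        RbacRuleSet rbacRuleSet = new RbacRuleSet();
        for (AuthenticationDescriptor.RbacRule rule : authentication.getAccessRules()) {
            // Previously: getPath().replaceAll(".", "."). The first argument of replaceAll is a
            // regex, where "." matches every character, so each configured path was rewritten
            // into a run of dots and path-scoped rules no longer named their target. Read
            // literally, replacing "." by "." is the identity, so the path is passed unchanged.
            // NOTE(review): if a separator translation was intended, confirm against upstream.
            String path = rule.getPath();
            String aasId = null;
            String submodelId = null;
            AuthenticationDescriptor.RbacAasComponent component = rule.getComponent();
            if (component == AuthenticationDescriptor.RbacAasComponent.AAS) {
                aasId = rule.getElement();
            } else if (component == AuthenticationDescriptor.RbacAasComponent.SUBMODEL || component == AuthenticationDescriptor.RbacAasComponent.SUBMODEL_ELEMENT) {
                submodelId = rule.getElement();
            }
            for (AuthenticationDescriptor.RbacAction action : rule.getActions()) {
                // ACTION_MAPPING.get yields null for an action without a mapping entry.
                rbacRuleSet.addRule(new RbacRule(rule.getRole().name(), ACTION_MAPPING.get(action), new BaSyxObjectTargetInformation(aasId, submodelId, path)));
            }
        }
        return new AuthorizedAASAggregator(iAASAggregator, new SimpleRbacAASAggregatorAuthorizer(new PredefinedSetRbacRuleChecker(rbacRuleSet), AuthenticationDescriptorBasedAuthenticationManager.AUTHENTICATOR), new AuthenticationContextProvider());
    }
}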
