package org.opendaylight.aaa.shiro.realm;

import com.google.common.base.Preconditions;
import com.google.common.collect.Iterables;
import com.google.common.util.concurrent.Futures;
import com.google.common.util.concurrent.ListenableFuture;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Comparator;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.concurrent.ExecutionException;
import javax.servlet.Filter;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import org.apache.shiro.subject.Subject;
import org.apache.shiro.web.filter.authz.AuthorizationFilter;
import org.opendaylight.aaa.shiro.web.env.ThreadLocals;
import org.opendaylight.mdsal.binding.api.ClusteredDataTreeChangeListener;
import org.opendaylight.mdsal.binding.api.DataBroker;
import org.opendaylight.mdsal.binding.api.DataTreeIdentifier;
import org.opendaylight.mdsal.binding.api.DataTreeModification;
import org.opendaylight.mdsal.binding.api.ReadTransaction;
import org.opendaylight.mdsal.common.api.LogicalDatastoreType;
import org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.aaa.rev161214.HttpAuthorization;
import org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.aaa.rev161214.http.authorization.Policies;
import org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.aaa.rev161214.http.permission.Permissions;
import org.opendaylight.yangtools.concepts.ListenerRegistration;
import org.opendaylight.yangtools.yang.binding.InstanceIdentifier;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/opendaylight/aaa/shiro/realm/MDSALDynamicAuthorizationFilter.class */
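/**
 * Shiro authorization filter whose rules live in the MD-SAL configuration datastore
 * ({@code http-authorization} container) rather than in {@code shiro.ini}.
 *
 * <p>Decision model, in order:
 * <ul>
 *   <li>the container could not be read (failed or interrupted future): access is <b>denied</b>;</li>
 *   <li>the container is absent, or it holds no policies: access is <b>allowed</b> (nothing is configured);</li>
 *   <li>otherwise the policies are ordered by {@code index} and the <b>first</b> one whose
 *       {@code resource} pattern matches the request URI decides: access is allowed only if the
 *       subject holds a role whose permitted actions contain the request's HTTP method
 *       (compared case-insensitively); no later policy is consulted;</li>
 *   <li>no policy matches the URI: access is <b>allowed</b>.</li>
 * </ul>
 *
 * <p>The container is read once when the filter is configured and thereafter kept current through a
 * clustered data-tree change listener, so requests never touch the datastore directly.
 */
public class MDSALDynamicAuthorizationFilter extends AuthorizationFilter
        implements ClusteredDataTreeChangeListener<HttpAuthorization> {
    private static final Logger LOG = LoggerFactory.getLogger(MDSALDynamicAuthorizationFilter.class);

    /** Location of the {@code http-authorization} container in the configuration datastore. */
    private static final DataTreeIdentifier<HttpAuthorization> AUTHZ_CONTAINER = DataTreeIdentifier.create(
            LogicalDatastoreType.CONFIGURATION, InstanceIdentifier.create(HttpAuthorization.class));

    // The broker is handed over through a thread-local by the web environment; fail fast if it was not set
    // on the thread that instantiates this filter.
    private final DataBroker dataBroker = Objects.requireNonNull(ThreadLocals.DATABROKER_TL.get());

    /** Change-listener registration, held so that {@link #destroy()} can release it; null when not registered. */
    private ListenerRegistration<?> reg;

    // Latest known container. Kept as a future so that the initial asynchronous datastore read and the
    // immediate futures produced by change notifications are consumed the same way by isAccessAllowed().
    private volatile ListenableFuture<Optional<HttpAuthorization>> authContainer;

    /**
     * Performs the one-time setup when Shiro binds this filter to a path: kicks off the initial read of the
     * authorization container and registers for subsequent changes.
     *
     * @param path the path pattern this filter is mapped to
     * @param config the path-specific configuration string, if any
     * @return the configured filter, as returned by the superclass
     */
    @Override
    public Filter processPathConfig(final String path, final String config) {
        try (ReadTransaction tx = dataBroker.newReadOnlyTransaction()) {
            authContainer = tx.read(AUTHZ_CONTAINER.getDatastoreType(), AUTHZ_CONTAINER.getRootIdentifier());
        }
        // Shiro may call this once per mapped path; re-registering would orphan the previous registration,
        // which would then never be closed by destroy().
        if (reg == null) {
            reg = dataBroker.registerDataTreeChangeListener(AUTHZ_CONTAINER, this);
        }
        return super.processPathConfig(path, config);
    }

    /** Releases the change-listener registration, then performs the superclass teardown. */
    @Override
    public void destroy() {
        if (reg != null) {
            reg.close();
            reg = null;
        }
        super.destroy();
    }

    /**
     * Replaces the cached container with the state after the last modification in the batch.
     *
     * @param changes the modifications delivered by the data broker; only the last one's final state matters,
     *        earlier ones in the batch are superseded by it
     */
    @Override
    public void onDataTreeChanged(final Collection<DataTreeModification<HttpAuthorization>> changes) {
        final HttpAuthorization dataAfter = Iterables.getLast(changes).getRootNode().getDataAfter();
        LOG.debug("Updating authorization information to {}", dataAfter);
        // A deleted container yields null -> empty Optional, which isAccessAllowed() treats as "no rules".
        authContainer = Futures.immediateFuture(Optional.ofNullable(dataAfter));
    }

    /**
     * Decides whether the current subject may perform the request, per the class-level decision model.
     *
     * @param request the incoming request; must be an {@link HttpServletRequest}
     * @param response the outgoing response, used only to resolve the subject
     * @param mappedValue the path-specific configuration value (unused)
     * @return true to let the request through, false to deny it
     * @throws IllegalArgumentException if {@code request} is not an {@link HttpServletRequest}
     */
    @Override
    public boolean isAccessAllowed(final ServletRequest request, final ServletResponse response,
            final Object mappedValue) {
        // Guava templates use %s; with '{}' the offending request would have been dropped from the message.
        Preconditions.checkArgument(request instanceof HttpServletRequest,
                "Expected HttpServletRequest, received %s", request);
        final Subject subject = getSubject(request, response);
        final HttpServletRequest httpRequest = (HttpServletRequest) request;
        final String requestUri = httpRequest.getRequestURI();
        LOG.debug("isAccessAllowed for user={} to requestURI={}", subject, requestUri);

        final Optional<HttpAuthorization> authorization;
        try {
            authorization = authContainer.get();
        } catch (InterruptedException e) {
            // Fail closed, and leave the interrupt visible to the caller's thread.
            Thread.currentThread().interrupt();
            LOG.warn("MDSAL attempt to read Http Authz Container failed, disallowing access", e);
            return false;
        } catch (ExecutionException e) {
            // Fail closed: we cannot tell what the rules are.
            LOG.warn("MDSAL attempt to read Http Authz Container failed, disallowing access", e);
            return false;
        }

        if (!authorization.isPresent()) {
            LOG.debug("Authorization Container does not exist");
            return true;
        }
        final Policies container = authorization.get().getPolicies();
        final List<org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.aaa.rev161214.http.authorization
                .policies.Policies> configured = container != null ? container.getPolicies() : null;
        if (configured == null || configured.isEmpty()) {
            LOG.debug("Exiting successfully early since no authorization rules exist");
            return true;
        }

        // Evaluate in index order; the binding list is not guaranteed to be sorted.
        final List<org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.aaa.rev161214.http.authorization
                .policies.Policies> ordered = new ArrayList<>(configured);
        ordered.sort(Comparator.comparing(
                org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.aaa.rev161214.http.authorization
                .policies.Policies::getIndex));

        final String method = httpRequest.getMethod();
        for (org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.aaa.rev161214.http.authorization
                .policies.Policies policy : ordered) {
            final String resource = policy.getResource();
            if (!pathsMatch(resource, requestUri)) {
                continue;
            }
            LOG.debug("paths match for pattern={} and requestURI={}", resource, requestUri);
            LOG.trace("method={}", method);
            // First matching policy is authoritative: a miss here is a denial, not a fall-through.
            if (hasPermittedRole(subject, policy, method)) {
                return true;
            }
            LOG.debug("couldn't authorize the user for access");
            return false;
        }
        LOG.debug("successfully authorized the user for access");
        return true;
    }

    /**
     * Checks whether the subject holds any role that the policy permits for the given HTTP method.
     *
     * @param subject the authenticated subject
     * @param policy the policy whose resource pattern matched the request
     * @param method the request's HTTP method, compared case-insensitively against the permitted action names
     * @return true if some permission of the policy names the method and the subject has that permission's role
     */
    private static boolean hasPermittedRole(final Subject subject,
            final org.opendaylight.yang.gen.v1.urn.opendaylight.params.xml.ns.yang.aaa.rev161214.http.authorization
                .policies.Policies policy,
            final String method) {
        // Binding list getters may return null for absent lists (the policies list above already is handled
        // that way); an absent permission/action list grants nothing rather than failing the request.
        for (Permissions permission : nullToEmpty(policy.getPermissions())) {
            final String role = permission.getRole();
            LOG.trace("role={}", role);
            for (Permissions.Actions action : nullToEmpty(permission.getActions())) {
                final String actionName = action.getName();
                LOG.trace("action={}", actionName);
                if (actionName != null && actionName.equalsIgnoreCase(method)) {
                    final boolean hasRole = subject.hasRole(role);
                    LOG.trace("hasRole({})={}", role, hasRole);
                    if (hasRole) {
                        return true;
                    }
                }
            }
        }
        return false;
    }

    /** Returns the collection itself, or an empty one when it is null, so callers can iterate unconditionally. */
    private static <T> Collection<T> nullToEmpty(final Collection<T> items) {
        return items != null ? items : Collections.emptyList();
    }
}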
