package com.aerospike.firefly.security;

import com.aerospike.firefly.security.JWTAuthenticator;
import com.aerospike.firefly.security.UserContext;
import com.aerospike.firefly.util.exceptions.AerospikeGraphAuthException;
import io.vertx.ext.auth.authorization.impl.RoleBasedAuthorizationConverter;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import org.apache.commons.text.StringEscapeUtils;
import org.apache.tinkerpop.gremlin.process.traversal.Bytecode;
import org.apache.tinkerpop.gremlin.process.traversal.dsl.graph.GraphTraversal;
import org.apache.tinkerpop.gremlin.server.auth.AuthenticatedUser;
import org.apache.tinkerpop.gremlin.server.authz.AuthorizationException;
import org.apache.tinkerpop.gremlin.server.authz.Authorizer;
import org.apache.tinkerpop.gremlin.util.Tokens;
import org.apache.tinkerpop.gremlin.util.message.RequestMessage;
import org.codehaus.plexus.util.SelectorUtils;

/* loaded from: input_file:com/aerospike/firefly/security/JWTAuthorizer.class */
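/**
 * Gremlin Server {@link Authorizer} that rejects requests carrying an invalid (expired) JWT and
 * tags every accepted request with the caller's name and roles by adding a reserved
 * {@code call()} step, either to the traversal bytecode or to the Gremlin script text.
 *
 * <p>NOTE(review): nothing in this class strips or rejects a client-supplied
 * {@value #RESERVED_CALL_STRING} step that is already present in the request. Confirm that the
 * component consuming the reserved step only trusts the one added here.
 */
public class JWTAuthorizer implements Authorizer {
    public static final String RESERVED_CALL_STRING = "aerospike.graph.admin.reserved.info";

    /** Step names that end a traversal; the identity suffix is inserted in front of them. */
    private static final Set<String> TERMINAL_STEPS = new HashSet<>(Arrays.asList("explain", "iterate", "hasNext", "tryNext", "next", "toList", "toSet", "toBulkSet"));

    /** No configuration is read; present only to satisfy the {@link Authorizer} contract. */
    @Override // org.apache.tinkerpop.gremlin.server.authz.Authorizer
    public void setup(Map<String, Object> map) throws AuthorizationException {
    }

    /**
     * Authorizes a bytecode request and appends the reserved identity steps to it.
     *
     * @param authenticatedUser the authenticated caller; must be a
     *     {@code JWTAuthenticator.JWTAuthenticatedUser}, otherwise the cast fails
     * @param bytecode the traversal bytecode, modified in place
     * @param map request aliases (unused here)
     * @return the same {@code bytecode} instance with the identity steps added
     * @throws AerospikeGraphAuthException if the token is no longer valid
     */
    @Override // org.apache.tinkerpop.gremlin.server.authz.Authorizer
    public Bytecode authorize(AuthenticatedUser authenticatedUser, Bytecode bytecode, Map<String, String> map) {
        JWTAuthenticator.JWTAuthenticatedUser jwtUser = (JWTAuthenticator.JWTAuthenticatedUser) authenticatedUser;
        if (!jwtUser.valid()) {
            throw AerospikeGraphAuthException.tokenExpired();
        }
        // Values are passed as bytecode arguments, not as script text, so no escaping is needed.
        bytecode.addStep(GraphTraversal.Symbols.call, RESERVED_CALL_STRING);
        bytecode.addStep("with", "name", jwtUser.getName());
        bytecode.addStep("with", RoleBasedAuthorizationConverter.TYPE, asBytecodeValue(jwtUser.getRoles()));
        return bytecode;
    }

    /** Converts a single role enum to its string form; any other value is passed through. */
    private Object asBytecodeValue(Object obj) {
        return obj instanceof UserContext.ROLE ? obj.toString() : obj;
    }

    /**
     * Authorizes a script request and rewrites the Gremlin script argument so that it carries
     * the reserved identity steps.
     *
     * <p>The identity suffix is spliced into script source text, so every token-derived value is
     * escaped for a single-quoted Groovy literal before it is formatted in.
     *
     * @param authenticatedUser the authenticated caller; must be a
     *     {@code JWTAuthenticator.JWTAuthenticatedUser}, otherwise the cast fails
     * @param requestMessage the request whose {@code gremlin} argument is rewritten in place
     * @throws AerospikeGraphAuthException if the token is no longer valid
     */
    @Override // org.apache.tinkerpop.gremlin.server.authz.Authorizer
    public void authorize(AuthenticatedUser authenticatedUser, RequestMessage requestMessage) {
        JWTAuthenticator.JWTAuthenticatedUser jwtUser = (JWTAuthenticator.JWTAuthenticatedUser) authenticatedUser;
        if (!jwtUser.valid()) {
            throw AerospikeGraphAuthException.tokenExpired();
        }
        Map<String, Object> args = requestMessage.getArgs();
        String script = (String) args.get(Tokens.ARGS_GREMLIN);
        String identitySuffix = String.format(
                ".call('aerospike.graph.admin.reserved.info').with('name', '%s').with('role', %s)",
                escapeForSingleQuotedLiteral(jwtUser.getName()),
                asStringValue(jwtUser.getRoles()));

        String rewritten = script;
        int lastDot = script.lastIndexOf(".");
        // NOTE(review): when the script has no '.' after its first character, or fewer than two
        // characters after the last '.', it is forwarded WITHOUT the identity suffix. Only the
        // final '.'-separated segment is inspected, so earlier statements in a multi-statement
        // script are not tagged either. Confirm that untagged scripts are rejected downstream.
        if (lastDot > 0 && lastDot + 2 < script.length()) {
            // Drop the trailing two characters (assumed to be "()") to get the last step name.
            String lastStep = script.substring(lastDot + 1, script.length() - 2);
            if (TERMINAL_STEPS.contains(lastStep)) {
                // Keep the terminal step last: insert the identity steps in front of it.
                rewritten = script.substring(0, lastDot) + identitySuffix + script.substring(lastDot);
            } else {
                rewritten = script + identitySuffix;
            }
        }
        args.put(Tokens.ARGS_GREMLIN, rewritten);
    }

    /**
     * Renders the roles value as Groovy source: a quoted string for a single role, otherwise a
     * bracketed {@code 'key':'value',} list built from the map entries.
     *
     * <p>NOTE(review): an empty map renders as {@code []}, which Groovy reads as an empty list
     * rather than an empty map ({@code [:]}). Confirm this is what the consumer expects.
     */
    private String asStringValue(Object obj) {
        if (obj instanceof UserContext.ROLE) {
            return String.format("'%s'", escapeForSingleQuotedLiteral(obj.toString()));
        }
        // The decompiler resolved the opening bracket literal to this constant, presumably "[".
        StringBuilder rendered = new StringBuilder().append(SelectorUtils.PATTERN_HANDLER_PREFIX);
        for (Map.Entry<?, ?> entry : ((Map<?, ?>) obj).entrySet()) {
            rendered.append(String.format("'%s':'%s',",
                    escapeForSingleQuotedLiteral((String) entry.getKey()),
                    escapeForSingleQuotedLiteral((String) entry.getValue())));
        }
        return rendered.append("]").toString();
    }

    /**
     * Escapes a value for embedding between single quotes in the Gremlin (Groovy) script.
     *
     * <p>{@code StringEscapeUtils.escapeJava} handles backslashes, double quotes and control
     * characters but leaves {@code '} untouched, so on its own it does not stop a value from
     * closing the surrounding single-quoted literal. Backslashes are already doubled by
     * {@code escapeJava}, so prefixing each remaining {@code '} with one backslash is safe.
     *
     * @param raw the value to embed; may be {@code null}
     * @return the escaped text, or {@code null} when {@code raw} is {@code null}
     */
    private static String escapeForSingleQuotedLiteral(String raw) {
        String escaped = StringEscapeUtils.escapeJava(raw);
        return escaped == null ? null : escaped.replace("'", "\\'");
    }
}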
