package com.aerospike.firefly.process.call.rbac;

import com.aerospike.firefly.process.traversal.strategy.optimization.FireflyAuthenticationStrategy;
import com.aerospike.firefly.security.JWTAuthenticator;
import com.aerospike.firefly.security.UserContext;
import com.aerospike.firefly.structure.FireflyGraph;
import io.vertx.ext.auth.authorization.impl.RoleBasedAuthorizationConverter;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;

/* loaded from: input_file:com/aerospike/firefly/process/call/rbac/JwtServiceIssueToken.class */
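/**
 * Admin service, registered under the name {@code issue-token}, that asks the
 * configured {@link JWTAuthenticator} to create a JWT for a given username.
 *
 * <p>The caller supplies {@code username}, a role, and optionally {@code expiry}.
 * The role is either a single global role string ({@code READ}, {@code READ_WRITE},
 * {@code ADMIN}) or a map of graph ID to role. Per-graph roles may also be passed as
 * extra top-level parameters; {@link #extractRoles(Map)} folds those into one role map.
 *
 * <p>All parameter values come from the caller of the service, so every value is
 * type-checked before it is cast.
 *
 * @param <I> input type of the underlying service (not used in this class)
 * @param <R> result type returned by {@link #execute(Map)}
 */
public class JwtServiceIssueToken<I, R> extends JwtServiceBase<I, R> {
    /** Name of the parameter that carries the user the token is issued for. */
    private static final String USERNAME_PARAM = "username";

    /**
     * Name of the parameter that carries the role (global string or per-graph map).
     * NOTE(review): the reference to the Vert.x converter constant looks like a
     * decompiler constant substitution; usage() names the parameter 'role', so the
     * value is presumably the literal "role" - confirm against the original source.
     */
    private static final String ROLE_PARAM = RoleBasedAuthorizationConverter.TYPE;

    /** Name of the optional parameter that carries the token lifetime in seconds. */
    private static final String EXPIRY_PARAM = "expiry";

    public JwtServiceIssueToken(FireflyGraph fireflyGraph) {
        super(fireflyGraph);
    }

    /** @return the fixed service name, {@code issue-token}. */
    @Override // com.aerospike.firefly.io.aerospike.admin.AdminService
    public String getAdminServiceName() {
        return "issue-token";
    }

    /**
     * Builds the help text shown when the arguments are rejected.
     *
     * @param map the arguments as provided; they are echoed back in the message
     * @return the formatted usage message
     */
    @Override // com.aerospike.firefly.io.aerospike.admin.AdminService
    protected String usage(Map map) {
        String serviceName = getName();
        return String.format(
                "Illegal arguments provided to '%s'.\n"
                        + "\tExpected arguments: 'username', 'role'.\n"
                        + "\tAcceptable values of role are: 'READ', 'READ_WRITE', 'ADMIN' or Map of pairs GraphID-role.\n"
                        + "\tProvided arguments: '%s'.\n"
                        + "\tExample of correct usage:\n"
                        + "\t\tg.call(\"%s\").with(\"username\", \"lyndon\").with(\"role\", \"ADMIN\").next();\n"
                        + "\t\tg.call(\"%s\").with(\"username\", \"lyndon\").with(\"Graph1\", \"ADMIN\").with(\"Graph2\", \"READ\").next();\n"
                        + "\t\tg.call(\"%s\").with(\"username\", \"lyndon\").with(\"role\", [\"Graph1\": \"ADMIN\"]).next();\n"
                        + "\tor to set a token that expires in 1 day:\n"
                        + "\t\tg.call(\"%s\").with(\"username\", \"lyndon\").with(\"role\", \"ADMIN\").with(\"expiry\", 24 * 60 * 60).next();",
                serviceName, map, serviceName, serviceName, serviceName, serviceName);
    }

    /** @return a mutable map from parameter name to its human-readable description. */
    @Override // org.apache.tinkerpop.gremlin.structure.service.Service.ServiceFactory
    public Map<String, String> describeParams() {
        Map<String, String> descriptions = new HashMap<>();
        descriptions.put(USERNAME_PARAM, "The username to issue the token for.");
        descriptions.put(ROLE_PARAM, "The role to issue the token for. Acceptable values are 'READ', 'READ_WRITE', 'ADMIN' or Map with pairs GraphID-role.");
        descriptions.put(EXPIRY_PARAM, "The expiry time for the token in seconds from current time. Optional parameter.");
        return descriptions;
    }

    /**
     * Folds every top-level parameter that is not {@code username}, the role parameter
     * or {@code expiry} into a single graph-ID-to-role map stored under the role
     * parameter, and removes those parameters from {@code map}.
     *
     * <p>Keys and values are moved as they are, without casting: their types are
     * checked in {@link #sanitize(Map)} and {@link #isValidPermissions}, so a
     * malformed argument is rejected there instead of surfacing as a
     * {@link ClassCastException} from this method. Calling the method a second time
     * on the same map is a no-op, because no extra parameters remain.
     *
     * @param map the caller-supplied arguments; modified in place
     * @throws IllegalStateException if per-graph parameters are present together
     *     with an explicit role parameter
     */
    @SuppressWarnings({"rawtypes", "unchecked"}) // the raw Map comes from the inherited signatures
    private void extractRoles(Map map) {
        Map<Object, Object> perGraphRoles = new HashMap<>();
        for (Object rawEntry : map.entrySet()) {
            Map.Entry<?, ?> entry = (Map.Entry<?, ?>) rawEntry;
            Object key = entry.getKey();
            boolean reserved = USERNAME_PARAM.equals(key) || ROLE_PARAM.equals(key) || EXPIRY_PARAM.equals(key);
            if (!reserved) {
                perGraphRoles.put(key, entry.getValue());
            }
        }
        if (perGraphRoles.isEmpty()) {
            return;
        }
        if (map.containsKey(ROLE_PARAM)) {
            throw new IllegalStateException("Cannot issue JWT token. The role must be global or assigned per graph.");
        }
        map.put(ROLE_PARAM, perGraphRoles);
        // Remove the folded parameters only after iteration over the entry set has finished.
        for (Object graphId : perGraphRoles.keySet()) {
            map.remove(graphId);
        }
    }

    /**
     * Validates the caller-supplied arguments.
     *
     * <p>Accepts the request only when {@code username} is a non-empty String, the
     * role is either a valid role String or a non-empty map whose keys are Strings
     * and whose values are valid role Strings, and {@code expiry} is absent or a
     * {@link Number}. A parameter that is present with a {@code null} value is
     * rejected rather than dereferenced.
     *
     * <p>NOTE(review): {@code expiry} is only type-checked here; sign, zero,
     * NaN/infinity and an upper bound on the lifetime are not validated. Confirm that
     * {@code JWTAuthenticator.createToken} enforces an acceptable token lifetime.
     *
     * @param map the caller-supplied arguments; per-graph parameters are folded first
     * @return {@code true} if the arguments are well-formed
     * @throws IllegalStateException if both a role parameter and per-graph
     *     parameters were supplied (raised by the folding step)
     */
    @Override // com.aerospike.firefly.io.aerospike.admin.AdminService
    protected boolean sanitize(Map map) {
        extractRoles(map);

        Object username = map.get(USERNAME_PARAM);
        if (!(username instanceof String) || ((String) username).isEmpty()) {
            return false;
        }

        Object role = map.get(ROLE_PARAM);
        if (role instanceof String) {
            if (!isValidRole((String) role)) {
                return false;
            }
        } else if (role instanceof Map) {
            Map<?, ?> perGraphRoles = (Map<?, ?>) role;
            if (perGraphRoles.isEmpty()) {
                return false;
            }
            for (Map.Entry<?, ?> entry : perGraphRoles.entrySet()) {
                // Graph IDs are cast to String in isValidPermissions, so anything else is malformed.
                if (!(entry.getKey() instanceof String)) {
                    return false;
                }
                Object graphRole = entry.getValue();
                if (!(graphRole instanceof String) || !isValidRole((String) graphRole)) {
                    return false;
                }
            }
        } else {
            // Missing, null, or of an unsupported type.
            return false;
        }

        Object expiry = map.get(EXPIRY_PARAM);
        return expiry == null || expiry instanceof Number;
    }

    /**
     * @param str the role name to check; may be {@code null}
     * @return {@code true} if {@code str} is exactly {@code READ}, {@code READ_WRITE}
     *     or {@code ADMIN}; {@code false} otherwise, including for {@code null}
     */
    private boolean isValidRole(String str) {
        // Constant-first comparison keeps a null role (e.g. a null map value) from throwing.
        return "READ".equals(str) || "READ_WRITE".equals(str) || "ADMIN".equals(str);
    }

    /**
     * Creates the token through the process-wide {@link JWTAuthenticator}.
     *
     * <p>The casts assume the arguments already passed {@link #sanitize(Map)}.
     *
     * @param map the validated arguments
     * @return whatever {@code JWTAuthenticator.createToken} returns, cast to {@code R}
     * @throws IllegalStateException if no {@link JWTAuthenticator} instance is available
     */
    @Override // com.aerospike.firefly.io.aerospike.admin.AdminService
    @SuppressWarnings("unchecked") // R is fixed by the service registration, not visible here
    protected R execute(Map map) {
        String username = (String) map.get(USERNAME_PARAM);
        Object role = map.get(ROLE_PARAM);
        Number expiry = (Number) map.get(EXPIRY_PARAM);
        JWTAuthenticator authenticator = JWTAuthenticator.getInstance();
        if (authenticator == null) {
            throw new IllegalStateException("Cannot issue JWT token because JWT authentication is not enabled on this Aerospike Graph instance.");
        }
        return (R) authenticator.createToken(username, role, expiry);
    }

    /**
     * Writes the audit record for a token request.
     *
     * <p>The username is caller-supplied and only checked for being a non-empty
     * String, so CR and LF are replaced before logging to keep one request from
     * producing what looks like several log records.
     *
     * <p>NOTE(review): the record names the requesting user and the target username
     * but not the granted role or expiry; consider adding them so token issuance can
     * be reconstructed from the audit log alone.
     *
     * @param map the arguments of the request
     */
    @Override // com.aerospike.firefly.io.aerospike.admin.AdminService
    protected void auditLog(Map map) {
        Object username = map.get(USERNAME_PARAM);
        String loggedUsername = username instanceof String
                ? ((String) username).replace('\r', '_').replace('\n', '_')
                : String.valueOf(username);
        LOGGER.info("[{}] - {} - Creating a new JWT token for user '{}'.", getUser(), getName(), loggedUsername);
    }

    /**
     * Checks whether the caller may issue the requested per-graph roles: the caller
     * must hold {@code ADMIN} on every graph ID named in the role map. A graph ID
     * that is not a String is refused (fail closed).
     *
     * <p>NOTE(review): when the role is not a map (a global role String, or absent),
     * this method returns {@code true} without consulting {@code userClaims}. Confirm
     * that the base class or the caller restricts who may request a global role;
     * nothing in this class does. An empty role map also passes here and is only
     * rejected by {@link #sanitize(Map)}.
     *
     * @param map the caller-supplied arguments; per-graph parameters are folded first
     * @param userClaims the claims of the caller making the request
     * @return {@code false} if any requested graph is one the caller is not
     *     {@code ADMIN} on, {@code true} otherwise
     * @throws IllegalStateException if both a role parameter and per-graph
     *     parameters were supplied (raised by the folding step)
     */
    @Override // com.aerospike.firefly.io.aerospike.admin.AdminService
    protected boolean isValidPermissions(Map map, FireflyAuthenticationStrategy.UserClaims userClaims) {
        extractRoles(map);
        Object role = map.get(ROLE_PARAM);
        if (!(role instanceof Map)) {
            return true;
        }
        for (Object graphId : ((Map<?, ?>) role).keySet()) {
            if (!(graphId instanceof String)
                    || !UserContext.ROLE.ADMIN.equals(userClaims.getRole((String) graphId))) {
                return false;
            }
        }
        return true;
    }
}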
