package com.sap.cds.services.impl.cds;

import com.sap.cds.ql.Select;
import com.sap.cds.ql.cqn.CqnDelete;
import com.sap.cds.ql.cqn.CqnPredicate;
import com.sap.cds.ql.cqn.CqnStatement;
import com.sap.cds.ql.cqn.CqnUpdate;
import com.sap.cds.ql.cqn.CqnVisitor;
import com.sap.cds.reflect.CdsEntity;
import com.sap.cds.reflect.CdsModel;
import com.sap.cds.services.EventContext;
import com.sap.cds.services.authorization.AuthorizationService;
import com.sap.cds.services.cds.ApplicationService;
import com.sap.cds.services.changeset.ChangeSetContextSPI;
import com.sap.cds.services.handler.EventHandler;
import com.sap.cds.services.handler.annotations.Before;
import com.sap.cds.services.handler.annotations.HandlerOrder;
import com.sap.cds.services.handler.annotations.ServiceName;
import com.sap.cds.services.impl.authorization.AuthorizationEntity;
import com.sap.cds.services.impl.authorization.StaticAuthorizationsDeepChecker;
import com.sap.cds.services.impl.draft.ParentEntityLookup;
import com.sap.cds.services.impl.utils.CdsModelUtils;
import com.sap.cds.services.impl.utils.CdsServiceUtils;
import com.sap.cds.services.request.RequestContext;
import com.sap.cds.services.runtime.CdsRuntime;
import com.sap.cds.services.utils.CdsErrorStatuses;
import com.sap.cds.services.utils.ErrorStatusException;
import com.sap.cds.services.utils.TenantAwareCache;
import java.util.Collection;
import java.util.List;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@ServiceName(value = {"*"}, type = {ApplicationService.class})
/* loaded from: input_file:com/sap/cds/services/impl/cds/StaticAuthorizationHandler.class */
public class StaticAuthorizationHandler implements EventHandler {
    private static final Logger logger = LoggerFactory.getLogger(StaticAuthorizationHandler.class);
    private final TenantAwareCache<ParentEntityLookup, CdsModel> parentEntityLookups;
    private final boolean authorizeDeeply;
    private final AuthorizationService authService;

    public StaticAuthorizationHandler(CdsRuntime cdsRuntime) {
        this.parentEntityLookups = TenantAwareCache.create(() -> {
            return new ParentEntityLookup(RequestContext.getCurrent(cdsRuntime).getModel());
        }, cdsRuntime);
        this.authorizeDeeply = cdsRuntime.getEnvironment().getCdsProperties().getSecurity().getAuthorization().getDeep().isEnabled().booleanValue();
        this.authService = cdsRuntime.getServiceCatalog().getService(AuthorizationService.class, "AuthorizationService$Default");
    }

    @HandlerOrder(-10800)
    @Before(event = {"*"})
    private void checkStaticAuthorization(EventContext eventContext) {
        if (eventContext.getUserInfo().isPrivileged()) {
            return;
        }
        checkStaticAuthorizationOrThrow(eventContext);
    }

    private void checkStaticAuthorizationOrThrow(EventContext eventContext) {
        String event = eventContext.getEvent();
        String qualifiedName = eventContext.getService().getDefinition().getQualifiedName();
        if (!this.authService.hasServiceAccess(qualifiedName, event)) {
            throwAuthorizationError(eventContext, event, qualifiedName);
        }
        CdsEntity target = eventContext.getTarget();
        String str = null;
        if (target != null) {
            str = target.getQualifiedName();
            CqnStatement cqnStatement = null;
            Object obj = eventContext.get("cqn");
            if (obj instanceof CqnStatement) {
                cqnStatement = (CqnStatement) obj;
            }
            AuthorizationEntity resolve = AuthorizationEntity.resolve(eventContext, cdsEntity -> {
                return ((ParentEntityLookup) this.parentEntityLookups.findOrCreate()).lookupParent(cdsEntity);
            });
            if (resolve.getAuthorizationEntity() == null) {
                logger.debug("No authorization entity found when sending event '{}' to entity '{}'", event, str);
                throwAuthorizationError(eventContext, event, str);
            }
            String qualifiedName2 = resolve.getAuthorizationEntity().getQualifiedName();
            if (!this.authService.hasEntityAccess(qualifiedName2, event, cqnStatement)) {
                throwAuthorizationError(eventContext, event, str);
            }
            if (this.authorizeDeeply && cqnStatement != null) {
                CqnVisitor newDeepAuthorizationChecker = newDeepAuthorizationChecker(eventContext, cqnStatement, List.of(str, qualifiedName2));
                if (cqnStatement.isSelect()) {
                    cqnStatement.asSelect().accept(newDeepAuthorizationChecker);
                } else if (cqnStatement.isInsert()) {
                    cqnStatement.asInsert().ref().accept(newDeepAuthorizationChecker);
                } else if (cqnStatement.isUpsert()) {
                    cqnStatement.asUpsert().ref().accept(newDeepAuthorizationChecker);
                } else if (cqnStatement.isUpdate()) {
                    CqnUpdate asUpdate = cqnStatement.asUpdate();
                    asUpdate.ref().accept(newDeepAuthorizationChecker);
                    asUpdate.where().ifPresent(cqnPredicate -> {
                        cqnPredicate.accept(newDeepAuthorizationChecker);
                    });
                } else if (cqnStatement.isDelete()) {
                    CqnDelete asDelete = cqnStatement.asDelete();
                    asDelete.ref().accept(newDeepAuthorizationChecker);
                    asDelete.where().ifPresent(cqnPredicate2 -> {
                        cqnPredicate2.accept(newDeepAuthorizationChecker);
                    });
                }
            }
            if (!authorizationEntityCondition(eventContext, str, resolve)) {
                throwAuthorizationError(eventContext, event, str);
            }
        }
        String str2 = target == null ? qualifiedName + "." + event : event;
        if (!CdsModelUtils.isStandardCdsEvent(event)) {
            if (CdsModelUtils.getAction(eventContext.getModel(), str, str2).isPresent() && !this.authService.hasActionAccess(str, str2)) {
                throwAuthorizationError(eventContext, str2, str != null ? str : qualifiedName);
            } else if (CdsModelUtils.getFunction(eventContext.getModel(), str, str2).isPresent() && !this.authService.hasFunctionAccess(str, str2)) {
                throwAuthorizationError(eventContext, str2, str != null ? str : qualifiedName);
            }
        }
        logger.debug("Static authorization check passed for event '{}' on service '{}'", event, qualifiedName);
    }

    private CqnVisitor newDeepAuthorizationChecker(EventContext eventContext, CqnStatement cqnStatement, Collection<String> collection) {
        return new StaticAuthorizationsDeepChecker(eventContext, cqnStatement, collection, cdsEntity -> {
            String qualifiedName = cdsEntity.getQualifiedName();
            if (this.authService.hasEntityAccess(qualifiedName, "READ")) {
                return;
            }
            logger.debug("Deep Authorization: user is not allowed to access entity '{}'", qualifiedName);
            throwAuthorizationError(eventContext, "READ", qualifiedName);
        });
    }

    private static void throwAuthorizationError(EventContext eventContext, String str, String str2) {
        if (!eventContext.getUserInfo().isAuthenticated()) {
            throw new ErrorStatusException(CdsErrorStatuses.EVENT_UNAUTHENTICATED, new Object[]{str, str2});
        }
        throw new ErrorStatusException(CdsErrorStatuses.EVENT_FORBIDDEN, new Object[]{str, str2});
    }

    private boolean authorizationEntityCondition(EventContext eventContext, String str, AuthorizationEntity authorizationEntity) {
        if (authorizationEntity.getAuthorizationPath() == null || str.equals(authorizationEntity.getAuthorizationEntity().getQualifiedName()) || authorizationEntity.authorizationCondition(eventContext.getEvent()) == null || authorizationEntity.isDraft()) {
            return true;
        }
        ChangeSetContextSPI changeSetContext = eventContext.getChangeSetContext();
        return (changeSetContext == null || !changeSetContext.hasChangeSetMember("PersistenceService$Default")) ? ((Boolean) eventContext.getCdsRuntime().changeSetContext().run(changeSetContext2 -> {
            return Boolean.valueOf(authorizationEntityConditionImpl(eventContext, authorizationEntity));
        })).booleanValue() : authorizationEntityConditionImpl(eventContext, authorizationEntity);
    }

    private boolean authorizationEntityConditionImpl(EventContext eventContext, AuthorizationEntity authorizationEntity) {
        CqnPredicate authorizationCondition = authorizationEntity.authorizationCondition(eventContext.getEvent());
        if (authorizationCondition == null || !CdsServiceUtils.getDefaultPersistenceService(eventContext).run(Select.from(authorizationEntity.getAuthorizationPath()).where(authorizationCondition), new Object[0]).first().isEmpty()) {
            return true;
        }
        logger.debug("No authorization to send event '{}' to entity '{}' because of instance '{}'", new Object[]{eventContext.getEvent(), authorizationEntity.getAuthorizationEntity().getQualifiedName(), authorizationEntity.getAuthorizationPath()});
        return false;
    }
}
