package com.liferay.oauth2.provider.rest.internal.vulcan.graphql.validation;

import com.liferay.oauth2.provider.rest.internal.scope.logic.ScopeLogic;
import com.liferay.oauth2.provider.scope.ScopeChecker;
import com.liferay.oauth2.provider.scope.liferay.OAuth2ProviderScopeLiferayAccessControlContext;
import com.liferay.oauth2.provider.scope.liferay.ScopeContext;
import com.liferay.portal.kernel.feature.flag.FeatureFlagManagerUtil;
import com.liferay.portal.kernel.security.access.control.AccessControlUtil;
import com.liferay.portal.kernel.security.access.control.AccessControlled;
import com.liferay.portal.kernel.security.auth.AccessControlContext;
import com.liferay.portal.kernel.security.auth.verifier.AuthVerifierResult;
import com.liferay.portal.kernel.security.service.access.policy.ServiceAccessPolicy;
import com.liferay.portal.kernel.util.ListUtil;
import com.liferay.portal.kernel.util.Validator;
import com.liferay.portal.security.access.control.AccessControlAdvisor;
import com.liferay.portal.security.access.control.AccessControlAdvisorImpl;
import com.liferay.portal.vulcan.graphql.validation.GraphQLRequestContext;
import com.liferay.portal.vulcan.graphql.validation.GraphQLRequestContextValidator;
import java.lang.annotation.Annotation;
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import javax.ws.rs.ForbiddenException;
import javax.ws.rs.core.Application;
import org.osgi.framework.Bundle;
import org.osgi.framework.BundleContext;
import org.osgi.framework.FrameworkUtil;
import org.osgi.framework.ServiceReference;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.component.annotations.ReferencePolicy;
import org.osgi.service.component.annotations.ReferencePolicyOption;

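/**
 * Validates GraphQL requests that arrive through an OAuth2-verified session.
 *
 * <p>For an OAuth2-authenticated request the validator (1) refuses the request
 * outright unless the {@code LPS-158259} feature flag is enabled, (2) records
 * the application's service access policy name in the current
 * {@link AuthVerifierResult} settings and (3) runs every registered
 * {@link ScopeLogic} for the application's scope checker type, rejecting the
 * request with {@link ForbiddenException} as soon as one of them fails. For
 * every request that has a resource method, Liferay access control is then
 * applied to that method with guest access disabled.
 *
 * <p>Service lookups use OSGi LDAP-style filters; values that originate from
 * the request (the JAX-RS application name) are escaped before being placed
 * in a filter so that {@code *}, parentheses and backslashes cannot widen or
 * alter the match.
 */
@Component(service = {GraphQLRequestContextValidator.class})
public class OAuth2GraphQLRequestContextValidator implements GraphQLRequestContextValidator {

    /**
     * {@link AccessControlled} instance handed to the access control advisor for
     * GraphQL resource methods: guest access and host validation are both off,
     * so the advisor evaluates the method strictly.
     */
    private static final AccessControlled _NULL_ACCESS_CONTROLLED = new AccessControlled() {

        public Class<? extends Annotation> annotationType() {
            return AccessControlled.class;
        }

        public boolean guestAccessEnabled() {
            return false;
        }

        public boolean hostAllowedValidationEnabled() {
            return false;
        }

    };

    private final AccessControlAdvisor _accessControlAdvisor = new AccessControlAdvisorImpl();

    private BundleContext _bundleContext;

    @Reference
    private ScopeChecker _scopeChecker;

    // DYNAMIC/GREEDY: the bound instance may be swapped at any time, so callers
    // read the field once into a local and use that same instance throughout.
    @Reference(policy = ReferencePolicy.DYNAMIC, policyOption = ReferencePolicyOption.GREEDY)
    private volatile ScopeContext _scopeContext;

    /**
     * Validates the request context.
     *
     * @param graphQLRequestContext the request being validated
     * @throws ForbiddenException if the request is OAuth2-verified and the
     *         feature flag is disabled or a scope check fails
     * @throws UnsupportedOperationException if no JAX-RS application is
     *         registered under the context's application name
     * @throws Exception propagated from the OSGi lookups, the scope logic or
     *         the access control advisor
     */
    public void validate(GraphQLRequestContext graphQLRequestContext) throws Exception {
        if (!graphQLRequestContext.isValidationRequired()) {
            return;
        }

        if (OAuth2ProviderScopeLiferayAccessControlContext.isOAuth2AuthVerified()) {
            // Fail closed: OAuth2 access to GraphQL is only allowed behind the flag.
            if (!FeatureFlagManagerUtil.isEnabled("LPS-158259")) {
                throw new ForbiddenException();
            }

            ServiceReference<?> applicationReference = _getServiceReference(
                graphQLRequestContext.getApplicationName());

            _enableSAP(applicationReference);
            _checkScope(graphQLRequestContext, applicationReference);
        }

        Method resourceMethod = graphQLRequestContext.getResourceMethod();

        if (resourceMethod != null) {
            // The advisor consults SERVICE_DEPTH; mark this as a top-level call
            // before handing the method over.
            _setServiceDepth();

            _accessControlAdvisor.accept(resourceMethod, new Object[0], _NULL_ACCESS_CONTROLLED);
        }
    }

    /**
     * Stores the bundle context used for service lookups.
     *
     * @param bundleContext this component's bundle context
     */
    @Activate
    protected void activate(BundleContext bundleContext) {
        _bundleContext = bundleContext;
    }

    /**
     * Runs every {@link ScopeLogic} registered for the application's
     * {@code oauth2.scope.checker.type} (default {@code http.method}) against
     * the request's resource class and method.
     *
     * <p>The shared {@link ScopeContext} is populated for the duration of the
     * checks and cleared again in a {@code finally} block. Each obtained
     * {@link ScopeLogic} service is released with {@code ungetService} once
     * its check has run.
     *
     * @param graphQLRequestContext the request being validated
     * @param serviceReference the JAX-RS application's service reference; its
     *        properties are exposed to the scope logic
     * @throws ForbiddenException if any scope logic rejects the request, or if
     *         a matched scope logic disappeared before it could be obtained
     * @throws Exception propagated from the OSGi lookup or the scope logic
     */
    private void _checkScope(
            GraphQLRequestContext graphQLRequestContext, ServiceReference<?> serviceReference)
        throws Exception {

        String scopeCheckerType = _getProperty(null, "oauth2.scope.checker.type", serviceReference);

        if (scopeCheckerType == null) {
            scopeCheckerType = _getProperty("http.method", "oauth2.scope.checker.type", serviceReference);
        }

        // The value comes from the application's own service properties, but it
        // is escaped anyway so the filter always means "exactly this type".
        Collection<ServiceReference<ScopeLogic>> scopeLogicReferences =
            _bundleContext.getServiceReferences(
                ScopeLogic.class,
                "(oauth2.scope.checker.type=" + _escapeFilterValue(scopeCheckerType) + ")");

        // NOTE(review): when no ScopeLogic is registered for the type this loop
        // is empty and the request passes without any scope check — confirm
        // that an unmatched scope checker type is meant to be fail-open.

        Class<?> resourceClass = graphQLRequestContext.getResourceClass();
        Method resourceMethod = graphQLRequestContext.getResourceMethod();

        ScopeContext scopeContext = _scopeContext;

        try {
            scopeContext.setApplicationName(graphQLRequestContext.getApplicationName());
            scopeContext.setBundle(FrameworkUtil.getBundle(resourceClass));
            scopeContext.setCompanyId(graphQLRequestContext.getCompanyId());

            for (ServiceReference<ScopeLogic> scopeLogicReference : scopeLogicReferences) {
                ScopeLogic scopeLogic = _bundleContext.getService(scopeLogicReference);

                if (scopeLogic == null) {
                    // The service was unregistered between lookup and use; a
                    // check we cannot run is treated as a failed check.
                    throw new ForbiddenException();
                }

                try {
                    if (!scopeLogic.check(
                            serviceReference::getProperty, resourceClass, resourceMethod,
                            _scopeChecker)) {

                        throw new ForbiddenException();
                    }
                }
                finally {
                    _bundleContext.ungetService(scopeLogicReference);
                }
            }
        }
        finally {
            scopeContext.setApplicationName((String) null);
            scopeContext.setBundle((Bundle) null);
            scopeContext.setCompanyId(0L);
        }
    }

    /**
     * Adds the application's service access policy name (property
     * {@code oauth2.service.access.policy.name}, default
     * {@code AUTHORIZED_OAUTH2_SAP}) to the list stored under
     * {@link ServiceAccessPolicy#SERVICE_ACCESS_POLICY_NAMES} in the current
     * {@link AuthVerifierResult} settings. Does nothing when there is no
     * auth verifier result or the name is already present.
     *
     * @param serviceReference the JAX-RS application's service reference
     * @throws Exception reserved for callers; nothing here throws a checked exception
     */
    private void _enableSAP(ServiceReference<?> serviceReference) throws Exception {
        AuthVerifierResult authVerifierResult =
            AccessControlUtil.getAccessControlContext().getAuthVerifierResult();

        if (authVerifierResult == null) {
            return;
        }

        // The settings map holds untyped values; the list under this key is
        // created here when absent and otherwise assumed to hold strings.
        @SuppressWarnings("unchecked")
        List<String> serviceAccessPolicyNames = (List<String>) authVerifierResult.getSettings().computeIfAbsent(
            ServiceAccessPolicy.SERVICE_ACCESS_POLICY_NAMES, key -> new ArrayList<String>());

        String serviceAccessPolicyName = _getProperty(
            "AUTHORIZED_OAUTH2_SAP", "oauth2.service.access.policy.name", serviceReference);

        if (!serviceAccessPolicyNames.contains(serviceAccessPolicyName)) {
            serviceAccessPolicyNames.add(serviceAccessPolicyName);
        }
    }

    /**
     * Escapes a value for use inside an OSGi filter so that it is matched
     * literally: {@code \}, {@code *}, {@code (} and {@code )} are prefixed
     * with a backslash.
     *
     * @param value the raw value; must not be {@code null}
     * @return the escaped value
     */
    private static String _escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());

        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);

            if ((c == '\\') || (c == '*') || (c == '(') || (c == ')')) {
                sb.append('\\');
            }

            sb.append(c);
        }

        return sb.toString();
    }

    /**
     * Reads a string service property, falling back to a default when the
     * property is missing or blank.
     *
     * @param defaultValue value returned when the property is blank (may be {@code null})
     * @param key the service property name
     * @param serviceReference the service whose property is read
     * @return the property value, or {@code defaultValue}
     */
    private String _getProperty(String defaultValue, String key, ServiceReference<?> serviceReference) {
        String value = (String) serviceReference.getProperty(key);

        if (Validator.isBlank(value)) {
            return defaultValue;
        }

        return value;
    }

    /**
     * Looks up the JAX-RS {@link Application} registered under the given
     * {@code osgi.jaxrs.name}.
     *
     * @param applicationName the application name taken from the request context
     * @return the first matching service reference
     * @throws UnsupportedOperationException if the name is blank or no
     *         application is registered under it
     * @throws Exception propagated from the OSGi lookup
     */
    private ServiceReference<?> _getServiceReference(String applicationName) throws Exception {
        // The name originates from the request; reject empties and escape the
        // rest so the filter cannot be widened with wildcards or parentheses.
        if (Validator.isBlank(applicationName)) {
            throw new UnsupportedOperationException("Invalid JAX-RS application " + applicationName);
        }

        Collection<ServiceReference<Application>> applicationReferences =
            _bundleContext.getServiceReferences(
                Application.class, "(osgi.jaxrs.name=" + _escapeFilterValue(applicationName) + ")");

        // First match wins; presumably osgi.jaxrs.name is unique per
        // application — verify against the JAX-RS whiteboard configuration.
        for (ServiceReference<Application> applicationReference : applicationReferences) {
            return applicationReference;
        }

        throw new UnsupportedOperationException("Invalid JAX-RS application " + applicationName);
    }

    /**
     * Marks the current access control context as a top-level service call by
     * setting {@link AccessControlContext.Settings#SERVICE_DEPTH} to {@code 1}.
     * No-op when there is no current access control context.
     */
    private void _setServiceDepth() {
        AccessControlContext accessControlContext = AccessControlUtil.getAccessControlContext();

        if (accessControlContext == null) {
            return;
        }

        accessControlContext.getSettings().put(AccessControlContext.Settings.SERVICE_DEPTH.toString(), 1);
    }

}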
