package feast.common.auth.providers.keto;

import feast.common.auth.authorization.AuthorizationProvider;
import feast.common.auth.authorization.AuthorizationResult;
import feast.common.auth.utils.AuthUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.Authentication;
import sh.ory.keto.ApiClient;
import sh.ory.keto.ApiException;
import sh.ory.keto.Configuration;
import sh.ory.keto.api.EnginesApi;
import sh.ory.keto.model.OryAccessControlPolicyAllowedInput;

/* loaded from: input_file:feast/common/auth/providers/keto/KetoAuthorizationProvider.class */
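/**
 * {@link AuthorizationProvider} that asks an ORY Keto access-control-policy engine whether the
 * authenticated subject may perform the configured action on a project.
 *
 * <p>The decision is fail-closed: a Keto API error, or a response that carries no explicit
 * {@code allowed == true}, is reported as a denial.
 */
public class KetoAuthorizationProvider implements AuthorizationProvider {
    private static final Logger log = LoggerFactory.getLogger(KetoAuthorizationProvider.class);
    private final EnginesApi apiInstance;
    private final String subjectClaim;
    private final String flavor;
    private final String action;
    private final String subjectPrefix;
    private final String resourcePrefix;

    /**
     * Builder for {@link KetoAuthorizationProvider}.
     *
     * <p>Defaults: subject claim {@code "email"}, flavor {@code "glob"}, action {@code "edit"},
     * and empty subject and resource prefixes.
     */
    public static class Builder {
        private final String url;
        private String subjectClaim = "email";
        private String flavor = "glob";
        private String action = "edit";
        private String subjectPrefix = "";
        private String resourcePrefix = "";

        /**
         * @param str base URL of the Keto server; it is passed to {@code ApiClient.setBasePath}
         */
        public Builder(String str) {
            this.url = str;
        }

        /**
         * @param str name of the claim passed to {@code AuthUtils.getSubjectFromAuth} to obtain
         *     the subject
         * @return this builder
         */
        public Builder withSubjectClaim(String str) {
            this.subjectClaim = str;
            return this;
        }

        /**
         * @param str policy flavor passed to the Keto engine on every check
         * @return this builder
         */
        public Builder withFlavor(String str) {
            this.flavor = str;
            return this;
        }

        /**
         * @param str action that every access check is evaluated for
         * @return this builder
         */
        public Builder withAction(String str) {
            this.action = str;
            return this;
        }

        /**
         * @param str text prepended to the subject before it is sent to Keto
         * @return this builder
         */
        public Builder withSubjectPrefix(String str) {
            this.subjectPrefix = str;
            return this;
        }

        /**
         * @param str text prepended to the project name to form the Keto resource
         * @return this builder
         */
        public Builder withResourcePrefix(String str) {
            this.resourcePrefix = str;
            return this;
        }

        /** @return a provider configured from the current builder state */
        public KetoAuthorizationProvider build() {
            return new KetoAuthorizationProvider(this);
        }
    }

    private KetoAuthorizationProvider(Builder builder) {
        // NOTE(review): setBasePath is applied to the client returned by
        // Configuration.getDefaultApiClient(). If that instance is shared process-wide, a second
        // provider (or any other Keto user) configured with a different URL would redirect this
        // provider's authorization calls. Confirm, and consider a dedicated ApiClient.
        ApiClient defaultApiClient = Configuration.getDefaultApiClient();
        defaultApiClient.setBasePath(builder.url);
        this.apiInstance = new EnginesApi(defaultApiClient);
        this.subjectClaim = builder.subjectClaim;
        this.flavor = builder.flavor;
        this.action = builder.action;
        this.subjectPrefix = builder.subjectPrefix;
        this.resourcePrefix = builder.resourcePrefix;
    }

    /**
     * Checks whether the authenticated subject is allowed the configured action on a project.
     *
     * @param str name of the project; prefixed with the resource prefix to form the Keto resource
     * @param authentication authentication the subject claim is read from
     * @return {@code AuthorizationResult.success()} only when Keto answers {@code allowed == true};
     *     otherwise a failed result, including when the Keto call throws {@link ApiException}
     * @throws RuntimeException if the Keto call returns {@code null}
     */
    @Override
    public AuthorizationResult checkAccessToProject(String str, Authentication authentication) {
        String subject = AuthUtils.getSubjectFromAuth(authentication, this.subjectClaim);
        OryAccessControlPolicyAllowedInput request = new OryAccessControlPolicyAllowedInput();
        request.setAction(this.action);
        request.setSubject(String.format("%s%s", this.subjectPrefix, subject));
        request.setResource(String.format("%s%s", this.resourcePrefix, str));
        String deniedMessage =
                String.format("Access denied to project %s for subject %s", str, subject);

        sh.ory.keto.model.AuthorizationResult decision;
        try {
            decision = this.apiInstance.doOryAccessControlPoliciesAllow(this.flavor, request);
        } catch (ApiException e) {
            log.error("API exception has occurred during authorization: {}", e.getMessage(), e);
            // Fail closed: an unreachable or erroring policy engine must never grant access.
            // Returning here also leaves `decision` definitely assigned on every path below.
            return AuthorizationResult.failed(deniedMessage);
        }
        if (decision == null) {
            throw new RuntimeException(
                    String.format(
                            "Empty response returned for access to project %s for subject %s",
                            str, subject));
        }
        // Boolean.TRUE.equals treats a missing `allowed` field as a denial instead of
        // throwing a NullPointerException while unboxing.
        if (Boolean.TRUE.equals(decision.getAllowed())) {
            return AuthorizationResult.success();
        }
        return AuthorizationResult.failed(deniedMessage);
    }
}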
