package dev.soffa.foundation.spring.aop;

import dev.soffa.foundation.commons.Logger;
import dev.soffa.foundation.commons.TextUtil;
import dev.soffa.foundation.context.Context;
import dev.soffa.foundation.error.UnauthorizedException;
import dev.soffa.foundation.error.ValidationException;
import dev.soffa.foundation.multitenancy.TenantHolder;
import java.util.Optional;
import org.aspectj.lang.JoinPoint;
import org.aspectj.lang.annotation.Aspect;
import org.aspectj.lang.annotation.Before;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;

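/**
 * Spring-managed aspect that enforces the {@code @Authenticated},
 * {@code @ApplicationRequired} and {@code @TenantRequired} annotations, placed either on a
 * type ({@code @within}) or on a single method ({@code @annotation}).
 *
 * <p>Each check is {@code @Before} advice that fails closed: when the requirement is not met
 * the denial is logged at WARN level and an exception is thrown, so the advised method is
 * never entered.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>{@link #checkApplication} and {@link #checkTenant} only verify that a value is
 *       <em>present</em>. NOTE(review): how {@code Context} and {@code TenantHolder} are
 *       populated is not visible in this class; confirm the values are derived from verified
 *       credentials and not from caller-supplied input alone.</li>
 *   <li>{@link #checkApplication} does not call {@code isAuthenticated()}; it only requires
 *       the principal to be a {@code Context}. Combine it with {@code @Authenticated} where
 *       an authenticated caller is required.</li>
 *   <li>NOTE(review): if this aspect is applied through Spring's proxy-based AOP, calls made
 *       from within the same bean do not pass through the proxy and therefore skip these
 *       checks; confirm the weaving mode in use.</li>
 * </ul>
 */
@Aspect
@Component
public class SecurityAspect {
    private static final Logger LOG = Logger.get(SecurityAspect.class);
    private static final String MSG_AUTH_REQUIRED = "Authentication is required to access this resource.";
    private static final String MSG_APP_REQUIRED = "An ApplicationName is required to access this resource.";
    private static final String MSG_TENANT_REQUIRED = "A TenantId is required to access this resource.";

    /**
     * Rejects the call unless the security context holds an authenticated, non-anonymous
     * {@link Authentication}.
     *
     * @param joinPoint the intercepted call, used only to name the target in the denial log
     * @throws UnauthorizedException when no authentication is present, it is not
     *     authenticated, or it is an {@link AnonymousAuthenticationToken}
     */
    @Before("@within(dev.soffa.foundation.annotation.Authenticated) || @annotation(dev.soffa.foundation.annotation.Authenticated)")
    public void checkAuthenticated(JoinPoint joinPoint) {
        LOG.debug("[aspect] Checking authentication...", new Object[0]);
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        boolean authenticated = authentication != null
            && authentication.isAuthenticated()
            && !(authentication instanceof AnonymousAuthenticationToken);
        if (!authenticated) {
            LOG.warn("Access denied to [%s.%s], current context does not contain an authentication", describeTarget(joinPoint));
            throw authenticationRequired();
        }
    }

    /**
     * Rejects the call unless the current principal is a {@link Context} carrying a
     * non-empty application name.
     *
     * <p>Both denial paths (no {@code Context} principal, or an empty application name) are
     * logged, so every rejection by this check leaves a WARN record.
     *
     * @param joinPoint the intercepted call, used only to name the target in the denial log
     * @throws ValidationException when no request context or application name is available
     */
    @Before("@within(dev.soffa.foundation.annotation.ApplicationRequired) || @annotation(dev.soffa.foundation.annotation.ApplicationRequired)")
    public void checkApplication(JoinPoint joinPoint) {
        LOG.debug("[aspect] Checking application...", new Object[0]);
        Optional<Context> context = getRequestContext();
        if (!context.isPresent() || TextUtil.isEmpty(context.get().getApplicationName())) {
            LOG.warn("Access denied to [%s.%s], current context does not contain a valid applicationName", describeTarget(joinPoint));
            throw applicationRequired();
        }
    }

    /**
     * Rejects the call when {@link TenantHolder} reports no tenant or the default tenant.
     *
     * @param joinPoint the intercepted call, used only to name the target in the denial log
     * @throws ValidationException when the tenant is empty or the default one
     */
    @Before("@within(dev.soffa.foundation.annotation.TenantRequired) || @annotation(dev.soffa.foundation.annotation.TenantRequired)")
    public void checkTenant(JoinPoint joinPoint) {
        LOG.debug("Enforcing TenantRequired", new Object[0]);
        if (TenantHolder.isEmpty() || TenantHolder.isDefault()) {
            LOG.warn("Access denied to [%s.%s], current context does not contain a valid tenant", describeTarget(joinPoint));
            throw tenantRequired();
        }
    }

    /**
     * Returns the current principal when it is a {@link Context}, otherwise an empty
     * {@link Optional}.
     */
    private Optional<Context> getRequestContext() {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        // Read the principal once so the type test and the cast see the same object.
        Object principal = authentication == null ? null : authentication.getPrincipal();
        return principal instanceof Context ? Optional.of((Context) principal) : Optional.empty();
    }

    /** Builds the {declaring type, method name} arguments for the denial log messages. */
    private static Object[] describeTarget(JoinPoint joinPoint) {
        return new Object[]{joinPoint.getSignature().getDeclaringTypeName(), joinPoint.getSignature().getName()};
    }

    // The exceptions are created per denial rather than shared as static instances: a shared
    // Throwable keeps the stack trace captured at class initialisation, which points away
    // from the rejected call when the denial is investigated, and it is mutable state shared
    // by every request thread.
    // NOTE(review): assumes the foundation exception types are unchecked — confirm.

    /** Creates the exception thrown when authentication is missing. */
    private static UnauthorizedException authenticationRequired() {
        return new UnauthorizedException(MSG_AUTH_REQUIRED, new Object[0]);
    }

    /** Creates the exception thrown when the application name is missing. */
    private static ValidationException applicationRequired() {
        return new ValidationException(MSG_APP_REQUIRED, new Object[0]);
    }

    /** Creates the exception thrown when the tenant is missing or is the default tenant. */
    private static ValidationException tenantRequired() {
        return new ValidationException(MSG_TENANT_REQUIRED, new Object[0]);
    }
}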
