package io.helidon.webserver.security;

import io.helidon.common.Weighted;
import io.helidon.common.context.Context;
import io.helidon.config.Config;
import io.helidon.config.ConfigValue;
import io.helidon.http.ForbiddenException;
import io.helidon.http.Http;
import io.helidon.http.PathMatchers;
import io.helidon.http.UnauthorizedException;
import io.helidon.security.EndpointConfig;
import io.helidon.security.Security;
import io.helidon.security.SecurityContext;
import io.helidon.security.SecurityException;
import io.helidon.tracing.Span;
import io.helidon.webserver.http.FilterChain;
import io.helidon.webserver.http.Handler;
import io.helidon.webserver.http.HttpFeature;
import io.helidon.webserver.http.HttpRouting;
import io.helidon.webserver.http.HttpRules;
import io.helidon.webserver.http.HttpSecurity;
import io.helidon.webserver.http.ServerRequest;
import io.helidon.webserver.http.ServerResponse;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.logging.Logger;
import java.util.stream.Collectors;

/* loaded from: input_file:io/helidon/webserver/security/SecurityFeature.class */
public final class SecurityFeature implements HttpSecurity, HttpFeature, Weighted {
    public static final String CONTEXT_ADD_HEADERS = "security.addHeaders";
    private static final Logger LOGGER = Logger.getLogger(SecurityFeature.class.getName());
    private static final AtomicInteger SECURITY_COUNTER = new AtomicInteger();
    private static final double WEIGHT = 800.0d;
    private final Security security;
    private final Config config;
    private final SecurityHandler defaultHandler;
    private final double weight;

    private SecurityFeature(Security security, Config config) {
        this(security, config, SecurityHandler.create());
    }

    private SecurityFeature(Security security, Config config, SecurityHandler securityHandler) {
        this.security = security;
        this.config = config;
        this.defaultHandler = securityHandler;
        this.weight = config == null ? WEIGHT : ((Double) config.get("web-server.weight").asDouble().orElse(Double.valueOf(WEIGHT))).doubleValue();
    }

    public static SecurityFeature create(Security security) {
        return new SecurityFeature(security, null);
    }

    public static SecurityFeature create(Config config) {
        return create(Security.create(config), config);
    }

    public static SecurityFeature create(Security security, Config config) {
        return new SecurityFeature(security, config);
    }

    public static SecurityHandler secure() {
        return SecurityHandler.create().authenticate().authorize();
    }

    public static SecurityHandler authenticate() {
        return SecurityHandler.create().authenticate();
    }

    public static SecurityHandler audit() {
        return SecurityHandler.create().audit();
    }

    public static SecurityHandler authenticator(String str) {
        return SecurityHandler.create().authenticate().authenticator(str);
    }

    public static SecurityHandler authorizer(String str) {
        return SecurityHandler.create().authenticate().authorize().authorizer(str);
    }

    public static SecurityHandler rolesAllowed(String... strArr) {
        return SecurityHandler.create().rolesAllowed(strArr);
    }

    public static SecurityHandler allowAnonymous() {
        return SecurityHandler.create().authenticate().authenticationOptional();
    }

    public static SecurityHandler authorize() {
        return SecurityHandler.create().authorize();
    }

    public static SecurityHandler enforce() {
        return SecurityHandler.create();
    }

    public SecurityFeature securityDefaults(SecurityHandler securityHandler) {
        Objects.requireNonNull(securityHandler, "Default security handler must not be null");
        return new SecurityFeature(this.security, this.config, securityHandler);
    }

    public void setup(HttpRouting.Builder builder) {
        if (!this.security.enabled()) {
            LOGGER.info("Security is disabled. Not registering any security handlers");
            return;
        }
        builder.security(this);
        builder.addFilter((v1, v2, v3) -> {
            registerContext(v1, v2, v3);
        });
        if (null != this.config) {
            registerRouting(builder);
        }
    }

    public boolean authenticate(ServerRequest serverRequest, ServerResponse serverResponse, boolean z) throws UnauthorizedException {
        if (!z || ((Boolean) serverRequest.context().get(SecurityContext.class).map((v0) -> {
            return v0.isAuthenticated();
        }).orElse(false)).booleanValue()) {
            return true;
        }
        throw new UnauthorizedException("User not authenticated");
    }

    public boolean authorize(ServerRequest serverRequest, ServerResponse serverResponse, String... strArr) throws ForbiddenException {
        Optional optional = serverRequest.context().get(SecurityContext.class);
        if (optional.isEmpty()) {
            if (strArr.length == 0) {
                return true;
            }
            throw new ForbiddenException("This endpoint is restricted");
        }
        SecurityContext securityContext = (SecurityContext) optional.get();
        if (strArr.length == 0) {
            if (securityContext.isAuthorized()) {
                return true;
            }
            throw new ForbiddenException("This endpoint is restricted");
        }
        if (securityContext.isAuthorized()) {
            return true;
        }
        for (String str : strArr) {
            if (securityContext.isUserInRole(str)) {
                return true;
            }
        }
        throw new ForbiddenException("This endpoint is restricted");
    }

    private void registerContext(FilterChain filterChain, ServerRequest serverRequest, ServerResponse serverResponse) {
        HashMap hashMap = new HashMap(serverRequest.headers().toMap());
        Context context = serverRequest.context();
        Optional optional = context.get(CONTEXT_ADD_HEADERS, Map.class);
        Objects.requireNonNull(hashMap);
        optional.ifPresent(hashMap::putAll);
        if (context.get(SecurityContext.class).isEmpty()) {
            SecurityContext.Builder endpointConfig = this.security.contextBuilder(String.valueOf(SECURITY_COUNTER.incrementAndGet())).env(this.security.environmentBuilder().targetUri(serverRequest.requestedUri().toUri()).path(serverRequest.path().path()).method(serverRequest.prologue().method().text()).addAttribute("remotePeer", serverRequest.remotePeer()).addAttribute("userIp", serverRequest.remotePeer().host()).addAttribute("userPort", Integer.valueOf(serverRequest.remotePeer().port())).transport(serverRequest.isSecure() ? "https" : "http").headers(hashMap).build()).endpointConfig(EndpointConfig.builder().build());
            Span.current().ifPresent(span -> {
                endpointConfig.tracingSpan(span.context());
            });
            context.register(endpointConfig.build());
            context.register(this.defaultHandler);
        }
        filterChain.proceed();
    }

    public double weight() {
        return this.weight;
    }

    private void registerRouting(HttpRules httpRules) {
        Config config = this.config.get("web-server");
        SecurityHandler create = SecurityHandler.create(config.get("defaults"), this.defaultHandler);
        ConfigValue asNodeList = config.get("paths").asNodeList();
        if (asNodeList.isPresent()) {
            for (Config config2 : (List) asNodeList.get()) {
                List list = (List) ((List) config2.get("methods").asNodeList().orElse(List.of())).stream().map((v0) -> {
                    return v0.asString();
                }).map((v0) -> {
                    return v0.get();
                }).map(Http.Method::create).collect(Collectors.toList());
                String str = (String) config2.get("path").asString().orElseThrow(() -> {
                    return new SecurityException(String.valueOf(config2.key()) + " must contain path key with a path to register to web server");
                });
                if (list.isEmpty()) {
                    httpRules.any(str, new Handler[]{SecurityHandler.create(config2, create)});
                } else {
                    httpRules.route(Http.Method.predicate(list), PathMatchers.create(str), SecurityHandler.create(config2, create));
                }
            }
        }
    }
}
