package io.helidon.webserver.security;

import io.helidon.common.Weighted;
import io.helidon.common.config.Config;
import io.helidon.http.ForbiddenException;
import io.helidon.http.Method;
import io.helidon.http.PathMatchers;
import io.helidon.http.UnauthorizedException;
import io.helidon.security.Security;
import io.helidon.security.SecurityContext;
import io.helidon.webserver.http.Handler;
import io.helidon.webserver.http.HttpFeature;
import io.helidon.webserver.http.HttpRouting;
import io.helidon.webserver.http.HttpRules;
import io.helidon.webserver.http.HttpSecurity;
import io.helidon.webserver.http.ServerRequest;
import io.helidon.webserver.http.ServerResponse;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.logging.Logger;

/* loaded from: input_file:io/helidon/webserver/security/SecurityHttpFeature.class */
/**
 * HTTP routing feature that wires a {@link Security} instance into a web server routing.
 *
 * <p>This listing is decompiler output (see the JADX markers in the file). Method names with a
 * numeric {@code mN} prefix ({@code m8build}, {@code m9config}, {@code m13prototype},
 * {@code m17build}) look like decompiler-assigned aliases; confirm the real names against the
 * upstream source before relying on them.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>{@link #setup} registers nothing at all when {@code security.enabled()} is false, and
 *       only logs that at INFO level.</li>
 *   <li>{@link #authorize} returns {@code true} when the request carries no
 *       {@link SecurityContext} and no role names were supplied.</li>
 *   <li>{@link #authorize} accepts a context whose {@code isAuthorized()} is true without
 *       looking at the supplied role names.</li>
 * </ul>
 *
 * <p>Instances hold only final fields; {@link #securityDefaults} returns a new instance rather
 * than mutating this one.
 */
public final class SecurityHttpFeature implements HttpSecurity, HttpFeature, Weighted {
    // Key strings exposed as constants; they are not read anywhere in this class.
    public static final String CONTEXT_ADD_HEADERS = "security.addHeaders";
    public static final String CONTEXT_RESPONSE_HEADERS = "security.responseHeaders";
    private static final Logger LOGGER = Logger.getLogger(SecurityHttpFeature.class.getName());
    private final Security security;
    private final SecurityHandler defaultHandler;
    private final double weight;
    private final List<PathsConfig> configs;

    /**
     * Stores the collaborators as given.
     *
     * <p>The path configuration list is kept by reference, not copied.
     */
    private SecurityHttpFeature(Security security, double weightValue, SecurityHandler handler, List<PathsConfig> pathConfigs) {
        this.security = security;
        this.defaultHandler = handler;
        this.weight = weightValue;
        this.configs = pathConfigs;
    }

    /**
     * Builds a feature for an existing {@link Security} instance through
     * {@code SecurityFeature.builder()}.
     *
     * @param security security instance to use
     * @return the routing feature produced by the built {@code SecurityFeature}
     */
    public static SecurityHttpFeature create(Security security) {
        return SecurityFeature.builder()
                .security(security)
                .m8build()
                .routingFeature();
    }

    /**
     * Builds a feature from configuration.
     *
     * <p>The {@link Security} instance is created from the {@code "security"} node under the
     * root of {@code config}; {@code config} itself is also handed to the feature builder.
     *
     * @param config configuration to read
     * @return the routing feature produced by the built {@code SecurityFeature}
     */
    public static SecurityHttpFeature create(Config config) {
        Security fromConfig = Security.create(config.root().get("security"));
        return SecurityFeature.builder()
                .security(fromConfig)
                .m9config(config)
                .m8build()
                .routingFeature();
    }

    /**
     * Direct factory over the private constructor.
     *
     * <p>The decompiler reports that it widened this method's access; the original was
     * package-private, so treat it as internal API.
     *
     * @param security security instance to use
     * @param d weight reported by {@link #weight()}
     * @param securityHandler default handler
     * @param list per-path configurations used when routing is registered
     * @return a new feature holding exactly these values
     */
    public static SecurityHttpFeature create(Security security, double d, SecurityHandler securityHandler, List<PathsConfig> list) {
        return new SecurityHttpFeature(security, d, securityHandler, list);
    }

    /**
     * Returns a copy of this feature that uses a different default handler.
     *
     * @param securityHandler new default handler, must not be {@code null}
     * @return a new feature sharing this one's security instance, weight and path configurations
     * @throws NullPointerException if {@code securityHandler} is {@code null}
     */
    public SecurityHttpFeature securityDefaults(SecurityHandler securityHandler) {
        Objects.requireNonNull(securityHandler, "Default security handler must not be null");
        return new SecurityHttpFeature(this.security, this.weight, securityHandler, this.configs);
    }

    /**
     * Registers this feature on the routing builder.
     *
     * <p>When security is enabled this installs, in order: this object as the routing's
     * security, a {@code SecurityContextFilter}, and the per-path handlers. When security is
     * disabled none of these are registered, so routes get no protection from this feature;
     * the only trace is an INFO log line, which is worth alerting on in deployments that
     * expect security to be active.
     *
     * @param builder routing builder to configure
     */
    public void setup(HttpRouting.Builder builder) {
        if (this.security.enabled()) {
            builder.security(this);
            builder.addFilter(new SecurityContextFilter(this.security, this.defaultHandler));
            registerRouting(builder);
            return;
        }
        LOGGER.info("Security is disabled. Not registering any security handlers");
    }

    /**
     * Checks that the request is authenticated when authentication is demanded.
     *
     * @param serverRequest request whose context is searched for a {@link SecurityContext}
     * @param serverResponse not used by this implementation
     * @param z when {@code false} the check is skipped and {@code true} is returned
     * @return {@code true} if the check was skipped or the context reports an authenticated user
     * @throws UnauthorizedException if {@code z} is {@code true} and there is no security
     *         context or it is not authenticated
     */
    public boolean authenticate(ServerRequest serverRequest, ServerResponse serverResponse, boolean z) throws UnauthorizedException {
        if (!z) {
            return true;
        }
        // A missing context counts as "not authenticated".
        boolean authenticated = serverRequest.context()
                .get(SecurityContext.class)
                .map(SecurityContext::isAuthenticated)
                .orElse(false);
        if (authenticated) {
            return true;
        }
        throw new UnauthorizedException("User not authenticated");
    }

    /**
     * Checks that the request is authorized, optionally by role.
     *
     * <p>Decision order:
     * <ol>
     *   <li>No {@link SecurityContext} on the request: allowed only when no role names were
     *       passed. This path performs no check at all, so it fails open for requests that
     *       never received a context.</li>
     *   <li>Context present and {@code isAuthorized()} is true: allowed.</li>
     *   <li>Otherwise allowed if {@code isUserInRole} is true for any supplied name.</li>
     * </ol>
     *
     * <p>NOTE(review): in step 2 the supplied role names are never consulted, so they only
     * matter when the context is not already authorized. Confirm this is the intended
     * contract before using role names as the sole restriction on an endpoint.
     *
     * @param serverRequest request whose context is searched for a {@link SecurityContext}
     * @param serverResponse not used by this implementation
     * @param strArr role names to accept; may be empty
     * @return {@code true} when access is allowed
     * @throws ForbiddenException when access is denied; the message is the same for every
     *         denial path
     */
    public boolean authorize(ServerRequest serverRequest, ServerResponse serverResponse, String... strArr) throws ForbiddenException {
        Optional<SecurityContext> maybeContext = serverRequest.context().get(SecurityContext.class);
        if (maybeContext.isEmpty()) {
            if (strArr.length == 0) {
                return true;
            }
            throw new ForbiddenException("This endpoint is restricted");
        }

        SecurityContext context = maybeContext.get();
        if (context.isAuthorized()) {
            return true;
        }
        // With no role names the loop body never runs and the request is rejected below.
        for (String role : strArr) {
            if (context.isUserInRole(role)) {
                return true;
            }
        }
        throw new ForbiddenException("This endpoint is restricted");
    }

    /**
     * @return the weight given at construction
     */
    public double weight() {
        return this.weight;
    }

    /**
     * Registers one handler per configured path.
     *
     * <p>Each handler is built from the default handler's prototype followed by the path's own
     * prototype (presumably the later {@code from} takes precedence; confirm against the
     * builder). An entry with no methods is registered for any method; otherwise it is
     * restricted to the listed methods.
     */
    private void registerRouting(HttpRules httpRules) {
        for (PathsConfig pathConfig : this.configs) {
            SecurityHandler merged = SecurityHandler.builder()
                    .from(this.defaultHandler.m13prototype())
                    .from(pathConfig.handler().m13prototype())
                    .m17build();
            if (!pathConfig.methods().isEmpty()) {
                httpRules.route(Method.predicate(pathConfig.methods()), PathMatchers.create(pathConfig.path()), merged);
                continue;
            }
            httpRules.any(pathConfig.path(), new Handler[]{merged});
        }
    }
}
