package io.helidon.webserver.security;

import io.helidon.builder.api.RuntimeType;
import io.helidon.common.config.Config;
import io.helidon.common.context.Context;
import io.helidon.common.context.Contexts;
import io.helidon.common.uri.UriQuery;
import io.helidon.http.HeaderName;
import io.helidon.http.HeaderNames;
import io.helidon.http.HeaderValues;
import io.helidon.http.Method;
import io.helidon.http.RoutedPath;
import io.helidon.http.ServerResponseHeaders;
import io.helidon.http.Status;
import io.helidon.security.AuditEvent;
import io.helidon.security.AuthenticationResponse;
import io.helidon.security.AuthorizationResponse;
import io.helidon.security.ClassToInstanceStore;
import io.helidon.security.QueryParamMapping;
import io.helidon.security.SecurityClientBuilder;
import io.helidon.security.SecurityContext;
import io.helidon.security.SecurityRequest;
import io.helidon.security.SecurityRequestBuilder;
import io.helidon.security.SecurityResponse;
import io.helidon.security.Subject;
import io.helidon.security.integration.common.AtnTracing;
import io.helidon.security.integration.common.AtzTracing;
import io.helidon.security.integration.common.SecurityTracing;
import io.helidon.security.internal.SecurityAuditEvent;
import io.helidon.security.util.TokenHandler;
import io.helidon.tracing.SpanContext;
import io.helidon.webserver.http.Handler;
import io.helidon.webserver.http.ServerRequest;
import io.helidon.webserver.http.ServerResponse;
import io.helidon.webserver.security.SecurityHandlerConfig;
import java.lang.System;
import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.atomic.AtomicReference;
import java.util.function.Consumer;
import java.util.stream.Stream;

@RuntimeType.PrototypedBy(SecurityHandlerConfig.class)
/* loaded from: input_file:io/helidon/webserver/security/SecurityHandler.class */
public final class SecurityHandler implements Handler, RuntimeType.Api<SecurityHandlerConfig> {
    static final String DEFAULT_AUDIT_EVENT_TYPE = "request";
    static final String DEFAULT_AUDIT_MESSAGE_FORMAT = "%3$s %1$s \"%2$s\" %5$s %6$s requested by %4$s";
    private static final System.Logger LOGGER = System.getLogger(SecurityHandler.class.getName());
    private static final SecurityHandler DEFAULT_INSTANCE = builder().m17build();
    private final SecurityHandlerConfig config;
    private final Optional<Set<String>> rolesAllowed;
    private final Optional<ClassToInstanceStore<Object>> customObjects;
    private final Optional<String> explicitAuthenticator;
    private final Optional<String> explicitAuthorizer;
    private final Optional<Boolean> authenticate;
    private final Optional<Boolean> authenticationOptional;
    private final Optional<Boolean> authorize;
    private final Optional<Boolean> audited;
    private final Optional<String> auditEventType;
    private final Optional<String> auditMessageFormat;
    private final boolean combined;
    private final List<QueryParamHandler> queryParamHandlers = new LinkedList();
    private final Map<String, Config> configMap = new HashMap();
    private final AtomicReference<SecurityHandler> combinedHandler = new AtomicReference<>();

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: io.helidon.webserver.security.SecurityHandler$1, reason: invalid class name */
    /* loaded from: input_file:io/helidon/webserver/security/SecurityHandler$1.class */
    public static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$io$helidon$http$Status$Family;
        static final /* synthetic */ int[] $SwitchMap$io$helidon$security$SecurityResponse$SecurityStatus = new int[SecurityResponse.SecurityStatus.values().length];

        static {
            try {
                $SwitchMap$io$helidon$security$SecurityResponse$SecurityStatus[SecurityResponse.SecurityStatus.SUCCESS.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$io$helidon$security$SecurityResponse$SecurityStatus[SecurityResponse.SecurityStatus.FAILURE_FINISH.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$io$helidon$security$SecurityResponse$SecurityStatus[SecurityResponse.SecurityStatus.SUCCESS_FINISH.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
            }
            try {
                $SwitchMap$io$helidon$security$SecurityResponse$SecurityStatus[SecurityResponse.SecurityStatus.ABSTAIN.ordinal()] = 4;
            } catch (NoSuchFieldError e4) {
            }
            try {
                $SwitchMap$io$helidon$security$SecurityResponse$SecurityStatus[SecurityResponse.SecurityStatus.FAILURE.ordinal()] = 5;
            } catch (NoSuchFieldError e5) {
            }
            $SwitchMap$io$helidon$http$Status$Family = new int[Status.Family.values().length];
            try {
                $SwitchMap$io$helidon$http$Status$Family[Status.Family.INFORMATIONAL.ordinal()] = 1;
            } catch (NoSuchFieldError e6) {
            }
            try {
                $SwitchMap$io$helidon$http$Status$Family[Status.Family.SUCCESSFUL.ordinal()] = 2;
            } catch (NoSuchFieldError e7) {
            }
            try {
                $SwitchMap$io$helidon$http$Status$Family[Status.Family.REDIRECTION.ordinal()] = 3;
            } catch (NoSuchFieldError e8) {
            }
            try {
                $SwitchMap$io$helidon$http$Status$Family[Status.Family.CLIENT_ERROR.ordinal()] = 4;
            } catch (NoSuchFieldError e9) {
            }
            try {
                $SwitchMap$io$helidon$http$Status$Family[Status.Family.SERVER_ERROR.ordinal()] = 5;
            } catch (NoSuchFieldError e10) {
            }
            try {
                $SwitchMap$io$helidon$http$Status$Family[Status.Family.OTHER.ordinal()] = 6;
            } catch (NoSuchFieldError e11) {
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/helidon/webserver/security/SecurityHandler$AtxResult.class */
    public static final class AtxResult {
        private static final AtxResult PROCEED = new AtxResult(true);
        private static final AtxResult STOP = new AtxResult(false);
        private final boolean proceed;

        private AtxResult(boolean z) {
            this.proceed = z;
        }

        private AtxResult(SecurityRequest securityRequest) {
            this.proceed = true;
        }
    }

    /* loaded from: input_file:io/helidon/webserver/security/SecurityHandler$QueryParamHandler.class */
    public static final class QueryParamHandler {
        private final String queryParamName;
        private final TokenHandler headerHandler;

        private QueryParamHandler(QueryParamMapping queryParamMapping) {
            this.queryParamName = queryParamMapping.queryParamName();
            this.headerHandler = queryParamMapping.tokenHandler();
        }

        public static QueryParamHandler create(Config config) {
            return create(QueryParamMapping.create(config));
        }

        public static QueryParamHandler create(QueryParamMapping queryParamMapping) {
            return new QueryParamHandler(queryParamMapping);
        }

        public static QueryParamHandler create(String str, TokenHandler tokenHandler) {
            return create(QueryParamMapping.create(str, tokenHandler));
        }

        /* JADX INFO: Access modifiers changed from: package-private */
        public void extract(ServerRequest serverRequest, Map<String, List<String>> map) {
            UriQuery query = serverRequest.query();
            if (query.contains(this.queryParamName)) {
                query.all(this.queryParamName).forEach(str -> {
                    this.headerHandler.addHeader(map, this.headerHandler.extractToken(str));
                });
            }
        }
    }

    private SecurityHandler(SecurityHandlerConfig securityHandlerConfig) {
        this.config = securityHandlerConfig;
        Set<String> rolesAllowed = securityHandlerConfig.rolesAllowed();
        if (rolesAllowed.isEmpty()) {
            this.rolesAllowed = Optional.empty();
        } else {
            this.rolesAllowed = Optional.of(rolesAllowed);
        }
        this.customObjects = securityHandlerConfig.customObjects().map(classToInstanceStore -> {
            ClassToInstanceStore classToInstanceStore = new ClassToInstanceStore();
            classToInstanceStore.putAll(classToInstanceStore);
            return classToInstanceStore;
        });
        this.explicitAuthenticator = securityHandlerConfig.authenticator();
        this.explicitAuthorizer = securityHandlerConfig.authorizer();
        this.authenticate = securityHandlerConfig.authenticate();
        this.authenticationOptional = securityHandlerConfig.authenticationOptional();
        this.audited = securityHandlerConfig.audit();
        this.auditEventType = securityHandlerConfig.auditEventType();
        this.auditMessageFormat = securityHandlerConfig.auditMessageFormat();
        this.authorize = securityHandlerConfig.authorize();
        this.combined = securityHandlerConfig.combined();
        this.queryParamHandlers.addAll(securityHandlerConfig.queryParams());
        securityHandlerConfig.config().ifPresent(config -> {
            ((List) config.asNodeList().get()).forEach(config -> {
                this.configMap.put(config.name(), config);
            });
        });
    }

    public static SecurityHandlerConfig.Builder builder() {
        return SecurityHandlerConfig.builder();
    }

    public static SecurityHandler create(Consumer<SecurityHandlerConfig.Builder> consumer) {
        return ((SecurityHandlerConfig.Builder) builder().update(consumer)).m17build();
    }

    public static SecurityHandler create(Config config, SecurityHandler securityHandler) {
        return builder().from(securityHandler.m13prototype()).m18config(config).m17build();
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static SecurityHandler create(SecurityHandlerConfig securityHandlerConfig) {
        return new SecurityHandler(securityHandlerConfig);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static SecurityHandler create() {
        return DEFAULT_INSTANCE;
    }

    public void handle(ServerRequest serverRequest, ServerResponse serverResponse) {
        Optional context = Contexts.context();
        Objects.requireNonNull(serverRequest);
        Context context2 = (Context) context.orElseGet(serverRequest::context);
        SecurityContext securityContext = (SecurityContext) context2.get(SecurityContext.class).orElseThrow(() -> {
            return new SecurityException("Security context not present. The security feature must be applied on this socket.");
        });
        if (this.combined) {
            processSecurity(securityContext, serverRequest, serverResponse);
            return;
        }
        if (null == this.combinedHandler.get()) {
            SecurityHandler securityHandler = (SecurityHandler) context2.get(SecurityHandler.class).orElse(DEFAULT_INSTANCE);
            if (securityHandler == DEFAULT_INSTANCE) {
                this.combinedHandler.set(this);
            } else {
                this.combinedHandler.compareAndSet(null, builder().from(securityHandler.m13prototype()).from(m13prototype()).combined(true).m17build());
            }
        }
        this.combinedHandler.get().processSecurity(securityContext, serverRequest, serverResponse);
    }

    /* renamed from: prototype, reason: merged with bridge method [inline-methods] */
    public SecurityHandlerConfig m13prototype() {
        return this.config;
    }

    public List<QueryParamHandler> queryParamHandlers() {
        return Collections.unmodifiableList(this.queryParamHandlers);
    }

    public SecurityHandler authenticator(String str) {
        return builder().from(m13prototype()).authenticator(str).m17build();
    }

    public SecurityHandler authorizer(String str) {
        return builder().from(m13prototype()).authorizer(str).m17build();
    }

    public SecurityHandler rolesAllowed(String... strArr) {
        return builder().from(m13prototype()).rolesAllowed(Set.of((Object[]) strArr)).authorize(true).authenticate(true).m17build();
    }

    public SecurityHandler authenticationOptional() {
        return builder().from(m13prototype()).authenticationOptional(true).m17build();
    }

    public SecurityHandler authenticate() {
        return builder().from(m13prototype()).authenticate(true).m17build();
    }

    public SecurityHandler skipAuthentication() {
        return builder().from(m13prototype()).authenticate(false).m17build();
    }

    public SecurityHandler customObject(Object obj) {
        return builder().from(m13prototype()).addObject(obj).m17build();
    }

    public SecurityHandler auditEventType(String str) {
        return builder().from(m13prototype()).auditEventType(str).m17build();
    }

    public SecurityHandler auditMessageFormat(String str) {
        return builder().from(m13prototype()).auditMessageFormat(str).m17build();
    }

    public SecurityHandler authorize() {
        return builder().from(m13prototype()).authorize(true).m17build();
    }

    public SecurityHandler skipAuthorization() {
        return builder().from(m13prototype()).authorize(false).m17build();
    }

    public SecurityHandler audit() {
        return builder().from(m13prototype()).audit(true).m17build();
    }

    public SecurityHandler skipAudit() {
        return builder().from(m13prototype()).audit(false).m17build();
    }

    public SecurityHandler queryParam(String str, TokenHandler tokenHandler) {
        return builder().from(m13prototype()).addQueryParam(QueryParamHandler.create(str, tokenHandler)).m17build();
    }

    void extractQueryParams(SecurityContext securityContext, ServerRequest serverRequest) {
        HashMap hashMap = new HashMap();
        this.queryParamHandlers.forEach(queryParamHandler -> {
            queryParamHandler.extract(serverRequest, hashMap);
        });
        securityContext.env(securityContext.env().derive().headers(hashMap).build());
    }

    private static <T> void configure(Config config, String str, Optional<T> optional, Consumer<T> consumer, Class<T> cls) {
        config.get(str).as(cls).or(() -> {
            return optional;
        }).ifPresent(consumer);
    }

    private void processSecurity(SecurityContext securityContext, ServerRequest serverRequest, ServerResponse serverResponse) {
        SecurityTracing securityTracing = SecurityTracing.get();
        securityTracing.securityContext(securityContext);
        extractQueryParams(securityContext, serverRequest);
        securityContext.endpointConfig(securityContext.endpointConfig().derive().configMap(this.configMap).customObjects(this.customObjects.orElse(new ClassToInstanceStore<>())).build());
        try {
            if ((processAuthentication(serverResponse, securityContext, securityTracing.atnTracing()).proceed ? processAuthorization(serverRequest, serverResponse, securityContext, securityTracing.atzTracing()) : AtxResult.STOP).proceed) {
                securityTracing.logProceed();
                securityTracing.finish();
                serverResponse.next();
            } else {
                securityTracing.logDeny();
                securityTracing.finish();
            }
        } catch (Exception e) {
            securityTracing.error(e);
            LOGGER.log(System.Logger.Level.ERROR, "Unexpected exception during security processing", e);
            abortRequest(serverResponse, null, Status.INTERNAL_SERVER_ERROR_500.code(), Map.of());
        }
        serverResponse.whenSent(() -> {
            processAudit(serverRequest, serverResponse, securityContext);
        });
    }

    private void processAudit(ServerRequest serverRequest, ServerResponse serverResponse, SecurityContext securityContext) {
        AuditEvent.AuditSeverity auditSeverity;
        Method method = serverRequest.prologue().method();
        if (this.audited.orElse(true).booleanValue()) {
            if (this.audited.isEmpty() && (method == Method.GET || method == Method.HEAD)) {
                return;
            }
            switch (AnonymousClass1.$SwitchMap$io$helidon$http$Status$Family[serverResponse.status().family().ordinal()]) {
                case 1:
                case 2:
                case 3:
                    auditSeverity = AuditEvent.AuditSeverity.SUCCESS;
                    break;
                case 4:
                case 5:
                case 6:
                default:
                    auditSeverity = AuditEvent.AuditSeverity.FAILURE;
                    break;
            }
            SecurityAuditEvent addParam = SecurityAuditEvent.audit(auditSeverity, this.auditEventType.orElse(DEFAULT_AUDIT_EVENT_TYPE), this.auditMessageFormat.orElse(DEFAULT_AUDIT_MESSAGE_FORMAT)).addParam(AuditEvent.AuditParam.plain("method", method)).addParam(AuditEvent.AuditParam.plain("path", serverRequest.path())).addParam(AuditEvent.AuditParam.plain("status", String.valueOf(serverResponse.status().code()))).addParam(AuditEvent.AuditParam.plain("subject", securityContext.user().orElse(SecurityContext.ANONYMOUS))).addParam(AuditEvent.AuditParam.plain("transport", "http")).addParam(AuditEvent.AuditParam.plain("resourceType", "http")).addParam(AuditEvent.AuditParam.plain("targetUri", serverRequest.prologue().uriPath().rawPath()));
            securityContext.service().ifPresent(subject -> {
                addParam.addParam(AuditEvent.AuditParam.plain("service", subject.toString()));
            });
            securityContext.audit(addParam);
        }
    }

    private AtxResult processAuthentication(ServerResponse serverResponse, SecurityContext securityContext, AtnTracing atnTracing) {
        if (!this.authenticate.orElse(false).booleanValue()) {
            return AtxResult.PROCEED;
        }
        SecurityClientBuilder atnClientBuilder = securityContext.atnClientBuilder();
        configureSecurityRequest(atnClientBuilder, (SpanContext) atnTracing.findParent().orElse(null));
        try {
            AuthenticationResponse authenticationResponse = (AuthenticationResponse) atnClientBuilder.explicitProvider(this.explicitAuthenticator.orElse(null)).submit();
            authenticationResponse.responseHeaders().forEach((str, list) -> {
                serverResponse.headers().set(HeaderValues.create(str, list));
            });
            switch (AnonymousClass1.$SwitchMap$io$helidon$security$SecurityResponse$SecurityStatus[authenticationResponse.status().ordinal()]) {
                case 1:
                    break;
                case 2:
                    if (atnFinishFailure(serverResponse, authenticationResponse)) {
                        atnSpanFinish(atnTracing, authenticationResponse);
                        return AtxResult.STOP;
                    }
                    break;
                case 3:
                    atnFinish(serverResponse, authenticationResponse);
                    atnSpanFinish(atnTracing, authenticationResponse);
                    return AtxResult.STOP;
                case 4:
                case 5:
                    if (atnAbstainFailure(serverResponse, authenticationResponse)) {
                        atnSpanFinish(atnTracing, authenticationResponse);
                        return AtxResult.STOP;
                    }
                    break;
                default:
                    throw new SecurityException("Invalid SecurityStatus returned: " + String.valueOf(authenticationResponse.status()));
            }
            atnSpanFinish(atnTracing, authenticationResponse);
            return new AtxResult(atnClientBuilder.buildRequest());
        } catch (Exception e) {
            atnTracing.error(e);
            throw e;
        }
    }

    private void atnSpanFinish(AtnTracing atnTracing, AuthenticationResponse authenticationResponse) {
        Optional user = authenticationResponse.user();
        Objects.requireNonNull(atnTracing);
        user.ifPresent(atnTracing::logUser);
        Optional service = authenticationResponse.service();
        Objects.requireNonNull(atnTracing);
        service.ifPresent(atnTracing::logService);
        atnTracing.logStatus(authenticationResponse.status());
        atnTracing.finish();
    }

    private boolean atnAbstainFailure(ServerResponse serverResponse, AuthenticationResponse authenticationResponse) {
        if (this.authenticationOptional.orElse(false).booleanValue()) {
            LOGGER.log(System.Logger.Level.TRACE, "Authentication failed, but was optional, so assuming anonymous");
            return false;
        }
        abortRequest(serverResponse, authenticationResponse, Status.UNAUTHORIZED_401.code(), Map.of(HeaderNames.WWW_AUTHENTICATE, List.of("Basic realm=\"Security Realm\"")));
        return true;
    }

    private boolean atnFinishFailure(ServerResponse serverResponse, AuthenticationResponse authenticationResponse) {
        if (this.authenticationOptional.orElse(false).booleanValue()) {
            LOGGER.log(System.Logger.Level.TRACE, "Authentication failed, but was optional, so assuming anonymous");
            return false;
        }
        abortRequest(serverResponse, authenticationResponse, Status.UNAUTHORIZED_401.code(), Map.of());
        return true;
    }

    private void atnFinish(ServerResponse serverResponse, AuthenticationResponse authenticationResponse) {
        abortRequest(serverResponse, authenticationResponse, Status.OK_200.code(), Map.of());
    }

    private void abortRequest(ServerResponse serverResponse, SecurityResponse securityResponse, int i, Map<HeaderName, List<String>> map) {
        Map<HeaderName, List<String>> map2;
        int orElse = null == securityResponse ? i : securityResponse.statusCode().orElse(i);
        if (securityResponse == null) {
            map2 = map;
        } else {
            HashMap hashMap = new HashMap();
            securityResponse.responseHeaders().forEach((str, list) -> {
                hashMap.put(HeaderNames.create(str), list);
            });
            map2 = hashMap;
        }
        Map<HeaderName, List<String>> map3 = map2.isEmpty() ? map : map2;
        ServerResponseHeaders headers = serverResponse.headers();
        for (Map.Entry<HeaderName, List<String>> entry : map3.entrySet()) {
            headers.set(entry.getKey(), entry.getValue());
        }
        serverResponse.status(Status.create(orElse));
        serverResponse.send();
    }

    private void configureSecurityRequest(SecurityRequestBuilder<? extends SecurityRequestBuilder<?>> securityRequestBuilder, SpanContext spanContext) {
        securityRequestBuilder.optional(this.authenticationOptional.orElse(false).booleanValue()).tracingSpan(spanContext);
    }

    private AtxResult processAuthorization(ServerRequest serverRequest, ServerResponse serverResponse, SecurityContext securityContext, AtzTracing atzTracing) {
        if (!this.authorize.orElse(false).booleanValue()) {
            atzTracing.logStatus(SecurityResponse.SecurityStatus.ABSTAIN);
            atzTracing.finish();
            return AtxResult.PROCEED;
        }
        Set<String> orElse = this.rolesAllowed.orElse(Set.of());
        if (!orElse.isEmpty()) {
            if (!this.explicitAuthorizer.isPresent()) {
                Stream<String> stream = orElse.stream();
                Objects.requireNonNull(securityContext);
                if (stream.noneMatch(securityContext::isUserInRole)) {
                    auditRoleMissing(securityContext, serverRequest.path(), securityContext.user(), orElse);
                    abortRequest(serverResponse, null, Status.FORBIDDEN_403.code(), Map.of());
                    atzTracing.finish();
                    return AtxResult.STOP;
                }
            } else if (orElse.stream().noneMatch(str -> {
                return securityContext.isUserInRole(str, this.explicitAuthorizer.get());
            })) {
                auditRoleMissing(securityContext, serverRequest.path(), securityContext.user(), orElse);
                abortRequest(serverResponse, null, Status.FORBIDDEN_403.code(), Map.of());
                atzTracing.finish();
                return AtxResult.STOP;
            }
        }
        SecurityClientBuilder atzClientBuilder = securityContext.atzClientBuilder();
        configureSecurityRequest(atzClientBuilder, (SpanContext) atzTracing.findParent().orElse(null));
        try {
            AuthorizationResponse submit = atzClientBuilder.explicitProvider(this.explicitAuthorizer.orElse(null)).submit();
            atzTracing.logStatus(submit.status());
            switch (AnonymousClass1.$SwitchMap$io$helidon$security$SecurityResponse$SecurityStatus[submit.status().ordinal()]) {
                case 1:
                    atzTracing.finish();
                    return AtxResult.PROCEED;
                case 2:
                case 3:
                    int code = submit.status() == SecurityResponse.SecurityStatus.FAILURE_FINISH ? Status.FORBIDDEN_403.code() : Status.OK_200.code();
                    atzTracing.finish();
                    abortRequest(serverResponse, submit, code, Map.of());
                    return AtxResult.STOP;
                case 4:
                case 5:
                    atzTracing.finish();
                    abortRequest(serverResponse, submit, Status.FORBIDDEN_403.code(), Map.of());
                    return AtxResult.STOP;
                default:
                    throw new SecurityException("Invalid SecurityStatus returned: " + String.valueOf(submit.status()));
            }
        } catch (Exception e) {
            atzTracing.error(e);
            throw e;
        }
    }

    private void auditRoleMissing(SecurityContext securityContext, RoutedPath routedPath, Optional<Subject> optional, Set<String> set) {
        securityContext.audit(SecurityAuditEvent.failure("authz.authorize", "User is not in any of the required roles: %s. Path %s. Subject %s").addParam(AuditEvent.AuditParam.plain("roles", set)).addParam(AuditEvent.AuditParam.plain("path", routedPath)).addParam(AuditEvent.AuditParam.plain("subject", optional)));
    }
}
