package io.inverno.mod.security.internal;

import io.inverno.mod.security.SecurityException;
import io.inverno.mod.security.SecurityManager;
import io.inverno.mod.security.accesscontrol.AccessController;
import io.inverno.mod.security.accesscontrol.AccessControllerResolver;
import io.inverno.mod.security.authentication.Authentication;
import io.inverno.mod.security.authentication.AuthenticationException;
import io.inverno.mod.security.authentication.Authenticator;
import io.inverno.mod.security.authentication.Credentials;
import io.inverno.mod.security.context.SecurityContext;
import io.inverno.mod.security.identity.Identity;
import io.inverno.mod.security.identity.IdentityResolver;
import java.util.Objects;
import org.reactivestreams.Publisher;
import reactor.core.publisher.Flux;
import reactor.core.publisher.Mono;

/* loaded from: input_file:io/inverno/mod/security/internal/GenericSecurityManager.class */
public class GenericSecurityManager<A extends Credentials, B extends Authentication, C extends Identity, D extends AccessController> implements SecurityManager<A, C, D> {
    private final Authenticator<? super A, ? extends B> authenticator;
    private final IdentityResolver<? super B, ? extends C> identityResolver;
    private final AccessControllerResolver<? super B, ? extends D> accessControllerResolver;

    public GenericSecurityManager(Authenticator<? super A, ? extends B> authenticator) {
        this(authenticator, null, null);
    }

    public GenericSecurityManager(Authenticator<? super A, ? extends B> authenticator, IdentityResolver<? super B, ? extends C> identityResolver) {
        this(authenticator, identityResolver, null);
    }

    public GenericSecurityManager(Authenticator<? super A, ? extends B> authenticator, AccessControllerResolver<? super B, ? extends D> accessControllerResolver) {
        this(authenticator, null, accessControllerResolver);
    }

    public GenericSecurityManager(Authenticator<? super A, ? extends B> authenticator, IdentityResolver<? super B, ? extends C> identityResolver, AccessControllerResolver<? super B, ? extends D> accessControllerResolver) {
        this.authenticator = (Authenticator) Objects.requireNonNull(authenticator);
        this.identityResolver = identityResolver;
        this.accessControllerResolver = accessControllerResolver;
    }

    @Override // io.inverno.mod.security.SecurityManager
    public Mono<SecurityContext<C, D>> authenticate(A a) {
        return a == null ? Mono.just(SecurityContext.of(Authentication.anonymous())) : this.authenticator.authenticate(a).switchIfEmpty(Mono.error(() -> {
            return new AuthenticationException("Unable to authenticate");
        })).flatMap(authentication -> {
            if (!authentication.isAuthenticated()) {
                return Mono.just(SecurityContext.of(authentication));
            }
            SecurityContext.Builder builder = SecurityContext.builder(authentication);
            Mono flatMap = Mono.justOrEmpty(this.identityResolver).flatMap(identityResolver -> {
                return identityResolver.resolveIdentity(authentication);
            });
            Objects.requireNonNull(builder);
            Mono flatMap2 = Mono.justOrEmpty(this.accessControllerResolver).flatMap(accessControllerResolver -> {
                return accessControllerResolver.resolveAccessController(authentication);
            });
            Objects.requireNonNull(builder);
            Flux merge = Flux.merge(new Publisher[]{flatMap.doOnNext(builder::identity), flatMap2.doOnNext(builder::accessController)});
            Objects.requireNonNull(builder);
            return merge.then(Mono.fromSupplier(builder::build));
        }).onErrorResume(SecurityException.class, securityException -> {
            return Mono.just(SecurityContext.of(Authentication.denied(securityException)));
        });
    }
}
