package io.inverno.mod.security.internal;

import io.inverno.mod.security.SecurityException;
import io.inverno.mod.security.SecurityManager;
import io.inverno.mod.security.accesscontrol.AccessController;
import io.inverno.mod.security.accesscontrol.AccessControllerResolver;
import io.inverno.mod.security.authentication.Authentication;
import io.inverno.mod.security.authentication.AuthenticationException;
import io.inverno.mod.security.authentication.Authenticator;
import io.inverno.mod.security.authentication.Credentials;
import io.inverno.mod.security.context.SecurityContext;
import io.inverno.mod.security.identity.Identity;
import io.inverno.mod.security.identity.IdentityResolver;
import java.util.Objects;
import java.util.Optional;
import reactor.core.publisher.Mono;

/* loaded from: input_file:io/inverno/mod/security/internal/GenericSecurityManager.class */
public class GenericSecurityManager<A extends Credentials, B extends Authentication, C extends Identity, D extends AccessController> implements SecurityManager<A, C, D> {
    private final Authenticator<? super A, ? extends B> authenticator;
    private final Optional<IdentityResolver<? super B, ? extends C>> identityResolver;
    private final Optional<AccessControllerResolver<? super B, ? extends D>> accessControllerResolver;

    public GenericSecurityManager(Authenticator<? super A, ? extends B> authenticator) {
        this(authenticator, null, null);
    }

    public GenericSecurityManager(Authenticator<? super A, ? extends B> authenticator, IdentityResolver<? super B, ? extends C> identityResolver) {
        this(authenticator, identityResolver, null);
    }

    public GenericSecurityManager(Authenticator<? super A, ? extends B> authenticator, AccessControllerResolver<? super B, ? extends D> accessControllerResolver) {
        this(authenticator, null, accessControllerResolver);
    }

    public GenericSecurityManager(Authenticator<? super A, ? extends B> authenticator, IdentityResolver<? super B, ? extends C> identityResolver, AccessControllerResolver<? super B, ? extends D> accessControllerResolver) {
        this.authenticator = (Authenticator) Objects.requireNonNull(authenticator);
        this.identityResolver = Optional.ofNullable(identityResolver);
        this.accessControllerResolver = Optional.ofNullable(accessControllerResolver);
    }

    @Override // io.inverno.mod.security.SecurityManager
    public Mono<SecurityContext<C, D>> authenticate(A a) {
        return a == null ? Mono.just(SecurityContext.of(Authentication.anonymous())) : this.authenticator.authenticate(a).switchIfEmpty(Mono.error(() -> {
            return new AuthenticationException("Unable to authenticate");
        })).flatMap(authentication -> {
            return Mono.zip(Mono.just(authentication), (Mono) this.identityResolver.filter(identityResolver -> {
                return authentication.isAuthenticated();
            }).map(identityResolver2 -> {
                return identityResolver2.resolveIdentity(authentication).map((v0) -> {
                    return Optional.of(v0);
                }).switchIfEmpty(Mono.just(Optional.empty()));
            }).orElse(Mono.just(Optional.empty())), (Mono) this.accessControllerResolver.filter(accessControllerResolver -> {
                return authentication.isAuthenticated();
            }).map(accessControllerResolver2 -> {
                return accessControllerResolver2.resolveAccessController(authentication).map((v0) -> {
                    return Optional.of(v0);
                }).switchIfEmpty(Mono.just(Optional.empty()));
            }).orElse(Mono.just(Optional.empty()))).map(tuple3 -> {
                return SecurityContext.of(authentication, (Optional) tuple3.getT2(), (Optional) tuple3.getT3());
            });
        }).onErrorResume(SecurityException.class, securityException -> {
            return Mono.just(SecurityContext.of(Authentication.denied(securityException)));
        });
    }
}
