package org.spf4j.kube.jaxrs.security.providers;

import com.google.common.cache.CacheBuilder;
import com.google.common.cache.CacheLoader;
import com.google.common.cache.LoadingCache;
import java.security.Principal;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import java.util.function.Function;
import javax.annotation.Nonnull;
import javax.annotation.Priority;
import javax.inject.Inject;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.ext.Provider;
import org.apache.avro.reflect.Nullable;
import org.eclipse.microprofile.config.inject.ConfigProperty;
import org.spf4j.kube.client.Client;
import org.spf4j.kube.client.TokenReview;

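/**
 * JAX-RS request filter that authenticates {@code Authorization: Bearer <token>} requests against the
 * Kubernetes TokenReview API and installs a {@link SecurityContext} for the reviewed user.
 *
 * <p>The installed context reports a role as held when it is one of the reviewed user's groups, or when
 * the {@link KubeRoleMap} (constructed with {@code jaxrs.service.auth.roleCacheTimeMillis}) lists it for
 * the user name. Authentication results are cached per request-URI scheme and per Authorization header
 * value for {@code jaxrs.service.auth.tokenCacheTimeMillis} (a value {@code <= 0} disables caching and
 * reviews every request). Rejections are cached as well, which limits TokenReview calls for a repeatedly
 * presented invalid token. Cache keys are the raw header values, so bearer tokens remain in heap memory
 * for up to the cache time.
 *
 * <p>A request that already carries a security context, has no Authorization header, does not use the
 * Bearer scheme, or presents a token the review rejects is left untouched: no security context is set and
 * the request is not aborted here. Downstream authorization must therefore treat a missing context as
 * anonymous.
 */
@Provider
@Priority(1000)
public final class KubeAccountAuthorizationFilter implements ContainerRequestFilter {

    /**
     * Sentinel for a rejected or malformed credential. Compared by identity in {@link #filter} and never
     * installed on a request; it has no user and its role function always answers {@code false}.
     */
    private static final SecurityContext NOT_AUTH = new SecurityContextImpl(null, null, role -> Boolean.FALSE);

    /** The only authentication scheme this filter handles. */
    private static final String AUTH_METHOD = "Bearer";

    /** Scheme plus the single separating space; the token is whatever follows it. */
    private static final String AUTH_PREFIX = AUTH_METHOD + ' ';

    /** Either {@link #authenticate} directly, or a caching wrapper around it. */
    private final Authenticate secResolver;
    private final KubeRoleMap roleMap;
    private final Client kubeClient;

    /** Resolves an Authorization header value and request-URI scheme to a security context. */
    @FunctionalInterface
    interface Authenticate {
        /**
         * @param authorizationHeader the raw {@code Authorization} header value
         * @param scheme the request URI scheme, later reported through {@link SecurityContext#isSecure()}
         * @return the authenticated context, or the {@code NOT_AUTH} sentinel when the credential is rejected
         */
        SecurityContext authenticate(String authorizationHeader, String scheme);
    }

    /**
     * Security context backed by a TokenReview user. The principal name is the user name; a role is held
     * when it is one of the user's groups or when the supplied role function answers {@code true}.
     */
    public static class SecurityContextImpl implements SecurityContext {
        private final TokenReview.User user;
        private final String scheme;
        /** Role membership beyond the user's groups (the role-map lookup for this user). */
        private final Function<String, Boolean> roles;
        private final Principal principal;

        /**
         * @param user the reviewed user, or {@code null} for an unauthenticated context
         * @param scheme the request URI scheme, or {@code null}
         * @param roles role function consulted when the role is not one of the user's groups
         */
        SecurityContextImpl(@Nullable final TokenReview.User user, @Nullable final String scheme,
                @Nonnull final Function<String, Boolean> roles) {
            this.user = user;
            this.scheme = scheme;
            this.roles = roles;
            // Principal is a single-method interface, so the user's name getter serves as its implementation.
            this.principal = user == null ? null : user::getUsername;
        }

        @Override
        public Principal getUserPrincipal() {
            return principal;
        }

        /**
         * {@inheritDoc}
         *
         * <p>With no user (the unauthenticated sentinel) only the role function is consulted; a
         * {@code null} answer from it counts as "not in role" instead of failing.
         */
        @Override
        public boolean isUserInRole(final String role) {
            if (user != null && user.getGroups().contains(role)) {
                return true;
            }
            return Boolean.TRUE.equals(roles.apply(role));
        }

        @Override
        public boolean isSecure() {
            return "https".equalsIgnoreCase(scheme);
        }

        @Override
        public String getAuthenticationScheme() {
            return scheme;
        }
    }

    /**
     * @param client Kubernetes API client used for TokenReview calls
     * @param tokenCacheTimeMillis how long an authentication result for a given header value is reused;
     *     {@code <= 0} disables caching so every request is reviewed
     * @param roleCacheTimeMillis handed to {@link KubeRoleMap} for its role lookups
     */
    @Inject
    public KubeAccountAuthorizationFilter(final Client client,
            @ConfigProperty(name = "jaxrs.service.auth.tokenCacheTimeMillis", defaultValue = "1000")
            final long tokenCacheTimeMillis,
            @ConfigProperty(name = "jaxrs.service.auth.roleCacheTimeMillis", defaultValue = "10000")
            final long roleCacheTimeMillis) {
        this.kubeClient = client;
        this.roleMap = new KubeRoleMap(client, roleCacheTimeMillis);
        if (tokenCacheTimeMillis <= 0) {
            this.secResolver = this::authenticate;
        } else {
            // Outer cache: one token cache per request-URI scheme, because the scheme is recorded in the
            // resulting context. Inner cache: header value -> context, expiring after write so a revoked
            // token stops being accepted within tokenCacheTimeMillis.
            // NOTE(review): neither cache has a maximumSize; entries only leave by expiry, so a burst of
            // distinct header values grows the inner cache until they age out — consider bounding it.
            final LoadingCache<String, LoadingCache<String, SecurityContext>> byScheme = CacheBuilder.newBuilder()
                    .build(new CacheLoader<String, LoadingCache<String, SecurityContext>>() {
                        @Override
                        public LoadingCache<String, SecurityContext> load(final String scheme) {
                            return CacheBuilder.newBuilder()
                                    .expireAfterWrite(tokenCacheTimeMillis, TimeUnit.MILLISECONDS)
                                    .build(new CacheLoader<String, SecurityContext>() {
                                        @Override
                                        public SecurityContext load(final String authorizationHeader) {
                                            return KubeAccountAuthorizationFilter.this.authenticate(authorizationHeader, scheme);
                                        }
                                    });
                        }
                    });
            this.secResolver = (authorizationHeader, scheme) ->
                    byScheme.getUnchecked(scheme).getUnchecked(authorizationHeader);
        }
    }

    /**
     * Reviews the bearer token in {@code authorizationHeader} with Kubernetes and builds the matching
     * security context. Also serves as the loader for the token cache.
     *
     * @param authorizationHeader raw {@code Authorization} header value, expected as {@code Bearer <token>}
     * @param scheme request URI scheme, recorded on the resulting context
     * @return the authenticated context, or the {@code NOT_AUTH} sentinel when the header is not a
     *     well-formed Bearer credential or the token review does not report it as authenticated
     */
    public SecurityContext authenticate(final String authorizationHeader, final String scheme) {
        // Guard the parse: a bare "Bearer" header must not throw, and "Bearerxyz" is not a Bearer credential.
        if (authorizationHeader == null || !authorizationHeader.startsWith(AUTH_PREFIX)) {
            return NOT_AUTH;
        }
        final String token = authorizationHeader.substring(AUTH_PREFIX.length());
        if (token.isEmpty()) {
            return NOT_AUTH;
        }
        final TokenReview.Status status = kubeClient.tokenReview(token);
        if (!status.isAuthenticated()) {
            return NOT_AUTH;
        }
        final TokenReview.User user = status.getUser();
        final Set<String> roles = roleMap.getRoles(user.getUsername());
        return new SecurityContextImpl(user, scheme, roles::contains);
    }

    /**
     * Installs an authenticated security context when the request carries a well-formed Bearer token that
     * the review accepts and no context has been set yet. Every other request passes through unchanged.
     *
     * <p>NOTE(review): this only acts when {@code getSecurityContext()} is {@code null}; a container that
     * always supplies a default context would make the filter a no-op — confirm with the target runtime.
     */
    @Override
    public void filter(final ContainerRequestContext requestContext) {
        if (requestContext.getSecurityContext() != null) {
            return; // already authenticated by the container or an earlier filter
        }
        final String header = requestContext.getHeaderString("Authorization");
        // Only "Bearer <non-empty token>" is handled here; anything else stays anonymous for later stages.
        if (header == null || header.length() <= AUTH_PREFIX.length() || !header.startsWith(AUTH_PREFIX)) {
            return;
        }
        final String scheme = requestContext.getUriInfo().getRequestUri().getScheme();
        final SecurityContext context = secResolver.authenticate(header, scheme);
        if (context != NOT_AUTH) {
            requestContext.setSecurityContext(context);
        }
    }

    @Override
    public String toString() {
        return "ServiceAccountAuthorizationFilter{kubeClient=" + this.kubeClient + '}';
    }
}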
