package io.helidon.security.abac.scope;

import io.helidon.common.CollectionsHelper;
import io.helidon.common.Errors;
import io.helidon.common.OptionalHelper;
import io.helidon.config.Config;
import io.helidon.security.EndpointConfig;
import io.helidon.security.Grant;
import io.helidon.security.ProviderRequest;
import io.helidon.security.SecurityLevel;
import io.helidon.security.providers.abac.AbacAnnotation;
import io.helidon.security.providers.abac.AbacValidatorConfig;
import io.helidon.security.providers.abac.spi.AbacValidator;
import java.lang.annotation.Annotation;
import java.lang.annotation.Documented;
import java.lang.annotation.ElementType;
import java.lang.annotation.Inherited;
import java.lang.annotation.Repeatable;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Objects;
import java.util.stream.Stream;

/* loaded from: input_file:io/helidon/security/abac/scope/ScopeValidator.class */
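/**
 * ABAC validator that compares the scopes required for an endpoint with the
 * {@value #SCOPE_GRANT_TYPE} grants held by the current subject.
 *
 * <p>Matching is an exact, case-sensitive string comparison of scope names;
 * there is no wildcard or hierarchy handling in this class.
 *
 * <p>This listing is decompiler output: {@code m2build}, {@code m1fromConfig}
 * and {@code m0fromAnnotations} were renamed by the decompiler from
 * {@code build}, {@code fromConfig} and {@code fromAnnotations} (merged bridge
 * methods). The renamed identifiers are kept so that other decompiled callers
 * still resolve.
 */
public final class ScopeValidator implements AbacValidator<ScopesConfig> {
    /** Grant type looked up on the subject when collecting its scopes. */
    public static final String SCOPE_GRANT_TYPE = "scope";

    /** When {@code true}, holding any one required scope is sufficient; otherwise all are required. */
    private final boolean useOrOperator;

    /**
     * Fluent builder for {@link ScopeValidator}. The default is AND semantics
     * (every required scope must be granted).
     */
    public static final class Builder implements io.helidon.common.Builder<ScopeValidator> {
        private boolean useOrOperator;

        private Builder() {
            // Strictest behaviour unless explicitly relaxed.
            this.useOrOperator = false;
        }

        /**
         * Creates the validator from the current builder state.
         * Decompiler-renamed from {@code build}.
         *
         * @return a new validator
         */
        public ScopeValidator m2build() {
            return new ScopeValidator(this);
        }

        /**
         * Selects OR (any required scope) or AND (all required scopes) semantics.
         *
         * @param z {@code true} for OR, {@code false} for AND
         * @return this builder
         */
        public Builder useOrOperator(boolean z) {
            this.useOrOperator = z;
            return this;
        }

        /**
         * Reads the {@code operator} key from configuration.
         *
         * <p>Only the exact value {@code "OR"} enables OR semantics. Any other
         * value that is present (including {@code "or"} in lower case) selects
         * AND, i.e. the stricter check, so a typo here fails closed. When the
         * key is absent the builder's current setting is left untouched.
         *
         * @param config configuration node of this validator
         * @return this builder
         */
        public Builder config(Config config) {
            // The decompiled form referenced an undefined register ("r1"); the
            // bound receivers are the literal "OR" and this builder.
            config.get("operator").asString().map("OR"::equals).ifPresent(this::useOrOperator);
            return this;
        }
    }

    /**
     * Declares one scope required to access the annotated type or method.
     * Repeatable through {@link Scopes}.
     */
    @Target({ElementType.METHOD, ElementType.TYPE})
    @AbacAnnotation
    @Inherited
    @Retention(RetentionPolicy.RUNTIME)
    @Documented
    @Repeatable(Scopes.class)
    public @interface Scope {
        /** @return name of the required scope */
        String value();
    }

    /** Container annotation holding repeated {@link Scope} declarations. */
    @Target({ElementType.METHOD, ElementType.TYPE})
    @Inherited
    @Retention(RetentionPolicy.RUNTIME)
    @Documented
    public @interface Scopes {
        /** @return the repeated scope annotations */
        Scope[] value();
    }

    /** Immutable list of scope names required for one endpoint. */
    public static final class ScopesConfig implements AbacValidatorConfig {
        private final List<String> requiredScopes;

        private ScopesConfig(List<String> list) {
            // Snapshot the policy: later mutation of the caller's list must not
            // be able to add or drop required scopes after construction.
            this.requiredScopes = Collections.unmodifiableList(new ArrayList<>(list));
        }

        /**
         * Creates a configuration from scope names.
         *
         * @param strArr required scope names
         * @return configuration requiring the given scopes
         */
        public static ScopesConfig create(String... strArr) {
            return new ScopesConfig(CollectionsHelper.listOf(strArr));
        }

        /**
         * Creates a configuration from {@link Scope} annotations, taking each
         * annotation's {@code value()} in list order.
         *
         * @param list scope annotations
         * @return configuration requiring the annotated scopes
         */
        public static ScopesConfig create(List<Scope> list) {
            List<String> names = new ArrayList<>(list.size());
            for (Scope scope : list) {
                names.add(scope.value());
            }
            return new ScopesConfig(names);
        }

        /**
         * Creates a configuration from a config node read as a list of strings.
         * A node with no list value yields an empty scope list, which
         * {@link ScopeValidator#validate} treats as "no scopes required".
         *
         * @param config configuration node holding the scope names
         * @return configuration requiring the configured scopes
         */
        public static ScopesConfig create(Config config) {
            return new ScopesConfig(config.asList(String.class).orElse(CollectionsHelper.listOf()));
        }

        /**
         * @return unmodifiable list of required scope names
         */
        public List<String> requiredScopes() {
            return this.requiredScopes;
        }
    }

    private ScopeValidator(Builder builder) {
        this.useOrOperator = builder.useOrOperator;
    }

    /**
     * @return a new builder with AND semantics preselected
     */
    public static Builder builder() {
        return new Builder();
    }

    /**
     * @return a validator with default settings (all required scopes must be granted)
     */
    public static ScopeValidator create() {
        return builder().m2build();
    }

    /**
     * Creates a validator from configuration; see {@link Builder#config(Config)}.
     *
     * @param config configuration node of this validator
     * @return a configured validator
     */
    public static ScopeValidator create(Config config) {
        return builder().config(config).m2build();
    }

    /**
     * @return the configuration type handled by this validator
     */
    public Class<ScopesConfig> configClass() {
        return ScopesConfig.class;
    }

    /**
     * @return the annotation types read by {@link #m0fromAnnotations(EndpointConfig)}
     */
    public Collection<Class<? extends Annotation>> supportedAnnotations() {
        return CollectionsHelper.setOf(Scope.class, Scopes.class);
    }

    /**
     * @return the configuration key of this validator, {@code "scopes"}
     */
    public String configKey() {
        return "scopes";
    }

    /**
     * Builds the required-scope list from configuration.
     * Decompiler-renamed from {@code fromConfig}.
     *
     * @param config configuration node holding the scope names
     * @return configuration requiring the configured scopes
     */
    public ScopesConfig m1fromConfig(Config config) {
        return ScopesConfig.create(config);
    }

    /**
     * Collects every {@link Scope} (direct or wrapped in {@link Scopes}) found
     * on all security levels and all annotation scopes of the endpoint.
     * Decompiler-renamed from {@code fromAnnotations}.
     *
     * <p>Scopes from every level are accumulated into one list, so under AND
     * semantics the subject needs the union of all declared scopes.
     *
     * @param endpointConfig endpoint metadata carrying the annotations
     * @return configuration requiring all collected scopes
     */
    public ScopesConfig m0fromAnnotations(EndpointConfig endpointConfig) {
        List<Scope> scopes = new ArrayList<>();
        for (SecurityLevel securityLevel : endpointConfig.securityLevels()) {
            for (EndpointConfig.AnnotationScope annotationScope : EndpointConfig.AnnotationScope.values()) {
                List<Annotation> annotations = new ArrayList<>();
                for (Class<? extends Annotation> annotationType : supportedAnnotations()) {
                    annotations.addAll(securityLevel.filterAnnotations(annotationType, annotationScope));
                }
                for (Annotation annotation : annotations) {
                    if (annotation instanceof Scopes) {
                        scopes.addAll(Arrays.asList(((Scopes) annotation).value()));
                    } else if (annotation instanceof Scope) {
                        scopes.add((Scope) annotation);
                    }
                }
            }
        }
        return ScopesConfig.create(scopes);
    }

    /**
     * Validates the subject's scopes against the required scopes.
     *
     * <ul>
     *   <li>No required scopes: nothing is reported as an error, whether or not
     *       a subject is present (a hint is recorded when one is). An empty
     *       scope list therefore places no restriction on the request.</li>
     *   <li>No subject and at least one required scope: fatal.</li>
     *   <li>Subject holds none of the required scopes: fatal.</li>
     *   <li>Subject holds some but not all: fatal under AND, accepted under OR.</li>
     *   <li>Subject holds all required scopes: accepted.</li>
     * </ul>
     *
     * <p>NOTE(review): the fatal messages embed the required scopes and the
     * subject's grants. Where collector messages end up is not visible in this
     * class; confirm they reach only logs/audit and not the remote caller.
     *
     * @param scopesConfig required scopes for the endpoint
     * @param collector receives hints and fatal errors
     * @param providerRequest request context supplying the optional subject
     */
    public void validate(ScopesConfig scopesConfig, Errors.Collector collector, ProviderRequest providerRequest) {
        OptionalHelper.from(providerRequest.subject()).ifPresentOrElse(subject -> {
            // Start from everything required and strike out what the subject holds.
            LinkedHashSet<String> missing = new LinkedHashSet<>(scopesConfig.requiredScopes());
            int requiredCount = missing.size();
            if (requiredCount == 0) {
                collector.hint(this, "There are no required scopes for current request.");
                return;
            }
            List<? extends Grant> grants = subject.grantsByType(SCOPE_GRANT_TYPE);
            // The decompiled form called remove() on an undefined register ("r1");
            // the receiver is the set of still-missing scopes.
            grants.stream().map(Grant::getName).forEach(missing::remove);
            int missingCount = missing.size();
            if (missingCount == requiredCount) {
                // Not a single required scope matched: denied under both AND and OR.
                collector.fatal(this, "Access requires scopes: " + scopesConfig.requiredScopes() + ", yet the user is in neither of them: " + grants);
            } else {
                if (missingCount == 0 || this.useOrOperator) {
                    return;
                }
                collector.fatal(this, "User is not in all required scopes: " + scopesConfig.requiredScopes() + ", user's scopes: " + grants);
            }
        }, () -> {
            List<String> requiredScopes = scopesConfig.requiredScopes();
            if (requiredScopes.isEmpty()) {
                return;
            }
            // Message text kept byte-for-byte (including "int") in case anything matches on it.
            collector.fatal(this, "User not logged int. Required scopes: " + requiredScopes);
        });
    }
}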
