package io.helidon.security.integration.jersey;

import io.helidon.common.CollectionsHelper;
import io.helidon.common.reactive.Flow;
import io.helidon.config.Config;
import io.helidon.security.AuthenticationResponse;
import io.helidon.security.AuthorizationResponse;
import io.helidon.security.EndpointConfig;
import io.helidon.security.Entity;
import io.helidon.security.Security;
import io.helidon.security.SecurityClientBuilder;
import io.helidon.security.SecurityContext;
import io.helidon.security.SecurityEnvironment;
import io.helidon.security.SecurityResponse;
import io.helidon.security.integration.common.AtnTracing;
import io.helidon.security.integration.common.AtzTracing;
import io.helidon.security.integration.common.SecurityTracing;
import io.opentracing.Span;
import io.opentracing.SpanContext;
import java.net.URI;
import java.nio.ByteBuffer;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.function.Function;
import java.util.logging.Logger;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriInfo;
import org.glassfish.jersey.server.ContainerRequest;

/* loaded from: input_file:io/helidon/security/integration/jersey/SecurityFilterCommon.class */
abstract class SecurityFilterCommon {
    // Request-property key under which doFilter(...) stores the per-request FilterContext.
    static final String PROP_FILTER_CONTEXT = "io.helidon.security.jersey.FilterContext";

    // Security instance used for serverTime() and configFor(...). Annotated with @Context;
    // also assignable through the two-argument constructor.
    @Context
    private Security security;

    // Feature configuration; this class reads isDebug(), useAbortWith() and getQueryParamHandlers() from it.
    // Annotated with @Context; also assignable through the two-argument constructor.
    @Context
    private FeatureConfig featureConfig;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: io.helidon.security.integration.jersey.SecurityFilterCommon$1, reason: invalid class name */
    /* loaded from: input_file:io/helidon/security/integration/jersey/SecurityFilterCommon$1.class */
    // Decompiler rendering of a synthetic switch-map holder: the int array is indexed by
    // SecurityStatus.ordinal() and holds the case labels (1..5) that processAuthentication(...) and
    // processAuthorization(...) switch on. Labels: SUCCESS=1, FAILURE_FINISH=2, SUCCESS_FINISH=3,
    // ABSTAIN=4, FAILURE=5. An ordinal that is never assigned keeps the array default 0, which
    // matches no case label and therefore lands in the switches' default branch.
    public static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$io$helidon$security$SecurityResponse$SecurityStatus = new int[SecurityResponse.SecurityStatus.values().length];

        static {
            // Each assignment is isolated in its own try so that a NoSuchFieldError for one constant
            // does not prevent the remaining entries from being filled in.
            // NOTE(review): presumably this tolerates an enum constant missing at run time - confirm.
            try {
                $SwitchMap$io$helidon$security$SecurityResponse$SecurityStatus[SecurityResponse.SecurityStatus.SUCCESS.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$io$helidon$security$SecurityResponse$SecurityStatus[SecurityResponse.SecurityStatus.FAILURE_FINISH.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$io$helidon$security$SecurityResponse$SecurityStatus[SecurityResponse.SecurityStatus.SUCCESS_FINISH.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
            }
            try {
                $SwitchMap$io$helidon$security$SecurityResponse$SecurityStatus[SecurityResponse.SecurityStatus.ABSTAIN.ordinal()] = 4;
            } catch (NoSuchFieldError e4) {
            }
            try {
                $SwitchMap$io$helidon$security$SecurityResponse$SecurityStatus[SecurityResponse.SecurityStatus.FAILURE.ordinal()] = 5;
            } catch (NoSuchFieldError e5) {
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:io/helidon/security/integration/jersey/SecurityFilterCommon$FilterContext.class */
    /**
     * Mutable per-request state passed between the filter steps of {@code SecurityFilterCommon}.
     *
     * <p>It carries a description of the request (method, path, headers, target URI, the Jersey
     * request), the security definition of the invoked method, the "should finish" flag set once a
     * request has been aborted or completed by a provider, and the outcome that is later reported to
     * tracing (success flag, description, throwable).
     *
     * <p>The decompiler reports that several members shown as {@code public} were package-private in
     * the compiled class; modifiers are kept exactly as decompiled.
     */
    public static class FilterContext {
        // --- request description ---
        private String resourceName;
        private String resourcePath;
        private String method;
        // Set by configureContext(...) to the very map returned by the Jersey request (no copy is made there).
        private Map<String, List<String>> headers;
        private URI targetUri;
        private ContainerRequest jerseyRequest;

        // --- security decision state ---
        // True once processing must stop (request aborted, or a provider finished it).
        private boolean shouldFinish;
        private SecurityDefinition methodSecurity;
        // True when authorization is left to explicit invocation (see authorize(...)).
        private boolean explicitAtz;

        // --- tracing outcome ---
        private String traceDescription;
        private Throwable traceThrowable;
        // Response entity handed to the authentication client builder.
        private final JerseyResponseEntity responseMessage = new JerseyResponseEntity();
        // Starts as "success"; flipped to false by the process* methods on denial.
        private boolean traceSuccess = true;

        /** @return the response entity owned by this context (never replaced) */
        public JerseyResponseEntity getResponseMessage() {
            return responseMessage;
        }

        /** @return the resource name; doFilter publishes it as the {@code resourceType} attribute */
        public String getResourceName() {
            return resourceName;
        }

        /** @param resourceName the resource name to record */
        public void setResourceName(String resourceName) {
            this.resourceName = resourceName;
        }

        /** @return the path used as the security environment path */
        public String getResourcePath() {
            return resourcePath;
        }

        /** @param resourcePath the path to record */
        void setResourcePath(String resourcePath) {
            this.resourcePath = resourcePath;
        }

        /** @return the HTTP method as received */
        public String getMethod() {
            return method;
        }

        /** @param httpMethod the HTTP method to record */
        void setMethod(String httpMethod) {
            this.method = httpMethod;
        }

        /** @return the header map as stored (not copied) */
        Map<String, List<String>> getHeaders() {
            return headers;
        }

        /** @param requestHeaders the header map to store (kept by reference) */
        void setHeaders(Map<String, List<String>> requestHeaders) {
            this.headers = requestHeaders;
        }

        /** @return the request URI */
        public URI getTargetUri() {
            return targetUri;
        }

        /** @param requestUri the request URI to record */
        void setTargetUri(URI requestUri) {
            this.targetUri = requestUri;
        }

        /** @return the underlying Jersey request */
        ContainerRequest getJerseyRequest() {
            return jerseyRequest;
        }

        /** @param request the underlying Jersey request */
        void setJerseyRequest(ContainerRequest request) {
            this.jerseyRequest = request;
        }

        /** @return {@code true} when no further security processing should happen */
        public boolean isShouldFinish() {
            return shouldFinish;
        }

        /** @param finish whether processing must stop */
        public void setShouldFinish(boolean finish) {
            this.shouldFinish = finish;
        }

        /** @return the security definition of the invoked method */
        SecurityDefinition getMethodSecurity() {
            return methodSecurity;
        }

        /** @param definition the security definition of the invoked method */
        public void setMethodSecurity(SecurityDefinition definition) {
            this.methodSecurity = definition;
        }

        /** @return {@code true} when authorization was marked as explicit */
        public boolean isExplicitAtz() {
            return explicitAtz;
        }

        /** @param explicit whether authorization is explicit */
        void setExplicitAtz(boolean explicit) {
            this.explicitAtz = explicit;
        }

        /** @return {@code false} once a step recorded a denial or failure */
        boolean isTraceSuccess() {
            return traceSuccess;
        }

        /** @param success the outcome to report to tracing */
        void setTraceSuccess(boolean success) {
            this.traceSuccess = success;
        }

        /** @return the description reported to tracing on failure, may be {@code null} */
        String getTraceDescription() {
            return traceDescription;
        }

        /** @param description the description reported to tracing on failure */
        void setTraceDescription(String description) {
            this.traceDescription = description;
        }

        /** @return the throwable reported to tracing on failure, may be {@code null} */
        Throwable getTraceThrowable() {
            return traceThrowable;
        }

        /** @param throwable the throwable reported to tracing on failure */
        void setTraceThrowable(Throwable throwable) {
            this.traceThrowable = throwable;
        }

        /**
         * Resets the tracing outcome to its initial state: success, no description, no throwable.
         * Goes through the setters, as the original does.
         */
        public void clearTrace() {
            setTraceSuccess(true);
            setTraceDescription(null);
            setTraceThrowable(null);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /* loaded from: input_file:io/helidon/security/integration/jersey/SecurityFilterCommon$JerseyResponseEntity.class */
    /**
     * {@link Entity} implementation for the response side: it only remembers the filter function a
     * security provider registers, so that it can be retrieved later through {@link #filterFunction()}.
     * Nothing in this class applies the function.
     */
    public static class JerseyResponseEntity implements Entity {
        // volatile: the reference written by filter(...) is visible to a later read from another thread.
        private volatile Function<Flow.Publisher<ByteBuffer>, Flow.Publisher<ByteBuffer>> filterFunction;

        /** Creates an entity with no filter function registered. */
        protected JerseyResponseEntity() {
        }

        /**
         * Stores the function; a later call replaces the earlier one.
         *
         * @param publisherFilter function from the original byte publisher to the filtered one
         */
        public void filter(Function<Flow.Publisher<ByteBuffer>, Flow.Publisher<ByteBuffer>> publisherFilter) {
            filterFunction = publisherFilter;
        }

        /**
         * @return the last function passed to {@link #filter(Function)}, or {@code null} if none was registered
         */
        public Function<Flow.Publisher<ByteBuffer>, Flow.Publisher<ByteBuffer>> filterFunction() {
            return filterFunction;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Creates a filter without assigning {@code security} or {@code featureConfig}; both fields are
     * annotated with {@code @Context}. The decompiler reports this constructor as package-private in
     * the compiled class.
     */
    public SecurityFilterCommon() {
    }

    /**
     * Creates a filter with explicitly supplied collaborators. No null checks are performed here.
     * The decompiler reports this constructor as package-private in the compiled class.
     *
     * @param security      security instance to use
     * @param featureConfig feature configuration to use
     */
    public SecurityFilterCommon(Security security, FeatureConfig featureConfig) {
        this.featureConfig = featureConfig;
        this.security = security;
    }

    /* JADX INFO: Access modifiers changed from: protected */
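    /**
     * Entry point of request filtering: builds the security environment for the request, installs the
     * Jersey security context and delegates the actual decisions to {@link #processSecurity}.
     *
     * <p>Change from the decompiled form: the tracing epilogue was duplicated in the try body and in a
     * {@code catch (Throwable)} block, so a failure inside the epilogue itself would have run it a second
     * time. It now runs exactly once, in {@code finally}.
     *
     * <p>When {@link #initRequestFiltering} returns a context that is already marked "should finish",
     * this method returns without calling {@link #processSecurity}. Implementations of
     * {@code initRequestFiltering} therefore decide which requests bypass the checks made here.
     *
     * @param containerRequestContext the Jersey request being filtered
     * @param securityContext         the Helidon security context of the request
     */
    public void doFilter(ContainerRequestContext containerRequestContext, SecurityContext securityContext) {
        SecurityTracing tracing = SecurityTracing.get();
        tracing.securityContext(securityContext);

        FilterContext filterContext = initRequestFiltering(containerRequestContext);
        if (filterContext.isShouldFinish()) {
            tracing.finish();
            return;
        }

        // Original request URI (path plus query, when a non-empty query is present).
        URI requestUri = containerRequestContext.getUriInfo().getRequestUri();
        String query = requestUri.getQuery();
        String originalUri = (null == query || query.isEmpty())
                ? requestUri.getPath()
                : requestUri.getPath() + "?" + query;

        // Shallow copy, so the extra entry is not added to the request's own header map.
        Map<String, List<String>> environmentHeaders = new HashMap<>(filterContext.getHeaders());
        // put(...) replaces a client-sent value stored under exactly this key.
        // NOTE(review): HashMap keys are case-sensitive, so a request header with the same name in a
        // different letter case would stay in the map as a separate entry - confirm how providers look
        // this header up before trusting it.
        environmentHeaders.put("X_ORIG_URI_HEADER", CollectionsHelper.listOf(originalUri));

        SecurityEnvironment environment = SecurityEnvironment.builder(this.security.serverTime())
                .path(filterContext.getResourcePath())
                .targetUri(filterContext.getTargetUri())
                .method(filterContext.getMethod())
                .headers(environmentHeaders)
                .addAttribute("resourceType", filterContext.getResourceName())
                .build();
        EndpointConfig endpointConfig = EndpointConfig.builder()
                .securityLevels(filterContext.getMethodSecurity().getSecurityLevels())
                .build();

        try {
            securityContext.env(environment);
            securityContext.endpointConfig(endpointConfig);
            containerRequestContext.setProperty(PROP_FILTER_CONTEXT, filterContext);
            // The last argument is true only when the request URI scheme is exactly "https".
            containerRequestContext.setSecurityContext(new JerseySecurityContext(
                    securityContext,
                    filterContext.getMethodSecurity(),
                    "https".equals(filterContext.getTargetUri().getScheme())));
            processSecurity(containerRequestContext, filterContext, tracing, securityContext);
        } finally {
            // Report the outcome whether processing returned normally or threw.
            if (filterContext.isTraceSuccess()) {
                tracing.logProceed();
                tracing.finish();
            } else {
                tracing.logDeny();
                tracing.error("aborted");
            }
        }
    }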

    /* JADX INFO: Access modifiers changed from: protected */
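    /**
     * Authenticates the request when the method's security definition requires it, then reports the
     * outcome to the authentication tracing span.
     *
     * <p>Change from the decompiled form: the tracing epilogue existed twice (normal path and
     * {@code catch (Throwable)}), with the normal-path copy inside the try body. It is now a single
     * {@code finally} block, so it runs once on either path.
     *
     * <p>When authentication is not required, no provider is called and the epilogue reports whatever
     * outcome the context already holds.
     *
     * @param filterContext   per-request state; its trace fields decide what is reported
     * @param securityContext security context that supplies the authentication client builder
     * @param atnTracing      tracing span for authentication
     */
    public void authenticate(FilterContext filterContext, SecurityContext securityContext, AtnTracing atnTracing) {
        try {
            SecurityDefinition methodSecurity = filterContext.getMethodSecurity();
            if (methodSecurity.requiresAuthentication()) {
                // Casts are kept from the decompiled source; they select the tracingSpan overloads.
                SecurityClientBuilder<AuthenticationResponse> clientBuilder = (SecurityClientBuilder) securityContext.atnClientBuilder()
                        .optional(methodSecurity.authenticationOptional())
                        .requestMessage(toRequestMessage(filterContext))
                        .responseMessage(filterContext.getResponseMessage())
                        .tracingSpan((SpanContext) atnTracing.findParent().orElse(null))
                        .tracingSpan((Span) atnTracing.findParentSpan().orElse(null));
                // The provider named by the method's security definition is requested explicitly.
                clientBuilder.explicitProvider(methodSecurity.getAuthenticator());
                processAuthentication(filterContext, clientBuilder, methodSecurity, atnTracing);
            }
        } finally {
            if (filterContext.isTraceSuccess()) {
                // Record who was authenticated (user and/or service), when present.
                securityContext.user().ifPresent(atnTracing::logUser);
                securityContext.service().ifPresent(atnTracing::logService);
                atnTracing.finish();
            } else {
                // Prefer the recorded throwable; fall back to the textual description.
                Throwable failure = filterContext.getTraceThrowable();
                if (null == failure) {
                    atnTracing.error(filterContext.getTraceDescription());
                } else {
                    atnTracing.error(failure);
                }
            }
        }
    }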

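    /**
     * Builds the request entity handed to authentication providers.
     *
     * <p>Changes from the decompiled form: the hash-based two-stage switch (which the decompiler
     * rendered with a {@code boolean} selector and does not compile) is written as a plain string
     * switch, and the method name is lower-cased with {@code Locale.ROOT} instead of the default
     * locale, so that matching does not depend on the JVM locale (for example, the default-locale
     * lower-casing of "OPTIONS" under a Turkish locale does not equal "options").
     *
     * @param filterContext per-request state supplying the HTTP method and the Jersey request
     * @return {@code null} for GET, OPTIONS, HEAD and DELETE (matched case-insensitively); otherwise an
     *         entity that routes the request body through the function a provider registers
     */
    protected Entity toRequestMessage(FilterContext filterContext) {
        switch (filterContext.getMethod().toLowerCase(java.util.Locale.ROOT)) {
            case "get":
            case "options":
            case "head":
            case "delete":
                // These methods get no request entity.
                return null;
            default:
                return function -> {
                    // Publish the current entity stream. NOTE(review): 1024 is presumably a buffer size - confirm.
                    InputStreamPublisher inputStreamPublisher = new InputStreamPublisher(filterContext.getJerseyRequest().getEntityStream(), 1024);
                    SubscriberInputStream subscriberInputStream = new SubscriberInputStream();
                    // From here on the request's entity stream is the subscriber stream, i.e. later
                    // readers see what the provider's function emits rather than the original stream.
                    filterContext.getJerseyRequest().setEntityStream(subscriberInputStream);
                    ((Flow.Publisher) function.apply(inputStreamPublisher)).subscribe(subscriberInputStream);
                };
        }
    }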

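    /**
     * Calls the authentication provider and translates its status into request handling.
     *
     * <p>Changes from the decompiled form: the switch is written on the enum directly instead of the
     * synthetic ordinal map, and the {@code FAILURE} branch now marks the context as "should finish"
     * before calling {@link #abortRequest}, as every other branch does. Previously the flag was set
     * afterwards and was skipped whenever {@code abortRequest} threw.
     *
     * <p>When authentication is optional, {@code FAILURE_FINISH}, {@code ABSTAIN} and {@code FAILURE}
     * all let the request continue without aborting, and this is logged at {@code FINEST} only. Code
     * behind such endpoints has to treat the caller as unauthenticated.
     *
     * @param filterContext         per-request state that receives the outcome
     * @param securityClientBuilder configured authentication client
     * @param securityDefinition    security definition of the invoked method
     * @param atnTracing            tracing span that receives the status
     * @throws SecurityException when the provider returns a status not handled here
     */
    protected void processAuthentication(FilterContext filterContext, SecurityClientBuilder<AuthenticationResponse> securityClientBuilder, SecurityDefinition securityDefinition, AtnTracing atnTracing) {
        AuthenticationResponse response = securityClientBuilder.buildAndGet();
        SecurityResponse.SecurityStatus status = response.status();
        atnTracing.logStatus(status);

        switch (status) {
            case SUCCESS:
                return;
            case FAILURE_FINISH:
                if (securityDefinition.authenticationOptional()) {
                    logger().finest("Authentication failed, but was optional, so assuming anonymous");
                    return;
                }
                filterContext.setTraceSuccess(false);
                filterContext.setTraceDescription((String) response.description().orElse(status.toString()));
                filterContext.setTraceThrowable((Throwable) response.throwable().orElse(null));
                filterContext.setShouldFinish(true);
                // Provider-supplied status code wins; 401 is the fallback.
                abortRequest(filterContext, response, response.statusCode().orElse(Response.Status.UNAUTHORIZED.getStatusCode()), CollectionsHelper.mapOf());
                return;
            case SUCCESS_FINISH:
                // The provider completed the request itself; respond with its status code, or 200.
                filterContext.setShouldFinish(true);
                abortRequest(filterContext, response, response.statusCode().orElse(Response.Status.OK.getStatusCode()), CollectionsHelper.mapOf());
                return;
            case ABSTAIN:
                if (securityDefinition.authenticationOptional()) {
                    logger().finest("Authentication failed, but was optional, so assuming anonymous");
                    return;
                }
                // No provider made a decision: treated as a denial.
                filterContext.setTraceSuccess(false);
                filterContext.setTraceDescription((String) response.description().orElse(status.toString()));
                filterContext.setShouldFinish(true);
                abortRequest(filterContext, response, Response.Status.UNAUTHORIZED.getStatusCode(), CollectionsHelper.mapOf());
                return;
            case FAILURE:
                if (securityDefinition.authenticationOptional()) {
                    logger().finest("Authentication failed, but was optional, so assuming anonymous");
                    return;
                }
                filterContext.setTraceDescription((String) response.description().orElse(status.toString()));
                filterContext.setTraceThrowable((Throwable) response.throwable().orElse(null));
                filterContext.setTraceSuccess(false);
                // Set before aborting: abortRequest may throw instead of returning.
                filterContext.setShouldFinish(true);
                abortRequest(filterContext, response, Response.Status.UNAUTHORIZED.getStatusCode(), CollectionsHelper.mapOf());
                return;
            default:
                // Unknown status: fail closed.
                filterContext.setTraceSuccess(false);
                filterContext.setTraceDescription((String) response.description().orElse("UNKNOWN_RESPONSE: " + status));
                filterContext.setShouldFinish(true);
                SecurityException invalidStatus = new SecurityException("Invalid SecurityStatus returned: " + status);
                filterContext.setTraceThrowable(invalidStatus);
                throw invalidStatus;
        }
    }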

    /**
     * Supplies the logger used by this class; here it receives the {@code FINEST} message written
     * when an optional authentication does not succeed.
     *
     * @return the logger of the concrete filter
     */
    protected abstract Logger logger();

    /* JADX INFO: Access modifiers changed from: protected */
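    /**
     * Authorizes the request when the method's security definition requires it, then reports the
     * outcome to the authorization tracing span.
     *
     * <p>Change from the decompiled form: the tracing epilogue existed twice (normal path and
     * {@code catch (Throwable)}), with the normal-path copy inside the try body. It is now a single
     * {@code finally} block, so it runs once on either path.
     *
     * <p>When the definition marks authorization as explicit, this method only records that on the
     * context and returns: no authorization provider is called here and the tracing span is not
     * touched. The check then has to be made elsewhere.
     *
     * @param filterContext   per-request state; its trace fields decide what is reported
     * @param securityContext security context that supplies the authorization client builder
     * @param atzTracing      tracing span for authorization
     */
    public void authorize(FilterContext filterContext, SecurityContext securityContext, AtzTracing atzTracing) {
        if (filterContext.getMethodSecurity().isAtzExplicit()) {
            filterContext.setExplicitAtz(true);
            return;
        }
        try {
            if (filterContext.getMethodSecurity().requiresAuthorization()) {
                // Casts are kept from the decompiled source; they select the tracingSpan overloads.
                processAuthorization(filterContext, (SecurityClientBuilder) securityContext.atzClientBuilder()
                        .tracingSpan((Span) atzTracing.findParentSpan().orElse(null))
                        .tracingSpan((SpanContext) atzTracing.findParent().orElse(null))
                        .explicitProvider(filterContext.getMethodSecurity().getAuthorizer()));
            }
        } finally {
            if (filterContext.isTraceSuccess()) {
                atzTracing.finish();
            } else {
                // Prefer the recorded throwable; fall back to the textual description.
                Throwable failure = filterContext.getTraceThrowable();
                if (null == failure) {
                    atzTracing.error(filterContext.getTraceDescription());
                } else {
                    atzTracing.error(failure);
                }
            }
        }
    }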

    /**
     * Calls the authorization provider and translates its status into request handling.
     *
     * <p>Every status other than {@code SUCCESS} ends the request: {@code FAILURE_FINISH},
     * {@code FAILURE} and {@code ABSTAIN} abort with the provider's status code or 403,
     * {@code SUCCESS_FINISH} responds with the provider's status code or 200, and an unrecognised
     * status raises {@link SecurityException}. Unlike authentication, there is no "optional" path.
     *
     * @param filterContext         per-request state that receives the outcome
     * @param securityClientBuilder configured authorization client
     * @throws SecurityException when the provider returns a status not handled here
     */
    protected void processAuthorization(FilterContext filterContext, SecurityClientBuilder<AuthorizationResponse> securityClientBuilder) {
        AuthorizationResponse response = securityClientBuilder.buildAndGet();
        SecurityResponse.SecurityStatus status = response.status();

        switch (status) {
            case SUCCESS:
                return;
            case FAILURE_FINISH:
            case FAILURE:
                // Both failure flavours are handled identically.
                filterContext.setTraceSuccess(false);
                filterContext.setTraceDescription((String) response.description().orElse(status.toString()));
                filterContext.setTraceThrowable((Throwable) response.throwable().orElse(null));
                filterContext.setShouldFinish(true);
                abortRequest(filterContext, response, response.statusCode().orElse(Response.Status.FORBIDDEN.getStatusCode()), CollectionsHelper.mapOf());
                return;
            case SUCCESS_FINISH:
                filterContext.setShouldFinish(true);
                abortRequest(filterContext, response, response.statusCode().orElse(Response.Status.OK.getStatusCode()), CollectionsHelper.mapOf());
                return;
            case ABSTAIN:
                // No decision counts as a denial; no throwable is recorded for this status.
                filterContext.setTraceSuccess(false);
                filterContext.setTraceDescription((String) response.description().orElse(status.toString()));
                filterContext.setShouldFinish(true);
                abortRequest(filterContext, response, response.statusCode().orElse(Response.Status.FORBIDDEN.getStatusCode()), CollectionsHelper.mapOf());
                return;
            default:
                // Unknown status: fail closed.
                filterContext.setTraceSuccess(false);
                filterContext.setTraceDescription((String) response.description().orElse("UNKNOWN_RESPONSE: " + status));
                filterContext.setShouldFinish(true);
                SecurityException invalidStatus = new SecurityException("Invalid SecurityStatus returned: " + status);
                filterContext.setTraceThrowable(invalidStatus);
                throw invalidStatus;
        }
    }

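    /**
     * Ends the request with a response built from the provider's answer.
     *
     * <p>Change from the decompiled form: the debug branch referenced an undefined variable
     * ({@code r1}) left behind by the decompiler; it is restored to a method reference on the
     * response builder.
     *
     * <p>Information exposure: with {@code featureConfig.isDebug()} enabled, the provider's
     * description becomes the response body sent to the caller. Independently of the debug flag, when
     * {@code useAbortWith()} is false the description is used as the message of the thrown
     * {@link WebApplicationException}. Provider descriptions should therefore not contain secrets, and
     * debug mode is best kept off outside development.
     *
     * @param filterContext    per-request state supplying the Jersey request
     * @param securityResponse provider response (status code, headers, description)
     * @param i                status code used when the provider response carries none
     * @param map              headers used only when the provider response carries no headers
     * @throws WebApplicationException when the feature is configured not to use {@code abortWith}
     */
    protected void abortRequest(FilterContext filterContext, SecurityResponse securityResponse, int i, Map<String, List<String>> map) {
        int statusCode = securityResponse.statusCode().orElse(i);
        Map<String, List<String>> providerHeaders = securityResponse.responseHeaders();
        Response.ResponseBuilder responseBuilder = Response.status(statusCode);

        if (providerHeaders.isEmpty()) {
            // NOTE(review): each default header is added with the whole List as one value, whereas
            // updateHeaders(...) adds one header per list element - confirm this difference is intended.
            for (Map.Entry<String, List<String>> defaultHeader : map.entrySet()) {
                responseBuilder.header(defaultHeader.getKey(), defaultHeader.getValue());
            }
        } else {
            updateHeaders(providerHeaders, responseBuilder);
        }

        if (this.featureConfig.isDebug()) {
            // Debug only: echo the provider's description in the response body.
            securityResponse.description().ifPresent(responseBuilder::entity);
        }

        if (!this.featureConfig.useAbortWith()) {
            throw new WebApplicationException((String) securityResponse.description().orElse("Security did not allow this request to proceed."), responseBuilder.build());
        }
        filterContext.getJerseyRequest().abortWith(responseBuilder.build());
    }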

    /**
     * Adds every value of every entry to the response builder as its own header line, in the
     * iteration order of the map and of each value list.
     *
     * @param map             header names mapped to their values
     * @param responseBuilder builder that receives the headers
     */
    protected void updateHeaders(Map<String, List<String>> map, Response.ResponseBuilder responseBuilder) {
        for (Map.Entry<String, List<String>> header : map.entrySet()) {
            String headerName = header.getKey();
            for (String headerValue : header.getValue()) {
                responseBuilder.header(headerName, headerValue);
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Copies the request's method, headers, URI and path into the filter context and lets the
     * configured query parameter handlers process the request.
     *
     * <p>The context receives the header map returned by the request itself, not a copy, so whatever
     * a handler writes into it is written into that same map.
     * NOTE(review): the handlers presumably copy selected query parameters into headers; values that
     * arrive that way are caller-controlled and may end up in URLs, logs or browser history - confirm
     * which handlers are configured.
     *
     * @param filterContext           context to populate
     * @param containerRequestContext request being filtered; must be a Jersey {@code ContainerRequest}
     * @param uriInfo                 URI information handed to each query parameter handler
     * @return the same {@code filterContext} instance
     */
    public FilterContext configureContext(FilterContext filterContext, ContainerRequestContext containerRequestContext, UriInfo uriInfo) {
        filterContext.setMethod(containerRequestContext.getMethod());
        filterContext.setHeaders(containerRequestContext.getHeaders());
        filterContext.setTargetUri(containerRequestContext.getUriInfo().getRequestUri());
        // The resource path is taken from the URI just stored.
        filterContext.setResourcePath(filterContext.getTargetUri().getPath());
        // Unchecked downcast: throws ClassCastException for any other ContainerRequestContext implementation.
        filterContext.setJerseyRequest((ContainerRequest) containerRequestContext);

        featureConfig()
                .getQueryParamHandlers()
                .forEach(handler -> handler.extract(uriInfo, filterContext.getHeaders()));

        return filterContext;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * @return the security instance held by this filter; {@code null} if it was never assigned
     */
    public Security security() {
        return security;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * @return the feature configuration held by this filter; {@code null} if it was never assigned
     */
    public FeatureConfig featureConfig() {
        return featureConfig;
    }

    /**
     * Performs the security processing for a request. {@code doFilter} calls this after it has set
     * the environment and endpoint configuration on the security context and installed the Jersey
     * security context; the tracing outcome is reported by {@code doFilter} afterwards from
     * {@code filterContext.isTraceSuccess()}.
     *
     * @param containerRequestContext the Jersey request being filtered
     * @param filterContext           per-request state created by {@code initRequestFiltering}
     * @param securityTracing         tracing for the whole security step
     * @param securityContext         the security context of the request
     */
    protected abstract void processSecurity(ContainerRequestContext containerRequestContext, FilterContext filterContext, SecurityTracing securityTracing, SecurityContext securityContext);

    /**
     * Creates the per-request filter context. {@code doFilter} calls this first; when the returned
     * context reports {@code isShouldFinish()}, {@code doFilter} finishes tracing and returns without
     * calling {@code processSecurity}, so an implementation that sets the flag takes the request out
     * of the checks made there.
     *
     * @param containerRequestContext the Jersey request being filtered
     * @return the context for this request; {@code doFilter} dereferences it without a null check
     */
    protected abstract FilterContext initRequestFiltering(ContainerRequestContext containerRequestContext);

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Looks up configuration through the security instance.
     * The decompiler reports this method as package-private in the compiled class.
     *
     * @param str key passed unchanged to {@code Security.configFor}
     * @return the configuration returned by the security instance for that key
     */
    public Config config(String str) {
        Security configSource = this.security;
        return configSource.configFor(str);
    }
}
