package io.helidon.security.integration.jersey;

import io.helidon.common.serviceloader.HelidonServiceLoader;
import io.helidon.config.Config;
import io.helidon.jersey.common.InvokedResource;
import io.helidon.security.AuditEvent;
import io.helidon.security.Security;
import io.helidon.security.SecurityContext;
import io.helidon.security.SecurityLevel;
import io.helidon.security.annotations.Audited;
import io.helidon.security.annotations.Authenticated;
import io.helidon.security.annotations.Authorized;
import io.helidon.security.integration.common.ResponseTracing;
import io.helidon.security.integration.common.SecurityTracing;
import io.helidon.security.integration.jersey.SecurityFilterCommon;
import io.helidon.security.internal.SecurityAuditEvent;
import io.helidon.security.providers.common.spi.AnnotationAnalyzer;
import io.helidon.webserver.ServerRequest;
import java.lang.annotation.Annotation;
import java.lang.reflect.Method;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.ServiceLoader;
import java.util.concurrent.ConcurrentHashMap;
import java.util.logging.Logger;
import javax.annotation.PostConstruct;
import javax.annotation.Priority;
import javax.ws.rs.ConstrainedTo;
import javax.ws.rs.Path;
import javax.ws.rs.RuntimeType;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.ContainerResponseContext;
import javax.ws.rs.container.ContainerResponseFilter;
import javax.ws.rs.core.Application;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.Response;
import org.glassfish.jersey.server.ExtendedUriInfo;
import org.glassfish.jersey.server.ServerConfig;
import org.glassfish.jersey.server.model.AbstractResourceModelVisitor;
import org.glassfish.jersey.server.model.Invocable;
import org.glassfish.jersey.server.model.Resource;
import org.glassfish.jersey.server.model.ResourceMethod;
import org.glassfish.jersey.server.model.RuntimeResource;

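/**
 * Jersey server-side filter that runs Helidon authentication and authorization before a resource
 * method is invoked and, on the way back, enforces explicit authorization and emits audit events.
 *
 * <p>Security requirements are derived from {@link Authenticated}, {@link Authorized} and
 * {@link Audited} annotations on the application class, resource classes and resource methods,
 * plus whatever the loaded {@link AnnotationAnalyzer} services contribute. Resolved definitions
 * are cached per application class.
 */
// 1000 is the value of javax.ws.rs.Priorities.AUTHENTICATION.
@Priority(1000)
@ConstrainedTo(RuntimeType.SERVER)
public class SecurityFilter extends SecurityFilterCommon implements ContainerRequestFilter, ContainerResponseFilter {
    private static final Logger LOGGER = Logger.getLogger(SecurityFilter.class.getName());

    // Keyed by the (non-synthetic) JAX-RS Application class.
    private final Map<Class<?>, CacheEntry> applicationClassCache;

    @Context
    private ServerConfig serverConfig;

    @Context
    private SecurityContext securityContext;

    @Context
    private ServerRequest serverRequest;

    private final List<AnnotationAnalyzer> analyzers;

    /** Resolved security definitions of one application class and the resources reached through it. */
    private static class CacheEntry {
        private SecurityDefinition appClassSecurity;
        private final Map<Class<?>, SecurityDefinition> resourceClassSecurity = new ConcurrentHashMap<>();
        private final Map<Method, SecurityDefinition> resourceMethodSecurity = new ConcurrentHashMap<>();
        // Key is the "/Class.method" chain built in getMethodSecurity for sub-resource invocations.
        private final Map<String, SecurityDefinition> subResourceMethodSecurity = new ConcurrentHashMap<>();

        private CacheEntry() {
        }
    }

    /** Collects the invocables of resource methods found under the resource locators it visits. */
    private static final class PathVisitor extends AbstractResourceModelVisitor {
        private final List<Invocable> list = new LinkedList<>();

        private PathVisitor() {
        }

        @Override
        public void visitResource(Resource resource) {
            // Only the locator is followed; resources without one contribute nothing.
            if (resource.getResourceLocator() != null) {
                resource.getResourceLocator().accept(this);
            }
        }

        @Override
        public void visitChildResource(Resource resource) {
            visitResource(resource);
        }

        @Override
        public void visitResourceMethod(ResourceMethod resourceMethod) {
            this.list.add(resourceMethod.getInvocable());
        }

        @Override
        public void visitRuntimeResource(RuntimeResource runtimeResource) {
            for (Resource resource : runtimeResource.getResources()) {
                resource.accept(this);
            }
        }

        /** Visits every runtime resource in the given list, in order. */
        public void visit(List<RuntimeResource> list) {
            for (RuntimeResource runtimeResource : list) {
                runtimeResource.accept(this);
            }
        }
    }

    /** Returns the cache entry of an application class, resolving its class-level security on first use. */
    private CacheEntry appClassCacheEntry(Class<?> cls) {
        return this.applicationClassCache.computeIfAbsent(cls, appClass -> {
            CacheEntry entry = new CacheEntry();
            entry.appClassSecurity = securityForClass(appClass, null);
            return entry;
        });
    }

    private SecurityDefinition appClassSecurity(Class<?> cls) {
        return appClassCacheEntry(cls).appClassSecurity;
    }

    private Map<Class<?>, SecurityDefinition> resourceClassSecurity(Class<?> cls) {
        return appClassCacheEntry(cls).resourceClassSecurity;
    }

    private Map<Method, SecurityDefinition> resourceMethodSecurity(Class<?> cls) {
        return appClassCacheEntry(cls).resourceMethodSecurity;
    }

    private Map<String, SecurityDefinition> subResourceMethodSecurity(Class<?> cls) {
        return appClassCacheEntry(cls).subResourceMethodSecurity;
    }

    /** Creates the filter with empty caches and loads the {@link AnnotationAnalyzer} services. */
    public SecurityFilter() {
        this.applicationClassCache = new ConcurrentHashMap<>();
        this.analyzers = new LinkedList<>();
        loadAnalyzers();
    }

    /**
     * Creates the filter with explicitly supplied collaborators instead of injected ones.
     *
     * <p>NOTE(review): {@code serverRequest} is not assigned here although
     * {@code getMethodSecurity} dereferences it - confirm it is injected or otherwise set before
     * an instance built this way handles a request.
     */
    SecurityFilter(FeatureConfig featureConfig, Security security, ServerConfig serverConfig, SecurityContext securityContext) {
        super(security, featureConfig);
        this.applicationClassCache = new ConcurrentHashMap<>();
        this.analyzers = new LinkedList<>();
        this.serverConfig = serverConfig;
        this.securityContext = securityContext;
        loadAnalyzers();
    }

    /** Discovers {@link AnnotationAnalyzer} implementations through the service loader. */
    private void loadAnalyzers() {
        HelidonServiceLoader.builder(ServiceLoader.load(AnnotationAnalyzer.class))
                .build()
                .forEach(this.analyzers::add);
    }

    /** Initializes every loaded analyzer with the {@code jersey.analyzers} configuration node. */
    @PostConstruct
    public void postConstruct() {
        Config analyzerConfig = config("jersey.analyzers");
        for (AnnotationAnalyzer analyzer : this.analyzers) {
            analyzer.init(analyzerConfig);
        }
    }

    /**
     * Request filter entry point.
     *
     * <p>Does nothing when both pre-matching authentication and pre-matching authorization are
     * enabled; in that configuration the checks are expected to have run elsewhere (not visible
     * in this class).
     *
     * @param containerRequestContext the request being filtered
     */
    @Override
    public void filter(ContainerRequestContext containerRequestContext) {
        boolean handledBeforeMatching = featureConfig().shouldUsePrematchingAuthentication()
                && featureConfig().shouldUsePrematchingAuthorization();
        if (!handledBeforeMatching) {
            doFilter(containerRequestContext, this.securityContext);
        }
    }

    /**
     * Runs authentication and then authorization, skipping whichever step is configured to run
     * before resource matching. Authorization is not attempted once authentication has marked the
     * filter context as finished.
     */
    @Override
    protected void processSecurity(ContainerRequestContext containerRequestContext,
                                   SecurityFilterCommon.FilterContext filterContext,
                                   SecurityTracing securityTracing,
                                   SecurityContext securityContext) {
        if (!featureConfig().shouldUsePrematchingAuthentication()) {
            authenticate(filterContext, securityContext, securityTracing.atnTracing());
            LOGGER.finest(() -> "Filter after authentication. Should finish: " + filterContext.isShouldFinish());
            if (filterContext.isShouldFinish()) {
                return;
            }
            filterContext.clearTrace();
        }

        if (!featureConfig().shouldUsePrematchingAuthorization()) {
            authorize(filterContext, securityContext, securityTracing.atzTracing());
            LOGGER.finest(() -> "Filter completed (after authorization)");
        }
    }

    /**
     * Response filter entry point: enforces explicit authorization and writes the audit event.
     *
     * <p>When the endpoint was marked for explicit authorization but the resource method never
     * called it, a response that is not already a client or server error is replaced with an
     * empty 500. This is detection after the fact: the resource method has already run and may
     * have changed data, so the log entry written here deserves an alert.
     *
     * @param containerRequestContext  the request that produced the response
     * @param containerResponseContext the response about to be sent
     */
    @Override
    public void filter(ContainerRequestContext containerRequestContext, ContainerResponseContext containerResponseContext) {
        javax.ws.rs.core.SecurityContext jaxRsContext = containerRequestContext.getSecurityContext();
        if (!(jaxRsContext instanceof JerseySecurityContext)) {
            // Also covers null: the request was not processed by Helidon security.
            return;
        }

        JerseySecurityContext jerseySecurityContext = (JerseySecurityContext) jaxRsContext;
        // NOTE(review): assumed non-null whenever a JerseySecurityContext is present - confirm.
        // A null check that merely skips the block below would fail open, so none is added here.
        SecurityFilterCommon.FilterContext filterContext =
                (SecurityFilterCommon.FilterContext) containerRequestContext.getProperty("io.helidon.security.jersey.FilterContext");
        SecurityDefinition methodSecurity = jerseySecurityContext.methodSecurity();
        SecurityContext helidonContext = jerseySecurityContext.securityContext();

        if (filterContext.isExplicitAtz() && !helidonContext.atzChecked()) {
            switch (containerResponseContext.getStatusInfo().getFamily()) {
                case CLIENT_ERROR:
                case SERVER_ERROR:
                    // Already an error response; left untouched.
                    break;
                default:
                    // The detailed entity is returned only in debug mode, which should stay off
                    // in production so that clients learn nothing about the failure.
                    if (featureConfig().isDebug()) {
                        containerResponseContext.setEntity("Authorization was marked as explicit, yet it was never called in resource method");
                    } else {
                        containerResponseContext.setEntity("");
                    }
                    containerResponseContext.setStatus(Response.Status.INTERNAL_SERVER_ERROR.getStatusCode());
                    // NOTE(review): the resource path comes from the request; confirm the log
                    // handler in use neutralizes line breaks before relying on this entry.
                    LOGGER.severe("Authorization failure. Request for " + filterContext.getResourcePath()
                            + " has failed, as it was marked as explicitly authorized, yet authorization was never called"
                            + " on security context. The method was invoked and may have changed data."
                            + " Marking as internal server error");
                    filterContext.setShouldFinish(true);
                    break;
            }
        }

        ResponseTracing responseTracing = SecurityTracing.get().responseTracing();
        try {
            if (methodSecurity.isAudited()) {
                boolean successful = containerResponseContext.getStatusInfo().getFamily() == Response.Status.Family.SUCCESSFUL;
                SecurityAuditEvent auditEvent = SecurityAuditEvent.audit(
                                successful ? methodSecurity.getAuditOkSeverity() : methodSecurity.getAuditErrorSeverity(),
                                methodSecurity.getAuditEventType(),
                                methodSecurity.getAuditMessageFormat())
                        .addParam(AuditEvent.AuditParam.plain("method", filterContext.getMethod()))
                        .addParam(AuditEvent.AuditParam.plain("path", filterContext.getResourcePath()))
                        .addParam(AuditEvent.AuditParam.plain("status", String.valueOf(containerResponseContext.getStatus())))
                        // Subject is the user, else the service, else the anonymous subject.
                        .addParam(AuditEvent.AuditParam.plain("subject",
                                helidonContext.user().or(helidonContext::service).orElse(SecurityContext.ANONYMOUS)))
                        .addParam(AuditEvent.AuditParam.plain("transport", "http"))
                        .addParam(AuditEvent.AuditParam.plain("resourceType", filterContext.getResourceName()))
                        .addParam(AuditEvent.AuditParam.plain("targetUri", filterContext.getTargetUri()));
                helidonContext.audit(auditEvent);
            }
        } finally {
            // The tracing span is finished even when auditing throws.
            responseTracing.finish();
        }
    }

    /**
     * Builds the filter context of a request from the matched resource method.
     *
     * @param containerRequestContext the request being filtered
     * @return a configured context, or one marked as finished when no definition method is known
     */
    @Override
    protected SecurityFilterCommon.FilterContext initRequestFiltering(ContainerRequestContext containerRequestContext) {
        SecurityFilterCommon.FilterContext filterContext = new SecurityFilterCommon.FilterContext();
        InvokedResource invokedResource = InvokedResource.create(containerRequestContext);
        return (SecurityFilterCommon.FilterContext) invokedResource.definitionMethod().map(method -> {
            filterContext.setMethodSecurity(
                    getMethodSecurity(invokedResource, method, (ExtendedUriInfo) containerRequestContext.getUriInfo()));
            filterContext.setResourceName(method.getDeclaringClass().getSimpleName());
            return configureContext(filterContext, containerRequestContext, containerRequestContext.getUriInfo());
        }).orElseGet(() -> {
            // No definition method: the context is marked finished and no method security is set.
            filterContext.setShouldFinish(true);
            return filterContext;
        });
    }

    @Override
    protected Logger logger() {
        return LOGGER;
    }

    /**
     * Resolves the class-level security definition of {@code cls}.
     *
     * @param cls                class to inspect; synthetic classes are unwrapped first
     * @param securityDefinition definition to inherit from (copied, never modified), or
     *                           {@code null} to start a new one
     * @return a new definition with the class annotations and analyzer responses applied
     */
    private SecurityDefinition securityForClass(Class<?> cls, SecurityDefinition securityDefinition) {
        Class<?> realClass = getRealClass(cls);
        Authenticated authenticated = realClass.getAnnotation(Authenticated.class);
        Authorized authorized = realClass.getAnnotation(Authorized.class);
        Audited audited = realClass.getAnnotation(Audited.class);

        SecurityDefinition definition = (securityDefinition == null)
                ? new SecurityDefinition(featureConfig().shouldAuthorizeAnnotatedOnly())
                : securityDefinition.copyMe();
        definition.add(authenticated);
        definition.add(authorized);
        definition.add(audited);

        // Unless authentication is limited to annotated endpoints, every endpoint requires it.
        if (!featureConfig().shouldAuthenticateAnnotatedOnly()) {
            definition.requiresAuthentication(true);
        }

        Map<Class<? extends Annotation>, List<Annotation>> classAnnotations = new HashMap<>();
        addCustomAnnotations(classAnnotations, realClass);
        definition.getSecurityLevels()
                .add(SecurityLevel.create(realClass.getName()).withClassAnnotations(classAnnotations).build());

        for (AnnotationAnalyzer analyzer : this.analyzers) {
            definition.analyzerResponse(analyzer, securityDefinition == null
                    ? analyzer.analyze(realClass)
                    : analyzer.analyze(realClass, securityDefinition.analyzerResponse(analyzer)));
        }
        return definition;
    }

    /**
     * Walks up the superclass chain until a non-synthetic class is found.
     *
     * <p>Stops at a class without a superclass instead of dereferencing {@code null}.
     */
    private static Class<?> getRealClass(Class<?> cls) {
        Class<?> current = cls;
        while (current.isSynthetic() && current.getSuperclass() != null) {
            current = current.getSuperclass();
        }
        return current;
    }

    /**
     * Resolves, and caches, the security definition of the invoked resource method.
     *
     * <p>Methods of classes annotated with {@link Path} are cached per method. Any other class is
     * treated as a sub-resource: the definition is accumulated along the chain of matched methods
     * and cached under a key built from that chain.
     *
     * @param invokedResource the invoked resource
     * @param method          definition method of the invoked resource
     * @param extendedUriInfo URI info used to find the matched runtime resources
     * @return the security definition to enforce for this invocation
     * @throws SecurityException if the definition class is not available
     */
    private SecurityDefinition getMethodSecurity(InvokedResource invokedResource, Method method, ExtendedUriInfo extendedUriInfo) {
        Class<?> realClass = getRealClass((Class<?>) invokedResource.definitionClass().orElseThrow(() -> {
            return new SecurityException("Got definition method, cannot get definition class");
        }));
        // Fails with NoSuchElementException when no Application is registered in the request context.
        Class<?> appRealClass = getRealClass(((Application) this.serverRequest.context().get(Application.class).get()).getClass());
        SecurityDefinition appDefinition = appClassSecurity(appRealClass);

        if (realClass.getAnnotation(Path.class) != null) {
            Map<Method, SecurityDefinition> methodCache = resourceMethodSecurity(appRealClass);
            SecurityDefinition cachedForMethod = methodCache.get(method);
            if (cachedForMethod != null) {
                return cachedForMethod;
            }
            SecurityDefinition classDefinition = resourceClassSecurity(appRealClass)
                    .computeIfAbsent(realClass, ignored -> securityForClass(realClass, appDefinition));
            SecurityDefinition methodDefinition = buildMethodSecurity(method, classDefinition);
            // Cached only once the analyzer responses are in place, so a concurrent request can
            // never read a definition that is still missing them.
            methodCache.put(method, methodDefinition);
            return methodDefinition;
        }

        PathVisitor pathVisitor = new PathVisitor();
        pathVisitor.visit(extendedUriInfo.getMatchedRuntimeResources());
        Collections.reverse(pathVisitor.list);

        StringBuilder keyBuilder = new StringBuilder();
        List<Method> methodChain = new LinkedList<>();
        for (Invocable invocable : pathVisitor.list) {
            Method definitionMethod = invocable.getDefinitionMethod();
            keyBuilder.append("/").append(definitionMethod.getDeclaringClass().getName())
                    .append(".").append(definitionMethod.getName());
            methodChain.add(definitionMethod);
        }
        keyBuilder.append("/").append(realClass.getName()).append(".").append(method.getName());
        methodChain.add(method);

        String cacheKey = keyBuilder.toString();
        Map<String, SecurityDefinition> subResourceCache = subResourceMethodSecurity(appRealClass);
        SecurityDefinition cachedForChain = subResourceCache.get(cacheKey);
        if (cachedForChain != null) {
            return cachedForChain;
        }

        // Each step inherits from the previous one, starting at the application definition.
        SecurityDefinition current = appDefinition;
        for (Method chainMethod : methodChain) {
            current = buildMethodSecurity(chainMethod, securityForClass(chainMethod.getDeclaringClass(), current));
        }
        subResourceCache.put(cacheKey, current);
        return current;
    }

    /**
     * Derives a method-level definition from a class-level one: copies it, applies the method's
     * security annotations, extends the last security level with the method name and annotations,
     * and records the analyzer responses for the method.
     */
    private SecurityDefinition buildMethodSecurity(Method method, SecurityDefinition classDefinition) {
        Authenticated authenticated = method.getAnnotation(Authenticated.class);
        Authorized authorized = method.getAnnotation(Authorized.class);
        Audited audited = method.getAnnotation(Audited.class);

        SecurityDefinition methodDefinition = classDefinition.copyMe();
        methodDefinition.add(authenticated);
        methodDefinition.add(authorized);
        methodDefinition.add(audited);

        int lastIndex = methodDefinition.getSecurityLevels().size() - 1;
        SecurityLevel classLevel = methodDefinition.getSecurityLevels().get(lastIndex);
        Map<Class<? extends Annotation>, List<Annotation>> methodAnnotations = new HashMap<>();
        addCustomAnnotations(methodAnnotations, method);
        methodDefinition.getSecurityLevels().set(lastIndex, SecurityLevel.create(classLevel)
                .withMethodName(method.getName())
                .withMethodAnnotations(methodAnnotations)
                .build());

        for (AnnotationAnalyzer analyzer : this.analyzers) {
            methodDefinition.analyzerResponse(analyzer, analyzer.analyze(method, classDefinition.analyzerResponse(analyzer)));
        }
        return methodDefinition;
    }

    /** Adds every annotation present on {@code cls} to {@code map}, grouped by annotation type. */
    private void addCustomAnnotations(Map<Class<? extends Annotation>, List<Annotation>> map, Class<?> cls) {
        for (Annotation annotation : cls.getAnnotations()) {
            addToMap(annotation.annotationType(), map, annotation);
        }
    }

    /** Appends the given annotations to the list stored under {@code cls}, creating it if needed. */
    private void addToMap(Class<? extends Annotation> cls, Map<Class<? extends Annotation>, List<Annotation>> map, Annotation... annotationArr) {
        map.computeIfAbsent(cls, ignored -> new LinkedList<>()).addAll(Arrays.asList(annotationArr));
    }

    /** Adds every annotation present on {@code method} to {@code map}, grouped by annotation type. */
    private void addCustomAnnotations(Map<Class<? extends Annotation>, List<Annotation>> map, Method method) {
        for (Annotation annotation : method.getAnnotations()) {
            addToMap(annotation.annotationType(), map, annotation);
        }
    }

    /** Returns the live, mutable list of loaded analyzers (not a copy). */
    List<AnnotationAnalyzer> analyzers() {
        return this.analyzers;
    }
}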
