package io.helidon.security.providers.abac;

import io.helidon.common.Errors;
import io.helidon.common.serviceloader.HelidonServiceLoader;
import io.helidon.config.Config;
import io.helidon.security.AuthorizationResponse;
import io.helidon.security.EndpointConfig;
import io.helidon.security.ProviderRequest;
import io.helidon.security.SecurityLevel;
import io.helidon.security.SecurityResponse;
import io.helidon.security.providers.abac.spi.AbacValidator;
import io.helidon.security.providers.abac.spi.AbacValidatorService;
import io.helidon.security.spi.AuthorizationProvider;
import io.helidon.security.spi.SynchronousProvider;
import java.lang.annotation.Annotation;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Optional;
import java.util.ServiceLoader;
import java.util.Set;
import java.util.stream.Collectors;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;

/* loaded from: input_file:io/helidon/security/providers/abac/AbacProvider.class */
public final class AbacProvider extends SynchronousProvider implements AuthorizationProvider {
    private static final String CONFIG_KEY = "abac";
    private final List<AbacValidator<? extends AbacValidatorConfig>> validators = new ArrayList();
    private final Set<Class<? extends Annotation>> supportedAnnotations;
    private final Set<String> supportedConfigKeys;
    private final Set<Class<? extends AbacValidatorConfig>> supportedCustomObjects;
    private final boolean failOnUnvalidated;
    private final boolean failIfNoneValidated;

    /* loaded from: input_file:io/helidon/security/providers/abac/AbacProvider$Builder.class */
    public static final class Builder implements io.helidon.common.Builder<AbacProvider> {
        private final List<AbacValidator<? extends AbacValidatorConfig>> validators = new ArrayList();
        private Config config = Config.empty();
        private boolean failOnUnvalidated = true;
        private boolean failIfNoneValidated = true;

        private Builder() {
        }

        /* renamed from: build, reason: merged with bridge method [inline-methods] */
        public AbacProvider m0build() {
            return new AbacProvider(this);
        }

        public Builder addValidator(AbacValidator<? extends AbacValidatorConfig> abacValidator) {
            this.validators.add(abacValidator);
            return this;
        }

        public Builder configuration(Config config) {
            this.config = config;
            return this;
        }

        public Builder failOnUnvalidated(boolean z) {
            this.failOnUnvalidated = z;
            return this;
        }

        public Builder failIfNoneValidated(boolean z) {
            this.failIfNoneValidated = z;
            return this;
        }

        public Builder config(Config config) {
            configuration(config);
            config.get("fail-on-unvalidated").asBoolean().ifPresent((v1) -> {
                failOnUnvalidated(v1);
            });
            config.get("fail-if-none-validated").asBoolean().ifPresent((v1) -> {
                failIfNoneValidated(v1);
            });
            return this;
        }
    }

    private AbacProvider(Builder builder) {
        Iterator it = HelidonServiceLoader.create(ServiceLoader.load(AbacValidatorService.class)).iterator();
        while (it.hasNext()) {
            AbacValidatorService abacValidatorService = (AbacValidatorService) it.next();
            this.validators.add(abacValidatorService.instantiate(builder.config.get(abacValidatorService.configKey())));
        }
        this.validators.addAll(builder.validators);
        HashSet hashSet = new HashSet();
        HashSet hashSet2 = new HashSet();
        HashSet hashSet3 = new HashSet();
        this.validators.forEach(abacValidator -> {
            hashSet.addAll(abacValidator.supportedAnnotations());
            hashSet2.add(abacValidator.configKey());
            hashSet3.add(abacValidator.configClass());
        });
        this.supportedAnnotations = Collections.unmodifiableSet(hashSet);
        this.supportedConfigKeys = Collections.unmodifiableSet(hashSet2);
        this.supportedCustomObjects = Collections.unmodifiableSet(hashSet3);
        this.failOnUnvalidated = builder.failOnUnvalidated;
        this.failIfNoneValidated = builder.failIfNoneValidated;
    }

    public static Builder builder() {
        return new Builder();
    }

    public static AbacProvider create(Config config) {
        return builder().config(config).m0build();
    }

    public static AbacProvider create() {
        return builder().m0build();
    }

    public Collection<Class<? extends Annotation>> supportedAnnotations() {
        return this.supportedAnnotations;
    }

    protected AuthorizationResponse syncAuthorize(ProviderRequest providerRequest) {
        Errors.Collector collector = Errors.collector();
        ArrayList<RuntimeAttribute> arrayList = new ArrayList();
        EndpointConfig endpointConfig = providerRequest.endpointConfig();
        validateAnnotations(endpointConfig, collector);
        validateConfig(endpointConfig, collector);
        validateCustom(endpointConfig, collector);
        Optional config = endpointConfig.config(CONFIG_KEY);
        for (AbacValidator<? extends AbacValidatorConfig> abacValidator : this.validators) {
            Class<? extends AbacValidatorConfig> configClass = abacValidator.configClass();
            String configKey = abacValidator.configKey();
            Collection<Class<? extends Annotation>> supportedAnnotations = abacValidator.supportedAnnotations();
            Optional instance = endpointConfig.instance(configClass);
            if (instance.isPresent()) {
                arrayList.add(new RuntimeAttribute(abacValidator, (AbacValidatorConfig) instance.get()));
            } else {
                config.flatMap(config2 -> {
                    return config2.get(configKey).asNode().asOptional();
                }).ifPresentOrElse(config3 -> {
                    arrayList.add(new RuntimeAttribute(abacValidator, abacValidator.fromConfig(config3)));
                }, () -> {
                    ArrayList arrayList2 = new ArrayList();
                    for (SecurityLevel securityLevel : endpointConfig.securityLevels()) {
                        Iterator it = supportedAnnotations.iterator();
                        while (it.hasNext()) {
                            arrayList2.addAll(securityLevel.combineAnnotations((Class) it.next(), EndpointConfig.AnnotationScope.values()));
                        }
                    }
                    if (arrayList2.isEmpty()) {
                        return;
                    }
                    arrayList.add(new RuntimeAttribute(abacValidator, abacValidator.fromAnnotations(endpointConfig)));
                });
            }
        }
        for (RuntimeAttribute runtimeAttribute : arrayList) {
            validate(runtimeAttribute.getValidator(), runtimeAttribute.getConfig(), collector, providerRequest);
        }
        Errors collect = collector.collect();
        return collect.isValid() ? AuthorizationResponse.permit() : AuthorizationResponse.builder().status(SecurityResponse.SecurityStatus.FAILURE).description(collect.toString()).build();
    }

    private <A extends AbacValidator<B>, B extends AbacValidatorConfig> void validate(A a, AbacValidatorConfig abacValidatorConfig, Errors.Collector collector, ProviderRequest providerRequest) {
        a.validate(abacValidatorConfig, collector, providerRequest);
    }

    private void validateCustom(EndpointConfig endpointConfig, Errors.Collector collector) {
        endpointConfig.instanceKeys().forEach(cls -> {
            int i = 0;
            int i2 = 0;
            LinkedList linkedList = new LinkedList();
            if (AbacValidatorConfig.class.isInstance(endpointConfig.instance(cls))) {
                i = 0 + 1;
                if (!this.supportedCustomObjects.contains(cls)) {
                    i2 = 0 + 1;
                    linkedList.add(cls.getName());
                }
            }
            boolean z = false;
            if (i2 != 0) {
                if (i2 == i && this.failIfNoneValidated) {
                    z = true;
                } else if (this.failOnUnvalidated) {
                    z = true;
                }
                if (z) {
                    Iterator it = linkedList.iterator();
                    while (it.hasNext()) {
                        collector.fatal(this, ((String) it.next()) + " custom object is not supported.");
                    }
                    collector.fatal(this, "Supported custom objects: " + this.supportedCustomObjects);
                }
            }
        });
    }

    private void validateConfig(EndpointConfig endpointConfig, Errors.Collector collector) {
        endpointConfig.config(CONFIG_KEY).ifPresent(config -> {
            validateAbacConfig(config, collector);
        });
    }

    private void validateAbacConfig(Config config, Errors.Collector collector) {
        List list = (List) ((List) config.asNodeList().orElseGet(List::of)).stream().map((v0) -> {
            return v0.name();
        }).collect(Collectors.toList());
        HashSet<String> hashSet = new HashSet(list);
        if (hashSet.size() != list.size()) {
            collector.fatal(list, "There are duplicit keys under \"abac\" node in configuration.");
        }
        int i = 0;
        int i2 = 0;
        LinkedList linkedList = new LinkedList();
        for (String str : hashSet) {
            i++;
            if (!this.supportedConfigKeys.contains(str)) {
                i2++;
                linkedList.add(str);
            }
        }
        boolean z = false;
        if (i2 != 0) {
            if (i2 == i && this.failIfNoneValidated) {
                z = true;
            } else if (this.failOnUnvalidated) {
                z = true;
            }
            if (z) {
                Iterator it = linkedList.iterator();
                while (it.hasNext()) {
                    collector.fatal(this, "\"" + ((String) it.next()) + "\" ABAC attribute config key is not supported.");
                }
                collector.fatal(this, "Supported ABAC config keys: " + this.supportedConfigKeys);
            }
        }
    }

    private void validateAnnotations(EndpointConfig endpointConfig, Errors.Collector collector) {
        for (SecurityLevel securityLevel : endpointConfig.securityLevels()) {
            int i = 0;
            int i2 = 0;
            LinkedList linkedList = new LinkedList();
            for (Class<? extends Annotation> cls : securityLevel.allAnnotations().keySet()) {
                if (null != ((AbacAnnotation) cls.getAnnotation(AbacAnnotation.class)) || isSupportedAnnotation(cls)) {
                    i++;
                    if (!this.supportedAnnotations.contains(cls)) {
                        i2++;
                        linkedList.add(cls.getName());
                    }
                }
            }
            if (i2 != 0) {
                boolean z = this.failOnUnvalidated;
                if (i2 == i && this.failIfNoneValidated) {
                    z = true;
                }
                if (z) {
                    Iterator it = linkedList.iterator();
                    while (it.hasNext()) {
                        collector.fatal(this, ((String) it.next()) + " attribute annotation is not supported.");
                    }
                    collector.fatal(this, "Supported annotations: " + this.supportedAnnotations);
                }
            }
        }
    }

    private boolean isSupportedAnnotation(Class<? extends Annotation> cls) {
        return RolesAllowed.class.equals(cls) || PermitAll.class.equals(cls) || DenyAll.class.equals(cls);
    }
}
