package io.helidon.security.providers.header;

import io.helidon.config.Config;
import io.helidon.config.metadata.Configured;
import io.helidon.security.AuthenticationResponse;
import io.helidon.security.EndpointConfig;
import io.helidon.security.OutboundSecurityResponse;
import io.helidon.security.Principal;
import io.helidon.security.ProviderRequest;
import io.helidon.security.SecurityEnvironment;
import io.helidon.security.SubjectType;
import io.helidon.security.providers.common.OutboundConfig;
import io.helidon.security.providers.common.OutboundTarget;
import io.helidon.security.spi.AuthenticationProvider;
import io.helidon.security.spi.OutboundSecurityProvider;
import io.helidon.security.spi.SecurityProvider;
import io.helidon.security.spi.SynchronousProvider;
import io.helidon.security.util.TokenHandler;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;

/* loaded from: input_file:io/helidon/security/providers/header/HeaderAtnProvider.class */
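/**
 * Security provider that takes the caller's identity from a request header and can
 * propagate an identity to outbound calls through a header.
 *
 * <p><b>Trust model.</b> On the inbound side the value returned by the configured
 * token handler is turned into a {@link Principal} as-is. This class performs no
 * signature, credential or origin check on that value. The provider is therefore only
 * as trustworthy as whatever sets the header: the deployment has to ensure that the
 * header is written by a trusted upstream component and that copies supplied directly
 * by clients are removed before the request reaches this provider.
 *
 * <p>Instances are created through {@link #builder()} or {@link #create(Config)}. All
 * fields are final and assigned once in the constructor.
 */
public class HeaderAtnProvider extends SynchronousProvider implements AuthenticationProvider, OutboundSecurityProvider {
    /** Description used for every failed authentication response of this provider. */
    private static final String HEADER_FAILURE = "Header not available or in a wrong format";

    // When true, a missing or unreadable header makes the provider abstain instead of fail.
    private final boolean optional;
    // When false, the provider abstains from inbound authentication altogether.
    private final boolean authenticate;
    // Whether outbound identity propagation is offered (resolved in Builder.build()).
    private final boolean propagate;
    // Kind of subject (user or service) the header identifies.
    private final SubjectType subjectType;
    // Handler reading the identity from inbound headers; may be null if never configured.
    private final TokenHandler atnTokenHandler;
    // Handler writing the identity to outbound headers when no target-specific config matches.
    private final TokenHandler outboundTokenHandler;
    // Per-target outbound configuration.
    private final OutboundConfig outboundConfig;
    // Fallback handler for a matched target that does not define its own token handler.
    private final TokenHandler defaultOutboundTokenHandler;

    /**
     * Fluent builder of {@link HeaderAtnProvider}.
     *
     * <p>Defaults visible here: {@code optional = false}, {@code authenticate = true},
     * subject type {@link SubjectType#USER}; {@code propagate} is left undecided until
     * {@link #build()} and no token handler is set.
     */
    @Configured(prefix = "header-atn", description = "Security provider that extracts a username (or service name) from a header.", provides = {SecurityProvider.class, AuthenticationProvider.class})
    public static final class Builder implements io.helidon.common.Builder<Builder, HeaderAtnProvider> {
        private Boolean propagate;
        private TokenHandler atnTokenHandler;
        private TokenHandler outboundTokenHandler;
        private OutboundConfig outboundConfig;
        private final OutboundConfig.Builder outboundBuilder = OutboundConfig.builder();
        private boolean optional = false;
        private boolean authenticate = true;
        private SubjectType subjectType = SubjectType.USER;

        private Builder() {
        }

        /**
         * Builds the provider from the current builder state.
         *
         * <p>Propagation is resolved here: unless it was explicitly set to {@code false},
         * it ends up enabled only when an outbound token handler or at least one outbound
         * target is configured (so an explicit {@code true} with nothing to propagate to
         * still yields {@code false}). When targets exist but no outbound token handler
         * was set, the inbound handler is reused for outbound calls.
         *
         * <p>NOTE(review): no check is made that an inbound token handler exists while
         * authentication is enabled; that misconfiguration only shows up per request in
         * {@code syncAuthenticate}.
         *
         * @return a new provider instance
         */
        public HeaderAtnProvider build() {
            this.outboundConfig = this.outboundBuilder.build();
            boolean hasTargets = !this.outboundConfig.targets().isEmpty();
            if (this.propagate == null || this.propagate) {
                this.propagate = this.outboundTokenHandler != null || hasTargets;
            }
            if (hasTargets && this.outboundTokenHandler == null) {
                this.outboundTokenHandler = this.atnTokenHandler;
            }
            return new HeaderAtnProvider(this);
        }

        /**
         * Same as {@link #build()}. This is the name the decompiler assigned to the build
         * method; it is kept so that code referring to that name keeps working.
         *
         * @return a new provider instance
         */
        public HeaderAtnProvider m2build() {
            return build();
        }

        /**
         * Updates this builder from configuration. Only keys that are present are applied.
         *
         * <p>Keys read: {@code optional}, {@code authenticate}, {@code propagate},
         * {@code principal-type}, {@code atn-token}, {@code outbound-token} and
         * {@code outbound} (a list of targets, added to the ones already present).
         * {@code principal-type} is resolved with {@code SubjectType.valueOf}, so it has to
         * be the exact constant name.
         *
         * @param config configuration node of this provider
         * @return this builder
         */
        public Builder config(Config config) {
            config.get("optional").asBoolean().ifPresent(this::optional);
            config.get("authenticate").asBoolean().ifPresent(this::authenticate);
            config.get("propagate").asBoolean().ifPresent(this::propagate);
            config.get("principal-type").asString().map(SubjectType::valueOf).ifPresent(this::subjectType);
            config.get("atn-token").as(TokenHandler::create).ifPresent(this::atnTokenHandler);
            config.get("outbound-token").as(TokenHandler::create).ifPresent(this::outboundTokenHandler);
            config.get("outbound").asList(OutboundTarget::create)
                    .ifPresent(targets -> targets.forEach(this.outboundBuilder::addTarget));
            return this;
        }

        /**
         * Sets the kind of subject the header identifies.
         *
         * <p>The value is validated before the builder is modified, so a rejected value
         * leaves the previous setting in place.
         *
         * @param subjectType {@link SubjectType#USER} or {@link SubjectType#SERVICE}
         * @return this builder
         * @throws NullPointerException if {@code subjectType} is {@code null}
         * @throws SecurityException if the subject type is not one of the supported ones
         */
        public Builder subjectType(SubjectType subjectType) {
            Objects.requireNonNull(subjectType, "subjectType");
            if (subjectType != SubjectType.USER && subjectType != SubjectType.SERVICE) {
                throw new SecurityException("Invalid configuration. Principal type not supported: " + subjectType);
            }
            this.subjectType = subjectType;
            return this;
        }

        /**
         * Requests or disables outbound identity propagation; see {@link #build()} for how
         * the final value is resolved.
         *
         * @param z {@code false} to disable propagation unconditionally
         * @return this builder
         */
        public Builder propagate(boolean z) {
            this.propagate = z;
            return this;
        }

        /**
         * Enables or disables inbound authentication by this provider.
         *
         * @param z {@code false} makes the provider abstain on every inbound request
         * @return this builder
         */
        public Builder authenticate(boolean z) {
            this.authenticate = z;
            return this;
        }

        /**
         * Sets the handler that extracts the identity from inbound request headers.
         *
         * @param tokenHandler handler to use for inbound requests
         * @return this builder
         */
        public Builder atnTokenHandler(TokenHandler tokenHandler) {
            this.atnTokenHandler = tokenHandler;
            return this;
        }

        /**
         * Sets the handler that writes the identity to outbound request headers.
         *
         * @param tokenHandler handler to use for outbound requests
         * @return this builder
         */
        public Builder outboundTokenHandler(TokenHandler tokenHandler) {
            this.outboundTokenHandler = tokenHandler;
            return this;
        }

        /**
         * Controls what happens when the header is missing or cannot be processed.
         *
         * <p>With {@code true} the provider abstains in that case, leaving the decision to
         * whatever else is configured in the security chain; with {@code false} the
         * request fails authentication.
         *
         * @param z whether this provider is optional
         * @return this builder
         */
        public Builder optional(boolean z) {
            this.optional = z;
            return this;
        }

        /**
         * Adds one outbound target.
         *
         * @param outboundTarget target to add
         * @return this builder
         */
        public Builder addOutboundTarget(OutboundTarget outboundTarget) {
            this.outboundBuilder.addTarget(outboundTarget);
            return this;
        }
    }

    private HeaderAtnProvider(Builder builder) {
        this.optional = builder.optional;
        this.authenticate = builder.authenticate;
        // Builder.build() always resolves propagate to a non-null value before calling this.
        this.propagate = builder.propagate;
        this.subjectType = builder.subjectType;
        this.atnTokenHandler = builder.atnTokenHandler;
        this.outboundTokenHandler = builder.outboundTokenHandler;
        this.outboundConfig = builder.outboundConfig;
        this.defaultOutboundTokenHandler = this.outboundTokenHandler == null ? this.atnTokenHandler : this.outboundTokenHandler;
    }

    /**
     * Creates a provider from configuration.
     *
     * @param config configuration node of this provider
     * @return a new provider instance
     */
    public static HeaderAtnProvider create(Config config) {
        return builder().config(config).build();
    }

    /**
     * Creates a builder with default settings.
     *
     * @return a new builder
     */
    public static Builder builder() {
        return new Builder();
    }

    /**
     * Authenticates the request from the configured header.
     *
     * <p>The extracted value becomes the principal without further verification by this
     * class (see the class documentation for the resulting trust requirement). If no
     * value is extracted, or anything in the extraction throws, the outcome depends on
     * {@code optional}: abstain when optional, fail otherwise.
     *
     * @param providerRequest request being authenticated
     * @return success for a user or a service, abstain, or failure
     */
    protected AuthenticationResponse syncAuthenticate(ProviderRequest providerRequest) {
        if (!this.authenticate) {
            return AuthenticationResponse.abstain();
        }
        try {
            return this.atnTokenHandler.extractToken(providerRequest.env().headers())
                    .map(Principal::create)
                    .map(principal -> this.subjectType == SubjectType.USER
                            ? AuthenticationResponse.success(principal)
                            : AuthenticationResponse.successService(principal))
                    .orElseGet(() -> this.optional
                            ? AuthenticationResponse.abstain()
                            : AuthenticationResponse.failed(HEADER_FAILURE));
        } catch (Exception e) {
            // Deliberately broad: this also catches the NullPointerException raised when no
            // inbound token handler was configured. With optional == true that
            // misconfiguration is reported as a plain abstain.
            return this.optional
                    ? AuthenticationResponse.abstain()
                    : AuthenticationResponse.failed(HEADER_FAILURE, e);
        }
    }

    /**
     * Tells whether this provider takes part in outbound security.
     *
     * @return the propagation flag resolved when the provider was built; the arguments
     *         are not consulted
     */
    public boolean isOutboundSupported(ProviderRequest providerRequest, SecurityEnvironment securityEnvironment, EndpointConfig endpointConfig) {
        return this.propagate;
    }

    /**
     * Adds the identity header to an outbound call.
     *
     * <p>Without a matching target configuration the current user (or service, depending
     * on the subject type) is written with the outbound token handler. With a matching
     * target, that target's token handler is preferred and an explicit user defined on
     * the target is sent <em>instead of</em> the current subject. Such a target asserts a
     * fixed identity regardless of who made the inbound call, so it should only point at
     * endpoints meant to receive it.
     *
     * @param providerRequest request holding the current security context
     * @param securityEnvironment environment of the outbound call
     * @param endpointConfig endpoint configuration (not used)
     * @return response carrying the outbound headers, or abstain when there is no
     *         identity or no handler to write it with
     */
    protected OutboundSecurityResponse syncOutbound(ProviderRequest providerRequest, SecurityEnvironment securityEnvironment, EndpointConfig endpointConfig) {
        // Optional subject of the current security context, chosen by the configured subject type.
        var subject = this.subjectType == SubjectType.USER
                ? providerRequest.securityContext().user()
                : providerRequest.securityContext().service();
        Optional<HeaderAtnOutboundConfig> targetConfig = this.outboundConfig.findTargetCustomObject(securityEnvironment, HeaderAtnOutboundConfig.class, HeaderAtnOutboundConfig::create, HeaderAtnOutboundConfig::create);
        if (targetConfig.isEmpty()) {
            if (this.outboundTokenHandler == null) {
                return OutboundSecurityResponse.abstain();
            }
            return subject.map(s -> s.principal())
                    .map(p -> p.id())
                    .map(id -> respond(securityEnvironment, this.outboundTokenHandler, id))
                    .orElseGet(OutboundSecurityResponse::abstain);
        }
        HeaderAtnOutboundConfig target = targetConfig.get();
        // NOTE(review): this is null when neither the target nor the provider has any token
        // handler; respond() then fails with a NullPointerException - confirm whether that
        // configuration can be reached.
        TokenHandler handler = target.tokenHandler().orElse(this.defaultOutboundTokenHandler);
        return target.explicitUser()
                .or(() -> subject.map(s -> s.principal()).map(p -> p.id()))
                .map(id -> respond(securityEnvironment, handler, id))
                .orElseGet(OutboundSecurityResponse::abstain);
    }

    /**
     * Builds the outbound response: copies the headers already present on the outbound
     * environment and lets the token handler write the identity into the copy.
     *
     * @param securityEnvironment environment of the outbound call
     * @param tokenHandler handler that writes the identity header
     * @param str identity to send
     * @return response carrying the resulting headers
     */
    private OutboundSecurityResponse respond(SecurityEnvironment securityEnvironment, TokenHandler tokenHandler, String str) {
        // Work on a copy so the environment's own header map is left untouched.
        Map<String, List<String>> headers = new HashMap<>(securityEnvironment.headers());
        tokenHandler.header(headers, str);
        return OutboundSecurityResponse.withHeaders(headers);
    }
}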
