package io.helidon.security.providers.httpauth;

import io.helidon.common.serviceloader.HelidonServiceLoader;
import io.helidon.config.Config;
import io.helidon.security.AuthenticationResponse;
import io.helidon.security.EndpointConfig;
import io.helidon.security.OutboundSecurityResponse;
import io.helidon.security.Principal;
import io.helidon.security.ProviderRequest;
import io.helidon.security.Role;
import io.helidon.security.SecurityContext;
import io.helidon.security.SecurityEnvironment;
import io.helidon.security.SecurityResponse;
import io.helidon.security.Subject;
import io.helidon.security.SubjectType;
import io.helidon.security.providers.common.OutboundConfig;
import io.helidon.security.providers.common.OutboundTarget;
import io.helidon.security.providers.httpauth.SecureUserStore;
import io.helidon.security.providers.httpauth.spi.UserStoreService;
import io.helidon.security.spi.AuthenticationProvider;
import io.helidon.security.spi.OutboundSecurityProvider;
import io.helidon.security.spi.SynchronousProvider;
import io.helidon.security.util.TokenHandler;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.ServiceLoader;
import java.util.logging.Logger;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/* loaded from: input_file:io/helidon/security/providers/httpauth/HttpBasicAuthProvider.class */
public class HttpBasicAuthProvider extends SynchronousProvider implements AuthenticationProvider, OutboundSecurityProvider {
    public static final String EP_PROPERTY_OUTBOUND_USER = "io.helidon.security.outbound.user";
    public static final String EP_PROPERTY_OUTBOUND_PASSWORD = "io.helidon.security.outbound.password";
    static final String HEADER_AUTHENTICATION_REQUIRED = "WWW-Authenticate";
    static final String HEADER_AUTHENTICATION = "authorization";
    static final String BASIC_PREFIX = "basic ";
    private static final Logger LOGGER = Logger.getLogger(HttpBasicAuthProvider.class.getName());
    private static final Pattern CREDENTIAL_PATTERN = Pattern.compile("(.*):(.*)");
    private final List<SecureUserStore> userStores;
    private final String realm;
    private final SubjectType subjectType;
    private final OutboundConfig outboundConfig;
    private final boolean outboundTargetsExist;

    /* renamed from: io.helidon.security.providers.httpauth.HttpBasicAuthProvider$1, reason: invalid class name */
    /* loaded from: input_file:io/helidon/security/providers/httpauth/HttpBasicAuthProvider$1.class */
    static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$io$helidon$security$SubjectType = new int[SubjectType.values().length];

        static {
            try {
                $SwitchMap$io$helidon$security$SubjectType[SubjectType.USER.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$io$helidon$security$SubjectType[SubjectType.SERVICE.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/helidon/security/providers/httpauth/HttpBasicAuthProvider$BasicPrivateCredentials.class */
    public static final class BasicPrivateCredentials {
        private final String username;
        private final char[] password;

        private BasicPrivateCredentials(String str, char[] cArr) {
            this.username = str;
            this.password = cArr;
        }
    }

    /* loaded from: input_file:io/helidon/security/providers/httpauth/HttpBasicAuthProvider$Builder.class */
    public static final class Builder implements io.helidon.common.Builder<HttpBasicAuthProvider> {
        private final List<SecureUserStore> userStores = new LinkedList();
        private final OutboundConfig.Builder outboundBuilder = OutboundConfig.builder();
        private String realm = "helidon";
        private SubjectType subjectType = SubjectType.USER;

        private Builder() {
        }

        public Builder config(Config config) {
            config.get("realm").asString().ifPresent(this::realm);
            config.get("principal-type").asString().as(SubjectType::valueOf).ifPresent(this::subjectType);
            HelidonServiceLoader.Builder builder = HelidonServiceLoader.builder(ServiceLoader.load(UserStoreService.class));
            final Config config2 = config.get("users");
            if (config2.exists() && !config2.isLeaf()) {
                builder.addService(new UserStoreService() { // from class: io.helidon.security.providers.httpauth.HttpBasicAuthProvider.Builder.1
                    @Override // io.helidon.security.providers.httpauth.spi.UserStoreService
                    public String configKey() {
                        return "users";
                    }

                    @Override // io.helidon.security.providers.httpauth.spi.UserStoreService
                    public SecureUserStore create(Config config3) {
                        return (SecureUserStore) config2.as(ConfigUserStore::create).orElseThrow(() -> {
                            return new HttpAuthException("No users configured! Key \"users\" must be in configuration");
                        });
                    }
                });
            }
            builder.build().forEach(userStoreService -> {
                addUserStore(userStoreService.create(config.get(userStoreService.configKey())));
            });
            config.get("outbound").asList(OutboundTarget::create).ifPresent(list -> {
                OutboundConfig.Builder builder2 = this.outboundBuilder;
                Objects.requireNonNull(builder2);
                list.forEach(builder2::addTarget);
            });
            return this;
        }

        /* renamed from: build, reason: merged with bridge method [inline-methods] */
        public HttpBasicAuthProvider m4build() {
            return new HttpBasicAuthProvider(this);
        }

        public Builder subjectType(SubjectType subjectType) {
            this.subjectType = subjectType;
            switch (AnonymousClass1.$SwitchMap$io$helidon$security$SubjectType[subjectType.ordinal()]) {
                case 1:
                case 2:
                    return this;
                default:
                    throw new SecurityException("Invalid configuration. Principal type not supported: " + subjectType);
            }
        }

        public Builder addUserStore(SecureUserStore secureUserStore) {
            this.userStores.add(secureUserStore);
            return this;
        }

        public Builder userStore(SecureUserStore secureUserStore) {
            this.userStores.clear();
            this.userStores.add(secureUserStore);
            return this;
        }

        public Builder realm(String str) {
            this.realm = str;
            return this;
        }

        public Builder addOutboundTarget(OutboundTarget outboundTarget) {
            this.outboundBuilder.addTarget(outboundTarget);
            return this;
        }
    }

    HttpBasicAuthProvider(Builder builder) {
        this.userStores = new LinkedList(builder.userStores);
        this.realm = builder.realm;
        this.subjectType = builder.subjectType;
        this.outboundConfig = builder.outboundBuilder.build();
        this.outboundTargetsExist = this.outboundConfig.targets().size() > 0;
    }

    public static Builder builder() {
        return new Builder();
    }

    public static HttpBasicAuthProvider create(Config config) {
        return builder().config(config).m4build();
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static OutboundSecurityResponse toBasicAuthOutbound(SecurityEnvironment securityEnvironment, TokenHandler tokenHandler, String str, char[] cArr) {
        String encodeToString = Base64.getEncoder().encodeToString((str + ":" + new String(cArr)).getBytes(StandardCharsets.UTF_8));
        HashMap hashMap = new HashMap(securityEnvironment.headers());
        tokenHandler.addHeader(hashMap, encodeToString);
        return OutboundSecurityResponse.withHeaders(hashMap);
    }

    public boolean isOutboundSupported(ProviderRequest providerRequest, SecurityEnvironment securityEnvironment, EndpointConfig endpointConfig) {
        if (endpointConfig.abacAttributeNames().contains(EP_PROPERTY_OUTBOUND_USER)) {
            return true;
        }
        return this.outboundTargetsExist;
    }

    protected OutboundSecurityResponse syncOutbound(ProviderRequest providerRequest, SecurityEnvironment securityEnvironment, EndpointConfig endpointConfig) {
        Optional abacAttribute = endpointConfig.abacAttribute(EP_PROPERTY_OUTBOUND_USER);
        if (abacAttribute.isPresent()) {
            return toBasicAuthOutbound(securityEnvironment, HttpBasicOutboundConfig.DEFAULT_TOKEN_HANDLER, abacAttribute.get().toString(), passwordFromEndpoint(endpointConfig));
        }
        Optional findTargetCustomObject = this.outboundConfig.findTargetCustomObject(securityEnvironment, HttpBasicOutboundConfig.class, HttpBasicOutboundConfig::create, HttpBasicOutboundConfig::create);
        if (findTargetCustomObject.isEmpty()) {
            return OutboundSecurityResponse.abstain();
        }
        HttpBasicOutboundConfig httpBasicOutboundConfig = (HttpBasicOutboundConfig) findTargetCustomObject.get();
        if (httpBasicOutboundConfig.hasExplicitUser()) {
            return toBasicAuthOutbound(securityEnvironment, httpBasicOutboundConfig.tokenHandler(), httpBasicOutboundConfig.explicitUser(), httpBasicOutboundConfig.explicitPassword());
        }
        SecurityContext securityContext = providerRequest.securityContext();
        Optional flatMap = securityContext.user().flatMap(this::credentialsFromSubject);
        if (flatMap.isEmpty()) {
            flatMap = securityContext.service().flatMap(this::credentialsFromSubject);
        }
        Optional map = endpointConfig.abacAttribute(EP_PROPERTY_OUTBOUND_PASSWORD).map(String::valueOf).map((v0) -> {
            return v0.toCharArray();
        });
        return (OutboundSecurityResponse) flatMap.map(basicPrivateCredentials -> {
            return toBasicAuthOutbound(securityEnvironment, httpBasicOutboundConfig.tokenHandler(), basicPrivateCredentials.username, (char[]) map.orElse(basicPrivateCredentials.password));
        }).orElseGet(OutboundSecurityResponse::abstain);
    }

    private Optional<BasicPrivateCredentials> credentialsFromSubject(Subject subject) {
        return subject.privateCredential(BasicPrivateCredentials.class);
    }

    private char[] passwordFromEndpoint(EndpointConfig endpointConfig) {
        return (char[]) endpointConfig.abacAttribute(EP_PROPERTY_OUTBOUND_PASSWORD).map(String::valueOf).map((v0) -> {
            return v0.toCharArray();
        }).orElse(HttpBasicOutboundConfig.EMPTY_PASSWORD);
    }

    protected AuthenticationResponse syncAuthenticate(ProviderRequest providerRequest) {
        List list = (List) providerRequest.env().headers().get(HEADER_AUTHENTICATION);
        return null == list ? fail("No authorization header") : (AuthenticationResponse) list.stream().filter(str -> {
            return str.toLowerCase().startsWith(BASIC_PREFIX);
        }).findFirst().map(this::validateBasicAuth).orElseGet(() -> {
            return fail("Authorization header does not contain basic authentication: " + list);
        });
    }

    private AuthenticationResponse validateBasicAuth(String str) {
        try {
            String str2 = new String(Base64.getDecoder().decode(str.substring(BASIC_PREFIX.length())), StandardCharsets.UTF_8);
            Matcher matcher = CREDENTIAL_PATTERN.matcher(str2);
            if (!matcher.matches()) {
                LOGGER.finest(() -> {
                    return "Basic authentication header with invalid content: " + str2;
                });
                return fail("Basic authentication header with invalid content");
            }
            String group = matcher.group(1);
            char[] charArray = matcher.group(2).toCharArray();
            Optional<SecureUserStore.User> empty = Optional.empty();
            Iterator<SecureUserStore> it = this.userStores.iterator();
            while (it.hasNext()) {
                empty = it.next().user(group);
                if (empty.isPresent()) {
                    break;
                }
            }
            return (AuthenticationResponse) empty.map(user -> {
                return user.isPasswordValid(charArray) ? this.subjectType == SubjectType.USER ? AuthenticationResponse.success(buildSubject(user, charArray)) : AuthenticationResponse.successService(buildSubject(user, charArray)) : invalidUser();
            }).orElseGet(this::invalidUser);
        } catch (IllegalArgumentException e) {
            return fail("Basic authentication header with invalid content - not base64 encoded");
        }
    }

    private AuthenticationResponse invalidUser() {
        return fail("Invalid username or password");
    }

    private AuthenticationResponse fail(String str) {
        return AuthenticationResponse.builder().statusCode(401).responseHeader(HEADER_AUTHENTICATION_REQUIRED, buildChallenge()).status(SecurityResponse.SecurityStatus.FAILURE).description(str).build();
    }

    private String buildChallenge() {
        return "Basic realm=\"" + this.realm + "\"";
    }

    private Subject buildSubject(SecureUserStore.User user, char[] cArr) {
        Subject.Builder addPrivateCredential = Subject.builder().principal(Principal.builder().name(user.login()).build()).addPrivateCredential(BasicPrivateCredentials.class, new BasicPrivateCredentials(user.login(), cArr));
        user.roles().forEach(str -> {
            addPrivateCredential.addGrant(Role.create(str));
        });
        return addPrivateCredential.build();
    }
}
