package io.helidon.security.providers.httpsign;

import io.helidon.config.Config;
import io.helidon.config.metadata.Configured;
import io.helidon.security.AuthenticationResponse;
import io.helidon.security.EndpointConfig;
import io.helidon.security.OutboundSecurityResponse;
import io.helidon.security.Principal;
import io.helidon.security.ProviderRequest;
import io.helidon.security.SecurityEnvironment;
import io.helidon.security.SecurityResponse;
import io.helidon.security.Subject;
import io.helidon.security.SubjectType;
import io.helidon.security.providers.common.OutboundConfig;
import io.helidon.security.providers.httpsign.SignedHeadersConfig;
import io.helidon.security.spi.AuthenticationProvider;
import io.helidon.security.spi.OutboundSecurityProvider;
import java.util.Collection;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.TreeMap;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.CompletionStage;
import java.util.concurrent.ConcurrentHashMap;

/* loaded from: input_file:io/helidon/security/providers/httpsign/HttpSignProvider.class */
public final class HttpSignProvider implements AuthenticationProvider, OutboundSecurityProvider {
    static final String ALGORITHM_HMAC = "hmac-sha256";
    static final String ALGORITHM_RSA = "rsa-sha256";
    static final SignedHeadersConfig DEFAULT_REQUIRED_HEADERS = SignedHeadersConfig.builder().defaultConfig(SignedHeadersConfig.HeadersConfig.create((List<String>) List.of("date", SignedHeadersConfig.REQUEST_TARGET))).config("get", SignedHeadersConfig.HeadersConfig.create(List.of("date", SignedHeadersConfig.REQUEST_TARGET, "host"), List.of("authorization"))).config("head", SignedHeadersConfig.HeadersConfig.create(List.of("date", SignedHeadersConfig.REQUEST_TARGET, "host"), List.of("authorization"))).config("delete", SignedHeadersConfig.HeadersConfig.create(List.of("date", SignedHeadersConfig.REQUEST_TARGET, "host"), List.of("authorization"))).config("put", SignedHeadersConfig.HeadersConfig.create(List.of("date", SignedHeadersConfig.REQUEST_TARGET, "host"), List.of("authorization"))).config("post", SignedHeadersConfig.HeadersConfig.create(List.of("date", SignedHeadersConfig.REQUEST_TARGET, "host"), List.of("authorization"))).m9build();
    static final String ATTRIB_NAME_KEY_ID = HttpSignProvider.class.getName() + ".keyId";
    private final boolean optional;
    private final String realm;
    private final Set<HttpSignHeader> acceptHeaders;
    private final SignedHeadersConfig inboundRequiredHeaders;
    private final Map<String, InboundClientDefinition> inboundKeys;
    private final OutboundConfig outboundConfig;
    private final Map<String, OutboundTargetDefinition> targetKeys = new ConcurrentHashMap();
    private final boolean backwardCompatibleEol;

    @Configured(prefix = "http-signatures", description = "HTTP header signature provider.", provides = {AuthenticationProvider.class})
    /* loaded from: input_file:io/helidon/security/providers/httpsign/HttpSignProvider$Builder.class */
    public static final class Builder implements io.helidon.common.Builder<Builder, HttpSignProvider> {
        private static final String DEFAULT_REALM_VALUE = "helidon";
        private boolean optional = true;
        private String realm = DEFAULT_REALM_VALUE;
        private final Set<HttpSignHeader> acceptHeaders = EnumSet.noneOf(HttpSignHeader.class);
        private SignedHeadersConfig inboundRequiredHeaders = SignedHeadersConfig.builder().m9build();
        private OutboundConfig outboundConfig = OutboundConfig.builder().build();
        private final Map<String, InboundClientDefinition> inboundKeys = new HashMap();
        private boolean backwardCompatibleEol = false;

        private Builder() {
        }

        /* renamed from: build, reason: merged with bridge method [inline-methods] */
        public HttpSignProvider m3build() {
            return new HttpSignProvider(this);
        }

        public Builder config(Config config) {
            config.get("headers").asList(HttpSignHeader.class).ifPresent(list -> {
                list.forEach(this::addAcceptHeader);
            });
            config.get("optional").asBoolean().ifPresent((v1) -> {
                optional(v1);
            });
            config.get("realm").asString().ifPresent(this::realm);
            config.get("sign-headers").as(SignedHeadersConfig::create).ifPresent(this::inboundRequiredHeaders);
            this.outboundConfig = OutboundConfig.create(config);
            config.get("inbound.keys").asList(InboundClientDefinition::create).ifPresent(list2 -> {
                list2.forEach(inboundClientDefinition -> {
                    this.inboundKeys.put(inboundClientDefinition.keyId(), inboundClientDefinition);
                });
            });
            config.get("backward-compatible-eol").asBoolean().ifPresent(this::backwardCompatibleEol);
            return this;
        }

        public Builder outbound(OutboundConfig outboundConfig) {
            this.outboundConfig = outboundConfig;
            return this;
        }

        public Builder addInbound(InboundClientDefinition inboundClientDefinition) {
            this.inboundKeys.put(inboundClientDefinition.keyId(), inboundClientDefinition);
            return this;
        }

        public Builder inboundRequiredHeaders(SignedHeadersConfig signedHeadersConfig) {
            this.inboundRequiredHeaders = signedHeadersConfig;
            return this;
        }

        public Builder addAcceptHeader(HttpSignHeader httpSignHeader) {
            this.acceptHeaders.add(httpSignHeader);
            return this;
        }

        public Builder optional(boolean z) {
            this.optional = z;
            return this;
        }

        public Builder realm(String str) {
            this.realm = str;
            return this;
        }

        public Builder backwardCompatibleEol(Boolean bool) {
            this.backwardCompatibleEol = bool.booleanValue();
            return this;
        }
    }

    private HttpSignProvider(Builder builder) {
        this.optional = builder.optional;
        this.realm = builder.realm;
        this.acceptHeaders = builder.acceptHeaders.isEmpty() ? EnumSet.of(HttpSignHeader.SIGNATURE, HttpSignHeader.AUTHORIZATION) : EnumSet.copyOf((Collection) builder.acceptHeaders);
        this.inboundRequiredHeaders = builder.inboundRequiredHeaders;
        this.inboundKeys = builder.inboundKeys;
        this.outboundConfig = builder.outboundConfig;
        this.backwardCompatibleEol = builder.backwardCompatibleEol;
        this.outboundConfig.targets().forEach(outboundTarget -> {
            outboundTarget.getConfig().ifPresent(config -> {
                this.targetKeys.put(outboundTarget.name(), (OutboundTargetDefinition) config.get("signature").as(OutboundTargetDefinition::create).get());
            });
        });
    }

    public static HttpSignProvider create(Config config) {
        return builder().config(config).m3build();
    }

    public static Builder builder() {
        return new Builder();
    }

    public CompletionStage<AuthenticationResponse> authenticate(ProviderRequest providerRequest) {
        Map headers = providerRequest.env().headers();
        return (headers.get("Signature") == null || !this.acceptHeaders.contains(HttpSignHeader.SIGNATURE)) ? (headers.get("Authorization") == null || !this.acceptHeaders.contains(HttpSignHeader.AUTHORIZATION)) ? this.optional ? CompletableFuture.completedFuture(AuthenticationResponse.abstain()) : CompletableFuture.completedFuture(AuthenticationResponse.failed("Missing header. Accepted headers: " + this.acceptHeaders)) : CompletableFuture.supplyAsync(() -> {
            return authorizeHeader(providerRequest.env());
        }, providerRequest.securityContext().executorService()) : CompletableFuture.supplyAsync(() -> {
            return signatureHeader((List) headers.get("Signature"), providerRequest.env());
        }, providerRequest.securityContext().executorService());
    }

    private AuthenticationResponse authorizeHeader(SecurityEnvironment securityEnvironment) {
        AuthenticationResponse authenticationResponse = null;
        for (String str : (List) securityEnvironment.headers().get("Authorization")) {
            if (str.toLowerCase().startsWith("signature ")) {
                authenticationResponse = signatureHeader(List.of(str.substring("singature ".length())), securityEnvironment);
                if (authenticationResponse.status().isSuccess()) {
                    return authenticationResponse;
                }
            }
        }
        if (this.optional) {
            return AuthenticationResponse.abstain();
        }
        return challenge(securityEnvironment, null == authenticationResponse ? "No Signature authorization header" : (String) authenticationResponse.description().orElse("Unknown problem"));
    }

    private AuthenticationResponse challenge(SecurityEnvironment securityEnvironment, String str) {
        return AuthenticationResponse.builder().responseHeader("WWW-Authenticate", "Signature realm=\"" + this.realm + ",headers=\"" + headersForMethod(securityEnvironment.method()) + "\"").status(SecurityResponse.SecurityStatus.FAILURE).statusCode(401).description(str).build();
    }

    private String headersForMethod(String str) {
        return String.join(" ", this.inboundRequiredHeaders.headers(str.toLowerCase()));
    }

    private AuthenticationResponse signatureHeader(List<String> list, SecurityEnvironment securityEnvironment) {
        String str = list.isEmpty() ? "No signature values for Signature header" : null;
        Iterator<String> it = list.iterator();
        while (it.hasNext()) {
            HttpSignature fromHeader = HttpSignature.fromHeader(it.next(), this.backwardCompatibleEol);
            Optional<String> validate = fromHeader.validate();
            if (validate.isPresent()) {
                str = validate.get();
            } else {
                InboundClientDefinition inboundClientDefinition = this.inboundKeys.get(fromHeader.getKeyId());
                if (null != inboundClientDefinition) {
                    return validateSignature(securityEnvironment, fromHeader, inboundClientDefinition);
                }
                str = "Client definition for client with key " + fromHeader.getKeyId() + " not found";
            }
        }
        return this.optional ? AuthenticationResponse.abstain() : AuthenticationResponse.failed(str);
    }

    private AuthenticationResponse validateSignature(SecurityEnvironment securityEnvironment, HttpSignature httpSignature, InboundClientDefinition inboundClientDefinition) {
        Optional<String> validate = httpSignature.validate(securityEnvironment, inboundClientDefinition, this.inboundRequiredHeaders.headers(securityEnvironment.method(), securityEnvironment.headers()));
        if (validate.isPresent()) {
            return AuthenticationResponse.failed(validate.get());
        }
        Subject build = Subject.builder().principal(Principal.builder().name(inboundClientDefinition.principalName()).addAttribute(ATTRIB_NAME_KEY_ID, inboundClientDefinition.keyId()).build()).build();
        return inboundClientDefinition.subjectType() == SubjectType.USER ? AuthenticationResponse.success(build) : AuthenticationResponse.successService(build);
    }

    public boolean isOutboundSupported(ProviderRequest providerRequest, SecurityEnvironment securityEnvironment, EndpointConfig endpointConfig) {
        return this.outboundConfig.findTarget(securityEnvironment).isPresent();
    }

    public CompletionStage<OutboundSecurityResponse> outboundSecurity(ProviderRequest providerRequest, SecurityEnvironment securityEnvironment, EndpointConfig endpointConfig) {
        return CompletableFuture.supplyAsync(() -> {
            return signRequest(securityEnvironment);
        }, providerRequest.securityContext().executorService());
    }

    private OutboundSecurityResponse signRequest(SecurityEnvironment securityEnvironment) {
        return (OutboundSecurityResponse) this.outboundConfig.findTarget(securityEnvironment).map(outboundTarget -> {
            OutboundTargetDefinition computeIfAbsent = this.targetKeys.computeIfAbsent(outboundTarget.name(), str -> {
                return (OutboundTargetDefinition) outboundTarget.getConfig().flatMap(config -> {
                    return config.get("signature").as(OutboundTargetDefinition.class).asOptional();
                }).orElse((OutboundTargetDefinition) outboundTarget.customObject(OutboundTargetDefinition.class).orElseThrow(() -> {
                    return new HttpSignatureException("Failed to find configuration for outbound signatures for target " + outboundTarget.name());
                }));
            });
            TreeMap treeMap = new TreeMap(String.CASE_INSENSITIVE_ORDER);
            treeMap.putAll(securityEnvironment.headers());
            HttpSignature sign = HttpSignature.sign(securityEnvironment, computeIfAbsent, treeMap, computeIfAbsent.backwardCompatibleEol());
            OutboundSecurityResponse.Builder status = OutboundSecurityResponse.builder().requestHeaders(treeMap).status(SecurityResponse.SecurityStatus.SUCCESS);
            switch (computeIfAbsent.header()) {
                case SIGNATURE:
                    status.requestHeader("Signature", sign.toSignatureHeader());
                    break;
                case AUTHORIZATION:
                    status.requestHeader("Authorization", "Signature " + sign.toSignatureHeader());
                    break;
                case CUSTOM:
                    HashMap hashMap = new HashMap();
                    computeIfAbsent.tokenHandler().addHeader(hashMap, sign.toSignatureHeader());
                    Objects.requireNonNull(status);
                    hashMap.forEach((str2, list) -> {
                        status.requestHeader(str2, list);
                    });
                    break;
                default:
                    throw new HttpSignatureException("Invalid header configuration: " + computeIfAbsent.header());
            }
            Map headers = securityEnvironment.headers();
            if (headers.containsKey("host")) {
                status.requestHeader("host", (List) headers.get("host"));
            }
            if (headers.containsKey("date")) {
                status.requestHeader("date", (List) headers.get("date"));
            }
            return status.build();
        }).orElse(OutboundSecurityResponse.empty());
    }
}
