package io.helidon.security.providers.oidc;

import io.helidon.common.configurable.LruCache;
import io.helidon.common.reactive.Single;
import io.helidon.common.serviceloader.HelidonServiceLoader;
import io.helidon.config.Config;
import io.helidon.config.DeprecatedConfig;
import io.helidon.config.metadata.Configured;
import io.helidon.security.AuthenticationResponse;
import io.helidon.security.EndpointConfig;
import io.helidon.security.OutboundSecurityResponse;
import io.helidon.security.ProviderRequest;
import io.helidon.security.SecurityEnvironment;
import io.helidon.security.Subject;
import io.helidon.security.abac.scope.ScopeValidator;
import io.helidon.security.providers.common.OutboundConfig;
import io.helidon.security.providers.common.OutboundTarget;
import io.helidon.security.providers.common.TokenCredential;
import io.helidon.security.providers.oidc.common.OidcConfig;
import io.helidon.security.providers.oidc.common.Tenant;
import io.helidon.security.providers.oidc.common.TenantConfig;
import io.helidon.security.providers.oidc.common.spi.TenantConfigFinder;
import io.helidon.security.providers.oidc.common.spi.TenantConfigProvider;
import io.helidon.security.providers.oidc.common.spi.TenantIdFinder;
import io.helidon.security.providers.oidc.common.spi.TenantIdProvider;
import io.helidon.security.spi.AuthenticationProvider;
import io.helidon.security.spi.OutboundSecurityProvider;
import io.helidon.security.spi.SecurityProvider;
import io.helidon.security.util.TokenHandler;
import java.lang.annotation.Annotation;
import java.util.Collection;
import java.util.HashMap;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.ServiceLoader;
import java.util.Set;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.CompletionStage;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.stream.Collectors;

/* loaded from: input_file:io/helidon/security/providers/oidc/OidcProvider.class */
public final class OidcProvider implements AuthenticationProvider, OutboundSecurityProvider {
    private static final Logger LOGGER = Logger.getLogger(OidcProvider.class.getName());
    private final boolean optional;
    private final OidcConfig oidcConfig;
    private final List<TenantIdFinder> tenantIdFinders;
    private final List<TenantConfigFinder> tenantConfigFinders;
    private final boolean propagate;
    private final OidcOutboundConfig outboundConfig;
    private final boolean useJwtGroups;
    private final LruCache<String, TenantAuthenticationHandler> tenantAuthHandlers = LruCache.create();

    @Configured(prefix = OidcProviderService.PROVIDER_CONFIG_KEY, description = "Open ID Connect security provider", provides = {AuthenticationProvider.class, SecurityProvider.class})
    /* loaded from: input_file:io/helidon/security/providers/oidc/OidcProvider$Builder.class */
    public static final class Builder implements io.helidon.common.Builder<Builder, OidcProvider> {
        private static final int BUILDER_PRIORITY = 50000;
        private static final int DEFAULT_PRIORITY = 100000;
        private OidcConfig oidcConfig;
        private List<TenantIdFinder> tenantIdFinders;
        private List<TenantConfigFinder> tenantConfigFinders;
        private Boolean propagate;
        private OutboundConfig outboundConfig;
        private final HelidonServiceLoader.Builder<TenantConfigProvider> tenantConfigProviders = HelidonServiceLoader.builder(ServiceLoader.load(TenantConfigProvider.class)).defaultPriority(DEFAULT_PRIORITY);
        private final HelidonServiceLoader.Builder<TenantIdProvider> tenantIdProviders = HelidonServiceLoader.builder(ServiceLoader.load(TenantIdProvider.class)).defaultPriority(DEFAULT_PRIORITY);
        private boolean optional = false;
        private boolean useJwtGroups = true;
        private Config config = Config.empty();
        private TokenHandler defaultOutboundHandler = TokenHandler.builder().tokenHeader("Authorization").tokenPrefix("Bearer ").build();

        /* renamed from: build, reason: merged with bridge method [inline-methods] */
        public OidcProvider m2build() {
            if (null == this.oidcConfig) {
                throw new IllegalArgumentException("OidcConfig must be configured");
            }
            this.tenantIdProviders.addService(new DefaultTenantIdProvider());
            this.tenantConfigFinders = (List) this.tenantConfigProviders.build().asList().stream().map(tenantConfigProvider -> {
                return tenantConfigProvider.createTenantConfigFinder(this.config);
            }).collect(Collectors.toList());
            this.tenantIdFinders = (List) this.tenantIdProviders.build().asList().stream().map(tenantIdProvider -> {
                return tenantIdProvider.createTenantIdFinder(this.config);
            }).collect(Collectors.toList());
            if (this.outboundConfig == null) {
                this.outboundConfig = OutboundConfig.builder().build();
            }
            if (this.propagate == null) {
                this.propagate = Boolean.valueOf(this.outboundConfig.targets().size() > 0);
            }
            return new OidcProvider(this, new OidcOutboundConfig(this.outboundConfig, this.defaultOutboundHandler));
        }

        public Builder config(Config config) {
            this.config = config;
            config.get("optional").asBoolean().ifPresent((v1) -> {
                optional(v1);
            });
            if (null == this.oidcConfig && config.get("identity-uri").exists()) {
                this.oidcConfig = OidcConfig.create(config);
            }
            config.get("propagate").asBoolean().ifPresent((v1) -> {
                propagate(v1);
            });
            if (null == this.outboundConfig) {
                config.get("outbound").ifExists(config2 -> {
                    outboundConfig(OutboundConfig.create(config));
                });
            }
            config.get("use-jwt-groups").asBoolean().ifPresent((v1) -> {
                useJwtGroups(v1);
            });
            config.get("discover-tenant-config-providers").asBoolean().ifPresent((v1) -> {
                discoverTenantConfigProviders(v1);
            });
            config.get("discover-tenant-id-providers").asBoolean().ifPresent((v1) -> {
                discoverTenantIdProviders(v1);
            });
            return this;
        }

        public Builder propagate(boolean z) {
            this.propagate = Boolean.valueOf(z);
            return this;
        }

        public Builder outboundConfig(OutboundConfig outboundConfig) {
            this.outboundConfig = outboundConfig;
            return this;
        }

        public Builder oidcConfig(OidcConfig oidcConfig) {
            this.oidcConfig = oidcConfig;
            return this;
        }

        public Builder optional(boolean z) {
            this.optional = z;
            return this;
        }

        public Builder useJwtGroups(boolean z) {
            this.useJwtGroups = z;
            return this;
        }

        public Builder discoverTenantConfigProviders(boolean z) {
            this.tenantConfigProviders.useSystemServiceLoader(z);
            return this;
        }

        public Builder discoverTenantIdProviders(boolean z) {
            this.tenantIdProviders.useSystemServiceLoader(z);
            return this;
        }

        public Builder addTenantConfigFinder(TenantConfigFinder tenantConfigFinder) {
            return addTenantConfigFinder(tenantConfigFinder, BUILDER_PRIORITY);
        }

        public Builder addTenantConfigFinder(TenantConfigFinder tenantConfigFinder, int i) {
            this.tenantConfigProviders.addService(config -> {
                return tenantConfigFinder;
            }, i);
            return this;
        }

        public Builder addTenantConfigFinder(TenantIdFinder tenantIdFinder) {
            return addTenantConfigFinder(tenantIdFinder, BUILDER_PRIORITY);
        }

        public Builder addTenantConfigFinder(TenantIdFinder tenantIdFinder, int i) {
            this.tenantIdProviders.addService(config -> {
                return tenantIdFinder;
            }, i);
            return this;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/helidon/security/providers/oidc/OidcProvider$OidcOutboundConfig.class */
    public static final class OidcOutboundConfig {
        private final Map<OutboundTarget, OidcOutboundTarget> targetCache = new HashMap();
        private final OutboundConfig outboundConfig;
        private final TokenHandler defaultTokenHandler;
        private final OidcOutboundTarget defaultTarget;

        private OidcOutboundConfig(OutboundConfig outboundConfig, TokenHandler tokenHandler) {
            this.outboundConfig = outboundConfig;
            this.defaultTokenHandler = tokenHandler;
            this.defaultTarget = new OidcOutboundTarget(true, tokenHandler);
        }

        private boolean hasOutbound() {
            return this.outboundConfig.targets().size() > 0;
        }

        private OidcOutboundTarget findTarget(SecurityEnvironment securityEnvironment) {
            return (OidcOutboundTarget) this.outboundConfig.findTarget(securityEnvironment).map(outboundTarget -> {
                return this.targetCache.computeIfAbsent(outboundTarget, outboundTarget -> {
                    return new OidcOutboundTarget(((Boolean) outboundTarget.getConfig().flatMap(config -> {
                        return config.get("propagate").asBoolean().asOptional();
                    }).orElse(true)).booleanValue(), (TokenHandler) outboundTarget.getConfig().flatMap(config2 -> {
                        return DeprecatedConfig.get(config2, "outbound-token", "token").as(TokenHandler::create).asOptional();
                    }).orElse(this.defaultTokenHandler));
                });
            }).orElse(this.defaultTarget);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/helidon/security/providers/oidc/OidcProvider$OidcOutboundTarget.class */
    public static final class OidcOutboundTarget {
        private final boolean propagate;
        private final TokenHandler tokenHandler;

        private OidcOutboundTarget(boolean z, TokenHandler tokenHandler) {
            this.propagate = z;
            this.tokenHandler = tokenHandler;
        }
    }

    private OidcProvider(Builder builder, OidcOutboundConfig oidcOutboundConfig) {
        this.optional = builder.optional;
        this.oidcConfig = builder.oidcConfig;
        this.propagate = builder.propagate.booleanValue() && oidcOutboundConfig.hasOutbound();
        this.useJwtGroups = builder.useJwtGroups;
        this.outboundConfig = oidcOutboundConfig;
        this.tenantConfigFinders = List.copyOf(builder.tenantConfigFinders);
        this.tenantIdFinders = List.copyOf(builder.tenantIdFinders);
        this.tenantConfigFinders.forEach(tenantConfigFinder -> {
            LruCache<String, TenantAuthenticationHandler> lruCache = this.tenantAuthHandlers;
            Objects.requireNonNull(lruCache);
            tenantConfigFinder.onChange((v1) -> {
                r1.remove(v1);
            });
        });
    }

    public static OidcProvider create(Config config) {
        return builder().config(config).m2build();
    }

    public static OidcProvider create(OidcConfig oidcConfig) {
        return builder().oidcConfig(oidcConfig).m2build();
    }

    public static Builder builder() {
        return new Builder();
    }

    public Collection<Class<? extends Annotation>> supportedAnnotations() {
        return Set.of(ScopeValidator.Scope.class, ScopeValidator.Scopes.class);
    }

    public CompletionStage<AuthenticationResponse> authenticate(ProviderRequest providerRequest) {
        return ((Single) this.tenantIdFinders.stream().map(tenantIdFinder -> {
            return tenantIdFinder.tenantId(providerRequest);
        }).flatMap((v0) -> {
            return v0.stream();
        }).findFirst().map((v0) -> {
            return Single.just(v0);
        }).orElseGet(() -> {
            return findTenantIdFromRedirects(providerRequest);
        })).flatMapCompletionStage(str -> {
            return authenticateWithTenant(str, providerRequest);
        });
    }

    private CompletionStage<AuthenticationResponse> authenticateWithTenant(String str, ProviderRequest providerRequest) {
        Optional optional = this.tenantAuthHandlers.get(str);
        return optional.isPresent() ? ((TenantAuthenticationHandler) optional.get()).authenticate(str, providerRequest) : CompletableFuture.supplyAsync(() -> {
            TenantAuthenticationHandler tenantAuthenticationHandler = new TenantAuthenticationHandler(this.oidcConfig, Tenant.create(this.oidcConfig, (TenantConfig) this.tenantConfigFinders.stream().map(tenantConfigFinder -> {
                return tenantConfigFinder.config(str);
            }).flatMap((v0) -> {
                return v0.stream();
            }).findFirst().orElse(this.oidcConfig.tenantConfig(str))), this.useJwtGroups, this.optional);
            return (TenantAuthenticationHandler) this.tenantAuthHandlers.computeValue(str, () -> {
                return Optional.of(tenantAuthenticationHandler);
            }).get();
        }, providerRequest.securityContext().executorService()).thenCompose(tenantAuthenticationHandler -> {
            return tenantAuthenticationHandler.authenticate(str, providerRequest);
        });
    }

    private Single<String> findTenantIdFromRedirects(ProviderRequest providerRequest) {
        LinkedList linkedList = new LinkedList();
        Optional empty = Optional.empty();
        linkedList.add("tenant-id-finder");
        if (this.oidcConfig.useParam()) {
            empty = providerRequest.env().queryParams().first(this.oidcConfig.tenantParamName());
            if (empty.isEmpty()) {
                linkedList.add("query-param");
            }
        }
        if (this.oidcConfig.useCookie() && empty.isEmpty()) {
            Optional findCookie = this.oidcConfig.tenantCookieHandler().findCookie(providerRequest.env().headers());
            if (findCookie.isPresent()) {
                return (Single) findCookie.get();
            }
            linkedList.add("cookie");
        }
        if (empty.isPresent()) {
            return Single.just((String) empty.get());
        }
        if (LOGGER.isLoggable(Level.FINEST)) {
            LOGGER.finest("Missing tenant id, could not find in either of: " + linkedList + "Falling back to the default tenant id: @default");
        }
        return Single.just("@default");
    }

    public boolean isOutboundSupported(ProviderRequest providerRequest, SecurityEnvironment securityEnvironment, EndpointConfig endpointConfig) {
        if (this.propagate) {
            return this.outboundConfig.findTarget(securityEnvironment).propagate;
        }
        return false;
    }

    public CompletionStage<OutboundSecurityResponse> outboundSecurity(ProviderRequest providerRequest, SecurityEnvironment securityEnvironment, EndpointConfig endpointConfig) {
        Optional user = providerRequest.securityContext().user();
        if (user.isPresent()) {
            Optional publicCredential = ((Subject) user.get()).publicCredential(TokenCredential.class);
            if (publicCredential.isPresent()) {
                String str = ((TokenCredential) publicCredential.get()).token();
                OidcOutboundTarget findTarget = this.outboundConfig.findTarget(securityEnvironment);
                if (findTarget.propagate) {
                    HashMap hashMap = new HashMap(securityEnvironment.headers());
                    findTarget.tokenHandler.header(hashMap, str);
                    return CompletableFuture.completedFuture(OutboundSecurityResponse.withHeaders(hashMap));
                }
            }
        }
        return CompletableFuture.completedFuture(OutboundSecurityResponse.empty());
    }
}
