package io.helidon.security.abac.role;

import io.helidon.common.Errors;
import io.helidon.common.config.Config;
import io.helidon.security.EndpointConfig;
import io.helidon.security.ProviderRequest;
import io.helidon.security.Role;
import io.helidon.security.SecurityLevel;
import io.helidon.security.Subject;
import io.helidon.security.SubjectType;
import io.helidon.security.providers.abac.AbacAnnotation;
import io.helidon.security.providers.abac.AbacValidatorConfig;
import io.helidon.security.providers.abac.spi.AbacValidator;
import jakarta.annotation.security.DenyAll;
import jakarta.annotation.security.PermitAll;
import jakarta.annotation.security.RolesAllowed;
import java.lang.annotation.Annotation;
import java.lang.annotation.Documented;
import java.lang.annotation.ElementType;
import java.lang.annotation.Inherited;
import java.lang.annotation.Repeatable;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;

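/* loaded from: input_file:io/helidon/security/abac/role/RoleValidator.class */
/**
 * ABAC validator that enforces role membership on an endpoint.
 *
 * <p>The effective {@link RoleConfig} is assembled either from configuration
 * (key {@code roles-allowed}) or from the {@code RolesAllowed}, {@link Roles},
 * {@link RolesContainer}, {@code PermitAll} and {@code DenyAll} annotations found on
 * the endpoint's security levels. At validation time:
 * <ul>
 *   <li>{@code denyAll} is checked first and always produces a fatal error;</li>
 *   <li>otherwise {@code permitAll} short-circuits with no check;</li>
 *   <li>otherwise user roles and service roles are checked independently; a
 *       subject passes a non-empty role set when it holds <em>at least one</em>
 *       of the listed roles. An empty role set is not checked at all.</li>
 * </ul>
 *
 * <p>Note: this listing is decompiled output; the {@code mN}-prefixed method names
 * are decompiler renames of {@code build}, {@code fromConfig} and
 * {@code fromAnnotations} (see the "renamed from" comments) and are kept here so the
 * listing's interface is unchanged.
 */
public final class RoleValidator implements AbacValidator<RoleConfig> {

    /* loaded from: input_file:io/helidon/security/abac/role/RoleValidator$RoleConfig.class */
    /**
     * Immutable role configuration for a single endpoint: the user roles and service
     * roles that grant access, plus the {@code permitAll} / {@code denyAll} overrides.
     * Instances are created through {@link #builder()} or the {@code create} factories.
     */
    public static final class RoleConfig implements AbacValidatorConfig {
        // Roles required of the user subject (any one suffices). Unordered.
        private final Set<String> userRolesAllowed = new HashSet<>();
        // Roles required of the service subject (any one suffices). Unordered.
        private final Set<String> serviceRolesAllowed = new HashSet<>();
        // When true, validation succeeds without a role check (unless denyAll is also true).
        private boolean permitAll;
        // When true, validation always fails; takes precedence over permitAll.
        private boolean denyAll;

        /* loaded from: input_file:io/helidon/security/abac/role/RoleValidator$RoleConfig$Builder.class */
        /**
         * Fluent builder for {@link RoleConfig}. Role insertion order is preserved while
         * building; the built config stores roles in an unordered set.
         */
        public static class Builder implements io.helidon.common.Builder<Builder, RoleConfig> {
            private final Set<String> userRolesAllowed = new LinkedHashSet<>();
            private final Set<String> serviceRolesAllowed = new LinkedHashSet<>();
            private boolean permitAll = false;
            private boolean denyAll = false;

            /* renamed from: build, reason: merged with bridge method [inline-methods] */
            /**
             * Builds the configuration from the current builder state.
             *
             * @return a new {@link RoleConfig}
             */
            public RoleConfig m2build() {
                return new RoleConfig(this);
            }

            /**
             * Adds user roles; at least one of them must be held by the user subject.
             *
             * @param collection role names to add
             * @return updated builder
             */
            public Builder addRoles(Collection<String> collection) {
                this.userRolesAllowed.addAll(collection);
                return this;
            }

            /**
             * Removes all user roles added so far.
             *
             * @return updated builder
             */
            public Builder clearRoles() {
                this.userRolesAllowed.clear();
                return this;
            }

            /**
             * Removes all service roles added so far.
             *
             * @return updated builder
             */
            public Builder clearServiceRoles() {
                this.serviceRolesAllowed.clear();
                return this;
            }

            /**
             * Adds a single user role.
             *
             * @param str role name
             * @return updated builder
             */
            public Builder addRole(String str) {
                this.userRolesAllowed.add(str);
                return this;
            }

            /**
             * Adds service roles; at least one of them must be held by the service subject.
             *
             * @param collection role names to add
             * @return updated builder
             */
            public Builder addServiceRoles(Collection<String> collection) {
                this.serviceRolesAllowed.addAll(collection);
                return this;
            }

            /**
             * Adds a single service role.
             *
             * @param str role name
             * @return updated builder
             */
            private Builder addServiceRole(String str) {
                this.serviceRolesAllowed.add(str);
                return this;
            }

            /**
             * Sets the permit-all flag.
             *
             * @param z new value
             * @return updated builder
             */
            private Builder permitAll(boolean z) {
                this.permitAll = z;
                return this;
            }

            /**
             * Sets the deny-all flag.
             *
             * @param z new value
             * @return updated builder
             */
            private Builder denyAll(boolean z) {
                this.denyAll = z;
                return this;
            }

            /**
             * Reads {@code user}, {@code service}, {@code permit-all} and {@code deny-all}
             * from configuration. Keys that are absent leave the builder untouched, so
             * roles from configuration are appended to any already added.
             *
             * @param config configuration node located at this validator's key
             * @return updated builder
             */
            public Builder config(Config config) {
                config.get("user").asList(String.class).ifPresent(this::addRoles);
                config.get("service").asList(String.class).ifPresent(this::addServiceRoles);
                config.get("permit-all").asBoolean().ifPresent(this::permitAll);
                config.get("deny-all").asBoolean().ifPresent(this::denyAll);
                return this;
            }
        }

        private RoleConfig(Builder builder) {
            this.permitAll = builder.permitAll;
            this.denyAll = builder.denyAll;
            this.userRolesAllowed.addAll(builder.userRolesAllowed);
            this.serviceRolesAllowed.addAll(builder.serviceRolesAllowed);
        }

        /**
         * Creates a new, empty builder.
         *
         * @return builder instance
         */
        public static Builder builder() {
            return new Builder();
        }

        /**
         * Creates a config requiring any one of the given user roles.
         *
         * @param collection user role names
         * @return new config
         */
        public static RoleConfig create(Collection<String> collection) {
            return builder().addRoles(collection).m2build();
        }

        /**
         * Creates a config requiring any one of the given user roles.
         *
         * @param strArr user role names
         * @return new config
         */
        public static RoleConfig create(String... strArr) {
            return builder().addRoles(Arrays.asList(strArr)).m2build();
        }

        /**
         * Creates a config from configuration (see {@link Builder#config(Config)}).
         *
         * @param config configuration node
         * @return new config
         */
        public static RoleConfig create(Config config) {
            return builder().config(config).m2build();
        }

        /**
         * Roles of which the service subject must hold at least one.
         *
         * @return unmodifiable view; empty means "no service role check"
         */
        public Set<String> serviceRolesAllowed() {
            return Collections.unmodifiableSet(this.serviceRolesAllowed);
        }

        /**
         * Roles of which the user subject must hold at least one.
         *
         * @return unmodifiable view; empty means "no user role check"
         */
        public Set<String> userRolesAllowed() {
            return Collections.unmodifiableSet(this.userRolesAllowed);
        }

        /**
         * Whether access is granted without a role check (overridden by {@link #denyAll()}).
         *
         * @return permit-all flag
         */
        public boolean permitAll() {
            return this.permitAll;
        }

        /**
         * Whether access is unconditionally refused.
         *
         * @return deny-all flag
         */
        public boolean denyAll() {
            return this.denyAll;
        }
    }

    /**
     * Roles required of a subject of the given {@link #subjectType()}; the subject must
     * hold at least one of {@link #value()}. Repeatable via {@link RolesContainer}.
     */
    @Target({ElementType.METHOD, ElementType.TYPE})
    @AbacAnnotation
    @Inherited
    @Retention(RetentionPolicy.RUNTIME)
    @Documented
    @Repeatable(RolesContainer.class)
    /* loaded from: input_file:io/helidon/security/abac/role/RoleValidator$Roles.class */
    public @interface Roles {
        /**
         * Role names; any one of them grants access.
         *
         * @return role names
         */
        String[] value();

        /**
         * Subject the roles apply to; {@code USER} by default, otherwise the service subject.
         *
         * @return subject type
         */
        SubjectType subjectType() default SubjectType.USER;
    }

    /**
     * Container for repeated {@link Roles} annotations.
     */
    @Target({ElementType.METHOD, ElementType.TYPE})
    @AbacAnnotation
    @Inherited
    @Retention(RetentionPolicy.RUNTIME)
    @Documented
    /* loaded from: input_file:io/helidon/security/abac/role/RoleValidator$RolesContainer.class */
    public @interface RolesContainer {
        /**
         * The repeated annotations.
         *
         * @return roles annotations
         */
        Roles[] value();
    }

    private RoleValidator() {
    }

    /**
     * Creates a new validator instance.
     *
     * @return validator
     */
    public static RoleValidator create() {
        return new RoleValidator();
    }

    @Override
    public Class<RoleConfig> configClass() {
        return RoleConfig.class;
    }

    /**
     * Configuration key under which this validator's settings are read.
     *
     * @return {@code roles-allowed}
     */
    @Override
    public String configKey() {
        return "roles-allowed";
    }

    /* renamed from: fromConfig, reason: merged with bridge method [inline-methods] */
    /**
     * Builds the role config from configuration.
     *
     * @param config configuration node
     * @return role config
     */
    public RoleConfig m1fromConfig(Config config) {
        return RoleConfig.create(config);
    }

    /* renamed from: fromAnnotations, reason: merged with bridge method [inline-methods] */
    /**
     * Builds the role config from the annotations on the endpoint's security levels.
     *
     * <p>For every security level and every annotation scope, the supported annotations
     * found there are applied in order. Within one (level, scope) pass the collected user
     * roles, when non-empty, <em>replace</em> the user roles accumulated so far, and
     * likewise for service roles; a pass that yields no roles leaves the previous ones
     * in place. Consequently an annotation with an empty role array (e.g. a
     * {@code RolesAllowed} with no values) resets the permit/deny flags but does not
     * clear roles inherited from an earlier pass. Which level/scope is visited last, and
     * therefore wins, depends on the order {@code securityLevels()} returns — confirm
     * against {@code EndpointConfig}.
     *
     * @param endpointConfig endpoint whose annotations are inspected
     * @return role config derived from the annotations
     */
    public RoleConfig m0fromAnnotations(EndpointConfig endpointConfig) {
        RoleConfig.Builder builder = RoleConfig.builder();
        for (SecurityLevel securityLevel : endpointConfig.securityLevels()) {
            for (EndpointConfig.AnnotationScope scope : EndpointConfig.AnnotationScope.values()) {
                // Collect every supported annotation present at this level and scope.
                List<Annotation> annotations = new ArrayList<>();
                for (Class<? extends Annotation> annotationType : supportedAnnotations()) {
                    annotations.addAll(securityLevel.filterAnnotations(annotationType, scope));
                }
                List<String> userRoles = new ArrayList<>();
                List<String> serviceRoles = new ArrayList<>();
                for (Annotation annotation : annotations) {
                    applyAnnotation(annotation, builder, userRoles, serviceRoles);
                }
                // Non-empty role lists replace whatever an earlier pass set; empty lists do not.
                if (!userRoles.isEmpty()) {
                    builder.clearRoles().addRoles(userRoles);
                }
                if (!serviceRoles.isEmpty()) {
                    builder.clearServiceRoles().addServiceRoles(serviceRoles);
                }
            }
        }
        return builder.m2build();
    }

    /**
     * Applies a single annotation to the builder flags and the per-pass role lists.
     * Role-carrying annotations reset both flags to {@code false}; {@code PermitAll} and
     * {@code DenyAll} set exactly one of them. Unsupported annotation types are ignored.
     *
     * @param annotation   annotation to apply
     * @param builder      builder whose permit/deny flags are updated
     * @param userRoles    receives user role names
     * @param serviceRoles receives service role names
     */
    private static void applyAnnotation(Annotation annotation,
                                        RoleConfig.Builder builder,
                                        List<String> userRoles,
                                        List<String> serviceRoles) {
        if (annotation instanceof RolesAllowed) {
            Collections.addAll(userRoles, ((RolesAllowed) annotation).value());
            builder.permitAll(false);
            builder.denyAll(false);
        } else if (annotation instanceof Roles) {
            addRoles((Roles) annotation, userRoles, serviceRoles);
            builder.permitAll(false);
            builder.denyAll(false);
        } else if (annotation instanceof RolesContainer) {
            Roles[] repeated = ((RolesContainer) annotation).value();
            for (Roles roles : repeated) {
                addRoles(roles, userRoles, serviceRoles);
            }
            // An empty container carries no roles and does not touch the flags.
            if (repeated.length != 0) {
                builder.permitAll(false);
                builder.denyAll(false);
            }
        } else if (annotation instanceof PermitAll) {
            builder.permitAll(true);
            builder.denyAll(false);
        } else if (annotation instanceof DenyAll) {
            builder.permitAll(false);
            builder.denyAll(true);
        }
    }

    /**
     * Routes the roles of one {@link Roles} annotation to the user or service list
     * according to its subject type.
     *
     * @param roles        annotation to read
     * @param userRoles    receives roles when the subject type is {@code USER}
     * @param serviceRoles receives roles otherwise
     */
    private static void addRoles(Roles roles, List<String> userRoles, List<String> serviceRoles) {
        List<String> target = roles.subjectType() == SubjectType.USER ? userRoles : serviceRoles;
        Collections.addAll(target, roles.value());
    }

    /**
     * Validates the request against the role config. {@code denyAll} wins over
     * {@code permitAll}; otherwise the user and service subjects are each checked
     * against their role set.
     *
     * @param roleConfig      effective config for the endpoint
     * @param collector       receives a fatal error when access is refused
     * @param providerRequest request carrying the user and service subjects
     */
    @Override
    public void validate(RoleConfig roleConfig, Errors.Collector collector, ProviderRequest providerRequest) {
        if (roleConfig.denyAll()) {
            collector.fatal(this, "Access denied by DenyAll.");
            return;
        }
        if (roleConfig.permitAll()) {
            return;
        }
        validate(roleConfig.userRolesAllowed(), collector, providerRequest.subject(), SubjectType.USER);
        validate(roleConfig.serviceRolesAllowed(), collector, providerRequest.service(), SubjectType.SERVICE);
    }

    /**
     * Checks that the subject holds at least one of the required roles. An empty
     * {@code requiredRoles} set means no check. A missing subject holds no roles and
     * therefore fails any non-empty requirement.
     *
     * <p>The fatal message lists the subject's granted role names; whether it is
     * surfaced to the caller depends on how the collector's errors are reported
     * upstream — confirm before relying on it not being visible.
     *
     * @param requiredRoles roles of which one is required
     * @param collector     receives a fatal error on failure
     * @param subject       subject to check, if present
     * @param subjectType   used only in the error message
     */
    private void validate(Set<String> requiredRoles,
                          Errors.Collector collector,
                          Optional<Subject> subject,
                          SubjectType subjectType) {
        if (requiredRoles.isEmpty()) {
            return;
        }
        Set<String> grantedRoles = subject.map(s -> s.grants(Role.class))
                .orElse(List.of())
                .stream()
                .map(Role::getName)
                .collect(Collectors.toSet());
        // Any overlap between required and granted roles is sufficient.
        if (Collections.disjoint(requiredRoles, grantedRoles)) {
            collector.fatal(this, String.valueOf(subjectType) + " is not in required roles: "
                    + String.valueOf(requiredRoles) + ", only in: " + String.valueOf(grantedRoles));
        }
    }

    /**
     * Annotation types this validator reads from endpoints.
     *
     * @return supported annotation classes
     */
    @Override
    public Collection<Class<? extends Annotation>> supportedAnnotations() {
        return List.of(RolesAllowed.class, Roles.class, RolesContainer.class, PermitAll.class, DenyAll.class);
    }
}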
