package io.helidon.security;

import io.helidon.common.LazyValue;
import io.helidon.common.config.Config;
import io.helidon.security.AuditEvent;
import io.helidon.security.Security;
import io.helidon.security.SecurityContext;
import io.helidon.security.SecurityEnvironment;
import io.helidon.security.internal.SecurityAuditEvent;
import io.helidon.security.spi.AuditProvider;
import io.helidon.security.spi.AuthenticationProvider;
import io.helidon.security.spi.AuthorizationProvider;
import io.helidon.security.spi.DigestProvider;
import io.helidon.security.spi.EncryptionProvider;
import io.helidon.security.spi.OutboundSecurityProvider;
import io.helidon.security.spi.ProviderSelectionPolicy;
import io.helidon.security.spi.SecurityProvider;
import io.helidon.security.spi.SubjectMappingProvider;
import io.helidon.tracing.Tracer;
import java.lang.System;
import java.lang.annotation.Annotation;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.UUID;
import java.util.function.Consumer;
import java.util.function.Supplier;
import java.util.stream.Stream;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:io/helidon/security/SecurityImpl.class */
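/**
 * Default {@link Security} implementation, assembled from a {@link Security.Builder}.
 *
 * <p>Every field is {@code final}; the provider lists, auditors and annotation collection are
 * populated only inside the constructor and the lookup maps are immutable copies, so an instance
 * is effectively immutable once constructed and can be shared between threads.
 *
 * <p>Changes against the previous revision of this class:
 * <ul>
 *   <li>{@link #verifyDigest(String, byte[], String, boolean)} now tests the digest
 *       <em>configuration</em> for absence (it used to test the digest argument instead and would
 *       then fail with a {@code NullPointerException} for an unknown configuration name);</li>
 *   <li>the "security is disabled" audit event is emitted after the audit consumers are
 *       registered, so it actually reaches them;</li>
 *   <li>{@link #customAnnotations()} returns a read-only view instead of the internal list.</li>
 * </ul>
 */
public final class SecurityImpl implements Security {
    /** Provider configuration keys interpreted by security itself and never handed to a provider. */
    static final Set<String> RESERVED_PROVIDER_KEYS = Set.of("name", "type", "class", "is-authentication-provider", "is-authorization-provider", "is-client-security-provider", "is-audit-provider");
    /** Top-level security configuration nodes that {@link #configFor(String)} refuses to expose. */
    private static final Set<String> CONFIG_INTERNAL_PREFIXES = Set.of("provider-policy", "providers", "environment");
    private static final System.Logger LOGGER = System.getLogger(SecurityImpl.class.getName());

    private final Optional<SubjectMappingProvider> subjectMappingProvider;
    private final ProviderSelectionPolicy providerSelectionPolicy;
    // Resolved on first use so tracer setup is deferred until a context is actually created.
    private final LazyValue<Tracer> securityTracer;
    private final SecurityTime serverTime;
    private final Config securityConfig;
    private final boolean enabled;
    // Values are suppliers so a secret is only materialized when requested.
    private final Map<String, Supplier<Optional<String>>> secrets;
    private final Map<String, EncryptionProvider.EncryptionSupport> encryptions;
    private final Map<String, DigestProvider.DigestSupport> digests;
    // Filled once in the constructor, exposed read-only through customAnnotations().
    private final Collection<Class<? extends Annotation>> annotations = new LinkedList<>();
    // Filled once in the constructor; every audit event is fanned out to all of them.
    private final List<Consumer<AuditProvider.TracedAuditEvent>> auditors = new LinkedList<>();
    // Distinguishes this Security instance in audit events and security context ids.
    private final String instanceUuid = UUID.randomUUID().toString();

    /**
     * Creates the security instance from a fully configured builder. Intended to be called by
     * {@link Security.Builder} only.
     *
     * @param builder builder holding providers, policies, secrets and configuration
     */
    public SecurityImpl(Security.Builder builder) {
        this.enabled = builder.enabled();
        this.serverTime = builder.serverTime();
        this.annotations.addAll(SecurityUtil.getAnnotations(builder.allProviders()));
        this.securityTracer = LazyValue.create(() -> SecurityUtil.getTracer(builder.tracingEnabled(), builder.tracer()));
        this.subjectMappingProvider = Optional.ofNullable(builder.subjectMappingProvider());
        this.securityConfig = builder.config();

        // Register audit consumers first: any audit(...) call issued before this point would be
        // delivered to nobody, which is exactly what happened to the "disabled" event below.
        builder.auditProviders().forEach(auditProvider -> this.auditors.add(auditProvider.auditConsumer()));
        if (!this.enabled) {
            audit(this.instanceUuid, SecurityAuditEvent.info("security.configure", "Security is disabled."));
        }

        List<NamedProvider<AuthorizationProvider>> atzProviders = new LinkedList<>(builder.atzProviders());
        List<NamedProvider<AuthenticationProvider>> atnProviders = new LinkedList<>(builder.atnProviders());
        List<NamedProvider<OutboundSecurityProvider>> outboundProviders = new LinkedList<>(builder.outboundProviders());

        audit(this.instanceUuid, SecurityAuditEvent.info("security.configure", "Security initialized. Providers: audit: \"%s\"; authn: \"%s\"; authz: \"%s\"; identity propagation: \"%s\";")
                .addParam(AuditEvent.AuditParam.plain("auditProviders", SecurityUtil.forAudit(builder.auditProviders())))
                .addParam(AuditEvent.AuditParam.plain("authenticationProvider", SecurityUtil.forAuditNamed(atnProviders)))
                .addParam(AuditEvent.AuditParam.plain("authorizationProvider", SecurityUtil.forAuditNamed(atzProviders)))
                .addParam(AuditEvent.AuditParam.plain("identityPropagationProvider", SecurityUtil.forAuditNamed(outboundProviders))));

        NamedProvider<AuthenticationProvider> authnProvider = builder.authnProvider();
        NamedProvider<AuthorizationProvider> authzProvider = builder.authzProvider();
        // The selection policy sees the builder's default provider first, followed by the
        // remaining configured providers of the same kind.
        this.providerSelectionPolicy = builder.providerSelectionPolicy().apply(new ProviderSelectionPolicy.Providers() {
            @Override
            public <T extends SecurityProvider> List<NamedProvider<T>> getProviders(Class<T> providerType) {
                if (providerType.equals(AuthenticationProvider.class)) {
                    return defaultFirst(authnProvider, atnProviders);
                }
                if (providerType.equals(AuthorizationProvider.class)) {
                    return defaultFirst(authzProvider, atzProviders);
                }
                if (providerType.equals(OutboundSecurityProvider.class)) {
                    return copyAs(outboundProviders);
                }
                throw new SecurityException("Security only supports AuthenticationProvider, AuthorizationProvider and OutboundSecurityProvider in provider selection policy, not " + providerType.getName());
            }
        });

        this.secrets = Map.copyOf(builder.secrets());
        this.encryptions = Map.copyOf(builder.encryptions());
        this.digests = Map.copyOf(builder.digests());
    }

    /**
     * Builds the provider list handed to a selection policy: the default provider first, then
     * every other configured provider (compared by identity, so the default is not listed twice).
     *
     * <p>The unchecked casts are safe because callers pass providers whose static type matches the
     * requested {@code T}.
     *
     * @param defaultProvider provider the builder selected as default
     * @param all all configured providers of the same kind
     * @param <T> requested provider type
     * @return mutable list, default provider first
     */
    @SuppressWarnings("unchecked")
    private static <T extends SecurityProvider> List<NamedProvider<T>> defaultFirst(NamedProvider<?> defaultProvider, List<? extends NamedProvider<?>> all) {
        List<NamedProvider<T>> ordered = new LinkedList<>();
        ordered.add((NamedProvider<T>) defaultProvider);
        for (NamedProvider<?> candidate : all) {
            if (candidate != defaultProvider) {
                ordered.add((NamedProvider<T>) candidate);
            }
        }
        return ordered;
    }

    /**
     * Copies a provider list into the type requested by a selection policy (see
     * {@link #defaultFirst(NamedProvider, List)} for why the casts are safe).
     *
     * @param all configured providers
     * @param <T> requested provider type
     * @return mutable copy in configuration order
     */
    @SuppressWarnings("unchecked")
    private static <T extends SecurityProvider> List<NamedProvider<T>> copyAs(List<? extends NamedProvider<?>> all) {
        List<NamedProvider<T>> copy = new LinkedList<>();
        for (NamedProvider<?> provider : all) {
            copy.add((NamedProvider<T>) provider);
        }
        return copy;
    }

    /**
     * Looks up a named support object, failing loudly when the name is not configured.
     *
     * @param byName configured supports keyed by configuration name
     * @param kind human readable kind used in the error message ("encryption", "digest")
     * @param name configuration name requested by the caller
     * @param <V> support type
     * @return the configured support, never {@code null}
     * @throws SecurityException when no support is configured under {@code name}
     */
    private static <V> V configured(Map<String, V> byName, String kind, String name) {
        V support = byName.get(name);
        if (support == null) {
            throw new SecurityException("There is no configured " + kind + " named " + name);
        }
        return support;
    }

    @Override
    public SecurityTime serverTime() {
        return serverTime;
    }

    /**
     * Creates a context builder whose id is prefixed with this instance's uuid, so contexts from
     * different {@code Security} instances can be told apart; a missing id is rendered as {@code ?}.
     *
     * @param id caller supplied context id, may be {@code null} or empty
     * @return pre-configured context builder
     */
    @Override
    public SecurityContext.Builder contextBuilder(String id) {
        String contextId = (id == null || id.isEmpty()) ? instanceUuid + ":?" : instanceUuid + ":" + id;
        return new SecurityContext.Builder(this)
                .id(contextId)
                .tracingTracer(securityTracer.get())
                .serverTime(serverTime);
    }

    @Override
    public SecurityContext createContext(String id) {
        return contextBuilder(id).m24build();
    }

    @Override
    public Tracer tracer() {
        return securityTracer.get();
    }

    /**
     * Annotations the configured providers want intercepted. Returned as a read-only view: the
     * list drives security interception and must not be extended by callers.
     *
     * @return unmodifiable view of the custom annotations
     */
    @Override
    public Collection<Class<? extends Annotation>> customAnnotations() {
        return Collections.unmodifiableCollection(annotations);
    }

    /**
     * Returns the configuration node at {@code path}, refusing the root node and the nodes security
     * keeps to itself ({@code provider-policy}, {@code providers}, {@code environment}).
     *
     * @param path configuration path relative to the security root
     * @return configuration node at that path
     * @throws IllegalArgumentException for the root path or an internal prefix
     */
    @Override
    public Config configFor(String path) {
        if (path.trim().isEmpty()) {
            throw new IllegalArgumentException("Root of security configuration is not available");
        }
        // Matches the node itself and anything below it; the untrimmed path is what is looked up.
        for (String internal : CONFIG_INTERNAL_PREFIXES) {
            if (path.equals(internal) || path.startsWith(internal + ".")) {
                throw new IllegalArgumentException("Security configuration for " + internal + " is not available");
            }
        }
        return securityConfig.get(path);
    }

    /**
     * @throws SecurityException when no encryption is configured under {@code configurationName}
     */
    @Override
    public String encrypt(String configurationName, byte[] bytesToEncrypt) {
        return configured(encryptions, "encryption", configurationName).encrypt(bytesToEncrypt);
    }

    /**
     * @throws SecurityException when no encryption is configured under {@code configurationName}
     */
    @Override
    public byte[] decrypt(String configurationName, String cipherText) {
        return configured(encryptions, "encryption", configurationName).decrypt(cipherText);
    }

    /**
     * @param preHashed whether {@code bytesToDigest} is already a hash (passed through to the provider)
     * @throws SecurityException when no digest is configured under {@code configurationName}
     */
    @Override
    public String digest(String configurationName, byte[] bytesToDigest, boolean preHashed) {
        return configured(digests, "digest", configurationName).digest(bytesToDigest, preHashed);
    }

    @Override
    public String digest(String configurationName, byte[] bytesToDigest) {
        return digest(configurationName, bytesToDigest, false);
    }

    /**
     * Verifies {@code digest} against {@code bytesToDigest} using the named digest configuration.
     *
     * @param configurationName name of the digest configuration
     * @param bytesToDigest data (or, when {@code preHashed}, its hash) to verify
     * @param digest digest value to verify against, must not be {@code null}
     * @param preHashed whether {@code bytesToDigest} is already a hash
     * @return {@code true} when the provider accepts the digest
     * @throws SecurityException when the configuration does not exist or {@code digest} is {@code null}
     */
    @Override
    public boolean verifyDigest(String configurationName, byte[] bytesToDigest, String digest, boolean preHashed) {
        // The lookup result decides whether the configuration exists - not the digest argument,
        // which the previous revision tested here by mistake.
        DigestProvider.DigestSupport support = configured(digests, "digest", configurationName);
        if (digest == null) {
            throw new SecurityException("Digest to verify against must not be null (digest configuration " + configurationName + ")");
        }
        return support.verify(bytesToDigest, preHashed, digest);
    }

    @Override
    public boolean verifyDigest(String configurationName, byte[] bytesToDigest, String digest) {
        return verifyDigest(configurationName, bytesToDigest, digest, false);
    }

    /**
     * @throws SecurityException when no secret is configured under {@code name}
     */
    @Override
    public Optional<String> secret(String name) {
        Supplier<Optional<String>> supplier = secrets.get(name);
        if (supplier == null) {
            throw new SecurityException("Secret \"" + name + "\" is not configured.");
        }
        return supplier.get();
    }

    /**
     * Like {@link #secret(String)} but falls back to {@code defaultValue} when the secret is not
     * configured or its supplier yields nothing. Only the secret name is ever logged, never a value.
     */
    @Override
    public String secret(String name, String defaultValue) {
        Supplier<Optional<String>> supplier = secrets.get(name);
        if (supplier == null) {
            LOGGER.log(System.Logger.Level.TRACE, () -> "There is no configured secret named " + name + ", using default value");
            return defaultValue;
        }
        return supplier.get().orElse(defaultValue);
    }

    @Override
    public SecurityEnvironment.Builder environmentBuilder() {
        return SecurityEnvironment.builder(serverTime);
    }

    @Override
    public Optional<SubjectMappingProvider> subjectMapper() {
        return subjectMappingProvider;
    }

    @Override
    public boolean enabled() {
        return enabled;
    }

    /**
     * Delivers {@code event} to every registered audit consumer. The event is wrapped separately
     * for each consumer, so consumers never share a traced event instance.
     *
     * @param tracingId id correlating the event with a request or this instance
     * @param event event to audit
     */
    @Override
    public void audit(String tracingId, AuditEvent event) {
        AuditProvider.AuditSource source = AuditProvider.AuditSource.create();
        for (Consumer<AuditProvider.TracedAuditEvent> auditor : auditors) {
            auditor.accept(SecurityUtil.wrapEvent(tracingId, source, event));
        }
    }

    @Override
    public ProviderSelectionPolicy providerSelectionPolicy() {
        return providerSelectionPolicy;
    }

    @Override
    public Optional<? extends AuthenticationProvider> resolveAtnProvider(String providerName) {
        return resolveProvider(AuthenticationProvider.class, providerName);
    }

    @Override
    public Optional<AuthorizationProvider> resolveAtzProvider(String providerName) {
        return resolveProvider(AuthorizationProvider.class, providerName);
    }

    /**
     * Resolves outbound providers: all policy-selected providers when no name is given, otherwise a
     * single-element list for the named provider.
     *
     * @param providerName explicit provider name, or {@code null} to defer to the selection policy
     * @return providers to use, possibly empty
     * @throws SecurityException when {@code providerName} is given but not configured
     */
    @Override
    public List<? extends OutboundSecurityProvider> resolveOutboundProvider(String providerName) {
        if (providerName == null) {
            return providerSelectionPolicy.selectOutboundProviders();
        }
        return resolveProvider(OutboundSecurityProvider.class, providerName)
                .map(provider -> List.of(provider))
                .orElse(List.of());
    }

    /**
     * Asks the selection policy for a provider of the given type.
     *
     * @param providerType requested provider type
     * @param providerName explicit name, or {@code null} for the policy's default choice
     * @param <T> provider type
     * @return the selected provider; empty only when no name was given and the policy has no default
     * @throws SecurityException when a name is given but no provider is configured under it
     */
    private <T extends SecurityProvider> Optional<T> resolveProvider(Class<T> providerType, String providerName) {
        if (providerName == null) {
            return providerSelectionPolicy.selectProvider(providerType);
        }
        Optional<T> selected = providerSelectionPolicy.selectProvider(providerType, providerName);
        if (selected.isPresent()) {
            return selected;
        }
        throw new SecurityException("Named " + providerType.getSimpleName() + " expected for name \"" + providerName + "\" yet none is configured for such a name");
    }
}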
