package io.helidon.security.provider.httpauth;

import io.helidon.common.CollectionsHelper;
import io.helidon.common.OptionalHelper;
import io.helidon.config.Config;
import io.helidon.security.AuthenticationResponse;
import io.helidon.security.EndpointConfig;
import io.helidon.security.OutboundSecurityResponse;
import io.helidon.security.Principal;
import io.helidon.security.ProviderRequest;
import io.helidon.security.Role;
import io.helidon.security.SecurityContext;
import io.helidon.security.SecurityEnvironment;
import io.helidon.security.SecurityResponse;
import io.helidon.security.Subject;
import io.helidon.security.SubjectType;
import io.helidon.security.provider.httpauth.UserStore;
import io.helidon.security.spi.AuthenticationProvider;
import io.helidon.security.spi.OutboundSecurityProvider;
import io.helidon.security.spi.SynchronousProvider;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.logging.Logger;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/* loaded from: input_file:io/helidon/security/provider/httpauth/HttpBasicAuthProvider.class */
public class HttpBasicAuthProvider extends SynchronousProvider implements AuthenticationProvider, OutboundSecurityProvider {
    public static final String EP_PROPERTY_OUTBOUND_USER = "io.helidon.security.outbound.user";
    public static final String EP_PROPERTY_OUTBOUND_PASSWORD = "io.helidon.security.outbound.password";
    static final String HEADER_AUTHENTICATION_REQUIRED = "WWW-Authenticate";
    static final String HEADER_AUTHENTICATION = "authorization";
    static final String BASIC_PREFIX = "basic ";
    private static final Logger LOGGER = Logger.getLogger(HttpBasicAuthProvider.class.getName());
    private static final Pattern CREDENTIAL_PATTERN = Pattern.compile("(.*):(.*)");
    private static final char[] EMPTY_PASSWORD = new char[0];
    private final UserStore userStore;
    private final String realm;
    private final SubjectType subjectType;

    /* renamed from: io.helidon.security.provider.httpauth.HttpBasicAuthProvider$3, reason: invalid class name */
    /* loaded from: input_file:io/helidon/security/provider/httpauth/HttpBasicAuthProvider$3.class */
    static /* synthetic */ class AnonymousClass3 {
        static final /* synthetic */ int[] $SwitchMap$io$helidon$security$SubjectType = new int[SubjectType.values().length];

        static {
            try {
                $SwitchMap$io$helidon$security$SubjectType[SubjectType.USER.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$io$helidon$security$SubjectType[SubjectType.SERVICE.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
        }
    }

    /* loaded from: input_file:io/helidon/security/provider/httpauth/HttpBasicAuthProvider$Builder.class */
    public static class Builder implements io.helidon.common.Builder<HttpBasicAuthProvider> {
        private static final UserStore EMPTY_STORE = str -> {
            return Optional.empty();
        };
        private UserStore userStore;
        private String realm;
        private SubjectType subjectType;

        private Builder() {
            this.userStore = EMPTY_STORE;
            this.subjectType = SubjectType.USER;
        }

        static Builder fromConfig(Config config) {
            Builder builder = new Builder();
            builder.realm(config.get("realm").asString("realm"));
            Optional asOptional = config.get("principal-type").asOptional(SubjectType.class);
            Objects.requireNonNull(builder);
            asOptional.ifPresent(builder::subjectType);
            Config config2 = config.get("users");
            if (config2.exists() && !config2.isLeaf()) {
                builder.userStore((UserStore) config2.asOptional(ConfigUserStore.class).orElseThrow(() -> {
                    return new HttpAuthException("No users configured! Key \"users\" must be in configuration");
                }));
            }
            return builder;
        }

        /* renamed from: build, reason: merged with bridge method [inline-methods] */
        public HttpBasicAuthProvider m5build() {
            if (this.userStore == EMPTY_STORE) {
                HttpBasicAuthProvider.LOGGER.info("Basic authentication configured with no users. Inbound will always fail, outbound would workonly with explicit username and password");
            }
            return new HttpBasicAuthProvider(this);
        }

        public Builder subjectType(SubjectType subjectType) {
            this.subjectType = subjectType;
            switch (AnonymousClass3.$SwitchMap$io$helidon$security$SubjectType[subjectType.ordinal()]) {
                case 1:
                case 2:
                    return this;
                default:
                    throw new SecurityException("Invalid configuration. Principal type not supported: " + subjectType);
            }
        }

        public Builder userStore(UserStore userStore) {
            this.userStore = userStore;
            return this;
        }

        public Builder realm(String str) {
            this.realm = str;
            return this;
        }
    }

    private HttpBasicAuthProvider(Builder builder) {
        this.userStore = builder.userStore;
        this.realm = builder.realm;
        this.subjectType = builder.subjectType;
    }

    public static Builder builder() {
        return new Builder();
    }

    public static HttpBasicAuthProvider fromConfig(Config config) {
        return Builder.fromConfig(config).m5build();
    }

    private static OutboundSecurityResponse toBasicAuthOutbound(UserStore.User user) {
        return OutboundSecurityResponse.withHeaders(CollectionsHelper.mapOf("Authorization", CollectionsHelper.listOf(new String[]{BASIC_PREFIX + Base64.getEncoder().encodeToString((user.getLogin() + ":" + new String(user.getPassword())).getBytes(StandardCharsets.UTF_8))})));
    }

    public boolean isOutboundSupported(ProviderRequest providerRequest, SecurityEnvironment securityEnvironment, EndpointConfig endpointConfig) {
        if (endpointConfig.getAttributeNames().contains(EP_PROPERTY_OUTBOUND_USER)) {
            return true;
        }
        SecurityContext context = providerRequest.getContext();
        return ((Boolean) context.getUser().map(subject -> {
            return Boolean.valueOf(subject.getPrivateCredential(UserStore.User.class).isPresent());
        }).orElse(false)).booleanValue() || ((Boolean) context.getService().map(subject2 -> {
            return Boolean.valueOf(subject2.getPrivateCredential(UserStore.User.class).isPresent());
        }).orElse(false)).booleanValue();
    }

    protected OutboundSecurityResponse syncOutbound(ProviderRequest providerRequest, SecurityEnvironment securityEnvironment, EndpointConfig endpointConfig) {
        Optional attribute = endpointConfig.getAttribute(EP_PROPERTY_OUTBOUND_USER);
        if (attribute.isPresent()) {
            String obj = attribute.get().toString();
            return toBasicAuthOutbound(this.userStore.getUser(obj).orElseGet(() -> {
                return userFromEndpoint(obj, endpointConfig);
            }));
        }
        SecurityContext context = providerRequest.getContext();
        return (OutboundSecurityResponse) OptionalHelper.from(context.getUser().flatMap(subject -> {
            return subject.getPrivateCredential(UserStore.User.class);
        })).or(() -> {
            return context.getService().flatMap(subject2 -> {
                return subject2.getPrivateCredential(UserStore.User.class);
            });
        }).asOptional().map(user -> {
            final Optional attribute2 = endpointConfig.getAttribute(EP_PROPERTY_OUTBOUND_PASSWORD);
            return attribute2.isPresent() ? toBasicAuthOutbound(new UserStore.User() { // from class: io.helidon.security.provider.httpauth.HttpBasicAuthProvider.1
                @Override // io.helidon.security.provider.httpauth.UserStore.User
                public String getLogin() {
                    return user.getLogin();
                }

                @Override // io.helidon.security.provider.httpauth.UserStore.User
                public char[] getPassword() {
                    return (char[]) attribute2.map(String::valueOf).map((v0) -> {
                        return v0.toCharArray();
                    }).orElse(HttpBasicAuthProvider.EMPTY_PASSWORD);
                }
            }) : toBasicAuthOutbound(user);
        }).orElseGet(OutboundSecurityResponse::abstain);
    }

    private UserStore.User userFromEndpoint(final String str, final EndpointConfig endpointConfig) {
        return new UserStore.User() { // from class: io.helidon.security.provider.httpauth.HttpBasicAuthProvider.2
            @Override // io.helidon.security.provider.httpauth.UserStore.User
            public String getLogin() {
                return str;
            }

            @Override // io.helidon.security.provider.httpauth.UserStore.User
            public char[] getPassword() {
                return (char[]) endpointConfig.getAttribute(HttpBasicAuthProvider.EP_PROPERTY_OUTBOUND_PASSWORD).map(String::valueOf).map((v0) -> {
                    return v0.toCharArray();
                }).orElse(HttpBasicAuthProvider.EMPTY_PASSWORD);
            }
        };
    }

    protected AuthenticationResponse syncAuthenticate(ProviderRequest providerRequest) {
        List list = (List) providerRequest.getEnv().getHeaders().get(HEADER_AUTHENTICATION);
        return null == list ? fail("No authorization header") : (AuthenticationResponse) list.stream().filter(str -> {
            return str.toLowerCase().startsWith(BASIC_PREFIX);
        }).findFirst().map(this::validateBasicAuth).orElseGet(() -> {
            return fail("Authorization header does not contain basic authentication: " + list);
        });
    }

    private AuthenticationResponse validateBasicAuth(String str) {
        try {
            String str2 = new String(Base64.getDecoder().decode(str.substring(BASIC_PREFIX.length())), StandardCharsets.UTF_8);
            Matcher matcher = CREDENTIAL_PATTERN.matcher(str2);
            if (!matcher.matches()) {
                LOGGER.finest(() -> {
                    return "Basic authentication header with invalid content: " + str2;
                });
                return fail("Basic authentication header with invalid content");
            }
            String group = matcher.group(1);
            char[] charArray = matcher.group(2).toCharArray();
            return (AuthenticationResponse) this.userStore.getUser(group).map(user -> {
                return Arrays.equals(charArray, user.getPassword()) ? this.subjectType == SubjectType.USER ? AuthenticationResponse.success(buildSubject(user)) : AuthenticationResponse.successService(buildSubject(user)) : fail("Invalid username or password");
            }).orElse(fail("Invalid username or password"));
        } catch (IllegalArgumentException e) {
            return fail("Basic authentication header with invalid content - not base64 encoded");
        }
    }

    private AuthenticationResponse fail(String str) {
        return AuthenticationResponse.builder().statusCode(401).responseHeader(HEADER_AUTHENTICATION_REQUIRED, buildChallenge()).status(SecurityResponse.SecurityStatus.FAILURE).description(str).build();
    }

    private String buildChallenge() {
        return "Basic realm=\"" + this.realm + "\"";
    }

    private Subject buildSubject(UserStore.User user) {
        Subject.Builder addPrivateCredential = Subject.builder().principal(Principal.builder().name(user.getLogin()).build()).addPrivateCredential(UserStore.User.class, user);
        user.getRoles().forEach(str -> {
            addPrivateCredential.addGrant(Role.create(str));
        });
        return addPrivateCredential.build();
    }
}
