package io.helidon.security.webserver;

import io.helidon.common.CollectionsHelper;
import io.helidon.common.OptionalHelper;
import io.helidon.common.http.DataChunk;
import io.helidon.common.http.Http;
import io.helidon.common.reactive.Flow;
import io.helidon.config.Config;
import io.helidon.security.AuditEvent;
import io.helidon.security.AuthenticationResponse;
import io.helidon.security.ClassToInstanceStore;
import io.helidon.security.Entity;
import io.helidon.security.QueryParamMapping;
import io.helidon.security.SecurityClientBuilder;
import io.helidon.security.SecurityContext;
import io.helidon.security.SecurityRequest;
import io.helidon.security.SecurityRequestBuilder;
import io.helidon.security.SecurityResponse;
import io.helidon.security.internal.SecurityAuditEvent;
import io.helidon.security.util.TokenHandler;
import io.helidon.webserver.Handler;
import io.helidon.webserver.ResponseHeaders;
import io.helidon.webserver.ServerRequest;
import io.helidon.webserver.ServerResponse;
import io.opentracing.Span;
import io.opentracing.Tracer;
import io.opentracing.tag.Tags;
import java.nio.ByteBuffer;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.CompletionStage;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.concurrent.atomic.AtomicReference;
import java.util.function.Consumer;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.stream.Stream;

/* loaded from: input_file:io/helidon/security/webserver/SecurityHandler.class */
public final class SecurityHandler implements Handler {
    private static final String KEY_ROLES_ALLOWED = "roles-allowed";
    private static final String KEY_AUTHENTICATOR = "authenticator";
    private static final String KEY_AUTHORIZER = "authorizer";
    private static final String KEY_AUTHENTICATE = "authenticate";
    private static final String KEY_AUTHENTICATION_OPTIONAL = "authentication-optional";
    private static final String KEY_AUTHORIZE = "authorize";
    private static final String KEY_AUDIT = "audit";
    private static final String KEY_AUDIT_EVENT_TYPE = "audit-event-type";
    private static final String KEY_AUDIT_MESSAGE_FORMAT = "audit-message-format";
    private static final String KEY_QUERY_PARAM_HANDLERS = "query-params";
    private static final String DEFAULT_AUDIT_EVENT_TYPE = "request";
    private static final String DEFAULT_AUDIT_MESSAGE_FORMAT = "%3$s %1$s \"%2$s\" %5$s %6$s requested by %4$s";
    private final Optional<Set<String>> rolesAllowed;
    private final Optional<ClassToInstanceStore<Object>> customObjects;
    private final Optional<Config> config;
    private final Optional<String> explicitAuthenticator;
    private final Optional<String> explicitAuthorizer;
    private final Optional<Boolean> authenticate;
    private final Optional<Boolean> authenticationOptional;
    private final Optional<Boolean> authorize;
    private final Optional<Boolean> audited;
    private final Optional<String> auditEventType;
    private final Optional<String> auditMessageFormat;
    private final List<QueryParamHandler> queryParamHandlers;
    private final boolean combined;
    private final Map<String, Config> configMap;
    private final AtomicReference<SecurityHandler> combinedHandler;
    private static final Logger LOGGER = Logger.getLogger(SecurityHandler.class.getName());
    private static final SecurityHandler DEFAULT_INSTANCE = builder().m3build();

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: io.helidon.security.webserver.SecurityHandler$5, reason: invalid class name */
    /* loaded from: input_file:io/helidon/security/webserver/SecurityHandler$5.class */
    public static /* synthetic */ class AnonymousClass5 {
        static final /* synthetic */ int[] $SwitchMap$io$helidon$common$http$Http$Method;
        static final /* synthetic */ int[] $SwitchMap$io$helidon$common$http$Http$ResponseStatus$Family;
        static final /* synthetic */ int[] $SwitchMap$io$helidon$security$SecurityResponse$SecurityStatus = new int[SecurityResponse.SecurityStatus.values().length];

        static {
            try {
                $SwitchMap$io$helidon$security$SecurityResponse$SecurityStatus[SecurityResponse.SecurityStatus.SUCCESS.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$io$helidon$security$SecurityResponse$SecurityStatus[SecurityResponse.SecurityStatus.FAILURE_FINISH.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$io$helidon$security$SecurityResponse$SecurityStatus[SecurityResponse.SecurityStatus.SUCCESS_FINISH.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
            }
            try {
                $SwitchMap$io$helidon$security$SecurityResponse$SecurityStatus[SecurityResponse.SecurityStatus.ABSTAIN.ordinal()] = 4;
            } catch (NoSuchFieldError e4) {
            }
            try {
                $SwitchMap$io$helidon$security$SecurityResponse$SecurityStatus[SecurityResponse.SecurityStatus.FAILURE.ordinal()] = 5;
            } catch (NoSuchFieldError e5) {
            }
            $SwitchMap$io$helidon$common$http$Http$ResponseStatus$Family = new int[Http.ResponseStatus.Family.values().length];
            try {
                $SwitchMap$io$helidon$common$http$Http$ResponseStatus$Family[Http.ResponseStatus.Family.INFORMATIONAL.ordinal()] = 1;
            } catch (NoSuchFieldError e6) {
            }
            try {
                $SwitchMap$io$helidon$common$http$Http$ResponseStatus$Family[Http.ResponseStatus.Family.SUCCESSFUL.ordinal()] = 2;
            } catch (NoSuchFieldError e7) {
            }
            try {
                $SwitchMap$io$helidon$common$http$Http$ResponseStatus$Family[Http.ResponseStatus.Family.REDIRECTION.ordinal()] = 3;
            } catch (NoSuchFieldError e8) {
            }
            try {
                $SwitchMap$io$helidon$common$http$Http$ResponseStatus$Family[Http.ResponseStatus.Family.CLIENT_ERROR.ordinal()] = 4;
            } catch (NoSuchFieldError e9) {
            }
            try {
                $SwitchMap$io$helidon$common$http$Http$ResponseStatus$Family[Http.ResponseStatus.Family.SERVER_ERROR.ordinal()] = 5;
            } catch (NoSuchFieldError e10) {
            }
            try {
                $SwitchMap$io$helidon$common$http$Http$ResponseStatus$Family[Http.ResponseStatus.Family.OTHER.ordinal()] = 6;
            } catch (NoSuchFieldError e11) {
            }
            $SwitchMap$io$helidon$common$http$Http$Method = new int[Http.Method.values().length];
            try {
                $SwitchMap$io$helidon$common$http$Http$Method[Http.Method.GET.ordinal()] = 1;
            } catch (NoSuchFieldError e12) {
            }
            try {
                $SwitchMap$io$helidon$common$http$Http$Method[Http.Method.HEAD.ordinal()] = 2;
            } catch (NoSuchFieldError e13) {
            }
            try {
                $SwitchMap$io$helidon$common$http$Http$Method[Http.Method.OPTIONS.ordinal()] = 3;
            } catch (NoSuchFieldError e14) {
            }
            try {
                $SwitchMap$io$helidon$common$http$Http$Method[Http.Method.POST.ordinal()] = 4;
            } catch (NoSuchFieldError e15) {
            }
            try {
                $SwitchMap$io$helidon$common$http$Http$Method[Http.Method.PUT.ordinal()] = 5;
            } catch (NoSuchFieldError e16) {
            }
            try {
                $SwitchMap$io$helidon$common$http$Http$Method[Http.Method.DELETE.ordinal()] = 6;
            } catch (NoSuchFieldError e17) {
            }
            try {
                $SwitchMap$io$helidon$common$http$Http$Method[Http.Method.TRACE.ordinal()] = 7;
            } catch (NoSuchFieldError e18) {
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/helidon/security/webserver/SecurityHandler$AtxResult.class */
    public static final class AtxResult {
        private static final AtxResult PROCEED = new AtxResult(true);
        private static final AtxResult STOP = new AtxResult(false);
        private final boolean proceed;

        private AtxResult(boolean z) {
            this.proceed = z;
        }

        private AtxResult(SecurityRequest securityRequest) {
            this.proceed = true;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/helidon/security/webserver/SecurityHandler$Builder.class */
    public static final class Builder implements io.helidon.common.Builder<SecurityHandler> {
        private Optional<Set<String>> rolesAllowed;
        private Optional<ClassToInstanceStore<Object>> customObjects;
        private Optional<Config> config;
        private Optional<String> explicitAuthenticator;
        private Optional<String> explicitAuthorizer;
        private Optional<Boolean> authenticate;
        private Optional<Boolean> authenticationOptional;
        private Optional<Boolean> authorize;
        private Optional<Boolean> audited;
        private Optional<String> auditEventType;
        private Optional<String> auditMessageFormat;
        private final List<QueryParamHandler> queryParamHandlers;
        private boolean combined;

        private Builder() {
            this.rolesAllowed = Optional.empty();
            this.customObjects = Optional.empty();
            this.config = Optional.empty();
            this.explicitAuthenticator = Optional.empty();
            this.explicitAuthorizer = Optional.empty();
            this.authenticate = Optional.empty();
            this.authenticationOptional = Optional.empty();
            this.authorize = Optional.empty();
            this.audited = Optional.empty();
            this.auditEventType = Optional.empty();
            this.auditMessageFormat = Optional.empty();
            this.queryParamHandlers = new LinkedList();
        }

        /* renamed from: build, reason: merged with bridge method [inline-methods] */
        public SecurityHandler m3build() {
            return new SecurityHandler(this);
        }

        /* JADX INFO: Access modifiers changed from: private */
        public Builder combined() {
            this.combined = true;
            return this;
        }

        /* JADX INFO: Access modifiers changed from: private */
        public Builder configureFrom(SecurityHandler securityHandler) {
            securityHandler.rolesAllowed.ifPresent((v1) -> {
                rolesAllowed(v1);
            });
            securityHandler.customObjects.ifPresent(this::customObjects);
            securityHandler.config.ifPresent(this::config);
            securityHandler.explicitAuthenticator.ifPresent(this::authenticator);
            securityHandler.explicitAuthorizer.ifPresent(this::authorizer);
            securityHandler.authenticate.ifPresent((v1) -> {
                authenticate(v1);
            });
            securityHandler.authenticationOptional.ifPresent((v1) -> {
                authenticationOptional(v1);
            });
            securityHandler.audited.ifPresent((v1) -> {
                audit(v1);
            });
            securityHandler.auditEventType.ifPresent(this::auditEventType);
            securityHandler.auditMessageFormat.ifPresent(this::auditMessageFormat);
            securityHandler.authorize.ifPresent((v1) -> {
                authorize(v1);
            });
            this.queryParamHandlers.addAll(securityHandler.getQueryParamHandlers());
            return this;
        }

        private Builder customObjects(ClassToInstanceStore<Object> classToInstanceStore) {
            OptionalHelper.from(this.customObjects).ifPresentOrElse(classToInstanceStore2 -> {
                classToInstanceStore2.putAll(classToInstanceStore);
            }, () -> {
                ClassToInstanceStore classToInstanceStore3 = new ClassToInstanceStore();
                classToInstanceStore3.putAll(classToInstanceStore);
                this.customObjects = Optional.of(classToInstanceStore3);
            });
            return this;
        }

        public Builder addQueryParamHandler(QueryParamHandler queryParamHandler) {
            this.queryParamHandlers.add(queryParamHandler);
            return this;
        }

        Builder authenticator(String str) {
            this.explicitAuthenticator = Optional.of(str);
            return this;
        }

        Builder authorizer(String str) {
            this.explicitAuthorizer = Optional.of(str);
            return this;
        }

        Builder rolesAllowed(String... strArr) {
            return rolesAllowed(Arrays.asList(strArr));
        }

        /* JADX INFO: Access modifiers changed from: private */
        public Builder config(Config config) {
            this.config = Optional.of(config);
            return this;
        }

        Builder authenticationOptional(boolean z) {
            this.authenticationOptional = Optional.of(Boolean.valueOf(z));
            return this;
        }

        Builder authenticate(boolean z) {
            this.authenticate = Optional.of(Boolean.valueOf(z));
            return this;
        }

        Builder customObject(Object obj) {
            OptionalHelper.from(this.customObjects).ifPresentOrElse(classToInstanceStore -> {
                classToInstanceStore.putInstance(obj);
            }, () -> {
                ClassToInstanceStore classToInstanceStore2 = new ClassToInstanceStore();
                classToInstanceStore2.putInstance(obj);
                this.customObjects = Optional.of(classToInstanceStore2);
            });
            return this;
        }

        Builder auditEventType(String str) {
            this.auditEventType = Optional.of(str);
            return this;
        }

        Builder auditMessageFormat(String str) {
            this.auditMessageFormat = Optional.of(str);
            return this;
        }

        Builder authorize(boolean z) {
            this.authorize = Optional.of(Boolean.valueOf(z));
            return this;
        }

        Builder audit(boolean z) {
            this.audited = Optional.of(Boolean.valueOf(z));
            return this;
        }

        Builder rolesAllowed(Collection<String> collection) {
            OptionalHelper.from(this.rolesAllowed).ifPresentOrElse(set -> {
                set.addAll(collection);
            }, () -> {
                this.rolesAllowed = Optional.of(new HashSet(collection));
            });
            return this;
        }
    }

    /* loaded from: input_file:io/helidon/security/webserver/SecurityHandler$QueryParamHandler.class */
    public static final class QueryParamHandler {
        private final String queryParamName;
        private final TokenHandler headerHandler;

        private QueryParamHandler(QueryParamMapping queryParamMapping) {
            this.queryParamName = queryParamMapping.getQueryParamName();
            this.headerHandler = queryParamMapping.getTokenHandler();
        }

        public static QueryParamHandler from(Config config) {
            return from(QueryParamMapping.from(config));
        }

        public static QueryParamHandler from(QueryParamMapping queryParamMapping) {
            return new QueryParamHandler(queryParamMapping);
        }

        public static QueryParamHandler from(String str, TokenHandler tokenHandler) {
            return from(QueryParamMapping.create(str, tokenHandler));
        }

        /* JADX INFO: Access modifiers changed from: package-private */
        public void extract(ServerRequest serverRequest, Map<String, List<String>> map) {
            serverRequest.queryParams().all(this.queryParamName).forEach(str -> {
                this.headerHandler.addHeader(map, this.headerHandler.extractToken(str));
            });
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/helidon/security/webserver/SecurityHandler$ResponseProcessor.class */
    public static abstract class ResponseProcessor<T, R> implements Flow.Processor<T, R> {
        private final Flow.Publisher<T> externalPublisher;
        private Flow.Subscriber<? super R> subscriber;
        private volatile Flow.Subscription mySubscription;
        private volatile Flow.Subscription subscribersSubscription;
        private final CountDownLatch subscribedLatch = new CountDownLatch(1);
        private final AtomicBoolean isSubscribed = new AtomicBoolean();

        ResponseProcessor(Flow.Publisher<T> publisher) {
            this.externalPublisher = publisher;
        }

        public void subscribe(Flow.Subscriber<? super R> subscriber) {
            if (!this.isSubscribed.compareAndSet(false, true)) {
                subscriber.onError(new IllegalStateException("This publisher only supports a single subscriber."));
                return;
            }
            this.subscriber = subscriber;
            this.subscribersSubscription = new Flow.Subscription() { // from class: io.helidon.security.webserver.SecurityHandler.ResponseProcessor.1
                public void request(long j) {
                    try {
                        ResponseProcessor.this.subscribedLatch.await();
                        ResponseProcessor.this.mySubscription.request(j);
                    } catch (InterruptedException e) {
                        Thread.currentThread().interrupt();
                        ResponseProcessor.this.mySubscription.cancel();
                    }
                }

                public void cancel() {
                    try {
                        ResponseProcessor.this.subscribedLatch.await();
                    } catch (InterruptedException e) {
                        Thread.currentThread().interrupt();
                    }
                    ResponseProcessor.this.mySubscription.cancel();
                }
            };
            this.externalPublisher.subscribe(this);
            subscriber.onSubscribe(this.subscribersSubscription);
        }

        public void onSubscribe(Flow.Subscription subscription) {
            this.mySubscription = subscription;
            this.subscribedLatch.countDown();
        }

        public void onError(Throwable th) {
            this.subscriber.onError(th);
        }

        public void onComplete() {
            this.subscriber.onComplete();
        }

        Flow.Subscriber<? super R> getSubscriber() {
            return this.subscriber;
        }
    }

    private SecurityHandler(Builder builder) {
        this.queryParamHandlers = new LinkedList();
        this.configMap = new HashMap();
        this.combinedHandler = new AtomicReference<>();
        this.rolesAllowed = builder.rolesAllowed.flatMap(set -> {
            return Optional.of(new HashSet(set));
        });
        this.customObjects = builder.customObjects.flatMap(classToInstanceStore -> {
            ClassToInstanceStore classToInstanceStore = new ClassToInstanceStore();
            classToInstanceStore.putAll(classToInstanceStore);
            return Optional.of(classToInstanceStore);
        });
        this.config = builder.config;
        this.explicitAuthenticator = builder.explicitAuthenticator;
        this.explicitAuthorizer = builder.explicitAuthorizer;
        this.authenticate = builder.authenticate;
        this.authenticationOptional = builder.authenticationOptional;
        this.audited = builder.audited;
        this.auditEventType = builder.auditEventType;
        this.auditMessageFormat = builder.auditMessageFormat;
        this.authorize = builder.authorize;
        this.combined = builder.combined;
        this.queryParamHandlers.addAll(builder.queryParamHandlers);
        this.config.ifPresent(config -> {
            config.asNodeList().forEach(config -> {
                this.configMap.put(config.name(), config);
            });
        });
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static SecurityHandler from(Config config, SecurityHandler securityHandler) {
        Builder builder = builder(securityHandler);
        OptionalHelper from = OptionalHelper.from(config.get(KEY_ROLES_ALLOWED).asOptionalList(String.class));
        Objects.requireNonNull(builder);
        from.ifPresentOrElse((v1) -> {
            r1.rolesAllowed(v1);
        }, () -> {
            Optional<Set<String>> optional = securityHandler.rolesAllowed;
            Objects.requireNonNull(builder);
            optional.ifPresent((v1) -> {
                r1.rolesAllowed(v1);
            });
        });
        if (config.exists()) {
            builder.config(config);
        }
        Optional asOptional = OptionalHelper.from(config.get(KEY_AUTHENTICATOR).value()).or(() -> {
            return securityHandler.explicitAuthenticator;
        }).asOptional();
        Objects.requireNonNull(builder);
        asOptional.ifPresent(builder::authenticator);
        Optional asOptional2 = OptionalHelper.from(config.get(KEY_AUTHORIZER).value()).or(() -> {
            return securityHandler.explicitAuthorizer;
        }).asOptional();
        Objects.requireNonNull(builder);
        asOptional2.ifPresent(builder::authorizer);
        Optional asOptional3 = OptionalHelper.from(config.get(KEY_AUTHENTICATE).asOptional(Boolean.class)).or(() -> {
            return securityHandler.authenticate;
        }).asOptional();
        Objects.requireNonNull(builder);
        asOptional3.ifPresent((v1) -> {
            r1.authenticate(v1);
        });
        Optional asOptional4 = OptionalHelper.from(config.get(KEY_AUTHENTICATION_OPTIONAL).asOptional(Boolean.class)).or(() -> {
            return securityHandler.authenticationOptional;
        }).asOptional();
        Objects.requireNonNull(builder);
        asOptional4.ifPresent((v1) -> {
            r1.authenticationOptional(v1);
        });
        Optional asOptional5 = OptionalHelper.from(config.get(KEY_AUDIT).asOptional(Boolean.class)).or(() -> {
            return securityHandler.audited;
        }).asOptional();
        Objects.requireNonNull(builder);
        asOptional5.ifPresent((v1) -> {
            r1.audit(v1);
        });
        Optional asOptional6 = OptionalHelper.from(config.get(KEY_AUTHORIZE).asOptional(Boolean.class)).or(() -> {
            return securityHandler.authorize;
        }).asOptional();
        Objects.requireNonNull(builder);
        asOptional6.ifPresent((v1) -> {
            r1.authorize(v1);
        });
        Optional asOptional7 = OptionalHelper.from(config.get(KEY_AUDIT_EVENT_TYPE).value()).or(() -> {
            return securityHandler.auditEventType;
        }).asOptional();
        Objects.requireNonNull(builder);
        asOptional7.ifPresent(builder::auditEventType);
        Optional asOptional8 = OptionalHelper.from(config.get(KEY_AUDIT_MESSAGE_FORMAT).value()).or(() -> {
            return securityHandler.auditMessageFormat;
        }).asOptional();
        Objects.requireNonNull(builder);
        asOptional8.ifPresent(builder::auditMessageFormat);
        config.get(KEY_QUERY_PARAM_HANDLERS).asOptionalList(QueryParamHandler.class).ifPresent(list -> {
            Objects.requireNonNull(builder);
            list.forEach(builder::addQueryParamHandler);
        });
        if (config.get(KEY_ROLES_ALLOWED).exists()) {
            if (!config.get(KEY_AUTHENTICATE).exists()) {
                builder.authenticate(true);
            }
            if (!config.get(KEY_AUTHORIZE).exists()) {
                builder.authorize(true);
            }
        }
        config.get(KEY_AUTHENTICATION_OPTIONAL).asOptional(Boolean.class).ifPresent(bool -> {
            if (!bool.booleanValue() || config.get(KEY_AUTHENTICATE).exists()) {
                return;
            }
            builder.authenticate(true);
        });
        config.get(KEY_AUTHENTICATOR).value().ifPresent(str -> {
            if (config.get(KEY_AUTHENTICATE).exists()) {
                return;
            }
            builder.authenticate(true);
        });
        config.get(KEY_AUTHORIZER).value().ifPresent(str2 -> {
            if (config.get(KEY_AUTHORIZE).exists()) {
                return;
            }
            builder.authorize(true);
        });
        return builder.m3build();
    }

    private static <T> void configure(Config config, String str, Optional<T> optional, Consumer<T> consumer, Class<T> cls) {
        OptionalHelper.from(config.get(str).asOptional(cls)).or(() -> {
            return optional;
        }).asOptional().ifPresent(consumer);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static SecurityHandler newInstance() {
        return DEFAULT_INSTANCE;
    }

    private static Builder builder() {
        return new Builder();
    }

    private static Builder builder(SecurityHandler securityHandler) {
        return new Builder().configureFrom(securityHandler);
    }

    static void traceError(Span span, Throwable th) {
        Tags.ERROR.set(span, true);
        span.log(CollectionsHelper.mapOf("event", "error", "error.object", th));
        span.finish();
    }

    void extractQueryParams(SecurityContext securityContext, ServerRequest serverRequest) {
        HashMap hashMap = new HashMap();
        this.queryParamHandlers.forEach(queryParamHandler -> {
            queryParamHandler.extract(serverRequest, hashMap);
        });
        securityContext.setEnv(securityContext.getEnv().derive().headers(hashMap).build());
    }

    public void accept(ServerRequest serverRequest, ServerResponse serverResponse) {
        SecurityContext securityContext = (SecurityContext) serverRequest.context().get(SecurityContext.class).orElseThrow(() -> {
            return new SecurityException("Security context not present. Maybe you forgot to Routing.builder().register(SecurityAdapter.from(security))...");
        });
        if (this.combined) {
            processSecurity(securityContext, serverRequest, serverResponse);
            return;
        }
        if (null == this.combinedHandler.get()) {
            SecurityHandler securityHandler = (SecurityHandler) serverRequest.context().get(SecurityHandler.class).orElse(DEFAULT_INSTANCE);
            if (securityHandler == DEFAULT_INSTANCE) {
                this.combinedHandler.set(this);
            } else {
                this.combinedHandler.compareAndSet(null, builder(securityHandler).configureFrom(this).combined().m3build());
            }
        }
        this.combinedHandler.get().processSecurity(securityContext, serverRequest, serverResponse);
    }

    private void processSecurity(SecurityContext securityContext, ServerRequest serverRequest, ServerResponse serverResponse) {
        Tracer tracer = securityContext.getTracer();
        Span start = tracer.buildSpan("security").asChildOf(securityContext.getTracingSpan()).start();
        start.log(CollectionsHelper.mapOf("securityId", securityContext.getId()));
        extractQueryParams(securityContext, serverRequest);
        securityContext.setEndpointConfig(securityContext.getEndpointConfig().derive().configMap(this.configMap).customObjects(this.customObjects.orElse(new ClassToInstanceStore<>())).build());
        processAuthentication(serverRequest, serverResponse, securityContext, tracer, start).thenCompose(atxResult -> {
            return atxResult.proceed ? processAuthorization(serverRequest, serverResponse, securityContext, tracer, start) : CompletableFuture.completedFuture(AtxResult.STOP);
        }).thenAccept(atxResult2 -> {
            if (!atxResult2.proceed) {
                start.log("status: DENY");
                start.finish();
            } else {
                start.log("status: PROCEED");
                start.finish();
                serverRequest.next();
            }
        }).exceptionally(th -> {
            traceError(start, th);
            LOGGER.log(Level.SEVERE, "Unexpected exception during security processing", th);
            abortRequest(serverResponse, null, Http.Status.INTERNAL_SERVER_ERROR_500.code(), CollectionsHelper.mapOf());
            return null;
        });
        serverResponse.whenSent().thenAccept(serverResponse2 -> {
            processAudit(serverRequest, serverResponse2, securityContext);
        });
    }

    private void processAudit(ServerRequest serverRequest, ServerResponse serverResponse, SecurityContext securityContext) {
        AuditEvent.AuditSeverity auditSeverity;
        if (this.audited.orElse(true).booleanValue()) {
            if (!this.audited.isPresent() && (serverRequest.method() instanceof Http.Method)) {
                switch (AnonymousClass5.$SwitchMap$io$helidon$common$http$Http$Method[serverRequest.method().ordinal()]) {
                    case 1:
                    case 2:
                        return;
                }
            }
            switch (AnonymousClass5.$SwitchMap$io$helidon$common$http$Http$ResponseStatus$Family[serverResponse.status().family().ordinal()]) {
                case 1:
                case 2:
                case 3:
                    auditSeverity = AuditEvent.AuditSeverity.SUCCESS;
                    break;
                case 4:
                case 5:
                case 6:
                default:
                    auditSeverity = AuditEvent.AuditSeverity.FAILURE;
                    break;
            }
            SecurityAuditEvent addParam = SecurityAuditEvent.audit(auditSeverity, this.auditEventType.orElse(DEFAULT_AUDIT_EVENT_TYPE), this.auditMessageFormat.orElse(DEFAULT_AUDIT_MESSAGE_FORMAT)).addParam(AuditEvent.AuditParam.plain("method", serverRequest.method())).addParam(AuditEvent.AuditParam.plain("path", serverRequest.path())).addParam(AuditEvent.AuditParam.plain("status", String.valueOf(serverResponse.status().code()))).addParam(AuditEvent.AuditParam.plain("subject", securityContext.getUser().orElse(SecurityContext.ANONYMOUS))).addParam(AuditEvent.AuditParam.plain("transport", "http")).addParam(AuditEvent.AuditParam.plain("resourceType", "http")).addParam(AuditEvent.AuditParam.plain("targetUri", serverRequest.uri()));
            securityContext.getService().ifPresent(subject -> {
                addParam.addParam(AuditEvent.AuditParam.plain("service", subject.toString()));
            });
            securityContext.audit(addParam);
        }
    }

    private CompletionStage<AtxResult> processAuthentication(ServerRequest serverRequest, ServerResponse serverResponse, SecurityContext securityContext, Tracer tracer, Span span) {
        if (!this.authenticate.orElse(false).booleanValue()) {
            return CompletableFuture.completedFuture(AtxResult.PROCEED);
        }
        CompletableFuture completableFuture = new CompletableFuture();
        Span start = tracer.buildSpan("security:atn").asChildOf(span).start();
        SecurityClientBuilder atnClientBuilder = securityContext.atnClientBuilder();
        configureSecurityRequest(atnClientBuilder, serverRequest, serverResponse, start);
        atnClientBuilder.explicitProvider(this.explicitAuthenticator.orElse(null)).submit().thenAccept(authenticationResponse -> {
            switch (AnonymousClass5.$SwitchMap$io$helidon$security$SecurityResponse$SecurityStatus[authenticationResponse.getStatus().ordinal()]) {
                case 1:
                    break;
                case 2:
                    if (atnFinishFailure(serverResponse, completableFuture, authenticationResponse)) {
                        atnSpanFinish(start, authenticationResponse);
                        return;
                    }
                    break;
                case 3:
                    atnFinish(serverResponse, completableFuture, authenticationResponse);
                    atnSpanFinish(start, authenticationResponse);
                    return;
                case 4:
                case 5:
                    if (atnAbstainFailure(serverResponse, completableFuture, authenticationResponse)) {
                        atnSpanFinish(start, authenticationResponse);
                        return;
                    }
                    break;
                default:
                    SecurityException securityException = new SecurityException("Invalid SecurityStatus returned: " + authenticationResponse.getStatus());
                    completableFuture.completeExceptionally(securityException);
                    traceError(start, securityException);
                    return;
            }
            atnSpanFinish(start, authenticationResponse);
            completableFuture.complete(new AtxResult(atnClientBuilder.buildRequest()));
        }).exceptionally(th -> {
            traceError(start, th);
            completableFuture.completeExceptionally(th);
            return null;
        });
        return completableFuture;
    }

    private void atnSpanFinish(Span span, AuthenticationResponse authenticationResponse) {
        authenticationResponse.getUser().ifPresent(subject -> {
            span.log("security.user: " + subject.getPrincipal().getName());
        });
        authenticationResponse.getService().ifPresent(subject2 -> {
            span.log("security.service: " + subject2.getPrincipal().getName());
        });
        span.log("status: " + authenticationResponse.getStatus());
        span.finish();
    }

    private boolean atnAbstainFailure(ServerResponse serverResponse, CompletableFuture<AtxResult> completableFuture, AuthenticationResponse authenticationResponse) {
        if (this.authenticationOptional.orElse(false).booleanValue()) {
            LOGGER.finest("Authentication failed, but was optional, so assuming anonymous");
            return false;
        }
        abortRequest(serverResponse, authenticationResponse, Http.Status.UNAUTHORIZED_401.code(), CollectionsHelper.mapOf("WWW-Authenticate", CollectionsHelper.listOf(new String[]{"Basic realm=\"Security Realm\""})));
        completableFuture.complete(AtxResult.STOP);
        return true;
    }

    private boolean atnFinishFailure(ServerResponse serverResponse, CompletableFuture<AtxResult> completableFuture, AuthenticationResponse authenticationResponse) {
        if (this.authenticationOptional.orElse(false).booleanValue()) {
            LOGGER.finest("Authentication failed, but was optional, so assuming anonymous");
            return false;
        }
        abortRequest(serverResponse, authenticationResponse, Http.Status.UNAUTHORIZED_401.code(), CollectionsHelper.mapOf());
        completableFuture.complete(AtxResult.STOP);
        return true;
    }

    private void atnFinish(ServerResponse serverResponse, CompletableFuture<AtxResult> completableFuture, AuthenticationResponse authenticationResponse) {
        abortRequest(serverResponse, authenticationResponse, Http.Status.OK_200.code(), CollectionsHelper.mapOf());
        completableFuture.complete(AtxResult.STOP);
    }

    private void abortRequest(ServerResponse serverResponse, SecurityResponse securityResponse, int i, Map<String, List<String>> map) {
        int orElse = null == securityResponse ? i : securityResponse.getStatusCode().orElse(i);
        Map<String, List<String>> responseHeaders = null == securityResponse ? map : securityResponse.getResponseHeaders();
        Map<String, List<String>> map2 = responseHeaders.isEmpty() ? map : responseHeaders;
        ResponseHeaders headers = serverResponse.headers();
        for (Map.Entry<String, List<String>> entry : map2.entrySet()) {
            headers.put(entry.getKey(), entry.getValue());
        }
        serverResponse.status(orElse);
        serverResponse.send();
    }

    private void configureSecurityRequest(SecurityRequestBuilder<? extends SecurityRequestBuilder<?>> securityRequestBuilder, ServerRequest serverRequest, ServerResponse serverResponse, Span span) {
        securityRequestBuilder.optional(this.authenticationOptional.orElse(false).booleanValue()).tracingSpan(span).requestMessage(toRequestMessage(serverRequest)).responseMessage(toResponseMessage(serverResponse));
    }

    private Entity toResponseMessage(ServerResponse serverResponse) {
        return function -> {
            serverResponse.registerFilter(publisher -> {
                return new ResponseProcessor<ByteBuffer, DataChunk>((Flow.Publisher) function.apply(new ResponseProcessor<DataChunk, ByteBuffer>(publisher) { // from class: io.helidon.security.webserver.SecurityHandler.1
                    public void onNext(DataChunk dataChunk) {
                        getSubscriber().onNext(dataChunk.data());
                    }
                })) { // from class: io.helidon.security.webserver.SecurityHandler.2
                    public void onNext(ByteBuffer byteBuffer) {
                        getSubscriber().onNext(DataChunk.create(true, byteBuffer));
                    }
                };
            });
        };
    }

    private Entity toRequestMessage(ServerRequest serverRequest) {
        return function -> {
            serverRequest.content().registerFilter(publisher -> {
                return new ResponseProcessor<ByteBuffer, DataChunk>((Flow.Publisher) function.apply(new ResponseProcessor<DataChunk, ByteBuffer>(publisher) { // from class: io.helidon.security.webserver.SecurityHandler.3
                    public void onNext(DataChunk dataChunk) {
                        getSubscriber().onNext(dataChunk.data());
                    }
                })) { // from class: io.helidon.security.webserver.SecurityHandler.4
                    public void onNext(ByteBuffer byteBuffer) {
                        getSubscriber().onNext(DataChunk.create(byteBuffer));
                    }
                };
            });
        };
    }

    private CompletionStage<AtxResult> processAuthorization(ServerRequest serverRequest, ServerResponse serverResponse, SecurityContext securityContext, Tracer tracer, Span span) {
        CompletableFuture completableFuture = new CompletableFuture();
        if (!this.authorize.orElse(false).booleanValue()) {
            completableFuture.complete(AtxResult.PROCEED);
            return completableFuture;
        }
        Span start = tracer.buildSpan("security:atz").asChildOf(span).start();
        Set<String> orElse = this.rolesAllowed.orElse(CollectionsHelper.setOf());
        if (!orElse.isEmpty()) {
            if (!this.explicitAuthorizer.isPresent()) {
                Stream<String> stream = orElse.stream();
                Objects.requireNonNull(securityContext);
                if (stream.noneMatch(securityContext::isUserInRole)) {
                    abortRequest(serverResponse, null, Http.Status.FORBIDDEN_403.code(), CollectionsHelper.mapOf());
                    completableFuture.complete(AtxResult.STOP);
                    start.finish();
                    return completableFuture;
                }
            } else if (orElse.stream().noneMatch(str -> {
                return securityContext.isUserInRole(str, this.explicitAuthorizer.get());
            })) {
                abortRequest(serverResponse, null, Http.Status.FORBIDDEN_403.code(), CollectionsHelper.mapOf());
                completableFuture.complete(AtxResult.STOP);
                start.finish();
                return completableFuture;
            }
        }
        SecurityClientBuilder atzClientBuilder = securityContext.atzClientBuilder();
        configureSecurityRequest(atzClientBuilder, serverRequest, serverResponse, start);
        atzClientBuilder.explicitProvider(this.explicitAuthorizer.orElse(null)).submit().thenAccept(authorizationResponse -> {
            switch (AnonymousClass5.$SwitchMap$io$helidon$security$SecurityResponse$SecurityStatus[authorizationResponse.getStatus().ordinal()]) {
                case 1:
                    start.finish();
                    completableFuture.complete(AtxResult.PROCEED);
                    return;
                case 2:
                case 3:
                    int code = authorizationResponse.getStatus() == SecurityResponse.SecurityStatus.FAILURE_FINISH ? Http.Status.FORBIDDEN_403.code() : Http.Status.OK_200.code();
                    start.finish();
                    abortRequest(serverResponse, authorizationResponse, code, CollectionsHelper.mapOf());
                    completableFuture.complete(AtxResult.STOP);
                    return;
                case 4:
                case 5:
                    start.finish();
                    abortRequest(serverResponse, authorizationResponse, Http.Status.FORBIDDEN_403.code(), CollectionsHelper.mapOf());
                    completableFuture.complete(AtxResult.STOP);
                    return;
                default:
                    SecurityException securityException = new SecurityException("Invalid SecurityStatus returned: " + authorizationResponse.getStatus());
                    traceError(start, securityException);
                    completableFuture.completeExceptionally(securityException);
                    return;
            }
        }).exceptionally(th -> {
            traceError(start, th);
            completableFuture.completeExceptionally(th);
            return null;
        });
        return completableFuture;
    }

    public List<QueryParamHandler> getQueryParamHandlers() {
        return Collections.unmodifiableList(this.queryParamHandlers);
    }

    public SecurityHandler authenticator(String str) {
        return builder(this).authenticator(str).m3build();
    }

    public SecurityHandler authorizer(String str) {
        return builder(this).authorizer(str).m3build();
    }

    public SecurityHandler rolesAllowed(String... strArr) {
        return builder(this).rolesAllowed(strArr).authorize(true).authenticate(true).m3build();
    }

    public SecurityHandler authenticationOptional() {
        return builder(this).authenticationOptional(true).m3build();
    }

    public SecurityHandler authenticate() {
        return builder(this).authenticate(true).m3build();
    }

    public SecurityHandler skipAuthentication() {
        return builder(this).authenticate(false).m3build();
    }

    public SecurityHandler customObject(Object obj) {
        return builder(this).customObject(obj).m3build();
    }

    public SecurityHandler auditEventType(String str) {
        return builder(this).auditEventType(str).m3build();
    }

    public SecurityHandler auditMessageFormat(String str) {
        return builder(this).auditMessageFormat(str).m3build();
    }

    public SecurityHandler authorize() {
        return builder(this).authorize(true).m3build();
    }

    public SecurityHandler skipAuthorization() {
        return builder(this).authorize(false).m3build();
    }

    public SecurityHandler audit() {
        return builder(this).audit(true).m3build();
    }

    public SecurityHandler skipAudit() {
        return builder(this).audit(false).m3build();
    }

    public SecurityHandler queryParam(String str, TokenHandler tokenHandler) {
        return builder(this).addQueryParamHandler(QueryParamHandler.from(str, tokenHandler)).m3build();
    }
}
