package io.micronaut.security.filters;

import io.micronaut.http.HttpAttributes;
import io.micronaut.http.HttpRequest;
import io.micronaut.http.MutableHttpResponse;
import io.micronaut.http.annotation.Filter;
import io.micronaut.http.filter.OncePerRequestHttpServerFilter;
import io.micronaut.http.filter.ServerFilterChain;
import io.micronaut.security.handlers.RejectionHandler;
import io.micronaut.security.rules.SecurityRule;
import io.micronaut.security.rules.SecurityRuleResult;
import io.micronaut.security.token.propagation.TokenPropagationConfigurationProperties;
import io.micronaut.web.router.RouteMatch;
import io.micronaut.web.router.RouteMatchUtils;
import io.reactivex.Flowable;
import java.util.Collection;
import java.util.Iterator;
import java.util.Map;
import java.util.Optional;
import java.util.stream.Collectors;
import javax.annotation.Nullable;
import org.reactivestreams.Publisher;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

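/**
 * HTTP server filter that resolves the request's authentication and then asks the
 * configured {@link SecurityRule}s whether the request may proceed.
 *
 * <p>The decision is default-deny: a request continues down the filter chain only when
 * some rule returns {@link SecurityRuleResult#ALLOWED} before any rule returns
 * {@link SecurityRuleResult#REJECTED}. If no rule decides, the request is handed to the
 * {@link RejectionHandler}.
 */
// NOTE(review): the path pattern is borrowed from the token-propagation configuration
// class (likely a decompiler constant substitution). Confirm it is the match-all pattern,
// otherwise requests outside it bypass this filter.
@Filter({TokenPropagationConfigurationProperties.DEFAULT_PATH})
public class SecurityFilter extends OncePerRequestHttpServerFilter {
    /** Request attribute under which the resolved authentication (or {@code null}) is stored. */
    public static final CharSequence AUTHENTICATION = HttpAttributes.PRINCIPAL;
    /** Request attribute name for the token; it is only declared here, not written by this class. */
    public static final CharSequence TOKEN = "micronaut.TOKEN";
    private static final Logger LOG = LoggerFactory.getLogger(SecurityFilter.class);
    protected final Integer order;
    protected final Collection<SecurityRule> securityRules;
    protected final Collection<AuthenticationFetcher> authenticationFetchers;
    protected final RejectionHandler rejectionHandler;

    /**
     * Creates the filter.
     *
     * @param collection the security rules, consulted in iteration order
     * @param collection2 the authentication fetchers used to resolve the caller
     * @param rejectionHandler produces the response for rejected requests
     * @param securityFilterOrderProvider optional source of the filter order; order 0 is used when {@code null}
     */
    public SecurityFilter(Collection<SecurityRule> collection, Collection<AuthenticationFetcher> collection2, RejectionHandler rejectionHandler, @Nullable SecurityFilterOrderProvider securityFilterOrderProvider) {
        this.securityRules = collection;
        this.authenticationFetchers = collection2;
        this.rejectionHandler = rejectionHandler;
        this.order = securityFilterOrderProvider != null ? securityFilterOrderProvider.getOrder() : 0;
    }

    /**
     * @return the filter order chosen at construction time
     */
    public int getOrder() {
        return this.order;
    }

    /**
     * Resolves the authentication for the request and evaluates the security rules.
     *
     * <p>The first authentication emitted by any fetcher is stored under
     * {@link #AUTHENTICATION} and its attributes are passed to the rules. When no fetcher
     * emits anything, the attribute is set to {@code null} and the rules are evaluated
     * with {@code null} attributes.
     *
     * <p>NOTE(review): the fetchers are merged with {@code flatMap}, so if they emit
     * asynchronously the authentication that wins is the first one emitted, not
     * necessarily the one from the first fetcher in collection order. Confirm this is intended.
     *
     * @param httpRequest the incoming request
     * @param serverFilterChain the chain to continue when a rule allows the request
     * @return the downstream response when allowed, otherwise the rejection handler's response
     */
    public Publisher<MutableHttpResponse<?>> doFilterOnce(HttpRequest<?> httpRequest, ServerFilterChain serverFilterChain) {
        String httpMethod = httpRequest.getMethod().toString();
        String path = httpRequest.getPath();
        return Flowable.fromIterable(this.authenticationFetchers)
            .flatMap(fetcher -> fetcher.fetchAuthentication(httpRequest))
            .firstElement()
            .toFlowable()
            .flatMap(authentication -> {
                httpRequest.setAttribute(AUTHENTICATION, authentication);
                Map<String, Object> attributes = authentication.getAttributes();
                if (LOG.isDebugEnabled()) {
                    // The values may be token claims or other personal data, so keep DEBUG
                    // off for this logger in production or treat the log as sensitive.
                    LOG.debug("Attributes: {}", describeAttributes(attributes));
                }
                return evaluateRules(httpRequest, serverFilterChain, attributes, true, httpMethod, path);
            })
            // Flowable.just(...).flatMap keeps the unauthenticated branch lazy: it runs only
            // when the authenticated branch completed without emitting.
            .switchIfEmpty(Flowable.just(this.securityRules).flatMap(rules -> {
                httpRequest.setAttribute(AUTHENTICATION, (Object) null);
                LOG.debug("Failure to authenticate request. {} {}.", httpMethod, path);
                return evaluateRules(httpRequest, serverFilterChain, null, false, httpMethod, path);
            }));
    }

    /**
     * Runs the security rules in order and acts on the first decisive result.
     *
     * @param httpRequest the request being checked
     * @param serverFilterChain the chain to continue on {@link SecurityRuleResult#ALLOWED}
     * @param attributes the authentication attributes, or {@code null} when unauthenticated
     * @param authenticated whether an authentication was resolved; passed to the rejection
     *        handler as its second argument (presumably forbidden versus unauthorized;
     *        confirm against {@link RejectionHandler})
     * @param httpMethod the request method, used only for logging
     * @param path the request path, used only for logging
     * @return the downstream response or the rejection response
     */
    private Publisher<MutableHttpResponse<?>> evaluateRules(HttpRequest<?> httpRequest, ServerFilterChain serverFilterChain, @Nullable Map<String, Object> attributes, boolean authenticated, String httpMethod, String path) {
        RouteMatch routeMatch = (RouteMatch) RouteMatchUtils.findRouteMatchAtRequest(httpRequest).orElse(null);
        for (SecurityRule securityRule : this.securityRules) {
            SecurityRuleResult result = securityRule.check(httpRequest, routeMatch, attributes);
            if (result == SecurityRuleResult.REJECTED) {
                LOG.debug("Unauthorized request {} {}. The rule provider {} rejected the request.", httpMethod, path, securityRule.getClass().getName());
                return this.rejectionHandler.reject(httpRequest, authenticated);
            }
            if (result == SecurityRuleResult.ALLOWED) {
                LOG.debug("Authorized request {} {}. The rule provider {} authorized the request.", httpMethod, path, securityRule.getClass().getName());
                return serverFilterChain.proceed(httpRequest);
            }
        }
        // Default deny: no rule gave a decisive answer.
        return this.rejectionHandler.reject(httpRequest, authenticated);
    }

    /**
     * Renders authentication attributes as {@code key=>value} pairs for debug logging.
     * Null-safe, so a {@code null} map or {@code null} value cannot fail the request just
     * because debug logging is enabled.
     */
    private static String describeAttributes(@Nullable Map<String, Object> attributes) {
        if (attributes == null) {
            return "";
        }
        return attributes.entrySet().stream()
            .map(entry -> entry.getKey() + "=>" + entry.getValue())
            .collect(Collectors.joining(", "));
    }
}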
