package cloud.piranha.extension.exousia;

import cloud.piranha.core.api.SecurityManager;
import cloud.piranha.core.api.WebApplication;
import cloud.piranha.core.impl.DefaultAuthenticatedIdentity;
import cloud.piranha.extension.webxml.WebXmlManager;
import jakarta.security.jacc.PolicyConfiguration;
import jakarta.security.jacc.PolicyContextException;
import jakarta.servlet.ServletContainerInitializer;
import jakarta.servlet.ServletContext;
import jakarta.servlet.ServletException;
import java.security.Permission;
import java.security.Policy;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.function.Supplier;
import java.util.stream.Collectors;
import javax.security.auth.Subject;
import org.glassfish.exousia.AuthorizationService;
import org.glassfish.exousia.constraints.SecurityConstraint;
import org.glassfish.exousia.constraints.WebResourceCollection;
import org.glassfish.exousia.mapping.SecurityRoleRef;

/* loaded from: input_file:cloud/piranha/extension/exousia/AuthorizationPreInitializer.class */
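/**
 * Pre-initializer that wires Exousia's {@link AuthorizationService} into a Piranha web application.
 *
 * <p>On startup it creates the authorization service, declares every role named by a security
 * constraint, fills the JACC policy either from explicitly supplied permissions or from the merged
 * security constraints, commits the policy, and finally maps {@link AuthorizationPreFilter} to
 * every request ({@code "/*"}).
 *
 * <p>All configuration is read from servlet-context attributes named by the constants below.
 * {@link #AUTHZ_FACTORY_CLASS} and {@link #AUTHZ_POLICY_CLASS} are required; the others are
 * optional.
 */
public class AuthorizationPreInitializer implements ServletContainerInitializer {

    /** Attribute under which the created {@link AuthorizationService} is published. */
    public static final String AUTHZ_SERVICE = AuthorizationPreInitializer.class.getName() + ".authz.service";

    /** Required attribute: the policy configuration factory class handed to Exousia. */
    public static final String AUTHZ_FACTORY_CLASS = AuthorizationPreInitializer.class.getName() + ".authz.factory.class";

    /** Required attribute: the {@link Policy} implementation class handed to Exousia. */
    public static final String AUTHZ_POLICY_CLASS = AuthorizationPreInitializer.class.getName() + ".authz.module.class";

    /** Optional attribute: a {@code List<Permission>} granted to every caller (unchecked policy). */
    public static final String UNCHECKED_PERMISSIONS = AuthorizationPreInitializer.class.getName() + ".unchecked.permissions";

    /** Optional attribute: a {@code List<Map.Entry<String, Permission>>} of role name to permission. */
    public static final String PERROLE_PERMISSIONS = AuthorizationPreInitializer.class.getName() + ".perrole.permissions";

    /** Optional attribute: programmatically supplied {@code List<SecurityConstraint>}. */
    public static final String CONSTRAINTS = AuthorizationPreInitializer.class.getName() + ".constraints";

    /** Optional attribute: Piranha security elements, converted to constraints by the converter. */
    public static final String SECURITY_ELEMENTS = AuthorizationPreInitializer.class.getName() + ".security.elements";

    /**
     * Optional attribute: security-annotation data, converted to constraints by the converter.
     *
     * <p>Unlike the other keys this is a fixed literal rather than being derived from the class
     * name, so it does not follow this class if it moves; it must match whatever component
     * writes the attribute — verify against the producer side before changing either.
     */
    public static final String SECURITY_ANNOTATIONS = "cloud.piranha.authorization.exousia.AuthorizationPreInitializer.security.annotations";

    /** Translates Piranha's security model (web.xml, elements, annotations) into Exousia constraints. */
    PiranhaToExousiaConverter piranhaToExousiaConverter = new PiranhaToExousiaConverter();

    /**
     * Builds the authorization service and policy for the application and installs the
     * authorization filter.
     *
     * @param set            the classes handed over by the container; not used here
     * @param servletContext the servlet context, which must be a Piranha {@link WebApplication}
     * @throws ServletException if a required attribute is missing
     */
    @Override // jakarta.servlet.ServletContainerInitializer
    public void onStartup(Set<Class<?>> set, ServletContext servletContext) throws ServletException {
        // Piranha passes its own WebApplication as the ServletContext; everything below relies on it.
        WebApplication webApplication = (WebApplication) servletContext;
        AuthorizationService authorizationService = getAuthorizationService(webApplication);
        List<SecurityConstraint> allSecurityConstraints = getAllSecurityConstraints(webApplication);

        // Roles referenced by any constraint are declared regardless of which policy source wins below.
        SecurityManager securityManager = (SecurityManager) webApplication.getManager(SecurityManager.class);
        for (SecurityConstraint constraint : allSecurityConstraints) {
            securityManager.declareRoles(constraint.getRolesAllowed());
        }

        // Explicit permissions and constraints are alternatives, not merged: when either
        // permissions attribute is present the constraints are ignored for the policy.
        // NOTE(review): in that branch the role names used as PERROLE_PERMISSIONS keys are not
        // declared with the SecurityManager here — confirm the supplier is expected to do so.
        if (hasPermissionsSet(webApplication)) {
            setPermissions(webApplication, authorizationService);
        } else {
            setConstraints(webApplication, authorizationService, allSecurityConstraints);
        }

        // The policy is committed before the filter is mapped, so it is in effect for every
        // request the filter authorizes.
        authorizationService.commitPolicy();
        addAuthorizationPreFilter(webApplication);
    }

    /**
     * Creates the {@link AuthorizationService} from the required class attributes and publishes
     * it under {@link #AUTHZ_SERVICE}.
     *
     * <p>The caller's {@link Subject} is taken from {@link DefaultAuthenticatedIdentity} and the
     * current request from the holder exposed by {@link AuthorizationPreFilter} (presumably
     * request-scoped/thread-local — see that class).
     *
     * @throws ServletException if either class attribute is absent
     */
    private AuthorizationService getAuthorizationService(WebApplication webApplication) throws ServletException {
        // Presence is checked, type is not: an attribute of the wrong type surfaces as a
        // ClassCastException rather than a ServletException.
        Class<?> factoryClass = getAttribute(webApplication, AUTHZ_FACTORY_CLASS);
        Class<? extends Policy> policyClass = getAttribute(webApplication, AUTHZ_POLICY_CLASS);

        AuthorizationService authorizationService = new AuthorizationService(
            factoryClass,
            policyClass,
            webApplication.getServletContextId(),
            (Supplier<Subject>) DefaultAuthenticatedIdentity::getCurrentSubject,
            new PiranhaPrincipalMapper());
        authorizationService.setRequestSupplier(() -> AuthorizationPreFilter.getLocalServletRequest().get());
        webApplication.setAttribute(AUTHZ_SERVICE, authorizationService);
        return authorizationService;
    }

    /**
     * Collects constraints from every source and merges them with
     * {@link SecurityConstraint#join}, in this order: security elements, annotation-derived
     * constraints (minus URL patterns already covered by web.xml), the {@link #CONSTRAINTS}
     * attribute, and web.xml constraints.
     *
     * @return the merged constraints, never {@code null}
     * @throws ServletException if the web.xml manager attribute is missing
     */
    private List<SecurityConstraint> getAllSecurityConstraints(WebApplication webApplication) throws ServletException {
        List<SecurityConstraint> constraintsFromWebXml = getConstraintsFromWebXml(webApplication);
        List<SecurityConstraint> programmaticConstraints = getOptionalAttribute(webApplication, CONSTRAINTS);
        List<SecurityConstraint> joined = SecurityConstraint.join(
            getConstraintsFromSecurityElements(webApplication),
            filterAnnotatedConstraints(constraintsFromWebXml, getConstraintsFromSecurityAnnotations(webApplication)),
            programmaticConstraints,
            constraintsFromWebXml);
        return joined == null ? Collections.emptyList() : joined;
    }

    /**
     * Registers {@link AuthorizationPreFilter} on {@code "/*"} so every request, including
     * async dispatches, passes through it.
     */
    private void addAuthorizationPreFilter(WebApplication webApplication) {
        String filterName = AuthorizationPreFilter.class.getSimpleName();
        webApplication.addFilter(filterName, AuthorizationPreFilter.class).setAsyncSupported(true);
        webApplication.addFilterMapping(filterName, "/*");
    }

    /**
     * Removes from the annotation-derived constraints every URL pattern that a web.xml
     * constraint already declares, so web.xml takes effect for those patterns.
     *
     * <p>Only identical pattern strings are removed: a web.xml {@code "/*"} does not suppress an
     * annotated {@code "/admin"}. Resource collections left without patterns, and constraints
     * left without collections, are dropped.
     *
     * @param webXmlConstraints    constraints from web.xml, may be {@code null}
     * @param annotatedConstraints constraints from annotations, may be {@code null}
     * @return the filtered annotated constraints, or {@code annotatedConstraints} unchanged when
     *         either argument is {@code null}
     */
    private List<SecurityConstraint> filterAnnotatedConstraints(List<SecurityConstraint> webXmlConstraints, List<SecurityConstraint> annotatedConstraints) {
        if (isAnyNull(webXmlConstraints, annotatedConstraints)) {
            return annotatedConstraints;
        }
        Set<String> webXmlPatterns = webXmlConstraints.stream()
            .flatMap(constraint -> constraint.getWebResourceCollections().stream())
            .flatMap(collection -> collection.getUrlPatterns().stream())
            .collect(Collectors.toSet());

        List<SecurityConstraint> filtered = new ArrayList<>();
        for (SecurityConstraint constraint : annotatedConstraints) {
            List<WebResourceCollection> keptCollections = new ArrayList<>();
            for (WebResourceCollection collection : constraint.getWebResourceCollections()) {
                WebResourceCollection kept = collection;
                if (!Collections.disjoint(webXmlPatterns, collection.getUrlPatterns())) {
                    Set<String> remaining = new HashSet<>(collection.getUrlPatterns());
                    remaining.removeAll(webXmlPatterns);
                    // Methods and omissions are carried over unchanged; only the patterns shrink.
                    kept = remaining.isEmpty()
                        ? null
                        : new WebResourceCollection(remaining, collection.getHttpMethods(), collection.getHttpMethodOmissions());
                }
                if (kept != null) {
                    keptCollections.add(kept);
                }
            }
            if (!keptCollections.isEmpty()) {
                filtered.add(new SecurityConstraint(keptCollections, constraint.getRolesAllowed(), constraint.getTransportGuarantee()));
            }
        }
        return filtered;
    }

    /** Converts the optional {@link #SECURITY_ELEMENTS} attribute into constraints. */
    private List<SecurityConstraint> getConstraintsFromSecurityElements(ServletContext servletContext) {
        return this.piranhaToExousiaConverter.getConstraintsFromSecurityElements(getOptionalAttribute(servletContext, SECURITY_ELEMENTS));
    }

    /** Converts the optional {@link #SECURITY_ANNOTATIONS} attribute into constraints. */
    private List<SecurityConstraint> getConstraintsFromSecurityAnnotations(ServletContext servletContext) {
        return this.piranhaToExousiaConverter.getConstraintsFromSecurityAnnotations(getOptionalAttribute(servletContext, SECURITY_ANNOTATIONS));
    }

    /**
     * Converts the application's web.xml into constraints.
     *
     * @throws ServletException if the {@link WebXmlManager} attribute is missing
     */
    private List<SecurityConstraint> getConstraintsFromWebXml(WebApplication webApplication) throws ServletException {
        WebXmlManager webXmlManager = getAttribute(webApplication, WebXmlManager.KEY);
        return this.piranhaToExousiaConverter.getConstraintsFromWebXml(webXmlManager.getWebXml());
    }

    /**
     * Returns the security-role-ref mappings declared in web.xml, keyed by servlet name, for the
     * servlets currently registered with the application.
     *
     * @throws ServletException if the {@link WebXmlManager} attribute is missing
     */
    public Map<String, List<SecurityRoleRef>> getSecurityRoleRefsFromWebXml(WebApplication webApplication) throws ServletException {
        WebXmlManager webXmlManager = getAttribute(webApplication, WebXmlManager.KEY);
        return this.piranhaToExousiaConverter.getSecurityRoleRefsFromWebXml(
            webApplication.getServletRegistrations().keySet(), webXmlManager.getWebXml());
    }

    /** True when either permissions attribute is present, i.e. explicit permissions replace constraints. */
    private boolean hasPermissionsSet(ServletContext servletContext) {
        return getOptionalAttribute(servletContext, UNCHECKED_PERMISSIONS) != null
            || getOptionalAttribute(servletContext, PERROLE_PERMISSIONS) != null;
    }

    /**
     * Copies the explicitly supplied permissions into the policy configuration: unchecked
     * permissions apply to every caller, per-role permissions only to members of that role.
     *
     * @throws IllegalStateException wrapping the {@link PolicyContextException} if the policy rejects an addition
     */
    private void setPermissions(ServletContext servletContext, AuthorizationService authorizationService) {
        PolicyConfiguration policyConfiguration = authorizationService.getPolicyConfiguration();
        try {
            List<Permission> uncheckedPermissions = getOptionalAttribute(servletContext, UNCHECKED_PERMISSIONS);
            if (uncheckedPermissions != null) {
                for (Permission permission : uncheckedPermissions) {
                    policyConfiguration.addToUncheckedPolicy(permission);
                }
            }
            List<Map.Entry<String, Permission>> perRolePermissions = getOptionalAttribute(servletContext, PERROLE_PERMISSIONS);
            if (perRolePermissions != null) {
                for (Map.Entry<String, Permission> entry : perRolePermissions) {
                    policyConfiguration.addToRole(entry.getKey(), entry.getValue());
                }
            }
        } catch (PolicyContextException e) {
            throw new IllegalStateException(e);
        }
    }

    /**
     * Derives the policy from the merged security constraints, the declared roles, the
     * application's deny-uncovered-HTTP-methods setting and the web.xml role references.
     */
    private void setConstraints(WebApplication webApplication, AuthorizationService authorizationService, List<SecurityConstraint> list) throws ServletException {
        SecurityManager securityManager = (SecurityManager) webApplication.getManager(SecurityManager.class);
        authorizationService.addConstraintsToPolicy(
            list,
            securityManager.getRoles(),
            webApplication.getDenyUncoveredHttpMethods(),
            getSecurityRoleRefsFromWebXml(webApplication));
    }

    /**
     * Reads a required context attribute.
     *
     * @throws ServletException if the attribute is not set
     */
    private static <T> T getAttribute(ServletContext servletContext, String str) throws ServletException {
        T value = getOptionalAttribute(servletContext, str);
        if (value == null) {
            throw new ServletException("Attribute " + str + " not specified");
        }
        return value;
    }

    /** Reads a context attribute, or {@code null} when absent; the cast to {@code T} is unchecked. */
    @SuppressWarnings("unchecked")
    private static <T> T getOptionalAttribute(ServletContext servletContext, String str) {
        return (T) servletContext.getAttribute(str);
    }

    /** True when at least one argument is {@code null}. */
    private static boolean isAnyNull(Object... objArr) {
        for (Object obj : objArr) {
            if (obj == null) {
                return true;
            }
        }
        return false;
    }
}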
