package feast.common.auth.config;

import feast.common.auth.authentication.DefaultJwtAuthenticationProvider;
import feast.common.auth.authorization.AuthorizationProvider;
import feast.common.auth.config.SecurityProperties;
import feast.common.auth.providers.http.HttpAuthorizationProvider;
import feast.common.auth.providers.http.client.model.CheckAccessRequest;
import feast.common.auth.providers.keto.KetoAuthorizationProvider;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import net.devh.boot.grpc.server.security.authentication.BearerAuthenticationReader;
import net.devh.boot.grpc.server.security.authentication.GrpcAuthenticationReader;
import net.devh.boot.grpc.server.security.check.AccessPredicateVoter;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.access.AccessDecisionManager;
import org.springframework.security.access.AccessDecisionVoter;
import org.springframework.security.access.vote.UnanimousBased;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.oauth2.server.resource.BearerTokenAuthenticationToken;

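/**
 * Spring configuration that wires the gRPC authentication and authorization beans from
 * {@link SecurityProperties}.
 *
 * <p>Every bean is guarded by {@code @ConditionalOnProperty} on the matching
 * {@code feast.security.*.enabled} key. No {@code havingValue} is given, so the condition matches
 * whenever the property is present and not {@code "false"}; the explicit {@code isEnabled()}
 * checks in the bean methods are kept as a second gate.
 */
@Configuration
/* loaded from: input_file:feast/common/auth/config/SecurityConfig.class */
public class SecurityConfig {
    private static final String MISSING_AUTHENTICATION_PROVIDER =
            "Please configure an Authentication Provider if you have enabled authentication.";
    private static final String MISSING_AUTHORIZATION_PROVIDER =
            "Please configure an Authorization Provider if you have enabled authorization.";

    private final SecurityProperties securityProperties;

    public SecurityConfig(SecurityProperties securityProperties) {
        this.securityProperties = securityProperties;
    }

    /**
     * Builds the authentication manager from the configured authentication provider.
     *
     * <p>Only the {@code "jwt"} provider is recognised. Any other value, including an unset
     * provider, is rejected so that an "enabled" deployment cannot start without a real provider.
     *
     * @return a {@link ProviderManager} holding the configured providers
     * @throws IllegalArgumentException if authentication is enabled but the provider is missing or
     *     unknown
     */
    @ConditionalOnProperty(prefix = "feast.security.authentication", name = {"enabled"})
    @Bean
    AuthenticationManager authenticationManager() {
        List<AuthenticationProvider> providers = new ArrayList<>();
        if (this.securityProperties.getAuthentication().isEnabled()) {
            String provider = this.securityProperties.getAuthentication().getProvider();
            if (provider == null) {
                // An unset provider is a configuration error, not a NullPointerException.
                throw new IllegalArgumentException(MISSING_AUTHENTICATION_PROVIDER);
            }
            switch (provider) {
                case "jwt":
                    providers.add(
                            new DefaultJwtAuthenticationProvider(
                                    this.securityProperties.getAuthentication().getOptions()));
                    break;
                default:
                    throw new IllegalArgumentException(MISSING_AUTHENTICATION_PROVIDER);
            }
        }
        // NOTE(review): when isEnabled() is false the list is empty; confirm how the
        // ProviderManager version in use treats an empty provider list.
        return new ProviderManager(providers);
    }

    /**
     * Creates the gRPC reader that wraps the bearer token of a call in a
     * {@link BearerTokenAuthenticationToken}.
     */
    @ConditionalOnProperty(prefix = "feast.security.authentication", name = {"enabled"})
    @Bean
    GrpcAuthenticationReader authenticationReader() {
        return new BearerAuthenticationReader(BearerTokenAuthenticationToken::new);
    }

    /**
     * Creates a unanimous access decision manager whose only voter is an
     * {@link AccessPredicateVoter}.
     */
    @ConditionalOnProperty(prefix = "feast.security.authorization", name = {"enabled"})
    @Bean
    AccessDecisionManager accessDecisionManager() {
        List<AccessDecisionVoter<?>> voters = new ArrayList<>();
        voters.add(new AccessPredicateVoter());
        return new UnanimousBased(voters);
    }

    /**
     * Builds the authorization provider selected by the authorization {@code provider} setting
     * ({@code "http"} or {@code "keto"}).
     *
     * <p>The provider receives the authorization options merged with the authentication options.
     * On a key collision the authentication value wins. The merge is done on a copy so the maps
     * held by {@link SecurityProperties} are not modified.
     *
     * @return the configured provider, or {@code null} when authentication or authorization is
     *     not enabled
     * @throws IllegalArgumentException if the provider is missing or unknown
     */
    @ConditionalOnProperty(prefix = "feast.security.authorization", name = {"enabled"})
    @Bean
    AuthorizationProvider authorizationProvider() {
        if (!this.securityProperties.getAuthentication().isEnabled()
                || !this.securityProperties.getAuthorization().isEnabled()) {
            // Authorization needs an authenticated subject, so no provider is built unless both
            // are enabled.
            // NOTE(review): confirm that consumers of this bean deny access when it is null.
            return null;
        }
        // Copy before merging: putAll on the map returned by getOptions() would write the
        // authentication options into the shared authorization configuration.
        Map<String, String> options =
                new HashMap<>(this.securityProperties.getAuthorization().getOptions());
        options.putAll(this.securityProperties.getAuthentication().getOptions());

        String provider = this.securityProperties.getAuthorization().getProvider();
        if (provider == null) {
            // An unset provider is a configuration error, not a NullPointerException.
            throw new IllegalArgumentException(MISSING_AUTHORIZATION_PROVIDER);
        }
        switch (provider) {
            case "http":
                return new HttpAuthorizationProvider(options);
            case "keto":
                return buildKetoProvider(options);
            default:
                throw new IllegalArgumentException(MISSING_AUTHORIZATION_PROVIDER);
        }
    }

    /** Builds the Keto provider, applying only the optional settings present in {@code options}. */
    private static AuthorizationProvider buildKetoProvider(Map<String, String> options) {
        String subjectClaim =
                options.get(SecurityProperties.AuthenticationProperties.SUBJECT_CLAIM);
        String flavor = options.get("flavor");
        String action = options.get(CheckAccessRequest.SERIALIZED_NAME_ACTION);
        String subjectPrefix = options.get("subjectPrefix");
        String resourcePrefix = options.get("resourcePrefix");

        // NOTE(review): "authorizationUrl" is passed through as-is and is null when the option is
        // absent; confirm the builder rejects a missing URL.
        KetoAuthorizationProvider.Builder builder =
                new KetoAuthorizationProvider.Builder(options.get("authorizationUrl"));
        if (subjectClaim != null) {
            builder = builder.withSubjectClaim(subjectClaim);
        }
        if (flavor != null) {
            builder = builder.withFlavor(flavor);
        }
        if (action != null) {
            builder = builder.withAction(action);
        }
        if (subjectPrefix != null) {
            builder = builder.withSubjectPrefix(subjectPrefix);
        }
        if (resourcePrefix != null) {
            builder = builder.withResourcePrefix(resourcePrefix);
        }
        return builder.build();
    }
}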
