package cloud.piranha.security.exousia;

import cloud.piranha.DefaultAuthenticatedIdentity;
import cloud.piranha.DefaultWebXml;
import cloud.piranha.api.WebApplication;
import java.security.Permission;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.security.jacc.PolicyConfiguration;
import javax.security.jacc.PolicyContextException;
import javax.servlet.ServletContainerInitializer;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletSecurityElement;
import javax.servlet.annotation.ServletSecurity;
import org.omnifaces.exousia.AuthorizationService;
import org.omnifaces.exousia.constraints.SecurityConstraint;
import org.omnifaces.exousia.constraints.WebResourceCollection;
import org.omnifaces.exousia.constraints.transformer.ElementsToConstraintsTransformer;

/* loaded from: input_file:cloud/piranha/security/exousia/AuthorizationPreInitializer.class */
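/**
 * Servlet container initializer that sets up authorization for a Piranha web application.
 *
 * <p>On startup it builds an Exousia {@link AuthorizationService}, loads the policy either from
 * explicitly supplied permissions or from the declared security constraints, publishes the
 * service as a servlet context attribute, and maps {@link AuthorizationPreFilter} to every
 * request path.
 *
 * <p>All configuration is read from servlet context attributes whose names are the constants
 * defined on this class.
 */
public class AuthorizationPreInitializer implements ServletContainerInitializer {
    /** Context attribute under which the created {@link AuthorizationService} is stored. */
    public static final String AUTHZ_SERVICE = AuthorizationPreInitializer.class.getName() + ".authz.service";
    /** Required context attribute: first {@code Class} argument handed to {@link AuthorizationService}. */
    public static final String AUTHZ_FACTORY_CLASS = AuthorizationPreInitializer.class.getName() + ".authz.factory.class";
    /**
     * Required context attribute: second {@code Class} argument handed to {@link AuthorizationService}.
     * Note that the attribute key ends in {@code .authz.module.class}, not {@code .policy.class}.
     */
    public static final String AUTHZ_POLICY_CLASS = AuthorizationPreInitializer.class.getName() + ".authz.module.class";
    /** Optional context attribute: list of {@link Permission}s added to the unchecked policy. */
    public static final String UNCHECKED_PERMISSIONS = AuthorizationPreInitializer.class.getName() + ".unchecked.permissions";
    /** Optional context attribute: list of (role name, {@link Permission}) entries. */
    public static final String PERROLE_PERMISSIONS = AuthorizationPreInitializer.class.getName() + ".perrole.permissions";
    /** Optional context attribute: list of ready-made {@link SecurityConstraint}s. */
    public static final String CONSTRAINTS = AuthorizationPreInitializer.class.getName() + ".constraints";
    /** Optional context attribute: list of (URL patterns, {@link ServletSecurityElement}) entries. */
    public static final String SECURITY_ELEMENTS = AuthorizationPreInitializer.class.getName() + ".security.elements";
    /** Optional context attribute: list of (URL patterns, {@link ServletSecurity}) entries. */
    public static final String SECURITY_ANNOTATIONS = AuthorizationPreInitializer.class.getName() + ".security.annotations";

    /**
     * Creates the authorization service, loads its policy and installs the authorization filter.
     *
     * <p>Security-relevant behavior: when either {@link #UNCHECKED_PERMISSIONS} or
     * {@link #PERROLE_PERMISSIONS} is present, only those permissions are loaded. The constraints
     * collected from security elements, annotations, {@link #CONSTRAINTS} and web.xml, as well as
     * the deny-uncovered-http-methods flag, are not applied in that case.
     *
     * @param set classes of interest passed by the container; not used
     * @param servletContext the servlet context, which must be a {@link WebApplication}
     * @throws ServletException if {@link #AUTHZ_FACTORY_CLASS} or {@link #AUTHZ_POLICY_CLASS} is not set
     * @throws ClassCastException if {@code servletContext} is not a {@link WebApplication}
     */
    @Override
    @SuppressWarnings({"rawtypes", "unchecked"})
    public void onStartup(Set<Class<?>> set, ServletContext servletContext) throws ServletException {
        WebApplication webApplication = (WebApplication) servletContext;

        // The request and subject suppliers are resolved lazily, at authorization time.
        AuthorizationService authorizationService = new AuthorizationService(
                (Class) getAttribute(servletContext, AUTHZ_FACTORY_CLASS),
                (Class) getAttribute(servletContext, AUTHZ_POLICY_CLASS),
                webApplication.getServletContextId(),
                () -> AuthorizationPreFilter.localServletRequest.get(),
                () -> DefaultAuthenticatedIdentity.getCurrentSubject(),
                new PiranhaPrincipalMapper());

        // Gather constraints from every supported source; each source yields null when absent.
        List<SecurityConstraint> fromElements = getConstraintsFromSecurityElements(servletContext, authorizationService);
        List<SecurityConstraint> fromAnnotations = getConstraintsFromSecurityAnnotations(servletContext, authorizationService);
        List<SecurityConstraint> fromAttribute = getOptionalAttribute(servletContext, CONSTRAINTS);
        List<SecurityConstraint> fromWebXml = getConstraintsFromWebXMl(webApplication);
        List<SecurityConstraint> constraints = join(fromElements, fromAnnotations, fromAttribute, fromWebXml);

        if (hasPermissionsSet(webApplication)) {
            // Explicit permissions replace, rather than supplement, the declared constraints.
            setPermissions(webApplication, authorizationService);
        } else {
            authorizationService.addConstraintsToPolicy(
                    constraints != null ? constraints : Collections.emptyList(),
                    Collections.emptySet(),
                    isDenyUncoveredHttpMethods(webApplication),
                    webApplication.getServletRegistrations().keySet());
        }

        servletContext.setAttribute(AUTHZ_SERVICE, authorizationService);

        // Every request path goes through the authorization filter.
        String filterName = AuthorizationPreFilter.class.getSimpleName();
        servletContext.addFilter(filterName, AuthorizationPreFilter.class);
        webApplication.addFilterMapping(filterName, new String[]{"/*"});
    }

    /**
     * Reads the deny-uncovered-http-methods flag from the parsed web.xml.
     *
     * @param webApplication the web application
     * @return the flag from web.xml, or {@code false} when no web.xml was parsed
     * @throws ServletException declared for callers; not thrown by this implementation
     */
    private boolean isDenyUncoveredHttpMethods(WebApplication webApplication) throws ServletException {
        DefaultWebXml webXml = webApplication.getWebXmlManager().getWebXml();
        return webXml != null && webXml.denyUncoveredHttpMethods;
    }

    /**
     * Adds a permission to a role, converting the checked policy exception to an unchecked one.
     *
     * @param policyConfiguration the policy configuration to modify
     * @param str the role name
     * @param permission the permission to grant to the role
     * @throws IllegalStateException wrapping any {@link PolicyContextException}
     */
    public static void addToRole(PolicyConfiguration policyConfiguration, String str, Permission permission) {
        try {
            policyConfiguration.addToRole(str, permission);
        } catch (PolicyContextException e) {
            throw new IllegalStateException(e);
        }
    }

    /**
     * Returns a required servlet context attribute.
     *
     * @param <T> the type the caller expects; the cast is unchecked
     * @param servletContext the servlet context
     * @param str the attribute name
     * @return the attribute value, never {@code null}
     * @throws ServletException if the attribute is not set
     */
    public <T> T getAttribute(ServletContext servletContext, String str) throws ServletException {
        T value = getOptionalAttribute(servletContext, str);
        if (value == null) {
            throw new ServletException("Attribute " + str + " not specified");
        }
        return value;
    }

    /**
     * Returns an optional servlet context attribute.
     *
     * @param <T> the type the caller expects; the cast is unchecked, so a value of another type
     *     only fails later, at the first use that needs the real type
     * @param servletContext the servlet context
     * @param str the attribute name
     * @return the attribute value, or {@code null} when it is not set
     * @throws ServletException declared for callers; not thrown by this implementation
     */
    @SuppressWarnings("unchecked")
    public <T> T getOptionalAttribute(ServletContext servletContext, String str) throws ServletException {
        return (T) servletContext.getAttribute(str);
    }

    /**
     * Converts the entries stored under {@link #SECURITY_ELEMENTS} into security constraints.
     *
     * @param servletContext the servlet context
     * @param authorizationService not used
     * @return the constraints, or {@code null} when the attribute is not set
     * @throws ServletException declared for callers; not thrown by this implementation
     */
    public List<SecurityConstraint> getConstraintsFromSecurityElements(ServletContext servletContext, AuthorizationService authorizationService) throws ServletException {
        List<Map.Entry<Collection<String>, ServletSecurityElement>> elements = getOptionalAttribute(servletContext, SECURITY_ELEMENTS);
        if (elements == null) {
            return null;
        }
        List<SecurityConstraint> constraints = new ArrayList<>();
        for (Map.Entry<Collection<String>, ServletSecurityElement> element : elements) {
            // Key: the URL patterns; value: the security element that applies to them.
            constraints.addAll(ElementsToConstraintsTransformer.createConstraints(
                    new HashSet<>(element.getKey()), element.getValue()));
        }
        return constraints;
    }

    /**
     * Converts the entries stored under {@link #SECURITY_ANNOTATIONS} into security constraints.
     *
     * @param servletContext the servlet context
     * @param authorizationService not used
     * @return the constraints, or {@code null} when the attribute is not set
     * @throws ServletException declared for callers; not thrown by this implementation
     */
    public List<SecurityConstraint> getConstraintsFromSecurityAnnotations(ServletContext servletContext, AuthorizationService authorizationService) throws ServletException {
        List<Map.Entry<Collection<String>, ServletSecurity>> annotations = getOptionalAttribute(servletContext, SECURITY_ANNOTATIONS);
        if (annotations == null) {
            return null;
        }
        List<SecurityConstraint> constraints = new ArrayList<>();
        for (Map.Entry<Collection<String>, ServletSecurity> annotation : annotations) {
            // Key: the URL patterns; value: the annotation that applies to them.
            constraints.addAll(ElementsToConstraintsTransformer.createConstraints(
                    new HashSet<>(annotation.getKey()), annotation.getValue()));
        }
        return constraints;
    }

    /**
     * Converts the security constraints parsed from web.xml into Exousia constraints.
     *
     * @param webApplication the web application
     * @return the constraints, or {@code null} when there is no web.xml or it has no constraints
     * @throws ServletException declared for callers; not thrown by this implementation
     */
    public List<SecurityConstraint> getConstraintsFromWebXMl(WebApplication webApplication) throws ServletException {
        DefaultWebXml webXml = webApplication.getWebXmlManager().getWebXml();
        if (webXml == null || webXml.securityConstraints == null) {
            return null;
        }
        List<SecurityConstraint> constraints = new ArrayList<>();
        for (DefaultWebXml.SecurityConstraint xmlConstraint : webXml.securityConstraints) {
            List<WebResourceCollection> resources = new ArrayList<>();
            for (DefaultWebXml.SecurityConstraint.WebResourceCollection xmlResources : xmlConstraint.webResourceCollections) {
                resources.add(new WebResourceCollection(
                        xmlResources.urlPatterns, xmlResources.httpMethods, xmlResources.httpMethodOmissions));
            }
            // NOTE(review): the Servlet spec distinguishes "no auth-constraint" (open access) from
            // an empty auth-constraint (deny all). Confirm how DefaultWebXml represents the two in
            // roleNames; a null here fails with a NullPointerException.
            constraints.add(new SecurityConstraint(
                    resources,
                    new HashSet<>(xmlConstraint.roleNames),
                    toTransportGuarantee(xmlConstraint.transportGuarantee)));
        }
        return constraints;
    }

    /**
     * Maps a web.xml {@code transport-guarantee} value to the annotation enum.
     *
     * <p>The deployment descriptor allows {@code NONE}, {@code INTEGRAL} and {@code CONFIDENTIAL},
     * while {@link ServletSecurity.TransportGuarantee} only has {@code NONE} and
     * {@code CONFIDENTIAL}. {@code INTEGRAL} is mapped to {@code CONFIDENTIAL} so that a descriptor
     * asking for integrity protection is not silently served without transport protection.
     * Surrounding whitespace is ignored for the same reason.
     *
     * <p>NOTE(review): any other value, including a misspelled one, still maps to {@code NONE}.
     *
     * @param value the raw descriptor value, may be {@code null}
     * @return {@code CONFIDENTIAL} for {@code CONFIDENTIAL} or {@code INTEGRAL} in any letter case,
     *     otherwise {@code NONE}
     */
    private static ServletSecurity.TransportGuarantee toTransportGuarantee(String value) {
        if (value == null) {
            return ServletSecurity.TransportGuarantee.NONE;
        }
        String normalized = value.trim();
        boolean protectedTransport =
                "confidential".equalsIgnoreCase(normalized) || "integral".equalsIgnoreCase(normalized);
        return protectedTransport
                ? ServletSecurity.TransportGuarantee.CONFIDENTIAL
                : ServletSecurity.TransportGuarantee.NONE;
    }

    /**
     * Joins four constraint lists, treating {@code null} as "absent".
     *
     * @return the joined list, or {@code null} when every argument is {@code null}
     */
    public List<SecurityConstraint> join(List<SecurityConstraint> list, List<SecurityConstraint> list2, List<SecurityConstraint> list3, List<SecurityConstraint> list4) {
        return join(join(list, list2, list3), list4);
    }

    /**
     * Joins three constraint lists, treating {@code null} as "absent".
     *
     * @return the joined list, or {@code null} when every argument is {@code null}
     */
    public List<SecurityConstraint> join(List<SecurityConstraint> list, List<SecurityConstraint> list2, List<SecurityConstraint> list3) {
        return join(join(list, list2), list3);
    }

    /**
     * Joins two constraint lists, treating {@code null} as "absent".
     *
     * @param list the first list, may be {@code null}
     * @param list2 the second list, may be {@code null}
     * @return {@code null} when both are {@code null}; the other list itself (not a copy) when
     *     exactly one is {@code null}; otherwise a new list holding the elements of both, in order
     */
    public List<SecurityConstraint> join(List<SecurityConstraint> list, List<SecurityConstraint> list2) {
        if (list == null) {
            return list2;
        }
        if (list2 == null) {
            return list;
        }
        return Stream.concat(list.stream(), list2.stream()).collect(Collectors.toList());
    }

    /**
     * Tells whether explicit permissions were supplied through context attributes.
     *
     * @param servletContext the servlet context
     * @return {@code true} when {@link #UNCHECKED_PERMISSIONS} or {@link #PERROLE_PERMISSIONS} is set
     * @throws ServletException declared for callers; not thrown by this implementation
     */
    public boolean hasPermissionsSet(ServletContext servletContext) throws ServletException {
        return getOptionalAttribute(servletContext, UNCHECKED_PERMISSIONS) != null
                || getOptionalAttribute(servletContext, PERROLE_PERMISSIONS) != null;
    }

    /**
     * Loads the explicitly supplied permissions into the policy configuration and commits it.
     *
     * <p>Permissions under {@link #UNCHECKED_PERMISSIONS} go to the unchecked policy; entries under
     * {@link #PERROLE_PERMISSIONS} are added to the role named by the entry key.
     *
     * @param servletContext the servlet context holding the permission attributes
     * @param authorizationService the service whose policy configuration is populated
     * @throws ServletException declared for callers; not thrown by this implementation
     * @throws IllegalStateException wrapping any {@link PolicyContextException}
     */
    public void setPermissions(ServletContext servletContext, AuthorizationService authorizationService) throws ServletException {
        PolicyConfiguration policyConfiguration = authorizationService.getPolicyConfiguration();
        try {
            List<Permission> uncheckedPermissions = getOptionalAttribute(servletContext, UNCHECKED_PERMISSIONS);
            if (uncheckedPermissions != null) {
                for (Permission permission : uncheckedPermissions) {
                    policyConfiguration.addToUncheckedPolicy(permission);
                }
            }
            List<Map.Entry<String, Permission>> perRolePermissions = getOptionalAttribute(servletContext, PERROLE_PERMISSIONS);
            if (perRolePermissions != null) {
                for (Map.Entry<String, Permission> rolePermission : perRolePermissions) {
                    policyConfiguration.addToRole(rolePermission.getKey(), rolePermission.getValue());
                }
            }
            // Nothing takes effect until the configuration is committed.
            policyConfiguration.commit();
        } catch (PolicyContextException e) {
            throw new IllegalStateException(e);
        }
    }
}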
