package com.predic8.membrane.core.openapi.validators;

import com.predic8.membrane.core.openapi.model.Request;
import com.predic8.membrane.core.security.ApiKeySecurityScheme;
import com.predic8.membrane.core.security.BasicHttpSecurityScheme;
import com.predic8.membrane.core.security.JWTSecurityScheme;
import com.predic8.membrane.core.security.OAuth2SecurityScheme;
import io.swagger.v3.oas.models.OpenAPI;
import io.swagger.v3.oas.models.Operation;
import io.swagger.v3.oas.models.security.SecurityRequirement;
import io.swagger.v3.oas.models.security.SecurityScheme;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.stream.Stream;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/service-proxy-core-6.0.2.jar:com/predic8/membrane/core/openapi/validators/SecurityValidator.class */
public class SecurityValidator {
    private final Logger log = LoggerFactory.getLogger((Class<?>) SecurityValidator.class);
    private final OpenAPI api;
    static final /* synthetic */ boolean $assertionsDisabled;

    public SecurityValidator(OpenAPI openAPI) {
        this.api = openAPI;
    }

    public ValidationErrors validateSecurity(ValidationContext validationContext, Request<?> request, Operation operation) {
        ValidationContext statusCode = validationContext.statusCode(403);
        ValidationErrors checkGlobalSecurity = checkGlobalSecurity(statusCode, request);
        checkGlobalSecurity.add(checkOperationSecurity(statusCode, operation, request));
        return checkGlobalSecurity;
    }

    private ValidationErrors checkGlobalSecurity(ValidationContext validationContext, Request<?> request) {
        return this.api.getSecurity() == null ? new ValidationErrors() : validateDisjunctiveSecurityRequirement(validationContext, this.api.getSecurity(), request);
    }

    private ValidationErrors checkOperationSecurity(ValidationContext validationContext, Operation operation, Request<?> request) {
        return operation.getSecurity() == null ? new ValidationErrors() : validateDisjunctiveSecurityRequirement(validationContext, operation.getSecurity(), request);
    }

    private ValidationErrors validateDisjunctiveSecurityRequirement(ValidationContext validationContext, List<SecurityRequirement> list, Request<?> request) {
        ValidationErrors validationErrors = new ValidationErrors();
        Iterator<SecurityRequirement> it = list.iterator();
        while (it.hasNext()) {
            ValidationErrors checkSecurityRequirements = checkSecurityRequirements(validationContext, it.next(), request);
            if (checkSecurityRequirements.isEmpty()) {
                return new ValidationErrors();
            }
            validationErrors.add(checkSecurityRequirements);
        }
        return validationErrors;
    }

    private ValidationErrors checkSecurityRequirements(ValidationContext validationContext, SecurityRequirement securityRequirement, Request<?> request) {
        return (ValidationErrors) securityRequirement.keySet().stream().map(str -> {
            return checkSingleRequirement(validationContext, securityRequirement, request, str);
        }).reduce(new ValidationErrors(), (v0, v1) -> {
            return v0.add(v1);
        });
    }

    private ValidationErrors checkSingleRequirement(ValidationContext validationContext, SecurityRequirement securityRequirement, Request<?> request, String str) {
        this.log.debug("Checking mechanism: " + str);
        ValidationErrors validationErrors = new ValidationErrors();
        Map<String, SecurityScheme> securitySchemes = this.api.getComponents().getSecuritySchemes();
        if (securitySchemes == null) {
            this.log.error("In OpenAPI with title '%s' there are no securitySchemes. Check the OpenAPI document!".formatted(getOpenAPITitle()));
            return getValidationErrorsProblemServerSide(validationContext);
        }
        SecurityScheme securityScheme = securitySchemes.get(str);
        if (securityScheme == null) {
            this.log.error("In OpenAPI with title '%s' there is no securityScheme '%s'. Check the OpenAPI document!".formatted(getOpenAPITitle(), str));
            return getValidationErrorsProblemServerSide(validationContext);
        }
        if (securityScheme.getType() == null) {
            this.log.error("In OpenAPI with title '%s' the securityScheme '%s' has no type. Check the OpenAPI document!".formatted(this.api.getInfo().getTitle(), str));
            return getValidationErrorsProblemServerSide(validationContext);
        }
        ValidationErrors checkSecuritySchemeType = checkSecuritySchemeType(validationContext, request, securityScheme, validationErrors);
        if (!$assertionsDisabled && checkSecuritySchemeType == null) {
            throw new AssertionError();
        }
        if (!checkSecuritySchemeType.isEmpty()) {
            return checkSecuritySchemeType;
        }
        validationErrors.add(checkScopes(validationContext, securityRequirement, request, str));
        return validationErrors;
    }

    @NotNull
    private static ValidationErrors getValidationErrorsProblemServerSide(ValidationContext validationContext) {
        return ValidationErrors.create(validationContext, "There is a problem with the OpenAPI configuration at the server side.");
    }

    private String getOpenAPITitle() {
        return this.api.getInfo().getTitle();
    }

    @Nullable
    private ValidationErrors checkSecuritySchemeType(ValidationContext validationContext, Request<?> request, SecurityScheme securityScheme, ValidationErrors validationErrors) {
        switch (securityScheme.getType()) {
            case HTTP:
                return checkHttp(validationContext, request, securityScheme);
            case APIKEY:
                return validationErrors.add(checkApiKey(validationContext, request, securityScheme));
            case OAUTH2:
            case OPENIDCONNECT:
                return checkOAuth2OrOpenIdConnectScheme(validationContext, request);
            case MUTUALTLS:
                throw new RuntimeException("Security scheme mutualTLS is not implemented yet.");
            default:
                throw new MatchException((String) null, (Throwable) null);
        }
    }

    private ValidationErrors checkScopes(ValidationContext validationContext, SecurityRequirement securityRequirement, Request<?> request, String str) {
        ValidationErrors validationErrors = new ValidationErrors();
        for (String str2 : securityRequirement.get(str)) {
            this.log.debug("Checking scope: " + str2);
            AtomicBoolean atomicBoolean = new AtomicBoolean();
            request.getSecuritySchemes().forEach(securityScheme -> {
                if (securityScheme.hasScope(str2)) {
                    atomicBoolean.set(true);
                }
            });
            if (!atomicBoolean.get()) {
                this.log.info("Caller of {} {} ist not in scope {} required by OpenAPI definition.", validationContext.getMethod(), validationContext.getPath(), str2);
                validationErrors.add(validationContext, "Caller ist not in scope %s".formatted(str2));
            }
        }
        return validationErrors;
    }

    private static ValidationErrors checkHttp(ValidationContext validationContext, Request<?> request, SecurityScheme securityScheme) {
        ValidationErrors validationErrors = new ValidationErrors();
        String lowerCase = securityScheme.getScheme().toLowerCase();
        boolean z = -1;
        switch (lowerCase.hashCode()) {
            case -1393032351:
                if (lowerCase.equals("bearer")) {
                    z = true;
                    break;
                }
                break;
            case 93508654:
                if (lowerCase.equals("basic")) {
                    z = false;
                    break;
                }
                break;
        }
        switch (z) {
            case false:
                if (request.hasScheme(BasicHttpSecurityScheme.BASIC())) {
                    return validationErrors;
                }
                validationErrors.add(validationContext.statusCode(401), "Caller ist not authenticated with HTTP and %s.".formatted(BasicHttpSecurityScheme.BASIC()));
                return validationErrors;
            case true:
                if (request.hasScheme(BasicHttpSecurityScheme.BEARER())) {
                    return validationErrors;
                }
                validationErrors.add(validationContext.statusCode(401), "Caller ist not authenticated with HTTP and %s.".formatted(BasicHttpSecurityScheme.BEARER()));
                return validationErrors;
            default:
                validationErrors.add(validationContext.statusCode(401), "Scheme %s is not supported".formatted(securityScheme.getScheme()));
                return validationErrors;
        }
    }

    private ValidationErrors checkOAuth2OrOpenIdConnectScheme(ValidationContext validationContext, Request<?> request) {
        return (securitySchemeIsNotPresent(request, OAuth2SecurityScheme.class) && securitySchemeIsNotPresent(request, JWTSecurityScheme.class)) ? ValidationErrors.create(validationContext.statusCode(401), "OAuth2 or JWT authentication is required.") : ValidationErrors.empty();
    }

    private ValidationErrors checkApiKey(ValidationContext validationContext, Request<?> request, SecurityScheme securityScheme) {
        ValidationErrors validationErrors = new ValidationErrors();
        AtomicBoolean atomicBoolean = new AtomicBoolean();
        List<ValidationError> list = getSecuritySchemes(request, ApiKeySecurityScheme.class).map(securityScheme2 -> {
            if (securityScheme2 instanceof ApiKeySecurityScheme) {
                ApiKeySecurityScheme apiKeySecurityScheme = (ApiKeySecurityScheme) securityScheme2;
                atomicBoolean.set(true);
                if (securityScheme.getName() != null && !securityScheme.getName().equalsIgnoreCase(apiKeySecurityScheme.parameterName)) {
                    return Optional.of(new ValidationError(validationContext, "Name of api-key is %s but should be %s".formatted(apiKeySecurityScheme.parameterName, securityScheme.getName())));
                }
                if (securityScheme.getIn() != null && !securityScheme.getIn().toString().equalsIgnoreCase(apiKeySecurityScheme.in.toString())) {
                    return Optional.of(new ValidationError(validationContext, "Api-key is in %s but should be in %s".formatted(apiKeySecurityScheme.in, securityScheme.getIn())));
                }
            }
            return Optional.empty();
        }).flatMap((v0) -> {
            return v0.stream();
        }).toList();
        if (!atomicBoolean.get()) {
            validationErrors.add(validationContext.statusCode(401), "Authentication by API key is required.");
        }
        validationErrors.add(list);
        return validationErrors;
    }

    private boolean securitySchemeIsNotPresent(Request<?> request, Class<? extends com.predic8.membrane.core.security.SecurityScheme> cls) {
        return getSecuritySchemes(request, cls).findFirst().isEmpty();
    }

    private Stream<com.predic8.membrane.core.security.SecurityScheme> getSecuritySchemes(Request<?> request, Class<? extends com.predic8.membrane.core.security.SecurityScheme> cls) {
        return request.getSecuritySchemes() == null ? Stream.empty() : request.getSecuritySchemes().stream().filter(securityScheme -> {
            return securityScheme.getClass().equals(cls);
        });
    }

    static {
        $assertionsDisabled = !SecurityValidator.class.desiredAssertionStatus();
    }
}
