package io.micronaut.security.filters;

import io.micronaut.context.annotation.Replaces;
import io.micronaut.core.annotation.Nullable;
import io.micronaut.core.async.publisher.Publishers;
import io.micronaut.http.HttpAttributes;
import io.micronaut.http.HttpRequest;
import io.micronaut.http.HttpStatus;
import io.micronaut.http.MutableHttpResponse;
import io.micronaut.http.annotation.Filter;
import io.micronaut.http.filter.OncePerRequestHttpServerFilter;
import io.micronaut.http.filter.ServerFilterChain;
import io.micronaut.http.filter.ServerFilterPhase;
import io.micronaut.management.endpoint.EndpointsFilter;
import io.micronaut.security.authentication.Authentication;
import io.micronaut.security.authentication.AuthorizationException;
import io.micronaut.security.config.SecurityConfiguration;
import io.micronaut.security.rules.SecurityRule;
import io.micronaut.security.rules.SecurityRuleResult;
import io.micronaut.security.token.propagation.TokenPropagationConfigurationProperties;
import io.micronaut.web.router.RouteMatch;
import io.reactivex.Flowable;
import jakarta.inject.Inject;
import java.util.Collection;
import java.util.Map;
import java.util.stream.Collectors;
import org.reactivestreams.Publisher;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Filter({TokenPropagationConfigurationProperties.DEFAULT_PATH})
@Replaces(EndpointsFilter.class)
/* loaded from: input_file:io/micronaut/security/filters/SecurityFilter.class */
public class SecurityFilter extends OncePerRequestHttpServerFilter {
    public static final CharSequence AUTHENTICATION = HttpAttributes.PRINCIPAL.toString();
    public static final CharSequence REJECTION = "micronaut.security.REJECTION";
    public static final CharSequence TOKEN = "micronaut.TOKEN";
    private static final Logger LOG = LoggerFactory.getLogger(SecurityFilter.class);
    private static final Integer ORDER = Integer.valueOf(ServerFilterPhase.SECURITY.order());
    protected final Collection<SecurityRule> securityRules;
    protected final Collection<AuthenticationFetcher> authenticationFetchers;
    protected final SecurityConfiguration securityConfiguration;

    @Inject
    public SecurityFilter(Collection<SecurityRule> collection, Collection<AuthenticationFetcher> collection2, SecurityConfiguration securityConfiguration) {
        this.securityRules = collection;
        this.authenticationFetchers = collection2;
        this.securityConfiguration = securityConfiguration;
    }

    public int getOrder() {
        return ORDER.intValue();
    }

    protected Publisher<MutableHttpResponse<?>> doFilterOnce(HttpRequest<?> httpRequest, ServerFilterChain serverFilterChain) {
        String httpMethod = httpRequest.getMethod().toString();
        String path = httpRequest.getPath();
        RouteMatch routeMatch = (RouteMatch) httpRequest.getAttribute(HttpAttributes.ROUTE_MATCH, RouteMatch.class).orElse(null);
        return Flowable.fromIterable(this.authenticationFetchers).flatMap(authenticationFetcher -> {
            return authenticationFetcher.fetchAuthentication(httpRequest);
        }).firstElement().doOnEvent((authentication, th) -> {
            if (authentication == null) {
                httpRequest.setAttribute(AUTHENTICATION, (Object) null);
                if (LOG.isDebugEnabled()) {
                    LOG.debug("No Authentication fetched for request. {} {}.", httpMethod, path);
                    return;
                }
                return;
            }
            httpRequest.setAttribute(AUTHENTICATION, authentication);
            if (LOG.isDebugEnabled()) {
                LOG.debug("Attributes: {}", authentication.getAttributes().entrySet().stream().map(entry -> {
                    return ((String) entry.getKey()) + "=>" + entry.getValue().toString();
                }).collect(Collectors.joining(", ")));
            }
        }).toFlowable().flatMap(authentication2 -> {
            return checkRules(httpRequest, serverFilterChain, routeMatch, authentication2);
        }).switchIfEmpty(Flowable.defer(() -> {
            return checkRules(httpRequest, serverFilterChain, routeMatch, null);
        }));
    }

    protected Publisher<MutableHttpResponse<?>> checkRules(HttpRequest<?> httpRequest, ServerFilterChain serverFilterChain, @Nullable RouteMatch<?> routeMatch, @Nullable Authentication authentication) {
        boolean z = authentication != null;
        String httpMethod = httpRequest.getMethod().toString();
        String path = httpRequest.getPath();
        Map<String, Object> attributes = authentication != null ? authentication.getAttributes() : null;
        for (SecurityRule securityRule : this.securityRules) {
            SecurityRuleResult check = securityRule.check(httpRequest, routeMatch, attributes);
            if (check == SecurityRuleResult.REJECTED) {
                if (LOG.isDebugEnabled()) {
                    LOG.debug("Unauthorized request {} {}. The rule provider {} rejected the request.", new Object[]{httpMethod, path, securityRule.getClass().getName()});
                }
                httpRequest.setAttribute(REJECTION, z ? HttpStatus.FORBIDDEN : HttpStatus.UNAUTHORIZED);
                return Publishers.just(new AuthorizationException(authentication));
            }
            if (check == SecurityRuleResult.ALLOWED) {
                if (LOG.isDebugEnabled()) {
                    LOG.debug("Authorized request {} {}. The rule provider {} authorized the request.", new Object[]{httpMethod, path, securityRule.getClass().getName()});
                }
                return serverFilterChain.proceed(httpRequest);
            }
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("Authorized request {} {}. No rule provider authorized or rejected the request.", httpMethod, path);
        }
        if (routeMatch == null && !this.securityConfiguration.isRejectNotFound()) {
            return serverFilterChain.proceed(httpRequest);
        }
        httpRequest.setAttribute(REJECTION, z ? HttpStatus.FORBIDDEN : HttpStatus.UNAUTHORIZED);
        return Publishers.just(new AuthorizationException(authentication));
    }
}
