package com.vmware.vapi.security;

import com.vmware.vapi.ErrorValueFactory;
import com.vmware.vapi.MessageFactory;
import com.vmware.vapi.core.ApiProvider;
import com.vmware.vapi.core.AsyncHandle;
import com.vmware.vapi.core.DecoratorApiProvider;
import com.vmware.vapi.core.ExecutionContext;
import com.vmware.vapi.core.InterfaceIdentifier;
import com.vmware.vapi.core.MethodIdentifier;
import com.vmware.vapi.core.MethodResult;
import com.vmware.vapi.data.DataValue;
import com.vmware.vapi.data.ErrorDefinition;
import com.vmware.vapi.data.ErrorValue;
import com.vmware.vapi.internal.security.SecurityUtil;
import com.vmware.vapi.internal.util.StringUtils;
import com.vmware.vapi.internal.util.Validate;
import com.vmware.vapi.provider.introspection.ErrorAugmentingFilter;
import com.vmware.vapi.security.AuthenticationConfig;
import com.vmware.vapi.security.AuthenticationHandler;
import com.vmware.vapi.std.StandardDataFactory;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/vmware/vapi/security/AuthenticationFilter.class */
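/**
 * API provider decorator that applies the configured authentication rules to every call before it
 * reaches the wrapped provider.
 *
 * <p>For each invocation the filter looks up the schemes allowed for the method (operation rule,
 * then interface rule, then the longest matching package rule) and compares them with the scheme
 * id carried in the request's security context. The outcome is one of:
 * <ul>
 *   <li>the wire scheme is the no-authentication scheme and the method allows it: the call is
 *       forwarded with the caller's execution context unchanged;</li>
 *   <li>the wire scheme is not allowed but the method allows no-authentication: the call is
 *       forwarded with the security context replaced by {@code null};</li>
 *   <li>the wire scheme is not allowed and no-authentication is not allowed either: the call is
 *       answered with the {@code unauthenticated} error;</li>
 *   <li>otherwise a handler supporting the scheme is asked to authenticate; a missing handler or a
 *       handler error yields the {@code unauthenticated} error.</li>
 * </ul>
 *
 * <p><b>Default is open:</b> a method that matches no operation, interface or package rule is
 * treated as allowing no-authentication (see {@link #getMethodAuthnScheme}). Coverage of the rule
 * tables is therefore what decides whether a method is protected.
 */
public final class AuthenticationFilter extends DecoratorApiProvider {
    private static final String PACKAGE_DELIMITER = ".";
    private static final Logger logger = LoggerFactory.getLogger(AuthenticationFilter.class);
    private static final AuthenticationHandler NO_AUTHN_HANDLER = new NoAuthnHandler();
    private static final AuthenticationConfig.AuthnScheme NO_AUTHN_SCHEME = AuthenticationConfig.AuthnScheme.getNoAuthenticationScheme();
    /** Error definitions this filter can add to any method: only {@code unauthenticated}. */
    static final Set<ErrorDefinition> AUTHN_FILTER_ERROR_DEFS = Collections.singleton(StandardDataFactory.createStandardErrorDefinition("com.vmware.vapi.std.errors.unauthenticated"));
    // Rule tables, each keyed by the identifier of the level it covers; all wrapped read-only.
    private final Map<String, List<AuthenticationConfig.AuthnScheme>> ifaceRulesTable;
    private final Map<String, List<AuthenticationConfig.AuthnScheme>> packageRulesTable;
    private final Map<String, List<AuthenticationConfig.AuthnScheme>> operationRulesTable;
    private final List<AuthenticationHandler> authnHandlers;

    /**
     * Built-in handler for the no-authentication scheme. It completes immediately with a
     * {@code null} result and is used only when no configured handler claims that scheme.
     */
    private static final class NoAuthnHandler implements AuthenticationHandler {
        private NoAuthnHandler() {
        }

        @Override
        public void authenticate(ExecutionContext.SecurityContext securityContext, AsyncHandle<AuthenticationHandler.AuthenticationResult> asyncHandle) {
            asyncHandle.setResult(null);
        }

        @Override
        public List<String> supportedAuthenticationSchemes() {
            return Collections.singletonList("com.vmware.vapi.std.security.no_authentication");
        }
    }

    /**
     * Security context handed to the wrapped provider after a handler has completed: a copy of the
     * source context's properties with the handler's result stored under
     * {@code AUTHENTICATION_DATA_ID}.
     *
     * <p>Decompiler note: the class was declared private in the original; the visible
     * {@code public} modifier is a JADX adjustment.
     */
    public final class SecurityContextImpl implements ExecutionContext.SecurityContext {
        private final Map<String, Object> ctxData;

        /**
         * @param securityContext context whose properties are copied; must not be {@code null}
         * @param authenticationResult handler result to publish; may be {@code null}
         */
        private SecurityContextImpl(ExecutionContext.SecurityContext securityContext, AuthenticationHandler.AuthenticationResult authenticationResult) {
            this.ctxData = new HashMap<String, Object>(securityContext.getAllProperties());
            // Written after the copy, so any value the source context already carried under this
            // key is replaced by the handler's result.
            this.ctxData.put(ExecutionContext.SecurityContext.AUTHENTICATION_DATA_ID, authenticationResult);
        }

        @Override
        public Object getProperty(String str) {
            return this.ctxData.get(str);
        }

        @Override
        public Map<String, Object> getAllProperties() {
            return Collections.unmodifiableMap(this.ctxData);
        }
    }

    /**
     * Wraps {@code apiProvider} so that calls are checked against {@code authenticationConfig}.
     *
     * @param apiProvider provider to protect; it is additionally wrapped in an
     *        {@link ErrorAugmentingFilter} that advertises {@link #AUTHN_FILTER_ERROR_DEFS}
     * @param authenticationConfig source of the operation, interface and package rule tables;
     *        checked with {@code Validate.notNull}
     * @param list authentication handlers, consulted in list order; checked with
     *        {@code Validate.notNull}
     */
    public AuthenticationFilter(ApiProvider apiProvider, AuthenticationConfig authenticationConfig, List<AuthenticationHandler> list) {
        super(new ErrorAugmentingFilter(apiProvider, AUTHN_FILTER_ERROR_DEFS));
        Validate.notNull(authenticationConfig);
        Validate.notNull(list);
        // The wrappers are read-only views, not copies: later changes made by the owner of the
        // underlying maps or list remain visible here.
        this.ifaceRulesTable = Collections.unmodifiableMap(authenticationConfig.getIFaceAuthenticationRules());
        this.packageRulesTable = Collections.unmodifiableMap(authenticationConfig.getPackageAuthenticationRules());
        this.operationRulesTable = Collections.unmodifiableMap(authenticationConfig.getOperationAuthenticationRules());
        this.authnHandlers = Collections.unmodifiableList(list);
    }

    /**
     * Applies the authentication rules for the addressed method and either forwards the call to
     * the wrapped provider or completes {@code asyncHandle} with the {@code unauthenticated} error.
     *
     * @param str service (interface) identifier of the call
     * @param str2 operation identifier of the call
     * @param dataValue input passed through unchanged
     * @param executionContext context of the call; its security context supplies the scheme id
     * @param asyncHandle handle that receives the final method result
     */
    @Override
    public void invoke(final String str, final String str2, final DataValue dataValue, final ExecutionContext executionContext, final AsyncHandle<MethodResult> asyncHandle) {
        MethodIdentifier methodId = new MethodIdentifier(new InterfaceIdentifier(str), str2);
        final ErrorValue unauthenticatedError = ErrorValueFactory.buildErrorValue("com.vmware.vapi.std.errors.unauthenticated", MessageFactory.getMessage("vapi.method.authentication.required", new String[0]));
        List<AuthenticationConfig.AuthnScheme> allowedSchemes = getMethodAuthnScheme(methodId);
        final ExecutionContext.SecurityContext wireContext = executionContext.retrieveSecurityContext();
        AuthenticationConfig.AuthnScheme wireScheme = extractWireScheme(wireContext);
        // Identity comparison: extractWireScheme() obtains its fallback from
        // getNoAuthenticationScheme(), so this is true only if that factory returns the same
        // instance on every call - TODO confirm against AuthnScheme.
        boolean wireIsNoAuthn = NO_AUTHN_SCHEME == wireScheme;
        boolean noAuthnAllowed = isSchemeAllowed(allowedSchemes, NO_AUTHN_SCHEME);
        boolean wireSchemeRejected = !isSchemeAllowed(allowedSchemes, wireScheme);
        if (wireIsNoAuthn && noAuthnAllowed) {
            // The original execution context is forwarded as-is; nothing in its security context
            // has been verified by this filter.
            this.decoratedProvider.invoke(str, str2, dataValue, executionContext, asyncHandle);
            return;
        }
        if (wireSchemeRejected && noAuthnAllowed) {
            if (wireContext != null && logger.isDebugEnabled()) {
                logger.debug("Unexpected scheme found '{}' for a method '{}' that allows 'NoAuthentication'", wireScheme, methodId.getFullyQualifiedName());
            }
            // The unrecognised credentials are dropped rather than checked: the wrapped provider
            // sees the call with a null security context.
            this.decoratedProvider.invoke(str, str2, dataValue, new ExecutionContext(executionContext.retrieveApplicationData(), null), asyncHandle);
            return;
        }
        if (wireSchemeRejected) {
            // Message text (spelling included) is kept as-is in case log searches match on it.
            // NOTE(review): both ids come from the request and are logged unescaped - confirm the
            // log layout neutralises line breaks.
            logger.debug("Ivalid authentication for method: {}.{}", str, str2);
            asyncHandle.setResult(MethodResult.newErrorResult(unauthenticatedError));
            return;
        }
        AuthenticationHandler handler = findHandler(wireContext);
        if (handler == null) {
            asyncHandle.setResult(MethodResult.newErrorResult(unauthenticatedError));
            return;
        }
        handler.authenticate(wireContext, new AsyncHandle<AuthenticationHandler.AuthenticationResult>() {
            @Override
            public void updateProgress(DataValue dataValue2) {
                // Progress reports from the handler are ignored.
            }

            /**
             * Forwards the call once the handler reports completion. A {@code null} result is
             * forwarded as well (with {@code AUTHENTICATION_DATA_ID} mapped to {@code null}), so a
             * handler has to use {@link #setError} to make the filter reject a request.
             */
            @Override
            public void setResult(AuthenticationHandler.AuthenticationResult authenticationResult) {
                // findHandler() returns null for a null context, so wireContext is non-null here.
                ExecutionContext.SecurityContext securityContext = wireContext;
                if (authenticationResult != null && authenticationResult.getSecurityContext() != null) {
                    // The handler may substitute its own context for the one from the wire.
                    securityContext = authenticationResult.getSecurityContext();
                }
                AuthenticationFilter.this.decoratedProvider.invoke(str, str2, dataValue, new ExecutionContext(executionContext.retrieveApplicationData(), new SecurityContextImpl(securityContext, authenticationResult)), asyncHandle);
            }

            /** Any handler error is reported to the caller as {@code unauthenticated}. */
            @Override
            public void setError(RuntimeException runtimeException) {
                AuthenticationFilter.logger.info("Not successful authentication", runtimeException);
                asyncHandle.setResult(MethodResult.newErrorResult(unauthenticatedError));
            }
        });
    }

    /**
     * Picks the handler for the scheme id found in {@code securityContext}.
     *
     * @param securityContext security context of the call, possibly {@code null}
     * @return the first configured handler that lists the scheme id, else the built-in
     *         no-authentication handler if the id is the no-authentication scheme, else
     *         {@code null}; also {@code null} when there is no security context
     */
    private AuthenticationHandler findHandler(ExecutionContext.SecurityContext securityContext) {
        if (securityContext == null) {
            logger.debug("Unable to find an authn handler because there is no security context");
            return null;
        }
        String schemeId = (String) SecurityUtil.narrowType(securityContext.getProperty(ExecutionContext.SecurityContext.AUTHENTICATION_SCHEME_ID), String.class);
        if (schemeId == null) {
            logger.debug("schemeId is null. Assuming no authantication scheme.");
            schemeId = "com.vmware.vapi.std.security.no_authentication";
        }
        // Configured handlers win over the built-in one, so a deployment can supply its own
        // handler for the no-authentication scheme.
        for (AuthenticationHandler candidate : this.authnHandlers) {
            if (candidate.supportedAuthenticationSchemes().contains(schemeId)) {
                logger.debug("Selected authentication handler is {}", candidate);
                return candidate;
            }
        }
        if (NO_AUTHN_HANDLER.supportedAuthenticationSchemes().contains(schemeId)) {
            return NO_AUTHN_HANDLER;
        }
        logger.debug("No suitable authentication handler found for scheme '{}'", schemeId);
        return null;
    }

    /**
     * Resolves the schemes allowed for a method, most specific rule first: operation, then
     * interface, then the longest package prefix of the interface name.
     *
     * @param methodIdentifier method being invoked
     * @return the matching rule's schemes; when no rule matches, a list holding only the
     *         no-authentication scheme, i.e. the method is callable without authentication
     */
    private List<AuthenticationConfig.AuthnScheme> getMethodAuthnScheme(MethodIdentifier methodIdentifier) {
        List<AuthenticationConfig.AuthnScheme> operationRule = this.operationRulesTable.get(methodIdentifier.getFullyQualifiedName());
        if (operationRule != null) {
            return operationRule;
        }
        String ifaceName = methodIdentifier.getInterfaceIdentifier().getName();
        List<AuthenticationConfig.AuthnScheme> ifaceRule = this.ifaceRulesTable.get(ifaceName);
        if (ifaceRule != null) {
            return ifaceRule;
        }
        // findClosestPackage() yields the empty string when nothing matches, so the lookup below
        // then reads the "" key of the package table.
        List<AuthenticationConfig.AuthnScheme> packageRule = this.packageRulesTable.get(findClosestPackage(ifaceName, this.packageRulesTable.keySet()));
        if (packageRule == null) {
            // Open default: an unlisted method is treated as not requiring authentication.
            packageRule = Arrays.asList(NO_AUTHN_SCHEME);
        }
        return packageRule;
    }

    /**
     * @return {@code true} if at least one entry of {@code list} reports {@code authnScheme} as
     *         allowed; {@code false} for an empty list
     */
    private boolean isSchemeAllowed(List<AuthenticationConfig.AuthnScheme> list, AuthenticationConfig.AuthnScheme authnScheme) {
        for (AuthenticationConfig.AuthnScheme allowed : list) {
            if (allowed.isAllowed(authnScheme)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Derives the scheme a request claims to use from its security context.
     *
     * @param securityContext security context of the call, possibly {@code null}
     * @return the no-authentication scheme when the context is {@code null} or its scheme id does
     *         not narrow to a {@code String}; otherwise a scheme built from that single id
     */
    private AuthenticationConfig.AuthnScheme extractWireScheme(ExecutionContext.SecurityContext securityContext) {
        if (securityContext == null) {
            return AuthenticationConfig.AuthnScheme.getNoAuthenticationScheme();
        }
        Object rawSchemeId = securityContext.getProperty(ExecutionContext.SecurityContext.AUTHENTICATION_SCHEME_ID);
        String schemeId = (String) SecurityUtil.narrowType(rawSchemeId, String.class);
        if (schemeId == null) {
            // Concatenation kept on purpose: rawSchemeId can be any object and is rendered with
            // its plain toString().
            logger.debug("Invalid scheme id (assuming no authn scheme): " + rawSchemeId);
            return AuthenticationConfig.AuthnScheme.getNoAuthenticationScheme();
        }
        return new AuthenticationConfig.AuthnScheme(Collections.singletonList(schemeId));
    }

    /**
     * @return the longest entry of {@code set} that equals {@code str} or is a package prefix of
     *         it, or the empty string when none matches
     */
    private String findClosestPackage(String str, Set<String> set) {
        String closest = StringUtils.EMPTY;
        for (String candidate : set) {
            if (candidate.length() > closest.length() && startsWith(str, candidate)) {
                closest = candidate;
            }
        }
        return closest;
    }

    /**
     * Package-aware prefix test: the prefix must end on a {@code "."} boundary, so
     * {@code "com.foo"} matches {@code "com.foo.bar"} but not {@code "com.foobar"}.
     */
    private boolean startsWith(String str, String str2) {
        return str.equals(str2) || str.startsWith(str2 + PACKAGE_DELIMITER);
    }
}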
