package com.vmware.vapi.security;

import com.vmware.vapi.ErrorValueFactory;
import com.vmware.vapi.MessageFactory;
import com.vmware.vapi.core.ApiProvider;
import com.vmware.vapi.core.AsyncHandle;
import com.vmware.vapi.core.DecoratorApiProvider;
import com.vmware.vapi.core.ExecutionContext;
import com.vmware.vapi.core.MethodIdentifier;
import com.vmware.vapi.core.MethodResult;
import com.vmware.vapi.data.DataValue;
import com.vmware.vapi.data.ErrorDefinition;
import com.vmware.vapi.data.ErrorValue;
import com.vmware.vapi.internal.security.SecurityUtil;
import com.vmware.vapi.internal.util.Validate;
import com.vmware.vapi.provider.introspection.ErrorAugmentingFilter;
import com.vmware.vapi.security.AuthenticationConfig;
import com.vmware.vapi.security.AuthenticationHandler;
import com.vmware.vapi.std.StandardDataFactory;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/vmware/vapi/security/AuthenticationFilter.class */
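/**
 * API provider decorator that enforces the configured authentication scheme
 * for every invoked operation before delegating to the wrapped provider.
 *
 * <p>Decision order in {@link #invoke}:
 * <ol>
 *   <li>Resolve the schemes allowed for the operation. If none are configured
 *       the call is rejected with {@code operation_not_found} (fail closed).</li>
 *   <li>Read the scheme the caller put on the wire. No security context or no
 *       scheme property is treated as "no authentication".</li>
 *   <li>If the wire scheme is not allowed but the operation allows anonymous
 *       access, the call is forwarded with the security context removed, so
 *       unverified credentials never reach the wrapped provider.</li>
 *   <li>If the wire scheme is not allowed otherwise, the call is rejected with
 *       {@code unauthenticated}.</li>
 *   <li>Otherwise the matching {@link AuthenticationHandler} verifies the
 *       credentials and the call is forwarded with the authentication result
 *       attached to the security context.</li>
 * </ol>
 */
public final class AuthenticationFilter extends DecoratorApiProvider {
    private static final char PACKAGE_DELIMITER = '.';
    private static final Logger logger = LoggerFactory.getLogger(AuthenticationFilter.class);
    private static final AuthenticationConfig.AuthnScheme NO_AUTHN_SCHEME = AuthenticationConfig.AuthnScheme.getNoAuthenticationScheme();
    private static final ErrorValue UNAUTHENTICATED = ErrorValueFactory.buildErrorValue("com.vmware.vapi.std.errors.unauthenticated", MessageFactory.getMessage("vapi.method.authentication.required", new String[0]));
    private static final ErrorValue OPERATION_NOT_FOUND = ErrorValueFactory.buildErrorValue("com.vmware.vapi.std.errors.operation_not_found", MessageFactory.getMessage("vapi.authentication.metadata.required", new String[0]));

    /**
     * Built-in operations that are callable without authentication unless an
     * explicit per-operation rule says otherwise (see
     * {@link #getMethodAuthnScheme}).
     *
     * <p>This is an authentication allow-list, so it is {@code final} and
     * wrapped as unmodifiable: nothing in this class may add an entry at
     * run time.
     */
    private static final Set<String> VAPI_ANON_OPERATIONS = Collections.unmodifiableSet(new HashSet<>(Arrays.asList(
            "com.vmware.vapi.metadata.routing.component.list",
            "com.vmware.vapi.metadata.routing.component.get",
            "com.vmware.vapi.metadata.routing.component.fingerprint",
            "com.vmware.vapi.metadata.routing.service.operation.list",
            "com.vmware.vapi.metadata.routing.service.operation.get",
            "com.vmware.vapi.metadata.routing.package.list",
            "com.vmware.vapi.metadata.routing.package.get",
            "com.vmware.vapi.metadata.routing.service.list",
            "com.vmware.vapi.metadata.routing.service.get",
            "com.vmware.vapi.metadata.cli.command.list",
            "com.vmware.vapi.metadata.cli.command.get",
            "com.vmware.vapi.metadata.cli.command.fingerprint",
            "com.vmware.vapi.metadata.cli.namespace.list",
            "com.vmware.vapi.metadata.cli.namespace.get",
            "com.vmware.vapi.metadata.cli.namespace.fingerprint",
            "com.vmware.vapi.metadata.privilege.component.list",
            "com.vmware.vapi.metadata.privilege.component.get",
            "com.vmware.vapi.metadata.privilege.component.fingerprint",
            "com.vmware.vapi.metadata.privilege.service.operation.list",
            "com.vmware.vapi.metadata.privilege.service.operation.get",
            "com.vmware.vapi.metadata.privilege.package.list",
            "com.vmware.vapi.metadata.privilege.package.get",
            "com.vmware.vapi.metadata.privilege.service.list",
            "com.vmware.vapi.metadata.privilege.service.get",
            "com.vmware.vapi.metadata.authentication.component.list",
            "com.vmware.vapi.metadata.authentication.component.get",
            "com.vmware.vapi.metadata.authentication.component.fingerprint",
            "com.vmware.vapi.metadata.authentication.service.operation.list",
            "com.vmware.vapi.metadata.authentication.service.operation.get",
            "com.vmware.vapi.metadata.authentication.package.list",
            "com.vmware.vapi.metadata.authentication.package.get",
            "com.vmware.vapi.metadata.authentication.service.list",
            "com.vmware.vapi.metadata.authentication.service.get",
            "com.vmware.vapi.metadata.metamodel.component.list",
            "com.vmware.vapi.metadata.metamodel.component.get",
            "com.vmware.vapi.metadata.metamodel.component.fingerprint",
            "com.vmware.vapi.metadata.metamodel.enumeration.list",
            "com.vmware.vapi.metadata.metamodel.enumeration.get",
            "com.vmware.vapi.metadata.metamodel.resource.model.list",
            "com.vmware.vapi.metadata.metamodel.service.operation.list",
            "com.vmware.vapi.metadata.metamodel.service.operation.get",
            "com.vmware.vapi.metadata.metamodel.service.hidden.list",
            "com.vmware.vapi.metadata.metamodel.package.list",
            "com.vmware.vapi.metadata.metamodel.package.get",
            "com.vmware.vapi.metadata.metamodel.resource.list",
            "com.vmware.vapi.metadata.metamodel.service.list",
            "com.vmware.vapi.metadata.metamodel.service.get",
            "com.vmware.vapi.metadata.metamodel.structure.list",
            "com.vmware.vapi.metadata.metamodel.structure.get",
            "com.vmware.vapi.rest.navigation.component.list",
            "com.vmware.vapi.rest.navigation.options.get",
            "com.vmware.vapi.rest.navigation.resource.get",
            "com.vmware.vapi.rest.navigation.resource.list",
            "com.vmware.vapi.rest.navigation.root.get",
            "com.vmware.vapi.rest.navigation.service.list",
            "com.vmware.vapi.std.introspection.operation.list",
            "com.vmware.vapi.std.introspection.operation.get",
            "com.vmware.vapi.std.introspection.provider.get",
            "com.vmware.vapi.std.introspection.service.list",
            "com.vmware.vapi.std.introspection.service.get")));

    /** Error definitions this filter may add to an operation's declared errors. */
    static final Set<ErrorDefinition> AUTHN_FILTER_ERROR_DEFS = Collections.singleton(StandardDataFactory.createStandardErrorDefinition("com.vmware.vapi.std.errors.unauthenticated"));

    // Allowed schemes keyed by interface (service) identifier.
    private final Map<String, List<AuthenticationConfig.AuthnScheme>> ifaceRulesTable;
    // Allowed schemes keyed by package name; the longest matching package wins.
    private final Map<String, List<AuthenticationConfig.AuthnScheme>> packageRulesTable;
    // Allowed schemes keyed by fully qualified operation name; checked first.
    private final Map<String, List<AuthenticationConfig.AuthnScheme>> operationRulesTable;
    // Handlers consulted in list order; the first one supporting the wire scheme is used.
    private final List<AuthenticationHandler> authnHandlers;

    /**
     * Security context handed to the wrapped provider after a successful
     * authentication: a copy of the source context's properties plus the
     * authentication result under {@code AUTHENTICATION_DATA_ID}.
     *
     * <p>The decompiler reports that this class's access modifier was changed
     * from {@code private}; the constructor is still private, so only the
     * enclosing filter can create instances.
     */
    public static class SecurityContextImpl implements ExecutionContext.SecurityContext {
        private final Map<String, Object> ctxData;

        private SecurityContextImpl(ExecutionContext.SecurityContext securityContext, AuthenticationHandler.AuthenticationResult authenticationResult) {
            // Copy rather than wrap, so later changes to the source context
            // cannot alter what the wrapped provider sees.
            this.ctxData = new HashMap<>(securityContext.getAllProperties());
            // Overwrites any caller-supplied value stored under the same key.
            this.ctxData.put(ExecutionContext.SecurityContext.AUTHENTICATION_DATA_ID, authenticationResult);
        }

        /** Returns the property stored under {@code str}, or {@code null} if absent. */
        @Override // com.vmware.vapi.core.ExecutionContext.SecurityContext
        public Object getProperty(String str) {
            return this.ctxData.get(str);
        }

        /** Returns a read-only view of all properties. */
        @Override // com.vmware.vapi.core.ExecutionContext.SecurityContext
        public Map<String, Object> getAllProperties() {
            return Collections.unmodifiableMap(this.ctxData);
        }
    }

    /**
     * Creates a filter in front of {@code apiProvider}.
     *
     * @param apiProvider provider that receives calls which pass the filter
     * @param authenticationConfig source of the per-operation, per-interface
     *        and per-package scheme rules; must not be {@code null}
     * @param list authentication handlers, consulted in order; must not be
     *        {@code null}
     */
    public AuthenticationFilter(ApiProvider apiProvider, AuthenticationConfig authenticationConfig, List<AuthenticationHandler> list) {
        super(new ErrorAugmentingFilter(apiProvider, AUTHN_FILTER_ERROR_DEFS));
        Validate.notNull(authenticationConfig);
        Validate.notNull(list);
        // NOTE(review): the rule tables and the handler list are kept by
        // reference. If the caller or the config object mutates them later,
        // the enforced policy changes with them; confirm that is intended or
        // that the getters already return immutable snapshots.
        this.ifaceRulesTable = authenticationConfig.getIFaceAuthenticationRules();
        this.packageRulesTable = authenticationConfig.getPackageAuthenticationRules();
        this.operationRulesTable = authenticationConfig.getOperationAuthenticationRules();
        this.authnHandlers = list;
    }

    /**
     * Applies the authentication policy to one invocation and, if it passes,
     * forwards the call to the wrapped provider.
     *
     * @param str interface (service) identifier
     * @param str2 operation identifier within the interface
     * @param dataValue operation input, passed through unchanged
     * @param executionContext caller's execution context; its security context
     *        supplies the wire scheme and credentials
     * @param asyncHandle receives the wrapped provider's result, or an
     *        {@code operation_not_found} / {@code unauthenticated} error
     */
    @Override // com.vmware.vapi.core.DecoratorApiProvider, com.vmware.vapi.core.ApiProvider
    public void invoke(final String str, final String str2, final DataValue dataValue, final ExecutionContext executionContext, final AsyncHandle<MethodResult> asyncHandle) {
        List<AuthenticationConfig.AuthnScheme> allowedSchemes = getMethodAuthnScheme(str, str2);
        if (allowedSchemes == null || allowedSchemes.isEmpty()) {
            // Fail closed: an operation without authentication metadata is
            // never forwarded.
            asyncHandle.setResult(MethodResult.newErrorResult(OPERATION_NOT_FOUND));
            return;
        }
        final ExecutionContext.SecurityContext callerContext = executionContext.retrieveSecurityContext();
        String wireScheme = extractWireScheme(callerContext);
        AuthenticationConfig.AuthnScheme requestScheme = createAuthnScheme(wireScheme);
        if (!isSchemeAllowed(allowedSchemes, requestScheme)) {
            if (isSchemeAllowed(allowedSchemes, NO_AUTHN_SCHEME)) {
                logger.debug("Unexpected scheme '{}' found in the invocation of method '{}.{}' which allows 'NoAuthentication'", requestScheme, str, str2);
                // The credentials were not verified, so drop the whole
                // security context before forwarding the anonymous call.
                this.decoratedProvider.invoke(str, str2, dataValue, executionContext.withSecurityContext(null), asyncHandle);
                return;
            }
            logger.debug("Invalid authentication scheme '{}' for method {}.{} which allows {}", requestScheme, str, str2, allowedSchemes);
            asyncHandle.setResult(MethodResult.newErrorResult(UNAUTHENTICATED));
            return;
        }
        // NOTE(review): identity comparison. This matches only if
        // getNoAuthenticationScheme() returns the same instance on every
        // call; otherwise anonymous calls fall through to findHandler(null)
        // below. Confirm against AuthnScheme.
        if (NO_AUTHN_SCHEME == requestScheme) {
            this.decoratedProvider.invoke(str, str2, dataValue, executionContext, asyncHandle);
            return;
        }
        AuthenticationHandler handler = findHandler(wireScheme);
        if (handler == null) {
            // An allowed scheme with no handler to verify it is rejected
            // rather than forwarded.
            asyncHandle.setResult(MethodResult.newErrorResult(UNAUTHENTICATED));
            return;
        }
        handler.authenticate(callerContext, new AsyncHandle<AuthenticationHandler.AuthenticationResult>() { // from class: com.vmware.vapi.security.AuthenticationFilter.1
            @Override // com.vmware.vapi.core.AsyncHandle
            public void updateProgress(DataValue dataValue2) {
                // Authentication progress is not reported to the caller.
            }

            @Override // com.vmware.vapi.core.AsyncHandle
            public void setResult(AuthenticationHandler.AuthenticationResult authenticationResult) {
                // NOTE(review): a null result is not treated as a failure; the
                // call is forwarded with AUTHENTICATION_DATA_ID mapped to null.
                // Confirm that handlers report failure only through setError,
                // or that downstream authorization rejects a missing result.
                ExecutionContext.SecurityContext effectiveContext = callerContext;
                if (authenticationResult != null && authenticationResult.getSecurityContext() != null) {
                    // The handler may substitute its own security context.
                    effectiveContext = authenticationResult.getSecurityContext();
                }
                AuthenticationFilter.this.decoratedProvider.invoke(str, str2, dataValue, executionContext.withSecurityContext(new SecurityContextImpl(effectiveContext, authenticationResult)), asyncHandle);
            }

            @Override // com.vmware.vapi.core.AsyncHandle
            public void setError(RuntimeException runtimeException) {
                // The cause is logged server-side only; the caller gets the
                // generic unauthenticated error.
                AuthenticationFilter.logger.info("Authentication failed", runtimeException);
                asyncHandle.setResult(MethodResult.newErrorResult(AuthenticationFilter.UNAUTHENTICATED));
            }
        });
    }

    /**
     * Returns the first configured handler that declares support for the
     * given wire scheme, or {@code null} if there is none.
     */
    private AuthenticationHandler findHandler(String str) {
        for (AuthenticationHandler candidate : this.authnHandlers) {
            if (candidate.supportedAuthenticationSchemes().contains(str)) {
                logger.debug("Selected authentication handler is {}", candidate);
                return candidate;
            }
        }
        logger.debug("No suitable authentication handler found for scheme '{}'", str);
        return null;
    }

    /**
     * Resolves the schemes allowed for an operation.
     *
     * <p>Precedence: explicit operation rule, then the built-in anonymous
     * operation list, then the interface rule, then the rule of the longest
     * matching package. An interface or package rule therefore cannot require
     * authentication for a built-in anonymous operation; only an explicit
     * operation rule can.
     *
     * @return the allowed schemes, or {@code null} when no rule matches
     */
    private List<AuthenticationConfig.AuthnScheme> getMethodAuthnScheme(String str, String str2) {
        String operationName = MethodIdentifier.getFullyQualifiedName(str, str2);
        List<AuthenticationConfig.AuthnScheme> operationRule = this.operationRulesTable.get(operationName);
        if (operationRule != null) {
            return operationRule;
        }
        if (VAPI_ANON_OPERATIONS.contains(operationName)) {
            return Collections.singletonList(NO_AUTHN_SCHEME);
        }
        List<AuthenticationConfig.AuthnScheme> ifaceRule = this.ifaceRulesTable.get(str);
        if (ifaceRule != null) {
            return ifaceRule;
        }
        // findClosestPackage returns "" when nothing matches, so this lookup
        // is then made with the empty string as key.
        return this.packageRulesTable.get(findClosestPackage(str, this.packageRulesTable.keySet()));
    }

    /** Returns {@code true} if any scheme in {@code list} allows {@code authnScheme}. */
    private static boolean isSchemeAllowed(List<AuthenticationConfig.AuthnScheme> list, AuthenticationConfig.AuthnScheme authnScheme) {
        for (AuthenticationConfig.AuthnScheme allowed : list) {
            if (allowed.isAllowed(authnScheme)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Reads the authentication scheme name from the security context.
     *
     * @return the value of {@code AUTHENTICATION_SCHEME_ID} narrowed to a
     *         string, or {@code null} when there is no security context
     */
    private static String extractWireScheme(ExecutionContext.SecurityContext securityContext) {
        if (securityContext == null) {
            return null;
        }
        return (String) SecurityUtil.narrowType(securityContext.getProperty(ExecutionContext.SecurityContext.AUTHENTICATION_SCHEME_ID), String.class);
    }

    /**
     * Maps a wire scheme name to a scheme object; {@code null} maps to the
     * no-authentication scheme.
     */
    private static AuthenticationConfig.AuthnScheme createAuthnScheme(String str) {
        if (str == null) {
            return AuthenticationConfig.AuthnScheme.getNoAuthenticationScheme();
        }
        return new AuthenticationConfig.AuthnScheme(Collections.singletonList(str));
    }

    /**
     * Finds the longest package name in {@code iterable} that is a proper
     * package prefix of {@code str}.
     *
     * <p>A candidate matches only when it is followed by the package delimiter
     * in {@code str}, so {@code com.example} matches {@code com.example.svc}
     * but not {@code com.examples.svc}.
     *
     * @param str interface identifier to match
     * @param iterable candidate package names
     * @return the longest matching package, or the empty string if none match
     */
    static String findClosestPackage(String str, Iterable<String> iterable) {
        String closest = "";
        for (String candidate : iterable) {
            int length = candidate.length();
            if (length > closest.length() && str.startsWith(candidate) && str.length() > length && str.charAt(length) == PACKAGE_DELIMITER) {
                closest = candidate;
            }
        }
        return closest;
    }
}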
