package io.quarkus.keycloak.pep.runtime;

import io.quarkus.arc.Arc;
import io.quarkus.oidc.AccessTokenCredential;
import io.quarkus.security.identity.SecurityIdentity;
import io.quarkus.security.runtime.QuarkusSecurityIdentity;
import io.quarkus.vertx.http.runtime.security.HttpSecurityPolicy;
import io.smallrye.mutiny.Uni;
import io.vertx.ext.web.RoutingContext;
import jakarta.enterprise.context.RequestScoped;
import jakarta.enterprise.inject.Produces;
import jakarta.inject.Inject;
import jakarta.inject.Singleton;
import java.lang.annotation.Annotation;
import java.security.Permission;
import java.util.HashMap;
import java.util.function.BiFunction;
import java.util.function.Function;
import org.keycloak.AuthorizationContext;
import org.keycloak.adapters.authorization.KeycloakAdapterPolicyEnforcer;
import org.keycloak.authorization.client.AuthzClient;
import org.keycloak.representations.adapters.config.PolicyEnforcerConfig;

@Singleton
/* loaded from: input_file:io/quarkus/keycloak/pep/runtime/KeycloakPolicyEnforcerAuthorizer.class */
public class KeycloakPolicyEnforcerAuthorizer implements HttpSecurityPolicy, BiFunction<RoutingContext, SecurityIdentity, HttpSecurityPolicy.CheckResult> {
    private static final String TENANT_ID_ATTRIBUTE = "tenant-id";
    private static final String PERMISSIONS_ATTRIBUTE = "permissions";

    @Inject
    PolicyEnforcerResolver resolver;

    public Uni<HttpSecurityPolicy.CheckResult> checkPermission(RoutingContext routingContext, Uni<SecurityIdentity> uni, HttpSecurityPolicy.AuthorizationRequestContext authorizationRequestContext) {
        return authorizationRequestContext.runBlocking(routingContext, uni, this);
    }

    @Override // java.util.function.BiFunction
    public HttpSecurityPolicy.CheckResult apply(RoutingContext routingContext, SecurityIdentity securityIdentity) {
        PolicyEnforcerConfig.PathConfig matches;
        if (securityIdentity.isAnonymous() && (matches = this.resolver.getPolicyEnforcer(null).getPathMatcher().matches(routingContext.request().path())) != null && matches.getEnforcementMode() == PolicyEnforcerConfig.EnforcementMode.ENFORCING) {
            return HttpSecurityPolicy.CheckResult.DENY;
        }
        AccessTokenCredential credential = securityIdentity.getCredential(AccessTokenCredential.class);
        if (credential == null) {
            return HttpSecurityPolicy.CheckResult.PERMIT;
        }
        AuthorizationContext authorize = new KeycloakAdapterPolicyEnforcer(this.resolver.getPolicyEnforcer((String) securityIdentity.getAttribute(TENANT_ID_ATTRIBUTE))).authorize(new VertxHttpFacade(routingContext, credential.getToken(), this.resolver.getReadTimeout()));
        return authorize.isGranted() ? new HttpSecurityPolicy.CheckResult(true, enhanceSecurityIdentity(securityIdentity, authorize)) : HttpSecurityPolicy.CheckResult.DENY;
    }

    @RequestScoped
    @Produces
    public AuthzClient getAuthzClient() {
        return this.resolver.getPolicyEnforcer((String) ((SecurityIdentity) Arc.container().instance(SecurityIdentity.class, new Annotation[0]).get()).getAttribute(TENANT_ID_ATTRIBUTE)).getClient();
    }

    private SecurityIdentity enhanceSecurityIdentity(SecurityIdentity securityIdentity, final AuthorizationContext authorizationContext) {
        HashMap hashMap = new HashMap(securityIdentity.getAttributes());
        if (authorizationContext != null) {
            hashMap.put(PERMISSIONS_ATTRIBUTE, authorizationContext.getPermissions());
        }
        return new QuarkusSecurityIdentity.Builder().addAttributes(hashMap).setPrincipal(securityIdentity.getPrincipal()).addRoles(securityIdentity.getRoles()).addCredentials(securityIdentity.getCredentials()).addPermissionChecker(new Function<Permission, Uni<Boolean>>() { // from class: io.quarkus.keycloak.pep.runtime.KeycloakPolicyEnforcerAuthorizer.1
            @Override // java.util.function.Function
            public Uni<Boolean> apply(Permission permission) {
                if (authorizationContext == null) {
                    return Uni.createFrom().item(false);
                }
                String actions = permission.getActions();
                if (actions == null || actions.isEmpty()) {
                    return Uni.createFrom().item(Boolean.valueOf(authorizationContext.hasResourcePermission(permission.getName())));
                }
                for (String str : actions.split(",")) {
                    if (!authorizationContext.hasPermission(permission.getName(), str)) {
                        return Uni.createFrom().item(false);
                    }
                }
                return Uni.createFrom().item(true);
            }
        }).build();
    }
}
