package io.quarkus.keycloak.pep.runtime;

import io.quarkus.arc.Arc;
import io.quarkus.keycloak.pep.PolicyEnforcerResolver;
import io.quarkus.oidc.AccessTokenCredential;
import io.quarkus.oidc.OidcTenantConfig;
import io.quarkus.runtime.BlockingOperationControl;
import io.quarkus.runtime.BlockingOperationNotAllowedException;
import io.quarkus.security.identity.SecurityIdentity;
import io.quarkus.security.runtime.QuarkusSecurityIdentity;
import io.quarkus.security.spi.runtime.BlockingSecurityExecutor;
import io.quarkus.vertx.http.runtime.CurrentVertxRequest;
import io.quarkus.vertx.http.runtime.security.HttpSecurityPolicy;
import io.smallrye.mutiny.Uni;
import io.vertx.ext.web.RoutingContext;
import jakarta.enterprise.context.RequestScoped;
import jakarta.enterprise.inject.Instance;
import jakarta.enterprise.inject.Produces;
import jakarta.inject.Inject;
import jakarta.inject.Singleton;
import java.lang.annotation.Annotation;
import java.security.Permission;
import java.util.function.Function;
import java.util.function.Supplier;
import org.keycloak.AuthorizationContext;
import org.keycloak.adapters.authorization.PolicyEnforcer;
import org.keycloak.authorization.client.AuthzClient;
import org.keycloak.representations.adapters.config.PolicyEnforcerConfig;

@Singleton
/* loaded from: input_file:io/quarkus/keycloak/pep/runtime/KeycloakPolicyEnforcerAuthorizer.class */
/**
 * {@link HttpSecurityPolicy} that delegates the authorization decision for an HTTP request to a Keycloak
 * {@link PolicyEnforcer} obtained from the injected {@link PolicyEnforcerResolver}.
 * <p>
 * Decompiled class (JADX output): the nested {@code AnonymousClass1} and the numbered inner classes were
 * anonymous lambdas/classes in the original source; their names carry no meaning.
 * <p>
 * Security-relevant flow, as visible in this file:
 * <ul>
 *   <li>Anonymous identities: the request path is matched against the enforcer's path configuration and an
 *       {@code ENFORCING} path yields {@code DENY} without calling Keycloak.</li>
 *   <li>Identities without an {@link AccessTokenCredential} are {@code PERMIT}ted by
 *       {@link #checkPermissionInternal} without consulting the enforcer.</li>
 *   <li>Otherwise {@code PolicyEnforcer.enforce(...)} runs on the blocking executor and, when granted, the
 *       identity is enriched with the granted permissions and a permission checker.</li>
 * </ul>
 */
public class KeycloakPolicyEnforcerAuthorizer implements HttpSecurityPolicy {
    /** Attribute name under which the granted Keycloak permissions are attached to the enhanced identity. */
    private static final String PERMISSIONS_ATTRIBUTE = "permissions";
    /** {@link RoutingContext} key under which the resolved {@link PolicyEnforcer} is cached for the request. */
    private static final String POLICY_ENFORCER = "io.quarkus.keycloak.pep.runtime.KeycloakPolicyEnforcerAuthorizer#POLICY_ENFORCER";

    /** Resolves the {@link PolicyEnforcer} for a request (and, optionally, a tenant configuration). */
    @Inject
    PolicyEnforcerResolver resolver;

    /** Lazily-resolved current {@link SecurityIdentity}; only read by {@link #getAuthzClient()}. */
    @Inject
    Instance<SecurityIdentity> identityInstance;

    /** Executor used to move blocking Keycloak calls off the event loop. */
    @Inject
    BlockingSecurityExecutor blockingExecutor;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: io.quarkus.keycloak.pep.runtime.KeycloakPolicyEnforcerAuthorizer$1, reason: invalid class name */
    /* loaded from: input_file:io/quarkus/keycloak/pep/runtime/KeycloakPolicyEnforcerAuthorizer$1.class */
    /**
     * Per-request step applied to the resolved {@link SecurityIdentity} by {@link #checkPermission}.
     * <p>
     * Anonymous identities go through a path-configuration pre-check (see {@link #apply}); authenticated ones are
     * handed straight to {@link KeycloakPolicyEnforcerAuthorizer#checkPermissionInternal}.
     */
    public class AnonymousClass1 implements Function<SecurityIdentity, Uni<? extends HttpSecurityPolicy.CheckResult>> {
        /** Request being authorized; captured from the enclosing {@code checkPermission} call. */
        final /* synthetic */ RoutingContext val$routingContext;

        AnonymousClass1(RoutingContext routingContext) {
            this.val$routingContext = routingContext;
        }

        /**
         * Decides the outcome for {@code securityIdentity}.
         * <p>
         * For an anonymous identity: resolve the enforcer with a {@code null} tenant config, cache it on the routing
         * context, match the request's normalized path on the blocking executor, and return {@code DENY} when the
         * matched path is {@code ENFORCING}; for an unmatched or non-enforcing path fall through to
         * {@code checkPermissionInternal}. For a non-anonymous identity, call {@code checkPermissionInternal}
         * directly.
         *
         * @param securityIdentity the identity produced by the authentication step
         * @return a {@link Uni} resolving to the {@link HttpSecurityPolicy.CheckResult}
         */
        @Override // java.util.function.Function
        public Uni<? extends HttpSecurityPolicy.CheckResult> apply(final SecurityIdentity securityIdentity) {
            return securityIdentity.isAnonymous() ? KeycloakPolicyEnforcerAuthorizer.this.resolver.resolvePolicyEnforcer(this.val$routingContext, null).flatMap(new Function<PolicyEnforcer, Uni<? extends HttpSecurityPolicy.CheckResult>>() { // from class: io.quarkus.keycloak.pep.runtime.KeycloakPolicyEnforcerAuthorizer.1.1
                @Override // java.util.function.Function
                public Uni<HttpSecurityPolicy.CheckResult> apply(final PolicyEnforcer policyEnforcer) {
                    // Cache the enforcer so getAuthzClient() can reuse it later in the same request.
                    KeycloakPolicyEnforcerAuthorizer.storePolicyEnforcerOnContext(policyEnforcer, AnonymousClass1.this.val$routingContext);
                    // Path matching is done on the blocking executor; the enforcer's matcher is treated as potentially blocking here.
                    return KeycloakPolicyEnforcerAuthorizer.this.blockingExecutor.executeBlocking(new Supplier<PolicyEnforcerConfig.PathConfig>() { // from class: io.quarkus.keycloak.pep.runtime.KeycloakPolicyEnforcerAuthorizer.1.1.2
                        /* JADX WARN: Can't rename method to resolve collision */
                        @Override // java.util.function.Supplier
                        public PolicyEnforcerConfig.PathConfig get() {
                            return policyEnforcer.getPathMatcher().matches(AnonymousClass1.this.val$routingContext.normalizedPath());
                        }
                    }).flatMap(new Function<PolicyEnforcerConfig.PathConfig, Uni<? extends HttpSecurityPolicy.CheckResult>>() { // from class: io.quarkus.keycloak.pep.runtime.KeycloakPolicyEnforcerAuthorizer.1.1.1
                        @Override // java.util.function.Function
                        public Uni<HttpSecurityPolicy.CheckResult> apply(PolicyEnforcerConfig.PathConfig pathConfig) {
                            // An anonymous caller on an ENFORCING path is denied outright; any other path config
                            // (no match, DISABLED, PERMISSIVE) continues to the regular check.
                            return (pathConfig == null || pathConfig.getEnforcementMode() != PolicyEnforcerConfig.EnforcementMode.ENFORCING) ? KeycloakPolicyEnforcerAuthorizer.this.checkPermissionInternal(AnonymousClass1.this.val$routingContext, securityIdentity) : Uni.createFrom().item(HttpSecurityPolicy.CheckResult.DENY);
                        }
                    });
                }
            }) : KeycloakPolicyEnforcerAuthorizer.this.checkPermissionInternal(this.val$routingContext, securityIdentity);
        }
    }

    /**
     * {@link HttpSecurityPolicy} entry point: applies {@link AnonymousClass1} once the identity resolves.
     *
     * @param routingContext              the request being authorized
     * @param uni                         the pending {@link SecurityIdentity}
     * @param authorizationRequestContext not used by this policy
     * @return a {@link Uni} resolving to the authorization outcome
     */
    public Uni<HttpSecurityPolicy.CheckResult> checkPermission(RoutingContext routingContext, Uni<SecurityIdentity> uni, HttpSecurityPolicy.AuthorizationRequestContext authorizationRequestContext) {
        return uni.flatMap(new AnonymousClass1(routingContext));
    }

    /**
     * Request-scoped CDI producer for the Keycloak {@link AuthzClient} of the current request.
     * <p>
     * Resolution order:
     * <ol>
     *   <li>the {@link PolicyEnforcer} cached on the routing context under {@link #POLICY_ENFORCER}, if any;</li>
     *   <li>otherwise, when blocking is allowed on the current thread, a synchronous resolve via the resolver
     *       (tenant config read from the routing context, or {@code null} when there is no context);</li>
     *   <li>otherwise, when the resolver is a {@link DefaultPolicyEnforcerResolver} with no dynamic enforcers, the
     *       static enforcer for the identity's {@code "tenant-id"} attribute.</li>
     * </ol>
     * The routing context is taken from the identity's {@code RoutingContext} attribute, falling back to
     * {@link CurrentVertxRequest}.
     *
     * @return the {@link AuthzClient} of the resolved enforcer
     * @throws BlockingOperationNotAllowedException when called on an I/O thread and the enforcer would have to be
     *         resolved dynamically (which requires blocking)
     */
    @RequestScoped
    @Produces
    public AuthzClient getAuthzClient() {
        SecurityIdentity securityIdentity = (SecurityIdentity) this.identityInstance.get();
        RoutingContext current = securityIdentity.getAttribute(RoutingContext.class.getName()) != null ? (RoutingContext) securityIdentity.getAttribute(RoutingContext.class.getName()) : ((CurrentVertxRequest) Arc.container().instance(CurrentVertxRequest.class, new Annotation[0]).get()).getCurrent();
        if (current != null && current.get(POLICY_ENFORCER) != null) {
            // Fast path: checkPermission already resolved and cached the enforcer for this request.
            return ((PolicyEnforcer) current.get(POLICY_ENFORCER)).getAuthzClient();
        }
        if (BlockingOperationControl.isBlockingAllowed()) {
            // Worker thread: it is safe to block on the (possibly remote) resolution.
            return ((PolicyEnforcer) this.resolver.resolvePolicyEnforcer(current, current == null ? null : (OidcTenantConfig) current.get(OidcTenantConfig.class.getName())).await().indefinitely()).getAuthzClient();
        }
        PolicyEnforcerResolver policyEnforcerResolver = this.resolver;
        if (policyEnforcerResolver instanceof DefaultPolicyEnforcerResolver) {
            DefaultPolicyEnforcerResolver defaultPolicyEnforcerResolver = (DefaultPolicyEnforcerResolver) policyEnforcerResolver;
            if (!defaultPolicyEnforcerResolver.hasDynamicPolicyEnforcers()) {
                // Static configuration only: no blocking needed, look the enforcer up by tenant id.
                return defaultPolicyEnforcerResolver.getStaticPolicyEnforcer((String) securityIdentity.getAttribute("tenant-id")).getAuthzClient();
            }
        }
        throw new BlockingOperationNotAllowedException("You have attempted to inject AuthzClient on a IO thread.\nThis is not allowed when PolicyEnforcer is resolved dynamically as blocking operations are required.\nMake sure you are injecting AuthzClient from a worker thread.\n");
    }

    /**
     * Runs the Keycloak policy enforcement for an identity that carries an {@link AccessTokenCredential}.
     * <p>
     * When the identity has no {@link AccessTokenCredential} the result is {@code PERMIT} and the enforcer is
     * never consulted. Otherwise the enforcer is resolved using the {@link OidcTenantConfig} stored on the routing
     * context, cached on the context, and {@code enforce(...)} is executed on the blocking executor. A granted
     * {@link AuthorizationContext} yields a permit carrying the identity enhanced by
     * {@link #enhanceSecurityIdentity}; anything else yields {@code DENY}.
     *
     * @param routingContext   the request being authorized
     * @param securityIdentity the identity whose access token is presented to Keycloak
     * @return a {@link Uni} resolving to the authorization outcome
     */
    private Uni<HttpSecurityPolicy.CheckResult> checkPermissionInternal(final RoutingContext routingContext, final SecurityIdentity securityIdentity) {
        AccessTokenCredential credential = securityIdentity.getCredential(AccessTokenCredential.class);
        if (credential == null) {
            // No bearer token to evaluate: this policy does not deny such requests itself.
            return Uni.createFrom().item(HttpSecurityPolicy.CheckResult.PERMIT);
        }
        // The facade is passed twice below because PolicyEnforcer.enforce takes the request and the response
        // as separate parameters; VertxHttpFacade serves both roles.
        final VertxHttpFacade vertxHttpFacade = new VertxHttpFacade(routingContext, credential.getToken(), this.resolver.getReadTimeout());
        return this.resolver.resolvePolicyEnforcer(routingContext, (OidcTenantConfig) routingContext.get(OidcTenantConfig.class.getName())).flatMap(new Function<PolicyEnforcer, Uni<? extends AuthorizationContext>>() { // from class: io.quarkus.keycloak.pep.runtime.KeycloakPolicyEnforcerAuthorizer.3
            @Override // java.util.function.Function
            public Uni<AuthorizationContext> apply(final PolicyEnforcer policyEnforcer) {
                KeycloakPolicyEnforcerAuthorizer.storePolicyEnforcerOnContext(policyEnforcer, routingContext);
                // enforce(...) may call Keycloak over the network, so it must not run on the event loop.
                return KeycloakPolicyEnforcerAuthorizer.this.blockingExecutor.executeBlocking(new Supplier<AuthorizationContext>() { // from class: io.quarkus.keycloak.pep.runtime.KeycloakPolicyEnforcerAuthorizer.3.1
                    /* JADX WARN: Can't rename method to resolve collision */
                    @Override // java.util.function.Supplier
                    public AuthorizationContext get() {
                        return policyEnforcer.enforce(vertxHttpFacade, vertxHttpFacade);
                    }
                });
            }
        }).map(new Function<AuthorizationContext, HttpSecurityPolicy.CheckResult>() { // from class: io.quarkus.keycloak.pep.runtime.KeycloakPolicyEnforcerAuthorizer.2
            @Override // java.util.function.Function
            public HttpSecurityPolicy.CheckResult apply(AuthorizationContext authorizationContext) {
                return authorizationContext.isGranted() ? new HttpSecurityPolicy.CheckResult(true, KeycloakPolicyEnforcerAuthorizer.enhanceSecurityIdentity(securityIdentity, authorizationContext)) : HttpSecurityPolicy.CheckResult.DENY;
            }
        });
    }

    /**
     * Caches {@code policyEnforcer} on the routing context under {@link #POLICY_ENFORCER} so that
     * {@link #getAuthzClient()} can reuse it within the same request.
     *
     * @param policyEnforcer the resolved enforcer
     * @param routingContext the request to attach it to
     */
    private static void storePolicyEnforcerOnContext(PolicyEnforcer policyEnforcer, RoutingContext routingContext) {
        routingContext.put(POLICY_ENFORCER, policyEnforcer);
    }

    /**
     * Builds a new identity from {@code securityIdentity} that carries the permissions granted by Keycloak.
     * <p>
     * The granted permissions are attached under {@link #PERMISSIONS_ATTRIBUTE} and a permission checker is
     * registered that evaluates a {@link Permission} against the {@link AuthorizationContext}:
     * with no actions, {@code hasResourcePermission(name)} decides; otherwise the actions string is split on
     * {@code ','} (without trimming) and every action must satisfy {@code hasPermission(name, action)}.
     *
     * @param securityIdentity     the identity that was granted access
     * @param authorizationContext the Keycloak authorization result for this request
     * @return the enhanced identity
     */
    private static SecurityIdentity enhanceSecurityIdentity(SecurityIdentity securityIdentity, final AuthorizationContext authorizationContext) {
        return QuarkusSecurityIdentity.builder(securityIdentity).addAttribute(PERMISSIONS_ATTRIBUTE, authorizationContext.getPermissions()).addPermissionChecker(new Function<Permission, Uni<Boolean>>() { // from class: io.quarkus.keycloak.pep.runtime.KeycloakPolicyEnforcerAuthorizer.4
            @Override // java.util.function.Function
            public Uni<Boolean> apply(Permission permission) {
                String actions = permission.getActions();
                if (actions == null || actions.isEmpty()) {
                    // Resource-level check only: no scopes were requested.
                    return Uni.createFrom().item(Boolean.valueOf(authorizationContext.hasResourcePermission(permission.getName())));
                }
                // All requested scopes must be granted; the first missing one denies.
                for (String str : actions.split(",")) {
                    if (!authorizationContext.hasPermission(permission.getName(), str)) {
                        return Uni.createFrom().item(false);
                    }
                }
                return Uni.createFrom().item(true);
            }
        }).build();
    }
}
