package io.quarkus.vertx.http.runtime.security;

import io.quarkus.arc.Arc;
import io.quarkus.arc.InstanceHandle;
import io.quarkus.runtime.RuntimeValue;
import io.quarkus.runtime.annotations.Recorder;
import io.quarkus.runtime.configuration.ConfigurationException;
import io.quarkus.security.AuthenticationCompletionException;
import io.quarkus.security.AuthenticationFailedException;
import io.quarkus.security.AuthenticationRedirectException;
import io.quarkus.security.identity.SecurityIdentity;
import io.quarkus.security.identity.request.AnonymousAuthenticationRequest;
import io.quarkus.security.spi.runtime.MethodDescription;
import io.quarkus.vertx.http.runtime.HttpConfiguration;
import io.quarkus.vertx.http.runtime.security.HttpSecurityPolicy;
import io.smallrye.mutiny.CompositeException;
import io.smallrye.mutiny.Uni;
import io.smallrye.mutiny.subscription.UniSubscriber;
import io.smallrye.mutiny.subscription.UniSubscription;
import io.smallrye.mutiny.tuples.Functions;
import io.vertx.core.Handler;
import io.vertx.core.http.HttpHeaders;
import io.vertx.ext.web.RoutingContext;
import jakarta.enterprise.inject.Instance;
import jakarta.enterprise.inject.spi.CDI;
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.lang.annotation.Annotation;
import java.net.MalformedURLException;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Properties;
import java.util.Set;
import java.util.concurrent.CompletionException;
import java.util.function.BiConsumer;
import java.util.function.Consumer;
import java.util.function.Function;
import java.util.function.Supplier;
import org.jboss.logging.Logger;

@Recorder
/* loaded from: input_file:io/quarkus/vertx/http/runtime/security/HttpSecurityRecorder.class */
public class HttpSecurityRecorder {
    private static final Logger log = Logger.getLogger(HttpSecurityRecorder.class);

    /* loaded from: input_file:io/quarkus/vertx/http/runtime/security/HttpSecurityRecorder$AbstractAuthenticationHandler.class */
    /**
     * Vert.x route handler that prepares the authentication state of each request.
     *
     * <p>For every request it resolves the {@link HttpAuthenticator} from CDI (once), stores it in the routing
     * context, optionally stores the path-matching policy, installs a {@link DefaultAuthFailureHandler} under
     * {@code QuarkusHttpUser.AUTH_FAILURE_HANDLER}, and then either authenticates straight away (proactive mode)
     * or stores a deferred identity {@link Uni} under {@code QuarkusHttpUser.DEFERRED_IDENTITY_KEY} and lets the
     * request continue (lazy mode).
     *
     * <p>In both modes a {@code null} identity from the authenticator is not treated as a failure: the identity
     * provider manager is asked to authenticate {@code AnonymousAuthenticationRequest.INSTANCE} and the request
     * carries on with that identity. Requests without credentials are therefore not rejected here.
     * NOTE(review): rejecting them is presumably the job of the permission check that runs later - confirm.
     */
    public static abstract class AbstractAuthenticationHandler implements Handler<RoutingContext> {
        // Resolved from CDI on the first request; volatile so the lazily assigned value is visible to other threads.
        volatile HttpAuthenticator authenticator;
        // null until the first request, then "are any HTTP permissions configured" (see setPatchMatchingPolicyEnabled).
        // NOTE(review): "patch" looks like a typo for "path"; the identifier is left as it is.
        volatile Boolean patchMatchingPolicyEnabled = null;
        // true: authenticate before the route continues; false: authenticate only when the identity is requested.
        final boolean proactiveAuthentication;

        /**
         * @param z value stored as {@code proactiveAuthentication}
         */
        public AbstractAuthenticationHandler(boolean z) {
            this.proactiveAuthentication = z;
        }

        /**
         * Attaches the authenticator, the failure handler and the (eager or deferred) identity to the request.
         *
         * @param routingContext the request being routed
         */
        public void handle(final RoutingContext routingContext) {
            if (this.authenticator == null) {
                this.authenticator = (HttpAuthenticator) CDI.current().select(HttpAuthenticator.class, new Annotation[0]).get();
            }
            // DefaultAuthFailureHandler.getAuthenticator reads the authenticator back from this key.
            routingContext.put(HttpAuthenticator.class.getName(), this.authenticator);
            if (this.patchMatchingPolicyEnabled == null) {
                setPatchMatchingPolicyEnabled();
            }
            if (this.patchMatchingPolicyEnabled.booleanValue()) {
                setPathMatchingPolicy(routingContext);
            }
            // The two modes differ in what happens after the failure response has been prepared:
            // proactive mode fails the routing context with the cause, lazy mode just ends the response.
            if (this.proactiveAuthentication) {
                routingContext.put(QuarkusHttpUser.AUTH_FAILURE_HANDLER, new DefaultAuthFailureHandler() { // from class: io.quarkus.vertx.http.runtime.security.HttpSecurityRecorder.AbstractAuthenticationHandler.1
                    @Override // io.quarkus.vertx.http.runtime.security.HttpSecurityRecorder.DefaultAuthFailureHandler
                    protected void proceed(Throwable th) {
                        // Do not fail a context that has already been failed.
                        if (routingContext.failed()) {
                            return;
                        }
                        routingContext.fail(th);
                    }
                });
            } else {
                routingContext.put(QuarkusHttpUser.AUTH_FAILURE_HANDLER, new DefaultAuthFailureHandler() { // from class: io.quarkus.vertx.http.runtime.security.HttpSecurityRecorder.AbstractAuthenticationHandler.2
                    @Override // io.quarkus.vertx.http.runtime.security.HttpSecurityRecorder.DefaultAuthFailureHandler
                    protected void proceed(Throwable th) {
                        routingContext.end();
                    }
                });
            }
            if (this.proactiveAuthentication) {
                // Memoized so that later readers of DEFERRED_IDENTITY_KEY reuse this result instead of
                // running the authentication mechanisms a second time.
                final Uni indefinitely = this.authenticator.attemptAuthentication(routingContext).memoize().indefinitely();
                indefinitely.subscribe().withSubscriber(new UniSubscriber<SecurityIdentity>() { // from class: io.quarkus.vertx.http.runtime.security.HttpSecurityRecorder.AbstractAuthenticationHandler.3
                    public void onSubscribe(UniSubscription uniSubscription) {
                    }

                    public void onItem(SecurityIdentity securityIdentity) {
                        // A challenge or error response may already have been written; leave the request alone then.
                        if (routingContext.response().ended()) {
                            return;
                        }
                        if (securityIdentity == null) {
                            // No identity was produced: fall back to the anonymous identity. The request is
                            // NOT rejected at this point.
                            final Uni authenticate = AbstractAuthenticationHandler.this.authenticator.getIdentityProviderManager().authenticate(AnonymousAuthenticationRequest.INSTANCE);
                            authenticate.subscribe().withSubscriber(new UniSubscriber<SecurityIdentity>() { // from class: io.quarkus.vertx.http.runtime.security.HttpSecurityRecorder.AbstractAuthenticationHandler.3.1
                                public void onSubscribe(UniSubscription uniSubscription) {
                                }

                                public void onItem(SecurityIdentity securityIdentity2) {
                                    routingContext.put(QuarkusHttpUser.DEFERRED_IDENTITY_KEY, authenticate);
                                    routingContext.setUser(new QuarkusHttpUser(securityIdentity2));
                                    routingContext.next();
                                }

                                public void onFailure(Throwable th) {
                                    // If no failure handler is stored in the context the failure is dropped
                                    // without a response; handle() stores one above for every request.
                                    BiConsumer biConsumer = (BiConsumer) routingContext.get(QuarkusHttpUser.AUTH_FAILURE_HANDLER);
                                    if (biConsumer != null) {
                                        biConsumer.accept(routingContext, th);
                                    }
                                }
                            });
                        } else {
                            routingContext.setUser(new QuarkusHttpUser(securityIdentity));
                            routingContext.put(QuarkusHttpUser.DEFERRED_IDENTITY_KEY, indefinitely);
                            routingContext.next();
                        }
                    }

                    public void onFailure(Throwable th) {
                        // Same contract as the nested subscriber: a missing failure handler means the
                        // failure is dropped silently.
                        BiConsumer biConsumer = (BiConsumer) routingContext.get(QuarkusHttpUser.AUTH_FAILURE_HANDLER);
                        if (biConsumer != null) {
                            biConsumer.accept(routingContext, th);
                        }
                    }
                });
            } else {
                // Lazy mode: starting from a null item and flat-mapping defers attemptAuthentication until the
                // stored Uni is first subscribed to; both memoize() calls make later subscribers share the result.
                routingContext.put(QuarkusHttpUser.DEFERRED_IDENTITY_KEY, Uni.createFrom().nullItem().flatMap(obj -> {
                    return this.authenticator.attemptAuthentication(routingContext);
                }).memoize().indefinitely().flatMap(new Function<SecurityIdentity, Uni<? extends SecurityIdentity>>() { // from class: io.quarkus.vertx.http.runtime.security.HttpSecurityRecorder.AbstractAuthenticationHandler.5
                    @Override // java.util.function.Function
                    public Uni<? extends SecurityIdentity> apply(SecurityIdentity securityIdentity) {
                        // Same anonymous fallback as in proactive mode.
                        return securityIdentity == null ? AbstractAuthenticationHandler.this.authenticator.getIdentityProviderManager().authenticate(AnonymousAuthenticationRequest.INSTANCE) : Uni.createFrom().item(securityIdentity);
                    }
                }).onTermination().invoke(new Functions.TriConsumer<SecurityIdentity, Throwable, Boolean>() { // from class: io.quarkus.vertx.http.runtime.security.HttpSecurityRecorder.AbstractAuthenticationHandler.4
                    public void accept(SecurityIdentity securityIdentity, Throwable th, Boolean bool) {
                        BiConsumer biConsumer;
                        if (securityIdentity != null) {
                            routingContext.setUser(new QuarkusHttpUser(securityIdentity));
                        } else {
                            // No item: only a failure is reported, and only when a failure handler is
                            // present. With neither item nor failure nothing is done.
                            if (th == null || (biConsumer = (BiConsumer) routingContext.get(QuarkusHttpUser.AUTH_FAILURE_HANDLER)) == null) {
                                return;
                            }
                            biConsumer.accept(routingContext, th);
                        }
                    }
                }).memoize().indefinitely());
                // The route continues immediately: no user is set on the context until something
                // subscribes to the deferred identity.
                routingContext.next();
            }
        }

        /**
         * Initialises {@code patchMatchingPolicyEnabled} once. The unsynchronised null check in
         * {@code handle} is repeated here under the lock so that {@code httpPermissionsEmpty()} decides the
         * value only while the field is still unset.
         */
        private synchronized void setPatchMatchingPolicyEnabled() {
            if (this.patchMatchingPolicyEnabled == null) {
                this.patchMatchingPolicyEnabled = Boolean.valueOf(!httpPermissionsEmpty());
            }
        }

        /**
         * Called for each request when HTTP permissions are configured; implementations make the
         * path-matching policy available on the routing context.
         *
         * @param routingContext the request being routed
         */
        protected abstract void setPathMatchingPolicy(RoutingContext routingContext);

        /**
         * @return {@code true} when no HTTP permissions are configured, in which case
         *         {@code setPathMatchingPolicy} is never called
         */
        protected abstract boolean httpPermissionsEmpty();
    }

    /* loaded from: input_file:io/quarkus/vertx/http/runtime/security/HttpSecurityRecorder$DefaultAuthFailureHandler.class */
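    /**
     * Turns an authentication failure into an HTTP response and then hands over to {@link #proceed(Throwable)}.
     *
     * <p>The failure is first unwrapped with {@link #extractRootCause(Throwable)} and then handled by type:
     * <ul>
     * <li>{@code AuthenticationFailedException}: the authenticator stored in the routing context sends a
     * challenge, after which {@code proceed} runs unless the response has already ended;</li>
     * <li>{@code AuthenticationCompletionException}: the status is set to 401;</li>
     * <li>{@code AuthenticationRedirectException}: status code and {@code Location} come from the exception and
     * caching of the redirect is disabled;</li>
     * <li>anything else: the routing context is failed with the root cause.</li>
     * </ul>
     */
    public static abstract class DefaultAuthFailureHandler implements BiConsumer<RoutingContext, Throwable> {
        protected DefaultAuthFailureHandler() {
        }

        /**
         * Writes the response for an authentication failure.
         *
         * @param routingContext the request whose authentication failed
         * @param th the failure, possibly wrapped in a {@code CompletionException} or {@code CompositeException}
         */
        @Override
        public void accept(final RoutingContext routingContext, Throwable th) {
            // Never touch a response that another handler has already completed.
            if (routingContext.response().ended()) {
                return;
            }
            // Declared as Throwable: the root cause can be any of the exception types tested below.
            final Throwable rootCause = extractRootCause(th);
            if (rootCause instanceof AuthenticationFailedException) {
                getAuthenticator(routingContext).sendChallenge(routingContext).subscribe().with(new Consumer<Boolean>() {
                    @Override
                    public void accept(Boolean challengeSent) {
                        // Sending the challenge may itself have ended the response.
                        if (routingContext.response().ended()) {
                            return;
                        }
                        DefaultAuthFailureHandler.this.proceed(rootCause);
                    }
                }, new Consumer<Throwable>() {
                    @Override
                    public void accept(Throwable challengeFailure) {
                        routingContext.fail(challengeFailure);
                    }
                });
            } else if (rootCause instanceof AuthenticationCompletionException) {
                HttpSecurityRecorder.log.debug("Authentication has failed, returning HTTP status 401");
                routingContext.response().setStatusCode(401);
                proceed(rootCause);
            } else if (rootCause instanceof AuthenticationRedirectException) {
                AuthenticationRedirectException redirect = (AuthenticationRedirectException) rootCause;
                routingContext.response().setStatusCode(redirect.getCode());
                // The Location value is copied from the exception without any validation here.
                // NOTE(review): the code raising AuthenticationRedirectException presumably validates the
                // target - confirm.
                routingContext.response().headers().set(HttpHeaders.LOCATION, redirect.getRedirectUri());
                // Keep browsers and intermediaries from caching the authentication redirect.
                routingContext.response().headers().set(HttpHeaders.CACHE_CONTROL, "no-store");
                routingContext.response().headers().set("Pragma", "no-cache");
                proceed(rootCause);
            } else {
                routingContext.fail(rootCause);
            }
        }

        /**
         * Finishes the request once the failure response has been prepared.
         *
         * @param th the unwrapped failure
         */
        protected abstract void proceed(Throwable th);

        /** Reads back the authenticator stored in the routing context under the {@code HttpAuthenticator} class name. */
        private static HttpAuthenticator getAuthenticator(RoutingContext routingContext) {
            return (HttpAuthenticator) routingContext.get(HttpAuthenticator.class.getName());
        }

        /**
         * Strips {@code CompletionException} and {@code CompositeException} wrappers from a failure.
         *
         * <p>For a {@code CompositeException} only the first cause is followed; the remaining causes play no
         * part in choosing the response.
         *
         * @param th the failure to unwrap
         * @return the first throwable that is neither a {@code CompositeException} nor a
         *         {@code CompletionException} with a cause
         */
        public static Throwable extractRootCause(Throwable th) {
            Throwable current = th;
            while (true) {
                if (current instanceof CompositeException) {
                    current = ((CompositeException) current).getCauses().get(0);
                } else if (current instanceof CompletionException && current.getCause() != null) {
                    current = current.getCause();
                } else {
                    return current;
                }
            }
        }
    }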

    /* loaded from: input_file:io/quarkus/vertx/http/runtime/security/HttpSecurityRecorder$HttpAuthenticationHandler.class */
    /**
     * Authentication handler that takes the path-matching policy and the HTTP permission configuration from CDI.
     */
    static class HttpAuthenticationHandler extends AbstractAuthenticationHandler {
        // Cached after the first successful lookup; stays null while no such bean is resolvable.
        volatile PathMatchingHttpSecurityPolicy pathMatchingPolicy;

        /**
         * @param z passed on to {@link AbstractAuthenticationHandler} as the proactive-authentication flag
         */
        public HttpAuthenticationHandler(boolean z) {
            super(z);
        }

        /**
         * Stores the path-matching policy in the routing context under the
         * {@code AbstractPathMatchingHttpSecurityPolicy} class name. Nothing is stored when no
         * {@code PathMatchingHttpSecurityPolicy} bean is resolvable; the lookup is then repeated on the
         * next request.
         */
        @Override
        protected void setPathMatchingPolicy(RoutingContext routingContext) {
            PathMatchingHttpSecurityPolicy policy = this.pathMatchingPolicy;
            if (policy == null) {
                Instance<PathMatchingHttpSecurityPolicy> candidates = CDI.current().select(PathMatchingHttpSecurityPolicy.class);
                if (candidates.isResolvable()) {
                    policy = candidates.get();
                }
                this.pathMatchingPolicy = policy;
            }
            if (policy == null) {
                return;
            }
            routingContext.put(AbstractPathMatchingHttpSecurityPolicy.class.getName(), policy);
        }

        /**
         * @return {@code true} when the {@code auth.permissions} map of the HTTP configuration is empty
         */
        @Override
        protected boolean httpPermissionsEmpty() {
            HttpConfiguration httpConfiguration = CDI.current().select(HttpConfiguration.class).get();
            return httpConfiguration.auth.permissions.isEmpty();
        }
    }

    /**
     * Creates the route handler that attaches authentication state to each request.
     *
     * @param z {@code true} to authenticate before the route continues, {@code false} to store a deferred
     *        identity that is resolved on first use
     * @return a new {@code HttpAuthenticationHandler}
     */
    public Handler<RoutingContext> authenticationMechanismHandler(boolean z) {
        final boolean proactiveAuthentication = z;
        return new HttpAuthenticationHandler(proactiveAuthentication);
    }

    /**
     * Creates the route handler that passes every request to {@code HttpAuthorizer.checkPermission}.
     *
     * @return a handler that looks the authorizer up from CDI on its first request and reuses it afterwards
     */
    public Handler<RoutingContext> permissionCheckHandler() {
        return new Handler<RoutingContext>() {
            // Looked up on the first request rather than when the handler is created.
            volatile HttpAuthorizer authorizer;

            @Override
            public void handle(RoutingContext routingContext) {
                HttpAuthorizer resolved = this.authorizer;
                if (resolved == null) {
                    resolved = CDI.current().select(HttpAuthorizer.class).get();
                    this.authorizer = resolved;
                }
                resolved.checkPermission(routingContext);
            }
        };
    }

    /**
     * Creates the route handler for the form authentication POST: it subscribes to the deferred identity
     * stored in the routing context and continues the route once that identity has resolved, or fails the
     * request with the authentication failure.
     *
     * <p>The handler reads {@code QuarkusHttpUser.DEFERRED_IDENTITY_KEY} without a null check, so it must
     * run after the handler that stores that value.
     *
     * @return the handler
     */
    public Handler<RoutingContext> formAuthPostHandler() {
        return routingContext -> {
            Uni<SecurityIdentity> deferredIdentity = routingContext.get(QuarkusHttpUser.DEFERRED_IDENTITY_KEY);
            deferredIdentity.subscribe().withSubscriber(new UniSubscriber<SecurityIdentity>() {
                @Override
                public void onSubscribe(UniSubscription uniSubscription) {
                    // nothing to do on subscription
                }

                @Override
                public void onItem(SecurityIdentity securityIdentity) {
                    // The identity itself is not inspected here; resolving it is all that is awaited.
                    routingContext.next();
                }

                @Override
                public void onFailure(Throwable th) {
                    routingContext.fail(th);
                }
            });
        };
    }

    /**
     * Unwraps the recorded method descriptions and returns a supplier of the interceptor storage built from them.
     *
     * @param map security interceptors keyed by the wrapped description of the method they apply to
     * @return a supplier that creates a new {@code EagerSecurityInterceptorStorage} over the same unwrapped
     *         map on every call
     */
    public Supplier<EagerSecurityInterceptorStorage> createSecurityInterceptorStorage(Map<RuntimeValue<MethodDescription>, Consumer<RoutingContext>> map) {
        final Map<MethodDescription, Consumer<RoutingContext>> interceptorsByMethod = new HashMap<>();
        map.forEach((describedMethod, interceptor) -> interceptorsByMethod.put(describedMethod.getValue(), interceptor));
        return () -> new EagerSecurityInterceptorStorage(interceptorsByMethod);
    }

    /**
     * Wraps a security policy so that it reports the given name.
     *
     * <p>Only {@code name()} is changed: every permission check is forwarded to the supplied policy
     * unchanged, so the wrapper adds no authorization logic of its own.
     *
     * @param supplier source of the policy to wrap; called once, before this method returns
     * @param str the name the wrapped policy reports
     * @return the named policy as a runtime value
     */
    public RuntimeValue<HttpSecurityPolicy> createNamedHttpSecurityPolicy(final Supplier<HttpSecurityPolicy> supplier, final String str) {
        final HttpSecurityPolicy delegate = supplier.get();
        HttpSecurityPolicy namedPolicy = new HttpSecurityPolicy() {
            @Override
            public Uni<HttpSecurityPolicy.CheckResult> checkPermission(RoutingContext routingContext, Uni<SecurityIdentity> uni, HttpSecurityPolicy.AuthorizationRequestContext authorizationRequestContext) {
                return delegate.checkPermission(routingContext, uni, authorizationRequestContext);
            }

            @Override
            public String name() {
                return str;
            }
        };
        return new RuntimeValue<>(namedPolicy);
    }

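    /**
     * Loads the role mappings configured under {@code quarkus.http.auth.certificate-role-properties} and
     * hands them to the mTLS authentication mechanism.
     *
     * <p>Nothing happens unless a {@code MtlsAuthenticationMechanism} bean is available and the property is
     * set. The location is used as a file when it exists on the file system and is otherwise looked up on the
     * context class loader. Each property becomes one entry: the key maps to the comma-separated roles of
     * its value.
     *
     * <p>The file decides which roles are mapped, so write access to it should be restricted accordingly.
     * A failure to read or parse it is only logged as a warning: {@code setRoleMappings} is then never
     * called and start-up continues. NOTE(review): confirm that continuing without the mappings is the
     * intended outcome rather than failing start-up.
     *
     * @param httpConfiguration the HTTP configuration holding {@code auth.certificateRoleProperties}
     * @throws ConfigurationException if the location is neither an existing file nor a class path resource
     */
    public void setMtlsCertificateRoleProperties(HttpConfiguration httpConfiguration) {
        InstanceHandle<MtlsAuthenticationMechanism> mtls = Arc.container().instance(MtlsAuthenticationMechanism.class);
        if (!mtls.isAvailable() || !httpConfiguration.auth.certificateRoleProperties.isPresent()) {
            return;
        }
        Path rolesPath = httpConfiguration.auth.certificateRoleProperties.get();
        URL rolesResource = null;
        if (Files.exists(rolesPath)) {
            try {
                rolesResource = rolesPath.toUri().toURL();
            } catch (MalformedURLException ignored) {
                // rolesResource stays null, so the ConfigurationException below reports the location.
            }
        } else {
            rolesResource = Thread.currentThread().getContextClassLoader().getResource(rolesPath.toString());
        }
        if (rolesResource == null) {
            throw new ConfigurationException("quarkus.http.auth.certificate-role-properties location can not be resolved", Set.of("quarkus.http.auth.certificate-role-properties"));
        }
        // try-with-resources closes the stream even when loading or parsing throws.
        try (BufferedReader reader = new BufferedReader(new InputStreamReader(rolesResource.openStream(), StandardCharsets.UTF_8))) {
            Properties rolesProperties = new Properties();
            rolesProperties.load(reader);
            Map<String, Set<String>> roleMappings = new HashMap<>();
            for (Map.Entry<Object, Object> entry : rolesProperties.entrySet()) {
                log.debugf("Added role mapping for %s:%s", entry.getKey(), entry.getValue());
                roleMappings.put((String) entry.getKey(), parseRoles((String) entry.getValue()));
            }
            mtls.get().setRoleMappings(roleMappings);
        } catch (Exception e) {
            log.warnf("Unable to read roles mappings from %s:%s", rolesPath, e.getMessage());
        }
    }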

    /**
     * Splits a comma-separated role list into an unmodifiable set of trimmed role names.
     *
     * <p>Tokens that are empty after trimming are kept, so a value such as {@code "a, ,b"} or an empty
     * value yields the empty string as a role name.
     *
     * @param str the comma-separated roles
     * @return the distinct trimmed tokens
     */
    private static Set<String> parseRoles(String str) {
        final String[] tokens = str.split(",");
        final Set<String> roles = new HashSet<>();
        for (int i = 0; i < tokens.length; i++) {
            roles.add(tokens[i].trim());
        }
        return Set.copyOf(roles);
    }
}
