package io.quarkus.vertx.http.deployment;

import io.quarkus.arc.deployment.AdditionalBeanBuildItem;
import io.quarkus.arc.deployment.BeanContainerListenerBuildItem;
import io.quarkus.arc.deployment.SyntheticBeanBuildItem;
import io.quarkus.deployment.Capabilities;
import io.quarkus.deployment.annotations.BuildProducer;
import io.quarkus.deployment.annotations.BuildStep;
import io.quarkus.deployment.annotations.ExecutionTime;
import io.quarkus.deployment.annotations.Record;
import io.quarkus.deployment.builditem.CombinedIndexBuildItem;
import io.quarkus.deployment.builditem.nativeimage.ReflectiveClassBuildItem;
import io.quarkus.runtime.configuration.ConfigurationException;
import io.quarkus.security.StringPermission;
import io.quarkus.vertx.http.runtime.HttpBuildTimeConfig;
import io.quarkus.vertx.http.runtime.PolicyConfig;
import io.quarkus.vertx.http.runtime.management.ManagementInterfaceBuildTimeConfig;
import io.quarkus.vertx.http.runtime.security.AuthenticatedHttpSecurityPolicy;
import io.quarkus.vertx.http.runtime.security.BasicAuthenticationMechanism;
import io.quarkus.vertx.http.runtime.security.DenySecurityPolicy;
import io.quarkus.vertx.http.runtime.security.FormAuthenticationMechanism;
import io.quarkus.vertx.http.runtime.security.HttpAuthenticationMechanism;
import io.quarkus.vertx.http.runtime.security.HttpAuthenticator;
import io.quarkus.vertx.http.runtime.security.HttpAuthorizer;
import io.quarkus.vertx.http.runtime.security.HttpSecurityRecorder;
import io.quarkus.vertx.http.runtime.security.MtlsAuthenticationMechanism;
import io.quarkus.vertx.http.runtime.security.PathMatchingHttpSecurityPolicy;
import io.quarkus.vertx.http.runtime.security.PermitSecurityPolicy;
import io.quarkus.vertx.http.runtime.security.RolesAllowedHttpSecurityPolicy;
import io.quarkus.vertx.http.runtime.security.SupplierImpl;
import io.vertx.core.http.ClientAuth;
import jakarta.inject.Singleton;
import java.security.Permission;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.function.BiFunction;
import java.util.function.Function;
import org.jboss.jandex.ClassInfo;
import org.jboss.jandex.DotName;
import org.jboss.jandex.IndexView;
import org.jboss.jandex.MethodInfo;
import org.jboss.jandex.Type;

/* loaded from: input_file:io/quarkus/vertx/http/deployment/HttpSecurityProcessor.class */
public class HttpSecurityProcessor {
    private static final DotName PERMISSION = DotName.createSimple(Permission.class.getName());

    @BuildStep
    @Record(ExecutionTime.STATIC_INIT)
    public void builtins(BuildProducer<HttpSecurityPolicyBuildItem> buildProducer, BuildProducer<ReflectiveClassBuildItem> buildProducer2, final CombinedIndexBuildItem combinedIndexBuildItem, HttpBuildTimeConfig httpBuildTimeConfig, final HttpSecurityRecorder httpSecurityRecorder, BuildProducer<AdditionalBeanBuildItem> buildProducer3) {
        buildProducer.produce(new HttpSecurityPolicyBuildItem("deny", new SupplierImpl(new DenySecurityPolicy())));
        buildProducer.produce(new HttpSecurityPolicyBuildItem("permit", new SupplierImpl(new PermitSecurityPolicy())));
        buildProducer.produce(new HttpSecurityPolicyBuildItem("authenticated", new SupplierImpl(new AuthenticatedHttpSecurityPolicy())));
        if (!httpBuildTimeConfig.auth.permissions.isEmpty()) {
            buildProducer3.produce(AdditionalBeanBuildItem.unremovableOf(PathMatchingHttpSecurityPolicy.class));
        }
        HashMap hashMap = new HashMap();
        for (Map.Entry entry : httpBuildTimeConfig.auth.rolePolicy.entrySet()) {
            final PolicyConfig policyConfig = (PolicyConfig) entry.getValue();
            if (policyConfig.permissions.isEmpty()) {
                buildProducer.produce(new HttpSecurityPolicyBuildItem((String) entry.getKey(), new SupplierImpl(new RolesAllowedHttpSecurityPolicy(((PolicyConfig) entry.getValue()).rolesAllowed))));
            } else {
                buildProducer.produce(new HttpSecurityPolicyBuildItem((String) entry.getKey(), httpSecurityRecorder.createRolesAllowedPolicy(policyConfig.rolesAllowed, policyConfig.permissions, (BiFunction) hashMap.computeIfAbsent(policyConfig.permissionClass, new Function<String, BiFunction<String, String[], Permission>>() { // from class: io.quarkus.vertx.http.deployment.HttpSecurityProcessor.1
                    @Override // java.util.function.Function
                    public BiFunction<String, String[], Permission> apply(String str) {
                        if (StringPermission.class.getName().equals(str)) {
                            return httpSecurityRecorder.stringPermissionCreator();
                        }
                        return httpSecurityRecorder.customPermissionCreator(str, HttpSecurityProcessor.validateConstructor(combinedIndexBuildItem.getIndex(), policyConfig.permissionClass));
                    }
                }))));
            }
        }
        if (hashMap.isEmpty()) {
            return;
        }
        buildProducer2.produce(ReflectiveClassBuildItem.builder((String[]) hashMap.keySet().toArray(new String[0])).constructors().fields().methods().build());
    }

    private static boolean validateConstructor(IndexView indexView, String str) {
        ClassInfo classByName = indexView.getClassByName(str);
        if (classByName == null) {
            throw new ConfigurationException(String.format("Permission class '%s' is missing", str));
        }
        if (classByName.constructors().size() != 1) {
            throw new ConfigurationException(String.format("Permission class '%s' must have exactly one constructor", str));
        }
        MethodInfo methodInfo = (MethodInfo) classByName.constructors().get(0);
        if (methodInfo.parametersCount() == 0 || !isString(methodInfo.parameterType(0))) {
            throw new ConfigurationException(String.format("Permission class '%s' constructor first parameter must be '%s' (permission name)", str, String.class.getName()));
        }
        if (methodInfo.parametersCount() == 1) {
            return false;
        }
        if (methodInfo.parametersCount() != 2) {
            throw new ConfigurationException(String.format("Permission class '%s' constructor must accept either one parameter (String permissionName), or two parameters (String permissionName, String[] actions)", str));
        }
        if (isStringArray(methodInfo.parameterType(1))) {
            return true;
        }
        throw new ConfigurationException(String.format("Permission class '%s' constructor second parameter must be '%s' array", str, String.class.getName()));
    }

    private static boolean isStringArray(Type type) {
        return type.kind() == Type.Kind.ARRAY && isString(type.asArrayType().component());
    }

    private static boolean isString(Type type) {
        return type.kind() == Type.Kind.CLASS && type.name().toString().equals(String.class.getName());
    }

    @BuildStep
    @Record(ExecutionTime.RUNTIME_INIT)
    SyntheticBeanBuildItem initFormAuth(HttpSecurityRecorder httpSecurityRecorder, HttpBuildTimeConfig httpBuildTimeConfig, BuildProducer<RouteBuildItem> buildProducer) {
        if (!httpBuildTimeConfig.auth.proactive) {
            buildProducer.produce(RouteBuildItem.builder().route(httpBuildTimeConfig.auth.form.postLocation).handler(httpSecurityRecorder.formAuthPostHandler()).build());
        }
        if (httpBuildTimeConfig.auth.form.enabled) {
            return SyntheticBeanBuildItem.configure(FormAuthenticationMechanism.class).types(new Class[]{HttpAuthenticationMechanism.class}).setRuntimeInit().scope(Singleton.class).supplier(httpSecurityRecorder.setupFormAuth()).done();
        }
        return null;
    }

    @BuildStep
    @Record(ExecutionTime.RUNTIME_INIT)
    SyntheticBeanBuildItem initMtlsClientAuth(HttpSecurityRecorder httpSecurityRecorder, HttpBuildTimeConfig httpBuildTimeConfig) {
        if (isMtlsClientAuthenticationEnabled(httpBuildTimeConfig)) {
            return SyntheticBeanBuildItem.configure(MtlsAuthenticationMechanism.class).types(new Class[]{HttpAuthenticationMechanism.class}).setRuntimeInit().scope(Singleton.class).supplier(httpSecurityRecorder.setupMtlsClientAuth()).done();
        }
        return null;
    }

    @BuildStep
    @Record(ExecutionTime.RUNTIME_INIT)
    SyntheticBeanBuildItem initBasicAuth(HttpSecurityRecorder httpSecurityRecorder, HttpBuildTimeConfig httpBuildTimeConfig, ManagementInterfaceBuildTimeConfig managementInterfaceBuildTimeConfig, BuildProducer<SecurityInformationBuildItem> buildProducer) {
        if (!applicationBasicAuthRequired(httpBuildTimeConfig, managementInterfaceBuildTimeConfig)) {
            return null;
        }
        SyntheticBeanBuildItem.ExtendedBeanConfigurator supplier = SyntheticBeanBuildItem.configure(BasicAuthenticationMechanism.class).types(new Class[]{HttpAuthenticationMechanism.class}).setRuntimeInit().scope(Singleton.class).supplier(httpSecurityRecorder.setupBasicAuth(httpBuildTimeConfig));
        if (!httpBuildTimeConfig.auth.form.enabled && !isMtlsClientAuthenticationEnabled(httpBuildTimeConfig) && !((Boolean) httpBuildTimeConfig.auth.basic.orElse(false)).booleanValue()) {
            supplier.defaultBean();
            buildProducer.produce(SecurityInformationBuildItem.BASIC());
        }
        return supplier.done();
    }

    public static boolean applicationBasicAuthRequired(HttpBuildTimeConfig httpBuildTimeConfig, ManagementInterfaceBuildTimeConfig managementInterfaceBuildTimeConfig) {
        if (httpBuildTimeConfig.auth.basic.isPresent() && !((Boolean) httpBuildTimeConfig.auth.basic.get()).booleanValue()) {
            return false;
        }
        if (((Boolean) httpBuildTimeConfig.auth.basic.orElse(false)).booleanValue()) {
            return true;
        }
        return (httpBuildTimeConfig.auth.form.enabled || isMtlsClientAuthenticationEnabled(httpBuildTimeConfig) || ((Boolean) managementInterfaceBuildTimeConfig.auth.basic.orElse(false)).booleanValue()) ? false : true;
    }

    @BuildStep
    @Record(ExecutionTime.STATIC_INIT)
    void setupAuthenticationMechanisms(HttpSecurityRecorder httpSecurityRecorder, BuildProducer<FilterBuildItem> buildProducer, BuildProducer<AdditionalBeanBuildItem> buildProducer2, Capabilities capabilities, BuildProducer<BeanContainerListenerBuildItem> buildProducer3, HttpBuildTimeConfig httpBuildTimeConfig, List<HttpSecurityPolicyBuildItem> list, BuildProducer<SecurityInformationBuildItem> buildProducer4) {
        HashMap hashMap = new HashMap();
        for (HttpSecurityPolicyBuildItem httpSecurityPolicyBuildItem : list) {
            if (hashMap.containsKey(httpSecurityPolicyBuildItem.getName())) {
                throw new RuntimeException("Multiple HTTP security policies defined with name " + httpSecurityPolicyBuildItem.getName());
            }
            hashMap.put(httpSecurityPolicyBuildItem.getName(), httpSecurityPolicyBuildItem.policySupplier);
        }
        if (!httpBuildTimeConfig.auth.form.enabled && ((Boolean) httpBuildTimeConfig.auth.basic.orElse(false)).booleanValue()) {
            buildProducer4.produce(SecurityInformationBuildItem.BASIC());
        }
        if (!capabilities.isPresent("io.quarkus.security")) {
            if (!httpBuildTimeConfig.auth.permissions.isEmpty()) {
                throw new IllegalStateException("HTTP permissions have been set however security is not enabled");
            }
            return;
        }
        buildProducer2.produce(AdditionalBeanBuildItem.builder().setUnremovable().addBeanClass(HttpAuthenticator.class).addBeanClass(HttpAuthorizer.class).build());
        buildProducer.produce(new FilterBuildItem(httpSecurityRecorder.authenticationMechanismHandler(httpBuildTimeConfig.auth.proactive), FilterBuildItem.AUTHENTICATION));
        buildProducer.produce(new FilterBuildItem(httpSecurityRecorder.permissionCheckHandler(), 100));
        if (httpBuildTimeConfig.auth.permissions.isEmpty()) {
            return;
        }
        buildProducer3.produce(new BeanContainerListenerBuildItem(httpSecurityRecorder.initPermissions(httpBuildTimeConfig, hashMap)));
    }

    private static boolean isMtlsClientAuthenticationEnabled(HttpBuildTimeConfig httpBuildTimeConfig) {
        return !ClientAuth.NONE.equals(httpBuildTimeConfig.tlsClientAuth);
    }
}
