package io.quarkus.vertx.http.runtime.security;

import io.quarkus.arc.runtime.BeanContainer;
import io.quarkus.arc.runtime.BeanContainerListener;
import io.quarkus.runtime.RuntimeValue;
import io.quarkus.runtime.annotations.Recorder;
import io.quarkus.security.AuthenticationCompletionException;
import io.quarkus.security.AuthenticationFailedException;
import io.quarkus.security.AuthenticationRedirectException;
import io.quarkus.security.identity.SecurityIdentity;
import io.quarkus.security.identity.request.AnonymousAuthenticationRequest;
import io.quarkus.vertx.http.runtime.FormAuthConfig;
import io.quarkus.vertx.http.runtime.HttpBuildTimeConfig;
import io.quarkus.vertx.http.runtime.HttpConfiguration;
import io.smallrye.mutiny.CompositeException;
import io.smallrye.mutiny.Uni;
import io.smallrye.mutiny.subscription.UniSubscriber;
import io.smallrye.mutiny.subscription.UniSubscription;
import io.smallrye.mutiny.tuples.Functions;
import io.vertx.core.Handler;
import io.vertx.core.http.HttpHeaders;
import io.vertx.ext.web.RoutingContext;
import jakarta.enterprise.inject.spi.CDI;
import java.lang.annotation.Annotation;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.CompletionException;
import java.util.function.BiConsumer;
import java.util.function.Consumer;
import java.util.function.Function;
import java.util.function.Supplier;
import org.jboss.logging.Logger;

@Recorder
/* loaded from: input_file:io/quarkus/vertx/http/runtime/security/HttpSecurityRecorder.class */
public class HttpSecurityRecorder {
    // Logger shared by the recorder and its nested handler classes.
    private static final Logger log = Logger.getLogger(HttpSecurityRecorder.class);
    // Callback that accepts a Throwable and deliberately does nothing with it.
    protected static final Consumer<Throwable> NOOP_CALLBACK = new Consumer<Throwable>() { // from class: io.quarkus.vertx.http.runtime.security.HttpSecurityRecorder.1
        @Override // java.util.function.Consumer
        public void accept(Throwable th) {
        }
    };
    // Runtime HTTP configuration; setupFormAuth() reads its optional encryptionKey.
    final RuntimeValue<HttpConfiguration> httpConfiguration;
    // Build-time HTTP configuration; setupFormAuth() reads auth.form from it.
    final HttpBuildTimeConfig buildTimeConfig;
    // Fallback form-auth key. setupFormAuth() generates it from SecureRandom the first time it finds
    // no configured key and reuses it afterwards (static, so shared by every recorder instance in the
    // JVM). The value is passed to PersistentLoginManager as its key, so it is secret material and
    // should be handled like a credential wherever it could end up in logs or diagnostics.
    static volatile String encryptionKey;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: io.quarkus.vertx.http.runtime.security.HttpSecurityRecorder$2, reason: invalid class name */
    /* loaded from: input_file:io/quarkus/vertx/http/runtime/security/HttpSecurityRecorder$2.class */
    /*
     * Per-request authentication handler returned by authenticationMechanismHandler(boolean).
     *
     * For every request it publishes the HttpAuthenticator and an auth-failure handler on the
     * RoutingContext, then either authenticates immediately (proactive mode) or stores a deferred,
     * memoized authentication Uni under QuarkusHttpUser.DEFERRED_IDENTITY_KEY and lets routing continue
     * (lazy mode). In both modes a null identity from the authenticator is replaced by the result of
     * authenticating AnonymousAuthenticationRequest.INSTANCE.
     */
    public class AnonymousClass2 implements Handler<RoutingContext> {
        // Looked up from CDI on first use. The null check in handle() is not synchronized, so
        // concurrent first requests may each perform the lookup before the field is visible as set.
        volatile HttpAuthenticator authenticator;
        // true: authenticate before routing continues; false: defer authentication until a later
        // handler subscribes to the Uni stored under DEFERRED_IDENTITY_KEY.
        final /* synthetic */ boolean val$proactiveAuthentication;

        AnonymousClass2(boolean z) {
            this.val$proactiveAuthentication = z;
        }

        /*
         * Sets up authentication state for one request.
         *
         * routingContext: the request being processed; receives the authenticator, the failure
         * handler, the deferred identity Uni and (once known) the QuarkusHttpUser.
         */
        public void handle(final RoutingContext routingContext) {
            if (this.authenticator == null) {
                this.authenticator = (HttpAuthenticator) CDI.current().select(HttpAuthenticator.class, new Annotation[0]).get();
            }
            // DefaultAuthFailureHandler.getAuthenticator() reads the authenticator back under this same key.
            routingContext.put(HttpAuthenticator.class.getName(), this.authenticator);
            if (this.val$proactiveAuthentication) {
                // Proactive mode: after the failure response has been prepared, fail the request with
                // the root cause unless the context has already been failed.
                routingContext.put(QuarkusHttpUser.AUTH_FAILURE_HANDLER, new DefaultAuthFailureHandler() { // from class: io.quarkus.vertx.http.runtime.security.HttpSecurityRecorder.2.1
                    @Override // io.quarkus.vertx.http.runtime.security.HttpSecurityRecorder.DefaultAuthFailureHandler
                    protected void proceed(Throwable th) {
                        if (routingContext.failed()) {
                            return;
                        }
                        routingContext.fail(th);
                    }
                });
            } else {
                // Lazy mode: after the failure response has been prepared, end the response directly.
                routingContext.put(QuarkusHttpUser.AUTH_FAILURE_HANDLER, new DefaultAuthFailureHandler() { // from class: io.quarkus.vertx.http.runtime.security.HttpSecurityRecorder.2.2
                    @Override // io.quarkus.vertx.http.runtime.security.HttpSecurityRecorder.DefaultAuthFailureHandler
                    protected void proceed(Throwable th) {
                        routingContext.end();
                    }
                });
            }
            if (this.val$proactiveAuthentication) {
                // Memoized so that handlers reading DEFERRED_IDENTITY_KEY later reuse this result
                // instead of running the authentication mechanism a second time.
                final Uni indefinitely = this.authenticator.attemptAuthentication(routingContext).memoize().indefinitely();
                indefinitely.subscribe().withSubscriber(new UniSubscriber<SecurityIdentity>() { // from class: io.quarkus.vertx.http.runtime.security.HttpSecurityRecorder.2.3
                    public void onSubscribe(UniSubscription uniSubscription) {
                    }

                    public void onItem(SecurityIdentity securityIdentity) {
                        // A mechanism may already have written the response; do not route further.
                        if (routingContext.response().ended()) {
                            return;
                        }
                        if (securityIdentity == null) {
                            // No identity was produced: fall back to the anonymous identity supplied
                            // by the identity provider manager.
                            final Uni authenticate = AnonymousClass2.this.authenticator.getIdentityProviderManager().authenticate(AnonymousAuthenticationRequest.INSTANCE);
                            authenticate.subscribe().withSubscriber(new UniSubscriber<SecurityIdentity>() { // from class: io.quarkus.vertx.http.runtime.security.HttpSecurityRecorder.2.3.1
                                public void onSubscribe(UniSubscription uniSubscription) {
                                }

                                public void onItem(SecurityIdentity securityIdentity2) {
                                    routingContext.put(QuarkusHttpUser.DEFERRED_IDENTITY_KEY, authenticate);
                                    routingContext.setUser(new QuarkusHttpUser(securityIdentity2));
                                    routingContext.next();
                                }

                                public void onFailure(Throwable th) {
                                    // NOTE(review): if no failure handler is stored on the context the
                                    // failure is dropped here and the request is neither failed nor
                                    // advanced; handle() always stores one, so this presumably only
                                    // matters if another handler removes it - confirm.
                                    BiConsumer biConsumer = (BiConsumer) routingContext.get(QuarkusHttpUser.AUTH_FAILURE_HANDLER);
                                    if (biConsumer != null) {
                                        biConsumer.accept(routingContext, th);
                                    }
                                }
                            });
                        } else {
                            routingContext.setUser(new QuarkusHttpUser(securityIdentity));
                            routingContext.put(QuarkusHttpUser.DEFERRED_IDENTITY_KEY, indefinitely);
                            routingContext.next();
                        }
                    }

                    public void onFailure(Throwable th) {
                        // Same lookup-and-delegate pattern as the anonymous fallback above.
                        BiConsumer biConsumer = (BiConsumer) routingContext.get(QuarkusHttpUser.AUTH_FAILURE_HANDLER);
                        if (biConsumer != null) {
                            biConsumer.accept(routingContext, th);
                        }
                    }
                });
            } else {
                // Lazy mode: nothing is authenticated here. The Uni below only runs
                // attemptAuthentication() once something subscribes to it, and routing continues
                // straight away, so handlers further down the chain see no user until they (or a
                // permission check) subscribe to DEFERRED_IDENTITY_KEY.
                routingContext.put(QuarkusHttpUser.DEFERRED_IDENTITY_KEY, Uni.createFrom().nullItem().flatMap(obj -> {
                    return this.authenticator.attemptAuthentication(routingContext);
                }).memoize().indefinitely().flatMap(new Function<SecurityIdentity, Uni<? extends SecurityIdentity>>() { // from class: io.quarkus.vertx.http.runtime.security.HttpSecurityRecorder.2.5
                    @Override // java.util.function.Function
                    public Uni<? extends SecurityIdentity> apply(SecurityIdentity securityIdentity) {
                        // A null identity is replaced by the anonymous identity.
                        return securityIdentity == null ? AnonymousClass2.this.authenticator.getIdentityProviderManager().authenticate(AnonymousAuthenticationRequest.INSTANCE) : Uni.createFrom().item(securityIdentity);
                    }
                }).onTermination().invoke(new Functions.TriConsumer<SecurityIdentity, Throwable, Boolean>() { // from class: io.quarkus.vertx.http.runtime.security.HttpSecurityRecorder.2.4
                    public void accept(SecurityIdentity securityIdentity, Throwable th, Boolean bool) {
                        BiConsumer biConsumer;
                        if (securityIdentity != null) {
                            routingContext.setUser(new QuarkusHttpUser(securityIdentity));
                        } else {
                            // Only a real failure with a registered handler is reported; termination
                            // without an item and without a Throwable is ignored.
                            if (th == null || (biConsumer = (BiConsumer) routingContext.get(QuarkusHttpUser.AUTH_FAILURE_HANDLER)) == null) {
                                return;
                            }
                            biConsumer.accept(routingContext, th);
                        }
                    }
                }).memoize().indefinitely());
                routingContext.next();
            }
        }
    }

    /* loaded from: input_file:io/quarkus/vertx/http/runtime/security/HttpSecurityRecorder$DefaultAuthFailureHandler.class */
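    /**
     * Turns an authentication failure into an HTTP response and then hands control to
     * {@link #proceed(Throwable)}.
     *
     * <p>The root cause of the failure decides the response:
     * <ul>
     * <li>{@code AuthenticationFailedException}: the authenticator sends its challenge, then
     * {@code proceed} is called;</li>
     * <li>{@code AuthenticationCompletionException}: status 401 is set, then {@code proceed} is called;</li>
     * <li>{@code AuthenticationRedirectException}: the status code and {@code Location} come from the
     * exception, caching is disabled, then {@code proceed} is called;</li>
     * <li>anything else: the request is failed with the root cause.</li>
     * </ul>
     * Nothing is done when the response has already ended.
     */
    public static abstract class DefaultAuthFailureHandler implements BiConsumer<RoutingContext, Throwable> {
        protected DefaultAuthFailureHandler() {
        }

        /**
         * Handles one authentication failure for the given request.
         *
         * @param routingContext the request whose authentication failed
         * @param th the failure as reported by the reactive pipeline, possibly wrapped
         */
        @Override
        public void accept(final RoutingContext routingContext, Throwable th) {
            if (routingContext.response().ended()) {
                return;
            }
            // Declared as Throwable: the root cause may be any of the exception types tested below,
            // so it cannot be held in a variable of one specific authentication exception type.
            final Throwable rootCause = extractRootCause(th);
            if (rootCause instanceof AuthenticationFailedException) {
                getAuthenticator(routingContext).sendChallenge(routingContext).subscribe().with(new Consumer<Boolean>() {
                    @Override
                    public void accept(Boolean bool) {
                        // The challenge itself may have completed the response.
                        if (routingContext.response().ended()) {
                            return;
                        }
                        DefaultAuthFailureHandler.this.proceed(rootCause);
                    }
                }, new Consumer<Throwable>() {
                    @Override
                    public void accept(Throwable th2) {
                        routingContext.fail(th2);
                    }
                });
                return;
            }
            if (rootCause instanceof AuthenticationCompletionException) {
                HttpSecurityRecorder.log.debug("Authentication has failed, returning HTTP status 401");
                routingContext.response().setStatusCode(401);
                proceed(rootCause);
                return;
            }
            if (rootCause instanceof AuthenticationRedirectException) {
                AuthenticationRedirectException redirect = (AuthenticationRedirectException) rootCause;
                routingContext.response().setStatusCode(redirect.getCode());
                routingContext.response().headers().set(HttpHeaders.LOCATION, redirect.getRedirectUri());
                // Authentication redirects are request-specific; keep them out of caches.
                routingContext.response().headers().set(HttpHeaders.CACHE_CONTROL, "no-store");
                routingContext.response().headers().set("Pragma", "no-cache");
                proceed(rootCause);
                return;
            }
            // Not an authentication exception this handler knows how to map: let the router's
            // failure handling deal with it.
            routingContext.fail(rootCause);
        }

        /**
         * Called after the failure response has been prepared; subclasses decide whether the
         * request is failed, ended or otherwise completed.
         *
         * @param th the unwrapped root cause of the authentication failure
         */
        protected abstract void proceed(Throwable th);

        // Reads back the authenticator stored on the context under HttpAuthenticator's class name.
        private static HttpAuthenticator getAuthenticator(RoutingContext routingContext) {
            return (HttpAuthenticator) routingContext.get(HttpAuthenticator.class.getName());
        }

        /**
         * Unwraps reactive wrapper exceptions to find the exception that describes the failure.
         *
         * <p>A {@code CompositeException} is replaced by its first cause and a
         * {@code CompletionException} with a non-null cause by that cause, repeatedly, until neither
         * applies.
         *
         * @param th the exception to unwrap
         * @return the first exception in the chain that is not such a wrapper (or {@code th} itself)
         */
        public static Throwable extractRootCause(Throwable th) {
            Throwable current = th;
            while (true) {
                if (current instanceof CompositeException) {
                    current = ((CompositeException) current).getCauses().get(0);
                } else if (current instanceof CompletionException && current.getCause() != null) {
                    current = current.getCause();
                } else {
                    return current;
                }
            }
        }
    }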

    /**
     * Creates the recorder with the two configuration views it reads from.
     *
     * @param runtimeValue holder of the runtime HTTP configuration
     * @param httpBuildTimeConfig the build-time HTTP configuration
     */
    public HttpSecurityRecorder(RuntimeValue<HttpConfiguration> runtimeValue, HttpBuildTimeConfig httpBuildTimeConfig) {
        // The two assignments are independent of each other.
        this.buildTimeConfig = httpBuildTimeConfig;
        this.httpConfiguration = runtimeValue;
    }

    /**
     * Builds the per-request authentication handler.
     *
     * @param z {@code true} for proactive authentication, {@code false} to defer it
     * @return a new handler bound to this recorder
     */
    public Handler<RoutingContext> authenticationMechanismHandler(boolean z) {
        final Handler<RoutingContext> authenticationHandler = new AnonymousClass2(z);
        return authenticationHandler;
    }

    /**
     * Builds the handler that delegates every request to {@code HttpAuthorizer.checkPermission}.
     *
     * @return a handler that resolves the authorizer from CDI on first use and caches it
     */
    public Handler<RoutingContext> permissionCheckHandler() {
        return new Handler<RoutingContext>() {
            // Cached after the first CDI lookup.
            volatile HttpAuthorizer authorizer;

            public void handle(RoutingContext routingContext) {
                HttpAuthorizer resolved = this.authorizer;
                if (resolved == null) {
                    resolved = (HttpAuthorizer) CDI.current().select(HttpAuthorizer.class, new Annotation[0]).get();
                    this.authorizer = resolved;
                }
                resolved.checkPermission(routingContext);
            }
        };
    }

    /**
     * Builds a listener that initialises the path-matching security policy once the bean
     * container has been created.
     *
     * @param httpBuildTimeConfig build-time HTTP configuration passed on to the policy
     * @param map suppliers of security policies, keyed by name, passed on to the policy
     * @return the listener to register with the bean container
     */
    public BeanContainerListener initPermissions(final HttpBuildTimeConfig httpBuildTimeConfig, final Map<String, Supplier<HttpSecurityPolicy>> map) {
        final BeanContainerListener policyInitializer = new BeanContainerListener() {
            public void created(BeanContainer beanContainer) {
                PathMatchingHttpSecurityPolicy pathPolicy = (PathMatchingHttpSecurityPolicy) beanContainer.beanInstance(PathMatchingHttpSecurityPolicy.class, new Annotation[0]);
                pathPolicy.init(httpBuildTimeConfig, map);
            }
        };
        return policyInitializer;
    }

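    /**
     * Builds the supplier of the form authentication mechanism.
     *
     * <p>The key handed to {@code PersistentLoginManager} is chosen in this order: the configured
     * {@code HttpConfiguration.encryptionKey}, then the static fallback key if one was already
     * generated, then a fresh 32-byte {@link SecureRandom} value (Base64-encoded) that is stored as
     * the static fallback for later calls.
     *
     * <p>When a temporary key is generated a warning is logged, but the key value itself is kept
     * out of the message: it is secret material, and log files usually reach a wider audience than
     * the application's configuration does.
     *
     * @return a supplier that creates a configured {@code FormAuthenticationMechanism}
     */
    public Supplier<FormAuthenticationMechanism> setupFormAuth() {
        return new Supplier<FormAuthenticationMechanism>() {
            @Override
            public FormAuthenticationMechanism get() {
                String key;
                HttpConfiguration runtimeConfig = HttpSecurityRecorder.this.httpConfiguration.getValue();
                // Single read of the volatile field so the null check and the use see the same value.
                String fallbackKey = HttpSecurityRecorder.encryptionKey;
                if (runtimeConfig.encryptionKey.isPresent()) {
                    key = runtimeConfig.encryptionKey.get();
                } else if (fallbackKey != null) {
                    key = fallbackKey;
                } else {
                    byte[] randomBytes = new byte[32];
                    new SecureRandom().nextBytes(randomBytes);
                    key = Base64.getEncoder().encodeToString(randomBytes);
                    HttpSecurityRecorder.encryptionKey = key;
                    // Report that a temporary key is in use without disclosing the key itself.
                    HttpSecurityRecorder.log.warn("Encryption key was not specified for persistent FORM auth, using a temporary generated key");
                }
                FormAuthConfig formAuthConfig = HttpSecurityRecorder.this.buildTimeConfig.auth.form;
                PersistentLoginManager persistentLoginManager = new PersistentLoginManager(key, formAuthConfig.cookieName, formAuthConfig.timeout.toMillis(), formAuthConfig.newCookieInterval.toMillis(), formAuthConfig.httpOnlyCookie, formAuthConfig.cookieSameSite.name(), formAuthConfig.cookiePath.orElse(null));
                // Page locations are normalised to start with "/"; absent optional pages stay null.
                String loginPage = HttpSecurityRecorder.startWithSlash(formAuthConfig.loginPage.orElse(null));
                String errorPage = HttpSecurityRecorder.startWithSlash(formAuthConfig.errorPage.orElse(null));
                String landingPage = HttpSecurityRecorder.startWithSlash(formAuthConfig.landingPage.orElse(null));
                String postLocation = HttpSecurityRecorder.startWithSlash(formAuthConfig.postLocation);
                return new FormAuthenticationMechanism(loginPage, postLocation, formAuthConfig.usernameParameter, formAuthConfig.passwordParameter, errorPage, landingPage, formAuthConfig.redirectAfterLogin, formAuthConfig.locationCookie, formAuthConfig.cookieSameSite.name(), formAuthConfig.cookiePath.orElse(null), persistentLoginManager);
            }
        };
    }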

    /**
     * Ensures a path begins with a forward slash.
     *
     * @param str the path, may be {@code null}
     * @return {@code null} for {@code null}, the input unchanged when it already starts with
     *         {@code "/"}, otherwise the input prefixed with {@code "/"}
     */
    private static String startWithSlash(String str) {
        // Both "nothing to do" cases return the argument as it was given.
        if (str == null || str.startsWith("/")) {
            return str;
        }
        return "/" + str;
    }

    /**
     * Builds the supplier of the basic authentication mechanism.
     *
     * @param httpBuildTimeConfig build-time configuration providing the optional realm and the
     *        form-auth enabled flag
     * @return a supplier that creates a {@code BasicAuthenticationMechanism} on each call
     */
    public Supplier<?> setupBasicAuth(final HttpBuildTimeConfig httpBuildTimeConfig) {
        final Supplier<BasicAuthenticationMechanism> mechanismFactory = new Supplier<BasicAuthenticationMechanism>() {
            @Override
            public BasicAuthenticationMechanism get() {
                // The configuration is read when the mechanism is requested; an absent realm is passed as null.
                String realm = httpBuildTimeConfig.auth.realm.orElse(null);
                boolean formAuthEnabled = httpBuildTimeConfig.auth.form.enabled;
                return new BasicAuthenticationMechanism(realm, formAuthEnabled);
            }
        };
        return mechanismFactory;
    }

    /**
     * Builds the supplier of the mutual-TLS client authentication mechanism.
     *
     * @return a supplier that creates a new {@code MtlsAuthenticationMechanism} on each call
     */
    public Supplier<?> setupMtlsClientAuth() {
        final Supplier<MtlsAuthenticationMechanism> mechanismFactory = new Supplier<MtlsAuthenticationMechanism>() {
            @Override
            public MtlsAuthenticationMechanism get() {
                MtlsAuthenticationMechanism mechanism = new MtlsAuthenticationMechanism();
                return mechanism;
            }
        };
        return mechanismFactory;
    }

    /**
     * Builds the handler for the form-auth POST location.
     *
     * <p>The handler subscribes to the identity Uni stored on the request under
     * {@code QuarkusHttpUser.DEFERRED_IDENTITY_KEY}. Routing continues once that Uni emits an item;
     * if it fails, the request is failed with the same Throwable.
     *
     * @return the handler
     */
    public Handler<RoutingContext> formAuthPostHandler() {
        return new Handler<RoutingContext>() {
            public void handle(final RoutingContext routingContext) {
                @SuppressWarnings("unchecked")
                Uni<SecurityIdentity> deferredIdentity = (Uni<SecurityIdentity>) routingContext.get(QuarkusHttpUser.DEFERRED_IDENTITY_KEY);
                UniSubscriber<SecurityIdentity> continueOrFail = new UniSubscriber<SecurityIdentity>() {
                    public void onSubscribe(UniSubscription uniSubscription) {
                        // Nothing to do when the subscription starts.
                    }

                    public void onItem(SecurityIdentity securityIdentity) {
                        routingContext.next();
                    }

                    public void onFailure(Throwable th) {
                        routingContext.fail(th);
                    }
                };
                deferredIdentity.subscribe().withSubscriber(continueOrFail);
            }
        };
    }
}
