package io.quarkus.oidc.runtime;

import io.quarkus.oidc.AccessTokenCredential;
import io.quarkus.oidc.IdTokenCredential;
import io.quarkus.oidc.OidcTenantConfig;
import io.quarkus.oidc.OidcTokenCredential;
import io.quarkus.runtime.BlockingOperationControl;
import io.quarkus.security.AuthenticationFailedException;
import io.quarkus.security.credential.TokenCredential;
import io.quarkus.security.identity.AuthenticationRequestContext;
import io.quarkus.security.identity.IdentityProvider;
import io.quarkus.security.identity.SecurityIdentity;
import io.quarkus.security.identity.request.TokenAuthenticationRequest;
import io.quarkus.security.runtime.QuarkusSecurityIdentity;
import io.smallrye.mutiny.Uni;
import io.smallrye.mutiny.subscription.UniEmitter;
import io.vertx.core.AsyncResult;
import io.vertx.core.Handler;
import io.vertx.core.json.JsonObject;
import io.vertx.ext.auth.oauth2.AccessToken;
import io.vertx.ext.auth.oauth2.impl.OAuth2AuthProviderImpl;
import io.vertx.ext.auth.oauth2.impl.OAuth2TokenImpl;
import io.vertx.ext.jwt.JWT;
import io.vertx.ext.web.RoutingContext;
import java.security.Principal;
import java.util.function.Consumer;
import java.util.function.Function;
import java.util.function.Supplier;
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;

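/**
 * {@link IdentityProvider} that turns an OIDC token credential (an ID token obtained by the
 * authorization-code flow, a bearer JWT access token, or an opaque access token) into a
 * {@link SecurityIdentity}.
 *
 * <p>Two validation paths exist and are selected per tenant:
 * <ul>
 *   <li>{@code quarkus.oidc.public-key} configured: the token is decoded locally by the Vert.x
 *       {@link JWT} and its expiry checked, without contacting the OIDC server.</li>
 *   <li>otherwise: the token is handed to the Vert.x OAuth2 provider
 *       ({@code tenantConfigContext.auth.decodeToken}), optionally after verifying the code-flow
 *       access token and fetching UserInfo.</li>
 * </ul>
 *
 * <p>Validation failures are reported to the subscriber as {@link AuthenticationFailedException}.
 * The only other failure type emitted is {@link TokenAutoRefreshException}, which wraps an
 * already validated identity and signals that the token is about to expire and should be
 * refreshed. Work that may block (opaque-token verification, the UserInfo call) is pushed to the
 * tenant resolver's blocking executor when the current thread is not allowed to block.
 */
@ApplicationScoped
public class OidcIdentityProvider implements IdentityProvider<TokenAuthenticationRequest> {
    /** RoutingContext key holding the raw (String) code-flow access token; set elsewhere. */
    static final String CODE_FLOW_ACCESS_TOKEN = "access_token";
    /** RoutingContext flag; when TRUE, {@link #tokenAutoRefreshPrepared} never asks for a refresh. */
    static final String REFRESH_TOKEN_GRANT_RESPONSE = "refresh_token_grant_response";
    /** RoutingContext flag; when TRUE, {@link #tokenAutoRefreshPrepared} never asks for a refresh. */
    static final String NEW_AUTHENTICATION = "new_authentication";
    /** RoutingContext key under which the verified code-flow {@link AccessToken} is stored for role lookup. */
    private static final String CODE_ACCESS_TOKEN_RESULT = "code_flow_access_token_result";

    private static final Uni<AccessToken> NULL_CODE_ACCESS_TOKEN_UNI = Uni.createFrom().nullItem();
    private static final Uni<JsonObject> NULL_USER_INFO_UNI = Uni.createFrom().nullItem();

    @Inject
    DefaultTenantConfigResolver tenantResolver;

    @Override
    public Class<TokenAuthenticationRequest> getRequestType() {
        return TokenAuthenticationRequest.class;
    }

    /**
     * Resolves the tenant for the request's {@link RoutingContext} and then authenticates the
     * credential against that tenant. The actual validation is deferred so that it starts on
     * subscription, not when the pipeline is assembled.
     *
     * @param request the request whose token must be an {@link OidcTokenCredential}
     * @param context the request context; stored in the RoutingContext for helpers that only
     *                receive the RoutingContext
     * @return a Uni that completes with the identity or fails with
     *         {@link AuthenticationFailedException} / {@link TokenAutoRefreshException}
     */
    @Override
    public Uni<SecurityIdentity> authenticate(TokenAuthenticationRequest request, AuthenticationRequestContext context) {
        RoutingContext routingContext = ((OidcTokenCredential) request.getToken()).getRoutingContext();
        routingContext.put(AuthenticationRequestContext.class.getName(), context);
        return tenantResolver.resolveContext(routingContext)
                .onItem().transformToUni(tenantContext -> Uni.createFrom()
                        .deferred(() -> authenticate(request, routingContext, tenantContext)));
    }

    /** Picks the validation path: local public-key verification, or the OIDC server. */
    private Uni<SecurityIdentity> authenticate(TokenAuthenticationRequest request, RoutingContext routingContext,
            TenantConfigContext tenantContext) {
        if (tenantContext.oidcConfig.publicKey.isPresent()) {
            return validateTokenWithoutOidcServer(request, tenantContext);
        }
        return validateAllTokensWithOidcServer(routingContext, request, tenantContext);
    }

    /** Server path, step 1: verify the code-flow access token when required, then continue. */
    private Uni<SecurityIdentity> validateAllTokensWithOidcServer(RoutingContext routingContext,
            TokenAuthenticationRequest request, TenantConfigContext tenantContext) {
        return verifyCodeFlowAccessTokenUni(routingContext, request, tenantContext)
                .onItem().transformToUni(codeFlowAccessToken ->
                        validateTokenWithOidcServer(routingContext, request, tenantContext, codeFlowAccessToken));
    }

    /**
     * Server path, step 2: remember the verified code-flow access token (if any) for role lookup,
     * fetch UserInfo when required, then build the identity.
     */
    private Uni<SecurityIdentity> validateTokenWithOidcServer(RoutingContext routingContext,
            TokenAuthenticationRequest request, TenantConfigContext tenantContext, AccessToken codeFlowAccessToken) {
        if (codeFlowAccessToken != null) {
            routingContext.put(CODE_ACCESS_TOKEN_RESULT, codeFlowAccessToken);
        }
        return getUserInfoUni(routingContext, request, tenantContext)
                .onItem().transformToUni(userInfo ->
                        createSecurityIdentityWithOidcServerUni(routingContext, request, tenantContext, userInfo));
    }

    /**
     * Server path, step 3: wraps {@link #createSecurityIdentityWithOidcServer} in a Uni. An opaque
     * access token is verified off the event loop because that verification may block.
     */
    private Uni<SecurityIdentity> createSecurityIdentityWithOidcServerUni(RoutingContext routingContext,
            TokenAuthenticationRequest request, TenantConfigContext tenantContext, JsonObject userInfo) {
        TokenCredential credential = request.getToken();
        boolean opaque = credential instanceof AccessTokenCredential && ((AccessTokenCredential) credential).isOpaque();
        return Uni.createFrom().emitter(emitter -> runPossiblyBlocking(opaque,
                () -> createSecurityIdentityWithOidcServer(emitter, routingContext, request, tenantContext, userInfo)));
    }

    /**
     * Runs {@code work} inline unless it may block and the current thread is not allowed to
     * (event loop), in which case it is submitted to the tenant resolver's blocking executor.
     */
    private void runPossiblyBlocking(boolean mayBlock, Runnable work) {
        if (!mayBlock || BlockingOperationControl.isBlockingAllowed()) {
            work.run();
        } else {
            tenantResolver.getBlockingExecutor().execute(work);
        }
    }

    /**
     * Verifies the credential with the OAuth2 provider and completes {@code emitter} with the
     * resulting identity. A token the provider decodes as a JWT (or whose payload can be
     * re-parsed locally) goes through claim validation; a token declared as JWT that still
     * yields no JSON is rejected; anything else is treated as an opaque access token.
     */
    private void createSecurityIdentityWithOidcServer(UniEmitter<? super SecurityIdentity> emitter,
            RoutingContext routingContext, TokenAuthenticationRequest request, TenantConfigContext tenantContext,
            JsonObject userInfo) {
        TokenCredential credential = request.getToken();
        tenantContext.auth.decodeToken(credential.getToken(), result -> {
            if (result.failed()) {
                emitter.fail(new AuthenticationFailedException(result.cause()));
                return;
            }
            AccessToken verified = result.result();
            JsonObject tokenJson = verified.accessToken();
            if (tokenJson == null) {
                // decodeToken has already accepted the token; this only re-parses its payload
                // (no verification) when the provider did not expose the claims itself.
                tokenJson = OidcUtils.decodeJwtContent(credential.getToken());
            }
            if (tokenJson != null) {
                completeWithJwtIdentity(emitter, routingContext, credential, tenantContext, tokenJson, userInfo);
            } else if (credential instanceof IdTokenCredential
                    || (credential instanceof AccessTokenCredential && !((AccessTokenCredential) credential).isOpaque())) {
                emitter.fail(new AuthenticationFailedException("JWT token can not be converted to JSON"));
            } else {
                completeWithOpaqueIdentity(emitter, routingContext, credential, tenantContext, verified, userInfo);
            }
        });
    }

    /**
     * JWT path: validates the token type and claims, builds the identity, and signals either
     * completion or — when the token is close to expiry — a {@link TokenAutoRefreshException}.
     * Everything runs inside one try so that a failure is delivered through the emitter; an
     * exception escaping a Vert.x handler would never reach the subscriber and the request would hang.
     */
    private static void completeWithJwtIdentity(UniEmitter<? super SecurityIdentity> emitter, RoutingContext routingContext,
            TokenCredential credential, TenantConfigContext tenantContext, JsonObject tokenJson, JsonObject userInfo) {
        try {
            OidcUtils.validatePrimaryJwtTokenType(tenantContext.oidcConfig.token, tokenJson);
            JsonObject rolesJson = getRolesJson(routingContext, tenantContext, credential, tokenJson, userInfo);
            QuarkusSecurityIdentity identity = OidcUtils.validateAndCreateIdentity(routingContext, credential,
                    tenantContext.oidcConfig, tokenJson, rolesJson, userInfo);
            if (tokenAutoRefreshPrepared(tokenJson, routingContext, tenantContext.oidcConfig)) {
                emitter.fail(new TokenAutoRefreshException(identity));
            } else {
                emitter.complete(identity);
            }
        } catch (Throwable t) {
            emitter.fail(t);
        }
    }

    /**
     * Opaque-token path: the identity is assembled from what the decoded principal JSON exposes
     * ("username" becomes the principal name, each entry of the space-separated "scope" becomes a
     * role) plus UserInfo when it was fetched. Blank scope entries are skipped and a missing or
     * null "scope" simply adds no roles.
     */
    private static void completeWithOpaqueIdentity(UniEmitter<? super SecurityIdentity> emitter,
            RoutingContext routingContext, TokenCredential credential, TenantConfigContext tenantContext,
            AccessToken verified, JsonObject userInfo) {
        QuarkusSecurityIdentity.Builder builder = QuarkusSecurityIdentity.builder();
        builder.addCredential(credential);
        OidcUtils.setSecurityIdentityUserInfo(builder, userInfo);
        JsonObject principal = verified.principal();
        if (principal.containsKey("username")) {
            String name = principal.getString("username");
            builder.setPrincipal(() -> name);
        }
        String scope = principal.containsKey("scope") ? principal.getString("scope") : null;
        if (scope != null) {
            for (String entry : scope.split(" ")) {
                String role = entry.trim();
                if (!role.isEmpty()) {
                    builder.addRole(role);
                }
            }
        }
        if (userInfo != null) {
            OidcUtils.setSecurityIdentityRoles(builder, tenantContext.oidcConfig, userInfo);
        }
        OidcUtils.setBlockinApiAttribute(builder, routingContext);
        OidcUtils.setTenantIdAttribute(builder, tenantContext.oidcConfig);
        emitter.complete(builder.build());
    }

    /**
     * Whether the just-validated token expires within {@code auto-refresh-interval} and should
     * therefore be refreshed. Returns {@code false} when refresh-on-expiry or the interval is not
     * configured, or when the context is flagged as a refresh-grant response or a new
     * authentication (presumably to avoid refresh loops).
     *
     * <p>NOTE(review): a JWT without {@code exp} throws here (unboxing null); the caller's catch
     * turns that into a failed Uni rather than an accepted identity.
     */
    private static boolean tokenAutoRefreshPrepared(JsonObject tokenJson, RoutingContext routingContext,
            OidcTenantConfig config) {
        if (tokenJson == null
                || !config.token.refreshExpired
                || !config.token.autoRefreshInterval.isPresent()
                || Boolean.TRUE.equals(routingContext.get(REFRESH_TOKEN_GRANT_RESPONSE))
                || Boolean.TRUE.equals(routingContext.get(NEW_AUTHENTICATION))) {
            return false;
        }
        long nowSeconds = System.currentTimeMillis() / 1000;
        long refreshWindowSeconds = config.token.autoRefreshInterval.get().getSeconds();
        long exp = tokenJson.getLong("exp");
        return nowSeconds + refreshWindowSeconds > exp;
    }

    /**
     * Selects the JSON roles are read from, per {@code quarkus.oidc.roles.source}: the token
     * itself by default, UserInfo for {@code userinfo}, or — for an ID token with
     * {@code accesstoken} — the code-flow access token: the verified one stored under
     * {@link #CODE_ACCESS_TOKEN_RESULT}, else the raw one decoded from the RoutingContext, else
     * the verified token's principal. May return {@code null} when none of those is available
     * (or when no verified token was stored on this request); the caller is left to deal with
     * that rather than failing with a NullPointerException.
     */
    private static JsonObject getRolesJson(RoutingContext routingContext, TenantConfigContext tenantContext,
            TokenCredential credential, JsonObject tokenJson, JsonObject userInfo) {
        if (!tenantContext.oidcConfig.roles.source.isPresent()) {
            return tokenJson;
        }
        OidcTenantConfig.Roles.Source source = tenantContext.oidcConfig.roles.source.get();
        if (source == OidcTenantConfig.Roles.Source.userinfo) {
            return userInfo;
        }
        if (source == OidcTenantConfig.Roles.Source.accesstoken && credential instanceof IdTokenCredential) {
            AccessToken verified = routingContext.get(CODE_ACCESS_TOKEN_RESULT);
            JsonObject roles = verified != null ? verified.accessToken() : null;
            if (roles == null) {
                String rawAccessToken = routingContext.get(CODE_FLOW_ACCESS_TOKEN);
                roles = OidcUtils.decodeJwtContent(rawAccessToken);
            }
            if (roles == null && verified != null) {
                roles = verified.principal();
            }
            return roles;
        }
        return tokenJson;
    }

    /**
     * When the credential is an ID token and the tenant either asks for the code-flow access
     * token to be verified or sources roles from it, verifies that access token (read from the
     * RoutingContext) with the OAuth2 provider; otherwise yields {@code null}. An opaque access
     * token is verified off the event loop.
     *
     * <p>NOTE(review): the token read from the context is not null-checked; a missing token is
     * left to {@code isOpaqueToken}/{@code decodeToken} to reject — TODO confirm.
     */
    private Uni<AccessToken> verifyCodeFlowAccessTokenUni(RoutingContext routingContext,
            TokenAuthenticationRequest request, TenantConfigContext tenantContext) {
        boolean idToken = request.getToken() instanceof IdTokenCredential;
        boolean needed = tenantContext.oidcConfig.authentication.verifyAccessToken
                || tenantContext.oidcConfig.roles.source.orElse(null) == OidcTenantConfig.Roles.Source.accesstoken;
        if (!idToken || !needed) {
            return NULL_CODE_ACCESS_TOKEN_UNI;
        }
        String codeFlowAccessToken = routingContext.get(CODE_FLOW_ACCESS_TOKEN);
        boolean opaque = OidcUtils.isOpaqueToken(codeFlowAccessToken);
        return Uni.createFrom().emitter(emitter -> runPossiblyBlocking(opaque,
                () -> verifyCodeFlowAccessToken(emitter, tenantContext, codeFlowAccessToken)));
    }

    /**
     * Verifies the code-flow access token with the OAuth2 provider. A failed verification fails
     * the emitter and nothing else: completing it afterwards with a null token (as a missing
     * {@code else} would do) must never happen.
     */
    private void verifyCodeFlowAccessToken(UniEmitter<? super AccessToken> emitter, TenantConfigContext tenantContext,
            String codeFlowAccessToken) {
        tenantContext.auth.decodeToken(codeFlowAccessToken, result -> {
            if (result.failed()) {
                emitter.fail(new AuthenticationFailedException(result.cause()));
            } else {
                emitter.complete(result.result());
            }
        });
    }

    /**
     * Local verification against the configured {@code quarkus.oidc.public-key}: the JWT is
     * decoded by the Vert.x {@link JWT} (which is expected to check the signature — TODO confirm)
     * and its expiry checked with the provider's {@code JWTOptions}, then the identity is built
     * from the token's own claims. No RoutingContext, UserInfo, code-flow access token or
     * auto-refresh is involved in this path. Any decode error is reported as
     * {@link AuthenticationFailedException}.
     */
    private static Uni<SecurityIdentity> validateTokenWithoutOidcServer(TokenAuthenticationRequest request,
            TenantConfigContext tenantContext) {
        OAuth2AuthProviderImpl provider = tenantContext.auth;
        JWT jwt = provider.getJWT();
        try {
            JsonObject claims = jwt.decode(request.getToken().getToken());
            if (jwt.isExpired(claims, provider.getConfig().getJWTOptions())) {
                return Uni.createFrom().failure(new AuthenticationFailedException());
            }
            // Roles are read from the token itself: claims serves as both token and roles JSON.
            return Uni.createFrom().item(OidcUtils.validateAndCreateIdentity(null, request.getToken(),
                    tenantContext.oidcConfig, claims, claims, null));
        } catch (Throwable t) {
            return Uni.createFrom().failure(new AuthenticationFailedException(t));
        }
    }

    /** Fetches UserInfo (always off the event loop) when the tenant requires it; otherwise yields {@code null}. */
    private Uni<JsonObject> getUserInfoUni(RoutingContext routingContext, TokenAuthenticationRequest request,
            TenantConfigContext tenantContext) {
        if (!tenantContext.oidcConfig.authentication.isUserInfoRequired()) {
            return NULL_USER_INFO_UNI;
        }
        return Uni.createFrom().emitter(emitter -> runPossiblyBlocking(true,
                () -> createUserInfoToken(emitter, routingContext, request, tenantContext)));
    }

    /**
     * Calls the UserInfo endpoint with the code-flow access token when one is in the
     * RoutingContext, else with the credential being authenticated (a bearer access token).
     * The token to send is handed to the Vert.x {@link OAuth2TokenImpl} through its principal's
     * {@code access_token} entry, which is presumably where {@code userInfo} reads it from.
     */
    private void createUserInfoToken(UniEmitter<? super JsonObject> emitter, RoutingContext routingContext,
            TokenAuthenticationRequest request, TenantConfigContext tenantContext) {
        String accessToken = routingContext.get(CODE_FLOW_ACCESS_TOKEN);
        if (accessToken == null) {
            accessToken = request.getToken().getToken();
        }
        OAuth2TokenImpl token = new OAuth2TokenImpl(tenantContext.auth, new JsonObject());
        token.principal().put(CODE_FLOW_ACCESS_TOKEN, accessToken);
        token.userInfo(result -> {
            if (result.failed()) {
                emitter.fail(new AuthenticationFailedException(result.cause()));
            } else {
                emitter.complete(result.result());
            }
        });
    }
}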
