package io.quarkus.oidc.runtime;

import io.quarkus.arc.Arc;
import io.quarkus.oidc.OIDCException;
import io.quarkus.oidc.OidcConfigurationMetadata;
import io.quarkus.oidc.OidcTenantConfig;
import io.quarkus.oidc.common.runtime.OidcCommonConfig;
import io.quarkus.oidc.common.runtime.OidcCommonUtils;
import io.quarkus.runtime.BlockingOperationControl;
import io.quarkus.runtime.ExecutorRecorder;
import io.quarkus.runtime.TlsConfig;
import io.quarkus.runtime.annotations.Recorder;
import io.quarkus.runtime.configuration.ConfigurationException;
import io.smallrye.mutiny.Uni;
import io.vertx.core.Vertx;
import io.vertx.core.net.ProxyOptions;
import io.vertx.ext.web.client.WebClientOptions;
import io.vertx.mutiny.ext.web.client.WebClient;
import java.lang.annotation.Annotation;
import java.net.ConnectException;
import java.net.URI;
import java.time.Duration;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.BiFunction;
import java.util.function.Function;
import java.util.function.Supplier;
import org.jboss.logging.Logger;

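/**
 * Runtime recorder that builds the {@link TenantConfigContext} for the default tenant, for every
 * statically configured named tenant and, lazily, for dynamic tenants resolved at request time.
 *
 * <p>Static tenants are created eagerly and blocking at startup ({@code await().indefinitely()} in
 * {@link #createStaticTenantContext}); a tenant whose provider cannot be initialised is still
 * registered, but with a {@code null} provider, so the application starts and requests for that
 * tenant are rejected (see {@link #logTenantConfigContextFailure}). Dynamic tenants are created on
 * first use and cached in the static {@link #dynamicTenantsConfig} map, which is shared by all
 * recorder instances.
 */
@Recorder
public class OidcRecorder {
    private static final String DEFAULT_TENANT_ID = "Default";
    private static final Logger LOG = Logger.getLogger(OidcRecorder.class);
    /** Fixed delay between discovery retries; the overall retry window is bounded by the tenant's connection delay. */
    private static final Duration CONNECTION_BACKOFF_DURATION = Duration.ofSeconds(2);
    /** Cache of dynamic tenant contexts keyed by tenant id. Static, so it is shared across recorder instances. */
    private static final Map<String, TenantConfigContext> dynamicTenantsConfig = new ConcurrentHashMap<>();

    /**
     * Creates the default and named static tenant contexts and returns the supplier that exposes
     * them, together with the dynamic-tenant factory, as a {@link TenantConfigBean}.
     *
     * <p>Named tenants are validated with {@link OidcCommonUtils#verifyConfigurationId} before
     * their context is created, so an id clash is reported at startup rather than at request time.
     *
     * @param oidcConfig the OIDC configuration holding the default and the named tenants
     * @param supplier supplies the Vert.x instance used for the provider HTTP clients
     * @param tlsConfig global TLS configuration applied to those HTTP clients
     * @return supplier of the bean; the static contexts are created here, not when it is invoked
     */
    public Supplier<TenantConfigBean> setup(OidcConfig oidcConfig, Supplier<Vertx> supplier, final TlsConfig tlsConfig) {
        final Vertx vertx = supplier.get();
        final String defaultTenantId = oidcConfig.defaultTenant.getTenantId().orElse(DEFAULT_TENANT_ID);
        final TenantConfigContext defaultTenantContext = createStaticTenantContext(vertx, oidcConfig.defaultTenant, tlsConfig, defaultTenantId);

        final Map<String, TenantConfigContext> staticTenantsConfig = new HashMap<>();
        for (Map.Entry<String, OidcTenantConfig> tenant : oidcConfig.namedTenants.entrySet()) {
            // A named tenant's explicit tenant-id must agree with its configuration key and with the default id.
            OidcCommonUtils.verifyConfigurationId(defaultTenantId, tenant.getKey(), tenant.getValue().getTenantId());
            staticTenantsConfig.put(tenant.getKey(), createStaticTenantContext(vertx, tenant.getValue(), tlsConfig, tenant.getKey()));
        }

        final Function<OidcTenantConfig, Uni<TenantConfigContext>> dynamicTenantFactory = tenantConfig -> {
            // NOTE(review): a dynamic tenant config is expected to carry its tenant id; Optional.get() fails otherwise.
            Uni<TenantConfigContext> context = createDynamicTenantContext(vertx, tenantConfig, tlsConfig, tenantConfig.getTenantId().get());
            // When the caller is on a thread where blocking is not allowed, subscribe on the worker executor instead.
            return context.plug(uni -> BlockingOperationControl.isBlockingAllowed() ? uni : uni.runSubscriptionOn(ExecutorRecorder.getCurrent()));
        };
        return () -> new TenantConfigBean(staticTenantsConfig, dynamicTenantsConfig, defaultTenantContext, dynamicTenantFactory, ExecutorRecorder.getCurrent());
    }

    /**
     * Returns the cached context for {@code tenantId} or creates it and caches it on success.
     *
     * <p>Failures are logged through {@link #logTenantConfigContextFailure} and propagated; a
     * failed tenant is not cached, so the next request retries the initialisation. The
     * check-then-create is not atomic: concurrent first requests for the same tenant may each build
     * a context and {@code putIfAbsent} keeps the first one.
     *
     * @param vertx Vert.x instance used for the provider HTTP client
     * @param oidcTenantConfig the dynamic tenant configuration
     * @param tlsConfig TLS settings applied to the HTTP client
     * @param tenantId id the context is cached under
     * @return a lazy Uni producing the context, or failing with the initialisation error
     */
    public Uni<TenantConfigContext> createDynamicTenantContext(Vertx vertx, OidcTenantConfig oidcTenantConfig, TlsConfig tlsConfig, final String tenantId) {
        TenantConfigContext cached = dynamicTenantsConfig.get(tenantId);
        if (cached != null) {
            return Uni.createFrom().item(cached);
        }
        return createTenantContext(vertx, oidcTenantConfig, tlsConfig, tenantId)
                // The Uni returned by onFailure().transform(...) used to be discarded, so the failure
                // was never logged; invoke() logs it while letting the failure propagate unchanged.
                .onFailure().invoke(failure -> logTenantConfigContextFailure(failure, tenantId))
                .onItem().invoke(context -> dynamicTenantsConfig.putIfAbsent(tenantId, context));
    }

    /**
     * Creates a static tenant context, blocking until the provider is ready or initialisation fails.
     *
     * <p>On failure the error is logged and a context with a {@code null} provider (and the boolean
     * flag set to {@code false}) is returned instead of failing startup, so the application comes
     * up and requests for this tenant are rejected.
     *
     * @param vertx Vert.x instance used for the provider HTTP client
     * @param oidcTenantConfig the tenant configuration
     * @param tlsConfig TLS settings applied to the HTTP client
     * @param tenantId id of the tenant, used for the log message
     * @return the created context, or the fallback context on failure
     */
    private TenantConfigContext createStaticTenantContext(Vertx vertx, final OidcTenantConfig oidcTenantConfig, TlsConfig tlsConfig, final String tenantId) {
        return createTenantContext(vertx, oidcTenantConfig, tlsConfig, tenantId)
                .onFailure().recoverWithItem(failure -> {
                    logTenantConfigContextFailure(failure, tenantId);
                    return new TenantConfigContext(null, oidcTenantConfig, false);
                })
                // Blocking here runs once at startup. The discovery retry is bounded by the tenant's
                // connection delay (see createOidcClientUni); NOTE(review): the JWKS fetch in
                // createOidcProvider has no timeout visible in this file - confirm the client options set one.
                .await().indefinitely();
    }

    /**
     * Logs a tenant initialisation failure and returns the throwable unchanged so it can be used
     * inline in a failure transformation.
     *
     * <p>NOTE(review): this is logged at DEBUG, so with default log levels an unreachable or
     * misconfigured provider leaves no trace besides rejected requests; consider WARN.
     *
     * @param cause the initialisation failure
     * @param tenantId id of the tenant that failed
     * @return {@code cause}
     */
    public static Throwable logTenantConfigContextFailure(Throwable cause, String tenantId) {
        LOG.debugf("'%s' tenant initialization has failed: '%s'. Access to resources protected by this tenant will fail with HTTP 401.", tenantId, cause.getMessage());
        return cause;
    }

    /**
     * Validates a tenant configuration and asynchronously builds its context.
     *
     * <p>Evaluation order: a missing tenant id is filled in from {@code tenantId} (the config object
     * is mutated); a disabled tenant gets a context with an empty provider; a tenant with a
     * configured {@code public-key} is created locally without contacting the provider; otherwise
     * the configuration is validated and the provider is created via {@link #createOidcProvider}.
     * Validation errors on that last path are returned as a failed Uni rather than thrown, so every
     * caller sees them on the reactive path.
     *
     * @param vertx Vert.x instance used for the provider HTTP client
     * @param oidcTenantConfig the tenant configuration; its {@code tenantId} may be set here
     * @param tlsConfig TLS settings applied to the HTTP client
     * @param tenantId id to assign when the configuration has none
     * @return a Uni completing with the context, or failing with the validation or provider error
     * @throws ConfigurationException from {@link #createTenantContextFromPublicKey} when a
     *         {@code public-key} is configured for a non-service application (thrown synchronously)
     */
    private Uni<TenantConfigContext> createTenantContext(Vertx vertx, OidcTenantConfig oidcTenantConfig, TlsConfig tlsConfig, String tenantId) {
        if (!oidcTenantConfig.tenantId.isPresent()) {
            // Mutates the shared config object so the resolved id travels with it.
            oidcTenantConfig.tenantId = Optional.of(tenantId);
        }
        if (!oidcTenantConfig.tenantEnabled) {
            LOG.debugf("'%s' tenant configuration is disabled", tenantId);
            return Uni.createFrom().item(new TenantConfigContext(new OidcProvider(null, null, null), oidcTenantConfig));
        }
        if (oidcTenantConfig.getPublicKey().isPresent()) {
            return Uni.createFrom().item(createTenantContextFromPublicKey(oidcTenantConfig));
        }
        try {
            OidcCommonUtils.verifyCommonConfiguration(oidcTenantConfig, true);
            verifyTenantConfiguration(oidcTenantConfig);
            // Synchronous exceptions from provider creation (for example an unparsable auth-server
            // URL) are converted to a failed Uni by the catch below, like the validation errors.
            return createOidcProvider(oidcTenantConfig, tlsConfig, vertx)
                    .onItem().transform(oidcProvider -> new TenantConfigContext(oidcProvider, oidcTenantConfig));
        } catch (Throwable th) {
            // Deliberately broad: every failure must surface as a failed Uni on this path.
            return Uni.createFrom().failure(th);
        }
    }

    /**
     * Applies the cross-property consistency rules that depend on the discovery mode, the
     * application type and the token-state strategy.
     *
     * @param oidcTenantConfig the tenant configuration to check
     * @throws OIDCException if discovery is disabled and the required endpoint paths are not set
     * @throws ConfigurationException if a property is only valid for another application type, or
     *         the token state manager does not keep a token another feature relies on
     */
    private static void verifyTenantConfiguration(OidcTenantConfig oidcTenantConfig) {
        if (!oidcTenantConfig.discoveryEnabled) {
            // Without discovery the endpoints cannot be learned from the provider, so they must be configured.
            if (oidcTenantConfig.applicationType != OidcTenantConfig.ApplicationType.SERVICE
                    && (!oidcTenantConfig.authorizationPath.isPresent() || !oidcTenantConfig.tokenPath.isPresent())) {
                throw new OIDCException("'web-app' applications must have 'authorization-path' and 'token-path' properties set when the discovery is disabled.");
            }
            if (!oidcTenantConfig.jwksPath.isPresent() && !oidcTenantConfig.introspectionPath.isPresent()) {
                throw new OIDCException("Either 'jwks-path' or 'introspection-path' properties must be set when the discovery is disabled.");
            }
        }
        if (OidcTenantConfig.ApplicationType.SERVICE.equals(oidcTenantConfig.applicationType)) {
            if (oidcTenantConfig.token.refreshExpired) {
                throw new ConfigurationException("The 'token.refresh-expired' property can only be enabled for " + OidcTenantConfig.ApplicationType.WEB_APP + " application types");
            }
            if (oidcTenantConfig.logout.path.isPresent()) {
                throw new ConfigurationException("The 'logout.path' property can only be enabled for " + OidcTenantConfig.ApplicationType.WEB_APP + " application types");
            }
            if (oidcTenantConfig.roles.source.isPresent() && oidcTenantConfig.roles.source.get() == OidcTenantConfig.Roles.Source.idtoken) {
                throw new ConfigurationException("The 'roles.source' property can only be set to 'idtoken' for " + OidcTenantConfig.ApplicationType.WEB_APP + " application types");
            }
        }
        if (oidcTenantConfig.tokenStateManager.strategy != OidcTenantConfig.TokenStateManager.Strategy.KEEP_ALL_TOKENS) {
            // Features that need the access token later cannot work if the state manager drops it.
            if (oidcTenantConfig.authentication.userInfoRequired || oidcTenantConfig.roles.source.orElse(null) == OidcTenantConfig.Roles.Source.userinfo) {
                throw new ConfigurationException("UserInfo is required but DefaultTokenStateManager is configured to not keep the access token");
            }
            if (oidcTenantConfig.roles.source.orElse(null) == OidcTenantConfig.Roles.Source.accesstoken) {
                throw new ConfigurationException("Access token is required to check the roles but DefaultTokenStateManager is configured to not keep the access token");
            }
        }
    }

    /**
     * Creates a context for a tenant that verifies tokens with a locally configured public key;
     * no connection to the provider is made.
     *
     * @param oidcTenantConfig the tenant configuration with {@code public-key} set
     * @return the context wrapping a provider built from the key
     * @throws ConfigurationException if the application type is not {@code service}
     */
    private static TenantConfigContext createTenantContextFromPublicKey(OidcTenantConfig oidcTenantConfig) {
        if (oidcTenantConfig.applicationType != OidcTenantConfig.ApplicationType.SERVICE) {
            throw new ConfigurationException("'public-key' property can only be used with the 'service' applications");
        }
        LOG.debug("'public-key' property for the local token verification is set, no connection to the OIDC server will be created");
        return new TenantConfigContext(new OidcProvider(oidcTenantConfig.publicKey.get(), oidcTenantConfig), oidcTenantConfig);
    }

    /**
     * Forwards the "security event observed" flag to the {@link DefaultTenantConfigResolver} bean.
     *
     * @param observed whether a security event observer is present
     */
    public void setSecurityEventObserved(boolean observed) {
        Arc.container().instance(DefaultTenantConfigResolver.class).get().setSecurityEventObserved(observed);
    }

    /**
     * Converts the tenant proxy configuration to Vert.x proxy options.
     *
     * @param proxy the proxy configuration
     * @return the proxy options, or empty when no proxy is configured
     */
    public static Optional<ProxyOptions> toProxyOptions(OidcCommonConfig.Proxy proxy) {
        return OidcCommonUtils.toProxyOptions(proxy);
    }

    /**
     * Wraps a provider connection failure in an {@link OIDCException} carrying the formatted
     * connection error message for {@code authServerUrl}, preserving the cause.
     *
     * @param cause the underlying failure
     * @param authServerUrl the provider URL the connection was made to
     * @return the wrapping exception
     */
    protected static OIDCException toOidcException(Throwable cause, String authServerUrl) {
        return new OIDCException(OidcCommonUtils.formatConnectionErrorMessage(authServerUrl), cause);
    }

    /**
     * Creates the provider: first the client (with discovered or configured metadata), then, when
     * the metadata advertises a JWKS URI, the key set is fetched and cached in the provider.
     *
     * @param oidcTenantConfig the tenant configuration
     * @param tlsConfig TLS settings applied to the HTTP client
     * @param vertx Vert.x instance used for the HTTP client
     * @return a Uni producing the provider, or failing with the client or key-set error
     */
    protected static Uni<OidcProvider> createOidcProvider(final OidcTenantConfig oidcTenantConfig, TlsConfig tlsConfig, Vertx vertx) {
        return createOidcClientUni(oidcTenantConfig, tlsConfig, vertx)
                .onItem().transformToUni(client -> {
                    if (client.getMetadata().getJsonWebKeySetUri() == null) {
                        // No JWKS endpoint known: the provider is created without a key cache.
                        return Uni.createFrom().item(new OidcProvider(client, oidcTenantConfig, null));
                    }
                    return client.getJsonWebKeySet()
                            .onItem().transform(keySet -> new OidcProvider(client, oidcTenantConfig, keySet));
                });
    }

    /**
     * Creates the provider client: builds the HTTP client from the tenant and TLS configuration,
     * obtains the provider metadata (by discovery, with retries on connection failures, or from
     * the configured endpoint paths) and checks it against the tenant configuration.
     *
     * @param oidcTenantConfig the tenant configuration
     * @param tlsConfig TLS settings applied to the HTTP client (via {@link OidcCommonUtils#setHttpClientOptions})
     * @param vertx Vert.x instance used for the HTTP client
     * @return a Uni producing the client, or failing with an {@link OIDCException} (connection
     *         failure) or {@link ConfigurationException} (missing or inconsistent metadata)
     */
    protected static Uni<OidcProviderClient> createOidcClientUni(final OidcTenantConfig oidcTenantConfig, TlsConfig tlsConfig, Vertx vertx) {
        final String authServerUrl = OidcCommonUtils.getAuthServerUrl(oidcTenantConfig);
        final URI authServerUri = URI.create(authServerUrl);

        WebClientOptions clientOptions = new WebClientOptions();
        OidcCommonUtils.setHttpClientOptions(oidcTenantConfig, tlsConfig, clientOptions);
        final WebClient client = WebClient.create(new io.vertx.mutiny.core.Vertx(vertx), clientOptions);

        final Uni<OidcConfigurationMetadata> metadata;
        if (oidcTenantConfig.discoveryEnabled) {
            long connectionRetryCount = OidcCommonUtils.getConnectionRetryCount(oidcTenantConfig);
            long connectionDelayInMillis = OidcCommonUtils.getConnectionDelayInMillis(oidcTenantConfig);
            if (connectionRetryCount > 1) {
                LOG.infof("Connecting to IDP for up to %d times every 2 seconds", Long.valueOf(connectionRetryCount));
            }
            // Only ConnectException is retried; HTTP error responses and other failures fail at once.
            // The retry window is bounded by the configured connection delay, not by the retry count.
            metadata = discoverMetadata(client, authServerUri.toString(), oidcTenantConfig)
                    .onFailure(ConnectException.class).retry()
                    .withBackOff(CONNECTION_BACKOFF_DURATION, CONNECTION_BACKOFF_DURATION)
                    .expireIn(connectionDelayInMillis);
        } else {
            metadata = Uni.createFrom().item(metadataFromConfiguredPaths(authServerUri.toString(), oidcTenantConfig));
        }

        return metadata.onItemOrFailure().transformToUni((configurationMetadata, failure) -> {
            if (failure != null) {
                return Uni.createFrom().failure(toOidcException(failure, authServerUri.toString()));
            }
            if (configurationMetadata == null) {
                return Uni.createFrom().failure(new ConfigurationException("OpenId Connect Provider configuration metadata is not configured and can not be discovered"));
            }
            // RP-Initiated Logout needs an end-session endpoint, either configured or advertised by the provider.
            if (oidcTenantConfig.logout.path.isPresent() && !oidcTenantConfig.endSessionPath.isPresent()
                    && configurationMetadata.getEndSessionUri() == null) {
                return Uni.createFrom().failure(new ConfigurationException("The application supports RP-Initiated Logout but the OpenID Provider does not advertise the end_session_endpoint"));
            }
            return Uni.createFrom().item(new OidcProviderClient(client, configurationMetadata, oidcTenantConfig));
        });
    }

    /**
     * Builds the provider metadata from the endpoint paths configured on the tenant, used when
     * discovery is disabled.
     *
     * @param authServerUrl the base provider URL the paths are resolved against
     * @param oidcTenantConfig the tenant configuration holding the paths and the optional issuer
     * @return the assembled metadata
     */
    private static OidcConfigurationMetadata metadataFromConfiguredPaths(String authServerUrl, OidcTenantConfig oidcTenantConfig) {
        return new OidcConfigurationMetadata(
                OidcCommonUtils.getOidcEndpointUrl(authServerUrl, oidcTenantConfig.tokenPath),
                OidcCommonUtils.getOidcEndpointUrl(authServerUrl, oidcTenantConfig.introspectionPath),
                OidcCommonUtils.getOidcEndpointUrl(authServerUrl, oidcTenantConfig.authorizationPath),
                OidcCommonUtils.getOidcEndpointUrl(authServerUrl, oidcTenantConfig.jwksPath),
                OidcCommonUtils.getOidcEndpointUrl(authServerUrl, oidcTenantConfig.userInfoPath),
                OidcCommonUtils.getOidcEndpointUrl(authServerUrl, oidcTenantConfig.endSessionPath),
                oidcTenantConfig.token.issuer.orElse(null));
    }

    /**
     * Fetches the provider's {@code /.well-known/openid-configuration} document.
     *
     * @param client the HTTP client configured for the tenant
     * @param authServerUrl the base provider URL
     * @param oidcTenantConfig the tenant configuration (currently unused here)
     * @return a Uni producing the parsed metadata on HTTP 200, or {@code null} for any other
     *         status; the caller turns {@code null} into a configuration failure
     */
    private static Uni<OidcConfigurationMetadata> discoverMetadata(WebClient client, String authServerUrl, OidcTenantConfig oidcTenantConfig) {
        final String discoveryUrl = authServerUrl + "/.well-known/openid-configuration";
        return client.getAbs(discoveryUrl).send()
                .onItem().transform(response -> {
                    if (response.statusCode() == 200) {
                        return new OidcConfigurationMetadata(response.bodyAsJsonObject());
                    }
                    // A non-200 answer only surfaces as "can not be discovered" upstream; record the status for diagnosis.
                    LOG.debugf("OIDC discovery request to '%s' returned status %d", discoveryUrl, response.statusCode());
                    return null;
                });
    }
}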
