package io.quarkus.oidc.runtime;

import io.quarkus.oidc.OIDCException;
import io.quarkus.security.AuthenticationFailedException;
import io.quarkus.security.ForbiddenException;
import io.quarkus.security.identity.AuthenticationRequestContext;
import io.quarkus.security.identity.IdentityProvider;
import io.quarkus.security.identity.SecurityIdentity;
import io.quarkus.security.identity.request.TokenAuthenticationRequest;
import io.quarkus.security.runtime.QuarkusSecurityIdentity;
import io.vertx.core.AsyncResult;
import io.vertx.core.Handler;
import io.vertx.ext.auth.oauth2.AccessToken;
import java.util.Iterator;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.CompletionStage;
import java.util.function.Supplier;
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import org.eclipse.microprofile.jwt.Claims;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.consumer.InvalidJwtException;

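/**
 * Identity provider for {@link TokenAuthenticationRequest}: resolves the tenant for the
 * request, has the tenant's OAuth2 client decode the presented token, validates its claims
 * and builds a {@link SecurityIdentity} carrying the credential, principal and roles.
 *
 * <p>Failure mapping (fail closed):
 * <ul>
 *   <li>token decoding, claim validation or JWT parsing fails: {@link AuthenticationFailedException}</li>
 *   <li>role lookup or identity construction fails: {@link ForbiddenException}</li>
 *   <li>any other runtime failure in the callback: {@link AuthenticationFailedException}</li>
 * </ul>
 */
@ApplicationScoped
public class OidcIdentityProvider implements IdentityProvider<TokenAuthenticationRequest> {

    @Inject
    DefaultTenantConfigResolver tenantResolver;

    /**
     * @return the request type handled by this provider, {@link TokenAuthenticationRequest}
     */
    public Class<TokenAuthenticationRequest> getRequestType() {
        return TokenAuthenticationRequest.class;
    }

    /**
     * Authenticates a token request on a blocking thread supplied by the request context.
     *
     * @param tokenAuthenticationRequest request whose credential must be a
     *        {@code ContextAwareTokenCredential} (it is cast unconditionally)
     * @param authenticationRequestContext context used to run the blocking verification
     * @return a stage completing with the built identity; failures surface through the
     *         {@code join()} on the internal future, i.e. wrapped in a
     *         {@link java.util.concurrent.CompletionException}
     */
    public CompletionStage<SecurityIdentity> authenticate(final TokenAuthenticationRequest tokenAuthenticationRequest, AuthenticationRequestContext authenticationRequestContext) {
        return authenticationRequestContext.runBlocking(() -> {
            final CompletableFuture<SecurityIdentity> identityFuture = new CompletableFuture<>();
            final ContextAwareTokenCredential credential = (ContextAwareTokenCredential) tokenAuthenticationRequest.getToken();
            final TenantConfigContext tenantContext = tenantResolver.resolve(credential.getContext());
            final OidcTenantConfig tenantConfig = tenantContext.oidcConfig;

            tenantContext.auth.decodeToken(tokenAuthenticationRequest.getToken().getToken(), asyncResult -> {
                try {
                    if (asyncResult.failed()) {
                        // Keep the decode failure as the cause so rejected tokens can be diagnosed.
                        identityFuture.completeExceptionally(new AuthenticationFailedException(asyncResult.cause()));
                        return;
                    }
                    AccessToken accessToken = asyncResult.result();
                    OidcUtils.validateClaims(tenantConfig.getToken(), accessToken.accessToken());

                    QuarkusSecurityIdentity.Builder builder = QuarkusSecurityIdentity.builder();
                    builder.addCredential(tokenAuthenticationRequest.getToken());

                    JwtClaims claims = JwtClaims.parse(accessToken.accessToken().encode());
                    // The raw bearer token is stored in the claim set under raw_token, so the
                    // claims/principal must be treated as secret material (never logged or echoed).
                    claims.setClaim(Claims.raw_token.name(), credential.getToken());
                    builder.setPrincipal(new OidcJwtCallerPrincipal(claims, tokenAuthenticationRequest.getToken(), tenantConfig.token.principalClaim.orElse(null)));

                    try {
                        for (String role : OidcUtils.findRoles(tenantConfig.getClientId().orElse(null), tenantConfig.getRoles(), accessToken.accessToken())) {
                            builder.addRole(role);
                        }
                        identityFuture.complete(builder.build());
                    } catch (Exception e) {
                        // Token is authentic but roles could not be established: authorization failure.
                        identityFuture.completeExceptionally(new ForbiddenException(e));
                    }
                } catch (InvalidJwtException | OIDCException e) {
                    identityFuture.completeExceptionally(new AuthenticationFailedException(e));
                } catch (RuntimeException e) {
                    // Fail closed: an unexpected error (for example a missing token payload) must
                    // still complete the future. If this callback is delivered on another thread,
                    // an escaping exception would leave join() below waiting with nothing left
                    // to complete it, tying up the blocking thread.
                    identityFuture.completeExceptionally(new AuthenticationFailedException(e));
                }
            });
            return identityFuture.join();
        });
    }
}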
