package io.quarkus.oidc.runtime;

import io.quarkus.oidc.AccessTokenCredential;
import io.quarkus.oidc.IdTokenCredential;
import io.quarkus.oidc.OidcTenantConfig;
import io.quarkus.oidc.TokenIntrospection;
import io.quarkus.oidc.TokenIntrospectionCache;
import io.quarkus.oidc.UserInfo;
import io.quarkus.oidc.UserInfoCache;
import io.quarkus.security.AuthenticationFailedException;
import io.quarkus.security.credential.TokenCredential;
import io.quarkus.security.identity.AuthenticationRequestContext;
import io.quarkus.security.identity.IdentityProvider;
import io.quarkus.security.identity.SecurityIdentity;
import io.quarkus.security.identity.request.TokenAuthenticationRequest;
import io.quarkus.security.runtime.QuarkusSecurityIdentity;
import io.quarkus.vertx.http.runtime.security.HttpSecurityUtils;
import io.smallrye.mutiny.Uni;
import io.vertx.core.json.JsonObject;
import io.vertx.ext.web.RoutingContext;
import java.security.Principal;
import java.util.function.BiFunction;
import java.util.function.Function;
import java.util.function.Supplier;
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import org.jose4j.lang.UnresolvableKeyException;

@ApplicationScoped
/* loaded from: input_file:io/quarkus/oidc/runtime/OidcIdentityProvider.class */
public class OidcIdentityProvider implements IdentityProvider<TokenAuthenticationRequest> {
    static final String REFRESH_TOKEN_GRANT_RESPONSE = "refresh_token_grant_response";
    static final String NEW_AUTHENTICATION = "new_authentication";
    private static final Uni<TokenVerificationResult> NULL_CODE_ACCESS_TOKEN_UNI = Uni.createFrom().nullItem();
    private static final Uni<UserInfo> NULL_USER_INFO_UNI = Uni.createFrom().nullItem();
    private static final String CODE_ACCESS_TOKEN_RESULT = "code_flow_access_token_result";

    @Inject
    DefaultTenantConfigResolver tenantResolver;
    private BlockingTaskRunner<Void> uniVoidOidcContext = new BlockingTaskRunner<>();
    private BlockingTaskRunner<TokenIntrospection> getIntrospectionRequestContext = new BlockingTaskRunner<>();
    private BlockingTaskRunner<UserInfo> getUserInfoRequestContext = new BlockingTaskRunner<>();

    public Class<TokenAuthenticationRequest> getRequestType() {
        return TokenAuthenticationRequest.class;
    }

    public Uni<SecurityIdentity> authenticate(final TokenAuthenticationRequest tokenAuthenticationRequest, AuthenticationRequestContext authenticationRequestContext) {
        if (!(tokenAuthenticationRequest.getToken() instanceof AccessTokenCredential) && !(tokenAuthenticationRequest.getToken() instanceof IdTokenCredential)) {
            return Uni.createFrom().nullItem();
        }
        final RoutingContext routingContextAttribute = HttpSecurityUtils.getRoutingContextAttribute(tokenAuthenticationRequest);
        routingContextAttribute.put(AuthenticationRequestContext.class.getName(), authenticationRequestContext);
        return this.tenantResolver.resolveContext(routingContextAttribute).onItem().transformToUni(new Function<TenantConfigContext, Uni<? extends SecurityIdentity>>() { // from class: io.quarkus.oidc.runtime.OidcIdentityProvider.1
            @Override // java.util.function.Function
            public Uni<SecurityIdentity> apply(final TenantConfigContext tenantConfigContext) {
                return Uni.createFrom().deferred(new Supplier<Uni<? extends SecurityIdentity>>() { // from class: io.quarkus.oidc.runtime.OidcIdentityProvider.1.1
                    @Override // java.util.function.Supplier
                    /* renamed from: get, reason: merged with bridge method [inline-methods] */
                    public Uni<? extends SecurityIdentity> get2() {
                        return OidcIdentityProvider.this.authenticate(tokenAuthenticationRequest, routingContextAttribute, tenantConfigContext);
                    }
                });
            }
        });
    }

    private Uni<SecurityIdentity> authenticate(TokenAuthenticationRequest tokenAuthenticationRequest, RoutingContext routingContext, TenantConfigContext tenantConfigContext) {
        return tenantConfigContext.oidcConfig.publicKey.isPresent() ? validateTokenWithoutOidcServer(tokenAuthenticationRequest, tenantConfigContext) : validateAllTokensWithOidcServer(routingContext, tokenAuthenticationRequest, tenantConfigContext);
    }

    private Uni<SecurityIdentity> validateAllTokensWithOidcServer(final RoutingContext routingContext, final TokenAuthenticationRequest tokenAuthenticationRequest, final TenantConfigContext tenantConfigContext) {
        return verifyCodeFlowAccessTokenUni(routingContext, tokenAuthenticationRequest, tenantConfigContext).onItemOrFailure().transformToUni(new BiFunction<TokenVerificationResult, Throwable, Uni<? extends SecurityIdentity>>() { // from class: io.quarkus.oidc.runtime.OidcIdentityProvider.2
            @Override // java.util.function.BiFunction
            public Uni<SecurityIdentity> apply(TokenVerificationResult tokenVerificationResult, Throwable th) {
                return th != null ? Uni.createFrom().failure(new AuthenticationFailedException(th)) : OidcIdentityProvider.this.validateTokenWithOidcServer(routingContext, tokenAuthenticationRequest, tenantConfigContext, tokenVerificationResult);
            }
        });
    }

    private Uni<SecurityIdentity> validateTokenWithOidcServer(final RoutingContext routingContext, final TokenAuthenticationRequest tokenAuthenticationRequest, final TenantConfigContext tenantConfigContext, TokenVerificationResult tokenVerificationResult) {
        if (tokenVerificationResult != null) {
            routingContext.put(CODE_ACCESS_TOKEN_RESULT, tokenVerificationResult);
        }
        return (tenantConfigContext.oidcConfig.authentication.isUserInfoRequired().orElse(false).booleanValue() ? getUserInfoUni(routingContext, tokenAuthenticationRequest, tenantConfigContext) : NULL_USER_INFO_UNI).onItemOrFailure().transformToUni(new BiFunction<UserInfo, Throwable, Uni<? extends SecurityIdentity>>() { // from class: io.quarkus.oidc.runtime.OidcIdentityProvider.3
            @Override // java.util.function.BiFunction
            public Uni<SecurityIdentity> apply(UserInfo userInfo, Throwable th) {
                return th != null ? Uni.createFrom().failure(new AuthenticationFailedException(th)) : OidcIdentityProvider.this.createSecurityIdentityWithOidcServer(routingContext, tokenAuthenticationRequest, tenantConfigContext, userInfo);
            }
        });
    }

    private Uni<SecurityIdentity> createSecurityIdentityWithOidcServer(final RoutingContext routingContext, final TokenAuthenticationRequest tokenAuthenticationRequest, final TenantConfigContext tenantConfigContext, final UserInfo userInfo) {
        return (isInternalIdToken(tokenAuthenticationRequest) ? routingContext.get(NEW_AUTHENTICATION) == Boolean.TRUE ? Uni.createFrom().item(new TokenVerificationResult(OidcUtils.decodeJwtContent(tokenAuthenticationRequest.getToken().getToken()), null)) : verifySelfSignedTokenUni(tenantConfigContext, tokenAuthenticationRequest.getToken().getToken()) : verifyTokenUni(tenantConfigContext, tokenAuthenticationRequest.getToken().getToken())).onItemOrFailure().transformToUni(new BiFunction<TokenVerificationResult, Throwable, Uni<? extends SecurityIdentity>>() { // from class: io.quarkus.oidc.runtime.OidcIdentityProvider.4
            @Override // java.util.function.BiFunction
            public Uni<SecurityIdentity> apply(TokenVerificationResult tokenVerificationResult, Throwable th) {
                if (th != null) {
                    return Uni.createFrom().failure(new AuthenticationFailedException(th));
                }
                TokenCredential token = tokenAuthenticationRequest.getToken();
                JsonObject jsonObject = tokenVerificationResult.localVerificationResult;
                if (jsonObject == null) {
                    jsonObject = OidcUtils.decodeJwtContent(token.getToken());
                }
                if (jsonObject != null) {
                    try {
                        OidcUtils.validatePrimaryJwtTokenType(tenantConfigContext.oidcConfig.token, jsonObject);
                        QuarkusSecurityIdentity validateAndCreateIdentity = OidcUtils.validateAndCreateIdentity(routingContext, token, tenantConfigContext, jsonObject, OidcIdentityProvider.getRolesJson(routingContext, tenantConfigContext, token, jsonObject, userInfo), userInfo, tokenVerificationResult.introspectionResult);
                        return OidcIdentityProvider.tokenAutoRefreshPrepared(jsonObject, routingContext, tenantConfigContext.oidcConfig) ? Uni.createFrom().failure(new TokenAutoRefreshException(validateAndCreateIdentity)) : Uni.createFrom().item(validateAndCreateIdentity);
                    } catch (Throwable th2) {
                        return Uni.createFrom().failure(new AuthenticationFailedException(th2));
                    }
                }
                if ((token instanceof IdTokenCredential) || ((token instanceof AccessTokenCredential) && !((AccessTokenCredential) token).isOpaque())) {
                    return Uni.createFrom().failure(new AuthenticationFailedException("JWT token can not be converted to JSON"));
                }
                QuarkusSecurityIdentity.Builder builder = QuarkusSecurityIdentity.builder();
                builder.addCredential(token);
                OidcUtils.setSecurityIdentityUserInfo(builder, userInfo);
                OidcUtils.setSecurityIdentityIntrospection(builder, tokenVerificationResult.introspectionResult);
                OidcUtils.setSecurityIdentityConfigMetadata(builder, tenantConfigContext);
                String str = "";
                if (tokenVerificationResult.introspectionResult.contains("username")) {
                    str = "username";
                } else if (tokenVerificationResult.introspectionResult.contains("sub")) {
                    str = "sub";
                }
                final String string = str.isEmpty() ? "" : tokenVerificationResult.introspectionResult.getString(str);
                builder.setPrincipal(new Principal() { // from class: io.quarkus.oidc.runtime.OidcIdentityProvider.4.1
                    @Override // java.security.Principal
                    public String getName() {
                        return string;
                    }
                });
                if (tokenVerificationResult.introspectionResult.contains("scope")) {
                    for (String str2 : tokenVerificationResult.introspectionResult.getString("scope").split(" ")) {
                        builder.addRole(str2.trim());
                    }
                }
                if (userInfo != null) {
                    OidcUtils.setSecurityIdentityRoles(builder, tenantConfigContext.oidcConfig, new JsonObject(userInfo.getJsonObject().toString()));
                }
                OidcUtils.setBlockingApiAttribute(builder, routingContext);
                OidcUtils.setTenantIdAttribute(builder, tenantConfigContext.oidcConfig);
                OidcUtils.setRoutingContextAttribute(builder, routingContext);
                return Uni.createFrom().item(builder.build());
            }
        });
    }

    private static boolean isInternalIdToken(TokenAuthenticationRequest tokenAuthenticationRequest) {
        return (tokenAuthenticationRequest.getToken() instanceof IdTokenCredential) && ((IdTokenCredential) tokenAuthenticationRequest.getToken()).isInternal();
    }

    private static boolean tokenAutoRefreshPrepared(JsonObject jsonObject, RoutingContext routingContext, OidcTenantConfig oidcTenantConfig) {
        if (jsonObject == null || !oidcTenantConfig.token.refreshExpired || !oidcTenantConfig.token.getRefreshTokenTimeSkew().isPresent() || routingContext.get(REFRESH_TOKEN_GRANT_RESPONSE) == Boolean.TRUE || routingContext.get(NEW_AUTHENTICATION) == Boolean.TRUE) {
            return false;
        }
        return (System.currentTimeMillis() / 1000) + oidcTenantConfig.token.getRefreshTokenTimeSkew().get().getSeconds() > jsonObject.getLong("exp").longValue();
    }

    private static JsonObject getRolesJson(RoutingContext routingContext, TenantConfigContext tenantConfigContext, TokenCredential tokenCredential, JsonObject jsonObject, UserInfo userInfo) {
        JsonObject jsonObject2 = jsonObject;
        if (tenantConfigContext.oidcConfig.roles.source.isPresent()) {
            if (tenantConfigContext.oidcConfig.roles.source.get() == OidcTenantConfig.Roles.Source.userinfo) {
                jsonObject2 = new JsonObject(userInfo.getJsonObject().toString());
            } else if ((tokenCredential instanceof IdTokenCredential) && tenantConfigContext.oidcConfig.roles.source.get() == OidcTenantConfig.Roles.Source.accesstoken) {
                jsonObject2 = ((TokenVerificationResult) routingContext.get(CODE_ACCESS_TOKEN_RESULT)).localVerificationResult;
                if (jsonObject2 == null) {
                    jsonObject2 = OidcUtils.decodeJwtContent((String) routingContext.get("access_token"));
                }
            }
        }
        return jsonObject2;
    }

    private Uni<TokenVerificationResult> verifyCodeFlowAccessTokenUni(RoutingContext routingContext, TokenAuthenticationRequest tokenAuthenticationRequest, TenantConfigContext tenantConfigContext) {
        return ((tokenAuthenticationRequest.getToken() instanceof IdTokenCredential) && (tenantConfigContext.oidcConfig.authentication.verifyAccessToken || tenantConfigContext.oidcConfig.roles.source.orElse(null) == OidcTenantConfig.Roles.Source.accesstoken)) ? verifyTokenUni(tenantConfigContext, (String) routingContext.get("access_token")) : NULL_CODE_ACCESS_TOKEN_UNI;
    }

    private Uni<TokenVerificationResult> verifyTokenUni(TenantConfigContext tenantConfigContext, String str) {
        if (OidcUtils.isOpaqueToken(str)) {
            if (tenantConfigContext.oidcConfig.token.allowOpaqueTokenIntrospection) {
                return introspectTokenUni(tenantConfigContext, str);
            }
            throw new AuthenticationFailedException();
        }
        if (tenantConfigContext.provider.getMetadata().getJsonWebKeySetUri() == null || tenantConfigContext.oidcConfig.token.requireJwtIntrospectionOnly) {
            return introspectTokenUni(tenantConfigContext, str);
        }
        try {
            return Uni.createFrom().item(tenantConfigContext.provider.verifyJwtToken(str));
        } catch (Throwable th) {
            return th.getCause() instanceof UnresolvableKeyException ? refreshJwksAndVerifyTokenUni(tenantConfigContext, str) : Uni.createFrom().failure(th);
        }
    }

    private Uni<TokenVerificationResult> verifySelfSignedTokenUni(TenantConfigContext tenantConfigContext, String str) {
        try {
            return Uni.createFrom().item(tenantConfigContext.provider.verifySelfSignedJwtToken(str));
        } catch (Throwable th) {
            return Uni.createFrom().failure(th);
        }
    }

    private Uni<TokenVerificationResult> refreshJwksAndVerifyTokenUni(TenantConfigContext tenantConfigContext, String str) {
        return tenantConfigContext.provider.refreshJwksAndVerifyJwtToken(str).onFailure(th -> {
            return (th.getCause() instanceof UnresolvableKeyException) && tenantConfigContext.oidcConfig.token.allowJwtIntrospection;
        }).recoverWithUni(th2 -> {
            return introspectTokenUni(tenantConfigContext, str);
        });
    }

    private Uni<TokenVerificationResult> introspectTokenUni(TenantConfigContext tenantConfigContext, String str) {
        TokenIntrospectionCache tokenIntrospectionCache = this.tenantResolver.getTokenIntrospectionCache();
        Uni<TokenIntrospection> introspection = tokenIntrospectionCache == null ? null : tokenIntrospectionCache.getIntrospection(str, tenantConfigContext.oidcConfig, this.getIntrospectionRequestContext);
        return (introspection == null ? newTokenIntrospectionUni(tenantConfigContext, str) : introspection.onItem().ifNull().switchTo(newTokenIntrospectionUni(tenantConfigContext, str))).onItem().transform(tokenIntrospection -> {
            return new TokenVerificationResult(null, tokenIntrospection);
        });
    }

    private Uni<TokenIntrospection> newTokenIntrospectionUni(final TenantConfigContext tenantConfigContext, final String str) {
        Uni<TokenIntrospection> introspectToken = tenantConfigContext.provider.introspectToken(str);
        return (this.tenantResolver.getTokenIntrospectionCache() == null || !tenantConfigContext.oidcConfig.allowTokenIntrospectionCache) ? introspectToken : introspectToken.call(new Function<TokenIntrospection, Uni<?>>() { // from class: io.quarkus.oidc.runtime.OidcIdentityProvider.5
            @Override // java.util.function.Function
            public Uni<?> apply(TokenIntrospection tokenIntrospection) {
                return OidcIdentityProvider.this.tenantResolver.getTokenIntrospectionCache().addIntrospection(str, tokenIntrospection, tenantConfigContext.oidcConfig, OidcIdentityProvider.this.uniVoidOidcContext);
            }
        });
    }

    private static Uni<SecurityIdentity> validateTokenWithoutOidcServer(TokenAuthenticationRequest tokenAuthenticationRequest, TenantConfigContext tenantConfigContext) {
        try {
            TokenVerificationResult verifyJwtToken = tenantConfigContext.provider.verifyJwtToken(tokenAuthenticationRequest.getToken().getToken());
            return Uni.createFrom().item(OidcUtils.validateAndCreateIdentity(null, tokenAuthenticationRequest.getToken(), tenantConfigContext, verifyJwtToken.localVerificationResult, verifyJwtToken.localVerificationResult, null, null));
        } catch (Throwable th) {
            return Uni.createFrom().failure(new AuthenticationFailedException(th));
        }
    }

    private Uni<UserInfo> getUserInfoUni(RoutingContext routingContext, TokenAuthenticationRequest tokenAuthenticationRequest, TenantConfigContext tenantConfigContext) {
        JsonObject jsonObject;
        if (isInternalIdToken(tokenAuthenticationRequest) && tenantConfigContext.oidcConfig.cacheUserInfoInIdtoken && (jsonObject = OidcUtils.decodeJwtContent(tokenAuthenticationRequest.getToken().getToken()).getJsonObject(OidcUtils.USER_INFO_ATTRIBUTE)) != null) {
            return Uni.createFrom().item(new UserInfo(jsonObject.encode()));
        }
        String str = (String) routingContext.get("access_token");
        if (str == null) {
            str = tokenAuthenticationRequest.getToken().getToken();
        }
        UserInfoCache userInfoCache = this.tenantResolver.getUserInfoCache();
        Uni<UserInfo> userInfo = userInfoCache == null ? null : userInfoCache.getUserInfo(str, tenantConfigContext.oidcConfig, this.getUserInfoRequestContext);
        return userInfo == null ? newUserInfoUni(tenantConfigContext, str) : userInfo.onItem().ifNull().switchTo(newUserInfoUni(tenantConfigContext, str));
    }

    private Uni<UserInfo> newUserInfoUni(final TenantConfigContext tenantConfigContext, final String str) {
        Uni<UserInfo> userInfo = tenantConfigContext.provider.getUserInfo(str);
        return (this.tenantResolver.getUserInfoCache() == null || !tenantConfigContext.oidcConfig.allowUserInfoCache || tenantConfigContext.oidcConfig.cacheUserInfoInIdtoken) ? userInfo : userInfo.call(new Function<UserInfo, Uni<?>>() { // from class: io.quarkus.oidc.runtime.OidcIdentityProvider.6
            @Override // java.util.function.Function
            public Uni<?> apply(UserInfo userInfo2) {
                return OidcIdentityProvider.this.tenantResolver.getUserInfoCache().addUserInfo(str, userInfo2, tenantConfigContext.oidcConfig, OidcIdentityProvider.this.uniVoidOidcContext);
            }
        });
    }
}
