package io.quarkus.vertx.http.deployment;

import io.quarkus.arc.deployment.AdditionalBeanBuildItem;
import io.quarkus.arc.deployment.BeanContainerListenerBuildItem;
import io.quarkus.arc.deployment.SyntheticBeanBuildItem;
import io.quarkus.deployment.Capabilities;
import io.quarkus.deployment.annotations.BuildProducer;
import io.quarkus.deployment.annotations.BuildStep;
import io.quarkus.deployment.annotations.ExecutionTime;
import io.quarkus.deployment.annotations.Record;
import io.quarkus.vertx.http.runtime.HttpBuildTimeConfig;
import io.quarkus.vertx.http.runtime.PolicyConfig;
import io.quarkus.vertx.http.runtime.management.ManagementInterfaceBuildTimeConfig;
import io.quarkus.vertx.http.runtime.management.ManagementInterfaceSecurityRecorder;
import io.quarkus.vertx.http.runtime.security.AuthenticatedHttpSecurityPolicy;
import io.quarkus.vertx.http.runtime.security.BasicAuthenticationMechanism;
import io.quarkus.vertx.http.runtime.security.DenySecurityPolicy;
import io.quarkus.vertx.http.runtime.security.HttpAuthenticationMechanism;
import io.quarkus.vertx.http.runtime.security.HttpAuthenticator;
import io.quarkus.vertx.http.runtime.security.ManagementInterfaceHttpAuthorizer;
import io.quarkus.vertx.http.runtime.security.ManagementPathMatchingHttpSecurityPolicy;
import io.quarkus.vertx.http.runtime.security.PermitSecurityPolicy;
import io.quarkus.vertx.http.runtime.security.RolesAllowedHttpSecurityPolicy;
import io.quarkus.vertx.http.runtime.security.SupplierImpl;
import jakarta.inject.Singleton;
import java.util.HashMap;
import java.util.Map;

/* loaded from: input_file:io/quarkus/vertx/http/deployment/ManagementInterfaceSecurityProcessor.class */
public class ManagementInterfaceSecurityProcessor {
    @BuildStep
    public void builtins(ManagementInterfaceBuildTimeConfig managementInterfaceBuildTimeConfig, BuildProducer<AdditionalBeanBuildItem> buildProducer) {
        if (managementInterfaceBuildTimeConfig.auth.permissions.isEmpty()) {
            return;
        }
        buildProducer.produce(AdditionalBeanBuildItem.unremovableOf(ManagementPathMatchingHttpSecurityPolicy.class));
    }

    @BuildStep
    @Record(ExecutionTime.RUNTIME_INIT)
    SyntheticBeanBuildItem initBasicAuth(HttpBuildTimeConfig httpBuildTimeConfig, ManagementInterfaceSecurityRecorder managementInterfaceSecurityRecorder, ManagementInterfaceBuildTimeConfig managementInterfaceBuildTimeConfig) {
        if (!HttpSecurityProcessor.applicationBasicAuthRequired(httpBuildTimeConfig, managementInterfaceBuildTimeConfig) && ((Boolean) managementInterfaceBuildTimeConfig.auth.basic.orElse(false)).booleanValue()) {
            return SyntheticBeanBuildItem.configure(BasicAuthenticationMechanism.class).types(new Class[]{HttpAuthenticationMechanism.class}).setRuntimeInit().scope(Singleton.class).supplier(managementInterfaceSecurityRecorder.setupBasicAuth()).done();
        }
        return null;
    }

    @BuildStep
    @Record(ExecutionTime.STATIC_INIT)
    void setupAuthenticationMechanisms(ManagementInterfaceSecurityRecorder managementInterfaceSecurityRecorder, BuildProducer<ManagementInterfaceFilterBuildItem> buildProducer, BuildProducer<AdditionalBeanBuildItem> buildProducer2, Capabilities capabilities, BuildProducer<BeanContainerListenerBuildItem> buildProducer3, ManagementInterfaceBuildTimeConfig managementInterfaceBuildTimeConfig) {
        HashMap hashMap = new HashMap();
        for (Map.Entry entry : managementInterfaceBuildTimeConfig.auth.rolePolicy.entrySet()) {
            hashMap.put((String) entry.getKey(), new SupplierImpl(new RolesAllowedHttpSecurityPolicy(((PolicyConfig) entry.getValue()).rolesAllowed)));
        }
        hashMap.put("deny", new SupplierImpl(new DenySecurityPolicy()));
        hashMap.put("permit", new SupplierImpl(new PermitSecurityPolicy()));
        hashMap.put("authenticated", new SupplierImpl(new AuthenticatedHttpSecurityPolicy()));
        if (!((Boolean) managementInterfaceBuildTimeConfig.auth.basic.orElse(false)).booleanValue() || !capabilities.isPresent("io.quarkus.security")) {
            if (!managementInterfaceBuildTimeConfig.auth.permissions.isEmpty()) {
                throw new IllegalStateException("HTTP permissions have been set however security is not enabled");
            }
            return;
        }
        buildProducer2.produce(AdditionalBeanBuildItem.builder().setUnremovable().addBeanClass(HttpAuthenticator.class).addBeanClass(ManagementInterfaceHttpAuthorizer.class).build());
        buildProducer.produce(new ManagementInterfaceFilterBuildItem(managementInterfaceSecurityRecorder.authenticationMechanismHandler(managementInterfaceBuildTimeConfig.auth.proactive), ManagementInterfaceFilterBuildItem.AUTHENTICATION));
        buildProducer.produce(new ManagementInterfaceFilterBuildItem(managementInterfaceSecurityRecorder.permissionCheckHandler(managementInterfaceBuildTimeConfig, hashMap), -100));
        if (managementInterfaceBuildTimeConfig.auth.permissions.isEmpty()) {
            return;
        }
        buildProducer3.produce(new BeanContainerListenerBuildItem(managementInterfaceSecurityRecorder.initPermissions(managementInterfaceBuildTimeConfig, hashMap)));
    }
}
