package io.quarkus.oidc.runtime;

import io.quarkus.oidc.OIDCException;
import io.quarkus.oidc.runtime.OidcTenantConfig;
import io.quarkus.security.identity.IdentityProviderManager;
import io.quarkus.security.identity.SecurityIdentity;
import io.quarkus.security.identity.request.AuthenticationRequest;
import io.quarkus.security.identity.request.TokenAuthenticationRequest;
import io.quarkus.security.spi.runtime.BlockingSecurityExecutor;
import io.quarkus.vertx.http.runtime.security.ChallengeData;
import io.quarkus.vertx.http.runtime.security.HttpAuthenticationMechanism;
import io.quarkus.vertx.http.runtime.security.HttpCredentialTransport;
import io.smallrye.mutiny.Uni;
import io.vertx.ext.web.RoutingContext;
import jakarta.enterprise.context.ApplicationScoped;
import java.util.Collections;
import java.util.Set;
import java.util.function.Function;
import org.jboss.logging.Logger;

@ApplicationScoped
/* loaded from: input_file:io/quarkus/oidc/runtime/OidcAuthenticationMechanism.class */
/**
 * Front door for OIDC authentication in the HTTP security layer.
 *
 * Every entry point first resolves the tenant configuration for the current
 * request (cached on the {@link RoutingContext}) and then delegates to one of
 * two concrete mechanisms: the authorization-code flow for web-app tenants or
 * the bearer-token flow for service tenants. A tenant that is disabled yields
 * no identity, no challenge and no credential transport.
 *
 * Security note: the tenant id that seeds the resolver may be taken from the
 * name of a client-supplied cookie (see {@link #setTenantIdAttribute}); it is
 * therefore untrusted input and must only ever be used to pick among
 * configured tenants, never to grant anything by itself.
 */
public class OidcAuthenticationMechanism implements HttpAuthenticationMechanism {
    private static final Logger LOG = Logger.getLogger(OidcAuthenticationMechanism.class);

    /** Transport reported for web-app tenants: the authorization-code flow, carried as "code". */
    private static final HttpCredentialTransport OIDC_WEB_APP_TRANSPORT = new HttpCredentialTransport(HttpCredentialTransport.Type.AUTHORIZATION_CODE, "code");

    private final BearerAuthenticationMechanism bearerAuth = new BearerAuthenticationMechanism();
    private final CodeAuthenticationMechanism codeAuth;
    private final DefaultTenantConfigResolver resolver;

    /**
     * Wires both delegate mechanisms to this instance and to the tenant resolver.
     *
     * @param defaultTenantConfigResolver resolves the per-request tenant configuration
     * @param blockingSecurityExecutor    executor handed to the code-flow mechanism for blocking work
     */
    public OidcAuthenticationMechanism(DefaultTenantConfigResolver defaultTenantConfigResolver, BlockingSecurityExecutor blockingSecurityExecutor) {
        this.resolver = defaultTenantConfigResolver;
        this.codeAuth = new CodeAuthenticationMechanism(blockingSecurityExecutor);
        this.bearerAuth.init(this, defaultTenantConfigResolver);
        this.codeAuth.init(this, defaultTenantConfigResolver);
    }

    /**
     * Authenticates the request with the mechanism matching the resolved tenant.
     *
     * @return the identity produced by the code-flow or bearer mechanism, or a
     *         {@code null} item when the tenant is disabled
     */
    @Override
    public Uni<SecurityIdentity> authenticate(final RoutingContext routingContext, final IdentityProviderManager identityProviderManager) {
        return resolve(routingContext).onItem().transformToUni(tenant -> {
            if (!tenant.tenantEnabled()) {
                // Disabled tenant: no identity, let other mechanisms (if any) have a go.
                return Uni.createFrom().nullItem();
            }
            if (isWebApp(routingContext, tenant)) {
                return codeAuth.authenticate(routingContext, identityProviderManager, tenant);
            }
            return bearerAuth.authenticate(routingContext, identityProviderManager, tenant);
        });
    }

    /**
     * Builds the challenge for an unauthenticated request, again routed by tenant type.
     *
     * @return the delegate's challenge, or a {@code null} item when the tenant is disabled
     */
    @Override
    public Uni<ChallengeData> getChallenge(final RoutingContext routingContext) {
        return resolve(routingContext).onItem().transformToUni(tenant -> {
            if (!tenant.tenantEnabled()) {
                return Uni.createFrom().nullItem();
            }
            if (isWebApp(routingContext, tenant)) {
                return codeAuth.getChallenge(routingContext);
            }
            return bearerAuth.getChallenge(routingContext);
        });
    }

    /**
     * Resolves the tenant configuration for this request, memoising it on the
     * routing context so that authenticate/getChallenge/getCredentialTransport
     * all see the same tenant within one request.
     *
     * Before asking the resolver, a tenant id hint is derived from the request
     * cookies if none has been set yet. After resolution the tenant id attribute
     * is only filled in when it is still absent, so a cookie-derived hint wins
     * over the resolved tenant's own id.
     *
     * @throws OIDCException (inside the returned Uni) when the resolver yields no configuration
     */
    private Uni<io.quarkus.oidc.OidcTenantConfig> resolve(final RoutingContext routingContext) {
        final String contextKey = io.quarkus.oidc.OidcTenantConfig.class.getName();
        io.quarkus.oidc.OidcTenantConfig cached = routingContext.get(contextKey);
        if (cached != null) {
            return Uni.createFrom().item(cached);
        }
        setTenantIdAttribute(routingContext);
        return this.resolver.resolveConfig(routingContext).onItem().transform(resolved -> {
            if (resolved == null) {
                throw new OIDCException("Tenant configuration has not been resolved");
            }
            String tenantId = resolved.tenantId().orElse(OidcUtils.DEFAULT_TENANT_ID);
            LOG.debugf("Resolved OIDC tenant id: %s", tenantId);
            routingContext.put(contextKey, resolved);
            if (routingContext.get(OidcUtils.TENANT_ID_ATTRIBUTE) == null) {
                routingContext.put(OidcUtils.TENANT_ID_ATTRIBUTE, tenantId);
            }
            return resolved;
        });
    }

    /**
     * Decides whether the request should go through the authorization-code flow.
     *
     * WEB_APP always does; SERVICE (the default) never does. HYBRID is decided by
     * the presence of an {@code Authorization} header: any such header at all,
     * whatever its scheme, routes the request to the bearer mechanism, so a
     * browser session that also carries an unrelated Authorization header will
     * not be treated as a web-app request.
     */
    private boolean isWebApp(RoutingContext routingContext, io.quarkus.oidc.OidcTenantConfig oidcTenantConfig) {
        OidcTenantConfig.ApplicationType appType = oidcTenantConfig.applicationType().orElse(OidcTenantConfig.ApplicationType.SERVICE);
        if (OidcTenantConfig.ApplicationType.WEB_APP == appType) {
            return true;
        }
        if (OidcTenantConfig.ApplicationType.HYBRID == appType) {
            boolean hasAuthorizationHeader = routingContext.request().getHeader("Authorization") != null;
            return !hasAuthorizationHeader;
        }
        return false;
    }

    /** This mechanism only ever issues token-based authentication requests. */
    @Override
    public Set<Class<? extends AuthenticationRequest>> getCredentialTypes() {
        return Collections.singleton(TokenAuthenticationRequest.class);
    }

    /**
     * Reports how credentials are transported for the resolved tenant.
     *
     * @return the code-flow transport for web-app tenants, an {@code Authorization}
     *         transport using the tenant's configured scheme otherwise, or
     *         {@code null} when the tenant is disabled
     */
    @Override
    public Uni<HttpCredentialTransport> getCredentialTransport(final RoutingContext routingContext) {
        return resolve(routingContext).map(tenant -> {
            if (!tenant.tenantEnabled()) {
                return null;
            }
            if (isWebApp(routingContext, tenant)) {
                return OIDC_WEB_APP_TRANSPORT;
            }
            return new HttpCredentialTransport(HttpCredentialTransport.Type.AUTHORIZATION, tenant.token().authorizationScheme());
        });
    }

    /**
     * Seeds the tenant id attribute from the request cookies when it is not already set.
     *
     * The first cookie, in {@code cookieMap()} iteration order, that is either a
     * session cookie or a state cookie decides the tenant; later matches are
     * ignored, so when a client presents several such cookies the outcome depends
     * on that iteration order. The cookie name is client-controlled, so the
     * resulting tenant id is untrusted input. NOTE(review): presumably the
     * resolver only uses it to select an already-configured tenant and the cookie
     * payload is still verified downstream -- confirm in DefaultTenantConfigResolver
     * and OidcUtils.
     */
    private static void setTenantIdAttribute(RoutingContext routingContext) {
        if (routingContext.get(OidcUtils.TENANT_ID_ATTRIBUTE) != null) {
            return;
        }
        for (String cookieName : routingContext.cookieMap().keySet()) {
            if (OidcUtils.isSessionCookie(cookieName)) {
                setTenantIdAttribute(routingContext, OidcUtils.SESSION_COOKIE_NAME, cookieName, true);
                break;
            }
            if (cookieName.startsWith(OidcUtils.STATE_COOKIE_NAME)) {
                setTenantIdAttribute(routingContext, OidcUtils.STATE_COOKIE_NAME, cookieName, false);
                break;
            }
        }
    }

    /**
     * Extracts the tenant id from a cookie name and records it on the context,
     * together with a marker saying which kind of cookie supplied it.
     *
     * @param cookiePrefix  the session or state cookie base name
     * @param cookieName    the actual cookie name found on the request
     * @param sessionCookie {@code true} for a session cookie, {@code false} for a state cookie
     */
    private static void setTenantIdAttribute(RoutingContext routingContext, String cookiePrefix, String cookieName, boolean sessionCookie) {
        String tenantId = OidcUtils.getTenantIdFromCookie(cookiePrefix, cookieName, sessionCookie);
        routingContext.put(OidcUtils.TENANT_ID_ATTRIBUTE, tenantId);
        String originMarker = sessionCookie ? OidcUtils.TENANT_ID_SET_BY_SESSION_COOKIE : OidcUtils.TENANT_ID_SET_BY_STATE_COOKIE;
        routingContext.put(originMarker, tenantId);
        LOG.debugf("%s cookie set a '%s' tenant id on the %s request path", cookieName, tenantId, routingContext.request().path());
    }

    /** Ordering value handed to the HTTP security layer for this mechanism. */
    @Override
    public int getPriority() {
        return 1001;
    }
}
