package io.quarkus.oidc.runtime;

import io.quarkus.oidc.TenantResolver;
import io.quarkus.oidc.common.runtime.OidcCommonUtils;
import io.quarkus.vertx.http.runtime.security.ImmutablePathMatcher;
import io.smallrye.mutiny.Uni;
import io.vertx.core.json.JsonObject;
import io.vertx.ext.web.RoutingContext;
import jakarta.enterprise.inject.Instance;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.function.BiFunction;
import org.eclipse.microprofile.jwt.Claims;
import org.jboss.logging.Logger;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:io/quarkus/oidc/runtime/StaticTenantResolver.class */
public final class StaticTenantResolver {
    private static final Logger LOG = Logger.getLogger(StaticTenantResolver.class);
    private final TenantResolver[] staticTenantResolvers;
    private final IssuerBasedTenantResolver issuerBasedTenantResolver;

    /* loaded from: input_file:io/quarkus/oidc/runtime/StaticTenantResolver$DefaultStaticTenantResolver.class */
    private static final class DefaultStaticTenantResolver implements TenantResolver {
        private final TenantConfigBean tenantConfigBean;

        private DefaultStaticTenantResolver(TenantConfigBean tenantConfigBean) {
            this.tenantConfigBean = tenantConfigBean;
        }

        @Override // io.quarkus.oidc.TenantResolver
        public String resolve(RoutingContext routingContext) {
            String[] split = routingContext.request().path().split("/");
            if (split.length <= 0) {
                return null;
            }
            String str = split[split.length - 1];
            if (this.tenantConfigBean.getStaticTenant(str) == null) {
                return null;
            }
            StaticTenantResolver.LOG.debugf("Tenant id '%s' is selected on the '%s' request path", str, routingContext.normalizedPath());
            return str;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/quarkus/oidc/runtime/StaticTenantResolver$IssuerBasedTenantResolver.class */
    public static final class IssuerBasedTenantResolver {
        private final TenantConfigContext[] tenantConfigContexts;
        private final boolean detectedTenantWithoutMetadata;
        private final Map<String, AtomicBoolean> tenantToRetry;

        private IssuerBasedTenantResolver(TenantConfigContext[] tenantConfigContextArr, boolean z, Map<String, AtomicBoolean> map) {
            this.tenantConfigContexts = tenantConfigContextArr;
            this.detectedTenantWithoutMetadata = z;
            this.tenantToRetry = map;
        }

        private Uni<String> resolveTenant(RoutingContext routingContext) {
            return resolveTenant(routingContext, 0);
        }

        private Uni<String> resolveTenant(final RoutingContext routingContext, final int i) {
            if (i == this.tenantConfigContexts.length) {
                return Uni.createFrom().nullItem();
            }
            TenantConfigContext tenantConfigContext = this.tenantConfigContexts[i];
            if (this.detectedTenantWithoutMetadata) {
                if (tenantConfigContext.getOidcMetadata() == null) {
                    if (!tenantConfigContext.ready() && tryToInitialize(tenantConfigContext)) {
                        return tenantConfigContext.initialize().onItemOrFailure().transformToUni(new BiFunction<TenantConfigContext, Throwable, Uni<? extends String>>() { // from class: io.quarkus.oidc.runtime.StaticTenantResolver.IssuerBasedTenantResolver.1
                            @Override // java.util.function.BiFunction
                            public Uni<String> apply(TenantConfigContext tenantConfigContext2, Throwable th) {
                                return th != null ? IssuerBasedTenantResolver.this.resolveTenant(routingContext, i + 1) : (!tenantConfigContext2.ready() || IssuerBasedTenantResolver.isTenantWithoutIssuer(tenantConfigContext2)) ? IssuerBasedTenantResolver.this.resolveTenant(routingContext, i + 1) : IssuerBasedTenantResolver.this.getTenantId(tenantConfigContext2, routingContext, i);
                            }
                        });
                    }
                    return resolveTenant(routingContext, i + 1);
                }
                if (isTenantWithoutIssuer(tenantConfigContext)) {
                    return resolveTenant(routingContext, i + 1);
                }
            }
            return getTenantId(tenantConfigContext, routingContext, i);
        }

        private Uni<String> getTenantId(TenantConfigContext tenantConfigContext, RoutingContext routingContext, int i) {
            String tenantId = getTenantId(routingContext, tenantConfigContext);
            return tenantId == null ? resolveTenant(routingContext, i + 1) : Uni.createFrom().item(tenantId);
        }

        private boolean tryToInitialize(TenantConfigContext tenantConfigContext) {
            return this.tenantToRetry.get(tenantConfigContext.oidcConfig().tenantId().get()).compareAndExchange(true, false);
        }

        private static String getTenantId(RoutingContext routingContext, TenantConfigContext tenantConfigContext) {
            JsonObject decodeJwtContent;
            String extractBearerToken = OidcUtils.extractBearerToken(routingContext, tenantConfigContext.oidcConfig());
            if (extractBearerToken == null || OidcUtils.isOpaqueToken(extractBearerToken) || (decodeJwtContent = OidcCommonUtils.decodeJwtContent(extractBearerToken)) == null) {
                return null;
            }
            String string = decodeJwtContent.getString(Claims.iss.name());
            if (!tenantConfigContext.getOidcMetadata().getIssuer().equals(string)) {
                return null;
            }
            String str = tenantConfigContext.oidcConfig().tenantId().get();
            if (!requiredClaimsMatch(tenantConfigContext.oidcConfig().token().requiredClaims(), decodeJwtContent)) {
                StaticTenantResolver.LOG.debugf("OIDC tenant '%s' issuer matches the token issuer '%s' but does not match the token required claims", str, string);
                return null;
            }
            OidcUtils.storeExtractedBearerToken(routingContext, extractBearerToken);
            StaticTenantResolver.LOG.debugf("Resolved the '%s' OIDC tenant based on the matching issuer '%s'", str, string);
            return str;
        }

        private static boolean requiredClaimsMatch(Map<String, String> map, JsonObject jsonObject) {
            for (Map.Entry<String, String> entry : map.entrySet()) {
                if (!entry.getValue().equals(jsonObject.getString(entry.getKey()))) {
                    return false;
                }
            }
            return true;
        }

        private static boolean isTenantWithoutIssuer(TenantConfigContext tenantConfigContext) {
            return tenantConfigContext.getOidcMetadata().getIssuer() == null || "any".equals(tenantConfigContext.getOidcMetadata().getIssuer());
        }

        private static IssuerBasedTenantResolver of(Map<String, TenantConfigContext> map) {
            ArrayList arrayList = new ArrayList();
            boolean z = false;
            HashMap hashMap = new HashMap();
            for (TenantConfigContext tenantConfigContext : map.values()) {
                if (tenantConfigContext.oidcConfig().tenantEnabled() && !OidcUtils.isWebApp(tenantConfigContext.oidcConfig())) {
                    if (tenantConfigContext.getOidcMetadata() == null) {
                        z = true;
                        arrayList.add(tenantConfigContext);
                        hashMap.put(tenantConfigContext.oidcConfig().tenantId().get(), new AtomicBoolean(true));
                    } else if (tenantConfigContext.getOidcMetadata().getIssuer() != null && !"any".equals(tenantConfigContext.getOidcMetadata().getIssuer())) {
                        arrayList.add(tenantConfigContext);
                    }
                }
            }
            if (arrayList.isEmpty()) {
                return null;
            }
            return new IssuerBasedTenantResolver((TenantConfigContext[]) arrayList.toArray(new TenantConfigContext[0]), z, z ? Map.copyOf(hashMap) : null);
        }

        private static IssuerBasedTenantResolver of(Map<String, TenantConfigContext> map, TenantConfigContext tenantConfigContext) {
            HashMap hashMap = new HashMap(map);
            hashMap.put(OidcUtils.DEFAULT_TENANT_ID, tenantConfigContext);
            IssuerBasedTenantResolver of = of(hashMap);
            if (of != null) {
                return of;
            }
            StaticTenantResolver.LOG.debug("The 'quarkus.oidc.resolve-tenants-with-issuer' configuration property is set to true, but no static tenant supports this feature. To use this feature, please configure at least one static tenant with the discovered or configured issuer and set either 'service' or 'hybrid' application type");
            return null;
        }
    }

    /* loaded from: input_file:io/quarkus/oidc/runtime/StaticTenantResolver$PathMatchingTenantResolver.class */
    private static final class PathMatchingTenantResolver implements TenantResolver {
        private static final String DEFAULT_TENANT = "PathMatchingTenantResolver#DefaultTenant";
        private final ImmutablePathMatcher<String> staticTenantPaths;

        private PathMatchingTenantResolver(ImmutablePathMatcher<String> immutablePathMatcher) {
            this.staticTenantPaths = immutablePathMatcher;
        }

        private static PathMatchingTenantResolver of(Map<String, TenantConfigContext> map, String str, TenantConfigContext tenantConfigContext) {
            ImmutablePathMatcher.ImmutablePathMatcherBuilder rootPath = ImmutablePathMatcher.builder().rootPath(str);
            addPath(DEFAULT_TENANT, tenantConfigContext.oidcConfig(), rootPath);
            for (Map.Entry<String, TenantConfigContext> entry : map.entrySet()) {
                addPath(entry.getKey(), entry.getValue().oidcConfig(), rootPath);
            }
            if (rootPath.hasPaths()) {
                return new PathMatchingTenantResolver(rootPath.build());
            }
            return null;
        }

        @Override // io.quarkus.oidc.TenantResolver
        public String resolve(RoutingContext routingContext) {
            String str = (String) this.staticTenantPaths.match(routingContext.normalizedPath()).getValue();
            if (str == null) {
                return null;
            }
            StaticTenantResolver.LOG.debugf("Tenant id '%s' is selected on the '%s' request path", str, routingContext.normalizedPath());
            return str;
        }

        private static ImmutablePathMatcher.ImmutablePathMatcherBuilder<String> addPath(String str, io.quarkus.oidc.OidcTenantConfig oidcTenantConfig, ImmutablePathMatcher.ImmutablePathMatcherBuilder<String> immutablePathMatcherBuilder) {
            if (oidcTenantConfig != null && oidcTenantConfig.tenantPaths().isPresent()) {
                Iterator<String> it = oidcTenantConfig.tenantPaths().get().iterator();
                while (it.hasNext()) {
                    immutablePathMatcherBuilder.addPath(it.next(), str);
                }
            }
            return immutablePathMatcherBuilder;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public StaticTenantResolver(TenantConfigBean tenantConfigBean, String str, boolean z, Instance<TenantResolver> instance) {
        ArrayList arrayList = new ArrayList();
        if (instance.isResolvable()) {
            if (instance.isAmbiguous()) {
                throw new IllegalStateException("Multiple " + String.valueOf(TenantResolver.class) + " beans registered");
            }
            arrayList.add((TenantResolver) instance.get());
        }
        PathMatchingTenantResolver of = PathMatchingTenantResolver.of(tenantConfigBean.getStaticTenantsConfig(), str, tenantConfigBean.getDefaultTenant());
        if (of != null) {
            arrayList.add(of);
        }
        if (!tenantConfigBean.getStaticTenantsConfig().isEmpty()) {
            arrayList.add(new DefaultStaticTenantResolver(tenantConfigBean));
        }
        this.staticTenantResolvers = (TenantResolver[]) arrayList.toArray(new TenantResolver[0]);
        if (z) {
            this.issuerBasedTenantResolver = IssuerBasedTenantResolver.of(tenantConfigBean.getStaticTenantsConfig(), tenantConfigBean.getDefaultTenant());
        } else {
            this.issuerBasedTenantResolver = null;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public Uni<String> resolve(RoutingContext routingContext) {
        for (TenantResolver tenantResolver : this.staticTenantResolvers) {
            String resolve = tenantResolver.resolve(routingContext);
            if (resolve != null) {
                return Uni.createFrom().item(resolve);
            }
        }
        return this.issuerBasedTenantResolver != null ? this.issuerBasedTenantResolver.resolveTenant(routingContext) : Uni.createFrom().nullItem();
    }
}
