package io.quarkus.oidc.runtime;

import io.quarkus.arc.Arc;
import io.quarkus.arc.ArcContainer;
import io.quarkus.oidc.OIDCException;
import io.quarkus.oidc.OidcConfigurationMetadata;
import io.quarkus.oidc.SecurityEvent;
import io.quarkus.oidc.TenantConfigResolver;
import io.quarkus.oidc.common.OidcRequestContextProperties;
import io.quarkus.oidc.common.runtime.OidcCommonUtils;
import io.quarkus.oidc.common.runtime.OidcTlsSupport;
import io.quarkus.oidc.runtime.OidcTenantConfig;
import io.quarkus.runtime.LaunchMode;
import io.quarkus.runtime.configuration.ConfigurationException;
import io.quarkus.security.spi.runtime.SecurityEventHelper;
import io.quarkus.tls.TlsConfigurationRegistry;
import io.smallrye.jwt.algorithm.KeyEncryptionAlgorithm;
import io.smallrye.jwt.util.KeyUtils;
import io.smallrye.mutiny.TimeoutException;
import io.smallrye.mutiny.Uni;
import io.smallrye.mutiny.groups.UniOnFailure;
import io.vertx.core.Vertx;
import io.vertx.core.json.JsonObject;
import io.vertx.ext.web.client.WebClientOptions;
import io.vertx.mutiny.ext.web.client.WebClient;
import java.lang.annotation.Annotation;
import java.security.Key;
import java.security.PrivateKey;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.BiFunction;
import java.util.function.Function;
import java.util.function.Supplier;
import org.jose4j.jwk.JsonWebKey;
import org.jose4j.jwk.PublicJsonWebKey;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:io/quarkus/oidc/runtime/TenantContextFactory.class */
public final class TenantContextFactory {
    static volatile boolean userInfoInjectionPointDetected = false;
    private final Set<String> tenantsExpectingServerAvailableEvents = ConcurrentHashMap.newKeySet();
    private final Vertx vertx;
    private final OidcTlsSupport tlsSupport;
    private final boolean securityEventsEnabled;

    /* JADX INFO: Access modifiers changed from: package-private */
    public TenantContextFactory(Vertx vertx, TlsConfigurationRegistry tlsConfigurationRegistry, boolean z) {
        this.vertx = vertx;
        this.tlsSupport = OidcTlsSupport.of(tlsConfigurationRegistry);
        this.securityEventsEnabled = z;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public TenantConfigContext createDefaultTenantConfig(Map<String, io.quarkus.oidc.OidcTenantConfig> map, io.quarkus.oidc.OidcTenantConfig oidcTenantConfig) {
        String str = oidcTenantConfig.tenantId().get();
        boolean z = !map.isEmpty();
        return createStaticTenantContext(oidcTenantConfig, z, str, createStaticTenantContextCreator(oidcTenantConfig, z, str));
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public Map<String, TenantConfigContext> createStaticTenantConfigs(Map<String, io.quarkus.oidc.OidcTenantConfig> map, io.quarkus.oidc.OidcTenantConfig oidcTenantConfig) {
        String str = oidcTenantConfig.tenantId().get();
        HashMap hashMap = new HashMap();
        for (Map.Entry<String, io.quarkus.oidc.OidcTenantConfig> entry : map.entrySet()) {
            createStaticTenantConfig(str, entry.getKey(), entry.getValue(), hashMap);
        }
        return Map.copyOf(hashMap);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public Uni<TenantConfigContext> createDynamic(io.quarkus.oidc.OidcTenantConfig oidcTenantConfig) {
        final String orElseThrow = oidcTenantConfig.tenantId().orElseThrow();
        if (OidcUtils.DEFAULT_TENANT_ID.equals(orElseThrow)) {
            throw new ConfigurationException("Dynamic tenant ID cannot be same as the default tenant ID: " + orElseThrow);
        }
        if (oidcTenantConfig.logout().backchannel().path().isPresent()) {
            throw new ConfigurationException("BackChannel Logout is currently not supported for dynamic tenants");
        }
        return createTenantContext(oidcTenantConfig, false, orElseThrow).onFailure().transform(new Function<Throwable, Throwable>() { // from class: io.quarkus.oidc.runtime.TenantContextFactory.1
            @Override // java.util.function.Function
            public Throwable apply(Throwable th) {
                return TenantContextFactory.this.logTenantConfigContextFailure(th, orElseThrow);
            }
        });
    }

    private void createStaticTenantConfig(String str, String str2, io.quarkus.oidc.OidcTenantConfig oidcTenantConfig, Map<String, TenantConfigContext> map) {
        OidcCommonUtils.verifyConfigurationId(str, str2, oidcTenantConfig.tenantId());
        map.put(str2, createStaticTenantContext(oidcTenantConfig, false, str2, createStaticTenantContextCreator(oidcTenantConfig, false, str2)));
    }

    private TenantConfigContext createStaticTenantContext(final io.quarkus.oidc.OidcTenantConfig oidcTenantConfig, boolean z, final String str, final Supplier<Uni<TenantConfigContext>> supplier) {
        try {
            return (TenantConfigContext) createTenantContext(oidcTenantConfig, z, str).onFailure().recoverWithItem(new Function<Throwable, TenantConfigContext>() { // from class: io.quarkus.oidc.runtime.TenantContextFactory.2
                @Override // java.util.function.Function
                public TenantConfigContext apply(Throwable th) {
                    if (th instanceof OIDCException) {
                        OidcRecorder.LOG.warnf("Tenant '%s': '%s'. OIDC server is not available yet, an attempt to connect will be made during the first request. Access to resources protected by this tenant may fail if OIDC server will not become available", str, th.getMessage());
                        return TenantConfigContext.createNotReady(null, oidcTenantConfig, supplier);
                    }
                    TenantContextFactory.this.logTenantConfigContextFailure(th, str);
                    if ((th instanceof ConfigurationException) && !oidcTenantConfig.authServerUrl().isPresent() && LaunchMode.DEVELOPMENT == LaunchMode.current()) {
                        return TenantConfigContext.createNotReady(null, oidcTenantConfig, supplier);
                    }
                    throw new OIDCException(th);
                }
            }).await().atMost(oidcTenantConfig.connectionTimeout());
        } catch (TimeoutException e) {
            OidcRecorder.LOG.warnf("Tenant '%s': OIDC server is not available after a %d seconds timeout, an attempt to connect will be made during the first request. Access to resources protected by this tenant may fail if OIDC server will not become available", str, Long.valueOf(oidcTenantConfig.connectionTimeout().getSeconds()));
            return TenantConfigContext.createNotReady(null, oidcTenantConfig, supplier);
        }
    }

    private Supplier<Uni<TenantConfigContext>> createStaticTenantContextCreator(final io.quarkus.oidc.OidcTenantConfig oidcTenantConfig, final boolean z, final String str) {
        return new Supplier<Uni<TenantConfigContext>>() { // from class: io.quarkus.oidc.runtime.TenantContextFactory.3
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.util.function.Supplier
            public Uni<TenantConfigContext> get() {
                return TenantContextFactory.this.createTenantContext(oidcTenantConfig, z, str).onFailure().transform(new Function<Throwable, Throwable>() { // from class: io.quarkus.oidc.runtime.TenantContextFactory.3.1
                    @Override // java.util.function.Function
                    public Throwable apply(Throwable th) {
                        return TenantContextFactory.this.logTenantConfigContextFailure(th, str);
                    }
                });
            }
        };
    }

    private Throwable logTenantConfigContextFailure(Throwable th, String str) {
        OidcRecorder.LOG.debugf("'%s' tenant is not initialized: '%s'. Access to resources protected by this tenant will fail.", str, th.getMessage());
        return th;
    }

    private Uni<TenantConfigContext> createTenantContext(io.quarkus.oidc.OidcTenantConfig oidcTenantConfig, boolean z, String str) {
        ArcContainer container;
        final io.quarkus.oidc.OidcTenantConfig resolveProviderConfig = OidcUtils.resolveProviderConfig(oidcTenantConfig);
        if (!resolveProviderConfig.tenantEnabled()) {
            OidcRecorder.LOG.debugf("'%s' tenant configuration is disabled", str);
            return Uni.createFrom().item(TenantConfigContext.createReady(new OidcProvider(null, null, null, null), resolveProviderConfig));
        }
        if (resolveProviderConfig.authServerUrl().isEmpty()) {
            if (resolveProviderConfig.publicKey().isPresent() && resolveProviderConfig.certificateChain().trustStoreFile().isPresent()) {
                throw new ConfigurationException("Both public key and certificate chain verification modes are enabled");
            }
            if (resolveProviderConfig.publicKey().isPresent()) {
                return Uni.createFrom().item(createTenantContextFromPublicKey(resolveProviderConfig));
            }
            if (resolveProviderConfig.certificateChain().trustStoreFile().isPresent()) {
                return Uni.createFrom().item(createTenantContextToVerifyCertChain(resolveProviderConfig));
            }
        }
        try {
            if (resolveProviderConfig.authServerUrl().isEmpty()) {
                if (!OidcUtils.DEFAULT_TENANT_ID.equals(resolveProviderConfig.tenantId().get()) || (container = Arc.container()) == null || (!container.instance(TenantConfigResolver.class, new Annotation[0]).isAvailable() && !z)) {
                    throw new ConfigurationException("'" + getConfigPropertyForTenant(str, SecurityEvent.AUTH_SERVER_URL) + "' property must be configured");
                }
                OidcRecorder.LOG.debugf("Default tenant is not configured and will be disabled because either 'TenantConfigResolver' which will resolve tenant configurations is registered or named tenants are configured.", new Object[0]);
                resolveProviderConfig.tenantEnabled = false;
                return Uni.createFrom().item(TenantConfigContext.createReady(new OidcProvider(null, null, null, null), resolveProviderConfig));
            }
            OidcCommonUtils.verifyEndpointUrl((String) resolveProviderConfig.authServerUrl().get());
            OidcCommonUtils.verifyCommonConfiguration(resolveProviderConfig, OidcUtils.isServiceApp(resolveProviderConfig), true);
            if (resolveProviderConfig.roles().source().orElse(null) == OidcTenantConfig.Roles.Source.userinfo && !enableUserInfo(resolveProviderConfig)) {
                throw new ConfigurationException("UserInfo is not required but UserInfo is expected to be the source of authorization roles");
            }
            if (resolveProviderConfig.token().verifyAccessTokenWithUserInfo().orElse(false).booleanValue() && !OidcUtils.isWebApp(resolveProviderConfig) && !enableUserInfo(resolveProviderConfig)) {
                throw new ConfigurationException("UserInfo is not required but '%s' is enabled".formatted(getConfigPropertyForTenant(str, "token.verify-access-token-with-user-info")));
            }
            if (!resolveProviderConfig.authentication().idTokenRequired().orElse(true).booleanValue() && !enableUserInfo(resolveProviderConfig)) {
                throw new ConfigurationException("UserInfo is not required for OIDC tenant '%s' but it will be needed to verify a code flow access token".formatted(str));
            }
            if (!((Boolean) resolveProviderConfig.discoveryEnabled().orElse(true)).booleanValue()) {
                if (!OidcUtils.isServiceApp(resolveProviderConfig) && (resolveProviderConfig.authorizationPath().isEmpty() || resolveProviderConfig.tokenPath().isEmpty())) {
                    String configPropertyForTenant = getConfigPropertyForTenant(str, "authorization-path");
                    String configPropertyForTenant2 = getConfigPropertyForTenant(str, "token-path");
                    throw new ConfigurationException("'web-app' applications must have '" + configPropertyForTenant + "' and '" + configPropertyForTenant2 + "' properties set when the discovery is disabled.", Set.of(configPropertyForTenant, configPropertyForTenant2));
                }
                if (resolveProviderConfig.jwksPath().isEmpty() && resolveProviderConfig.introspectionPath().isEmpty()) {
                    if (resolveProviderConfig.authentication().idTokenRequired().orElse(true).booleanValue() || !resolveProviderConfig.authentication().userInfoRequired().orElse(false).booleanValue()) {
                        throw new ConfigurationException("Either 'jwks-path' or 'introspection-path' properties must be set when the discovery is disabled.", Set.of("quarkus.oidc.jwks-path", "quarkus.oidc.introspection-path"));
                    }
                    OidcRecorder.LOG.debugf("tenant %s supports only UserInfo", resolveProviderConfig.tenantId().get());
                }
                if (resolveProviderConfig.authentication().userInfoRequired().orElse(false).booleanValue() && resolveProviderConfig.userInfoPath().isEmpty()) {
                    String configPropertyForTenant3 = getConfigPropertyForTenant(str, "user-info-path");
                    throw new ConfigurationException("UserInfo is required but '" + configPropertyForTenant3 + "' is not configured.", Set.of(configPropertyForTenant3));
                }
            }
            if (OidcUtils.isServiceApp(resolveProviderConfig)) {
                if (resolveProviderConfig.token().refreshExpired()) {
                    throw new ConfigurationException("The '" + getConfigPropertyForTenant(str, "token.refresh-expired") + "' property can only be enabled for " + String.valueOf(OidcTenantConfig.ApplicationType.WEB_APP) + " application types");
                }
                if (resolveProviderConfig.token().refreshTokenTimeSkew().isPresent()) {
                    throw new ConfigurationException("The '" + getConfigPropertyForTenant(str, "token.refresh-token-time-skew") + "' property can only be enabled for " + String.valueOf(OidcTenantConfig.ApplicationType.WEB_APP) + " application types");
                }
                if (resolveProviderConfig.logout().path().isPresent()) {
                    throw new ConfigurationException("The '" + getConfigPropertyForTenant(str, "logout.path") + "' property can only be enabled for " + String.valueOf(OidcTenantConfig.ApplicationType.WEB_APP) + " application types");
                }
                if (resolveProviderConfig.roles().source().isPresent() && resolveProviderConfig.roles().source().get() == OidcTenantConfig.Roles.Source.idtoken) {
                    throw new ConfigurationException("The '" + getConfigPropertyForTenant(str, "roles.source") + "' property can only be set to 'idtoken' for " + String.valueOf(OidcTenantConfig.ApplicationType.WEB_APP) + " application types");
                }
            } else if (resolveProviderConfig.token().refreshTokenTimeSkew().isPresent()) {
                resolveProviderConfig.token.setRefreshExpired(true);
            }
            if (resolveProviderConfig.tokenStateManager().strategy() != OidcTenantConfig.TokenStateManager.Strategy.KEEP_ALL_TOKENS) {
                if (resolveProviderConfig.authentication().userInfoRequired().orElse(false).booleanValue() || resolveProviderConfig.roles().source().orElse(null) == OidcTenantConfig.Roles.Source.userinfo) {
                    throw new ConfigurationException("UserInfo is required but DefaultTokenStateManager is configured to not keep the access token");
                }
                if (resolveProviderConfig.roles().source().orElse(null) == OidcTenantConfig.Roles.Source.accesstoken) {
                    throw new ConfigurationException("Access token is required to check the roles but DefaultTokenStateManager is configured to not keep the access token");
                }
            }
            if (resolveProviderConfig.token().verifyAccessTokenWithUserInfo().orElse(false).booleanValue() && !((Boolean) resolveProviderConfig.discoveryEnabled().orElse(true)).booleanValue()) {
                if (resolveProviderConfig.userInfoPath().isEmpty()) {
                    throw new ConfigurationException("UserInfo path is missing but 'verifyAccessTokenWithUserInfo' is enabled");
                }
                if (resolveProviderConfig.introspectionPath().isPresent()) {
                    throw new ConfigurationException("Introspection path is configured and 'verifyAccessTokenWithUserInfo' is enabled, these options are mutually exclusive");
                }
            }
            if (resolveProviderConfig.token().issuedAtRequired() || !resolveProviderConfig.token().age().isPresent()) {
                return createOidcProvider(resolveProviderConfig).onItem().transform(new Function<OidcProvider, TenantConfigContext>() { // from class: io.quarkus.oidc.runtime.TenantContextFactory.4
                    @Override // java.util.function.Function
                    public TenantConfigContext apply(OidcProvider oidcProvider) {
                        return TenantConfigContext.createReady(oidcProvider, resolveProviderConfig);
                    }
                });
            }
            String configPropertyForTenant4 = getConfigPropertyForTenant(str, "token.issued-at-required");
            String configPropertyForTenant5 = getConfigPropertyForTenant(str, "token.age");
            throw new ConfigurationException("The '" + configPropertyForTenant4 + "' can only be set to false if '" + configPropertyForTenant5 + "' is not set. Either set '" + configPropertyForTenant4 + "' to true or do not set '" + configPropertyForTenant5 + "'.", Set.of(configPropertyForTenant4, configPropertyForTenant5));
        } catch (ConfigurationException e) {
            return Uni.createFrom().failure(e);
        }
    }

    private String getConfigPropertyForTenant(String str, String str2) {
        return OidcUtils.DEFAULT_TENANT_ID.equals(str) ? "quarkus.oidc." + str2 : "quarkus.oidc." + str + "." + str2;
    }

    private boolean enableUserInfo(io.quarkus.oidc.OidcTenantConfig oidcTenantConfig) {
        Optional<Boolean> userInfoRequired = oidcTenantConfig.authentication().userInfoRequired();
        if (userInfoRequired.isPresent()) {
            return userInfoRequired.get().booleanValue();
        }
        oidcTenantConfig.authentication.setUserInfoRequired(true);
        return true;
    }

    private TenantConfigContext createTenantContextFromPublicKey(io.quarkus.oidc.OidcTenantConfig oidcTenantConfig) {
        if (!OidcUtils.isServiceApp(oidcTenantConfig)) {
            throw new ConfigurationException("'public-key' property can only be used with the 'service' applications");
        }
        OidcRecorder.LOG.debug("'public-key' property for the local token verification is set, no connection to the OIDC server will be created");
        return TenantConfigContext.createReady(new OidcProvider(oidcTenantConfig.publicKey().get(), oidcTenantConfig, readTokenDecryptionKey(oidcTenantConfig)), oidcTenantConfig);
    }

    private TenantConfigContext createTenantContextToVerifyCertChain(io.quarkus.oidc.OidcTenantConfig oidcTenantConfig) {
        if (OidcUtils.isServiceApp(oidcTenantConfig)) {
            return TenantConfigContext.createReady(new OidcProvider(null, oidcTenantConfig, readTokenDecryptionKey(oidcTenantConfig)), oidcTenantConfig);
        }
        throw new ConfigurationException("Currently only 'service' applications can be used to verify tokens with inlined certificate chains");
    }

    private OIDCException toOidcException(Throwable th, String str, String str2) {
        OidcRecorder.LOG.warn(OidcCommonUtils.formatConnectionErrorMessage(str));
        fireOidcServerNotAvailableEvent(str, str2);
        return new OIDCException("OIDC Server is not available", th);
    }

    private Uni<OidcProvider> createOidcProvider(final io.quarkus.oidc.OidcTenantConfig oidcTenantConfig) {
        return createOidcClientUni(oidcTenantConfig).flatMap(new Function<OidcProviderClientImpl, Uni<? extends OidcProvider>>() { // from class: io.quarkus.oidc.runtime.TenantContextFactory.5
            @Override // java.util.function.Function
            public Uni<OidcProvider> apply(final OidcProviderClientImpl oidcProviderClientImpl) {
                return (!oidcTenantConfig.jwks().resolveEarly() || oidcProviderClientImpl.getMetadata().getJsonWebKeySetUri() == null || oidcTenantConfig.token().requireJwtIntrospectionOnly()) ? Uni.createFrom().item(new OidcProvider(oidcProviderClientImpl, oidcTenantConfig, null, TenantContextFactory.this.readTokenDecryptionKey(oidcTenantConfig))) : TenantContextFactory.this.getJsonWebSetUni(oidcProviderClientImpl, oidcTenantConfig).onItem().transform(new Function<JsonWebKeySet, OidcProvider>() { // from class: io.quarkus.oidc.runtime.TenantContextFactory.5.1
                    @Override // java.util.function.Function
                    public OidcProvider apply(JsonWebKeySet jsonWebKeySet) {
                        return new OidcProvider(oidcProviderClientImpl, oidcTenantConfig, jsonWebKeySet, TenantContextFactory.this.readTokenDecryptionKey(oidcTenantConfig));
                    }
                });
            }
        });
    }

    private Key readTokenDecryptionKey(io.quarkus.oidc.OidcTenantConfig oidcTenantConfig) {
        List loadJsonWebKeys;
        if (!oidcTenantConfig.token().decryptionKeyLocation().isPresent()) {
            return null;
        }
        try {
            PrivateKey privateKey = null;
            String readKeyContent = KeyUtils.readKeyContent(oidcTenantConfig.token().decryptionKeyLocation().get());
            if (readKeyContent != null && (loadJsonWebKeys = KeyUtils.loadJsonWebKeys(readKeyContent)) != null && loadJsonWebKeys.size() == 1 && ((((JsonWebKey) loadJsonWebKeys.get(0)).getAlgorithm() == null || ((JsonWebKey) loadJsonWebKeys.get(0)).getAlgorithm().equals(KeyEncryptionAlgorithm.RSA_OAEP.getAlgorithm())) && ("enc".equals(((JsonWebKey) loadJsonWebKeys.get(0)).getUse()) || ((JsonWebKey) loadJsonWebKeys.get(0)).getUse() == null))) {
                privateKey = ((PublicJsonWebKey) PublicJsonWebKey.class.cast(loadJsonWebKeys.get(0))).getPrivateKey();
            }
            if (privateKey == null) {
                privateKey = KeyUtils.decodeDecryptionPrivateKey(readKeyContent);
            }
            return privateKey;
        } catch (Exception e) {
            throw new ConfigurationException(String.format("Token decryption key for tenant %s can not be read from %s", oidcTenantConfig.tenantId().get(), oidcTenantConfig.token().decryptionKeyLocation().get()), e);
        }
    }

    private Uni<JsonWebKeySet> getJsonWebSetUni(OidcProviderClientImpl oidcProviderClientImpl, final io.quarkus.oidc.OidcTenantConfig oidcTenantConfig) {
        if (((Boolean) oidcTenantConfig.discoveryEnabled().orElse(true)).booleanValue()) {
            return oidcProviderClientImpl.getJsonWebKeySet(null);
        }
        final String orElse = oidcTenantConfig.tenantId().orElse(OidcUtils.DEFAULT_TENANT_ID);
        return shouldFireOidcServerAvailableEvent(orElse) ? getJsonWebSetUniWhenDiscoveryDisabled(oidcProviderClientImpl, oidcTenantConfig).invoke(new Runnable() { // from class: io.quarkus.oidc.runtime.TenantContextFactory.6
            @Override // java.lang.Runnable
            public void run() {
                TenantContextFactory.this.fireOidcServerAvailableEvent((String) oidcTenantConfig.authServerUrl().get(), orElse);
            }
        }) : getJsonWebSetUniWhenDiscoveryDisabled(oidcProviderClientImpl, oidcTenantConfig);
    }

    private Uni<JsonWebKeySet> getJsonWebSetUniWhenDiscoveryDisabled(OidcProviderClientImpl oidcProviderClientImpl, final io.quarkus.oidc.OidcTenantConfig oidcTenantConfig) {
        UniOnFailure onFailure = oidcProviderClientImpl.getJsonWebKeySet(null).onFailure(OidcCommonUtils.oidcEndpointNotAvailable()).retry().withBackOff(OidcCommonUtils.CONNECTION_BACKOFF_DURATION, OidcCommonUtils.CONNECTION_BACKOFF_DURATION).expireIn(OidcCommonUtils.getConnectionDelayInMillis(oidcTenantConfig)).onFailure().transform(new Function<Throwable, Throwable>() { // from class: io.quarkus.oidc.runtime.TenantContextFactory.7
            @Override // java.util.function.Function
            public Throwable apply(Throwable th) {
                return TenantContextFactory.this.toOidcException(th, (String) oidcTenantConfig.authServerUrl().get(), oidcTenantConfig.tenantId().orElse(OidcUtils.DEFAULT_TENANT_ID));
            }
        }).onFailure();
        Objects.requireNonNull(oidcProviderClientImpl);
        return onFailure.invoke(oidcProviderClientImpl::close);
    }

    private Uni<OidcProviderClientImpl> createOidcClientUni(final io.quarkus.oidc.OidcTenantConfig oidcTenantConfig) {
        Uni transform;
        final String authServerUrl = OidcCommonUtils.getAuthServerUrl(oidcTenantConfig);
        WebClientOptions webClientOptions = new WebClientOptions();
        webClientOptions.setFollowRedirects(oidcTenantConfig.followRedirects());
        OidcCommonUtils.setHttpClientOptions(oidcTenantConfig, webClientOptions, this.tlsSupport.forConfig(oidcTenantConfig.tls()));
        io.vertx.mutiny.core.Vertx vertx = new io.vertx.mutiny.core.Vertx(this.vertx);
        final WebClient create = WebClient.create(vertx, webClientOptions);
        final Map oidcRequestFilters = OidcCommonUtils.getOidcRequestFilters();
        final Map oidcResponseFilters = OidcCommonUtils.getOidcResponseFilters();
        if (((Boolean) oidcTenantConfig.discoveryEnabled().orElse(true)).booleanValue()) {
            transform = OidcCommonUtils.discoverMetadata(create, oidcRequestFilters, new OidcRequestContextProperties(Map.of(OidcUtils.TENANT_ID_ATTRIBUTE, oidcTenantConfig.tenantId().orElse(OidcUtils.DEFAULT_TENANT_ID))), oidcResponseFilters, authServerUrl, OidcCommonUtils.getConnectionDelayInMillis(oidcTenantConfig), vertx, oidcTenantConfig.useBlockingDnsLookup()).onItem().transform(new Function<JsonObject, OidcConfigurationMetadata>() { // from class: io.quarkus.oidc.runtime.TenantContextFactory.8
                @Override // java.util.function.Function
                public OidcConfigurationMetadata apply(JsonObject jsonObject) {
                    return new OidcConfigurationMetadata(jsonObject, TenantContextFactory.this.createLocalMetadata(oidcTenantConfig, authServerUrl), OidcCommonUtils.getDiscoveryUri(authServerUrl));
                }
            });
        } else {
            transform = Uni.createFrom().item(createLocalMetadata(oidcTenantConfig, authServerUrl));
        }
        return transform.onItemOrFailure().transformToUni(new BiFunction<OidcConfigurationMetadata, Throwable, Uni<? extends OidcProviderClientImpl>>() { // from class: io.quarkus.oidc.runtime.TenantContextFactory.9
            @Override // java.util.function.BiFunction
            public Uni<OidcProviderClientImpl> apply(OidcConfigurationMetadata oidcConfigurationMetadata, Throwable th) {
                String orElse = oidcTenantConfig.tenantId().orElse(OidcUtils.DEFAULT_TENANT_ID);
                if (th != null) {
                    create.close();
                    return Uni.createFrom().failure(TenantContextFactory.this.toOidcException(th, authServerUrl, orElse));
                }
                if (TenantContextFactory.this.shouldFireOidcServerAvailableEvent(orElse)) {
                    TenantContextFactory.this.fireOidcServerAvailableEvent(authServerUrl, orElse);
                }
                if (oidcConfigurationMetadata == null) {
                    create.close();
                    return Uni.createFrom().failure(new ConfigurationException("OpenId Connect Provider configuration metadata is not configured and can not be discovered"));
                }
                if (oidcTenantConfig.logout().path().isPresent() && oidcTenantConfig.endSessionPath().isEmpty() && oidcConfigurationMetadata.getEndSessionUri() == null) {
                    create.close();
                    return Uni.createFrom().failure(new ConfigurationException("The application supports RP-Initiated Logout but the OpenID Provider does not advertise the end_session_endpoint"));
                }
                if (TenantContextFactory.userInfoInjectionPointDetected && oidcConfigurationMetadata.getUserInfoUri() != null) {
                    TenantContextFactory.this.enableUserInfo(oidcTenantConfig);
                }
                if (!oidcTenantConfig.authentication().userInfoRequired().orElse(false).booleanValue() || oidcConfigurationMetadata.getUserInfoUri() != null) {
                    return Uni.createFrom().item(new OidcProviderClientImpl(create, TenantContextFactory.this.vertx, oidcConfigurationMetadata, oidcTenantConfig, oidcRequestFilters, oidcResponseFilters));
                }
                create.close();
                return Uni.createFrom().failure(new ConfigurationException("UserInfo is required but the OpenID Provider UserInfo endpoint is not configured. Use 'quarkus.oidc.user-info-path' if the discovery is disabled."));
            }
        });
    }

    private OidcConfigurationMetadata createLocalMetadata(io.quarkus.oidc.OidcTenantConfig oidcTenantConfig, String str) {
        return new OidcConfigurationMetadata(OidcCommonUtils.getOidcEndpointUrl(str, oidcTenantConfig.tokenPath()), OidcCommonUtils.getOidcEndpointUrl(str, oidcTenantConfig.introspectionPath()), OidcCommonUtils.getOidcEndpointUrl(str, oidcTenantConfig.authorizationPath()), OidcCommonUtils.getOidcEndpointUrl(str, oidcTenantConfig.jwksPath()), OidcCommonUtils.getOidcEndpointUrl(str, oidcTenantConfig.userInfoPath()), OidcCommonUtils.getOidcEndpointUrl(str, oidcTenantConfig.endSessionPath()), OidcCommonUtils.getOidcEndpointUrl(str, oidcTenantConfig.registrationPath()), OidcCommonUtils.getOidcEndpointUrl(str, oidcTenantConfig.revokePath()), oidcTenantConfig.token().issuer().orElse(null));
    }

    private void fireOidcServerNotAvailableEvent(String str, String str2) {
        if (fireOidcServerEvent(str, SecurityEvent.Type.OIDC_SERVER_NOT_AVAILABLE)) {
            this.tenantsExpectingServerAvailableEvents.add(str2);
        }
    }

    private void fireOidcServerAvailableEvent(String str, String str2) {
        if (fireOidcServerEvent(str, SecurityEvent.Type.OIDC_SERVER_AVAILABLE)) {
            this.tenantsExpectingServerAvailableEvents.remove(str2);
        }
    }

    private boolean shouldFireOidcServerAvailableEvent(String str) {
        return this.tenantsExpectingServerAvailableEvents.contains(str);
    }

    private boolean fireOidcServerEvent(String str, SecurityEvent.Type type) {
        if (!this.securityEventsEnabled) {
            return false;
        }
        SecurityEventHelper.fire(Arc.container().beanManager().getEvent().select(SecurityEvent.class, new Annotation[0]), new SecurityEvent(type, (Map<String, Object>) Map.of(SecurityEvent.AUTH_SERVER_URL, str)));
        return true;
    }
}
