package io.quarkus.oidc.runtime;

import io.quarkus.arc.Arc;
import io.quarkus.arc.SyntheticCreationalContext;
import io.quarkus.oidc.AccessTokenCredential;
import io.quarkus.oidc.OIDCException;
import io.quarkus.oidc.Oidc;
import io.quarkus.oidc.TenantIdentityProvider;
import io.quarkus.runtime.annotations.Recorder;
import io.quarkus.runtime.configuration.DurationConverter;
import io.quarkus.security.AuthenticationFailedException;
import io.quarkus.security.identity.AuthenticationRequestContext;
import io.quarkus.security.identity.SecurityIdentity;
import io.quarkus.security.identity.request.TokenAuthenticationRequest;
import io.quarkus.security.runtime.SecurityConfig;
import io.quarkus.security.spi.runtime.BlockingSecurityExecutor;
import io.quarkus.tls.TlsConfigurationRegistry;
import io.quarkus.vertx.http.runtime.security.HttpSecurityUtils;
import io.smallrye.mutiny.Uni;
import io.vertx.core.Vertx;
import io.vertx.ext.web.RoutingContext;
import jakarta.enterprise.event.Event;
import jakarta.enterprise.inject.CreationException;
import jakarta.enterprise.util.TypeLiteral;
import java.lang.annotation.Annotation;
import java.util.HashMap;
import java.util.Map;
import java.util.function.Consumer;
import java.util.function.Function;
import java.util.function.Supplier;
import org.jboss.logging.Logger;

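/**
 * Runtime recorder for the OIDC extension (this is a decompiled listing; the
 * {@code OidcRecorder$N} anonymous-class names in the original output are decompiler
 * artefacts, not source names).
 * <p>
 * It wires up the token introspection/user-info cache, the {@link TenantConfigBean},
 * per-tenant {@link TenantIdentityProvider}s, and the routing interceptors that back the
 * {@code @Tenant} and {@code @AuthenticationContext} annotations. Both interceptors refuse
 * to proceed when the request was already authenticated before they ran, because in that
 * case the tenant or step-up requirement they carry could not have been enforced.
 */
@Recorder
public class OidcRecorder {

    /**
     * Separator between the required {@code acr} values and the max-age duration in the
     * single string handed to the function returned by
     * {@link #authenticationContextInterceptorCreator()}. Presumably chosen so it cannot
     * occur inside an acr value or a duration literal.
     */
    public static final String ACR_VALUES_TO_MAX_AGE_SEPARATOR = "@#$%@";
    static final Logger LOG = Logger.getLogger(OidcRecorder.class);

    /** Error raised by the {@code @Tenant} interceptor; %1$s = annotated tenant, %2$s = already resolved tenant. */
    private static final String TENANT_MISMATCH_MESSAGE = "The '%1$s' selected with the @Tenant annotation must be used to authenticate\n"
            + "the request but it was already authenticated with the '%2$s' tenant. It\n"
            + "can happen if the '%1$s' is selected with an annotation but '%2$s' is\n"
            + "resolved during authentication required by the HTTP Security Policy which\n"
            + "is enforced before the JAX-RS chain is run. In such cases, please set the\n"
            + "'quarkus.http.auth.permission.\"permissions\".applies-to=JAXRS' to all HTTP\n"
            + "Security Policies which secure the same REST endpoints as the ones\n"
            + "where the '%1$s' tenant is resolved by the '@Tenant' annotation.\n";

    /** Error raised by the {@code @AuthenticationContext} interceptor; %s = request path. */
    private static final String AUTH_BEFORE_CONTEXT_MESSAGE = "Authentication has happened before the '@AuthenticationContext' annotation was\n"
            + "matched with the HTTP request path '%s'. It can happen when the authentication\n"
            + "is required by an HTTP Security Policy before the JAX-RS chain is run. In such\n"
            + "cases, please set the 'quarkus.http.auth.permission.\"permissions\".applies-to=JAXRS'\n"
            + "to all HTTP Security Policies which secure the same REST endpoints as the ones\n"
            + "annotated with the '@AuthenticationContext' annotation.\n";

    /**
     * Identity provider pinned to one tenant. It authenticates access tokens against that
     * tenant only and fails outright when the tenant cannot be resolved, never falling back
     * to another tenant's configuration.
     * <p>
     * The decompiler reports the original access modifier as {@code private}; it is kept
     * {@code public} here to match the listing.
     */
    public static final class TenantSpecificOidcIdentityProvider extends OidcIdentityProvider
            implements TenantIdentityProvider {
        private final String tenantId;
        private final BlockingSecurityExecutor blockingExecutor;

        private TenantSpecificOidcIdentityProvider(String tenantId) {
            // Resolve each collaborator exactly once (the listing looked the executor up twice).
            this(tenantId, lookup(DefaultTenantConfigResolver.class), lookup(BlockingSecurityExecutor.class));
        }

        private TenantSpecificOidcIdentityProvider(String tenantId, DefaultTenantConfigResolver resolver,
                BlockingSecurityExecutor executor) {
            super(resolver, executor);
            this.tenantId = tenantId;
            this.blockingExecutor = executor;
        }

        /** Fetches the unqualified bean of {@code type} from the Arc container. */
        private static <T> T lookup(Class<T> type) {
            return Arc.container().instance(type, new Annotation[0]).get();
        }

        @Override // io.quarkus.oidc.TenantIdentityProvider
        public Uni<SecurityIdentity> authenticate(AccessTokenCredential accessTokenCredential) {
            return authenticate(new TokenAuthenticationRequest(accessTokenCredential));
        }

        /**
         * Always resolves {@link #tenantId}; the request and context are not consulted.
         * An unresolvable tenant fails with an {@link OIDCException} rather than letting the
         * token be validated against some other tenant.
         */
        @Override // io.quarkus.oidc.runtime.OidcIdentityProvider
        protected Uni<TenantConfigContext> resolveTenantConfigContext(TokenAuthenticationRequest request,
                AuthenticationRequestContext context) {
            return this.tenantResolver.resolveContext(this.tenantId)
                    .onItem().ifNull()
                    .failWith(() -> new OIDCException("Failed to resolve tenant context"));
        }

        /**
         * Returns the request's {@link RoutingContext} data map when the request carries a
         * routing context (presumably the live, request-scoped map rather than a copy),
         * otherwise a fresh empty map.
         */
        @Override // io.quarkus.oidc.runtime.OidcIdentityProvider
        protected Map<String, Object> getRequestData(TokenAuthenticationRequest request) {
            RoutingContext routingContext = HttpSecurityUtils.getRoutingContextAttribute(request);
            if (routingContext == null) {
                return new HashMap<>();
            }
            return routingContext.data();
        }

        /** Runs the inherited authentication, offloading blocking steps to the security executor. */
        private Uni<SecurityIdentity> authenticate(TokenAuthenticationRequest request) {
            AuthenticationRequestContext context = new AuthenticationRequestContext() {
                public Uni<SecurityIdentity> runBlocking(Supplier<SecurityIdentity> function) {
                    return blockingExecutor.executeBlocking(function);
                }
            };
            return authenticate(request, context);
        }
    }

    /**
     * Supplies the token introspection / user-info cache, created on first {@code get()}
     * from the OIDC configuration and the supplied Vert.x instance.
     */
    public Supplier<DefaultTokenIntrospectionUserInfoCache> setupTokenCache(OidcConfig oidcConfig,
            Supplier<Vertx> vertx) {
        return () -> new DefaultTokenIntrospectionUserInfoCache(oidcConfig, vertx.get());
    }

    /** Records, as a static flag on {@link TenantContextFactory}, whether a UserInfo injection point was detected. */
    public void setUserInfoInjectionPointDetected(boolean detected) {
        TenantContextFactory.userInfoInjectionPointDetected = detected;
    }

    /**
     * Factory for the {@link TenantConfigBean}: wraps the OIDC config in an {@link OidcImpl},
     * fires it as an {@link Oidc} CDI event before the bean is built (so observers see the
     * instance first), and passes {@code securityConfig.events().enabled()} through unchanged.
     */
    public Function<SyntheticCreationalContext<TenantConfigBean>, TenantConfigBean> createTenantConfigBean(
            OidcConfig oidcConfig, Supplier<Vertx> vertx, Supplier<TlsConfigurationRegistry> tlsRegistry,
            SecurityConfig securityConfig) {
        return creationalContext -> {
            OidcImpl oidc = new OidcImpl(oidcConfig);
            Event<Oidc> oidcEvent = creationalContext.getInjectedReference(new TypeLiteral<Event<Oidc>>() {
            }, new Annotation[0]);
            oidcEvent.fire(oidc);
            return new TenantConfigBean(vertx.get(), tlsRegistry.get(), oidc, securityConfig.events().enabled());
        };
    }

    /**
     * Forces creation of the {@link TenantConfigBean} now rather than on first use. A
     * {@link CreationException} whose cause is a {@link RuntimeException} is unwrapped so the
     * underlying error surfaces directly; any other cause leaves the wrapper as-is.
     */
    public void initTenantConfigBean() {
        try {
            Arc.container().instance(TenantConfigBean.class, new Annotation[0]).get();
        } catch (CreationException e) {
            Throwable cause = e.getCause();
            if (cause instanceof RuntimeException) {
                throw (RuntimeException) cause;
            }
            throw e;
        }
    }

    /**
     * Builds the per-endpoint interceptor installed by the {@code @Tenant} annotation. The
     * returned function takes the annotated tenant id and yields a consumer that either
     * records that id on the routing context, or, when the request is already bound to a
     * tenant, enforces that it is the same one.
     */
    public Function<String, Consumer<RoutingContext>> tenantResolverInterceptorCreator() {
        return tenantId -> routingContext -> {
            io.quarkus.oidc.OidcTenantConfig resolvedConfig = routingContext
                    .get(io.quarkus.oidc.OidcTenantConfig.class.getName());
            if (resolvedConfig == null) {
                LOG.debugf("@Tenant annotation set a '%s' tenant id on the %s request path", tenantId,
                        routingContext.request().path());
                routingContext.put(OidcUtils.TENANT_ID_SET_BY_ANNOTATION, tenantId);
                routingContext.put(OidcUtils.TENANT_ID_ATTRIBUTE, tenantId);
                return;
            }
            // Security check: a tenant config on the context means the request was already
            // authenticated (per the message, by an HTTP security policy that runs before the
            // JAX-RS chain) under a tenant resolved some other way. Serving an endpoint pinned
            // to tenant A with an identity established under tenant B would mix tenants, so
            // only an exact id match is accepted; a config without an id never matches.
            String alreadyResolvedTenant = resolvedConfig.tenantId().orElse(null);
            if (!tenantId.equals(alreadyResolvedTenant)) {
                throw new AuthenticationFailedException(
                        TENANT_MISMATCH_MESSAGE.formatted(tenantId, alreadyResolvedTenant));
            }
        };
    }

    /** Supplies a provider that authenticates only against {@code tenantId}; created on first {@code get()}. */
    public Supplier<TenantIdentityProvider> createTenantIdentityProvider(String tenantId) {
        return () -> new TenantSpecificOidcIdentityProvider(tenantId);
    }

    /**
     * Builds the per-endpoint interceptor installed by {@code @AuthenticationContext}, and
     * marks step-up authentication as enabled as a side effect of this call. The returned
     * function takes {@code "<acr values>" + ACR_VALUES_TO_MAX_AGE_SEPARATOR + "<max age>"}
     * (the max-age part may be empty, meaning no max age) and yields a consumer that stores
     * the resulting {@link StepUpAuthenticationPolicy} on the routing context.
     *
     * @throws IllegalArgumentException from the returned function when the separator is absent
     */
    public Function<String, Consumer<RoutingContext>> authenticationContextInterceptorCreator() {
        StepUpAuthenticationPolicy.markAsEnabled();
        return spec -> {
            int separatorAt = spec.indexOf(ACR_VALUES_TO_MAX_AGE_SEPARATOR);
            if (separatorAt < 0) {
                // The listing would reach substring(0, -1) here; fail with a message naming the input.
                throw new IllegalArgumentException("Expected '<acr values>" + ACR_VALUES_TO_MAX_AGE_SEPARATOR
                        + "<max age>' but got '" + spec + "'");
            }
            String acrValues = spec.substring(0, separatorAt);
            String maxAge = spec.substring(separatorAt + ACR_VALUES_TO_MAX_AGE_SEPARATOR.length());
            StepUpAuthenticationPolicy policy = new StepUpAuthenticationPolicy(acrValues,
                    maxAge.isEmpty() ? null : DurationConverter.parseDuration(maxAge));
            return routingContext -> {
                String path = routingContext.request().path();
                // Security check: if a tenant config or a user is already on the context, the
                // request was authenticated before this interceptor ran, so the acr/max-age
                // requirements were not applied to that authentication. Refuse rather than
                // accept a possibly weaker login.
                boolean alreadyAuthenticated = routingContext.get(io.quarkus.oidc.OidcTenantConfig.class.getName()) != null
                        || routingContext.user() != null;
                if (alreadyAuthenticated) {
                    throw new AuthenticationFailedException(AUTH_BEFORE_CONTEXT_MESSAGE.formatted(path));
                }
                LOG.debugf("The '@AuthenticationContext' annotation set required 'acr' values '%s' and max age '%s' for the request path '%s'", acrValues, maxAge, path);
                policy.storeSelfOnContext(routingContext);
            };
        };
    }
}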
