package io.quarkus.vertx.http.runtime.security;

import io.quarkus.arc.Arc;
import io.quarkus.arc.ClientProxy;
import io.quarkus.arc.InjectableInstance;
import io.quarkus.security.identity.IdentityProvider;
import io.quarkus.security.identity.request.AuthenticationRequest;
import io.quarkus.security.identity.request.UsernamePasswordAuthenticationRequest;
import io.quarkus.vertx.http.runtime.AuthRuntimeConfig;
import io.quarkus.vertx.http.runtime.PolicyMappingConfig;
import io.quarkus.vertx.http.runtime.VertxHttpBuildTimeConfig;
import io.quarkus.vertx.http.runtime.VertxHttpConfig;
import io.quarkus.vertx.http.runtime.security.HttpAuthenticator;
import io.quarkus.vertx.http.runtime.security.annotation.BasicAuthentication;
import io.quarkus.vertx.http.security.HttpSecurity;
import io.smallrye.config.SmallRyeConfig;
import io.vertx.core.http.ClientAuth;
import jakarta.enterprise.inject.Instance;
import java.lang.annotation.Annotation;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.runtime.ObjectMethods;
import java.util.ArrayList;
import java.util.Comparator;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import org.eclipse.microprofile.config.ConfigProvider;
import org.jboss.logging.Logger;

/* loaded from: input_file:io/quarkus/vertx/http/runtime/security/HttpSecurityConfiguration.class */
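/**
 * Holder of the HTTP security settings used by the Vert.x HTTP layer: the roles mapping, the HTTP
 * permissions, whether basic and form authentication are enabled, and the authentication
 * mechanisms registered on the {@link HttpSecurityImpl} built in {@link #prepareHttpSecurity}.
 *
 * <p>A single instance is created lazily and cached in a {@code volatile} static field. The
 * unsynchronized read in {@link #get(VertxHttpConfig, VertxHttpBuildTimeConfig)} is backed by a
 * re-check inside the {@code synchronized} initializer. {@link #clear()} drops the cached instance
 * without taking that lock.
 *
 * <p>This listing is decompiler output. Members carrying a "JADX INFO: Access modifiers changed"
 * comment were package-private in the class file.
 */
public final class HttpSecurityConfiguration {
    private static final Logger LOG = Logger.getLogger(HttpSecurityConfiguration.class);
    private static volatile HttpSecurityConfiguration instance = null;
    private final RolesMapping rolesMapping;
    private final List<HttpPermissionCarrier> httpPermissions;
    // Empty means "not configured", which addAuthenticationMechanism treats differently from false.
    private final Optional<Boolean> basicAuthEnabled;
    private final boolean formAuthEnabled;
    private final String formPostLocation;
    // Mechanisms taken from HttpSecurityImpl#getMechanisms(), as opposed to the CDI beans.
    private final List<HttpAuthenticationMechanism> additionalMechanisms;
    private final VertxHttpConfig httpConfig;

    /**
     * Pairs an authentication mechanism name with its instance. Carriers built from configuration
     * in this class supply only the name and leave {@code instance} {@code null}.
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public record AuthenticationMechanism(String name, HttpAuthenticationMechanism instance) {
    }

    /** One HTTP permission: the paths and methods it covers plus the mechanism and policy to apply. */
    /* JADX INFO: Access modifiers changed from: package-private */
    public interface HttpPermissionCarrier {
        Set<String> getPaths();

        boolean isShared();

        boolean shouldApplyToJaxRs();

        Set<String> getMethods();

        /** @return the selected mechanism, or {@code null} when the permission names none */
        AuthenticationMechanism getAuthMechanism();

        Policy getPolicy();

        /** Derives the scope from {@link #shouldApplyToJaxRs()}: JAXRS when true, ALL otherwise. */
        default PolicyMappingConfig.AppliesTo getAppliesTo() {
            return shouldApplyToJaxRs() ? PolicyMappingConfig.AppliesTo.JAXRS : PolicyMappingConfig.AppliesTo.ALL;
        }
    }

    /**
     * Pairs a security policy name with its instance. Carriers built from configuration in this
     * class supply only the name and leave {@code instance} {@code null}.
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public record Policy(String name, HttpSecurityPolicy instance) {
    }

    private HttpSecurityConfiguration(RolesMapping rolesMapping, List<HttpPermissionCarrier> httpPermissions,
            Optional<Boolean> basicAuthEnabled, boolean formAuthEnabled, String formPostLocation,
            List<HttpAuthenticationMechanism> additionalMechanisms, VertxHttpConfig httpConfig) {
        this.rolesMapping = rolesMapping;
        this.httpPermissions = httpPermissions;
        this.basicAuthEnabled = basicAuthEnabled;
        this.formAuthEnabled = formAuthEnabled;
        this.formPostLocation = formPostLocation;
        this.additionalMechanisms = additionalMechanisms;
        this.httpConfig = httpConfig;
    }

    /**
     * Returns the registered {@link BasicAuthenticationMechanism}, or a new one built from the
     * configured realm and the form-auth flag when none was registered.
     *
     * <p>The lookup compares classes with {@code ==}, so a subclass of
     * {@code BasicAuthenticationMechanism} is not treated as a match.
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public BasicAuthenticationMechanism getBasicAuthenticationMechanism() {
        BasicAuthenticationMechanism registered = findExactType(this.additionalMechanisms,
                BasicAuthenticationMechanism.class);
        if (registered != null) {
            return registered;
        }
        return new BasicAuthenticationMechanism(this.httpConfig.auth().realm().orElse(null), this.formAuthEnabled);
    }

    /**
     * Returns the registered {@link FormAuthenticationMechanism}, or a new one built from the form
     * configuration and the configured encryption key when none was registered.
     *
     * <p>The lookup compares classes with {@code ==}, so subclasses are not treated as a match.
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public FormAuthenticationMechanism getFormAuthenticationMechanism() {
        FormAuthenticationMechanism registered = findExactType(this.additionalMechanisms,
                FormAuthenticationMechanism.class);
        if (registered != null) {
            return registered;
        }
        return new FormAuthenticationMechanism(this.httpConfig.auth().form(), this.httpConfig.encryptionKey());
    }

    /**
     * Collects the usable authentication mechanisms, highest priority first.
     *
     * <p>Candidates are the {@link HttpAuthenticationMechanism} beans in the Arc container followed
     * by the additionally registered mechanisms. Each goes through
     * {@link #addAuthenticationMechanism}. If nothing qualifies, the result is a single
     * {@code HttpAuthenticator.NoAuthenticationMechanism}.
     *
     * @param identityProviders the identity providers available to back the mechanisms
     * @param inclusiveAuth whether inclusive authentication is enabled; when it is and an
     *        {@link MtlsAuthenticationMechanism} bean is resolvable, that mechanism must sort first
     * @return the mechanisms ordered by descending {@code getPriority()}
     * @throws IllegalStateException if inclusive authentication is enabled and the first mechanism
     *         is not the mTLS mechanism
     * @throws RuntimeException if a mechanism declares credential types that no identity provider
     *         supports (see {@link #addAuthenticationMechanism})
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public HttpAuthenticationMechanism[] getMechanisms(Instance<IdentityProvider<?>> identityProviders,
            boolean inclusiveAuth) {
        InjectableInstance<HttpAuthenticationMechanism> mechanismBeans = Arc.container()
                .select(HttpAuthenticationMechanism.class);
        List<HttpAuthenticationMechanism> usable = new ArrayList<>();
        for (HttpAuthenticationMechanism bean : mechanismBeans) {
            addAuthenticationMechanism(identityProviders, bean, usable);
        }
        for (HttpAuthenticationMechanism additional : this.additionalMechanisms) {
            addAuthenticationMechanism(identityProviders, additional, usable);
        }
        addBasicAuthMechanismIfImplicitlyRequired(mechanismBeans, usable, identityProviders);

        if (usable.isEmpty()) {
            return new HttpAuthenticationMechanism[] { new HttpAuthenticator.NoAuthenticationMechanism() };
        }

        // Descending priority; List.sort is stable, so equal priorities keep their insertion order.
        usable.sort((left, right) -> Integer.compare(right.getPriority(), left.getPriority()));
        HttpAuthenticationMechanism[] sorted = usable.toArray(new HttpAuthenticationMechanism[0]);

        if (inclusiveAuth && mechanismBeans.select(MtlsAuthenticationMechanism.class).isResolvable()) {
            // Unwrap the client proxy so the instanceof test sees the real bean class.
            HttpAuthenticationMechanism first = ClientProxy.unwrap(sorted[0]);
            if (!(first instanceof MtlsAuthenticationMechanism)) {
                throw new IllegalStateException("Inclusive authentication is enabled and '%s' does not have\nthe highest priority. Please lower priority of the '%s' authentication mechanism under '%s'.\n".formatted(MtlsAuthenticationMechanism.class.getName(), first.getClass().getName(), MtlsAuthenticationMechanism.INCLUSIVE_AUTHENTICATION_PRIORITY));
            }
        }
        return sorted;
    }

    /** Returns the cached configuration, resolving the HTTP config mappings itself if needed. */
    /* JADX INFO: Access modifiers changed from: package-private */
    public static HttpSecurityConfiguration get() {
        return get(null, null);
    }

    /**
     * Returns the cached configuration, creating it on first use.
     *
     * @param vertxHttpConfig runtime HTTP configuration, or {@code null} to look it up
     * @param vertxHttpBuildTimeConfig build-time HTTP configuration; must be non-null whenever
     *        {@code vertxHttpConfig} is non-null and the instance still has to be created
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public static HttpSecurityConfiguration get(VertxHttpConfig vertxHttpConfig,
            VertxHttpBuildTimeConfig vertxHttpBuildTimeConfig) {
        HttpSecurityConfiguration cached = instance;
        return cached != null ? cached : initializeHttpSecurityConfiguration(vertxHttpConfig, vertxHttpBuildTimeConfig);
    }

    /** Drops the cached instance so that the next {@code get} call rebuilds it. */
    /* JADX INFO: Access modifiers changed from: package-private */
    public static void clear() {
        instance = null;
    }

    /**
     * Builds and caches the singleton unless another thread already did.
     *
     * <p>Basic and form authentication count as enabled when the build-time configuration enables
     * them or when a mechanism of exactly that class was registered on the
     * {@link HttpSecurityImpl}. In the latter case the form post location comes from the
     * registered mechanism.
     *
     * @throws NullPointerException if {@code vertxHttpConfig} is given without
     *         {@code vertxHttpBuildTimeConfig}
     */
    private static synchronized HttpSecurityConfiguration initializeHttpSecurityConfiguration(
            VertxHttpConfig vertxHttpConfig, VertxHttpBuildTimeConfig vertxHttpBuildTimeConfig) {
        if (instance != null) {
            return instance;
        }

        VertxHttpConfig runtimeConfig;
        VertxHttpBuildTimeConfig buildTimeConfig;
        if (vertxHttpConfig == null) {
            SmallRyeConfig smallRyeConfig = ConfigProvider.getConfig().unwrap(SmallRyeConfig.class);
            runtimeConfig = smallRyeConfig.getConfigMapping(VertxHttpConfig.class);
            buildTimeConfig = smallRyeConfig.getConfigMapping(VertxHttpBuildTimeConfig.class);
        } else {
            runtimeConfig = vertxHttpConfig;
            buildTimeConfig = Objects.requireNonNull(vertxHttpBuildTimeConfig);
        }

        HttpSecurityImpl httpSecurity = prepareHttpSecurity(runtimeConfig, buildTimeConfig.tlsClientAuth());
        List<HttpAuthenticationMechanism> mechanisms = httpSecurity.getMechanisms();

        Optional<Boolean> basicEnabled = buildTimeConfig.auth().basic();
        if (!basicEnabled.orElse(Boolean.FALSE)
                && findExactType(mechanisms, BasicAuthenticationMechanism.class) != null) {
            basicEnabled = Optional.of(Boolean.TRUE);
        }

        boolean formEnabled = buildTimeConfig.auth().form();
        String postLocation = runtimeConfig.auth().form().postLocation();
        if (!formEnabled) {
            FormAuthenticationMechanism registeredForm = findExactType(mechanisms, FormAuthenticationMechanism.class);
            if (registeredForm != null) {
                formEnabled = true;
                postLocation = registeredForm.getPostLocation();
            }
        }

        // Store the resolved config rather than the raw parameter. The parameter is null when the
        // instance is created through get(), and getBasicAuthenticationMechanism() /
        // getFormAuthenticationMechanism() dereference this field in their fallback branch.
        instance = new HttpSecurityConfiguration(httpSecurity.getRolesMapping(), httpSecurity.getHttpPermissions(),
                basicEnabled, formEnabled, postLocation, mechanisms, runtimeConfig);
        return instance;
    }

    /**
     * Creates the {@link HttpSecurityImpl}, seeds it from the runtime auth configuration and then
     * fires it as an {@link HttpSecurity} CDI event. The roles mapping, permissions and mechanisms
     * are read back from it afterwards by the caller.
     */
    private static HttpSecurityImpl prepareHttpSecurity(VertxHttpConfig vertxHttpConfig, ClientAuth clientAuth) {
        HttpSecurityImpl httpSecurity = new HttpSecurityImpl(clientAuth, vertxHttpConfig);
        addAuthRuntimeConfigToHttpSecurity(vertxHttpConfig.auth(), httpSecurity);
        Arc.container().beanManager().getEvent().select(HttpSecurity.class).fire(httpSecurity);
        return httpSecurity;
    }

    /** Copies the configured roles mapping (when non-empty) and permissions onto the builder. */
    private static void addAuthRuntimeConfigToHttpSecurity(AuthRuntimeConfig authRuntimeConfig,
            HttpSecurityImpl httpSecurity) {
        if (!authRuntimeConfig.rolesMapping().isEmpty()) {
            httpSecurity.rolesMapping(authRuntimeConfig.rolesMapping());
        }
        httpSecurity.addHttpPermissions(adaptToHttpPermissionCarriers(authRuntimeConfig.permissions()));
    }

    /**
     * Converts configured permission mappings into carriers.
     *
     * <p>Mappings that are disabled or that list no paths are dropped, so they contribute no
     * permission check at all.
     *
     * @param map permission mappings; only the map values are used
     * @return a new mutable list with one carrier per retained mapping
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public static List<HttpPermissionCarrier> adaptToHttpPermissionCarriers(Map<String, PolicyMappingConfig> map) {
        List<HttpPermissionCarrier> carriers = new ArrayList<>();
        for (PolicyMappingConfig mapping : map.values()) {
            HttpPermissionCarrier carrier = adaptToHttpPermissionCarrier(mapping);
            if (carrier != null) {
                carriers.add(carrier);
            }
        }
        return carriers;
    }

    /**
     * Wraps one mapping in a carrier that reads through to the mapping on every call.
     *
     * @return the carrier, or {@code null} if the mapping is disabled or has no paths
     */
    private static HttpPermissionCarrier adaptToHttpPermissionCarrier(final PolicyMappingConfig policyMappingConfig) {
        boolean enabled = policyMappingConfig.enabled().orElse(true);
        if (!enabled || policyMappingConfig.paths().isEmpty() || policyMappingConfig.paths().get().isEmpty()) {
            return null;
        }
        return new HttpPermissionCarrier() {
            @Override
            public Set<String> getPaths() {
                return Set.copyOf(policyMappingConfig.paths().get());
            }

            @Override
            public boolean isShared() {
                return policyMappingConfig.shared();
            }

            @Override
            public boolean shouldApplyToJaxRs() {
                return policyMappingConfig.appliesTo() == PolicyMappingConfig.AppliesTo.JAXRS;
            }

            @Override
            public Set<String> getMethods() {
                if (policyMappingConfig.methods().isEmpty()) {
                    return Set.of();
                }
                return Set.copyOf(policyMappingConfig.methods().get());
            }

            @Override
            public AuthenticationMechanism getAuthMechanism() {
                // An absent or empty name means the permission does not select a mechanism.
                return policyMappingConfig.authMechanism()
                        .filter(mechanismName -> !mechanismName.isEmpty())
                        .map(mechanismName -> new AuthenticationMechanism(mechanismName, null))
                        .orElse(null);
            }

            @Override
            public Policy getPolicy() {
                return new Policy(policyMappingConfig.policy(), null);
            }

            @Override
            public PolicyMappingConfig.AppliesTo getAppliesTo() {
                return policyMappingConfig.appliesTo();
            }
        };
    }

    /**
     * Adds {@code mechanism} to {@code target} if it can actually authenticate.
     *
     * <ul>
     * <li>A mechanism that declares no credential types is added as is; no identity provider is
     * checked for it.</li>
     * <li>Otherwise at least one identity provider must handle one of its credential types.</li>
     * <li>The only tolerated miss is the exact {@link BasicAuthenticationMechanism} class while
     * basic authentication was left unconfigured: it is skipped with a debug message.</li>
     * </ul>
     *
     * @throws RuntimeException if no identity provider supports any of the declared credential
     *         types and the tolerated case above does not apply
     */
    private void addAuthenticationMechanism(Instance<IdentityProvider<?>> identityProviders,
            HttpAuthenticationMechanism mechanism, List<HttpAuthenticationMechanism> target) {
        if (mechanism.getCredentialTypes().isEmpty()) {
            LOG.debugf("HttpAuthenticationMechanism '%s' provided no required credential types, therefore it needs to be able to perform authentication without any IdentityProvider", mechanism.getClass().getName());
            target.add(mechanism);
            return;
        }
        if (hasIdentityProviderFor(identityProviders, mechanism)) {
            target.add(mechanism);
            return;
        }
        boolean implicitBasic = BasicAuthenticationMechanism.class.equals(mechanism.getClass())
                && this.basicAuthEnabled.isEmpty();
        if (!implicitBasic) {
            throw new RuntimeException("HttpAuthenticationMechanism '%s' requires one or more IdentityProviders supporting at least one\nof the following credentials types: %s.\nPlease refer to the https://quarkus.io/guides/security-identity-providers for more information.\n".formatted(mechanism.getClass().getName(), mechanism.getCredentialTypes()));
        }
        LOG.debug("BasicAuthenticationMechanism has been enabled because no other authentication mechanism has been\ndetected, but there is no IdentityProvider based on username and password. Please use\none of supported extensions if you plan to use the mechanism.\nFor more information go to the https://quarkus.io/guides/security-basic-authentication-howto.\n");
    }

    /** Tells whether any identity provider's request type equals one of the mechanism's credential types. */
    private static boolean hasIdentityProviderFor(Instance<IdentityProvider<?>> identityProviders,
            HttpAuthenticationMechanism mechanism) {
        for (Class<? extends AuthenticationRequest> credentialType : mechanism.getCredentialTypes()) {
            for (IdentityProvider<?> provider : identityProviders) {
                if (provider.getRequestType().equals(credentialType)) {
                    return true;
                }
            }
        }
        return false;
    }

    /**
     * Adds the basic authentication bean when it was not enabled explicitly but something asks
     * for it.
     *
     * <p>Nothing happens when basic authentication is already enabled, when the JVM system
     * property named by {@code HttpAuthenticator.TEST_IF_BASIC_AUTH_IMPLICITLY_REQUIRED} is not
     * {@code true}, or when {@link #isBasicAuthNotRequired()} holds. Otherwise the bean is added
     * only if an identity provider handles {@link UsernamePasswordAuthenticationRequest}. If none
     * does, the mechanism is left out and a debug message is logged.
     */
    private void addBasicAuthMechanismIfImplicitlyRequired(Instance<HttpAuthenticationMechanism> mechanismBeans,
            List<HttpAuthenticationMechanism> target, Instance<IdentityProvider<?>> identityProviders) {
        if (this.basicAuthEnabled.orElse(Boolean.FALSE)
                || !Boolean.getBoolean(HttpAuthenticator.TEST_IF_BASIC_AUTH_IMPLICITLY_REQUIRED)
                || isBasicAuthNotRequired()) {
            return;
        }
        Instance<BasicAuthenticationMechanism> basicBean = mechanismBeans.select(BasicAuthenticationMechanism.class);
        if (!basicBean.isResolvable() || target.contains(basicBean.get())) {
            return;
        }
        for (IdentityProvider<?> provider : identityProviders) {
            if (UsernamePasswordAuthenticationRequest.class.equals(provider.getRequestType())) {
                target.add(basicBean.get());
                return;
            }
        }
        LOG.debug("BasicAuthenticationMechanism has been enabled because no custom authentication mechanism has been detected\nand basic authentication is required either by the HTTP Security Policy or '@BasicAuthentication', but\nthere is no IdentityProvider based on username and password. Please use one of supported extensions.\nFor more information, go to the https://quarkus.io/guides/security-basic-authentication-howto.\n");
    }

    /**
     * Returns {@code false} when basic authentication is asked for: either the JVM system property
     * named by {@code HttpAuthenticator.BASIC_AUTH_ANNOTATION_DETECTED} is {@code true}, or some
     * HTTP permission selects the {@code BasicAuthentication.AUTH_MECHANISM_SCHEME} mechanism.
     */
    private boolean isBasicAuthNotRequired() {
        if (Boolean.getBoolean(HttpAuthenticator.BASIC_AUTH_ANNOTATION_DETECTED)) {
            return false;
        }
        for (HttpPermissionCarrier permission : this.httpPermissions) {
            AuthenticationMechanism selected = permission.getAuthMechanism();
            if (selected != null && BasicAuthentication.AUTH_MECHANISM_SCHEME.equals(selected.name())) {
                return false;
            }
        }
        return true;
    }

    /**
     * Returns the first mechanism whose runtime class is exactly {@code type}, or {@code null}.
     * Subclasses of {@code type} are deliberately not matched, as in the original comparisons.
     */
    private static <T extends HttpAuthenticationMechanism> T findExactType(List<HttpAuthenticationMechanism> mechanisms,
            Class<T> type) {
        for (HttpAuthenticationMechanism candidate : mechanisms) {
            if (candidate.getClass() == type) {
                return type.cast(candidate);
            }
        }
        return null;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public RolesMapping rolesMapping() {
        return this.rolesMapping;
    }

    /**
     * Returns the permission list held by this configuration. The list is handed out without a
     * defensive copy, so callers are expected to treat it as read-only.
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public List<HttpPermissionCarrier> httpPermissions() {
        return this.httpPermissions;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public boolean formAuthEnabled() {
        return this.formAuthEnabled;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public String formPostLocation() {
        return this.formPostLocation;
    }
}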
