package io.quarkus.vertx.http.runtime.security;

import io.quarkus.security.StringPermission;
import io.quarkus.security.identity.SecurityIdentity;
import io.quarkus.vertx.http.runtime.VertxHttpConfig;
import io.quarkus.vertx.http.runtime.VertxHttpRecorder;
import io.quarkus.vertx.http.runtime.security.HttpSecurityConfiguration;
import io.quarkus.vertx.http.runtime.security.HttpSecurityPolicy;
import io.quarkus.vertx.http.runtime.security.annotation.BasicAuthentication;
import io.quarkus.vertx.http.runtime.security.annotation.FormAuthentication;
import io.quarkus.vertx.http.runtime.security.annotation.MTLSAuthentication;
import io.quarkus.vertx.http.security.Basic;
import io.quarkus.vertx.http.security.HttpSecurity;
import io.smallrye.config.SmallRyeConfigBuilder;
import io.smallrye.mutiny.Uni;
import io.vertx.core.http.ClientAuth;
import io.vertx.ext.web.RoutingContext;
import java.security.Permission;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.function.BiConsumer;
import java.util.function.BiFunction;
import java.util.function.BiPredicate;
import java.util.function.Predicate;
import org.jboss.logging.Logger;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:io/quarkus/vertx/http/runtime/security/HttpSecurityImpl.class */
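/**
 * Mutable builder behind the {@link HttpSecurity} fluent API.
 *
 * <p>It collects authentication mechanisms, path-based permissions and an optional roles mapping.
 * The collected state is read back through the getters at the bottom of the class. No
 * synchronization is visible in this class, so it appears to be meant for single-threaded
 * configuration.
 */
public final class HttpSecurityImpl implements HttpSecurity {
    private static final Logger LOG = Logger.getLogger(HttpSecurityImpl.class.getName());
    private final VertxHttpConfig vertxHttpConfig;
    private ClientAuth clientAuth;
    private RolesMapping rolesMapping = null;
    private final List<HttpSecurityConfiguration.HttpPermissionCarrier> httpPermissions = new ArrayList<>();
    private final List<HttpAuthenticationMechanism> mechanisms = new ArrayList<>();

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/quarkus/vertx/http/runtime/security/HttpSecurityImpl$AuthorizationPolicy.class */
    /**
     * Holds the single authorization policy chosen for one {@link HttpPermissionImpl}.
     *
     * <p>Every setter first checks that no policy has been stored on this instance yet, so one
     * instance accepts exactly one policy. Each setter returns the enclosing
     * {@link HttpSecurityImpl}, which ends the per-path chain.
     */
    public final class AuthorizationPolicy implements HttpSecurity.Authorization {
        private HttpSecurityConfiguration.Policy policy = null;

        private AuthorizationPolicy() {
        }

        /**
         * Selects the named permit policy for the enclosing permission.
         *
         * @return the enclosing {@link HttpSecurityImpl}
         * @throws IllegalArgumentException if a policy has already been set on this instance
         */
        @Override // io.quarkus.vertx.http.security.HttpSecurity.Authorization
        public HttpSecurity permit() {
            validatePolicyNotSetYet();
            this.policy = new HttpSecurityConfiguration.Policy(PermitSecurityPolicy.NAME, null);
            return HttpSecurityImpl.this;
        }

        /**
         * Selects the named deny policy for the enclosing permission.
         *
         * @return the enclosing {@link HttpSecurityImpl}
         * @throws IllegalArgumentException if a policy has already been set on this instance
         */
        @Override // io.quarkus.vertx.http.security.HttpSecurity.Authorization
        public HttpSecurity deny() {
            validatePolicyNotSetYet();
            this.policy = new HttpSecurityConfiguration.Policy(DenySecurityPolicy.NAME, null);
            return HttpSecurityImpl.this;
        }

        /**
         * Requires the given roles, with a role-to-roles mapping handed to the policy.
         *
         * @param map role-to-roles mapping passed to {@code RolesAllowedHttpSecurityPolicy}; must not be null
         * @param strArr allowed roles; must not be null or empty
         * @return the enclosing {@link HttpSecurityImpl}
         * @throws IllegalArgumentException if a policy is already set, the roles are empty or the map is null
         */
        @Override // io.quarkus.vertx.http.security.HttpSecurity.Authorization
        public HttpSecurity roles(Map<String, List<String>> map, String... strArr) {
            validatePolicyNotSetYet();
            if (strArr == null || strArr.length == 0) {
                throw new IllegalArgumentException("Roles must not be empty");
            }
            if (map == null) {
                throw new IllegalArgumentException("Role to roles mapping must not be null");
            }
            // Copy the varargs array so that later writes to the caller's array cannot change the
            // allowed roles; paths, methods and permissions are copied the same way in this file.
            // NOTE(review): the map is passed by reference; whether the policy copies it is not visible here.
            this.policy = new HttpSecurityConfiguration.Policy(null,
                    new RolesAllowedHttpSecurityPolicy(Arrays.asList(strArr.clone()), null, map));
            return HttpSecurityImpl.this;
        }

        /**
         * Requires the given roles without any role-to-roles mapping.
         *
         * @param strArr allowed roles; must not be null or empty
         * @return the enclosing {@link HttpSecurityImpl}
         */
        @Override // io.quarkus.vertx.http.security.HttpSecurity.Authorization
        public HttpSecurity roles(String... strArr) {
            return roles(Map.of(), strArr);
        }

        /**
         * Requires the identity to hold every one of the given permissions.
         *
         * @param permissionArr required permissions; must not be null or empty
         * @return the enclosing {@link HttpSecurityImpl}
         * @throws IllegalArgumentException if a policy is already set or no permission is given
         */
        @Override // io.quarkus.vertx.http.security.HttpSecurity.Authorization
        public HttpSecurity permissions(Permission... permissionArr) {
            validatePolicyNotSetYet();
            if (permissionArr == null || permissionArr.length == 0) {
                throw new IllegalArgumentException("Permissions must not be empty");
            }
            this.policy = new HttpSecurityConfiguration.Policy(null, new PermissionsHttpSecurityPolicy(permissionArr));
            return HttpSecurityImpl.this;
        }

        /**
         * Same as {@link #permissions(Permission...)}, with each name wrapped in a
         * {@link StringPermission} that carries no actions.
         *
         * @param strArr permission names; must not be null
         * @return the enclosing {@link HttpSecurityImpl}
         * @throws NullPointerException if {@code strArr} is null
         */
        @Override // io.quarkus.vertx.http.security.HttpSecurity.Authorization
        public HttpSecurity permissions(String... strArr) {
            Objects.requireNonNull(strArr);
            StringPermission[] stringPermissionArr = new StringPermission[strArr.length];
            for (int i = 0; i < strArr.length; i++) {
                stringPermissionArr[i] = new StringPermission(strArr[i], new String[0]);
            }
            // The cast pins the Permission... overload; an empty array is rejected there.
            return permissions((Permission[]) stringPermissionArr);
        }

        /**
         * Stores a caller-supplied policy instance.
         *
         * @param httpSecurityPolicy policy to apply; must not be null
         * @return the enclosing {@link HttpSecurityImpl}
         * @throws IllegalArgumentException if a policy is already set or the argument is null
         */
        @Override // io.quarkus.vertx.http.security.HttpSecurity.Authorization
        public HttpSecurity policy(HttpSecurityPolicy httpSecurityPolicy) {
            validatePolicyNotSetYet();
            if (httpSecurityPolicy == null) {
                throw new IllegalArgumentException("HttpSecurityPolicy must not be null");
            }
            this.policy = new HttpSecurityConfiguration.Policy(null, httpSecurityPolicy);
            return HttpSecurityImpl.this;
        }

        /**
         * Grants access when the identity is not anonymous and the predicate accepts it.
         *
         * @param predicate test applied to authenticated identities; must not be null
         * @return the enclosing {@link HttpSecurityImpl}
         * @throws IllegalArgumentException if the predicate is null or a policy is already set
         */
        @Override // io.quarkus.vertx.http.security.HttpSecurity.Authorization
        public HttpSecurity policy(Predicate<SecurityIdentity> predicate) {
            // Fail at configuration time. A null predicate would otherwise throw on every request
            // and be turned into a deny that is only logged at debug level.
            if (predicate == null) {
                throw new IllegalArgumentException("Predicate must not be null");
            }
            BiPredicate<SecurityIdentity, RoutingContext> authenticatedOnly =
                    (securityIdentity, routingContext) -> !securityIdentity.isAnonymous() && predicate.test(securityIdentity);
            return policy(authenticatedOnly);
        }

        /**
         * Grants access when the predicate accepts the identity and the routing context.
         *
         * <p>Unlike {@link #policy(Predicate)}, no anonymous check is added here; the predicate
         * decides about anonymous identities itself.
         *
         * @param biPredicate test applied to the identity and request; must not be null
         * @return the enclosing {@link HttpSecurityImpl}
         * @throws IllegalArgumentException if the predicate is null or a policy is already set
         */
        @Override // io.quarkus.vertx.http.security.HttpSecurity.Authorization
        public HttpSecurity policy(BiPredicate<SecurityIdentity, RoutingContext> biPredicate) {
            if (biPredicate == null) {
                throw new IllegalArgumentException("Predicate must not be null");
            }
            return policy(new SimpleHttpSecurityPolicy(biPredicate));
        }

        /** Selects the named "authenticated" policy; used by the enclosing permission. */
        private HttpSecurity authenticated() {
            validatePolicyNotSetYet();
            this.policy = new HttpSecurityConfiguration.Policy(AuthenticatedHttpSecurityPolicy.NAME, null);
            return HttpSecurityImpl.this;
        }

        /** Rejects a second policy on the same instance. */
        private void validatePolicyNotSetYet() {
            if (this.policy != null) {
                throw new IllegalArgumentException("Policy has already been set");
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/quarkus/vertx/http/runtime/security/HttpSecurityImpl$HttpPermissionImpl.class */
    /**
     * One path-based permission: the paths it covers, optional HTTP methods, an optional
     * authentication mechanism and the authorization policy.
     *
     * <p>Choosing an authentication mechanism installs the "authenticated" policy when no
     * authorization has been chosen yet, so a path with a mechanism is never left without a policy.
     */
    public final class HttpPermissionImpl implements HttpSecurity.HttpPermission, HttpSecurityConfiguration.HttpPermissionCarrier {
        private final String[] paths;
        private HttpSecurityConfiguration.AuthenticationMechanism authMechanism = null;
        private AuthorizationPolicy authorizationPolicy = null;
        private boolean shared = false;
        private String[] methods = null;
        private boolean applyToJaxRs = false;

        private HttpPermissionImpl(String[] strArr) {
            // Defensive copy: the caller keeps its own array.
            this.paths = Arrays.copyOf(strArr, strArr.length);
        }

        /** Installs the "authenticated" policy when no authorization has been chosen yet. */
        private void requireAuthenticationByDefault() {
            if (this.authorizationPolicy == null) {
                authenticated();
            }
        }

        /** Rejects a second authentication mechanism on the same permission. */
        private void validateAuthenticationNotSetYet() {
            if (this.authMechanism != null) {
                throw new IllegalArgumentException("Authentication has already been set");
            }
        }

        /**
         * Rejects a second authorization only while no authentication mechanism is set.
         *
         * <p>With a mechanism set, the existing policy may be the default installed by
         * {@link #requireAuthenticationByDefault()}, so replacing it is allowed.
         */
        private void validateAuthorizationNotSetYet() {
            // NOTE(review): once a mechanism is set this check never fires. Repeated authorization
            // calls on a retained HttpPermission reference are therefore all accepted and the last
            // one wins, for example a permit() after a roles(...). Confirm this is intended.
            if (this.authMechanism == null && this.authorizationPolicy != null) {
                throw new IllegalArgumentException("Authorization has already been set");
            }
        }

        /** Requires authentication with the Basic mechanism scheme. */
        @Override // io.quarkus.vertx.http.security.HttpSecurity.HttpPermission
        public HttpSecurity.HttpPermission basic() {
            return authenticatedWith(BasicAuthentication.AUTH_MECHANISM_SCHEME);
        }

        /** Requires authentication with the form mechanism scheme. */
        @Override // io.quarkus.vertx.http.security.HttpSecurity.HttpPermission
        public HttpSecurity.HttpPermission form() {
            return authenticatedWith(FormAuthentication.AUTH_MECHANISM_SCHEME);
        }

        /**
         * Requires authentication with the mutual TLS mechanism scheme.
         *
         * @throws IllegalStateException if TLS client authentication is configured as {@code NONE}
         */
        @Override // io.quarkus.vertx.http.security.HttpSecurity.HttpPermission
        public HttpSecurity.HttpPermission mTLS() {
            // NOTE(review): only ClientAuth.NONE is rejected; a null clientAuth passes this check.
            // Confirm the constructor is never given null.
            if (ClientAuth.NONE.equals(HttpSecurityImpl.this.clientAuth)) {
                throw new IllegalStateException("TLS client authentication is not available, please set the 'quarkus.http.ssl.client-auth' configuration property to 'required' or 'request'");
            }
            return authenticatedWith(MTLSAuthentication.AUTH_MECHANISM_SCHEME);
        }

        /** Requires authentication with the {@code Bearer} scheme. */
        @Override // io.quarkus.vertx.http.security.HttpSecurity.HttpPermission
        public HttpSecurity.HttpPermission bearer() {
            return authenticatedWith("Bearer");
        }

        /** Requires authentication with the {@code webauthn} scheme. */
        @Override // io.quarkus.vertx.http.security.HttpSecurity.HttpPermission
        public HttpSecurity.HttpPermission webAuthn() {
            return authenticatedWith("webauthn");
        }

        /** Requires authentication with the {@code code} scheme. */
        @Override // io.quarkus.vertx.http.security.HttpSecurity.HttpPermission
        public HttpSecurity.HttpPermission authorizationCodeFlow() {
            return authenticatedWith("code");
        }

        /** Selects the "authenticated" policy and ends the per-path chain. */
        @Override // io.quarkus.vertx.http.security.HttpSecurity.HttpPermission
        public HttpSecurity authenticated() {
            return authorization().authenticated();
        }

        /**
         * Binds this permission to the named authentication mechanism.
         *
         * @param str mechanism scheme; must not be null or blank
         * @return this permission, for further chaining
         * @throws IllegalArgumentException if a mechanism is already set or the name is null or blank
         */
        @Override // io.quarkus.vertx.http.security.HttpSecurity.HttpPermission
        public HttpSecurity.HttpPermission authenticatedWith(String str) {
            validateAuthenticationNotSetYet();
            // Validate the argument before touching state. Otherwise a rejected call would still
            // install the default policy and block a later authorization() call.
            if (str == null || str.isBlank()) {
                throw new IllegalArgumentException("Authentication mechanism must not be null or blank");
            }
            requireAuthenticationByDefault();
            this.authMechanism = new HttpSecurityConfiguration.AuthenticationMechanism(str, null);
            return this;
        }

        /** Marks this permission as shared. */
        @Override // io.quarkus.vertx.http.security.HttpSecurity.HttpPermission
        public HttpSecurity.HttpPermission shared() {
            this.shared = true;
            return this;
        }

        /** Marks this permission as applying to JAX-RS. */
        @Override // io.quarkus.vertx.http.security.HttpSecurity.HttpPermission
        public HttpSecurity.HttpPermission applyToJaxRs() {
            this.applyToJaxRs = true;
            return this;
        }

        /**
         * Restricts this permission to the given HTTP methods.
         *
         * @param strArr HTTP method names; must not be null or empty
         * @return this permission, for further chaining
         * @throws IllegalArgumentException if no method is given
         */
        @Override // io.quarkus.vertx.http.security.HttpSecurity.HttpPermission
        public HttpSecurity.HttpPermission methods(String... strArr) {
            if (strArr == null || strArr.length == 0) {
                throw new IllegalArgumentException("HTTP methods must not be null or empty");
            }
            // NOTE(review): names are stored as given, without case normalisation or validation.
            // Whether matching is case-sensitive is decided outside this class.
            this.methods = Arrays.copyOf(strArr, strArr.length);
            return this;
        }

        /**
         * Starts a new authorization choice for this permission.
         *
         * @return a fresh {@link AuthorizationPolicy} that replaces any previously stored one
         * @throws IllegalArgumentException if authorization is already set and no mechanism is set
         */
        @Override // io.quarkus.vertx.http.security.HttpSecurity.HttpPermission
        public AuthorizationPolicy authorization() {
            validateAuthorizationNotSetYet();
            this.authorizationPolicy = new AuthorizationPolicy();
            return this.authorizationPolicy;
        }

        /** Shortcut for {@code authorization().permit()}. */
        @Override // io.quarkus.vertx.http.security.HttpSecurity.HttpPermission
        public HttpSecurity permit() {
            return authorization().permit();
        }

        /** Shortcut for {@code authorization().roles(...)}. */
        @Override // io.quarkus.vertx.http.security.HttpSecurity.HttpPermission
        public HttpSecurity roles(String... strArr) {
            return authorization().roles(strArr);
        }

        /** Shortcut for {@code authorization().policy(...)}. */
        @Override // io.quarkus.vertx.http.security.HttpSecurity.HttpPermission
        public HttpSecurity policy(HttpSecurityPolicy httpSecurityPolicy) {
            return authorization().policy(httpSecurityPolicy);
        }

        /**
         * Returns the configured paths as an immutable set.
         *
         * @throws IllegalArgumentException if the paths contain duplicates (from {@link Set#of})
         * @throws NullPointerException if a path is null (from {@link Set#of})
         */
        @Override // io.quarkus.vertx.http.runtime.security.HttpSecurityConfiguration.HttpPermissionCarrier
        public Set<String> getPaths() {
            // Pass the String[] directly. The decompiler's (Object[]) cast made this a Set<Object>.
            return Set.of(this.paths);
        }

        @Override // io.quarkus.vertx.http.runtime.security.HttpSecurityConfiguration.HttpPermissionCarrier
        public boolean isShared() {
            return this.shared;
        }

        @Override // io.quarkus.vertx.http.runtime.security.HttpSecurityConfiguration.HttpPermissionCarrier
        public boolean shouldApplyToJaxRs() {
            return this.applyToJaxRs;
        }

        /** Returns the configured HTTP methods, or an empty set when none were given. */
        @Override // io.quarkus.vertx.http.runtime.security.HttpSecurityConfiguration.HttpPermissionCarrier
        public Set<String> getMethods() {
            if (this.methods == null) {
                return Set.of();
            }
            return Set.of(this.methods);
        }

        /** Returns the selected authentication mechanism, or null when none was selected. */
        @Override // io.quarkus.vertx.http.runtime.security.HttpSecurityConfiguration.HttpPermissionCarrier
        public HttpSecurityConfiguration.AuthenticationMechanism getAuthMechanism() {
            return this.authMechanism;
        }

        /**
         * Returns the chosen policy.
         *
         * @throws IllegalStateException if the builder chain never selected a policy; the
         *         permission is rejected instead of being treated as unprotected
         */
        @Override // io.quarkus.vertx.http.runtime.security.HttpSecurityConfiguration.HttpPermissionCarrier
        public HttpSecurityConfiguration.Policy getPolicy() {
            if (this.authorizationPolicy == null || this.authorizationPolicy.policy == null) {
                throw new IllegalStateException("Authorization Policy has not been set for paths: " + getPaths());
            }
            return this.authorizationPolicy.policy;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/quarkus/vertx/http/runtime/security/HttpSecurityImpl$PermissionsHttpSecurityPolicy.class */
    /**
     * Policy that permits a request only when the identity holds every configured permission.
     *
     * <p>Permissions are checked one after another and the first refusal or failure denies the
     * request. Anonymous identities and authentication failures are denied without any check.
     */
    public static final class PermissionsHttpSecurityPolicy implements HttpSecurityPolicy {
        private final Permission[] permissions;

        private PermissionsHttpSecurityPolicy(Permission[] permissionArr) {
            // Defensive copy. The only caller in this file rejects an empty array; an empty array
            // here would permit every authenticated identity (see logicalAndPermissionCheck).
            this.permissions = Arrays.copyOf(permissionArr, permissionArr.length);
        }

        @Override // io.quarkus.vertx.http.runtime.security.HttpSecurityPolicy
        public Uni<HttpSecurityPolicy.CheckResult> checkPermission(RoutingContext routingContext, Uni<SecurityIdentity> uni, HttpSecurityPolicy.AuthorizationRequestContext authorizationRequestContext) {
            return uni.onItemOrFailure().transformToUni(new BiFunction<SecurityIdentity, Throwable, Uni<? extends HttpSecurityPolicy.CheckResult>>() {
                @Override // java.util.function.BiFunction
                public Uni<? extends HttpSecurityPolicy.CheckResult> apply(SecurityIdentity securityIdentity, Throwable th) {
                    if (th == null && securityIdentity != null && !securityIdentity.isAnonymous()) {
                        return PermissionsHttpSecurityPolicy.this.logicalAndPermissionCheck(securityIdentity, 0);
                    }
                    // Fail closed; the cause is kept in the debug log.
                    if (th != null) {
                        HttpSecurityImpl.LOG.debug("Authentication failed, denying access", th);
                    }
                    return HttpSecurityPolicy.CheckResult.deny();
                }
            });
        }

        /**
         * Checks the permission at index {@code i} and continues with the next one on success.
         *
         * @param securityIdentity identity being checked
         * @param i index of the permission to check next
         * @return permit once every permission has passed, deny on the first refusal or failure
         */
        private Uni<HttpSecurityPolicy.CheckResult> logicalAndPermissionCheck(final SecurityIdentity securityIdentity, final int i) {
            if (this.permissions.length == i) {
                // Every permission has passed.
                return HttpSecurityPolicy.CheckResult.permit();
            }
            return securityIdentity.checkPermission(this.permissions[i]).onItemOrFailure().transformToUni(new BiFunction<Boolean, Throwable, Uni<? extends HttpSecurityPolicy.CheckResult>>() {
                @Override // java.util.function.BiFunction
                public Uni<? extends HttpSecurityPolicy.CheckResult> apply(Boolean bool, Throwable th) {
                    if (th == null && Boolean.TRUE.equals(bool)) {
                        return PermissionsHttpSecurityPolicy.this.logicalAndPermissionCheck(securityIdentity, i + 1);
                    }
                    if (th != null) {
                        HttpSecurityImpl.LOG.debug("Failed to check permission, denying access", th);
                    }
                    return HttpSecurityPolicy.CheckResult.deny();
                }
            });
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/quarkus/vertx/http/runtime/security/HttpSecurityImpl$SimpleHttpSecurityPolicy.class */
    /**
     * Policy backed by a caller-supplied predicate over the identity and the routing context.
     *
     * <p>A missing identity, a failed identity lookup and an exception thrown by the predicate
     * all result in a deny.
     */
    public static final class SimpleHttpSecurityPolicy implements HttpSecurityPolicy {
        private final BiPredicate<SecurityIdentity, RoutingContext> predicate;

        private SimpleHttpSecurityPolicy(BiPredicate<SecurityIdentity, RoutingContext> biPredicate) {
            this.predicate = biPredicate;
        }

        @Override // io.quarkus.vertx.http.runtime.security.HttpSecurityPolicy
        public Uni<HttpSecurityPolicy.CheckResult> checkPermission(final RoutingContext routingContext, Uni<SecurityIdentity> uni, HttpSecurityPolicy.AuthorizationRequestContext authorizationRequestContext) {
            return uni.onItemOrFailure().transform(new BiFunction<SecurityIdentity, Throwable, HttpSecurityPolicy.CheckResult>() {
                @Override // java.util.function.BiFunction
                public HttpSecurityPolicy.CheckResult apply(SecurityIdentity securityIdentity, Throwable th) {
                    // Handle the failure first. On failure the item is null, so testing the
                    // identity first would return before the failure is logged.
                    if (th != null) {
                        HttpSecurityImpl.LOG.debug("Failed to retrieve SecurityIdentity, denying access", th);
                        return HttpSecurityPolicy.CheckResult.DENY;
                    }
                    if (securityIdentity == null) {
                        return HttpSecurityPolicy.CheckResult.DENY;
                    }
                    boolean permitted;
                    try {
                        permitted = SimpleHttpSecurityPolicy.this.predicate.test(securityIdentity, routingContext);
                    } catch (Exception e) {
                        // Fail closed when the user-supplied predicate throws.
                        HttpSecurityImpl.LOG.debug("Failed to check permission, denying access", e);
                        permitted = false;
                    }
                    return permitted ? HttpSecurityPolicy.CheckResult.PERMIT : HttpSecurityPolicy.CheckResult.DENY;
                }
            });
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Creates the builder.
     *
     * @param clientAuth TLS client authentication setting, consulted by {@code mTLS()}
     * @param vertxHttpConfig effective HTTP configuration, consulted by {@link #mechanism}
     */
    public HttpSecurityImpl(ClientAuth clientAuth, VertxHttpConfig vertxHttpConfig) {
        this.clientAuth = clientAuth;
        this.vertxHttpConfig = vertxHttpConfig;
    }

    /**
     * Registers an authentication mechanism.
     *
     * <p>Form and Basic mechanisms are refused when the matching settings already differ from the
     * defaults, so the same mechanism is not configured in two places.
     *
     * @param httpAuthenticationMechanism mechanism to register; must not be null
     * @return this builder
     * @throws NullPointerException if the mechanism is null
     * @throws IllegalArgumentException if form or basic authentication is already configured
     */
    @Override // io.quarkus.vertx.http.security.HttpSecurity
    public HttpSecurity mechanism(HttpAuthenticationMechanism httpAuthenticationMechanism) {
        Objects.requireNonNull(httpAuthenticationMechanism);
        // NOTE(review): both guards compare exact classes, so a subclass or a custom mechanism
        // skips them.
        if (httpAuthenticationMechanism.getClass() == FormAuthenticationMechanism.class) {
            Object configuredForm = this.vertxHttpConfig.auth().form();
            // A freshly built mapping, presumably holding only defaults: no config source is added here.
            // NOTE(review): "8081" is supplied as a default for 'quarkus.http.host'; confirm it is intended.
            Object defaultForm = ((VertxHttpConfig) new SmallRyeConfigBuilder()
                    .addDiscoveredConverters()
                    .withDefaultValue("quarkus.http.host", "8081")
                    .withMapping(VertxHttpConfig.class)
                    .build()
                    .getConfigMapping(VertxHttpConfig.class)).auth().form();
            if (!configuredForm.equals(defaultForm)) {
                throw new IllegalArgumentException("Cannot configure form-based authentication programmatically because it has already been configured in the 'application.properties' file");
            }
        } else if (httpAuthenticationMechanism.getClass() == BasicAuthenticationMechanism.class && this.vertxHttpConfig.auth().realm().orElse(null) != null) {
            throw new IllegalArgumentException("Cannot configure basic authentication programmatically because the authentication realm has already been configured in the 'application.properties' file");
        }
        this.mechanisms.add(httpAuthenticationMechanism);
        return this;
    }

    /** Registers the mechanism returned by {@code Basic.create()}. */
    @Override // io.quarkus.vertx.http.security.HttpSecurity
    public HttpSecurity basic() {
        return mechanism(Basic.create());
    }

    /** Registers the mechanism returned by {@code Basic.realm(str)}. */
    @Override // io.quarkus.vertx.http.security.HttpSecurity
    public HttpSecurity basic(String str) {
        return mechanism(Basic.realm(str));
    }

    /**
     * Starts a permission for the given paths and records it in this builder.
     *
     * @param strArr paths covered by the permission; must not be null or empty
     * @return the new permission, for further chaining
     * @throws IllegalArgumentException if no path is given
     */
    @Override // io.quarkus.vertx.http.security.HttpSecurity
    public HttpSecurity.HttpPermission path(String... strArr) {
        if (strArr == null || strArr.length == 0) {
            throw new IllegalArgumentException("Paths must not be empty");
        }
        // The permission is recorded at once. If the chain never selects a policy, getPolicy()
        // throws when the permission is read back.
        HttpPermissionImpl httpPermissionImpl = new HttpPermissionImpl(strArr);
        this.httpPermissions.add(httpPermissionImpl);
        return httpPermissionImpl;
    }

    /** Starts a permission for the given paths restricted to {@code VertxHttpRecorder.GET}. */
    @Override // io.quarkus.vertx.http.security.HttpSecurity
    public HttpSecurity.HttpPermission get(String... strArr) {
        return path(strArr).methods(VertxHttpRecorder.GET);
    }

    /** Starts a permission for the given paths restricted to {@code PUT}. */
    @Override // io.quarkus.vertx.http.security.HttpSecurity
    public HttpSecurity.HttpPermission put(String... strArr) {
        return path(strArr).methods("PUT");
    }

    /** Starts a permission for the given paths restricted to {@code POST}. */
    @Override // io.quarkus.vertx.http.security.HttpSecurity
    public HttpSecurity.HttpPermission post(String... strArr) {
        return path(strArr).methods("POST");
    }

    /** Starts a permission for the given paths restricted to {@code DELETE}. */
    @Override // io.quarkus.vertx.http.security.HttpSecurity
    public HttpSecurity.HttpPermission delete(String... strArr) {
        return path(strArr).methods("DELETE");
    }

    /**
     * Configures the roles mapping. It can be set only once.
     *
     * @param map source role to target roles; neither the map nor any target list may be empty
     * @return this builder
     * @throws IllegalStateException if a roles mapping is already configured
     * @throws IllegalArgumentException if the map, a source role or a target list is null or empty
     */
    @Override // io.quarkus.vertx.http.security.HttpSecurity
    public HttpSecurity rolesMapping(Map<String, List<String>> map) {
        if (this.rolesMapping != null) {
            throw new IllegalStateException("Roles mapping is already configured");
        }
        if (map == null || map.isEmpty()) {
            throw new IllegalArgumentException("Roles must not be empty");
        }
        map.forEach((sourceRole, targetRoles) -> {
            // Maps that allow a null key are rejected here instead of failing with an NPE.
            if (sourceRole == null || sourceRole.isEmpty()) {
                throw new IllegalArgumentException("Source role must not be empty");
            }
            if (targetRoles == null || targetRoles.isEmpty()) {
                throw new IllegalArgumentException("Target roles for role '%s' must not be empty".formatted(sourceRole));
            }
        });
        this.rolesMapping = RolesMapping.of(map);
        return this;
    }

    /**
     * Configures a roles mapping with a single source role.
     *
     * @param str source role; must not be null
     * @param list target roles; must not be null
     * @return this builder
     * @throws IllegalArgumentException if either argument is null
     */
    @Override // io.quarkus.vertx.http.security.HttpSecurity
    public HttpSecurity rolesMapping(String str, List<String> list) {
        if (str == null) {
            throw new IllegalArgumentException("Source role must not be null");
        }
        if (list == null) {
            throw new IllegalArgumentException("Target roles for role '%s' must not be null".formatted(str));
        }
        return rolesMapping(Map.of(str, list));
    }

    /**
     * Configures a roles mapping from one source role to one target role.
     *
     * @param str source role
     * @param str2 target role; must not be null
     * @return this builder
     * @throws IllegalArgumentException if the target role is null, or the source role is null
     *         (the latter is reported by the overload this method delegates to)
     */
    @Override // io.quarkus.vertx.http.security.HttpSecurity
    public HttpSecurity rolesMapping(String str, String str2) {
        if (str2 == null) {
            throw new IllegalArgumentException("Target role for role '%s' must not be null".formatted(str));
        }
        return rolesMapping(str, List.of(str2));
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /** Appends permissions built elsewhere to the ones collected by this builder. */
    public void addHttpPermissions(List<HttpSecurityConfiguration.HttpPermissionCarrier> list) {
        this.httpPermissions.addAll(list);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /** Returns an immutable snapshot of the collected permissions. */
    public List<HttpSecurityConfiguration.HttpPermissionCarrier> getHttpPermissions() {
        return List.copyOf(this.httpPermissions);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /** Returns the configured roles mapping, or null when none was configured. */
    public RolesMapping getRolesMapping() {
        return this.rolesMapping;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /** Returns an immutable snapshot of the registered mechanisms. */
    public List<HttpAuthenticationMechanism> getMechanisms() {
        return this.mechanisms.isEmpty() ? List.of() : List.copyOf(this.mechanisms);
    }

    /** Returns the TLS client authentication setting given to the constructor. */
    ClientAuth getClientAuth() {
        return this.clientAuth;
    }
}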
