package io.apicurio.registry.services.auth;

import io.apicurio.registry.logging.audit.AuditHttpRequestContext;
import io.apicurio.registry.logging.audit.AuditHttpRequestInfo;
import io.apicurio.registry.logging.audit.AuditLogService;
import io.apicurio.registry.metrics.MetricsConstants;
import io.apicurio.rest.client.JdkHttpClientProvider;
import io.apicurio.rest.client.auth.Auth;
import io.apicurio.rest.client.auth.OidcAuth;
import io.apicurio.rest.client.auth.exception.AuthErrorHandler;
import io.apicurio.rest.client.auth.exception.NotAuthorizedException;
import io.apicurio.rest.client.spi.ApicurioHttpClient;
import io.quarkus.oidc.AccessTokenCredential;
import io.quarkus.oidc.runtime.BearerAuthenticationMechanism;
import io.quarkus.oidc.runtime.OidcAuthenticationMechanism;
import io.quarkus.security.AuthenticationFailedException;
import io.quarkus.security.identity.IdentityProviderManager;
import io.quarkus.security.identity.SecurityIdentity;
import io.quarkus.security.identity.request.AuthenticationRequest;
import io.quarkus.security.identity.request.TokenAuthenticationRequest;
import io.quarkus.vertx.http.runtime.security.ChallengeData;
import io.quarkus.vertx.http.runtime.security.HttpAuthenticationMechanism;
import io.quarkus.vertx.http.runtime.security.HttpCredentialTransport;
import io.smallrye.mutiny.Uni;
import io.vertx.ext.web.RoutingContext;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.function.BiConsumer;
import javax.annotation.PostConstruct;
import javax.annotation.Priority;
import javax.enterprise.context.ApplicationScoped;
import javax.enterprise.inject.Alternative;
import javax.inject.Inject;
import org.apache.commons.lang3.tuple.Pair;
import org.eclipse.microprofile.config.inject.ConfigProperty;

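/**
 * Registry-specific {@link HttpAuthenticationMechanism} that layers two HTTP Basic conveniences on top of
 * the stock Quarkus OIDC bearer-token mechanism:
 * <ul>
 *   <li>When {@code registry.auth.basic-auth-client-credentials.enabled} is set, the user name and password
 *       of a Basic header are treated as an OAuth client id / client secret and exchanged for an access token
 *       at {@code registry.auth.token.endpoint} (client-credentials flow).</li>
 *   <li>Otherwise, when {@code registry.auth.client-secret} is configured, Basic credentials are treated as a
 *       resource-owner user name / password and exchanged through the password grant, using the registry's
 *       own {@code quarkus.oidc.client-id} and client secret.</li>
 * </ul>
 * In every other case the request is delegated unchanged to {@link OidcAuthenticationMechanism}.
 *
 * <p>Every authentication failure (any response with status {@code >= 400}) is additionally written to the
 * audit log by wrapping the failure handler Quarkus installs on the routing context.
 *
 * <p>When {@code registry.auth.enabled} is {@code false} the mechanism is inert: {@link #authenticate}
 * yields no identity, and neither the token-endpoint HTTP client nor the bearer mechanism is created.
 */
@Alternative
@Priority(1)
@ApplicationScoped
public class CustomAuthenticationMechanism implements HttpAuthenticationMechanism {

    /** Routing-context key under which Quarkus stores its authentication-failure handler. */
    private static final String AUTH_FAILURE_HANDLER_KEY = "io.quarkus.vertx.http.auth-failure-handler";

    /** Fixed, non-sensitive failure messages; the message text ends up in the audit record as error_msg. */
    private static final String CLIENT_CREDENTIALS_REJECTED = "Client credentials rejected by the token endpoint";
    private static final String USER_CREDENTIALS_REJECTED = "User credentials rejected by the token endpoint";

    /** Master switch; when false this mechanism never produces an identity. */
    @ConfigProperty(name = "registry.auth.enabled")
    boolean authEnabled;

    /** When true, Basic user name / password are forwarded as OAuth client id / client secret. */
    @ConfigProperty(name = "registry.auth.basic-auth-client-credentials.enabled")
    boolean fakeBasicAuthEnabled;

    /** Base URL of the OIDC token endpoint used for both credential exchanges. */
    @ConfigProperty(name = "registry.auth.token.endpoint")
    String authServerUrl;

    /** Registry's own client secret; enables the password-grant exchange when present. */
    @ConfigProperty(name = "registry.auth.client-secret")
    Optional<String> clientSecret;

    /** Registry's own OIDC client id, paired with {@link #clientSecret} for the password grant. */
    @ConfigProperty(name = "quarkus.oidc.client-id")
    String clientId;

    @Inject
    OidcAuthenticationMechanism oidcAuthenticationMechanism;

    @Inject
    AuditLogService auditLog;

    // Both are created in init() only when auth is enabled and are null otherwise.
    private BearerAuthenticationMechanism bearerAuth;
    private ApicurioHttpClient httpClient;

    /**
     * Creates the token-endpoint HTTP client and the bearer challenge mechanism, but only when
     * authentication is enabled; with auth disabled neither is needed and both stay {@code null}.
     */
    @PostConstruct
    public void init() {
        if (this.authEnabled) {
            this.httpClient = new JdkHttpClientProvider().create(this.authServerUrl, Collections.emptyMap(), (Auth) null, new AuthErrorHandler());
            this.bearerAuth = new BearerAuthenticationMechanism();
        }
    }

    /**
     * Authenticates the current request.
     *
     * @param routingContext the Vert.x routing context of the request
     * @param identityProviderManager used to turn an obtained access token into a {@link SecurityIdentity}
     * @return a {@link Uni} that yields the identity, or a {@code null} item when auth is disabled or no
     *         identity could be established
     * @throws AuthenticationFailedException when Basic credentials used as client credentials are rejected
     *         by the token endpoint
     */
    @Override
    public Uni<SecurityIdentity> authenticate(RoutingContext routingContext, IdentityProviderManager identityProviderManager) {
        if (!this.authEnabled) {
            // Authentication switched off: yield no identity so the request proceeds without one.
            return Uni.createFrom().nullItem();
        }
        setAuditLogger(routingContext);
        if (this.fakeBasicAuthEnabled) {
            Pair<String, String> clientCredentials = CredentialsHelper.extractCredentialsFromContext(routingContext);
            if (clientCredentials != null) {
                try {
                    return authenticateWithClientCredentials(clientCredentials, routingContext, identityProviderManager);
                } catch (NotAuthorizedException e) {
                    // Wrong client id/secret: surface it as an authentication failure so Quarkus sends the
                    // challenge. The cause is kept for server-side diagnostics; the message stays fixed.
                    throw new AuthenticationFailedException(CLIENT_CREDENTIALS_REJECTED, e);
                }
            }
        }
        return customAuthentication(routingContext, identityProviderManager);
    }

    /**
     * Password-grant fallback: when a client secret is configured and the request carries Basic credentials,
     * exchanges the user name / password for an access token and authenticates that token. In all other
     * cases the request is handed to the standard OIDC mechanism.
     *
     * @param routingContext the Vert.x routing context of the request
     * @param identityProviderManager used to authenticate the obtained access token
     * @return a {@link Uni} yielding the identity, or a {@code null} item when the token endpoint returned
     *         no token
     * @throws AuthenticationFailedException when the token endpoint rejects the user credentials
     */
    public Uni<SecurityIdentity> customAuthentication(RoutingContext routingContext, IdentityProviderManager identityProviderManager) {
        if (this.clientSecret.isPresent()) {
            Pair<String, String> userCredentials = CredentialsHelper.extractCredentialsFromContext(routingContext);
            if (userCredentials != null) {
                String accessToken;
                try {
                    accessToken = new OidcAuth(this.httpClient, this.clientId, this.clientSecret.get())
                            .obtainAccessTokenPasswordGrant(userCredentials.getLeft(), userCredentials.getRight());
                } catch (NotAuthorizedException e) {
                    // Same treatment as the client-credentials path: a rejected grant is an auth failure,
                    // not an internal error.
                    throw new AuthenticationFailedException(USER_CREDENTIALS_REJECTED, e);
                }
                if (accessToken == null) {
                    return Uni.createFrom().nullItem();
                }
                return identityProviderManager.authenticate(
                        new TokenAuthenticationRequest(new AccessTokenCredential(accessToken, routingContext)));
            }
        }
        return this.oidcAuthenticationMechanism.authenticate(routingContext, identityProviderManager);
    }

    /**
     * Wraps the failure handler Quarkus stored on the routing context so that, after the original handler
     * has written the HTTP error response, any response with status {@code >= 400} is recorded in the audit
     * log together with method, path, status and (if present) the failure message.
     *
     * @param routingContext the routing context whose failure handler is decorated
     */
    private void setAuditLogger(RoutingContext routingContext) {
        BiConsumer<RoutingContext, Throwable> quarkusFailureHandler = routingContext.get(AUTH_FAILURE_HANDLER_KEY);
        BiConsumer<RoutingContext, Throwable> auditingFailureHandler = (ctx, failure) -> {
            if (quarkusFailureHandler != null) {
                // The original handler produces the HTTP error response; we only observe its outcome.
                quarkusFailureHandler.accept(ctx, failure);
            }
            int statusCode = ctx.response().getStatusCode();
            if (statusCode >= 400) {
                Map<String, String> metadata = new HashMap<>();
                metadata.put("method", ctx.request().method().name());
                metadata.put(MetricsConstants.REST_REQUESTS_TAG_PATH, ctx.request().path());
                metadata.put("response_code", String.valueOf(statusCode));
                if (failure != null) {
                    metadata.put("error_msg", failure.getMessage());
                }
                // No request-scoped audit context exists at this point, so the request info is built inline.
                this.auditLog.log("registry.audit", "authenticate", AuditHttpRequestContext.FAILURE, metadata, new AuditHttpRequestInfo() {
                    @Override
                    public String getSourceIp() {
                        return ctx.request().remoteAddress().toString();
                    }

                    @Override
                    public String getForwardedFor() {
                        return ctx.request().getHeader(AuditHttpRequestContext.X_FORWARDED_FOR_HEADER);
                    }
                });
            }
        };
        routingContext.put(AUTH_FAILURE_HANDLER_KEY, auditingFailureHandler);
    }

    /**
     * Delegates the challenge to the bearer mechanism created in {@link #init()}.
     * NOTE(review): {@link #bearerAuth} is only created while auth is enabled; a challenge requested with
     * auth disabled would hit a {@code null} reference here — confirm Quarkus never challenges in that mode.
     *
     * @param routingContext the Vert.x routing context of the request
     * @return the bearer challenge data
     */
    @Override
    public Uni<ChallengeData> getChallenge(RoutingContext routingContext) {
        return this.bearerAuth.getChallenge(routingContext);
    }

    /** This mechanism only ever issues {@link TokenAuthenticationRequest}s. */
    @Override
    public Set<Class<? extends AuthenticationRequest>> getCredentialTypes() {
        return Collections.singleton(TokenAuthenticationRequest.class);
    }

    /** Credentials are transported as a bearer token in the Authorization header. */
    @Override
    public HttpCredentialTransport getCredentialTransport() {
        return new HttpCredentialTransport(HttpCredentialTransport.Type.AUTHORIZATION, "bearer");
    }

    /**
     * Client-credentials exchange: the Basic user name is used as the OAuth client id and the password as
     * the client secret; the resulting access token is then authenticated like any bearer token.
     *
     * @param pair left = client id, right = client secret
     * @param routingContext the Vert.x routing context of the request
     * @param identityProviderManager used to authenticate the obtained access token
     * @return a {@link Uni} yielding the identity for the obtained token
     * @throws NotAuthorizedException when the token endpoint rejects the client credentials
     */
    private Uni<SecurityIdentity> authenticateWithClientCredentials(Pair<String, String> pair, RoutingContext routingContext, IdentityProviderManager identityProviderManager) {
        String accessToken = new OidcAuth(this.httpClient, pair.getLeft(), pair.getRight()).authenticate();
        return identityProviderManager.authenticate(
                new TokenAuthenticationRequest(new AccessTokenCredential(accessToken, routingContext)));
    }
}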
