package io.quarkus.oidc.runtime;

import io.quarkus.security.AuthenticationFailedException;
import io.quarkus.security.identity.request.TokenAuthenticationRequest;
import io.quarkus.vertx.http.runtime.security.HttpSecurityUtils;
import io.vertx.core.json.JsonArray;
import io.vertx.core.json.JsonObject;
import io.vertx.ext.web.RoutingContext;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.runtime.ObjectMethods;
import java.time.Duration;
import java.util.Arrays;
import java.util.Map;
import java.util.Set;
import java.util.function.Consumer;
import org.eclipse.microprofile.jwt.Claims;
import org.jboss.logging.Logger;

/* loaded from: input_file:io/quarkus/oidc/runtime/StepUpAuthenticationPolicy.class */
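/**
 * Step-up authentication policy applied to a token that has already been verified.
 *
 * <p>The policy requires that the token's {@code acr} claim contains every configured
 * authentication context class reference and, when a maximum age is configured, that the
 * authentication is not older than that age. A violation is reported as an
 * {@link AuthenticationFailedException} carrying {@code acr_values} / {@code max_age} attributes,
 * which {@link #getAuthRequirementChallenge(RoutingContext)} later turns into the
 * {@code insufficient_user_authentication} challenge parameters.
 *
 * <p>Written as a record: the decompiled form ({@code final class ... extends Record} with
 * hand-expanded {@code ObjectMethods.bootstrap} calls) is not valid Java source. The generated
 * {@code equals}/{@code hashCode}/{@code toString} and accessors are the ones the record
 * declaration produces. Members marked {@code public} below were reported by the decompiler as
 * package-private in the original class.
 *
 * @param expectedAcrValues acr values that must all be present in the token; the array is stored
 *                          and returned by the accessor without copying, so callers must not mutate it
 * @param maxAge            maximum authentication age in seconds, or {@code null} to skip the age check
 */
record StepUpAuthenticationPolicy(String[] expectedAcrValues, Long maxAge) implements Consumer<TokenVerificationResult> {
    private static volatile boolean enabled = false;
    private static final Logger LOG = Logger.getLogger(StepUpAuthenticationPolicy.class);
    private static final String AUTHENTICATION_POLICY_KEY = "io.quarkus.oidc.runtime.step-up-auth";
    private static final String ACR = "acr";
    private static final String ACR_VALUES = "acr_values";
    private static final String MAX_AGE = "max_age";

    /**
     * Creates a policy from a comma-separated list of acr values.
     *
     * @param expectedAcrValues comma-separated acr values; the parts are not trimmed, so
     *                          whitespace around a comma becomes part of the expected value
     * @param maxAge            maximum authentication age, converted to whole seconds; may be {@code null}
     */
    public StepUpAuthenticationPolicy(String expectedAcrValues, Duration maxAge) {
        this(expectedAcrValues.split(","), maxAge == null ? null : Long.valueOf(maxAge.toSeconds()));
    }

    /**
     * Checks the verified token claims against this policy.
     *
     * <p>The local verification result is used when present, otherwise the introspection
     * response is parsed. The acr check always runs; the age check runs only when a maximum
     * age is configured.
     *
     * @throws AuthenticationFailedException if the acr or max age requirement is not met
     */
    @Override
    public void accept(TokenVerificationResult result) {
        JsonObject claims = result.localVerificationResult != null
                ? result.localVerificationResult
                : new JsonObject(result.introspectionResult.getIntrospectionString());
        verifyAcr(claims);
        if (maxAge != null) {
            verifyMaxAge(claims);
        }
    }

    /**
     * Rejects the token when the authentication is older than {@code maxAge} seconds.
     *
     * <p>Review notes for operators:
     * <ul>
     * <li>When {@code auth_time} is absent the check falls back to {@code iat}. {@code iat} is the
     * time the token was issued, not the time the user authenticated, so with this fallback a
     * newly issued token satisfies the maximum age however old the login is. Have the provider
     * emit {@code auth_time} wherever the age limit matters.</li>
     * <li>A timestamp ahead of the local clock gives a negative age and passes; no clock-skew
     * allowance is applied in either direction.</li>
     * <li>{@code JsonObject.getLong} throws {@code ClassCastException} for a non-numeric claim,
     * which is not reported as an authentication failure.</li>
     * </ul>
     */
    private void verifyMaxAge(JsonObject claims) {
        Long authTime = claims.getLong(Claims.auth_time.name());
        if (authTime == null) {
            authTime = claims.getLong(Claims.iat.name());
            if (authTime != null) {
                LOG.debugf("The '%s' claim value is not available, using the '%s' claim value '%s' to verify maximum token age", Claims.auth_time.name(), Claims.iat.name(), authTime);
            }
        }
        if (authTime == null) {
            throwAuthenticationFailedException("Token has no '%s' claim".formatted(Claims.auth_time.name()));
            // Not reached: the helper always throws. Kept so the unboxing below is visibly safe.
            return;
        }
        long nowSeconds = System.currentTimeMillis() / 1000;
        if (nowSeconds - authTime.longValue() > maxAge.longValue()) {
            // The message prints the latest acceptable time (auth time + max age) and the current time.
            throwAuthenticationFailedException("The token age '%d' has exceeded '%d'".formatted(Long.valueOf(authTime.longValue() + maxAge.longValue()), Long.valueOf(nowSeconds)));
        }
    }

    /**
     * Rejects the token unless its {@code acr} claim contains every expected value.
     *
     * <p>A missing, null, empty or unsupported {@code acr} claim fails the check.
     */
    private void verifyAcr(JsonObject claims) {
        JsonArray acr = readAcrClaim(claims);
        if (acr != null && !acr.isEmpty() && containsAllExpected(acr)) {
            return;
        }
        throwAuthenticationFailedException("Valid token with '%s' acr claim values is required".formatted(Arrays.toString(expectedAcrValues)));
    }

    /**
     * Reads the {@code acr} claim as an array.
     *
     * <p>OpenID Connect defines {@code acr} as a single string, while this policy matches against
     * an array. {@code JsonObject.getJsonArray} throws {@code ClassCastException} for a string
     * value, which would surface as an unexpected error instead of an authentication failure with
     * a step-up challenge. A string claim is therefore treated as a one-element array; matching
     * stays whole-value equality, never substring matching. Any other type is treated as absent.
     */
    private static JsonArray readAcrClaim(JsonObject claims) {
        Object value = claims.getValue(ACR);
        if (value instanceof JsonArray array) {
            return array;
        }
        if (value instanceof String single) {
            return new JsonArray().add(single);
        }
        if (value != null) {
            LOG.debugf("Token 'acr' claim has unsupported type %s", value.getClass().getName());
        }
        return null;
    }

    /** Returns whether every expected acr value is an element of the token's acr array. */
    private boolean containsAllExpected(JsonArray acr) {
        for (String expected : expectedAcrValues) {
            if (!acr.contains(expected)) {
                // Token-supplied claim content is written to the debug log here.
                LOG.debugf("Acr value %s is required but not found in token 'acr' claim: %s", expected, acr);
                return false;
            }
        }
        return true;
    }

    /** Fails authentication, attaching this policy's requirements as challenge attributes. */
    private void throwAuthenticationFailedException(String message) {
        throwAuthenticationFailedException(message, expectedAcrValues, maxAge);
    }

    /**
     * Always throws an {@link AuthenticationFailedException} whose attributes carry the required
     * acr values (comma-joined) and, when {@code maxAge} is not null, the maximum age in seconds.
     */
    private static void throwAuthenticationFailedException(String message, String[] acrValues, Long maxAge) {
        String joinedAcrValues = String.join(",", acrValues);
        Map<String, Object> attributes = maxAge == null
                ? Map.of(ACR_VALUES, joinedAcrValues)
                : Map.of(ACR_VALUES, joinedAcrValues, MAX_AGE, Long.toString(maxAge.longValue()));
        throw new AuthenticationFailedException(message, attributes);
    }

    /** Always throws an authentication failure that requires the given acr values and no maximum age. */
    public static void throwAuthenticationFailedException(String message, Set<String> acrValues) {
        throwAuthenticationFailedException(message, acrValues.toArray(new String[0]), null);
    }

    /** Stores this policy on the routing context so the token verification step can find it. */
    public void storeSelfOnContext(RoutingContext routingContext) {
        routingContext.put(AUTHENTICATION_POLICY_KEY, this);
    }

    /**
     * Returns the policy stored on the request's routing context.
     *
     * @return the stored policy, or {@code null} when the request has no routing context or no policy
     */
    public static StepUpAuthenticationPolicy getFromRequest(TokenAuthenticationRequest tokenAuthenticationRequest) {
        RoutingContext routingContext = HttpSecurityUtils.getRoutingContextAttribute(tokenAuthenticationRequest);
        if (routingContext == null) {
            return null;
        }
        return (StepUpAuthenticationPolicy) routingContext.get(AUTHENTICATION_POLICY_KEY);
    }

    /** Returns whether the authentication failure recorded on the event is a step-up failure. */
    public static boolean isInsufficientUserAuthException(RoutingContext routingContext) {
        return isInsufficientUserAuthException(HttpSecurityUtils.getAuthenticationFailureFromEvent(routingContext));
    }

    /**
     * Builds the challenge parameters for a step-up failure recorded on the event.
     *
     * <p>The {@code insufficient_user_authentication} error code is the one defined for OAuth 2.0
     * step-up authentication challenges (RFC 9470).
     *
     * @return the parameter string, starting with a space, or {@code null} when the recorded
     *         failure is not a step-up failure
     */
    public static String getAuthRequirementChallenge(RoutingContext routingContext) {
        AuthenticationFailedException failure = HttpSecurityUtils.getAuthenticationFailureFromEvent(routingContext);
        if (!isInsufficientUserAuthException(failure)) {
            return null;
        }
        StringBuilder challenge = new StringBuilder(" error=\"insufficient_user_authentication\", error_description=\"A different authentication level is required\"");
        appendQuotedParameter(challenge, ACR_VALUES, (String) failure.getAttribute(ACR_VALUES));
        appendQuotedParameter(challenge, MAX_AGE, (String) failure.getAttribute(MAX_AGE));
        return challenge.toString();
    }

    /**
     * Appends {@code , name="value"} when the value is present.
     *
     * <p>NOTE(review): the value is placed inside the quoted string without escaping. In this
     * class the attributes are filled from the policy's own acr values and max age, not from the
     * token; they must stay server-controlled, because a double quote or line break in a value
     * would corrupt the header this string presumably ends up in.
     */
    private static void appendQuotedParameter(StringBuilder target, String name, String value) {
        if (value != null) {
            target.append(", ").append(name).append("=\"").append(value).append("\"");
        }
    }

    /** A failure is a step-up failure when it carries an {@code acr_values} or {@code max_age} attribute. */
    private static boolean isInsufficientUserAuthException(AuthenticationFailedException failure) {
        return failure != null
                && (failure.getAttribute(ACR_VALUES) != null || failure.getAttribute(MAX_AGE) != null);
    }

    /** Records that step-up authentication is in use; the flag is static and is never reset here. */
    public static void markAsEnabled() {
        enabled = true;
    }

    /** Returns whether {@link #markAsEnabled()} has been called. */
    public static boolean isEnabled() {
        return enabled;
    }
}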
