package io.quarkus.oidc.runtime;

import io.quarkus.arc.Arc;
import io.quarkus.oidc.OIDCException;
import io.quarkus.oidc.common.runtime.OidcCommonUtils;
import io.quarkus.vertx.http.runtime.security.ImmutablePathMatcher;
import io.vertx.core.Handler;
import io.vertx.core.json.JsonArray;
import io.vertx.core.json.JsonObject;
import io.vertx.ext.web.Router;
import io.vertx.ext.web.RoutingContext;
import jakarta.enterprise.event.Observes;
import jakarta.inject.Singleton;
import java.lang.annotation.Annotation;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.runtime.ObjectMethods;
import java.net.URI;
import java.util.HashMap;
import org.jboss.logging.Logger;

/**
 * Vert.x handler that serves a per-tenant protected resource metadata document for OIDC tenants
 * which have resource metadata enabled.
 *
 * <p>Each qualifying tenant gets a path under {@code <root>/.well-known/oauth-protected-resource}
 * (the well-known suffix matches the one used by RFC 9728, OAuth 2.0 Protected Resource Metadata).
 * A request whose normalized path matches one of these paths is answered with a JSON object holding
 * {@code resource} and {@code authorization_servers}; every other request is passed on with
 * {@link RoutingContext#next()}.
 *
 * <p>The path-to-handler table is an immutable matcher that is rebuilt as a whole and published
 * through the volatile {@link #pathMatcher} field, so request threads read a consistent snapshot.
 *
 * <p>Security-relevant point: unless the tenant configures an absolute {@code resource} URL, the
 * advertised resource identifier is assembled from request data (scheme, authority and, when
 * enabled, the {@code X-Forwarded-Prefix} header); see {@link #buildResourceIdentifierUrl} and
 * {@code buildUri}.
 *
 * <p>NOTE(review): this listing is decompiler output (see the JADX comments), so access modifiers
 * and the record declaration below may differ from the original source.
 */
@Singleton
/* loaded from: input_file:io/quarkus/oidc/runtime/ResourceMetadataHandler.class */
public class ResourceMetadataHandler implements Handler<RoutingContext> {
    private static final Logger LOG = Logger.getLogger(ResourceMetadataHandler.class);
    private static final String SLASH = "/";
    // Used as a plain prefix test (startsWith), not as a parsed URI scheme; it also matches "https".
    private static final String HTTP_SCHEME = "http";
    // Not referenced in the visible code; resourceMetadataAuthenticateParameter uses the literal instead.
    private static final String RESOURCE_METADATA_AUTHENTICATE_PARAM = "resource_metadata";
    private final DefaultTenantConfigResolver resolver;
    // Replaced wholesale by createOrUpdatePathMatcher(); null means no tenant currently exposes metadata.
    private volatile ImmutablePathMatcher<Handler<RoutingContext>> pathMatcher = null;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:io/quarkus/oidc/runtime/ResourceMetadataHandler$NewResourceMetadata.class */
    /**
     * Payload-free event type. It is fired by {@code fireResourceMetadataEvent()} and observed by
     * {@code updatePathMatcher} to trigger a rebuild of the path matcher.
     *
     * <p>NOTE(review): the {@code extends Record} clause and the {@code ObjectMethods.bootstrap}
     * bodies look like the decompiler's rendering of a component-less {@code record}; confirm
     * against the original source.
     */
    public static final class NewResourceMetadata extends Record {
        NewResourceMetadata() {
        }

        @Override // java.lang.Record
        public final String toString() {
            return (String) ObjectMethods.bootstrap(MethodHandles.lookup(), "toString", MethodType.methodType(String.class, NewResourceMetadata.class), NewResourceMetadata.class, "").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final int hashCode() {
            return (int) ObjectMethods.bootstrap(MethodHandles.lookup(), "hashCode", MethodType.methodType(Integer.TYPE, NewResourceMetadata.class), NewResourceMetadata.class, "").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final boolean equals(Object obj) {
            return (boolean) ObjectMethods.bootstrap(MethodHandles.lookup(), "equals", MethodType.methodType(Boolean.TYPE, NewResourceMetadata.class, Object.class), NewResourceMetadata.class, "").dynamicInvoker().invoke(this, obj) /* invoke-custom */;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/quarkus/oidc/runtime/ResourceMetadataHandler$RouteHandler.class */
    /**
     * Handler bound to a single tenant's metadata path; it writes that tenant's metadata document.
     */
    public static class RouteHandler implements Handler<RoutingContext> {
        private final io.quarkus.oidc.OidcTenantConfig oidcConfig;
        private final DefaultTenantConfigResolver resolver;

        RouteHandler(io.quarkus.oidc.OidcTenantConfig oidcTenantConfig, DefaultTenantConfigResolver defaultTenantConfigResolver) {
            this.oidcConfig = oidcTenantConfig;
            this.resolver = defaultTenantConfigResolver;
        }

        /**
         * Responds with status 200 and the JSON metadata document for this tenant.
         *
         * <p>NOTE(review): no {@code Content-Type} header is set in this method; confirm whether
         * one is added elsewhere, since clients of a metadata endpoint generally expect
         * {@code application/json}.
         *
         * @param routingContext the current request/response context
         */
        public void handle(RoutingContext routingContext) {
            ResourceMetadataHandler.LOG.debugf("Resource metadata request for the tenant %s received", this.oidcConfig.tenantId().get());
            routingContext.response().setStatusCode(200);
            routingContext.response().end(prepareMetadata(routingContext));
        }

        /**
         * Builds the metadata document as a JSON string with two members: {@code resource} (the
         * resource identifier URL) and {@code authorization_servers} (a one-element array holding
         * the tenant's auth server URL).
         *
         * @param routingContext the current request, used when the resource URL is derived from it
         * @return the serialized JSON object
         */
        private String prepareMetadata(RoutingContext routingContext) {
            JsonObject jsonObject = new JsonObject();
            // The value may be derived from request data; see buildResourceIdentifierUrl.
            jsonObject.put("resource", ResourceMetadataHandler.buildResourceIdentifierUrl(routingContext, this.resolver, this.oidcConfig));
            JsonArray jsonArray = new JsonArray();
            // presumably authServerUrl() is an Optional, in which case get() throws when it is unset — TODO confirm
            jsonArray.add(0, this.oidcConfig.authServerUrl().get());
            jsonObject.put("authorization_servers", jsonArray);
            return jsonObject.toString();
        }
    }

    ResourceMetadataHandler(DefaultTenantConfigResolver defaultTenantConfigResolver) {
        this.resolver = defaultTenantConfigResolver;
    }

    /**
     * Dispatches the request to the tenant handler registered for its normalized path, or passes
     * it to the next handler when no matcher exists or no path matches.
     *
     * @param routingContext the current request/response context
     */
    public void handle(RoutingContext routingContext) {
        Handler handler;
        // Read the volatile field once so the null check and the match use the same snapshot.
        ImmutablePathMatcher<Handler<RoutingContext>> immutablePathMatcher = this.pathMatcher;
        if (immutablePathMatcher == null || (handler = (Handler) immutablePathMatcher.match(routingContext.normalizedPath()).getValue()) == null) {
            routingContext.next();
        } else {
            handler.handle(routingContext);
        }
    }

    /**
     * Builds the path matcher when a {@link Router} event is observed. The router itself is not used.
     *
     * <p>NOTE(review): unlike {@code updatePathMatcher}, this observer is not synchronized; confirm
     * the two cannot run concurrently.
     */
    void setup(@Observes Router router) {
        createOrUpdatePathMatcher();
    }

    /**
     * Rebuilds the path matcher when a {@link NewResourceMetadata} event is observed. The method is
     * synchronized, so rebuilds triggered through this observer do not overlap each other.
     */
    synchronized void updatePathMatcher(@Observes NewResourceMetadata newResourceMetadata) {
        createOrUpdatePathMatcher();
    }

    /**
     * Recomputes the metadata path table from all tenant configurations and publishes it.
     *
     * <p>Only tenants that are ready, enabled and have resource metadata enabled are included. The
     * builder and the bookkeeping map are created lazily, so {@link #pathMatcher} is set to
     * {@code null} when no tenant qualifies.
     *
     * <p>The new matcher is assigned only after the loop completes; if an exception is thrown
     * while iterating, the previously published matcher stays in place.
     *
     * @throws IllegalStateException if a computed metadata path contains {@code *}
     * @throws OIDCException if two tenants with different ids resolve to the same metadata path
     */
    private void createOrUpdatePathMatcher() {
        ImmutablePathMatcher.ImmutablePathMatcherBuilder immutablePathMatcherBuilder = null;
        HashMap hashMap = null;
        for (TenantConfigContext tenantConfigContext : this.resolver.getTenantConfigBean().getAllTenantConfigs()) {
            if (tenantConfigContext.ready() && tenantConfigContext.oidcConfig().tenantEnabled() && tenantConfigContext.oidcConfig().resourceMetadata().enabled()) {
                if (immutablePathMatcherBuilder == null) {
                    immutablePathMatcherBuilder = ImmutablePathMatcher.builder();
                    hashMap = new HashMap();
                }
                String resourceMetadataPath = getResourceMetadataPath(tenantConfigContext.oidcConfig(), this.resolver.getRootPath());
                // A wildcard would let one tenant's document answer for paths beyond its own, so it is rejected.
                if (resourceMetadataPath.contains("*")) {
                    throw new IllegalStateException("Resource metadata path cannot contain a wildcard '*' character");
                }
                // put() returns the config previously stored under this path, which is how collisions are detected.
                io.quarkus.oidc.OidcTenantConfig oidcTenantConfig = (io.quarkus.oidc.OidcTenantConfig) hashMap.put(resourceMetadataPath, tenantConfigContext.oidcConfig());
                if (oidcTenantConfig == null) {
                    immutablePathMatcherBuilder.addPath(resourceMetadataPath, new RouteHandler(tenantConfigContext.oidcConfig(), this.resolver));
                } else {
                    String str = oidcTenantConfig.tenantId().get();
                    String str2 = tenantConfigContext.oidcConfig().tenantId().get();
                    // Same tenant id seen twice: the handler registered first is kept and nothing is added.
                    // Different tenant ids on one path: fail, because the path could not identify a single tenant.
                    if (!str.equals(str2)) {
                        String formatted = "OIDC tenants '%s' and '%s' share the same resource metadata path '%s', which is not supported".formatted(str, str2, resourceMetadataPath);
                        LOG.error(formatted);
                        throw new OIDCException(formatted);
                    }
                }
            }
        }
        if (immutablePathMatcherBuilder != null) {
            this.pathMatcher = immutablePathMatcherBuilder.build();
        } else {
            this.pathMatcher = null;
        }
    }

    /**
     * Computes the request path under which a tenant's metadata document is served.
     *
     * <p>The base is {@code OidcUtils.getRootPath(str) + "/.well-known/oauth-protected-resource"}.
     * The suffix comes from the configured {@code resource}: when that value starts with
     * {@code "http"} its raw URI path is used, otherwise the value itself. With no configured
     * resource, a non-default tenant gets its lower-cased tenant id as suffix and the default
     * tenant gets none. A configured path of exactly {@code "/"} adds no suffix.
     *
     * <p>NOTE(review): {@link URI#getRawPath()} returns {@code null} for an opaque URI (for
     * example a value of the form {@code http:name}), which would make the following
     * {@code isEmpty()} call fail; confirm the configuration is validated before it reaches here.
     *
     * @param oidcTenantConfig the tenant configuration
     * @param str the HTTP root path handed to {@code OidcUtils.getRootPath}
     * @return the metadata path for the tenant
     */
    static String getResourceMetadataPath(io.quarkus.oidc.OidcTenantConfig oidcTenantConfig, String str) {
        String orElse = oidcTenantConfig.resourceMetadata().resource().orElse("");
        String rawPath = orElse.startsWith(HTTP_SCHEME) ? URI.create(orElse).getRawPath() : orElse;
        String str2 = OidcUtils.getRootPath(str) + "/.well-known/oauth-protected-resource";
        if (rawPath.isEmpty()) {
            if (!OidcUtils.DEFAULT_TENANT_ID.equals(oidcTenantConfig.tenantId().get())) {
                // presumably prependSlash adds a leading "/" when one is missing — verify against OidcCommonUtils
                str2 = str2 + OidcCommonUtils.prependSlash(oidcTenantConfig.tenantId().get().toLowerCase());
            }
        } else if (!SLASH.equals(rawPath)) {
            str2 = str2 + OidcCommonUtils.prependSlash(rawPath);
        }
        return str2;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Fires a {@link NewResourceMetadata} event when the resource metadata settings of the given
     * configuration differ from those of the configuration held by the context.
     *
     * <p>Nothing is fired unless metadata is enabled in at least one of the two configurations.
     * The settings compared are {@code resource}, {@code enabled} and {@code forceHttpsScheme}; a
     * context without a configuration counts as different.
     *
     * @param oidcTenantConfig one of the two configurations being compared
     * @param tenantConfigContext context whose configuration (possibly {@code null}) is the other
     */
    public static void fireResourceMetadataChangedEvent(io.quarkus.oidc.OidcTenantConfig oidcTenantConfig, TenantConfigContext tenantConfigContext) {
        if (oidcTenantConfig.resourceMetadata().enabled() || (tenantConfigContext.oidcConfig() != null && tenantConfigContext.oidcConfig().resourceMetadata().enabled())) {
            // The ternary is the decompiler's form of "not all three settings are equal".
            if ((tenantConfigContext.oidcConfig() != null && oidcTenantConfig.resourceMetadata().resource().orElse("").equals(tenantConfigContext.oidcConfig().resourceMetadata().resource().orElse("")) && oidcTenantConfig.resourceMetadata().enabled() == tenantConfigContext.oidcConfig().resourceMetadata().enabled() && oidcTenantConfig.resourceMetadata().forceHttpsScheme() == tenantConfigContext.oidcConfig().resourceMetadata().forceHttpsScheme()) ? false : true) {
                fireResourceMetadataEvent();
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Fires a {@link NewResourceMetadata} event if the given configuration has resource metadata
     * enabled.
     *
     * @param oidcTenantConfig the tenant configuration to check
     */
    public static void fireResourceMetadataReadyEvent(io.quarkus.oidc.OidcTenantConfig oidcTenantConfig) {
        if (oidcTenantConfig.resourceMetadata().enabled()) {
            fireResourceMetadataEvent();
        }
    }

    /** Fires a new {@link NewResourceMetadata} event through the Arc container's bean manager. */
    private static void fireResourceMetadataEvent() {
        Arc.container().beanManager().getEvent().select(NewResourceMetadata.class, new Annotation[0]).fire(new NewResourceMetadata());
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Returns the text {@code  resource_metadata="<url>"} (with a leading space), where the URL is
     * the tenant's resource identifier. Judging by the name it is appended to an authentication
     * challenge header — confirm against the caller.
     *
     * <p>NOTE(review): the URL is placed between double quotes without escaping. When it is
     * derived from the request (authority, {@code X-Forwarded-Prefix}), a double quote or
     * backslash in that data would break the quoted parameter; confirm those inputs are
     * constrained upstream, or configure an absolute {@code resource} URL so the value is fixed.
     *
     * @return the parameter text, including the leading space
     */
    public static String resourceMetadataAuthenticateParameter(RoutingContext routingContext, DefaultTenantConfigResolver defaultTenantConfigResolver, io.quarkus.oidc.OidcTenantConfig oidcTenantConfig) {
        return " resource_metadata=\"" + buildResourceIdentifierUrl(routingContext, defaultTenantConfigResolver, oidcTenantConfig) + "\"";
    }

    /**
     * Returns the resource identifier URL advertised for a tenant.
     *
     * <p>A configured {@code resource} that starts with {@code "http"} is returned unchanged.
     * Otherwise the URL is built from the current request: scheme, authority, optional forwarded
     * prefix, then a path that is the configured relative resource or, when none is configured,
     * the lower-cased tenant id for non-default tenants.
     *
     * <p>NOTE(review): the "http" test is a prefix match, so a relative value that merely begins
     * with those letters (for example {@code http-api}) is returned verbatim instead of being
     * resolved against the request.
     *
     * <p>NOTE(review): the authority is parsed from {@code request().absoluteURI()}, which is
     * presumably derived from the Host header (or forwarded headers, if proxy support is on).
     * The advertised identifier therefore follows the authority the request carried; deployments
     * whose clients compare this identifier should configure an absolute {@code resource} URL or
     * restrict accepted hosts at the proxy.
     *
     * @return the absolute resource identifier URL, or the configured value as described above
     */
    static String buildResourceIdentifierUrl(RoutingContext routingContext, DefaultTenantConfigResolver defaultTenantConfigResolver, io.quarkus.oidc.OidcTenantConfig oidcTenantConfig) {
        String orElse = oidcTenantConfig.resourceMetadata().resource().orElse("");
        if (orElse.startsWith(HTTP_SCHEME)) {
            return orElse;
        }
        if (orElse.isEmpty()) {
            if (!OidcUtils.DEFAULT_TENANT_ID.equals(oidcTenantConfig.tenantId().get())) {
                orElse = orElse + OidcCommonUtils.prependSlash(oidcTenantConfig.tenantId().get().toLowerCase());
            }
        } else if (!SLASH.equals(orElse)) {
            orElse = OidcCommonUtils.prependSlash(orElse);
        }
        return buildUri(routingContext, defaultTenantConfigResolver.isEnableHttpForwardedPrefix(), oidcTenantConfig.resourceMetadata().forceHttpsScheme(), URI.create(routingContext.request().absoluteURI()).getAuthority(), orElse);
    }

    /**
     * Concatenates scheme, authority, optional forwarded prefix and path into a URL string.
     *
     * <p>NOTE(review): the {@code X-Forwarded-Prefix} value is used as received apart from the
     * checks below; there is no validation that it starts with a slash or contains only path
     * characters. Enabling the forwarded prefix is only safe when a trusted proxy sets or strips
     * this header for every request.
     *
     * @param routingContext the current request
     * @param z whether the {@code X-Forwarded-Prefix} header is honoured
     * @param z2 whether the scheme is forced to {@code https} instead of the request scheme
     * @param str the authority (host and optional port)
     * @param str2 the path to append
     * @return the assembled URL
     */
    private static String buildUri(RoutingContext routingContext, boolean z, boolean z2, String str, String str2) {
        String header;
        String scheme = z2 ? "https" : routingContext.request().scheme();
        String str3 = "";
        // A missing header and the values "/" and "//" are treated as "no prefix".
        if (z && (header = routingContext.request().getHeader("X-Forwarded-Prefix")) != null && !header.equals(SLASH) && !header.equals("//")) {
            str3 = header;
            // Drop a single trailing slash so the prefix and the path do not produce "//".
            if (str3.endsWith(SLASH)) {
                str3 = str3.substring(0, str3.length() - 1);
            }
        }
        return scheme + "://" + str + str3 + str2;
    }
}
