package io.quarkus.oidc.runtime;

import io.quarkus.oidc.AccessTokenCredential;
import io.quarkus.oidc.TokenIntrospection;
import io.quarkus.security.AuthenticationFailedException;
import io.quarkus.security.identity.AuthenticationRequestContext;
import io.quarkus.security.identity.IdentityProvider;
import io.quarkus.security.identity.SecurityIdentity;
import io.quarkus.security.spi.runtime.BlockingSecurityExecutor;
import io.quarkus.vertx.http.runtime.security.HttpSecurityUtils;
import io.quarkus.websockets.next.runtime.spi.security.WebSocketIdentityUpdateRequest;
import io.smallrye.mutiny.Uni;
import io.smallrye.mutiny.groups.UniCreate;
import io.vertx.ext.web.RoutingContext;
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.inject.Inject;
import org.eclipse.microprofile.jwt.JsonWebToken;

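@ApplicationScoped
/* loaded from: input_file:io/quarkus/oidc/runtime/WebSocketIdentityUpdateProvider.class */
/**
 * Identity provider that re-authenticates a fresh access token for an already-open WebSocket
 * connection and only accepts the new {@link SecurityIdentity} when it represents the same
 * subject as the identity currently bound to the connection.
 *
 * <p>The subject check prefers the {@code sub} claim of a JWT principal; when either side is not
 * a JWT it falls back to the {@code sub} field of the token introspection result stored on the
 * identity. Any mismatch, or a missing subject, fails the update with
 * {@link AuthenticationFailedException}, so an update can never swap the connection to a
 * different user.
 */
public class WebSocketIdentityUpdateProvider implements IdentityProvider<WebSocketIdentityUpdateRequest> {

    /** Name of the subject claim looked up in the introspection result. */
    private static final String SUBJECT_CLAIM = "sub";

    @Inject
    DefaultTenantConfigResolver resolver;

    @Inject
    BlockingSecurityExecutor blockingExecutor;

    WebSocketIdentityUpdateProvider() {
    }

    @Override
    public Class<WebSocketIdentityUpdateRequest> getRequestType() {
        return WebSocketIdentityUpdateRequest.class;
    }

    /**
     * Authenticates the token carried by the request against the OIDC tenant resolved for the
     * WebSocket connection and verifies the resulting identity has the same subject as the
     * request's current identity.
     *
     * @param webSocketIdentityUpdateRequest request holding the new token and the current identity
     * @param authenticationRequestContext   unused; authentication is delegated to the tenant provider
     * @return the updated identity, or a failed {@code Uni} with {@link AuthenticationFailedException}
     *         when the tenant is unknown, the token is rejected or the subject differs
     */
    @Override
    public Uni<SecurityIdentity> authenticate(WebSocketIdentityUpdateRequest webSocketIdentityUpdateRequest,
            AuthenticationRequestContext authenticationRequestContext) {
        String token = webSocketIdentityUpdateRequest.getCredential().getToken();
        RoutingContext routingContext = HttpSecurityUtils.getRoutingContextAttribute(webSocketIdentityUpdateRequest);
        return authenticate(token, routingContext)
                .onItem().transformToUni(updatedIdentity -> verifySameSubject(updatedIdentity,
                        webSocketIdentityUpdateRequest.getCurrentSecurityIdentity()));
    }

    /**
     * Accepts {@code updatedIdentity} only if its subject equals the subject of {@code currentIdentity}.
     *
     * <p>When both principals are JWTs the {@code sub} claims are compared directly; a {@code null}
     * subject on the updated token is a failure. Otherwise the introspection {@code sub} values are
     * compared; a missing/empty updated subject, or a current identity without a matching
     * introspection subject, is a failure.
     *
     * @param updatedIdentity identity produced from the new token
     * @param currentIdentity identity currently bound to the WebSocket connection
     * @return {@code updatedIdentity} on match, otherwise a failed {@code Uni}
     */
    private static Uni<SecurityIdentity> verifySameSubject(SecurityIdentity updatedIdentity,
            SecurityIdentity currentIdentity) {
        // getPrincipal() returns java.security.Principal; the narrowing to JsonWebToken must be
        // an explicit instanceof + cast, not an implicit assignment.
        var updatedPrincipal = updatedIdentity.getPrincipal();
        var currentPrincipal = currentIdentity.getPrincipal();
        if (updatedPrincipal instanceof JsonWebToken && currentPrincipal instanceof JsonWebToken) {
            String updatedSubject = ((JsonWebToken) updatedPrincipal).getSubject();
            String currentSubject = ((JsonWebToken) currentPrincipal).getSubject();
            if (updatedSubject == null || !updatedSubject.equals(currentSubject)) {
                return Uni.createFrom().failure(new AuthenticationFailedException(
                        "JWT token claim 'sub' value '%s' is different to the previous claim value '%s'"
                                .formatted(updatedSubject, currentSubject)));
            }
            return Uni.createFrom().item(updatedIdentity);
        }

        // Opaque-token path: fall back to the introspection result attached to each identity.
        String updatedSubject = introspectedSubject(updatedIdentity);
        if (updatedSubject == null || updatedSubject.isEmpty()) {
            return Uni.createFrom().failure(new AuthenticationFailedException(
                    "Cannot verify that updated identity represents same subject as the 'sub' claim is not available"));
        }
        String currentSubject = introspectedSubject(currentIdentity);
        // equals(null) is false, so a current identity without introspection data is rejected.
        if (updatedSubject.equals(currentSubject)) {
            return Uni.createFrom().item(updatedIdentity);
        }
        return Uni.createFrom().failure(new AuthenticationFailedException(
                "Token introspection result claim 'sub' value '%s' is different to the previous claim value '%s'"
                        .formatted(updatedSubject, currentSubject)));
    }

    /**
     * Reads the {@code sub} field of the introspection result stored on the identity.
     *
     * @param identity identity to inspect
     * @return the subject, or {@code null} when no introspection attribute is present
     *         (or the result carries no subject)
     */
    private static String introspectedSubject(SecurityIdentity identity) {
        TokenIntrospection introspection = (TokenIntrospection) OidcUtils.getAttribute(identity,
                OidcUtils.INTROSPECTION_ATTRIBUTE);
        return introspection == null ? null : introspection.getString(SUBJECT_CLAIM);
    }

    /**
     * Authenticates {@code token} with the tenant-specific provider for the tenant recorded on the
     * routing context.
     *
     * @param token          raw access token from the update request
     * @param routingContext routing context of the WebSocket connection
     * @return the authenticated identity, or a failed {@code Uni} when no tenant config is present
     */
    private Uni<SecurityIdentity> authenticate(String token, RoutingContext routingContext) {
        // The tenant config is expected under its class name on the routing context (presumably
        // stored by the initial OIDC authentication of the connection — verify against the caller).
        io.quarkus.oidc.OidcTenantConfig tenantConfig = (io.quarkus.oidc.OidcTenantConfig) routingContext
                .get(io.quarkus.oidc.OidcTenantConfig.class.getName());
        if (tenantConfig == null) {
            return Uni.createFrom().failure(new AuthenticationFailedException(
                    "Cannot update SecurityIdentity because OIDC tenant wasn't resolved for current WebSocket connection"));
        }
        // orElseThrow() mirrors the former get(): a resolved tenant config without an id is a programming error.
        String tenantId = tenantConfig.tenantId().orElseThrow();
        return new TenantSpecificOidcIdentityProvider(tenantId, this.resolver, this.blockingExecutor)
                .authenticate(new AccessTokenCredential(token));
    }
}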
