package io.quarkus.resteasy.reactive.server.runtime.security;

import io.quarkus.resteasy.reactive.server.runtime.StandardSecurityCheckInterceptor;
import io.quarkus.security.UnauthorizedException;
import io.quarkus.security.identity.CurrentIdentityAssociation;
import io.quarkus.security.identity.SecurityIdentity;
import io.quarkus.security.spi.runtime.AuthorizationFailureEvent;
import io.quarkus.security.spi.runtime.AuthorizationSuccessEvent;
import io.quarkus.security.spi.runtime.MethodDescription;
import io.quarkus.security.spi.runtime.SecurityCheck;
import io.quarkus.vertx.http.runtime.security.QuarkusHttpUser;
import io.smallrye.mutiny.Uni;
import io.smallrye.mutiny.subscription.UniSubscriber;
import io.smallrye.mutiny.subscription.UniSubscription;
import io.vertx.ext.web.RoutingContext;
import java.lang.reflect.Method;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.function.Consumer;
import java.util.function.Function;
import java.util.function.Supplier;
import org.jboss.resteasy.reactive.common.model.ResourceClass;
import org.jboss.resteasy.reactive.server.core.ResteasyReactiveRequestContext;
import org.jboss.resteasy.reactive.server.model.HandlerChainCustomizer;
import org.jboss.resteasy.reactive.server.model.ServerResourceMethod;
import org.jboss.resteasy.reactive.server.spi.ServerRestHandler;

/* loaded from: input_file:io/quarkus/resteasy/reactive/server/runtime/security/EagerSecurityHandler.class */
/**
 * Request handler that runs authorization before the request continues down the handler chain.
 *
 * <p>When authorization is enabled, {@link #handle} builds a {@code Uni} made of the HTTP permission
 * check and/or the {@link SecurityCheck} registered for the target method, suspends the request,
 * and resumes it when that {@code Uni} completes or fails. A failure is handed to
 * {@code resume(Throwable, boolean)}.
 *
 * <p>The resolved {@link SecurityCheck} is cached in a volatile field on first use. No lock guards
 * the resolution, so concurrent first requests may each resolve and assign it.
 */
public class EagerSecurityHandler implements ServerRestHandler {
    // No-op check used as an identity-compared marker meaning "nothing to run for this method".
    // It is never applied; callers test `== NULL_SENTINEL` and return null instead.
    private static final SecurityCheck NULL_SENTINEL = new SecurityCheck() { // from class: io.quarkus.resteasy.reactive.server.runtime.security.EagerSecurityHandler.1
        public void apply(SecurityIdentity securityIdentity, Method method, Object[] objArr) {
        }

        public void apply(SecurityIdentity securityIdentity, MethodDescription methodDescription, Object[] objArr) {
        }
    };
    // When true, getSecurityCheck() always returns null, so only the HTTP permission check can run.
    private final boolean onlyCheckForHttpPermissions;
    // Lazily resolved check for the target method: null = not resolved yet,
    // NULL_SENTINEL = resolved to "no check", anything else = the check to run.
    private volatile SecurityCheck check;

    /**
     * Handler-chain customizer that installs an {@link EagerSecurityHandler} in the
     * {@code AFTER_MATCH} phase. The two concrete subclasses differ only in the flag passed to the
     * handler constructor.
     */
    /* loaded from: input_file:io/quarkus/resteasy/reactive/server/runtime/security/EagerSecurityHandler$Customizer.class */
    public static abstract class Customizer implements HandlerChainCustomizer {

        /** Variant whose handler runs HTTP permission checks and method-level security checks. */
        /* loaded from: input_file:io/quarkus/resteasy/reactive/server/runtime/security/EagerSecurityHandler$Customizer$HttpPermissionsAndSecurityChecksCustomizer.class */
        public static final class HttpPermissionsAndSecurityChecksCustomizer extends Customizer {
            @Override // io.quarkus.resteasy.reactive.server.runtime.security.EagerSecurityHandler.Customizer
            protected boolean onlyCheckForHttpPermissions() {
                return false;
            }
        }

        /** Variant whose handler skips method-level security checks and runs HTTP permission checks only. */
        /* loaded from: input_file:io/quarkus/resteasy/reactive/server/runtime/security/EagerSecurityHandler$Customizer$HttpPermissionsOnlyCustomizer.class */
        public static final class HttpPermissionsOnlyCustomizer extends Customizer {
            @Override // io.quarkus.resteasy.reactive.server.runtime.security.EagerSecurityHandler.Customizer
            protected boolean onlyCheckForHttpPermissions() {
                return true;
            }
        }

        /**
         * Creates the customizer variant matching the flag.
         *
         * @param z {@code true} for the HTTP-permissions-only variant, {@code false} for the variant
         *          that also runs method-level security checks
         * @return a new customizer instance
         */
        public static HandlerChainCustomizer newInstance(boolean z) {
            return z ? new HttpPermissionsOnlyCustomizer() : new HttpPermissionsAndSecurityChecksCustomizer();
        }

        /**
         * Contributes a new {@link EagerSecurityHandler} for the {@code AFTER_MATCH} phase and
         * nothing for any other phase.
         *
         * @param phase the handler-chain phase being customized
         * @param resourceClass not read by this method
         * @param serverResourceMethod not read by this method
         * @return a singleton list holding a new handler, or an empty list
         */
        public List<ServerRestHandler> handlers(HandlerChainCustomizer.Phase phase, ResourceClass resourceClass, ServerResourceMethod serverResourceMethod) {
            return phase == HandlerChainCustomizer.Phase.AFTER_MATCH ? Collections.singletonList(new EagerSecurityHandler(onlyCheckForHttpPermissions())) : Collections.emptyList();
        }

        /** @return whether the installed handler should skip method-level security checks */
        protected abstract boolean onlyCheckForHttpPermissions();
    }

    /**
     * @param z when {@code true}, the handler never resolves or runs a method-level
     *          {@link SecurityCheck}
     */
    public EagerSecurityHandler(boolean z) {
        this.onlyCheckForHttpPermissions = z;
    }

    /**
     * Runs the applicable authorization steps for the request, suspending it until they finish.
     *
     * <p>If authorization is disabled on the authorization controller, this method returns without
     * running any check and without suspending the request.
     *
     * @param resteasyReactiveRequestContext the request being processed
     * @throws Exception as declared by the signature
     */
    public void handle(final ResteasyReactiveRequestContext resteasyReactiveRequestContext) throws Exception {
        Uni chain;
        if (EagerSecurityContext.instance.authorizationController.isAuthorizationEnabled()) {
            Function<SecurityIdentity, Uni<?>> securityCheck = getSecurityCheck(resteasyReactiveRequestContext);
            if (securityCheck != null) {
                // A method-level check exists. It always runs after the identity is resolved; unless
                // doNotRunPermissionSecurityCheck is set, the permission check runs first and its
                // resulting identity is what the method-level check receives.
                chain = EagerSecurityContext.instance.doNotRunPermissionSecurityCheck ? EagerSecurityContext.instance.getDeferredIdentity().chain(securityCheck) : EagerSecurityContext.instance.getDeferredIdentity().flatMap(new Function<SecurityIdentity, Uni<? extends SecurityIdentity>>() { // from class: io.quarkus.resteasy.reactive.server.runtime.security.EagerSecurityHandler.3
                    @Override // java.util.function.Function
                    public Uni<SecurityIdentity> apply(SecurityIdentity securityIdentity) {
                        return EagerSecurityContext.instance.getPermissionCheck(resteasyReactiveRequestContext, securityIdentity);
                    }
                }).chain(securityCheck);
            } else if (EagerSecurityContext.instance.doNotRunPermissionSecurityCheck) {
                // Neither a method-level check nor a permission check applies: the request continues
                // without this handler performing any authorization.
                return;
            } else {
                // Permission check only. The identity argument is null here; presumably
                // getPermissionCheck resolves the identity itself in that case. TODO confirm.
                chain = Uni.createFrom().deferred(new Supplier<Uni<?>>() { // from class: io.quarkus.resteasy.reactive.server.runtime.security.EagerSecurityHandler.2
                    /* JADX WARN: Can't rename method to resolve collision */
                    @Override // java.util.function.Supplier
                    public Uni<?> get() {
                        return EagerSecurityContext.instance.getPermissionCheck(resteasyReactiveRequestContext, null);
                    }
                });
            }
            resteasyReactiveRequestContext.requireCDIRequestScope();
            // The request is suspended before subscribing, so it continues only through one of the
            // resume calls below.
            resteasyReactiveRequestContext.suspend();
            chain.subscribe().withSubscriber(new UniSubscriber<Object>() { // from class: io.quarkus.resteasy.reactive.server.runtime.security.EagerSecurityHandler.4
                public void onSubscribe(UniSubscription uniSubscription) {
                }

                public void onItem(Object obj) {
                    // All checks passed: let the request continue.
                    resteasyReactiveRequestContext.resume();
                }

                public void onFailure(Throwable th) {
                    // A check failed: resume with the failure so the request is not processed normally.
                    resteasyReactiveRequestContext.resume(th, true);
                }
            });
        }
    }

    /**
     * Resolves the method-level {@link SecurityCheck} for the request's target method and wraps it
     * in a function of the resolved identity.
     *
     * <p>Resolution order on first use: the check stored for the method description, else the
     * default check, else {@code NULL_SENTINEL}. The result is cached in {@link #check}.
     *
     * @param resteasyReactiveRequestContext the request being processed
     * @return a function that performs the check for a given identity, or {@code null} when this
     *         handler has no method-level check left to run (HTTP-permissions-only mode, no check
     *         registered, or a permit-all check, which is handled inline)
     */
    private Function<SecurityIdentity, Uni<?>> getSecurityCheck(final ResteasyReactiveRequestContext resteasyReactiveRequestContext) {
        SecurityIdentity securityIdentity;
        if (this.onlyCheckForHttpPermissions || this.check == NULL_SENTINEL) {
            return null;
        }
        SecurityCheck securityCheck = this.check;
        final MethodDescription lazyMethodToMethodDescription = EagerSecurityContext.lazyMethodToMethodDescription(resteasyReactiveRequestContext.getTarget().getLazyMethod());
        if (securityCheck == null) {
            securityCheck = EagerSecurityContext.instance.securityCheckStorage.getSecurityCheck(lazyMethodToMethodDescription);
            if (securityCheck == null) {
                // NOTE(review): the value cached below depends on a per-request property
                // (isRequestAlreadyChecked). If the first request to reach this handler is already
                // marked as checked, NULL_SENTINEL is stored and the default check is skipped for
                // every later request served by this instance. Confirm that an unmarked request
                // cannot reach the same handler instance afterwards.
                securityCheck = (EagerSecurityContext.instance.securityCheckStorage.getDefaultSecurityCheck() == null || isRequestAlreadyChecked(resteasyReactiveRequestContext)) ? NULL_SENTINEL : EagerSecurityContext.instance.securityCheckStorage.getDefaultSecurityCheck();
            }
            this.check = securityCheck;
        }
        if (securityCheck == NULL_SENTINEL) {
            return null;
        }
        if (!securityCheck.isPermitAll()) {
            final SecurityCheck securityCheck2 = securityCheck;
            return new Function<SecurityIdentity, Uni<?>>() { // from class: io.quarkus.resteasy.reactive.server.runtime.security.EagerSecurityHandler.5
                @Override // java.util.function.Function
                public Uni<?> apply(final SecurityIdentity securityIdentity2) {
                    if (EagerSecurityContext.instance.isProactiveAuthDisabled) {
                        // With proactive authentication disabled, publish the identity resolved here
                        // to the CurrentIdentityAssociation.
                        ((CurrentIdentityAssociation) EagerSecurityContext.instance.identityAssociation.get()).setIdentity(securityIdentity2);
                    }
                    if (securityCheck2.requiresMethodArguments()) {
                        // Only authentication is verified in this branch: a non-null, non-anonymous
                        // identity passes and the check itself is NOT applied here. The request is
                        // also not marked as checked, presumably so that a later stage with access to
                        // the method arguments still applies the check. TODO confirm.
                        if (securityIdentity2 != null && !securityIdentity2.isAnonymous()) {
                            return Uni.createFrom().nullItem();
                        }
                        UnauthorizedException unauthorizedException = new UnauthorizedException();
                        if (EagerSecurityContext.instance.eventHelper.fireEventOnFailure()) {
                            EagerSecurityContext.instance.eventHelper.fireFailureEvent(new AuthorizationFailureEvent(securityIdentity2, unauthorizedException, securityCheck2.getClass().getName(), EagerSecurityHandler.createEventPropsWithRoutingCtx(resteasyReactiveRequestContext), lazyMethodToMethodDescription));
                        }
                        // Thrown from inside the mapping function; presumably surfaces as a failure of
                        // the chained Uni and reaches onFailure in handle(). TODO confirm.
                        throw unauthorizedException;
                    }
                    // Mark the request before applying the check so that isRequestAlreadyChecked()
                    // reports true for the rest of this request.
                    EagerSecurityHandler.preventRepeatedSecurityChecks(resteasyReactiveRequestContext, lazyMethodToMethodDescription);
                    Uni<?> nonBlockingApply = securityCheck2.nonBlockingApply(securityIdentity2, lazyMethodToMethodDescription, resteasyReactiveRequestContext.getParameters());
                    if (EagerSecurityContext.instance.eventHelper.fireEventOnFailure()) {
                        // Attach a failure-event callback to the check's Uni.
                        nonBlockingApply = nonBlockingApply.onFailure().invoke(new Consumer<Throwable>() { // from class: io.quarkus.resteasy.reactive.server.runtime.security.EagerSecurityHandler.5.1
                            @Override // java.util.function.Consumer
                            public void accept(Throwable th) {
                                EagerSecurityContext.instance.eventHelper.fireFailureEvent(new AuthorizationFailureEvent(securityIdentity2, th, securityCheck2.getClass().getName(), EagerSecurityHandler.createEventPropsWithRoutingCtx(resteasyReactiveRequestContext), lazyMethodToMethodDescription));
                            }
                        });
                    }
                    if (EagerSecurityContext.instance.eventHelper.fireEventOnSuccess()) {
                        // Attach a success-event callback to the check's Uni.
                        nonBlockingApply = nonBlockingApply.invoke(new Runnable() { // from class: io.quarkus.resteasy.reactive.server.runtime.security.EagerSecurityHandler.5.2
                            @Override // java.lang.Runnable
                            public void run() {
                                EagerSecurityContext.instance.eventHelper.fireSuccessEvent(new AuthorizationSuccessEvent(securityIdentity2, securityCheck2.getClass().getName(), EagerSecurityHandler.createEventPropsWithRoutingCtx(resteasyReactiveRequestContext), lazyMethodToMethodDescription));
                            }
                        });
                    }
                    return nonBlockingApply;
                }
            };
        }
        // Permit-all check: nothing to evaluate. Mark the request as checked, optionally fire a
        // success event, and return null so handle() does not chain a method-level check.
        preventRepeatedSecurityChecks(resteasyReactiveRequestContext, lazyMethodToMethodDescription);
        if (!EagerSecurityContext.instance.eventHelper.fireEventOnSuccess()) {
            return null;
        }
        resteasyReactiveRequestContext.requireCDIRequestScope();
        RoutingContext routingContext = (RoutingContext) resteasyReactiveRequestContext.unwrap(RoutingContext.class);
        if (routingContext != null) {
            // NOTE(review): decompiler output. The declared type makes the instanceof test below
            // look redundant; presumably user() returns a broader type in the original source.
            // TODO confirm against upstream.
            QuarkusHttpUser user = routingContext.user();
            if (user instanceof QuarkusHttpUser) {
                securityIdentity = user.getSecurityIdentity();
                EagerSecurityContext.instance.eventHelper.fireSuccessEvent(new AuthorizationSuccessEvent(securityIdentity, securityCheck.getClass().getName(), createEventPropsWithRoutingCtx(resteasyReactiveRequestContext), lazyMethodToMethodDescription));
                return null;
            }
        }
        // No routing context or no QuarkusHttpUser on it: the success event carries a null identity.
        securityIdentity = null;
        EagerSecurityContext.instance.eventHelper.fireSuccessEvent(new AuthorizationSuccessEvent(securityIdentity, securityCheck.getClass().getName(), createEventPropsWithRoutingCtx(resteasyReactiveRequestContext), lazyMethodToMethodDescription));
        return null;
    }

    /**
     * Builds the property map attached to authorization events.
     *
     * <p>Observers of these events receive the live {@link RoutingContext} object, so they should
     * avoid logging it wholesale.
     *
     * @param resteasyReactiveRequestContext the request being processed
     * @return a map from the {@code RoutingContext} class name to the routing context, or an empty
     *         map when the request context does not unwrap to one
     */
    private static Map<String, Object> createEventPropsWithRoutingCtx(ResteasyReactiveRequestContext resteasyReactiveRequestContext) {
        RoutingContext routingContext = (RoutingContext) resteasyReactiveRequestContext.unwrap(RoutingContext.class);
        return routingContext == null ? Map.of() : Map.of(RoutingContext.class.getName(), routingContext);
    }

    /**
     * Marks the request as already checked by storing the method description under the
     * {@code STANDARD_SECURITY_CHECK_INTERCEPTOR} request property.
     *
     * @param resteasyReactiveRequestContext the request to mark
     * @param methodDescription the description of the method whose check is being handled
     */
    private static void preventRepeatedSecurityChecks(ResteasyReactiveRequestContext resteasyReactiveRequestContext, MethodDescription methodDescription) {
        resteasyReactiveRequestContext.setProperty(StandardSecurityCheckInterceptor.STANDARD_SECURITY_CHECK_INTERCEPTOR, methodDescription);
    }

    /**
     * @param resteasyReactiveRequestContext the request to inspect
     * @return {@code true} when the {@code STANDARD_SECURITY_CHECK_INTERCEPTOR} request property is
     *         set to any non-null value
     */
    private static boolean isRequestAlreadyChecked(ResteasyReactiveRequestContext resteasyReactiveRequestContext) {
        return resteasyReactiveRequestContext.getProperty(StandardSecurityCheckInterceptor.STANDARD_SECURITY_CHECK_INTERCEPTOR) != null;
    }
}
