package io.quarkus.vertx.http.deployment;

import io.quarkus.arc.deployment.AdditionalBeanBuildItem;
import io.quarkus.arc.deployment.BeanContainerBuildItem;
import io.quarkus.arc.deployment.BeanRegistrationPhaseBuildItem;
import io.quarkus.arc.deployment.GeneratedBeanBuildItem;
import io.quarkus.arc.deployment.GeneratedBeanGizmoAdaptor;
import io.quarkus.arc.deployment.SyntheticBeanBuildItem;
import io.quarkus.arc.processor.DotNames;
import io.quarkus.builder.item.SimpleBuildItem;
import io.quarkus.deployment.Capabilities;
import io.quarkus.deployment.annotations.BuildProducer;
import io.quarkus.deployment.annotations.BuildStep;
import io.quarkus.deployment.annotations.ExecutionTime;
import io.quarkus.deployment.annotations.Produce;
import io.quarkus.deployment.annotations.Record;
import io.quarkus.deployment.builditem.ApplicationIndexBuildItem;
import io.quarkus.deployment.builditem.CombinedIndexBuildItem;
import io.quarkus.deployment.builditem.SystemPropertyBuildItem;
import io.quarkus.gizmo.ClassCreator;
import io.quarkus.gizmo.DescriptorUtils;
import io.quarkus.gizmo.FieldCreator;
import io.quarkus.gizmo.MethodCreator;
import io.quarkus.gizmo.MethodDescriptor;
import io.quarkus.gizmo.ResultHandle;
import io.quarkus.runtime.RuntimeValue;
import io.quarkus.runtime.configuration.ConfigurationException;
import io.quarkus.security.Authenticated;
import io.quarkus.security.spi.AdditionalSecuredMethodsBuildItem;
import io.quarkus.security.spi.AdditionalSecurityAnnotationBuildItem;
import io.quarkus.security.spi.AdditionalSecurityConstrainerEventPropsBuildItem;
import io.quarkus.security.spi.ClassSecurityAnnotationBuildItem;
import io.quarkus.security.spi.RegisterClassSecurityCheckBuildItem;
import io.quarkus.security.spi.runtime.MethodDescription;
import io.quarkus.vertx.core.deployment.IgnoredContextLocalDataKeysBuildItem;
import io.quarkus.vertx.http.runtime.AuthConfig;
import io.quarkus.vertx.http.runtime.VertxHttpBuildTimeConfig;
import io.quarkus.vertx.http.runtime.VertxHttpConfig;
import io.quarkus.vertx.http.runtime.management.ManagementInterfaceBuildTimeConfig;
import io.quarkus.vertx.http.runtime.security.AuthorizationPolicyStorage;
import io.quarkus.vertx.http.runtime.security.BasicAuthenticationMechanism;
import io.quarkus.vertx.http.runtime.security.EagerSecurityInterceptorStorage;
import io.quarkus.vertx.http.runtime.security.FormAuthenticationMechanism;
import io.quarkus.vertx.http.runtime.security.HttpAuthenticator;
import io.quarkus.vertx.http.runtime.security.HttpAuthorizer;
import io.quarkus.vertx.http.runtime.security.HttpSecurityRecorder;
import io.quarkus.vertx.http.runtime.security.MtlsAuthenticationMechanism;
import io.quarkus.vertx.http.runtime.security.PathMatchingHttpSecurityPolicy;
import io.quarkus.vertx.http.runtime.security.VertxBlockingSecurityExecutor;
import io.quarkus.vertx.http.runtime.security.VertxSecurityIdentityAssociation;
import io.quarkus.vertx.http.runtime.security.annotation.BasicAuthentication;
import io.quarkus.vertx.http.runtime.security.annotation.FormAuthentication;
import io.quarkus.vertx.http.runtime.security.annotation.HttpAuthenticationMechanism;
import io.quarkus.vertx.http.runtime.security.annotation.MTLSAuthentication;
import io.vertx.core.http.ClientAuth;
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.inject.Singleton;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.function.BooleanSupplier;
import java.util.function.Consumer;
import java.util.function.Function;
import java.util.function.Predicate;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.jboss.jandex.AnnotationInstance;
import org.jboss.jandex.AnnotationTarget;
import org.jboss.jandex.ClassInfo;
import org.jboss.jandex.DotName;
import org.jboss.jandex.Index;
import org.jboss.jandex.IndexView;
import org.jboss.jandex.MethodInfo;
import org.jboss.jandex.ParameterizedType;
import org.jboss.jandex.Type;
import org.jboss.jandex.TypeVariable;

/* loaded from: input_file:io/quarkus/vertx/http/deployment/HttpSecurityProcessor.class */
public class HttpSecurityProcessor {
    private static final DotName AUTH_MECHANISM_NAME = DotName.createSimple(HttpAuthenticationMechanism.class);
    private static final DotName BASIC_AUTH_ANNOTATION_NAME = DotName.createSimple(BasicAuthentication.class);
    private static final String KOTLIN_SUSPEND_IMPL_SUFFIX = "$suspendImpl";

    /* loaded from: input_file:io/quarkus/vertx/http/deployment/HttpSecurityProcessor$AlwaysPropagateSecurityIdentity.class */
    static final class AlwaysPropagateSecurityIdentity implements BooleanSupplier {
        private final boolean alwaysPropagateSecurityIdentity;

        AlwaysPropagateSecurityIdentity(VertxHttpBuildTimeConfig vertxHttpBuildTimeConfig) {
            this.alwaysPropagateSecurityIdentity = vertxHttpBuildTimeConfig.auth().propagateSecurityIdentity();
        }

        @Override // java.util.function.BooleanSupplier
        public boolean getAsBoolean() {
            return this.alwaysPropagateSecurityIdentity;
        }
    }

    /* loaded from: input_file:io/quarkus/vertx/http/deployment/HttpSecurityProcessor$HttpAuthenticationHandlerBuildItem.class */
    static final class HttpAuthenticationHandlerBuildItem extends SimpleBuildItem {
        private final RuntimeValue<HttpSecurityRecorder.AuthenticationHandler> handler;

        private HttpAuthenticationHandlerBuildItem(RuntimeValue<HttpSecurityRecorder.AuthenticationHandler> runtimeValue) {
            this.handler = runtimeValue;
        }
    }

    /* loaded from: input_file:io/quarkus/vertx/http/deployment/HttpSecurityProcessor$IsApplicationBasicAuthRequired.class */
    static class IsApplicationBasicAuthRequired implements BooleanSupplier {
        private final boolean required;

        public IsApplicationBasicAuthRequired(VertxHttpBuildTimeConfig vertxHttpBuildTimeConfig, ManagementInterfaceBuildTimeConfig managementInterfaceBuildTimeConfig) {
            this.required = HttpSecurityProcessor.applicationBasicAuthRequired(vertxHttpBuildTimeConfig, managementInterfaceBuildTimeConfig);
        }

        @Override // java.util.function.BooleanSupplier
        public boolean getAsBoolean() {
            return this.required;
        }
    }

    @BuildStep
    @Record(ExecutionTime.STATIC_INIT)
    AdditionalBeanBuildItem initFormAuth(HttpSecurityRecorder httpSecurityRecorder, VertxHttpBuildTimeConfig vertxHttpBuildTimeConfig, BuildProducer<RouteBuildItem> buildProducer) {
        if (!vertxHttpBuildTimeConfig.auth().form().enabled()) {
            return null;
        }
        if (!vertxHttpBuildTimeConfig.auth().proactive()) {
            buildProducer.produce(RouteBuildItem.builder().route(vertxHttpBuildTimeConfig.auth().form().postLocation()).handler(httpSecurityRecorder.formAuthPostHandler()).build());
        }
        return AdditionalBeanBuildItem.builder().setUnremovable().addBeanClass(FormAuthenticationMechanism.class).setDefaultScope(DotNames.SINGLETON).build();
    }

    @BuildStep
    AdditionalBeanBuildItem initMtlsClientAuth(VertxHttpBuildTimeConfig vertxHttpBuildTimeConfig) {
        if (isMtlsClientAuthenticationEnabled(vertxHttpBuildTimeConfig)) {
            return AdditionalBeanBuildItem.builder().setUnremovable().addBeanClass(MtlsAuthenticationMechanism.class).setDefaultScope(DotNames.SINGLETON).build();
        }
        return null;
    }

    @BuildStep
    @Record(ExecutionTime.RUNTIME_INIT)
    void setMtlsCertificateRoleProperties(HttpSecurityRecorder httpSecurityRecorder, VertxHttpConfig vertxHttpConfig, VertxHttpBuildTimeConfig vertxHttpBuildTimeConfig) {
        if (isMtlsClientAuthenticationEnabled(vertxHttpBuildTimeConfig)) {
            httpSecurityRecorder.setMtlsCertificateRoleProperties(vertxHttpConfig);
        }
    }

    @BuildStep(onlyIf = {IsApplicationBasicAuthRequired.class})
    void detectBasicAuthImplicitlyRequired(VertxHttpBuildTimeConfig vertxHttpBuildTimeConfig, BeanRegistrationPhaseBuildItem beanRegistrationPhaseBuildItem, ApplicationIndexBuildItem applicationIndexBuildItem, BuildProducer<SystemPropertyBuildItem> buildProducer, List<EagerSecurityInterceptorBindingBuildItem> list) {
        if (makeBasicAuthMechDefaultBean(vertxHttpBuildTimeConfig)) {
            Index index = applicationIndexBuildItem.getIndex();
            if (beanRegistrationPhaseBuildItem.getContext().beans().filter(beanInfo -> {
                return beanInfo.hasType(AUTH_MECHANISM_NAME);
            }).filter((v0) -> {
                return v0.isClassBean();
            }).filter(beanInfo2 -> {
                return index.getClassByName(beanInfo2.getBeanClass()) != null;
            }).isEmpty()) {
                buildProducer.produce(new SystemPropertyBuildItem("io.quarkus.security.http.test-if-basic-auth-implicitly-required", Boolean.TRUE.toString()));
                if (list.isEmpty()) {
                    return;
                }
                Stream flatMap = list.stream().map((v0) -> {
                    return v0.getAnnotationBindings();
                }).flatMap((v0) -> {
                    return Arrays.stream(v0);
                });
                DotName dotName = BASIC_AUTH_ANNOTATION_NAME;
                Objects.requireNonNull(dotName);
                if (flatMap.anyMatch((v1) -> {
                    return r1.equals(v1);
                })) {
                    buildProducer.produce(new SystemPropertyBuildItem("io.quarkus.security.http.basic-authentication-annotation-detected", Boolean.TRUE.toString()));
                }
            }
        }
    }

    @BuildStep(onlyIf = {IsApplicationBasicAuthRequired.class})
    @Record(ExecutionTime.RUNTIME_INIT)
    SyntheticBeanBuildItem initBasicAuth(HttpSecurityRecorder httpSecurityRecorder, VertxHttpConfig vertxHttpConfig, VertxHttpBuildTimeConfig vertxHttpBuildTimeConfig, BuildProducer<SecurityInformationBuildItem> buildProducer) {
        if (vertxHttpBuildTimeConfig.auth().basic().isPresent() && ((Boolean) vertxHttpBuildTimeConfig.auth().basic().get()).booleanValue()) {
            buildProducer.produce(SecurityInformationBuildItem.BASIC());
        }
        SyntheticBeanBuildItem.ExtendedBeanConfigurator unremovable = SyntheticBeanBuildItem.configure(BasicAuthenticationMechanism.class).types(new Class[]{io.quarkus.vertx.http.runtime.security.HttpAuthenticationMechanism.class}).scope(Singleton.class).supplier(httpSecurityRecorder.basicAuthenticationMechanismBean(vertxHttpConfig, vertxHttpBuildTimeConfig.auth().form().enabled())).setRuntimeInit().unremovable();
        if (makeBasicAuthMechDefaultBean(vertxHttpBuildTimeConfig)) {
            unremovable.defaultBean();
        }
        return unremovable.done();
    }

    private static boolean makeBasicAuthMechDefaultBean(VertxHttpBuildTimeConfig vertxHttpBuildTimeConfig) {
        return (vertxHttpBuildTimeConfig.auth().form().enabled() || isMtlsClientAuthenticationEnabled(vertxHttpBuildTimeConfig) || ((Boolean) vertxHttpBuildTimeConfig.auth().basic().orElse(false)).booleanValue()) ? false : true;
    }

    private static boolean applicationBasicAuthRequired(VertxHttpBuildTimeConfig vertxHttpBuildTimeConfig, ManagementInterfaceBuildTimeConfig managementInterfaceBuildTimeConfig) {
        if (vertxHttpBuildTimeConfig.auth().basic().isPresent() && !((Boolean) vertxHttpBuildTimeConfig.auth().basic().get()).booleanValue()) {
            return false;
        }
        if (((Boolean) vertxHttpBuildTimeConfig.auth().basic().orElse(false)).booleanValue()) {
            return true;
        }
        return (vertxHttpBuildTimeConfig.auth().form().enabled() || isMtlsClientAuthenticationEnabled(vertxHttpBuildTimeConfig) || ((Boolean) managementInterfaceBuildTimeConfig.auth().basic().orElse(false)).booleanValue()) ? false : true;
    }

    @BuildStep
    @Record(ExecutionTime.STATIC_INIT)
    void setupAuthenticationMechanisms(HttpSecurityRecorder httpSecurityRecorder, BuildProducer<FilterBuildItem> buildProducer, BuildProducer<AdditionalBeanBuildItem> buildProducer2, Optional<HttpAuthenticationHandlerBuildItem> optional, Capabilities capabilities, VertxHttpBuildTimeConfig vertxHttpBuildTimeConfig, BuildProducer<SecurityInformationBuildItem> buildProducer3) {
        if (!vertxHttpBuildTimeConfig.auth().form().enabled() && ((Boolean) vertxHttpBuildTimeConfig.auth().basic().orElse(false)).booleanValue()) {
            buildProducer3.produce(SecurityInformationBuildItem.BASIC());
        }
        if (capabilities.isPresent("io.quarkus.security")) {
            buildProducer2.produce(AdditionalBeanBuildItem.builder().setUnremovable().addBeanClass(VertxBlockingSecurityExecutor.class).setDefaultScope(DotNames.APPLICATION_SCOPED).build());
            buildProducer2.produce(AdditionalBeanBuildItem.builder().setUnremovable().addBeanClass(HttpAuthenticator.class).addBeanClass(HttpAuthorizer.class).build());
            buildProducer2.produce(AdditionalBeanBuildItem.unremovableOf(PathMatchingHttpSecurityPolicy.class));
            buildProducer.produce(new FilterBuildItem(httpSecurityRecorder.getHttpAuthenticatorHandler(optional.get().handler), FilterBuildItem.AUTHENTICATION));
            buildProducer.produce(new FilterBuildItem(httpSecurityRecorder.permissionCheckHandler(), 100));
        }
    }

    @BuildStep
    @Record(ExecutionTime.STATIC_INIT)
    void createHttpAuthenticationHandler(HttpSecurityRecorder httpSecurityRecorder, Capabilities capabilities, VertxHttpBuildTimeConfig vertxHttpBuildTimeConfig, BuildProducer<HttpAuthenticationHandlerBuildItem> buildProducer) {
        if (capabilities.isPresent("io.quarkus.security")) {
            AuthConfig auth = vertxHttpBuildTimeConfig.auth();
            buildProducer.produce(new HttpAuthenticationHandlerBuildItem(httpSecurityRecorder.authenticationMechanismHandler(auth.proactive(), auth.propagateSecurityIdentity())));
        }
    }

    @BuildStep
    @Produce(PreRouterFinalizationBuildItem.class)
    @Record(ExecutionTime.RUNTIME_INIT)
    void initializeAuthenticationHandler(Optional<HttpAuthenticationHandlerBuildItem> optional, HttpSecurityRecorder httpSecurityRecorder, VertxHttpConfig vertxHttpConfig, BeanContainerBuildItem beanContainerBuildItem) {
        if (optional.isPresent()) {
            httpSecurityRecorder.initializeHttpAuthenticatorHandler(optional.get().handler, vertxHttpConfig, beanContainerBuildItem.getValue());
        }
    }

    @BuildStep
    List<HttpAuthMechanismAnnotationBuildItem> registerHttpAuthMechanismAnnotations() {
        return List.of(new HttpAuthMechanismAnnotationBuildItem(DotName.createSimple(BasicAuthentication.class), "basic"), new HttpAuthMechanismAnnotationBuildItem(DotName.createSimple(FormAuthentication.class), "form"), new HttpAuthMechanismAnnotationBuildItem(DotName.createSimple(MTLSAuthentication.class), "X509"));
    }

    @BuildStep
    @Record(ExecutionTime.STATIC_INIT)
    void registerAuthMechanismSelectionInterceptor(Capabilities capabilities, VertxHttpBuildTimeConfig vertxHttpBuildTimeConfig, BuildProducer<EagerSecurityInterceptorBindingBuildItem> buildProducer, HttpSecurityRecorder httpSecurityRecorder, BuildProducer<AdditionalSecuredMethodsBuildItem> buildProducer2, BuildProducer<RegisterClassSecurityCheckBuildItem> buildProducer3, List<ClassSecurityAnnotationBuildItem> list, List<HttpAuthMechanismAnnotationBuildItem> list2, CombinedIndexBuildItem combinedIndexBuildItem) {
        if (capabilities.isMissing("io.quarkus.security")) {
            return;
        }
        HashSet hashSet = new HashSet();
        Predicate useClassLevelSecurity = ClassSecurityAnnotationBuildItem.useClassLevelSecurity(list);
        DotName[] dotNameArr = (DotName[]) Stream.concat(Stream.of(AUTH_MECHANISM_NAME), list2.stream().map(httpAuthMechanismAnnotationBuildItem -> {
            return httpAuthMechanismAnnotationBuildItem.annotationName;
        })).flatMap(dotName -> {
            Collection annotations = combinedIndexBuildItem.getIndex().getAnnotations(dotName);
            if (annotations.isEmpty()) {
                return Stream.empty();
            }
            hashSet.addAll(collectMethodsWithoutRbacAnnotation(collectAnnotatedMethods(annotations)));
            hashSet.addAll(collectClassMethodsWithoutRbacAnnotation(collectAnnotatedClasses(annotations, useClassLevelSecurity.negate())));
            collectAnnotatedClasses(annotations, useClassLevelSecurity).stream().filter(Predicate.not(HttpSecurityUtils::hasSecurityAnnotation)).forEach(classInfo -> {
                buildProducer3.produce(new RegisterClassSecurityCheckBuildItem(classInfo.name(), AnnotationInstance.builder(Authenticated.class).buildWithTarget(classInfo)));
            });
            return Stream.of(dotName);
        }).toArray(i -> {
            return new DotName[i];
        });
        if (dotNameArr.length > 0) {
            validateAuthMechanismAnnotationUsage(capabilities, vertxHttpBuildTimeConfig, dotNameArr);
            buildProducer.produce(new EagerSecurityInterceptorBindingBuildItem(httpSecurityRecorder.authMechanismSelectionInterceptorCreator(), (Map) list2.stream().collect(Collectors.toMap(httpAuthMechanismAnnotationBuildItem2 -> {
                return httpAuthMechanismAnnotationBuildItem2.annotationName.toString();
            }, httpAuthMechanismAnnotationBuildItem3 -> {
                return httpAuthMechanismAnnotationBuildItem3.authMechanismScheme;
            })), dotNameArr));
            httpSecurityRecorder.selectAuthMechanismViaAnnotation();
            if (hashSet.isEmpty()) {
                return;
            }
            buildProducer2.produce(new AdditionalSecuredMethodsBuildItem(hashSet, Optional.of(List.of("**"))));
        }
    }

    @BuildStep
    void collectInterceptedMethods(CombinedIndexBuildItem combinedIndexBuildItem, List<EagerSecurityInterceptorBindingBuildItem> list, List<ClassSecurityAnnotationBuildItem> list2, BuildProducer<EagerSecurityInterceptorMethodsBuildItem> buildProducer, BuildProducer<EagerSecurityInterceptorClassesBuildItem> buildProducer2) {
        if (list.isEmpty()) {
            return;
        }
        Map map = (Map) list.stream().flatMap(eagerSecurityInterceptorBindingBuildItem -> {
            return Arrays.stream(eagerSecurityInterceptorBindingBuildItem.getAnnotationBindings()).map(dotName -> {
                return Map.entry(dotName, Boolean.valueOf(eagerSecurityInterceptorBindingBuildItem.requiresSecurityCheck()));
            });
        }).collect(Collectors.toMap((v0) -> {
            return v0.getKey();
        }, (v0) -> {
            return v0.getValue();
        }));
        IndexView index = combinedIndexBuildItem.getIndex();
        HashMap hashMap = new HashMap();
        HashMap hashMap2 = new HashMap();
        Predicate useClassLevelSecurity = ClassSecurityAnnotationBuildItem.useClassLevelSecurity(list2);
        HashMap hashMap3 = new HashMap();
        addInterceptedEndpoints(list, index, AnnotationTarget.Kind.METHOD, hashMap2, hashMap, useClassLevelSecurity, hashMap3);
        addInterceptedEndpoints(list, index, AnnotationTarget.Kind.CLASS, hashMap2, hashMap, useClassLevelSecurity, hashMap3);
        if (!hashMap2.isEmpty()) {
            hashMap2.forEach((dotName, map2) -> {
                buildProducer.produce(new EagerSecurityInterceptorMethodsBuildItem(map2, dotName, ((Boolean) map.get(dotName)).booleanValue()));
            });
        }
        if (hashMap3.isEmpty()) {
            return;
        }
        hashMap3.forEach((dotName2, map3) -> {
            buildProducer2.produce(new EagerSecurityInterceptorClassesBuildItem(map3, dotName2));
        });
    }

    @BuildStep
    @Record(ExecutionTime.STATIC_INIT)
    void produceEagerSecurityInterceptorStorage(HttpSecurityRecorder httpSecurityRecorder, BuildProducer<SyntheticBeanBuildItem> buildProducer, List<EagerSecurityInterceptorBindingBuildItem> list, List<EagerSecurityInterceptorClassesBuildItem> list2, List<EagerSecurityInterceptorMethodsBuildItem> list3) {
        if (list3.isEmpty() && list2.isEmpty()) {
            return;
        }
        Map map = (Map) list.stream().flatMap(eagerSecurityInterceptorBindingBuildItem -> {
            return Arrays.stream(eagerSecurityInterceptorBindingBuildItem.getAnnotationBindings()).map(dotName -> {
                return Map.entry(dotName, eagerSecurityInterceptorBindingBuildItem.getInterceptorCreator());
            });
        }).collect(Collectors.toMap((v0) -> {
            return v0.getKey();
        }, (v0) -> {
            return v0.getValue();
        }));
        HashMap hashMap = new HashMap();
        HashMap hashMap2 = new HashMap();
        for (EagerSecurityInterceptorMethodsBuildItem eagerSecurityInterceptorMethodsBuildItem : list3) {
            Function function = (Function) map.get(eagerSecurityInterceptorMethodsBuildItem.interceptorBinding);
            for (Map.Entry<String, List<MethodInfo>> entry : eagerSecurityInterceptorMethodsBuildItem.bindingValueToInterceptedMethods.entrySet()) {
                String key = entry.getKey();
                List<MethodInfo> value = entry.getValue();
                Consumer createEagerSecurityInterceptor = httpSecurityRecorder.createEagerSecurityInterceptor(function, key);
                Iterator<MethodInfo> it = value.iterator();
                while (it.hasNext()) {
                    hashMap2.compute((RuntimeValue) hashMap.computeIfAbsent(it.next(), methodInfo -> {
                        return httpSecurityRecorder.createMethodDescription(methodInfo.declaringClass().name().toString(), methodInfo.name(), (String[]) methodInfo.parameterTypes().stream().map(type -> {
                            return type.name().toString();
                        }).toArray(i -> {
                            return new String[i];
                        }));
                    }), (runtimeValue, consumer) -> {
                        return consumer == null ? createEagerSecurityInterceptor : httpSecurityRecorder.compoundSecurityInterceptor(createEagerSecurityInterceptor, consumer);
                    });
                }
            }
        }
        HashMap hashMap3 = new HashMap();
        for (EagerSecurityInterceptorClassesBuildItem eagerSecurityInterceptorClassesBuildItem : list2) {
            Function function2 = (Function) map.get(eagerSecurityInterceptorClassesBuildItem.interceptorBinding);
            eagerSecurityInterceptorClassesBuildItem.bindingValueToInterceptedClasses.forEach((str, set) -> {
                Consumer createEagerSecurityInterceptor2 = httpSecurityRecorder.createEagerSecurityInterceptor(function2, str);
                Iterator it2 = set.iterator();
                while (it2.hasNext()) {
                    hashMap3.compute((String) it2.next(), (str, consumer2) -> {
                        return consumer2 == null ? createEagerSecurityInterceptor2 : httpSecurityRecorder.compoundSecurityInterceptor(createEagerSecurityInterceptor2, consumer2);
                    });
                }
            });
        }
        buildProducer.produce(SyntheticBeanBuildItem.configure(EagerSecurityInterceptorStorage.class).scope(ApplicationScoped.class).supplier(httpSecurityRecorder.createSecurityInterceptorStorage(hashMap2, hashMap3)).unremovable().done());
    }

    @BuildStep
    @Record(ExecutionTime.STATIC_INIT)
    void addRoutingCtxToSecurityEventsForCdiBeans(HttpSecurityRecorder httpSecurityRecorder, Capabilities capabilities, BuildProducer<AdditionalSecurityConstrainerEventPropsBuildItem> buildProducer) {
        if (capabilities.isPresent("io.quarkus.security")) {
            buildProducer.produce(new AdditionalSecurityConstrainerEventPropsBuildItem(httpSecurityRecorder.createAdditionalSecEventPropsSupplier()));
        }
    }

    @BuildStep
    AuthorizationPolicyInstancesBuildItem gatherAuthorizationPolicyInstances(CombinedIndexBuildItem combinedIndexBuildItem, Capabilities capabilities) {
        if (capabilities.isPresent("io.quarkus.security")) {
            return new AuthorizationPolicyInstancesBuildItem((Map) combinedIndexBuildItem.getIndex().getAnnotations(HttpSecurityUtils.AUTHORIZATION_POLICY).stream().flatMap(annotationInstance -> {
                String asString = annotationInstance.value("name").asString();
                if (asString.isBlank()) {
                    throw new RuntimeException("The @AuthorizationPolicy annotation placed on '%s' must not have blank policy name.\n".formatted(annotationInstance.target().kind() == AnnotationTarget.Kind.CLASS ? annotationInstance.target().asClass().name().toString() : annotationInstance.target().asMethod().name()));
                }
                return getPolicyTargetEndpointCandidates(annotationInstance.target()).map(methodInfo -> {
                    return Map.entry(methodInfo, asString);
                });
            }).collect(Collectors.toMap((v0) -> {
                return v0.getKey();
            }, (v0) -> {
                return v0.getValue();
            })));
        }
        return null;
    }

    @BuildStep
    void generateAuthorizationPolicyStorage(BuildProducer<GeneratedBeanBuildItem> buildProducer, Capabilities capabilities, AuthorizationPolicyInstancesBuildItem authorizationPolicyInstancesBuildItem, BuildProducer<AdditionalSecurityAnnotationBuildItem> buildProducer2) {
        MethodCreator methodCreator;
        if (capabilities.isPresent("io.quarkus.security")) {
            if (capabilities.isPresent("io.quarkus.rest") || capabilities.isPresent("io.quarkus.resteasy")) {
                ClassCreator build = ClassCreator.builder().className(AuthorizationPolicyStorage.class.getName() + "_Impl").superClass(AuthorizationPolicyStorage.class).classOutput(new GeneratedBeanGizmoAdaptor(buildProducer)).build();
                try {
                    build.addAnnotation(Singleton.class);
                    MethodCreator constructorCreator = build.getConstructorCreator(new String[0]);
                    constructorCreator.invokeSpecialMethod(MethodDescriptor.ofConstructor(AuthorizationPolicyStorage.class, new Class[0]), constructorCreator.getThis(), new ResultHandle[0]);
                    String typeToString = DescriptorUtils.typeToString(ParameterizedType.create(Map.class, new Type[]{Type.create(MethodDescription.class), Type.create(String.class)}));
                    if (authorizationPolicyInstancesBuildItem.methodToPolicyName.isEmpty()) {
                        methodCreator = build.getMethodCreator(MethodDescriptor.ofMethod(AuthorizationPolicyStorage.class, "getMethodToPolicyName", typeToString, new Object[0]));
                        try {
                            methodCreator.returnValue(methodCreator.invokeStaticInterfaceMethod(MethodDescriptor.ofMethod(Map.class, "of", Map.class, new Class[0]), new ResultHandle[0]));
                            if (methodCreator != null) {
                                methodCreator.close();
                            }
                        } finally {
                        }
                    } else {
                        buildProducer2.produce(new AdditionalSecurityAnnotationBuildItem(HttpSecurityUtils.AUTHORIZATION_POLICY));
                        FieldCreator modifiers = build.getFieldCreator("methodToPolicyName", typeToString).setModifiers(18);
                        methodCreator = build.getMethodCreator(MethodDescriptor.ofMethod(AuthorizationPolicyStorage.class, "getMethodToPolicyName", typeToString, new Object[0]));
                        try {
                            methodCreator.returnValue(methodCreator.readInstanceField(modifiers.getFieldDescriptor(), methodCreator.getThis()));
                            if (methodCreator != null) {
                                methodCreator.close();
                            }
                            ResultHandle newInstance = constructorCreator.newInstance(MethodDescriptor.ofConstructor(AuthorizationPolicyStorage.MethodsToPolicyBuilder.class, new Class[0]), new ResultHandle[0]);
                            MethodDescriptor ofMethod = MethodDescriptor.ofMethod(AuthorizationPolicyStorage.MethodsToPolicyBuilder.class, "addMethodToPolicyName", AuthorizationPolicyStorage.MethodsToPolicyBuilder.class, new Class[]{String.class, String.class, String.class, String[].class});
                            for (Map.Entry<MethodInfo, String> entry : authorizationPolicyInstancesBuildItem.methodToPolicyName.entrySet()) {
                                MethodInfo key = entry.getKey();
                                ResultHandle load = constructorCreator.load(entry.getValue());
                                ResultHandle load2 = constructorCreator.load(key.name());
                                ResultHandle load3 = constructorCreator.load(key.declaringClass().name().toString());
                                Stream map = key.parameterTypes().stream().map(type -> {
                                    return type.name().toString();
                                });
                                Objects.requireNonNull(constructorCreator);
                                newInstance = constructorCreator.invokeVirtualMethod(ofMethod, newInstance, new ResultHandle[]{load, load3, load2, constructorCreator.marshalAsArray(String[].class, (ResultHandle[]) map.map(constructorCreator::load).toArray(i -> {
                                    return new ResultHandle[i];
                                }))});
                            }
                            constructorCreator.writeInstanceField(modifiers.getFieldDescriptor(), constructorCreator.getThis(), constructorCreator.invokeVirtualMethod(MethodDescriptor.ofMethod(AuthorizationPolicyStorage.MethodsToPolicyBuilder.class, "build", DescriptorUtils.typeToString(ParameterizedType.create(Map.class, new Type[]{TypeVariable.create(MethodDescription.class), TypeVariable.create(String.class)})), new Object[0]), newInstance, new ResultHandle[0]));
                        } finally {
                        }
                    }
                    constructorCreator.returnVoid();
                    if (build != null) {
                        build.close();
                    }
                } catch (Throwable th) {
                    if (build != null) {
                        try {
                            build.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    }
                    throw th;
                }
            }
        }
    }

    @BuildStep(onlyIf = {AlwaysPropagateSecurityIdentity.class})
    AdditionalBeanBuildItem createSecurityIdentityAssociation() {
        return AdditionalBeanBuildItem.unremovableOf(VertxSecurityIdentityAssociation.class);
    }

    @BuildStep(onlyIf = {AlwaysPropagateSecurityIdentity.class})
    @Record(ExecutionTime.STATIC_INIT)
    IgnoredContextLocalDataKeysBuildItem dontPropagateSecurityIdentityToDuplicateContext(HttpSecurityRecorder httpSecurityRecorder) {
        return new IgnoredContextLocalDataKeysBuildItem(httpSecurityRecorder.getSecurityIdentityContextKeySupplier());
    }

    private static Stream<MethodInfo> getPolicyTargetEndpointCandidates(AnnotationTarget annotationTarget) {
        if (annotationTarget.kind() != AnnotationTarget.Kind.METHOD) {
            return annotationTarget.asClass().methods().stream().filter(HttpSecurityProcessor::hasProperEndpointModifiers).filter(methodInfo -> {
                return !HttpSecurityUtils.hasSecurityAnnotation(methodInfo);
            });
        }
        MethodInfo asMethod = annotationTarget.asMethod();
        if (hasProperEndpointModifiers(asMethod)) {
            return Stream.of(asMethod);
        }
        if (asMethod.isSynthetic() && asMethod.name().endsWith(KOTLIN_SUSPEND_IMPL_SUFFIX)) {
            return Stream.empty();
        }
        throw new RuntimeException("Found method annotated with the @AuthorizationPolicy annotation that is not an endpoint: %s#%s\n".formatted(asMethod.declaringClass().name().toString(), asMethod.name()));
    }

    private static void validateAuthMechanismAnnotationUsage(Capabilities capabilities, VertxHttpBuildTimeConfig vertxHttpBuildTimeConfig, DotName[] dotNameArr) {
        if (vertxHttpBuildTimeConfig.auth().proactive() || (capabilities.isMissing("io.quarkus.resteasy.reactive") && capabilities.isMissing("io.quarkus.resteasy") && capabilities.isMissing("io.quarkus.websockets.next"))) {
            throw new ConfigurationException("Annotations '" + Arrays.toString(dotNameArr) + "' can only be used when proactive authentication is disabled and either Quarkus REST, RESTEasy Classic or WebSockets Next extension is present");
        }
    }

    private static boolean isMtlsClientAuthenticationEnabled(VertxHttpBuildTimeConfig vertxHttpBuildTimeConfig) {
        return !ClientAuth.NONE.equals(vertxHttpBuildTimeConfig.tlsClientAuth());
    }

    public static Set<MethodInfo> collectClassMethodsWithoutRbacAnnotation(Collection<ClassInfo> collection) {
        return (Set) collection.stream().filter(classInfo -> {
            return !HttpSecurityUtils.hasSecurityAnnotation(classInfo);
        }).map((v0) -> {
            return v0.methods();
        }).flatMap((v0) -> {
            return v0.stream();
        }).filter(HttpSecurityProcessor::hasProperEndpointModifiers).filter(methodInfo -> {
            return !HttpSecurityUtils.hasSecurityAnnotation(methodInfo);
        }).collect(Collectors.toSet());
    }

    public static Set<MethodInfo> collectMethodsWithoutRbacAnnotation(Collection<MethodInfo> collection) {
        return (Set) collection.stream().filter(methodInfo -> {
            return !HttpSecurityUtils.hasSecurityAnnotation(methodInfo);
        }).collect(Collectors.toSet());
    }

    public static Set<ClassInfo> collectAnnotatedClasses(Collection<AnnotationInstance> collection, Predicate<ClassInfo> predicate) {
        return (Set) collection.stream().map((v0) -> {
            return v0.target();
        }).filter(annotationTarget -> {
            return annotationTarget.kind() == AnnotationTarget.Kind.CLASS;
        }).map((v0) -> {
            return v0.asClass();
        }).filter(predicate).collect(Collectors.toSet());
    }

    private static Set<MethodInfo> collectAnnotatedMethods(Collection<AnnotationInstance> collection) {
        return (Set) collection.stream().map((v0) -> {
            return v0.target();
        }).filter(annotationTarget -> {
            return annotationTarget.kind() == AnnotationTarget.Kind.METHOD;
        }).map((v0) -> {
            return v0.asMethod();
        }).collect(Collectors.toSet());
    }

    private static boolean hasProperEndpointModifiers(MethodInfo methodInfo) {
        return (methodInfo.isSynthetic() || !Modifier.isPublic(methodInfo.flags()) || methodInfo.isConstructor() || Modifier.isStatic(methodInfo.flags())) ? false : true;
    }

    private static void addInterceptedEndpoints(List<EagerSecurityInterceptorBindingBuildItem> list, IndexView indexView, AnnotationTarget.Kind kind, Map<DotName, Map<String, List<MethodInfo>>> map, Map<AnnotationTarget, List<EagerSecurityInterceptorBindingBuildItem>> map2, Predicate<ClassInfo> predicate, Map<DotName, Map<String, Set<String>>> map3) {
        for (EagerSecurityInterceptorBindingBuildItem eagerSecurityInterceptorBindingBuildItem : list) {
            for (DotName dotName : eagerSecurityInterceptorBindingBuildItem.getAnnotationBindings()) {
                HashMap hashMap = new HashMap();
                HashMap hashMap2 = new HashMap();
                for (AnnotationInstance annotationInstance : indexView.getAnnotations(dotName)) {
                    if (annotationInstance.target().kind() == kind) {
                        if (annotationInstance.target().kind() == AnnotationTarget.Kind.CLASS) {
                            ClassInfo asClass = annotationInstance.target().asClass();
                            if (predicate.test(asClass)) {
                                List<EagerSecurityInterceptorBindingBuildItem> computeIfAbsent = map2.computeIfAbsent(asClass, annotationTarget -> {
                                    return new ArrayList();
                                });
                                if (computeIfAbsent.contains(eagerSecurityInterceptorBindingBuildItem)) {
                                    throw new RuntimeException("Only one of the '%s' annotations can be applied on the '%s' class".formatted(Arrays.toString(eagerSecurityInterceptorBindingBuildItem.getAnnotationBindings()), asClass));
                                }
                                computeIfAbsent.add(eagerSecurityInterceptorBindingBuildItem);
                                ((Set) hashMap2.computeIfAbsent(eagerSecurityInterceptorBindingBuildItem.getBindingValue(annotationInstance, dotName, asClass), str -> {
                                    return new HashSet();
                                })).add(asClass.name().toString());
                            } else {
                                for (MethodInfo methodInfo : asClass.methods()) {
                                    if (hasProperEndpointModifiers(methodInfo)) {
                                        if ((map2.containsKey(methodInfo) && map2.get(methodInfo).contains(eagerSecurityInterceptorBindingBuildItem)) ? false : true) {
                                            addInterceptedEndpoint(methodInfo, annotationInstance, dotName, hashMap, eagerSecurityInterceptorBindingBuildItem);
                                        }
                                    }
                                }
                            }
                        } else {
                            MethodInfo asMethod = annotationInstance.target().asMethod();
                            List<EagerSecurityInterceptorBindingBuildItem> computeIfAbsent2 = map2.computeIfAbsent(asMethod, annotationTarget2 -> {
                                return new ArrayList();
                            });
                            if (computeIfAbsent2.contains(eagerSecurityInterceptorBindingBuildItem)) {
                                throw new RuntimeException("Only one of the '%s' annotations can be applied on the '%s' method".formatted(Arrays.toString(eagerSecurityInterceptorBindingBuildItem.getAnnotationBindings()), String.valueOf(asMethod.declaringClass().name()) + "#" + String.valueOf(asMethod)));
                            }
                            if (predicate.test(asMethod.declaringClass())) {
                                throw new RuntimeException("Security annotations '%s' cannot be applied on the '%s' method, please move the annotations to the class-level instead".formatted(Arrays.toString(Arrays.stream(eagerSecurityInterceptorBindingBuildItem.getAnnotationBindings()).toArray()), String.valueOf(asMethod.declaringClass().name()) + "#" + String.valueOf(asMethod)));
                            }
                            computeIfAbsent2.add(eagerSecurityInterceptorBindingBuildItem);
                            addInterceptedEndpoint(asMethod, annotationInstance, dotName, hashMap, eagerSecurityInterceptorBindingBuildItem);
                        }
                    }
                }
                if (!hashMap.isEmpty()) {
                    map.compute(dotName, (dotName2, map4) -> {
                        if (map4 == null) {
                            return hashMap;
                        }
                        hashMap.forEach((str2, list2) -> {
                            ((List) map4.computeIfAbsent(str2, str2 -> {
                                return new ArrayList();
                            })).addAll(list2);
                        });
                        return map4;
                    });
                }
                if (!hashMap2.isEmpty()) {
                    map3.compute(dotName, (dotName3, map5) -> {
                        if (map5 == null) {
                            return hashMap2;
                        }
                        hashMap2.forEach((str2, set) -> {
                            ((Set) map5.computeIfAbsent(str2, str2 -> {
                                return new HashSet();
                            })).addAll(set);
                        });
                        return map5;
                    });
                }
            }
        }
    }

    private static void addInterceptedEndpoint(MethodInfo methodInfo, AnnotationInstance annotationInstance, DotName dotName, Map<String, List<MethodInfo>> map, EagerSecurityInterceptorBindingBuildItem eagerSecurityInterceptorBindingBuildItem) {
        map.computeIfAbsent(eagerSecurityInterceptorBindingBuildItem.getBindingValue(annotationInstance, dotName, methodInfo), str -> {
            return new ArrayList();
        }).add(methodInfo);
    }
}
