package io.quarkus.websockets.next.runtime;

import io.quarkus.arc.Arc;
import io.quarkus.arc.ManagedContext;
import io.quarkus.security.AuthenticationFailedException;
import io.quarkus.security.credential.TokenCredential;
import io.quarkus.security.identity.CurrentIdentityAssociation;
import io.quarkus.security.identity.IdentityProviderManager;
import io.quarkus.security.identity.SecurityIdentity;
import io.quarkus.vertx.http.runtime.security.HttpSecurityUtils;
import io.quarkus.websockets.next.CloseReason;
import io.quarkus.websockets.next.WebSocketServerException;
import io.quarkus.websockets.next.runtime.spi.security.WebSocketIdentityUpdateRequest;
import io.vertx.core.Vertx;
import io.vertx.ext.web.RoutingContext;
import jakarta.enterprise.inject.Instance;
import java.util.Objects;
import java.util.concurrent.CompletionStage;
import java.util.concurrent.TimeUnit;
import org.jboss.logging.Logger;

/* loaded from: input_file:io/quarkus/websockets/next/runtime/SecuritySupport.class */
public final class SecuritySupport {
    public static final String QUARKUS_IDENTITY_EXPIRE_TIME = "quarkus.identity.expire-time";
    private static final Logger LOG = Logger.getLogger(SecuritySupport.class);
    static final SecuritySupport NOOP = new SecuritySupport(null, null, null, null);
    private final Instance<CurrentIdentityAssociation> currentIdentity;
    private final ManagedContext requestContext;
    private final RoutingContext routingContext;
    private volatile SecurityIdentity identity;
    private volatile Runnable onClose;

    /* JADX INFO: Access modifiers changed from: package-private */
    public SecuritySupport(Instance<CurrentIdentityAssociation> instance, SecurityIdentity securityIdentity, WebSocketConnectionImpl webSocketConnectionImpl, RoutingContext routingContext) {
        this.currentIdentity = instance;
        if (this.currentIdentity != null) {
            this.identity = (SecurityIdentity) Objects.requireNonNull(securityIdentity);
            this.onClose = closeConnectionWhenIdentityExpired(routingContext.vertx(), webSocketConnectionImpl, this.identity);
        } else {
            this.identity = null;
            this.onClose = null;
        }
        this.requestContext = Arc.container().requestContext();
        this.routingContext = routingContext;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public void start() {
        if (this.currentIdentity == null || !this.requestContext.isActive()) {
            return;
        }
        ((CurrentIdentityAssociation) this.currentIdentity.get()).setIdentity(this.identity);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public void onClose() {
        if (this.onClose != null) {
            this.onClose.run();
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public CompletionStage<SecurityIdentity> updateSecurityIdentity(String str, WebSocketConnectionImpl webSocketConnectionImpl, IdentityProviderManager identityProviderManager) {
        return identityProviderManager.authenticate(HttpSecurityUtils.setRoutingContextAttribute(new WebSocketIdentityUpdateRequest(new TokenCredential(str, "bearer"), this.identity), this.routingContext)).onItem().ifNull().failWith(AuthenticationFailedException::new).invoke(securityIdentity -> {
            updateSecurityIdentity(securityIdentity, webSocketConnectionImpl);
        }).onFailure().invoke(th -> {
            LOG.debug("Failed to update SecurityIdentity attached to the WebSocket connection with id " + webSocketConnectionImpl.id(), th);
        }).convert().toCompletionStage();
    }

    private synchronized void updateSecurityIdentity(SecurityIdentity securityIdentity, WebSocketConnectionImpl webSocketConnectionImpl) {
        if (webSocketConnectionImpl.isClosed()) {
            return;
        }
        if (securityIdentity.isAnonymous()) {
            throw new AuthenticationFailedException("Updated SecurityIdentity is anonymous");
        }
        if (LOG.isDebugEnabled()) {
            Long l = (Long) securityIdentity.getAttribute(QUARKUS_IDENTITY_EXPIRE_TIME);
            String normalizedPath = this.routingContext.normalizedPath();
            LOG.debugf("Updated 'SecurityIdentity' with principal name '%s' used by WebSocket connection '%s' and path '%s', the new SecurityIdentity expires at '%d'", new Object[]{securityIdentity.getPrincipal().getName(), webSocketConnectionImpl.id(), normalizedPath, l});
        }
        String name = this.identity.getPrincipal().getName();
        String name2 = securityIdentity.getPrincipal().getName();
        if (!name.equals(name2)) {
            throw new WebSocketServerException("New SecurityIdentity principal name '%s' is different than previous principal name '%s'. SecurityIdentity update is aborted".formatted(name2, name));
        }
        onClose();
        this.identity = securityIdentity;
        this.onClose = closeConnectionWhenIdentityExpired(this.routingContext.vertx(), webSocketConnectionImpl, securityIdentity);
        if (webSocketConnectionImpl.isClosed()) {
            onClose();
        } else {
            start();
        }
    }

    private static Runnable closeConnectionWhenIdentityExpired(Vertx vertx, WebSocketConnectionImpl webSocketConnectionImpl, SecurityIdentity securityIdentity) {
        Object attribute = securityIdentity.getAttribute(QUARKUS_IDENTITY_EXPIRE_TIME);
        if (!(attribute instanceof Long)) {
            return null;
        }
        long timer = vertx.setTimer(TimeUnit.SECONDS.toMillis(((Long) attribute).longValue()) - System.currentTimeMillis(), l -> {
            webSocketConnectionImpl.close(new CloseReason(1008, "Authentication expired")).subscribe().with(r5 -> {
                LOG.tracef("Closed connection due to expired authentication: %s", webSocketConnectionImpl);
            }, th -> {
                LOG.errorf("Unable to close connection [%s] after authentication expired due to unhandled failure: %s", webSocketConnectionImpl, th);
            });
        });
        return () -> {
            vertx.cancelTimer(timer);
        };
    }
}
