package io.quarkus.resteasy.reactive.server.runtime.security;

import io.quarkus.arc.Arc;
import io.quarkus.resteasy.reactive.server.runtime.StandardSecurityCheckInterceptor;
import io.quarkus.security.UnauthorizedException;
import io.quarkus.security.identity.CurrentIdentityAssociation;
import io.quarkus.security.identity.SecurityIdentity;
import io.quarkus.security.spi.runtime.AuthorizationFailureEvent;
import io.quarkus.security.spi.runtime.AuthorizationSuccessEvent;
import io.quarkus.security.spi.runtime.MethodDescription;
import io.quarkus.security.spi.runtime.SecurityCheck;
import io.quarkus.security.spi.runtime.SecurityCheckStorage;
import io.quarkus.vertx.http.runtime.security.AuthorizationPolicyStorage;
import io.quarkus.vertx.http.runtime.security.QuarkusHttpUser;
import io.smallrye.mutiny.Uni;
import io.smallrye.mutiny.subscription.UniSubscriber;
import io.smallrye.mutiny.subscription.UniSubscription;
import io.vertx.ext.web.RoutingContext;
import java.lang.annotation.Annotation;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.function.Consumer;
import java.util.function.Function;
import java.util.function.Supplier;
import org.jboss.resteasy.reactive.common.model.ResourceClass;
import org.jboss.resteasy.reactive.server.core.ResteasyReactiveRequestContext;
import org.jboss.resteasy.reactive.server.model.HandlerChainCustomizer;
import org.jboss.resteasy.reactive.server.model.ServerResourceMethod;
import org.jboss.resteasy.reactive.server.spi.ServerRestHandler;

/* loaded from: input_file:io/quarkus/resteasy/reactive/server/runtime/security/EagerSecurityHandler.class */
/**
 * REST handler that runs authorization for a matched resource method before the request proceeds.
 *
 * <p>{@link Customizer} adds an instance to the handler chain only for
 * {@code HandlerChainCustomizer.Phase.AFTER_MATCH}. Depending on how the instance was built,
 * {@link #handle} runs the permission check from {@code EagerSecurityContext}, a {@link SecurityCheck}
 * bound to the resource method, or both. The request is suspended while the check is evaluated and
 * resumed with the failure when the check rejects it.
 *
 * <p>This listing is decompiler output: parameter names such as {@code z} and some local typing are
 * artifacts of decompilation, not the names used by the original authors.
 */
public class EagerSecurityHandler implements ServerRestHandler {
    // Shared instance with no SecurityCheck and no method description. handle() on it can only run
    // EagerSecurityContext#getPermissionCheck, and does nothing when doNotRunPermissionSecurityCheck is set.
    private static final EagerSecurityHandler HTTP_PERMS_ONLY = new EagerSecurityHandler(null, false, null);
    // Security check bound to the resource method; null for the permission-only and authorization-policy variants.
    private final SecurityCheck check;
    // True when 'check' came from SecurityCheckStorage#getDefaultSecurityCheck() rather than a method-specific lookup.
    private final boolean isDefaultJaxRsSecCheck;
    // Method description handed to the permission check and to the security check; null for HTTP_PERMS_ONLY.
    private final MethodDescription invokedMethodDesc;

    /* loaded from: input_file:io/quarkus/resteasy/reactive/server/runtime/security/EagerSecurityHandler$Customizer.class */
    /**
     * Decides which {@link EagerSecurityHandler} variant, if any, is placed in a resource method's
     * handler chain. The three concrete subclasses differ only in the two boolean switches
     * {@link #onlyCheckForHttpPermissions()} and {@link #applyAuthorizationPolicy()}.
     */
    public static abstract class Customizer implements HandlerChainCustomizer {

        /* loaded from: input_file:io/quarkus/resteasy/reactive/server/runtime/security/EagerSecurityHandler$Customizer$AuthZPolicyCustomizer.class */
        /**
         * Variant for methods that need an authorization policy: {@link #handlers} delegates to
         * {@code createHandlerForAuthZPolicy}, which yields a handler with no {@link SecurityCheck}.
         */
        public static final class AuthZPolicyCustomizer extends Customizer {
            @Override // io.quarkus.resteasy.reactive.server.runtime.security.EagerSecurityHandler.Customizer
            protected boolean onlyCheckForHttpPermissions() {
                return true;
            }

            @Override // io.quarkus.resteasy.reactive.server.runtime.security.EagerSecurityHandler.Customizer
            protected boolean applyAuthorizationPolicy() {
                return true;
            }
        }

        /* loaded from: input_file:io/quarkus/resteasy/reactive/server/runtime/security/EagerSecurityHandler$Customizer$HttpPermissionsAndSecurityChecksCustomizer.class */
        /**
         * Variant that resolves a {@link SecurityCheck} for the method, so the resulting handler can
         * run both the permission check and the security check.
         */
        public static final class HttpPermissionsAndSecurityChecksCustomizer extends Customizer {
            @Override // io.quarkus.resteasy.reactive.server.runtime.security.EagerSecurityHandler.Customizer
            protected boolean onlyCheckForHttpPermissions() {
                return false;
            }

            @Override // io.quarkus.resteasy.reactive.server.runtime.security.EagerSecurityHandler.Customizer
            protected boolean applyAuthorizationPolicy() {
                return false;
            }
        }

        /* loaded from: input_file:io/quarkus/resteasy/reactive/server/runtime/security/EagerSecurityHandler$Customizer$HttpPermissionsOnlyCustomizer.class */
        /**
         * Variant that installs the shared {@code HTTP_PERMS_ONLY} handler: no {@link SecurityCheck}
         * lookup and no authorization policy.
         */
        public static final class HttpPermissionsOnlyCustomizer extends Customizer {
            @Override // io.quarkus.resteasy.reactive.server.runtime.security.EagerSecurityHandler.Customizer
            protected boolean onlyCheckForHttpPermissions() {
                return true;
            }

            @Override // io.quarkus.resteasy.reactive.server.runtime.security.EagerSecurityHandler.Customizer
            protected boolean applyAuthorizationPolicy() {
                return false;
            }
        }

        /**
         * Creates the customizer used for resource methods that require an authorization policy.
         *
         * @return a new {@link AuthZPolicyCustomizer}
         */
        public static HandlerChainCustomizer newInstanceWithAuthorizationPolicy() {
            return new AuthZPolicyCustomizer();
        }

        /**
         * Creates a customizer for either permission-only or permission-plus-security-check handling.
         *
         * @param z when {@code true}, returns {@link HttpPermissionsOnlyCustomizer}; otherwise
         *          {@link HttpPermissionsAndSecurityChecksCustomizer}
         * @return the selected customizer
         */
        public static HandlerChainCustomizer newInstance(boolean z) {
            return z ? new HttpPermissionsOnlyCustomizer() : new HttpPermissionsAndSecurityChecksCustomizer();
        }

        /**
         * Returns the security handler to insert for the given resource method.
         *
         * <p>For the security-check variant the {@link SecurityCheck} is resolved in this order: the
         * invoked method, the fallback method (when one exists), then the storage's default check.
         *
         * @param phase chain-building phase; only {@code AFTER_MATCH} yields a handler
         * @param resourceClass not read by this implementation
         * @param serverResourceMethod resource method the handler will guard
         * @return a single-element list with the handler, or an empty list for other phases
         * @throws IllegalStateException when no security check, not even a default one, can be found
         */
        public List<ServerRestHandler> handlers(HandlerChainCustomizer.Phase phase, ResourceClass resourceClass, ServerResourceMethod serverResourceMethod) {
            if (phase != HandlerChainCustomizer.Phase.AFTER_MATCH) {
                return Collections.emptyList();
            }
            if (onlyCheckForHttpPermissions()) {
                return applyAuthorizationPolicy() ? createHandlerForAuthZPolicy(serverResourceMethod) : Collections.singletonList(EagerSecurityHandler.HTTP_PERMS_ONLY);
            }
            // z records whether the default check was used; it becomes isDefaultJaxRsSecCheck on the handler.
            boolean z = false;
            ResourceMethodDescription of = ResourceMethodDescription.of(serverResourceMethod);
            SecurityCheckStorage securityCheckStorage = (SecurityCheckStorage) Arc.container().instance(SecurityCheckStorage.class, new Annotation[0]).get();
            SecurityCheck securityCheck = securityCheckStorage.getSecurityCheck(of.invokedMethodDesc());
            if (securityCheck == null && of.fallbackMethodDesc() != null) {
                securityCheck = securityCheckStorage.getSecurityCheck(of.fallbackMethodDesc());
            }
            if (securityCheck == null) {
                securityCheck = securityCheckStorage.getDefaultSecurityCheck();
                z = true;
            }
            // Fail closed: refuse to build the chain instead of installing a handler without a check.
            // The message suggests this customizer is only registered for methods known to carry a
            // security annotation - confirm against the build-time processor.
            if (securityCheck == null) {
                throw new IllegalStateException("Security annotation placed on resource method '%s#%s' wasn't detected by Quarkus during the build time.\nPlease consult https://quarkus.io/guides/cdi-reference#bean_discovery on how to make the module containing the code discoverable by Quarkus.\n".formatted(of.invokedMethodDesc().getClassName(), of.invokedMethodDesc().getMethodName()));
            }
            return Collections.singletonList(new EagerSecurityHandler(securityCheck, z, of.invokedMethodDesc()));
        }

        /**
         * Builds the handler for a method that requires an authorization policy.
         *
         * <p>The handler carries no {@link SecurityCheck}; only the description of the method for
         * which {@link AuthorizationPolicyStorage} reports a policy (invoked method first, then the
         * fallback method) is passed on, and {@code handle} forwards it to
         * {@code EagerSecurityContext#getPermissionCheck}.
         *
         * @param serverResourceMethod resource method the handler will guard
         * @return a single-element list with the handler
         * @throws IllegalStateException when neither method description requires a policy
         */
        private static List<ServerRestHandler> createHandlerForAuthZPolicy(ServerResourceMethod serverResourceMethod) {
            MethodDescription fallbackMethodDesc;
            ResourceMethodDescription of = ResourceMethodDescription.of(serverResourceMethod);
            AuthorizationPolicyStorage authorizationPolicyStorage = (AuthorizationPolicyStorage) Arc.container().select(AuthorizationPolicyStorage.class, new Annotation[0]).get();
            if (authorizationPolicyStorage.requiresAuthorizationPolicy(of.invokedMethodDesc())) {
                // Despite the decompiler-chosen local name, this branch stores the invoked method's description.
                fallbackMethodDesc = of.invokedMethodDesc();
            } else {
                // NOTE(review): fallbackMethodDesc() is passed here without the null guard that
                // handlers() applies; whether requiresAuthorizationPolicy accepts null is not visible
                // in this file - confirm.
                if (!authorizationPolicyStorage.requiresAuthorizationPolicy(of.fallbackMethodDesc())) {
                    throw new IllegalStateException("@AuthorizationPolicy annotation placed on resource method '%s#%s' wasn't detected by Quarkus during the build time.\nPlease consult https://quarkus.io/guides/cdi-reference#bean_discovery on how to make the module containing the code discoverable by Quarkus.\n".formatted(of.invokedMethodDesc().getClassName(), of.invokedMethodDesc().getMethodName()));
                }
                fallbackMethodDesc = of.fallbackMethodDesc();
            }
            return Collections.singletonList(new EagerSecurityHandler(null, false, fallbackMethodDesc));
        }

        /**
         * @return {@code true} when no {@link SecurityCheck} should be looked up for the method
         */
        protected abstract boolean onlyCheckForHttpPermissions();

        /**
         * @return {@code true} when the handler must be built by {@code createHandlerForAuthZPolicy};
         *         only consulted when {@link #onlyCheckForHttpPermissions()} is {@code true}
         */
        protected abstract boolean applyAuthorizationPolicy();
    }

    /**
     * @param securityCheck check bound to the resource method, or {@code null}
     * @param z whether {@code securityCheck} is the storage's default check
     * @param methodDescription method description used by the checks, or {@code null}
     */
    private EagerSecurityHandler(SecurityCheck securityCheck, boolean z, MethodDescription methodDescription) {
        this.check = securityCheck;
        this.isDefaultJaxRsSecCheck = z;
        this.invokedMethodDesc = methodDescription;
    }

    /**
     * Runs the configured checks for the current request.
     *
     * <p>Returns without doing anything when authorization is disabled, when this handler holds the
     * default check and the request is already marked as checked, or when there is no security
     * check function to run and {@code doNotRunPermissionSecurityCheck} is set. Otherwise the request
     * is suspended, the check chain is subscribed, and the request is resumed normally on success or
     * with the throwable on failure.
     *
     * @param resteasyReactiveRequestContext context of the request being authorized
     * @throws Exception declared by the handler interface
     */
    public void handle(final ResteasyReactiveRequestContext resteasyReactiveRequestContext) throws Exception {
        Uni chain;
        // When authorization is disabled this handler performs no check at all.
        if (EagerSecurityContext.instance.authorizationController.isAuthorizationEnabled()) {
            // The skip applies only to the default check; a method-specific check is always evaluated here.
            if (this.isDefaultJaxRsSecCheck && isRequestAlreadyChecked(resteasyReactiveRequestContext)) {
                return;
            }
            // getSecurityCheck returns null for a permit-all check, so null here means "no check function to chain".
            Function<SecurityIdentity, Uni<?>> securityCheck = this.check == null ? null : getSecurityCheck(resteasyReactiveRequestContext, this.check, this.invokedMethodDesc);
            if (securityCheck != null) {
                // Either resolve the identity and run the security check directly, or run the
                // permission check first and feed the identity it yields into the security check.
                chain = EagerSecurityContext.instance.doNotRunPermissionSecurityCheck ? EagerSecurityContext.instance.getDeferredIdentity().chain(securityCheck) : EagerSecurityContext.instance.getDeferredIdentity().flatMap(new Function<SecurityIdentity, Uni<? extends SecurityIdentity>>() { // from class: io.quarkus.resteasy.reactive.server.runtime.security.EagerSecurityHandler.2
                    @Override // java.util.function.Function
                    public Uni<SecurityIdentity> apply(SecurityIdentity securityIdentity) {
                        return EagerSecurityContext.instance.getPermissionCheck(resteasyReactiveRequestContext, securityIdentity, EagerSecurityHandler.this.invokedMethodDesc);
                    }
                }).chain(securityCheck);
            } else if (EagerSecurityContext.instance.doNotRunPermissionSecurityCheck) {
                return;
            } else {
                // Permission check only; it is called with a null identity on this path.
                chain = Uni.createFrom().deferred(new Supplier<Uni<?>>() { // from class: io.quarkus.resteasy.reactive.server.runtime.security.EagerSecurityHandler.1
                    /* JADX WARN: Can't rename method to resolve collision */
                    @Override // java.util.function.Supplier
                    public Uni<?> get() {
                        return EagerSecurityContext.instance.getPermissionCheck(resteasyReactiveRequestContext, null, EagerSecurityHandler.this.invokedMethodDesc);
                    }
                });
            }
            resteasyReactiveRequestContext.requireCDIRequestScope();
            // Suspend before subscribing so the request is held until the chain completes.
            resteasyReactiveRequestContext.suspend();
            chain.subscribe().withSubscriber(new UniSubscriber<Object>() { // from class: io.quarkus.resteasy.reactive.server.runtime.security.EagerSecurityHandler.3
                public void onSubscribe(UniSubscription uniSubscription) {
                }

                public void onItem(Object obj) {
                    resteasyReactiveRequestContext.resume();
                }

                public void onFailure(Throwable th) {
                    // The failure is handed to the request context instead of resuming normally;
                    // the meaning of the boolean flag is defined by ResteasyReactiveRequestContext, not shown here.
                    resteasyReactiveRequestContext.resume(th, true);
                }
            });
        }
    }

    /**
     * Builds the function that applies {@code securityCheck} to a resolved identity.
     *
     * <p>For a permit-all check nothing needs to run per identity: the request is marked as checked,
     * a success event is fired when enabled, and {@code null} is returned. For any other check the
     * returned function either runs the check, or - when the check needs method arguments - only
     * rejects null or anonymous identities.
     *
     * @param resteasyReactiveRequestContext context of the request being authorized
     * @param securityCheck check to apply
     * @param methodDescription description of the guarded method, passed to the check and to events
     * @return the function to chain after identity resolution, or {@code null} for a permit-all check
     */
    private static Function<SecurityIdentity, Uni<?>> getSecurityCheck(final ResteasyReactiveRequestContext resteasyReactiveRequestContext, final SecurityCheck securityCheck, final MethodDescription methodDescription) {
        SecurityIdentity securityIdentity;
        if (!securityCheck.isPermitAll()) {
            return new Function<SecurityIdentity, Uni<?>>() { // from class: io.quarkus.resteasy.reactive.server.runtime.security.EagerSecurityHandler.4
                @Override // java.util.function.Function
                public Uni<?> apply(final SecurityIdentity securityIdentity2) {
                    // With proactive authentication disabled the resolved identity is stored in the
                    // CurrentIdentityAssociation before the check runs.
                    if (EagerSecurityContext.instance.isProactiveAuthDisabled) {
                        ((CurrentIdentityAssociation) EagerSecurityContext.instance.identityAssociation.get()).setIdentity(securityIdentity2);
                    }
                    if (securityCheck.requiresMethodArguments()) {
                        // The check itself is NOT evaluated on this path and the request is not marked
                        // as checked; only authentication is enforced. Presumably the full check runs
                        // later, once method arguments are available - confirm.
                        if (securityIdentity2 != null && !securityIdentity2.isAnonymous()) {
                            return Uni.createFrom().nullItem();
                        }
                        UnauthorizedException unauthorizedException = new UnauthorizedException();
                        if (EagerSecurityContext.instance.eventHelper.fireEventOnFailure()) {
                            EagerSecurityContext.instance.eventHelper.fireFailureEvent(new AuthorizationFailureEvent(securityIdentity2, unauthorizedException, securityCheck.getClass().getName(), EagerSecurityHandler.createEventPropsWithRoutingCtx(resteasyReactiveRequestContext), methodDescription));
                        }
                        throw unauthorizedException;
                    }
                    // Mark the request before running the check so it is recorded as already checked.
                    EagerSecurityHandler.preventRepeatedSecurityChecks(resteasyReactiveRequestContext, methodDescription);
                    Uni<?> nonBlockingApply = securityCheck.nonBlockingApply(securityIdentity2, methodDescription, resteasyReactiveRequestContext.getParameters());
                    // Event hooks are attached only when the matching event kind is enabled.
                    if (EagerSecurityContext.instance.eventHelper.fireEventOnFailure()) {
                        nonBlockingApply = nonBlockingApply.onFailure().invoke(new Consumer<Throwable>() { // from class: io.quarkus.resteasy.reactive.server.runtime.security.EagerSecurityHandler.4.1
                            @Override // java.util.function.Consumer
                            public void accept(Throwable th) {
                                EagerSecurityContext.instance.eventHelper.fireFailureEvent(new AuthorizationFailureEvent(securityIdentity2, th, securityCheck.getClass().getName(), EagerSecurityHandler.createEventPropsWithRoutingCtx(resteasyReactiveRequestContext), methodDescription));
                            }
                        });
                    }
                    if (EagerSecurityContext.instance.eventHelper.fireEventOnSuccess()) {
                        nonBlockingApply = nonBlockingApply.invoke(new Runnable() { // from class: io.quarkus.resteasy.reactive.server.runtime.security.EagerSecurityHandler.4.2
                            @Override // java.lang.Runnable
                            public void run() {
                                EagerSecurityContext.instance.eventHelper.fireSuccessEvent(new AuthorizationSuccessEvent(securityIdentity2, securityCheck.getClass().getName(), EagerSecurityHandler.createEventPropsWithRoutingCtx(resteasyReactiveRequestContext), methodDescription));
                            }
                        });
                    }
                    return nonBlockingApply;
                }
            };
        }
        // Permit-all: nothing to evaluate, but the request is still marked as checked.
        preventRepeatedSecurityChecks(resteasyReactiveRequestContext, methodDescription);
        if (!EagerSecurityContext.instance.eventHelper.fireEventOnSuccess()) {
            return null;
        }
        resteasyReactiveRequestContext.requireCDIRequestScope();
        // The success event carries the identity of the routing context's QuarkusHttpUser when there
        // is one, otherwise null. The two fireSuccessEvent calls below are the same event; the
        // duplication is a decompiler rendering of a single conditional.
        RoutingContext routingContext = (RoutingContext) resteasyReactiveRequestContext.unwrap(RoutingContext.class);
        if (routingContext != null) {
            QuarkusHttpUser user = routingContext.user();
            if (user instanceof QuarkusHttpUser) {
                securityIdentity = user.getSecurityIdentity();
                EagerSecurityContext.instance.eventHelper.fireSuccessEvent(new AuthorizationSuccessEvent(securityIdentity, securityCheck.getClass().getName(), createEventPropsWithRoutingCtx(resteasyReactiveRequestContext), methodDescription));
                return null;
            }
        }
        securityIdentity = null;
        EagerSecurityContext.instance.eventHelper.fireSuccessEvent(new AuthorizationSuccessEvent(securityIdentity, securityCheck.getClass().getName(), createEventPropsWithRoutingCtx(resteasyReactiveRequestContext), methodDescription));
        return null;
    }

    /**
     * Builds the property map attached to authorization events.
     *
     * @param resteasyReactiveRequestContext context of the request being authorized
     * @return an immutable map holding the live {@link RoutingContext} under its class name, or an
     *         empty map when the request context cannot be unwrapped to one
     */
    private static Map<String, Object> createEventPropsWithRoutingCtx(ResteasyReactiveRequestContext resteasyReactiveRequestContext) {
        RoutingContext routingContext = (RoutingContext) resteasyReactiveRequestContext.unwrap(RoutingContext.class);
        return routingContext == null ? Map.of() : Map.of(RoutingContext.class.getName(), routingContext);
    }

    /**
     * Marks the request as checked by storing the method description under the
     * {@code STANDARD_SECURITY_CHECK_INTERCEPTOR} property. Presumably read by
     * {@link StandardSecurityCheckInterceptor} to avoid running the same check twice - confirm there.
     */
    private static void preventRepeatedSecurityChecks(ResteasyReactiveRequestContext resteasyReactiveRequestContext, MethodDescription methodDescription) {
        resteasyReactiveRequestContext.setProperty(StandardSecurityCheckInterceptor.STANDARD_SECURITY_CHECK_INTERCEPTOR, methodDescription);
    }

    /**
     * Reports whether the request carries the "already checked" marker.
     *
     * <p>NOTE(review): only the presence of the property is tested, not whether the stored
     * {@link MethodDescription} matches the method this handler guards.
     *
     * @return {@code true} when the marker property is non-null
     */
    private static boolean isRequestAlreadyChecked(ResteasyReactiveRequestContext resteasyReactiveRequestContext) {
        return resteasyReactiveRequestContext.getProperty(StandardSecurityCheckInterceptor.STANDARD_SECURITY_CHECK_INTERCEPTOR) != null;
    }
}
