package io.quarkus.oidc.runtime;

import io.quarkus.oidc.AccessTokenCredential;
import io.quarkus.oidc.IdTokenCredential;
import io.quarkus.oidc.OidcTenantConfig;
import io.quarkus.oidc.OidcTokenCredential;
import io.quarkus.oidc.common.runtime.OidcConstants;
import io.quarkus.runtime.BlockingOperationControl;
import io.quarkus.security.AuthenticationFailedException;
import io.quarkus.security.credential.TokenCredential;
import io.quarkus.security.identity.AuthenticationRequestContext;
import io.quarkus.security.identity.IdentityProvider;
import io.quarkus.security.identity.SecurityIdentity;
import io.quarkus.security.identity.request.TokenAuthenticationRequest;
import io.quarkus.security.runtime.QuarkusSecurityIdentity;
import io.smallrye.mutiny.Uni;
import io.smallrye.mutiny.groups.UniCreate;
import io.vertx.core.json.JsonObject;
import io.vertx.ext.web.RoutingContext;
import java.security.Principal;
import java.util.function.BiFunction;
import java.util.function.Function;
import java.util.function.Supplier;
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import org.jose4j.lang.UnresolvableKeyException;

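@ApplicationScoped
/**
 * {@link IdentityProvider} that turns an OIDC token credential (ID token, JWT access token or opaque
 * bearer access token, see the {@code instanceof} checks below) into a {@link SecurityIdentity}.
 * <p>
 * Two verification modes exist, selected per tenant in {@link #authenticate(TokenAuthenticationRequest,
 * RoutingContext, TenantConfigContext)}:
 * <ul>
 * <li>public-key mode (a static key is configured): the JWT is verified locally and the identity is built
 * from its claims only;</li>
 * <li>provider mode: optional code-flow access token verification, optional UserInfo fetch, then local
 * JWKS verification or remote introspection of the primary token.</li>
 * </ul>
 * Every failure on the provider path is wrapped in {@link AuthenticationFailedException}; a still-valid
 * token that is about to expire is signalled with {@link TokenAutoRefreshException}.
 */
public class OidcIdentityProvider implements IdentityProvider<TokenAuthenticationRequest> {

    /**
     * RoutingContext flag ({@code Boolean.TRUE}) set elsewhere for a request whose token came from a
     * refresh-token grant response; such a request is never asked to refresh again.
     */
    static final String REFRESH_TOKEN_GRANT_RESPONSE = "refresh_token_grant_response";
    /**
     * RoutingContext flag ({@code Boolean.TRUE}) set elsewhere for a request that has just completed a
     * fresh authentication; such a request is never asked to refresh again.
     */
    static final String NEW_AUTHENTICATION = "new_authentication";
    private static final Uni<TokenVerificationResult> NULL_CODE_ACCESS_TOKEN_UNI = Uni.createFrom().nullItem();
    private static final Uni<JsonObject> NULL_USER_INFO_UNI = Uni.createFrom().nullItem();
    /** RoutingContext key under which the verified code-flow access token is stashed for {@link #getRolesJson}. */
    private static final String CODE_ACCESS_TOKEN_RESULT = "code_flow_access_token_result";
    /** Introspection response property used as the principal name for opaque tokens. */
    private static final String INTROSPECTION_USERNAME = "username";
    /** JWT claim consulted by the auto-refresh check. */
    private static final String EXP_CLAIM = "exp";

    @Inject
    DefaultTenantConfigResolver tenantResolver;

    @Override
    public Class<TokenAuthenticationRequest> getRequestType() {
        return TokenAuthenticationRequest.class;
    }

    /**
     * Entry point called by the security framework.
     * <p>
     * The credential is expected to be an {@link OidcTokenCredential} carrying the Vert.x request; the
     * {@link AuthenticationRequestContext} is stashed on that request (readers are outside this file),
     * the tenant is resolved, and the actual verification is deferred until subscription.
     *
     * @param request the token authentication request (its token must be an {@link OidcTokenCredential})
     * @param context the framework's request context
     * @return a lazy {@link Uni} producing the identity or failing with {@link AuthenticationFailedException}
     *         (or {@link TokenAutoRefreshException} when a refresh is due)
     */
    @Override
    public Uni<SecurityIdentity> authenticate(final TokenAuthenticationRequest request,
            AuthenticationRequestContext context) {
        final RoutingContext vertxContext = ((OidcTokenCredential) request.getToken()).getRoutingContext();
        vertxContext.put(AuthenticationRequestContext.class.getName(), context);
        return tenantResolver.resolveContext(vertxContext).onItem()
                .transformToUni(new Function<TenantConfigContext, Uni<? extends SecurityIdentity>>() {
                    @Override
                    public Uni<SecurityIdentity> apply(final TenantConfigContext tenantContext) {
                        // deferred: verification work runs when the pipeline is subscribed to, not when it is built
                        return Uni.createFrom().deferred(new Supplier<Uni<? extends SecurityIdentity>>() {
                            @Override
                            public Uni<SecurityIdentity> get() {
                                return authenticate(request, vertxContext, tenantContext);
                            }
                        });
                    }
                });
    }

    /**
     * Selects the verification mode for the resolved tenant: a configured public key means "verify
     * locally, never contact the provider"; otherwise the full provider-backed chain is used.
     */
    private Uni<SecurityIdentity> authenticate(TokenAuthenticationRequest request, RoutingContext vertxContext,
            TenantConfigContext resolvedContext) {
        if (resolvedContext.oidcConfig.publicKey.isPresent()) {
            return validateTokenWithoutOidcServer(request, resolvedContext);
        }
        return validateAllTokensWithOidcServer(vertxContext, request, resolvedContext);
    }

    /**
     * Provider-backed chain, step 1: verify the companion code-flow access token (when required), then
     * continue with UserInfo and the primary token. A failed access token fails the whole authentication
     * before the primary credential is even looked at.
     */
    private Uni<SecurityIdentity> validateAllTokensWithOidcServer(final RoutingContext vertxContext,
            final TokenAuthenticationRequest request, final TenantConfigContext resolvedContext) {
        return verifyCodeFlowAccessTokenUni(vertxContext, request, resolvedContext).onItemOrFailure()
                .transformToUni(new BiFunction<TokenVerificationResult, Throwable, Uni<? extends SecurityIdentity>>() {
                    @Override
                    public Uni<SecurityIdentity> apply(TokenVerificationResult codeAccessTokenResult, Throwable t) {
                        if (t != null) {
                            return Uni.createFrom().failure(new AuthenticationFailedException(t));
                        }
                        return validateTokenWithOidcServer(vertxContext, request, resolvedContext,
                                codeAccessTokenResult);
                    }
                });
    }

    /**
     * Provider-backed chain, step 2: stash the verified code-flow access token (if any) for
     * {@link #getRolesJson}, fetch UserInfo when required, then verify the primary token.
     * <p>
     * Note the order: UserInfo is requested before the primary token is verified locally, so an invalid
     * token costs a round-trip to the provider (which presumably rejects it) before it is refused here.
     */
    private Uni<SecurityIdentity> validateTokenWithOidcServer(final RoutingContext vertxContext,
            final TokenAuthenticationRequest request, final TenantConfigContext resolvedContext,
            TokenVerificationResult codeAccessTokenResult) {
        if (codeAccessTokenResult != null) {
            vertxContext.put(CODE_ACCESS_TOKEN_RESULT, codeAccessTokenResult);
        }
        return getUserInfoUni(vertxContext, request, resolvedContext).onItemOrFailure()
                .transformToUni(new BiFunction<JsonObject, Throwable, Uni<? extends SecurityIdentity>>() {
                    @Override
                    public Uni<SecurityIdentity> apply(JsonObject userInfo, Throwable t) {
                        if (t != null) {
                            return Uni.createFrom().failure(new AuthenticationFailedException(t));
                        }
                        return createSecurityIdentityWithOidcServer(vertxContext, request, resolvedContext, userInfo);
                    }
                });
    }

    /**
     * Provider-backed chain, step 3: verify the primary token (locally or by introspection) and build the
     * identity, either from JWT claims or, for opaque access tokens, from the introspection response.
     * An ID token or a non-opaque access token that does not decode as a JWT is rejected.
     */
    private Uni<SecurityIdentity> createSecurityIdentityWithOidcServer(final RoutingContext vertxContext,
            final TokenAuthenticationRequest request, final TenantConfigContext resolvedContext,
            final JsonObject userInfo) {
        return verifyTokenUni(resolvedContext, request.getToken().getToken()).onItemOrFailure()
                .transformToUni(new BiFunction<TokenVerificationResult, Throwable, Uni<? extends SecurityIdentity>>() {
                    @Override
                    public Uni<SecurityIdentity> apply(TokenVerificationResult result, Throwable t) {
                        if (t != null) {
                            return Uni.createFrom().failure(new AuthenticationFailedException(t));
                        }
                        TokenCredential tokenCred = request.getToken();
                        // Claims come from the local (signature-verified) result when there is one; otherwise
                        // the token is decoded, which yields null when it is not a JWT at all.
                        JsonObject tokenJson = result.localVerificationResult;
                        if (tokenJson == null) {
                            tokenJson = OidcUtils.decodeJwtContent(tokenCred.getToken());
                        }
                        if (tokenJson != null) {
                            return createJwtIdentity(vertxContext, resolvedContext, tokenCred, tokenJson, userInfo);
                        }
                        boolean mustBeJwt = tokenCred instanceof IdTokenCredential
                                || (tokenCred instanceof AccessTokenCredential
                                        && !((AccessTokenCredential) tokenCred).isOpaque());
                        if (mustBeJwt) {
                            return Uni.createFrom()
                                    .failure(new AuthenticationFailedException("JWT token can not be converted to JSON"));
                        }
                        return createOpaqueTokenIdentity(vertxContext, resolvedContext, tokenCred, result, userInfo);
                    }
                });
    }

    /**
     * Builds the identity for a JWT whose claims are available as {@code tokenJson}.
     * <p>
     * The JWT type is first checked against the tenant's token configuration (what exactly is checked
     * lives in {@code OidcUtils.validatePrimaryJwtTokenType}). When the token is close to expiry per
     * {@link #tokenAutoRefreshPrepared} the built identity is handed back inside a
     * {@link TokenAutoRefreshException}; any other failure becomes {@link AuthenticationFailedException}.
     */
    private static Uni<SecurityIdentity> createJwtIdentity(RoutingContext vertxContext,
            TenantConfigContext resolvedContext, TokenCredential tokenCred, JsonObject tokenJson,
            JsonObject userInfo) {
        try {
            OidcUtils.validatePrimaryJwtTokenType(resolvedContext.oidcConfig.token, tokenJson);
            JsonObject rolesJson = getRolesJson(vertxContext, resolvedContext, tokenCred, tokenJson, userInfo);
            QuarkusSecurityIdentity identity = OidcUtils.validateAndCreateIdentity(vertxContext, tokenCred,
                    resolvedContext, tokenJson, rolesJson, userInfo);
            if (tokenAutoRefreshPrepared(tokenJson, vertxContext, resolvedContext.oidcConfig)) {
                return Uni.createFrom().failure(new TokenAutoRefreshException(identity));
            }
            return Uni.createFrom().item(identity);
        } catch (Throwable t) {
            return Uni.createFrom().failure(new AuthenticationFailedException(t));
        }
    }

    /**
     * Builds the identity for an opaque (non-JWT) token from its introspection response and, when present,
     * UserInfo: the principal is the introspection {@code username}, roles are the space-separated
     * introspection {@code scope} values plus whatever {@code OidcUtils.setSecurityIdentityRoles} derives
     * from UserInfo.
     * <p>
     * NOTE(review): this relies on {@code provider.introspectToken} having already rejected inactive
     * tokens (RFC 7662 {@code "active": false}); that check is not visible in this file — confirm in
     * the provider. A missing introspection result is treated as an authentication failure rather than
     * allowed to surface as a NullPointerException.
     */
    private static Uni<SecurityIdentity> createOpaqueTokenIdentity(RoutingContext vertxContext,
            TenantConfigContext resolvedContext, TokenCredential tokenCred, TokenVerificationResult result,
            JsonObject userInfo) {
        JsonObject introspection = result.introspectionResult;
        if (introspection == null) {
            // fail closed: nothing has vouched for this token
            return Uni.createFrom()
                    .failure(new AuthenticationFailedException("Opaque token has no introspection result"));
        }
        try {
            QuarkusSecurityIdentity.Builder builder = QuarkusSecurityIdentity.builder();
            builder.addCredential(tokenCred);
            OidcUtils.setSecurityIdentityUserInfo(builder, userInfo);
            OidcUtils.setSecurityIdentityConfigMetadata(builder, resolvedContext);
            if (introspection.containsKey(INTROSPECTION_USERNAME)) {
                final String userName = introspection.getString(INTROSPECTION_USERNAME);
                builder.setPrincipal(new Principal() {
                    @Override
                    public String getName() {
                        return userName;
                    }
                });
            }
            if (introspection.containsKey(OidcConstants.TOKEN_SCOPE)) {
                // "scope" is a space-delimited list (RFC 6749 section 3.3); repeated separators would
                // otherwise turn into an empty-string role, so blank entries are skipped.
                for (String scope : introspection.getString(OidcConstants.TOKEN_SCOPE).split(" ")) {
                    String role = scope.trim();
                    if (!role.isEmpty()) {
                        builder.addRole(role);
                    }
                }
            }
            if (userInfo != null) {
                OidcUtils.setSecurityIdentityRoles(builder, resolvedContext.oidcConfig, userInfo);
            }
            OidcUtils.setBlockinApiAttribute(builder, vertxContext);
            OidcUtils.setTenantIdAttribute(builder, resolvedContext.oidcConfig);
            return Uni.createFrom().item(builder.build());
        } catch (Throwable t) {
            // same wrapping as the JWT path, so callers see a consistent failure type
            return Uni.createFrom().failure(new AuthenticationFailedException(t));
        }
    }

    /**
     * Decides whether a still-valid JWT is close enough to its {@code exp} that the caller should refresh it.
     * <p>
     * Returns {@code false} when refresh-on-expiry is disabled, when neither a refresh-token time skew nor
     * an auto-refresh interval is configured, or when this request already carries a freshly issued token
     * (see {@link #REFRESH_TOKEN_GRANT_RESPONSE} and {@link #NEW_AUTHENTICATION}). Otherwise it is
     * {@code now + skew > exp}, where the skew is the configured refresh-token time skew, falling back to
     * the auto-refresh interval.
     *
     * @throws IllegalStateException if the token carries no {@code exp} claim; the caller maps this to
     *         an authentication failure
     */
    @Deprecated
    private static boolean tokenAutoRefreshPrepared(JsonObject tokenJson, RoutingContext vertxContext,
            OidcTenantConfig oidcConfig) {
        if (tokenJson == null || !oidcConfig.token.refreshExpired) {
            return false;
        }
        boolean skewConfigured = oidcConfig.token.getRefreshTokenTimeSkew().isPresent()
                || oidcConfig.token.autoRefreshInterval.isPresent();
        if (!skewConfigured
                || vertxContext.get(REFRESH_TOKEN_GRANT_RESPONSE) == Boolean.TRUE
                || vertxContext.get(NEW_AUTHENTICATION) == Boolean.TRUE) {
            return false;
        }
        // orElseGet, not orElse: orElse(autoRefreshInterval.get()) evaluates get() eagerly and throws
        // NoSuchElementException whenever only the refresh-token time skew is configured, which the guard
        // above deliberately allows.
        long skewSeconds = oidcConfig.token.getRefreshTokenTimeSkew()
                .orElseGet(oidcConfig.token.autoRefreshInterval::get)
                .getSeconds();
        Long expirySeconds = tokenJson.getLong(EXP_CLAIM);
        if (expirySeconds == null) {
            throw new IllegalStateException("JWT token has no '" + EXP_CLAIM + "' claim, can not decide on refresh");
        }
        long nowSeconds = System.currentTimeMillis() / 1000;
        return nowSeconds + skewSeconds > expirySeconds;
    }

    /**
     * Picks the JSON the roles are read from, per the tenant's {@code roles.source}:
     * unset: the primary token's claims; {@code userinfo}: the UserInfo response; {@code accesstoken}
     * (only when the primary credential is the ID token): the claims of the code-flow access token that
     * {@link #verifyCodeFlowAccessTokenUni} verified earlier and {@link #validateTokenWithOidcServer}
     * stashed under {@link #CODE_ACCESS_TOKEN_RESULT}.
     */
    private static JsonObject getRolesJson(RoutingContext vertxContext, TenantConfigContext resolvedContext,
            TokenCredential tokenCred, JsonObject tokenJson, JsonObject userInfo) {
        if (!resolvedContext.oidcConfig.roles.source.isPresent()) {
            return tokenJson;
        }
        OidcTenantConfig.Roles.Source source = resolvedContext.oidcConfig.roles.source.get();
        if (source == OidcTenantConfig.Roles.Source.userinfo) {
            return userInfo;
        }
        if (source == OidcTenantConfig.Roles.Source.accesstoken && tokenCred instanceof IdTokenCredential) {
            TokenVerificationResult codeAccessToken = (TokenVerificationResult) vertxContext.get(CODE_ACCESS_TOKEN_RESULT);
            JsonObject accessTokenJson = codeAccessToken == null ? null : codeAccessToken.localVerificationResult;
            if (accessTokenJson == null) {
                // No local verification result (e.g. the access token went through introspection): decode
                // the claims of the raw access token. It was already verified above; this decode does not
                // re-check the signature.
                accessTokenJson = OidcUtils.decodeJwtContent((String) vertxContext.get(OidcConstants.ACCESS_TOKEN_VALUE));
            }
            return accessTokenJson;
        }
        return tokenJson;
    }

    /**
     * In the code flow the primary credential is the ID token; its companion access token (kept on the
     * routing context under {@code OidcConstants.ACCESS_TOKEN_VALUE}) is verified as well when
     * {@code verifyAccessToken} is on or roles are sourced from it. In every other case a null item is
     * produced and the access token is not looked at.
     */
    private Uni<TokenVerificationResult> verifyCodeFlowAccessTokenUni(RoutingContext vertxContext,
            TokenAuthenticationRequest request, TenantConfigContext resolvedContext) {
        if (!(request.getToken() instanceof IdTokenCredential)) {
            return NULL_CODE_ACCESS_TOKEN_UNI;
        }
        boolean accessTokenNeeded = resolvedContext.oidcConfig.authentication.verifyAccessToken
                || resolvedContext.oidcConfig.roles.source.orElse(null) == OidcTenantConfig.Roles.Source.accesstoken;
        if (!accessTokenNeeded) {
            return NULL_CODE_ACCESS_TOKEN_UNI;
        }
        return verifyTokenUni(resolvedContext, (String) vertxContext.get(OidcConstants.ACCESS_TOKEN_VALUE));
    }

    /**
     * Verifies one token. Opaque tokens, and any token when the provider publishes no JWKS URI, go to
     * introspection; everything else is verified locally against the cached JWKS. A signing key the cache
     * does not know ({@link UnresolvableKeyException} as the cause) triggers one JWKS refresh and a retry;
     * any other local failure is propagated as-is.
     * <p>
     * NOTE(review): an unknown {@code kid} in any presented token causes a JWKS fetch; any throttling of
     * that refresh would have to live in {@code provider.refreshJwksAndVerifyJwtToken}, not here.
     */
    private Uni<TokenVerificationResult> verifyTokenUni(TenantConfigContext resolvedContext, String token) {
        if (OidcUtils.isOpaqueToken(token) || resolvedContext.provider.getMetadata().getJsonWebKeySetUri() == null) {
            return introspectTokenUni(resolvedContext, token);
        }
        try {
            return Uni.createFrom().item(resolvedContext.provider.verifyJwtToken(token));
        } catch (Throwable t) {
            if (t.getCause() instanceof UnresolvableKeyException) {
                return refreshJwksAndVerifyTokenUni(resolvedContext, token);
            }
            return Uni.createFrom().failure(t);
        }
    }

    /**
     * Refreshes the JWKS and verifies again. If the key is still unknown and the tenant allows JWT
     * introspection, falls back to introspection; every other failure propagates unchanged.
     */
    private Uni<TokenVerificationResult> refreshJwksAndVerifyTokenUni(TenantConfigContext resolvedContext,
            String token) {
        return resolvedContext.provider.refreshJwksAndVerifyJwtToken(token)
                .onFailure(t -> t.getCause() instanceof UnresolvableKeyException
                        && resolvedContext.oidcConfig.token.allowJwtIntrospection)
                .recoverWithUni(t -> introspectTokenUni(resolvedContext, token));
    }

    /**
     * Introspects the token with the provider. The call is treated as blocking: when blocking is not
     * allowed on the current thread (event loop) the subscription is moved to the blocking executor.
     */
    private Uni<TokenVerificationResult> introspectTokenUni(TenantConfigContext resolvedContext, String token) {
        return resolvedContext.provider.introspectToken(token).plug(uni -> {
            if (BlockingOperationControl.isBlockingAllowed()) {
                return uni;
            }
            return uni.runSubscriptionOn(tenantResolver.getBlockingExecutor());
        });
    }

    /**
     * Public-key mode: the JWT is verified with the statically configured key and the identity is built
     * from its claims alone — no introspection, no UserInfo, no code-flow access token and no auto-refresh
     * check, and the routing context is not passed on. Any failure becomes
     * {@link AuthenticationFailedException}.
     * <p>
     * NOTE(review): unlike the provider path, this path does not call
     * {@code OidcUtils.validatePrimaryJwtTokenType}; whether {@code validateAndCreateIdentity} covers the
     * token-type check cannot be seen from this file — confirm before relying on it.
     */
    private static Uni<SecurityIdentity> validateTokenWithoutOidcServer(TokenAuthenticationRequest request,
            TenantConfigContext resolvedContext) {
        try {
            TokenVerificationResult result = resolvedContext.provider.verifyJwtToken(request.getToken().getToken());
            QuarkusSecurityIdentity identity = OidcUtils.validateAndCreateIdentity(null, request.getToken(),
                    resolvedContext, result.localVerificationResult, result.localVerificationResult, null);
            return Uni.createFrom().item(identity);
        } catch (Throwable t) {
            return Uni.createFrom().failure(new AuthenticationFailedException(t));
        }
    }

    /**
     * Fetches UserInfo when the tenant requires it, otherwise yields a null item. Like introspection, the
     * fetch is moved to the blocking executor when blocking is not allowed on the current thread.
     */
    private Uni<JsonObject> getUserInfoUni(RoutingContext vertxContext, TokenAuthenticationRequest request,
            TenantConfigContext resolvedContext) {
        if (!resolvedContext.oidcConfig.authentication.isUserInfoRequired()) {
            return NULL_USER_INFO_UNI;
        }
        if (BlockingOperationControl.isBlockingAllowed()) {
            return resolvedContext.provider.getUserInfo(vertxContext, request);
        }
        return resolvedContext.provider.getUserInfo(vertxContext, request)
                .runSubscriptionOn(tenantResolver.getBlockingExecutor());
    }
}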
