package io.quarkus.undertow.runtime;

import io.quarkus.security.identity.SecurityIdentity;
import io.quarkus.vertx.http.runtime.security.HttpSecurityPolicy;
import io.smallrye.mutiny.Uni;
import io.undertow.servlet.api.Deployment;
import io.undertow.servlet.api.SecurityInfo;
import io.undertow.servlet.api.SingleConstraintMatch;
import io.vertx.ext.web.RoutingContext;
import jakarta.inject.Singleton;
import java.util.Iterator;
import java.util.function.Function;

@Singleton
/* loaded from: input_file:io/quarkus/undertow/runtime/ServletHttpSecurityPolicy.class */
public class ServletHttpSecurityPolicy implements HttpSecurityPolicy {
    private volatile Deployment deployment;
    private volatile String contextPath;

    @Override // io.quarkus.vertx.http.runtime.security.HttpSecurityPolicy
    public Uni<HttpSecurityPolicy.CheckResult> checkPermission(RoutingContext routingContext, Uni<SecurityIdentity> uni, HttpSecurityPolicy.AuthorizationRequestContext authorizationRequestContext) {
        String normalizedPath = routingContext.normalizedPath();
        if (!normalizedPath.startsWith(this.contextPath)) {
            return HttpSecurityPolicy.CheckResult.permit();
        }
        if (!this.contextPath.equals("/")) {
            normalizedPath = normalizedPath.substring(this.contextPath.length() - 1);
        }
        final SingleConstraintMatch mergedConstraint = this.deployment.getSecurityPathMatches().getSecurityInfo(normalizedPath, routingContext.request().method().name()).getMergedConstraint();
        if (!mergedConstraint.getRequiredRoles().isEmpty()) {
            return uni.map(new Function<SecurityIdentity, HttpSecurityPolicy.CheckResult>() { // from class: io.quarkus.undertow.runtime.ServletHttpSecurityPolicy.2
                @Override // java.util.function.Function
                public HttpSecurityPolicy.CheckResult apply(SecurityIdentity securityIdentity) {
                    Iterator<String> it = mergedConstraint.getRequiredRoles().iterator();
                    while (it.hasNext()) {
                        if (securityIdentity.hasRole(it.next())) {
                            return HttpSecurityPolicy.CheckResult.PERMIT;
                        }
                    }
                    return HttpSecurityPolicy.CheckResult.DENY;
                }
            });
        }
        SecurityInfo.EmptyRoleSemantic emptyRoleSemantic = mergedConstraint.getEmptyRoleSemantic();
        return emptyRoleSemantic == SecurityInfo.EmptyRoleSemantic.PERMIT ? HttpSecurityPolicy.CheckResult.permit() : emptyRoleSemantic == SecurityInfo.EmptyRoleSemantic.DENY ? HttpSecurityPolicy.CheckResult.deny() : emptyRoleSemantic == SecurityInfo.EmptyRoleSemantic.AUTHENTICATE ? uni.map(new Function<SecurityIdentity, HttpSecurityPolicy.CheckResult>() { // from class: io.quarkus.undertow.runtime.ServletHttpSecurityPolicy.1
            @Override // java.util.function.Function
            public HttpSecurityPolicy.CheckResult apply(SecurityIdentity securityIdentity) {
                return securityIdentity.isAnonymous() ? HttpSecurityPolicy.CheckResult.DENY : HttpSecurityPolicy.CheckResult.PERMIT;
            }
        }) : Uni.createFrom().failure(new RuntimeException("Unknown empty role semantic " + emptyRoleSemantic));
    }

    public Deployment getDeployment() {
        return this.deployment;
    }

    public ServletHttpSecurityPolicy setDeployment(Deployment deployment) {
        this.deployment = deployment;
        this.contextPath = deployment.getDeploymentInfo().getContextPath();
        if (!this.contextPath.endsWith("/")) {
            this.contextPath += "/";
        }
        return this;
    }
}
