package io.quarkus.resteasy.runtime;

import io.quarkus.security.ForbiddenException;
import io.quarkus.security.UnauthorizedException;
import io.quarkus.security.identity.CurrentIdentityAssociation;
import io.quarkus.security.identity.SecurityIdentity;
import io.quarkus.security.spi.runtime.AuthorizationFailureEvent;
import io.quarkus.security.spi.runtime.AuthorizationSuccessEvent;
import io.quarkus.security.spi.runtime.MethodDescription;
import io.quarkus.security.spi.runtime.SecurityEventHelper;
import io.quarkus.vertx.http.runtime.security.AbstractPathMatchingHttpSecurityPolicy;
import io.quarkus.vertx.http.runtime.security.HttpSecurityPolicy;
import io.quarkus.vertx.http.runtime.security.JaxRsPathMatchingHttpSecurityPolicy;
import io.quarkus.vertx.http.runtime.security.QuarkusHttpUser;
import io.vertx.ext.web.RoutingContext;
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.enterprise.event.Event;
import jakarta.enterprise.inject.spi.BeanManager;
import jakarta.inject.Inject;
import java.util.Map;
import org.eclipse.microprofile.config.inject.ConfigProperty;

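/**
 * Applies the JAX-RS path-matching HTTP security policy to a resource method and
 * reports the outcome through authorization success/failure security events.
 *
 * <p>This is a JADX-decompiled listing. The decompiler notes that the four methods
 * below were package-private in the original class and were widened to
 * {@code public}; the widened modifiers are kept here so that existing callers of
 * this listing still compile.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 * <li>If the injected policy reports {@code hasNoPermissions()}, the policy field is
 * set to {@code null} and {@link #shouldRunPermissionChecks()} returns {@code false}.
 * Callers must consult that method before {@link #applyPermissionChecks}.</li>
 * <li>A denied check never returns normally: it always ends in a thrown
 * {@link UnauthorizedException} or {@link ForbiddenException}.</li>
 * </ul>
 */
@ApplicationScoped
public class JaxRsPermissionChecker {
    // null when the configured policy declares no permissions; see shouldRunPermissionChecks()
    private final JaxRsPathMatchingHttpSecurityPolicy jaxRsPathMatchingPolicy;
    private final SecurityEventHelper<AuthorizationSuccessEvent, AuthorizationFailureEvent> eventHelper;

    @Inject
    RoutingContext routingContext;

    @Inject
    CurrentIdentityAssociation identityAssociation;

    /**
     * Creates the checker; the arguments are supplied by injection.
     *
     * @param beanManager passed through to the {@link SecurityEventHelper}
     * @param event emitter for {@link AuthorizationFailureEvent}s
     * @param event2 emitter for {@link AuthorizationSuccessEvent}s
     * @param z value of the {@code quarkus.security.events.enabled} config property
     * @param jaxRsPathMatchingHttpSecurityPolicy policy to enforce; discarded when it
     *        reports {@code hasNoPermissions()}
     */
    JaxRsPermissionChecker(BeanManager beanManager, Event<AuthorizationFailureEvent> event, Event<AuthorizationSuccessEvent> event2, @ConfigProperty(name = "quarkus.security.events.enabled") boolean z, JaxRsPathMatchingHttpSecurityPolicy jaxRsPathMatchingHttpSecurityPolicy) {
        // A policy without permissions is dropped so that the per-request check can be skipped.
        this.jaxRsPathMatchingPolicy = jaxRsPathMatchingHttpSecurityPolicy.hasNoPermissions()
                ? null
                : jaxRsPathMatchingHttpSecurityPolicy;
        // Note the argument order: the success emitter comes first, then the failure emitter.
        this.eventHelper = new SecurityEventHelper<>(event2, event, SecurityEventHelper.AUTHORIZATION_SUCCESS,
                SecurityEventHelper.AUTHORIZATION_FAILURE, beanManager, z);
    }

    /**
     * Tells whether a path-matching policy is available to enforce.
     *
     * @return {@code true} when the policy was kept by the constructor, i.e. it did not
     *         report {@code hasNoPermissions()}
     */
    public boolean shouldRunPermissionChecks() {
        return this.jaxRsPathMatchingPolicy != null;
    }

    /**
     * Runs the path-matching policy for the current request and the given method,
     * and either returns normally (permitted) or throws (denied).
     *
     * <p>Precondition: {@link #shouldRunPermissionChecks()} is {@code true}. Otherwise
     * the policy field is {@code null} and this method fails with a
     * {@link NullPointerException} rather than silently permitting the request.
     *
     * <p>The call blocks the current thread until the policy check completes; no
     * timeout is applied here.
     *
     * @param methodDescription description of the method being authorized
     * @throws UnauthorizedException if access is denied and the identity is anonymous
     * @throws ForbiddenException if access is denied and the identity is not anonymous
     */
    public void applyPermissionChecks(MethodDescription methodDescription) {
        final HttpSecurityPolicy.CheckResult checkResult = this.jaxRsPathMatchingPolicy
                .checkPermission(this.routingContext, this.identityAssociation.getDeferredIdentity(), methodDescription)
                .await()
                .indefinitely();

        final SecurityIdentity augmented = checkResult.getAugmentedIdentity();
        final SecurityIdentity identity;
        if (augmented == null) {
            // The current identity is resolved only when it is needed to build the denial;
            // a permitted check without augmentation reports a null identity in its event.
            identity = checkResult.isPermitted() ? null : this.identityAssociation.getIdentity();
        } else {
            // Reference comparison: only a different identity instance is propagated, and it
            // is written to both the request's user and the identity association.
            if (augmented != this.identityAssociation.getIdentity()) {
                QuarkusHttpUser.setIdentity(augmented, this.routingContext);
                this.identityAssociation.setIdentity(augmented);
            }
            identity = augmented;
        }

        // Event observers receive the whole RoutingContext; they should not log credentials
        // taken from it.
        if (checkResult.isPermitted()) {
            if (this.eventHelper.fireEventOnSuccess()) {
                this.eventHelper.fireSuccessEvent(new AuthorizationSuccessEvent(identity,
                        AbstractPathMatchingHttpSecurityPolicy.class.getName(),
                        Map.of(RoutingContext.class.getName(), this.routingContext)));
            }
            return;
        }

        // Access denied. The decompiler typed this local as Throwable, which cannot be thrown
        // from a method without a throws clause; both exception types are unchecked, so
        // RuntimeException is used instead.
        // NOTE(review): assumes identityAssociation.getIdentity() is non-null on this path - confirm.
        final RuntimeException accessDenied = identity.isAnonymous()
                ? new UnauthorizedException()
                : new ForbiddenException();
        if (this.eventHelper.fireEventOnFailure()) {
            this.eventHelper.fireFailureEvent(new AuthorizationFailureEvent(identity, accessDenied,
                    AbstractPathMatchingHttpSecurityPolicy.class.getName(),
                    Map.of(RoutingContext.class.getName(), this.routingContext)));
        }
        throw accessDenied;
    }

    /**
     * Picks which of two method descriptions, if any, the policy requires an
     * authorization policy for. The first candidate takes precedence over the second.
     *
     * @param methodDescription first candidate
     * @param methodDescription2 second candidate, consulted only if the first does not match
     * @return the matching candidate, or {@code null} when permission checks are
     *         disabled or neither candidate requires an authorization policy
     */
    public MethodDescription getMethodSecuredWithAuthZPolicy(MethodDescription methodDescription, MethodDescription methodDescription2) {
        if (!shouldRunPermissionChecks()) {
            return null;
        }
        if (this.jaxRsPathMatchingPolicy.requiresAuthorizationPolicy(methodDescription)) {
            return methodDescription;
        }
        return this.jaxRsPathMatchingPolicy.requiresAuthorizationPolicy(methodDescription2)
                ? methodDescription2
                : null;
    }

    /**
     * Exposes the helper used to fire authorization events.
     *
     * @return the event helper created in the constructor
     */
    public SecurityEventHelper<AuthorizationSuccessEvent, AuthorizationFailureEvent> getEventHelper() {
        return this.eventHelper;
    }
}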
