package io.quarkus.vertx.http.runtime.security;

import io.netty.handler.codec.http.HttpHeaders;
import io.quarkus.arc.runtime.BeanContainer;
import io.quarkus.arc.runtime.BeanContainerListener;
import io.quarkus.runtime.RuntimeValue;
import io.quarkus.runtime.annotations.Recorder;
import io.quarkus.security.AuthenticationCompletionException;
import io.quarkus.security.AuthenticationFailedException;
import io.quarkus.security.AuthenticationRedirectException;
import io.quarkus.security.identity.SecurityIdentity;
import io.quarkus.security.identity.request.AnonymousAuthenticationRequest;
import io.quarkus.vertx.http.runtime.FormAuthConfig;
import io.quarkus.vertx.http.runtime.HttpBuildTimeConfig;
import io.quarkus.vertx.http.runtime.HttpConfiguration;
import io.smallrye.mutiny.CompositeException;
import io.smallrye.mutiny.Uni;
import io.smallrye.mutiny.groups.UniCreate;
import io.smallrye.mutiny.subscription.UniSubscriber;
import io.smallrye.mutiny.subscription.UniSubscription;
import io.smallrye.mutiny.tuples.Functions;
import io.vertx.core.Handler;
import io.vertx.core.http.HttpHeaders;
import io.vertx.ext.web.RoutingContext;
import java.lang.annotation.Annotation;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.CompletionException;
import java.util.function.BiConsumer;
import java.util.function.Consumer;
import java.util.function.Function;
import java.util.function.Supplier;
import javax.enterprise.inject.spi.CDI;
import org.jboss.logging.Logger;
import org.jboss.resteasy.spi.HttpResponseCodes;

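/**
 * Recorder that builds the Vert.x handlers and authentication-mechanism suppliers used for HTTP
 * authentication and authorization.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>authentication failures are mapped to a challenge, a 401, a redirect or a routing failure
 *       by the handler stored under {@code QuarkusHttpUser.AUTH_FAILURE_HANDLER};</li>
 *   <li>when no encryption key is configured for FORM auth, a random one is generated and kept in
 *       a static field; the key itself is never written to the log.</li>
 * </ul>
 */
@Recorder
public class HttpSecurityRecorder {
    private static final Logger log = Logger.getLogger(HttpSecurityRecorder.class);

    /** Callback that ignores the failure it is given. */
    protected static final Consumer<Throwable> NOOP_CALLBACK = new Consumer<Throwable>() {
        @Override
        public void accept(Throwable th) {
        }
    };

    final RuntimeValue<HttpConfiguration> httpConfiguration;
    final HttpBuildTimeConfig buildTimeConfig;

    // Fallback key for persistent FORM auth, generated on first use when none is configured.
    // It is a secret: it must not be logged or otherwise exposed.
    static volatile String encryptionKey;

    /**
     * Handler that runs the configured {@link HttpAuthenticator} for every request and stores the
     * resulting (possibly deferred) identity on the routing context.
     */
    public class AnonymousClass2 implements Handler<RoutingContext> {
        // Looked up from CDI on the first request and reused afterwards.
        volatile HttpAuthenticator authenticator;
        final boolean val$proactiveAuthentication;

        AnonymousClass2(boolean z) {
            this.val$proactiveAuthentication = z;
        }

        /**
         * Registers the failure handler, starts authentication and either waits for the identity
         * (proactive mode) or stores a lazily evaluated identity and continues immediately.
         *
         * @param routingContext the current request context
         */
        @Override
        public void handle(final RoutingContext routingContext) {
            if (this.authenticator == null) {
                this.authenticator = (HttpAuthenticator) CDI.current().select(HttpAuthenticator.class, new Annotation[0]).get();
            }
            routingContext.put(HttpAuthenticator.class.getName(), this.authenticator);
            routingContext.put(QuarkusHttpUser.AUTH_FAILURE_HANDLER, new BiConsumer<RoutingContext, Throwable>() {
                @Override
                public void accept(RoutingContext routingContext2, Throwable th) {
                    // The response is always written on the context captured by handle(),
                    // not on the context passed to this callback.
                    Throwable rootCause = HttpSecurityRecorder.this.extractRootCause(th);
                    if (rootCause instanceof AuthenticationFailedException) {
                        // Bad or missing credentials: let the mechanism send its challenge.
                        AnonymousClass2.this.authenticator.sendChallenge(routingContext).subscribe().with(new Consumer<Boolean>() {
                            @Override
                            public void accept(Boolean bool) {
                                if (!routingContext.response().ended()) {
                                    routingContext.response().end();
                                }
                            }
                        }, new Consumer<Throwable>() {
                            @Override
                            public void accept(Throwable th2) {
                                routingContext.fail(th2);
                            }
                        });
                    } else if (rootCause instanceof AuthenticationCompletionException) {
                        // No challenge is sent in this case, only a bare 401.
                        routingContext.response().setStatusCode(HttpResponseCodes.SC_UNAUTHORIZED);
                        routingContext.response().end();
                    } else if (rootCause instanceof AuthenticationRedirectException) {
                        AuthenticationRedirectException redirect = (AuthenticationRedirectException) rootCause;
                        routingContext.response().setStatusCode(redirect.getCode());
                        // NOTE(review): the redirect URI is used exactly as carried by the exception;
                        // whoever raises it presumably validates the target - confirm.
                        routingContext.response().headers().set(HttpHeaders.LOCATION, redirect.getRedirectUri());
                        // Keep the redirect response out of browser and proxy caches.
                        routingContext.response().headers().set(HttpHeaders.CACHE_CONTROL, HttpHeaders.Values.NO_STORE);
                        routingContext.response().headers().set("Pragma", "no-cache");
                        routingContext.response().end();
                    } else {
                        routingContext.fail(rootCause);
                    }
                }
            });
            // Memoized so that every subscriber observes the result of a single authentication attempt.
            final Uni<SecurityIdentity> identity = this.authenticator.attemptAuthentication(routingContext).memoize().indefinitely();
            if (this.val$proactiveAuthentication) {
                identity.subscribe().withSubscriber(new UniSubscriber<SecurityIdentity>() {
                    @Override
                    public void onSubscribe(UniSubscription uniSubscription) {
                    }

                    @Override
                    public void onItem(SecurityIdentity securityIdentity) {
                        if (routingContext.response().ended()) {
                            return;
                        }
                        if (securityIdentity == null) {
                            // No mechanism produced an identity: fall back to the anonymous identity.
                            final Uni<SecurityIdentity> authenticate = AnonymousClass2.this.authenticator.getIdentityProviderManager().authenticate(AnonymousAuthenticationRequest.INSTANCE);
                            authenticate.subscribe().withSubscriber(new UniSubscriber<SecurityIdentity>() {
                                @Override
                                public void onSubscribe(UniSubscription uniSubscription) {
                                }

                                @Override
                                public void onItem(SecurityIdentity securityIdentity2) {
                                    routingContext.put(QuarkusHttpUser.DEFERRED_IDENTITY_KEY, authenticate);
                                    routingContext.setUser(new QuarkusHttpUser(securityIdentity2));
                                    routingContext.next();
                                }

                                @Override
                                public void onFailure(Throwable th) {
                                    reportAuthFailure(routingContext, th);
                                }
                            });
                        } else {
                            routingContext.setUser(new QuarkusHttpUser(securityIdentity));
                            routingContext.put(QuarkusHttpUser.DEFERRED_IDENTITY_KEY, identity);
                            routingContext.next();
                        }
                    }

                    @Override
                    public void onFailure(Throwable th) {
                        reportAuthFailure(routingContext, th);
                    }
                });
            } else {
                // Lazy mode: the request continues immediately and the identity is resolved by
                // whoever subscribes to the deferred Uni stored on the context.
                routingContext.put(QuarkusHttpUser.DEFERRED_IDENTITY_KEY, identity.flatMap(new Function<SecurityIdentity, Uni<? extends SecurityIdentity>>() {
                    @Override
                    public Uni<? extends SecurityIdentity> apply(SecurityIdentity securityIdentity) {
                        if (securityIdentity == null) {
                            return AnonymousClass2.this.authenticator.getIdentityProviderManager().authenticate(AnonymousAuthenticationRequest.INSTANCE);
                        }
                        // The identity is passed as the item itself; casting it to UniCreate
                        // would fail with a ClassCastException.
                        return Uni.createFrom().item(securityIdentity);
                    }
                }).onTermination().invoke(new Functions.TriConsumer<SecurityIdentity, Throwable, Boolean>() {
                    @Override
                    public void accept(SecurityIdentity securityIdentity, Throwable th, Boolean bool) {
                        if (securityIdentity != null) {
                            routingContext.setUser(new QuarkusHttpUser(securityIdentity));
                        } else if (th != null) {
                            reportAuthFailure(routingContext, th);
                        }
                    }
                }).memoize().indefinitely());
                routingContext.next();
            }
        }
    }

    /**
     * Creates the recorder.
     *
     * @param runtimeValue runtime HTTP configuration, read for the FORM auth encryption key
     * @param httpBuildTimeConfig build-time HTTP configuration, read for the FORM auth settings
     */
    public HttpSecurityRecorder(RuntimeValue<HttpConfiguration> runtimeValue, HttpBuildTimeConfig httpBuildTimeConfig) {
        this.httpConfiguration = runtimeValue;
        this.buildTimeConfig = httpBuildTimeConfig;
    }

    /**
     * Returns the handler that authenticates each request.
     *
     * @param z {@code true} to authenticate before the request continues, {@code false} to store a
     *          deferred identity and continue immediately
     * @return the authentication handler
     */
    public Handler<RoutingContext> authenticationMechanismHandler(boolean z) {
        return new AnonymousClass2(z);
    }

    /**
     * Invokes the failure handler stored on the routing context, if there is one.
     * When no handler is registered the failure is dropped.
     */
    private static void reportAuthFailure(RoutingContext routingContext, Throwable failure) {
        BiConsumer<RoutingContext, Throwable> handler = routingContext.get(QuarkusHttpUser.AUTH_FAILURE_HANDLER);
        if (handler != null) {
            handler.accept(routingContext, failure);
        }
    }

    /** Returns {@code path} unchanged when it starts with "/", otherwise prefixed with "/". */
    private static String withLeadingSlash(String path) {
        return path.startsWith("/") ? path : "/" + path;
    }

    /**
     * Unwraps {@link CompletionException}s that carry a cause and {@link CompositeException}s
     * (taking their first cause) until another kind of throwable is reached.
     */
    private Throwable extractRootCause(Throwable th) {
        while (true) {
            if ((!(th instanceof CompletionException) || th.getCause() == null) && !(th instanceof CompositeException)) {
                return th;
            }
            th = th instanceof CompositeException ? ((CompositeException) th).getCauses().get(0) : th.getCause();
        }
    }

    /**
     * Returns the handler that delegates the permission check of each request to the
     * {@link HttpAuthorizer} bean, which is looked up from CDI on the first request.
     */
    public Handler<RoutingContext> permissionCheckHandler() {
        return new Handler<RoutingContext>() {
            volatile HttpAuthorizer authorizer;

            @Override
            public void handle(RoutingContext routingContext) {
                if (this.authorizer == null) {
                    this.authorizer = (HttpAuthorizer) CDI.current().select(HttpAuthorizer.class, new Annotation[0]).get();
                }
                this.authorizer.checkPermission(routingContext);
            }
        };
    }

    /**
     * Returns a listener that initialises the {@link PathMatchingHttpSecurityPolicy} bean once the
     * bean container has been created.
     *
     * @param httpBuildTimeConfig build-time HTTP configuration passed to the policy
     * @param map suppliers of security policies, passed to the policy as given
     */
    public BeanContainerListener initPermissions(final HttpBuildTimeConfig httpBuildTimeConfig, final Map<String, Supplier<HttpSecurityPolicy>> map) {
        return new BeanContainerListener() {
            @Override
            public void created(BeanContainer beanContainer) {
                ((PathMatchingHttpSecurityPolicy) beanContainer.instance(PathMatchingHttpSecurityPolicy.class, new Annotation[0])).init(httpBuildTimeConfig, map);
            }
        };
    }

    /**
     * Returns a supplier of the FORM authentication mechanism.
     *
     * <p>The encryption key is taken from the runtime configuration when present, otherwise from
     * the static fallback key, which is generated from 32 {@link SecureRandom} bytes on first use.
     * A warning is logged when the fallback is generated; the key value is not part of the message.
     */
    public Supplier<FormAuthenticationMechanism> setupFormAuth() {
        return new Supplier<FormAuthenticationMechanism>() {
            @Override
            public FormAuthenticationMechanism get() {
                String key;
                if (HttpSecurityRecorder.this.httpConfiguration.getValue().encryptionKey.isPresent()) {
                    key = HttpSecurityRecorder.this.httpConfiguration.getValue().encryptionKey.get();
                } else if (HttpSecurityRecorder.encryptionKey != null) {
                    key = HttpSecurityRecorder.encryptionKey;
                } else {
                    // NOTE(review): the null check and the assignment are not atomic, so two
                    // concurrent first calls could each generate a different key - confirm that
                    // this supplier is not invoked concurrently.
                    byte[] randomBytes = new byte[32];
                    new SecureRandom().nextBytes(randomBytes);
                    key = Base64.getEncoder().encodeToString(randomBytes);
                    HttpSecurityRecorder.encryptionKey = key;
                    // Never log the key: anyone able to read the log could use it against the
                    // persistent login cookies protected with it.
                    HttpSecurityRecorder.log.warn("Encryption key was not specified for persistent FORM auth, using a temporary generated key");
                }
                FormAuthConfig formAuthConfig = HttpSecurityRecorder.this.buildTimeConfig.auth.form;
                PersistentLoginManager persistentLoginManager = new PersistentLoginManager(key, formAuthConfig.cookieName, formAuthConfig.timeout.toMillis(), formAuthConfig.newCookieInterval.toMillis());
                return new FormAuthenticationMechanism(
                        withLeadingSlash(formAuthConfig.loginPage),
                        withLeadingSlash(formAuthConfig.postLocation),
                        formAuthConfig.usernameParameter,
                        formAuthConfig.passwordParameter,
                        withLeadingSlash(formAuthConfig.errorPage),
                        withLeadingSlash(formAuthConfig.landingPage),
                        formAuthConfig.redirectAfterLogin,
                        formAuthConfig.locationCookie,
                        persistentLoginManager);
            }
        };
    }

    /**
     * Returns a supplier of the BASIC authentication mechanism, built from the configured realm
     * and the flag telling whether FORM auth is enabled.
     */
    public Supplier<?> setupBasicAuth(final HttpBuildTimeConfig httpBuildTimeConfig) {
        return new Supplier<BasicAuthenticationMechanism>() {
            @Override
            public BasicAuthenticationMechanism get() {
                return new BasicAuthenticationMechanism(httpBuildTimeConfig.auth.realm, httpBuildTimeConfig.auth.form.enabled);
            }
        };
    }

    /** Returns a supplier of the mutual-TLS client authentication mechanism. */
    public Supplier<?> setupMtlsClientAuth() {
        return new Supplier<MtlsAuthenticationMechanism>() {
            @Override
            public MtlsAuthenticationMechanism get() {
                return new MtlsAuthenticationMechanism();
            }
        };
    }

    /**
     * Returns the handler for the FORM auth POST route: it waits for the deferred identity stored
     * on the routing context, continues the route on success and fails it on error.
     */
    public Handler<RoutingContext> formAuthPostHandler() {
        return new Handler<RoutingContext>() {
            @Override
            public void handle(final RoutingContext routingContext) {
                ((Uni) routingContext.get(QuarkusHttpUser.DEFERRED_IDENTITY_KEY)).subscribe().withSubscriber(new UniSubscriber<SecurityIdentity>() {
                    @Override
                    public void onSubscribe(UniSubscription uniSubscription) {
                    }

                    @Override
                    public void onItem(SecurityIdentity securityIdentity) {
                        routingContext.next();
                    }

                    @Override
                    public void onFailure(Throwable th) {
                        routingContext.fail(th);
                    }
                });
            }
        };
    }
}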
