package io.quarkus.oidc.runtime;

import io.quarkus.oidc.OIDCException;
import io.quarkus.oidc.OidcTenantConfig;
import io.quarkus.security.AuthenticationFailedException;
import io.quarkus.security.ForbiddenException;
import io.quarkus.security.identity.AuthenticationRequestContext;
import io.quarkus.security.identity.IdentityProvider;
import io.quarkus.security.identity.SecurityIdentity;
import io.quarkus.security.identity.request.TokenAuthenticationRequest;
import io.quarkus.security.runtime.QuarkusSecurityIdentity;
import io.smallrye.mutiny.Uni;
import io.smallrye.mutiny.groups.UniCreate;
import io.smallrye.mutiny.subscription.UniEmitter;
import io.vertx.core.AsyncResult;
import io.vertx.core.Handler;
import io.vertx.core.json.JsonObject;
import io.vertx.ext.auth.oauth2.AccessToken;
import io.vertx.ext.auth.oauth2.impl.OAuth2AuthProviderImpl;
import io.vertx.ext.jwt.JWT;
import io.vertx.ext.web.RoutingContext;
import java.util.Iterator;
import java.util.function.Consumer;
import java.util.function.Supplier;
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import org.eclipse.microprofile.jwt.Claims;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.consumer.InvalidJwtException;

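/**
 * Quarkus {@link IdentityProvider} for bearer tokens issued by an OIDC provider.
 *
 * <p>The token is checked against the tenant configuration selected for the
 * {@link RoutingContext} the request arrived on. A tenant with a statically
 * configured public key is verified locally; any other tenant is decoded through
 * the tenant's Vert.x OAuth2 provider. Both paths end in
 * {@link #validateAndCreateIdentity}, which validates the claims and maps the
 * token to a {@link QuarkusSecurityIdentity}.
 *
 * <p>Token verification failures surface as {@link AuthenticationFailedException};
 * failures while extracting roles surface as {@link ForbiddenException}.
 */
@ApplicationScoped
public class OidcIdentityProvider implements IdentityProvider<TokenAuthenticationRequest> {

    /** Resolves the per-tenant OIDC configuration and whether a request must be handled in blocking mode. */
    @Inject
    DefaultTenantConfigResolver tenantResolver;

    @Override
    public Class<TokenAuthenticationRequest> getRequestType() {
        return TokenAuthenticationRequest.class;
    }

    /**
     * Authenticates a bearer token for the HTTP request it arrived on.
     *
     * <p>Evaluation is deferred until subscription. If the tenant resolver reports
     * blocking mode for the request, the reactive validation is awaited on a worker
     * thread via {@link AuthenticationRequestContext#runBlocking}; otherwise the
     * {@code Uni} produced by {@link #authenticate(TokenAuthenticationRequest, RoutingContext)}
     * is returned directly.
     *
     * @param tokenAuthenticationRequest the request; its credential must be a
     *     {@link ContextAwareTokenCredential} carrying the originating routing context
     * @param authenticationRequestContext used to move blocking validation off the event loop
     * @return a {@code Uni} completing with the identity, or failing with
     *     {@link AuthenticationFailedException} / {@link ForbiddenException}
     */
    @Override
    public Uni<SecurityIdentity> authenticate(final TokenAuthenticationRequest tokenAuthenticationRequest,
            final AuthenticationRequestContext authenticationRequestContext) {
        final RoutingContext context = ((ContextAwareTokenCredential) tokenAuthenticationRequest.getToken()).getContext();
        return Uni.createFrom().deferred(() -> {
            if (tenantResolver.isBlocking(context)) {
                // Awaiting the pipeline is only legal off the event loop, hence runBlocking.
                return authenticationRequestContext
                        .runBlocking(() -> authenticate(tokenAuthenticationRequest, context).await().indefinitely());
            }
            return authenticate(tokenAuthenticationRequest, context);
        });
    }

    /**
     * Validates the token against the tenant resolved for {@code routingContext}.
     *
     * <p>A tenant with a configured {@code publicKey} is validated locally
     * ({@link #validateTokenWithoutOidcServer}); otherwise the token is sent through
     * the tenant's OAuth2 provider ({@link #validateTokenWithOidcServer}).
     *
     * @param tokenAuthenticationRequest the bearer token request
     * @param routingContext the HTTP request used to select the tenant
     * @return a {@code Uni} completing with the identity or failing with an authentication error
     */
    public Uni<SecurityIdentity> authenticate(TokenAuthenticationRequest tokenAuthenticationRequest,
            RoutingContext routingContext) {
        TenantConfigContext tenant = this.tenantResolver.resolve(routingContext, true);
        if (tenant.oidcConfig.publicKey.isPresent()) {
            return validateTokenWithoutOidcServer(tokenAuthenticationRequest, tenant);
        }
        return validateTokenWithOidcServer(tokenAuthenticationRequest, tenant);
    }

    /**
     * Decodes the token through the tenant's Vert.x OAuth2 provider and builds the identity
     * from the resulting access token payload.
     *
     * <p>The emitter is completed from the provider's asynchronous callback. A failed
     * decode fails the {@code Uni} with {@link AuthenticationFailedException} wrapping the
     * provider's cause; anything thrown by {@link #validateAndCreateIdentity} is propagated
     * unchanged.
     *
     * @param tokenAuthenticationRequest the bearer token request
     * @param tenantConfigContext the tenant whose {@code auth} provider decodes the token
     * @return a {@code Uni} completing with the identity or failing with the validation error
     */
    private Uni<SecurityIdentity> validateTokenWithOidcServer(final TokenAuthenticationRequest tokenAuthenticationRequest,
            final TenantConfigContext tenantConfigContext) {
        final String rawToken = tokenAuthenticationRequest.getToken().getToken();
        return Uni.createFrom().emitter(emitter -> tenantConfigContext.auth.decodeToken(rawToken, decoded -> {
            if (decoded.failed()) {
                emitter.fail(new AuthenticationFailedException(decoded.cause()));
                return;
            }
            try {
                emitter.complete(validateAndCreateIdentity(tokenAuthenticationRequest, tenantConfigContext.oidcConfig,
                        decoded.result().accessToken()));
            } catch (Throwable th) {
                // Throwable, not Exception: anything escaping this callback would leave the
                // emitter without a terminal signal, so every failure is forwarded to the subscriber.
                emitter.fail(th);
            }
        }));
    }

    /**
     * Verifies the token locally with the tenant's configured public key, without
     * contacting the OIDC server.
     *
     * <p>A decode failure or an expired token fails the {@code Uni} with
     * {@link AuthenticationFailedException}; anything thrown by
     * {@link #validateAndCreateIdentity} is propagated unchanged.
     *
     * @param tokenAuthenticationRequest the bearer token request
     * @param tenantConfigContext the tenant whose provider holds the JWT verifier and options
     * @return a {@code Uni} completing with the identity or failing with the validation error
     */
    private Uni<SecurityIdentity> validateTokenWithoutOidcServer(TokenAuthenticationRequest tokenAuthenticationRequest,
            TenantConfigContext tenantConfigContext) {
        OAuth2AuthProviderImpl provider = (OAuth2AuthProviderImpl) tenantConfigContext.auth;
        JWT jwt = provider.getJWT();
        JsonObject claims;
        try {
            // NOTE(review): this path relies on JWT#decode rejecting tokens whose signature does not
            // verify against the configured public key — confirm for the Vert.x version in use.
            claims = jwt.decode(tokenAuthenticationRequest.getToken().getToken());
            if (jwt.isExpired(claims, provider.getConfig().getJWTOptions())) {
                return Uni.createFrom().failure(new AuthenticationFailedException());
            }
        } catch (Throwable th) {
            return Uni.createFrom().failure(new AuthenticationFailedException(th));
        }
        try {
            // No cast here: item(T) accepts the identity directly with T inferred from the return type.
            return Uni.createFrom().item(
                    validateAndCreateIdentity(tokenAuthenticationRequest, tenantConfigContext.oidcConfig, claims));
        } catch (Throwable th) {
            return Uni.createFrom().failure(th);
        }
    }

    /**
     * Validates the decoded token claims and builds the security identity.
     *
     * <p>The raw token is attached both as the identity's credential and as the
     * {@code raw_token} claim of the JWT principal.
     *
     * @param tokenAuthenticationRequest source of the raw token credential
     * @param oidcTenantConfig tenant configuration supplying the claim validation rules,
     *     the principal claim name and the role mapping
     * @param jsonObject the decoded token payload produced by the caller's decode step
     * @return an identity carrying the token credential, an {@link OidcJwtCallerPrincipal}
     *     and the roles found in the token
     * @throws AuthenticationFailedException if claim validation fails or the payload
     *     cannot be parsed as a JWT claim set
     * @throws ForbiddenException if role extraction (or building the identity) throws
     */
    public QuarkusSecurityIdentity validateAndCreateIdentity(TokenAuthenticationRequest tokenAuthenticationRequest,
            OidcTenantConfig oidcTenantConfig, JsonObject jsonObject) throws Exception {
        try {
            OidcUtils.validateClaims(oidcTenantConfig.getToken(), jsonObject);
            QuarkusSecurityIdentity.Builder builder = QuarkusSecurityIdentity.builder();
            builder.addCredential(tokenAuthenticationRequest.getToken());
            try {
                JwtClaims jwtClaims = JwtClaims.parse(jsonObject.encode());
                jwtClaims.setClaim(Claims.raw_token.name(), tokenAuthenticationRequest.getToken().getToken());
                builder.setPrincipal(new OidcJwtCallerPrincipal(jwtClaims, tokenAuthenticationRequest.getToken(),
                        oidcTenantConfig.token.principalClaim.orElse(null)));
                try {
                    String clientId = oidcTenantConfig.getClientId().orElse(null);
                    for (String role : OidcUtils.findRoles(clientId, oidcTenantConfig.getRoles(), jsonObject)) {
                        builder.addRole(role);
                    }
                    return builder.build();
                } catch (Exception e) {
                    // Role mapping problems are an authorization failure, not an authentication one.
                    throw new ForbiddenException(e);
                }
            } catch (InvalidJwtException e) {
                throw new AuthenticationFailedException(e);
            }
        } catch (OIDCException e) {
            throw new AuthenticationFailedException(e);
        }
    }
}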
