package io.quarkus.oidc.runtime;

import io.netty.handler.codec.http.HttpResponseStatus;
import io.quarkus.oidc.AccessTokenCredential;
import io.quarkus.oidc.IdTokenCredential;
import io.quarkus.oidc.RefreshToken;
import io.quarkus.security.AuthenticationFailedException;
import io.quarkus.security.identity.IdentityProviderManager;
import io.quarkus.security.identity.SecurityIdentity;
import io.quarkus.security.runtime.QuarkusSecurityIdentity;
import io.quarkus.vertx.http.runtime.security.ChallengeData;
import io.vertx.core.http.Cookie;
import io.vertx.core.http.HttpHeaders;
import io.vertx.core.json.JsonArray;
import io.vertx.core.json.JsonObject;
import io.vertx.ext.auth.oauth2.AccessToken;
import io.vertx.ext.auth.oauth2.OAuth2Auth;
import io.vertx.ext.web.RoutingContext;
import io.vertx.ext.web.impl.CookieImpl;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Permission;
import java.time.Instant;
import java.util.ArrayList;
import java.util.List;
import java.util.UUID;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.CompletionStage;
import java.util.function.Function;
import javax.enterprise.context.ApplicationScoped;
import org.jose4j.jwt.ReservedClaimNames;

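/**
 * OIDC authorization-code-flow authentication mechanism (recovered from a decompiled class).
 *
 * <p>Two cookies are involved. {@code q_auth} carries the one-shot {@code state} nonce issued
 * together with the redirect challenge; {@code q_session} carries the three opaque tokens
 * (id, access, refresh) joined by {@code ___} once the code has been exchanged. On later
 * requests the id token from the session cookie is re-validated through the id-token
 * provider and the access/refresh tokens are re-attached to the resulting identity.
 */
@ApplicationScoped
public class CodeAuthenticationMechanism extends AbstractOidcAuthenticationMechanism {
    private static final String STATE_COOKIE_NAME = "q_auth";
    private static final String SESSION_COOKIE_NAME = "q_session";
    private static final String SESSION_COOKIE_DELIM = "___";

    // Positions of the tokens inside the session cookie, and how many fields a valid one has.
    private static final int ID_TOKEN_IDX = 0;
    private static final int ACCESS_TOKEN_IDX = 1;
    private static final int REFRESH_TOKEN_IDX = 2;
    private static final int SESSION_COOKIE_FIELDS = 3;

    /**
     * Copies {@code securityIdentity} and attaches the opaque access and refresh tokens to it.
     *
     * @param securityIdentity identity produced by validating the id token
     * @param str              opaque access token
     * @param str2             opaque refresh token (may be the string {@code "null"} when the
     *                         provider issued none, since it is read back from the cookie)
     * @return a new identity with the same principal, roles, attributes and permission
     *         checks, plus an {@link AccessTokenCredential} and a {@link RefreshToken}
     */
    public static QuarkusSecurityIdentity augmentIdentity(final SecurityIdentity securityIdentity, String str, String str2) {
        RefreshToken refreshToken = new RefreshToken(str2);
        return QuarkusSecurityIdentity.builder()
                .setPrincipal(securityIdentity.getPrincipal())
                .addCredentials(securityIdentity.getCredentials())
                .addCredential(new AccessTokenCredential(str, refreshToken))
                .addCredential(refreshToken)
                .addRoles(securityIdentity.getRoles())
                .addAttributes(securityIdentity.getAttributes())
                // Permission checks are delegated to the identity the id-token provider built.
                .addPermissionChecker(securityIdentity::checkPermission)
                .build();
    }

    /**
     * Authenticates the request from the session cookie, or starts/continues the code flow
     * when there is no usable session.
     *
     * @param routingContext          current request
     * @param identityProviderManager used to validate the id token
     * @return the augmented identity; a future completed with {@code null} when the request
     *         is neither a session nor a code callback (which leads to {@link #getChallenge})
     */
    @Override
    public CompletionStage<SecurityIdentity> authenticate(RoutingContext routingContext, IdentityProviderManager identityProviderManager) {
        Cookie sessionCookie = routingContext.request().getCookie(SESSION_COOKIE_NAME);
        if (sessionCookie == null) {
            return performCodeFlow(identityProviderManager, routingContext);
        }
        // The cookie value is client-supplied. A truncated or tampered value used to surface
        // as an ArrayIndexOutOfBoundsException at split[1]/split[2]; treat it as "no session"
        // instead: drop the cookie and restart the code flow.
        // NOTE(review): the opaque tokens are base64url and may themselves contain "___";
        // like the original, only the first three fields are used when there are more.
        final String[] tokens = sessionCookie.getValue().split(SESSION_COOKIE_DELIM);
        if (tokens.length < SESSION_COOKIE_FIELDS) {
            removeSessionCookie(routingContext);
            return performCodeFlow(identityProviderManager, routingContext);
        }
        return authenticate(identityProviderManager, new IdTokenCredential(tokens[ID_TOKEN_IDX]))
                .<SecurityIdentity>thenApply(identity ->
                        augmentIdentity(identity, tokens[ACCESS_TOKEN_IDX], tokens[REFRESH_TOKEN_IDX]));
    }

    /**
     * Builds the 302 redirect to the provider's authorization endpoint.
     *
     * <p>Any stale session cookie is removed, the {@code openid} scope is prepended to the
     * configured scopes, and a fresh {@code state} nonce is issued (and stored in a cookie)
     * so that the callback can be tied to this challenge.
     *
     * @param routingContext current request
     * @return a {@code Location}-based challenge with status 302
     */
    @Override
    public CompletionStage<ChallengeData> getChallenge(RoutingContext routingContext) {
        removeSessionCookie(routingContext);
        List<String> scopes = new ArrayList<>();
        scopes.add("openid");
        scopes.addAll(this.config.authentication.scopes);
        JsonObject params = new JsonObject()
                .put("scopes", new JsonArray(scopes))
                .put("redirect_uri", buildRedirectUri(routingContext))
                .put("state", generateState(routingContext));
        return CompletableFuture.completedFuture(
                new ChallengeData(HttpResponseStatus.FOUND.code(), HttpHeaders.LOCATION, this.auth.authorizeURL(params)));
    }

    /**
     * Handles the authorization-code callback: checks the returned {@code state} against the
     * nonce cookie, exchanges the code for tokens, validates the id token and establishes the
     * session cookie.
     *
     * @param identityProviderManager used to validate the id token
     * @param routingContext          current request
     * @return the augmented identity; completed with {@code null} when no {@code code}
     *         parameter is present; completed exceptionally with
     *         {@link AuthenticationFailedException} on a state mismatch or a failed exchange
     */
    private CompletionStage<SecurityIdentity> performCodeFlow(IdentityProviderManager identityProviderManager, RoutingContext routingContext) {
        String code = routingContext.request().getParam("code");
        if (code == null) {
            // Not a callback: a null identity lets the caller fall through to getChallenge().
            return CompletableFuture.completedFuture(null);
        }
        CompletableFuture<SecurityIdentity> result = new CompletableFuture<>();
        // The nonce issued in getChallenge() was never verified here, so a forged callback
        // carrying an attacker's code was accepted. Reject any callback whose state does not
        // match the cookie set for this browser.
        if (!stateMatches(routingContext)) {
            result.completeExceptionally(new AuthenticationFailedException());
            return result;
        }
        JsonObject params = new JsonObject()
                .put("code", code)
                .put("redirect_uri", buildRedirectUri(routingContext));
        this.auth.authenticate(params, asyncResult -> {
            if (asyncResult.failed()) {
                // NOTE(review): the provider's failure cause is dropped here, as in the original.
                result.completeExceptionally(new AuthenticationFailedException());
                return;
            }
            // Anything thrown inside these callbacks previously left `result` incomplete
            // forever (the caller would hang); route it into the future instead.
            try {
                AccessToken accessToken = AccessToken.class.cast(asyncResult.result());
                authenticate(identityProviderManager, new IdTokenCredential(accessToken.opaqueIdToken()))
                        .whenCompleteAsync((identity, failure) -> {
                            if (failure != null) {
                                result.completeExceptionally(failure);
                                return;
                            }
                            try {
                                processSuccessfulAuthentication(routingContext, result, accessToken, identity);
                            } catch (RuntimeException e) {
                                result.completeExceptionally(e);
                            }
                        });
            } catch (RuntimeException e) {
                result.completeExceptionally(e);
            }
        });
        return result;
    }

    /**
     * Compares the callback's {@code state} parameter with the nonce stored by
     * {@link #generateState}, consuming the nonce cookie whether or not they match.
     *
     * @param routingContext current request
     * @return {@code true} only when both values are present and equal
     */
    private boolean stateMatches(RoutingContext routingContext) {
        Cookie stateCookie = routingContext.request().getCookie(STATE_COOKIE_NAME);
        String returnedState = routingContext.request().getParam("state");
        // One-shot nonce: it must not be replayable, so remove it on every outcome.
        routingContext.response().removeCookie(STATE_COOKIE_NAME, true);
        if (stateCookie == null || returnedState == null) {
            return false;
        }
        return MessageDigest.isEqual(
                stateCookie.getValue().getBytes(StandardCharsets.UTF_8),
                returnedState.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Stores the freshly obtained tokens in the session cookie and completes
     * {@code completableFuture} with the augmented identity.
     *
     * @param routingContext    current request
     * @param completableFuture future returned to the caller of {@link #performCodeFlow}
     * @param accessToken       token set returned by the code exchange
     * @param securityIdentity  identity produced by validating the id token
     * @throws NullPointerException if the id token carries no {@code exp} claim (the caller
     *                              turns this into an exceptional completion)
     */
    private void processSuccessfulAuthentication(RoutingContext routingContext, CompletableFuture<SecurityIdentity> completableFuture, AccessToken accessToken, SecurityIdentity securityIdentity) {
        removeSessionCookie(routingContext);
        String opaqueIdToken = accessToken.opaqueIdToken();
        String opaqueAccessToken = accessToken.opaqueAccessToken();
        String opaqueRefreshToken = accessToken.opaqueRefreshToken();
        // String.join renders a null element as "null", exactly as the previous concatenation did.
        CookieImpl sessionCookie = new CookieImpl(SESSION_COOKIE_NAME,
                String.join(SESSION_COOKIE_DELIM, opaqueIdToken, opaqueAccessToken, opaqueRefreshToken));
        // "exp" is an absolute NumericDate (seconds since the epoch) whereas Max-Age is a
        // lifetime in seconds. Passing exp straight through produced a cookie that outlived
        // the id token by decades; use the remaining lifetime instead (0 when already past,
        // which tells the browser to discard the cookie).
        long expiresAt = accessToken.idToken().getLong(ReservedClaimNames.EXPIRATION_TIME);
        long remainingSeconds = expiresAt - Instant.now().getEpochSecond();
        sessionCookie.setMaxAge(Math.max(0L, remainingSeconds));
        // NOTE(review): isSSL() reflects the connection to this server; behind a TLS-terminating
        // proxy the Secure flag will be off unless the proxy protocol is configured.
        sessionCookie.setSecure(routingContext.request().isSSL());
        sessionCookie.setHttpOnly(true);
        routingContext.response().addCookie(sessionCookie);
        completableFuture.complete(augmentIdentity(securityIdentity, opaqueAccessToken, opaqueRefreshToken));
    }

    /**
     * Issues a random {@code state} nonce, stores it in a browser-session cookie and returns it
     * for inclusion in the authorization request.
     *
     * @param routingContext current request
     * @return the nonce value
     */
    private String generateState(RoutingContext routingContext) {
        CookieImpl stateCookie = new CookieImpl(STATE_COOKIE_NAME, UUID.randomUUID().toString());
        stateCookie.setHttpOnly(true);
        stateCookie.setSecure(routingContext.request().isSSL());
        // -1: no Max-Age attribute, i.e. the cookie lasts for the browser session only.
        stateCookie.setMaxAge(-1L);
        routingContext.response().addCookie(stateCookie);
        return stateCookie.getValue();
    }

    /**
     * Derives the {@code redirect_uri} from the current request: scheme, authority and path,
     * without query string.
     *
     * <p>NOTE(review): the authority comes from the request's own Host header as seen by this
     * server; behind a reverse proxy it may differ from the externally visible address.
     *
     * @param routingContext current request
     * @return the redirect URI
     */
    private String buildRedirectUri(RoutingContext routingContext) {
        URI requestUri = URI.create(routingContext.request().absoluteURI());
        return routingContext.request().scheme() + "://" + requestUri.getAuthority() + requestUri.getPath();
    }

    /**
     * Instructs the browser to discard the session cookie.
     *
     * @param routingContext current request
     */
    private void removeSessionCookie(RoutingContext routingContext) {
        routingContext.response().removeCookie(SESSION_COOKIE_NAME, true);
    }

    /**
     * Covariant bridge kept from the compiled class; simply delegates to the superclass.
     *
     * @param oAuth2Auth provider client
     * @param oidcConfig runtime configuration
     * @return this mechanism
     */
    @Override
    public AbstractOidcAuthenticationMechanism setAuth(OAuth2Auth oAuth2Auth, OidcConfig oidcConfig) {
        return super.setAuth(oAuth2Auth, oidcConfig);
    }
}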
