package io.quarkus.oidc.runtime;

import io.netty.handler.codec.http.HttpResponseStatus;
import io.quarkus.oidc.AccessTokenCredential;
import io.quarkus.oidc.IdTokenCredential;
import io.quarkus.oidc.RefreshToken;
import io.quarkus.oidc.runtime.OidcTenantConfig;
import io.quarkus.security.identity.IdentityProviderManager;
import io.quarkus.security.identity.SecurityIdentity;
import io.quarkus.security.runtime.QuarkusSecurityIdentity;
import io.quarkus.vertx.http.runtime.security.AuthenticationCompletionException;
import io.quarkus.vertx.http.runtime.security.AuthenticationRedirectException;
import io.quarkus.vertx.http.runtime.security.ChallengeData;
import io.vertx.core.http.Cookie;
import io.vertx.core.http.HttpHeaders;
import io.vertx.core.json.JsonArray;
import io.vertx.core.json.JsonObject;
import io.vertx.ext.auth.oauth2.AccessToken;
import io.vertx.ext.web.RoutingContext;
import io.vertx.ext.web.impl.CookieImpl;
import java.net.URI;
import java.security.Permission;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.UUID;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.CompletionStage;
import java.util.function.Function;
import org.jboss.logging.Logger;
import org.jose4j.jwt.ReservedClaimNames;

/* loaded from: input_file:io/quarkus/oidc/runtime/CodeAuthenticationMechanism.class */
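/**
 * OIDC authorization-code-flow mechanism.
 * <p>
 * Two cookies drive the flow: a short-lived state cookie ({@value #STATE_COOKIE_NAME}) issued with the
 * challenge and checked when the IDP redirects back, and a session cookie ({@value #SESSION_COOKIE_NAME})
 * holding the ID, access and refresh tokens joined by {@value #COOKIE_DELIM}. Both are HttpOnly and marked
 * Secure when the request arrived over TLS. Cookie values come from the client and are validated before use.
 */
public class CodeAuthenticationMechanism extends AbstractOidcAuthenticationMechanism {
    private static final Logger LOG = Logger.getLogger(CodeAuthenticationMechanism.class);
    private static final String STATE_COOKIE_NAME = "q_auth";
    private static final String SESSION_COOKIE_NAME = "q_session";
    // Separator for the segments stored in both cookies; it has no regex meaning, so String.split is safe.
    private static final String COOKIE_DELIM = "___";
    // Number of segments a session cookie issued by this mechanism carries: id token, access token, refresh token.
    private static final int SESSION_COOKIE_PARTS = 3;

    /**
     * Wraps an identity produced from the ID token with the access and refresh token credentials.
     *
     * @param securityIdentity identity established from the ID token
     * @param accessToken opaque access token string
     * @param refreshTokenValue opaque refresh token string
     * @param routingContext current request context, passed through to the credential
     * @return a new identity carrying the original principal, roles, attributes, permission checker and the
     *         token credentials
     */
    public static QuarkusSecurityIdentity augmentIdentity(SecurityIdentity securityIdentity, String accessToken,
            String refreshTokenValue, RoutingContext routingContext) {
        RefreshToken refreshToken = new RefreshToken(refreshTokenValue);
        return QuarkusSecurityIdentity.builder()
                .setPrincipal(securityIdentity.getPrincipal())
                .addCredentials(securityIdentity.getCredentials())
                .addCredential(new AccessTokenCredential(accessToken, refreshToken, routingContext))
                .addCredential(refreshToken)
                .addRoles(securityIdentity.getRoles())
                .addAttributes(securityIdentity.getAttributes())
                // Permission checks keep delegating to the identity built from the ID token.
                .addPermissionChecker(securityIdentity::checkPermission)
                .build();
    }

    /**
     * Authenticates the request from the session cookie, falling back to the code flow when there is none.
     * <p>
     * A session cookie that does not carry exactly three segments cannot have been issued by this mechanism
     * (or was truncated); it is discarded and the code flow restarted rather than failing with an index error.
     *
     * @param routingContext current request
     * @param identityProviderManager manager used to verify the ID token
     * @param defaultTenantConfigResolver resolver for the tenant configuration
     * @return the authenticated identity, or a stage completed with {@code null} when a challenge is needed
     */
    public CompletionStage<SecurityIdentity> authenticate(RoutingContext routingContext,
            IdentityProviderManager identityProviderManager, DefaultTenantConfigResolver defaultTenantConfigResolver) {
        Cookie sessionCookie = routingContext.request().getCookie(SESSION_COOKIE_NAME);
        if (sessionCookie == null) {
            return performCodeFlow(identityProviderManager, routingContext, defaultTenantConfigResolver);
        }
        String[] tokens = sessionCookie.getValue().split(COOKIE_DELIM);
        if (tokens.length != SESSION_COOKIE_PARTS) {
            LOG.debug("The session cookie is malformed, restarting the code flow");
            removeCookie(routingContext, SESSION_COOKIE_NAME);
            return performCodeFlow(identityProviderManager, routingContext, defaultTenantConfigResolver);
        }
        String idToken = tokens[0];
        String accessToken = tokens[1];
        String refreshToken = tokens[2];
        return authenticate(identityProviderManager, new IdTokenCredential(idToken, routingContext))
                .thenCompose(identity -> CompletableFuture
                        .completedFuture(augmentIdentity(identity, accessToken, refreshToken, routingContext)));
    }

    /**
     * Builds the redirect to the IDP authorization endpoint and issues the state cookie.
     * <p>
     * Any existing session cookie is dropped first so a stale session cannot survive a new challenge.
     *
     * @param routingContext current request
     * @param defaultTenantConfigResolver resolver for the tenant configuration
     * @return a 302 challenge whose Location is the IDP authorization URL
     */
    public CompletionStage<ChallengeData> getChallenge(RoutingContext routingContext,
            DefaultTenantConfigResolver defaultTenantConfigResolver) {
        removeCookie(routingContext, SESSION_COOKIE_NAME);
        TenantConfigContext configContext = defaultTenantConfigResolver.resolve(routingContext, false);

        // "openid" is always requested; configured scopes are appended.
        List<String> scopes = new ArrayList<>();
        scopes.add("openid");
        Optional<List<String>> configuredScopes = configContext.oidcConfig.getAuthentication().scopes;
        configuredScopes.ifPresent(scopes::addAll);

        JsonObject params = new JsonObject();
        params.put("scopes", new JsonArray(scopes));

        URI absoluteUri = URI.create(routingContext.request().absoluteURI());
        String redirectPath = getRedirectPath(configContext, absoluteUri);
        String redirectUri = buildRedirectUri(routingContext, absoluteUri, redirectPath);
        LOG.debugf("Authentication request redirect_uri parameter: %s", redirectUri);
        params.put("redirect_uri", redirectUri);
        params.put("state", generateState(routingContext, configContext, absoluteUri, redirectPath));

        Map<String, String> extraParams = configContext.oidcConfig.authentication.getExtraParams();
        if (extraParams != null) {
            for (Map.Entry<String, String> entry : extraParams.entrySet()) {
                params.put(entry.getKey(), entry.getValue());
            }
        }
        return CompletableFuture.completedFuture(
                new ChallengeData(HttpResponseStatus.FOUND.code(), HttpHeaders.LOCATION,
                        configContext.auth.authorizeURL(params)));
    }

    /**
     * Handles the redirect back from the IDP: validates the state, optionally restores the originally
     * requested path, exchanges the code for tokens and verifies the ID token.
     * <p>
     * The state segment of the cookie must equal the {@code state} query parameter exactly; a prefix match
     * would accept a truncated or empty value.
     *
     * @param identityProviderManager manager used to verify the ID token
     * @param routingContext current request
     * @param defaultTenantConfigResolver resolver for the tenant configuration
     * @return a stage completed with {@code null} when no {@code code} parameter is present (a challenge is
     *         then expected), with the identity on success, or exceptionally with
     *         {@link AuthenticationCompletionException} / {@link AuthenticationRedirectException}
     */
    private CompletionStage<SecurityIdentity> performCodeFlow(IdentityProviderManager identityProviderManager,
            RoutingContext routingContext, DefaultTenantConfigResolver defaultTenantConfigResolver) {
        TenantConfigContext configContext = defaultTenantConfigResolver.resolve(routingContext, true);
        String code = routingContext.request().getParam("code");
        if (code == null) {
            // Not a redirect back from the IDP: let the caller issue the challenge.
            return CompletableFuture.completedFuture(null);
        }

        CompletableFuture<SecurityIdentity> result = new CompletableFuture<>();
        URI absoluteUri = URI.create(routingContext.request().absoluteURI());

        Cookie stateCookie = routingContext.request().getCookie(STATE_COOKIE_NAME);
        if (stateCookie == null) {
            LOG.debug("The state cookie is missing after a redirect from IDP");
            result.completeExceptionally(new AuthenticationCompletionException());
            return result;
        }
        List<String> stateParams = routingContext.queryParam("state");
        if (stateParams.size() != 1) {
            LOG.debug("State parameter can not be empty or multi-valued");
            result.completeExceptionally(new AuthenticationCompletionException());
            return result;
        }
        // split never returns an empty array, so stateParts[0] is always present.
        String[] stateParts = stateCookie.getValue().split(COOKIE_DELIM);
        if (!stateParts[0].equals(stateParams.get(0))) {
            LOG.debug("State cookie does not match the state parameter");
            result.completeExceptionally(new AuthenticationCompletionException());
            return result;
        }

        if (routingContext.queryParam("pathChecked").isEmpty() && stateParts.length == 2) {
            // The cookie carries the path originally requested (see generateState): redirect there once,
            // marking the request with pathChecked=true so this branch is not taken again, and carrying the
            // IDP's query string along. The state cookie is kept for that second pass.
            // NOTE(review): the decompiler lost the exact query assembly here; the "&" + rawQuery tail is
            // what the original expression visibly contained.
            String rawQuery = absoluteUri.getRawQuery();
            String restoredPath = stateParts[1] + "?pathChecked=true" + (rawQuery != null ? "&" + rawQuery : "");
            String localRedirectUri = buildRedirectUri(routingContext, absoluteUri, restoredPath);
            LOG.debugf("Local redirect URI: %s", localRedirectUri);
            result.completeExceptionally(new AuthenticationRedirectException(localRedirectUri));
            return result;
        }
        removeCookie(routingContext, STATE_COOKIE_NAME);

        JsonObject tokenRequest = new JsonObject();
        tokenRequest.put("code", code);
        String redirectUri = buildRedirectUri(routingContext, absoluteUri, getRedirectPath(configContext, absoluteUri));
        LOG.debugf("Token request redirect_uri parameter: %s", redirectUri);
        tokenRequest.put("redirect_uri", redirectUri);

        // The client secret is only sent in the body when the POST method is configured for it.
        OidcTenantConfig.Credentials credentials = configContext.oidcConfig.getCredentials();
        if (credentials.clientSecret.value.isPresent() && credentials.clientSecret.method.isPresent()
                && OidcTenantConfig.Credentials.Secret.Method.POST == credentials.clientSecret.method.get()) {
            tokenRequest.put("client_secret", credentials.clientSecret.value.get());
        }

        configContext.auth.authenticate(tokenRequest, asyncResult -> {
            if (asyncResult.failed()) {
                if (asyncResult.cause() != null) {
                    LOG.debugf("Exception during the code to token exchange: %s", asyncResult.cause().getMessage());
                }
                result.completeExceptionally(new AuthenticationCompletionException(asyncResult.cause()));
                return;
            }
            AccessToken accessToken = AccessToken.class.cast(asyncResult.result());
            // The ID token is verified through the identity providers before any session is established.
            authenticate(identityProviderManager, new IdTokenCredential(accessToken.opaqueIdToken(), routingContext))
                    .whenCompleteAsync((identity, failure) -> {
                        if (failure != null) {
                            result.completeExceptionally(new AuthenticationCompletionException(failure));
                        } else {
                            processSuccessfulAuthentication(routingContext, configContext, result, accessToken,
                                    identity);
                        }
                    });
        });
        return result;
    }

    /**
     * Issues the session cookie for a verified token set and completes the pending authentication.
     * <p>
     * The cookie lifetime is derived from the ID token's {@code exp} claim, which is an absolute
     * NumericDate in seconds; Max-Age expects a remaining lifetime, so the current time is subtracted.
     * Without an {@code exp} claim the cookie is left as a browser-session cookie.
     *
     * @param routingContext current request
     * @param tenantConfigContext resolved tenant configuration
     * @param result future to complete with the augmented identity
     * @param accessToken token response from the IDP
     * @param securityIdentity identity established from the verified ID token
     */
    private void processSuccessfulAuthentication(RoutingContext routingContext, TenantConfigContext tenantConfigContext,
            CompletableFuture<SecurityIdentity> result, AccessToken accessToken, SecurityIdentity securityIdentity) {
        removeCookie(routingContext, SESSION_COOKIE_NAME);
        String cookieValue = accessToken.opaqueIdToken() + COOKIE_DELIM + accessToken.opaqueAccessToken()
                + COOKIE_DELIM + accessToken.opaqueRefreshToken();
        CookieImpl sessionCookie = new CookieImpl(SESSION_COOKIE_NAME, cookieValue);
        Long expiresAt = accessToken.idToken().getLong(ReservedClaimNames.EXPIRATION_TIME);
        if (expiresAt != null) {
            long remainingSeconds = expiresAt - System.currentTimeMillis() / 1000L;
            sessionCookie.setMaxAge(Math.max(0L, remainingSeconds));
        }
        sessionCookie.setSecure(routingContext.request().isSSL());
        sessionCookie.setHttpOnly(true);
        OidcTenantConfig.Authentication authentication = tenantConfigContext.oidcConfig.authentication;
        if (authentication.cookiePath.isPresent()) {
            sessionCookie.setPath(authentication.cookiePath.get());
        }
        routingContext.response().addCookie(sessionCookie);
        result.complete(augmentIdentity(securityIdentity, accessToken.opaqueAccessToken(),
                accessToken.opaqueRefreshToken(), routingContext));
    }

    /**
     * Returns the configured redirect path, or the raw path of the current request when none is configured.
     *
     * @param tenantConfigContext resolved tenant configuration
     * @param uri absolute URI of the current request
     * @return the path part of the redirect URI
     */
    private String getRedirectPath(TenantConfigContext tenantConfigContext, URI uri) {
        OidcTenantConfig.Authentication authentication = tenantConfigContext.oidcConfig.getAuthentication();
        return authentication.getRedirectPath().orElse(uri.getRawPath());
    }

    /**
     * Creates a random state value, stores it in the state cookie and returns it.
     * <p>
     * When path restoration is enabled and the redirect path differs from the requested one, the requested
     * raw path is appended to the cookie after {@value #COOKIE_DELIM} so {@code performCodeFlow} can
     * redirect back to it. Only the random value itself is returned for the {@code state} parameter.
     *
     * @param routingContext current request; the cookie is added to its response
     * @param tenantConfigContext resolved tenant configuration
     * @param uri absolute URI of the current request
     * @param redirectPath path the IDP will redirect back to
     * @return the random state value
     */
    private String generateState(RoutingContext routingContext, TenantConfigContext tenantConfigContext, URI uri,
            String redirectPath) {
        String state = UUID.randomUUID().toString();
        OidcTenantConfig.Authentication authentication = tenantConfigContext.oidcConfig.getAuthentication();
        String cookieValue = state;
        if (authentication.isRestorePathAfterRedirect() && !redirectPath.equals(uri.getRawPath())) {
            cookieValue = cookieValue + COOKIE_DELIM + uri.getRawPath();
        }
        CookieImpl stateCookie = new CookieImpl(STATE_COOKIE_NAME, cookieValue);
        stateCookie.setHttpOnly(true);
        stateCookie.setSecure(routingContext.request().isSSL());
        // The round trip to the IDP must complete within 30 minutes.
        stateCookie.setMaxAge(1800L);
        if (authentication.cookiePath.isPresent()) {
            stateCookie.setPath(authentication.getCookiePath().get());
        }
        routingContext.response().addCookie(stateCookie);
        return state;
    }

    /**
     * Builds an absolute URI from the request scheme, the request authority and the given path.
     * Scheme and authority always come from the current request, so the result stays on this host.
     *
     * @param routingContext current request
     * @param uri absolute URI of the current request
     * @param path path (optionally with query) to append
     * @return the absolute URI
     */
    private String buildRedirectUri(RoutingContext routingContext, URI uri, String path) {
        return routingContext.request().scheme() + "://" + uri.getAuthority() + path;
    }

    /**
     * Removes a cookie from the response, invalidating it in the browser.
     *
     * @param routingContext current request
     * @param name cookie name
     * @return the removed cookie, as reported by the response
     */
    private Cookie removeCookie(RoutingContext routingContext, String name) {
        return routingContext.response().removeCookie(name, true);
    }
}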
