package io.quarkus.oidc.runtime;

import io.netty.handler.codec.rtsp.RtspHeaders;
import io.quarkus.oidc.OIDCException;
import io.quarkus.oidc.OidcTenantConfig;
import io.quarkus.runtime.annotations.Recorder;
import io.quarkus.runtime.configuration.ConfigurationException;
import io.vertx.core.AsyncResult;
import io.vertx.core.Handler;
import io.vertx.core.Vertx;
import io.vertx.core.json.JsonObject;
import io.vertx.core.net.ProxyOptions;
import io.vertx.ext.auth.PubSecKeyOptions;
import io.vertx.ext.auth.oauth2.OAuth2Auth;
import io.vertx.ext.auth.oauth2.OAuth2ClientOptions;
import io.vertx.ext.auth.oauth2.impl.OAuth2AuthProviderImpl;
import io.vertx.ext.auth.oauth2.providers.KeycloakAuth;
import io.vertx.ext.jwt.JWTOptions;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.CompletionException;
import java.util.function.Function;
import java.util.function.Supplier;
import org.jboss.logging.Logger;
import org.jose4j.jws.AlgorithmIdentifiers;

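@Recorder
/**
 * Startup recorder that turns the {@code quarkus.oidc} configuration into one
 * {@link TenantConfigContext} per tenant (default, named and dynamically resolved).
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>{@code tls.verification=none} disables BOTH certificate and hostname
 *       verification of the connection to the OpenID Provider; it is now logged at
 *       WARN so it cannot go unnoticed in production.</li>
 *   <li>A configured {@code token.issuer} switches the vert.x issuer check off
 *       ({@code setValidateIssuer(false)}); the {@code iss} comparison must then be
 *       done by the code that verifies tokens with the resulting context.</li>
 *   <li>A configured {@code public-key} means no connection to the provider is
 *       made at all and tokens are verified locally with an RS256 key.</li>
 * </ul>
 */
public class OidcRecorder {
    private static final Logger LOG = Logger.getLogger(OidcRecorder.class);

    /** Pause between two attempts to reach the OpenID Provider at startup. */
    private static final long CONNECTION_RETRY_INTERVAL_MS = 2000L;

    /**
     * Creates the contexts for the default tenant and every named tenant at build
     * time and returns a supplier producing the {@link TenantConfigBean} at runtime.
     *
     * @param oidcConfig    the whole {@code quarkus.oidc} configuration
     * @param vertxSupplier supplies the Vert.x instance used for provider discovery
     * @return a supplier of the bean holding the static tenants, the default tenant
     *         and the factory used for dynamically resolved tenants
     * @throws OIDCException          when a named tenant duplicates the default
     *                                tenant-id or declares a conflicting tenant-id
     * @throws ConfigurationException when a tenant's configuration is invalid
     */
    public Supplier<TenantConfigBean> setup(OidcConfig oidcConfig, Supplier<Vertx> vertxSupplier) {
        final Vertx vertx = vertxSupplier.get();
        // Disabled tenants are stored as null values, so a HashMap (null-tolerant) is required here.
        final Map<String, TenantConfigContext> staticTenants = new HashMap<>();
        final Optional<String> defaultTenantId = oidcConfig.defaultTenant.getTenantId();

        for (Map.Entry<String, OidcTenantConfig> tenant : oidcConfig.namedTenants.entrySet()) {
            String key = tenant.getKey();
            OidcTenantConfig config = tenant.getValue();
            if (defaultTenantId.isPresent() && key.equals(defaultTenantId.get())) {
                throw new OIDCException("tenant-id '" + key + "' duplicates the default tenant-id");
            }
            // The map key and an explicit 'tenant-id' inside the tenant block must agree.
            if (config.getTenantId().isPresent() && !key.equals(config.getTenantId().get())) {
                throw new OIDCException("Configuration has 2 different tenant-id values: '" + key + "' and '"
                        + config.getTenantId().get() + "'");
            }
            staticTenants.put(key, createTenantContext(vertx, config, key));
        }

        final TenantConfigContext defaultTenant = createTenantContext(vertx, oidcConfig.defaultTenant, "Default");

        // Dynamic tenants are resolved at runtime; a missing tenant-id used to surface as a bare
        // NoSuchElementException, which is now reported with an explicit message instead.
        return () -> new TenantConfigBean(staticTenants, defaultTenant,
                dynamicConfig -> createTenantContext(vertx, dynamicConfig,
                        dynamicConfig.getTenantId().orElseThrow(() -> new OIDCException(
                                "A dynamically resolved OidcTenantConfig must provide a 'tenant-id'"))));
    }

    /**
     * Builds the context for one tenant.
     *
     * @param vertx      Vert.x instance used for provider discovery
     * @param oidcConfig the tenant configuration; its {@code tenantId} is filled in
     *                   from {@code tenantId} when absent (the config object is mutated)
     * @param tenantId   the tenant identifier ("Default" for the default tenant)
     * @return the tenant context, or {@code null} when the tenant is disabled
     *         (callers must handle the null)
     * @throws ConfigurationException on invalid or contradictory tenant settings
     * @throws OIDCException          when the provider cannot be reached or its
     *                                discovered configuration is unusable
     */
    public TenantConfigContext createTenantContext(Vertx vertx, OidcTenantConfig oidcConfig, String tenantId) {
        if (!oidcConfig.tenantEnabled) {
            LOG.debugf("%s tenant configuration is disabled", tenantId);
            return null;
        }
        if (!oidcConfig.tenantId.isPresent()) {
            oidcConfig.tenantId = Optional.of(tenantId);
        }

        OAuth2ClientOptions options = new OAuth2ClientOptions();
        if (oidcConfig.getClientId().isPresent()) {
            options.setClientID(oidcConfig.getClientId().get());
        }
        if (oidcConfig.getToken().issuer.isPresent()) {
            // NOTE(review): a configured 'token.issuer' turns the vert.x issuer check OFF. Nothing in
            // this class compares the token 'iss' claim with the configured value, so that comparison
            // must be performed by the token verification code consuming TenantConfigContext — confirm.
            options.setValidateIssuer(false);
        }
        if (oidcConfig.getToken().getLifespanGrace().isPresent()) {
            // Clock-skew allowance, in seconds, applied to exp/nbf/iat checks by vert.x.
            JWTOptions jwtOptions = new JWTOptions();
            jwtOptions.setLeeway(oidcConfig.getToken().getLifespanGrace().get().intValue());
            options.setJWTOptions(jwtOptions);
        }

        // Local verification with a static key: no discovery, no connection to the provider.
        if (oidcConfig.getPublicKey().isPresent()) {
            return createdTenantContextFromPublicKey(options, oidcConfig);
        }
        if (!oidcConfig.getAuthServerUrl().isPresent() || !oidcConfig.getClientId().isPresent()) {
            throw new ConfigurationException(
                    "Both 'auth-server-url' and 'client-id' or alterntively 'public-key' must be configured when the quarkus-oidc extension is enabled");
        }

        String authServerUrl = oidcConfig.getAuthServerUrl().get();
        if (authServerUrl.endsWith("/")) {
            authServerUrl = authServerUrl.substring(0, authServerUrl.length() - 1);
        }
        options.setSite(authServerUrl);
        if (oidcConfig.getIntrospectionPath().isPresent()) {
            options.setIntrospectionPath(oidcConfig.getIntrospectionPath().get());
        }
        if (oidcConfig.getJwksPath().isPresent()) {
            options.setJwkPath(oidcConfig.getJwksPath().get());
        }

        configureClientSecret(options, oidcConfig.getCredentials());
        toProxyOptions(oidcConfig.getProxy()).ifPresent(options::setProxyOptions);

        if (oidcConfig.tls.verification == OidcTenantConfig.Tls.Verification.NONE) {
            // Disables certificate AND hostname verification: the connection to the provider (and the
            // JWKS / introspection / token endpoints reached through it) becomes trivially MITM-able.
            LOG.warnf("TLS certificate and hostname verification is disabled for the '%s' tenant "
                    + "('tls.verification=none'); do not use this setting outside of development", tenantId);
            options.setTrustAll(true);
            options.setVerifyHost(false);
        }

        OAuth2Auth auth = discoverProvider(vertx, options, oidcConfig, connectionAttempts(oidcConfig));
        // Unknown 'kid' values trigger a (rate-limited, per the handler's interval) JWKS refresh.
        auth.missingKeyHandler(new JwkSetRefreshHandler(auth, oidcConfig.token.forcedJwkRefreshInterval));
        return new TenantConfigContext(auth, oidcConfig);
    }

    /**
     * Applies the client-authentication secret to the client options, rejecting
     * contradictory settings.
     *
     * @throws ConfigurationException when more than one secret source is configured
     */
    private static void configureClientSecret(OAuth2ClientOptions options, OidcTenantConfig.Credentials credentials) {
        boolean plainSecret = credentials.secret.isPresent();
        boolean clientSecret = credentials.clientSecret.value.isPresent();
        if (plainSecret && clientSecret) {
            throw new ConfigurationException("'credentials.secret' and 'credentials.client-secret' properties are mutually exclusive");
        }
        if ((plainSecret || clientSecret) && credentials.jwt.secret.isPresent()) {
            throw new ConfigurationException("Use only 'credentials.secret' or 'credentials.client-secret' or 'credentials.jwt.secret' property");
        }

        // 'client-secret' defaults to the BASIC method when no method is given.
        boolean basicClientSecret = clientSecret
                && credentials.clientSecret.method.orElse(OidcTenantConfig.Credentials.Secret.Method.BASIC)
                        == OidcTenantConfig.Credentials.Secret.Method.BASIC;
        if (plainSecret || basicClientSecret) {
            options.setClientSecret(credentials.secret.orElseGet(() -> credentials.clientSecret.value.get()));
        } else {
            // POST-method secrets and JWT client assertions are not handed to vert.x here; they are
            // presumably applied by the code that builds the token requests — not visible in this class.
            options.setClientSecretParameterName(null);
        }
    }

    /**
     * Number of discovery attempts derived from {@code connection-delay}: one attempt
     * every two seconds for the configured delay, at least one attempt.
     */
    private static long connectionAttempts(OidcTenantConfig oidcConfig) {
        long delaySeconds = oidcConfig.getConnectionDelay().isPresent()
                ? oidcConfig.getConnectionDelay().get().toMillis() / 1000
                : 0L;
        return delaySeconds > 1 ? delaySeconds / 2 : 1L;
    }

    /**
     * Runs OpenID Connect discovery against the configured provider, retrying on
     * connection failures only.
     *
     * <p>Retries happen only for an {@link OIDCException} (a failed discovery call);
     * any other failure, including the configuration checks run on the discovered
     * metadata, is wrapped in an {@link OIDCException} and thrown immediately. The
     * method returns on the first successful attempt (the listing this replaces lost
     * that exit and would have re-run discovery after success).
     *
     * @throws OIDCException when discovery fails on the last attempt, when the
     *                       discovered metadata is unusable, or when the retry
     *                       sleep is interrupted (the interrupt flag is restored)
     */
    private static OAuth2Auth discoverProvider(Vertx vertx, OAuth2ClientOptions options, OidcTenantConfig oidcConfig,
            long attempts) {
        if (attempts > 1) {
            LOG.infof("Connecting to IDP for up to %d times every 2 seconds", attempts);
        }
        for (long attempt = 0; attempt < attempts; attempt++) {
            try {
                CompletableFuture<OAuth2Auth> discovered = new CompletableFuture<>();
                KeycloakAuth.discover(vertx, options, result -> {
                    if (result.failed()) {
                        discovered.completeExceptionally(toOidcException(result.cause()));
                    } else {
                        discovered.complete(result.result());
                    }
                });
                // NOTE(review): join() has no timeout; a provider that accepts the connection but never
                // answers blocks application startup for good. Whether vert.x applies its own HTTP
                // timeout here is not visible from this class — confirm before relying on it.
                OAuth2Auth auth = discovered.join();
                validateDiscoveredProvider(auth, oidcConfig);
                return auth;
            } catch (Throwable failure) {
                Throwable cause = unwrapCompletion(failure);
                if (!(cause instanceof OIDCException)) {
                    throw new OIDCException(cause);
                }
                if (attempt + 1 >= attempts) {
                    throw (OIDCException) cause;
                }
                try {
                    Thread.sleep(CONNECTION_RETRY_INTERVAL_MS);
                } catch (InterruptedException interrupted) {
                    // Restore the flag and stop retrying: a thread asked to stop must not keep
                    // hammering the provider (the original swallowed the interrupt and went on).
                    Thread.currentThread().interrupt();
                    throw (OIDCException) cause;
                }
            }
        }
        // attempts is always >= 1, so the loop either returns or throws.
        throw new OIDCException("OIDC provider discovery was not attempted");
    }

    /**
     * Checks the tenant settings against the application type and the metadata
     * the provider advertised. Thrown RuntimeExceptions are wrapped into
     * {@link OIDCException} by {@link #discoverProvider}.
     */
    private static void validateDiscoveredProvider(OAuth2Auth auth, OidcTenantConfig oidcConfig) {
        if (!OidcTenantConfig.ApplicationType.WEB_APP.equals(oidcConfig.applicationType)) {
            if (oidcConfig.token.refreshExpired) {
                throw new RuntimeException("The 'token.refresh-expired' property can only be enabled for "
                        + OidcTenantConfig.ApplicationType.WEB_APP + " application types");
            }
            if (oidcConfig.logout.path.isPresent()) {
                throw new RuntimeException("The 'logout.path' property can only be enabled for "
                        + OidcTenantConfig.ApplicationType.WEB_APP + " application types");
            }
        }
        // RP-initiated logout needs an end_session_endpoint: either configured or discovered.
        String discoveredLogoutPath = OAuth2AuthProviderImpl.class.cast(auth).getConfig().getLogoutPath();
        if (oidcConfig.logout.path.isPresent() && !oidcConfig.endSessionPath.isPresent() && discoveredLogoutPath == null) {
            throw new RuntimeException(
                    "The application supports RP-Initiated Logout but the OpenID Provider does not advertise the end_session_endpoint");
        }
    }

    /** Strips the {@link CompletionException} layers added by {@code CompletableFuture.join()}. */
    private static Throwable unwrapCompletion(Throwable failure) {
        Throwable cause = failure;
        while (cause instanceof CompletionException && cause.getCause() != null) {
            cause = cause.getCause();
        }
        return cause;
    }

    /**
     * Builds a context that verifies tokens locally with the configured public key.
     * Only an RS256 key is registered; the provider is never contacted (the
     * {@link OAuth2AuthProviderImpl} is created without a Vert.x instance).
     *
     * @throws ConfigurationException for {@code web-app} tenants, which need a live
     *                                provider for the authorization-code flow
     */
    private TenantConfigContext createdTenantContextFromPublicKey(OAuth2ClientOptions options, OidcTenantConfig oidcConfig) {
        if (oidcConfig.applicationType == OidcTenantConfig.ApplicationType.WEB_APP) {
            throw new ConfigurationException("'public-key' property can only be used with the 'service' applications");
        }
        LOG.debug("'public-key' property for the local token verification is set, no connection to the OIDC server will be created");
        options.addPubSecKey(new PubSecKeyOptions()
                .setAlgorithm(AlgorithmIdentifiers.RSA_USING_SHA256)
                .setPublicKey(oidcConfig.getPublicKey().get()));
        return new TenantConfigContext(new OAuth2AuthProviderImpl(null, options), oidcConfig);
    }

    /**
     * Wraps a discovery failure with a hint about the most common misconfiguration
     * (a Keycloak URL missing its realm segment); the original cause is preserved.
     */
    protected static OIDCException toOidcException(Throwable cause) {
        return new OIDCException(
                "OIDC server is not available at the 'quarkus.oidc.auth-server-url' URL. Please make sure it is correct. Note it has to end with a realm value if you work with Keycloak, for example: 'https://localhost:8180/auth/realms/quarkus'",
                cause);
    }

    /**
     * Converts the tenant proxy settings into Vert.x {@link ProxyOptions}.
     *
     * @return empty when no proxy host is configured; otherwise options carrying
     *         host, port and, when present, username and password
     */
    protected static Optional<ProxyOptions> toProxyOptions(OidcTenantConfig.Proxy proxy) {
        if (!proxy.host.isPresent()) {
            return Optional.empty();
        }
        JsonObject json = new JsonObject();
        json.put("host", proxy.host.get());
        // Plain "port" key; the decompiled listing showed a folded netty RTSP constant of the same value.
        json.put("port", proxy.port);
        proxy.username.ifPresent(username -> json.put("username", username));
        proxy.password.ifPresent(password -> json.put("password", password));
        return Optional.of(new ProxyOptions(json));
    }
}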
