package io.quarkus.vertx.http.runtime.security;

import io.quarkus.security.AuthenticationFailedException;
import io.quarkus.security.AuthenticationRedirectException;
import io.quarkus.security.ForbiddenException;
import io.quarkus.security.identity.IdentityProviderManager;
import io.quarkus.security.identity.SecurityIdentity;
import io.quarkus.security.spi.runtime.AuthorizationController;
import io.quarkus.security.spi.runtime.AuthorizationFailureEvent;
import io.quarkus.security.spi.runtime.AuthorizationSuccessEvent;
import io.quarkus.security.spi.runtime.BlockingSecurityExecutor;
import io.quarkus.security.spi.runtime.SecurityEventHelper;
import io.quarkus.vertx.http.runtime.security.HttpSecurityPolicy;
import io.smallrye.mutiny.Uni;
import io.smallrye.mutiny.subscription.UniSubscriber;
import io.smallrye.mutiny.subscription.UniSubscription;
import io.vertx.ext.web.RoutingContext;
import jakarta.enterprise.event.Event;
import jakarta.enterprise.inject.spi.BeanManager;
import java.io.IOException;
import java.util.List;
import java.util.Map;
import java.util.function.Consumer;
import org.jboss.logging.Logger;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:io/quarkus/vertx/http/runtime/security/AbstractHttpAuthorizer.class */
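/**
 * Runs an ordered chain of {@link HttpSecurityPolicy} checks against an incoming request.
 *
 * <p>Depending on the outcome, the request continues down the route, an authentication
 * challenge is sent, or the request is failed. Authorization success and failure events
 * are fired through a {@link SecurityEventHelper} when that helper reports they are enabled.
 */
public abstract class AbstractHttpAuthorizer {
    private static final Logger log = Logger.getLogger(AbstractHttpAuthorizer.class);
    private final HttpAuthenticator httpAuthenticator;
    private final IdentityProviderManager identityProviderManager;
    private final AuthorizationController controller;
    private final List<HttpSecurityPolicy> policies;
    private final SecurityEventHelper<AuthorizationSuccessEvent, AuthorizationFailureEvent> securityEventHelper;
    private final HttpSecurityPolicy.AuthorizationRequestContext context;

    /**
     * Creates the authorizer.
     *
     * @param httpAuthenticator used to send an authentication challenge when an anonymous request is denied
     * @param identityProviderManager used to obtain the request's (possibly lazy) security identity
     * @param authorizationController consulted on every request to decide whether policies run at all
     * @param list policies, evaluated in list order; the list is stored as given, not copied
     * @param beanManager passed through to the {@link SecurityEventHelper}
     * @param blockingSecurityExecutor backs the authorization request context handed to each policy
     * @param event CDI event used for authorization failures
     * @param event2 CDI event used for authorization successes
     * @param z passed through to the {@link SecurityEventHelper}; presumably the
     *          "security events enabled" switch (name lost in decompilation, confirm against the helper)
     */
    public AbstractHttpAuthorizer(HttpAuthenticator httpAuthenticator, IdentityProviderManager identityProviderManager, AuthorizationController authorizationController, List<HttpSecurityPolicy> list, BeanManager beanManager, BlockingSecurityExecutor blockingSecurityExecutor, Event<AuthorizationFailureEvent> event, Event<AuthorizationSuccessEvent> event2, boolean z) {
        this.httpAuthenticator = httpAuthenticator;
        this.identityProviderManager = identityProviderManager;
        this.controller = authorizationController;
        this.policies = list;
        this.context = new HttpSecurityPolicy.DefaultAuthorizationRequestContext(blockingSecurityExecutor);
        // Note the argument order: the helper takes the success event first, then the failure event.
        this.securityEventHelper = new SecurityEventHelper<>(event2, event, SecurityEventHelper.AUTHORIZATION_SUCCESS, SecurityEventHelper.AUTHORIZATION_FAILURE, beanManager, z);
    }

    /**
     * Entry point for a request: evaluates the policy chain, or skips it entirely.
     *
     * <p>When the {@link AuthorizationController} reports authorization as disabled, the request
     * is passed straight to the next handler and no policy is consulted, so that switch bypasses
     * every HTTP permission check performed by this class.
     *
     * @param routingContext the request being authorized
     */
    public void checkPermission(RoutingContext routingContext) {
        if (!this.controller.isAuthorizationEnabled()) {
            routingContext.next();
            return;
        }
        doPermissionCheck(routingContext, QuarkusHttpUser.getSecurityIdentity(routingContext, this.identityProviderManager), 0, null, this.policies);
    }

    /**
     * Evaluates the policy at {@code index} and recurses to the next one from its callback.
     *
     * <p>A denial stops the chain immediately. Once every policy has permitted the request,
     * the augmented identity (if any policy produced one) is installed on the routing context,
     * a success event is fired when enabled, and routing continues.
     *
     * @param routingContext the request being authorized
     * @param identityUni identity handed to the policy; replaced by the augmented identity once a policy returns one
     * @param index position of the policy to evaluate; equal to the list size when the chain is complete
     * @param augmentedIdentity most recent identity returned by a policy, or {@code null} if none did
     * @param permissionCheckers the policy chain
     */
    private void doPermissionCheck(final RoutingContext routingContext, final Uni<SecurityIdentity> identityUni, final int index, final SecurityIdentity augmentedIdentity, final List<HttpSecurityPolicy> permissionCheckers) {
        if (index != permissionCheckers.size()) {
            final HttpSecurityPolicy policy = permissionCheckers.get(index);
            policy.checkPermission(routingContext, identityUni, this.context).subscribe().with(checkResult -> {
                if (!checkResult.isPermitted()) {
                    // Fail closed: the first denying policy ends the chain.
                    doDeny(identityUni, routingContext, policy);
                } else if (checkResult.getAugmentedIdentity() != null) {
                    // Later policies must see the augmented identity, not the original one.
                    doPermissionCheck(routingContext, Uni.createFrom().item(checkResult.getAugmentedIdentity()), index + 1, checkResult.getAugmentedIdentity(), permissionCheckers);
                } else {
                    doPermissionCheck(routingContext, identityUni, index + 1, augmentedIdentity, permissionCheckers);
                }
            }, failure -> {
                // Fail the request unless a response was already written or this exact
                // throwable is already recorded as the context's failure.
                if (!routingContext.response().ended() && !failure.equals(routingContext.failure())) {
                    routingContext.fail(failure);
                    return;
                }
                // Log-only path: the request is neither failed again nor passed on with next().
                if (failure instanceof AuthenticationFailedException) {
                    log.debug("Authentication challenge is required");
                } else if (failure instanceof AuthenticationRedirectException) {
                    log.debugf("Completing authentication with a redirect to %s", ((AuthenticationRedirectException) failure).getRedirectUri());
                } else {
                    log.error("Exception occurred during authorization", failure);
                }
            });
            return;
        }

        // Every policy permitted the request.
        QuarkusHttpUser currentUser = (QuarkusHttpUser) routingContext.user();
        if (augmentedIdentity != null) {
            // Reference comparison is deliberate: only swap the user when a policy produced
            // a different identity object than the one already attached to the request.
            if (!augmentedIdentity.isAnonymous() && (currentUser == null || currentUser.getSecurityIdentity() != augmentedIdentity)) {
                routingContext.setUser(new QuarkusHttpUser(augmentedIdentity));
                routingContext.put(QuarkusHttpUser.DEFERRED_IDENTITY_KEY, Uni.createFrom().item(augmentedIdentity));
            }
            if (this.securityEventHelper.fireEventOnSuccess()) {
                this.securityEventHelper.fireSuccessEvent(new AuthorizationSuccessEvent(augmentedIdentity, Map.of(RoutingContext.class.getName(), routingContext)));
            }
        } else if (this.securityEventHelper.fireEventOnSuccess() && permissionCheckPerformed(permissionCheckers, routingContext, index)) {
            // No augmentation happened; report the identity already on the request, which may be null.
            this.securityEventHelper.fireSuccessEvent(new AuthorizationSuccessEvent(currentUser == null ? null : currentUser.getSecurityIdentity(), Map.of(RoutingContext.class.getName(), routingContext)));
        }
        routingContext.next();
    }

    /**
     * Handles a denial from {@code policy}: anonymous callers get an authentication challenge,
     * authenticated callers get a {@link ForbiddenException}. A failure event is fired on every path.
     *
     * @param identityUni identity of the caller, resolved here to choose between challenge and forbidden
     * @param routingContext the denied request
     * @param policy the policy that denied the request; its class name is reported in the failure event
     */
    private void doDeny(Uni<SecurityIdentity> identityUni, final RoutingContext routingContext, final HttpSecurityPolicy policy) {
        identityUni.subscribe().withSubscriber(new UniSubscriber<SecurityIdentity>() {
            public void onSubscribe(UniSubscription uniSubscription) {
            }

            public void onItem(final SecurityIdentity identity) {
                // NOTE(review): a null item would throw here before any response is written;
                // confirm the identity Uni can never emit null.
                if (identity.isAnonymous()) {
                    AbstractHttpAuthorizer.this.httpAuthenticator.sendChallenge(routingContext).subscribe().withSubscriber(new UniSubscriber<Boolean>() {
                        public void onSubscribe(UniSubscription uniSubscription) {
                        }

                        public void onItem(Boolean bool) {
                            if (!routingContext.response().ended()) {
                                routingContext.response().end();
                            }
                            // Challenge sent: the event carries no throwable on this path.
                            AbstractHttpAuthorizer.this.fireAuthZFailureEvent(routingContext, policy, null, identity);
                        }

                        public void onFailure(Throwable th) {
                            AbstractHttpAuthorizer.this.fireAuthZFailureEvent(routingContext, policy, th, identity);
                            if (!routingContext.response().ended()) {
                                routingContext.fail(th);
                            } else if (th instanceof IOException) {
                                // Response already ended; an I/O error here is logged at debug level only.
                                AbstractHttpAuthorizer.log.debug("Failed to send challenge", th);
                            } else {
                                AbstractHttpAuthorizer.log.error("Failed to send challenge", th);
                            }
                        }
                    });
                    return;
                }
                // Use one exception instance for both the event and the request failure, so an
                // event observer and a failure handler can correlate them by identity.
                ForbiddenException forbidden = new ForbiddenException();
                AbstractHttpAuthorizer.this.fireAuthZFailureEvent(routingContext, policy, forbidden, identity);
                routingContext.fail(forbidden);
            }

            public void onFailure(Throwable th) {
                // Identity resolution itself failed, so there is no identity to report.
                AbstractHttpAuthorizer.this.fireAuthZFailureEvent(routingContext, policy, th, null);
                routingContext.fail(th);
            }
        });
    }

    /**
     * Fires an {@link AuthorizationFailureEvent} if the event helper reports failure events as enabled.
     *
     * @param routingContext the denied request, attached to the event under the {@link RoutingContext} class name
     * @param policy the denying policy, or {@code null}; only its class name is recorded
     * @param th the failure to report, or {@code null} when a challenge was sent successfully
     * @param identity the caller's identity, or {@code null} when it could not be resolved
     */
    private void fireAuthZFailureEvent(RoutingContext routingContext, HttpSecurityPolicy policy, Throwable th, SecurityIdentity identity) {
        if (this.securityEventHelper.fireEventOnFailure()) {
            String policyName = policy != null ? policy.getClass().getName() : null;
            this.securityEventHelper.fireFailureEvent(new AuthorizationFailureEvent(identity, th, policyName, Map.of(RoutingContext.class.getName(), routingContext)));
        }
    }

    /**
     * Tells whether a success event is warranted, i.e. whether any policy actually ran.
     *
     * <p>When exactly one policy ran and it is an {@link AbstractPathMatchingHttpSecurityPolicy},
     * the answer is delegated to {@code policyApplied}; presumably that reports whether a path
     * rule matched this request (confirm against that class). Otherwise any non-zero
     * {@code index} counts as a performed check.
     */
    private static boolean permissionCheckPerformed(List<HttpSecurityPolicy> permissionCheckers, RoutingContext routingContext, int index) {
        if (index == 1 && (permissionCheckers.get(0) instanceof AbstractPathMatchingHttpSecurityPolicy)) {
            return AbstractPathMatchingHttpSecurityPolicy.policyApplied(routingContext);
        }
        return index > 0;
    }
}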
