package com.github.mcollovati.quarkus.hilla.security;

import com.github.mcollovati.quarkus.hilla.QuarkusEndpointConfiguration;
import com.vaadin.flow.router.Location;
import com.vaadin.flow.router.QueryParameters;
import com.vaadin.flow.router.Router;
import com.vaadin.flow.router.internal.NavigationRouteTarget;
import com.vaadin.flow.router.internal.RouteTarget;
import com.vaadin.flow.server.HandlerHelper;
import com.vaadin.flow.server.RouteRegistry;
import com.vaadin.flow.server.ServiceInitEvent;
import com.vaadin.flow.server.VaadinService;
import com.vaadin.flow.server.auth.AccessCheckDecision;
import com.vaadin.flow.server.auth.AccessCheckResult;
import com.vaadin.flow.server.auth.NavigationAccessControl;
import com.vaadin.flow.server.auth.NavigationContext;
import com.vaadin.hilla.parser.utils.Streams;
import io.quarkus.runtime.Startup;
import io.quarkus.security.identity.SecurityIdentity;
import io.quarkus.vertx.http.runtime.security.AuthenticatedHttpSecurityPolicy;
import io.quarkus.vertx.http.runtime.security.HttpSecurityPolicy;
import io.quarkus.vertx.http.runtime.security.ImmutablePathMatcher;
import io.smallrye.mutiny.Uni;
import io.vertx.core.MultiMap;
import io.vertx.ext.web.RoutingContext;
import jakarta.enterprise.event.Observes;
import java.security.Principal;
import java.util.HashSet;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.function.Consumer;
import java.util.function.UnaryOperator;
import java.util.stream.Collectors;
import org.eclipse.microprofile.config.Config;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

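/**
 * Quarkus {@link HttpSecurityPolicy} that decides which requests of a Hilla/Vaadin
 * application are served without authentication.
 *
 * <p>A request is permitted outright when it matches the permit-all path matcher, is a
 * framework-internal request, targets an anonymous endpoint, resolves to a route that
 * navigation access control allows without a principal, or is a web icon request.
 * Otherwise the resolved {@link SecurityIdentity} is checked against the Hilla view
 * rules and, failing that, the decision is delegated to
 * {@link AuthenticatedHttpSecurityPolicy}.
 *
 * <p>{@code vaadinService}, {@code routeUtil} and {@code webIconsRequestMatcher} are only
 * assigned in {@link #onVaadinServiceInit(ServiceInitEvent)}; until that event has been
 * observed they are {@code null}.
 */
@Startup
public class HillaSecurityPolicy implements HttpSecurityPolicy {
    // Paths that bypass every other check; rebuilt by buildPathMatcher.
    private ImmutablePathMatcher<Boolean> permitAllMatcher;
    private final AuthenticatedHttpSecurityPolicy authenticatedHttpSecurityPolicy = new AuthenticatedHttpSecurityPolicy();
    private final NavigationAccessControl accessControl;
    private final QuarkusEndpointConfiguration endpointConfiguration;
    private final EndpointUtil endpointUtil;
    private VaadinService vaadinService;
    private RouteUtil routeUtil;
    private WebIconsRequestMatcher webIconsRequestMatcher;

    /**
     * Creates the policy and builds the initial permit-all matcher (no form-login paths).
     *
     * @param navigationAccessControl access control consulted for server-side routes
     * @param quarkusEndpointConfiguration supplies the normalized endpoint prefix
     * @param endpointUtil used to detect anonymous endpoints
     */
    public HillaSecurityPolicy(NavigationAccessControl navigationAccessControl, QuarkusEndpointConfiguration quarkusEndpointConfiguration, EndpointUtil endpointUtil) {
        this.accessControl = navigationAccessControl;
        this.endpointConfiguration = quarkusEndpointConfiguration;
        this.endpointUtil = endpointUtil;
        buildPathMatcher(null);
    }

    /**
     * Rebuilds {@link #permitAllMatcher} from the endpoint prefix, {@code /HILLA/*} and the
     * public resource paths reported by {@link HandlerHelper}.
     *
     * @param consumer optional hook that may register further permit-all paths on the
     *     builder before it is built; may be {@code null}
     */
    private void buildPathMatcher(Consumer<ImmutablePathMatcher.ImmutablePathMatcherBuilder<Boolean>> consumer) {
        ImmutablePathMatcher.ImmutablePathMatcherBuilder<Boolean> builder = ImmutablePathMatcher.builder();
        builder.addPath(this.endpointConfiguration.getNormalizedEndpointPrefix() + "/*", true);
        builder.addPath("/HILLA/*", true);
        // The decompiled listing wrapped the three String[] values in an ill-typed
        // "(Object[][]) new String[]{...}" cast; passing them as varargs is the valid form.
        Streams.combine(
                        HandlerHelper.getPublicResources(),
                        HandlerHelper.getPublicResourcesRoot(),
                        HandlerHelper.getPublicResourcesRequiringSecurityContext())
                .map(PathUtil::normalizeWildcard)
                .forEach(publicPath -> builder.addPath(publicPath, true));
        if (consumer != null) {
            consumer.accept(builder);
        }
        this.permitAllMatcher = builder.build();
    }

    /**
     * Decides whether the request may proceed.
     *
     * @param routingContext the current request
     * @param uni the (lazily resolved) identity of the caller
     * @param authorizationRequestContext passed through to the authenticated policy
     * @return a permit result for public requests and allowed Hilla views, otherwise the
     *     result of {@link AuthenticatedHttpSecurityPolicy#checkPermission}
     */
    @Override
    public Uni<HttpSecurityPolicy.CheckResult> checkPermission(RoutingContext routingContext, Uni<SecurityIdentity> uni, HttpSecurityPolicy.AuthorizationRequestContext authorizationRequestContext) {
        // NOTE(review): the permit-all lookup uses the raw request path while the route
        // check below uses normalizedPath(). Confirm both agree for non-canonical paths;
        // a mismatch would apply a permit-all prefix to a resource other than the one served.
        Boolean permitAll = this.permitAllMatcher.match(routingContext.request().path()).getValue();

        // Evaluation order matters: isAnonymousRoute returns true while vaadinService is
        // null, so isCustomWebIcon and isAllowedHillaView (which dereference fields set in
        // onVaadinServiceInit) are never reached before initialization.
        boolean publicRequest = (permitAll != null && permitAll)
                || isFrameworkInternalRequest(routingContext)
                || isAnonymousEndpoint(routingContext)
                || isAnonymousRoute(tryCreateNavigationContext(routingContext), routingContext.normalizedPath())
                || isCustomWebIcon(routingContext);
        if (publicRequest) {
            return HttpSecurityPolicy.CheckResult.permit();
        }
        return uni.flatMap(securityIdentity -> isAllowedHillaView(routingContext, securityIdentity)
                ? HttpSecurityPolicy.CheckResult.permit()
                : this.authenticatedHttpSecurityPolicy.checkPermission(routingContext, uni, authorizationRequestContext));
    }

    /** Delegates to {@link RouteUtil#isRouteAllowed} for the resolved identity. */
    private boolean isAllowedHillaView(RoutingContext routingContext, SecurityIdentity securityIdentity) {
        return this.routeUtil.isRouteAllowed(routingContext, securityIdentity);
    }

    /** Checks the raw request path against the web icon matcher. */
    private boolean isCustomWebIcon(RoutingContext routingContext) {
        return this.webIconsRequestMatcher.isWebIconRequest(routingContext.request().path());
    }

    /** Delegates to {@link EndpointUtil#isAnonymousEndpoint}. */
    private boolean isAnonymousEndpoint(RoutingContext routingContext) {
        return this.endpointUtil.isAnonymousEndpoint(routingContext);
    }

    /**
     * Adds the configured form-login pages to the permit-all matcher.
     *
     * <p>Reads {@code quarkus.http.auth.form.login-page} and
     * {@code quarkus.http.auth.form.error-page} when present and
     * {@code quarkus.http.auth.form.post-location} unconditionally, strips any query
     * string, and rebuilds the matcher with those paths permitted for everyone.
     *
     * @param config configuration source; {@code post-location} is read with
     *     {@code getValue}, so a missing value is reported by the config API
     */
    public void withFormLogin(Config config) {
        // HashSet de-duplicates pages that are configured to the same path.
        HashSet<String> formLoginPaths = new HashSet<>();
        UnaryOperator<String> stripQuery = url -> url.replaceFirst("\\?.*", "");
        config.getOptionalValue("quarkus.http.auth.form.login-page", String.class)
                .map(stripQuery)
                .ifPresent(formLoginPaths::add);
        config.getOptionalValue("quarkus.http.auth.form.error-page", String.class)
                .map(stripQuery)
                .ifPresent(formLoginPaths::add);
        formLoginPaths.add(stripQuery.apply(config.getValue("quarkus.http.auth.form.post-location", String.class)));
        buildPathMatcher(builder ->
                formLoginPaths.forEach(path -> builder.addPath(PathUtil.normalizeWildcard(path), true)));
    }

    /** Reports whether the request is a framework-internal request for the URL mapping. */
    public boolean isFrameworkInternalRequest(RoutingContext routingContext) {
        return QuarkusHandlerHelper.isFrameworkInternalRequest(getUrlMapping(), routingContext);
    }

    /**
     * Reports whether the path should be treated as publicly reachable.
     *
     * <p>NOTE(review): three branches fail open. The method returns {@code true} (which
     * {@link #checkPermission} turns into a permit) when the Vaadin service is not yet set,
     * when no route matches, and when navigation access control is disabled. The last
     * branch logs "access is denied" while returning {@code true}; confirm which of the
     * two is intended and align the message or the return value.
     *
     * @param navigationContext context built for the request, or {@code null} if none
     * @param path normalized request path, used for logging only
     * @return {@code true} if the request is to be permitted without authentication
     */
    private boolean isAnonymousRoute(NavigationContext navigationContext, String path) {
        if (this.vaadinService == null) {
            getLogger().warn("VaadinService not set. Cannot determine server route for {}", path);
            return true;
        }
        if (navigationContext == null) {
            getLogger().trace("No route defined for {}", path);
            return true;
        }
        boolean productionMode = this.vaadinService.getDeploymentConfiguration().isProductionMode();
        if (!this.accessControl.isEnabled()) {
            String message = "Navigation Access Control is disabled. Cannot determine if {} refers to a public view, thus access is denied. Please add an explicit request matcher rule for this URL.";
            // Same text at a quieter level in production mode.
            if (productionMode) {
                getLogger().debug(message, path);
            } else {
                getLogger().info(message, path);
            }
            return true;
        }
        AccessCheckResult result = this.accessControl.checkAccess(navigationContext, productionMode);
        boolean allowed = result.decision() == AccessCheckDecision.ALLOW;
        if (allowed) {
            getLogger().debug("{} refers to a public view", path);
        } else {
            getLogger().debug("Access to {} denied by Flow navigation access control. {}", path, result.reason());
        }
        return allowed;
    }

    /**
     * Builds a {@link NavigationContext} for the request with no principal and a role
     * checker that rejects every role, so that only routes open to anonymous callers pass
     * the access check.
     *
     * @return the context, or {@code null} when the Vaadin service is not set or the path
     *     does not resolve to a navigation target
     */
    private NavigationContext tryCreateNavigationContext(RoutingContext routingContext) {
        String urlMapping = getUrlMapping();
        String requestPath = QuarkusHandlerHelper.getRequestPathInsideContext(routingContext);
        if (this.vaadinService == null) {
            return null;
        }
        Router router = this.vaadinService.getRouter();
        RouteRegistry registry = router.getRegistry();
        // The registry is queried with the path relative to the mapping, without leading slash.
        Optional<String> routePath = HandlerHelper.getPathIfInsideServlet(urlMapping, requestPath)
                .map(path -> path.startsWith("/") ? path.substring(1) : path);
        NavigationRouteTarget navigationRouteTarget =
                routePath.map(registry::getNavigationRouteTarget).orElse(null);
        if (navigationRouteTarget == null) {
            return null;
        }
        RouteTarget routeTarget = navigationRouteTarget.getRouteTarget();
        if (routeTarget == null) {
            return null;
        }
        Class<?> target = routeTarget.getTarget();
        if (target == null) {
            return null;
        }
        return new NavigationContext(
                router,
                target,
                new Location(requestPath, queryParametersFromRequest(routingContext)),
                navigationRouteTarget.getRouteParameters(),
                (Principal) null,
                role -> false,
                false);
    }

    /** Copies every request parameter (all values per name) into Vaadin query parameters. */
    private QueryParameters queryParametersFromRequest(RoutingContext routingContext) {
        MultiMap params = routingContext.request().params();
        Map<String, String[]> valuesByName = params.names().stream()
                .collect(Collectors.toMap(name -> name, name -> params.getAll(name).toArray(String[]::new)));
        return QueryParameters.full(valuesByName);
    }

    /** URL mapping used for route and framework-request resolution; fixed to {@code /*}. */
    private String getUrlMapping() {
        return "/*";
    }

    private Logger getLogger() {
        return LoggerFactory.getLogger(getClass());
    }

    /**
     * Captures the Vaadin service once it is initialized and creates the helpers that
     * depend on it.
     */
    void onVaadinServiceInit(@Observes ServiceInitEvent serviceInitEvent) {
        this.vaadinService = serviceInitEvent.getSource();
        this.routeUtil = new RouteUtil(this.vaadinService);
        this.webIconsRequestMatcher = new WebIconsRequestMatcher(this.vaadinService, getUrlMapping());
    }
}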
