package io.quarkus.vertx.http.runtime.security;

import io.quarkus.arc.ClientProxy;
import io.quarkus.runtime.configuration.ConfigurationException;
import io.quarkus.security.StringPermission;
import io.quarkus.security.identity.SecurityIdentity;
import io.quarkus.vertx.http.runtime.PolicyConfig;
import io.quarkus.vertx.http.runtime.PolicyMappingConfig;
import io.quarkus.vertx.http.runtime.security.HttpSecurityPolicy;
import io.quarkus.vertx.http.runtime.security.ImmutablePathMatcher;
import io.smallrye.mutiny.Uni;
import io.vertx.ext.web.RoutingContext;
import jakarta.enterprise.inject.Instance;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.reflect.Constructor;
import java.lang.reflect.InvocationTargetException;
import java.lang.runtime.ObjectMethods;
import java.security.Permission;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.function.Function;

/* loaded from: input_file:io/quarkus/vertx/http/runtime/security/AbstractPathMatchingHttpSecurityPolicy.class */
public class AbstractPathMatchingHttpSecurityPolicy {
    // Routing-context key. doPermissionCheck stores a value under it once at least one policy was
    // evaluated and every evaluated policy permitted; policyApplied(...) only tests for its presence.
    private static final String PATH_MATCHING_POLICY_FOUND = AbstractPathMatchingHttpSecurityPolicy.class.getName() + ".POLICY_FOUND";
    // Matcher holding every non-shared permission mapping that applies to this instance.
    private final ImmutablePathMatcher<List<HttpMatcher>> pathMatcher;
    // One matcher per shared permission mapping; null (not an empty list) when there are none.
    private final List<ImmutablePathMatcher<List<HttpMatcher>>> sharedPermissionsPathMatchers;
    // True when no configured mapping carries the appliesTo value this instance was created for.
    private final boolean hasNoPermissions;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:io/quarkus/vertx/http/runtime/security/AbstractPathMatchingHttpSecurityPolicy$HttpMatcher.class */
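    /**
     * One permission mapping attached to a path.
     *
     * <p>Declared as a real record: the decompiled form extended {@code java.lang.Record} explicitly and
     * hand-called {@code ObjectMethods.bootstrap}, which javac rejects. The record declaration yields the
     * same accessors and the same component-based {@code equals}, {@code hashCode} and {@code toString}.
     *
     * @param authMechanism name of the authentication mechanism configured for the mapping, or
     *                      {@code null} when none is configured
     * @param methods       HTTP methods the mapping is restricted to; {@code null} or empty is treated by
     *                      {@code findPermissionCheckers} as "any method". The set is stored as given,
     *                      without a defensive copy.
     * @param checker       policy evaluated when this mapping is selected for a request
     */
    public record HttpMatcher(String authMechanism, Set<String> methods, HttpSecurityPolicy checker) {
    }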

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/quarkus/vertx/http/runtime/security/AbstractPathMatchingHttpSecurityPolicy$PermissionToActions.class */
    /**
     * Mutable accumulator used while parsing configuration: one permission name together with the
     * distinct actions collected for it.
     */
    public static final class PermissionToActions {
        private final String permissionName;
        private final Set<String> actions = new HashSet<>();

        private PermissionToActions(String str) {
            permissionName = str;
        }

        /** Records an action; a {@code null} action (permission configured without one) is ignored. */
        private void addAction(String str) {
            if (str == null) {
                return;
            }
            actions.add(str);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Builds the path matchers for every permission mapping whose {@code appliesTo()} equals the given
     * value.
     *
     * <p>Non-shared mappings are merged into a single matcher. Every shared mapping gets a matcher of
     * its own, so its policies are collected in addition to whatever the main matcher selects.
     *
     * @param map       permission mappings from configuration
     * @param map2      role-based policy definitions, resolved to named policies together with
     *                  {@code instance}
     * @param str       root path handed to each matcher builder
     * @param instance  installed {@link HttpSecurityPolicy} beans
     * @param appliesTo mappings with a different {@code appliesTo()} value are ignored
     */
    public AbstractPathMatchingHttpSecurityPolicy(Map<String, PolicyMappingConfig> map, Map<String, PolicyConfig> map2, String str, Instance<HttpSecurityPolicy> instance, PolicyMappingConfig.AppliesTo appliesTo) {
        Map<String, HttpSecurityPolicy> policiesByName = toNamedHttpSecPolicies(map2, instance);
        List<ImmutablePathMatcher<List<HttpMatcher>>> sharedMatchers = new ArrayList<>();
        ImmutablePathMatcher.ImmutablePathMatcherBuilder<List<HttpMatcher>> mainBuilder = ImmutablePathMatcher.<List<HttpMatcher>>builder()
                .handlerAccumulator((existing, added) -> existing.addAll(added))
                .rootPath(str);
        boolean anyMappingApplies = false;
        for (PolicyMappingConfig mapping : map.values()) {
            if (appliesTo != mapping.appliesTo()) {
                continue;
            }
            // Counted even when the mapping is disabled or lists no paths.
            anyMappingApplies = true;
            if (!mapping.shared()) {
                addPermissionToPathMatcher(policiesByName, mapping, mainBuilder);
                continue;
            }
            ImmutablePathMatcher.ImmutablePathMatcherBuilder<List<HttpMatcher>> sharedBuilder = ImmutablePathMatcher.<List<HttpMatcher>>builder()
                    .handlerAccumulator((existing, added) -> existing.addAll(added))
                    .rootPath(str);
            addPermissionToPathMatcher(policiesByName, mapping, sharedBuilder);
            sharedMatchers.add(sharedBuilder.build());
        }
        this.hasNoPermissions = !anyMappingApplies;
        // null, not an empty list, is the "no shared mappings" marker the lookup methods test for.
        if (sharedMatchers.isEmpty()) {
            this.sharedPermissionsPathMatchers = null;
        } else {
            this.sharedPermissionsPathMatchers = List.copyOf(sharedMatchers);
        }
        this.pathMatcher = mainBuilder.build();
    }

    /**
     * Returns the authentication mechanism configured for the request path, or {@code null} when no
     * matching mapping names one.
     *
     * <p>Shared matchers are consulted first, in list order; the first non-null name wins. The main
     * matcher is only asked when no shared matcher produced a name.
     */
    public String getAuthMechanismName(RoutingContext routingContext) {
        if (sharedPermissionsPathMatchers != null) {
            for (ImmutablePathMatcher<List<HttpMatcher>> sharedMatcher : sharedPermissionsPathMatchers) {
                String fromShared = getAuthMechanismName(routingContext, sharedMatcher);
                if (fromShared != null) {
                    return fromShared;
                }
            }
        }
        return getAuthMechanismName(routingContext, pathMatcher);
    }

    /**
     * Tells whether no configured permission mapping applies to this instance. When {@code true},
     * {@code checkPermissions} skips path matching and evaluates only the policies passed to it.
     */
    public boolean hasNoPermissions() {
        return hasNoPermissions;
    }

    /**
     * Runs the path-matched policies for the request with no additional policies appended.
     *
     * @return the outcome of {@code checkPermissions} called with an empty additional-policy list
     */
    public Uni<HttpSecurityPolicy.CheckResult> checkPermission(RoutingContext routingContext, Uni<SecurityIdentity> uni, HttpSecurityPolicy.AuthorizationRequestContext authorizationRequestContext) {
        // The empty varargs call passes a zero-length array, exactly like the explicit array form.
        return checkPermissions(routingContext, uni, authorizationRequestContext);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Evaluates the policies selected for the request path, followed by the additional policies given
     * by the caller.
     *
     * <p>The additional policies are appended after the path-matched ones and run in the same chain, so
     * the request is permitted only if every policy in the combined list permits it.
     *
     * @param httpSecurityPolicyArr extra policies to evaluate after the path-matched ones; may be empty
     */
    public Uni<HttpSecurityPolicy.CheckResult> checkPermissions(RoutingContext routingContext, Uni<SecurityIdentity> uni, HttpSecurityPolicy.AuthorizationRequestContext authorizationRequestContext, HttpSecurityPolicy... httpSecurityPolicyArr) {
        List<HttpSecurityPolicy> policies;
        if (hasNoPermissions) {
            policies = new ArrayList<>();
        } else {
            // Must be a mutable list: the additional policies are appended to it below.
            policies = getHttpSecurityPolicies(routingContext);
        }
        Collections.addAll(policies, httpSecurityPolicyArr);
        return doPermissionCheck(routingContext, uni, 0, null, policies, authorizationRequestContext);
    }

    /* JADX WARN: Multi-variable type inference failed */
    /**
     * Collects the policies to evaluate for the request: those of every shared matcher first, then those
     * of the main matcher.
     *
     * <p>Each matcher is resolved independently by {@code findPermissionCheckers}, so a matcher whose
     * path matches but whose method restrictions do not contributes the deny policy to the result.
     *
     * @return a mutable list; the caller appends to it
     */
    private List<HttpSecurityPolicy> getHttpSecurityPolicies(RoutingContext routingContext) {
        if (sharedPermissionsPathMatchers == null) {
            return findPermissionCheckers(routingContext, pathMatcher);
        }
        List<HttpSecurityPolicy> collected = new ArrayList<>();
        for (ImmutablePathMatcher<List<HttpMatcher>> sharedMatcher : sharedPermissionsPathMatchers) {
            collected.addAll(findPermissionCheckers(routingContext, sharedMatcher));
        }
        collected.addAll(findPermissionCheckers(routingContext, pathMatcher));
        return collected;
    }

    /**
     * Evaluates {@code list} one policy at a time, starting at index {@code i}, and stops at the first
     * policy that does not permit the request.
     *
     * <p>When a policy permits and returns an augmented identity, that identity replaces both the
     * identity {@code Uni} and the carried identity for all later policies. When a policy denies, the
     * result is a denial; an augmented identity returned with the denial is kept in the result.
     *
     * @param i                index of the next policy to evaluate
     * @param securityIdentity identity carried into the final permitted result; {@code null} until some
     *                         policy augments it
     * @return a permitted result once every policy has permitted (also when the list is empty),
     *         otherwise a denied result
     */
    private Uni<HttpSecurityPolicy.CheckResult> doPermissionCheck(RoutingContext routingContext, Uni<SecurityIdentity> uni, int i, SecurityIdentity securityIdentity, List<HttpSecurityPolicy> list, HttpSecurityPolicy.AuthorizationRequestContext authorizationRequestContext) {
        if (i == list.size()) {
            // End of the chain. The marker is only set when at least one policy was actually evaluated.
            if (i > 0) {
                routingContext.put(PATH_MATCHING_POLICY_FOUND, true);
            }
            return Uni.createFrom().item(new HttpSecurityPolicy.CheckResult(true, securityIdentity));
        }
        HttpSecurityPolicy current = list.get(i);
        return current.checkPermission(routingContext, uni, authorizationRequestContext).flatMap(checkResult -> {
            SecurityIdentity augmented = checkResult.getAugmentedIdentity();
            if (!checkResult.isPermitted()) {
                if (augmented == null) {
                    return HttpSecurityPolicy.CheckResult.deny();
                }
                return Uni.createFrom().item(new HttpSecurityPolicy.CheckResult(false, augmented));
            }
            if (augmented != null) {
                return doPermissionCheck(routingContext, checkResult.getAugmentedIdentityAsUni(), i + 1, augmented, list, authorizationRequestContext);
            }
            return doPermissionCheck(routingContext, uni, i + 1, securityIdentity, list, authorizationRequestContext);
        });
    }

    /**
     * Looks up the request's normalized path in one matcher and returns the first configured
     * authentication mechanism name among the matched mappings.
     *
     * <p>The HTTP method restriction of a mapping is not consulted here; only the path decides.
     *
     * @return the mechanism name, or {@code null} when nothing matches or no matched mapping names one
     */
    private static String getAuthMechanismName(RoutingContext routingContext, ImmutablePathMatcher<List<HttpMatcher>> immutablePathMatcher) {
        List<HttpMatcher> matched = immutablePathMatcher.match(routingContext.normalizedPath()).getValue();
        if (matched == null) {
            return null;
        }
        // An empty list falls straight through the loop to the null result.
        for (HttpMatcher candidate : matched) {
            String mechanism = candidate.authMechanism();
            if (mechanism != null) {
                return mechanism;
            }
        }
        return null;
    }

    /**
     * Registers one permission mapping with a matcher builder: every configured path gets its own
     * single-element list holding a fresh {@link HttpMatcher}.
     *
     * <p>The policy name is resolved before the {@code enabled} flag is read, so a disabled mapping that
     * names an unknown policy still fails.
     *
     * @throws RuntimeException when the mapping names a policy that is not in {@code map}
     */
    private static void addPermissionToPathMatcher(Map<String, HttpSecurityPolicy> map, PolicyMappingConfig policyMappingConfig, ImmutablePathMatcher.ImmutablePathMatcherBuilder<List<HttpMatcher>> immutablePathMatcherBuilder) {
        HttpSecurityPolicy resolvedPolicy = map.get(policyMappingConfig.policy());
        if (resolvedPolicy == null) {
            throw new RuntimeException("Unable to find HTTP security policy " + policyMappingConfig.policy());
        }
        if (!policyMappingConfig.enabled().orElse(Boolean.TRUE)) {
            return;
        }
        for (String path : policyMappingConfig.paths().orElse(Collections.emptyList())) {
            // NOTE(review): method names are stored exactly as configured, and findPermissionCheckers
            // compares them case-sensitively with the request method — confirm they are normalized
            // before they reach this point.
            Set<String> restrictedMethods = new HashSet<>(policyMappingConfig.methods().orElse(Collections.emptyList()));
            String mechanism = policyMappingConfig.authMechanism().orElse(null);
            // The list has to be mutable and private to this path: the builder's accumulator merges
            // mappings for the same path with addAll.
            List<HttpMatcher> holder = new ArrayList<>();
            holder.add(new HttpMatcher(mechanism, restrictedMethods, resolvedPolicy));
            immutablePathMatcherBuilder.addPath(path, holder);
        }
    }

    /**
     * Selects the policies one matcher assigns to the request.
     *
     * <p>Selection order for a matched path:
     * <ol>
     * <li>mappings whose method set contains the request method, if there are any;</li>
     * <li>otherwise mappings with no method restriction ({@code null} or empty set);</li>
     * <li>otherwise the deny policy. A path that is covered only for other HTTP methods is therefore
     * rejected rather than left unchecked.</li>
     * </ol>
     * A path without any match yields an empty list.
     *
     * @return a new mutable list; callers append to it
     */
    private static List<HttpSecurityPolicy> findPermissionCheckers(RoutingContext routingContext, ImmutablePathMatcher<List<HttpMatcher>> immutablePathMatcher) {
        List<HttpMatcher> matched = immutablePathMatcher.match(routingContext.normalizedPath()).getValue();
        if (matched == null || matched.isEmpty()) {
            return new ArrayList<>();
        }
        List<HttpSecurityPolicy> methodSpecific = new ArrayList<>();
        List<HttpSecurityPolicy> anyMethod = new ArrayList<>();
        for (HttpMatcher candidate : matched) {
            Set<String> restrictedMethods = candidate.methods();
            if (restrictedMethods == null || restrictedMethods.isEmpty()) {
                anyMethod.add(candidate.checker());
                continue;
            }
            // Exact, case-sensitive comparison with the request method's string form.
            if (restrictedMethods.contains(routingContext.request().method().toString())) {
                methodSpecific.add(candidate.checker());
            }
        }
        if (!methodSpecific.isEmpty()) {
            return methodSpecific;
        }
        if (!anyMethod.isEmpty()) {
            return anyMethod;
        }
        List<HttpSecurityPolicy> denyOnly = new ArrayList<>();
        denyOnly.add(DenySecurityPolicy.INSTANCE);
        return denyOnly;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Tells whether a permission check on this routing context ran at least one policy and ended with
     * all of them permitting. Only the presence of the marker is tested, not its value.
     */
    public static boolean policyApplied(RoutingContext routingContext) {
        Object marker = routingContext.get(PATH_MATCHING_POLICY_FOUND);
        return marker != null;
    }

    /**
     * Builds the name-to-policy lookup used when permission mappings are resolved.
     *
     * <p>Policies are registered from three sources, in this order: installed {@link HttpSecurityPolicy}
     * beans that report a name, one {@code RolesAllowedHttpSecurityPolicy} per entry of {@code map}, and
     * the built-in {@code deny}, {@code permit} and {@code authenticated} policies. A name may be
     * registered only once; because the built-ins are added last, a bean or configured policy that
     * reuses one of their names is rejected instead of replacing the built-in.
     *
     * @param map      role-based policy configuration keyed by policy name
     * @param instance installed policy beans
     * @return mutable map from policy name to policy
     * @throws ConfigurationException when a bean reports a blank name or two policies share a name
     */
    private static Map<String, HttpSecurityPolicy> toNamedHttpSecPolicies(Map<String, PolicyConfig> map, Instance<HttpSecurityPolicy> instance) {
        HashMap hashMap;
        HashMap hashMap2 = new HashMap();
        for (Instance.Handle handle : instance.handles()) {
            // Beans whose bean class directly extends this class are skipped; only the direct
            // superclass is compared.
            if (handle.getBean().getBeanClass().getSuperclass() != AbstractPathMatchingHttpSecurityPolicy.class) {
                HttpSecurityPolicy httpSecurityPolicy = (HttpSecurityPolicy) handle.get();
                // A null name means the policy cannot be referenced by name; it is not registered.
                if (httpSecurityPolicy.name() == null) {
                    continue;
                } else {
                    if (httpSecurityPolicy.name().isBlank()) {
                        throw new ConfigurationException("HTTP Security policy '" + httpSecurityPolicy + "' name must not be blank");
                    }
                    // put() returns the previous mapping, which is how a duplicate name is detected.
                    HttpSecurityPolicy httpSecurityPolicy2 = (HttpSecurityPolicy) hashMap2.put(httpSecurityPolicy.name(), httpSecurityPolicy);
                    if (httpSecurityPolicy2 != null) {
                        throw duplicateNamedPoliciesNotAllowedEx(httpSecurityPolicy2, httpSecurityPolicy);
                    }
                }
            }
        }
        for (Map.Entry<String, PolicyConfig> entry : map.entrySet()) {
            PolicyConfig value = entry.getValue();
            // hashMap ends up as role -> permissions, or null when the policy configures none.
            if (value.permissions().isEmpty()) {
                hashMap = null;
            } else {
                hashMap = new HashMap();
                for (Map.Entry<String, List<String>> entry2 : value.permissions().entrySet()) {
                    // Groups this role's configured entries by permission name, collecting the actions.
                    HashMap hashMap3 = new HashMap();
                    String key = entry2.getKey();
                    Iterator<String> it = entry2.getValue().iterator();
                    while (it.hasNext()) {
                        addPermissionToAction(hashMap3, key, it.next());
                    }
                    HashSet hashSet = new HashSet();
                    for (PermissionToActions permissionToActions : hashMap3.values()) {
                        // StringPermission is built directly; any other configured class name goes
                        // through the reflective customPermissionCreator.
                        if (StringPermission.class.getName().equals(value.permissionClass())) {
                            hashSet.add(new StringPermission(permissionToActions.permissionName, (String[]) permissionToActions.actions.toArray(new String[0])));
                        } else {
                            hashSet.add(customPermissionCreator(value, permissionToActions));
                        }
                    }
                    // Stored as an unmodifiable copy.
                    hashMap.put(key, Set.copyOf(hashSet));
                }
            }
            RolesAllowedHttpSecurityPolicy rolesAllowedHttpSecurityPolicy = new RolesAllowedHttpSecurityPolicy(value.rolesAllowed(), hashMap, value.roles());
            HttpSecurityPolicy httpSecurityPolicy3 = (HttpSecurityPolicy) hashMap2.put(entry.getKey(), rolesAllowedHttpSecurityPolicy);
            if (httpSecurityPolicy3 != null) {
                throw duplicateNamedPoliciesNotAllowedEx(httpSecurityPolicy3, rolesAllowedHttpSecurityPolicy);
            }
        }
        // Built-in policies go in last, so a clash with an earlier registration is reported here.
        HttpSecurityPolicy httpSecurityPolicy4 = (HttpSecurityPolicy) hashMap2.put("deny", DenySecurityPolicy.INSTANCE);
        if (httpSecurityPolicy4 != null) {
            throw duplicateNamedPoliciesNotAllowedEx(httpSecurityPolicy4, DenySecurityPolicy.INSTANCE);
        }
        HttpSecurityPolicy httpSecurityPolicy5 = (HttpSecurityPolicy) hashMap2.put("permit", new PermitSecurityPolicy());
        if (httpSecurityPolicy5 != null) {
            throw duplicateNamedPoliciesNotAllowedEx(httpSecurityPolicy5, new PermitSecurityPolicy());
        }
        HttpSecurityPolicy httpSecurityPolicy6 = (HttpSecurityPolicy) hashMap2.put("authenticated", new AuthenticatedHttpSecurityPolicy());
        if (httpSecurityPolicy6 != null) {
            throw duplicateNamedPoliciesNotAllowedEx(httpSecurityPolicy6, new AuthenticatedHttpSecurityPolicy());
        }
        return hashMap2;
    }

    /**
     * Validates the constructor shape of a configured permission class and reports whether that
     * constructor takes actions.
     *
     * <p>The class must expose exactly one public constructor, shaped either {@code (String)} or
     * {@code (String, String[])}.
     *
     * @param str fully qualified name of the permission class
     * @return {@code true} for the two-argument form, {@code false} for the one-argument form
     * @throws ConfigurationException when the constructor count or the parameter types do not fit
     */
    private static boolean acceptsActions(String str) {
        Class<?> permissionClass = loadClass(str);
        Constructor<?>[] publicConstructors = permissionClass.getConstructors();
        if (publicConstructors.length != 1) {
            throw new ConfigurationException(String.format("Permission class '%s' must have exactly one constructor", permissionClass));
        }
        Class<?>[] parameterTypes = publicConstructors[0].getParameterTypes();
        if (parameterTypes.length == 0 || parameterTypes[0] != String.class) {
            throw new ConfigurationException(String.format("Permission class '%s' constructor first parameter must be '%s' (permission name)", permissionClass, String.class.getName()));
        }
        if (parameterTypes.length == 1) {
            return false;
        }
        if (parameterTypes.length != 2) {
            throw new ConfigurationException(String.format("Permission class '%s' constructor must accept either one parameter (String permissionName), or two parameters (String permissionName, String[] actions)", permissionClass));
        }
        if (parameterTypes[1] != String[].class) {
            throw new ConfigurationException(String.format("Permission class '%s' constructor second parameter must be '%s' array", permissionClass, String.class.getName()));
        }
        return true;
    }

    /**
     * Parses one configured permission entry, {@code name} or {@code name:action}, and records it in
     * {@code map}, creating the accumulator for the name on first use.
     *
     * <p>Name and action are trimmed. Entries such as {@code "a:b:c"} or {@code "a:"} are rejected
     * because {@code split(":")} does not produce exactly two parts for them. An action that is blank
     * after the separator (for example {@code "a: "}) is kept as an empty string.
     *
     * @param map  accumulators keyed by permission name
     * @param str  role the entry belongs to; used in the error message only
     * @param str2 raw configured entry
     * @throws ConfigurationException when the entry has more than one separator, a trailing separator,
     *                                or an empty permission name
     */
    private static void addPermissionToAction(Map<String, PermissionToActions> map, String str, String str2) {
        String permissionName;
        String action = null;
        if (str2.contains(":")) {
            String[] parts = str2.split(":");
            if (parts.length != 2) {
                throw new ConfigurationException(String.format("Invalid permission format '%s', please use exactly one permission to action separator", str2));
            }
            permissionName = parts[0].trim();
            action = parts[1].trim();
        } else {
            permissionName = str2.trim();
        }
        if (permissionName.isEmpty()) {
            throw new ConfigurationException(String.format("Invalid permission name '%s' for role '%s'", str2, str));
        }
        PermissionToActions accumulator = map.computeIfAbsent(permissionName, PermissionToActions::new);
        accumulator.addAction(action);
    }

    /**
     * Loads a class by name through the current thread's context class loader.
     *
     * @param str fully qualified class name, taken from the policy configuration
     * @throws RuntimeException wrapping the {@link ClassNotFoundException} when the class is missing
     */
    private static Class<?> loadClass(String str) {
        ClassLoader contextLoader = Thread.currentThread().getContextClassLoader();
        try {
            return contextLoader.loadClass(str);
        } catch (ClassNotFoundException notFound) {
            throw new RuntimeException("Unable to load class '" + str + "' for creating permission", notFound);
        }
    }

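    /**
     * Reflectively creates an instance of the permission class named in the policy configuration.
     *
     * <p>The class is validated before anything is instantiated: it must be a
     * {@link Permission} subtype and pass the constructor-shape check of {@code acceptsActions}.
     * Previously the first public constructor was fetched and invoked before those checks could
     * report a problem, so a class without a public constructor failed with an index error, and a
     * class that is not a {@code Permission} was constructed first and only then rejected by the cast.
     *
     * @param policyConfig        supplies the permission class name
     * @param permissionToActions permission name and actions passed to the constructor
     * @return the new permission
     * @throws ConfigurationException when the configured class is not a {@code Permission} or its
     *                                constructor does not have the expected shape
     * @throws RuntimeException       when the class cannot be loaded or the constructor call fails
     */
    private static Permission customPermissionCreator(PolicyConfig policyConfig, PermissionToActions permissionToActions) {
        String permissionClassName = policyConfig.permissionClass();
        Class<?> permissionClass = loadClass(permissionClassName);
        if (!Permission.class.isAssignableFrom(permissionClass)) {
            throw new ConfigurationException(String.format("Permission class '%s' must extend '%s'", permissionClass, Permission.class.getName()));
        }
        // Guarantees exactly one public constructor, so the index access below cannot fail.
        boolean withActions = acceptsActions(permissionClassName);
        Constructor<?> constructor = permissionClass.getConstructors()[0];
        String[] actions = permissionToActions.actions.toArray(new String[0]);
        try {
            if (withActions) {
                return (Permission) constructor.newInstance(permissionToActions.permissionName, actions);
            }
            return (Permission) constructor.newInstance(permissionToActions.permissionName);
        } catch (IllegalAccessException | InstantiationException | InvocationTargetException e) {
            throw new RuntimeException(String.format("Failed to create Permission - class '%s', name '%s', actions '%s'", permissionClassName, permissionToActions.permissionName, Arrays.toString(actions)), e);
        }
    }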

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Creates (does not throw) the exception reported when two policies claim the same name. Client
     * proxies are unwrapped so the message names the underlying implementation classes.
     *
     * @param httpSecurityPolicy  policy that was registered first; its name appears in the message
     * @param httpSecurityPolicy2 policy that collided with it
     */
    public static ConfigurationException duplicateNamedPoliciesNotAllowedEx(HttpSecurityPolicy httpSecurityPolicy, HttpSecurityPolicy httpSecurityPolicy2) {
        String sharedName = httpSecurityPolicy.name();
        String firstImplementation = ClientProxy.unwrap(httpSecurityPolicy).getClass().getName();
        String secondImplementation = ClientProxy.unwrap(httpSecurityPolicy2).getClass().getName();
        return new ConfigurationException("Only one HttpSecurityPolicy with the name '" + sharedName + "' is allowed, but found: " + firstImplementation + " and " + secondImplementation);
    }
}
