package io.quarkus.vertx.http.deployment;

import io.quarkus.arc.deployment.AdditionalBeanBuildItem;
import io.quarkus.arc.deployment.AnnotationsTransformerBuildItem;
import io.quarkus.arc.deployment.SyntheticBeanBuildItem;
import io.quarkus.arc.processor.AnnotationsTransformer;
import io.quarkus.arc.processor.DotNames;
import io.quarkus.deployment.Capabilities;
import io.quarkus.deployment.annotations.BuildProducer;
import io.quarkus.deployment.annotations.BuildStep;
import io.quarkus.deployment.annotations.ExecutionTime;
import io.quarkus.deployment.annotations.Record;
import io.quarkus.vertx.http.runtime.HttpBuildTimeConfig;
import io.quarkus.vertx.http.runtime.management.ManagementInterfaceBuildTimeConfig;
import io.quarkus.vertx.http.runtime.security.BasicAuthenticationMechanism;
import io.quarkus.vertx.http.runtime.security.EagerSecurityInterceptorStorage;
import io.quarkus.vertx.http.runtime.security.FormAuthenticationMechanism;
import io.quarkus.vertx.http.runtime.security.HttpAuthenticator;
import io.quarkus.vertx.http.runtime.security.HttpAuthorizer;
import io.quarkus.vertx.http.runtime.security.HttpSecurityPolicy;
import io.quarkus.vertx.http.runtime.security.HttpSecurityRecorder;
import io.quarkus.vertx.http.runtime.security.MtlsAuthenticationMechanism;
import io.quarkus.vertx.http.runtime.security.PathMatchingHttpSecurityPolicy;
import io.quarkus.vertx.http.runtime.security.VertxBlockingSecurityExecutor;
import io.vertx.core.http.ClientAuth;
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.inject.Singleton;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.function.BooleanSupplier;
import java.util.stream.Collectors;
import org.jboss.jandex.AnnotationValue;
import org.jboss.jandex.DotName;

/* loaded from: input_file:io/quarkus/vertx/http/deployment/HttpSecurityProcessor.class */
/**
 * Build-time processor that wires the HTTP security layer: named security policies,
 * the form / mTLS / Basic authentication mechanisms, the authentication and
 * permission-check filters, and the eager security interceptor storage.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 * <li>Basic authentication is the implicit fallback: when it is not configured at all and
 * neither form auth, mTLS client auth nor management-interface Basic auth is enabled,
 * {@link #applicationBasicAuthRequired} returns {@code true} and the mechanism is registered.
 * Basic credentials are only encoded, not encrypted, so such deployments depend on TLS.</li>
 * <li>Setting Basic auth explicitly to {@code false} always wins over that fallback.</li>
 * <li>The authentication and permission-check filters are installed only when the
 * {@code io.quarkus.security} capability is present.</li>
 * </ul>
 */
public class HttpSecurityProcessor {
    private static final DotName BASIC_AUTH_MECH_NAME = DotName.createSimple(BasicAuthenticationMechanism.class);

    /**
     * Build-step condition for {@link #initBasicAuth}; the decision is computed once in the
     * constructor by {@link HttpSecurityProcessor#applicationBasicAuthRequired}.
     */
    static class IsApplicationBasicAuthRequired implements BooleanSupplier {
        private final boolean required;

        public IsApplicationBasicAuthRequired(HttpBuildTimeConfig httpBuildTimeConfig, ManagementInterfaceBuildTimeConfig managementInterfaceBuildTimeConfig) {
            this.required = HttpSecurityProcessor.applicationBasicAuthRequired(httpBuildTimeConfig, managementInterfaceBuildTimeConfig);
        }

        @Override
        public boolean getAsBoolean() {
            return required;
        }
    }

    /**
     * Registers one unremovable singleton {@link HttpSecurityPolicy} bean per policy build item.
     * The bean name is the {@code HttpSecurityPolicy} class name, a dot, and the policy name.
     *
     * @param list policy build items; nothing is produced when it is empty
     * @param buildProducer sink for the synthetic beans
     * @param httpSecurityRecorder recorder that creates the runtime policy value
     */
    @BuildStep
    @Record(ExecutionTime.STATIC_INIT)
    void produceNamedHttpSecurityPolicies(List<HttpSecurityPolicyBuildItem> list, BuildProducer<SyntheticBeanBuildItem> buildProducer, HttpSecurityRecorder httpSecurityRecorder) {
        // Iterating an empty list produces nothing, which matches an explicit empty check.
        for (HttpSecurityPolicyBuildItem policyItem : list) {
            buildProducer.produce(
                    SyntheticBeanBuildItem.configure(HttpSecurityPolicy.class)
                            .named(HttpSecurityPolicy.class.getName() + "." + policyItem.getName())
                            .runtimeValue(httpSecurityRecorder.createNamedHttpSecurityPolicy(
                                    policyItem.getPolicySupplier(), policyItem.getName()))
                            .addType(HttpSecurityPolicy.class)
                            .scope(Singleton.class)
                            .unremovable()
                            .done());
        }
    }

    /**
     * Registers {@link FormAuthenticationMechanism} when form authentication is enabled.
     *
     * @param httpSecurityRecorder recorder that supplies the form POST handler
     * @param httpBuildTimeConfig build-time HTTP configuration
     * @param buildProducer sink for the extra route
     * @return the bean registration, or {@code null} when form authentication is disabled
     */
    @BuildStep
    @Record(ExecutionTime.STATIC_INIT)
    AdditionalBeanBuildItem initFormAuth(HttpSecurityRecorder httpSecurityRecorder, HttpBuildTimeConfig httpBuildTimeConfig, BuildProducer<RouteBuildItem> buildProducer) {
        if (httpBuildTimeConfig.auth.form.enabled) {
            if (!httpBuildTimeConfig.auth.proactive) {
                // Only without proactive authentication does the POST location get a dedicated
                // route handler. NOTE(review): presumably the proactive authentication filter
                // already handles the POST otherwise - confirm in HttpSecurityRecorder.
                buildProducer.produce(
                        RouteBuildItem.builder()
                                .route(httpBuildTimeConfig.auth.form.postLocation)
                                .handler(httpSecurityRecorder.formAuthPostHandler())
                                .build());
            }
            return AdditionalBeanBuildItem.builder()
                    .setUnremovable()
                    .addBeanClass(FormAuthenticationMechanism.class)
                    .setDefaultScope(DotNames.SINGLETON)
                    .build();
        }
        return null;
    }

    /**
     * Registers {@link MtlsAuthenticationMechanism} when TLS client authentication is not
     * {@code NONE}.
     *
     * @param httpBuildTimeConfig build-time HTTP configuration
     * @return the bean registration, or {@code null} when client authentication is {@code NONE}
     */
    @BuildStep
    AdditionalBeanBuildItem initMtlsClientAuth(HttpBuildTimeConfig httpBuildTimeConfig) {
        if (!isMtlsClientAuthenticationEnabled(httpBuildTimeConfig)) {
            return null;
        }
        return AdditionalBeanBuildItem.builder()
                .setUnremovable()
                .addBeanClass(MtlsAuthenticationMechanism.class)
                .setDefaultScope(DotNames.SINGLETON)
                .build();
    }

    /**
     * Registers {@link BasicAuthenticationMechanism}; runs only when
     * {@link IsApplicationBasicAuthRequired} evaluates to {@code true}.
     *
     * @param httpBuildTimeConfig build-time HTTP configuration
     * @param buildProducer sink for the annotation transformer
     * @param buildProducer2 sink for the security information item
     * @return the unremovable bean registration for the Basic mechanism
     */
    @BuildStep(onlyIf = {IsApplicationBasicAuthRequired.class})
    AdditionalBeanBuildItem initBasicAuth(HttpBuildTimeConfig httpBuildTimeConfig, BuildProducer<AnnotationsTransformerBuildItem> buildProducer, BuildProducer<SecurityInformationBuildItem> buildProducer2) {
        boolean basicExplicitlyEnabled = isEnabled(httpBuildTimeConfig.auth.basic);
        boolean registeredOnlyAsFallback = !httpBuildTimeConfig.auth.form.enabled
                && !isMtlsClientAuthenticationEnabled(httpBuildTimeConfig)
                && !basicExplicitlyEnabled;

        if (registeredOnlyAsFallback) {
            // Nobody asked for Basic explicitly: tag the mechanism class as a default bean.
            // NOTE(review): presumably so that another provided mechanism replaces it - confirm.
            buildProducer.produce(new AnnotationsTransformerBuildItem(
                    AnnotationsTransformer.appliedToClass()
                            .whenClass(classInfo -> BASIC_AUTH_MECH_NAME.equals(classInfo.name()))
                            .thenTransform(transformation -> transformation.add(DotNames.DEFAULT_BEAN, new AnnotationValue[0]))));
        }
        if (basicExplicitlyEnabled) {
            buildProducer2.produce(SecurityInformationBuildItem.BASIC());
        }
        return AdditionalBeanBuildItem.builder()
                .setUnremovable()
                .addBeanClass(BasicAuthenticationMechanism.class)
                .build();
    }

    /**
     * Decides whether the application needs the Basic authentication mechanism.
     *
     * <p>An explicit Basic setting is returned as-is. When the setting is absent, Basic is the
     * fallback: it is required unless form authentication, mTLS client authentication, or
     * management-interface Basic authentication is enabled. Operators who do not want an
     * implicit Basic mechanism must therefore set the option to {@code false} or enable
     * another mechanism.
     *
     * @param httpBuildTimeConfig build-time HTTP configuration
     * @param managementInterfaceBuildTimeConfig build-time management interface configuration
     * @return {@code true} if the Basic mechanism must be registered
     */
    public static boolean applicationBasicAuthRequired(HttpBuildTimeConfig httpBuildTimeConfig, ManagementInterfaceBuildTimeConfig managementInterfaceBuildTimeConfig) {
        Optional<Boolean> explicitBasic = httpBuildTimeConfig.auth.basic;
        if (explicitBasic.isPresent()) {
            // An explicit true or false always wins over the fallback logic.
            return explicitBasic.get();
        }
        return !httpBuildTimeConfig.auth.form.enabled
                && !isMtlsClientAuthenticationEnabled(httpBuildTimeConfig)
                && !isEnabled(managementInterfaceBuildTimeConfig.auth.basic);
    }

    /**
     * Installs the security beans and the authentication / permission-check filters.
     * Beans and filters are added only when the {@code io.quarkus.security} capability is
     * present; without it this step installs no HTTP security filter at all.
     *
     * @param httpSecurityRecorder recorder that creates the filter handlers
     * @param buildProducer sink for the filters
     * @param buildProducer2 sink for the additional beans
     * @param capabilities capabilities present in the build
     * @param httpBuildTimeConfig build-time HTTP configuration
     * @param buildProducer3 sink for the security information item
     */
    @BuildStep
    @Record(ExecutionTime.STATIC_INIT)
    void setupAuthenticationMechanisms(HttpSecurityRecorder httpSecurityRecorder, BuildProducer<FilterBuildItem> buildProducer, BuildProducer<AdditionalBeanBuildItem> buildProducer2, Capabilities capabilities, HttpBuildTimeConfig httpBuildTimeConfig, BuildProducer<SecurityInformationBuildItem> buildProducer3) {
        // NOTE(review): initBasicAuth emits the same item whenever Basic is explicitly enabled,
        // so with form auth off both steps produce one - confirm duplicates are harmless.
        if (!httpBuildTimeConfig.auth.form.enabled && isEnabled(httpBuildTimeConfig.auth.basic)) {
            buildProducer3.produce(SecurityInformationBuildItem.BASIC());
        }
        if (!capabilities.isPresent("io.quarkus.security")) {
            return;
        }
        buildProducer2.produce(
                AdditionalBeanBuildItem.builder()
                        .setUnremovable()
                        .addBeanClass(VertxBlockingSecurityExecutor.class)
                        .setDefaultScope(DotNames.APPLICATION_SCOPED)
                        .build());
        buildProducer2.produce(
                AdditionalBeanBuildItem.builder()
                        .setUnremovable()
                        .addBeanClass(HttpAuthenticator.class)
                        .addBeanClass(HttpAuthorizer.class)
                        .build());
        buildProducer2.produce(AdditionalBeanBuildItem.unremovableOf(PathMatchingHttpSecurityPolicy.class));
        buildProducer.produce(new FilterBuildItem(
                httpSecurityRecorder.authenticationMechanismHandler(httpBuildTimeConfig.auth.proactive),
                FilterBuildItem.AUTHENTICATION));
        // NOTE(review): 100 is a bare priority literal; it looks like the authorization slot that
        // must be ordered relative to FilterBuildItem.AUTHENTICATION - confirm against FilterBuildItem.
        buildProducer.produce(new FilterBuildItem(httpSecurityRecorder.permissionCheckHandler(), 100));
    }

    /**
     * Aggregates eager security interceptor candidates into one build item. Nothing is
     * produced when proactive authentication is on, the {@code io.quarkus.security}
     * capability is missing, or there are no candidates.
     *
     * @param list interceptor candidates
     * @param httpBuildTimeConfig build-time HTTP configuration
     * @param capabilities capabilities present in the build
     * @param buildProducer sink for the aggregated item
     */
    @BuildStep
    void collectEagerSecurityInterceptors(List<EagerSecurityInterceptorCandidateBuildItem> list, HttpBuildTimeConfig httpBuildTimeConfig, Capabilities capabilities, BuildProducer<EagerSecurityInterceptorBuildItem> buildProducer) {
        boolean interceptorsNeeded = !httpBuildTimeConfig.auth.proactive
                && capabilities.isPresent("io.quarkus.security")
                && !list.isEmpty();
        if (interceptorsNeeded) {
            // Collectors.toMap rejects duplicate keys, so two candidates sharing a
            // description runtime value fail the build with an IllegalStateException.
            buildProducer.produce(new EagerSecurityInterceptorBuildItem(
                    list.stream()
                            .map(EagerSecurityInterceptorCandidateBuildItem::getMethodInfo)
                            .collect(Collectors.toList()),
                    list.stream()
                            .collect(Collectors.toMap(
                                    EagerSecurityInterceptorCandidateBuildItem::getDescriptionRuntimeValue,
                                    EagerSecurityInterceptorCandidateBuildItem::getSecurityInterceptor))));
        }
    }

    /**
     * Exposes the collected interceptors as an application-scoped, unremovable
     * {@link EagerSecurityInterceptorStorage} bean when an aggregated item exists.
     *
     * @param httpSecurityRecorder recorder that creates the storage supplier
     * @param buildProducer sink for the synthetic bean
     * @param optional aggregated interceptors, empty when none were collected
     */
    @BuildStep
    @Record(ExecutionTime.STATIC_INIT)
    void produceEagerSecurityInterceptorStorage(HttpSecurityRecorder httpSecurityRecorder, BuildProducer<SyntheticBeanBuildItem> buildProducer, Optional<EagerSecurityInterceptorBuildItem> optional) {
        if (!optional.isPresent()) {
            return;
        }
        buildProducer.produce(
                SyntheticBeanBuildItem.configure(EagerSecurityInterceptorStorage.class)
                        .scope(ApplicationScoped.class)
                        .supplier(httpSecurityRecorder.createSecurityInterceptorStorage(
                                optional.get().methodCandidateToSecurityInterceptor))
                        .unremovable()
                        .done());
    }

    /**
     * Reports whether TLS client authentication is configured as anything other than
     * {@code NONE}. A mode that merely requests a certificate counts as enabled here, so
     * protected paths still need a policy that demands an authenticated identity.
     */
    private static boolean isMtlsClientAuthenticationEnabled(HttpBuildTimeConfig httpBuildTimeConfig) {
        boolean clientAuthDisabled = ClientAuth.NONE.equals(httpBuildTimeConfig.tlsClientAuth);
        return !clientAuthDisabled;
    }

    /** Returns {@code true} only when the optional flag is present and set to {@code true}. */
    private static boolean isEnabled(Optional<Boolean> flag) {
        return flag.isPresent() && flag.get();
    }
}
