package io.quarkus.resteasy.reactive.server.runtime.security;

import io.quarkus.arc.Arc;
import io.quarkus.arc.InjectableInstance;
import io.quarkus.resteasy.reactive.server.runtime.StandardSecurityCheckInterceptor;
import io.quarkus.security.UnauthorizedException;
import io.quarkus.security.identity.CurrentIdentityAssociation;
import io.quarkus.security.identity.SecurityIdentity;
import io.quarkus.security.spi.runtime.AuthorizationController;
import io.quarkus.security.spi.runtime.MethodDescription;
import io.quarkus.security.spi.runtime.SecurityCheck;
import io.quarkus.security.spi.runtime.SecurityCheckStorage;
import io.smallrye.mutiny.Uni;
import io.smallrye.mutiny.subscription.UniSubscriber;
import io.smallrye.mutiny.subscription.UniSubscription;
import java.lang.annotation.Annotation;
import java.lang.reflect.Method;
import java.util.Collections;
import java.util.List;
import java.util.function.Function;
import org.jboss.resteasy.reactive.common.model.ResourceClass;
import org.jboss.resteasy.reactive.server.core.ResteasyReactiveRequestContext;
import org.jboss.resteasy.reactive.server.model.HandlerChainCustomizer;
import org.jboss.resteasy.reactive.server.model.ServerResourceMethod;
import org.jboss.resteasy.reactive.server.spi.ResteasyReactiveResourceInfo;
import org.jboss.resteasy.reactive.server.spi.ServerRestHandler;

/**
 * RESTEasy Reactive handler that applies the security check registered for the matched resource
 * method before the rest of the handler chain runs.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>No check is applied when {@link SecurityCheckStorage} has none for the method, or when
 *       {@link AuthorizationController#isAuthorizationEnabled()} returns {@code false}.</li>
 *   <li>A check that reports {@code requiresMethodArguments()} is <em>not</em> executed here; this
 *       handler only rejects anonymous identities in that case, so the authorization decision
 *       itself has to be enforced by a later component.</li>
 *   <li>The resolved check is cached per handler instance without regard to which method produced
 *       it, so an instance must serve a single resource method. {@link Customizer#handlers}
 *       creates a fresh instance on every call.</li>
 * </ul>
 *
 * <p>The lazily initialised fields are {@code volatile} and written without a lock; concurrent
 * first requests may each perform the lookup.
 */
public class EagerSecurityHandler implements ServerRestHandler {
    /**
     * Placeholder stored in {@link #check} once the storage lookup has returned {@code null}, so
     * that "not looked up yet" ({@code null}) and "nothing to enforce" can be told apart. Both
     * {@code apply} variants are no-ops.
     */
    private static final SecurityCheck NULL_SENTINEL = new SecurityCheck() {
        @Override
        public void apply(SecurityIdentity identity, Method method, Object[] parameters) {
            // nothing to enforce
        }

        @Override
        public void apply(SecurityIdentity identity, MethodDescription description, Object[] parameters) {
            // nothing to enforce
        }
    };
    private final boolean isProactiveAuthDisabled;
    private volatile InjectableInstance<CurrentIdentityAssociation> currentIdentityAssociation;
    private volatile SecurityCheck check;
    private volatile AuthorizationController authorizationController;

    /**
     * Handler-chain customizer that contributes one {@link EagerSecurityHandler} in the
     * {@code AFTER_MATCH} phase and nothing in any other phase.
     */
    public abstract static class Customizer implements HandlerChainCustomizer {

        /** @return the flag handed to every {@link EagerSecurityHandler} this customizer creates */
        protected abstract boolean isProactiveAuthDisabled();

        @Override
        public List<ServerRestHandler> handlers(HandlerChainCustomizer.Phase phase, ResourceClass resourceClass,
                ServerResourceMethod serverResourceMethod) {
            if (phase != HandlerChainCustomizer.Phase.AFTER_MATCH) {
                return Collections.emptyList();
            }
            // A new handler per call keeps the per-instance check cache tied to one registration.
            return Collections.singletonList(new EagerSecurityHandler(isProactiveAuthDisabled()));
        }

        /**
         * Picks the customizer variant.
         *
         * @param z {@code true} for the variant that reports proactive authentication as enabled,
         *          {@code false} for the variant that reports it as disabled
         * @return a new customizer instance
         */
        public static HandlerChainCustomizer newInstance(boolean z) {
            if (z) {
                return new ProactiveAuthEnabledCustomizer();
            }
            return new ProactiveAuthDisabledCustomizer();
        }

        /** Variant whose handlers are created with the proactive-auth-disabled flag set. */
        public static class ProactiveAuthDisabledCustomizer extends Customizer {
            @Override
            protected boolean isProactiveAuthDisabled() {
                return true;
            }
        }

        /** Variant whose handlers are created with the proactive-auth-disabled flag cleared. */
        public static class ProactiveAuthEnabledCustomizer extends Customizer {
            @Override
            protected boolean isProactiveAuthDisabled() {
                return false;
            }
        }
    }

    /**
     * @param z whether proactive authentication is disabled; when it is, and the target method is
     *          non-blocking, {@link #handle} also stores the resolved identity on the
     *          {@link CurrentIdentityAssociation}
     */
    public EagerSecurityHandler(boolean z) {
        this.isProactiveAuthDisabled = z;
    }

    /**
     * Resolves the security check for the matched method (caching the result) and applies it.
     *
     * <p>For a permit-all check the request is only marked as already checked. Otherwise the
     * request is suspended until the deferred identity is available, the check is evaluated, and
     * the request is resumed: normally on success, with the failure otherwise.
     *
     * @param resteasyReactiveRequestContext the request being processed
     * @throws Exception declared by the handler contract
     */
    @Override
    public void handle(final ResteasyReactiveRequestContext resteasyReactiveRequestContext) throws Exception {
        if (this.check == NULL_SENTINEL) {
            // Fast path: an earlier request already established that nothing is registered.
            return;
        }
        final SecurityCheck cachedCheck = this.check;
        final ResteasyReactiveResourceInfo resourceInfo = resteasyReactiveRequestContext.getTarget().getLazyMethod();
        final MethodDescription description = new MethodDescription(
                resourceInfo.getResourceClass().getName(),
                resourceInfo.getName(),
                MethodDescription.typesAsStrings(resourceInfo.getParameterTypes()));

        final SecurityCheck effectiveCheck = cachedCheck != null ? cachedCheck : lookUpAndCacheCheck(description);
        if (effectiveCheck == NULL_SENTINEL) {
            return;
        }

        AuthorizationController controller = this.authorizationController;
        if (controller == null) {
            controller = Arc.container().instance(AuthorizationController.class).get();
            this.authorizationController = controller;
        }
        if (!controller.isAuthorizationEnabled()) {
            // Authorization switched off: the request continues without any check.
            return;
        }

        resteasyReactiveRequestContext.requireCDIRequestScope();
        if (effectiveCheck.isPermitAll()) {
            preventRepeatedSecurityChecks(resteasyReactiveRequestContext, description);
            return;
        }

        resteasyReactiveRequestContext.suspend();
        Uni<SecurityIdentity> identity = getCurrentIdentityAssociation().get().getDeferredIdentity();
        if (this.isProactiveAuthDisabled && resourceInfo.isNonBlocking) {
            // Publish the resolved identity on the association before the check is evaluated.
            identity = identity.call(resolved -> {
                if (resolved != null) {
                    getCurrentIdentityAssociation().get().setIdentity(resolved);
                }
                return Uni.createFrom().item(resolved);
            });
        }

        final Function<SecurityIdentity, Uni<?>> evaluateCheck = resolved -> {
            if (effectiveCheck.requiresMethodArguments()) {
                // The check is not run here; only unauthenticated callers are turned away.
                // The marker property is deliberately left unset on this path.
                // NOTE(review): unlike the callback above, there is no null guard before
                // isAnonymous(); a null identity would surface as a failure - confirm intended.
                if (resolved.isAnonymous()) {
                    throw new UnauthorizedException();
                }
                return Uni.createFrom().nullItem();
            }
            // The marker is set before the check completes; a failing check still resumes the
            // request with that failure through the subscriber below.
            preventRepeatedSecurityChecks(resteasyReactiveRequestContext, description);
            return effectiveCheck.nonBlockingApply(resolved, description,
                    resteasyReactiveRequestContext.getParameters());
        };
        identity.flatMap(evaluateCheck)
                .subscribe()
                .withSubscriber(resumeWhenDone(resteasyReactiveRequestContext));
    }

    /**
     * Asks {@link SecurityCheckStorage} for the check of the described method and caches the
     * answer, substituting {@link #NULL_SENTINEL} when there is none.
     */
    private SecurityCheck lookUpAndCacheCheck(MethodDescription description) {
        final SecurityCheck registered = Arc.container().instance(SecurityCheckStorage.class).get()
                .getSecurityCheck(description);
        final SecurityCheck resolved = registered != null ? registered : NULL_SENTINEL;
        this.check = resolved;
        return resolved;
    }

    /** Builds the subscriber that resumes the suspended request once the check pipeline ends. */
    private static UniSubscriber<Object> resumeWhenDone(final ResteasyReactiveRequestContext requestContext) {
        return new UniSubscriber<Object>() {
            @Override
            public void onSubscribe(UniSubscription subscription) {
                // nothing to do on subscription
            }

            @Override
            public void onItem(Object ignored) {
                requestContext.resume();
            }

            @Override
            public void onFailure(Throwable failure) {
                requestContext.resume(failure, true);
            }
        };
    }

    /**
     * Records the method description on the request under the
     * {@link StandardSecurityCheckInterceptor#STANDARD_SECURITY_CHECK_INTERCEPTOR} key.
     * Presumably the interceptor reads it to skip a second evaluation of the same check; the
     * reading side is not part of this class.
     */
    private void preventRepeatedSecurityChecks(ResteasyReactiveRequestContext requestContext,
            MethodDescription description) {
        requestContext.setProperty(StandardSecurityCheckInterceptor.STANDARD_SECURITY_CHECK_INTERCEPTOR, description);
    }

    /** Returns the lazily selected {@link CurrentIdentityAssociation} instance handle. */
    private InjectableInstance<CurrentIdentityAssociation> getCurrentIdentityAssociation() {
        InjectableInstance<CurrentIdentityAssociation> association = this.currentIdentityAssociation;
        if (association == null) {
            association = Arc.container().select(CurrentIdentityAssociation.class);
            this.currentIdentityAssociation = association;
        }
        return association;
    }
}
