package io.quarkus.oidc.deployment;

import io.quarkus.arc.deployment.AdditionalBeanBuildItem;
import io.quarkus.arc.deployment.SynthesisFinishedBuildItem;
import io.quarkus.arc.deployment.SyntheticBeanBuildItem;
import io.quarkus.deployment.Capabilities;
import io.quarkus.deployment.Feature;
import io.quarkus.deployment.annotations.BuildProducer;
import io.quarkus.deployment.annotations.BuildStep;
import io.quarkus.deployment.annotations.BuildSteps;
import io.quarkus.deployment.annotations.Consume;
import io.quarkus.deployment.annotations.ExecutionTime;
import io.quarkus.deployment.annotations.Record;
import io.quarkus.deployment.builditem.CombinedIndexBuildItem;
import io.quarkus.deployment.builditem.ExtensionSslNativeSupportBuildItem;
import io.quarkus.deployment.builditem.RuntimeConfigSetupCompleteBuildItem;
import io.quarkus.deployment.builditem.nativeimage.ReflectiveClassBuildItem;
import io.quarkus.oidc.SecurityEvent;
import io.quarkus.oidc.Tenant;
import io.quarkus.oidc.TokenIntrospectionCache;
import io.quarkus.oidc.UserInfoCache;
import io.quarkus.oidc.runtime.BackChannelLogoutHandler;
import io.quarkus.oidc.runtime.DefaultTenantConfigResolver;
import io.quarkus.oidc.runtime.DefaultTokenIntrospectionUserInfoCache;
import io.quarkus.oidc.runtime.DefaultTokenStateManager;
import io.quarkus.oidc.runtime.OidcAuthenticationMechanism;
import io.quarkus.oidc.runtime.OidcConfig;
import io.quarkus.oidc.runtime.OidcConfigurationMetadataProducer;
import io.quarkus.oidc.runtime.OidcIdentityProvider;
import io.quarkus.oidc.runtime.OidcJsonWebTokenProducer;
import io.quarkus.oidc.runtime.OidcRecorder;
import io.quarkus.oidc.runtime.OidcSessionImpl;
import io.quarkus.oidc.runtime.OidcTokenCredentialProducer;
import io.quarkus.oidc.runtime.TenantConfigBean;
import io.quarkus.oidc.runtime.providers.AzureAccessTokenCustomizer;
import io.quarkus.runtime.TlsConfig;
import io.quarkus.vertx.core.deployment.CoreVertxBuildItem;
import io.quarkus.vertx.http.deployment.EagerSecurityInterceptorCandidateBuildItem;
import io.quarkus.vertx.http.deployment.SecurityInformationBuildItem;
import io.quarkus.vertx.http.runtime.HttpBuildTimeConfig;
import io.smallrye.jwt.auth.cdi.ClaimValueProducer;
import io.smallrye.jwt.auth.cdi.CommonJwtProducer;
import io.smallrye.jwt.auth.cdi.JsonValueProducer;
import io.smallrye.jwt.auth.cdi.RawClaimTypeProducer;
import jakarta.inject.Singleton;
import java.util.HashMap;
import java.util.Map;
import java.util.function.BooleanSupplier;
import java.util.function.Consumer;
import java.util.stream.Collectors;
import org.eclipse.microprofile.jwt.Claim;
import org.jboss.jandex.AnnotationInstance;
import org.jboss.jandex.AnnotationTarget;
import org.jboss.jandex.DotName;
import org.jboss.jandex.IndexView;
import org.jboss.jandex.MethodInfo;
import org.jboss.logging.Logger;

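/**
 * Build steps of the OIDC deployment module.
 *
 * <p>The class-level {@code onlyIf = IsEnabled.class} condition gates every step on
 * {@code OidcBuildTimeConfig.enabled}. With that flag off, none of the beans,
 * recorder calls or interceptor candidates below are produced.
 */
@BuildSteps(onlyIf = {IsEnabled.class})
public class OidcBuildStep {
    /** Jandex name of {@link SecurityEvent}, compared against observed event types. */
    public static final DotName DOTNAME_SECURITY_EVENT = DotName.createSimple(SecurityEvent.class.getName());
    /** Jandex name of the {@link Tenant} annotation looked up in the combined index. */
    private static final DotName TENANT_NAME = DotName.createSimple(Tenant.class);
    private static final Logger LOG = Logger.getLogger(OidcBuildStep.class);

    /**
     * Condition that holds when OIDC is enabled and the default token cache is enabled.
     */
    public static class IsCacheEnabled implements BooleanSupplier {
        // Never assigned in this file; presumably injected by the build framework - TODO confirm.
        OidcBuildTimeConfig config;

        @Override
        public boolean getAsBoolean() {
            return this.config.enabled && this.config.defaultTokenCacheEnabled;
        }
    }

    /**
     * Condition that holds when the OIDC extension is enabled at build time.
     */
    public static class IsEnabled implements BooleanSupplier {
        // Never assigned in this file; presumably injected by the build framework - TODO confirm.
        OidcBuildTimeConfig config;

        @Override
        public boolean getAsBoolean() {
            return this.config.enabled;
        }
    }

    /**
     * Publishes the OpenID Connect security information item, pointing at the
     * {@code quarkus.oidc.auth-server-url} configuration property.
     *
     * @param buildProducer sink for the security information build item
     */
    @BuildStep
    public void provideSecurityInformation(BuildProducer<SecurityInformationBuildItem> buildProducer) {
        buildProducer.produce(SecurityInformationBuildItem.OPENIDCONNECT("quarkus.oidc.auth-server-url"));
    }

    /**
     * Registers the SmallRye JWT claim producers unless the {@code io.quarkus.jwt}
     * capability is present.
     *
     * @param capabilities capabilities of the application being built
     * @return the bean registration, or {@code null} when the JWT capability is present
     */
    @BuildStep
    AdditionalBeanBuildItem jwtClaimIntegration(Capabilities capabilities) {
        if (capabilities.isPresent("io.quarkus.jwt")) {
            // Nothing is registered by this step when the JWT capability is present.
            return null;
        }
        return AdditionalBeanBuildItem.builder()
                .addBeanClass(CommonJwtProducer.class)
                .addBeanClass(RawClaimTypeProducer.class)
                .addBeanClass(JsonValueProducer.class)
                .addBeanClass(ClaimValueProducer.class)
                .addBeanClass(Claim.class)
                .build();
    }

    /**
     * Registers the OIDC runtime beans (authentication mechanism, identity provider,
     * tenant resolver, token state manager, logout handler and related producers) as
     * unremovable.
     *
     * @param buildProducer sink for the bean registration
     * @param buildProducer2 not used by this step
     */
    @BuildStep
    public void additionalBeans(BuildProducer<AdditionalBeanBuildItem> buildProducer, BuildProducer<ReflectiveClassBuildItem> buildProducer2) {
        AdditionalBeanBuildItem.Builder unremovable = AdditionalBeanBuildItem.builder().setUnremovable();
        unremovable
                .addBeanClass(OidcAuthenticationMechanism.class)
                .addBeanClass(OidcJsonWebTokenProducer.class)
                .addBeanClass(OidcTokenCredentialProducer.class)
                .addBeanClass(OidcConfigurationMetadataProducer.class)
                .addBeanClass(OidcIdentityProvider.class)
                .addBeanClass(DefaultTenantConfigResolver.class)
                .addBeanClass(DefaultTokenStateManager.class)
                .addBeanClass(OidcSessionImpl.class)
                .addBeanClass(BackChannelLogoutHandler.class)
                .addBeanClass(AzureAccessTokenCustomizer.class);
        buildProducer.produce(unremovable.build());
    }

    /**
     * Declares the default token introspection / UserInfo cache as a singleton synthetic
     * bean initialised at runtime. Runs only when {@link IsCacheEnabled} holds.
     *
     * @param oidcConfig runtime OIDC configuration handed to the recorder
     * @param oidcRecorder recorder that supplies the cache instance
     * @param coreVertxBuildItem source of the Vert.x instance handed to the recorder
     * @return the synthetic bean definition
     */
    @BuildStep(onlyIf = {IsCacheEnabled.class})
    @Record(ExecutionTime.RUNTIME_INIT)
    public SyntheticBeanBuildItem addDefaultCacheBean(OidcConfig oidcConfig, OidcRecorder oidcRecorder, CoreVertxBuildItem coreVertxBuildItem) {
        return SyntheticBeanBuildItem.configure(DefaultTokenIntrospectionUserInfoCache.class)
                .unremovable()
                .types(new Class[]{DefaultTokenIntrospectionUserInfoCache.class, TokenIntrospectionCache.class, UserInfoCache.class})
                .supplier(oidcRecorder.setupTokenCache(oidcConfig, coreVertxBuildItem.getVertx()))
                .scope(Singleton.class)
                .setRuntimeInit()
                .done();
    }

    /**
     * Requests SSL support in native images for the OIDC feature.
     *
     * @return the SSL native support item for {@code Feature.OIDC}
     */
    @BuildStep
    ExtensionSslNativeSupportBuildItem enableSslInNative() {
        return new ExtensionSslNativeSupportBuildItem(Feature.OIDC);
    }

    /**
     * Declares {@link TenantConfigBean} as a singleton synthetic bean initialised at
     * runtime, with {@code TenantConfigBean.Destroyer} registered as its destroyer.
     *
     * @param oidcConfig runtime OIDC configuration handed to the recorder
     * @param oidcRecorder recorder that supplies the bean instance
     * @param coreVertxBuildItem source of the Vert.x instance handed to the recorder
     * @param tlsConfig TLS configuration handed to the recorder
     * @return the synthetic bean definition
     */
    @BuildStep
    @Record(ExecutionTime.RUNTIME_INIT)
    public SyntheticBeanBuildItem setup(OidcConfig oidcConfig, OidcRecorder oidcRecorder, CoreVertxBuildItem coreVertxBuildItem, TlsConfig tlsConfig) {
        return SyntheticBeanBuildItem.configure(TenantConfigBean.class)
                .unremovable()
                .types(new Class[]{TenantConfigBean.class})
                .supplier(oidcRecorder.setup(oidcConfig, coreVertxBuildItem.getVertx(), tlsConfig))
                .destroyer(TenantConfigBean.Destroyer.class)
                .scope(Singleton.class)
                .setRuntimeInit()
                .done();
    }

    /**
     * Tells the recorder whether any CDI observer in the application observes
     * {@link SecurityEvent}.
     *
     * @param oidcRecorder recorder receiving the flag
     * @param synthesisFinishedBuildItem source of the discovered observers
     */
    @BuildStep
    @Consume(RuntimeConfigSetupCompleteBuildItem.class)
    @Record(ExecutionTime.RUNTIME_INIT)
    public void findSecurityEventObservers(OidcRecorder oidcRecorder, SynthesisFinishedBuildItem synthesisFinishedBuildItem) {
        boolean securityEventObserved = synthesisFinishedBuildItem.getObservers().stream()
                .anyMatch(observer -> observer.asObserver().getObservedType().name().equals(DOTNAME_SECURITY_EVENT));
        oidcRecorder.setSecurityEventObserved(securityEventObserved);
    }

    /**
     * Produces one eager security interceptor candidate per endpoint method that is
     * covered by a {@code @Tenant} annotation, so that the named tenant is selected
     * for that method.
     *
     * <p>Nothing is produced when proactive authentication is enabled, or when neither
     * the {@code io.quarkus.resteasy.reactive} nor the {@code io.quarkus.resteasy}
     * capability is present.
     *
     * @param combinedIndexBuildItem index searched for {@code @Tenant} annotations
     * @param capabilities capabilities of the application being built
     * @param oidcRecorder recorder creating the interceptors and method descriptions
     * @param buildProducer sink for the interceptor candidates
     * @param httpBuildTimeConfig HTTP build-time configuration (proactive auth flag)
     */
    @BuildStep
    @Record(ExecutionTime.STATIC_INIT)
    public void produceTenantResolverInterceptors(CombinedIndexBuildItem combinedIndexBuildItem, Capabilities capabilities, OidcRecorder oidcRecorder, BuildProducer<EagerSecurityInterceptorCandidateBuildItem> buildProducer, HttpBuildTimeConfig httpBuildTimeConfig) {
        if (httpBuildTimeConfig.auth.proactive) {
            // NOTE(review): @Tenant annotations are skipped here without any diagnostic.
            // An application that relies on them for tenant selection gets no build-time
            // hint that they have no effect in this mode; consider logging a warning.
            return;
        }
        if (!capabilities.isPresent("io.quarkus.resteasy.reactive") && !capabilities.isPresent("io.quarkus.resteasy")) {
            return;
        }
        Map<MethodInfo, String> candidateToTenant = collectTenantCandidates(combinedIndexBuildItem.getIndex());
        if (candidateToTenant.isEmpty()) {
            return;
        }
        // One interceptor per distinct tenant, shared by all methods bound to that tenant.
        // 'var' is used because the interceptor's element type is not imported in this file.
        var tenantToInterceptor = candidateToTenant.values().stream()
                .distinct()
                .map(tenant -> Map.entry(tenant, oidcRecorder.createTenantResolverInterceptor(tenant)))
                .collect(Collectors.toMap(Map.Entry::getKey, Map.Entry::getValue));
        candidateToTenant.forEach((method, tenant) -> {
            String[] parameterTypes = method.parameterTypes().stream()
                    .map(type -> type.name().toString())
                    .toArray(String[]::new);
            buildProducer.produce(new EagerSecurityInterceptorCandidateBuildItem(
                    method,
                    oidcRecorder.methodInfoToDescription(method.declaringClass().name().toString(), method.name(), parameterTypes),
                    tenantToInterceptor.get(tenant)));
        });
    }

    /**
     * Maps every endpoint candidate method to the tenant named by its {@code @Tenant}
     * annotation.
     *
     * <p>A method-level annotation always takes precedence over a class-level one. The
     * result therefore does not depend on the order in which the index returns the
     * annotation instances. This assumes {@code MethodInfo} equality identifies the same
     * method whether it is reached through the annotation target or through the
     * declaring class (TODO confirm).
     *
     * @param index index searched for {@code @Tenant} annotations
     * @return endpoint candidate methods with their tenant identifiers, possibly empty
     */
    private static Map<MethodInfo, String> collectTenantCandidates(IndexView index) {
        Map<MethodInfo, String> candidateToTenant = new HashMap<>();
        for (AnnotationInstance annotation : index.getAnnotations(TENANT_NAME)) {
            AnnotationTarget target = annotation.target();
            var value = annotation.value();
            if (value == null || value.asString().isEmpty()) {
                // Only a warning: the target gets no tenant interceptor from this step, so
                // the tenant is decided by whatever resolution applies otherwise.
                LOG.warnf("Annotation instance @Tenant placed on %s did not provide valid tenant", toTargetName(target));
                continue;
            }
            String tenant = value.asString();
            if (target.kind() == AnnotationTarget.Kind.METHOD) {
                MethodInfo method = target.asMethod();
                if (EagerSecurityInterceptorCandidateBuildItem.hasProperEndpointModifiers(method)) {
                    // Most specific declaration wins: overwrite a class-level entry if present.
                    candidateToTenant.put(method, tenant);
                } else {
                    LOG.warnf("Method %s is not valid endpoint, but is annotated with the '@Tenant' annotation", toTargetName(target));
                }
            } else if (target.kind() == AnnotationTarget.Kind.CLASS) {
                for (MethodInfo method : target.asClass().methods()) {
                    if (EagerSecurityInterceptorCandidateBuildItem.hasProperEndpointModifiers(method)) {
                        // Never replace a tenant already chosen by a method-level annotation.
                        candidateToTenant.putIfAbsent(method, tenant);
                    }
                }
            }
        }
        return candidateToTenant;
    }

    /**
     * Renders an annotation target for log messages: the class name for a class
     * target, otherwise {@code DeclaringClass#method}.
     *
     * @param annotationTarget target to describe; anything that is not a class is read as a method
     * @return the printable name
     */
    private static String toTargetName(AnnotationTarget annotationTarget) {
        if (annotationTarget.kind() == AnnotationTarget.Kind.CLASS) {
            return annotationTarget.asClass().name().toString();
        }
        return annotationTarget.asMethod().declaringClass().name().toString() + "#" + annotationTarget.asMethod().name();
    }
}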
