package io.quarkus.oidc.token.propagation;

import io.quarkus.arc.Arc;
import io.quarkus.oidc.client.OidcClient;
import io.quarkus.oidc.client.OidcClientConfig;
import io.quarkus.oidc.client.OidcClients;
import io.quarkus.oidc.client.Tokens;
import io.quarkus.oidc.token.propagation.runtime.AbstractTokenRequestFilter;
import io.quarkus.runtime.configuration.ConfigurationException;
import io.quarkus.security.credential.TokenCredential;
import java.io.IOException;
import java.lang.annotation.Annotation;
import java.util.Collections;
import java.util.Optional;
import javax.annotation.PostConstruct;
import javax.enterprise.inject.Instance;
import javax.inject.Inject;
import javax.ws.rs.client.ClientRequestContext;
import org.eclipse.microprofile.config.ConfigProvider;
import org.eclipse.microprofile.config.inject.ConfigProperty;

/* loaded from: input_file:io/quarkus/oidc/token/propagation/AccessTokenRequestFilter.class */
public class AccessTokenRequestFilter extends AbstractTokenRequestFilter {

    @Inject
    Instance<TokenCredential> accessToken;

    @Inject
    @ConfigProperty(name = "quarkus.oidc-token-propagation.client-name")
    Optional<String> oidcClientName;

    @Inject
    @ConfigProperty(name = "quarkus.oidc-token-propagation.exchange-token")
    boolean exchangeToken;
    OidcClient exchangeTokenClient;
    String exchangeTokenProperty;

    @PostConstruct
    public void initExchangeTokenClient() {
        if (this.exchangeToken) {
            OidcClients oidcClients = (OidcClients) Arc.container().instance(OidcClients.class, new Annotation[0]).get();
            this.exchangeTokenClient = this.oidcClientName.isPresent() ? oidcClients.getClient(this.oidcClientName.get()) : oidcClients.getClient();
            OidcClientConfig.Grant.Type type = (OidcClientConfig.Grant.Type) ConfigProvider.getConfig().getValue("quarkus.oidc-client." + (this.oidcClientName.isPresent() ? this.oidcClientName.get() + "." : "") + "grant.type", OidcClientConfig.Grant.Type.class);
            if (type == OidcClientConfig.Grant.Type.EXCHANGE) {
                this.exchangeTokenProperty = "subject_token";
            } else {
                if (type != OidcClientConfig.Grant.Type.JWT) {
                    throw new ConfigurationException("Token exchange is required but OIDC client is configured to use the " + type.getGrantType() + " grantType");
                }
                this.exchangeTokenProperty = "assertion";
            }
        }
    }

    public void filter(ClientRequestContext clientRequestContext) throws IOException {
        if (verifyTokenInstance(clientRequestContext, this.accessToken)) {
            propagateToken(clientRequestContext, exchangeTokenIfNeeded(((TokenCredential) this.accessToken.get()).getToken()));
        }
    }

    private String exchangeTokenIfNeeded(String str) {
        return this.exchangeTokenClient != null ? ((Tokens) this.exchangeTokenClient.getTokens(Collections.singletonMap(this.exchangeTokenProperty, str)).await().indefinitely()).getAccessToken() : str;
    }
}
