package fish.payara.security.openid;

import fish.payara.security.annotations.AzureAuthenticationDefinition;
import fish.payara.security.annotations.GoogleAuthenticationDefinition;
import fish.payara.security.annotations.OpenIdAuthenticationDefinition;
import fish.payara.security.openid.controller.AuthenticationController;
import fish.payara.security.openid.controller.ConfigurationController;
import fish.payara.security.openid.controller.JWTValidator;
import fish.payara.security.openid.controller.NonceController;
import fish.payara.security.openid.controller.ProviderMetadataContoller;
import fish.payara.security.openid.controller.StateController;
import fish.payara.security.openid.controller.TokenController;
import fish.payara.security.openid.controller.UserInfoController;
import fish.payara.security.openid.domain.OpenIdContextImpl;
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.enterprise.context.Dependent;
import jakarta.enterprise.context.SessionScoped;
import jakarta.enterprise.event.Observes;
import jakarta.enterprise.inject.Any;
import jakarta.enterprise.inject.spi.AfterBeanDiscovery;
import jakarta.enterprise.inject.spi.BeanManager;
import jakarta.enterprise.inject.spi.BeforeBeanDiscovery;
import jakarta.enterprise.inject.spi.DefinitionException;
import jakarta.enterprise.inject.spi.Extension;
import jakarta.enterprise.inject.spi.ProcessAnnotatedType;
import jakarta.enterprise.inject.spi.ProcessBean;
import jakarta.enterprise.inject.spi.ProcessBeanAttributes;
import jakarta.enterprise.inject.spi.ProcessProducer;
import jakarta.enterprise.inject.spi.Producer;
import jakarta.enterprise.inject.spi.WithAnnotations;
import jakarta.enterprise.inject.spi.configurator.BeanConfigurator;
import jakarta.security.enterprise.authentication.mechanism.http.HttpAuthenticationMechanism;
import jakarta.security.enterprise.identitystore.IdentityStore;
import jakarta.security.enterprise.identitystore.IdentityStoreHandler;
import java.lang.annotation.Annotation;
import java.util.Objects;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.eclipse.microprofile.config.ConfigProvider;

/* loaded from: input_file:fish/payara/security/openid/OpenIdExtension.class */
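/**
 * CDI portable extension that wires up OpenID Connect authentication.
 *
 * <p>During bean discovery it looks for a type annotated with
 * {@link OpenIdAuthenticationDefinition}, {@link GoogleAuthenticationDefinition} or
 * {@link AzureAuthenticationDefinition}, keeps the first definition it sees, and, if the
 * annotated class turns out to be an active bean, registers the OpenID
 * {@link HttpAuthenticationMechanism} and the two {@link IdentityStore} beans.
 *
 * <p>Only one definition is ever honoured per extension instance. Deployments should carry
 * exactly one definition annotation, because the identity provider that ends up being trusted
 * is the one whose event reaches {@code setDefinition} first.
 */
public class OpenIdExtension implements Extension {
    private static final Logger LOGGER = Logger.getLogger(OpenIdExtension.class.getName());

    // The definition that was accepted (first one observed), or null if none was found.
    private OpenIdAuthenticationDefinition definition;
    // Class that carried the accepted definition annotation.
    private Class<?> definitionSource;
    // True once a ProcessBean event was seen whose base type equals definitionSource.
    private boolean definitionActive;
    // Producer of the IdentityStoreHandler marked with @InjectionWorkaround, if one was observed.
    private Producer<IdentityStoreHandler> storeHandlerWorkaroundProducer;

    /**
     * Registers the connector's controllers, identity stores and authentication mechanism as
     * annotated types so the container discovers them.
     *
     * @param beforeBeanDiscovery container lifecycle event
     */
    protected void registerTypes(@Observes BeforeBeanDiscovery beforeBeanDiscovery) {
        registerTypes(
                beforeBeanDiscovery,
                AuthenticationController.class,
                ConfigurationController.class,
                NonceController.class,
                ProviderMetadataContoller.class,
                StateController.class,
                TokenController.class,
                UserInfoController.class,
                OpenIdContextImpl.class,
                OpenIdIdentityStore.class,
                AccessTokenIdentityStore.class,
                OpenIdAuthenticationMechanism.class,
                JWTValidator.class);
    }

    /** Adds each class as an annotated type, using its fully qualified name as the id. */
    private void registerTypes(BeforeBeanDiscovery beforeBeanDiscovery, Class<?>... types) {
        for (Class<?> type : types) {
            beforeBeanDiscovery.addAnnotatedType(type, type.getName());
        }
    }

    /**
     * Picks up a generic {@link OpenIdAuthenticationDefinition} from a discovered type.
     *
     * @param event the annotated-type event delivered by the container
     */
    protected void findOpenIdDefinitionAnnotation(
            @WithAnnotations({OpenIdAuthenticationDefinition.class}) @Observes ProcessAnnotatedType<?> event) {
        // NOTE(review): getAnnotation() only inspects the type itself; if the container delivers
        // this event for a type that carries the annotation elsewhere, the value here is null and
        // setDefinition fails with a NullPointerException - confirm that is the intended outcome.
        OpenIdAuthenticationDefinition found =
                event.getAnnotatedType().getAnnotation(OpenIdAuthenticationDefinition.class);
        setDefinition(found, event.getAnnotatedType().getJavaClass(), "Generic");
    }

    /**
     * Stores the definition if none has been stored yet.
     *
     * <p>The first definition wins. Any later one is ignored with a warning and is not validated.
     * Nothing in this class orders the events, so with several annotated classes the winner is
     * whichever the container reports first.
     *
     * @param candidate the definition to store
     * @param source the class the definition was found on
     * @param flavour label used in the activation log message ("Generic", "Google", "Azure")
     * @throws DefinitionException if an extra parameter is not of the form {@code key=value}
     */
    private void setDefinition(OpenIdAuthenticationDefinition candidate, Class<?> source, String flavour) {
        if (this.definition != null) {
            LOGGER.warning("Multiple authentication definition found. Will ignore the definition in " + source);
            return;
        }
        // Validate before assigning so a malformed definition is never stored.
        validateExtraParametersFormat(candidate);
        this.definitionSource = source;
        this.definition = candidate;
        LOGGER.log(
                Level.INFO,
                "Activating {0} OpenID Connect authentication definition from class {1}",
                new Object[] {flavour, source.getName()});
    }

    /**
     * Picks up a {@link GoogleAuthenticationDefinition} and converts it to the generic form.
     *
     * @param event the annotated-type event delivered by the container
     */
    protected void findGoogleDefinitionAnnotation(
            @WithAnnotations({GoogleAuthenticationDefinition.class}) @Observes ProcessAnnotatedType<?> event) {
        GoogleAuthenticationDefinition found =
                event.getAnnotatedType().getAnnotation(GoogleAuthenticationDefinition.class);
        setDefinition(
                GoogleDefinitionConverter.toOpenIdAuthDefinition(found),
                event.getAnnotatedType().getJavaClass(),
                "Google");
    }

    /**
     * Picks up an {@link AzureAuthenticationDefinition} and converts it to the generic form.
     *
     * @param event the annotated-type event delivered by the container
     */
    protected void findAzureDefinitionAnnotation(
            @WithAnnotations({AzureAuthenticationDefinition.class}) @Observes ProcessAnnotatedType<?> event) {
        AzureAuthenticationDefinition found =
                event.getAnnotatedType().getAnnotation(AzureAuthenticationDefinition.class);
        setDefinition(
                AzureDefinitionConverter.toOpenIdAuthDefinition(found),
                event.getAnnotatedType().getJavaClass(),
                "Azure");
    }

    /**
     * Checks that every entry of {@code extraParameters()} splits into exactly two parts on
     * {@code '='}.
     *
     * <p>Because {@link String#split(String)} drops trailing empty strings, {@code "key="} and
     * {@code "a=b=c"} are rejected, while {@code "=value"} (empty key) and {@code "a=b="} pass.
     * This check does not reject an empty key; code that consumes the parameters has to cope
     * with that.
     *
     * @param openIdAuthenticationDefinition the definition to validate
     * @throws DefinitionException if an entry is not of the form {@code key=value}
     */
    protected void validateExtraParametersFormat(OpenIdAuthenticationDefinition openIdAuthenticationDefinition) {
        for (String extraParameter : openIdAuthenticationDefinition.extraParameters()) {
            String[] parts = extraParameter.split("=");
            if (parts.length != 2) {
                throw new DefinitionException(
                        OpenIdAuthenticationDefinition.class.getSimpleName()
                                + ".extraParameters() value '"
                                + extraParameter
                                + "' is not of the format key=value");
            }
        }
    }

    /**
     * Marks the definition as active once the class that carries it is seen as a bean.
     *
     * @param processBean the bean event delivered by the container
     */
    protected void watchActiveBeans(@Observes ProcessBean<?> processBean) {
        if (this.definitionSource != null
                && this.definitionSource.equals(processBean.getAnnotated().getBaseType())) {
            this.definitionActive = true;
        }
    }

    /**
     * Remembers the producer of an {@link IdentityStoreHandler} whose member is annotated with
     * {@code InjectionWorkaround}.
     *
     * @param processProducer the producer event delivered by the container
     */
    protected void watchForInjectionWorkaround(
            @Any @Observes ProcessProducer<?, IdentityStoreHandler> processProducer) {
        if (processProducer.getAnnotatedMember().isAnnotationPresent(InjectionWorkaround.class)) {
            this.storeHandlerWorkaroundProducer = processProducer.getProducer();
        }
    }

    /**
     * Switches {@link ConfigurationController} to session scope when the MicroProfile Config
     * property {@code OPENID_MP_SESSION_SCOPED_CONFIGURATION} is true.
     *
     * <p>A value that cannot be converted to a boolean is logged and treated as false, so the
     * bean's scope is left unchanged.
     *
     * @param processBeanAttributes the bean-attributes event for the configuration controller
     */
    protected void redefineConfigControllerScope(
            @Observes ProcessBeanAttributes<ConfigurationController> processBeanAttributes) {
        boolean sessionScoped = false;
        try {
            sessionScoped = ConfigProvider.getConfig()
                    .getOptionalValue(OpenIdAuthenticationDefinition.OPENID_MP_SESSION_SCOPED_CONFIGURATION, boolean.class)
                    .orElse(false);
        } catch (IllegalArgumentException e) {
            // Keep the cause in the log so the offending value can be diagnosed.
            LOGGER.log(
                    Level.WARNING,
                    "The value of payara.security.openid.sessionScopedConfiguration is not a boolean value. The OpenID connector will be configured only once for all requests.",
                    e);
        }
        if (sessionScoped) {
            LOGGER.info("Using per-session OpenIdConfiguration");
            processBeanAttributes.configureBeanAttributes().scope(SessionScoped.class);
        }
    }

    /**
     * Registers the synthetic beans once discovery has finished.
     *
     * <p>If no active definition was found, only a {@code @Dependent} definition bean that
     * produces {@code null} is registered, and neither the authentication mechanism nor the
     * identity stores are added by this extension. Otherwise the mechanism, both identity stores
     * and the accepted definition are registered as application-scoped beans.
     *
     * @param afterBeanDiscovery container lifecycle event used to add beans
     * @param beanManager used to check whether the workaround handler bean already exists
     */
    protected void registerDefinition(@Observes AfterBeanDiscovery afterBeanDiscovery, BeanManager beanManager) {
        if (!this.definitionActive) {
            afterBeanDiscovery.addBean()
                    .beanClass(OpenIdAuthenticationDefinition.class)
                    .types(OpenIdAuthenticationDefinition.class)
                    .scope(Dependent.class)
                    .id("Null OpenId Definition")
                    .createWith(creationalContext -> null);
            return;
        }

        final String idPrefix = OpenIdExtension.class.getName();

        afterBeanDiscovery.addBean()
                .beanClass(HttpAuthenticationMechanism.class)
                .addType(HttpAuthenticationMechanism.class)
                .id(idPrefix + "/OpenIdAuthenticationMechanism")
                .scope(ApplicationScoped.class)
                .produceWith(lookup -> lookup.select(OpenIdAuthenticationMechanism.class).get())
                .disposeWith((mechanism, lookup) -> lookup.destroy(mechanism));

        afterBeanDiscovery.addBean()
                .beanClass(IdentityStore.class)
                .addType(IdentityStore.class)
                .id(idPrefix + "/OpenIdIdentityStore")
                .scope(ApplicationScoped.class)
                .produceWith(lookup -> lookup.select(OpenIdIdentityStore.class).get())
                .disposeWith((store, lookup) -> lookup.destroy(store));

        afterBeanDiscovery.addBean()
                .beanClass(IdentityStore.class)
                .addType(IdentityStore.class)
                .id(idPrefix + "/AccessTokenIdentityStore")
                .scope(ApplicationScoped.class)
                .produceWith(lookup -> lookup.select(AccessTokenIdentityStore.class).get())
                .disposeWith((store, lookup) -> lookup.destroy(store));

        afterBeanDiscovery.addBean()
                .beanClass(OpenIdAuthenticationDefinition.class)
                .types(OpenIdAuthenticationDefinition.class)
                .scope(ApplicationScoped.class)
                .id("OpenId Definition")
                .createWith(creationalContext -> this.definition);

        // Only add the qualified IdentityStoreHandler when a workaround producer was observed
        // and no bean with that qualifier exists already.
        final Producer<IdentityStoreHandler> producer = this.storeHandlerWorkaroundProducer;
        if (producer == null
                || !beanManager.getBeans(IdentityStoreHandler.class, InjectionWorkaround.LITERAL).isEmpty()) {
            return;
        }
        afterBeanDiscovery.addBean()
                .beanClass(IdentityStoreHandler.class)
                .types(IdentityStoreHandler.class)
                .addQualifier(InjectionWorkaround.LITERAL)
                .createWith(producer::produce)
                .destroyWith((handler, creationalContext) -> producer.dispose(handler));
    }
}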
