package io.quarkus.grpc.auth;

import io.grpc.Metadata;
import io.grpc.ServerCall;
import io.grpc.ServerCallHandler;
import io.grpc.ServerInterceptor;
import io.quarkus.grpc.GlobalInterceptor;
import io.quarkus.security.AuthenticationFailedException;
import io.quarkus.security.identity.CurrentIdentityAssociation;
import io.quarkus.security.identity.IdentityProviderManager;
import io.quarkus.security.identity.SecurityIdentity;
import io.quarkus.security.identity.request.AuthenticationRequest;
import io.quarkus.security.spi.runtime.AuthenticationFailureEvent;
import io.quarkus.security.spi.runtime.AuthenticationSuccessEvent;
import io.quarkus.security.spi.runtime.SecurityEventHelper;
import io.quarkus.vertx.core.runtime.context.VertxContextSafetyToggle;
import io.quarkus.vertx.http.runtime.security.QuarkusHttpUser;
import io.smallrye.common.vertx.VertxContext;
import io.smallrye.mutiny.Uni;
import io.vertx.core.Context;
import io.vertx.core.Handler;
import io.vertx.core.Vertx;
import io.vertx.ext.web.RoutingContext;
import jakarta.enterprise.event.Event;
import jakarta.enterprise.inject.Instance;
import jakarta.enterprise.inject.spi.BeanManager;
import jakarta.enterprise.inject.spi.Prioritized;
import jakarta.inject.Inject;
import jakarta.inject.Singleton;
import java.util.ArrayList;
import java.util.Comparator;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.concurrent.Executor;
import java.util.function.Consumer;
import org.eclipse.microprofile.config.inject.ConfigProperty;
import org.jboss.logging.Logger;

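/**
 * gRPC server interceptor that associates a {@link SecurityIdentity} with each incoming call.
 *
 * <p>For every call the registered {@link GrpcSecurityMechanism}s are consulted in ascending
 * {@code getPriority()} order. The first one that handles the metadata and yields a non-null
 * {@link AuthenticationRequest} wins: the request is passed to the {@link IdentityProviderManager}
 * and the resulting {@link Uni} is stored in the {@link CurrentIdentityAssociation}. When no
 * mechanism set an identity and {@code quarkus.grpc.server.use-separate-server} is {@code false},
 * the identity previously stored on the Vert.x duplicated context by
 * {@link #propagateSecurityIdentityWithDuplicatedCtx(RoutingContext)} is used instead.
 *
 * <p>This class never rejects a call itself: {@code startCall} is invoked unconditionally, even
 * when the identity was set to a failed {@code Uni}. Enforcement is left to whatever consumes the
 * {@code CurrentIdentityAssociation} later, which is not visible in this file.
 *
 * <p>This listing is decompiler output (see the JADX markers), so constructor parameter names are
 * synthetic.
 */
@GlobalInterceptor
@Singleton
/* loaded from: input_file:io/quarkus/grpc/auth/GrpcSecurityInterceptor.class */
public final class GrpcSecurityInterceptor implements ServerInterceptor, Prioritized {
    private static final Logger log = Logger.getLogger(GrpcSecurityInterceptor.class);

    /** Context-local key under which an already resolved {@link SecurityIdentity} is stored. */
    private static final String IDENTITY_KEY = "io.quarkus.grpc.auth.identity";

    /**
     * Context-local key under which a deferred identity ({@code Uni}) is stored. The literal is
     * copied from the decompiled class; presumably a constant of the HTTP extension that the
     * compiler inlined - confirm against the upstream source.
     */
    private static final String DEFERRED_IDENTITY_KEY = "io.quarkus.vertx.http.deferred-identity";

    private final IdentityProviderManager identityProviderManager;
    private final CurrentIdentityAssociation identityAssociation;
    // Stays null when no AuthExceptionHandlerProvider bean is available; interceptCall
    // dereferences it without a check.
    private final AuthExceptionHandlerProvider exceptionHandlerProvider;
    // null (not empty) when no GrpcSecurityMechanism bean is available.
    private final List<GrpcSecurityMechanism> securityMechanisms;
    // Service name -> full method names; filled by init().
    private final Map<String, List<String>> serviceToBlockingMethods = new HashMap<>();
    // Written by init(), read on every call, not volatile.
    // NOTE(review): presumably init() completes before any call is served - confirm.
    private boolean hasBlockingMethods = false;
    private final boolean notUsingSeparateGrpcServer;
    private final SecurityEventHelper<AuthenticationSuccessEvent, AuthenticationFailureEvent> securityEventHelper;

    /**
     * Wires the interceptor from CDI.
     *
     * @param currentIdentityAssociation holder that receives the identity for the current call
     * @param identityProviderManager performs the authentication of a request
     * @param instance all available security mechanisms; sorted ascending by priority
     * @param instance2 all available exception handler providers; the one with the highest
     *        priority is kept, the first one seen winning a tie
     * @param z value of {@code quarkus.grpc.server.use-separate-server}
     * @param z2 value of {@code quarkus.security.events.enabled}
     * @param beanManager passed through to the {@link SecurityEventHelper}
     * @param event CDI event used for authentication failures
     * @param event2 CDI event used for authentication successes
     */
    @Inject
    public GrpcSecurityInterceptor(CurrentIdentityAssociation currentIdentityAssociation, IdentityProviderManager identityProviderManager, Instance<GrpcSecurityMechanism> instance, Instance<AuthExceptionHandlerProvider> instance2, @ConfigProperty(name = "quarkus.grpc.server.use-separate-server") boolean z, @ConfigProperty(name = "quarkus.security.events.enabled") boolean z2, BeanManager beanManager, Event<AuthenticationFailureEvent> event, Event<AuthenticationSuccessEvent> event2) {
        this.securityEventHelper = new SecurityEventHelper<>(event2, event, SecurityEventHelper.AUTHENTICATION_SUCCESS, SecurityEventHelper.AUTHENTICATION_FAILURE, beanManager, z2);
        this.identityAssociation = currentIdentityAssociation;
        this.identityProviderManager = identityProviderManager;
        this.notUsingSeparateGrpcServer = !z;

        AuthExceptionHandlerProvider selected = null;
        for (AuthExceptionHandlerProvider candidate : instance2) {
            if (selected == null || selected.getPriority() < candidate.getPriority()) {
                selected = candidate;
            }
        }
        this.exceptionHandlerProvider = selected;

        List<GrpcSecurityMechanism> mechanisms = new ArrayList<>();
        for (GrpcSecurityMechanism mechanism : instance) {
            mechanisms.add(mechanism);
        }
        if (mechanisms.isEmpty()) {
            this.securityMechanisms = null;
        } else {
            mechanisms.sort(Comparator.comparing(GrpcSecurityMechanism::getPriority));
            this.securityMechanisms = mechanisms;
        }
    }

    /**
     * Sets the identity for the call and then starts it through the exception handler.
     *
     * <p>An exception thrown while a mechanism prepares its request is logged and remembered; the
     * loop then tries the next mechanism. Only if the loop ends with a remembered exception is the
     * identity set to a {@code Uni} failing with {@link AuthenticationFailedException}.
     *
     * @param serverCall the call being intercepted
     * @param metadata request headers the mechanisms inspect
     * @param serverCallHandler next handler in the chain
     * @return the listener produced by the selected {@link AuthExceptionHandlerProvider}
     */
    @Override
    public <ReqT, RespT> ServerCall.Listener<ReqT> interceptCall(ServerCall<ReqT, RespT> serverCall, Metadata metadata, ServerCallHandler<ReqT, RespT> serverCallHandler) {
        boolean identityNotSet = true;
        if (this.securityMechanisms != null) {
            Exception lastError = null;
            for (GrpcSecurityMechanism mechanism : this.securityMechanisms) {
                if (!mechanism.handles(metadata)) {
                    continue;
                }
                try {
                    AuthenticationRequest request = mechanism.createAuthenticationRequest(metadata);
                    // Thread and context are sampled here, on the intercepting thread, because the
                    // authentication result may be produced on a different one.
                    Context callerContext = Vertx.currentContext();
                    boolean onEventLoop = Context.isOnEventLoopThread();
                    boolean blockingMethod = isBlockingMethod(serverCall);
                    if (request == null) {
                        continue;
                    }
                    this.identityAssociation.setIdentity(authenticate(request, callerContext, onEventLoop, blockingMethod));
                    lastError = null;
                    identityNotSet = false;
                    break;
                } catch (Exception e) {
                    lastError = e;
                    log.warn("Failed to prepare AuthenticationRequest for a gRPC call", e);
                }
            }
            if (lastError != null) {
                AuthenticationFailedException failure = new AuthenticationFailedException("Failed to parse authentication data", lastError);
                if (this.securityEventHelper.fireEventOnFailure()) {
                    this.securityEventHelper.fireFailureEvent(new AuthenticationFailureEvent(failure, (Map) null));
                }
                this.identityAssociation.setIdentity(Uni.createFrom().failure(failure));
            }
        }
        // NOTE(review): identityNotSet is still true after a parse failure, so when gRPC shares the
        // HTTP server an identity found on the Vert.x context replaces the failed Uni set just
        // above. Confirm this precedence is intended.
        if (identityNotSet && this.notUsingSeparateGrpcServer) {
            Context capturedVertxContext = getCapturedVertxContext();
            if (capturedVertxContext != null) {
                Object resolved = capturedVertxContext.getLocal(IDENTITY_KEY);
                if (resolved != null) {
                    this.identityAssociation.setIdentity((SecurityIdentity) resolved);
                } else {
                    Object deferred = capturedVertxContext.getLocal(DEFERRED_IDENTITY_KEY);
                    if (deferred != null) {
                        // Written by propagateSecurityIdentityWithDuplicatedCtx; the original cast
                        // this value to a raw Uni.
                        @SuppressWarnings("unchecked")
                        Uni<SecurityIdentity> deferredIdentity = (Uni<SecurityIdentity>) deferred;
                        this.identityAssociation.setIdentity(deferredIdentity);
                    }
                }
            }
        }
        ServerCall.Listener<ReqT> listener = serverCallHandler.startCall(serverCall, metadata);
        return this.exceptionHandlerProvider.createHandler(listener, serverCall, metadata);
    }

    /** Tells whether the called method was registered through {@link #init(Map)}. */
    private boolean isBlockingMethod(ServerCall<?, ?> serverCall) {
        if (!this.hasBlockingMethods) {
            return false;
        }
        List<String> blockingMethods = this.serviceToBlockingMethods.get(serverCall.getMethodDescriptor().getServiceName());
        return blockingMethods != null && blockingMethods.contains(serverCall.getMethodDescriptor().getFullMethodName());
    }

    /**
     * Builds the authentication {@code Uni} and attaches the optional security events.
     *
     * <p>The result is emitted inline unless the call was intercepted on an event-loop thread and
     * targets a method not registered as blocking; in that case it is re-dispatched on the
     * caller's Vert.x context.
     */
    private Uni<SecurityIdentity> authenticate(AuthenticationRequest request, Context callerContext, boolean onEventLoop, boolean blockingMethod) {
        Uni<SecurityIdentity> identity = this.identityProviderManager.authenticate(request).emitOn(task -> {
            if (!onEventLoop || blockingMethod) {
                task.run();
            } else {
                callerContext.runOnContext(ignored -> task.run());
            }
        });
        if (this.securityEventHelper.fireEventOnSuccess()) {
            identity = identity.invoke(authenticated -> this.securityEventHelper.fireSuccessEvent(new AuthenticationSuccessEvent(authenticated, (Map) null)));
        }
        if (this.securityEventHelper.fireEventOnFailure()) {
            identity = identity.onFailure().invoke(failure -> this.securityEventHelper.fireFailureEvent(new AuthenticationFailureEvent(failure, (Map) null)));
        }
        return identity;
    }

    /**
     * Returns the priority reported through {@link Prioritized}.
     *
     * @return {@code Integer.MAX_VALUE - 100}
     */
    @Override
    public int getPriority() {
        return Integer.MAX_VALUE - 100;
    }

    /**
     * Registers the blocking methods per service and switches the blocking-method lookup on.
     *
     * <p>JADX reports that this method was package-private in the original class.
     *
     * @param map service name to full method names; its entries are copied
     */
    public void init(Map<String, List<String>> map) {
        this.serviceToBlockingMethods.putAll(map);
        this.hasBlockingMethods = true;
    }

    /**
     * Stores the identity of an HTTP request on the current Vert.x duplicated context so that
     * {@code interceptCall} can pick it up.
     *
     * <p>A {@link QuarkusHttpUser} contributes its resolved identity; otherwise the deferred
     * identity from {@code QuarkusHttpUser.getSecurityIdentity} is stored. {@code interceptCall}
     * casts and uses whatever sits under these two keys, so nothing else should write to them.
     * Nothing is stored when no safe duplicated context is available.
     *
     * @param routingContext the HTTP request whose identity is propagated
     */
    public static void propagateSecurityIdentityWithDuplicatedCtx(RoutingContext routingContext) {
        // Resolved once: every failed lookup logs a warning.
        Context capturedVertxContext = getCapturedVertxContext();
        if (capturedVertxContext == null) {
            return;
        }
        Object user = routingContext.user();
        if (user instanceof QuarkusHttpUser) {
            capturedVertxContext.putLocal(IDENTITY_KEY, ((QuarkusHttpUser) user).getSecurityIdentity());
        } else {
            capturedVertxContext.putLocal(DEFERRED_IDENTITY_KEY, QuarkusHttpUser.getSecurityIdentity(routingContext, (IdentityProviderManager) null));
        }
    }

    /**
     * Returns the current Vert.x context if it is a duplicated context that is not explicitly
     * marked as unsafe; otherwise logs a warning and returns {@code null}.
     */
    private static Context getCapturedVertxContext() {
        Context current = Vertx.currentContext();
        boolean usable = current != null
                && VertxContext.isDuplicatedContext(current)
                && !VertxContextSafetyToggle.isExplicitlyMarkedAsUnsafe(current);
        if (!usable) {
            log.warn("Unable to prepare request authentication - authentication must run on Vert.x duplicated context");
            return null;
        }
        return current;
    }
}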
