package io.quarkus.oidc.deployment;

import io.quarkus.arc.deployment.AdditionalBeanBuildItem;
import io.quarkus.arc.deployment.BeanDiscoveryFinishedBuildItem;
import io.quarkus.arc.deployment.BeanRegistrationPhaseBuildItem;
import io.quarkus.arc.deployment.InjectionPointTransformerBuildItem;
import io.quarkus.arc.deployment.QualifierRegistrarBuildItem;
import io.quarkus.arc.deployment.SyntheticBeanBuildItem;
import io.quarkus.arc.deployment.SyntheticBeansRuntimeInitBuildItem;
import io.quarkus.arc.processor.Annotations;
import io.quarkus.arc.processor.BeanInfo;
import io.quarkus.arc.processor.BuildExtension;
import io.quarkus.arc.processor.BuiltinScope;
import io.quarkus.arc.processor.DotNames;
import io.quarkus.arc.processor.InjectionPointInfo;
import io.quarkus.arc.processor.InjectionPointsTransformer;
import io.quarkus.arc.processor.QualifierRegistrar;
import io.quarkus.deployment.Capabilities;
import io.quarkus.deployment.Feature;
import io.quarkus.deployment.annotations.BuildProducer;
import io.quarkus.deployment.annotations.BuildStep;
import io.quarkus.deployment.annotations.BuildSteps;
import io.quarkus.deployment.annotations.Consume;
import io.quarkus.deployment.annotations.ExecutionTime;
import io.quarkus.deployment.annotations.Record;
import io.quarkus.deployment.builditem.CombinedIndexBuildItem;
import io.quarkus.deployment.builditem.ExtensionSslNativeSupportBuildItem;
import io.quarkus.deployment.builditem.RunTimeConfigurationDefaultBuildItem;
import io.quarkus.deployment.builditem.SystemPropertyBuildItem;
import io.quarkus.deployment.builditem.nativeimage.ReflectiveClassBuildItem;
import io.quarkus.oidc.AuthorizationCodeFlow;
import io.quarkus.oidc.BearerTokenAuthentication;
import io.quarkus.oidc.IdToken;
import io.quarkus.oidc.Tenant;
import io.quarkus.oidc.TenantFeature;
import io.quarkus.oidc.TenantIdentityProvider;
import io.quarkus.oidc.TokenIntrospectionCache;
import io.quarkus.oidc.UserInfo;
import io.quarkus.oidc.UserInfoCache;
import io.quarkus.oidc.runtime.BackChannelLogoutHandler;
import io.quarkus.oidc.runtime.DefaultTenantConfigResolver;
import io.quarkus.oidc.runtime.DefaultTokenIntrospectionUserInfoCache;
import io.quarkus.oidc.runtime.DefaultTokenStateManager;
import io.quarkus.oidc.runtime.OidcAuthenticationMechanism;
import io.quarkus.oidc.runtime.OidcConfig;
import io.quarkus.oidc.runtime.OidcConfigurationMetadataProducer;
import io.quarkus.oidc.runtime.OidcIdentityProvider;
import io.quarkus.oidc.runtime.OidcJsonWebTokenProducer;
import io.quarkus.oidc.runtime.OidcRecorder;
import io.quarkus.oidc.runtime.OidcSessionImpl;
import io.quarkus.oidc.runtime.OidcTokenCredentialProducer;
import io.quarkus.oidc.runtime.TenantConfigBean;
import io.quarkus.oidc.runtime.providers.AzureAccessTokenCustomizer;
import io.quarkus.tls.TlsRegistryBuildItem;
import io.quarkus.vertx.core.deployment.CoreVertxBuildItem;
import io.quarkus.vertx.http.deployment.EagerSecurityInterceptorBindingBuildItem;
import io.quarkus.vertx.http.deployment.HttpAuthMechanismAnnotationBuildItem;
import io.quarkus.vertx.http.deployment.SecurityInformationBuildItem;
import io.quarkus.vertx.http.runtime.HttpBuildTimeConfig;
import io.smallrye.jwt.auth.cdi.ClaimValueProducer;
import io.smallrye.jwt.auth.cdi.CommonJwtProducer;
import io.smallrye.jwt.auth.cdi.JsonValueProducer;
import io.smallrye.jwt.auth.cdi.RawClaimTypeProducer;
import jakarta.enterprise.context.RequestScoped;
import jakarta.inject.Singleton;
import java.util.Collection;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.function.BooleanSupplier;
import org.eclipse.microprofile.jwt.Claim;
import org.eclipse.microprofile.jwt.ClaimValue;
import org.eclipse.microprofile.jwt.JsonWebToken;
import org.jboss.jandex.AnnotationInstance;
import org.jboss.jandex.AnnotationTarget;
import org.jboss.jandex.AnnotationValue;
import org.jboss.jandex.DotName;
import org.jboss.jandex.Type;
import org.jboss.logging.Logger;

@BuildSteps(onlyIf = {IsEnabled.class})
/* loaded from: input_file:io/quarkus/oidc/deployment/OidcBuildStep.class */
public class OidcBuildStep {
    private static final DotName CLAIM_NAME = DotName.createSimple(Claim.class.getName());
    private static final DotName CLAIM_VALUE_NAME = DotName.createSimple(ClaimValue.class);
    private static final DotName REQUEST_SCOPED_NAME = DotName.createSimple(RequestScoped.class);
    private static final Set<DotName> ALL_PROVIDER_NAMES = Set.of(DotNames.PROVIDER, DotNames.INSTANCE, DotNames.INJECTABLE_INSTANCE);
    private static final DotName TENANT_NAME = DotName.createSimple(Tenant.class);
    private static final DotName TENANT_FEATURE_NAME = DotName.createSimple(TenantFeature.class);
    private static final DotName TENANT_IDENTITY_PROVIDER_NAME = DotName.createSimple(TenantIdentityProvider.class);
    private static final Logger LOG = Logger.getLogger(OidcBuildStep.class);
    private static final DotName USER_INFO_NAME = DotName.createSimple(UserInfo.class);
    private static final DotName JSON_WEB_TOKEN_NAME = DotName.createSimple(JsonWebToken.class);
    private static final DotName ID_TOKEN_NAME = DotName.createSimple(IdToken.class);
    private static final String QUARKUS_TOKEN_PROPAGATION_PACKAGE = "io.quarkus.oidc.token.propagation";
    private static final String SMALLRYE_JWT_PACKAGE = "io.smallrye.jwt";

    /* loaded from: input_file:io/quarkus/oidc/deployment/OidcBuildStep$IsCacheEnabled.class */
    public static class IsCacheEnabled implements BooleanSupplier {
        OidcBuildTimeConfig config;

        @Override // java.util.function.BooleanSupplier
        public boolean getAsBoolean() {
            return this.config.enabled && this.config.defaultTokenCacheEnabled;
        }
    }

    /* loaded from: input_file:io/quarkus/oidc/deployment/OidcBuildStep$IsEnabled.class */
    public static class IsEnabled implements BooleanSupplier {
        OidcBuildTimeConfig config;

        @Override // java.util.function.BooleanSupplier
        public boolean getAsBoolean() {
            return this.config.enabled;
        }
    }

    @BuildStep
    public void provideSecurityInformation(BuildProducer<SecurityInformationBuildItem> buildProducer) {
        buildProducer.produce(SecurityInformationBuildItem.OPENIDCONNECT("quarkus.oidc.auth-server-url"));
    }

    @BuildStep
    void checkClaim(BeanRegistrationPhaseBuildItem beanRegistrationPhaseBuildItem, BuildProducer<BeanRegistrationPhaseBuildItem.BeanConfiguratorBuildItem> buildProducer) {
        for (InjectionPointInfo injectionPointInfo : (Collection) beanRegistrationPhaseBuildItem.getContext().get(BuildExtension.Key.INJECTION_POINTS)) {
            if (!injectionPointInfo.hasDefaultedQualifier() && injectionPointInfo.getRequiredQualifier(CLAIM_NAME) != null) {
                Type requiredType = injectionPointInfo.getRequiredType();
                Optional targetBean = injectionPointInfo.getTargetBean();
                if (targetBean.isPresent() && !REQUEST_SCOPED_NAME.equals(((BeanInfo) targetBean.get()).getScope().getDotName()) && !ALL_PROVIDER_NAMES.contains(injectionPointInfo.getType().name()) && !CLAIM_VALUE_NAME.equals(requiredType.name())) {
                    throw new IllegalStateException(String.format("%s type can not be used to represent JWT claims in @Singleton or @ApplicationScoped beans, make the bean @RequestScoped or wrap this type with org.eclipse.microprofile.jwt.ClaimValue or jakarta.inject.Provider or jakarta.enterprise.inject.Instance", requiredType.name()));
                }
            }
        }
    }

    @BuildStep
    AdditionalBeanBuildItem jwtClaimIntegration(Capabilities capabilities) {
        if (capabilities.isPresent("io.quarkus.jwt")) {
            return null;
        }
        AdditionalBeanBuildItem.Builder builder = AdditionalBeanBuildItem.builder();
        builder.addBeanClass(CommonJwtProducer.class);
        builder.addBeanClass(RawClaimTypeProducer.class);
        builder.addBeanClass(JsonValueProducer.class);
        builder.addBeanClass(ClaimValueProducer.class);
        builder.addBeanClass(Claim.class);
        return builder.build();
    }

    @BuildStep
    public void additionalBeans(BuildProducer<AdditionalBeanBuildItem> buildProducer, BuildProducer<ReflectiveClassBuildItem> buildProducer2) {
        AdditionalBeanBuildItem.Builder unremovable = AdditionalBeanBuildItem.builder().setUnremovable();
        unremovable.addBeanClass(OidcAuthenticationMechanism.class).addBeanClass(OidcJsonWebTokenProducer.class).addBeanClass(OidcTokenCredentialProducer.class).addBeanClass(OidcConfigurationMetadataProducer.class).addBeanClass(OidcIdentityProvider.class).addBeanClass(DefaultTenantConfigResolver.class).addBeanClass(DefaultTokenStateManager.class).addBeanClass(OidcSessionImpl.class).addBeanClass(BackChannelLogoutHandler.class).addBeanClass(AzureAccessTokenCustomizer.class);
        buildProducer.produce(unremovable.build());
    }

    @BuildStep(onlyIf = {IsCacheEnabled.class})
    @Record(ExecutionTime.RUNTIME_INIT)
    public SyntheticBeanBuildItem addDefaultCacheBean(OidcConfig oidcConfig, OidcRecorder oidcRecorder, CoreVertxBuildItem coreVertxBuildItem) {
        return SyntheticBeanBuildItem.configure(DefaultTokenIntrospectionUserInfoCache.class).unremovable().types(new Class[]{DefaultTokenIntrospectionUserInfoCache.class, TokenIntrospectionCache.class, UserInfoCache.class}).supplier(oidcRecorder.setupTokenCache(oidcConfig, coreVertxBuildItem.getVertx())).scope(Singleton.class).setRuntimeInit().done();
    }

    @BuildStep
    ExtensionSslNativeSupportBuildItem enableSslInNative() {
        return new ExtensionSslNativeSupportBuildItem(Feature.OIDC);
    }

    @BuildStep
    QualifierRegistrarBuildItem addQualifiers() {
        return new QualifierRegistrarBuildItem(new QualifierRegistrar() { // from class: io.quarkus.oidc.deployment.OidcBuildStep.1
            public Map<DotName, Set<String>> getAdditionalQualifiers() {
                return Map.of(OidcBuildStep.TENANT_FEATURE_NAME, Set.of());
            }
        });
    }

    @BuildStep
    InjectionPointTransformerBuildItem makeTenantIdentityProviderInjectionPointsNamed() {
        return new InjectionPointTransformerBuildItem(new InjectionPointsTransformer() { // from class: io.quarkus.oidc.deployment.OidcBuildStep.2
            public boolean appliesTo(Type type) {
                return type.name().equals(OidcBuildStep.TENANT_IDENTITY_PROVIDER_NAME);
            }

            public void transform(InjectionPointsTransformer.TransformationContext transformationContext) {
                if (transformationContext.getTarget().kind() == AnnotationTarget.Kind.METHOD) {
                    transformationContext.getAllAnnotations().stream().filter(annotationInstance -> {
                        return OidcBuildStep.TENANT_NAME.equals(annotationInstance.name());
                    }).forEach(annotationInstance2 -> {
                        transformationContext.transform().add(AnnotationInstance.create(DotNames.NAMED, annotationInstance2.target(), new AnnotationValue[]{AnnotationValue.createStringValue("value", annotationInstance2.value().asString())})).done();
                    });
                    return;
                }
                AnnotationInstance find = Annotations.find(transformationContext.getAllAnnotations(), OidcBuildStep.TENANT_NAME);
                if (find == null || find.value() == null) {
                    return;
                }
                transformationContext.transform().add(DotNames.NAMED, new AnnotationValue[]{AnnotationValue.createStringValue("value", find.value().asString())}).done();
            }
        });
    }

    @BuildStep
    @Record(ExecutionTime.STATIC_INIT)
    void produceTenantIdentityProviders(BuildProducer<SyntheticBeanBuildItem> buildProducer, OidcRecorder oidcRecorder, BeanDiscoveryFinishedBuildItem beanDiscoveryFinishedBuildItem, CombinedIndexBuildItem combinedIndexBuildItem) {
        if (!combinedIndexBuildItem.getIndex().getAnnotations(TENANT_NAME).isEmpty()) {
            beanDiscoveryFinishedBuildItem.getInjectionPoints().stream().filter(OidcBuildStep::isTenantIdentityProviderType).filter(injectionPointInfo -> {
                return injectionPointInfo.getRequiredQualifier(DotNames.NAMED) != null;
            }).map(injectionPointInfo2 -> {
                return injectionPointInfo2.getRequiredQualifier(DotNames.NAMED).value().asString();
            }).distinct().forEach(str -> {
                buildProducer.produce(SyntheticBeanBuildItem.configure(TenantIdentityProvider.class).named(str).scope(BuiltinScope.APPLICATION.getInfo()).supplier(oidcRecorder.createTenantIdentityProvider(str)).unremovable().done());
            });
        }
        if (beanDiscoveryFinishedBuildItem.getInjectionPoints().stream().filter(injectionPointInfo3 -> {
            return injectionPointInfo3.getRequiredQualifier(DotNames.NAMED) == null;
        }).anyMatch(OidcBuildStep::isTenantIdentityProviderType)) {
            buildProducer.produce(SyntheticBeanBuildItem.configure(TenantIdentityProvider.class).scope(BuiltinScope.APPLICATION.getInfo()).addQualifier(DotNames.DEFAULT).alternative(true).priority(1).supplier(oidcRecorder.createTenantIdentityProvider("Default")).unremovable().done());
        }
    }

    private static boolean isTenantIdentityProviderType(InjectionPointInfo injectionPointInfo) {
        return TENANT_IDENTITY_PROVIDER_NAME.equals(injectionPointInfo.getRequiredType().name());
    }

    @BuildStep
    @Record(ExecutionTime.RUNTIME_INIT)
    public SyntheticBeanBuildItem setup(BeanRegistrationPhaseBuildItem beanRegistrationPhaseBuildItem, OidcConfig oidcConfig, OidcRecorder oidcRecorder, CoreVertxBuildItem coreVertxBuildItem, TlsRegistryBuildItem tlsRegistryBuildItem) {
        return SyntheticBeanBuildItem.configure(TenantConfigBean.class).unremovable().types(new Class[]{TenantConfigBean.class}).supplier(oidcRecorder.createTenantConfigBean(oidcConfig, coreVertxBuildItem.getVertx(), tlsRegistryBuildItem.registry(), detectUserInfoRequired(beanRegistrationPhaseBuildItem))).destroyer(TenantConfigBean.Destroyer.class).scope(Singleton.class).setRuntimeInit().done();
    }

    @BuildStep
    @Consume(SyntheticBeansRuntimeInitBuildItem.class)
    @Record(ExecutionTime.RUNTIME_INIT)
    void initTenantConfigBean(OidcRecorder oidcRecorder) {
        oidcRecorder.initTenantConfigBean();
    }

    @BuildStep
    @Record(ExecutionTime.STATIC_INIT)
    public void registerTenantResolverInterceptor(Capabilities capabilities, OidcRecorder oidcRecorder, HttpBuildTimeConfig httpBuildTimeConfig, CombinedIndexBuildItem combinedIndexBuildItem, BuildProducer<EagerSecurityInterceptorBindingBuildItem> buildProducer, BuildProducer<SystemPropertyBuildItem> buildProducer2) {
        if (httpBuildTimeConfig.auth.proactive) {
            return;
        }
        if ((capabilities.isPresent("io.quarkus.resteasy.reactive") || capabilities.isPresent("io.quarkus.resteasy")) && combinedIndexBuildItem.getIndex().getAnnotations(TENANT_NAME).stream().map((v0) -> {
            return v0.target();
        }).anyMatch(annotationTarget -> {
            return isMethodWithTenantAnnButNotInjPoint(annotationTarget) || annotationTarget.kind() == AnnotationTarget.Kind.CLASS;
        })) {
            buildProducer.produce(new EagerSecurityInterceptorBindingBuildItem(oidcRecorder.tenantResolverInterceptorCreator(), new DotName[]{TENANT_NAME}));
            buildProducer2.produce(new SystemPropertyBuildItem("io.quarkus.oidc.runtime.select-tenants-with-annotation", Boolean.TRUE.toString()));
        }
    }

    private static boolean isMethodWithTenantAnnButNotInjPoint(AnnotationTarget annotationTarget) {
        return (annotationTarget.kind() != AnnotationTarget.Kind.METHOD || annotationTarget.asMethod().isConstructor() || annotationTarget.hasAnnotation(DotNames.INJECT)) ? false : true;
    }

    private static boolean detectUserInfoRequired(BeanRegistrationPhaseBuildItem beanRegistrationPhaseBuildItem) {
        return isInjected(beanRegistrationPhaseBuildItem, USER_INFO_NAME, null);
    }

    @BuildStep
    void detectAccessTokenVerificationRequired(BeanRegistrationPhaseBuildItem beanRegistrationPhaseBuildItem, BuildProducer<RunTimeConfigurationDefaultBuildItem> buildProducer) {
        if (isInjected(beanRegistrationPhaseBuildItem, JSON_WEB_TOKEN_NAME, ID_TOKEN_NAME)) {
            buildProducer.produce(new RunTimeConfigurationDefaultBuildItem("quarkus.oidc.authentication.verify-access-token", "true"));
            buildProducer.produce(new RunTimeConfigurationDefaultBuildItem("quarkus.oidc.*.authentication.verify-access-token", "true"));
        }
    }

    @BuildStep
    List<HttpAuthMechanismAnnotationBuildItem> registerHttpAuthMechanismAnnotation() {
        return List.of(new HttpAuthMechanismAnnotationBuildItem(DotName.createSimple(AuthorizationCodeFlow.class), "code"), new HttpAuthMechanismAnnotationBuildItem(DotName.createSimple(BearerTokenAuthentication.class), "Bearer"));
    }

    private static boolean isInjected(BeanRegistrationPhaseBuildItem beanRegistrationPhaseBuildItem, DotName dotName, DotName dotName2) {
        for (InjectionPointInfo injectionPointInfo : beanRegistrationPhaseBuildItem.getInjectionPoints()) {
            if (dotName.equals(injectionPointInfo.getRequiredType().name()) && isApplicationPackage(injectionPointInfo.getTargetInfo()) && (dotName2 == null || injectionPointInfo.getRequiredQualifier(dotName2) == null)) {
                LOG.debugf("%s injection point: %s", dotName.toString(), injectionPointInfo.getTargetInfo());
                return true;
            }
        }
        return false;
    }

    private static boolean isApplicationPackage(String str) {
        return (str == null || str.startsWith(QUARKUS_TOKEN_PROPAGATION_PACKAGE) || str.startsWith(SMALLRYE_JWT_PACKAGE)) ? false : true;
    }
}
