package io.quarkus.security.deployment;

import io.quarkus.arc.deployment.AdditionalBeanBuildItem;
import io.quarkus.arc.deployment.AnnotationsTransformerBuildItem;
import io.quarkus.arc.deployment.BeanArchiveIndexBuildItem;
import io.quarkus.arc.deployment.InterceptorBindingRegistrarBuildItem;
import io.quarkus.arc.deployment.SyntheticBeanBuildItem;
import io.quarkus.deployment.Capability;
import io.quarkus.deployment.Feature;
import io.quarkus.deployment.annotations.BuildProducer;
import io.quarkus.deployment.annotations.BuildStep;
import io.quarkus.deployment.annotations.ExecutionTime;
import io.quarkus.deployment.annotations.Record;
import io.quarkus.deployment.builditem.ApplicationClassPredicateBuildItem;
import io.quarkus.deployment.builditem.CapabilityBuildItem;
import io.quarkus.deployment.builditem.FeatureBuildItem;
import io.quarkus.deployment.builditem.nativeimage.ReflectiveClassBuildItem;
import io.quarkus.deployment.builditem.nativeimage.RuntimeReinitializedClassBuildItem;
import io.quarkus.gizmo.MethodDescriptor;
import io.quarkus.gizmo.ResultHandle;
import io.quarkus.runtime.RuntimeValue;
import io.quarkus.security.runtime.IdentityProviderManagerCreator;
import io.quarkus.security.runtime.SecurityBuildTimeConfig;
import io.quarkus.security.runtime.SecurityCheckRecorder;
import io.quarkus.security.runtime.SecurityIdentityAssociation;
import io.quarkus.security.runtime.SecurityIdentityProxy;
import io.quarkus.security.runtime.SecurityProviderRecorder;
import io.quarkus.security.runtime.X509IdentityProvider;
import io.quarkus.security.runtime.interceptor.AuthenticatedInterceptor;
import io.quarkus.security.runtime.interceptor.DenyAllInterceptor;
import io.quarkus.security.runtime.interceptor.PermitAllInterceptor;
import io.quarkus.security.runtime.interceptor.RolesAllowedInterceptor;
import io.quarkus.security.runtime.interceptor.SecurityCheckStorage;
import io.quarkus.security.runtime.interceptor.SecurityConstrainer;
import io.quarkus.security.runtime.interceptor.SecurityHandler;
import io.quarkus.security.runtime.interceptor.check.SecurityCheck;
import io.quarkus.security.spi.AdditionalSecuredClassesBuildIem;
import io.quarkus.security.spi.runtime.AuthorizationController;
import java.io.IOException;
import java.lang.reflect.Modifier;
import java.net.URISyntaxException;
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.function.Function;
import javax.enterprise.context.ApplicationScoped;
import org.jboss.jandex.AnnotationInstance;
import org.jboss.jandex.AnnotationTarget;
import org.jboss.jandex.ClassInfo;
import org.jboss.jandex.DotName;
import org.jboss.jandex.IndexView;
import org.jboss.jandex.MethodInfo;
import org.jboss.jandex.Type;
import org.jboss.logging.Logger;

/* loaded from: input_file:io/quarkus/security/deployment/SecurityProcessor.class */
public class SecurityProcessor {
    private static final Logger log = Logger.getLogger(SecurityProcessor.class);
    SecurityConfig security;

    @BuildStep
    void produceJcaSecurityProviders(BuildProducer<JCAProviderBuildItem> buildProducer, BuildProducer<BouncyCastleProviderBuildItem> buildProducer2, BuildProducer<BouncyCastleJsseProviderBuildItem> buildProducer3) {
        for (String str : new HashSet(this.security.securityProviders.orElse(Collections.emptyList()))) {
            if ("BC".equals(str)) {
                buildProducer2.produce(new BouncyCastleProviderBuildItem());
            } else if ("BCJSSE".equals(str)) {
                buildProducer3.produce(new BouncyCastleJsseProviderBuildItem());
            } else if ("BCFIPS".equals(str)) {
                buildProducer2.produce(new BouncyCastleProviderBuildItem(true));
            } else if ("BCFIPSJSSE".equals(str)) {
                buildProducer3.produce(new BouncyCastleJsseProviderBuildItem(true));
            } else {
                buildProducer.produce(new JCAProviderBuildItem(str));
            }
            log.debugf("Added providerName: %s", str);
        }
    }

    @BuildStep
    void registerJCAProvidersForReflection(BuildProducer<ReflectiveClassBuildItem> buildProducer, List<JCAProviderBuildItem> list) throws IOException, URISyntaxException {
        Iterator<JCAProviderBuildItem> it = list.iterator();
        while (it.hasNext()) {
            for (String str : registerProvider(it.next().getProviderName())) {
                buildProducer.produce(new ReflectiveClassBuildItem(true, true, new String[]{str}));
                log.debugf("Register JCA class: %s", str);
            }
        }
    }

    @BuildStep
    void prepareBouncyCastleProviders(BuildProducer<ReflectiveClassBuildItem> buildProducer, BuildProducer<RuntimeReinitializedClassBuildItem> buildProducer2, Optional<BouncyCastleProviderBuildItem> optional, Optional<BouncyCastleJsseProviderBuildItem> optional2) throws Exception {
        if (optional2.isPresent()) {
            buildProducer.produce(new ReflectiveClassBuildItem(true, true, new String[]{"org.bouncycastle.jsse.provider.BouncyCastleJsseProvider"}));
            prepareBouncyCastleProvider(buildProducer, buildProducer2, optional2.get().isInFipsMode());
        } else if (optional.isPresent()) {
            prepareBouncyCastleProvider(buildProducer, buildProducer2, optional.get().isInFipsMode());
        }
    }

    private static void prepareBouncyCastleProvider(BuildProducer<ReflectiveClassBuildItem> buildProducer, BuildProducer<RuntimeReinitializedClassBuildItem> buildProducer2, boolean z) {
        String[] strArr = new String[1];
        strArr[0] = z ? "org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider" : "org.bouncycastle.jce.provider.BouncyCastleProvider";
        buildProducer.produce(new ReflectiveClassBuildItem(true, true, strArr));
        buildProducer.produce(new ReflectiveClassBuildItem(true, true, new String[]{"org.bouncycastle.jcajce.provider.asymmetric.rsa.PSSSignatureSpi"}));
        buildProducer.produce(new ReflectiveClassBuildItem(true, true, new String[]{"org.bouncycastle.jcajce.provider.asymmetric.rsa.PSSSignatureSpi$SHA256withRSA"}));
        buildProducer2.produce(new RuntimeReinitializedClassBuildItem("org.bouncycastle.crypto.CryptoServicesRegistrar"));
        if (z) {
            return;
        }
        buildProducer2.produce(new RuntimeReinitializedClassBuildItem("org.bouncycastle.jcajce.provider.drbg.DRBG$Default"));
        buildProducer2.produce(new RuntimeReinitializedClassBuildItem("org.bouncycastle.jcajce.provider.drbg.DRBG$NonceAndIV"));
    }

    @BuildStep
    @Record(ExecutionTime.STATIC_INIT)
    void recordBouncyCastleProviders(SecurityProviderRecorder securityProviderRecorder, Optional<BouncyCastleProviderBuildItem> optional, Optional<BouncyCastleJsseProviderBuildItem> optional2) {
        if (!optional2.isPresent()) {
            if (optional.isPresent()) {
                securityProviderRecorder.addBouncyCastleProvider(optional.get().isInFipsMode());
            }
        } else if (optional2.get().isInFipsMode()) {
            securityProviderRecorder.addBouncyCastleFipsJsseProvider();
        } else {
            securityProviderRecorder.addBouncyCastleJsseProvider();
        }
    }

    private List<String> registerProvider(String str) {
        ArrayList arrayList = new ArrayList();
        Provider provider = Security.getProvider(str);
        if (provider != null) {
            arrayList.add(provider.getClass().getName());
            for (Provider.Service service : provider.getServices()) {
                arrayList.add(service.getClassName());
                String attribute = service.getAttribute("SupportedKeyClasses");
                if (attribute != null) {
                    arrayList.addAll(Arrays.asList(attribute.split("\\|")));
                }
            }
        }
        return arrayList;
    }

    @BuildStep
    void registerSecurityInterceptors(BuildProducer<InterceptorBindingRegistrarBuildItem> buildProducer, BuildProducer<AdditionalBeanBuildItem> buildProducer2) {
        buildProducer.produce(new InterceptorBindingRegistrarBuildItem(new SecurityAnnotationsRegistrar()));
        buildProducer2.produce(new AdditionalBeanBuildItem(new Class[]{AuthenticatedInterceptor.class, DenyAllInterceptor.class, PermitAllInterceptor.class, RolesAllowedInterceptor.class}));
        buildProducer2.produce(new AdditionalBeanBuildItem(new Class[]{SecurityHandler.class, SecurityConstrainer.class}));
    }

    @BuildStep
    void transformSecurityAnnotations(BuildProducer<AnnotationsTransformerBuildItem> buildProducer, List<AdditionalSecuredClassesBuildIem> list, SecurityBuildTimeConfig securityBuildTimeConfig) {
        if (securityBuildTimeConfig.denyUnannotated) {
            buildProducer.produce(new AnnotationsTransformerBuildItem(new DenyingUnannotatedTransformer()));
        }
        if (list.isEmpty()) {
            return;
        }
        HashSet hashSet = new HashSet();
        Iterator<AdditionalSecuredClassesBuildIem> it = list.iterator();
        while (it.hasNext()) {
            Iterator it2 = it.next().additionalSecuredClasses.iterator();
            while (it2.hasNext()) {
                hashSet.add(((ClassInfo) it2.next()).name().toString());
            }
        }
        buildProducer.produce(new AnnotationsTransformerBuildItem(new AdditionalDenyingUnannotatedTransformer(hashSet)));
    }

    @BuildStep
    @Record(ExecutionTime.STATIC_INIT)
    void gatherSecurityChecks(BuildProducer<SyntheticBeanBuildItem> buildProducer, BeanArchiveIndexBuildItem beanArchiveIndexBuildItem, BuildProducer<ApplicationClassPredicateBuildItem> buildProducer2, List<AdditionalSecuredClassesBuildIem> list, SecurityCheckRecorder securityCheckRecorder, List<AdditionalSecurityCheckBuildItem> list2, SecurityBuildTimeConfig securityBuildTimeConfig) {
        buildProducer2.produce(new ApplicationClassPredicateBuildItem(new SecurityCheckStorage.AppPredicate()));
        HashMap hashMap = new HashMap();
        Iterator<AdditionalSecuredClassesBuildIem> it = list.iterator();
        while (it.hasNext()) {
            it.next().additionalSecuredClasses.forEach(classInfo -> {
                if (hashMap.containsKey(classInfo.name())) {
                    return;
                }
                hashMap.put(classInfo.name(), classInfo);
            });
        }
        Map<MethodInfo, SecurityCheck> gatherSecurityAnnotations = gatherSecurityAnnotations(beanArchiveIndexBuildItem.getIndex(), hashMap, securityBuildTimeConfig.denyUnannotated, securityCheckRecorder);
        for (AdditionalSecurityCheckBuildItem additionalSecurityCheckBuildItem : list2) {
            gatherSecurityAnnotations.put(additionalSecurityCheckBuildItem.getMethodInfo(), additionalSecurityCheckBuildItem.getSecurityCheck());
        }
        RuntimeValue newBuilder = securityCheckRecorder.newBuilder();
        for (Map.Entry<MethodInfo, SecurityCheck> entry : gatherSecurityAnnotations.entrySet()) {
            MethodInfo key = entry.getKey();
            String[] strArr = new String[key.parameters().size()];
            for (int i = 0; i < key.parameters().size(); i++) {
                strArr[i] = ((Type) key.parameters().get(i)).name().toString();
            }
            securityCheckRecorder.addMethod(newBuilder, key.declaringClass().name().toString(), key.name(), strArr, entry.getValue());
        }
        securityCheckRecorder.create(newBuilder);
        buildProducer.produce(SyntheticBeanBuildItem.configure(SecurityCheckStorage.class).scope(ApplicationScoped.class).creator(methodCreator -> {
            methodCreator.returnValue(methodCreator.invokeStaticMethod(MethodDescriptor.ofMethod(SecurityCheckRecorder.class, "getStorage", SecurityCheckStorage.class, new Class[0]), new ResultHandle[0]));
        }).done());
    }

    private Map<MethodInfo, SecurityCheck> gatherSecurityAnnotations(IndexView indexView, Map<DotName, ClassInfo> map, boolean z, SecurityCheckRecorder securityCheckRecorder) {
        HashMap hashMap = new HashMap();
        HashMap hashMap2 = new HashMap();
        HashMap hashMap3 = new HashMap(gatherSecurityAnnotations(indexView, DotNames.ROLES_ALLOWED, hashMap, hashMap2, annotationInstance -> {
            return securityCheckRecorder.rolesAllowed(annotationInstance.value().asStringArray());
        }));
        hashMap3.putAll(gatherSecurityAnnotations(indexView, DotNames.PERMIT_ALL, hashMap, hashMap2, annotationInstance2 -> {
            return securityCheckRecorder.permitAll();
        }));
        hashMap3.putAll(gatherSecurityAnnotations(indexView, DotNames.AUTHENTICATED, hashMap, hashMap2, annotationInstance3 -> {
            return securityCheckRecorder.authenticated();
        }));
        hashMap3.putAll(gatherSecurityAnnotations(indexView, DotNames.DENY_ALL, hashMap, hashMap2, annotationInstance4 -> {
            return securityCheckRecorder.denyAll();
        }));
        Iterator<Map.Entry<DotName, ClassInfo>> it = map.entrySet().iterator();
        while (it.hasNext()) {
            for (MethodInfo methodInfo : it.next().getValue().methods()) {
                if (isPublicNonStaticNonConstructor(methodInfo)) {
                    AnnotationInstance annotationInstance5 = hashMap.get(methodInfo);
                    if (annotationInstance5 == null) {
                        hashMap3.put(methodInfo, securityCheckRecorder.denyAll());
                    } else if (annotationInstance5.target().kind() == AnnotationTarget.Kind.CLASS) {
                        throw new IllegalStateException("Class " + methodInfo.declaringClass() + " should not have been added as an additional secured class");
                    }
                }
            }
        }
        if (z) {
            HashSet hashSet = new HashSet(hashMap.keySet().size());
            Iterator<MethodInfo> it2 = hashMap.keySet().iterator();
            while (it2.hasNext()) {
                hashSet.add(it2.next().declaringClass());
            }
            Iterator it3 = hashSet.iterator();
            while (it3.hasNext()) {
                for (MethodInfo methodInfo2 : ((ClassInfo) it3.next()).methods()) {
                    if (isPublicNonStaticNonConstructor(methodInfo2) && !hashMap.containsKey(methodInfo2)) {
                        hashMap3.put(methodInfo2, securityCheckRecorder.denyAll());
                    }
                }
            }
        }
        return hashMap3;
    }

    private boolean isPublicNonStaticNonConstructor(MethodInfo methodInfo) {
        return (!Modifier.isPublic(methodInfo.flags()) || Modifier.isStatic(methodInfo.flags()) || "<init>".equals(methodInfo.name())) ? false : true;
    }

    private Map<MethodInfo, SecurityCheck> gatherSecurityAnnotations(IndexView indexView, DotName dotName, Map<MethodInfo, AnnotationInstance> map, Map<ClassInfo, AnnotationInstance> map2, Function<AnnotationInstance, SecurityCheck> function) {
        HashMap hashMap = new HashMap();
        Collection<AnnotationInstance> annotations = indexView.getAnnotations(dotName);
        for (AnnotationInstance annotationInstance : annotations) {
            AnnotationTarget target = annotationInstance.target();
            if (target.kind() == AnnotationTarget.Kind.METHOD) {
                MethodInfo asMethod = target.asMethod();
                if (map.containsKey(asMethod)) {
                    throw new IllegalStateException("Method " + asMethod.name() + " of class " + asMethod.declaringClass() + " is annotated with multiple security annotations");
                }
                map.put(asMethod, annotationInstance);
                hashMap.put(asMethod, function.apply(annotationInstance));
            }
        }
        for (AnnotationInstance annotationInstance2 : annotations) {
            AnnotationTarget target2 = annotationInstance2.target();
            if (target2.kind() == AnnotationTarget.Kind.CLASS) {
                List<MethodInfo> methods = target2.asClass().methods();
                AnnotationInstance annotationInstance3 = map2.get(target2.asClass());
                if (annotationInstance3 != null) {
                    throw new IllegalStateException("Class " + target2.asClass() + " is annotated with multiple security annotations " + annotationInstance2.name() + " and " + annotationInstance3.name());
                }
                map2.put(target2.asClass(), annotationInstance2);
                for (MethodInfo methodInfo : methods) {
                    if (map.get(methodInfo) == null) {
                        hashMap.put(methodInfo, function.apply(annotationInstance2));
                    }
                }
            }
        }
        return hashMap;
    }

    @BuildStep
    CapabilityBuildItem capability() {
        return new CapabilityBuildItem(Capability.SECURITY);
    }

    @BuildStep
    FeatureBuildItem feature() {
        return new FeatureBuildItem(Feature.SECURITY);
    }

    @BuildStep
    void registerAdditionalBeans(BuildProducer<AdditionalBeanBuildItem> buildProducer) {
        buildProducer.produce(AdditionalBeanBuildItem.unremovableOf(SecurityIdentityAssociation.class));
        buildProducer.produce(AdditionalBeanBuildItem.unremovableOf(IdentityProviderManagerCreator.class));
        buildProducer.produce(AdditionalBeanBuildItem.unremovableOf(SecurityIdentityProxy.class));
        buildProducer.produce(AdditionalBeanBuildItem.unremovableOf(X509IdentityProvider.class));
    }

    @BuildStep
    AdditionalBeanBuildItem authorizationController() {
        return AdditionalBeanBuildItem.builder().addBeanClass(AuthorizationController.class).build();
    }
}
