package io.quarkus.security.deployment;

import io.quarkus.arc.deployment.AdditionalBeanBuildItem;
import io.quarkus.arc.deployment.AnnotationsTransformerBuildItem;
import io.quarkus.arc.deployment.BeanArchiveIndexBuildItem;
import io.quarkus.arc.deployment.BeanDiscoveryFinishedBuildItem;
import io.quarkus.arc.deployment.InterceptorBindingRegistrarBuildItem;
import io.quarkus.arc.deployment.SynthesisFinishedBuildItem;
import io.quarkus.arc.deployment.SyntheticBeanBuildItem;
import io.quarkus.arc.deployment.UnremovableBeanBuildItem;
import io.quarkus.arc.deployment.ValidationPhaseBuildItem;
import io.quarkus.arc.processor.AnnotationStore;
import io.quarkus.arc.processor.BuildExtension;
import io.quarkus.arc.processor.BuiltinScope;
import io.quarkus.builder.item.MultiBuildItem;
import io.quarkus.builder.item.SimpleBuildItem;
import io.quarkus.deployment.Capabilities;
import io.quarkus.deployment.annotations.BuildProducer;
import io.quarkus.deployment.annotations.BuildStep;
import io.quarkus.deployment.annotations.Consume;
import io.quarkus.deployment.annotations.ExecutionTime;
import io.quarkus.deployment.annotations.Record;
import io.quarkus.deployment.builditem.ApplicationClassPredicateBuildItem;
import io.quarkus.deployment.builditem.FeatureBuildItem;
import io.quarkus.deployment.builditem.GeneratedClassBuildItem;
import io.quarkus.deployment.builditem.GeneratedNativeImageClassBuildItem;
import io.quarkus.deployment.builditem.LaunchModeBuildItem;
import io.quarkus.deployment.builditem.NativeImageFeatureBuildItem;
import io.quarkus.deployment.builditem.RunTimeConfigBuilderBuildItem;
import io.quarkus.deployment.builditem.RuntimeConfigSetupCompleteBuildItem;
import io.quarkus.deployment.builditem.ShutdownContextBuildItem;
import io.quarkus.deployment.builditem.nativeimage.JPMSExportBuildItem;
import io.quarkus.deployment.builditem.nativeimage.NativeImageSecurityProviderBuildItem;
import io.quarkus.deployment.builditem.nativeimage.ReflectiveClassBuildItem;
import io.quarkus.deployment.builditem.nativeimage.RuntimeReinitializedClassBuildItem;
import io.quarkus.deployment.execannotations.ExecutionModelAnnotationsAllowedBuildItem;
import io.quarkus.deployment.pkg.NativeConfig;
import io.quarkus.deployment.pkg.builditem.CurateOutcomeBuildItem;
import io.quarkus.gizmo.CatchBlockCreator;
import io.quarkus.gizmo.ClassCreator;
import io.quarkus.gizmo.ClassOutput;
import io.quarkus.gizmo.MethodCreator;
import io.quarkus.gizmo.MethodDescriptor;
import io.quarkus.gizmo.ResultHandle;
import io.quarkus.gizmo.TryBlock;
import io.quarkus.runtime.LaunchMode;
import io.quarkus.runtime.RuntimeValue;
import io.quarkus.runtime.StartupEvent;
import io.quarkus.runtime.configuration.ConfigurationException;
import io.quarkus.security.deployment.PermissionSecurityChecks;
import io.quarkus.security.identity.SecurityIdentityAugmentor;
import io.quarkus.security.runtime.IdentityProviderManagerCreator;
import io.quarkus.security.runtime.QuarkusPermissionSecurityIdentityAugmentor;
import io.quarkus.security.runtime.QuarkusSecurityRolesAllowedConfigBuilder;
import io.quarkus.security.runtime.SecurityCheckRecorder;
import io.quarkus.security.runtime.SecurityIdentityAssociation;
import io.quarkus.security.runtime.SecurityIdentityProxy;
import io.quarkus.security.runtime.SecurityProviderRecorder;
import io.quarkus.security.runtime.SecurityProviderUtils;
import io.quarkus.security.runtime.X509IdentityProvider;
import io.quarkus.security.runtime.interceptor.AuthenticatedInterceptor;
import io.quarkus.security.runtime.interceptor.DenyAllInterceptor;
import io.quarkus.security.runtime.interceptor.PermissionsAllowedInterceptor;
import io.quarkus.security.runtime.interceptor.PermitAllInterceptor;
import io.quarkus.security.runtime.interceptor.RolesAllowedInterceptor;
import io.quarkus.security.runtime.interceptor.SecurityConstrainer;
import io.quarkus.security.runtime.interceptor.SecurityHandler;
import io.quarkus.security.spi.AdditionalSecuredClassesBuildItem;
import io.quarkus.security.spi.AdditionalSecuredMethodsBuildItem;
import io.quarkus.security.spi.AdditionalSecurityAnnotationBuildItem;
import io.quarkus.security.spi.AdditionalSecurityConstrainerEventPropsBuildItem;
import io.quarkus.security.spi.ClassSecurityCheckAnnotationBuildItem;
import io.quarkus.security.spi.ClassSecurityCheckStorageBuildItem;
import io.quarkus.security.spi.DefaultSecurityCheckBuildItem;
import io.quarkus.security.spi.PermissionsAllowedMetaAnnotationBuildItem;
import io.quarkus.security.spi.RolesAllowedConfigExpResolverBuildItem;
import io.quarkus.security.spi.SecurityTransformerUtils;
import io.quarkus.security.spi.runtime.AuthorizationController;
import io.quarkus.security.spi.runtime.BlockingSecurityExecutor;
import io.quarkus.security.spi.runtime.DevModeDisabledAuthorizationController;
import io.quarkus.security.spi.runtime.MethodDescription;
import io.quarkus.security.spi.runtime.SecurityCheck;
import io.quarkus.security.spi.runtime.SecurityCheckStorage;
import jakarta.annotation.security.DenyAll;
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.enterprise.context.Dependent;
import jakarta.inject.Singleton;
import java.io.IOException;
import java.lang.reflect.Modifier;
import java.net.URISyntaxException;
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.function.BiConsumer;
import java.util.function.Function;
import java.util.function.Predicate;
import java.util.function.Supplier;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.graalvm.nativeimage.hosted.Feature;
import org.jboss.jandex.AnnotationInstance;
import org.jboss.jandex.AnnotationTarget;
import org.jboss.jandex.AnnotationTransformation;
import org.jboss.jandex.ClassInfo;
import org.jboss.jandex.DotName;
import org.jboss.jandex.IndexView;
import org.jboss.jandex.MethodInfo;
import org.jboss.jandex.Type;
import org.jboss.logging.Logger;

/* loaded from: input_file:io/quarkus/security/deployment/SecurityProcessor.class */
public class SecurityProcessor {
    // Logger used by the build steps in this class (debug output only in the visible code).
    private static final Logger log = Logger.getLogger(SecurityProcessor.class);
    // Jandex name of io.quarkus.runtime.StartupEvent.
    private static final DotName STARTUP_EVENT_NAME = DotName.createSimple(StartupEvent.class.getName());
    // Build-time security configuration read by the build steps (securityProviders(),
    // securityProviderConfig(), denyUnannotatedMembers()). It is never assigned in the visible
    // code; presumably the build framework injects it - confirm.
    SecurityConfig security;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:io/quarkus/security/deployment/SecurityProcessor$AdditionalSecured.class */
    /**
     * Immutable pair of a method and an optional list of role names attached to it.
     *
     * <p>Both values are stored by reference; the list inside {@code rolesAllowed} is not copied,
     * so a caller that keeps mutating it also changes what this object reports.
     */
    public static class AdditionalSecured {
        /** The method this entry describes. */
        final MethodInfo methodInfo;
        /**
         * Role names associated with the method, when present.
         * NOTE(review): the meaning of an empty Optional is decided by the consumer, which is not
         * visible here - confirm it is treated as "deny" rather than "permit".
         */
        final Optional<List<String>> rolesAllowed;

        AdditionalSecured(MethodInfo methodInfo, Optional<List<String>> optional) {
            this.rolesAllowed = optional;
            this.methodInfo = methodInfo;
        }
    }

    /* loaded from: input_file:io/quarkus/security/deployment/SecurityProcessor$MethodSecurityChecks.class */
    /**
     * Build item that carries the security check selected for each method.
     *
     * <p>The map is held by reference and the field is not final, so the content seen by a
     * consumer is whatever the map holds at the time it is read.
     */
    static final class MethodSecurityChecks extends SimpleBuildItem {
        /** Security check per method, exactly as handed to the constructor. */
        Map<MethodInfo, SecurityCheck> securityChecks;

        MethodSecurityChecks(Map<MethodInfo, SecurityCheck> map) {
            securityChecks = map;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/quarkus/security/deployment/SecurityProcessor$SecurityAnnotationGatherer.class */
    /**
     * Walks a collection of security annotation instances and reports, through the
     * {@code putResult} callback, which annotation applies to which method.
     *
     * <p>Two passes are offered: one for annotations placed on methods and one for annotations
     * placed on classes. The class-level pass skips every method that is already present in
     * {@code alreadyCheckedMethods}, so a method-level annotation only takes precedence when the
     * method-level pass has populated that map first.
     * NOTE(review): the call order is chosen by the caller, which is not visible here - confirm.
     *
     * <p>Conflicting annotations are rejected with an {@link IllegalStateException} instead of
     * silently picking one of them.
     */
    public static final class SecurityAnnotationGatherer {
        private final Collection<AnnotationInstance> annotationInstances;
        private final Map<MethodInfo, AnnotationInstance> alreadyCheckedMethods;
        private final BiConsumer<MethodInfo, AnnotationInstance> putResult;
        private final Map<ClassInfo, AnnotationInstance> classLevelAnnotations;
        private final Predicate<MethodInfo> hasAdditionalSecurityAnnotation;

        private SecurityAnnotationGatherer(Collection<AnnotationInstance> collection, Map<MethodInfo, AnnotationInstance> map, BiConsumer<MethodInfo, AnnotationInstance> biConsumer, Map<ClassInfo, AnnotationInstance> map2, Predicate<MethodInfo> predicate) {
            annotationInstances = collection;
            alreadyCheckedMethods = map;
            putResult = biConsumer;
            classLevelAnnotations = map2;
            hasAdditionalSecurityAnnotation = predicate;
        }

        /**
         * Applies each class-level annotation to the methods returned by {@code ClassInfo.methods()}
         * that have no method-level result yet and carry no additional security annotation.
         *
         * @throws IllegalStateException if a class is already registered in
         *         {@code classLevelAnnotations}, i.e. it carries more than one security annotation
         */
        private void gatherClassSecurityAnnotations() {
            for (AnnotationInstance candidate : annotationInstances) {
                AnnotationTarget target = candidate.target();
                if (target.kind() != AnnotationTarget.Kind.CLASS) {
                    continue;
                }
                ClassInfo annotatedClass = target.asClass();
                List<MethodInfo> declaredMethods = annotatedClass.methods();
                AnnotationInstance previous = classLevelAnnotations.get(annotatedClass);
                if (previous != null) {
                    throw new IllegalStateException("Class " + annotatedClass + " is annotated with multiple security annotations " + candidate.name() + " and " + previous.name());
                }
                classLevelAnnotations.put(annotatedClass, candidate);
                for (MethodInfo method : declaredMethods) {
                    // A method that already has its own result, or an additional security
                    // annotation, must not be overwritten by the class-level one.
                    boolean coveredElsewhere = alreadyCheckedMethods.get(method) != null || hasAdditionalSecurityAnnotation.test(method);
                    if (!coveredElsewhere) {
                        putResult.accept(method, candidate);
                    }
                }
            }
        }

        /**
         * Records each method-level annotation and reports it through {@code putResult}.
         *
         * @throws IllegalStateException if the method was already recorded or carries an additional
         *         security annotation
         */
        private void gatherMethodSecurityAnnotations() {
            for (AnnotationInstance candidate : annotationInstances) {
                AnnotationTarget target = candidate.target();
                if (target.kind() != AnnotationTarget.Kind.METHOD) {
                    continue;
                }
                MethodInfo method = target.asMethod();
                boolean duplicate = alreadyCheckedMethods.containsKey(method) || hasAdditionalSecurityAnnotation.test(method);
                if (duplicate) {
                    throw new IllegalStateException("Method " + method.name() + " of class " + method.declaringClass() + " is annotated with multiple security annotations");
                }
                alreadyCheckedMethods.put(method, candidate);
                putResult.accept(method, candidate);
            }
        }
    }

    /* loaded from: input_file:io/quarkus/security/deployment/SecurityProcessor$SecurityCheckStorageAppPredicate.class */
    /**
     * Predicate over class names that matches exactly the fully qualified name of
     * {@link SecurityCheckStorage}.
     */
    static class SecurityCheckStorageAppPredicate implements Predicate<String> {

        /**
         * @param str class name to test; a {@code null} argument raises a NullPointerException
         * @return {@code true} only for the name of {@code SecurityCheckStorage}
         */
        @Override
        public boolean test(String str) {
            final String storageClassName = SecurityCheckStorage.class.getName();
            return str.equals(storageClassName);
        }
    }

    /**
     * Turns every configured security provider name into the matching build item.
     *
     * <p>{@code BC} and {@code BCFIPS} yield a {@code BouncyCastleProviderBuildItem} (the latter
     * built with {@code true}), {@code BCJSSE} and {@code BCFIPSJSSE} yield a
     * {@code BouncyCastleJsseProviderBuildItem}, and any other name yields a
     * {@code JCAProviderBuildItem} carrying the per-provider configuration value, which may be
     * {@code null} when none is configured.
     *
     * <p>The comparison is case-sensitive, so a name such as {@code bcfips} falls through to the
     * generic JCA branch instead of selecting the Bouncy Castle FIPS provider.
     */
    @BuildStep
    void produceJcaSecurityProviders(BuildProducer<JCAProviderBuildItem> buildProducer, BuildProducer<BouncyCastleProviderBuildItem> buildProducer2, BuildProducer<BouncyCastleJsseProviderBuildItem> buildProducer3) {
        final Set<String> configuredNames = this.security.securityProviders().orElse(Set.of());
        for (String providerName : configuredNames) {
            if ("BC".equals(providerName)) {
                buildProducer2.produce(new BouncyCastleProviderBuildItem());
            } else if ("BCJSSE".equals(providerName)) {
                buildProducer3.produce(new BouncyCastleJsseProviderBuildItem());
            } else if ("BCFIPS".equals(providerName)) {
                buildProducer2.produce(new BouncyCastleProviderBuildItem(true));
            } else if ("BCFIPSJSSE".equals(providerName)) {
                buildProducer3.produce(new BouncyCastleJsseProviderBuildItem(true));
            } else {
                // Anything that is not a Bouncy Castle alias is treated as a plain JCA provider.
                String providerConfig = this.security.securityProviderConfig().get(providerName);
                buildProducer.produce(new JCAProviderBuildItem(providerName, providerConfig));
            }
            log.debugf("Added providerName: %s", providerName);
        }
    }

    /**
     * Registers, for reflection, every class name that {@code registerProvider} reports for the
     * configured JCA providers. Methods and fields of each class are included in the registration.
     */
    @BuildStep
    void registerJCAProvidersForReflection(BuildProducer<ReflectiveClassBuildItem> buildProducer, List<JCAProviderBuildItem> list, BuildProducer<NativeImageSecurityProviderBuildItem> buildProducer2) throws IOException, URISyntaxException {
        for (JCAProviderBuildItem providerItem : list) {
            List<String> providerClassNames = registerProvider(providerItem.getProviderName(), providerItem.getProviderConfig(), buildProducer2);
            for (String className : providerClassNames) {
                buildProducer.produce(ReflectiveClassBuildItem.builder(className).methods().fields().build());
                log.debugf("Register JCA class: %s", className);
            }
        }
    }

    /**
     * Produces the reflection and runtime re-initialization registrations needed by the requested
     * Bouncy Castle provider.
     *
     * <p>A JSSE registration takes precedence: when one exists, the JSSE classes are registered,
     * the plain provider is prepared with the JSSE item's FIPS flag, and the plain provider list is
     * not consulted at all. Otherwise the single plain registration, if any, is prepared.
     *
     * @throws IllegalStateException (from {@code getOne}) if a consulted list holds more than one item
     */
    @BuildStep
    void prepareBouncyCastleProviders(CurateOutcomeBuildItem curateOutcomeBuildItem, BuildProducer<ReflectiveClassBuildItem> buildProducer, BuildProducer<RuntimeReinitializedClassBuildItem> buildProducer2, List<BouncyCastleProviderBuildItem> list, List<BouncyCastleJsseProviderBuildItem> list2) throws Exception {
        Optional<BouncyCastleJsseProviderBuildItem> jsseItem = getOne(list2);
        if (!jsseItem.isPresent()) {
            Optional<BouncyCastleProviderBuildItem> plainItem = getOne(list);
            if (plainItem.isPresent()) {
                prepareBouncyCastleProvider(curateOutcomeBuildItem, buildProducer, buildProducer2, plainItem.get().isInFipsMode());
            }
            return;
        }
        final String lazyManagers = "org.bouncycastle.jsse.provider.DefaultSSLContextSpi$LazyManagers";
        buildProducer.produce(ReflectiveClassBuildItem.builder("org.bouncycastle.jsse.provider.BouncyCastleJsseProvider").methods().fields().build());
        buildProducer.produce(ReflectiveClassBuildItem.builder(lazyManagers).methods().fields().build());
        buildProducer2.produce(new RuntimeReinitializedClassBuildItem(lazyManagers));
        prepareBouncyCastleProvider(curateOutcomeBuildItem, buildProducer, buildProducer2, jsseItem.get().isInFipsMode());
    }

    /**
     * Registers the Bouncy Castle classes that must be reachable by reflection, and those marked
     * with {@code RuntimeReinitializedClassBuildItem}, for the selected provider flavour.
     *
     * <p>NOTE(review): the re-initialized classes include random-number and curve-table holders
     * (for example {@code DRBG$Default}); presumably the intent is that their state is built in the
     * running process rather than captured in the image at build time - confirm.
     *
     * @param curateOutcomeBuildItem application model, used to detect a {@code bcprov-*} artifact
     * @param buildProducer sink for reflective class registrations
     * @param buildProducer2 sink for runtime re-initialization registrations
     * @param z {@code true} for the FIPS provider, {@code false} for the regular provider
     */
    private static void prepareBouncyCastleProvider(CurateOutcomeBuildItem curateOutcomeBuildItem, BuildProducer<ReflectiveClassBuildItem> buildProducer, BuildProducer<RuntimeReinitializedClassBuildItem> buildProducer2, boolean z) {
        final String providerClass;
        if (z) {
            providerClass = "org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider";
        } else {
            providerClass = "org.bouncycastle.jce.provider.BouncyCastleProvider";
        }
        buildProducer.produce(ReflectiveClassBuildItem.builder(providerClass).methods().fields().build());

        // The extra algorithm classes are only registered when a bcprov-* artifact from the
        // org.bouncycastle group is among the application dependencies.
        boolean bcprovOnClasspath = curateOutcomeBuildItem.getApplicationModel().getDependencies().stream()
                .anyMatch(dependency -> dependency.getGroupId().equals("org.bouncycastle") && dependency.getArtifactId().startsWith("bcprov-"));
        if (bcprovOnClasspath) {
            buildProducer.produce(ReflectiveClassBuildItem.builder(
                    "org.bouncycastle.jcajce.provider.symmetric.AES",
                    "org.bouncycastle.jcajce.provider.symmetric.AES$CBC",
                    "org.bouncycastle.crypto.paddings.PKCS7Padding",
                    "org.bouncycastle.jcajce.provider.asymmetric.ec.KeyFactorySpi",
                    "org.bouncycastle.jcajce.provider.asymmetric.ec.KeyFactorySpi$EC",
                    "org.bouncycastle.jcajce.provider.asymmetric.ec.KeyFactorySpi$ECDSA",
                    "org.bouncycastle.jcajce.provider.asymmetric.ec.KeyPairGeneratorSpi",
                    "org.bouncycastle.jcajce.provider.asymmetric.ec.KeyPairGeneratorSpi$EC",
                    "org.bouncycastle.jcajce.provider.asymmetric.ec.KeyPairGeneratorSpi$ECDSA",
                    "org.bouncycastle.jcajce.provider.asymmetric.rsa.KeyFactorySpi",
                    "org.bouncycastle.jcajce.provider.asymmetric.rsa.KeyPairGeneratorSpi",
                    "org.bouncycastle.jcajce.provider.asymmetric.rsa.PSSSignatureSpi",
                    "org.bouncycastle.jcajce.provider.asymmetric.rsa.PSSSignatureSpi$SHA256withRSA").methods().fields().build());
        }
        buildProducer2.produce(new RuntimeReinitializedClassBuildItem("org.bouncycastle.crypto.CryptoServicesRegistrar"));

        final String[] reinitialized;
        if (z) {
            buildProducer.produce(ReflectiveClassBuildItem.builder("org.bouncycastle.crypto.general.AES").methods().fields().build());
            reinitialized = new String[] {
                "org.bouncycastle.crypto.general.AES",
                "org.bouncycastle.crypto.asymmetric.NamedECDomainParameters",
                "org.bouncycastle.crypto.asymmetric.CustomNamedCurves",
                "org.bouncycastle.asn1.ua.DSTU4145NamedCurves",
                "org.bouncycastle.asn1.sec.SECNamedCurves",
                "org.bouncycastle.asn1.cryptopro.ECGOST3410NamedCurves",
                "org.bouncycastle.asn1.x9.X962NamedCurves",
                "org.bouncycastle.asn1.x9.ECNamedCurveTable",
                "org.bouncycastle.asn1.anssi.ANSSINamedCurves",
                "org.bouncycastle.asn1.teletrust.TeleTrusTNamedCurves",
                "org.bouncycastle.jcajce.spec.ECUtil"
            };
        } else {
            buildProducer.produce(ReflectiveClassBuildItem.builder("org.bouncycastle.jcajce.provider.drbg.DRBG$Default").methods().fields().build());
            reinitialized = new String[] {
                "org.bouncycastle.jcajce.provider.drbg.DRBG$Default",
                "org.bouncycastle.jcajce.provider.drbg.DRBG$NonceAndIV",
                "org.bouncycastle.jcajce.provider.drbg.DRBG$URLSeededEntropySourceProvider"
            };
        }
        for (String className : reinitialized) {
            buildProducer2.produce(new RuntimeReinitializedClassBuildItem(className));
        }
        buildProducer2.produce(new RuntimeReinitializedClassBuildItem("sun.security.pkcs11.P11Util"));
    }

    /**
     * Records, for static initialization, the call that adds the requested Bouncy Castle provider.
     *
     * <p>A JSSE registration wins over a plain one: with a JSSE item present only the JSSE (or
     * FIPS JSSE) recorder method is invoked and the plain provider list is not consulted.
     *
     * @throws IllegalStateException (from {@code getOne}) if a consulted list holds more than one item
     */
    @BuildStep
    @Record(ExecutionTime.STATIC_INIT)
    void recordBouncyCastleProviders(SecurityProviderRecorder securityProviderRecorder, List<BouncyCastleProviderBuildItem> list, List<BouncyCastleJsseProviderBuildItem> list2) {
        Optional<BouncyCastleJsseProviderBuildItem> jsseItem = getOne(list2);
        if (jsseItem.isPresent()) {
            boolean fipsMode = jsseItem.get().isInFipsMode();
            if (fipsMode) {
                securityProviderRecorder.addBouncyCastleFipsJsseProvider();
            } else {
                securityProviderRecorder.addBouncyCastleJsseProvider();
            }
            return;
        }
        Optional<BouncyCastleProviderBuildItem> plainItem = getOne(list);
        if (plainItem.isPresent()) {
            BouncyCastleProviderBuildItem item = plainItem.get();
            securityProviderRecorder.addBouncyCastleProvider(item.isInFipsMode());
        }
    }

    /**
     * Declares the generated {@code io.quarkus.security.BouncyCastleFeature} class as a native
     * image feature when native mode is enabled and a Bouncy Castle provider was requested.
     *
     * @return the feature build item, or {@code null} when native mode is off or no Bouncy Castle
     *         registration exists
     * @throws IllegalStateException (from {@code getOne}) if either list holds more than one item
     */
    @BuildStep
    NativeImageFeatureBuildItem bouncyCastleFeature(NativeConfig nativeConfig, List<BouncyCastleProviderBuildItem> list, List<BouncyCastleJsseProviderBuildItem> list2) {
        if (nativeConfig.enabled()) {
            // Both lists are always validated, even when the first one already has an entry.
            Optional<BouncyCastleJsseProviderBuildItem> jsseItem = getOne(list2);
            Optional<BouncyCastleProviderBuildItem> plainItem = getOne(list);
            boolean noneRequested = !jsseItem.isPresent() && !plainItem.isPresent();
            return noneRequested ? null : new NativeImageFeatureBuildItem("io.quarkus.security.BouncyCastleFeature");
        }
        return null;
    }

    /**
     * Generates the {@code io.quarkus.security.BouncyCastleFeature} class, a GraalVM
     * {@code Feature} whose {@code afterRegistration} method installs the requested Bouncy Castle
     * provider(s) into {@link Security}.
     *
     * <p>Nothing is generated unless a Bouncy Castle (JSSE or plain) registration exists. With a
     * JSSE registration two providers are inserted at consecutive positions; otherwise a single
     * provider is appended with {@code Security.addProvider}.
     *
     * <p>NOTE(review): the generated method catches {@code Throwable} and only prints the stack
     * trace, so a failed provider installation does not stop the image build. For a FIPS
     * configuration that means the image could be produced without the expected provider in
     * place - confirm this is detected elsewhere.
     *
     * @throws IllegalStateException (from {@code getOne}) if either list holds more than one item
     */
    @BuildStep
    void addBouncyCastleProvidersToNativeImage(final BuildProducer<GeneratedNativeImageClassBuildItem> buildProducer, BuildProducer<NativeImageSecurityProviderBuildItem> buildProducer2, List<BouncyCastleProviderBuildItem> list, List<BouncyCastleJsseProviderBuildItem> list2) {
        Optional one = getOne(list2);
        Optional one2 = getOne(list);
        if (one.isPresent() || one2.isPresent()) {
            // Every class written by the creator is published as a generated native-image class.
            ClassCreator classCreator = new ClassCreator(new ClassOutput() { // from class: io.quarkus.security.deployment.SecurityProcessor.1
                public void write(String str, byte[] bArr) {
                    buildProducer.produce(new GeneratedNativeImageClassBuildItem(str, bArr));
                }
            }, "io.quarkus.security.BouncyCastleFeature", (String) null, Object.class.getName(), new String[]{Feature.class.getName()});
            // void afterRegistration(Feature.AfterRegistrationAccess); the whole body sits in one try block.
            MethodCreator methodCreator = classCreator.getMethodCreator("afterRegistration", "V", new String[]{Feature.AfterRegistrationAccess.class.getName()});
            TryBlock tryBlock = methodCreator.tryBlock();
            if (one.isPresent()) {
                buildProducer2.produce(new NativeImageSecurityProviderBuildItem("org.bouncycastle.jsse.provider.BouncyCastleJsseProvider"));
                if (((BouncyCastleJsseProviderBuildItem) one.get()).isInFipsMode()) {
                    // The index is computed here, in the build step, and loaded into the generated
                    // code as a constant.
                    // NOTE(review): it therefore reflects the provider list of the JVM running this
                    // step - confirm it matches the list seen when the feature executes.
                    int findProviderIndex = SecurityProviderUtils.findProviderIndex("SUN");
                    ResultHandle newInstance = tryBlock.newInstance(MethodDescriptor.ofConstructor("org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider", new String[0]), new ResultHandle[0]);
                    // The JSSE provider is constructed with (true, fipsProvider).
                    ResultHandle newInstance2 = tryBlock.newInstance(MethodDescriptor.ofConstructor("org.bouncycastle.jsse.provider.BouncyCastleJsseProvider", new String[]{"boolean", Provider.class.getName()}), new ResultHandle[]{tryBlock.load(true), newInstance});
                    // FIPS provider at the "SUN" position, JSSE provider directly after it.
                    tryBlock.invokeStaticMethod(MethodDescriptor.ofMethod(Security.class, "insertProviderAt", Integer.TYPE, new Class[]{Provider.class, Integer.TYPE}), new ResultHandle[]{newInstance, tryBlock.load(findProviderIndex)});
                    tryBlock.invokeStaticMethod(MethodDescriptor.ofMethod(Security.class, "insertProviderAt", Integer.TYPE, new Class[]{Provider.class, Integer.TYPE}), new ResultHandle[]{newInstance2, tryBlock.load(findProviderIndex + 1)});
                } else {
                    // Non-FIPS JSSE: same scheme, positioned relative to "SunJSSE" and using the
                    // no-argument constructors.
                    int findProviderIndex2 = SecurityProviderUtils.findProviderIndex("SunJSSE");
                    ResultHandle newInstance3 = tryBlock.newInstance(MethodDescriptor.ofConstructor("org.bouncycastle.jce.provider.BouncyCastleProvider", new String[0]), new ResultHandle[0]);
                    ResultHandle newInstance4 = tryBlock.newInstance(MethodDescriptor.ofConstructor("org.bouncycastle.jsse.provider.BouncyCastleJsseProvider", new String[0]), new ResultHandle[0]);
                    tryBlock.invokeStaticMethod(MethodDescriptor.ofMethod(Security.class, "insertProviderAt", Integer.TYPE, new Class[]{Provider.class, Integer.TYPE}), new ResultHandle[]{newInstance3, tryBlock.load(findProviderIndex2)});
                    tryBlock.invokeStaticMethod(MethodDescriptor.ofMethod(Security.class, "insertProviderAt", Integer.TYPE, new Class[]{Provider.class, Integer.TYPE}), new ResultHandle[]{newInstance4, tryBlock.load(findProviderIndex2 + 1)});
                }
            } else {
                // No JSSE item, so one2 is present here (outer condition); the provider is appended
                // with Security.addProvider rather than inserted at a chosen position.
                tryBlock.invokeStaticMethod(MethodDescriptor.ofMethod(Security.class, "addProvider", Integer.TYPE, new Class[]{Provider.class}), new ResultHandle[]{tryBlock.newInstance(MethodDescriptor.ofConstructor(((BouncyCastleProviderBuildItem) one2.get()).isInFipsMode() ? "org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider" : "org.bouncycastle.jce.provider.BouncyCastleProvider", new String[0]), new ResultHandle[0])});
            }
            // Any Throwable raised while installing the providers is printed and then dropped.
            CatchBlockCreator addCatch = tryBlock.addCatch(Throwable.class);
            addCatch.invokeVirtualMethod(MethodDescriptor.ofMethod(Throwable.class, "printStackTrace", Void.TYPE, new Class[0]), addCatch.getCaughtException(), new ResultHandle[0]);
            methodCreator.returnValue((ResultHandle) null);
            classCreator.close();
        }
    }

    /**
     * Exports two internal {@code java.base} packages to the native image when the requested
     * Bouncy Castle provider runs in FIPS mode.
     *
     * <p>The FIPS flag comes from the JSSE registration when one exists, otherwise from the plain
     * registration; with neither present nothing is exported. The exported packages
     * ({@code sun.security.internal.spec}, {@code sun.security.provider}) are JDK internals, so
     * this widening is limited to the FIPS case.
     *
     * @throws IllegalStateException (from {@code getOne}) if a consulted list holds more than one item
     */
    @BuildStep
    void addBouncyCastleExportsToNativeImage(BuildProducer<JPMSExportBuildItem> buildProducer, List<BouncyCastleProviderBuildItem> list, List<BouncyCastleJsseProviderBuildItem> list2) {
        final boolean fipsMode;
        Optional<BouncyCastleJsseProviderBuildItem> jsseItem = getOne(list2);
        if (jsseItem.isPresent()) {
            fipsMode = jsseItem.get().isInFipsMode();
        } else {
            Optional<BouncyCastleProviderBuildItem> plainItem = getOne(list);
            fipsMode = plainItem.isPresent() && plainItem.get().isInFipsMode();
        }
        if (!fipsMode) {
            return;
        }
        for (String internalPackage : new String[] {"sun.security.internal.spec", "sun.security.provider"}) {
            buildProducer.produce(new JPMSExportBuildItem("java.base", internalPackage));
        }
    }

    /**
     * Returns the single build item of the list, if any, and rejects ambiguous registrations.
     *
     * @param list build items of one Bouncy Castle registration type
     * @return the first item, or an empty Optional for an empty list
     * @throws IllegalStateException if the list holds more than one item
     */
    private static <BI extends MultiBuildItem> Optional<BI> getOne(List<BI> list) {
        if (list.size() <= 1) {
            return list.stream().findFirst();
        }
        throw new IllegalStateException("Only a single Bouncy Castle registration can be provided.");
    }

    /**
     * Collects the class names a JCA provider needs for reflection and, when a configuration
     * argument is given, installs the configured provider instance.
     *
     * <p>The lookup uses the provider list of the JVM executing this method. For a known provider
     * the result contains its own class, the class of every service it offers and the classes
     * listed in each service's {@code SupportedKeyClasses} attribute. An unknown name yields an
     * empty list without an error, so a misspelt provider name is not reported here.
     *
     * <p>NOTE(review): {@code Security.addProvider} changes the JVM-wide provider list of the
     * process running this method, and {@code str2} comes from configuration - confirm the value
     * is trusted, since {@code Provider.configure} may interpret it (for example as a file path).
     *
     * @param str provider name
     * @param str2 configuration argument passed to {@code Provider.configure}, or {@code null}
     * @param buildProducer receives the native-image provider registration for names found in
     *        {@code SecurityProviderUtils.SUN_PROVIDERS}
     * @return class names to register for reflection; never {@code null}
     */
    private static List<String> registerProvider(String str, String str2, BuildProducer<NativeImageSecurityProviderBuildItem> buildProducer) {
        List<String> classNames = new ArrayList<>();
        Provider provider = Security.getProvider(str);
        if (provider != null) {
            classNames.add(provider.getClass().getName());
            for (Provider.Service service : provider.getServices()) {
                classNames.add(service.getClassName());
                // The attribute holds class names separated by '|'.
                String supportedKeyClasses = service.getAttribute("SupportedKeyClasses");
                if (supportedKeyClasses != null) {
                    classNames.addAll(Arrays.asList(supportedKeyClasses.split("\\|")));
                }
            }
            if (str2 != null) {
                Provider configured = provider.configure(str2);
                if (configured != null) {
                    Security.addProvider(configured);
                    classNames.add(configured.getClass().getName());
                }
            }
        }
        if (SecurityProviderUtils.SUN_PROVIDERS.containsKey(str)) {
            String sunProviderClass = (String) SecurityProviderUtils.SUN_PROVIDERS.get(str);
            buildProducer.produce(new NativeImageSecurityProviderBuildItem(sunProviderClass));
        }
        return classNames;
    }

    /**
     * Records the call that flags the runtime configuration as ready for security checks.
     *
     * <p>In development mode a second call is recorded that hands the shutdown context to
     * {@code unsetRuntimeConfigReady}; presumably it clears the flag on shutdown so that a dev-mode
     * restart starts clean - confirm against the recorder.
     */
    @BuildStep
    @Consume(RuntimeConfigSetupCompleteBuildItem.class)
    @Record(ExecutionTime.RUNTIME_INIT)
    void recordRuntimeConfigReady(SecurityCheckRecorder securityCheckRecorder, ShutdownContextBuildItem shutdownContextBuildItem, LaunchModeBuildItem launchModeBuildItem) {
        securityCheckRecorder.setRuntimeConfigReady();
        final boolean developmentMode = LaunchMode.DEVELOPMENT == launchModeBuildItem.getLaunchMode();
        if (developmentMode) {
            securityCheckRecorder.unsetRuntimeConfigReady(shutdownContextBuildItem);
        }
    }

    /**
     * Registers the security interceptor bindings, the interceptor beans, the
     * {@code SecurityHandler} bean and a synthetic singleton {@code SecurityConstrainer}.
     *
     * <p>The constrainer bean is marked unremovable. Its supplier is created by the recorder from
     * the optional additional-event-properties supplier; {@code null} is passed when no such build
     * item exists.
     */
    @BuildStep
    @Record(ExecutionTime.STATIC_INIT)
    void registerSecurityInterceptors(BuildProducer<InterceptorBindingRegistrarBuildItem> buildProducer, BuildProducer<AdditionalBeanBuildItem> buildProducer2, BuildProducer<SyntheticBeanBuildItem> buildProducer3, SecurityCheckRecorder securityCheckRecorder, Optional<AdditionalSecurityConstrainerEventPropsBuildItem> optional) {
        buildProducer.produce(new InterceptorBindingRegistrarBuildItem(new SecurityAnnotationsRegistrar()));

        buildProducer2.produce(new AdditionalBeanBuildItem(
                AuthenticatedInterceptor.class,
                DenyAllInterceptor.class,
                PermitAllInterceptor.class,
                RolesAllowedInterceptor.class,
                PermissionsAllowedInterceptor.class));
        buildProducer2.produce(new AdditionalBeanBuildItem(SecurityHandler.class));

        // Kept as a raw Supplier: its type argument is not visible in this file.
        Supplier additionalEventProps = (Supplier) optional.map(AdditionalSecurityConstrainerEventPropsBuildItem::getAdditionalEventPropsSupplier).orElse(null);
        buildProducer3.produce(SyntheticBeanBuildItem.configure(SecurityConstrainer.class)
                .unremovable()
                .scope(Singleton.class)
                .supplier(securityCheckRecorder.createSecurityConstrainer(additionalEventProps))
                .done());
    }

    /**
     * Expands each additionally secured class into an {@code AdditionalSecuredMethodsBuildItem}
     * listing its methods that pass {@code isPublicNonStaticNonConstructor}.
     *
     * <p>The {@code rolesAllowed} value of the class-level item is passed on unchanged. Only the
     * methods returned by {@code ClassInfo.methods()} are considered, so methods declared elsewhere
     * in the hierarchy are presumably not covered by this step - confirm.
     */
    @BuildStep
    void transformAdditionalSecuredClassesToMethods(List<AdditionalSecuredClassesBuildItem> list, BuildProducer<AdditionalSecuredMethodsBuildItem> buildProducer) {
        for (AdditionalSecuredClassesBuildItem securedClasses : list) {
            List<MethodInfo> securedMethods = new ArrayList<>();
            for (ClassInfo securedClass : securedClasses.additionalSecuredClasses) {
                for (MethodInfo candidate : securedClass.methods()) {
                    if (!isPublicNonStaticNonConstructor(candidate)) {
                        continue;
                    }
                    securedMethods.add(candidate);
                }
            }
            buildProducer.produce(new AdditionalSecuredMethodsBuildItem(securedMethods, securedClasses.rolesAllowed));
        }
    }

    /**
     * Registers the annotation transformers that add security annotations which are not written
     * in the application source.
     *
     * <p>When {@code denyUnannotatedMembers} is enabled, classes selected by
     * {@code DenyUnannotatedPredicate} receive {@code @DenyAll}. For every additionally secured
     * method set, a roles-allowed transformer is registered when roles are present; without roles
     * the denying transformer is used, so a missing role list results in the stricter transformer.
     */
    @BuildStep
    void transformSecurityAnnotations(BuildProducer<AnnotationsTransformerBuildItem> buildProducer, List<AdditionalSecuredMethodsBuildItem> list) {
        if (this.security.denyUnannotatedMembers()) {
            buildProducer.produce(new AnnotationsTransformerBuildItem(AnnotationTransformation.forClasses()
                    .whenClass(new DenyUnannotatedPredicate())
                    .transform(context -> context.add(DenyAll.class))));
        }
        // An empty list simply skips the loop.
        for (AdditionalSecuredMethodsBuildItem securedMethods : list) {
            Set<MethodDescription> descriptions = new HashSet<>();
            for (MethodInfo method : securedMethods.additionalSecuredMethods) {
                descriptions.add(createMethodDescription(method));
            }
            if (!securedMethods.rolesAllowed.isPresent()) {
                AdditionalDenyingUnannotatedTransformer denying = new AdditionalDenyingUnannotatedTransformer(descriptions);
                buildProducer.produce(new AnnotationsTransformerBuildItem(AnnotationTransformation.forMethods().whenMethod(denying).transform(denying)));
                continue;
            }
            AdditionalRolesAllowedTransformer rolesAllowed = new AdditionalRolesAllowedTransformer(descriptions, securedMethods.rolesAllowed.get());
            buildProducer.produce(new AnnotationsTransformerBuildItem(AnnotationTransformation.forMethods().whenMethod(rolesAllowed).transform(rolesAllowed)));
        }
    }

    /**
     * Adds the {@code DotNames.INHERITED} annotation to the standard security annotation classes
     * (permit-all, deny-all, authenticated, permissions-allowed, roles-allowed).
     *
     * <p>The transformation targets the annotation classes themselves: it matches classes whose
     * name equals one of the listed annotation names.
     */
    @BuildStep
    void makeSecurityAnnotationsInherited(BuildProducer<AnnotationsTransformerBuildItem> buildProducer) {
        final Set<DotName> securityAnnotationNames = Set.of(
                DotNames.PERMIT_ALL,
                DotNames.DENY_ALL,
                DotNames.AUTHENTICATED,
                DotNames.PERMISSIONS_ALLOWED,
                DotNames.ROLES_ALLOWED);
        AnnotationTransformation markInherited = AnnotationTransformation.forClasses()
                .whenClass(candidate -> securityAnnotationNames.contains(candidate.name()))
                .transform(context -> context.add(AnnotationInstance.builder(DotNames.INHERITED).build()));
        buildProducer.produce(new AnnotationsTransformerBuildItem(markInherited));
    }

    /**
     * Copies the permission annotation instances found through meta-annotations onto the methods
     * and classes that carry those meta-annotations, by registering one annotation transformer per
     * instance.
     *
     * <p>Method-targeted instances are always applied. Class-targeted instances are skipped for a
     * class that declares any annotation named by a {@code ClassSecurityCheckAnnotationBuildItem}.
     *
     * <p>NOTE(review): the method transformer is selected by declaring class name and method name
     * only; confirm how overloaded methods with the same name are treated.
     *
     * @return the build item produced by {@code movePermFromMetaAnnToMetaTarget}
     */
    @BuildStep
    PermissionsAllowedMetaAnnotationBuildItem transformPermissionsAllowedMetaAnnotations(BeanArchiveIndexBuildItem beanArchiveIndexBuildItem, BuildProducer<AnnotationsTransformerBuildItem> buildProducer, List<ClassSecurityCheckAnnotationBuildItem> list) {
        PermissionsAllowedMetaAnnotationBuildItem movePermFromMetaAnnToMetaTarget = PermissionSecurityChecks.PermissionSecurityChecksBuilder.movePermFromMetaAnnToMetaTarget(beanArchiveIndexBuildItem.getIndex());
        // Pass 1: instances whose target is a method are added to that method.
        movePermFromMetaAnnToMetaTarget.getTransitiveInstances().stream().filter(annotationInstance -> {
            return annotationInstance.target().kind() == AnnotationTarget.Kind.METHOD;
        }).forEach(annotationInstance2 -> {
            MethodInfo asMethod = annotationInstance2.target().asMethod();
            buildProducer.produce(new AnnotationsTransformerBuildItem(AnnotationTransformation.forMethods().whenMethod(asMethod.declaringClass().name(), asMethod.name()).transform(transformationContext -> {
                transformationContext.add(annotationInstance2);
            })));
        });
        // Names of the class-level security check annotations contributed by other build steps.
        Set set = (Set) list.stream().map((v0) -> {
            return v0.getClassAnnotation();
        }).collect(Collectors.toSet());
        // Pass 2: instances whose target is a class. With an empty name set every class passes;
        // otherwise a class that declares one of the named annotations is left untouched.
        movePermFromMetaAnnToMetaTarget.getTransitiveInstances().stream().filter(annotationInstance3 -> {
            return annotationInstance3.target().kind() == AnnotationTarget.Kind.CLASS;
        }).filter(set.isEmpty() ? annotationInstance4 -> {
            return true;
        } : annotationInstance5 -> {
            Iterator it = annotationInstance5.target().asClass().declaredAnnotations().iterator();
            while (it.hasNext()) {
                if (set.contains(((AnnotationInstance) it.next()).name())) {
                    return false;
                }
            }
            return true;
        }).forEach(annotationInstance6 -> {
            buildProducer.produce(new AnnotationsTransformerBuildItem(AnnotationTransformation.forClasses().whenClass(annotationInstance6.target().asClass().name()).transform(transformationContext -> {
                transformationContext.add(annotationInstance6);
            })));
        });
        return movePermFromMetaAnnToMetaTarget;
    }

    /**
     * Wraps a new permission security checks builder, created from the bean archive index
     * and the resolved meta-annotation item, in a build item for later build steps.
     */
    @BuildStep
    PermissionSecurityChecksBuilderBuildItem createPermissionSecurityChecksBuilder(BeanArchiveIndexBuildItem beanArchiveIndexBuildItem, PermissionsAllowedMetaAnnotationBuildItem permissionsAllowedMetaAnnotationBuildItem) {
        var checksBuilder = new PermissionSecurityChecks.PermissionSecurityChecksBuilder(
                beanArchiveIndexBuildItem.getIndex(), permissionsAllowedMetaAnnotationBuildItem);
        return new PermissionSecurityChecksBuilderBuildItem(checksBuilder);
    }

    /**
     * Keeps removable class beans whose target carries the permission checker annotation,
     * so that unused-bean removal does not drop them.
     *
     * @return a build item whose predicate is true only for removable class beans with a
     *         target annotated with {@code PermissionSecurityChecks.PERMISSION_CHECKER_NAME}
     */
    @BuildStep
    UnremovableBeanBuildItem makePermissionCheckerClassBeansUnremovable() {
        return new UnremovableBeanBuildItem(bean -> {
            if (!bean.isRemovable() || !bean.isClassBean()) {
                return false;
            }
            // A bean without a target never matches.
            return bean.getTarget()
                    .filter(target -> target.hasAnnotation(PermissionSecurityChecks.PERMISSION_CHECKER_NAME))
                    .isPresent();
        });
    }

    /**
     * Allows the blocking annotation on methods that are also declared as permission
     * checkers; both annotations must be declared on the method itself.
     */
    @BuildStep
    ExecutionModelAnnotationsAllowedBuildItem supportBlockingExecutionOfPermissionChecks() {
        Predicate<MethodInfo> isBlockingPermissionChecker = method ->
                method.hasDeclaredAnnotation(PermissionSecurityChecks.PERMISSION_CHECKER_NAME)
                        && method.hasDeclaredAnnotation(PermissionSecurityChecks.BLOCKING);
        return new ExecutionModelAnnotationsAllowedBuildItem(isBlockingPermissionChecker);
    }

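    /**
     * Registers the synthetic permission-checking identity augmentor and generates the
     * permission checkers, but only when at least one permission checker was found.
     *
     * <p>Every checker method's declaring class must resolve to at least one CDI bean, and
     * none of the matching beans may be dependent scoped; either violation fails the build.
     *
     * @param permissionSecurityChecksBuilderBuildItem holder of the checks builder
     * @param buildProducer sink for the synthetic augmentor bean
     * @param securityCheckRecorder recorder that creates the augmentor at static init
     * @param beanDiscoveryFinishedBuildItem source of the discovered beans
     * @param buildProducer2 sink for the generated checker classes
     * @throws RuntimeException if a checker's declaring class has no matching bean, or a
     *         matching bean is dependent scoped
     */
    @BuildStep
    @Record(ExecutionTime.STATIC_INIT)
    void configurePermissionCheckers(PermissionSecurityChecksBuilderBuildItem permissionSecurityChecksBuilderBuildItem, BuildProducer<SyntheticBeanBuildItem> buildProducer, SecurityCheckRecorder securityCheckRecorder, BeanDiscoveryFinishedBuildItem beanDiscoveryFinishedBuildItem, BuildProducer<GeneratedClassBuildItem> buildProducer2) {
        if (!permissionSecurityChecksBuilderBuildItem.instance.foundPermissionChecker()) {
            return;
        }
        SyntheticBeanBuildItem.ExtendedBeanConfigurator augmentorBean = SyntheticBeanBuildItem
                .configure(QuarkusPermissionSecurityIdentityAugmentor.class)
                .addType(SecurityIdentityAugmentor.class)
                .scope(Dependent.class)
                .unremovable()
                .addInjectionPoint(Type.create(BlockingSecurityExecutor.class), new AnnotationInstance[0])
                .createWith(securityCheckRecorder.createPermissionAugmentor());
        permissionSecurityChecksBuilderBuildItem.instance.getPermissionCheckers().stream().forEach(checkerMethod -> {
            Type checkerClassType = Type.create(checkerMethod.declaringClass().name(), Type.Kind.CLASS);
            var matchingBeans = beanDiscoveryFinishedBuildItem.beanStream()
                    .assignableTo(checkerClassType, new AnnotationInstance[0])
                    .collect();
            if (matchingBeans.isEmpty()) {
                throw new RuntimeException("@PermissionChecker declared on method '%s', but no matching CDI bean could be found for the declaring class '%s'.\n".formatted(checkerMethod.name(), checkerClassType.name()));
            }
            boolean anyDependentScoped = matchingBeans.stream()
                    .anyMatch(bean -> BuiltinScope.DEPENDENT.getInfo().equals(bean.getScope()));
            if (anyDependentScoped) {
                // The message uses the 'Class#method' form, so the class name goes first,
                // as in the other diagnostics of this class.
                throw new RuntimeException("Found @PermissionChecker annotation instance declared on the CDI bean method '%s#%s'.\nThe CDI bean is a dependent scoped bean, but only the '@Singleton' bean or normal scoped beans are supported\n".formatted(checkerClassType.name(), checkerMethod.name()));
            }
            // The augmentor gets an injection point for every checker's declaring class.
            augmentorBean.addInjectionPoint(checkerClassType, new AnnotationInstance[0]);
        });
        buildProducer.produce(augmentorBean.done());
        permissionSecurityChecksBuilderBuildItem.instance.generatePermissionCheckers(buildProducer2);
    }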

    /**
     * Gathers the security check for every secured method and wraps the result in
     * {@code MethodSecurityChecks}.
     *
     * <p>Additional secured methods are de-duplicated by method description (first one
     * wins). Checks supplied through {@code AdditionalSecurityCheckBuildItem} are applied
     * last with {@code put}, so they replace a check gathered for the same method.
     *
     * @return the checks per method, including the additional security checks
     */
    @BuildStep
    @Record(ExecutionTime.STATIC_INIT)
    MethodSecurityChecks gatherSecurityChecks(BuildProducer<ConfigExpRolesAllowedSecurityCheckBuildItem> buildProducer, List<RolesAllowedConfigExpResolverBuildItem> list, BeanArchiveIndexBuildItem beanArchiveIndexBuildItem, BuildProducer<ApplicationClassPredicateBuildItem> buildProducer2, BuildProducer<RunTimeConfigBuilderBuildItem> buildProducer3, List<AdditionalSecuredMethodsBuildItem> list2, SecurityCheckRecorder securityCheckRecorder, List<AdditionalSecurityAnnotationBuildItem> list3, BuildProducer<ClassSecurityCheckStorageBuildItem> buildProducer4, List<RegisterClassSecurityCheckBuildItem> list4, BuildProducer<ReflectiveClassBuildItem> buildProducer5, List<AdditionalSecurityCheckBuildItem> list5, PermissionSecurityChecksBuilderBuildItem permissionSecurityChecksBuilderBuildItem, BuildProducer<GeneratedClassBuildItem> buildProducer6, BuildProducer<ReflectiveClassBuildItem> buildProducer7) {
        Set<DotName> additionalAnnotationNames = list3.stream()
                .map(AdditionalSecurityAnnotationBuildItem::getSecurityAnnotationName)
                .collect(Collectors.toSet());
        Predicate<MethodInfo> securedByAdditionalAnnotation = hasAdditionalSecurityAnnotation(additionalAnnotationNames);

        buildProducer2.produce(new ApplicationClassPredicateBuildItem(new SecurityCheckStorageAppPredicate()));

        // Keyed by method description so the same method contributed twice is kept once.
        Map<MethodDescription, AdditionalSecured> additionalSecuredMethods = new HashMap<>();
        for (AdditionalSecuredMethodsBuildItem item : list2) {
            for (MethodInfo securedMethod : item.additionalSecuredMethods) {
                additionalSecuredMethods.putIfAbsent(
                        createMethodDescription(securedMethod),
                        new AdditionalSecured(securedMethod, item.rolesAllowed));
            }
        }

        Map<MethodInfo, SecurityCheck> checksByMethod = gatherSecurityAnnotations(beanArchiveIndexBuildItem.getIndex(), buildProducer, additionalSecuredMethods.values(), this.security.denyUnannotatedMembers(), securityCheckRecorder, buildProducer3, buildProducer5, list, list4, buildProducer4, securedByAdditionalAnnotation, list3, permissionSecurityChecksBuilderBuildItem.instance, buildProducer6, buildProducer7);

        // Applied last: an additional check overwrites whatever was gathered for the method.
        for (AdditionalSecurityCheckBuildItem additionalCheck : list5) {
            checksByMethod.put(additionalCheck.getMethodInfo(), additionalCheck.getSecurityCheck());
        }
        return new MethodSecurityChecks(checksByMethod);
    }

    /**
     * Records every gathered method security check into a storage builder and exposes the
     * resulting storage as an unremovable application-scoped synthetic bean.
     *
     * <p>When a {@code DefaultSecurityCheckBuildItem} is present, a default check is
     * registered as well: deny-all when its roles are {@code null}, roles-allowed otherwise.
     *
     * @throws IllegalStateException if more than one default security check item was produced
     */
    @BuildStep
    @Consume(Capabilities.class)
    @Record(ExecutionTime.STATIC_INIT)
    void createSecurityCheckStorage(BuildProducer<SyntheticBeanBuildItem> buildProducer, BuildProducer<ApplicationClassPredicateBuildItem> buildProducer2, SecurityCheckRecorder securityCheckRecorder, MethodSecurityChecks methodSecurityChecks, List<DefaultSecurityCheckBuildItem> list) {
        buildProducer2.produce(new ApplicationClassPredicateBuildItem(new SecurityCheckStorageAppPredicate()));

        var storageBuilder = securityCheckRecorder.newBuilder();
        for (Map.Entry<MethodInfo, SecurityCheck> checkEntry : methodSecurityChecks.securityChecks.entrySet()) {
            MethodInfo securedMethod = checkEntry.getKey();
            // The recorder identifies a method by class name, method name and parameter type names.
            String[] parameterTypeNames = new String[securedMethod.parametersCount()];
            for (int index = 0; index < securedMethod.parametersCount(); index++) {
                parameterTypeNames[index] = securedMethod.parameterType(index).name().toString();
            }
            securityCheckRecorder.addMethod(storageBuilder, securedMethod.declaringClass().name().toString(), securedMethod.name(), parameterTypeNames, checkEntry.getValue());
        }

        if (list.size() > 1) {
            throw new IllegalStateException("Found %d DefaultSecurityCheckBuildItem items, ".formatted(list.size()) + "please make sure the item is produced exactly once");
        }
        if (list.size() == 1) {
            List<String> defaultRoles = list.get(0).getRolesAllowed();
            // No roles on the default check item means the default is to deny.
            var defaultCheck = defaultRoles == null
                    ? securityCheckRecorder.denyAll()
                    : securityCheckRecorder.rolesAllowed(defaultRoles.toArray(new String[0]));
            securityCheckRecorder.registerDefaultSecurityCheck(storageBuilder, defaultCheck);
        }

        buildProducer.produce(SyntheticBeanBuildItem.configure(SecurityCheckStorage.class)
                .scope(ApplicationScoped.class)
                .unremovable()
                .runtimeProxy(securityCheckRecorder.create(storageBuilder))
                .done());
    }

    /**
     * Asks the recorder, at runtime init, to resolve roles written as configuration
     * expressions; does nothing when no such roles-allowed check was produced.
     *
     * @param optional present when a config-expression roles-allowed check exists
     * @param securityCheckRecorder recorder performing the resolution
     */
    @BuildStep
    @Consume(RuntimeConfigSetupCompleteBuildItem.class)
    @Record(ExecutionTime.RUNTIME_INIT)
    public void resolveConfigExpressionRoles(Optional<ConfigExpRolesAllowedSecurityCheckBuildItem> optional, SecurityCheckRecorder securityCheckRecorder) {
        if (optional.isEmpty()) {
            return;
        }
        securityCheckRecorder.resolveRolesAllowedConfigExpRoles();
    }

    /**
     * Builds the map of security checks per method from the annotations in the index.
     *
     * <p>Processing order: method-level standard annotations, permissions-allowed
     * annotations (when any were found), class-level standard annotations, validation of
     * additional security annotations, additional secured methods, roles-allowed checks,
     * class-level check storage, config-expression bookkeeping and, last, the
     * deny-unannotated pass.
     *
     * @param indexView index queried for the annotation instances
     * @param buildProducer receives an item when a roles-allowed check uses a config expression
     * @param collection additional secured methods contributed by other build steps
     * @param z whether unannotated members are denied (the caller passes
     *        {@code security.denyUnannotatedMembers()})
     * @param securityCheckRecorder recorder that creates the security checks
     * @param buildProducer2 receives the roles-allowed config builder when expressions are used
     * @param buildProducer3 receives the reflection registration of the permission classes
     * @param list explicitly registered role config expressions
     * @param list2 classes for which a class-level check must be stored
     * @param buildProducer4 receives the class-level check storage
     * @param predicate true for methods secured by an additional security annotation
     * @param list3 additional security annotations
     * @param permissionSecurityChecksBuilder builder for the permissions-allowed checks
     * @param buildProducer5 passed to the permission parameter converter generator
     * @param buildProducer6 passed to the permission parameter converter generator
     * @return the security check to apply per method
     * @throws RuntimeException if a class combines an additional security annotation with a
     *         standard one
     * @throws IllegalStateException if an additional secured method is already annotated with
     *         the annotation it would receive, or a registered class check uses an unknown
     *         annotation
     * @throws NullPointerException if a registered permissions-allowed class check has no
     *         check in the class-name map
     */
    private static Map<MethodInfo, SecurityCheck> gatherSecurityAnnotations(IndexView indexView, BuildProducer<ConfigExpRolesAllowedSecurityCheckBuildItem> buildProducer, Collection<AdditionalSecured> collection, boolean z, SecurityCheckRecorder securityCheckRecorder, BuildProducer<RunTimeConfigBuilderBuildItem> buildProducer2, BuildProducer<ReflectiveClassBuildItem> buildProducer3, List<RolesAllowedConfigExpResolverBuildItem> list, List<RegisterClassSecurityCheckBuildItem> list2, BuildProducer<ClassSecurityCheckStorageBuildItem> buildProducer4, Predicate<MethodInfo> predicate, List<AdditionalSecurityAnnotationBuildItem> list3, PermissionSecurityChecks.PermissionSecurityChecksBuilder permissionSecurityChecksBuilder, BuildProducer<GeneratedClassBuildItem> buildProducer5, BuildProducer<ReflectiveClassBuildItem> buildProducer6) {
        Map<DotName, SecurityCheck> of;
        boolean z2;
        // hashMap: method -> annotation instance already claimed for it (read back below with
        // hashMap.get(methodInfo)); it is shared by all gatherers and the permission builder.
        HashMap hashMap = new HashMap();
        // hashMap2: second map shared by the gatherers and the permission builder.
        // NOTE(review): its contents are not visible from this method - confirm in
        // SecurityAnnotationGatherer.
        HashMap hashMap2 = new HashMap();
        // hashMap3: the result, method -> security check.
        HashMap hashMap3 = new HashMap();
        SecurityAnnotationGatherer securityAnnotationGatherer = new SecurityAnnotationGatherer(indexView.getAnnotations(DotNames.PERMIT_ALL), hashMap, (methodInfo, annotationInstance) -> {
            hashMap3.put(methodInfo, securityCheckRecorder.permitAll());
        }, hashMap2, predicate);
        SecurityAnnotationGatherer securityAnnotationGatherer2 = new SecurityAnnotationGatherer(indexView.getAnnotations(DotNames.AUTHENTICATED), hashMap, (methodInfo2, annotationInstance2) -> {
            hashMap3.put(methodInfo2, securityCheckRecorder.authenticated());
        }, hashMap2, predicate);
        SecurityAnnotationGatherer securityAnnotationGatherer3 = new SecurityAnnotationGatherer(indexView.getAnnotations(DotNames.DENY_ALL), hashMap, (methodInfo3, annotationInstance3) -> {
            hashMap3.put(methodInfo3, securityCheckRecorder.denyAll());
        }, hashMap2, predicate);
        // hashMap4: method -> allowed roles; turned into checks later so that equal role
        // sets can share one check.
        HashMap hashMap4 = new HashMap();
        SecurityAnnotationGatherer securityAnnotationGatherer4 = new SecurityAnnotationGatherer(indexView.getAnnotations(DotNames.ROLES_ALLOWED), hashMap, (methodInfo4, annotationInstance4) -> {
            hashMap4.put(methodInfo4, annotationInstance4.value().asStringArray());
        }, hashMap2, predicate);
        // Method-level annotations are gathered before the class-level ones further down.
        securityAnnotationGatherer.gatherMethodSecurityAnnotations();
        securityAnnotationGatherer2.gatherMethodSecurityAnnotations();
        securityAnnotationGatherer3.gatherMethodSecurityAnnotations();
        securityAnnotationGatherer4.gatherMethodSecurityAnnotations();
        if (permissionSecurityChecksBuilder.foundPermissionsAllowedInstances()) {
            // Only the registered class checks that use the permissions-allowed annotation
            // are handed to the permission builder.
            PermissionSecurityChecks build = permissionSecurityChecksBuilder.prepareParamConverterGenerator(securityCheckRecorder, buildProducer5, buildProducer6).gatherPermissionsAllowedAnnotations(hashMap, hashMap2, list2.stream().filter(registerClassSecurityCheckBuildItem -> {
                return DotNames.PERMISSIONS_ALLOWED.equals(registerClassSecurityCheckBuildItem.securityAnnotationInstance.name());
            }).map(registerClassSecurityCheckBuildItem2 -> {
                return registerClassSecurityCheckBuildItem2.securityAnnotationInstance;
            }).toList(), predicate).validatePermissionClasses().createPermissionPredicates().build();
            hashMap3.putAll(build.getMethodSecurityChecks());
            of = build.getClassNameSecurityChecks();
            // Permission classes are registered for reflection with their constructors,
            // fields and methods.
            for (String str : build.permissionClasses()) {
                buildProducer3.produce(ReflectiveClassBuildItem.builder(new String[]{str}).constructors().fields().methods().build());
                log.debugf("Register Permission class for reflection: %s", str);
            }
        } else {
            of = Map.of();
        }
        securityAnnotationGatherer.gatherClassSecurityAnnotations();
        securityAnnotationGatherer2.gatherClassSecurityAnnotations();
        securityAnnotationGatherer3.gatherClassSecurityAnnotations();
        securityAnnotationGatherer4.gatherClassSecurityAnnotations();
        // A class must not combine an additional security annotation with a standard one;
        // the first offending class per additional annotation fails the build.
        list3.stream().map((v0) -> {
            return v0.getSecurityAnnotationName();
        }).forEach(dotName -> {
            indexView.getAnnotations(dotName).stream().filter(annotationInstance5 -> {
                return annotationInstance5.target().kind() == AnnotationTarget.Kind.CLASS;
            }).map(annotationInstance6 -> {
                return annotationInstance6.target().asClass();
            }).filter(SecurityTransformerUtils::hasSecurityAnnotation).findFirst().ifPresent(classInfo -> {
                throw new RuntimeException("Class '%s' is annotated with '%s' and '%s' security annotations,\nhowever security annotations cannot be combined.\n".formatted(classInfo.name(), dotName, ((AnnotationInstance) SecurityTransformerUtils.findFirstStandardSecurityAnnotation(classInfo).get()).name()));
            });
        });
        // Additional secured methods: only public, non-static, non-constructor methods that
        // are not covered by an additional security annotation are considered.
        for (AdditionalSecured additionalSecured : collection) {
            if (isPublicNonStaticNonConstructor(additionalSecured.methodInfo) && !predicate.test(additionalSecured.methodInfo)) {
                AnnotationInstance annotationInstance5 = hashMap.get(additionalSecured.methodInfo);
                if (additionalSecured.rolesAllowed.isPresent()) {
                    if (annotationInstance5 == null) {
                        hashMap4.put(additionalSecured.methodInfo, (String[]) additionalSecured.rolesAllowed.get().toArray(i -> {
                            return new String[i];
                        }));
                    } else if (alreadyHasAnnotation(annotationInstance5, DotNames.ROLES_ALLOWED)) {
                        throw new IllegalStateException("Method " + String.valueOf(additionalSecured.methodInfo.declaringClass()) + "#" + additionalSecured.methodInfo.name() + " should not have been added as an additional secured method as it's already annotated with @RolesAllowed.");
                    }
                    // Any other annotation already claimed for the method is left in place.
                } else if (annotationInstance5 == null) {
                    // No roles given and nothing claimed for the method yet: deny access.
                    hashMap3.put(additionalSecured.methodInfo, securityCheckRecorder.denyAll());
                } else if (alreadyHasAnnotation(annotationInstance5, DotNames.DENY_ALL)) {
                    throw new IllegalStateException("Method " + String.valueOf(additionalSecured.methodInfo.declaringClass()) + "#" + additionalSecured.methodInfo.name() + " should not have been added as an additional secured method as it's already annotated with @DenyAll.");
                }
            }
        }
        // hashMap5 caches roles-allowed checks per role set; atomicInteger hands out the keys
        // for config expressions and atomicBoolean records whether any role used one.
        HashMap hashMap5 = new HashMap();
        AtomicInteger atomicInteger = new AtomicInteger(0);
        AtomicBoolean atomicBoolean = new AtomicBoolean(false);
        for (Map.Entry entry : hashMap4.entrySet()) {
            hashMap3.put((MethodInfo) entry.getKey(), computeRolesAllowedCheck(hashMap5, atomicBoolean, atomicInteger, securityCheckRecorder, (String[]) entry.getValue()));
        }
        if (!list2.isEmpty()) {
            ClassSecurityCheckStorageBuildItem.ClassStorageBuilder classStorageBuilder = new ClassSecurityCheckStorageBuildItem.ClassStorageBuilder();
            Map<DotName, SecurityCheck> map = of;
            list2.forEach(registerClassSecurityCheckBuildItem3 -> {
                SecurityCheck securityCheck;
                DotName name = registerClassSecurityCheckBuildItem3.securityAnnotationInstance.name();
                if (DotNames.DENY_ALL.equals(name)) {
                    securityCheck = securityCheckRecorder.denyAll();
                } else if (DotNames.PERMIT_ALL.equals(name)) {
                    securityCheck = securityCheckRecorder.permitAll();
                } else if (DotNames.AUTHENTICATED.equals(name)) {
                    securityCheck = securityCheckRecorder.authenticated();
                } else if (DotNames.ROLES_ALLOWED.equals(name)) {
                    securityCheck = computeRolesAllowedCheck(hashMap5, atomicBoolean, atomicInteger, securityCheckRecorder, registerClassSecurityCheckBuildItem3.securityAnnotationInstance.value().asStringArray());
                } else {
                    // Anything that is not a known security annotation fails the build rather
                    // than leaving the class without a check.
                    if (!DotNames.PERMISSIONS_ALLOWED.equals(name)) {
                        throw new IllegalStateException("Found unknown security annotation: " + String.valueOf(name));
                    }
                    // requireNonNull: a missing permission check for the class is an error, not
                    // an unsecured class.
                    securityCheck = (SecurityCheck) Objects.requireNonNull((SecurityCheck) map.get(registerClassSecurityCheckBuildItem3.className));
                }
                classStorageBuilder.addSecurityCheck(registerClassSecurityCheckBuildItem3.className, securityCheck);
            });
            buildProducer4.produce(classStorageBuilder.build());
        }
        // z2: whether the roles-allowed config builder is needed - always when expressions
        // were registered explicitly, otherwise only when a role used an expression.
        if (list.isEmpty()) {
            z2 = atomicBoolean.get();
        } else {
            z2 = true;
            for (RolesAllowedConfigExpResolverBuildItem rolesAllowedConfigExpResolverBuildItem : list) {
                securityCheckRecorder.recordRolesAllowedConfigExpression(rolesAllowedConfigExpResolverBuildItem.getRoleConfigExpr(), atomicInteger.getAndIncrement(), rolesAllowedConfigExpResolverBuildItem.getConfigValueRecorder());
            }
        }
        if (atomicBoolean.get()) {
            buildProducer.produce(new ConfigExpRolesAllowedSecurityCheckBuildItem());
        }
        if (z2) {
            buildProducer2.produce(new RunTimeConfigBuilderBuildItem(QuarkusSecurityRolesAllowedConfigBuilder.class.getName()));
        }
        if (z) {
            // Deny-unannotated pass: within this method it only visits classes that declare
            // at least one method recorded in hashMap. In those classes every other public,
            // non-static, non-constructor method without an additional security annotation
            // gets a deny-all check.
            HashSet hashSet = new HashSet(hashMap.keySet().size());
            Iterator<MethodInfo> it = hashMap.keySet().iterator();
            while (it.hasNext()) {
                hashSet.add(it.next().declaringClass());
            }
            Iterator it2 = hashSet.iterator();
            while (it2.hasNext()) {
                for (MethodInfo methodInfo5 : ((ClassInfo) it2.next()).methods()) {
                    if (isPublicNonStaticNonConstructor(methodInfo5) && !hashMap.containsKey(methodInfo5) && !predicate.test(methodInfo5)) {
                        hashMap3.put(methodInfo5, securityCheckRecorder.denyAll());
                    }
                }
            }
        }
        return hashMap3;
    }

    /**
     * Returns the roles-allowed check for the given roles, creating it on first use.
     *
     * <p>Checks are cached by the set of roles, so arrays holding the same roles share the
     * check built from the first array seen. Roles containing a config expression produce a
     * supplier-based check, flip {@code atomicBoolean} to {@code true} and take one key per
     * expression from {@code atomicInteger}.
     *
     * @param map cache of checks keyed by role set
     * @param atomicBoolean set to {@code true} when a config expression is found
     * @param atomicInteger source of config expression keys
     * @param securityCheckRecorder recorder that creates the check
     * @param strArr allowed roles
     * @return the cached or newly created check
     */
    private static SecurityCheck computeRolesAllowedCheck(Map<Set<String>, SecurityCheck> map, final AtomicBoolean atomicBoolean, final AtomicInteger atomicInteger, final SecurityCheckRecorder securityCheckRecorder, final String[] strArr) {
        return map.computeIfAbsent(getSetForKey(strArr), roleSet -> {
            int[] expressionPositions = SecurityProcessor.configExpressionPositions(strArr);
            if (expressionPositions.length == 0) {
                return securityCheckRecorder.rolesAllowed(strArr);
            }
            atomicBoolean.set(true);
            // One key per expression, handed out in position order.
            int[] expressionKeys = new int[expressionPositions.length];
            Arrays.setAll(expressionKeys, ignoredIndex -> atomicInteger.getAndIncrement());
            return securityCheckRecorder.rolesAllowedSupplier(strArr, expressionPositions, expressionKeys);
        });
    }

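    /**
     * Finds the roles that are written as configuration expressions.
     *
     * <p>A role counts as an expression when it contains <code>${</code> followed, at a
     * later index, by a closing brace. A role name that contains these characters literally
     * is therefore treated as an expression too.
     *
     * <p>The positions are returned in ascending order, so the result does not depend on
     * hash iteration order.
     *
     * @param strArr allowed roles; must not be {@code null} or contain {@code null}
     * @return indexes into {@code strArr} of the expression roles, empty when there are none
     */
    public static int[] configExpressionPositions(String[] strArr) {
        int[] positions = new int[strArr.length];
        int found = 0;
        for (int i = 0; i < strArr.length; i++) {
            String role = strArr[i];
            int expressionStart = role.indexOf("${");
            if (expressionStart >= 0 && role.indexOf('}', expressionStart + 2) > 0) {
                positions[found++] = i;
            }
        }
        return Arrays.copyOf(positions, found);
    }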

    /**
     * Turns the roles into the set used as cache key for roles-allowed checks; order and
     * duplicates of the roles do not matter for the key.
     *
     * @param strArr allowed roles
     * @return an empty set, a singleton set or a hash set holding the roles
     */
    private static Set<String> getSetForKey(String[] strArr) {
        switch (strArr.length) {
            case 0:
                return Collections.emptySet();
            case 1:
                return Collections.singleton(strArr[0]);
            default:
                return new HashSet<>(Arrays.asList(strArr));
        }
    }

    /**
     * Tells whether the instance is a method-level annotation with the given name.
     *
     * @param annotationInstance annotation instance to inspect
     * @param dotName expected annotation name
     * @return {@code true} only for a method target whose annotation name equals {@code dotName}
     */
    private static boolean alreadyHasAnnotation(AnnotationInstance annotationInstance, DotName dotName) {
        if (annotationInstance.target().kind() != AnnotationTarget.Kind.METHOD) {
            // Class-level instances never count as "already annotated".
            return false;
        }
        return annotationInstance.name().equals(dotName);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Tells whether the method is public, not static and not a constructor
     * (a method named {@code <init>}).
     *
     * @param methodInfo method to inspect
     * @return {@code true} when all three conditions hold
     */
    public static boolean isPublicNonStaticNonConstructor(MethodInfo methodInfo) {
        return Modifier.isPublic(methodInfo.flags())
                && !Modifier.isStatic(methodInfo.flags())
                && !"<init>".equals(methodInfo.name());
    }

    /**
     * Declares the security feature.
     *
     * @return the feature build item for {@code Feature.SECURITY}
     */
    @BuildStep
    FeatureBuildItem feature() {
        FeatureBuildItem securityFeature = new FeatureBuildItem(io.quarkus.deployment.Feature.SECURITY);
        return securityFeature;
    }

    /**
     * Registers the security identity beans as additional, unremovable beans.
     *
     * @param buildProducer sink for one additional bean item per class
     */
    @BuildStep
    void registerAdditionalBeans(BuildProducer<AdditionalBeanBuildItem> buildProducer) {
        List<Class<?>> securityBeanClasses = List.of(
                SecurityIdentityAssociation.class,
                IdentityProviderManagerCreator.class,
                SecurityIdentityProxy.class,
                X509IdentityProvider.class);
        for (Class<?> beanClass : securityBeanClasses) {
            buildProducer.produce(AdditionalBeanBuildItem.unremovableOf(beanClass));
        }
    }

    /**
     * Selects the authorization controller bean.
     *
     * <p>The controller that disables authorization is registered only when the launch mode
     * is {@code DEVELOPMENT} and authorization in dev mode is switched off in the security
     * configuration; every other combination registers the regular controller.
     *
     * @param launchModeBuildItem current launch mode
     * @return the additional bean item holding the selected controller class
     */
    @BuildStep
    AdditionalBeanBuildItem authorizationController(LaunchModeBuildItem launchModeBuildItem) {
        boolean authorizationDisabledForDevMode = launchModeBuildItem.getLaunchMode() == LaunchMode.DEVELOPMENT
                && !this.security.authorizationEnabledInDevMode();
        Class<?> controllerClass = authorizationDisabledForDevMode
                ? DevModeDisabledAuthorizationController.class
                : AuthorizationController.class;
        return AdditionalBeanBuildItem.builder().addBeanClass(controllerClass).build();
    }

    /**
     * Reports a validation error for every startup event observer method that is secured
     * by a standard security annotation other than permit-all, either on the method or,
     * where class-level interceptors apply, on the declaring class.
     *
     * @param synthesisFinishedBuildItem source of the registered observers
     * @param validationPhaseBuildItem provides the annotation store
     * @param beanArchiveIndexBuildItem not read by this step
     * @param buildProducer sink for the validation errors
     */
    @BuildStep
    void validateStartUpObserversNotSecured(SynthesisFinishedBuildItem synthesisFinishedBuildItem, ValidationPhaseBuildItem validationPhaseBuildItem, BeanArchiveIndexBuildItem beanArchiveIndexBuildItem, BuildProducer<ValidationPhaseBuildItem.ValidationErrorBuildItem> buildProducer) {
        AnnotationStore annotations = (AnnotationStore) validationPhaseBuildItem.getContext().get(BuildExtension.Key.ANNOTATION_STORE);
        synthesisFinishedBuildItem.getObservers().stream()
                .map(registered -> registered.asObserver())
                .filter(observer -> observer.getObservedType().name().equals(STARTUP_EVENT_NAME))
                .map(observer -> observer.getObserverMethod())
                .filter(Objects::nonNull)
                .forEach(observerMethod -> {
                    boolean secured = SecurityTransformerUtils.hasSecurityAnnotation(annotations.getAnnotations(observerMethod))
                            || hasClassLevelStandardSecurityAnnotation(observerMethod, annotations);
                    if (!secured) {
                        return;
                    }
                    ClassInfo observerClass = observerMethod.declaringClass();
                    // The method-level annotation is looked up first, then the class-level
                    // one; permit-all is the only annotation that does not raise an error.
                    SecurityTransformerUtils.findFirstStandardSecurityAnnotation(annotations.getAnnotations(observerMethod))
                            .or(() -> SecurityTransformerUtils.findFirstStandardSecurityAnnotation(annotations.getAnnotations(observerClass)))
                            .map(securityAnnotation -> securityAnnotation.name())
                            .filter(annotationName -> !annotationName.equals(DotNames.PERMIT_ALL))
                            .ifPresent(annotationName -> {
                                buildProducer.produce(new ValidationPhaseBuildItem.ValidationErrorBuildItem(new Throwable[]{new ConfigurationException(String.format("Method '%s#%s' cannot observe '%s' as the method is secured with the '%s' annotation", observerClass.name(), observerMethod.name(), STARTUP_EVENT_NAME, annotationName))}));
                            });
                });
    }

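    /**
     * Produces one class security check registration for every class that carries a
     * registered class-level annotation and is secured by a standard security annotation
     * or by a permissions-allowed meta-annotation.
     *
     * <p>A standard security annotation on the class takes precedence over the
     * permissions-allowed instance resolved through a meta-annotation.
     *
     * @param buildProducer sink for the class security check registrations
     * @param beanArchiveIndexBuildItem index searched for the registered annotations
     * @param permissionsAllowedMetaAnnotationBuildItem resolved permissions-allowed
     *        meta-annotations
     * @param list registered class-level annotations; nothing is produced when empty
     * @throws java.util.NoSuchElementException if a class passes the filter but no security
     *         annotation instance can be found for it
     */
    @BuildStep
    void gatherClassSecurityChecks(BuildProducer<RegisterClassSecurityCheckBuildItem> buildProducer, BeanArchiveIndexBuildItem beanArchiveIndexBuildItem, PermissionsAllowedMetaAnnotationBuildItem permissionsAllowedMetaAnnotationBuildItem, List<ClassSecurityCheckAnnotationBuildItem> list) {
        if (list.isEmpty()) {
            return;
        }
        IndexView index = beanArchiveIndexBuildItem.getIndex();
        // Both null checks run before the pipeline starts, so a missing index or producer
        // fails up front rather than halfway through the registrations.
        Objects.requireNonNull(index);
        Objects.requireNonNull(buildProducer);
        list.stream()
                .map(ClassSecurityCheckAnnotationBuildItem::getClassAnnotation)
                .map(index::getAnnotations)
                .flatMap(instances -> instances.stream())
                .filter(instance -> instance.target().kind() == AnnotationTarget.Kind.CLASS)
                .map(instance -> instance.target().asClass())
                .filter(annotatedClass -> SecurityTransformerUtils.hasSecurityAnnotation(annotatedClass)
                        || permissionsAllowedMetaAnnotationBuildItem.hasPermissionsAllowed(annotatedClass))
                .map(annotatedClass -> new RegisterClassSecurityCheckBuildItem(
                        annotatedClass.name(),
                        SecurityTransformerUtils.findFirstStandardSecurityAnnotation(annotatedClass)
                                .or(() -> permissionsAllowedMetaAnnotationBuildItem.findPermissionsAllowedInstance(annotatedClass))
                                .orElseThrow()))
                .forEach(buildProducer::produce);
    }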

    /**
     * Tells whether a security annotation on the declaring class applies to the method.
     *
     * @param methodInfo method to inspect
     * @param annotationStore store used to read the annotations
     * @return {@code true} when class-level interceptors apply to the method and the
     *         declaring class has a security annotation
     */
    private static boolean hasClassLevelStandardSecurityAnnotation(MethodInfo methodInfo, AnnotationStore annotationStore) {
        if (!applyClassLevenInterceptor(methodInfo, annotationStore)) {
            return false;
        }
        return SecurityTransformerUtils.hasSecurityAnnotation(annotationStore.getAnnotations(methodInfo.declaringClass()));
    }

    /**
     * Tells whether class-level interceptors apply to the method: it must not be a
     * constructor, must be public and must not carry the no-class-interceptors annotation.
     *
     * @param methodInfo method to inspect
     * @param annotationStore store used to look up the opt-out annotation
     * @return {@code true} when all three conditions hold
     */
    private static boolean applyClassLevenInterceptor(MethodInfo methodInfo, AnnotationStore annotationStore) {
        return !methodInfo.isConstructor()
                && Modifier.isPublic(methodInfo.flags())
                && !annotationStore.hasAnnotation(methodInfo, io.quarkus.arc.processor.DotNames.NO_CLASS_INTERCEPTORS);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Describes a method by declaring class name, method name and parameter type names.
     *
     * @param methodInfo method to describe
     * @return the description built from the three parts
     */
    public static MethodDescription createMethodDescription(MethodInfo methodInfo) {
        int parameterCount = methodInfo.parametersCount();
        String[] parameterTypeNames = new String[parameterCount];
        for (int index = 0; index < parameterCount; index++) {
            Type parameterType = methodInfo.parameterTypes().get(index);
            parameterTypeNames[index] = parameterType.name().toString();
        }
        String declaringClassName = methodInfo.declaringClass().name().toString();
        return new MethodDescription(declaringClassName, methodInfo.name(), parameterTypeNames);
    }

    /**
     * Creates a predicate that is true for methods declaring at least one of the given
     * annotations directly on the method.
     *
     * @param set names of the additional security annotations
     * @return the predicate; it throws {@link NullPointerException} for a {@code null} method
     */
    private static Predicate<MethodInfo> hasAdditionalSecurityAnnotation(final Set<DotName> set) {
        return methodInfo -> {
            // Checked first so that a null method fails even when the set is empty.
            Objects.requireNonNull(methodInfo);
            for (DotName annotationName : set) {
                if (methodInfo.hasDeclaredAnnotation(annotationName)) {
                    return true;
                }
            }
            return false;
        };
    }
}
