package io.quarkus.security.runtime.interceptor;

import io.quarkus.runtime.BlockingOperationNotAllowedException;
import io.quarkus.security.identity.SecurityIdentity;
import io.quarkus.security.runtime.SecurityConfig;
import io.quarkus.security.runtime.SecurityIdentityAssociation;
import io.quarkus.security.spi.runtime.AuthorizationFailureEvent;
import io.quarkus.security.spi.runtime.AuthorizationSuccessEvent;
import io.quarkus.security.spi.runtime.SecurityCheck;
import io.quarkus.security.spi.runtime.SecurityCheckStorage;
import io.quarkus.security.spi.runtime.SecurityEventHelper;
import io.smallrye.mutiny.Uni;
import jakarta.enterprise.event.Event;
import jakarta.enterprise.inject.spi.BeanManager;
import jakarta.inject.Inject;
import jakarta.inject.Singleton;
import java.lang.reflect.Method;
import java.util.Map;
import java.util.function.Consumer;
import java.util.function.Function;

/**
 * Applies the {@link SecurityCheck} registered for a method and reports the outcome as
 * authorization success/failure events.
 *
 * <p>Notes for anyone consuming the events as an audit trail:
 * <ul>
 *   <li>{@link #check} fires a success event whenever success events are enabled, including
 *       when no check is registered for the method or the check is permit-all. In those cases
 *       the event carries a {@code null} identity, and a {@code null} check class name when
 *       no check exists. A success event is therefore not proof that a constraint was
 *       evaluated.</li>
 *   <li>{@link #nonBlockingCheck} fires no event at all when no check is registered, so the
 *       two entry points are not symmetric for unsecured methods.</li>
 *   <li>Failure events cover failures of the check itself. A failure while resolving the
 *       identity is propagated to the caller but is not reported through the failure event
 *       in either entry point.</li>
 * </ul>
 */
@Singleton
/* loaded from: input_file:io/quarkus/security/runtime/interceptor/SecurityConstrainer.class */
public class SecurityConstrainer {
    /** Item emitted by {@link #nonBlockingCheck} when there is no check to run or the check is permit-all. */
    public static final Object CHECK_OK = new Object();

    /** Guidance attached to the exception rethrown when a blocking check is attempted on the event loop. */
    private static final String BLOCKING_CHECK_ON_EVENT_LOOP = "Blocking security check attempted in code running on the event loop. Make the secured method return an async type, i.e. Uni, Multi or CompletionStage, or use an authentication mechanism that sets the SecurityIdentity in a blocking manner prior to delegating the call";

    private final SecurityCheckStorage storage;
    private final SecurityEventHelper<AuthorizationSuccessEvent, AuthorizationFailureEvent> securityEventHelper;

    // Field-injected (package-private, non-final); source of the identity the checks are applied to.
    @Inject
    SecurityIdentityAssociation identityAssociation;

    /**
     * Wires the check storage and builds the event helper.
     *
     * @param securityCheckStorage lookup from method to its registered {@link SecurityCheck}
     * @param beanManager passed through to the event helper
     * @param securityConfig supplies {@code events().enabled()} for the event helper
     * @param event CDI event for authorization failures
     * @param event2 CDI event for authorization successes
     */
    SecurityConstrainer(SecurityCheckStorage securityCheckStorage, BeanManager beanManager, SecurityConfig securityConfig, Event<AuthorizationFailureEvent> event, Event<AuthorizationSuccessEvent> event2) {
        storage = securityCheckStorage;
        // The helper takes the success event first, then the failure event.
        final boolean eventsEnabled = securityConfig.events().enabled();
        securityEventHelper = new SecurityEventHelper<>(event2, event, SecurityEventHelper.AUTHORIZATION_SUCCESS, SecurityEventHelper.AUTHORIZATION_FAILURE, beanManager, eventsEnabled);
    }

    /**
     * Runs the registered check for {@code method} synchronously.
     *
     * <p>Returns normally when access is allowed; any exception raised by the check propagates
     * to the caller, after a failure event has been fired if failure events are enabled.
     *
     * @param method the intercepted method whose check is looked up
     * @param objArr the invocation arguments handed to the check
     * @throws BlockingOperationNotAllowedException rewrapped with remediation guidance when the
     *         identity lookup or the check raises it
     */
    public void check(Method method, Object[] objArr) {
        final SecurityCheck registeredCheck = storage.getSecurityCheck(method);
        final boolean mustEnforce = registeredCheck != null && !registeredCheck.isPermitAll();
        SecurityIdentity caller = null;

        if (mustEnforce) {
            try {
                // Resolved outside the inner try: a failure here is not reported as a failure event.
                caller = identityAssociation.getIdentity();
                final boolean reportFailures = securityEventHelper.fireEventOnFailure();
                if (!reportFailures) {
                    registeredCheck.apply(caller, method, objArr);
                } else {
                    try {
                        registeredCheck.apply(caller, method, objArr);
                    } catch (Exception denial) {
                        // Report first, then let the original exception reach the caller unchanged.
                        fireAuthZFailureEvent(caller, denial, registeredCheck);
                        throw denial;
                    }
                }
            } catch (BlockingOperationNotAllowedException onEventLoop) {
                throw new BlockingOperationNotAllowedException(BLOCKING_CHECK_ON_EVENT_LOOP, onEventLoop);
            }
        }

        // Reached for enforced, permit-all and absent checks alike; caller stays null unless enforced.
        if (securityEventHelper.fireEventOnSuccess()) {
            fireAuthZSuccessEvent(registeredCheck, caller);
        }
    }

    /**
     * Runs the registered check for {@code method} without blocking.
     *
     * @param method the intercepted method whose check is looked up
     * @param objArr the invocation arguments handed to the check
     * @return a {@link Uni} emitting {@link #CHECK_OK} when no check is registered or the check
     *         is permit-all; otherwise the {@link Uni} produced by the check against the deferred
     *         identity, with the enabled event hooks attached
     */
    public Uni<?> nonBlockingCheck(final Method method, final Object[] objArr) {
        final SecurityCheck registeredCheck = storage.getSecurityCheck(method);
        if (registeredCheck == null) {
            // No event is fired on this path.
            return Uni.createFrom().item(CHECK_OK);
        }
        if (registeredCheck.isPermitAll()) {
            if (securityEventHelper.fireEventOnSuccess()) {
                fireAuthZSuccessEvent(registeredCheck, null);
            }
            return Uni.createFrom().item(CHECK_OK);
        }
        // The event hooks are attached inside the mapper, so a failure of the deferred identity
        // itself is propagated without a failure event.
        return identityAssociation.getDeferredIdentity().onItem().transformToUni(new Function<SecurityIdentity, Uni<?>>() {
            @Override
            public Uni<?> apply(final SecurityIdentity securityIdentity) {
                // NOTE(review): the hooks are attached only after this call returns; an exception
                // thrown synchronously here would not be reported as a failure event. Confirm that
                // implementations signal denial through a failed Uni.
                final Uni<?> outcome = registeredCheck.nonBlockingApply(securityIdentity, method, objArr);
                return attachEventHooks(outcome, registeredCheck, securityIdentity);
            }
        });
    }

    /** Adds the failure and success event callbacks that are enabled to the check's result. */
    private Uni<?> attachEventHooks(Uni<?> outcome, final SecurityCheck registeredCheck, final SecurityIdentity caller) {
        Uni<?> reported = outcome;
        if (securityEventHelper.fireEventOnFailure()) {
            reported = reported.onFailure().invoke((Throwable denial) -> fireAuthZFailureEvent(caller, denial, registeredCheck));
        }
        if (securityEventHelper.fireEventOnSuccess()) {
            reported = reported.invoke(() -> fireAuthZSuccessEvent(registeredCheck, caller));
        }
        return reported;
    }

    /** Fires a success event; the check class name is {@code null} when no check was registered. */
    private void fireAuthZSuccessEvent(SecurityCheck securityCheck, SecurityIdentity securityIdentity) {
        String checkClassName = null;
        if (securityCheck != null) {
            checkClassName = securityCheck.getClass().getName();
        }
        securityEventHelper.fireSuccessEvent(new AuthorizationSuccessEvent(securityIdentity, checkClassName, (Map) null));
    }

    /** Fires a failure event carrying the identity, the failure and the check's class name. */
    private void fireAuthZFailureEvent(SecurityIdentity securityIdentity, Throwable th, SecurityCheck securityCheck) {
        // securityCheck is never null here: both call sites run only after a non-null check was found.
        final String checkClassName = securityCheck.getClass().getName();
        securityEventHelper.fireFailureEvent(new AuthorizationFailureEvent(securityIdentity, th, checkClassName));
    }
}
