package io.quarkus.spring.security.deployment;

import io.quarkus.arc.deployment.AdditionalBeanBuildItem;
import io.quarkus.arc.deployment.AnnotationsTransformerBuildItem;
import io.quarkus.arc.deployment.GeneratedBeanBuildItem;
import io.quarkus.arc.deployment.GeneratedBeanGizmoAdaptor;
import io.quarkus.arc.deployment.InterceptorBindingRegistrarBuildItem;
import io.quarkus.arc.deployment.UnremovableBeanBuildItem;
import io.quarkus.arc.processor.AnnotationsTransformer;
import io.quarkus.deployment.Feature;
import io.quarkus.deployment.GeneratedClassGizmoAdaptor;
import io.quarkus.deployment.annotations.BuildProducer;
import io.quarkus.deployment.annotations.BuildStep;
import io.quarkus.deployment.annotations.ExecutionTime;
import io.quarkus.deployment.annotations.Record;
import io.quarkus.deployment.builditem.CombinedIndexBuildItem;
import io.quarkus.deployment.builditem.FeatureBuildItem;
import io.quarkus.deployment.builditem.GeneratedClassBuildItem;
import io.quarkus.security.deployment.AdditionalSecurityCheckBuildItem;
import io.quarkus.security.runtime.SecurityCheckRecorder;
import io.quarkus.security.spi.SecurityTransformerUtils;
import io.quarkus.security.spi.runtime.SecurityCheck;
import io.quarkus.spring.di.deployment.SpringBeanNameToDotNameBuildItem;
import io.quarkus.spring.security.runtime.interceptor.SpringPreauthorizeInterceptor;
import io.quarkus.spring.security.runtime.interceptor.SpringSecuredInterceptor;
import io.quarkus.spring.security.runtime.interceptor.SpringSecurityRecorder;
import io.quarkus.spring.security.runtime.interceptor.check.PrincipalNameFromParameterObjectSecurityCheck;
import io.quarkus.spring.security.runtime.interceptor.check.PrincipalNameFromParameterSecurityCheck;
import java.lang.reflect.Modifier;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.jboss.jandex.AnnotationInstance;
import org.jboss.jandex.AnnotationTarget;
import org.jboss.jandex.AnnotationValue;
import org.jboss.jandex.ClassInfo;
import org.jboss.jandex.DotName;
import org.jboss.jandex.MethodInfo;

/* loaded from: input_file:io/quarkus/spring/security/deployment/SpringSecurityProcessor.class */
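/**
 * Build-time processor for the Spring Security compatibility feature.
 *
 * <p>It scans the combined Jandex index for Spring's {@code @Secured} and {@code @PreAuthorize}
 * annotations and turns each usage into an {@link AdditionalSecurityCheckBuildItem}. Every
 * expression is parsed here, at build time, with plain string and regex matching; this is not a
 * SpEL evaluator, so only the forms recognised in
 * {@link #addSpringPreAuthorizeSecurityCheck} are accepted and anything else fails the build.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 * <li>A class-level annotation is applied only to the public, non-static, non-constructor methods
 * returned by {@code ClassInfo.methods()}; other methods get no check from it.</li>
 * <li>Mixing a Spring annotation with a standard security annotation on the same class or method
 * aborts the build instead of picking one silently.</li>
 * <li>An unrecognised {@code @PreAuthorize} expression aborts the build, so a method is never left
 * unprotected because its expression could not be parsed.</li>
 * </ul>
 */
class SpringSecurityProcessor {
    /**
     * Matches {@code #param == principal.username} style expressions, optionally with one property
     * access on the parameter ({@code #param.field}) and an {@code authentication.} prefix.
     *
     * <p>NOTE(review): the dots in {@code authentication.} and {@code principal.username} are not
     * escaped, so each accepts any single character at that position. Tightening them would change
     * which expressions are accepted, so the pattern is left as is.
     */
    private static final String PARAMETER_EQ_PRINCIPAL_USERNAME_REGEX = "#(\\w+)(\\.(\\w+))?\\s+[=!]=\\s+(authentication.)?principal.username";
    private static final Pattern PARAMETER_EQ_PRINCIPAL_USERNAME_PATTERN = Pattern.compile(PARAMETER_EQ_PRINCIPAL_USERNAME_REGEX);
    /** Regex group holding the referenced method parameter name. */
    private static final int PARAMETER_EQ_PRINCIPAL_USERNAME_PARAMETER_NAME_GROUP = 1;
    /** Regex group holding the optional property accessed on the parameter. */
    private static final int PARAMETER_EQ_PRINCIPAL_USERNAME_PROPERTY_ACCESSOR_MATCHER_GROUP = 3;
    /** Matches {@code @beanName.method(...)} expressions that delegate the decision to a bean. */
    private static final Pattern BEAN_METHOD_INVOCATION_PATTERN = Pattern.compile("@(\\w+)\\.(\\w+)\\(.*\\)");

    /** Registers the Spring Security feature. */
    @BuildStep
    FeatureBuildItem feature() {
        return new FeatureBuildItem(Feature.SPRING_SECURITY);
    }

    /**
     * Registers the Spring annotations as interceptor bindings and adds the two interceptors that
     * enforce them as beans.
     */
    @BuildStep
    void registerSecurityInterceptors(BuildProducer<InterceptorBindingRegistrarBuildItem> buildProducer, BuildProducer<AdditionalBeanBuildItem> buildProducer2) {
        buildProducer.produce(new InterceptorBindingRegistrarBuildItem(new SpringSecurityAnnotationsRegistrar()));
        buildProducer2.produce(new AdditionalBeanBuildItem(SpringSecuredInterceptor.class));
        buildProducer2.produce(new AdditionalBeanBuildItem(SpringPreauthorizeInterceptor.class));
    }

    /**
     * Produces a roles-allowed security check for every method covered by {@code @Secured}.
     *
     * <p>Method-level annotations are handled first and remembered, so that a class-level
     * annotation never replaces a more specific method-level one. Annotation instances whose
     * {@code value()} is {@code null} are skipped and register no check.
     *
     * @throws IllegalArgumentException if a standard security annotation is also present on the
     *         same method or class
     */
    @BuildStep
    @Record(ExecutionTime.STATIC_INIT)
    void addSpringSecuredSecurityCheck(CombinedIndexBuildItem combinedIndexBuildItem, SecurityCheckRecorder securityCheckRecorder, BuildProducer<AdditionalSecurityCheckBuildItem> buildProducer) {
        Set<MethodInfo> methodsWithOwnAnnotation = new HashSet<>();

        // Pass 1: annotations placed directly on methods.
        for (AnnotationInstance instance : combinedIndexBuildItem.getIndex().getAnnotations(DotNames.SPRING_SECURED)) {
            if (instance.value() == null || instance.target().kind() != AnnotationTarget.Kind.METHOD) {
                continue;
            }
            String[] roles = instance.value().asStringArray();
            MethodInfo method = instance.target().asMethod();
            checksStandardSecurity(instance, method);
            checksStandardSecurity(instance, method.declaringClass());
            buildProducer.produce(new AdditionalSecurityCheckBuildItem(method, securityCheckRecorder.rolesAllowed(roles)));
            methodsWithOwnAnnotation.add(method);
        }

        // Pass 2: annotations placed on classes, applied to the eligible methods that do not
        // already carry a Spring Security annotation of their own.
        for (AnnotationInstance instance : combinedIndexBuildItem.getIndex().getAnnotations(DotNames.SPRING_SECURED)) {
            if (instance.value() == null || instance.target().kind() != AnnotationTarget.Kind.CLASS) {
                continue;
            }
            String[] roles = instance.value().asStringArray();
            ClassInfo clazz = instance.target().asClass();
            checksStandardSecurity(instance, clazz);
            for (MethodInfo method : clazz.methods()) {
                if (!isPublicNonStaticNonConstructor(method)) {
                    continue;
                }
                checksStandardSecurity(instance, method);
                if (!hasSpringSecurityAnnotationOtherThan(method, DotNames.SPRING_SECURED) && !methodsWithOwnAnnotation.contains(method)) {
                    buildProducer.produce(new AdditionalSecurityCheckBuildItem(method, securityCheckRecorder.rolesAllowed(roles)));
                }
            }
        }
    }

    /**
     * Tells whether the method carries any supported Spring Security annotation other than the
     * given one.
     *
     * @param methodInfo the method to inspect
     * @param dotName the annotation to ignore
     * @return {@code true} if another supported Spring Security annotation is present
     */
    private boolean hasSpringSecurityAnnotationOtherThan(MethodInfo methodInfo, DotName dotName) {
        Set<DotName> others = new HashSet<>(DotNames.SUPPORTED_SPRING_SECURITY_ANNOTATIONS);
        others.remove(dotName);
        for (AnnotationInstance annotation : methodInfo.annotations()) {
            if (others.contains(annotation.name())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Fails the build when the class also carries a standard security annotation, because the two
     * annotation families would otherwise compete for the same target.
     *
     * @throws IllegalArgumentException naming both annotations and the class
     */
    private void checksStandardSecurity(AnnotationInstance annotationInstance, ClassInfo classInfo) {
        if (SecurityTransformerUtils.hasSecurityAnnotation(classInfo) && SecurityTransformerUtils.findFirstStandardSecurityAnnotation(classInfo).isPresent()) {
            throw new IllegalArgumentException("An invalid security annotation combination was detected: Found @" + annotationInstance.name().withoutPackagePrefix() + " and @" + ((AnnotationInstance) SecurityTransformerUtils.findFirstStandardSecurityAnnotation(classInfo).get()).name().withoutPackagePrefix() + " on class " + classInfo.simpleName());
        }
    }

    /**
     * Fails the build when the method also carries a standard security annotation.
     *
     * @throws IllegalArgumentException naming both annotations and the method
     */
    private void checksStandardSecurity(AnnotationInstance annotationInstance, MethodInfo methodInfo) {
        if (SecurityTransformerUtils.hasSecurityAnnotation(methodInfo) && SecurityTransformerUtils.findFirstStandardSecurityAnnotation(methodInfo).isPresent()) {
            throw new IllegalArgumentException("An invalid security annotation combination was detected: Found " + annotationInstance.name().withoutPackagePrefix() + " and " + ((AnnotationInstance) SecurityTransformerUtils.findFirstStandardSecurityAnnotation(methodInfo).get()).name().withoutPackagePrefix() + " on method " + methodInfo.name());
        }
    }

    /**
     * Tells whether a class-level annotation should be applied to the method: it must be public,
     * not static and not a constructor.
     */
    private boolean isPublicNonStaticNonConstructor(MethodInfo methodInfo) {
        return Modifier.isPublic(methodInfo.flags())
                && !Modifier.isStatic(methodInfo.flags())
                && !"<init>".equals(methodInfo.name());
    }

    /**
     * Collects, for every method governed by {@code @PreAuthorize}, the annotation instance whose
     * expression applies to it.
     *
     * <p>Three sources are considered, in this order: annotations on methods, annotations on
     * classes (applied to eligible methods that have no entry yet), and meta-annotations, i.e.
     * annotation types that themselves carry {@code @PreAuthorize}. A meta-annotated method always
     * takes the expression declared on the meta-annotation, replacing any earlier entry.
     *
     * <p>Classes declaring meta-annotated methods additionally get an empty {@code @PreAuthorize}
     * added through an annotation transformer; presumably this is what makes the interceptor
     * binding apply to them (confirm against the registrar).
     *
     * @throws IllegalArgumentException if a standard security annotation is also present
     */
    @BuildStep
    void locatePreAuthorizedInstances(CombinedIndexBuildItem combinedIndexBuildItem, BuildProducer<SpringPreAuthorizeAnnotatedMethodBuildItem> buildProducer, BuildProducer<AnnotationsTransformerBuildItem> buildProducer2) {
        Map<MethodInfo, AnnotationInstance> methodToInstance = new HashMap<>();

        // Source 1: annotations placed directly on methods.
        for (AnnotationInstance instance : combinedIndexBuildItem.getIndex().getAnnotations(DotNames.SPRING_PRE_AUTHORIZE)) {
            if (instance.value() != null && instance.target().kind() == AnnotationTarget.Kind.METHOD) {
                MethodInfo method = instance.target().asMethod();
                checksStandardSecurity(instance, method);
                methodToInstance.put(method, instance);
            }
        }

        // Source 2: annotations placed on classes. Annotation types are set aside as
        // meta-annotations; ordinary classes spread the expression over their eligible methods.
        Map<DotName, ClassInfo> metaAnnotations = new HashMap<>();
        for (AnnotationInstance instance : combinedIndexBuildItem.getIndex().getAnnotations(DotNames.SPRING_PRE_AUTHORIZE)) {
            if (instance.value() == null || instance.target().kind() != AnnotationTarget.Kind.CLASS) {
                continue;
            }
            ClassInfo clazz = instance.target().asClass();
            if (clazz.isAnnotation()) {
                metaAnnotations.put(clazz.name(), clazz);
                continue;
            }
            checksStandardSecurity(instance, clazz);
            for (MethodInfo method : clazz.methods()) {
                if (!isPublicNonStaticNonConstructor(method)) {
                    continue;
                }
                checksStandardSecurity(instance, method);
                if (!hasSpringSecurityAnnotationOtherThan(method, DotNames.SPRING_PRE_AUTHORIZE) && !methodToInstance.containsKey(method)) {
                    methodToInstance.put(method, instance);
                }
            }
        }

        // Source 3: methods annotated with one of the meta-annotations found above.
        final Set<DotName> classesWithMetaAnnotatedMethods = new HashSet<>();
        for (ClassInfo metaAnnotation : metaAnnotations.values()) {
            for (AnnotationInstance usage : combinedIndexBuildItem.getIndex().getAnnotations(metaAnnotation.name())) {
                if (usage.target().kind() == AnnotationTarget.Kind.METHOD) {
                    MethodInfo method = usage.target().asMethod();
                    checksStandardSecurity(usage, method);
                    methodToInstance.put(method, metaAnnotation.declaredAnnotation(DotNames.SPRING_PRE_AUTHORIZE));
                    classesWithMetaAnnotatedMethods.add(method.declaringClass().name());
                }
            }
        }

        buildProducer.produce(new SpringPreAuthorizeAnnotatedMethodBuildItem(methodToInstance));
        buildProducer2.produce(new AnnotationsTransformerBuildItem(new AnnotationsTransformer() {
            @Override
            public boolean appliesTo(AnnotationTarget.Kind kind) {
                return kind == AnnotationTarget.Kind.CLASS;
            }

            @Override
            public void transform(AnnotationsTransformer.TransformationContext transformationContext) {
                if (classesWithMetaAnnotatedMethods.contains(transformationContext.getTarget().asClass().name())) {
                    transformationContext.transform().add(DotNames.SPRING_PRE_AUTHORIZE, AnnotationValue.createStringValue("value", "")).done();
                }
            }
        }));
    }

    /**
     * Generates the property-accessor classes needed by {@code #param.field == principal.username}
     * expressions and marks them unremovable.
     *
     * <p>Only sub-expressions matching the principal-username pattern with a property access are
     * of interest here; every other sub-expression is ignored by this step and validated in
     * {@link #addSpringPreAuthorizeSecurityCheck}, which is also the step that rejects expressions
     * mixing {@code and} with {@code or}.
     */
    // Raw types: the element types (field infos, generated class names) are declared by helper
    // classes that are not visible from this file.
    @SuppressWarnings({"rawtypes", "unchecked"})
    @BuildStep
    void generateNecessarySupportClasses(CombinedIndexBuildItem combinedIndexBuildItem, SpringPreAuthorizeAnnotatedMethodBuildItem springPreAuthorizeAnnotatedMethodBuildItem, BuildProducer<GeneratedBeanBuildItem> buildProducer, BuildProducer<UnremovableBeanBuildItem> buildProducer2) {
        Map<DotName, Set> fieldsByParameterClass = new HashMap<>();
        for (Map.Entry<MethodInfo, AnnotationInstance> entry : springPreAuthorizeAnnotatedMethodBuildItem.getMethodToInstanceMap().entrySet()) {
            MethodInfo method = entry.getKey();
            String expression = entry.getValue().value().asString().trim();
            for (String rawPart : splitIntoParts(expression)) {
                String part = rawPart.trim();
                Matcher matcher = PARAMETER_EQ_PRINCIPAL_USERNAME_PATTERN.matcher(part);
                if (!matcher.matches()) {
                    continue;
                }
                ParameterNameAndIndex parameter = getParameterNameAndIndexForPrincipalUserNameReference(method, matcher, part);
                String property = matcher.group(PARAMETER_EQ_PRINCIPAL_USERNAME_PROPERTY_ACCESSOR_MATCHER_GROUP);
                if (property != null) {
                    StringPropertyAccessorData accessorData = StringPropertyAccessorData.from(method, parameter.getIndex(), property, combinedIndexBuildItem.getIndex(), part);
                    fieldsByParameterClass
                            .computeIfAbsent(accessorData.getMatchingParameterClassInfo().name(), ignored -> new HashSet())
                            .add(accessorData.getMatchingParameterFieldInfo());
                }
            }
        }
        if (fieldsByParameterClass.isEmpty()) {
            return;
        }
        GeneratedBeanGizmoAdaptor classOutput = new GeneratedBeanGizmoAdaptor(buildProducer);
        Set generatedClassNames = new HashSet(fieldsByParameterClass.size());
        for (Map.Entry<DotName, Set> entry : fieldsByParameterClass.entrySet()) {
            generatedClassNames.add(StringPropertyAccessorGenerator.generate(entry.getKey(), entry.getValue(), classOutput));
        }
        buildProducer2.produce(new UnremovableBeanBuildItem(new UnremovableBeanBuildItem.BeanClassNamesExclusion(generatedClassNames)));
    }

    /**
     * Translates every collected {@code @PreAuthorize} expression into a security check.
     *
     * <p>An expression is either a single term or several terms joined by {@code and} or by
     * {@code or} (never both). Recognised terms are {@code permitAll()}, {@code denyAll()},
     * {@code isAnonymous()}, {@code isAuthenticated()}, {@code hasRole(...)},
     * {@code hasAnyRole(...)}, a parameter compared with {@code principal.username}, and a bean
     * method invocation {@code @bean.method(...)}. Any other term fails the build.
     *
     * <p>The split on {@code " and "} / {@code " or "} is purely textual, so it also cuts through
     * quoted text that contains those words, e.g. inside a role name.
     *
     * @throws IllegalStateException if an expression mixes {@code and} with {@code or}, or if no
     *         check could be derived for a method
     * @throws IllegalArgumentException if a parameter compared with the principal name is not a
     *         string
     */
    // Raw types: the element types of these collections are fixed by recorder and generator
    // signatures that are not visible from this file.
    @SuppressWarnings({"rawtypes", "unchecked"})
    @BuildStep
    @Record(ExecutionTime.STATIC_INIT)
    void addSpringPreAuthorizeSecurityCheck(CombinedIndexBuildItem combinedIndexBuildItem, SecurityCheckRecorder securityCheckRecorder, SpringSecurityRecorder springSecurityRecorder, SpringPreAuthorizeAnnotatedMethodBuildItem springPreAuthorizeAnnotatedMethodBuildItem, SpringBeanNameToDotNameBuildItem springBeanNameToDotNameBuildItem, BuildProducer<AdditionalSecurityCheckBuildItem> buildProducer, BuildProducer<UnremovableBeanBuildItem> buildProducer2, BuildProducer<GeneratedClassBuildItem> buildProducer3) {
        Map beanNameToDotName = springBeanNameToDotNameBuildItem.getMap();
        Map beanNameToClassInfo = new HashMap();
        Set referencedBeans = new HashSet();
        BeanMethodInvocationGenerator beanMethodInvocationGenerator = new BeanMethodInvocationGenerator(combinedIndexBuildItem.getIndex(), beanNameToDotName, beanNameToClassInfo, referencedBeans, new GeneratedClassGizmoAdaptor(buildProducer3, true));
        for (Map.Entry<MethodInfo, AnnotationInstance> entry : springPreAuthorizeAnnotatedMethodBuildItem.getMethodToInstanceMap().entrySet()) {
            MethodInfo method = entry.getKey();
            String expression = entry.getValue().value().asString().trim();
            String lowerCase = expression.toLowerCase();
            boolean containsOr = lowerCase.contains(" or ");
            boolean containsAnd = lowerCase.contains(" and ");
            if (containsAnd && containsOr) {
                throw new IllegalStateException("Currently expressions containing both logical 'and' / 'or' are not supported. Offending expression is " + expression + "' in the @PreAuthorize annotation on method '" + method.name() + "' of class '" + method.declaringClass());
            }
            String[] parts = splitIntoParts(expression);
            ArrayList checks = new ArrayList(parts.length);
            for (String rawPart : parts) {
                String part = rawPart.trim();
                Matcher principalMatcher = PARAMETER_EQ_PRINCIPAL_USERNAME_PATTERN.matcher(part);
                if (part.equals("permitAll()")) {
                    checks.add(securityCheckRecorder.permitAll());
                } else if (part.equals("denyAll()")) {
                    checks.add(securityCheckRecorder.denyAll());
                } else if (part.equals("isAnonymous()")) {
                    checks.add(springSecurityRecorder.anonymous());
                } else if (part.replaceAll("\\s", "").equals("isAuthenticated()")) {
                    checks.add(securityCheckRecorder.authenticated());
                } else if (part.startsWith("hasRole(")) {
                    // NOTE(review): only the prefix is validated. Every "hasRole(" and ")" is
                    // stripped, so text after the closing parenthesis ends up in the value handed
                    // to HasRoleValueUtil; confirm that helper rejects malformed role values.
                    String roleValue = part.replace("hasRole(", "").replace(")", "");
                    checks.add(springSecurityRecorder.rolesAllowed(Collections.singletonList(HasRoleValueUtil.getHasRoleValueProducer(roleValue, method, combinedIndexBuildItem.getIndex(), beanNameToDotName, beanNameToClassInfo, referencedBeans, springSecurityRecorder))));
                } else if (part.startsWith("hasAnyRole(")) {
                    // Same prefix-only validation as hasRole( above; a comma inside a role value
                    // would also be treated as a separator.
                    String[] roleValues = part.replace("hasAnyRole(", "").replace(")", "").split(",");
                    ArrayList roleProducers = new ArrayList(roleValues.length);
                    for (String roleValue : roleValues) {
                        roleProducers.add(HasRoleValueUtil.getHasRoleValueProducer(roleValue.trim(), method, combinedIndexBuildItem.getIndex(), beanNameToDotName, beanNameToClassInfo, referencedBeans, springSecurityRecorder));
                    }
                    checks.add(springSecurityRecorder.rolesAllowed(roleProducers));
                } else if (principalMatcher.matches()) {
                    ParameterNameAndIndex parameter = getParameterNameAndIndexForPrincipalUserNameReference(method, principalMatcher, part);
                    String property = principalMatcher.group(PARAMETER_EQ_PRINCIPAL_USERNAME_PROPERTY_ACCESSOR_MATCHER_GROUP);
                    if (property != null) {
                        // "#param.field ==/!= principal.username": compare a property of the argument.
                        StringPropertyAccessorData accessorData = StringPropertyAccessorData.from(method, parameter.getIndex(), property, combinedIndexBuildItem.getIndex(), part);
                        checks.add(springSecurityRecorder.principalNameFromParameterObjectSecurityCheck(parameter.getIndex(), accessorData.getMatchingParameterClassInfo().name().toString(), StringPropertyAccessorGenerator.getAccessorClassName(accessorData.getMatchingParameterClassInfo().name()), accessorData.getMatchingParameterFieldInfo().name(), part.contains("==") ? PrincipalNameFromParameterObjectSecurityCheck.CheckType.EQ : PrincipalNameFromParameterObjectSecurityCheck.CheckType.NEQ));
                    } else {
                        // "#param ==/!= principal.username": the argument itself must be a String.
                        if (!DotNames.STRING.equals(method.parameterType(parameter.getIndex()).name())) {
                            throw new IllegalArgumentException("Expression: '" + part + "' in the @PreAuthorize annotation on method '" + method.name() + "' of class '" + method.declaringClass() + "' references method parameter '" + parameter.getName() + "' which is not a string");
                        }
                        checks.add(springSecurityRecorder.principalNameFromParameterSecurityCheck(parameter.getIndex(), part.contains("==") ? PrincipalNameFromParameterSecurityCheck.CheckType.EQ : PrincipalNameFromParameterSecurityCheck.CheckType.NEQ));
                    }
                } else {
                    // Last accepted form is a bean method invocation; anything else is rejected so
                    // that an unparseable expression can never leave the method without a check.
                    if (!BEAN_METHOD_INVOCATION_PATTERN.matcher(part).matches()) {
                        throw SpringSecurityProcessorUtil.createGenericMalformedException(method, part);
                    }
                    checks.add(springSecurityRecorder.fromGeneratedClass(beanMethodInvocationGenerator.generateSecurityCheck(part, method)));
                }
            }
            if (checks.size() == 1) {
                buildProducer.produce(new AdditionalSecurityCheckBuildItem(method, (SecurityCheck) checks.get(0)));
            } else if (containsAnd) {
                buildProducer.produce(new AdditionalSecurityCheckBuildItem(method, springSecurityRecorder.allDelegating(checks)));
            } else if (containsOr) {
                buildProducer.produce(new AdditionalSecurityCheckBuildItem(method, springSecurityRecorder.anyDelegating(checks)));
            } else {
                // Fail closed: a @PreAuthorize method must never end up without a registered check.
                throw new IllegalStateException("No security check could be derived from expression '" + expression + "' in the @PreAuthorize annotation on method '" + method.name() + "' of class '" + method.declaringClass() + "'");
            }
        }
        if (referencedBeans.isEmpty()) {
            return;
        }
        buildProducer2.produce(new UnremovableBeanBuildItem(new UnremovableBeanBuildItem.BeanClassNamesExclusion(referencedBeans)));
    }

    /**
     * Splits an expression into its terms on the first logical operator kind it contains:
     * {@code and} takes precedence, then {@code or}; otherwise the expression is a single term.
     * Matching is case-insensitive and requires a single space on each side of the operator.
     */
    private static String[] splitIntoParts(String expression) {
        String lowerCase = expression.toLowerCase();
        if (lowerCase.contains(" and ")) {
            return expression.split("(?i) and ");
        }
        if (lowerCase.contains(" or ")) {
            return expression.split("(?i) or ");
        }
        return new String[] {expression};
    }

    /**
     * Resolves the method parameter named in a principal-username expression.
     *
     * @param methodInfo the annotated method
     * @param matcher a matcher that has already matched the principal-username pattern
     * @param str the sub-expression being processed, passed on for error reporting
     * @return the parameter's name together with its index as resolved by
     *         {@code SpringSecurityProcessorUtil.getParameterIndex}
     */
    private ParameterNameAndIndex getParameterNameAndIndexForPrincipalUserNameReference(MethodInfo methodInfo, Matcher matcher, String str) {
        String parameterName = matcher.group(PARAMETER_EQ_PRINCIPAL_USERNAME_PARAMETER_NAME_GROUP);
        return new ParameterNameAndIndex(SpringSecurityProcessorUtil.getParameterIndex(methodInfo, parameterName, str), parameterName);
    }
}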
