package com.github.mcollovati.quarkus.hilla.deployment.security;

import com.github.mcollovati.quarkus.hilla.security.EndpointUtil;
import com.github.mcollovati.quarkus.hilla.security.HillaFormAuthenticationMechanism;
import com.github.mcollovati.quarkus.hilla.security.HillaSecurityPolicy;
import com.github.mcollovati.quarkus.hilla.security.HillaSecurityRecorder;
import com.github.mcollovati.quarkus.hilla.security.QuarkusNavigationAccessControl;
import com.vaadin.flow.router.Route;
import com.vaadin.flow.server.auth.AnnotatedViewAccessChecker;
import com.vaadin.flow.server.auth.AnonymousAllowed;
import com.vaadin.flow.server.auth.DefaultAccessCheckDecisionResolver;
import io.quarkus.arc.deployment.AdditionalBeanBuildItem;
import io.quarkus.arc.deployment.BeanContainerBuildItem;
import io.quarkus.arc.deployment.SyntheticBeanBuildItem;
import io.quarkus.arc.deployment.SyntheticBeansRuntimeInitBuildItem;
import io.quarkus.arc.processor.DotNames;
import io.quarkus.deployment.annotations.BuildProducer;
import io.quarkus.deployment.annotations.BuildStep;
import io.quarkus.deployment.annotations.Consume;
import io.quarkus.deployment.annotations.ExecutionTime;
import io.quarkus.deployment.annotations.Record;
import io.quarkus.deployment.builditem.CombinedIndexBuildItem;
import io.quarkus.vertx.http.runtime.security.HttpAuthenticationMechanism;
import jakarta.annotation.security.DenyAll;
import jakarta.annotation.security.PermitAll;
import jakarta.annotation.security.RolesAllowed;
import jakarta.enterprise.context.ApplicationScoped;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Stream;
import org.eclipse.microprofile.config.ConfigProvider;
import org.jboss.jandex.DotName;

/* loaded from: input_file:com/github/mcollovati/quarkus/hilla/deployment/security/QuarkusHillaSecurityProcessor.class */
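/**
 * Quarkus build-time processor that wires the Hilla security components
 * (HTTP security policy, form authentication mechanism and Vaadin navigation
 * access control) into the application.
 *
 * <p>Security-relevant behaviour to keep in mind when reviewing or changing this class:
 * <ul>
 *   <li>Almost every step is gated on {@code quarkus.http.auth.form.enabled}, which is
 *       read through {@link ConfigProvider} inside a build step. When the property is
 *       absent or {@code false} this processor registers no security policy, no
 *       authentication mechanism and no navigation access control; protection of
 *       endpoints and views must then come from elsewhere.</li>
 *   <li>NOTE(review): because the flag is read in a build step, a value supplied only at
 *       run time presumably does not enable these components - confirm against the
 *       extension's documentation.</li>
 * </ul>
 *
 * <p>This listing was recovered from a decompiler; unresolved synthetic names
 * ({@code r1}) and raw types have been replaced by the method references and generic
 * types they stand for.
 */
class QuarkusHillaSecurityProcessor {

    /** Config key that switches the form-based security integration on. */
    private static final String FORM_AUTH_ENABLED_KEY = "quarkus.http.auth.form.enabled";

    /** Config key holding the login page path handed to the navigation access control. */
    private static final String FORM_LOGIN_PAGE_KEY = "quarkus.http.auth.form.login-page";

    /**
     * Publishes whether Quarkus form authentication is enabled.
     *
     * @return a build item carrying the flag; {@code false} when the property is not set
     */
    @BuildStep
    AuthFormBuildItem authFormEnabledBuildItem() {
        boolean enabled = ConfigProvider.getConfig()
                .getOptionalValue(FORM_AUTH_ENABLED_KEY, Boolean.class)
                .orElse(false);
        return new AuthFormBuildItem(enabled);
    }

    /**
     * Registers {@link HillaSecurityPolicy} and {@link EndpointUtil} as application-scoped,
     * unremovable beans when form authentication is enabled.
     *
     * @param authFormBuildItem form authentication flag
     * @param buildProducer sink for the additional bean registration
     */
    @BuildStep
    void registerHillaSecurityPolicy(
            AuthFormBuildItem authFormBuildItem, BuildProducer<AdditionalBeanBuildItem> buildProducer) {
        if (!authFormBuildItem.isEnabled()) {
            return;
        }
        buildProducer.produce(AdditionalBeanBuildItem.builder()
                .addBeanClasses(HillaSecurityPolicy.class, EndpointUtil.class)
                .setDefaultScope(DotNames.APPLICATION_SCOPED)
                // Unremovable: the beans must survive unused-bean removal even though
                // nothing injects them directly.
                .setUnremovable()
                .build());
    }

    /**
     * Registers {@link HillaFormAuthenticationMechanism} as a runtime-initialised synthetic
     * bean of type {@link HttpAuthenticationMechanism} when form authentication is enabled.
     *
     * @param authFormBuildItem form authentication flag
     * @param hillaSecurityRecorder recorder supplying the mechanism instance
     * @param buildProducer sink for the synthetic bean
     */
    @BuildStep
    @Record(ExecutionTime.RUNTIME_INIT)
    void registerHillaFormAuthenticationMechanism(
            AuthFormBuildItem authFormBuildItem,
            HillaSecurityRecorder hillaSecurityRecorder,
            BuildProducer<SyntheticBeanBuildItem> buildProducer) {
        if (!authFormBuildItem.isEnabled()) {
            return;
        }
        buildProducer.produce(SyntheticBeanBuildItem.configure(HillaFormAuthenticationMechanism.class)
                .types(HttpAuthenticationMechanism.class)
                .setRuntimeInit()
                .scope(ApplicationScoped.class)
                // Declared as an alternative with an explicit priority.
                // NOTE(review): presumably meant to take precedence over the stock form
                // mechanism - confirm that exactly one form mechanism ends up active.
                .alternative(true)
                .priority(1)
                .supplier(hillaSecurityRecorder.setupFormAuthenticationMechanism())
                .done());
    }

    /**
     * Lets the recorder configure the HTTP security policy once the runtime-init synthetic
     * beans are available; does nothing when form authentication is disabled.
     *
     * @param authFormBuildItem form authentication flag
     * @param hillaSecurityRecorder recorder performing the runtime configuration
     * @param beanContainerBuildItem access to the bean container
     */
    @BuildStep
    @Record(ExecutionTime.RUNTIME_INIT)
    @Consume(SyntheticBeansRuntimeInitBuildItem.class)
    void configureHillaSecurityComponents(
            AuthFormBuildItem authFormBuildItem,
            HillaSecurityRecorder hillaSecurityRecorder,
            BeanContainerBuildItem beanContainerBuildItem) {
        if (authFormBuildItem.isEnabled()) {
            hillaSecurityRecorder.configureHttpSecurityPolicy(beanContainerBuildItem.getValue());
        }
    }

    /**
     * Passes the login path to the recorder so the navigation access control can be
     * configured at runtime init.
     *
     * <p>The recorder is only invoked when a {@link NavigationAccessControlBuildItem} was
     * produced, i.e. when form authentication is enabled and a login page is configured.
     * NOTE(review): with no login page configured this step is a no-op; confirm the
     * navigation access control still behaves safely in that case.
     *
     * @param hillaSecurityRecorder recorder performing the runtime configuration
     * @param beanContainerBuildItem access to the bean container
     * @param optional the navigation access control build item, if any was produced
     */
    @BuildStep
    @Record(ExecutionTime.RUNTIME_INIT)
    void configureNavigationAccessControl(
            HillaSecurityRecorder hillaSecurityRecorder,
            BeanContainerBuildItem beanContainerBuildItem,
            Optional<NavigationAccessControlBuildItem> optional) {
        optional.map(NavigationAccessControlBuildItem::getLoginPath)
                .ifPresent(loginPath -> hillaSecurityRecorder.configureNavigationAccessControl(
                        beanContainerBuildItem.getValue(), loginPath));
    }

    /**
     * Registers every collected navigation access checker class as an unremovable,
     * application-scoped bean.
     *
     * <p>This step is not gated on the form authentication flag: it registers whatever
     * checkers other steps or extensions have contributed (possibly none).
     *
     * @param list access checker build items collected during the build
     * @param buildProducer sink for the additional bean registration
     */
    @BuildStep
    void configureNavigationControlAccessCheckers(
            List<NavigationAccessCheckerBuildItem> list, BuildProducer<AdditionalBeanBuildItem> buildProducer) {
        List<String> checkerClassNames = list.stream()
                .map(item -> item.getAccessChecker().toString())
                .toList();
        buildProducer.produce(AdditionalBeanBuildItem.builder()
                .addBeanClasses(checkerClassNames)
                .setUnremovable()
                .setDefaultScope(DotNames.APPLICATION_SCOPED)
                .build());
    }

    /**
     * Registers the navigation access control beans when form authentication is enabled.
     *
     * <p>{@link AnnotatedViewAccessChecker} is contributed only if at least one
     * {@link Route} target carries a security annotation (see
     * {@link #hasSecuredRoutes(CombinedIndexBuildItem)}); if the scan finds none, views are
     * not checked by that checker. A {@link NavigationAccessControlBuildItem} is produced
     * only when {@code quarkus.http.auth.form.login-page} has a value.
     *
     * @param authFormBuildItem form authentication flag
     * @param combinedIndexBuildItem Jandex index used to look for secured routes
     * @param buildProducer sink for the additional bean registration
     * @param accessControlProducer sink for the login-path build item
     * @param accessCheckerProducer sink for access checker build items
     */
    @BuildStep
    void registerNavigationAccessControl(
            AuthFormBuildItem authFormBuildItem,
            CombinedIndexBuildItem combinedIndexBuildItem,
            BuildProducer<AdditionalBeanBuildItem> buildProducer,
            BuildProducer<NavigationAccessControlBuildItem> accessControlProducer,
            BuildProducer<NavigationAccessCheckerBuildItem> accessCheckerProducer) {
        if (!authFormBuildItem.isEnabled()) {
            return;
        }
        buildProducer.produce(AdditionalBeanBuildItem.builder()
                .addBeanClasses(
                        QuarkusNavigationAccessControl.class,
                        QuarkusNavigationAccessControl.Installer.class,
                        DefaultAccessCheckDecisionResolver.class)
                .setUnremovable()
                .build());
        if (hasSecuredRoutes(combinedIndexBuildItem)) {
            accessCheckerProducer.produce(
                    new NavigationAccessCheckerBuildItem(DotName.createSimple(AnnotatedViewAccessChecker.class)));
        }
        ConfigProvider.getConfig()
                .getOptionalValue(FORM_LOGIN_PAGE_KEY, String.class)
                .map(NavigationAccessControlBuildItem::new)
                .ifPresent(accessControlProducer::produce);
    }

    /**
     * Tells whether any {@link Route}-annotated target in the index also carries one of
     * {@link DenyAll}, {@link AnonymousAllowed}, {@link RolesAllowed} or {@link PermitAll}.
     *
     * <p>Only annotations returned by the route target itself are examined.
     * NOTE(review): security annotations inherited from a superclass or placed on a
     * parent layout are presumably not seen by this scan - confirm, since a miss means
     * the annotation-based checker is not registered.
     *
     * @param combinedIndexBuildItem Jandex index of the application
     * @return {@code true} if at least one route target has a security annotation
     */
    private boolean hasSecuredRoutes(CombinedIndexBuildItem combinedIndexBuildItem) {
        Set<DotName> securityAnnotations = Set.of(
                DotName.createSimple(DenyAll.class.getName()),
                DotName.createSimple(AnonymousAllowed.class.getName()),
                DotName.createSimple(RolesAllowed.class.getName()),
                DotName.createSimple(PermitAll.class.getName()));
        Stream<DotName> annotationNames = combinedIndexBuildItem
                .getComputingIndex()
                .getAnnotations(DotName.createSimple(Route.class.getName()))
                .stream()
                .flatMap(route -> route.target().annotations().stream().map(annotation -> annotation.name()));
        return annotationNames.anyMatch(securityAnnotations::contains);
    }
}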
