package io.apicurio.common.apps.auth.authn;

import io.apicurio.common.apps.config.Dynamic;
import io.apicurio.common.apps.config.Info;
import io.apicurio.common.apps.logging.audit.AuditHttpRequestInfo;
import io.apicurio.common.apps.logging.audit.AuditLogService;
import io.apicurio.common.apps.util.Pair;
import io.apicurio.rest.client.VertxHttpClientProvider;
import io.apicurio.rest.client.auth.Auth;
import io.apicurio.rest.client.auth.OidcAuth;
import io.apicurio.rest.client.auth.exception.AuthErrorHandler;
import io.apicurio.rest.client.auth.exception.AuthException;
import io.apicurio.rest.client.auth.exception.ForbiddenException;
import io.apicurio.rest.client.auth.exception.NotAuthorizedException;
import io.apicurio.rest.client.error.ApicurioRestClientException;
import io.apicurio.rest.client.spi.ApicurioHttpClient;
import io.quarkus.oidc.runtime.BearerAuthenticationMechanism;
import io.quarkus.oidc.runtime.OidcAuthenticationMechanism;
import io.quarkus.security.identity.IdentityProviderManager;
import io.quarkus.security.identity.SecurityIdentity;
import io.quarkus.security.identity.request.AuthenticationRequest;
import io.quarkus.security.identity.request.TokenAuthenticationRequest;
import io.quarkus.vertx.http.runtime.security.ChallengeData;
import io.quarkus.vertx.http.runtime.security.HttpAuthenticationMechanism;
import io.quarkus.vertx.http.runtime.security.HttpCredentialTransport;
import io.smallrye.mutiny.Uni;
import io.vertx.core.Vertx;
import io.vertx.ext.web.RoutingContext;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.util.Collections;
import java.util.HashMap;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.BiConsumer;
import java.util.function.Supplier;
import javax.annotation.PostConstruct;
import javax.annotation.Priority;
import javax.enterprise.context.ApplicationScoped;
import javax.enterprise.inject.Alternative;
import javax.inject.Inject;
import org.apache.commons.codec.digest.DigestUtils;
import org.eclipse.microprofile.config.inject.ConfigProperty;
import org.eclipse.microprofile.faulttolerance.Retry;
import org.slf4j.Logger;

@Alternative
@Priority(1)
@ApplicationScoped
/* loaded from: input_file:io/apicurio/common/apps/auth/authn/AppAuthenticationMechanism.class */
public class AppAuthenticationMechanism implements HttpAuthenticationMechanism {

    @ConfigProperty(name = "app.authn.enabled", defaultValue = "false")
    @Info(category = "auth", description = "Enable auth", availableSince = "0.1.18-SNAPSHOT", registryAvailableSince = "2.0.0.Final")
    boolean authEnabled;

    @Dynamic(label = "HTTP basic authentication", description = "When selected, users are permitted to authenticate using HTTP basic authentication (in addition to OAuth).", requires = {"app.authn.enabled=true"})
    @ConfigProperty(name = "app.authn.basic-auth-client-credentials.enabled", defaultValue = "false")
    @Info(category = "auth", description = "Enable basic auth client credentials", availableSince = "0.1.18-SNAPSHOT", registryAvailableSince = "2.1.0.Final")
    Supplier<Boolean> fakeBasicAuthEnabled;

    @ConfigProperty(name = "app.authn.basic-auth-client-credentials.cache-expiration", defaultValue = "10")
    @Info(category = "auth", description = "Client credentials token expiration time.", availableSince = "0.1.18-SNAPSHOT", registryAvailableSince = "2.2.6.Final")
    Integer accessTokenExpiration;

    @ConfigProperty(name = "app.authn.basic-auth.scope")
    @Info(category = "auth", description = "Client credentials scope.", availableSince = "0.1.21-SNAPSHOT", registryAvailableSince = "2.5.0.Final")
    Optional<String> scope;

    @ConfigProperty(name = "app.authn.audit.log.prefix", defaultValue = "audit")
    @Info(category = "auth", description = "Prefix used for application audit logging.", availableSince = "0.1.18-SNAPSHOT", registryAvailableSince = "2.2.6")
    String auditLogPrefix;

    @ConfigProperty(name = "app.authn.token.endpoint", defaultValue = "")
    @Info(category = "auth", description = "Authentication server url.", availableSince = "0.1.18-SNAPSHOT", registryAvailableSince = "2.1.0.Final")
    String authServerUrl;

    @ConfigProperty(name = "app.authn.client-secret")
    @Info(category = "auth", description = "Client secret used by the server for authentication.", availableSince = "0.1.18-SNAPSHOT", registryAvailableSince = "2.1.0.Final")
    Optional<String> clientSecret;

    @ConfigProperty(name = "app.authn.client-id", defaultValue = "")
    @Info(category = "auth", description = "Client identifier used by the server for authentication.", availableSince = "0.1.18-SNAPSHOT", registryAvailableSince = "2.0.0.Final")
    String clientId;

    @Inject
    OidcAuthenticationMechanism oidcAuthenticationMechanism;

    @Inject
    AuditLogService auditLog;

    @Inject
    Logger log;

    @Inject
    Vertx vertx;
    private BearerAuthenticationMechanism bearerAuth;
    private ApicurioHttpClient httpClient;
    private ConcurrentHashMap<String, WrappedValue<String>> cachedAccessTokens;
    private ConcurrentHashMap<String, WrappedValue<ApicurioRestClientException>> cachedAuthFailures;

    @PostConstruct
    public void init() {
        if (this.authEnabled) {
            this.cachedAccessTokens = new ConcurrentHashMap<>();
            this.cachedAuthFailures = new ConcurrentHashMap<>();
            this.httpClient = new VertxHttpClientProvider(this.vertx).create(this.authServerUrl, Collections.emptyMap(), (Auth) null, new AuthErrorHandler());
            this.bearerAuth = new BearerAuthenticationMechanism();
        }
    }

    public Uni<SecurityIdentity> authenticate(RoutingContext routingContext, IdentityProviderManager identityProviderManager) {
        Pair<String, String> extractCredentialsFromContext;
        if (!this.authEnabled) {
            return Uni.createFrom().nullItem();
        }
        setAuditLogger(routingContext);
        if (this.fakeBasicAuthEnabled.get().booleanValue() && null != (extractCredentialsFromContext = CredentialsHelper.extractCredentialsFromContext(routingContext))) {
            try {
                return authenticateWithClientCredentials(extractCredentialsFromContext, routingContext, identityProviderManager);
            } catch (AuthException | NotAuthorizedException e) {
                this.log.warn(String.format("Exception trying to get an access token with client credentials with client id: %s", extractCredentialsFromContext.getLeft()), e);
                return this.oidcAuthenticationMechanism.authenticate(routingContext, identityProviderManager);
            }
        }
        return customAuthentication(routingContext, identityProviderManager);
    }

    public Uni<SecurityIdentity> customAuthentication(RoutingContext routingContext, IdentityProviderManager identityProviderManager) {
        Pair<String, String> extractCredentialsFromContext;
        if (!this.clientSecret.isEmpty() && (extractCredentialsFromContext = CredentialsHelper.extractCredentialsFromContext(routingContext)) != null) {
            OidcAuth oidcAuth = new OidcAuth(this.httpClient, this.clientId, this.clientSecret.get());
            String obtainAccessTokenPasswordGrant = oidcAuth.obtainAccessTokenPasswordGrant((String) extractCredentialsFromContext.getLeft(), (String) extractCredentialsFromContext.getRight());
            oidcAuth.close();
            if (obtainAccessTokenPasswordGrant == null) {
                return Uni.createFrom().nullItem();
            }
            routingContext.request().headers().set("Authorization", "Bearer " + obtainAccessTokenPasswordGrant);
            return this.oidcAuthenticationMechanism.authenticate(routingContext, identityProviderManager);
        }
        return this.oidcAuthenticationMechanism.authenticate(routingContext, identityProviderManager);
    }

    private void setAuditLogger(RoutingContext routingContext) {
        BiConsumer biConsumer = (BiConsumer) routingContext.get("io.quarkus.vertx.http.auth-failure-handler");
        routingContext.put("io.quarkus.vertx.http.auth-failure-handler", (routingContext2, th) -> {
            biConsumer.accept(routingContext2, th);
            if (routingContext2.response().getStatusCode() >= 400) {
                HashMap hashMap = new HashMap();
                hashMap.put("method", routingContext2.request().method().name());
                hashMap.put("path", routingContext2.request().path());
                hashMap.put("response_code", String.valueOf(routingContext2.response().getStatusCode()));
                if (th != null) {
                    hashMap.put("error_msg", th.getMessage());
                }
                this.auditLog.log(this.auditLogPrefix, "authenticate", "failure", hashMap, new AuditHttpRequestInfo() { // from class: io.apicurio.common.apps.auth.authn.AppAuthenticationMechanism.1
                    public String getSourceIp() {
                        return routingContext2.request().remoteAddress().toString();
                    }

                    public String getForwardedFor() {
                        return routingContext2.request().getHeader("x-forwarded-for");
                    }
                });
            }
        });
    }

    public Uni<ChallengeData> getChallenge(RoutingContext routingContext) {
        return this.bearerAuth.getChallenge(routingContext);
    }

    public Set<Class<? extends AuthenticationRequest>> getCredentialTypes() {
        return Collections.singleton(TokenAuthenticationRequest.class);
    }

    public HttpCredentialTransport getCredentialTransport() {
        return new HttpCredentialTransport(HttpCredentialTransport.Type.AUTHORIZATION, "bearer");
    }

    private Uni<SecurityIdentity> authenticateWithClientCredentials(Pair<String, String> pair, RoutingContext routingContext, IdentityProviderManager identityProviderManager) {
        String credentialsHash = getCredentialsHash(((String) pair.getLeft()) + ((String) pair.getRight()));
        if (authFailureIsCached(credentialsHash)) {
            throw this.cachedAuthFailures.get(credentialsHash).getValue();
        }
        routingContext.request().headers().set("Authorization", "Bearer " + (accessTokenIsCached(credentialsHash) ? this.cachedAccessTokens.get(credentialsHash).getValue() : getAccessToken(pair, credentialsHash)));
        return this.oidcAuthenticationMechanism.authenticate(routingContext, identityProviderManager);
    }

    private boolean authFailureIsCached(String str) {
        return this.cachedAuthFailures.containsKey(str) && !this.cachedAuthFailures.get(str).isExpired();
    }

    private boolean accessTokenIsCached(String str) {
        return this.cachedAccessTokens.containsKey(str) && !this.cachedAccessTokens.get(str).isExpired();
    }

    @Retry(retryOn = {AuthException.class}, maxRetries = 4, delay = 1, delayUnit = ChronoUnit.SECONDS)
    public String getAccessToken(Pair<String, String> pair, String str) {
        try {
            String authenticate = new OidcAuth(this.httpClient, (String) pair.getLeft(), (String) pair.getRight(), Duration.ofSeconds(1L), this.scope.orElse(null)).authenticate();
            this.cachedAccessTokens.put(str, new WrappedValue<>(Duration.ofMinutes(this.accessTokenExpiration.intValue()), Instant.now(), authenticate));
            return authenticate;
        } catch (NotAuthorizedException | ForbiddenException e) {
            this.cachedAuthFailures.put(str, new WrappedValue<>(Duration.ofMinutes(this.accessTokenExpiration.intValue()), Instant.now(), e));
            throw e;
        }
    }

    private String getCredentialsHash(String str) {
        return DigestUtils.sha256Hex(str);
    }
}
