package io.quarkus.oidc.token.propagation.reactive;

import io.quarkus.arc.Arc;
import io.quarkus.oidc.client.OidcClient;
import io.quarkus.oidc.client.OidcClientConfig;
import io.quarkus.oidc.client.OidcClients;
import io.quarkus.oidc.client.runtime.DisabledOidcClientException;
import io.quarkus.runtime.configuration.ConfigurationException;
import io.quarkus.security.credential.TokenCredential;
import io.smallrye.mutiny.Uni;
import jakarta.annotation.PostConstruct;
import jakarta.annotation.Priority;
import jakarta.enterprise.inject.Instance;
import jakarta.inject.Inject;
import jakarta.ws.rs.core.Response;
import java.lang.annotation.Annotation;
import java.util.Collections;
import java.util.Optional;
import java.util.function.Consumer;
import org.eclipse.microprofile.config.ConfigProvider;
import org.eclipse.microprofile.config.inject.ConfigProperty;
import org.jboss.logging.Logger;
import org.jboss.resteasy.reactive.client.spi.ResteasyReactiveClientRequestContext;
import org.jboss.resteasy.reactive.client.spi.ResteasyReactiveClientRequestFilter;

@Priority(1000)
/* loaded from: input_file:io/quarkus/oidc/token/propagation/reactive/AccessTokenRequestReactiveFilter.class */
public class AccessTokenRequestReactiveFilter implements ResteasyReactiveClientRequestFilter {
    private static final Logger LOG = Logger.getLogger(AccessTokenRequestReactiveFilter.class);
    private static final String BEARER_SCHEME_WITH_SPACE = "Bearer ";

    @Inject
    Instance<TokenCredential> accessToken;

    @Inject
    @ConfigProperty(name = "quarkus.oidc-token-propagation-reactive.client-name")
    Optional<String> oidcClientName;

    @Inject
    @ConfigProperty(name = "quarkus.oidc-token-propagation-reactive.exchange-token")
    boolean exchangeToken;
    OidcClient exchangeTokenClient;
    String exchangeTokenProperty;

    @PostConstruct
    public void initExchangeTokenClient() {
        if (isExchangeToken()) {
            OidcClients oidcClients = (OidcClients) Arc.container().instance(OidcClients.class, new Annotation[0]).get();
            String clientName = getClientName();
            this.exchangeTokenClient = clientName != null ? oidcClients.getClient(clientName) : oidcClients.getClient();
            OidcClientConfig.Grant.Type type = (OidcClientConfig.Grant.Type) ConfigProvider.getConfig().getValue("quarkus.oidc-client." + (clientName != null ? clientName + "." : "") + "grant.type", OidcClientConfig.Grant.Type.class);
            if (type == OidcClientConfig.Grant.Type.EXCHANGE) {
                this.exchangeTokenProperty = "subject_token";
            } else {
                if (type != OidcClientConfig.Grant.Type.JWT) {
                    throw new ConfigurationException("Token exchange is required but OIDC client is configured to use the " + type.getGrantType() + " grantType");
                }
                this.exchangeTokenProperty = "assertion";
            }
        }
    }

    protected boolean isExchangeToken() {
        return this.exchangeToken;
    }

    public void filter(final ResteasyReactiveClientRequestContext resteasyReactiveClientRequestContext) {
        if (!verifyTokenInstance(resteasyReactiveClientRequestContext)) {
            abortRequest(resteasyReactiveClientRequestContext);
        } else if (this.exchangeTokenClient == null) {
            propagateToken(resteasyReactiveClientRequestContext, ((TokenCredential) this.accessToken.get()).getToken());
        } else {
            resteasyReactiveClientRequestContext.suspend();
            exchangeToken(((TokenCredential) this.accessToken.get()).getToken()).subscribe().with(new Consumer<String>() { // from class: io.quarkus.oidc.token.propagation.reactive.AccessTokenRequestReactiveFilter.1
                @Override // java.util.function.Consumer
                public void accept(String str) {
                    AccessTokenRequestReactiveFilter.this.propagateToken(resteasyReactiveClientRequestContext, str);
                    resteasyReactiveClientRequestContext.resume();
                }
            }, new Consumer<Throwable>() { // from class: io.quarkus.oidc.token.propagation.reactive.AccessTokenRequestReactiveFilter.2
                @Override // java.util.function.Consumer
                public void accept(Throwable th) {
                    if (th instanceof DisabledOidcClientException) {
                        AccessTokenRequestReactiveFilter.LOG.debug("Client is disabled");
                        resteasyReactiveClientRequestContext.abortWith(Response.status(Response.Status.INTERNAL_SERVER_ERROR).build());
                    } else {
                        AccessTokenRequestReactiveFilter.LOG.debugf("Access token is not available, aborting the request with HTTP 401 error: %s", th.getMessage());
                        resteasyReactiveClientRequestContext.abortWith(Response.status(Response.Status.UNAUTHORIZED).build());
                    }
                    resteasyReactiveClientRequestContext.resume();
                }
            });
        }
    }

    protected String getClientName() {
        return this.oidcClientName.orElse(null);
    }

    public void propagateToken(ResteasyReactiveClientRequestContext resteasyReactiveClientRequestContext, String str) {
        if (str != null) {
            resteasyReactiveClientRequestContext.getHeaders().putSingle("Authorization", "Bearer " + str);
        } else {
            LOG.debugf("Access token is null, aborting the request with HTTP 401 error", new Object[0]);
            abortRequest(resteasyReactiveClientRequestContext);
        }
    }

    protected boolean verifyTokenInstance(ResteasyReactiveClientRequestContext resteasyReactiveClientRequestContext) {
        if (!this.accessToken.isResolvable()) {
            LOG.debugf("Access token is not injected, aborting the request with HTTP 401 error", new Object[0]);
            return false;
        }
        if (this.accessToken.isAmbiguous()) {
            LOG.debugf("More than one access token instance is available, aborting the request with HTTP 401 error", new Object[0]);
            return false;
        }
        if (((TokenCredential) this.accessToken.get()).getToken() != null) {
            return true;
        }
        LOG.debugf("Injected access token is null, aborting the request with HTTP 401 error", new Object[0]);
        return false;
    }

    private Uni<String> exchangeToken(String str) {
        return this.exchangeTokenClient.getTokens(Collections.singletonMap(this.exchangeTokenProperty, str)).onItem().transform(tokens -> {
            return tokens.getAccessToken();
        });
    }

    protected void abortRequest(ResteasyReactiveClientRequestContext resteasyReactiveClientRequestContext) {
        resteasyReactiveClientRequestContext.abortWith(Response.status(401).build());
    }
}
