package io.apicurio.registry.services.auth;

import io.apicurio.rest.client.auth.OidcAuth;
import io.apicurio.rest.client.auth.exception.NotAuthorizedException;
import io.quarkus.oidc.AccessTokenCredential;
import io.quarkus.security.AuthenticationFailedException;
import io.quarkus.security.identity.IdentityProviderManager;
import io.quarkus.security.identity.SecurityIdentity;
import io.quarkus.security.identity.request.AuthenticationRequest;
import io.quarkus.security.identity.request.TokenAuthenticationRequest;
import io.quarkus.vertx.http.runtime.security.ChallengeData;
import io.quarkus.vertx.http.runtime.security.HttpAuthenticationMechanism;
import io.quarkus.vertx.http.runtime.security.HttpCredentialTransport;
import io.smallrye.mutiny.Uni;
import io.vertx.ext.web.RoutingContext;
import java.util.Collections;
import java.util.Set;
import javax.annotation.Priority;
import javax.enterprise.context.ApplicationScoped;
import javax.enterprise.inject.Alternative;
import javax.inject.Inject;
import org.apache.commons.lang3.tuple.Pair;
import org.eclipse.microprofile.config.inject.ConfigProperty;

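/**
 * HTTP authentication mechanism that accepts credentials extracted from the request,
 * exchanges them for an access token via {@link OidcAuth}, and then authenticates that
 * token through the {@link IdentityProviderManager}.
 *
 * <p>When the feature is disabled, or when no credentials can be extracted from the
 * request, every call is delegated to {@link CustomAuthenticationMechanism}.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The extracted pair holds a secret (its right element is passed to {@code OidcAuth}
 *       as the third constructor argument); it must never be logged or placed in an
 *       exception message.</li>
 *   <li>NOTE(review): the credentials are presumably taken from an HTTP Basic
 *       {@code Authorization} header by {@code CredentialsHelper} — confirm, and make sure
 *       the endpoint is only reachable over TLS, since Basic credentials are merely
 *       encoded, not encrypted.</li>
 *   <li>NOTE(review): {@code registry.auth.token.endpoint} receives the caller's secret on
 *       every such request; it should be an {@code https} URL — confirm in deployment
 *       config.</li>
 * </ul>
 */
@Alternative
@Priority(1)
@ApplicationScoped
public class BasicAuthClientCredentialsMechanism implements HttpAuthenticationMechanism {

    /** Fallback mechanism used whenever the credentials-to-token path does not apply. */
    @Inject
    CustomAuthenticationMechanism customAuthenticationMechanism;

    /** Master switch: when {@code false}, {@link #authenticate} produces no identity at all. */
    @ConfigProperty(name = "registry.auth.enabled")
    boolean authEnabled;

    /** Enables the exchange of request credentials for an access token. */
    @ConfigProperty(name = "registry.auth.basic-auth-client-credentials.enabled")
    boolean fakeBasicAuthEnabled;

    /** Token endpoint handed to {@link OidcAuth} as its first constructor argument. */
    @ConfigProperty(name = "registry.auth.token.endpoint")
    String authServerUrl;

    /**
     * Authenticates the request, preferring the credentials-to-token exchange when it is
     * enabled and credentials are present.
     *
     * @param routingContext the current request
     * @param identityProviderManager used to validate the obtained access token
     * @return a {@code Uni} emitting the identity; a {@code Uni} emitting {@code null} when
     *         authentication is disabled; otherwise whatever the delegate mechanism returns
     * @throws AuthenticationFailedException if the token exchange rejects the supplied
     *         credentials (the original {@link NotAuthorizedException} is kept as cause)
     */
    public Uni<SecurityIdentity> authenticate(RoutingContext routingContext, IdentityProviderManager identityProviderManager) {
        if (!this.authEnabled) {
            // Authentication is switched off: this mechanism contributes no identity.
            return Uni.createFrom().nullItem();
        }
        if (this.fakeBasicAuthEnabled) {
            final Pair<String, String> credentials = CredentialsHelper.extractCredentialsFromContext(routingContext);
            if (credentials != null) {
                try {
                    return authenticateWithClientCredentials(credentials, routingContext, identityProviderManager);
                } catch (NotAuthorizedException e) {
                    // Fail closed: rejected credentials must not fall through to the delegate
                    // mechanism. The cause is preserved so that the rejection can be diagnosed
                    // and audited from server-side logs; previously it was discarded.
                    throw new AuthenticationFailedException(e);
                }
            }
        }
        // No credentials to exchange (or feature disabled): use the regular mechanism.
        return this.customAuthenticationMechanism.authenticate(routingContext, identityProviderManager);
    }

    /**
     * Delegates challenge generation to the wrapped mechanism.
     *
     * @param routingContext the current request
     * @return the challenge produced by {@link CustomAuthenticationMechanism}
     */
    public Uni<ChallengeData> getChallenge(RoutingContext routingContext) {
        return this.customAuthenticationMechanism.getChallenge(routingContext);
    }

    /**
     * Reports the authentication request types this mechanism submits.
     *
     * @return a singleton set holding {@link TokenAuthenticationRequest}, the only request
     *         type created by this class
     */
    public Set<Class<? extends AuthenticationRequest>> getCredentialTypes() {
        return Collections.singleton(TokenAuthenticationRequest.class);
    }

    /**
     * Reports the credential transport of this mechanism.
     *
     * @return the {@code Authorization} header transport with type target {@code "bearer"}
     */
    public HttpCredentialTransport getCredentialTransport() {
        // NOTE(review): only "bearer" is advertised here, although authenticate() also
        // consumes credentials extracted by CredentialsHelper — confirm this is intended.
        return new HttpCredentialTransport(HttpCredentialTransport.Type.AUTHORIZATION, "bearer");
    }

    /**
     * Exchanges the supplied credential pair for an access token and authenticates it.
     *
     * @param pair left and right elements are passed to {@link OidcAuth} as its second and
     *        third constructor arguments (presumably client id and client secret — confirm)
     * @param routingContext the current request, attached to the token credential
     * @param identityProviderManager validates the resulting token
     * @return a {@code Uni} emitting the identity resolved from the access token
     */
    private Uni<SecurityIdentity> authenticateWithClientCredentials(Pair<String, String> pair, RoutingContext routingContext, IdentityProviderManager identityProviderManager) {
        // NOTE(review): a new OidcAuth is built for every request and authenticate() is
        // called synchronously. If it performs a blocking HTTP call or holds a closeable
        // client, this runs on the caller's thread and is never released here — confirm.
        // No token caching is visible, so each request with credentials reaches the token
        // endpoint; consider rate limiting in front of this path.
        final OidcAuth oidcAuth = new OidcAuth(this.authServerUrl, pair.getLeft(), pair.getRight());
        final String accessToken = oidcAuth.authenticate();
        final AccessTokenCredential credential = new AccessTokenCredential(accessToken, routingContext);
        return identityProviderManager.authenticate(new TokenAuthenticationRequest(credential));
    }
}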
