package io.quarkus.resteasy.reactive.server.test.security;

import io.quarkus.arc.Arc;
import io.quarkus.security.Authenticated;
import io.quarkus.security.identity.IdentityProviderManager;
import io.quarkus.security.identity.SecurityIdentity;
import io.quarkus.security.identity.request.AuthenticationRequest;
import io.quarkus.security.test.utils.TestIdentityController;
import io.quarkus.security.test.utils.TestIdentityProvider;
import io.quarkus.test.QuarkusUnitTest;
import io.quarkus.vertx.http.runtime.security.BasicAuthenticationMechanism;
import io.quarkus.vertx.http.runtime.security.ChallengeData;
import io.quarkus.vertx.http.runtime.security.HttpCredentialTransport;
import io.quarkus.vertx.http.runtime.security.annotation.BasicAuthentication;
import io.quarkus.vertx.http.runtime.security.annotation.FormAuthentication;
import io.quarkus.vertx.http.runtime.security.annotation.HttpAuthenticationMechanism;
import io.restassured.RestAssured;
import io.smallrye.mutiny.Uni;
import io.vertx.ext.web.RoutingContext;
import jakarta.annotation.security.DenyAll;
import jakarta.annotation.security.RolesAllowed;
import jakarta.inject.Inject;
import jakarta.inject.Singleton;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.Path;
import java.lang.annotation.Annotation;
import java.util.List;
import java.util.Set;
import java.util.stream.IntStream;
import org.hamcrest.CoreMatchers;
import org.hamcrest.Matcher;
import org.jboss.shrinkwrap.api.asset.StringAsset;
import org.junit.jupiter.api.BeforeAll;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.RegisterExtension;
import org.junit.jupiter.params.ParameterizedTest;
import org.junit.jupiter.params.provider.MethodSource;

/* loaded from: input_file:io/quarkus/resteasy/reactive/server/test/security/AnnotationBasedAuthMechanismSelectionTest.class */
public class AnnotationBasedAuthMechanismSelectionTest {
    private static final List<AuthMechRequest> REQUESTS = List.of((Object[]) new AuthMechRequest[]{new AuthMechRequest("annotated-http-permissions/no-roles-allowed-basic").basic().noRbacAnnotation(), new AuthMechRequest("unannotated-http-permissions/no-roles-allowed-basic").basic().noRbacAnnotation(), new AuthMechRequest("annotated-http-permissions/roles-allowed-annotation-basic-auth").basic(), new AuthMechRequest("unannotated-http-permissions/roles-allowed-annotation-basic-auth").basic(), new AuthMechRequest("annotated-http-permissions/unauthenticated-form").form().noRbacAnnotation(), new AuthMechRequest("unannotated-http-permissions/unauthenticated-form").form().noRbacAnnotation(), new AuthMechRequest("annotated-http-permissions/authenticated-form").form().authRequest(), new AuthMechRequest("unannotated-http-permissions/authenticated-form").form().authRequest(), new AuthMechRequest("unannotated-http-permissions/basic-class-level-interface").basic().noRbacAnnotation().pathAnnotationDeclaredOnInterface(), new AuthMechRequest("annotated-http-permissions/basic-class-level-interface").basic().noRbacAnnotation().pathAnnotationDeclaredOnInterface(), new AuthMechRequest("annotated-http-permissions/overridden-parent-class-endpoint").custom().noRbacAnnotation(), new AuthMechRequest("annotated-http-permissions/default-impl-custom-class-level-interface").custom().noRbacAnnotation(), new AuthMechRequest("unannotated-http-permissions/overridden-parent-class-endpoint").form().noRbacAnnotation(), new AuthMechRequest("unannotated-http-permissions/default-impl-custom-class-level-interface").basic().noRbacAnnotation().pathAnnotationDeclaredOnInterface(), new AuthMechRequest("annotated-http-permissions/default-form-method-level-interface").form().noRbacAnnotation().defaultAuthMech(), new AuthMechRequest("unannotated-http-permissions/default-form-method-level-interface").form().noRbacAnnotation().defaultAuthMech(), new AuthMechRequest("annotated-http-permissions/basic-method-level-interface").basic().noRbacAnnotation().defaultAuthMech(), new AuthMechRequest("unannotated-http-permissions/basic-method-level-interface").basic().noRbacAnnotation().defaultAuthMech(), new AuthMechRequest("annotated-http-permissions/custom-inherited").custom(), new AuthMechRequest("annotated-http-permissions/basic-inherited").basic().authRequest(), new AuthMechRequest("annotated-http-permissions/form-default").form().defaultAuthMech().authRequest(), new AuthMechRequest("annotated-http-permissions/custom").custom().noRbacAnnotation(), new AuthMechRequest("annotated-http-permissions/custom-roles-allowed").custom(), new AuthMechRequest("unannotated-http-permissions/deny-custom").custom().denyPolicy(), new AuthMechRequest("annotated-http-permissions/roles-allowed-jax-rs-policy").form()});

    @RegisterExtension
    static QuarkusUnitTest runner = new QuarkusUnitTest().withApplicationRoot(javaArchive -> {
        javaArchive.addClasses(new Class[]{TestIdentityProvider.class, TestIdentityController.class, CustomBasicAuthMechanism.class, AbstractHttpPermissionsResource.class, AnnotatedHttpPermissionsResource.class, AbstractAnnotatedHttpPermissionsResource.class, UnannotatedHttpPermissionsResource.class, HttpPermissionsResourceClassLevelInterface.class, HttpPermissionsResourceMethodLevelInterface.class, AuthMechRequest.class, TestTrustedIdentityProvider.class}).addAsResource(new StringAsset("quarkus.http.auth.proactive=false\nquarkus.http.auth.form.enabled=true\nquarkus.http.auth.form.login-page=\nquarkus.http.auth.form.error-page=\nquarkus.http.auth.form.landing-page=\nquarkus.http.auth.basic=true\nquarkus.http.auth.permission.roles1.paths=/annotated-http-permissions/roles-allowed,/unannotated-http-permissions/roles-allowed\nquarkus.http.auth.permission.roles1.policy=roles1\nquarkus.http.auth.permission.jax-rs.paths=/annotated-http-permissions/roles-allowed-jax-rs-policy\nquarkus.http.auth.permission.jax-rs.policy=roles1\nquarkus.http.auth.permission.jax-rs.applies-to=JAXRS\nquarkus.http.auth.policy.roles1.roles-allowed=admin\nquarkus.http.auth.permission.authenticated.auth-mechanism=basic\nquarkus.http.auth.permission.authenticated.paths=/annotated-http-permissions/authenticated,/unannotated-http-permissions/authenticated\nquarkus.http.auth.permission.authenticated.policy=authenticated\nquarkus.http.auth.permission.same-mechanism.paths=/annotated-http-permissions/same-mech\nquarkus.http.auth.permission.same-mechanism.policy=authenticated\nquarkus.http.auth.permission.same-mechanism.auth-mechanism=custom\nquarkus.http.auth.permission.diff-mechanism.paths=/annotated-http-permissions/diff-mech\nquarkus.http.auth.permission.diff-mechanism.policy=authenticated\nquarkus.http.auth.permission.diff-mechanism.auth-mechanism=basic\nquarkus.http.auth.permission.permit1.paths=/annotated-http-permissions/permit,/unannotated-http-permissions/permit\nquarkus.http.auth.permission.permit1.policy=permit\nquarkus.http.auth.permission.deny1.paths=/annotated-http-permissions/deny,/unannotated-http-permissions/deny\nquarkus.http.auth.permission.deny1.policy=deny\n"), "application.properties");
    });

    /* loaded from: input_file:io/quarkus/resteasy/reactive/server/test/security/AnnotationBasedAuthMechanismSelectionTest$AbstractAnnotatedHttpPermissionsResource.class */
    public static class AbstractAnnotatedHttpPermissionsResource extends AbstractHttpPermissionsResource {
        @RolesAllowed({"admin"})
        @HttpAuthenticationMechanism("custom")
        @Path("custom-roles-allowed")
        @GET
        public String noPolicyCustomAuthMechRolesAllowed() {
            return "custom-roles-allowed";
        }

        @HttpAuthenticationMechanism("custom")
        @Path("custom")
        @GET
        public String noPolicyCustomAuthMech() {
            return this.securityIdentity.getPrincipal().getName();
        }

        @Path("form-default")
        @GET
        @Authenticated
        public String formDefault() {
            return "form-default";
        }
    }

    @FormAuthentication
    /* loaded from: input_file:io/quarkus/resteasy/reactive/server/test/security/AnnotationBasedAuthMechanismSelectionTest$AbstractHttpPermissionsResource.class */
    public static abstract class AbstractHttpPermissionsResource implements HttpPermissionsResourceClassLevelInterface, HttpPermissionsResourceMethodLevelInterface {

        @Inject
        SecurityIdentity securityIdentity;

        @Path("permit")
        @GET
        public String permit() {
            return "permit";
        }

        @Path("deny")
        @GET
        public String deny() {
            return "deny";
        }

        @Path("roles-allowed")
        @GET
        public String rolesAllowed() {
            return "roles-allowed";
        }

        @Path("roles-allowed-jax-rs-policy")
        @GET
        public String rolesAllowedJaxRsPolicy() {
            return "roles-allowed-jax-rs-policy";
        }

        @Path("authenticated")
        @GET
        public String authenticated() {
            return "authenticated";
        }

        @Path("authenticated-form")
        @GET
        @Authenticated
        public String authenticatedNoPolicyFormAuthMech() {
            return "authenticated-form";
        }

        @Path("unauthenticated-form")
        @GET
        public String unauthenticatedNoPolicyFormAuthMech() {
            return this.securityIdentity.getPrincipal().getName();
        }

        @BasicAuthentication
        @RolesAllowed({"admin"})
        @Path("roles-allowed-annotation-basic-auth")
        @GET
        public String rolesAllowedNoPolicyBasicAuthMech() {
            return "roles-allowed-annotation-basic-auth";
        }

        @BasicAuthentication
        @Path("no-roles-allowed-basic")
        @GET
        public String noPolicyBasicAuthMech() {
            return this.securityIdentity.getPrincipal().getName();
        }

        @RolesAllowed({"admin"})
        @Path("overridden-parent-class-endpoint")
        @GET
        public String overriddenParentClassEndpoint() {
            return this.securityIdentity.getPrincipal().getName();
        }
    }

    @HttpAuthenticationMechanism("custom")
    @Path("annotated-http-permissions")
    /* loaded from: input_file:io/quarkus/resteasy/reactive/server/test/security/AnnotationBasedAuthMechanismSelectionTest$AnnotatedHttpPermissionsResource.class */
    public static class AnnotatedHttpPermissionsResource extends AbstractAnnotatedHttpPermissionsResource {
        @BasicAuthentication
        @Path("basic-inherited")
        @GET
        @Authenticated
        public String basicInherited() {
            return "basic-inherited";
        }

        @RolesAllowed({"admin"})
        @Path("custom-inherited")
        @GET
        public String customInherited() {
            return "custom-inherited";
        }

        @Override // io.quarkus.resteasy.reactive.server.test.security.AnnotationBasedAuthMechanismSelectionTest.HttpPermissionsResourceClassLevelInterface
        @Path("default-impl-custom-class-level-interface")
        @GET
        public String defaultImplementedClassLevelInterfaceMethod() {
            return super.defaultImplementedClassLevelInterfaceMethod();
        }

        @Override // io.quarkus.resteasy.reactive.server.test.security.AnnotationBasedAuthMechanismSelectionTest.AbstractHttpPermissionsResource
        @Path("overridden-parent-class-endpoint")
        @GET
        public String overriddenParentClassEndpoint() {
            return super.overriddenParentClassEndpoint();
        }

        @HttpAuthenticationMechanism("custom")
        @GET
        @Path("same-mech")
        public String authPolicyIsUsingSameMechAsAnnotation() {
            return "same-mech";
        }

        @HttpAuthenticationMechanism("custom")
        @GET
        @Path("diff-mech")
        public String authPolicyIsUsingDiffMechAsAnnotation() {
            return "diff-mech";
        }
    }

    @Singleton
    /* loaded from: input_file:io/quarkus/resteasy/reactive/server/test/security/AnnotationBasedAuthMechanismSelectionTest$CustomBasicAuthMechanism.class */
    public static class CustomBasicAuthMechanism implements io.quarkus.vertx.http.runtime.security.HttpAuthenticationMechanism {
        static final String CUSTOM_AUTH_HEADER_KEY = CustomBasicAuthMechanism.class.getName();
        private final BasicAuthenticationMechanism delegate;

        public CustomBasicAuthMechanism(BasicAuthenticationMechanism basicAuthenticationMechanism) {
            this.delegate = basicAuthenticationMechanism;
        }

        public Uni<SecurityIdentity> authenticate(RoutingContext routingContext, IdentityProviderManager identityProviderManager) {
            routingContext.response().putHeader(CUSTOM_AUTH_HEADER_KEY, "true");
            return this.delegate.authenticate(routingContext, identityProviderManager);
        }

        public Uni<ChallengeData> getChallenge(RoutingContext routingContext) {
            return this.delegate.getChallenge(routingContext);
        }

        public Set<Class<? extends AuthenticationRequest>> getCredentialTypes() {
            return this.delegate.getCredentialTypes();
        }

        public Uni<Boolean> sendChallenge(RoutingContext routingContext) {
            return this.delegate.sendChallenge(routingContext);
        }

        public Uni<HttpCredentialTransport> getCredentialTransport(RoutingContext routingContext) {
            return Uni.createFrom().item(new HttpCredentialTransport(HttpCredentialTransport.Type.AUTHORIZATION, "custom"));
        }

        public int getPriority() {
            return this.delegate.getPriority();
        }
    }

    @BasicAuthentication
    /* loaded from: input_file:io/quarkus/resteasy/reactive/server/test/security/AnnotationBasedAuthMechanismSelectionTest$HttpPermissionsResourceClassLevelInterface.class */
    public interface HttpPermissionsResourceClassLevelInterface {
        @Path("basic-class-level-interface")
        @GET
        default String basicClassLevelInterface() {
            return ((SecurityIdentity) Arc.container().instance(SecurityIdentity.class, new Annotation[0]).get()).getPrincipal().getName();
        }

        @Path("default-impl-custom-class-level-interface")
        @GET
        default String defaultImplementedClassLevelInterfaceMethod() {
            return ((SecurityIdentity) Arc.container().instance(SecurityIdentity.class, new Annotation[0]).get()).getPrincipal().getName();
        }
    }

    /* loaded from: input_file:io/quarkus/resteasy/reactive/server/test/security/AnnotationBasedAuthMechanismSelectionTest$HttpPermissionsResourceMethodLevelInterface.class */
    public interface HttpPermissionsResourceMethodLevelInterface {
        @BasicAuthentication
        @Path("basic-method-level-interface")
        @GET
        @Authenticated
        default String basicMethodLevelInterface() {
            return ((SecurityIdentity) Arc.container().instance(SecurityIdentity.class, new Annotation[0]).get()).getPrincipal().getName();
        }

        @Path("default-form-method-level-interface")
        @GET
        @Authenticated
        default String defaultFormMethodLevelInterface() {
            return ((SecurityIdentity) Arc.container().instance(SecurityIdentity.class, new Annotation[0]).get()).getPrincipal().getName();
        }
    }

    @Path("unannotated-http-permissions")
    /* loaded from: input_file:io/quarkus/resteasy/reactive/server/test/security/AnnotationBasedAuthMechanismSelectionTest$UnannotatedHttpPermissionsResource.class */
    public static class UnannotatedHttpPermissionsResource extends AbstractHttpPermissionsResource {
        @HttpAuthenticationMechanism("custom")
        @DenyAll
        @Path("deny-custom")
        @GET
        public String denyCustomAuthMechanism() {
            return "ignored";
        }

        @Override // io.quarkus.resteasy.reactive.server.test.security.AnnotationBasedAuthMechanismSelectionTest.HttpPermissionsResourceClassLevelInterface
        public String defaultImplementedClassLevelInterfaceMethod() {
            return super.defaultImplementedClassLevelInterfaceMethod();
        }

        @Override // io.quarkus.resteasy.reactive.server.test.security.AnnotationBasedAuthMechanismSelectionTest.AbstractHttpPermissionsResource
        public String overriddenParentClassEndpoint() {
            return super.overriddenParentClassEndpoint();
        }
    }

    @BeforeAll
    public static void setupUsers() {
        TestIdentityController.resetRoles().add("admin", "admin", new String[]{"admin"}).add("user", "user", new String[]{"user"});
        RestAssured.enableLoggingOfRequestAndResponseIfValidationFails();
    }

    @MethodSource({"authMechanismRequestsIdxs"})
    @ParameterizedTest
    public void testAuthMechanismSelection(int i) {
        AuthMechRequest authMechRequest = REQUESTS.get(i);
        authMechRequest.requestSpecification.get().get(authMechRequest.path, new Object[0]).then().statusCode(authMechRequest.expectedStatus).body(CoreMatchers.is(authMechRequest.expectedBody), new Matcher[0]).header(authMechRequest.expectedHeaderKey, authMechRequest.expectedHeaderVal);
        if (authMechRequest.authRequired && authMechRequest.unauthorizedRequestSpec != null) {
            authMechRequest.unauthorizedRequestSpec.get().get(authMechRequest.path, new Object[0]).then().statusCode(403).header(authMechRequest.expectedHeaderKey, authMechRequest.expectedHeaderVal);
        }
        if (authMechRequest.authRequired && authMechRequest.unauthenticatedRequestSpec != null) {
            authMechRequest.unauthenticatedRequestSpec.get().get(authMechRequest.path, new Object[0]).then().statusCode(401).header(authMechRequest.expectedHeaderKey, authMechRequest.expectedHeaderVal);
        }
        if (authMechRequest.requestUsingOtherAuthMech != null) {
            if (authMechRequest.authRequired) {
                authMechRequest.requestUsingOtherAuthMech.get().get(authMechRequest.path, new Object[0]).then().statusCode(401).header(authMechRequest.expectedHeaderKey, authMechRequest.expectedHeaderVal);
            } else {
                authMechRequest.requestUsingOtherAuthMech.get().get(authMechRequest.path, new Object[0]).then().header(authMechRequest.expectedHeaderKey, authMechRequest.expectedHeaderVal).statusCode(401);
            }
        }
    }

    @Test
    public void testHttpPolicyApplied() {
        RestAssured.given().get("/annotated-http-permissions/authenticated", new Object[0]).then().statusCode(401);
        RestAssured.given().get("/unannotated-http-permissions/authenticated", new Object[0]).then().statusCode(401);
        RestAssured.given().get("/annotated-http-permissions/deny", new Object[0]).then().statusCode(401);
        RestAssured.given().get("/unannotated-http-permissions/deny", new Object[0]).then().statusCode(401);
        AuthMechRequest.requestWithBasicAuthUser().get("/annotated-http-permissions/roles-allowed", new Object[0]).then().statusCode(403);
        AuthMechRequest.requestWithFormAuth("user").get("/unannotated-http-permissions/roles-allowed", new Object[0]).then().statusCode(403);
        AuthMechRequest.requestWithFormAuth("admin").get("/annotated-http-permissions/roles-allowed", new Object[0]).then().statusCode(200);
        AuthMechRequest.requestWithFormAuth("admin").get("/unannotated-http-permissions/roles-allowed", new Object[0]).then().statusCode(200);
        AuthMechRequest.requestWithFormAuth("user").get("/unannotated-http-permissions/authenticated", new Object[0]).then().statusCode(401);
        RestAssured.given().get("/annotated-http-permissions/permit", new Object[0]).then().statusCode(401);
        RestAssured.given().get("/unannotated-http-permissions/permit", new Object[0]).then().statusCode(401);
    }

    @Test
    public void testBothHttpSecPolicyAndAnnotationApplied() {
        AuthMechRequest.requestWithBasicAuthUser().get("/annotated-http-permissions/authenticated", new Object[0]).then().statusCode(401);
        AuthMechRequest.requestWithFormAuth("user").get("/annotated-http-permissions/authenticated", new Object[0]).then().statusCode(401);
        AuthMechRequest.requestWithFormAuth("user").auth().preemptive().basic("admin", "admin").get("/annotated-http-permissions/authenticated", new Object[0]).then().statusCode(401);
    }

    @Test
    public void testAuthenticatedHttpPolicyUsingSameMechanism() {
        AuthMechRequest.requestWithBasicAuthUser().get("/annotated-http-permissions/same-mech", new Object[0]).then().statusCode(200);
    }

    @Test
    public void testAuthenticatedHttpPolicyUsingDiffMechanism() {
        AuthMechRequest.requestWithBasicAuthUser().get("/annotated-http-permissions/diff-mech", new Object[0]).then().statusCode(401);
    }

    private static IntStream authMechanismRequestsIdxs() {
        return IntStream.range(0, REQUESTS.size());
    }
}
