package io.quarkus.security.runtime.interceptor;

import io.quarkus.security.Authenticated;
import io.quarkus.security.ForbiddenException;
import io.quarkus.security.UnauthorizedException;
import io.quarkus.security.identity.SecurityIdentity;
import java.lang.annotation.Annotation;
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.function.Supplier;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.inject.Inject;
import javax.inject.Singleton;

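@Singleton
/**
 * Resolves and enforces the declarative security constraint that applies to an intercepted method.
 *
 * <p>The constraint is taken from the first of these places that carries one of the recognised
 * annotations ({@link Authenticated}, {@link DenyAll}, {@link PermitAll}, {@link RolesAllowed}):
 * <ol>
 *   <li>the method's own declared annotations,</li>
 *   <li>the declared annotations of the method's declaring class,</li>
 *   <li>the interceptor bindings handed in by the caller.</li>
 * </ol>
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>When none of the three places carries a security annotation, no check is applied, so the
 *       invocation is <em>not</em> restricted by this class.</li>
 *   <li>More than one security annotation at the same level is rejected with an
 *       {@link IllegalStateException} instead of silently picking one.</li>
 *   <li>Anonymous callers that fail a check get {@link UnauthorizedException}; authenticated
 *       callers that fail get {@link ForbiddenException}.</li>
 *   <li>The resolved check is cached per {@link Method}. The bindings passed on the first call for
 *       a method therefore decide the cached result; later calls with different bindings do not
 *       re-resolve it.</li>
 * </ul>
 *
 * <p>NOTE(review): this listing is decompiler output (JADX); the nested types below were reported
 * as originally {@code private} and are only {@code public} here because the decompiler widened
 * them.
 */
public class SecurityConstrainer {
    /** Annotation types this class treats as security constraints. */
    private static final List<Class<? extends Annotation>> SECURITY_ANNOTATIONS = Arrays.asList(Authenticated.class, DenyAll.class, PermitAll.class, RolesAllowed.class);

    /** Per-method cache of the resolved check; an empty Optional records "no constraint found". */
    private final Map<Method, Optional<Check>> checkForMethod = new ConcurrentHashMap<>();

    @Inject
    SecurityIdentity identity;

    /** Check for {@link Authenticated}: rejects anonymous identities. */
    public static class AuthenticatedCheck implements Check {
        private AuthenticatedCheck() {
        }

        /**
         * @throws UnauthorizedException if the identity is anonymous
         */
        @Override
        public void apply(SecurityIdentity securityIdentity) {
            if (securityIdentity.isAnonymous()) {
                throw new UnauthorizedException();
            }
        }
    }

    /** A security constraint that either returns normally (access granted) or throws. */
    public interface Check {
        void apply(SecurityIdentity securityIdentity);
    }

    /** Check for {@link DenyAll}: never returns normally. */
    public static class DenyAllCheck implements Check {
        private DenyAllCheck() {
        }

        /**
         * @throws UnauthorizedException if the identity is anonymous
         * @throws ForbiddenException if the identity is authenticated
         */
        @Override
        public void apply(SecurityIdentity securityIdentity) {
            if (securityIdentity.isAnonymous()) {
                throw new UnauthorizedException();
            }
            throw new ForbiddenException();
        }
    }

    /** Check for {@link PermitAll}: an explicit "no restriction" marker. */
    public static class PermitAllCheck implements Check {
        private PermitAllCheck() {
        }

        /** Intentionally empty: every identity, including an anonymous one, is let through. */
        @Override
        public void apply(SecurityIdentity securityIdentity) {
        }
    }

    /** Check for {@link RolesAllowed}: grants access when the identity holds any listed role. */
    public static class RolesAllowedCheck implements Check {
        private final String[] allowedRoles;

        private RolesAllowedCheck(String[] strArr) {
            this.allowedRoles = strArr;
        }

        /**
         * Passes as soon as one of the allowed roles is present in the identity's role set.
         * Role names are compared exactly, via {@link Set#contains(Object)}.
         *
         * @throws UnauthorizedException if no role matches and the identity is anonymous
         * @throws ForbiddenException if no role matches and the identity is authenticated
         */
        @Override
        public void apply(SecurityIdentity securityIdentity) {
            Set<String> roles = securityIdentity.getRoles();
            // A null role set is treated the same as an empty one: nothing can match.
            if (roles != null) {
                for (String allowedRole : this.allowedRoles) {
                    if (roles.contains(allowedRole)) {
                        return;
                    }
                }
            }
            if (securityIdentity.isAnonymous()) {
                throw new UnauthorizedException();
            }
            throw new ForbiddenException();
        }
    }

    /**
     * Enforces the security constraint that applies to {@code method} against the injected
     * identity. Does nothing when no constraint was found for the method.
     *
     * @param method the intercepted method
     * @param collection interceptor bindings, consulted only when neither the method nor its
     *     declaring class carries a security annotation
     * @throws UnauthorizedException if the check fails for an anonymous identity
     * @throws ForbiddenException if the check fails for an authenticated identity
     * @throws IllegalStateException if conflicting security annotations are found
     */
    public void checkRoles(Method method, Collection<Annotation> collection) {
        getCheck(method, collection).ifPresent(check -> check.apply(this.identity));
    }

    /**
     * Returns the cached check for {@code method}, resolving and caching it on first use.
     */
    private Optional<Check> getCheck(Method method, Collection<Annotation> collection) {
        Optional<Check> cached = this.checkForMethod.get(method);
        if (cached == null) {
            // Two threads may both resolve the same method here; the later put simply overwrites
            // the earlier one. A resolution that throws is not cached and is retried next call.
            cached = determineSecurityCheck(method, collection);
            this.checkForMethod.put(method, cached);
        }
        return cached;
    }

    /**
     * Resolves the constraint for {@code method}: method annotations first, then the declaring
     * class, then the supplied bindings. The first level that yields an annotation wins.
     */
    private Optional<Check> determineSecurityCheck(Method method, Collection<Annotation> collection) {
        Annotation securityAnnotation = determineSecurityAnnotation(method.getDeclaredAnnotations(), method::toString);
        if (securityAnnotation == null) {
            Class<?> declaringClass = method.getDeclaringClass();
            securityAnnotation = determineSecurityAnnotation(declaringClass.getDeclaredAnnotations(), declaringClass::getCanonicalName);
        }
        if (securityAnnotation == null) {
            securityAnnotation = determineSecurityAnnotationFromBindings(collection, method::toString);
        }
        return checkForAnnotation(securityAnnotation);
    }

    /**
     * Maps a security annotation to its check.
     *
     * @return the matching check, or an empty Optional for {@code null} or any other annotation
     */
    private Optional<Check> checkForAnnotation(Annotation annotation) {
        if (annotation instanceof DenyAll) {
            return Optional.of(new DenyAllCheck());
        }
        if (annotation instanceof RolesAllowed) {
            return Optional.of(new RolesAllowedCheck(((RolesAllowed) annotation).value()));
        }
        if (annotation instanceof PermitAll) {
            return Optional.of(new PermitAllCheck());
        }
        if (annotation instanceof Authenticated) {
            return Optional.of(new AuthenticatedCheck());
        }
        return Optional.empty();
    }

    /**
     * Picks the single security annotation out of {@code collection}.
     *
     * @param supplier lazily describes the annotated element for the error message
     * @return the annotation, or {@code null} if the collection holds none
     * @throws IllegalStateException if the collection holds more than one
     */
    private Annotation determineSecurityAnnotationFromBindings(Collection<Annotation> collection, Supplier<String> supplier) {
        List<Annotation> found = new ArrayList<>();
        for (Annotation annotation : collection) {
            if (isSecurityAnnotation(annotation)) {
                found.add(annotation);
            }
        }
        return getExactlyOne(found, supplier);
    }

    /**
     * Array variant of {@link #determineSecurityAnnotationFromBindings}; same contract.
     */
    private Annotation determineSecurityAnnotation(Annotation[] annotationArr, Supplier<String> supplier) {
        return determineSecurityAnnotationFromBindings(Arrays.asList(annotationArr), supplier);
    }

    /** Tells whether the annotation's type is one of {@link #SECURITY_ANNOTATIONS}. */
    private boolean isSecurityAnnotation(Annotation annotation) {
        return SECURITY_ANNOTATIONS.contains(annotation.annotationType());
    }

    /**
     * Returns the only element of {@code list}, {@code null} when it is empty, and fails when it
     * holds several, so that conflicting constraints are never resolved by guesswork.
     */
    private Annotation getExactlyOne(List<Annotation> list, Supplier<String> supplier) {
        switch (list.size()) {
            case 0:
                return null;
            case 1:
                return list.get(0);
            default:
                throw new IllegalStateException("Duplicate security annotations found on " + supplier.get() + ". Expected at most 1 annotation, found: " + list);
        }
    }
}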
