package io.quarkus.oidc.token.propagation;

import io.quarkus.arc.Arc;
import io.quarkus.oidc.client.OidcClient;
import io.quarkus.oidc.client.OidcClientConfig;
import io.quarkus.oidc.client.OidcClients;
import io.quarkus.oidc.client.Tokens;
import io.quarkus.oidc.token.propagation.runtime.AbstractTokenRequestFilter;
import io.quarkus.runtime.configuration.ConfigurationException;
import io.quarkus.security.credential.TokenCredential;
import io.quarkus.vertx.core.runtime.context.VertxContextSafetyToggle;
import io.vertx.core.Vertx;
import jakarta.annotation.PostConstruct;
import jakarta.enterprise.inject.Instance;
import jakarta.enterprise.inject.spi.CDI;
import jakarta.ws.rs.client.ClientRequestContext;
import java.io.IOException;
import java.lang.annotation.Annotation;
import java.util.Collections;
import org.eclipse.microprofile.config.ConfigProvider;

/* loaded from: input_file:io/quarkus/oidc/token/propagation/AccessTokenRequestFilter.class */
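/**
 * REST client request filter that takes the caller's access token and hands it to
 * {@code propagateToken} (inherited from {@link AbstractTokenRequestFilter}) for the outgoing request.
 *
 * <p>The token comes from one of two places:
 * <ul>
 *   <li>the current Vert.x context local keyed by {@code TokenCredential.class.getName()}, used only when
 *       one of the {@code PROPAGATE_TOKEN_CREDENTIAL_WITH_DUPLICATED_CTX} system properties is {@code true};</li>
 *   <li>otherwise the CDI {@link TokenCredential} instance.</li>
 * </ul>
 *
 * <p>When {@code quarkus.resteasy-client-oidc-token-propagation.exchange-token} is {@code true}, the token is
 * first sent to the configured {@link OidcClient} and the access token from that response is propagated
 * instead of the original one.
 *
 * <p>Security notes for reviewers: this filter forwards a bearer credential, so it should only be registered
 * on clients whose target is trusted to receive the caller's token (the destination is not visible in this
 * class). Exchanging the token lets the downstream service receive a token issued for it rather than the
 * original one; whether the exchanged token is narrower in audience or scope depends on the identity
 * provider configuration.
 */
public class AccessTokenRequestFilter extends AbstractTokenRequestFilter {
    private static final String ERROR_MSG = "OIDC Token Propagation requires a safe (isolated) Vert.x sub-context because configuration property 'quarkus.resteasy-client-oidc-token-propagation.enabled-during-authentication' has been set to true, but the current context hasn't been flagged as such.";
    // True when either authentication mechanism flag is set as a JVM system property.
    // NOTE(review): presumably set by the extension when 'enabled-during-authentication' is true - confirm.
    private final boolean enabledDuringAuthentication;
    // CDI handle for the token credential; resolved lazily on each request.
    private final Instance<TokenCredential> accessToken;
    // Non-null only when token exchange is enabled (see initExchangeTokenClient).
    OidcClient exchangeTokenClient;
    // Grant parameter name that carries the incoming token: "subject_token" or "assertion".
    String exchangeTokenProperty;

    /**
     * Reads the two system-property flags and obtains the CDI handle for {@link TokenCredential}.
     */
    public AccessTokenRequestFilter() {
        boolean oidcFlag = Boolean.getBoolean("io.quarkus.oidc.runtime.AbstractOidcAuthenticationMechanism.PROPAGATE_TOKEN_CREDENTIAL_WITH_DUPLICATED_CTX");
        boolean jwtFlag = Boolean.getBoolean("io.quarkus.smallrye.jwt.runtime.auth.JWTAuthMechanism.PROPAGATE_TOKEN_CREDENTIAL_WITH_DUPLICATED_CTX");
        this.enabledDuringAuthentication = oidcFlag || jwtFlag;
        this.accessToken = CDI.current().select(TokenCredential.class);
    }

    /**
     * Resolves the OIDC client used for token exchange and picks the grant parameter name.
     *
     * <p>Does nothing when token exchange is disabled. Only the {@code EXCHANGE} and {@code JWT} grant types
     * are accepted; any other configured grant type fails startup instead of silently propagating a token
     * obtained through an unrelated grant.
     *
     * @throws ConfigurationException if the OIDC client is configured with another grant type
     */
    @PostConstruct
    public void initExchangeTokenClient() {
        if (!isExchangeToken()) {
            return;
        }
        OidcClients oidcClients = Arc.container().instance(OidcClients.class).get();
        String clientName = getClientName();
        this.exchangeTokenClient = clientName != null ? oidcClients.getClient(clientName) : oidcClients.getClient();

        // Named clients live under 'quarkus.oidc-client.<name>.', the default client directly under 'quarkus.oidc-client.'.
        String grantTypeKey = "quarkus.oidc-client." + (clientName != null ? clientName + "." : "") + "grant.type";
        OidcClientConfig.Grant.Type type = ConfigProvider.getConfig().getValue(grantTypeKey, OidcClientConfig.Grant.Type.class);
        if (type == OidcClientConfig.Grant.Type.EXCHANGE) {
            this.exchangeTokenProperty = "subject_token";
        } else if (type == OidcClientConfig.Grant.Type.JWT) {
            this.exchangeTokenProperty = "assertion";
        } else {
            throw new ConfigurationException("Token exchange is required but OIDC client is configured to use the " + type.getGrantType() + " grantType");
        }
    }

    /**
     * @return the value of {@code quarkus.resteasy-client-oidc-token-propagation.exchange-token}
     */
    protected boolean isExchangeToken() {
        return ConfigProvider.getConfig().getValue("quarkus.resteasy-client-oidc-token-propagation.exchange-token", Boolean.TYPE);
    }

    /**
     * Propagates the caller's token, exchanged first when exchange is enabled.
     *
     * <p>The Vert.x context credential is tried first; the CDI credential is used when that path yields
     * nothing and {@code verifyTokenInstance} accepts the instance.
     *
     * @param clientRequestContext the outgoing request
     * @throws IOException declared by the filter contract
     */
    public void filter(ClientRequestContext clientRequestContext) throws IOException {
        if (acquireTokenCredentialFromCtx(clientRequestContext)) {
            String contextToken = getTokenCredentialFromContext().getToken();
            propagateToken(clientRequestContext, exchangeTokenIfNeeded(contextToken));
            return;
        }
        // NOTE(review): this branch is also reached after acquireTokenCredentialFromCtx called abortRequest;
        // confirm that propagating onto an already aborted request is harmless.
        if (verifyTokenInstance(clientRequestContext, this.accessToken)) {
            String cdiToken = this.accessToken.get().getToken();
            propagateToken(clientRequestContext, exchangeTokenIfNeeded(cdiToken));
        }
    }

    /**
     * Returns {@code token} unchanged when exchange is disabled, otherwise the access token obtained by
     * sending it to the exchange client under {@link #exchangeTokenProperty}.
     */
    private String exchangeTokenIfNeeded(String token) {
        if (this.exchangeTokenClient == null) {
            return token;
        }
        // NOTE(review): indefinitely() puts no upper bound on the wait in this class, so a token endpoint
        // that never answers keeps the calling thread blocked unless the client itself enforces a timeout.
        Tokens exchanged = this.exchangeTokenClient
                .getTokens(Collections.singletonMap(this.exchangeTokenProperty, token))
                .await().indefinitely();
        return exchanged.getAccessToken();
    }

    /**
     * @return the configured {@code quarkus.resteasy-client-oidc-token-propagation.client-name},
     *         or {@code null} to use the default OIDC client
     */
    protected String getClientName() {
        return ConfigProvider.getConfig()
                .getOptionalValue("quarkus.resteasy-client-oidc-token-propagation.client-name", String.class)
                .orElse(null);
    }

    /**
     * Tells whether the Vert.x context holds a usable token.
     *
     * @return {@code true} only when the feature flag is on and the context credential has a non-null token;
     *         when the credential exists but its token is {@code null} the request is aborted first
     */
    private boolean acquireTokenCredentialFromCtx(ClientRequestContext clientRequestContext) {
        if (!this.enabledDuringAuthentication) {
            return false;
        }
        TokenCredential credential = getTokenCredentialFromContext();
        if (credential == null) {
            return false;
        }
        if (credential.getToken() == null) {
            abortRequest(clientRequestContext);
            return false;
        }
        return true;
    }

    /**
     * Reads the credential stored as a local of the current Vert.x context.
     *
     * <p>The context is validated first so that the credential is only read from a context flagged as
     * safe (see {@link #ERROR_MSG}); a context shared between requests could otherwise hand one caller's
     * token to another request.
     *
     * @return the credential, or {@code null} when there is no current Vert.x context or no credential in it
     */
    private static TokenCredential getTokenCredentialFromContext() {
        VertxContextSafetyToggle.validateContextIfExists(ERROR_MSG, ERROR_MSG);
        // Vertx.currentContext() returns null on a thread that has no Vert.x context; report "no credential"
        // instead of failing with a NullPointerException so the CDI credential path can be used.
        io.vertx.core.Context current = Vertx.currentContext();
        if (current == null) {
            return null;
        }
        return current.getLocal(TokenCredential.class.getName());
    }
}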
