package fish.payara.microprofile.jwtauth.cdi;

import java.lang.annotation.Annotation;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import javax.annotation.security.RolesAllowed;
import javax.enterprise.context.ApplicationScoped;
import javax.enterprise.context.SessionScoped;
import javax.enterprise.event.Observes;
import javax.enterprise.inject.spi.AfterBeanDiscovery;
import javax.enterprise.inject.spi.Annotated;
import javax.enterprise.inject.spi.BeanManager;
import javax.enterprise.inject.spi.BeforeBeanDiscovery;
import javax.enterprise.inject.spi.DeploymentException;
import javax.enterprise.inject.spi.Extension;
import javax.enterprise.inject.spi.InjectionPoint;
import javax.enterprise.inject.spi.ProcessBean;
import javax.enterprise.inject.spi.ProcessInjectionTarget;
import javax.enterprise.inject.spi.ProcessManagedBean;
import javax.enterprise.inject.spi.ProcessSessionBean;
import org.eclipse.microprofile.auth.LoginConfig;
import org.eclipse.microprofile.config.Config;
import org.eclipse.microprofile.config.ConfigProvider;
import org.eclipse.microprofile.jwt.Claim;
import org.eclipse.microprofile.jwt.Claims;
import org.eclipse.microprofile.jwt.config.Names;

/* loaded from: input_file:fish/payara/microprofile/jwtauth/cdi/JwtAuthCdiExtension.class */
public class JwtAuthCdiExtension implements Extension {
    private boolean addJWTAuthenticationMechanism;
    private final Set<String> roles = new HashSet();

    public void register(@Observes BeforeBeanDiscovery beforeBeanDiscovery, BeanManager beanManager) {
        beforeBeanDiscovery.addAnnotatedType(beanManager.createAnnotatedType(InjectionPointGenerator.class), "JWT InjectionPointGenerator ");
    }

    public <T> void findLoginConfigAnnotation(@Observes ProcessBean<T> processBean, BeanManager beanManager) {
        LoginConfig loginConfig = (LoginConfig) processBean.getAnnotated().getAnnotation(LoginConfig.class);
        if (loginConfig == null || !loginConfig.authMethod().equals("MP-JWT")) {
            return;
        }
        this.addJWTAuthenticationMechanism = true;
    }

    public <T> void findRoles(@Observes ProcessManagedBean<T> processManagedBean, BeanManager beanManager) {
        if (processManagedBean instanceof ProcessSessionBean) {
            return;
        }
        ArrayList arrayList = new ArrayList(processManagedBean.getAnnotatedBeanClass().getMethods());
        arrayList.add(processManagedBean.getAnnotatedBeanClass());
        Iterator it = arrayList.iterator();
        while (it.hasNext()) {
            RolesAllowed rolesAllowed = (RolesAllowed) ((Annotated) it.next()).getAnnotation(RolesAllowed.class);
            if (rolesAllowed != null) {
                this.roles.addAll(Arrays.asList(rolesAllowed.value()));
            }
        }
    }

    public <T> void checkInjectIntoRightScope(@Observes ProcessInjectionTarget<T> processInjectionTarget, BeanManager beanManager) {
        for (InjectionPoint injectionPoint : processInjectionTarget.getInjectionTarget().getInjectionPoints()) {
            Claim hasClaim = hasClaim(injectionPoint);
            if (hasClaim != null) {
                Class<? extends Annotation> scope = injectionPoint.getBean() != null ? injectionPoint.getBean().getScope() : null;
                if (scope != null && (scope.equals(ApplicationScoped.class) || scope.equals(SessionScoped.class))) {
                    throw new DeploymentException("Can't inject using qualifier " + Claim.class + " in a target with scope " + scope);
                }
                if (!hasClaim.value().equals("") && hasClaim.standard() != Claims.UNKNOWN && !hasClaim.value().equals(hasClaim.standard().name())) {
                    throw new DeploymentException("Claim value " + hasClaim.value() + " should be equal to claim standard " + hasClaim.standard().name() + " or one of those should be left at their default value");
                }
            }
        }
    }

    public void installMechanismIfNeeded(@Observes AfterBeanDiscovery afterBeanDiscovery, BeanManager beanManager) {
        if (this.addJWTAuthenticationMechanism) {
            validateConfigValue();
            CdiInitEventHandler.installAuthenticationMechanism(afterBeanDiscovery);
        }
    }

    private void validateConfigValue() {
        Config config = ConfigProvider.getConfig();
        if (config.getOptionalValue(Names.VERIFIER_PUBLIC_KEY, String.class).isPresent() && config.getOptionalValue(Names.VERIFIER_PUBLIC_KEY_LOCATION, String.class).isPresent()) {
            throw new DeploymentException("Both properties mp.jwt.verify.publickey and mp.jwt.verify.publickey.location must not be defined");
        }
    }

    public Set<String> getRoles() {
        return this.roles;
    }

    public boolean isAddJWTAuthenticationMechanism() {
        return this.addJWTAuthenticationMechanism;
    }

    private static Claim hasClaim(InjectionPoint injectionPoint) {
        for (Annotation annotation : injectionPoint.getQualifiers()) {
            if (annotation.annotationType().equals(Claim.class)) {
                return (Claim) annotation;
            }
        }
        return null;
    }
}
