package org.projectnessie.server.authn;

import io.quarkus.security.AuthenticationFailedException;
import io.quarkus.security.identity.IdentityProvider;
import io.quarkus.security.identity.IdentityProviderManager;
import io.quarkus.security.identity.SecurityIdentity;
import io.quarkus.security.identity.request.AnonymousAuthenticationRequest;
import io.quarkus.vertx.http.runtime.security.HttpAuthenticationMechanism;
import io.quarkus.vertx.http.runtime.security.HttpAuthenticator;
import io.quarkus.vertx.http.runtime.security.PathMatchingHttpSecurityPolicy;
import io.smallrye.mutiny.Uni;
import io.smallrye.mutiny.groups.UniCreate;
import io.vertx.ext.web.RoutingContext;
import java.util.Set;
import javax.annotation.Priority;
import javax.enterprise.inject.Alternative;
import javax.enterprise.inject.Instance;
import javax.inject.Inject;
import javax.inject.Singleton;
import org.projectnessie.server.config.QuarkusNessieAuthenticationConfig;

@Alternative
@Singleton
@Priority(1)
/* loaded from: input_file:org/projectnessie/server/authn/NessieHttpAuthenticator.class */
public class NessieHttpAuthenticator extends HttpAuthenticator {
    private final IdentityProviderManager identityProvider;
    private final boolean authEnabled;
    private final Set<String> anonymousPaths;

    @Inject
    public NessieHttpAuthenticator(QuarkusNessieAuthenticationConfig quarkusNessieAuthenticationConfig, IdentityProviderManager identityProviderManager, Instance<PathMatchingHttpSecurityPolicy> instance, Instance<HttpAuthenticationMechanism> instance2, Instance<IdentityProvider<?>> instance3) {
        super(identityProviderManager, instance, instance2, instance3);
        this.identityProvider = identityProviderManager;
        this.authEnabled = quarkusNessieAuthenticationConfig.enabled();
        this.anonymousPaths = quarkusNessieAuthenticationConfig.anonymousPaths();
    }

    @Override // io.quarkus.vertx.http.runtime.security.HttpAuthenticator
    public Uni<SecurityIdentity> attemptAuthentication(RoutingContext routingContext) {
        return !this.authEnabled ? anonymous() : super.attemptAuthentication(routingContext).onItem().transformToUni(securityIdentity -> {
            if (securityIdentity != null) {
                return Uni.createFrom().item((UniCreate) securityIdentity);
            }
            String path = routingContext.request().path();
            if (path == null || !this.anonymousPaths.contains(path)) {
                throw new AuthenticationFailedException("Missing or unrecognized credentials");
            }
            return anonymous();
        });
    }

    private Uni<SecurityIdentity> anonymous() {
        return this.identityProvider.authenticate(AnonymousAuthenticationRequest.INSTANCE);
    }
}
