package org.wildfly.security.http.bearer;

import java.io.IOException;
import java.util.Iterator;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.AuthorizeCallback;
import org.jboss.errai.codegen.shade.org.eclipse.jdt.internal.core.JavadocConstants;
import org.wildfly.security.auth.callback.AuthenticationCompleteCallback;
import org.wildfly.security.auth.callback.AvailableRealmsCallback;
import org.wildfly.security.auth.callback.EvidenceVerifyCallback;
import org.wildfly.security.auth.callback.IdentityCredentialCallback;
import org.wildfly.security.credential.BearerTokenCredential;
import org.wildfly.security.evidence.BearerTokenEvidence;
import org.wildfly.security.http.HttpAuthenticationException;
import org.wildfly.security.http.HttpConstants;
import org.wildfly.security.http.HttpServerAuthenticationMechanism;
import org.wildfly.security.http.HttpServerRequest;
import org.wildfly.security.http.HttpServerResponse;
import org.wildfly.security.mechanism.AuthenticationMechanismException;
import org.wildfly.security.mechanism._private.ElytronMessages;
import org.wildfly.security.mechanism._private.MechanismUtil;

/* JADX WARN: Classes with same name are omitted:
  input_file:WEB-INF/lib/wildfly-elytron-http-bearer-1.10.7.Final.jar:org/wildfly/security/http/bearer/BearerTokenAuthenticationMechanism.class
 */
/* loaded from: input_file:WEB-INF/lib/wildfly-elytron-1.10.7.Final.jar:org/wildfly/security/http/bearer/BearerTokenAuthenticationMechanism.class */
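/**
 * HTTP server-side authentication mechanism for bearer tokens carried in the
 * {@code Authorization} request header.
 *
 * <p>The mechanism only extracts the token. Verification, authorization and identity
 * association are all delegated to the {@link CallbackHandler} given at construction.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The token value is never written to the log by this class; keep it that way.</li>
 *   <li>Both decision points fail closed: the request is only completed when the
 *       verify callback reports verified and the authorize callback reports authorized.</li>
 * </ul>
 */
final class BearerTokenAuthenticationMechanism implements HttpServerAuthenticationMechanism {
    /**
     * Matches {@code Bearer <token>} case-insensitively and captures the token.
     *
     * <p>The pattern is lenient: any number of spaces (including none) may separate the
     * scheme from the token, and the token is any run of non-space characters. No
     * structural validation of the token happens here.
     */
    private static final Pattern BEARER_TOKEN_PATTERN =
            Pattern.compile("^Bearer *([^ ]+) *$", Pattern.CASE_INSENSITIVE);

    private final CallbackHandler callbackHandler;

    /**
     * Creates the mechanism.
     *
     * @param callbackHandler handler that receives the verify, authorize, credential,
     *                        completion and realm callbacks issued by this mechanism
     */
    public BearerTokenAuthenticationMechanism(CallbackHandler callbackHandler) {
        this.callbackHandler = callbackHandler;
    }

    @Override // org.wildfly.security.http.HttpServerAuthenticationMechanism
    public String getMechanismName() {
        return HttpConstants.BEARER_TOKEN;
    }

    /**
     * Authenticates the request from the first {@code Authorization} header value that
     * matches the bearer pattern.
     *
     * <p>Only that first matching value is evaluated: if it fails verification or
     * authorization the request is rejected and later header values are not tried.
     * A verification failure is answered through {@link #unauthorizedResponse} (401 with a
     * challenge), an authorization failure with a bare 403. When no header value matches,
     * the request is reported as having no authentication in progress.
     *
     * @param httpServerRequest the request to evaluate
     * @throws HttpAuthenticationException if a callback fails with a mechanism error
     */
    @Override // org.wildfly.security.http.HttpServerAuthenticationMechanism
    public void evaluateRequest(HttpServerRequest httpServerRequest) throws HttpAuthenticationException {
        List<String> authorizationValues = httpServerRequest.getRequestHeaderValues("Authorization");
        if (authorizationValues != null) {
            for (String headerValue : authorizationValues) {
                Matcher matcher = BEARER_TOKEN_PATTERN.matcher(headerValue);
                if (!matcher.matches()) {
                    continue;
                }

                BearerTokenEvidence tokenEvidence = new BearerTokenEvidence(matcher.group(1));
                EvidenceVerifyCallback verifyCallback = new EvidenceVerifyCallback(tokenEvidence);
                handleCallback(verifyCallback);
                if (!verifyCallback.isVerified()) {
                    // Log the outcome only; the token itself must never reach the log.
                    ElytronMessages.httpBearer.debugf("Token authentication failed.");
                    httpServerRequest.authenticationFailed(
                            ElytronMessages.httpBearer.authenticationFailed(), this::unauthorizedResponse);
                    return;
                }

                // Declared with the concrete type: isAuthorized() is not part of Callback.
                // AuthorizeCallback starts out unauthorized, so a handler that ignores or
                // does not support the callback results in a 403 rather than access.
                AuthorizeCallback authorizeCallback = new AuthorizeCallback(null, null);
                handleCallback(authorizeCallback);
                if (!authorizeCallback.isAuthorized()) {
                    ElytronMessages.httpBearer.debugf("Token authorization failed.");
                    httpServerRequest.authenticationFailed(
                            "Authorization failed.", response -> response.setStatusCode(403));
                    return;
                }

                ElytronMessages.httpBearer.debugf("Token authentication successful.");
                // Hand the token to the handler as a credential of the authenticated identity
                // before signalling completion.
                handleCallback(new IdentityCredentialCallback(
                        new BearerTokenCredential(tokenEvidence.getToken()), true));
                handleCallback(AuthenticationCompleteCallback.SUCCEEDED);
                httpServerRequest.authenticationComplete();
                return;
            }
        }
        httpServerRequest.noAuthenticationInProgress(this::unauthorizedResponse);
    }

    /**
     * Passes a single callback to the configured handler.
     *
     * <p>An unsupported callback is traced and otherwise ignored, leaving the callback in
     * whatever state it was constructed with. Callers that make a security decision must
     * therefore inspect the callback afterwards, as {@link #evaluateRequest} does.
     * NOTE(review): this relies on EvidenceVerifyCallback starting out unverified; confirm.
     *
     * @param callback the callback to handle
     * @throws HttpAuthenticationException if the handler fails with a mechanism error
     */
    private void handleCallback(Callback callback) throws HttpAuthenticationException {
        try {
            MechanismUtil.handleCallbacks(ElytronMessages.httpBearer, this.callbackHandler, callback);
        } catch (UnsupportedCallbackException ignored) {
            // Deliberately best-effort: not every handler supports every callback.
            ElytronMessages.httpBearer.tracef("Unsupported callback [%s]", callback);
        } catch (AuthenticationMechanismException e) {
            throw e.toHttpAuthenticationException();
        }
    }

    /**
     * Writes a 401 response with a {@code WWW-Authenticate: Bearer} challenge, adding the
     * realm parameter when a realm name is available.
     *
     * @param httpServerResponse the response to populate
     * @throws HttpAuthenticationException if the realm lookup fails
     */
    private void unauthorizedResponse(HttpServerResponse httpServerResponse) throws HttpAuthenticationException {
        StringBuilder challenge = new StringBuilder("Bearer");
        String realmName = getRealmName();
        if (realmName != null) {
            // NOTE(review): the realm name is placed inside a quoted-string without escaping.
            // It comes from the callback handler, presumably server configuration; a name
            // containing '"', '\\' or line breaks would yield a malformed header. Confirm that
            // realm names are constrained where they are configured.
            // The closing quote is a plain literal so the header format does not depend on a
            // constant from an unrelated class.
            challenge.append(" ").append(HttpConstants.REALM).append("=\"").append(realmName).append("\"");
        }
        httpServerResponse.addResponseHeader("WWW-Authenticate", challenge.toString());
        httpServerResponse.setStatusCode(401);
    }

    /**
     * Asks the callback handler for the available realms and returns the first one.
     *
     * @return the first realm name, or {@code null} if none is reported or the handler does
     *         not support {@link AvailableRealmsCallback}
     * @throws HttpAuthenticationException if the handler fails with an I/O error
     */
    private String getRealmName() throws HttpAuthenticationException {
        try {
            AvailableRealmsCallback realmsCallback = new AvailableRealmsCallback();
            this.callbackHandler.handle(new Callback[] {realmsCallback});
            String[] realmNames = realmsCallback.getRealmNames();
            return (realmNames != null && realmNames.length > 0) ? realmNames[0] : null;
        } catch (IOException e) {
            throw ElytronMessages.httpBearer.mechCallbackHandlerFailedForUnknownReason(e).toHttpAuthenticationException();
        } catch (UnsupportedCallbackException ignored) {
            // The realm parameter is optional in the challenge, so its absence is not an error.
            return null;
        }
    }
}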
