package org.keycloak.adapters.camel.undertow;

import io.undertow.security.api.SecurityContext;
import io.undertow.security.idm.Account;
import io.undertow.security.idm.Credential;
import io.undertow.security.idm.IdentityManager;
import io.undertow.security.impl.SecurityContextImpl;
import io.undertow.server.HttpServerExchange;
import io.undertow.server.session.InMemorySessionManager;
import io.undertow.server.session.SessionManager;
import io.undertow.util.AttachmentKey;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.regex.Pattern;
import org.apache.camel.Processor;
import org.apache.camel.component.undertow.UndertowConsumer;
import org.keycloak.KeycloakPrincipal;
import org.keycloak.adapters.AdapterDeploymentContext;
import org.keycloak.adapters.AdapterTokenStore;
import org.keycloak.adapters.AuthenticatedActionsHandler;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.NodesRegistrationManagement;
import org.keycloak.adapters.PreAuthActionsHandler;
import org.keycloak.adapters.spi.AuthChallenge;
import org.keycloak.adapters.spi.AuthOutcome;
import org.keycloak.adapters.spi.HttpFacade;
import org.keycloak.adapters.spi.InMemorySessionIdMapper;
import org.keycloak.adapters.spi.SessionIdMapper;
import org.keycloak.adapters.undertow.KeycloakUndertowAccount;
import org.keycloak.adapters.undertow.OIDCUndertowHttpFacade;
import org.keycloak.adapters.undertow.SessionManagementBridge;
import org.keycloak.adapters.undertow.UndertowCookieTokenStore;
import org.keycloak.adapters.undertow.UndertowRequestAuthenticator;
import org.keycloak.adapters.undertow.UndertowSessionTokenStore;
import org.keycloak.adapters.undertow.UndertowUserSessionManagement;
import org.keycloak.enums.TokenStore;

/* loaded from: input_file:org/keycloak/adapters/camel/undertow/UndertowKeycloakConsumer.class */
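/**
 * Camel Undertow consumer that gates every incoming exchange behind Keycloak OIDC
 * authentication and a role allow-list before the exchange reaches the Camel route.
 *
 * <p>Request flow in {@link #handleRequest(HttpServerExchange)}: paths matching the
 * configured skip pattern bypass authentication entirely; everything else is dispatched
 * off the I/O thread, run through Keycloak's pre-auth actions, authenticated via an
 * {@link UndertowRequestAuthenticator}, and finally checked against {@code allowedRoles}.
 * Every deny decision answers with HTTP 403, so the consumer fails closed.
 *
 * <p>The {@link KeycloakPrincipal} of an authenticated caller is attached to the exchange
 * under {@link #KEYCLOAK_PRINCIPAL_KEY} so downstream processors can read the identity.
 */
public class UndertowKeycloakConsumer extends UndertowConsumer {
    private static final Logger LOG = Logger.getLogger(UndertowKeycloakConsumer.class.getName());

    /** Exchange attachment carrying the authenticated caller's principal for downstream processors. */
    public static final AttachmentKey<KeycloakPrincipal> KEYCLOAK_PRINCIPAL_KEY = AttachmentKey.create(KeycloakPrincipal.class);

    /** Status returned for every deny decision (unconfigured deployment, failed auth, missing role). */
    private static final int FORBIDDEN = 403;

    /**
     * Identity manager backing the fallback {@link SecurityContextImpl} created when the
     * exchange has no security context of its own. Keycloak does the real verification, so
     * only the pass-through {@code verify(Account)} is expected; the credential-based
     * overloads fail loudly rather than silently accept anything.
     */
    private static final IdentityManager IDENTITY_MANAGER = new IdentityManager() {
        @Override
        public Account verify(Account account) {
            return account;
        }

        @Override
        public Account verify(String str, Credential credential) {
            throw new IllegalStateException("Should never be called in Keycloak flow");
        }

        @Override
        public Account verify(Credential credential) {
            throw new IllegalStateException("Should never be called in Keycloak flow");
        }
    };

    // Created in the constructor; not consulted on the request path shown in this class.
    protected SessionIdMapper idMapper;
    // Created in the constructor; not consulted on the request path shown in this class.
    protected final NodesRegistrationManagement nodesRegistrationManagement;
    private final UndertowUserSessionManagement userSessionManagement;
    protected final AdapterDeploymentContext deploymentContext;
    protected final SessionManager sessionManager;
    /** Roles of which the caller must hold at least one; an empty list permits nobody. */
    protected final List<String> allowedRoles;
    private final int confidentialPort;
    /** Request paths fully matching this pattern skip authentication; {@code null} disables skipping. */
    private final Pattern skipPattern;

    /**
     * Creates the consumer.
     *
     * @param undertowKeycloakEndpoint endpoint this consumer serves; its URI names the in-memory session manager
     * @param processor                Camel processor that receives authenticated, authorized exchanges
     * @param adapterDeploymentContext resolves the {@link KeycloakDeployment} per request
     * @param pattern                  skip pattern for unauthenticated paths, or {@code null} for none
     * @param list                     allowed roles, or {@code null} which is treated as an empty list (deny all)
     * @param i                        confidential (SSL) port passed to the request authenticator
     */
    public UndertowKeycloakConsumer(UndertowKeycloakEndpoint undertowKeycloakEndpoint, Processor processor, AdapterDeploymentContext adapterDeploymentContext, Pattern pattern, List<String> list, int i) {
        super(undertowKeycloakEndpoint, processor);
        this.idMapper = new InMemorySessionIdMapper();
        this.nodesRegistrationManagement = new NodesRegistrationManagement();
        this.userSessionManagement = new UndertowUserSessionManagement();
        this.sessionManager = new InMemorySessionManager(undertowKeycloakEndpoint.getEndpointUri());
        this.deploymentContext = adapterDeploymentContext;
        this.skipPattern = pattern;
        this.confidentialPort = i;
        // A missing allow-list denies everything rather than allowing everything.
        this.allowedRoles = list == null ? Collections.<String>emptyList() : list;
    }

    /** @return the confidential (SSL) port handed to the request authenticator */
    public int getConfidentialPort() {
        return this.confidentialPort;
    }

    /**
     * Authenticates and authorizes the exchange, then delegates to the Camel route.
     *
     * <p>Terminates the exchange with 403 when the deployment is not configured, when
     * authentication fails without a challenge, when no Keycloak account is present after
     * authentication, or when the caller holds none of {@code allowedRoles}. When the
     * authenticator supplies a challenge it is written to the response instead.
     *
     * @param httpServerExchange the current exchange
     * @throws Exception propagated from the Camel route or the Keycloak handlers
     */
    @Override
    public void handleRequest(HttpServerExchange httpServerExchange) throws Exception {
        if (shouldSkip(httpServerExchange.getRequestPath())) {
            super.handleRequest(httpServerExchange);
            return;
        }
        // Token validation and challenges may block; leave the I/O thread before doing them.
        if (httpServerExchange.isInIoThread()) {
            httpServerExchange.dispatch(this);
            return;
        }
        OIDCUndertowHttpFacade facade = new OIDCUndertowHttpFacade(httpServerExchange);
        KeycloakDeployment deployment = this.deploymentContext.resolveDeployment(facade);
        if (deployment == null || !deployment.isConfigured()) {
            // Fail closed: without a usable adapter configuration nothing is served.
            httpServerExchange.setStatusCode(FORBIDDEN);
            LOG.fine("deployment not configured");
            return;
        }
        LOG.fine("executing PreAuthActionsHandler");
        PreAuthActionsHandler preAuthActions = new PreAuthActionsHandler(
                new SessionManagementBridge(this.userSessionManagement, this.sessionManager),
                this.deploymentContext, facade);
        if (preAuthActions.handleRequest()) {
            // Pre-auth actions (e.g. admin callbacks) fully answered the request.
            return;
        }
        SecurityContext securityContext = httpServerExchange.getSecurityContext();
        if (securityContext == null) {
            securityContext = new SecurityContextImpl(httpServerExchange, IDENTITY_MANAGER);
        }
        AdapterTokenStore tokenStore = getTokenStore(httpServerExchange, facade, deployment, securityContext);
        tokenStore.checkCurrentToken();
        LOG.fine("executing AuthenticatedActionsHandler");
        UndertowRequestAuthenticator authenticator = new UndertowRequestAuthenticator(
                facade, deployment, this.confidentialPort, securityContext, httpServerExchange, tokenStore);
        if (authenticator.authenticate() != AuthOutcome.AUTHENTICATED) {
            AuthChallenge challenge = authenticator.getChallenge();
            if (challenge == null) {
                httpServerExchange.setStatusCode(FORBIDDEN);
            } else {
                LOG.fine("challenge");
                challenge.challenge(facade);
            }
            return;
        }
        LOG.fine("AUTHENTICATED");
        if (httpServerExchange.isResponseComplete()
                || new AuthenticatedActionsHandler(deployment, facade).handledRequest()) {
            return;
        }
        Account account = securityContext.getAuthenticatedAccount();
        if (!(account instanceof KeycloakUndertowAccount)) {
            // An AUTHENTICATED outcome without a Keycloak account is unexpected; deny instead of NPE.
            LOG.fine("no KeycloakUndertowAccount in security context");
            httpServerExchange.setStatusCode(FORBIDDEN);
            return;
        }
        KeycloakUndertowAccount keycloakAccount = (KeycloakUndertowAccount) account;
        httpServerExchange.putAttachment(KEYCLOAK_PRINCIPAL_KEY, keycloakAccount.getPrincipal());
        Set<String> roles = keycloakAccount.getRoles();
        if (roles == null) {
            roles = Collections.emptySet();
        }
        LOG.log(Level.FINE, "Allowed roles: {0}, current roles: {1}", new Object[]{this.allowedRoles, roles});
        if (isRoleAllowed(roles, httpServerExchange)) {
            super.handleRequest(httpServerExchange);
        } else {
            httpServerExchange.setStatusCode(FORBIDDEN);
        }
    }

    /**
     * Returns whether the caller holds at least one of the configured {@code allowedRoles}.
     * An empty allow-list (including a {@code null} list passed to the constructor) permits nobody.
     *
     * @param set                roles held by the authenticated caller; must not be {@code null}
     * @param httpServerExchange the current exchange (unused here; available to overrides)
     * @return {@code true} if any allowed role is present in {@code set}
     * @throws Exception never thrown by this implementation; declared for overrides
     */
    public boolean isRoleAllowed(Set<String> set, HttpServerExchange httpServerExchange) throws Exception {
        for (String allowedRole : this.allowedRoles) {
            if (set.contains(allowedRole)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Selects the token store matching the deployment's configured {@link TokenStore}:
     * the Undertow session for {@link TokenStore#SESSION}, a cookie store otherwise.
     *
     * @param httpServerExchange the current exchange
     * @param httpFacade         facade over the exchange used by the cookie store
     * @param keycloakDeployment resolved deployment whose token-store setting decides
     * @param securityContext    security context the store authenticates into
     * @return the token store for this request
     */
    protected AdapterTokenStore getTokenStore(HttpServerExchange httpServerExchange, HttpFacade httpFacade, KeycloakDeployment keycloakDeployment, SecurityContext securityContext) {
        if (keycloakDeployment.getTokenStore() == TokenStore.SESSION) {
            return new UndertowSessionTokenStore(httpServerExchange, keycloakDeployment, this.userSessionManagement, securityContext);
        }
        return new UndertowCookieTokenStore(httpFacade, keycloakDeployment, securityContext);
    }

    /**
     * Returns whether {@code str} bypasses authentication. Uses {@link java.util.regex.Matcher#matches()},
     * so the skip pattern must match the whole request path, not just a prefix.
     *
     * @param str the request path
     * @return {@code true} when a skip pattern is configured and fully matches the path
     */
    private boolean shouldSkip(String str) {
        return this.skipPattern != null && this.skipPattern.matcher(str).matches();
    }
}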
