package org.keycloak.adapters.as7;

import java.io.IOException;
import java.util.Collections;
import java.util.Iterator;
import java.util.Set;
import org.apache.catalina.Session;
import org.apache.catalina.connector.Request;
import org.apache.catalina.realm.GenericPrincipal;
import org.jboss.logging.Logger;
import org.keycloak.KeycloakPrincipal;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.OAuthRequestAuthenticator;
import org.keycloak.adapters.RefreshableKeycloakSecurityContext;
import org.keycloak.adapters.RequestAuthenticator;
import org.keycloak.representations.AccessToken;

/* loaded from: input_file:org/keycloak/adapters/as7/CatalinaRequestAuthenticator.class */
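/**
 * Request authenticator that binds the outcome of a Keycloak OAuth or bearer-token
 * authentication to a Catalina {@link Request} and its {@link Session}.
 *
 * <p>OAuth logins are stored on the session (principal, auth type and the
 * {@link KeycloakSecurityContext} as a session note) so later requests can be served from
 * that cached state via {@link #isCached()}. Bearer authentications are attached to the
 * current request only.
 *
 * <p>NOTE(review): the overridden methods are presumably declared by
 * {@link RequestAuthenticator}; that class is not visible here, so {@code @Override} is
 * not added.
 */
public class CatalinaRequestAuthenticator extends RequestAuthenticator {
    private static final Logger log = Logger.getLogger(CatalinaRequestAuthenticator.class);

    /** Session note key that is checked before a saved request is restored. */
    private static final String SAVED_REQUEST_NOTE = "org.apache.catalina.authenticator.REQUEST";

    protected KeycloakAuthenticatorValve valve;
    protected CatalinaUserSessionManagement userSessionManagement;
    protected Request request;

    /**
     * Creates an authenticator for a single request.
     *
     * @param keycloakDeployment deployment configuration passed to the superclass
     * @param keycloakAuthenticatorValve valve used to save and restore the original request
     * @param catalinaUserSessionManagement registry that is told about new OAuth logins
     * @param catalinaHttpFacade HTTP facade passed to the superclass
     * @param request the Catalina request being authenticated; its connector's redirect
     *     port is passed to the superclass as the SSL redirect port
     */
    public CatalinaRequestAuthenticator(KeycloakDeployment keycloakDeployment, KeycloakAuthenticatorValve keycloakAuthenticatorValve, CatalinaUserSessionManagement catalinaUserSessionManagement, CatalinaHttpFacade catalinaHttpFacade, Request request) {
        super(catalinaHttpFacade, keycloakDeployment, request.getConnector().getRedirectPort());
        this.valve = keycloakAuthenticatorValve;
        this.userSessionManagement = catalinaUserSessionManagement;
        this.request = request;
    }

    /**
     * Builds the OAuth authenticator for this request. Its {@code saveRequest()} hook
     * delegates to the valve so the original request can be restored after login.
     *
     * @return a new OAuth authenticator bound to this request
     */
    protected OAuthRequestAuthenticator createOAuthAuthenticator() {
        return new OAuthRequestAuthenticator(this.facade, this.deployment, this.sslRedirectPort) {
            protected void saveRequest() {
                try {
                    CatalinaRequestAuthenticator.this.valve.keycloakSaveRequest(CatalinaRequestAuthenticator.this.request);
                } catch (IOException e) {
                    // The hook cannot declare IOException; keep the cause for diagnosis.
                    throw new RuntimeException("Failed to save original request", e);
                }
            }
        };
    }

    /**
     * Stores a completed OAuth login on the HTTP session, creating the session if none
     * exists, and registers the session under the token subject.
     *
     * <p>NOTE(review): the session identifier is not changed in this method. Confirm that
     * the valve or the container rotates it at login; otherwise an identifier issued
     * before authentication stays valid for the authenticated session (session fixation).
     *
     * @param keycloakPrincipal the authenticated Keycloak principal
     * @param refreshableKeycloakSecurityContext security context holding the access token
     */
    protected void completeOAuthAuthentication(KeycloakPrincipal keycloakPrincipal, RefreshableKeycloakSecurityContext refreshableKeycloakSecurityContext) {
        Set<String> roles = getRolesFromToken(refreshableKeycloakSecurityContext);
        GenericPrincipal containerPrincipal = new CatalinaSecurityContextHelper().createPrincipal(this.request.getContext().getRealm(), keycloakPrincipal, roles, refreshableKeycloakSecurityContext);

        Session session = this.request.getSessionInternal(true);
        session.setPrincipal(containerPrincipal);
        session.setAuthType("OAUTH");
        session.setNote(KeycloakSecurityContext.class.getName(), refreshableKeycloakSecurityContext);

        String subject = refreshableKeycloakSecurityContext.getToken().getSubject();
        log.debug("userSessionManage.login: " + subject);
        this.userSessionManagement.login(session, subject);
    }

    /**
     * Attaches a completed bearer-token authentication to the current request. Nothing is
     * written to the HTTP session.
     *
     * @param keycloakPrincipal the authenticated Keycloak principal
     * @param refreshableKeycloakSecurityContext security context holding the access token
     */
    protected void completeBearerAuthentication(KeycloakPrincipal keycloakPrincipal, RefreshableKeycloakSecurityContext refreshableKeycloakSecurityContext) {
        Set<String> roles = getRolesFromToken(refreshableKeycloakSecurityContext);
        // Granted roles are authorization data and this runs on every bearer request:
        // log them at DEBUG only, so default (INFO) logs neither expose nor get flooded
        // with them.
        if (log.isDebugEnabled()) {
            for (String role : roles) {
                log.debug("Bearer role: " + role);
            }
        }
        GenericPrincipal containerPrincipal = new CatalinaSecurityContextHelper().createPrincipal(this.request.getContext().getRealm(), keycloakPrincipal, roles, refreshableKeycloakSecurityContext);
        this.request.setUserPrincipal(containerPrincipal);
        this.request.setAuthType("KEYCLOAK");
        this.request.setAttribute(KeycloakSecurityContext.class.getName(), refreshableKeycloakSecurityContext);
    }

    /**
     * Selects the role set that applies to this deployment: the roles of the deployment's
     * own resource when resource role mappings are enabled, the realm roles otherwise.
     *
     * @param refreshableKeycloakSecurityContext security context holding the access token
     * @return the roles from the token, or an empty set when the token carries no matching
     *     access entry or that entry has no roles; never {@code null}
     */
    protected Set<String> getRolesFromToken(RefreshableKeycloakSecurityContext refreshableKeycloakSecurityContext) {
        AccessToken token = refreshableKeycloakSecurityContext.getToken();
        AccessToken.Access access = this.deployment.isUseResourceRoleMappings()
                ? token.getResourceAccess(this.deployment.getResourceName())
                : token.getRealmAccess();
        Set<String> roles = access == null ? null : access.getRoles();
        return roles == null ? Collections.<String>emptySet() : roles;
    }

    /**
     * Serves the request from an authentication already stored on the session.
     *
     * <p>The session is looked up once, without creating one, and that same reference is
     * used for every read. Re-fetching it with the creating variant could silently produce
     * a fresh, unauthenticated session if the original one is invalidated in between.
     *
     * @return {@code true} if a session with a principal exists and the request was
     *     populated from it, {@code false} otherwise
     */
    protected boolean isCached() {
        Session session = this.request.getSessionInternal(false);
        if (session == null) {
            return false;
        }
        java.security.Principal cachedPrincipal = session.getPrincipal();
        if (cachedPrincipal == null) {
            return false;
        }
        log.debug("remote logged in already");
        this.request.setUserPrincipal(cachedPrincipal);
        this.request.setAuthType("KEYCLOAK");

        RefreshableKeycloakSecurityContext cachedContext = (RefreshableKeycloakSecurityContext) session.getNote(KeycloakSecurityContext.class.getName());
        if (cachedContext != null) {
            // The context came out of the session; point it at the current deployment.
            cachedContext.setDeployment(this.deployment);
            this.request.setAttribute(KeycloakSecurityContext.class.getName(), cachedContext);
        }
        restoreRequest();
        return true;
    }

    /**
     * Restores the request that was saved before the login redirect, if the session holds
     * one. Does nothing when there is no session; no session is created by this lookup.
     *
     * @throws RuntimeException if the valve reports that the restore failed
     */
    protected void restoreRequest() {
        Session session = this.request.getSessionInternal(false);
        if (session == null || session.getNote(SAVED_REQUEST_NOTE) == null) {
            return;
        }
        if (!this.valve.keycloakRestoreRequest(this.request)) {
            log.debug("Restore of original request failed");
            throw new RuntimeException("Restore of original request failed");
        }
        log.debug("restoreRequest");
    }
}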
