package org.keycloak.services.managers;

import java.util.Iterator;
import java.util.Map;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriInfo;
import org.jboss.logging.Logger;
import org.jboss.resteasy.spi.HttpRequest;
import org.keycloak.ClientConnection;
import org.keycloak.events.EventBuilder;
import org.keycloak.login.LoginFormsProvider;
import org.keycloak.models.ClientSessionModel;
import org.keycloak.models.CredentialValidationOutput;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RequiredCredentialModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.oidc.TokenManager;
import org.keycloak.services.ErrorPage;
import org.keycloak.services.messages.Messages;
import org.keycloak.services.resources.Cors;

/* loaded from: input_file:org/keycloak/services/managers/HttpAuthenticationManager.class */
public class HttpAuthenticationManager {
    private static final Logger logger = Logger.getLogger(HttpAuthenticationManager.class);

    /** Required-credential type that marks a realm as accepting SPNEGO/Kerberos logins. */
    private static final String KERBEROS_CREDENTIAL_TYPE = "kerberos";
    /** HTTP authentication scheme used for SPNEGO (compared case-insensitively on input). */
    private static final String NEGOTIATE_SCHEME = "Negotiate";
    /** Value recorded as the auth method on the user session and in the event. */
    private static final String SPNEGO_AUTH_METHOD = "spnego";
    /** Key under which the credential provider may place a token to return to the client. */
    private static final String SPNEGO_RESPONSE_TOKEN_KEY = "SpnegoResponseToken";
    private static final String WWW_AUTHENTICATE_HEADER = "WWW-Authenticate";
    private static final String USER_DISABLED_EVENT_ERROR = "user_disabled";

    private KeycloakSession session;
    private RealmModel realm;
    private UriInfo uriInfo;
    private HttpRequest request;
    private EventBuilder event;
    private ClientConnection clientConnection;
    private ClientSessionModel clientSession;

    /**
     * Callback that writes an HTTP authentication challenge onto the login form response.
     */
    public interface HttpAuthChallenge {
        /**
         * Applies the challenge (status and headers) to the given form provider.
         *
         * @param loginFormsProvider the provider building the outgoing response
         */
        void sendChallenge(LoginFormsProvider loginFormsProvider);
    }

    /**
     * Outcome of an HTTP authentication attempt: either a finished {@link Response}, a
     * {@link HttpAuthChallenge} to send back, or neither when the mechanism does not apply.
     * Exactly one of the two (or none) is non-null; this class does not enforce that itself.
     */
    public class HttpAuthOutput {
        private final Response response;
        private final HttpAuthChallenge challenge;

        /**
         * @param response         finished response, or {@code null}
         * @param httpAuthChallenge challenge to send, or {@code null}
         */
        public HttpAuthOutput(Response response, HttpAuthChallenge httpAuthChallenge) {
            this.response = response;
            this.challenge = httpAuthChallenge;
        }

        /** @return the finished response, or {@code null} if there is none */
        public Response getResponse() {
            return this.response;
        }

        /** @return the challenge to send, or {@code null} if there is none */
        public HttpAuthChallenge getChallenge() {
            return this.challenge;
        }
    }

    /**
     * Creates a manager bound to one request.
     *
     * @param keycloakSession    current Keycloak session
     * @param clientSessionModel client session the login is performed for
     * @param realmModel         realm whose required credentials decide whether SPNEGO applies
     * @param uriInfo            request URI information
     * @param httpRequest        incoming request (source of the Authorization header)
     * @param clientConnection   connection information (remote address is recorded on the user session)
     * @param eventBuilder       event builder used for success/error auditing
     */
    public HttpAuthenticationManager(KeycloakSession keycloakSession, ClientSessionModel clientSessionModel, RealmModel realmModel, UriInfo uriInfo, HttpRequest httpRequest, ClientConnection clientConnection, EventBuilder eventBuilder) {
        this.session = keycloakSession;
        this.clientSession = clientSessionModel;
        this.realm = realmModel;
        this.uriInfo = uriInfo;
        this.request = httpRequest;
        this.clientConnection = clientConnection;
        this.event = eventBuilder;
    }

    /**
     * Attempts SPNEGO (Kerberos) authentication from the request's {@code Authorization} header.
     * <p>
     * Applies only when the realm lists a required credential of type {@code kerberos}; otherwise an
     * empty output is returned and the caller falls through to other mechanisms. When SPNEGO applies,
     * the header must be exactly {@code Negotiate <token>} (two space-separated parts, scheme matched
     * case-insensitively); anything else - including a missing header - yields a bare
     * {@code Negotiate} challenge. A token is validated through the realm's user provider: on
     * {@code AUTHENTICATED} a user session is created, otherwise the challenge carries back any
     * {@code SpnegoResponseToken} the provider placed in its state. The client token itself is never
     * written to the log.
     *
     * @param httpHeaders request headers; only forwarded to {@link #sendResponse}, the header is read
     *                    from {@link #request}
     * @return the outcome - response, challenge, or neither when SPNEGO is not enabled for the realm
     */
    public HttpAuthOutput spnegoAuthenticate(HttpHeaders httpHeaders) {
        boolean spnegoEnabled = realmRequiresKerberos();
        if (logger.isTraceEnabled()) {
            logger.trace(spnegoEnabled ? "SPNEGO authentication is supported" : "SPNEGO authentication is not supported");
        }
        if (!spnegoEnabled) {
            return new HttpAuthOutput(null, null);
        }

        String authorization = (String) this.request.getHttpHeaders().getRequestHeaders().getFirst(Cors.AUTHORIZATION_HEADER);
        if (authorization == null) {
            return challengeNegotiation(null);
        }

        // Strictly "<scheme> <token>"; extra or missing parts are treated as no usable credential.
        String[] parts = authorization.split(" ");
        if (parts.length != 2) {
            logger.warn("Invalid length of tokens: " + parts.length);
            return challengeNegotiation(null);
        }
        String scheme = parts[0];
        if (!NEGOTIATE_SCHEME.equalsIgnoreCase(scheme)) {
            // Only the scheme name is logged, never the credential material.
            logger.warn("Unknown scheme " + scheme);
            return challengeNegotiation(null);
        }

        UserCredentialModel[] credentials = new UserCredentialModel[]{UserCredentialModel.kerberos(parts[1])};
        CredentialValidationOutput validation = this.session.users().validCredentials(this.realm, credentials);
        if (validation.getAuthStatus() == CredentialValidationOutput.Status.AUTHENTICATED) {
            return sendResponse(validation.getAuthenticatedUser(), validation.getState(), SPNEGO_AUTH_METHOD, httpHeaders);
        }
        // Not (yet) authenticated: hand any provider-supplied response token back to the client.
        String responseToken = (String) validation.getState().get(SPNEGO_RESPONSE_TOKEN_KEY);
        return challengeNegotiation(responseToken);
    }

    /**
     * @return {@code true} if any of the realm's required credentials is of type {@code kerberos}
     */
    private boolean realmRequiresKerberos() {
        for (RequiredCredentialModel required : this.realm.getRequiredCredentials()) {
            if (required.getType().equals(KERBEROS_CREDENTIAL_TYPE)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Completes a successful credential validation: creates the user session, copies the provider
     * state onto it as notes, attaches the client session, records the event and resolves the next
     * action. A disabled user produces a {@code user_disabled} event error and the account-disabled
     * error page instead; no session is created in that case.
     *
     * @param userModel   the authenticated user
     * @param stateNotes  provider state, each entry stored as a user-session note
     * @param authMethod  auth method name recorded on the session and event
     * @param httpHeaders request headers; currently unused, kept for signature compatibility
     * @return output holding the next response and no challenge
     */
    private HttpAuthOutput sendResponse(UserModel userModel, Map<String, String> stateNotes, String authMethod, HttpHeaders httpHeaders) {
        String username = userModel.getUsername();
        if (logger.isTraceEnabled()) {
            logger.trace("User " + username + " authenticated with " + authMethod);
        }

        if (!userModel.isEnabled()) {
            this.event.error(USER_DISABLED_EVENT_ERROR);
            Response disabledPage = ErrorPage.error(this.session, Messages.ACCOUNT_DISABLED, new Object[0]);
            return new HttpAuthOutput(disabledPage, null);
        }

        UserSessionModel userSession = this.session.sessions().createUserSession(this.realm, userModel, username, this.clientConnection.getRemoteAddr(), authMethod, false, (String) null, (String) null);
        for (Map.Entry<String, String> note : stateNotes.entrySet()) {
            userSession.setNote(note.getKey(), note.getValue());
        }
        TokenManager.attachClientSession(userSession, this.clientSession);
        this.event.user(userModel)
                .session(userSession)
                .detail("auth_method", authMethod)
                .detail("username", username);
        Response next = AuthenticationManager.nextActionAfterAuthentication(this.session, userSession, this.clientSession, this.clientConnection, this.request, this.uriInfo, this.event);
        return new HttpAuthOutput(next, null);
    }

    /**
     * Builds a 401 {@code WWW-Authenticate: Negotiate} challenge, optionally carrying a server
     * response token for the client's GSS context.
     * <p>
     * The full header value, including the response token, is written to the log at trace level,
     * so trace logging of this class should only be enabled in controlled environments.
     *
     * @param responseToken token to append after the scheme, or {@code null} for a bare challenge
     * @return output holding the challenge and no response
     */
    private HttpAuthOutput challengeNegotiation(final String responseToken) {
        final String headerValue = responseToken == null
                ? NEGOTIATE_SCHEME
                : NEGOTIATE_SCHEME + " " + responseToken;
        HttpAuthChallenge challenge = new HttpAuthChallenge() {
            @Override
            public void sendChallenge(LoginFormsProvider loginFormsProvider) {
                if (logger.isTraceEnabled()) {
                    logger.trace("Sending back WWW-Authenticate: " + headerValue);
                }
                loginFormsProvider.setStatus(Response.Status.UNAUTHORIZED);
                loginFormsProvider.setResponseHeader(WWW_AUTHENTICATE_HEADER, headerValue);
            }
        };
        return new HttpAuthOutput(null, challenge);
    }
}
