package org.keycloak.authentication.authenticators.x509;

import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.LinkedList;
import java.util.List;
import javax.ws.rs.core.Response;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator;
import org.keycloak.forms.login.LoginFormsProvider;
import org.keycloak.models.ModelDuplicateException;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.FormMessage;
import org.keycloak.services.ServicesLogger;

/* loaded from: input_file:org/keycloak/authentication/authenticators/x509/X509ClientCertificateAuthenticator.class */
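/**
 * Browser authenticator that establishes the user from the X.509 client certificate
 * chain presented during mutual TLS.
 *
 * <p>The flow is: validate the chain (revocation, key usage, extended key usage) against the
 * authenticator's configuration, extract a user identity from the certificate, map it to a
 * {@link UserModel}, apply the enabled / brute-force checks, and then either finish the flow
 * directly or show the {@code login-x509-info.ftl} confirmation page, whose submission is
 * handled by {@link #action(AuthenticationFlowContext)}.
 *
 * <p>Every failure path calls {@code attempted()} rather than {@code failure()}, so this
 * authenticator never decides the outcome of the flow on its own; an alternative
 * authenticator in the same flow may still authenticate the user.
 */
public class X509ClientCertificateAuthenticator extends AbstractX509ClientCertificateAuthenticator {
    protected static ServicesLogger logger = ServicesLogger.LOGGER;

    /** Nothing to release: this authenticator holds no per-request resources. */
    @Override // org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateAuthenticator
    public void close() {
    }

    /**
     * Authenticates the request from the client certificate chain, if one is present.
     *
     * <p>Exceptions raised while validating the chain or mapping the identity produce an error
     * page plus {@code attempted()}; any other exception is logged with its stack trace and
     * also ends in {@code attempted()}, so a broken configuration cannot let the request
     * through.
     *
     * @param authenticationFlowContext the current authentication flow context
     */
    public void authenticate(AuthenticationFlowContext authenticationFlowContext) {
        try {
            dumpContainerAttributes(authenticationFlowContext);
            X509Certificate[] certificateChain = getCertificateChain(authenticationFlowContext);
            if (certificateChain == null || certificateChain.length == 0) {
                logger.debug("[X509ClientCertificateAuthenticator:authenticate] x509 client certificate is not available for mutual SSL.");
                authenticationFlowContext.attempted();
                return;
            }
            X509AuthenticatorConfigModel config = loadConfig(authenticationFlowContext);
            if (config == null) {
                logger.warn("[X509ClientCertificateAuthenticator:authenticate] x509 Client Certificate Authentication configuration is not available.");
                authenticationFlowContext.challenge(createInfoResponse(authenticationFlowContext, "X509 client authentication has not been configured yet", new Object[0]));
                authenticationFlowContext.attempted();
                return;
            }
            try {
                // Chain validation is deliberately done before anything is read from the
                // certificate; an invalid or revoked chain never reaches the identity extractor.
                certificateValidationParameters(config).build(certificateChain).checkRevocationStatus().validateKeyUsage().validateExtendedKeyUsage();
                Object userIdentity = getUserIdentityExtractor(config).extractUserIdentity(certificateChain);
                if (userIdentity == null) {
                    authenticationFlowContext.getEvent().error("invalid_user_credentials");
                    logger.warnf("[X509ClientCertificateAuthenticator:authenticate] Unable to extract user identity from certificate.", new Object[0]);
                    rejectWithError(authenticationFlowContext, certificateChain, "Unable to extract user identity from specified certificate");
                    return;
                }
                try {
                    authenticateIdentity(authenticationFlowContext, config, certificateChain, userIdentity);
                } catch (ModelDuplicateException e) {
                    // More than one user matches the extracted identity; refuse rather than pick one.
                    logger.modelDuplicateException(e);
                    rejectWithError(authenticationFlowContext, certificateChain, "X509 certificate authentication's failed.", e.getMessage());
                }
            } catch (Exception e2) {
                logger.error(e2.getMessage(), e2);
                // NOTE(review): the validator's message is shown to the end user as a detail line
                // of the error page; validators should keep it free of internal detail.
                rejectWithError(authenticationFlowContext, certificateChain, "Certificate validation's failed.", e2.getMessage());
            }
        } catch (Exception e3) {
            // Log the full stack trace, not only the message, so unexpected failures are diagnosable.
            logger.errorf(e3, "[X509ClientCertificateAuthenticator:authenticate] Exception: %s", e3.getMessage());
            authenticationFlowContext.attempted();
        }
    }

    /**
     * Builds the typed configuration for this execution.
     *
     * @return the configuration, or {@code null} when no config (or an empty one) is attached
     *         to the execution
     */
    private static X509AuthenticatorConfigModel loadConfig(AuthenticationFlowContext context) {
        if (context.getAuthenticatorConfig() == null || context.getAuthenticatorConfig().getConfig() == null) {
            return null;
        }
        return new X509AuthenticatorConfigModel(context.getAuthenticatorConfig());
    }

    /**
     * Maps an extracted identity to a user and completes the flow for it.
     *
     * <p>Rejections (unknown, disabled or temporarily locked user) render the error page and
     * mark the execution attempted. On success the user is set on the context and the flow
     * either succeeds immediately or shows the confirmation page, depending on
     * {@code getConfirmationPageDisallowed()}.
     *
     * @throws Exception propagated from the identity-to-model mapper
     */
    private void authenticateIdentity(AuthenticationFlowContext context, X509AuthenticatorConfigModel config,
                                      X509Certificate[] certificateChain, Object userIdentity) throws Exception {
        context.getEvent().detail("username", userIdentity.toString());
        context.getAuthenticationSession().setAuthNote(AbstractUsernameFormAuthenticator.ATTEMPTED_USERNAME, userIdentity.toString());
        UserModel user = getUserIdentityToModelMapper(config).find(context, userIdentity);
        if (invalidUser(context, user)) {
            rejectWithError(context, certificateChain, "X509 certificate authentication's failed.", "Invalid user");
            return;
        }
        if (!userEnabled(context, user)) {
            rejectWithError(context, certificateChain, "X509 certificate authentication's failed.", "User is disabled");
            return;
        }
        // Brute-force lockout is honoured here too: a valid certificate must not bypass a temporary lock.
        if (context.getRealm().isBruteForceProtected() && context.getProtector().isTemporarilyDisabled(context.getSession(), context.getRealm(), user)) {
            context.getEvent().user(user);
            context.getEvent().error("user_temporarily_disabled");
            rejectWithError(context, certificateChain, "X509 certificate authentication's failed.", "User is temporarily disabled. Contact administrator.");
            return;
        }
        context.setUser(user);
        if (config.getConfirmationPageDisallowed()) {
            context.success();
        } else {
            context.forceChallenge(createSuccessResponse(context, subjectName(certificateChain)));
        }
    }

    /** Renders the error page for the end-entity certificate and marks the execution attempted. */
    private void rejectWithError(AuthenticationFlowContext context, X509Certificate[] certificateChain, String message, String... details) {
        context.challenge(createErrorResponse(context, subjectName(certificateChain), message, details));
        context.attempted();
    }

    /**
     * Subject DN of the end-entity certificate (first element of the chain), for display only.
     * {@code getSubjectDN()} is kept because its legacy string form is what the page has
     * always shown; do not use this value for matching.
     */
    private static String subjectName(X509Certificate[] certificateChain) {
        return certificateChain[0].getSubjectDN().getName();
    }

    /**
     * Error variant of the info page: {@code isUserEnabled} is {@code false} and the message
     * plus optional detail lines are shown as form errors.
     */
    private Response createErrorResponse(AuthenticationFlowContext authenticationFlowContext, String subjectDn, String message, String... details) {
        return createResponse(authenticationFlowContext, subjectDn, false, message, details);
    }

    /** Confirmation variant of the info page: {@code isUserEnabled} is {@code true}, no errors. */
    private Response createSuccessResponse(AuthenticationFlowContext authenticationFlowContext, String subjectDn) {
        return createResponse(authenticationFlowContext, subjectDn, true, null, null);
    }

    /**
     * Renders {@code login-x509-info.ftl}.
     *
     * @param subjectDn   subject DN shown on the page
     * @param userEnabled value of the {@code isUserEnabled} template attribute
     * @param message     primary error message; a {@code null} or blank message means no errors are set
     * @param details     extra detail values; each non-null value is split on newlines into one
     *                    error line per line, {@code null} is allowed
     */
    private Response createResponse(AuthenticationFlowContext authenticationFlowContext, String subjectDn, boolean userEnabled, String message, Object[] details) {
        LoginFormsProvider form = authenticationFlowContext.form();
        if (message != null && !message.trim().isEmpty()) {
            List<FormMessage> errors = new ArrayList<>();
            errors.add(new FormMessage(message, new Object[0]));
            if (details != null) {
                for (Object detail : details) {
                    if (detail == null) {
                        continue;
                    }
                    for (String line : detail.toString().split("\n")) {
                        errors.add(new FormMessage(line, new Object[0]));
                    }
                }
            }
            form.setErrors(errors);
        }
        String username = authenticationFlowContext.getUser() != null ? authenticationFlowContext.getUser().getUsername() : "unknown user";
        return form.setAttribute("username", username)
                .setAttribute("subjectDN", subjectDn)
                .setAttribute("isUserEnabled", Boolean.valueOf(userEnabled))
                .createForm("login-x509-info.ftl");
    }

    /**
     * Trace-logs the names (only the names, never the values) of the container request
     * attributes, to help diagnose how the certificate chain is exposed by the container.
     */
    private void dumpContainerAttributes(AuthenticationFlowContext authenticationFlowContext) {
        Enumeration<String> attributeNames = authenticationFlowContext.getHttpRequest().getAttributeNames();
        while (attributeNames.hasMoreElements()) {
            logger.tracef("[X509ClientCertificateAuthenticator:dumpContainerAttributes] \"%s\"", attributeNames.nextElement());
        }
    }

    /**
     * @return {@code true} when the user is enabled; otherwise records a {@code user_disabled}
     *         event error for the user and returns {@code false}
     */
    private boolean userEnabled(AuthenticationFlowContext authenticationFlowContext, UserModel userModel) {
        if (userModel.isEnabled()) {
            return true;
        }
        authenticationFlowContext.getEvent().user(userModel);
        authenticationFlowContext.getEvent().error("user_disabled");
        return false;
    }

    /**
     * @return {@code true} (after recording a {@code user_not_found} event error) when no user
     *         was mapped, {@code false} when one was
     */
    private boolean invalidUser(AuthenticationFlowContext authenticationFlowContext, UserModel userModel) {
        if (userModel != null) {
            return false;
        }
        authenticationFlowContext.getEvent().error("user_not_found");
        return true;
    }

    /**
     * Handles the submission of the confirmation page. A {@code cancel} form parameter
     * clears the user and marks the execution attempted; otherwise the flow succeeds only if
     * {@link #authenticate} already set a user on the context.
     *
     * @param authenticationFlowContext the current authentication flow context
     */
    public void action(AuthenticationFlowContext authenticationFlowContext) {
        if (authenticationFlowContext.getHttpRequest().getDecodedFormParameters().containsKey("cancel")) {
            authenticationFlowContext.clearUser();
            authenticationFlowContext.attempted();
        } else if (authenticationFlowContext.getUser() != null) {
            authenticationFlowContext.success();
        } else {
            authenticationFlowContext.attempted();
        }
    }
}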
