package org.keycloak.adapters.undertow;

import io.undertow.security.api.AuthenticationMechanism;
import io.undertow.security.api.SecurityContext;
import io.undertow.server.HttpServerExchange;
import io.undertow.util.HeaderValues;
import io.undertow.util.Headers;
import java.util.HashSet;
import java.util.Iterator;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.security.cert.X509Certificate;
import org.jboss.logging.Logger;
import org.keycloak.RSATokenVerifier;
import org.keycloak.ResourceMetadata;
import org.keycloak.VerificationException;
import org.keycloak.representations.SkeletonKeyToken;

/* loaded from: input_file:org/keycloak/adapters/undertow/BearerTokenAuthenticator.class */
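/**
 * Authenticates an Undertow request from an {@code Authorization: Bearer <token>} header.
 *
 * <p>The token is verified with {@link RSATokenVerifier#verifyToken} against the supplied
 * {@link ResourceMetadata}. If the verified token requests caller verification, the
 * request must also arrive over TLS with a client certificate chain; the subject DN of the
 * first chain element is then exposed as {@link #getSurrogate()}.
 *
 * <p>Every call to {@link #authenticate} overwrites {@code tokenString}, {@code token},
 * {@code surrogate} and {@code challenge}, so one instance is intended to serve one
 * request at a time; it is not safe to share across concurrent requests.
 */
public class BearerTokenAuthenticator {
    protected ResourceMetadata resourceMetadata;
    protected Logger log = Logger.getLogger(BearerTokenAuthenticator.class);
    /** Raw bearer token taken from the Authorization header; {@code null} until parsed. */
    protected String tokenString;
    /** Verified token; {@code null} until {@link #authenticate} succeeds. */
    protected SkeletonKeyToken token;
    /** When true, caller verification is decided per resource name instead of globally. */
    protected boolean useResourceRoleMappings;
    /** Subject DN of the presented client certificate when caller verification ran; else {@code null}. */
    protected String surrogate;
    /** Challenge to send back for the most recent failed or unattempted authentication. */
    protected KeycloakChallenge challenge;

    /**
     * @param resourceMetadata realm/resource configuration used for token verification and the
     *                         {@code realm} attribute of the {@code WWW-Authenticate} challenge
     * @param z                whether caller verification is looked up by resource name
     */
    public BearerTokenAuthenticator(ResourceMetadata resourceMetadata, boolean z) {
        this.resourceMetadata = resourceMetadata;
        this.useResourceRoleMappings = z;
    }

    /** Challenge produced by the last {@link #authenticate} call that did not authenticate. */
    public KeycloakChallenge getChallenge() {
        return this.challenge;
    }

    public ResourceMetadata getResourceMetadata() {
        return this.resourceMetadata;
    }

    /** Raw bearer token string from the last request, or {@code null} if none was found. */
    public String getTokenString() {
        return this.tokenString;
    }

    /** Verified token from the last request, or {@code null} if verification did not succeed. */
    public SkeletonKeyToken getToken() {
        return this.token;
    }

    /** Subject DN of the client certificate used for caller verification, or {@code null}. */
    public String getSurrogate() {
        return this.surrogate;
    }

    /**
     * Extracts and verifies the bearer token of the given exchange.
     *
     * @return {@code NOT_ATTEMPTED} when no {@code Bearer} credential is present (a 401
     *         challenge is prepared), {@code NOT_AUTHENTICATED} when the token fails
     *         verification or caller verification cannot be satisfied, {@code AUTHENTICATED}
     *         otherwise.
     */
    public AuthenticationMechanism.AuthenticationMechanismOutcome authenticate(HttpServerExchange httpServerExchange) {
        HeaderValues authorization = httpServerExchange.getRequestHeaders().get(Headers.AUTHORIZATION);
        if (authorization == null || authorization.size() == 0) {
            this.challenge = challengeResponse(httpServerExchange, null, null);
            return AuthenticationMechanism.AuthenticationMechanismOutcome.NOT_ATTEMPTED;
        }

        // Only a value of exactly two whitespace-separated parts with a (case-insensitive)
        // "Bearer" scheme is accepted. If several Authorization headers carry a Bearer
        // credential, the last one wins; the earlier ones are silently ignored.
        this.tokenString = null;
        for (String headerValue : authorization) {
            String[] parts = headerValue.trim().split("\\s+");
            if (parts.length == 2 && "Bearer".equalsIgnoreCase(parts[0])) {
                this.tokenString = parts[1];
            }
        }
        if (this.tokenString == null) {
            this.challenge = challengeResponse(httpServerExchange, null, null);
            return AuthenticationMechanism.AuthenticationMechanismOutcome.NOT_ATTEMPTED;
        }

        try {
            this.token = RSATokenVerifier.verifyToken(this.tokenString, this.resourceMetadata);
            boolean verifyCaller = this.useResourceRoleMappings
                    ? this.token.isVerifyCaller(this.resourceMetadata.getResourceName())
                    : this.token.isVerifyCaller();
            this.surrogate = null;
            if (verifyCaller) {
                if (this.token.getTrustedCertificates() == null || this.token.getTrustedCertificates().size() == 0) {
                    this.log.warn("No trusted certificates in token");
                    this.challenge = clientCertChallenge();
                    return AuthenticationMechanism.AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
                }

                // A plain (non-TLS) connection has no SSL session; treat that like "no
                // certificate presented" instead of failing with a NullPointerException.
                X509Certificate[] peerChain = null;
                if (httpServerExchange.getConnection().getSslSessionInfo() != null) {
                    try {
                        peerChain = httpServerExchange.getConnection().getSslSessionInfo().getPeerCertificateChain();
                    } catch (SSLPeerUnverifiedException e) {
                        // No client certificate was verified during the handshake; handled below.
                        this.log.debug("TLS peer not verified, no client certificate available", e);
                    }
                }
                if (peerChain == null || peerChain.length == 0) {
                    this.log.warn("No certificates provided by undertow to verify the caller");
                    this.challenge = clientCertChallenge();
                    return AuthenticationMechanism.AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
                }

                // NOTE(review): the token carries a list of trusted certificates, but the
                // presented client certificate is only checked for *presence* and is never
                // matched against that list -- any client certificate accepted by the TLS layer
                // satisfies this branch. The representation returned by getTrustedCertificates()
                // is not visible here, so the comparison is left as a TODO rather than guessed at.
                this.surrogate = peerChain[0].getSubjectDN().getName();
            }
            return AuthenticationMechanism.AuthenticationMechanismOutcome.AUTHENTICATED;
        } catch (VerificationException e2) {
            // The token itself is deliberately not logged. The verifier's message is echoed
            // to the client as error_description; operators who consider that too revealing
            // can pass a generic text here instead.
            this.log.error("Failed to verify token", e2);
            this.challenge = challengeResponse(httpServerExchange, "invalid_token", e2.getMessage());
            return AuthenticationMechanism.AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
        }
    }

    /**
     * Challenge used when caller verification fails: nothing is written to the response
     * ({@code ChallengeResult(false)}), the request simply is not authenticated.
     */
    protected KeycloakChallenge clientCertChallenge() {
        return new KeycloakChallenge() { // from class: org.keycloak.adapters.undertow.BearerTokenAuthenticator.1
            @Override // org.keycloak.adapters.undertow.KeycloakChallenge
            public AuthenticationMechanism.ChallengeResult sendChallenge(HttpServerExchange httpServerExchange, SecurityContext securityContext) {
                return new AuthenticationMechanism.ChallengeResult(false);
            }
        };
    }

    /**
     * Adds a {@code WWW-Authenticate: Bearer realm="..."} header (RFC 6750 §3) to the
     * exchange and returns a challenge that answers with status 401.
     *
     * @param str  optional {@code error} attribute, e.g. {@code invalid_token}
     * @param str2 optional {@code error_description} attribute; may originate from an
     *             exception message, so it is escaped as an HTTP quoted-string
     */
    protected KeycloakChallenge challengeResponse(HttpServerExchange httpServerExchange, String str, String str2) {
        StringBuilder sb = new StringBuilder("Bearer realm=\"");
        sb.append(quoted(this.resourceMetadata.getRealm())).append("\"");
        if (str != null) {
            sb.append(", error=\"").append(quoted(str)).append("\"");
        }
        if (str2 != null) {
            sb.append(", error_description=\"").append(quoted(str2)).append("\"");
        }
        httpServerExchange.getResponseHeaders().add(Headers.WWW_AUTHENTICATE, sb.toString());
        return new KeycloakChallenge() { // from class: org.keycloak.adapters.undertow.BearerTokenAuthenticator.2
            @Override // org.keycloak.adapters.undertow.KeycloakChallenge
            public AuthenticationMechanism.ChallengeResult sendChallenge(HttpServerExchange httpServerExchange2, SecurityContext securityContext) {
                return new AuthenticationMechanism.ChallengeResult(true, 401);
            }
        };
    }

    /**
     * Escapes a value for use inside an HTTP quoted-string: {@code "} and {@code \} are
     * backslash-escaped and control characters (CR/LF in particular) are dropped, so a
     * verifier message can neither terminate the attribute early nor inject a header line.
     * A {@code null} value yields the empty string.
     */
    private static String quoted(String value) {
        if (value == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c == '"' || c == '\\') {
                sb.append('\\').append(c);
            } else if (c >= 0x20 && c != 0x7f) {
                sb.append(c);
            }
            // CTLs are not permitted in a quoted-string and are silently dropped.
        }
        return sb.toString();
    }
}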
