package org.keycloak.adapters.undertow;

import io.undertow.security.api.AuthenticationMechanism;
import io.undertow.security.api.SecurityContext;
import io.undertow.security.idm.Account;
import io.undertow.server.HttpServerExchange;
import io.undertow.util.AttachmentKey;
import java.security.Principal;
import java.util.Collections;
import java.util.Set;
import org.jboss.logging.Logger;
import org.keycloak.RealmConfiguration;
import org.keycloak.ResourceMetadata;
import org.keycloak.SkeletonKeyPrincipal;
import org.keycloak.SkeletonKeySession;
import org.keycloak.adapters.config.ManagedResourceConfig;
import org.keycloak.representations.SkeletonKeyToken;

/* loaded from: input_file:org/keycloak/adapters/undertow/KeycloakAuthenticationMechanism.class */
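/**
 * Undertow {@link AuthenticationMechanism} that tries bearer-token authentication first and,
 * unless the resource is configured as bearer-only, falls back to the OAuth authenticator.
 *
 * <p>On success a {@link SkeletonKeySession} is attached to the exchange under
 * {@link #SKELETON_KEY_SESSION_ATTACHMENT_KEY}. That session is built from the raw token string,
 * so handlers that read the attachment should treat it as a credential and keep it out of logs
 * and error pages.
 *
 * <p>On failure the authenticator's challenge is attached under
 * {@link #KEYCLOAK_CHALLENGE_ATTACHMENT_KEY} and replayed by {@link #sendChallenge}.
 */
public class KeycloakAuthenticationMechanism implements AuthenticationMechanism {
    protected Logger log = Logger.getLogger(KeycloakAuthenticationMechanism.class);
    public static final AttachmentKey<KeycloakChallenge> KEYCLOAK_CHALLENGE_ATTACHMENT_KEY = AttachmentKey.create(KeycloakChallenge.class);
    public static final AttachmentKey<SkeletonKeySession> SKELETON_KEY_SESSION_ATTACHMENT_KEY = AttachmentKey.create(SkeletonKeySession.class);
    protected ResourceMetadata resourceMetadata;
    protected ManagedResourceConfig config;
    protected RealmConfiguration realmConfig;
    protected int sslRedirectPort;

    /**
     * Creates a mechanism with an explicit SSL redirect port.
     *
     * @param resourceMetadata metadata of the protected resource; its resource name selects the
     *     token's resource-level roles
     * @param managedResourceConfig adapter configuration (bearer-only flag, role-mapping mode)
     * @param realmConfiguration realm settings handed to the OAuth authenticator
     * @param i SSL redirect port handed to the OAuth authenticator
     */
    public KeycloakAuthenticationMechanism(ResourceMetadata resourceMetadata, ManagedResourceConfig managedResourceConfig, RealmConfiguration realmConfiguration, int i) {
        this.resourceMetadata = resourceMetadata;
        this.config = managedResourceConfig;
        this.realmConfig = realmConfiguration;
        this.sslRedirectPort = i;
    }

    /**
     * Creates a mechanism without an SSL redirect port; {@code sslRedirectPort} keeps the Java
     * default of 0. How the OAuth authenticator interprets 0 is not visible in this class.
     *
     * @param resourceMetadata metadata of the protected resource
     * @param managedResourceConfig adapter configuration
     * @param realmConfiguration realm settings handed to the OAuth authenticator
     */
    public KeycloakAuthenticationMechanism(ResourceMetadata resourceMetadata, ManagedResourceConfig managedResourceConfig, RealmConfiguration realmConfiguration) {
        this.resourceMetadata = resourceMetadata;
        this.config = managedResourceConfig;
        this.realmConfig = realmConfiguration;
    }

    /**
     * Authenticates the request, bearer token first, then OAuth.
     *
     * <p>A bearer outcome of {@code NOT_AUTHENTICATED} is final: the request is rejected and the
     * OAuth flow is not tried. Any bearer outcome other than the two decisive ones falls through
     * to the bearer-only check and then to OAuth.
     *
     * <p>The OAuth result is accepted only when the authenticator positively reports
     * {@code AUTHENTICATED}. Every other value (including {@code null}) fails closed, so an
     * unexpected outcome can never complete authentication by elimination.
     *
     * @param httpServerExchange the current exchange; receives the challenge or session attachment
     * @param securityContext Undertow security context notified on success
     * @return the outcome reported to Undertow
     */
    @Override
    public AuthenticationMechanismOutcome authenticate(HttpServerExchange httpServerExchange, SecurityContext securityContext) {
        BearerTokenAuthenticator bearer = createBearerTokenAuthenticator();
        AuthenticationMechanismOutcome bearerOutcome = bearer.authenticate(httpServerExchange);
        if (bearerOutcome == AuthenticationMechanismOutcome.NOT_AUTHENTICATED) {
            // A bearer token was presented and rejected: stop here instead of offering OAuth.
            httpServerExchange.putAttachment(KEYCLOAK_CHALLENGE_ATTACHMENT_KEY, bearer.getChallenge());
            return AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
        }
        if (bearerOutcome == AuthenticationMechanismOutcome.AUTHENTICATED) {
            SkeletonKeyToken token = bearer.getToken();
            String surrogate = bearer.getSurrogate();
            propagateBearer(httpServerExchange, new SkeletonKeySession(bearer.getTokenString(), token, this.resourceMetadata));
            completeAuthentication(httpServerExchange, securityContext, token, surrogate);
            return AuthenticationMechanismOutcome.AUTHENTICATED;
        }
        if (this.config.isBearerOnly()) {
            // Bearer-only resources never start the interactive OAuth flow.
            httpServerExchange.putAttachment(KEYCLOAK_CHALLENGE_ATTACHMENT_KEY, bearer.getChallenge());
            return AuthenticationMechanismOutcome.NOT_ATTEMPTED;
        }

        OAuthAuthenticator oauth = createOAuthAuthenticator(httpServerExchange);
        AuthenticationMechanismOutcome oauthOutcome = oauth.authenticate();
        if (oauthOutcome != AuthenticationMechanismOutcome.AUTHENTICATED) {
            // Fail closed: only an explicit AUTHENTICATED may reach the success path below.
            httpServerExchange.putAttachment(KEYCLOAK_CHALLENGE_ATTACHMENT_KEY, oauth.getChallenge());
            return oauthOutcome == AuthenticationMechanismOutcome.NOT_ATTEMPTED
                    ? AuthenticationMechanismOutcome.NOT_ATTEMPTED
                    : AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
        }
        SkeletonKeyToken oauthToken = oauth.getToken();
        propagateOauth(httpServerExchange, new SkeletonKeySession(oauth.getTokenString(), oauthToken, this.resourceMetadata));
        completeAuthentication(httpServerExchange, securityContext, oauthToken, null);
        // Only the OAuth path logs success; the message carries no token or principal data.
        this.log.info("AUTHENTICATED");
        return AuthenticationMechanismOutcome.AUTHENTICATED;
    }

    /**
     * Builds the OAuth authenticator for one exchange from the realm configuration and the
     * SSL redirect port.
     */
    protected OAuthAuthenticator createOAuthAuthenticator(HttpServerExchange httpServerExchange) {
        return new OAuthAuthenticator(httpServerExchange, this.realmConfig, this.sslRedirectPort);
    }

    /**
     * Builds the bearer-token authenticator from the resource metadata and the configured
     * role-mapping mode.
     */
    protected BearerTokenAuthenticator createBearerTokenAuthenticator() {
        return new BearerTokenAuthenticator(this.resourceMetadata, this.config.isUseResourceRoleMappings());
    }

    /**
     * Registers the authenticated account with Undertow.
     *
     * <p>Roles come from the token's resource access entry for this resource when resource role
     * mappings are enabled, otherwise from its realm access. A missing access entry or a missing
     * role set yields an empty role set, so the account is granted nothing rather than something
     * by default.
     *
     * @param httpServerExchange the current exchange (not used by this implementation)
     * @param securityContext security context to notify
     * @param skeletonKeyToken verified token supplying the principal name and roles
     * @param str second argument of the {@link SkeletonKeyPrincipal} constructor; {@link
     *     #authenticate} passes the bearer authenticator's surrogate, or {@code null} for OAuth
     */
    protected void completeAuthentication(HttpServerExchange httpServerExchange, SecurityContext securityContext, SkeletonKeyToken skeletonKeyToken, String str) {
        final SkeletonKeyPrincipal principal = new SkeletonKeyPrincipal(skeletonKeyToken.getPrincipal(), str);
        SkeletonKeyToken.Access access = this.config.isUseResourceRoleMappings()
                ? skeletonKeyToken.getResourceAccess(this.resourceMetadata.getResourceName())
                : skeletonKeyToken.getRealmAccess();
        Set<String> granted = access != null ? access.getRoles() : null;
        // Hand Undertow a read-only view: if getRoles() exposes the token's own set, code holding
        // the Account must not be able to add roles to it.
        final Set<String> roles = granted != null
                ? Collections.unmodifiableSet(granted)
                : Collections.<String>emptySet();
        // NOTE(review): the mechanism name is the literal "FORM" for bearer and OAuth alike, so
        // audit or access-log consumers keyed on the mechanism name cannot tell the two apart.
        securityContext.authenticationComplete(new Account() {
            @Override
            public Principal getPrincipal() {
                return principal;
            }

            @Override
            public Set<String> getRoles() {
                return roles;
            }
        }, "FORM");
    }

    /**
     * Attaches the session created from a bearer token to the exchange.
     *
     * <p>The decompiler reports that this method's access modifier was changed from
     * {@code protected}.
     */
    public void propagateBearer(HttpServerExchange httpServerExchange, SkeletonKeySession skeletonKeySession) {
        httpServerExchange.putAttachment(SKELETON_KEY_SESSION_ATTACHMENT_KEY, skeletonKeySession);
    }

    /**
     * Attaches the session created by the OAuth flow to the exchange.
     *
     * <p>The decompiler reports that this method's access modifier was changed from
     * {@code protected}.
     */
    public void propagateOauth(HttpServerExchange httpServerExchange, SkeletonKeySession skeletonKeySession) {
        httpServerExchange.putAttachment(SKELETON_KEY_SESSION_ATTACHMENT_KEY, skeletonKeySession);
    }

    /**
     * Sends the challenge that {@link #authenticate} attached to the exchange, if any.
     *
     * @return the attached challenge's result, or {@code ChallengeResult(false)} when no
     *     challenge was attached
     */
    @Override
    public ChallengeResult sendChallenge(HttpServerExchange httpServerExchange, SecurityContext securityContext) {
        KeycloakChallenge challenge = httpServerExchange.getAttachment(KEYCLOAK_CHALLENGE_ATTACHMENT_KEY);
        if (challenge == null) {
            return new ChallengeResult(false);
        }
        return challenge.sendChallenge(httpServerExchange, securityContext);
    }
}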
