package org.keycloak.adapters.saml.undertow;

import io.undertow.security.api.AuthenticationMechanism;
import io.undertow.security.api.NotificationReceiver;
import io.undertow.security.api.SecurityContext;
import io.undertow.security.api.SecurityNotification;
import io.undertow.server.HttpServerExchange;
import io.undertow.util.AttachmentKey;
import io.undertow.util.Headers;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.regex.Pattern;
import org.keycloak.adapters.saml.SamlAuthenticator;
import org.keycloak.adapters.saml.SamlDeployment;
import org.keycloak.adapters.saml.SamlDeploymentContext;
import org.keycloak.adapters.saml.SamlSessionStore;
import org.keycloak.adapters.spi.AuthChallenge;
import org.keycloak.adapters.spi.AuthOutcome;
import org.keycloak.adapters.spi.HttpFacade;
import org.keycloak.adapters.undertow.UndertowHttpFacade;
import org.keycloak.adapters.undertow.UndertowUserSessionManagement;

/* loaded from: input_file:org/keycloak/adapters/saml/undertow/AbstractSamlAuthMech.class */
/**
 * Base Undertow {@link AuthenticationMechanism} backed by the Keycloak SAML adapter.
 *
 * <p>Each request is wrapped in an {@link UndertowHttpFacade}, the matching
 * {@link SamlDeployment} is resolved from the {@link SamlDeploymentContext}, and the
 * work is delegated to a {@link SamlAuthenticator}: an {@code UndertowSamlEndpoint}
 * for request paths ending in {@code /saml}, an {@code UndertowSamlAuthenticator}
 * otherwise. A challenge produced by the authenticator is parked on the exchange under
 * {@link #KEYCLOAK_CHALLENGE_ATTACHMENT_KEY} and replayed by
 * {@link #sendChallenge(HttpServerExchange, SecurityContext)}.
 *
 * <p>Subclasses supply the session store via
 * {@link #getTokenStore(HttpServerExchange, HttpFacade, SamlDeployment, SecurityContext)}.
 */
public abstract class AbstractSamlAuthMech implements AuthenticationMechanism {
    /** Source of per-request {@link SamlDeployment} instances. */
    protected SamlDeploymentContext deploymentContext;
    /** Session management hook handed in by the container; not referenced by this class itself. */
    protected UndertowUserSessionManagement sessionManagement;
    /** Error page location handed in by the container; not referenced by this class itself. */
    protected String errorPage;
    private static final Logger LOG = Logger.getLogger(AbstractSamlAuthMech.class.getName());
    /** Exchange attachment carrying the challenge from {@code authenticate} to {@code sendChallenge}. */
    public static final AttachmentKey<AuthChallenge> KEYCLOAK_CHALLENGE_ATTACHMENT_KEY = AttachmentKey.create(AuthChallenge.class);
    // RFC 3986 scheme followed by ':' — a redirect target matching this is treated as already absolute.
    private static final Pattern PROTOCOL_PATTERN = Pattern.compile("^[a-zA-Z][a-zA-Z0-9+.-]*:");

    /**
     * Creates a mechanism bound to the given deployment context.
     *
     * @param samlDeploymentContext resolves the SAML deployment for each request
     * @param undertowUserSessionManagement container session management hook
     * @param str error page location kept in {@link #errorPage}
     */
    public AbstractSamlAuthMech(SamlDeploymentContext samlDeploymentContext, UndertowUserSessionManagement undertowUserSessionManagement, String str) {
        this.deploymentContext = samlDeploymentContext;
        this.sessionManagement = undertowUserSessionManagement;
        this.errorPage = str;
    }

    /**
     * Replays the challenge that {@code authenticate} attached to the exchange, if any.
     *
     * @return a "sent" result carrying the exchange's current response code when a challenge
     *         was attached and it reported success, otherwise a "not sent" result
     */
    public AuthenticationMechanism.ChallengeResult sendChallenge(HttpServerExchange httpServerExchange, SecurityContext securityContext) {
        AuthChallenge pending = httpServerExchange.getAttachment(KEYCLOAK_CHALLENGE_ATTACHMENT_KEY);
        if (pending == null) {
            return new AuthenticationMechanism.ChallengeResult(false);
        }
        boolean written = pending.challenge(createFacade(httpServerExchange));
        if (!written) {
            return new AuthenticationMechanism.ChallengeResult(false);
        }
        return new AuthenticationMechanism.ChallengeResult(true, Integer.valueOf(httpServerExchange.getResponseCode()));
    }

    /**
     * Sets a {@code Location} header for {@code str} and reports 307 as the desired status.
     *
     * <p>The status code itself is not written here; only the header is. Note that when
     * {@code str} is {@code null}, {@link #sendRedirect} already answers 404 and ends the
     * exchange, yet 307 is still returned.
     *
     * @return {@code 307}
     */
    protected Integer servePage(HttpServerExchange httpServerExchange, String str) {
        sendRedirect(httpServerExchange, str);
        return Integer.valueOf(307);
    }

    /**
     * Writes a {@code Location} header pointing at {@code str}.
     *
     * <p>A {@code null} target is logged and answered with 404 (the exchange is ended).
     * A target that already starts with a URI scheme is used verbatim; anything else is
     * made absolute with the request scheme and host. {@code str} comes from deployment
     * configuration in this class (see {@link #redirectLogout}), not from the request.
     */
    static void sendRedirect(HttpServerExchange httpServerExchange, String str) {
        if (str == null) {
            LOG.log(Level.WARNING, "Logout page not set.");
            httpServerExchange.setStatusCode(404);
            httpServerExchange.endExchange();
            return;
        }
        httpServerExchange.getResponseHeaders().put(Headers.LOCATION, absoluteLocation(httpServerExchange, str));
    }

    /**
     * Returns {@code target} unchanged when it carries a scheme, otherwise prefixes it
     * with the request's scheme and host/port.
     *
     * NOTE(review): Undertow derives {@code getHostAndPort()} from the request's Host
     * header, so the absolute Location echoes the host the client presented; a reverse
     * proxy or virtual-host setup in front should pin that value.
     */
    private static String absoluteLocation(HttpServerExchange exchange, String target) {
        boolean hasScheme = PROTOCOL_PATTERN.matcher(target).find();
        if (hasScheme) {
            return target;
        }
        return exchange.getRequestScheme() + "://" + exchange.getHostAndPort() + target;
    }

    /**
     * Subscribes to Undertow security notifications so that a {@code LOGGED_OUT} event
     * also logs the account out of the SAML session store.
     */
    protected void registerNotifications(final SecurityContext securityContext) {
        securityContext.registerNotificationReceiver(notification -> {
            if (notification.getEventType() == SecurityNotification.EventType.LOGGED_OUT) {
                HttpServerExchange exchange = notification.getExchange();
                HttpFacade facade = createFacade(exchange);
                SamlDeployment deployment = deploymentContext.resolveDeployment(facade);
                getTokenStore(exchange, facade, deployment, securityContext).logoutAccount();
            }
        });
    }

    /**
     * Runs the SAML authenticator for this request and maps its {@link AuthOutcome} onto
     * Undertow's outcome.
     *
     * <ul>
     *   <li>deployment not configured → {@code NOT_ATTEMPTED}</li>
     *   <li>{@code AUTHENTICATED} → notifications registered, {@code AUTHENTICATED}</li>
     *   <li>{@code NOT_AUTHENTICATED} → {@code NOT_ATTEMPTED}, no challenge attached</li>
     *   <li>{@code LOGGED_OUT} → context logged out, optional redirect to the logout page,
     *       {@code NOT_ATTEMPTED}</li>
     *   <li>anything else → challenge (if any) attached to the exchange; {@code FAILED}
     *       becomes {@code NOT_AUTHENTICATED}, other values {@code NOT_ATTEMPTED}</li>
     * </ul>
     */
    public AuthenticationMechanism.AuthenticationMechanismOutcome authenticate(HttpServerExchange httpServerExchange, SecurityContext securityContext) {
        UndertowHttpFacade facade = createFacade(httpServerExchange);
        SamlDeployment deployment = this.deploymentContext.resolveDeployment(facade);
        if (!deployment.isConfigured()) {
            return AuthenticationMechanism.AuthenticationMechanismOutcome.NOT_ATTEMPTED;
        }
        SamlSessionStore sessionStore = getTokenStore(httpServerExchange, facade, deployment, securityContext);
        SamlAuthenticator authenticator = selectAuthenticator(httpServerExchange, securityContext, facade, sessionStore);
        AuthOutcome outcome = authenticator.authenticate();

        if (outcome == AuthOutcome.AUTHENTICATED) {
            registerNotifications(securityContext);
            return AuthenticationMechanism.AuthenticationMechanismOutcome.AUTHENTICATED;
        }
        if (outcome == AuthOutcome.LOGGED_OUT) {
            securityContext.logout();
            if (deployment.getLogoutPage() != null) {
                redirectLogout(deployment, httpServerExchange);
            }
            return AuthenticationMechanism.AuthenticationMechanismOutcome.NOT_ATTEMPTED;
        }
        if (outcome == AuthOutcome.NOT_AUTHENTICATED) {
            // Deliberately no challenge here: the request simply did not attempt SAML.
            return AuthenticationMechanism.AuthenticationMechanismOutcome.NOT_ATTEMPTED;
        }

        attachChallenge(httpServerExchange, authenticator);
        if (outcome == AuthOutcome.FAILED) {
            return AuthenticationMechanism.AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
        }
        return AuthenticationMechanism.AuthenticationMechanismOutcome.NOT_ATTEMPTED;
    }

    /**
     * Picks the SAML endpoint handler for paths ending in {@code /saml}, the regular
     * authenticator for everything else. The deployment is resolved afresh here, as in
     * the original flow, rather than reusing the caller's instance.
     */
    private SamlAuthenticator selectAuthenticator(HttpServerExchange exchange, SecurityContext securityContext, UndertowHttpFacade facade, SamlSessionStore sessionStore) {
        boolean samlEndpoint = exchange.getRequestPath().endsWith("/saml");
        SamlDeployment deployment = this.deploymentContext.resolveDeployment(facade);
        if (samlEndpoint) {
            return new UndertowSamlEndpoint(facade, deployment, sessionStore);
        }
        return new UndertowSamlAuthenticator(securityContext, facade, deployment, sessionStore);
    }

    /**
     * Parks the authenticator's challenge on the exchange for {@link #sendChallenge}.
     * For the SAML endpoint the exchange's own security context (not the one passed to
     * {@code authenticate}) is additionally flagged as requiring authentication.
     */
    private static void attachChallenge(HttpServerExchange exchange, SamlAuthenticator authenticator) {
        AuthChallenge challenge = authenticator.getChallenge();
        if (challenge == null) {
            return;
        }
        exchange.putAttachment(KEYCLOAK_CHALLENGE_ATTACHMENT_KEY, challenge);
        if (authenticator instanceof UndertowSamlEndpoint) {
            exchange.getSecurityContext().setAuthenticationRequired();
        }
    }

    /**
     * Redirects (302) to the deployment's configured logout page and ends the exchange.
     * A {@code null} logout page is handled by {@link #sendRedirect} (404), after which
     * the status is still overwritten with 302 here.
     */
    public void redirectLogout(SamlDeployment samlDeployment, HttpServerExchange httpServerExchange) {
        String logoutPage = samlDeployment.getLogoutPage();
        sendRedirect(httpServerExchange, logoutPage);
        httpServerExchange.setStatusCode(302);
        httpServerExchange.endExchange();
    }

    /** Wraps the exchange in the adapter's HTTP facade; overridable for custom facades. */
    protected UndertowHttpFacade createFacade(HttpServerExchange httpServerExchange) {
        return new UndertowHttpFacade(httpServerExchange);
    }

    /**
     * Supplies the SAML session store for the current request.
     *
     * @param httpServerExchange the current exchange
     * @param httpFacade facade created by {@link #createFacade}
     * @param samlDeployment deployment resolved for this request
     * @param securityContext Undertow security context of the request
     * @return the store used for {@code logoutAccount()} and handed to the authenticators
     */
    protected abstract SamlSessionStore getTokenStore(HttpServerExchange httpServerExchange, HttpFacade httpFacade, SamlDeployment samlDeployment, SecurityContext securityContext);
}
