package org.keycloak.adapters;

import java.util.Iterator;
import java.util.List;
import javax.security.cert.X509Certificate;
import org.jboss.logging.Logger;
import org.keycloak.OAuthErrorException;
import org.keycloak.adapters.OIDCAuthenticationError;
import org.keycloak.adapters.rotation.AdapterRSATokenVerifier;
import org.keycloak.adapters.spi.AuthChallenge;
import org.keycloak.adapters.spi.AuthOutcome;
import org.keycloak.adapters.spi.HttpFacade;
import org.keycloak.common.VerificationException;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.jose.jws.JWSInputException;
import org.keycloak.representations.AccessToken;
import org.keycloak.util.TokenUtil;

/* loaded from: input_file:org/keycloak/adapters/BearerTokenRequestAuthenticator.class */
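public class BearerTokenRequestAuthenticator {
    protected Logger log = Logger.getLogger(BearerTokenRequestAuthenticator.class);
    // Raw token value taken from the Authorization header; null until authenticate() finds one.
    protected String tokenString;
    // Access token as returned by AdapterRSATokenVerifier; only assigned once verification succeeded.
    protected AccessToken token;
    // Subject DN of the first certificate in the client chain when the token demands caller
    // verification; reset to null for every verified token.
    protected String surrogate;
    // Challenge recorded when authentication was not attempted or failed. It is never cleared
    // on success, so callers must consult the returned AuthOutcome rather than this field.
    protected AuthChallenge challenge;
    protected KeycloakDeployment deployment;

    /**
     * Creates an authenticator bound to one adapter deployment.
     *
     * @param keycloakDeployment deployment whose realm, keys and policy settings are used
     */
    public BearerTokenRequestAuthenticator(KeycloakDeployment keycloakDeployment) {
        this.deployment = keycloakDeployment;
    }

    /** @return the challenge recorded by the last unattempted or failed authentication, or null */
    public AuthChallenge getChallenge() {
        return this.challenge;
    }

    /** @return the raw bearer token found in the request, or null if none was found */
    public String getTokenString() {
        return this.tokenString;
    }

    /** @return the verified access token, or null if verification has not succeeded yet */
    public AccessToken getToken() {
        return this.token;
    }

    /** @return the caller's certificate subject DN, or null if caller verification was not required */
    public String getSurrogate() {
        return this.surrogate;
    }

    /**
     * Looks for an {@code Authorization: Bearer <token>} header and, if one is present,
     * verifies the token.
     * <p>
     * Each header value is trimmed and split on whitespace; it is accepted only when it has
     * exactly two parts and the first is {@code Bearer} (case-insensitive). When several
     * headers match, the last one wins (existing behaviour); a deployment that wants to reject
     * ambiguous requests has to do so before calling this method.
     *
     * @param httpFacade request/response abstraction of the hosting container
     * @return {@link AuthOutcome#NOT_ATTEMPTED} when no bearer token is present (a
     *         {@code NO_BEARER_TOKEN} challenge is recorded), otherwise the result of
     *         {@link #authenticateToken}
     */
    public AuthOutcome authenticate(HttpFacade httpFacade) {
        List<String> headers = httpFacade.getRequest().getHeaders("Authorization");
        if (headers == null || headers.isEmpty()) {
            this.challenge = challengeResponse(httpFacade, OIDCAuthenticationError.Reason.NO_BEARER_TOKEN, null, null);
            return AuthOutcome.NOT_ATTEMPTED;
        }
        this.tokenString = null;
        for (String header : headers) {
            // String.split never returns null, so only the shape of the value is checked.
            String[] parts = header.trim().split("\\s+");
            if (parts.length == 2 && parts[0].equalsIgnoreCase(TokenUtil.TOKEN_TYPE_BEARER)) {
                this.tokenString = parts[1];
            }
        }
        if (this.tokenString == null) {
            this.challenge = challengeResponse(httpFacade, OIDCAuthenticationError.Reason.NO_BEARER_TOKEN, null, null);
            return AuthOutcome.NOT_ATTEMPTED;
        }
        return authenticateToken(httpFacade, this.tokenString);
    }

    /**
     * Verifies a bearer token against the deployment and applies the not-before and
     * verify-caller policies.
     * <p>
     * Each failure records a challenge and returns {@link AuthOutcome#FAILED}: verification
     * throws ({@code INVALID_TOKEN}), the token was issued before the deployment's not-before
     * time ({@code STALE_TOKEN}), or the token requires caller verification but carries no
     * trusted certificates or the container provides no client certificate chain (no-op
     * challenge from {@link #clientCertChallenge()}).
     *
     * @param httpFacade request/response abstraction of the hosting container
     * @param str        the raw bearer token
     * @return {@link AuthOutcome#AUTHENTICATED} on success, {@link AuthOutcome#FAILED} otherwise
     */
    public AuthOutcome authenticateToken(HttpFacade httpFacade, String str) {
        this.log.debug("Verifying access_token");
        if (this.log.isTraceEnabled()) {
            try {
                String wireString = new JWSInput(str).getWireString();
                // Only header and payload are traced; the signature segment is replaced.
                this.log.tracef("\taccess_token: %s", wireString.substring(0, wireString.lastIndexOf(".")) + ".signature");
            } catch (JWSInputException e) {
                // The raw token is a credential and is deliberately kept out of the log;
                // an unparseable value is rejected again by verifyToken() below.
                this.log.error("Failed to parse access_token", e);
            }
        }
        try {
            this.token = AdapterRSATokenVerifier.verifyToken(str, this.deployment);
            // A token with a valid signature is still rejected when it predates the
            // deployment's not-before timestamp.
            if (this.token.getIssuedAt() < this.deployment.getNotBefore()) {
                this.log.error("Stale token");
                this.challenge = challengeResponse(httpFacade, OIDCAuthenticationError.Reason.STALE_TOKEN, OAuthErrorException.INVALID_TOKEN, "Stale token");
                return AuthOutcome.FAILED;
            }
            boolean isVerifyCaller = this.deployment.isUseResourceRoleMappings()
                    ? this.token.isVerifyCaller(this.deployment.getResourceName())
                    : this.token.isVerifyCaller();
            this.surrogate = null;
            if (isVerifyCaller) {
                if (this.token.getTrustedCertificates() == null || this.token.getTrustedCertificates().size() == 0) {
                    this.log.warn("No trusted certificates in token");
                    this.challenge = clientCertChallenge();
                    return AuthOutcome.FAILED;
                }
                X509Certificate[] chain = null;
                try {
                    chain = httpFacade.getCertificateChain();
                } catch (Exception ignored) {
                    // Best effort: a facade that cannot expose the client chain is treated
                    // exactly like one that supplied none, which fails just below.
                }
                if (chain == null || chain.length == 0) {
                    this.log.warn("No certificates provided by undertow to verify the caller");
                    this.challenge = clientCertChallenge();
                    return AuthOutcome.FAILED;
                }
                // The first certificate of the chain is taken as the caller's identity.
                this.surrogate = chain[0].getSubjectDN().getName();
            }
            this.log.debug("successful authorized");
            return AuthOutcome.AUTHENTICATED;
        } catch (VerificationException e3) {
            this.log.error("Failed to verify token", e3);
            this.challenge = challengeResponse(httpFacade, OIDCAuthenticationError.Reason.INVALID_TOKEN, OAuthErrorException.INVALID_TOKEN, e3.getMessage());
            return AuthOutcome.FAILED;
        }
    }

    /**
     * Challenge used when caller verification is required but no usable client certificate
     * is available. It is deliberately a no-op: it reports response code 0 and
     * {@link AuthChallenge#challenge} writes nothing and returns false, so the caller only
     * learns about the failure through the {@link AuthOutcome#FAILED} result.
     *
     * @return a challenge that does nothing when applied
     */
    protected AuthChallenge clientCertChallenge() {
        return new AuthChallenge() {
            @Override
            public int getResponseCode() {
                return 0;
            }

            @Override
            public boolean challenge(HttpFacade httpFacade) {
                return false;
            }
        };
    }

    /**
     * Builds a 401 challenge carrying a {@code WWW-Authenticate: Bearer ...} header.
     * <p>
     * Realm, error code and error description are written as RFC 7235 quoted-strings via
     * {@link #quotedString}. The description usually originates from an exception message,
     * so quotes, backslashes and control characters in it are escaped or dropped instead of
     * being allowed to terminate the attribute or the header line.
     *
     * @param httpFacade not used here; the returned challenge receives its own facade
     * @param reason     classification attached to the request through {@link OIDCAuthenticationError}
     * @param str        OAuth error code for the {@code error} attribute, or null to omit it
     * @param str2       text for {@code error_description}, or null to omit it
     * @return a challenge that, when applied, sets the request error, adds the header and
     *         either sets status 401 (when the deployment delegates error response sending)
     *         or calls {@code sendError(401)}; its {@code challenge()} always returns true
     */
    public AuthChallenge challengeResponse(HttpFacade httpFacade, final OIDCAuthenticationError.Reason reason, String str, final String str2) {
        StringBuilder sb = new StringBuilder("Bearer realm=").append(quotedString(this.deployment.getRealm()));
        if (str != null) {
            sb.append(", error=").append(quotedString(str));
        }
        if (str2 != null) {
            sb.append(", error_description=").append(quotedString(str2));
        }
        final String headerValue = sb.toString();
        return new AuthChallenge() {
            @Override
            public int getResponseCode() {
                return 401;
            }

            @Override
            public boolean challenge(HttpFacade httpFacade2) {
                httpFacade2.getRequest().setError(new OIDCAuthenticationError(reason, str2));
                httpFacade2.getResponse().addHeader("WWW-Authenticate", headerValue);
                if (BearerTokenRequestAuthenticator.this.deployment.isDelegateBearerErrorResponseSending()) {
                    httpFacade2.getResponse().setStatus(401);
                    return true;
                }
                httpFacade2.getResponse().sendError(401);
                return true;
            }
        };
    }

    /**
     * Renders {@code value} as an RFC 7235 quoted-string: wrapped in double quotes, with
     * {@code "} and {@code \} escaped and control characters (including CR and LF) removed,
     * so a value cannot close the attribute or inject a further header line.
     *
     * @param value text to quote; null is rendered as the literal {@code "null"}, matching
     *              plain string concatenation
     * @return the quoted and escaped value
     */
    private static String quotedString(String value) {
        String text = String.valueOf(value);
        StringBuilder out = new StringBuilder(text.length() + 2).append('"');
        for (int i = 0; i < text.length(); i++) {
            char c = text.charAt(i);
            if (c == '"' || c == '\\') {
                out.append('\\').append(c);
            } else if (c >= 0x20 && c != 0x7f) {
                out.append(c);
            }
        }
        return out.append('"').toString();
    }
}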
