package org.keycloak.services.managers;

import java.net.URI;
import javax.ws.rs.BadRequestException;
import javax.ws.rs.NotAuthorizedException;
import javax.ws.rs.core.Cookie;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.NewCookie;
import org.jboss.resteasy.logging.Logger;
import org.keycloak.RSATokenVerifier;
import org.keycloak.VerificationException;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.jose.jws.crypto.RSAProvider;
import org.keycloak.models.ClientModel;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.representations.AccessToken;

/* loaded from: input_file:org/keycloak/services/managers/AppAuthManager.class */
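/**
 * Authenticates application requests against a realm, either from the
 * application login cookie or from an {@code Authorization: Bearer} header,
 * and issues or expires that cookie.
 *
 * <p>Every accept/reject decision here is a trust boundary. A token is only
 * accepted when its signature verifies against the realm public key, it is
 * still active (where expiry is enforced), its subject is a known and enabled
 * user and, when it names a client, that client is known and enabled. Cookie
 * failures clear the cookie and yield {@code null} so the caller may try
 * another scheme; bearer failures throw {@link NotAuthorizedException} with a
 * short reason in the challenge. Reasons for rejections are written to the
 * debug log only, so an unauthenticated caller cannot flood higher log levels.
 */
public class AppAuthManager extends AuthenticationManager {
    protected static Logger logger = Logger.getLogger(AuthenticationManager.class);
    /** Name of the application login cookie this manager reads, writes and expires. */
    private final String cookieName;
    /** Store that access codes are pulled from when they are exchanged for a cookie. */
    private final TokenManager tokenManager;

    /**
     * @param str          name of the login cookie managed by this instance
     * @param tokenManager access-code store consulted by {@link #createCookie}
     */
    public AppAuthManager(String str, TokenManager tokenManager) {
        this.cookieName = str;
        this.tokenManager = tokenManager;
    }

    /**
     * Exchanges a signed access code for the application login cookie.
     *
     * <p>The code is rejected with a bare {@link BadRequestException} (the
     * reason goes only to the debug log) unless all of the following hold: the
     * JWS signature verifies against the realm public key, the code is still
     * held by the token manager, neither the code nor its embedded token has
     * expired, and the code was issued for exactly this realm and client.
     *
     * @param realmModel  realm whose public key signed the code
     * @param clientModel client redeeming the code; must match the code's client
     * @param str         the access code as a compact JWS string
     * @param uri         request URI; its raw path becomes the cookie path
     * @return a login cookie for the code's user and client
     * @throws BadRequestException if any of the checks above fails
     */
    public NewCookie createCookie(RealmModel realmModel, ClientModel clientModel, String str, URI uri) {
        JWSInput jws = new JWSInput(str);
        boolean signatureOk = false;
        try {
            signatureOk = RSAProvider.verify(jws, realmModel.getPublicKey());
        } catch (Exception e) {
            // Any parse or verification error counts as an unverified signature; fail closed below.
            logger.debug("Failed to verify signature", e);
        }
        if (!signatureOk) {
            logger.debug("unverified access code");
            throw new BadRequestException();
        }
        // NOTE(review): "pull" presumably removes the code from the store so it cannot be
        // exchanged a second time — confirm against TokenManager.
        AccessCodeEntry accessCode = this.tokenManager.pullAccessCode(jws.readContentAsString());
        if (accessCode == null) {
            logger.debug("bad access code");
            throw new BadRequestException();
        }
        if (accessCode.isExpired()) {
            logger.debug("access code expired");
            throw new BadRequestException();
        }
        if (!accessCode.getToken().isActive()) {
            logger.debug("access token expired");
            throw new BadRequestException();
        }
        // The code must have been issued for the realm and client now redeeming it.
        if (!accessCode.getRealm().getId().equals(realmModel.getId())) {
            logger.debug("bad realm");
            throw new BadRequestException();
        }
        if (!clientModel.getClientId().equals(accessCode.getClient().getClientId())) {
            logger.debug("bad client");
            throw new BadRequestException();
        }
        return createLoginCookie(realmModel, accessCode.getUser(), accessCode.getClient(), this.cookieName, uri.getRawPath(), false);
    }

    /**
     * Issues a fresh login cookie for an already authenticated user without any access code.
     *
     * @param realmModel  realm the cookie is issued for
     * @param userModel   authenticated user
     * @param clientModel client the cookie is issued for
     * @param uri         request URI; its raw path becomes the cookie path
     * @return the new login cookie
     */
    public NewCookie createRefreshCookie(RealmModel realmModel, UserModel userModel, ClientModel clientModel, URI uri) {
        return createLoginCookie(realmModel, userModel, clientModel, this.cookieName, uri.getRawPath(), false);
    }

    /**
     * Expires this manager's login cookie on the given request path.
     *
     * @param uri request URI; its raw path is used as the cookie path
     */
    public void expireCookie(URI uri) {
        expireCookie(this.cookieName, uri.getRawPath());
    }

    /**
     * Authenticates the request from this manager's login cookie, enforcing token expiry.
     *
     * @param realmModel  realm to verify the cookie token against
     * @param httpHeaders request headers carrying the cookies
     * @return the authenticated principal, or {@code null} if the cookie is absent or rejected
     */
    public Auth authenticateCookie(RealmModel realmModel, HttpHeaders httpHeaders) {
        return authenticateCookie(realmModel, httpHeaders, this.cookieName, true);
    }

    /**
     * Authenticates the request, preferring the login cookie and falling back
     * to a bearer token when no cookie authentication succeeds.
     *
     * @param realmModel  realm to verify credentials against
     * @param httpHeaders request headers
     * @return the authenticated principal, or {@code null} if neither scheme is present
     * @throws NotAuthorizedException if a bearer header is present but rejected
     */
    public Auth authenticate(RealmModel realmModel, HttpHeaders httpHeaders) {
        Auth fromCookie = authenticateCookie(realmModel, httpHeaders);
        if (fromCookie != null) {
            return fromCookie;
        }
        return authenticateBearerToken(realmModel, httpHeaders);
    }

    /**
     * Authenticates the request from the named login cookie.
     *
     * <p>A missing cookie simply yields {@code null}. Once a cookie is present,
     * any rejection (bad signature, expiry when {@code z} is set, unknown or
     * disabled user, unknown or disabled client) expires that cookie and yields
     * {@code null}.
     *
     * @param realmModel  realm whose public key and name the token is verified against
     * @param httpHeaders request headers carrying the cookies
     * @param str         name of the cookie to look up
     * @param z           whether token expiry is enforced; when {@code false} an
     *                    otherwise valid but expired token is still accepted
     * @return the authenticated principal, or {@code null} if not authenticated
     */
    private Auth authenticateCookie(RealmModel realmModel, HttpHeaders httpHeaders, String str, boolean z) {
        logger.debug("authenticateCookie");
        Cookie cookie = httpHeaders.getCookies().get(str);
        if (cookie == null) {
            logger.debug("authenticateCookie could not find cookie: {0}", new Object[]{str});
            return null;
        }
        try {
            AccessToken token = RSATokenVerifier.verifyToken(cookie.getValue(), realmModel.getPublicKey(), realmModel.getName(), z);
            logger.debug("token verified");
            if (z && !token.isActive()) {
                return rejectCookie(cookie, "cookie expired");
            }
            UserModel user = realmModel.getUserById(token.getSubject());
            if (user == null || !user.isEnabled()) {
                return rejectCookie(cookie, "Unknown user in cookie");
            }
            ClientModel client = null;
            if (token.getIssuedFor() != null) {
                client = realmModel.findClient(token.getIssuedFor());
                if (client == null || !client.isEnabled()) {
                    return rejectCookie(cookie, "Unknown client in cookie");
                }
            }
            return new Auth(realmModel, user, client);
        } catch (VerificationException e) {
            logger.debug("Failed to verify cookie", e);
            expireCookie(cookie.getName(), cookie.getPath());
            return null;
        }
    }

    /**
     * Logs the rejection reason, expires the presented cookie and returns
     * {@code null} for the caller to hand back.
     *
     * @param cookie the rejected login cookie
     * @param reason short debug-log message describing the rejection
     * @return always {@code null}
     */
    private Auth rejectCookie(Cookie cookie, String reason) {
        logger.debug(reason);
        // NOTE(review): cookies in a request carry no Path attribute under RFC 6265, so
        // cookie.getPath() is likely null here and the expiring Set-Cookie may not match
        // the path the cookie was issued on — confirm against how createLoginCookie sets it.
        expireCookie(cookie.getName(), cookie.getPath());
        return null;
    }

    /**
     * Authenticates the request from an {@code Authorization: Bearer <token>} header.
     *
     * <p>Unlike the cookie path this is strict: once the header is present any
     * defect is reported with a {@link NotAuthorizedException} whose challenge
     * carries a short reason ({@code Bearer} for a malformed header, then
     * {@code token_expired}, {@code invalid_user} or {@code invalid_token}).
     *
     * @param realmModel  realm whose public key and name the token is verified against
     * @param httpHeaders request headers
     * @return the authenticated principal, or {@code null} if no Authorization header is present
     * @throws NotAuthorizedException if the header is malformed or the token is rejected
     */
    private Auth authenticateBearerToken(RealmModel realmModel, HttpHeaders httpHeaders) {
        String header = httpHeaders.getHeaderString("Authorization");
        if (header == null) {
            return null;
        }
        // Exactly "<scheme> <credentials>" is accepted; String.split never returns null.
        String[] parts = header.trim().split("\\s+");
        if (parts.length != 2 || !"Bearer".equalsIgnoreCase(parts[0])) {
            throw new NotAuthorizedException("Bearer", new Object[0]);
        }
        try {
            AccessToken token = RSATokenVerifier.verifyToken(parts[1], realmModel.getPublicKey(), realmModel.getName());
            if (!token.isActive()) {
                throw new NotAuthorizedException("token_expired", new Object[0]);
            }
            UserModel user = realmModel.getUserById(token.getSubject());
            if (user == null || !user.isEnabled()) {
                throw new NotAuthorizedException("invalid_user", new Object[0]);
            }
            ClientModel client = null;
            if (token.getIssuedFor() != null) {
                client = realmModel.findClient(token.getIssuedFor());
                if (client == null || !client.isEnabled()) {
                    // Challenge reason kept as originally reported for an unknown/disabled client.
                    throw new NotAuthorizedException("invalid_user", new Object[0]);
                }
            }
            return new Auth(token, user, client);
        } catch (VerificationException e) {
            // The token is unauthenticated caller input: a rejected one is debug-level
            // noise, not an operational error, so it cannot be used to flood the error log.
            logger.debug("Failed to verify token", e);
            throw new NotAuthorizedException("invalid_token", new Object[0]);
        }
    }
}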
