package org.keycloak.proxy;

import io.undertow.server.HttpHandler;
import io.undertow.server.HttpServerExchange;
import io.undertow.util.HttpString;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import org.keycloak.adapters.undertow.KeycloakUndertowAccount;
import org.keycloak.proxy.SecurityInfo;
import org.keycloak.representations.AccessToken;

/* loaded from: input_file:org/keycloak/proxy/ConstraintAuthorizationHandler.class */
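/**
 * Undertow handler that enforces the role constraint matched for the current request and, when the
 * request is allowed through, copies identity claims from the caller's access token into request
 * headers before delegating to the {@code next} handler.
 *
 * <p>The identity headers are an assertion made by this proxy. Every path that forwards a request
 * to {@code next} first removes any inbound header carrying one of the configured identity header
 * names, so whatever {@code next} receives under those names was set here and not by the client.
 * This only holds if {@code next} cannot be reached by a route that bypasses this handler.
 *
 * <p>When {@code sendAccessToken} is enabled the raw token string is forwarded as well. That value
 * is a bearer credential; whoever can read the forwarded request can replay it.
 */
public class ConstraintAuthorizationHandler implements HttpHandler {
    public static final String KEYCLOAK_SUBJECT = "KEYCLOAK_SUBJECT";
    public static final String KEYCLOAK_USERNAME = "KEYCLOAK_USERNAME";
    public static final String KEYCLOAK_EMAIL = "KEYCLOAK_EMAIL";
    public static final String KEYCLOAK_NAME = "KEYCLOAK_NAME";
    public static final String KEYCLOAK_ACCESS_TOKEN = "KEYCLOAK_ACCESS_TOKEN";

    // Logical claim key (one of the constants above) -> header name actually written on the request.
    private final Map<String, HttpString> httpHeaderNames = new HashMap<>();
    protected HttpHandler next;
    protected String errorPage;
    protected boolean sendAccessToken;

    /**
     * Creates the handler.
     *
     * @param next handler that receives permitted requests (and the error-page request, if configured)
     * @param errorPage path forwarded to {@code next} when access is denied; {@code null} answers 403 directly
     * @param sendAccessToken whether the raw token string is forwarded in the access-token header
     * @param headerNames optional overrides for the header names, keyed by {@code keycloak-subject},
     *     {@code keycloak-username}, {@code keycloak-email}, {@code keycloak-name} and
     *     {@code keycloak-access-token}; a {@code null} map or a missing/{@code null} entry keeps the default
     */
    public ConstraintAuthorizationHandler(HttpHandler next, String errorPage, boolean sendAccessToken, Map<String, String> headerNames) {
        this.next = next;
        this.errorPage = errorPage;
        this.sendAccessToken = sendAccessToken;
        this.httpHeaderNames.put(KEYCLOAK_SUBJECT, new HttpString(getOrDefault(headerNames, "keycloak-subject", KEYCLOAK_SUBJECT)));
        this.httpHeaderNames.put(KEYCLOAK_USERNAME, new HttpString(getOrDefault(headerNames, "keycloak-username", KEYCLOAK_USERNAME)));
        this.httpHeaderNames.put(KEYCLOAK_EMAIL, new HttpString(getOrDefault(headerNames, "keycloak-email", KEYCLOAK_EMAIL)));
        this.httpHeaderNames.put(KEYCLOAK_NAME, new HttpString(getOrDefault(headerNames, "keycloak-name", KEYCLOAK_NAME)));
        this.httpHeaderNames.put(KEYCLOAK_ACCESS_TOKEN, new HttpString(getOrDefault(headerNames, "keycloak-access-token", KEYCLOAK_ACCESS_TOKEN)));
    }

    /**
     * Returns the configured value for {@code key}, or {@code fallback} when the map is {@code null},
     * has no such key, or maps the key to {@code null}.
     */
    private static String getOrDefault(Map<String, String> map, String key, String fallback) {
        if (map == null) {
            return fallback;
        }
        String configured = map.get(key);
        return configured != null ? configured : fallback;
    }

    /**
     * Decides whether the request may proceed.
     *
     * <p>The request is passed to {@link #authenticatedRequest} when no constraint is attached to the
     * exchange, when the constraint has no required roles and its empty-role semantic is
     * {@code AUTHENTICATE}, when the semantic is {@code PERMIT_AND_INJECT_IF_AUTHENTICATED}, or when
     * the authenticated account holds at least one required role. Otherwise access is denied: a 403
     * is sent, or the request is rewritten to the configured error page and forwarded.
     *
     * @param exchange the current exchange
     * @throws Exception whatever the downstream handler throws
     */
    @Override
    public void handleRequest(HttpServerExchange exchange) throws Exception {
        KeycloakUndertowAccount account = (KeycloakUndertowAccount) exchange.getSecurityContext().getAuthenticatedAccount();
        SingleConstraintMatch match = (SingleConstraintMatch) exchange.getAttachment(ConstraintMatcherHandler.CONSTRAINT_KEY);

        // NOTE(review): a missing constraint attachment is treated as "allow"; this handler therefore
        // relies on the constraint matcher always running before it. Confirm against the handler chain.
        if (match == null || (match.getRequiredRoles().isEmpty() && match.getEmptyRoleSemantic() == SecurityInfo.EmptyRoleSemantic.AUTHENTICATE)) {
            authenticatedRequest(account, exchange);
            return;
        }
        if (SecurityInfo.EmptyRoleSemantic.PERMIT_AND_INJECT_IF_AUTHENTICATED.equals(match.getEmptyRoleSemantic())) {
            // May be reached without an account; authenticatedRequest then forwards with no identity headers.
            authenticatedRequest(account, exchange);
            return;
        }

        // A role constraint can only be satisfied by an authenticated account. Without this guard a
        // missing account would raise a NullPointerException instead of producing a clean denial.
        if (account != null) {
            for (String requiredRole : match.getRequiredRoles()) {
                if (account.getRoles().contains(requiredRole)) {
                    authenticatedRequest(account, exchange);
                    return;
                }
            }
        }

        if (this.errorPage == null) {
            exchange.setResponseCode(403);
            exchange.endExchange();
            return;
        }

        // The error page is served by the next handler as well, so it must not see client-supplied
        // identity headers either.
        stripIdentityHeaders(exchange);
        exchange.setRequestPath(this.errorPage);
        exchange.setRelativePath(this.errorPage);
        exchange.setResolvedPath(this.errorPage);
        this.next.handleRequest(exchange);
    }

    /**
     * Forwards a permitted request to {@code next}, replacing the identity headers with values taken
     * from the account's access token.
     *
     * <p>All configured identity headers are removed from the inbound request first. A claim that is
     * absent from the token, or an absent account, therefore leaves the corresponding header unset
     * rather than leaving a client-supplied value in place.
     *
     * @param account the authenticated account, or {@code null} when the request is unauthenticated
     * @param exchange the current exchange
     * @throws Exception whatever the downstream handler throws
     */
    public void authenticatedRequest(KeycloakUndertowAccount account, HttpServerExchange exchange) throws Exception {
        stripIdentityHeaders(exchange);
        if (account != null) {
            AccessToken token = account.getKeycloakSecurityContext().getToken();
            if (token == null) {
                // NOTE(review): returns without forwarding and without setting a status code, as the
                // original did. Confirm whether an account without a token should be denied explicitly.
                return;
            }
            setIdentityHeader(exchange, KEYCLOAK_SUBJECT, token.getSubject());
            setIdentityHeader(exchange, KEYCLOAK_USERNAME, token.getPreferredUsername());
            setIdentityHeader(exchange, KEYCLOAK_EMAIL, token.getEmail());
            setIdentityHeader(exchange, KEYCLOAK_NAME, token.getName());
            if (this.sendAccessToken) {
                // Forwards the bearer credential itself, unlike the claim headers above.
                exchange.getRequestHeaders().put(this.httpHeaderNames.get(KEYCLOAK_ACCESS_TOKEN), account.getKeycloakSecurityContext().getTokenString());
            }
        }
        this.next.handleRequest(exchange);
    }

    /** Removes every configured identity header from the inbound request. */
    private void stripIdentityHeaders(HttpServerExchange exchange) {
        for (HttpString headerName : this.httpHeaderNames.values()) {
            exchange.getRequestHeaders().remove(headerName);
        }
    }

    /** Writes {@code value} under the header configured for {@code claimKey}; a {@code null} value is skipped. */
    private void setIdentityHeader(HttpServerExchange exchange, String claimKey, String value) {
        if (value != null) {
            exchange.getRequestHeaders().put(this.httpHeaderNames.get(claimKey), value);
        }
    }
}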
