package org.keycloak.authentication.authenticators.client;

import java.security.GeneralSecurityException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.ClientAuthenticationFlowContext;
import org.keycloak.models.AuthenticationExecutionModel;
import org.keycloak.models.ClientModel;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.services.ServicesLogger;
import org.keycloak.services.x509.X509ClientCertificateLookup;

/* loaded from: input_file:org/keycloak/authentication/authenticators/client/X509ClientAuthenticator.class */
public class X509ClientAuthenticator extends AbstractClientAuthenticator {
    public static final String PROVIDER_ID = "client-x509";
    public static final String ATTR_PREFIX = "x509";
    public static final String ATTR_SUBJECT_DN = "x509.subjectdn";
    protected static ServicesLogger logger = ServicesLogger.LOGGER;
    public static final AuthenticationExecutionModel.Requirement[] REQUIREMENT_CHOICES = {AuthenticationExecutionModel.Requirement.ALTERNATIVE, AuthenticationExecutionModel.Requirement.DISABLED};

    public void authenticateClient(ClientAuthenticationFlowContext clientAuthenticationFlowContext) {
        X509ClientCertificateLookup x509ClientCertificateLookup = (X509ClientCertificateLookup) clientAuthenticationFlowContext.getSession().getProvider(X509ClientCertificateLookup.class);
        if (x509ClientCertificateLookup == null) {
            logger.errorv("\"{0}\" Spi is not available, did you forget to update the configuration?", X509ClientCertificateLookup.class);
            return;
        }
        try {
            X509Certificate[] certificateChain = x509ClientCertificateLookup.getCertificateChain(clientAuthenticationFlowContext.getHttpRequest());
            String str = null;
            MediaType mediaType = clientAuthenticationFlowContext.getHttpRequest().getHttpHeaders().getMediaType();
            MultivaluedMap decodedFormParameters = mediaType != null && mediaType.isCompatible(MediaType.APPLICATION_FORM_URLENCODED_TYPE) ? clientAuthenticationFlowContext.getHttpRequest().getDecodedFormParameters() : null;
            MultivaluedMap queryParameters = clientAuthenticationFlowContext.getHttpRequest().getUri().getQueryParameters();
            if (decodedFormParameters != null) {
                str = (String) decodedFormParameters.getFirst("client_id");
            }
            if (str == null && queryParameters != null) {
                str = (String) queryParameters.getFirst("client_id");
            }
            if (str == null) {
                clientAuthenticationFlowContext.challenge(ClientAuthUtil.errorResponse(Response.Status.BAD_REQUEST.getStatusCode(), "invalid_client", "Missing client_id parameter"));
                return;
            }
            ClientModel clientByClientId = clientAuthenticationFlowContext.getRealm().getClientByClientId(str);
            if (clientByClientId == null) {
                clientAuthenticationFlowContext.failure(AuthenticationFlowError.CLIENT_NOT_FOUND, (Response) null);
                return;
            }
            clientAuthenticationFlowContext.getEvent().client(str);
            clientAuthenticationFlowContext.setClient(clientByClientId);
            if (!clientByClientId.isEnabled()) {
                clientAuthenticationFlowContext.failure(AuthenticationFlowError.CLIENT_DISABLED, (Response) null);
                return;
            }
            if (certificateChain == null || certificateChain.length == 0) {
                logger.debug("[X509ClientCertificateAuthenticator:authenticate] x509 client certificate is not available for mutual SSL.");
                clientAuthenticationFlowContext.attempted();
                return;
            }
            String attribute = clientByClientId.getAttribute(ATTR_SUBJECT_DN);
            if (attribute == null || attribute.length() == 0) {
                logger.errorf("[X509ClientCertificateAuthenticator:authenticate] x509.subjectdn is null or empty", new Object[0]);
                clientAuthenticationFlowContext.attempted();
                return;
            }
            Pattern compile = Pattern.compile(attribute);
            Optional findFirst = Arrays.stream(certificateChain).map(x509Certificate -> {
                return x509Certificate.getSubjectDN().getName();
            }).filter(str2 -> {
                return compile.matcher(str2).matches();
            }).findFirst();
            if (findFirst.isPresent()) {
                logger.debug("[X509ClientCertificateAuthenticator:authenticate] Matched " + ((String) findFirst.get()) + " certificate.");
                clientAuthenticationFlowContext.success();
            } else {
                if (logger.isDebugEnabled()) {
                    logger.debug("[X509ClientCertificateAuthenticator:authenticate] Couldn't match any certificate for pattern " + attribute);
                    logger.debug("[X509ClientCertificateAuthenticator:authenticate] Available SubjectDNs: " + Arrays.stream(certificateChain).map(x509Certificate2 -> {
                        return x509Certificate2.getSubjectDN().getName();
                    }).collect(Collectors.toList()));
                }
                clientAuthenticationFlowContext.attempted();
            }
        } catch (GeneralSecurityException e) {
            logger.errorf("[X509ClientCertificateAuthenticator:authenticate] Exception: %s", e.getMessage());
            clientAuthenticationFlowContext.attempted();
        }
    }

    public String getDisplayType() {
        return "X509 Certificate";
    }

    public boolean isConfigurable() {
        return false;
    }

    public AuthenticationExecutionModel.Requirement[] getRequirementChoices() {
        return REQUIREMENT_CHOICES;
    }

    public List<ProviderConfigProperty> getConfigPropertiesPerClient() {
        return Collections.emptyList();
    }

    public Map<String, Object> getAdapterConfiguration(ClientModel clientModel) {
        return Collections.emptyMap();
    }

    public Set<String> getProtocolAuthenticatorMethods(String str) {
        return str.equals("openid-connect") ? new HashSet() : Collections.emptySet();
    }

    public String getHelpText() {
        return "Validates client based on a X509 Certificate";
    }

    public List<ProviderConfigProperty> getConfigProperties() {
        return Collections.emptyList();
    }

    public String getId() {
        return PROVIDER_ID;
    }
}
