package org.wildfly.security.http.oidc;

import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Iterator;
import java.util.List;
import java.util.regex.Matcher;
import org.wildfly.security.http.HttpConstants;
import org.wildfly.security.http.oidc.AuthenticationError;
import org.wildfly.security.http.oidc.Oidc;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:org/wildfly/security/http/oidc/BearerTokenRequestAuthenticator.class */
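/**
 * Authenticates an HTTP request from the bearer token carried in its {@code Authorization} header.
 * <p>
 * {@link #authenticate()} picks the first header value matching {@link HttpConstants#BEARER_TOKEN_PATTERN}.
 * {@link #verifyToken(String)} then parses and verifies it through a {@link TokenValidator}, rejects tokens
 * issued before the configured not-before time and, when the token's access claim requests caller
 * verification, additionally requires the token to carry a trusted-certs claim and the connection to have
 * a peer certificate chain; the subject DN of the first peer certificate becomes the
 * {@linkplain #getSurrogate() surrogate}. Every failure leaves an {@link AuthChallenge} in
 * {@link #getChallenge()}.
 * <p>
 * NOTE(review): the trusted-certs claim is only tested for presence in this class; no comparison between
 * its entries and the peer certificate happens here. Confirm that a caller performs that comparison before
 * relying on {@code surrogate}.
 * <p>
 * Instances hold mutable per-request state and contain no synchronization.
 */
public class BearerTokenRequestAuthenticator {
    /** Request/response facade the token and peer certificates are read from. */
    protected OidcHttpFacade facade;
    /** Client configuration: realm, not-before time, role-mapping mode and error-delegation flag. */
    protected OidcClientConfiguration oidcClientConfiguration;
    /** Challenge produced by the last failed or not-attempted authentication; {@code null} until then. */
    protected AuthChallenge challenge;
    /** Raw bearer token extracted from the header; {@code null} if none matched. */
    protected String tokenString;
    /** Verified access token; set only after {@code parseAndVerifyToken} succeeds. */
    private AccessToken token;
    /** Subject DN of the first peer certificate when caller verification was requested. */
    private String surrogate;

    /**
     * Creates an authenticator bound to one request.
     *
     * @param oidcHttpFacade the facade for the request being authenticated
     * @param oidcClientConfiguration the OIDC client configuration to verify against
     */
    public BearerTokenRequestAuthenticator(OidcHttpFacade oidcHttpFacade, OidcClientConfiguration oidcClientConfiguration) {
        this.facade = oidcHttpFacade;
        this.oidcClientConfiguration = oidcClientConfiguration;
    }

    /** @return the challenge recorded by the last unsuccessful {@link #authenticate()}, or {@code null} */
    public AuthChallenge getChallenge() {
        return this.challenge;
    }

    /** @return the raw bearer token string found in the request, or {@code null} */
    public String getTokenString() {
        return this.tokenString;
    }

    /** @return the verified access token, or {@code null} if verification has not succeeded */
    public AccessToken getToken() {
        return this.token;
    }

    /** @return the peer certificate subject DN established during caller verification, or {@code null} */
    public String getSurrogate() {
        return this.surrogate;
    }

    /**
     * Looks for a bearer token in the {@code Authorization} header(s) and verifies it.
     * <p>
     * When several header values are present the first one matching the bearer pattern wins.
     *
     * @return {@code NOT_ATTEMPTED} when no bearer token is present (a {@code NO_BEARER_TOKEN} challenge is
     *         recorded), otherwise the outcome of {@link #verifyToken(String)}
     */
    public Oidc.AuthOutcome authenticate() {
        List<String> headers = this.facade.getRequest().getHeaders("Authorization");
        if (headers == null || headers.isEmpty()) {
            this.challenge = challengeResponse(AuthenticationError.Reason.NO_BEARER_TOKEN, null, null);
            return Oidc.AuthOutcome.NOT_ATTEMPTED;
        }
        for (String header : headers) {
            Matcher matcher = HttpConstants.BEARER_TOKEN_PATTERN.matcher(header);
            if (matcher.matches()) {
                this.tokenString = matcher.group(1);
                ElytronMessages.log.debugf("Found [%d] values in authorization header, selecting the first value for Bearer", Integer.valueOf(headers.size()));
                break;
            }
        }
        if (this.tokenString == null) {
            this.challenge = challengeResponse(AuthenticationError.Reason.NO_BEARER_TOKEN, null, null);
            return Oidc.AuthOutcome.NOT_ATTEMPTED;
        }
        return verifyToken(this.tokenString);
    }

    /**
     * Parses and verifies a bearer token and applies the not-before and caller-verification checks.
     * (Decompiler note: declared {@code protected} in the original source.)
     *
     * @param str the raw token string
     * @return {@code AUTHENTICATED} on success; {@code FAILED} with a matching challenge recorded when the
     *         token is invalid, stale, or caller verification cannot be satisfied
     */
    public Oidc.AuthOutcome verifyToken(String str) {
        ElytronMessages.log.debug("Verifying access_token");
        Oidc.logToken("\taccess_token", str);
        try {
            this.token = TokenValidator.builder(this.oidcClientConfiguration).build().parseAndVerifyToken(str);
            ElytronMessages.log.debug("Token Verification succeeded!");
            // A token without an "iat" claim cannot be shown to post-date the not-before time; treating it as
            // stale fails closed instead of letting the unboxing NPE escape the FAILED/challenge path.
            Number issuedAt = this.token.getIssuedAt();
            if (issuedAt == null || issuedAt.longValue() < this.oidcClientConfiguration.getNotBefore()) {
                ElytronMessages.log.debug(HttpConstants.STALE_TOKEN);
                this.challenge = challengeResponse(AuthenticationError.Reason.STALE_TOKEN, HttpConstants.INVALID_TOKEN, HttpConstants.STALE_TOKEN);
                return Oidc.AuthOutcome.FAILED;
            }
            // The verify-caller flag is read from the resource-access claim or the realm-access claim,
            // depending on the configured role-mapping source.
            RealmAccessClaim accessClaim = this.oidcClientConfiguration.isUseResourceRoleMappings()
                    ? this.token.getResourceAccessClaim(this.oidcClientConfiguration.getResourceName())
                    : this.token.getRealmAccessClaim();
            if (isVerifyCaller(accessClaim)) {
                List<String> trustedCertsClaim = this.token.getTrustedCertsClaim();
                if (trustedCertsClaim == null || trustedCertsClaim.isEmpty()) {
                    ElytronMessages.log.noTrustedCertificatesInToken();
                    this.challenge = clientCertChallenge();
                    return Oidc.AuthOutcome.FAILED;
                }
                Certificate[] certificateChain = this.facade.getCertificateChain();
                // A leaf that is not an X.509 certificate is as unusable as no certificate at all; the
                // instanceof guard keeps an unexpected type from surfacing as a ClassCastException.
                if (certificateChain == null || certificateChain.length == 0
                        || !(certificateChain[0] instanceof X509Certificate)) {
                    ElytronMessages.log.noPeerCertificatesEstablishedOnConnection();
                    this.challenge = clientCertChallenge();
                    return Oidc.AuthOutcome.FAILED;
                }
                // getSubjectDN() is kept (rather than getSubjectX500Principal()) so the DN string format
                // seen by consumers of the surrogate does not change.
                this.surrogate = ((X509Certificate) certificateChain[0]).getSubjectDN().getName();
            }
            ElytronMessages.log.debug("Successfully authorized");
            return Oidc.AuthOutcome.AUTHENTICATED;
        } catch (OidcException e) {
            ElytronMessages.log.failedVerificationOfToken(e.getMessage());
            this.challenge = challengeResponse(AuthenticationError.Reason.INVALID_TOKEN, HttpConstants.INVALID_TOKEN, e.getMessage());
            return Oidc.AuthOutcome.FAILED;
        }
    }

    /**
     * @param realmAccessClaim the access claim to inspect, may be {@code null}
     * @return {@code true} only when the claim is present and its verify-caller flag is {@code TRUE}
     */
    private boolean isVerifyCaller(RealmAccessClaim realmAccessClaim) {
        return realmAccessClaim != null && Boolean.TRUE.equals(realmAccessClaim.getVerifyCaller());
    }

    /**
     * Builds a {@code Bearer} challenge carrying the configured realm plus optional {@code error} and
     * error-description parameters. (Decompiler note: declared {@code protected} in the original source.)
     * <p>
     * The returned challenge records an {@link AuthenticationError} on the request, adds the
     * {@code WWW-Authenticate} header and then either only sets status 401 (when error-response sending is
     * delegated by configuration) or calls {@code sendError(401)}; it always returns {@code true}.
     *
     * @param reason the error reason stored on the request
     * @param str the {@code error} parameter value, or {@code null} to omit it
     * @param str2 the error-description parameter value, or {@code null} to omit it
     * @return a challenge with response code 401
     */
    public AuthChallenge challengeResponse(final AuthenticationError.Reason reason, String str, final String str2) {
        StringBuilder sb = new StringBuilder("Bearer");
        if (this.oidcClientConfiguration.getRealm() != null) {
            sb.append(" ").append(HttpConstants.REALM).append("=").append(quotedString(this.oidcClientConfiguration.getRealm()));
            if (str != null || str2 != null) {
                sb.append(",");
            }
        }
        if (str != null) {
            sb.append(" ").append("error").append("=").append(quotedString(str));
            if (str2 != null) {
                sb.append(",");
            }
        }
        if (str2 != null) {
            sb.append(" ").append(HttpConstants.ERROR_DESCRIPTION).append("=").append(quotedString(str2));
        }
        final String sb2 = sb.toString();
        return new AuthChallenge() {
            @Override
            public int getResponseCode() {
                return 401;
            }

            @Override
            public boolean challenge(OidcHttpFacade oidcHttpFacade) {
                oidcHttpFacade.getRequest().setError(new AuthenticationError(reason, str2));
                oidcHttpFacade.getResponse().addHeader("WWW-Authenticate", sb2);
                if (BearerTokenRequestAuthenticator.this.oidcClientConfiguration.isDelegateBearerErrorResponseSending()) {
                    oidcHttpFacade.getResponse().setStatus(401);
                    return true;
                }
                oidcHttpFacade.getResponse().sendError(401);
                return true;
            }
        };
    }

    /**
     * Renders a value as an HTTP quoted-string: wrapped in double quotes with {@code "} and {@code \}
     * backslash-escaped and CR/LF dropped.
     * <p>
     * The description placed in the header can originate from token-verification failure messages, so it
     * must not be able to close the quoted-string early or terminate the header line. Values without
     * these characters render exactly as before.
     *
     * @param value the raw parameter value, not {@code null}
     * @return the quoted form
     */
    private static String quotedString(String value) {
        StringBuilder out = new StringBuilder(value.length() + 2).append('"');
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c == '\r' || c == '\n') {
                continue;
            }
            if (c == '"' || c == '\\') {
                out.append('\\');
            }
            out.append(c);
        }
        return out.append('"').toString();
    }

    /**
     * Challenge used when caller verification fails: it reports response code 0 and its
     * {@code challenge} method returns {@code false} without touching the response.
     *
     * @return the no-op client-certificate challenge
     */
    protected AuthChallenge clientCertChallenge() {
        return new AuthChallenge() {
            @Override
            public int getResponseCode() {
                return 0;
            }

            @Override
            public boolean challenge(OidcHttpFacade oidcHttpFacade) {
                return false;
            }
        };
    }
}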
