package org.keycloak.adapters;

import org.apache.http.HttpHeaders;
import org.jboss.logging.Logger;
import org.keycloak.KeycloakPrincipal;

/* loaded from: input_file:WEB-INF/lib/keycloak-adapter-core-1.0-beta-4.jar:org/keycloak/adapters/RequestAuthenticator.class */
/**
 * Base class that decides the authentication outcome for the request exposed by an
 * {@link HttpFacade}.
 *
 * <p>{@link #authenticate()} tries a bearer token first. Unless the deployment is bearer-only,
 * it then accepts a cached authentication (as reported by {@link #isCached()}) or runs the
 * OAuth flow. Subclasses provide the OAuth authenticator, the cache lookup and the hooks
 * that publish the resulting principal.
 */
public abstract class RequestAuthenticator {
    // Shared logger. It is protected and non-final, so subclasses can read and reassign it.
    protected static Logger log = Logger.getLogger(RequestAuthenticator.class);
    protected HttpFacade facade;
    protected KeycloakDeployment deployment;
    // Challenge recorded by the last failed or not-attempted step; stays null otherwise.
    protected AuthChallenge challenge;
    // Stored by the three-argument constructor; never read inside this class.
    protected int sslRedirectPort;

    /**
     * Creates an authenticator bound to one request facade and deployment.
     *
     * @param httpFacade         request/response access used by every step
     * @param keycloakDeployment deployment settings (bearer-only flag, SSL requirement)
     * @param i                  value stored as {@code sslRedirectPort}
     */
    public RequestAuthenticator(HttpFacade httpFacade, KeycloakDeployment keycloakDeployment, int i) {
        this.facade = httpFacade;
        this.deployment = keycloakDeployment;
        this.sslRedirectPort = i;
    }

    /**
     * Creates an authenticator whose {@code sslRedirectPort} is 0.
     *
     * @param httpFacade         request/response access used by every step
     * @param keycloakDeployment deployment settings (bearer-only flag, SSL requirement)
     */
    public RequestAuthenticator(HttpFacade httpFacade, KeycloakDeployment keycloakDeployment) {
        this(httpFacade, keycloakDeployment, 0);
    }

    /**
     * Returns the challenge recorded by the most recent {@link #authenticate()} call.
     *
     * @return the recorded challenge, or {@code null} when none was recorded; the paths in
     *         {@link #authenticate()} that reject a request for missing SSL do not set one
     */
    public AuthChallenge getChallenge() {
        return this.challenge;
    }

    /**
     * Runs the authentication sequence: bearer token, then cached authentication, then OAuth.
     *
     * <p>Security-relevant ordering: the transport check ({@link #verifySSL()}) runs only
     * after a step has already accepted the credential. Rejecting at that point refuses the
     * request, but a credential sent on a request the container reports as not secure has
     * already been transmitted. These rejections return {@link AuthOutcome#FAILED} without
     * assigning a challenge, so callers must handle a {@code null} {@link #getChallenge()}.
     *
     * <p>Every call logs its progress at INFO level.
     *
     * @return {@code AUTHENTICATED}, {@code FAILED} or {@code NOT_ATTEMPTED}
     */
    public AuthOutcome authenticate() {
        log.info("--> authenticate()");
        BearerTokenRequestAuthenticator bearer = createBearerTokenAuthenticator();
        log.info("try bearer");
        AuthOutcome bearerOutcome = bearer.authenticate(this.facade);

        if (bearerOutcome == AuthOutcome.FAILED) {
            // A bearer credential was presented and rejected: stop here, do not try OAuth.
            this.challenge = bearer.getChallenge();
            log.info("Bearer FAILED");
            return AuthOutcome.FAILED;
        } else if (bearerOutcome == AuthOutcome.AUTHENTICATED) {
            // verifySSL() returns true when the request must be refused.
            if (verifySSL()) {
                return AuthOutcome.FAILED;
            }
            completeAuthentication(bearer);
            log.info("Bearer AUTHENTICATED");
            return AuthOutcome.AUTHENTICATED;
        }

        // Any other bearer outcome: fall back to browser-style login unless bearer-only.
        if (this.deployment.isBearerOnly()) {
            this.challenge = bearer.getChallenge();
            log.info("NOT_ATTEMPTED: bearer only");
            return AuthOutcome.NOT_ATTEMPTED;
        }

        log.info("try oauth");
        if (isCached()) {
            if (verifySSL()) {
                return AuthOutcome.FAILED;
            }
            // No completion hook is called on this path.
            // NOTE(review): presumably isCached() implementations restore the principal
            // themselves - confirm in the subclasses.
            log.info("AUTHENTICATED: was cached");
            return AuthOutcome.AUTHENTICATED;
        }

        OAuthRequestAuthenticator oauth = createOAuthAuthenticator();
        AuthOutcome oauthOutcome = oauth.authenticate();
        if (oauthOutcome == AuthOutcome.FAILED || oauthOutcome == AuthOutcome.NOT_ATTEMPTED) {
            this.challenge = oauth.getChallenge();
            return oauthOutcome;
        }

        // NOTE(review): every outcome other than FAILED / NOT_ATTEMPTED (including null)
        // reaches this point and is treated as success. That is fail-open if AuthOutcome has
        // or gains further values; an explicit == AUTHENTICATED check would be stricter.
        if (verifySSL()) {
            return AuthOutcome.FAILED;
        }
        completeAuthentication(oauth);

        // Redirect to the URI supplied by the OAuth authenticator and end the response.
        // NOTE(review): presumably the request URI without the OAuth callback parameters.
        this.facade.getResponse().setHeader(HttpHeaders.LOCATION, oauth.getStrippedOauthParametersRequestUri());
        this.facade.getResponse().setStatus(302);
        this.facade.getResponse().end();
        log.info("AUTHENTICATED");
        return AuthOutcome.AUTHENTICATED;
    }

    /**
     * Checks whether the request violates the deployment's SSL requirement.
     *
     * <p>Despite its name, the result is inverted: {@code true} means the request must be
     * REJECTED and {@code false} means it may proceed.
     *
     * <p>NOTE(review): the decision relies on {@code isSecure()} and {@code getRemoteAddr()}
     * as reported by the container. Behind a reverse proxy or TLS terminator both values
     * depend on how the container is configured - confirm for the target deployment.
     *
     * @return {@code true} when SSL is required for this remote address and the request is
     *         not secure; {@code false} otherwise
     */
    protected boolean verifySSL() {
        if (this.facade.getRequest().isSecure()) {
            return false;
        }
        // The remote address is looked up only for requests that are not secure.
        boolean sslRequired = this.deployment.getSslRequired().isRequired(this.facade.getRequest().getRemoteAddr());
        if (!sslRequired) {
            return false;
        }
        log.warn("SSL is required to authenticate");
        return true;
    }

    /** Supplies the authenticator that runs the OAuth flow for this request. */
    protected abstract OAuthRequestAuthenticator createOAuthAuthenticator();

    /**
     * Supplies the authenticator used for the bearer-token step.
     *
     * @return a new bearer authenticator bound to this deployment
     */
    protected BearerTokenRequestAuthenticator createBearerTokenAuthenticator() {
        return new BearerTokenRequestAuthenticator(this.deployment);
    }

    /**
     * Builds the security context and principal from a successful OAuth exchange and passes
     * them to {@link #completeOAuthAuthentication}.
     *
     * @param oAuthRequestAuthenticator authenticator holding the access, ID and refresh tokens
     */
    protected void completeAuthentication(OAuthRequestAuthenticator oAuthRequestAuthenticator) {
        RefreshableKeycloakSecurityContext securityContext = new RefreshableKeycloakSecurityContext(
                this.deployment,
                oAuthRequestAuthenticator.getTokenString(),
                oAuthRequestAuthenticator.getToken(),
                oAuthRequestAuthenticator.getIdTokenString(),
                oAuthRequestAuthenticator.getIdToken(),
                oAuthRequestAuthenticator.getRefreshToken());
        // The principal is named after the access token's subject.
        KeycloakPrincipal principal = new KeycloakPrincipal(oAuthRequestAuthenticator.getToken().getSubject(), securityContext);
        completeOAuthAuthentication(principal, securityContext);
    }

    /** Hook that publishes the principal after a successful OAuth login. */
    protected abstract void completeOAuthAuthentication(KeycloakPrincipal keycloakPrincipal, RefreshableKeycloakSecurityContext refreshableKeycloakSecurityContext);

    /** Hook that publishes the principal after a successful bearer-token authentication. */
    protected abstract void completeBearerAuthentication(KeycloakPrincipal keycloakPrincipal, RefreshableKeycloakSecurityContext refreshableKeycloakSecurityContext);

    /** Reports whether the request already carries an authentication that can be reused. */
    protected abstract boolean isCached();

    /**
     * Builds the security context and principal from an accepted bearer token and passes
     * them to {@link #completeBearerAuthentication}.
     *
     * @param bearerTokenRequestAuthenticator authenticator holding the accepted access token
     */
    protected void completeAuthentication(BearerTokenRequestAuthenticator bearerTokenRequestAuthenticator) {
        // Bearer requests carry only an access token, so the ID-token string, ID token and
        // refresh token are passed as null.
        RefreshableKeycloakSecurityContext securityContext = new RefreshableKeycloakSecurityContext(
                this.deployment,
                bearerTokenRequestAuthenticator.getTokenString(),
                bearerTokenRequestAuthenticator.getToken(),
                null,
                null,
                null);
        KeycloakPrincipal principal = new KeycloakPrincipal(bearerTokenRequestAuthenticator.getToken().getSubject(), securityContext);
        completeBearerAuthentication(principal, securityContext);
    }
}
