package org.keycloak.adapters;

import ar.com.fernandospr.wns.model.types.WnsRequestForStatusType;
import java.io.IOException;
import java.util.UUID;
import java.util.concurrent.atomic.AtomicLong;
import org.apache.commons.httpclient.cookie.CookieSpec;
import org.jboss.logging.Logger;
import org.keycloak.OAuth2Constants;
import org.keycloak.RSATokenVerifier;
import org.keycloak.VerificationException;
import org.keycloak.adapters.HttpFacade;
import org.keycloak.adapters.ServerRequest;
import org.keycloak.enums.TokenStore;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.AccessTokenResponse;
import org.keycloak.representations.IDToken;
import org.keycloak.util.KeycloakUriBuilder;
import org.keycloak.util.UriUtils;

/* loaded from: input_file:WEB-INF/lib/keycloak-adapter-core-1.1.0.Final.jar:org/keycloak/adapters/OAuthRequestAuthenticator.class */
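/**
 * Drives the OAuth2 authorization-code flow for a Keycloak-protected web
 * application (adapter side).
 *
 * <p>On a request that carries no {@code code} query parameter it produces a
 * redirect challenge to the realm's authorization endpoint and binds the flow
 * to the browser with a random {@code state} value stored in a cookie. On the
 * callback it checks that cookie against the {@code state} query parameter
 * (the CSRF protection for the callback), exchanges the code for tokens over
 * the back channel, verifies the access token's RSA signature against the
 * realm key and applies the deployment's not-before policy.
 *
 * <p>One instance serves one request: {@link #authenticate()} populates the
 * token fields and the challenge, and the caller reads them afterwards.
 *
 * <p>Note: this is a cleaned-up decompilation of
 * keycloak-adapter-core-1.1.0.Final; decompiler artifacts (constant
 * inlining through unrelated classes, renamed {@code clone()}) were
 * restored to their literal form.
 */
public class OAuthRequestAuthenticator {
    protected KeycloakDeployment deployment;
    protected RequestAuthenticator reqAuthenticator;
    protected int sslRedirectPort;
    protected AdapterTokenStore tokenStore;
    protected String tokenString;
    protected String idTokenString;
    protected IDToken idToken;
    protected AccessToken token;
    protected HttpFacade facade;
    protected AuthChallenge challenge;
    protected String refreshToken;
    protected String strippedOauthParametersRequestUri;
    private static final Logger log = Logger.getLogger(OAuthRequestAuthenticator.class);
    /** Per-JVM sequence prefixed to every state value (see {@link #getStateCode()}). */
    protected static final AtomicLong counter = new AtomicLong();

    /**
     * @param requestAuthenticator the owning authenticator (used for the HTTP
     *                             session id when the token store is SESSION)
     * @param httpFacade           request/response abstraction for this request
     * @param keycloakDeployment   realm/client configuration and realm public key
     * @param i                    port to redirect to when SSL is required but the
     *                             request is plain HTTP; negative means "none"
     * @param adapterTokenStore    store that remembers the original request across
     *                             the login redirect
     */
    public OAuthRequestAuthenticator(RequestAuthenticator requestAuthenticator, HttpFacade httpFacade, KeycloakDeployment keycloakDeployment, int i, AdapterTokenStore adapterTokenStore) {
        this.reqAuthenticator = requestAuthenticator;
        this.facade = httpFacade;
        this.deployment = keycloakDeployment;
        this.sslRedirectPort = i;
        this.tokenStore = adapterTokenStore;
    }

    /** Challenge to send when {@link #authenticate()} did not authenticate; {@code null} on success. */
    public AuthChallenge getChallenge() {
        return this.challenge;
    }

    /** Raw (signed) access token string, set after a successful code exchange. */
    public String getTokenString() {
        return this.tokenString;
    }

    /** Verified access token, set after a successful code exchange. */
    public AccessToken getToken() {
        return this.token;
    }

    /** Refresh token returned by the token endpoint, if any. */
    public String getRefreshToken() {
        return this.refreshToken;
    }

    /** Raw ID token string returned by the token endpoint, or {@code null}. */
    public String getIdTokenString() {
        return this.idTokenString;
    }

    public void setIdTokenString(String str) {
        this.idTokenString = str;
    }

    /** Decoded ID token (see {@link #resolveCode(String)} for how it is read). */
    public IDToken getIdToken() {
        return this.idToken;
    }

    public void setIdToken(IDToken iDToken) {
        this.idToken = iDToken;
    }

    /** Callback URL with the {@code code} and {@code state} parameters removed. */
    public String getStrippedOauthParametersRequestUri() {
        return this.strippedOauthParametersRequestUri;
    }

    public void setStrippedOauthParametersRequestUri(String str) {
        this.strippedOauthParametersRequestUri = str;
    }

    protected String getRequestUrl() {
        return this.facade.getRequest().getURI();
    }

    protected boolean isRequestSecure() {
        return this.facade.getRequest().isSecure();
    }

    protected HttpFacade.Cookie getCookie(String str) {
        return this.facade.getRequest().getCookie(str);
    }

    /** Value of the named request cookie, or {@code null} when absent. */
    protected String getCookieValue(String str) {
        HttpFacade.Cookie cookie = getCookie(str);
        return cookie == null ? null : cookie.getValue();
    }

    protected String getQueryParamValue(String str) {
        return this.facade.getRequest().getQueryParamValue(str);
    }

    /** The OAuth2 {@code error} query parameter, if the auth server sent one. */
    protected String getError() {
        return getQueryParamValue("error");
    }

    /** The OAuth2 authorization {@code code} query parameter, if present. */
    protected String getCode() {
        return getQueryParamValue(OAuth2Constants.CODE);
    }

    /**
     * Whether the deployment's SSL policy applies to this request's remote
     * address (e.g. "external" only requires SSL for non-private addresses).
     */
    private boolean sslRequiredForRemote() {
        return this.deployment.getSslRequired().isRequired(this.facade.getRequest().getRemoteAddr());
    }

    /**
     * Builds the authorization-endpoint URL to redirect the browser to.
     *
     * <p>The callback ({@code redirect_uri}) is the current request URL with
     * any {@code login_hint} stripped. If the deployment requires SSL for this
     * client and the request arrived over plain HTTP, the callback is rewritten
     * to {@code https} on the configured SSL redirect port so the code is not
     * delivered over HTTP. A {@code login_hint} on the incoming request is
     * forwarded to the auth server as-is (it is untrusted input; the URI
     * builder is relied on to encode it).
     *
     * @param str the opaque state value that is also stored in the state cookie
     * @return the full authorization URL, or {@code null} when SSL is required
     *         but no SSL redirect port is configured (the caller must refuse)
     */
    protected String getRedirectUri(String str) {
        String callbackUrl = getRequestUrl();
        log.debugf("callback uri: %s", callbackUrl);
        if (!isRequestSecure() && sslRequiredForRemote()) {
            int port = sslRedirectPort();
            if (port < 0) {
                // No https port to redirect to: refuse rather than run the
                // flow over plain HTTP.
                return null;
            }
            KeycloakUriBuilder secureUrl = KeycloakUriBuilder.fromUri(callbackUrl).scheme("https").port(-1);
            if (port != 443) {
                secureUrl.port(port);
            }
            callbackUrl = secureUrl.build().toString();
        }
        String loginHint = getQueryParamValue("login_hint");
        KeycloakUriBuilder authUrl = this.deployment.getAuthUrl().clone()
                .queryParam(OAuth2Constants.CLIENT_ID, this.deployment.getResourceName())
                .queryParam(OAuth2Constants.REDIRECT_URI, UriUtils.stripQueryParam(callbackUrl, "login_hint"))
                .queryParam(OAuth2Constants.STATE, str)
                .queryParam("login", "true");
        if (loginHint != null && loginHint.length() > 0) {
            authUrl.queryParam("login_hint", loginHint);
        }
        return authUrl.build().toString();
    }

    protected int sslRedirectPort() {
        return this.sslRedirectPort;
    }

    /**
     * Produces a fresh, unguessable state value: a per-JVM sequence number
     * followed by a random UUID ({@code UUID.randomUUID()} is backed by
     * {@code SecureRandom}, so the value is suitable as a CSRF binding token).
     */
    protected String getStateCode() {
        return counter.getAndIncrement() + "/" + UUID.randomUUID().toString();
    }

    /**
     * Creates the challenge that starts the login: saves the current request
     * in the token store, sets the state cookie and redirects (302) to the
     * authorization endpoint. When no https callback can be built (SSL
     * required, no redirect port) the challenge is a plain 403 instead.
     *
     * <p>The state cookie is marked {@code Secure} only when the deployment's
     * SSL policy applies to the client, and {@code HttpOnly} always: it is a
     * CSRF binding token that no script needs to read.
     */
    protected AuthChallenge loginRedirect() {
        final String stateCode = getStateCode();
        final String redirectUri = getRedirectUri(stateCode);
        if (redirectUri == null) {
            return new AuthChallenge() {
                @Override
                public boolean challenge(HttpFacade httpFacade) {
                    httpFacade.getResponse().setStatus(403);
                    return true;
                }

                @Override
                public boolean errorPage() {
                    return true;
                }
            };
        }
        return new AuthChallenge() {
            @Override
            public boolean errorPage() {
                return false;
            }

            @Override
            public boolean challenge(HttpFacade httpFacade) {
                OAuthRequestAuthenticator.this.tokenStore.saveRequest();
                OAuthRequestAuthenticator.log.debug("Sending redirect to login page: " + redirectUri);
                httpFacade.getResponse().setStatus(302);
                boolean secure = OAuthRequestAuthenticator.this.sslRequiredForRemote();
                // path=null, domain=null, maxAge=-1 (session cookie), httpOnly=true
                httpFacade.getResponse().setCookie(OAuthRequestAuthenticator.this.deployment.getStateCookieName(), stateCode, null, null, -1, secure, true);
                httpFacade.getResponse().setHeader("Location", redirectUri);
                return true;
            }
        };
    }

    /**
     * Validates the callback's {@code state} query parameter against the
     * state cookie set by {@link #loginRedirect()}. The cookie is cleared on
     * every callback (single use) regardless of the outcome.
     *
     * @return {@code null} when the values match; otherwise a 400 challenge
     */
    protected AuthChallenge checkStateCookie() {
        String cookieName = this.deployment.getStateCookieName();
        HttpFacade.Cookie stateCookie = getCookie(cookieName);
        if (stateCookie == null) {
            log.warn("No state cookie");
            return challenge(400);
        }
        log.debug("** reseting application state cookie");
        this.facade.getResponse().resetCookie(cookieName, stateCookie.getPath());
        String expectedState = stateCookie.getValue();
        String receivedState = getQueryParamValue(OAuth2Constants.STATE);
        if (receivedState == null) {
            log.warn("state parameter was null");
            return challenge(400);
        }
        if (!receivedState.equals(expectedState)) {
            // Both values are logged to help debug misconfigured cookie paths;
            // the state is single-use and already reset above.
            log.warn("state parameter invalid");
            log.warn("cookie: " + expectedState);
            log.warn("queryParam: " + receivedState);
            return challenge(400);
        }
        return null;
    }

    /**
     * Entry point for one request.
     *
     * @return {@code AUTHENTICATED} when a code was exchanged and verified
     *         (tokens populated); {@code FAILED} when a code or an
     *         {@code error} parameter was present but could not be accepted
     *         ({@link #getChallenge()} carries the error response);
     *         {@code NOT_ATTEMPTED} when a login redirect challenge was prepared
     */
    public AuthOutcome authenticate() {
        String code = getCode();
        if (code != null) {
            log.debug("there was a code, resolving");
            this.challenge = resolveCode(code);
            return this.challenge == null ? AuthOutcome.AUTHENTICATED : AuthOutcome.FAILED;
        }
        log.debug("there was no code");
        String error = getError();
        if (error != null) {
            // 'error' is attacker-controllable query input; it is only logged.
            log.warn("There was an error: " + error);
            this.challenge = challenge(400);
            return AuthOutcome.FAILED;
        }
        log.debug("redirecting to auth server");
        this.challenge = loginRedirect();
        return AuthOutcome.NOT_ATTEMPTED;
    }

    /** A challenge that responds with the given HTTP status and shows the error page. */
    protected AuthChallenge challenge(final int i) {
        return new AuthChallenge() {
            @Override
            public boolean errorPage() {
                return true;
            }

            @Override
            public boolean challenge(HttpFacade httpFacade) {
                httpFacade.getResponse().setStatus(i);
                return true;
            }
        };
    }

    /**
     * Handles the authorization callback: enforces the SSL policy, validates
     * the state cookie, exchanges the code for tokens via the back channel
     * and verifies the access token.
     *
     * <p>Verification: the access token's signature is checked against the
     * realm's public key and its {@code iat} is compared with the deployment's
     * not-before value (which is first raised to the server's not-before
     * policy if that is newer). The ID token, when present, is only JSON-decoded
     * from the JWS payload here — its signature is not verified by this
     * method; it is trusted because it arrived on the direct adapter-to-server
     * token response rather than through the browser.
     *
     * @param str the authorization code from the query string
     * @return {@code null} on success; otherwise a 403 challenge (400 for
     *         state problems, via {@link #checkStateCookie()})
     */
    protected AuthChallenge resolveCode(String str) {
        if (!isRequestSecure() && sslRequiredForRemote()) {
            log.error("Adapter requires SSL. Request: " + this.facade.getRequest().getURI());
            return challenge(403);
        }
        log.debug("checking state cookie for after code");
        AuthChallenge stateFailure = checkStateCookie();
        if (stateFailure != null) {
            return stateFailure;
        }
        // The redirect_uri presented at the token endpoint must match the one
        // used in the authorization request, i.e. the callback without code/state.
        this.strippedOauthParametersRequestUri = stripOauthParametersFromRedirect();
        // The HTTP session id is only sent when the adapter keeps tokens in the
        // session, so the server can tie the SSO session to it.
        String sessionId = this.deployment.getTokenStore() == TokenStore.SESSION ? this.reqAuthenticator.getHttpSessionId(true) : null;
        try {
            AccessTokenResponse tokenResponse = ServerRequest.invokeAccessCodeToToken(this.deployment, str, this.strippedOauthParametersRequestUri, sessionId);
            this.tokenString = tokenResponse.getToken();
            this.refreshToken = tokenResponse.getRefreshToken();
            this.idTokenString = tokenResponse.getIdToken();
            try {
                this.token = RSATokenVerifier.verifyToken(this.tokenString, this.deployment.getRealmKey(), this.deployment.getRealm());
                if (this.idTokenString != null) {
                    try {
                        this.idToken = (IDToken) new JWSInput(this.idTokenString).readJsonContent(IDToken.class);
                    } catch (IOException e) {
                        // An unparseable ID token is treated like a failed verification.
                        log.debug("failed to parse id token", e);
                        throw new VerificationException();
                    }
                }
                log.debug("Token Verification succeeded!");
                if (tokenResponse.getNotBeforePolicy() > this.deployment.getNotBefore()) {
                    this.deployment.setNotBefore(tokenResponse.getNotBeforePolicy());
                }
                if (this.token.getIssuedAt() < this.deployment.getNotBefore()) {
                    // Issued before the realm/client not-before: revoked by policy.
                    log.error("Stale token");
                    return challenge(403);
                }
                log.debug("successful authenticated");
                return null;
            } catch (VerificationException e2) {
                log.error("failed verification of token");
                return challenge(403);
            }
        } catch (IOException e3) {
            log.error("failed to turn code into token", e3);
            return challenge(403);
        } catch (ServerRequest.HttpFailure e4) {
            log.error("failed to turn code into token");
            log.error("status from server: " + e4.getStatus());
            if (e4.getStatus() == 400 && e4.getError() != null) {
                log.error("   " + e4.getError());
            }
            return challenge(403);
        }
    }

    /** The current request URL with the {@code code} and {@code state} query parameters removed. */
    protected String stripOauthParametersFromRedirect() {
        return KeycloakUriBuilder.fromUri(this.facade.getRequest().getURI())
                .replaceQueryParam(OAuth2Constants.CODE, null)
                .replaceQueryParam(OAuth2Constants.STATE, null)
                .build()
                .toString();
    }
}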
