package org.keycloak.adapters.springsecurity.token;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.keycloak.KeycloakPrincipal;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.adapters.AdapterUtils;
import org.keycloak.adapters.CookieTokenStore;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.OIDCHttpFacade;
import org.keycloak.adapters.OidcKeycloakAccount;
import org.keycloak.adapters.RefreshableKeycloakSecurityContext;
import org.keycloak.adapters.RequestAuthenticator;
import org.keycloak.adapters.spi.HttpFacade;
import org.keycloak.adapters.springsecurity.account.SimpleKeycloakAccount;
import org.keycloak.adapters.springsecurity.facade.SimpleHttpFacade;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.util.Assert;

/* loaded from: input_file:BOOT-INF/lib/keycloak-spring-security-adapter-14.0.0.jar:org/keycloak/adapters/springsecurity/token/SpringSecurityCookieTokenStore.class */
/**
 * Token store that restores the Keycloak principal from a browser cookie and
 * mirrors every token change (login, refresh, logout) back into that cookie.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>The cookie is client-controlled input. This class does not verify it
 *       itself; it relies entirely on
 *       {@code CookieTokenStore.getPrincipalFromCookie} returning {@code null}
 *       for a missing or invalid cookie. NOTE(review): confirm that helper
 *       performs signature and issuer verification.</li>
 *   <li>Cookie attributes (Secure, HttpOnly, path, lifetime) are decided by
 *       {@code CookieTokenStore.setTokenCookie}, not here.</li>
 *   <li>Only the principal name is logged, at debug level; token material is
 *       never written to the log by this class.</li>
 * </ul>
 *
 * <p>An instance wraps a single request/response pair, so it is presumably
 * created per request (not visible from this class; verify against the caller).
 */
public class SpringSecurityCookieTokenStore extends SpringSecurityTokenStore {
    private final Logger logger = LoggerFactory.getLogger(SpringSecurityCookieTokenStore.class);
    private final KeycloakDeployment deployment;
    private final HttpFacade facade;

    // Set once checkCurrentToken() has completed, so isCached() does not evaluate
    // the cookie a second time. volatile gives visibility only; the check-then-act
    // in isCached() is not atomic.
    private volatile boolean cookieChecked = false;

    /**
     * Creates a cookie-backed token store for one request/response pair.
     *
     * @param keycloakDeployment  deployment configuration passed to the cookie helpers
     * @param httpServletRequest  current request, source of the token cookie
     * @param httpServletResponse current response, target of cookie updates; must not be null
     * @throws IllegalArgumentException if {@code httpServletResponse} is null
     *         (raised by Spring's {@code Assert.notNull})
     */
    public SpringSecurityCookieTokenStore(KeycloakDeployment keycloakDeployment, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        super(keycloakDeployment, httpServletRequest);
        Assert.notNull(httpServletResponse, "HttpServletResponse is required");
        this.deployment = keycloakDeployment;
        this.facade = new SimpleHttpFacade(httpServletRequest, httpServletResponse);
    }

    /**
     * Establishes the Spring Security authentication from the token cookie when
     * the cookie yields a usable principal; otherwise defers to the parent store.
     * Either way the cookie is marked as checked afterwards.
     */
    @Override
    public void checkCurrentToken() {
        KeycloakPrincipal<RefreshableKeycloakSecurityContext> cookiePrincipal = checkPrincipalFromCookie();
        if (cookiePrincipal == null) {
            // No usable cookie: let the parent store decide.
            super.checkCurrentToken();
        } else {
            RefreshableKeycloakSecurityContext cookieContext = cookiePrincipal.getKeycloakSecurityContext();
            // The facade is always the SimpleHttpFacade built in the constructor;
            // this cast assumes that class implements OIDCHttpFacade.
            KeycloakSecurityContext requestContext = ((OIDCHttpFacade) this.facade).getSecurityContext();
            if (requestContext != null) {
                // Carry over the authorization context already attached to the request.
                cookieContext.setAuthorizationContext(requestContext.getAuthorizationContext());
            }
            SecurityContextHolder.getContext().setAuthentication(toAuthentication(cookiePrincipal, cookieContext));
        }
        this.cookieChecked = true;
    }

    /**
     * Reports whether the request is already authenticated, evaluating the token
     * cookie first if that has not happened yet on this instance.
     *
     * @param requestAuthenticator authenticator forwarded to the parent store
     * @return the parent store's answer after the cookie has been evaluated
     */
    @Override
    public boolean isCached(RequestAuthenticator requestAuthenticator) {
        boolean cookiePending = !this.cookieChecked;
        if (cookiePending) {
            checkCurrentToken();
        }
        return super.isCached(requestAuthenticator);
    }

    /**
     * Runs the parent refresh handling and then rewrites the token cookie so the
     * browser holds the refreshed tokens.
     *
     * @param refreshableKeycloakSecurityContext security context carrying the refreshed tokens
     */
    @Override
    public void refreshCallback(RefreshableKeycloakSecurityContext refreshableKeycloakSecurityContext) {
        super.refreshCallback(refreshableKeycloakSecurityContext);
        CookieTokenStore.setTokenCookie(this.deployment, this.facade, refreshableKeycloakSecurityContext);
    }

    /**
     * Stores the account through the parent store and then writes its tokens into
     * the cookie.
     *
     * @param oidcKeycloakAccount account whose security context is persisted; the
     *        context must be a {@code RefreshableKeycloakSecurityContext}, otherwise
     *        the cast below throws {@code ClassCastException}
     */
    @Override
    public void saveAccountInfo(OidcKeycloakAccount oidcKeycloakAccount) {
        super.saveAccountInfo(oidcKeycloakAccount);
        RefreshableKeycloakSecurityContext accountContext =
                (RefreshableKeycloakSecurityContext) oidcKeycloakAccount.getKeycloakSecurityContext();
        CookieTokenStore.setTokenCookie(this.deployment, this.facade, accountContext);
    }

    /**
     * Removes the token cookie before delegating the rest of the logout to the
     * parent store.
     */
    @Override
    public void logout() {
        CookieTokenStore.removeCookie(this.deployment, this.facade);
        super.logout();
    }

    /**
     * Wraps a cookie-derived principal in the authentication object placed into
     * the Spring Security context.
     *
     * @param principal principal recovered from the cookie
     * @param context   security context of that principal; also the source of its roles
     * @return authentication token built with {@code false} as second argument
     *         (presumably the "interactive" flag; confirm against KeycloakAuthenticationToken)
     */
    private KeycloakAuthenticationToken toAuthentication(KeycloakPrincipal<RefreshableKeycloakSecurityContext> principal, RefreshableKeycloakSecurityContext context) {
        return new KeycloakAuthenticationToken(
                new SimpleKeycloakAccount(principal, AdapterUtils.getRolesFromSecurityContext(context), context),
                false);
    }

    /**
     * Reads the principal from the token cookie and makes sure its tokens are
     * usable, refreshing them when necessary.
     *
     * @return the principal when the cookie held one and its context is active
     *         (after a refresh if one was needed); {@code null} when the cookie was
     *         absent or rejected, or when the refresh failed, in which case the
     *         cookie is removed as well
     */
    private KeycloakPrincipal<RefreshableKeycloakSecurityContext> checkPrincipalFromCookie() {
        KeycloakPrincipal<RefreshableKeycloakSecurityContext> cookiePrincipal =
                CookieTokenStore.getPrincipalFromCookie(this.deployment, this.facade, this);
        if (cookiePrincipal == null) {
            this.logger.debug("Account was not in cookie or was invalid");
            return null;
        }

        RefreshableKeycloakSecurityContext cookieContext = cookiePrincipal.getKeycloakSecurityContext();

        // An active context is used as is unless the deployment demands a refresh every time.
        boolean usableWithoutRefresh = cookieContext.isActive() && !cookieContext.getDeployment().isAlwaysRefreshToken();
        if (usableWithoutRefresh) {
            return cookiePrincipal;
        }

        // The context is re-checked after the refresh: a refresh that reports success
        // but leaves an inactive context is treated as a failure.
        boolean refreshed = cookieContext.refreshExpiredToken(false) && cookieContext.isActive();
        if (!refreshed) {
            // Drop the stale cookie so the browser does not keep presenting it.
            this.logger.debug("Cleanup and expire cookie for user {} after failed refresh", cookiePrincipal.getName());
            CookieTokenStore.removeCookie(this.deployment, this.facade);
            return null;
        }

        refreshCallback(cookieContext);
        return cookiePrincipal;
    }
}
