package org.keycloak.adapters.springsecurity.token;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.adapters.AdapterTokenStore;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.OidcKeycloakAccount;
import org.keycloak.adapters.RefreshableKeycloakSecurityContext;
import org.keycloak.adapters.RequestAuthenticator;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.util.Assert;

/* loaded from: input_file:BOOT-INF/lib/keycloak-spring-security-adapter-14.0.0.jar:org/keycloak/adapters/springsecurity/token/SpringSecurityTokenStore.class */
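/**
 * {@link AdapterTokenStore} that keeps the authenticated Keycloak account in the Spring Security
 * {@link SecurityContextHolder} rather than in a store of its own.
 *
 * <p>An instance is bound to a single {@link HttpServletRequest}. The refresh, request-saving and
 * token-check hooks are intentionally empty in this implementation.
 */
public class SpringSecurityTokenStore implements AdapterTokenStore {
    // One logger per class is enough; it carries no per-request state.
    private static final Logger logger = LoggerFactory.getLogger(SpringSecurityTokenStore.class);
    private final KeycloakDeployment deployment;
    private final HttpServletRequest request;

    /**
     * Creates a token store for the given deployment and request.
     *
     * @param keycloakDeployment deployment whose realm cached accounts are compared against
     * @param httpServletRequest request that receives the security context attribute and whose
     *     session is invalidated on logout
     * @throws IllegalArgumentException if either argument is {@code null} (raised by
     *     {@link Assert#notNull(Object, String)})
     */
    public SpringSecurityTokenStore(KeycloakDeployment keycloakDeployment, HttpServletRequest httpServletRequest) {
        Assert.notNull(keycloakDeployment, "KeycloakDeployment is required");
        Assert.notNull(httpServletRequest, "HttpServletRequest is required");
        this.deployment = keycloakDeployment;
        this.request = httpServletRequest;
    }

    /** No-op: this store performs no check of the current token. */
    @Override
    public void checkCurrentToken() {
    }

    /**
     * Reports whether the current Spring Security context already holds a usable Keycloak
     * authentication for this deployment.
     *
     * <p>Returns {@code true} only when the context holds a {@link KeycloakAuthenticationToken}
     * whose security context belongs to the deployment's realm and whose access token is present
     * and not expired. In that case the {@link KeycloakSecurityContext} is also exposed as a
     * request attribute keyed by its class name. An account from a different realm triggers
     * {@link #logout()}.
     *
     * @param requestAuthenticator authenticator asking for the cached state; only logged here
     * @return {@code true} if the cached authentication may be reused, {@code false} otherwise
     */
    @Override
    public boolean isCached(RequestAuthenticator requestAuthenticator) {
        logger.debug("Checking if {} is cached", requestAuthenticator);
        SecurityContext context = SecurityContextHolder.getContext();
        // Read the authentication once so every check below sees the same object.
        Authentication authentication = context == null ? null : context.getAuthentication();
        if (authentication == null) {
            return false;
        }
        if (!(authentication instanceof KeycloakAuthenticationToken)) {
            // Log only the type: Authentication#toString() is implementation-defined and may
            // include principal or request details that should not reach WARN-level logs.
            logger.warn("Expected a KeycloakAuthenticationToken, but found {}", authentication.getClass().getName());
            return false;
        }
        logger.debug("Remote logged in already. Establishing state from security context.");
        KeycloakSecurityContext keycloakSecurityContext =
                ((KeycloakAuthenticationToken) authentication).getAccount().getKeycloakSecurityContext();
        if (keycloakSecurityContext == null) {
            // Fail closed: without a security context there is nothing to reuse.
            logger.warn("Keycloak security context missing ... not returning from cache");
            return false;
        }
        if (!this.deployment.getRealm().equals(keycloakSecurityContext.getRealm())) {
            logger.debug("Account from security context is from a different realm than for the request.");
            logout();
            return false;
        }
        if (keycloakSecurityContext.getToken() == null) {
            // Fail closed instead of raising a NullPointerException on the expiry check.
            logger.warn("Security token missing ... not returning from cache");
            return false;
        }
        if (keycloakSecurityContext.getToken().isExpired()) {
            logger.warn("Security token expired ... not returning from cache");
            return false;
        }
        this.request.setAttribute(KeycloakSecurityContext.class.getName(), keycloakSecurityContext);
        return true;
    }

    /**
     * Stores the account as a {@link KeycloakAuthenticationToken} in a fresh Spring Security
     * context and installs that context in the {@link SecurityContextHolder}.
     *
     * @param oidcKeycloakAccount account to store
     * @throws IllegalStateException if the current context already holds an authentication
     */
    @Override
    public void saveAccountInfo(OidcKeycloakAccount oidcKeycloakAccount) {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (authentication != null) {
            // NOTE(review): this message embeds the toString() of both objects; confirm it is
            // never surfaced to clients and that the log sink is suitably protected.
            throw new IllegalStateException(String.format("Went to save Keycloak account %s, but already have %s", oidcKeycloakAccount, authentication));
        }
        logger.debug("Saving account info {}", oidcKeycloakAccount);
        SecurityContext freshContext = SecurityContextHolder.createEmptyContext();
        freshContext.setAuthentication(new KeycloakAuthenticationToken(oidcKeycloakAccount, true));
        SecurityContextHolder.setContext(freshContext);
    }

    /**
     * Clears the local login state: removes the security context attribute from the existing
     * HTTP session (if any), invalidates that session and clears the Spring Security context.
     * No session is created when none exists.
     */
    @Override
    public void logout() {
        logger.debug("Handling logout request");
        HttpSession session = this.request.getSession(false);
        if (session != null) {
            // Drop the attribute before invalidating the session.
            session.setAttribute(KeycloakSecurityContext.class.getName(), null);
            session.invalidate();
        }
        SecurityContextHolder.clearContext();
    }

    /** No-op: this store takes no action when a security context is refreshed. */
    @Override
    public void refreshCallback(RefreshableKeycloakSecurityContext refreshableKeycloakSecurityContext) {
    }

    /** No-op: this store does not save the current request. */
    @Override
    public void saveRequest() {
    }

    /**
     * Always reports that no request was restored.
     *
     * @return {@code false}
     */
    @Override
    public boolean restoreRequest() {
        return false;
    }
}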
