package org.keycloak.adapters.tomcat;

import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.Serializable;
import java.security.Principal;
import java.util.Set;
import java.util.logging.Logger;
import org.apache.catalina.Session;
import org.apache.catalina.connector.Request;
import org.apache.catalina.realm.GenericPrincipal;
import org.keycloak.KeycloakPrincipal;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.adapters.AdapterTokenStore;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.OidcKeycloakAccount;
import org.keycloak.adapters.RefreshableKeycloakSecurityContext;
import org.keycloak.adapters.RequestAuthenticator;
import org.keycloak.common.util.DelegatingSerializationFilter;

/* loaded from: input_file:BOOT-INF/lib/spring-boot-container-bundle-11.0.0.jar:org/keycloak/adapters/tomcat/CatalinaSessionTokenStore.class */
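/**
 * {@link AdapterTokenStore} that keeps the authenticated Keycloak account in the Catalina
 * HTTP session and re-establishes the request's security state from it on later requests.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>The cached account is only honoured when its realm matches this deployment's realm
 *       ({@link #isCached}); otherwise it is removed from the session.</li>
 *   <li>When a token is no longer active and cannot be refreshed, the request's principal is
 *       cleared and the whole session is expired ({@link #checkCurrentToken}) — fail closed.</li>
 *   <li>The serialized session entry installs a deserialization allowlist before reading its
 *       fields ({@link SerializableKeycloakAccount#readObject}).</li>
 * </ul>
 */
public class CatalinaSessionTokenStore extends CatalinaAdapterSessionStore implements AdapterTokenStore {
    private static final Logger log = Logger.getLogger("" + CatalinaSessionTokenStore.class);
    /** Auth type recorded on the request and the Catalina session for Keycloak-established identities. */
    private static final String AUTH_TYPE = "KEYCLOAK";
    private KeycloakDeployment deployment;
    private CatalinaUserSessionManagement sessionManagement;
    protected GenericPrincipalFactory principalFactory;

    /* loaded from: input_file:BOOT-INF/lib/spring-boot-container-bundle-11.0.0.jar:org/keycloak/adapters/tomcat/CatalinaSessionTokenStore$SerializableKeycloakAccount.class */
    /**
     * Session-persistable snapshot of an authenticated account: roles, principal and the
     * refreshable security context. Stored under {@code SerializableKeycloakAccount.class.getName()}.
     */
    public static class SerializableKeycloakAccount implements OidcKeycloakAccount, Serializable {
        protected Set<String> roles;
        protected Principal principal;
        protected RefreshableKeycloakSecurityContext securityContext;

        /**
         * @param set                                 roles granted to the user
         * @param principal                           authenticated principal
         * @param refreshableKeycloakSecurityContext  token holder; may be null (callers guard for it)
         */
        public SerializableKeycloakAccount(Set<String> set, Principal principal, RefreshableKeycloakSecurityContext refreshableKeycloakSecurityContext) {
            this.roles = set;
            this.principal = principal;
            this.securityContext = refreshableKeycloakSecurityContext;
        }

        @Override // org.keycloak.adapters.spi.KeycloakAccount
        public Principal getPrincipal() {
            return this.principal;
        }

        @Override // org.keycloak.adapters.spi.KeycloakAccount
        public Set<String> getRoles() {
            return this.roles;
        }

        @Override // org.keycloak.adapters.OidcKeycloakAccount
        public RefreshableKeycloakSecurityContext getKeycloakSecurityContext() {
            return this.securityContext;
        }

        /**
         * Installs a class allowlist on the stream before the default field read, so that a
         * persisted/replicated session cannot smuggle arbitrary gadget classes into this object's
         * fields. Only the four Keycloak types named here are explicitly admitted.
         *
         * NOTE(review): whether DelegatingSerializationFilter also admits the JDK collection
         * implementation behind {@code roles} (e.g. HashSet) is not visible here — if sessions fail
         * to deserialize after a container upgrade, check that filter first.
         */
        private void readObject(ObjectInputStream objectInputStream) throws IOException, ClassNotFoundException {
            DelegatingSerializationFilter.builder().addAllowedClass(SerializableKeycloakAccount.class).addAllowedClass(RefreshableKeycloakSecurityContext.class).addAllowedClass(KeycloakSecurityContext.class).addAllowedClass(KeycloakPrincipal.class).setFilter(objectInputStream);
            objectInputStream.defaultReadObject();
        }
    }

    /**
     * @param request                          current Catalina request
     * @param keycloakDeployment               deployment whose realm cached accounts must match
     * @param catalinaUserSessionManagement    receives login notifications for new sessions
     * @param genericPrincipalFactory          builds the container principal from the account
     * @param abstractKeycloakAuthenticatorValve owning valve, passed to the superclass
     */
    public CatalinaSessionTokenStore(Request request, KeycloakDeployment keycloakDeployment, CatalinaUserSessionManagement catalinaUserSessionManagement, GenericPrincipalFactory genericPrincipalFactory, AbstractKeycloakAuthenticatorValve abstractKeycloakAuthenticatorValve) {
        super(request, abstractKeycloakAuthenticatorValve);
        this.deployment = keycloakDeployment;
        this.sessionManagement = catalinaUserSessionManagement;
        this.principalFactory = genericPrincipalFactory;
    }

    /** Reads the cached account from the existing session, or null when there is no session or no entry. */
    private SerializableKeycloakAccount cachedAccount(Session session) {
        if (session == null) {
            return null;
        }
        return (SerializableKeycloakAccount) session.getSession().getAttribute(SerializableKeycloakAccount.class.getName());
    }

    /** Publishes an already-validated security context and principal on the current request. */
    private void establishRequestState(RefreshableKeycloakSecurityContext securityContext, Principal principal) {
        this.request.setAttribute(KeycloakSecurityContext.class.getName(), securityContext);
        this.request.setUserPrincipal(principal);
        this.request.setAuthType(AUTH_TYPE);
    }

    /**
     * Validates the token cached in the session for this request. An active token (unless the
     * deployment demands a refresh on every request) is accepted as-is; otherwise a refresh is
     * attempted. If neither yields an active token, the request is de-authenticated and the
     * session is expired so a stale identity cannot linger.
     */
    @Override // org.keycloak.adapters.AdapterTokenStore
    public void checkCurrentToken() {
        Session sessionInternal = this.request.getSessionInternal(false);
        SerializableKeycloakAccount account = cachedAccount(sessionInternal);
        if (account == null) {
            return;
        }
        RefreshableKeycloakSecurityContext securityContext = account.getKeycloakSecurityContext();
        if (securityContext == null) {
            return;
        }
        // A context deserialized from a persisted session has no deployment; attach ours.
        if (securityContext.getDeployment() == null) {
            securityContext.setCurrentRequestInfo(this.deployment, this);
        }
        boolean usable;
        if (securityContext.isActive() && !securityContext.getDeployment().isAlwaysRefreshToken()) {
            usable = true;
        } else {
            // refreshExpiredToken() talks to the server; only reached when the fast path fails.
            usable = securityContext.refreshExpiredToken(false) && securityContext.isActive();
        }
        if (usable) {
            establishRequestState(securityContext, account.getPrincipal());
            return;
        }
        log.fine("Cleanup and expire session " + sessionInternal.getId() + " after failed refresh");
        this.request.setUserPrincipal(null);
        this.request.setAuthType(null);
        cleanSession(sessionInternal);
        sessionInternal.expire();
    }

    /**
     * Removes every Keycloak attribute and the container principal from the session.
     * Does not expire the session itself; {@link #checkCurrentToken} does that on refresh failure.
     */
    protected void cleanSession(Session session) {
        session.getSession().removeAttribute(KeycloakSecurityContext.class.getName());
        session.getSession().removeAttribute(SerializableKeycloakAccount.class.getName());
        session.getSession().removeAttribute(OidcKeycloakAccount.class.getName());
        session.setPrincipal(null);
        session.setAuthType(null);
    }

    /**
     * Re-establishes request state from a previously saved account.
     *
     * @return true when a cached account for this deployment's realm was found and applied;
     *         false when there is no session, no account, no security context, or the account
     *         belongs to a different realm (in the last two cases the session entry is removed)
     */
    @Override // org.keycloak.adapters.AdapterTokenStore
    public boolean isCached(RequestAuthenticator requestAuthenticator) {
        Session sessionInternal = this.request.getSessionInternal(false);
        SerializableKeycloakAccount account = cachedAccount(sessionInternal);
        if (account == null) {
            return false;
        }
        log.fine("remote logged in already. Establish state from session");
        RefreshableKeycloakSecurityContext securityContext = account.getKeycloakSecurityContext();
        // Fix: checkCurrentToken() tolerates a missing security context, but this path used to
        // dereference it (NPE). An entry without a context cannot be validated, so discard it.
        if (securityContext == null) {
            log.fine("Cached account has no security context; discarding it");
            cleanSession(sessionInternal);
            return false;
        }
        // Never accept an account established against another realm for this deployment.
        if (!this.deployment.getRealm().equals(securityContext.getRealm())) {
            log.fine("Account from cookie is from a different realm than for the request.");
            cleanSession(sessionInternal);
            return false;
        }
        securityContext.setCurrentRequestInfo(this.deployment, this);
        this.request.setAttribute(KeycloakSecurityContext.class.getName(), securityContext);
        GenericPrincipal genericPrincipal = (GenericPrincipal) sessionInternal.getPrincipal();
        if (genericPrincipal == null) {
            // Container principal was lost (e.g. session restored from storage); rebuild it.
            genericPrincipal = this.principalFactory.createPrincipal(this.request.getContext().getRealm(), account.getPrincipal(), account.getRoles());
            sessionInternal.setPrincipal(genericPrincipal);
            sessionInternal.setAuthType(AUTH_TYPE);
        }
        this.request.setUserPrincipal(genericPrincipal);
        this.request.setAuthType(AUTH_TYPE);
        restoreRequest();
        return true;
    }

    /**
     * Persists a freshly authenticated account into the session (creating one if needed) and
     * notifies session management of the login.
     *
     * NOTE(review): the session id is not rotated here; confirm that the authenticator
     * performing the login changes the session id, otherwise a pre-authentication session id
     * survives login (session fixation).
     */
    @Override // org.keycloak.adapters.AdapterTokenStore
    public void saveAccountInfo(OidcKeycloakAccount oidcKeycloakAccount) {
        RefreshableKeycloakSecurityContext securityContext = (RefreshableKeycloakSecurityContext) oidcKeycloakAccount.getKeycloakSecurityContext();
        Set<String> roles = oidcKeycloakAccount.getRoles();
        GenericPrincipal genericPrincipal = this.principalFactory.createPrincipal(this.request.getContext().getRealm(), oidcKeycloakAccount.getPrincipal(), roles);
        SerializableKeycloakAccount account = new SerializableKeycloakAccount(roles, oidcKeycloakAccount.getPrincipal(), securityContext);
        Session sessionInternal = this.request.getSessionInternal(true);
        sessionInternal.setPrincipal(genericPrincipal);
        sessionInternal.setAuthType(AUTH_TYPE);
        sessionInternal.getSession().setAttribute(SerializableKeycloakAccount.class.getName(), account);
        sessionInternal.getSession().setAttribute(KeycloakSecurityContext.class.getName(), oidcKeycloakAccount.getKeycloakSecurityContext());
        log.fine("userSessionManagement.login: " + securityContext.getToken().getSubject());
        this.sessionManagement.login(sessionInternal);
    }

    /**
     * Drops the cached account from the current session, if any. The session itself is left
     * alive; expiring it is presumably the caller's or session management's job — TODO confirm.
     */
    @Override // org.keycloak.adapters.AdapterTokenStore
    public void logout() {
        Session sessionInternal = this.request.getSessionInternal(false);
        if (sessionInternal != null) {
            cleanSession(sessionInternal);
        }
    }

    /**
     * No-op. The session holds the same RefreshableKeycloakSecurityContext instance that was
     * refreshed, so presumably nothing needs re-saving here — verify for session managers that
     * serialize attributes eagerly.
     */
    @Override // org.keycloak.adapters.AdapterTokenStore
    public void refreshCallback(RefreshableKeycloakSecurityContext refreshableKeycloakSecurityContext) {
    }
}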
