package io.apiman.plugins.keycloak_oauth_policy;

import io.apiman.gateway.engine.async.IAsyncResult;
import io.apiman.gateway.engine.async.IAsyncResultHandler;
import io.apiman.gateway.engine.beans.PolicyFailure;
import io.apiman.gateway.engine.beans.ServiceRequest;
import io.apiman.gateway.engine.components.ISharedStateComponent;
import io.apiman.gateway.engine.policies.AbstractMappedPolicy;
import io.apiman.gateway.engine.policy.IPolicyChain;
import io.apiman.gateway.engine.policy.IPolicyContext;
import io.apiman.plugins.keycloak_oauth_policy.beans.ForwardAuthInfo;
import io.apiman.plugins.keycloak_oauth_policy.beans.KeycloakOauthConfigBean;
import io.apiman.plugins.keycloak_oauth_policy.failures.PolicyFailureFactory;
import io.apiman.plugins.keycloak_oauth_policy.util.Holder;
import java.util.Collections;
import org.apache.commons.lang.StringUtils;
import org.keycloak.RSATokenVerifier;
import org.keycloak.VerificationException;
import org.keycloak.constants.KerberosConstants;
import org.keycloak.representations.AccessToken;

/* loaded from: input_file:WEB-INF/classes/io/apiman/plugins/keycloak_oauth_policy/KeycloakOauthPolicy.class */
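/**
 * apiman gateway policy that authenticates a request with a Keycloak-issued OAuth2
 * access token.
 * <p>
 * Flow, per request:
 * <ol>
 *   <li>Extract the raw token from the {@code Authorization: Bearer ...} header, falling back
 *       to the {@code access_token} query parameter.</li>
 *   <li>If no token is present, either fail (when {@code requireOauth} is set) or pass the
 *       request through untouched.</li>
 *   <li>Verify the token against the configured realm certificate and realm name via
 *       Keycloak's {@link RSATokenVerifier}; on failure report a verification failure.</li>
 *   <li>On success, optionally delegate a Kerberos ticket, forward selected claims as headers,
 *       strip the client's credentials, and publish the token's roles to the policy context.</li>
 *   <li>Enforce transport security: a token sent over an insecure transport is rejected and,
 *       if configured, added to a shared-state blacklist so it cannot be replayed over TLS.</li>
 * </ol>
 * Security note: the headers and roles this policy forwards are derived from a verified token,
 * but they are only trustworthy downstream if the backend accepts traffic exclusively from the
 * gateway; otherwise a client can set the same header names itself.
 */
public class KeycloakOauthPolicy extends AbstractMappedPolicy<KeycloakOauthConfigBean> {
    private static final String AUTHORIZATION_KEY = "Authorization";
    private static final String ACCESS_TOKEN_QUERY_KEY = "access_token";
    private static final String BEARER = "Bearer ";
    private static final String NEGOTIATE = "Negotiate ";
    /** Policy-context attribute other apiman auth policies read the caller's roles from. */
    private static final String AUTHENTICATED_USER_ROLES = "io.apiman.policies.auth::authenticated-user-roles";
    /** Shared-state namespace holding tokens that were observed over an insecure transport. */
    private static final String BLACKLIST_NAMESPACE = "apiman-keycloak-blacklist";

    private final PolicyFailureFactory failureFactory = new PolicyFailureFactory();

    protected Class<KeycloakOauthConfigBean> getConfigurationClass() {
        return KeycloakOauthConfigBean.class;
    }

    /**
     * Applies the policy to an inbound request.
     *
     * @param request the inbound request; mutated in place (headers, query params)
     * @param context the policy context; receives the caller's roles when role forwarding is on
     * @param config the parsed policy configuration
     * @param chain the policy chain; exactly one of {@code doApply}, {@code doFailure} or
     *              {@code throwError} is invoked on it, possibly asynchronously
     */
    protected void doApply(final ServiceRequest request, final IPolicyContext context,
            KeycloakOauthConfigBean config, final IPolicyChain<ServiceRequest> chain) {
        final String rawToken = getRawAuthToken(request);
        // Tracks whether the chain has already been told about a failure.
        final Holder<Boolean> successHolder = new Holder<>(true);

        // No credential presented: fail closed only when OAuth is mandatory.
        if (rawToken == null) {
            if (config.getRequireOauth()) {
                doFailure(successHolder, chain, failureFactory.noAuthenticationProvided(context));
            } else {
                chain.doApply(request);
            }
            return;
        }

        // Signature/realm verification happens before any transport check; a failed
        // verification has already been reported to the chain inside doTokenAuth.
        if (!doTokenAuth(successHolder, request, context, config, chain, rawToken).getValue()) {
            return;
        }

        if (config.getRequireTransportSecurity() && !request.isTransportSecure()) {
            // The token has been exposed in the clear. Optionally poison it so that a
            // replay over TLS is refused too, then reject this request regardless.
            if (config.getBlacklistUnsafeTokens()) {
                blacklistToken(context, rawToken, new IAsyncResultHandler<Void>() {
                    public void handle(IAsyncResult<Void> result) {
                        // Best effort: the request is rejected below whether or not the
                        // blacklist write succeeded, so a store error is not fatal here.
                        // No logger is available in this plugin to record it.
                    }
                });
            }
            doFailure(successHolder, chain, failureFactory.noTransportSecurity(context));
        } else if (config.getBlacklistUnsafeTokens()) {
            // Transport is acceptable; refuse tokens previously seen over an insecure one.
            isBlacklistedToken(context, rawToken, new IAsyncResultHandler<Boolean>() {
                public void handle(IAsyncResult<Boolean> result) {
                    if (result.isError()) {
                        // Fail closed: an unreadable blacklist must not let a token through.
                        throwError(successHolder, chain, result.getError());
                    } else if (result.getResult()) {
                        doFailure(successHolder, chain, failureFactory.blacklistedToken(context));
                    } else {
                        chain.doApply(request);
                    }
                }
            });
        } else if (successHolder.getValue()) {
            chain.doApply(request);
        }
    }

    /** Reports a policy failure to the chain and records that the request has been handled. */
    private void doFailure(Holder<Boolean> successHolder, IPolicyChain<?> chain, PolicyFailure failure) {
        chain.doFailure(failure);
        successHolder.setValue(false);
    }

    /** Propagates an unexpected error to the chain and records that the request has been handled. */
    private void throwError(Holder<Boolean> successHolder, IPolicyChain<?> chain, Throwable error) {
        chain.throwError(error);
        successHolder.setValue(false);
    }

    /**
     * Verifies the raw token and, on success, applies the configured post-authentication
     * request transformations.
     *
     * @return {@code successHolder}, set to {@code true} on success or {@code false} after a
     *         verification failure has been reported to {@code chain}
     */
    private Holder<Boolean> doTokenAuth(Holder<Boolean> successHolder, ServiceRequest request,
            IPolicyContext context, KeycloakOauthConfigBean config,
            IPolicyChain<ServiceRequest> chain, String rawToken) {
        try {
            // Signature is checked against the realm certificate's public key and the token is
            // checked against the configured realm. NOTE(review): no audience/authorized-party
            // check is visible here; confirm RSATokenVerifier covers it if the API requires one.
            AccessToken token = RSATokenVerifier.verifyToken(rawToken,
                    config.getRealmCertificate().getPublicKey(), config.getRealm());
            // NOTE(review): stripAuthTokens runs after delegateKerberosTicket and removes the
            // Authorization header, so enabling both stripTokens and delegateKerberosTicket
            // drops the Negotiate header just written. Order kept as-is pending confirmation.
            delegateKerberosTicket(request, config, token);
            forwardHeaders(request, config, token);
            stripAuthTokens(request, config);
            forwardAuthRoles(context, config, token);
            return successHolder.setValue(true);
        } catch (VerificationException e) {
            // The exception travels with the policy failure; a stdout print added nothing
            // operators could rely on and has been removed.
            chain.doFailure(failureFactory.verificationException(context, e));
            return successHolder.setValue(false);
        }
    }

    /**
     * Publishes the token's roles to the policy context so downstream authorization policies
     * can consume them. Uses the resource (client) roles when an application name is
     * configured, otherwise the realm roles. An absent role set is published as an empty set
     * rather than leaving the attribute unset.
     */
    private void forwardAuthRoles(IPolicyContext context, KeycloakOauthConfigBean config, AccessToken token) {
        if (!config.getForwardRoles().getActive()) {
            return;
        }
        String applicationName = config.getForwardRoles().getApplicationName();
        AccessToken.Access access = applicationName != null
                ? token.getResourceAccess(applicationName)
                : token.getRealmAccess();
        if (access == null || access.getRoles() == null) {
            context.setAttribute(AUTHENTICATED_USER_ROLES, Collections.emptySet());
        } else {
            context.setAttribute(AUTHENTICATED_USER_ROLES, access.getRoles());
        }
    }

    /**
     * Replaces the Authorization header with a {@code Negotiate} header carrying the GSS
     * delegation credential embedded in the token, when delegation is enabled.
     * <p>
     * If the token carries no delegation credential the header is left untouched; previously
     * a literal {@code "Negotiate null"} was written, which no backend can use.
     */
    private void delegateKerberosTicket(ServiceRequest request, KeycloakOauthConfigBean config, AccessToken token) {
        if (!config.getDelegateKerberosTicket()) {
            return;
        }
        Object credential = token.getOtherClaims().get(KerberosConstants.GSS_DELEGATION_CREDENTIAL);
        if (credential == null) {
            return;
        }
        request.getHeaders().put(AUTHORIZATION_KEY, NEGOTIATE + credential);
    }

    /**
     * Extracts the raw bearer token from the request.
     *
     * @return the token following {@code "Bearer "} in the Authorization header; otherwise the
     *         {@code access_token} query parameter; {@code null} if neither is present
     */
    private String getRawAuthToken(ServiceRequest request) {
        String authorization = StringUtils.strip((String) request.getHeaders().get(AUTHORIZATION_KEY));
        // Scheme match is case-sensitive here, as it was originally.
        if (authorization != null && StringUtils.startsWith(authorization, BEARER)) {
            return StringUtils.removeStart(authorization, BEARER);
        }
        // Query-parameter fallback (RFC 6750 §2.3). Tokens in the URL end up in access logs,
        // browser history and Referer headers, so the header form should be preferred.
        return (String) request.getQueryParams().get(ACCESS_TOKEN_QUERY_KEY);
    }

    /** Removes the client's credentials from the request before it reaches the backend. */
    private void stripAuthTokens(ServiceRequest request, KeycloakOauthConfigBean config) {
        if (config.getStripTokens()) {
            request.getHeaders().remove(AUTHORIZATION_KEY);
            request.getQueryParams().remove(ACCESS_TOKEN_QUERY_KEY);
        }
    }

    /**
     * Copies configured token claims into request headers for the backend.
     * <p>
     * Each configured field maps to its own claim (the decompiled listing fell through every
     * case to {@code preferred_username}). Whatever the client sent under the target header
     * name is always removed first, so a claim missing from the token can never be supplied
     * by the client instead; the header is only set when the claim is present.
     */
    private void forwardHeaders(ServiceRequest request, KeycloakOauthConfigBean config, AccessToken token) {
        for (ForwardAuthInfo entry : config.getForwardAuthInfo()) {
            String value;
            switch (entry.getField()) {
                case EMAIL:
                    value = token.getEmail();
                    break;
                case NAME:
                    value = token.getName();
                    break;
                case SUBJECT:
                    value = token.getSubject();
                    break;
                case USERNAME:
                    value = token.getPreferredUsername();
                    break;
                default:
                    value = null;
                    break;
            }
            request.getHeaders().remove(entry.getHeader());
            if (value != null) {
                request.getHeaders().put(entry.getHeader(), value);
            }
        }
    }

    /**
     * Asynchronously checks whether the raw token has been blacklisted.
     * NOTE(review): the raw token string is used as the shared-state key, so the store holds
     * bearer secrets verbatim; keying on a digest would be safer but changes existing entries.
     */
    private void isBlacklistedToken(IPolicyContext context, String rawToken, IAsyncResultHandler<Boolean> handler) {
        getDataStore(context).getProperty(BLACKLIST_NAMESPACE, rawToken, false, handler);
    }

    /** Asynchronously records the raw token as blacklisted in shared state. */
    private void blacklistToken(IPolicyContext context, String rawToken, IAsyncResultHandler<Void> handler) {
        getDataStore(context).setProperty(BLACKLIST_NAMESPACE, rawToken, true, handler);
    }

    /** Shared-state component used for the token blacklist. */
    private ISharedStateComponent getDataStore(IPolicyContext context) {
        return context.getComponent(ISharedStateComponent.class);
    }
}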
