package org.keycloak.adapters.undertow;

import io.undertow.security.api.AuthenticationMechanism;
import io.undertow.security.api.SecurityContext;
import io.undertow.server.HttpServerExchange;
import io.undertow.server.handlers.Cookie;
import io.undertow.server.handlers.CookieImpl;
import io.undertow.util.Headers;
import java.io.IOException;
import java.util.Deque;
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.atomic.AtomicLong;
import org.jboss.logging.Logger;
import org.keycloak.RSATokenVerifier;
import org.keycloak.VerificationException;
import org.keycloak.adapters.TokenGrantRequest;
import org.keycloak.adapters.config.RealmConfiguration;
import org.keycloak.representations.SkeletonKeyToken;
import org.keycloak.util.KeycloakUriBuilder;

/* loaded from: input_file:org/keycloak/adapters/undertow/OAuthAuthenticator.class */
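/**
 * Runs the OAuth 2.0 authorization-code flow for one Undertow request.
 * <p>
 * {@link #authenticate()} looks at the {@code code} and {@code error} query
 * parameters and either exchanges the code for a token, fails the request, or
 * redirects the browser to the realm's authorization endpoint. On redirect a
 * state nonce is stored in a cookie; on the way back it is compared with the
 * {@code state} query parameter before the code is exchanged.
 * <p>
 * One instance serves one exchange and is not thread-safe.
 */
public class OAuthAuthenticator {
    protected RealmConfiguration realmInfo;
    protected int sslRedirectPort;
    // Filled in by resolveCode(): the raw token string from the code exchange.
    protected String tokenString;
    // Filled in by resolveCode() once the token string has been verified.
    protected SkeletonKeyToken token;
    protected HttpServerExchange exchange;
    // Set by authenticate() whenever the outcome is not AUTHENTICATED.
    protected KeycloakChallenge challenge;
    private static final Logger log = Logger.getLogger(OAuthAuthenticator.class);
    // Monotonic prefix for state values; keeps every state distinct within a JVM.
    protected static final AtomicLong counter = new AtomicLong();

    /**
     * @param httpServerExchange the request being authenticated
     * @param realmConfiguration realm settings: auth URL, realm key, SSL policy, state cookie name
     * @param sslRedirectPort    port used when an http request must be redirected to https;
     *                           a negative value disables that redirect (a 403 is sent instead)
     */
    public OAuthAuthenticator(HttpServerExchange httpServerExchange, RealmConfiguration realmConfiguration, int sslRedirectPort) {
        this.exchange = httpServerExchange;
        this.realmInfo = realmConfiguration;
        this.sslRedirectPort = sslRedirectPort;
    }

    /** @return the challenge to send, or {@code null} when {@link #authenticate()} authenticated the request */
    public KeycloakChallenge getChallenge() {
        return this.challenge;
    }

    /** @return the raw token string from the code exchange, or {@code null} if none was obtained */
    public String getTokenString() {
        return this.tokenString;
    }

    /** @return the verified token, or {@code null} if the request is not authenticated */
    public SkeletonKeyToken getToken() {
        return this.token;
    }

    /**
     * Rebuilds the absolute URL of the current request (scheme, host, path and query).
     * Scheme and host are added unless the client already sent an absolute request URI.
     */
    protected String getRequestUrl() {
        KeycloakUriBuilder builder = KeycloakUriBuilder.fromUri(this.exchange.getRequestURI())
                .replaceQuery(this.exchange.getQueryString());
        if (!this.exchange.isHostIncludedInRequestURI()) {
            builder.scheme(this.exchange.getRequestScheme()).host(this.exchange.getHostAndPort());
        }
        return builder.build(new Object[0]).toString();
    }

    /**
     * Whether the request arrived over TLS.
     * <p>
     * Decided from the request scheme. {@code exchange.getProtocol()} is the HTTP
     * version ("HTTP/1.1"), which never equals "https", so comparing it would
     * report every request as insecure and, with {@code sslRequired} set, reject
     * every code callback with 403.
     */
    protected boolean isRequestSecure() {
        return "https".equalsIgnoreCase(this.exchange.getRequestScheme());
    }

    /** @return the request cookie with the given name, or {@code null} if absent */
    protected Cookie getCookie(String name) {
        Map<String, Cookie> cookies = this.exchange.getRequestCookies();
        return cookies == null ? null : cookies.get(name);
    }

    /** @return the value of the named request cookie, or {@code null} if the cookie is absent */
    protected String getCookieValue(String name) {
        Cookie cookie = getCookie(name);
        return cookie == null ? null : cookie.getValue();
    }

    /**
     * @return the first value of the named query parameter, or {@code null} when
     *         the parameter is absent or carries no value
     */
    protected String getQueryParamValue(String name) {
        Map<String, Deque<String>> params = this.exchange.getQueryParameters();
        if (params == null) {
            return null;
        }
        Deque<String> values = params.get(name);
        // peekFirst() turns an empty value list into null instead of NoSuchElementException
        return values == null ? null : values.peekFirst();
    }

    /** @return the {@code error} query parameter sent back by the auth server, or {@code null} */
    protected String getError() {
        return getQueryParamValue("error");
    }

    /** @return the {@code code} query parameter sent back by the auth server, or {@code null} */
    protected String getCode() {
        return getQueryParamValue("code");
    }

    /**
     * Builds the authorization-endpoint URL the browser is sent to.
     *
     * @param state the state nonce; the same value is stored in the state cookie
     * @return the URL, or {@code null} when the request is plain http, the realm
     *         requires SSL and no SSL redirect port is configured
     */
    protected String getRedirectUri(String state) {
        String redirectUri = getRequestUrl();
        log.info("sending redirect uri: " + redirectUri);
        if (!isRequestSecure() && this.realmInfo.isSslRequired()) {
            int port = sslRedirectPort();
            if (port < 0) {
                return null;
            }
            // port(-1) drops the http port; an explicit port is added only when it is not the https default
            KeycloakUriBuilder secure = KeycloakUriBuilder.fromUri(redirectUri).scheme("https").port(-1);
            if (port != 443) {
                secure.port(port);
            }
            redirectUri = secure.build(new Object[0]).toString();
        }
        return this.realmInfo.getAuthUrl().clone()
                .queryParam("client_id", new Object[]{this.realmInfo.getMetadata().getResourceName()})
                .queryParam("redirect_uri", new Object[]{redirectUri})
                .queryParam("state", new Object[]{state})
                .queryParam("login", new Object[]{"true"})
                .build(new Object[0]).toString();
    }

    /** @return the configured https redirect port; negative means "do not redirect" */
    protected int sslRedirectPort() {
        return this.sslRedirectPort;
    }

    /**
     * Creates a fresh state nonce: a per-JVM counter plus a random UUID
     * (UUID.randomUUID() draws from a cryptographically strong generator).
     */
    protected String getStateCode() {
        return counter.getAndIncrement() + "/" + UUID.randomUUID().toString();
    }

    /**
     * Builds the challenge that starts the flow: it stores the state nonce in a
     * cookie and redirects (302) to the authorization endpoint, or answers 403
     * when no usable redirect URI can be built.
     */
    protected KeycloakChallenge loginRedirect() {
        final String state = getStateCode();
        final String redirectUri = getRedirectUri(state);
        return new KeycloakChallenge() {
            @Override
            public AuthenticationMechanism.ChallengeResult sendChallenge(HttpServerExchange httpServerExchange, SecurityContext securityContext) {
                if (redirectUri == null) {
                    // plain http, SSL required, no redirect port configured
                    return new AuthenticationMechanism.ChallengeResult(true, 403);
                }
                CookieImpl stateCookie = new CookieImpl(OAuthAuthenticator.this.realmInfo.getStateCookieName(), state);
                stateCookie.setSecure(OAuthAuthenticator.this.realmInfo.isSslRequired());
                // Only this adapter reads the nonce back; keep it out of reach of page scripts.
                stateCookie.setHttpOnly(true);
                httpServerExchange.setResponseCookie(stateCookie);
                httpServerExchange.getResponseHeaders().put(Headers.LOCATION, redirectUri);
                return new AuthenticationMechanism.ChallengeResult(true, 302);
            }
        };
    }

    /**
     * Compares the {@code state} query parameter with the state cookie written by
     * {@link #loginRedirect()} and expires that cookie in the response.
     *
     * @return {@code null} when the two match, otherwise a 400 challenge
     */
    protected KeycloakChallenge checkStateCookie() {
        String cookieName = this.realmInfo.getStateCookieName();
        Cookie stateCookie = getCookie(cookieName);
        if (stateCookie == null) {
            log.warn("No state cookie");
            return challenge(400);
        }
        log.info("** reseting application state cookie");
        // The nonce is single-use: expire it whether or not the comparison below passes.
        CookieImpl expired = new CookieImpl(cookieName, "");
        expired.setPath(stateCookie.getPath());
        expired.setMaxAge(0);
        this.exchange.setResponseCookie(expired);
        String expected = stateCookie.getValue();
        String actual = getQueryParamValue("state");
        if (actual == null) {
            log.warn("state parameter was null");
            return challenge(400);
        }
        if (actual.equals(expected)) {
            return null;
        }
        log.warn("state parameter invalid");
        log.warn("cookie: " + expected);
        log.warn("queryParam: " + actual);
        return challenge(400);
    }

    /**
     * Entry point of the flow.
     * <ul>
     * <li>{@code code} present: exchange it; AUTHENTICATED on success, otherwise
     *     NOT_AUTHENTICATED with the failure challenge stored.</li>
     * <li>{@code error} present: NOT_AUTHENTICATED with a 400 challenge.</li>
     * <li>neither: NOT_ATTEMPTED with a login-redirect challenge.</li>
     * </ul>
     * The challenge is always available afterwards through {@link #getChallenge()}.
     */
    public AuthenticationMechanism.AuthenticationMechanismOutcome authenticate() {
        String code = getCode();
        if (code != null) {
            log.info("there was a code, resolving");
            this.challenge = resolveCode(code);
            return this.challenge != null
                    ? AuthenticationMechanism.AuthenticationMechanismOutcome.NOT_AUTHENTICATED
                    : AuthenticationMechanism.AuthenticationMechanismOutcome.AUTHENTICATED;
        }
        log.info("there was no code");
        String error = getError();
        if (error != null) {
            log.warn("There was an error: " + error);
            this.challenge = challenge(400);
            return AuthenticationMechanism.AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
        }
        log.info("redirecting to auth server");
        this.challenge = loginRedirect();
        return AuthenticationMechanism.AuthenticationMechanismOutcome.NOT_ATTEMPTED;
    }

    /** @return a challenge that completes the response with the given HTTP status and no body */
    protected KeycloakChallenge challenge(final int status) {
        return new KeycloakChallenge() {
            @Override
            public AuthenticationMechanism.ChallengeResult sendChallenge(HttpServerExchange httpServerExchange, SecurityContext securityContext) {
                return new AuthenticationMechanism.ChallengeResult(true, Integer.valueOf(status));
            }
        };
    }

    /**
     * Exchanges an authorization code for a token and verifies the token.
     * <p>
     * Order of checks: TLS (if the realm requires it), state cookie vs. state
     * parameter, code exchange, signature verification. On success
     * {@link #tokenString} and {@link #token} are set.
     *
     * @param code the {@code code} query parameter
     * @return {@code null} on success, otherwise the challenge to send
     *         (400 for state problems, 403 for everything else)
     */
    protected KeycloakChallenge resolveCode(String code) {
        if (this.realmInfo.isSslRequired() && !isRequestSecure()) {
            log.error("SSL is required");
            return challenge(403);
        }
        log.info("checking state cookie for after code");
        KeycloakChallenge stateFailure = checkStateCookie();
        if (stateFailure != null) {
            return stateFailure;
        }
        try {
            this.tokenString = TokenGrantRequest.invoke(this.realmInfo, code, stripOauthParametersFromRedirect()).getToken();
        } catch (IOException e) {
            // keep the cause: without it a transport failure is indistinguishable from a server rejection
            log.error("failed to turn code into token", e);
            return challenge(403);
        } catch (TokenGrantRequest.HttpFailure e) {
            log.error("failed to turn code into token");
            log.error("status from server: " + e.getStatus());
            if (e.getStatus() == 400 && e.getError() != null) {
                log.error("   " + e.getError());
            }
            return challenge(403);
        }
        try {
            this.token = RSATokenVerifier.verifyToken(this.tokenString, this.realmInfo.getMetadata().getRealmKey(), this.realmInfo.getMetadata().getRealm());
        } catch (VerificationException e) {
            log.error("failed verification of token", e);
            return challenge(403);
        }
        log.debug("Token Verification succeeded!");
        log.info("successful authenticated");
        return null;
    }

    /**
     * The {@code redirect_uri} sent with the code exchange: the current request
     * URL without its {@code code} and {@code state} parameters.
     * <p>
     * Built from {@link #getRequestUrl()} so that it is absolute, exactly like
     * the value sent in the authorization request; RFC 6749 section 4.1.3
     * requires the two to be identical, and a path-only request URI would not be.
     */
    protected String stripOauthParametersFromRedirect() {
        return KeycloakUriBuilder.fromUri(getRequestUrl())
                .replaceQueryParam("code", (Object[]) null)
                .replaceQueryParam("state", (Object[]) null)
                .build(new Object[0]).toString();
    }
}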
