package org.keycloak.adapters.undertow;

import io.undertow.security.api.AuthenticationMechanism;
import io.undertow.security.api.SecurityContext;
import io.undertow.server.HttpServerExchange;
import io.undertow.servlet.api.ConfidentialPortManager;
import io.undertow.util.AttachmentKey;
import org.keycloak.adapters.AdapterDeploymentContext;
import org.keycloak.adapters.AuthChallenge;
import org.keycloak.adapters.AuthOutcome;
import org.keycloak.adapters.KeycloakDeployment;

/* loaded from: input_file:org/keycloak/adapters/undertow/ServletKeycloakAuthMech.class */
public class ServletKeycloakAuthMech implements AuthenticationMechanism {
    public static final AttachmentKey<AuthChallenge> KEYCLOAK_CHALLENGE_ATTACHMENT_KEY = AttachmentKey.create(AuthChallenge.class);
    protected AdapterDeploymentContext deploymentContext;
    protected UndertowUserSessionManagement userSessionManagement;
    protected ConfidentialPortManager portManager;

    public ServletKeycloakAuthMech(AdapterDeploymentContext adapterDeploymentContext, UndertowUserSessionManagement undertowUserSessionManagement, ConfidentialPortManager confidentialPortManager) {
        this.deploymentContext = adapterDeploymentContext;
        this.userSessionManagement = undertowUserSessionManagement;
        this.portManager = confidentialPortManager;
    }

    public AuthenticationMechanism.AuthenticationMechanismOutcome authenticate(HttpServerExchange httpServerExchange, SecurityContext securityContext) {
        UndertowHttpFacade undertowHttpFacade = new UndertowHttpFacade(httpServerExchange);
        KeycloakDeployment resolveDeployment = this.deploymentContext.resolveDeployment(undertowHttpFacade);
        if (!resolveDeployment.isConfigured()) {
            return AuthenticationMechanism.AuthenticationMechanismOutcome.NOT_ATTEMPTED;
        }
        ServletRequestAuthenticator createRequestAuthenticator = createRequestAuthenticator(resolveDeployment, httpServerExchange, securityContext, undertowHttpFacade);
        AuthOutcome authenticate = createRequestAuthenticator.authenticate();
        if (authenticate == AuthOutcome.AUTHENTICATED) {
            return AuthenticationMechanism.AuthenticationMechanismOutcome.AUTHENTICATED;
        }
        AuthChallenge challenge = createRequestAuthenticator.getChallenge();
        if (challenge != null) {
            httpServerExchange.putAttachment(KEYCLOAK_CHALLENGE_ATTACHMENT_KEY, challenge);
        }
        return authenticate == AuthOutcome.FAILED ? AuthenticationMechanism.AuthenticationMechanismOutcome.NOT_AUTHENTICATED : AuthenticationMechanism.AuthenticationMechanismOutcome.NOT_ATTEMPTED;
    }

    protected ServletRequestAuthenticator createRequestAuthenticator(KeycloakDeployment keycloakDeployment, HttpServerExchange httpServerExchange, SecurityContext securityContext, UndertowHttpFacade undertowHttpFacade) {
        int i = 8443;
        if (this.portManager != null) {
            i = this.portManager.getConfidentialPort(httpServerExchange);
        }
        return new ServletRequestAuthenticator(undertowHttpFacade, keycloakDeployment, i, securityContext, httpServerExchange, this.userSessionManagement);
    }

    public AuthenticationMechanism.ChallengeResult sendChallenge(HttpServerExchange httpServerExchange, SecurityContext securityContext) {
        AuthChallenge authChallenge = (AuthChallenge) httpServerExchange.getAttachment(KEYCLOAK_CHALLENGE_ATTACHMENT_KEY);
        return (authChallenge == null || !authChallenge.challenge(new UndertowHttpFacade(httpServerExchange))) ? new AuthenticationMechanism.ChallengeResult(false) : new AuthenticationMechanism.ChallengeResult(true, Integer.valueOf(httpServerExchange.getResponseCode()));
    }
}
