package org.wildfly.security.http.impl;

import io.undertow.util.StatusCodes;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.AuthorizeCallback;
import org.wildfly.security._private.ElytronMessages;
import org.wildfly.security.auth.callback.AuthenticationCompleteCallback;
import org.wildfly.security.auth.callback.EvidenceVerifyCallback;
import org.wildfly.security.auth.callback.IdentityCredentialCallback;
import org.wildfly.security.credential.BearerTokenCredential;
import org.wildfly.security.evidence.BearerTokenEvidence;
import org.wildfly.security.http.HttpAuthenticationException;
import org.wildfly.security.http.HttpConstants;
import org.wildfly.security.http.HttpServerAuthenticationMechanism;
import org.wildfly.security.http.HttpServerRequest;
import org.wildfly.security.mechanism.AuthenticationMechanismException;
import org.wildfly.security.mechanism.MechanismUtil;

/* loaded from: input_file:org/wildfly/security/http/impl/BearerTokenAuthenticationMechanism.class */
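/**
 * HTTP server-side authentication mechanism that authenticates a request from a
 * bearer token carried in the {@code Authorization} request header.
 *
 * <p>The token is handed to the configured {@link CallbackHandler} as
 * {@link BearerTokenEvidence}; this class performs no token validation of its own,
 * so signature, expiry and audience checks depend entirely on what the handler does.
 *
 * <p>The token is a bearer secret: anything added to this class should avoid writing
 * it to logs or failure messages.
 */
class BearerTokenAuthenticationMechanism implements HttpServerAuthenticationMechanism {
    /**
     * Matches {@code Bearer <token>} case-insensitively and captures the token in group 1.
     *
     * <p>NOTE(review): {@code " *"} also accepts zero spaces after the scheme, so a value
     * such as {@code Bearerabc} yields the token {@code abc}; RFC 6750 specifies at least
     * one space. The token group only excludes the space character, so tabs and other
     * control characters are passed through to the verifier unchanged.
     */
    private static final Pattern BEARER_TOKEN_PATTERN =
            Pattern.compile("^Bearer *([^ ]+) *$", Pattern.CASE_INSENSITIVE);

    private final CallbackHandler callbackHandler;

    /**
     * Creates the mechanism.
     *
     * @param callbackHandler handler that receives the evidence-verification, authorization,
     *                        credential and completion callbacks; stored as given, without a
     *                        null check
     */
    public BearerTokenAuthenticationMechanism(CallbackHandler callbackHandler) {
        this.callbackHandler = callbackHandler;
    }

    /**
     * Returns the name of this mechanism.
     *
     * @return {@link HttpConstants#BEARER_TOKEN}
     */
    @Override
    public String getMechanismName() {
        return HttpConstants.BEARER_TOKEN;
    }

    /**
     * Evaluates the {@code Authorization} header of the request and reports the outcome on it.
     *
     * <ul>
     *   <li>no header: authentication fails with status 401;</li>
     *   <li>more than one header, or a value that is not a bearer token: fails with status 400;</li>
     *   <li>token not verified or not authorized by the callback handler: fails with status 403;</li>
     *   <li>otherwise the token is passed on as a {@link BearerTokenCredential} and
     *       authentication completes.</li>
     * </ul>
     *
     * @param httpServerRequest the request being authenticated
     * @throws HttpAuthenticationException if the callback handler reports a mechanism failure
     */
    @Override
    public void evaluateRequest(HttpServerRequest httpServerRequest) throws HttpAuthenticationException {
        List<String> authorizationValues = httpServerRequest.getRequestHeaderValues("Authorization");
        if (authorizationValues == null || authorizationValues.isEmpty()) {
            // NOTE(review): no WWW-Authenticate challenge header is set on this 401; RFC 6750
            // section 3 expects one. Confirm whether a caller or another layer adds it.
            httpServerRequest.authenticationFailed("Bearer token required", response -> {
                response.setStatusCode(401);
            });
            return;
        }
        if (authorizationValues.size() > 1) {
            // Several Authorization headers are ambiguous, so the request is rejected rather
            // than picking one of them.
            httpServerRequest.authenticationFailed("Multiple Authorization headers found", response -> {
                response.setStatusCode(StatusCodes.BAD_REQUEST);
            });
            return;
        }
        Matcher matcher = BEARER_TOKEN_PATTERN.matcher(authorizationValues.get(0));
        if (!matcher.matches()) {
            httpServerRequest.authenticationFailed("Authorization is not Bearer", response -> {
                response.setStatusCode(StatusCodes.BAD_REQUEST);
            });
            return;
        }

        BearerTokenEvidence bearerTokenEvidence = new BearerTokenEvidence(matcher.group(1));
        EvidenceVerifyCallback evidenceVerifyCallback = new EvidenceVerifyCallback(bearerTokenEvidence);
        handleCallback(evidenceVerifyCallback);
        if (evidenceVerifyCallback.isVerified()) {
            // Declared with its concrete type: isAuthorized() is not a member of Callback.
            AuthorizeCallback authorizeCallback = new AuthorizeCallback(null, null);
            handleCallback(authorizeCallback);
            if (authorizeCallback.isAuthorized()) {
                handleCallback(new IdentityCredentialCallback(
                        new BearerTokenCredential(bearerTokenEvidence.getToken()), true));
                handleCallback(AuthenticationCompleteCallback.SUCCEEDED);
                httpServerRequest.authenticationComplete();
                return;
            }
        }
        // Reached when the token was not verified or the identity was not authorized. No
        // failure callback is sent to the handler on this path.
        // NOTE(review): RFC 6750 describes 401 with error="invalid_token" for a rejected
        // token; 403 is kept here because it is the existing behaviour.
        httpServerRequest.authenticationFailed("Invalid bearer token", response -> {
            response.setStatusCode(403);
        });
    }

    /**
     * Passes a single callback to the configured handler.
     *
     * <p>An unsupported callback is only trace-logged. For the verification and authorization
     * callbacks this leaves the callback unverified / unauthorized, so the caller falls through
     * to the failure path; for the credential and completion callbacks the caller continues.
     *
     * @param callback the callback to handle
     * @throws HttpAuthenticationException converted from an
     *         {@link AuthenticationMechanismException} raised while handling the callback
     */
    private void handleCallback(Callback callback) throws HttpAuthenticationException {
        try {
            MechanismUtil.handleCallbacks(HttpConstants.BEARER_TOKEN, this.callbackHandler, callback);
        } catch (UnsupportedCallbackException ignored) {
            // Deliberate best-effort: see the method comment for why this is not rethrown.
            // NOTE(review): the callback is formatted with %s; confirm that no callback's
            // string form includes the token, or it would reach the trace log.
            ElytronMessages.log.tracef("Unsupported callback [%s]", callback);
        } catch (AuthenticationMechanismException e) {
            throw e.toHttpAuthenticationException();
        }
    }
}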
