package org.wildfly.swarm.microprofile.jwtauth.deployment.auth;

import io.smallrye.jwt.auth.AbstractBearerTokenExtractor;
import io.smallrye.jwt.auth.cdi.PrincipalProducer;
import io.smallrye.jwt.auth.principal.JWTAuthContextInfo;
import io.undertow.UndertowLogger;
import io.undertow.security.api.AuthenticationMechanism;
import io.undertow.security.api.SecurityContext;
import io.undertow.security.idm.Account;
import io.undertow.security.idm.IdentityManager;
import io.undertow.server.HttpServerExchange;
import io.undertow.server.handlers.Cookie;
import io.undertow.util.Headers;
import java.lang.annotation.Annotation;
import java.security.Principal;
import java.security.acl.Group;
import java.util.NoSuchElementException;
import javax.enterprise.inject.spi.CDI;
import javax.security.auth.Subject;
import org.eclipse.microprofile.jwt.JsonWebToken;
import org.jboss.security.SecurityContextAssociation;
import org.jboss.security.identity.RoleGroup;
import org.jboss.security.identity.plugins.SimpleRoleGroup;
import org.wildfly.swarm.microprofile.jwtauth.deployment.auth.jaas.JWTCredential;

/* loaded from: input_file:org/wildfly/swarm/microprofile/jwtauth/deployment/auth/JWTAuthMechanism.class */
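/**
 * Undertow {@link AuthenticationMechanism} for MicroProfile JWT bearer tokens.
 *
 * <p>Flow per request: locate a bearer token (header or cookie, as decided by the
 * smallrye {@link AbstractBearerTokenExtractor} and the {@link JWTAuthContextInfo}),
 * hand it to the deployment's {@link IdentityManager} as a {@link JWTCredential},
 * and on success publish the resulting {@link JsonWebToken} to CDI and to the
 * JBoss/PicketBox {@code SecurityContext} (subject info plus role group).
 *
 * <p>Security notes:
 * <ul>
 *   <li>Token validation (signature, issuer, expiry, ...) is NOT done here; it is
 *       delegated to the identity manager via {@link JWTCredential}. A {@code null}
 *       account or any exception during verification yields
 *       {@code NOT_AUTHENTICATED}; the mechanism never falls through as authenticated.</li>
 *   <li>Log messages deliberately never include the raw token; only the caller name,
 *       request path and roles are logged at debug level.</li>
 *   <li>NOTE(review): if the context info is configured to read the token from a
 *       cookie, browsers will attach it automatically, so CSRF protection for
 *       state-changing endpoints must be handled elsewhere — confirm the deployment's
 *       configuration.</li>
 * </ul>
 *
 * <p>Instances presumably are shared across concurrent requests (one per deployment),
 * so this class keeps no per-request state in fields; the only field is the immutable
 * context info passed at construction.
 */
public class JWTAuthMechanism implements AuthenticationMechanism {
    /** Mechanism name reported to Undertow in {@code authenticationComplete}. */
    private static final String MECHANISM_NAME = "MP-JWT";

    /** Name of the JAAS {@link Group} principal that carries the caller's roles. */
    private static final String ROLES_GROUP_NAME = "Roles";

    /** Verification settings shared by every request handled by this mechanism. */
    private final JWTAuthContextInfo authContextInfo;

    /**
     * Adapts an Undertow exchange to the smallrye bearer-token extractor, which
     * decides whether to look in a header or a cookie and what the names are.
     */
    private static class UndertowBearerTokenExtractor extends AbstractBearerTokenExtractor {
        private final HttpServerExchange httpExchange;

        UndertowBearerTokenExtractor(JWTAuthContextInfo contextInfo, HttpServerExchange exchange) {
            super(contextInfo);
            this.httpExchange = exchange;
        }

        /** Returns the first value of the named request header, or {@code null} if absent. */
        protected String getHeaderValue(String headerName) {
            return httpExchange.getRequestHeaders().getFirst(headerName);
        }

        /** Returns the value of the named request cookie, or {@code null} if absent. */
        protected String getCookieValue(String cookieName) {
            Cookie cookie = httpExchange.getRequestCookies().get(cookieName);
            return cookie == null ? null : cookie.getValue();
        }
    }

    /**
     * @param authContextInfo verification settings (token location, keys, issuer, ...)
     *                        handed to the extractor and to each {@link JWTCredential}
     */
    public JWTAuthMechanism(JWTAuthContextInfo authContextInfo) {
        this.authContextInfo = authContextInfo;
    }

    /**
     * Attempts bearer-token authentication for the exchange.
     *
     * @return {@code NOT_ATTEMPTED} when no token is present, {@code AUTHENTICATED}
     *         when the identity manager accepts it and the JBoss security context has
     *         been populated, {@code NOT_AUTHENTICATED} on any verification failure
     */
    public AuthenticationMechanism.AuthenticationMechanismOutcome authenticate(HttpServerExchange exchange, SecurityContext securityContext) {
        String bearerToken = new UndertowBearerTokenExtractor(authContextInfo, exchange).getBearerToken();
        if (bearerToken == null) {
            // No credential presented: other mechanisms may run, or sendChallenge is issued.
            return AuthenticationMechanism.AuthenticationMechanismOutcome.NOT_ATTEMPTED;
        }
        try {
            // Kept as a local on purpose: the identity manager belongs to the request's
            // security context, and stashing it in a field on a shared mechanism instance
            // would race between concurrent requests.
            IdentityManager identityManager = securityContext.getIdentityManager();
            JWTCredential credential = new JWTCredential(bearerToken, authContextInfo);
            Account account = identityManager.verify(credential.getName(), credential);
            if (account == null) {
                UndertowLogger.SECURITY_LOGGER.info("Failed to authenticate JWT bearer token");
                return AuthenticationMechanism.AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
            }
            // The rest of the pipeline requires a JsonWebToken principal; refuse anything
            // else explicitly instead of relying on a ClassCastException / NPE further down.
            Principal principal = account.getPrincipal();
            if (!(principal instanceof JsonWebToken)) {
                throw new IllegalStateException("IdentityManager returned a principal that is not a JsonWebToken: "
                        + (principal == null ? "null" : principal.getClass().getName()));
            }
            JsonWebToken jwt = (JsonWebToken) principal;
            preparePrincipalProducer(jwt);
            // Third argument false: do not cache the authentication in a session; every
            // request must present (and re-verify) its own token.
            securityContext.authenticationComplete(account, MECHANISM_NAME, false);
            org.jboss.security.SecurityContext jbossContext = SecurityContextAssociation.getSecurityContext();
            if (jbossContext == null) {
                throw new IllegalStateException("No JBoss SecurityContext is associated with the current thread");
            }
            Subject subject = jbossContext.getUtil().getSubject();
            // The raw token is stored as the subject's credential; it is never logged.
            jbossContext.getUtil().createSubjectInfo(jwt, bearerToken, subject);
            jbossContext.getUtil().setRoles(extract(subject));
            UndertowLogger.SECURITY_LOGGER.debugf("Authenticated caller(%s) for path(%s) with roles: %s", credential.getName(), exchange.getRequestPath(), account.getRoles());
            return AuthenticationMechanism.AuthenticationMechanismOutcome.AUTHENTICATED;
        } catch (Exception e) {
            // Any failure (parse, signature, expiry, missing roles group, ...) fails closed.
            UndertowLogger.SECURITY_LOGGER.infof(e, "Failed to validate JWT bearer token", new Object[0]);
            return AuthenticationMechanism.AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
        }
    }

    /** Publishes the verified token to the CDI {@link PrincipalProducer} for injection points. */
    private void preparePrincipalProducer(JsonWebToken jwt) {
        PrincipalProducer producer = CDI.current().select(PrincipalProducer.class, new Annotation[0]).get();
        producer.setJsonWebToken(jwt);
    }

    /**
     * Issues a bearer challenge with HTTP 401.
     *
     * <p>NOTE(review): RFC 6750 §3 defines the challenge as {@code Bearer} optionally
     * followed by auth-params such as {@code realm="..."}; the literal {@code {token}}
     * here is a placeholder, not an auth-param. It is kept for compatibility, but
     * confirm no client parses this header strictly.
     */
    public AuthenticationMechanism.ChallengeResult sendChallenge(HttpServerExchange exchange, SecurityContext securityContext) {
        exchange.getResponseHeaders().add(Headers.WWW_AUTHENTICATE, "Bearer {token}");
        UndertowLogger.SECURITY_LOGGER.debugf("Sending Bearer {token} challenge for %s", exchange);
        return new AuthenticationMechanism.ChallengeResult(true, 401);
    }

    /**
     * Builds the role group from the {@link Group} principal named {@value #ROLES_GROUP_NAME}
     * that the JAAS login module placed on the subject.
     *
     * <p>Only {@link Group} principals are considered, so a non-group principal that
     * happens to be named "Roles" cannot be mistaken for the role set.
     *
     * @throws NoSuchElementException if the subject carries no such group; the caller
     *         treats this as an authentication failure
     */
    protected RoleGroup extract(Subject subject) {
        Group rolesGroup = subject.getPrincipals(Group.class).stream()
                .filter(group -> ROLES_GROUP_NAME.equals(group.getName()))
                .findFirst()
                .orElseThrow(() -> new NoSuchElementException(
                        "Subject has no '" + ROLES_GROUP_NAME + "' group principal"));
        return new SimpleRoleGroup(rolesGroup);
    }
}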
