package org.keycloak.jaxrs;

import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.security.Principal;
import java.util.List;
import java.util.Set;
import java.util.logging.Logger;
import javax.annotation.Priority;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.PreMatching;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import org.keycloak.KeycloakPrincipal;
import org.keycloak.adapters.AdapterDeploymentContext;
import org.keycloak.adapters.AdapterTokenStore;
import org.keycloak.adapters.AdapterUtils;
import org.keycloak.adapters.AuthenticatedActionsHandler;
import org.keycloak.adapters.BasicAuthRequestAuthenticator;
import org.keycloak.adapters.BearerTokenRequestAuthenticator;
import org.keycloak.adapters.KeycloakConfigResolver;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.KeycloakDeploymentBuilder;
import org.keycloak.adapters.NodesRegistrationManagement;
import org.keycloak.adapters.PreAuthActionsHandler;
import org.keycloak.adapters.RefreshableKeycloakSecurityContext;
import org.keycloak.adapters.spi.AuthChallenge;
import org.keycloak.adapters.spi.AuthOutcome;
import org.keycloak.adapters.spi.UserSessionManagement;
import org.keycloak.representations.IDToken;

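/**
 * JAX-RS request filter that authenticates incoming requests with a Keycloak bearer token
 * (optionally falling back to HTTP Basic when the deployment enables it) and installs a
 * {@link SecurityContext} describing the authenticated principal.
 *
 * <p>The filter is configured through exactly one of {@code keycloakConfigFile} or
 * {@code keycloakConfigResolverClass}; setting either property starts the filter, and setting a
 * second one afterwards fails with {@link IllegalStateException}.
 *
 * <p>Runs {@code @PreMatching} at priority 1000. The class file is marked {@code @Deprecated};
 * the replacement is not visible from this file.
 *
 * <p>Decompiled from {@code org/keycloak/jaxrs/JaxrsBearerTokenFilterImpl.class}.
 */
@Priority(1000)
@PreMatching
@Deprecated
public class JaxrsBearerTokenFilterImpl implements JaxrsBearerTokenFilter {
    // The logger name is the Class#toString() form ("class org.keycloak..."), kept as-is so that
    // existing logging configuration keyed on that name keeps matching.
    private static final Logger log = Logger.getLogger("" + JaxrsBearerTokenFilterImpl.class);

    private static final String CLASSPATH_PREFIX = "classpath:";
    private static final String ALREADY_STARTED_MESSAGE =
            "Filter already started. Make sure to specify just keycloakConfigResolver or keycloakConfigFile but not both";

    private String keycloakConfigFile;
    private String keycloakConfigResolverClass;
    // volatile: written once by start(), read by attemptStart()/start() on whichever thread configures the filter.
    protected volatile boolean started;
    protected AdapterDeploymentContext deploymentContext;
    protected NodesRegistrationManagement nodesRegistrationManagement;
    protected UserSessionManagement userSessionManagement = new EmptyUserSessionManagement();

    /**
     * No-op session manager: both logout callbacks do nothing in this filter, which builds its
     * security context from the credential carried by each request.
     */
    private static class EmptyUserSessionManagement implements UserSessionManagement {
        private EmptyUserSessionManagement() {
        }

        @Override
        public void logoutAll() {
        }

        @Override
        public void logoutHttpSessions(List<String> list) {
        }
    }

    /**
     * Sets the adapter configuration location and starts the filter.
     *
     * @param str a file-system path, or a classpath location prefixed with {@code classpath:}
     * @throws IllegalStateException if the filter has already been started
     */
    public void setKeycloakConfigFile(String str) {
        this.keycloakConfigFile = str;
        attemptStart();
    }

    /** @return the configured adapter configuration location, or {@code null} if unset */
    public String getKeycloakConfigFile() {
        return this.keycloakConfigFile;
    }

    /** @return the configured resolver class name, or {@code null} if unset */
    public String getKeycloakConfigResolverClass() {
        return this.keycloakConfigResolverClass;
    }

    /**
     * Sets the fully qualified name of the {@link KeycloakConfigResolver} implementation and
     * starts the filter.
     *
     * @param str resolver class name
     * @throws IllegalStateException if the filter has already been started
     */
    public void setKeycloakConfigResolverClass(String str) {
        this.keycloakConfigResolverClass = str;
        attemptStart();
    }

    /**
     * Starts the filter once at least one configuration property is set.
     *
     * <p>Decompiler note: declared {@code protected} in the original class.
     *
     * @throws IllegalStateException if the filter has already been started
     */
    public void attemptStart() {
        if (this.started) {
            throw new IllegalStateException(ALREADY_STARTED_MESSAGE);
        }
        if (isInitialized()) {
            start();
        } else {
            log.fine("Not yet initialized");
        }
    }

    /**
     * Reports whether a configuration source has been provided.
     *
     * <p>Decompiler note: declared {@code protected} in the original class.
     *
     * @return {@code true} if either the config file or the resolver class is set
     */
    public boolean isInitialized() {
        return this.keycloakConfigFile != null || this.keycloakConfigResolverClass != null;
    }

    /**
     * Builds the {@link AdapterDeploymentContext} from the configured resolver class (preferred)
     * or from the configuration file, then marks the filter as started.
     *
     * @throws IllegalStateException if the filter has already been started
     * @throws IllegalArgumentException if neither configuration property is set
     * @throws RuntimeException if the resolver cannot be loaded or instantiated, or the
     *         configuration cannot be found
     */
    protected void start() {
        if (this.started) {
            throw new IllegalStateException(ALREADY_STARTED_MESSAGE);
        }
        if (this.keycloakConfigResolverClass != null) {
            Class<? extends KeycloakConfigResolver> resolverClass = loadResolverClass();
            try {
                // getDeclaredConstructor().newInstance() instead of the deprecated Class.newInstance(),
                // which rethrows checked constructor exceptions unwrapped.
                KeycloakConfigResolver resolver = resolverClass.getDeclaredConstructor().newInstance();
                log.info("Using " + resolver + " to resolve Keycloak configuration on a per-request basis.");
                this.deploymentContext = new AdapterDeploymentContext(resolver);
            } catch (Exception e) {
                // Keep the cause: without it a misconfigured resolver is undiagnosable from the log.
                throw new RuntimeException("Unable to instantiate resolver " + resolverClass, e);
            }
        } else {
            if (this.keycloakConfigFile == null) {
                throw new IllegalArgumentException("You need to specify either keycloakConfigResolverClass or keycloakConfigFile in configuration");
            }
            // Close the stream here rather than relying on the builder to do it.
            try (InputStream configStream = loadKeycloakConfigFile()) {
                this.deploymentContext = new AdapterDeploymentContext(KeycloakDeploymentBuilder.build(configStream));
            } catch (IOException e) {
                // Only close() can raise IOException here; the deployment has already been built.
                log.warning("Failed to close Keycloak config stream for " + this.keycloakConfigFile + ": " + e);
            }
            log.info("Keycloak is using a per-deployment configuration loaded from: " + this.keycloakConfigFile);
        }
        this.nodesRegistrationManagement = new NodesRegistrationManagement();
        this.started = true;
    }

    /**
     * Loads the configured resolver class, trying this class's loader first and the thread
     * context class loader second, and verifies that it implements {@link KeycloakConfigResolver}
     * before anything instantiates it.
     *
     * <p>Decompiler note: declared {@code protected} in the original class.
     *
     * @return the resolver class
     * @throws RuntimeException if the class cannot be found or is not a {@link KeycloakConfigResolver}
     */
    public Class<? extends KeycloakConfigResolver> loadResolverClass() {
        String className = this.keycloakConfigResolverClass;
        Class<?> loaded;
        try {
            loaded = getClass().getClassLoader().loadClass(className);
        } catch (ClassNotFoundException ownLoaderMiss) {
            try {
                loaded = Thread.currentThread().getContextClassLoader().loadClass(className);
            } catch (ClassNotFoundException contextLoaderMiss) {
                contextLoaderMiss.addSuppressed(ownLoaderMiss);
                throw new RuntimeException("Unable to find resolver class: " + className, contextLoaderMiss);
            }
        }
        try {
            // Reject a class of the wrong type up front so that a mistyped or unexpected class name
            // is never instantiated by start().
            return loaded.asSubclass(KeycloakConfigResolver.class);
        } catch (ClassCastException e) {
            throw new RuntimeException("Resolver class does not implement KeycloakConfigResolver: " + className, e);
        }
    }

    /**
     * Opens the adapter configuration, either from the file system or, when the location starts
     * with {@code classpath:}, from the class path (this class's loader first, then the thread
     * context class loader). The caller owns the returned stream and must close it.
     *
     * <p>The location is opened exactly as configured, with no path restriction.
     * NOTE(review): this assumes the value is set by the deployer and never derived from request
     * data; confirm against how the property is populated.
     *
     * <p>Decompiler note: declared {@code protected} in the original class.
     *
     * @return an open stream over the configuration
     * @throws RuntimeException if the file or class path resource cannot be found
     */
    public InputStream loadKeycloakConfigFile() {
        String location = this.keycloakConfigFile;
        if (!location.startsWith(CLASSPATH_PREFIX)) {
            try {
                log.fine("Loading config from file: " + location);
                return new FileInputStream(location);
            } catch (FileNotFoundException e) {
                log.severe("Config not found on " + location);
                throw new RuntimeException(e);
            }
        }
        // Strip only the leading prefix; replace() would also remove any later "classpath:" in the name.
        String resourceName = location.substring(CLASSPATH_PREFIX.length());
        log.fine("Loading config from classpath on location: " + resourceName);
        InputStream resourceStream = getClass().getClassLoader().getResourceAsStream(resourceName);
        if (resourceStream == null) {
            resourceStream = Thread.currentThread().getContextClassLoader().getResourceAsStream(resourceName);
        }
        if (resourceStream == null) {
            throw new RuntimeException("Unable to find config from classpath: " + location);
        }
        return resourceStream;
    }

    /**
     * Entry point for each request: runs the pre-authentication handler, resolves the deployment
     * for the request, attempts node registration and then authenticates the request.
     *
     * @param containerRequestContext the JAX-RS request context
     * @throws IllegalStateException if the filter handles a request before it was configured
     * @throws IOException declared by the filter contract
     */
    @Override
    public void filter(ContainerRequestContext containerRequestContext) throws IOException {
        // Fail closed with an explicit error: an unconfigured filter must never let a request
        // continue, and a bare NullPointerException further down hides the actual cause.
        if (this.deploymentContext == null) {
            throw new IllegalStateException("Keycloak filter is not configured: set keycloakConfigFile or keycloakConfigResolverClass before it handles requests");
        }
        JaxrsHttpFacade facade = new JaxrsHttpFacade(containerRequestContext, getRequestSecurityContext(containerRequestContext));
        if (handlePreauth(facade)) {
            return;
        }
        KeycloakDeployment deployment = this.deploymentContext.resolveDeployment(facade);
        this.nodesRegistrationManagement.tryRegister(deployment);
        bearerAuthentication(facade, containerRequestContext, deployment);
    }

    /**
     * Lets {@link PreAuthActionsHandler} process the request before authentication.
     *
     * @return {@code true} if the handler consumed the request (the response is ended here if the
     *         handler left it open), {@code false} if normal authentication should continue
     */
    protected boolean handlePreauth(JaxrsHttpFacade jaxrsHttpFacade) {
        PreAuthActionsHandler handler = new PreAuthActionsHandler(this.userSessionManagement, this.deploymentContext, jaxrsHttpFacade);
        if (!handler.handleRequest()) {
            return false;
        }
        if (!jaxrsHttpFacade.isResponseFinished()) {
            jaxrsHttpFacade.getResponse().end();
        }
        return true;
    }

    /**
     * Authenticates the request with a bearer token and, when no bearer authentication was
     * attempted and the deployment enables it, with HTTP Basic credentials.
     *
     * <p>On {@code FAILED} or {@code NOT_ATTEMPTED} the authenticator's challenge is sent (or a
     * bare 401 if the challenge declines) and the response is ended. Any other outcome proceeds
     * to the transport check, security context propagation and authenticated actions.
     */
    protected void bearerAuthentication(JaxrsHttpFacade jaxrsHttpFacade, ContainerRequestContext containerRequestContext, KeycloakDeployment keycloakDeployment) {
        BearerTokenRequestAuthenticator authenticator = new BearerTokenRequestAuthenticator(keycloakDeployment);
        AuthOutcome outcome = authenticator.authenticate(jaxrsHttpFacade);
        if (outcome == AuthOutcome.NOT_ATTEMPTED && keycloakDeployment.isEnableBasicAuth()) {
            authenticator = new BasicAuthRequestAuthenticator(keycloakDeployment);
            outcome = authenticator.authenticate(jaxrsHttpFacade);
        }

        // NOTE(review): this is a deny-list on outcomes; every value other than FAILED and
        // NOT_ATTEMPTED is treated as authenticated. An allow-list on the success value would
        // fail closed if further outcomes can reach this point; confirm before changing.
        if (outcome == AuthOutcome.FAILED || outcome == AuthOutcome.NOT_ATTEMPTED) {
            AuthChallenge challenge = authenticator.getChallenge();
            log.fine("Authentication outcome: " + outcome);
            if (!challenge.challenge(jaxrsHttpFacade)) {
                jaxrsHttpFacade.getResponse().setStatus(Response.Status.UNAUTHORIZED.getStatusCode());
            }
            if (!jaxrsHttpFacade.isResponseFinished()) {
                jaxrsHttpFacade.getResponse().end();
            }
            return;
        }

        // The transport check runs after the credential was validated: it rejects the request, but
        // a credential sent over plain HTTP has already been exposed on the wire by this point.
        if (verifySslFailed(jaxrsHttpFacade, keycloakDeployment)) {
            return;
        }
        propagateSecurityContext(jaxrsHttpFacade, containerRequestContext, keycloakDeployment, authenticator);
        handleAuthActions(jaxrsHttpFacade, keycloakDeployment);
    }

    /**
     * Publishes the authenticated identity: stores a {@link RefreshableKeycloakSecurityContext} on
     * the facade and replaces the request's JAX-RS {@link SecurityContext} with one backed by the
     * validated token's principal and roles.
     */
    protected void propagateSecurityContext(JaxrsHttpFacade jaxrsHttpFacade, ContainerRequestContext containerRequestContext, KeycloakDeployment keycloakDeployment, BearerTokenRequestAuthenticator bearerTokenRequestAuthenticator) {
        // No token store, ID token or refresh token is passed: the context carries the access token only.
        RefreshableKeycloakSecurityContext keycloakContext = new RefreshableKeycloakSecurityContext(keycloakDeployment, (AdapterTokenStore) null, bearerTokenRequestAuthenticator.getTokenString(), bearerTokenRequestAuthenticator.getToken(), (String) null, (IDToken) null, (String) null);
        jaxrsHttpFacade.setSecurityContext(keycloakContext);

        String principalName = AdapterUtils.getPrincipalName(keycloakDeployment, bearerTokenRequestAuthenticator.getToken());
        final KeycloakPrincipal keycloakPrincipal = new KeycloakPrincipal(principalName, keycloakContext);
        // Captured from the container's original security context before it is replaced below.
        final boolean secureTransport = getRequestSecurityContext(containerRequestContext).isSecure();
        final Set<String> grantedRoles = AdapterUtils.getRolesFromSecurityContext(keycloakContext);

        containerRequestContext.setSecurityContext(new SecurityContext() {
            @Override
            public Principal getUserPrincipal() {
                return keycloakPrincipal;
            }

            @Override
            public boolean isUserInRole(String str) {
                return grantedRoles.contains(str);
            }

            @Override
            public boolean isSecure() {
                return secureTransport;
            }

            @Override
            public String getAuthenticationScheme() {
                // Reported for every request on this path, including ones authenticated through
                // the Basic fallback in bearerAuthentication().
                return "OAUTH_BEARER";
            }
        });
    }

    /**
     * Rejects the request with 403 when the deployment requires SSL for the caller's address and
     * the request did not arrive over a secure transport.
     *
     * <p>NOTE(review): the decision uses the remote address and the secure flag as reported by
     * the request facade. Behind a TLS-terminating proxy both may describe the proxy hop rather
     * than the client; confirm how the container populates them.
     *
     * @return {@code true} if the request was rejected, {@code false} if it may continue
     */
    protected boolean verifySslFailed(JaxrsHttpFacade jaxrsHttpFacade, KeycloakDeployment keycloakDeployment) {
        if (jaxrsHttpFacade.getRequest().isSecure()) {
            return false;
        }
        if (!keycloakDeployment.getSslRequired().isRequired(jaxrsHttpFacade.getRequest().getRemoteAddr())) {
            return false;
        }
        log.warning("SSL is required to authenticate, but request is not secured");
        jaxrsHttpFacade.getResponse().sendError(403, "SSL required!");
        return true;
    }

    /** @return the security context currently attached to the request */
    protected SecurityContext getRequestSecurityContext(ContainerRequestContext containerRequestContext) {
        return containerRequestContext.getSecurityContext();
    }

    /**
     * Runs {@link AuthenticatedActionsHandler} for the authenticated request and ends the
     * response if the handler consumed the request without finishing it.
     */
    protected void handleAuthActions(JaxrsHttpFacade jaxrsHttpFacade, KeycloakDeployment keycloakDeployment) {
        boolean handled = new AuthenticatedActionsHandler(keycloakDeployment, jaxrsHttpFacade).handledRequest();
        if (handled && !jaxrsHttpFacade.isResponseFinished()) {
            jaxrsHttpFacade.getResponse().end();
        }
    }
}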
