package org.keycloak.adapters.elytron;

import javax.security.auth.callback.CallbackHandler;
import org.jboss.logging.Logger;
import org.keycloak.KeycloakPrincipal;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.adapters.AdapterUtils;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.OidcKeycloakAccount;
import org.keycloak.adapters.RefreshableKeycloakSecurityContext;
import org.keycloak.adapters.RequestAuthenticator;
import org.wildfly.security.http.HttpScope;
import org.wildfly.security.http.HttpScopeNotification;
import org.wildfly.security.http.Scope;

/* loaded from: input_file:org/keycloak/adapters/elytron/ElytronSessionTokenStore.class */
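/**
 * Token store that keeps the authenticated account and its Keycloak security
 * context as attachments of the HTTP session scope.
 *
 * <p>The same two attachment keys are used throughout: the class name of
 * {@link KeycloakSecurityContext} and the class name of {@code ElytronAccount}.
 * Every path that gives up on a session clears both attachments and then
 * invalidates the session scope.
 */
public class ElytronSessionTokenStore implements ElytronTokeStore {
    private static final Logger log = Logger.getLogger(ElytronSessionTokenStore.class);
    private final ElytronHttpFacade httpFacade;
    private final CallbackHandler callbackHandler;

    /**
     * @param elytronHttpFacade facade giving access to the request scopes and the deployment
     * @param callbackHandler handler passed on to {@code ElytronAccount.tryRefresh} in {@link #isCached}
     */
    public ElytronSessionTokenStore(ElytronHttpFacade elytronHttpFacade, CallbackHandler callbackHandler) {
        this.httpFacade = elytronHttpFacade;
        this.callbackHandler = callbackHandler;
    }

    /**
     * Re-validates the security context stored in the session, if there is one.
     *
     * <p>When the context is no longer active, or the deployment asks for a refresh on
     * every request, a token refresh is attempted. If the context is still not active
     * afterwards, the session attachments are cleared and the session is invalidated.
     */
    public void checkCurrentToken() {
        HttpScope session = this.httpFacade.getScope(Scope.SESSION);
        if (session == null || !session.exists()) {
            return;
        }
        RefreshableKeycloakSecurityContext securityContext =
                (RefreshableKeycloakSecurityContext) session.getAttachment(KeycloakSecurityContext.class.getName());
        if (securityContext == null) {
            return;
        }
        // A context read back from the session may have no deployment bound to it;
        // bind the current one before asking it anything that needs the deployment.
        if (securityContext.getDeployment() == null) {
            securityContext.setCurrentRequestInfo(this.httpFacade.getDeployment(), this);
        }
        if (securityContext.isActive() && !securityContext.getDeployment().isAlwaysRefreshToken()) {
            return;
        }
        if (securityContext.refreshExpiredToken(false) && securityContext.isActive()) {
            return;
        }
        // Refresh failed: drop everything tied to the stale login. The account attachment
        // is cleared as well, matching what isCached() and logout(boolean) do.
        session.setAttachment(KeycloakSecurityContext.class.getName(), null);
        session.setAttachment(ElytronAccount.class.getName(), null);
        session.invalidate();
    }

    /**
     * Tries to authenticate the current request from the account stored in the session.
     *
     * @param requestAuthenticator not used by this implementation
     * @return {@code true} if a usable account was found and authentication was completed
     *     with it; {@code false} in every other case, including when the session had to be
     *     invalidated because the account could not be refreshed
     */
    public boolean isCached(RequestAuthenticator requestAuthenticator) {
        HttpScope session = this.httpFacade.getScope(Scope.SESSION);
        if (session == null || !session.supportsAttachments()) {
            log.debug("session was null, returning null");
            return false;
        }
        try {
            ElytronAccount account = (ElytronAccount) session.getAttachment(ElytronAccount.class.getName());
            if (account == null) {
                log.debug("Account was not in session, returning null");
                return false;
            }
            // An account established for another realm must never satisfy a request
            // for this deployment, even though it lives in the same HTTP session.
            String requestRealm = this.httpFacade.getDeployment().getRealm();
            if (!requestRealm.equals(account.getKeycloakSecurityContext().getRealm())) {
                log.debug("Account in session belongs to a different realm than for this request.");
                return false;
            }
            boolean usable = account.checkActive();
            if (!usable) {
                usable = account.tryRefresh(this.callbackHandler);
            }
            if (usable) {
                log.debug("Cached account found");
                restoreRequest();
                this.httpFacade.authenticationComplete(account, true);
                return true;
            }
            log.debug("Refresh failed. Account was not active. Returning null and invalidating Http session");
            try {
                session.setAttachment(KeycloakSecurityContext.class.getName(), null);
                session.setAttachment(ElytronAccount.class.getName(), null);
                session.invalidate();
            } catch (Exception e) {
                // Best effort: the request is rejected either way. Keep the cause in the
                // log so a session that could not be cleaned up can be diagnosed.
                log.debug("Failed to invalidate session, might already be invalidated", e);
            }
            return false;
        } catch (IllegalStateException e2) {
            log.debug("session was invalidated.  Return false.");
            return false;
        }
    }

    /**
     * Stores the account and its security context in the session (creating the session if
     * needed), registers a listener on the session scope, and also attaches the security
     * context to the exchange scope of the current request.
     *
     * @param oidcKeycloakAccount the account that has just been authenticated
     */
    public void saveAccountInfo(OidcKeycloakAccount oidcKeycloakAccount) {
        HttpScope session = this.httpFacade.getScope(Scope.SESSION);
        // NOTE(review): an already existing session is reused as-is and nothing here changes
        // its identifier. Confirm that the container or the authentication mechanism rotates
        // the session id on login, otherwise a pre-login session id stays valid afterwards.
        if (!session.exists()) {
            session.create();
        }
        session.setAttachment(ElytronAccount.class.getName(), oidcKeycloakAccount);
        session.setAttachment(KeycloakSecurityContext.class.getName(), oidcKeycloakAccount.getKeycloakSecurityContext());
        // Every session notification except UNDEPLOY triggers a local logout.
        session.registerForNotification(notification -> {
            if (notification.isOfType(HttpScopeNotification.SessionNotificationType.UNDEPLOY)) {
                return;
            }
            logout();
        });
        this.httpFacade.getScope(Scope.EXCHANGE)
                .setAttachment(KeycloakSecurityContext.class.getName(), oidcKeycloakAccount.getKeycloakSecurityContext());
    }

    /** Logs out locally only; equivalent to {@code logout(false)}. */
    public void logout() {
        logout(false);
    }

    /**
     * Rebuilds the account from a refreshed security context and stores it again through
     * {@link #saveAccountInfo}.
     *
     * @param refreshableKeycloakSecurityContext the context whose token was refreshed
     */
    public void refreshCallback(RefreshableKeycloakSecurityContext refreshableKeycloakSecurityContext) {
        String principalName = AdapterUtils.getPrincipalName(
                this.httpFacade.getDeployment(), refreshableKeycloakSecurityContext.getToken());
        saveAccountInfo(new ElytronAccount(new KeycloakPrincipal(principalName, refreshableKeycloakSecurityContext)));
    }

    /** Delegates to {@code ElytronHttpFacade.suspendRequest()}. */
    public void saveRequest() {
        this.httpFacade.suspendRequest();
    }

    /**
     * Delegates to {@code ElytronHttpFacade.restoreRequest()}.
     *
     * @return whatever the facade reports
     */
    public boolean restoreRequest() {
        return this.httpFacade.restoreRequest();
    }

    /**
     * Clears the session attachments and invalidates the session.
     *
     * @param z when {@code true}, the stored security context is first asked to log out
     *     against the deployment (skipped for bearer-only deployments and for contexts that
     *     are not refreshable) before the local session is torn down
     */
    @Override // org.keycloak.adapters.elytron.ElytronTokeStore
    public void logout(boolean z) {
        HttpScope session = this.httpFacade.getScope(Scope.SESSION);
        // checkCurrentToken() and isCached() both tolerate a missing session scope; do the same.
        if (session == null || !session.exists()) {
            return;
        }
        if (z) {
            try {
                // Typed as the base class: the attachment is only treated as refreshable
                // after the instanceof check below.
                KeycloakSecurityContext securityContext =
                        (KeycloakSecurityContext) session.getAttachment(KeycloakSecurityContext.class.getName());
                if (securityContext == null) {
                    // NOTE(review): this returns without clearing the account attachment or
                    // invalidating the session. Confirm that is intended for a logout request
                    // that finds no security context.
                    return;
                }
                KeycloakDeployment deployment = this.httpFacade.getDeployment();
                if (!deployment.isBearerOnly() && securityContext instanceof RefreshableKeycloakSecurityContext) {
                    ((RefreshableKeycloakSecurityContext) securityContext).logout(deployment);
                }
            } catch (IllegalStateException e) {
                log.debugf("Session %s logged-out already", session.getID());
                return;
            }
        }
        session.setAttachment(KeycloakSecurityContext.class.getName(), null);
        session.setAttachment(ElytronAccount.class.getName(), null);
        session.invalidate();
    }
}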
