package org.jboss.resteasy.skeleton.key.as7;

import java.io.IOException;
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.Set;
import javax.security.auth.login.LoginException;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.connector.Request;
import org.jboss.resteasy.skeleton.key.RSATokenVerifier;
import org.jboss.resteasy.skeleton.key.ResourceMetadata;
import org.jboss.resteasy.skeleton.key.SkeletonKeyPrincipal;
import org.jboss.resteasy.skeleton.key.SkeletonKeySession;
import org.jboss.resteasy.skeleton.key.VerificationException;
import org.jboss.resteasy.skeleton.key.as7.i18n.LogMessages;
import org.jboss.resteasy.skeleton.key.as7.i18n.Messages;
import org.jboss.resteasy.skeleton.key.representations.SkeletonKeyToken;
import org.jboss.resteasy.spi.ResteasyProviderFactory;

/* loaded from: input_file:org/jboss/resteasy/skeleton/key/as7/CatalinaBearerTokenAuthenticator.class */
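/**
 * Authenticates a Catalina {@link Request} from an {@code Authorization: Bearer <token>} header.
 *
 * <p>On success the verified {@link SkeletonKeyToken} is turned into a realm {@link Principal}
 * that is installed on the request with auth type {@code OAUTH_BEARER}. Optionally the raw token
 * is also pushed into the RESTEasy context as a {@link SkeletonKeySession} so downstream code can
 * forward it. Instances carry per-request state ({@link #tokenString}, {@link #token},
 * {@link #principal}) and are not thread-safe; use one per request.
 */
public class CatalinaBearerTokenAuthenticator {
    /** Realm / resource configuration used by {@link RSATokenVerifier}. */
    protected ResourceMetadata resourceMetadata;
    /** Whether a request with no Authorization header at all is answered with a 401 challenge. */
    protected boolean challenge;
    /** Raw bearer token from the most recent {@link #login} call, or {@code null} if none was parsed. */
    protected String tokenString;
    /** Verified token from the most recent successful {@link #login} call, or {@code null}. */
    protected SkeletonKeyToken token;
    /** Principal installed by the most recent successful {@link #login} call, or {@code null}. */
    private Principal principal;
    /** Whether the verified token is propagated into the RESTEasy context on success. */
    protected boolean propagateToken;

    /**
     * @param resourceMetadata realm / resource configuration used to verify tokens
     * @param propagateToken whether to push the token into the RESTEasy context after a successful login
     * @param challenge whether to send a 401 challenge when the Authorization header is absent
     */
    public CatalinaBearerTokenAuthenticator(ResourceMetadata resourceMetadata, boolean propagateToken, boolean challenge) {
        this.resourceMetadata = resourceMetadata;
        this.challenge = challenge;
        this.propagateToken = propagateToken;
    }

    /** @return the realm / resource configuration this authenticator verifies against */
    public ResourceMetadata getResourceMetadata() {
        return this.resourceMetadata;
    }

    /** @return the raw bearer token parsed by the last {@link #login}, or {@code null} */
    public String getTokenString() {
        return this.tokenString;
    }

    /** @return the verified token of the last successful {@link #login}, or {@code null} */
    public SkeletonKeyToken getToken() {
        return this.token;
    }

    /** @return the principal installed by the last successful {@link #login}, or {@code null} */
    public Principal getPrincipal() {
        return this.principal;
    }

    /**
     * Attempts bearer-token authentication of {@code request}.
     *
     * <p>Outcomes:
     * <ul>
     *   <li>no Authorization header: returns {@code false}, after a 401 challenge if {@link #challenge} is set;</li>
     *   <li>header present but not {@code Bearer <token>}, or the token fails verification: a 401 challenge is
     *       written and a {@link LoginException} is thrown (regardless of {@link #challenge});</li>
     *   <li>token requires caller verification but the prerequisites are missing: 400 + {@link LoginException};</li>
     *   <li>otherwise the principal is installed on the request and {@code true} is returned.</li>
     * </ul>
     *
     * @param request the Catalina request carrying the Authorization header (and client cert chain, if any)
     * @param response used to write the challenge / error status
     * @return {@code true} if a principal was installed, {@code false} if there was nothing to authenticate
     * @throws LoginException when authentication was attempted and rejected
     * @throws IOException if writing the error status fails
     */
    public boolean login(Request request, HttpServletResponse response) throws LoginException, IOException {
        // A rejected attempt must not leave a previous request's token/principal visible through the getters.
        this.tokenString = null;
        this.token = null;
        this.principal = null;

        String header = request.getHeader("Authorization");
        if (header == null) {
            if (this.challenge) {
                challengeResponse(response, null, null);
            }
            return false;
        }

        String bearer = extractBearerToken(header);
        if (bearer == null) {
            // Malformed scheme/credentials: always challenge, independent of the challenge flag.
            challengeResponse(response, null, null);
            // challengeResponse() throws on its normal path; the explicit return guarantees that an
            // override which does not throw can never fall through into the verification path below.
            return false;
        }
        this.tokenString = bearer;

        SkeletonKeyToken verified;
        try {
            verified = RSATokenVerifier.verifyToken(bearer, this.resourceMetadata);
        } catch (VerificationException e) {
            LogMessages.LOGGER.error(Messages.MESSAGES.failedToVerifyToken(), e);
            // NOTE(review): the verifier's message is echoed to the client as error_description, as
            // before. If those messages can carry token material, prefer a generic description here.
            challengeResponse(response, "invalid_token", e.getMessage());
            return false;
        }
        this.token = verified;

        // Roles and the verify-caller requirement come from the resource scope when one is
        // configured, otherwise from the realm scope.
        String resourceName = this.resourceMetadata.getResourceName();
        Set<String> roles;
        boolean verifyCaller;
        if (resourceName != null) {
            SkeletonKeyToken.Access access = verified.getResourceAccess(resourceName);
            roles = access == null ? null : access.getRoles();
            verifyCaller = verified.isVerifyCaller(resourceName);
        } else {
            verifyCaller = verified.isVerifyCaller();
            SkeletonKeyToken.Access access = verified.getRealmAccess();
            roles = access == null ? null : access.getRoles();
        }

        String surrogate = null;
        if (verifyCaller) {
            surrogate = requireCallerCertificateSubject(request, response, verified);
        }

        Principal installed = new CatalinaSecurityContextHelper().createPrincipal(
                request.getContext().getRealm(),
                new SkeletonKeyPrincipal(verified.getPrincipal(), surrogate),
                roles);
        this.principal = installed;
        request.setUserPrincipal(installed);
        request.setAuthType("OAUTH_BEARER");

        if (this.propagateToken) {
            SkeletonKeySession session = new SkeletonKeySession(bearer, this.resourceMetadata);
            request.setAttribute(SkeletonKeySession.class.getName(), session);
            ResteasyProviderFactory.pushContext(SkeletonKeySession.class, session);
        }
        return true;
    }

    /**
     * Splits an Authorization header into scheme and credentials.
     *
     * @param header the raw header value (non-null)
     * @return the token when the header is exactly {@code Bearer <token>} (scheme case-insensitive,
     *         any whitespace between the two), otherwise {@code null}
     */
    private static String extractBearerToken(String header) {
        String[] parts = header.trim().split("\\s+");
        if (parts.length != 2 || !parts[0].equalsIgnoreCase("Bearer")) {
            return null;
        }
        return parts[1];
    }

    /**
     * Enforces the token's "verify caller" requirement: the token must carry a non-empty
     * trusted-certificate list and JBoss Web must have obtained a client certificate chain on this
     * connection. Sends a 400 and throws when either is missing.
     *
     * <p>NOTE(review): the presented chain is only checked for presence; nothing here compares it
     * against {@code token.getTrustedCertificates()}. Unless that comparison happens elsewhere, any
     * client certificate the connector accepted satisfies this check — confirm before relying on it.
     *
     * @return the subject DN of the caller's leaf certificate, used as the principal's surrogate
     * @throws LoginException after the 400 has been sent
     * @throws IOException if sending the 400 fails
     */
    private static String requireCallerCertificateSubject(Request request, HttpServletResponse response,
            SkeletonKeyToken token) throws LoginException, IOException {
        if (token.getTrustedCertificates() == null || token.getTrustedCertificates().isEmpty()) {
            response.sendError(400);
            throw new LoginException(Messages.MESSAGES.noTrustedCertificates());
        }
        X509Certificate[] chain = request.getCertificateChain();
        if (chain == null || chain.length == 0) {
            response.sendError(400);
            throw new LoginException(Messages.MESSAGES.noCertificatesProvidedByJBossWeb());
        }
        return chain[0].getSubjectX500Principal().getName();
    }

    /**
     * Writes an RFC 6750 {@code WWW-Authenticate: Bearer} challenge with status 401 and aborts the
     * login with a {@link LoginException}. Always throws on its normal path.
     *
     * @param response the response to write the challenge to
     * @param error optional {@code error} attribute (e.g. {@code invalid_token})
     * @param errorDescription optional {@code error_description}; may be untrusted text and is
     *        escaped for the quoted-string syntax before being placed in the header
     * @throws LoginException always, once the challenge has been written
     * @throws RuntimeException wrapping the {@link IOException} if sending the 401 fails
     */
    protected void challengeResponse(HttpServletResponse response, String error, String errorDescription) throws LoginException {
        StringBuilder sb = new StringBuilder("Bearer realm=\"");
        sb.append(quote(this.resourceMetadata.getRealm())).append('"');
        if (error != null) {
            sb.append(", error=\"").append(quote(error)).append('"');
        }
        if (errorDescription != null) {
            sb.append(", error_description=\"").append(quote(errorDescription)).append('"');
        }
        response.setHeader("WWW-Authenticate", sb.toString());
        try {
            response.sendError(401);
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
        throw new LoginException(Messages.MESSAGES.challenged());
    }

    /**
     * Escapes a value for use inside an HTTP quoted-string (RFC 7230 §3.2.6): backslash and
     * double-quote are backslash-escaped, and CR/LF are replaced by spaces so that untrusted text
     * (such as a verifier's error message) can neither terminate the attribute early nor inject a
     * header line. {@code null} is rendered as the literal {@code "null"}, matching StringBuilder.append.
     */
    private static String quote(String value) {
        String s = String.valueOf(value);
        StringBuilder out = new StringBuilder(s.length() + 8);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '"' || c == '\\') {
                out.append('\\').append(c);
            } else if (c == '\r' || c == '\n') {
                out.append(' ');
            } else {
                out.append(c);
            }
        }
        return out.toString();
    }
}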
