package org.wildfly.security.http.oidc;

import java.util.Map;
import javax.security.auth.callback.CallbackHandler;
import org.wildfly.security.http.HttpAuthenticationException;
import org.wildfly.security.http.HttpServerAuthenticationMechanism;
import org.wildfly.security.http.HttpServerRequest;
import org.wildfly.security.http.Scope;
import org.wildfly.security.http.oidc.Oidc;

/* loaded from: input_file:org/wildfly/security/http/oidc/OidcAuthenticationMechanism.class */
/**
 * HTTP server authentication mechanism for OpenID Connect.
 *
 * <p>For each request it resolves the OIDC client context, runs the pre-actions
 * (node registration and CORS preflight handling), delegates to a
 * {@link RequestAuthenticator}, and reports the outcome through the
 * {@link OidcHttpFacade} or the request itself.
 */
final class OidcAuthenticationMechanism implements HttpServerAuthenticationMechanism {
    // Stored by the constructor; not read anywhere in this class.
    private final Map<String, ?> properties;
    private final CallbackHandler callbackHandler;
    // May be null, in which case the context is looked up per request in the APPLICATION scope.
    private final OidcClientContext oidcClientContext;

    /**
     * Creates the mechanism.
     *
     * <p>The decompiler reports that this constructor was package-private in the original
     * class; the widened modifier is kept as emitted.
     *
     * @param map mechanism properties (only stored)
     * @param callbackHandler handler passed on to every {@link OidcHttpFacade} created here
     * @param oidcClientContext fixed client context, or {@code null} to resolve it per request
     */
    public OidcAuthenticationMechanism(Map<String, ?> map, CallbackHandler callbackHandler, OidcClientContext oidcClientContext) {
        this.properties = map;
        this.callbackHandler = callbackHandler;
        this.oidcClientContext = oidcClientContext;
    }

    /**
     * Returns the name under which this mechanism is registered.
     *
     * @return {@code Oidc.OIDC_NAME}
     */
    public String getMechanismName() {
        return Oidc.OIDC_NAME;
    }

    /**
     * Evaluates one request and signals the authentication state.
     *
     * <p>The request is declined ({@code noAuthenticationInProgress}) when no client context
     * or no usable client configuration is available. Otherwise the result of
     * {@link RequestAuthenticator#authenticate()} decides between completion, a challenge,
     * or a 403 failure.
     *
     * @param httpServerRequest the request being authenticated
     * @throws HttpAuthenticationException declared by the mechanism contract
     */
    public void evaluateRequest(HttpServerRequest httpServerRequest) throws HttpAuthenticationException {
        OidcClientContext context = getOidcClientContext(httpServerRequest);
        if (context == null) {
            ElytronMessages.log.debugf("Ignoring request for path [%s] from mechanism [%s]. No client configuration context found.", httpServerRequest.getRequestURI(), getMechanismName());
            httpServerRequest.noAuthenticationInProgress();
            return;
        }

        OidcHttpFacade facade = new OidcHttpFacade(httpServerRequest, context, this.callbackHandler);
        OidcClientConfiguration clientConfig = facade.getOidcClientConfiguration();
        if (!clientConfig.isConfigured()) {
            // Unconfigured client: this mechanism steps aside without logging.
            httpServerRequest.noAuthenticationInProgress();
            return;
        }

        // The authenticator is built before the token store is checked; that order is kept.
        RequestAuthenticator authenticator = createRequestAuthenticator(facade, clientConfig);
        facade.getTokenStore().checkCurrentToken();

        // keycloakPreActions() always returns false here, so in practice only a handled
        // CORS preflight can abort the evaluation at this point.
        boolean preActionsHandled = clientConfig.getAuthServerBaseUrl() != null && keycloakPreActions(facade, clientConfig);
        if (preActionsHandled || preflightCors(facade, clientConfig)) {
            ElytronMessages.log.debugf("Pre-actions has aborted the evaluation of [%s]", httpServerRequest.getRequestURI());
            facade.authenticationInProgress();
            return;
        }

        Oidc.AuthOutcome outcome = authenticator.authenticate();
        if (Oidc.AuthOutcome.AUTHENTICATED.equals(outcome)) {
            AuthenticatedActionsHandler actions = new AuthenticatedActionsHandler(clientConfig, facade);
            if (actions.handledRequest()) {
                // The handler already produced the response for this request.
                facade.authenticationInProgress();
            } else {
                facade.authenticationComplete();
            }
            return;
        }

        // Not authenticated: a challenge takes precedence over the outcome value.
        AuthChallenge challenge = authenticator.getChallenge();
        if (challenge != null) {
            facade.noAuthenticationInProgress(challenge);
            return;
        }
        if (Oidc.AuthOutcome.FAILED.equals(outcome)) {
            // Failure without a challenge is answered with 403 Forbidden.
            facade.getResponse().setStatus(403);
            facade.authenticationFailed();
            return;
        }
        facade.noAuthenticationInProgress();
    }

    /**
     * Builds the authenticator for one request, using the port from {@link #getConfidentialPort()}.
     */
    private RequestAuthenticator createRequestAuthenticator(OidcHttpFacade facade, OidcClientConfiguration clientConfig) {
        int confidentialPort = getConfidentialPort();
        return new RequestAuthenticator(facade, clientConfig, confidentialPort);
    }

    /**
     * Returns the context given at construction, or else the attachment stored under
     * {@code Oidc.OIDC_CLIENT_CONTEXT_KEY} in the request's APPLICATION scope (may be null).
     */
    private OidcClientContext getOidcClientContext(HttpServerRequest httpServerRequest) {
        if (this.oidcClientContext != null) {
            return this.oidcClientContext;
        }
        return (OidcClientContext) httpServerRequest.getScope(Scope.APPLICATION).getAttachment(Oidc.OIDC_CLIENT_CONTEXT_KEY);
    }

    /**
     * Returns the port handed to the {@link RequestAuthenticator}.
     *
     * <p>NOTE(review): the value is fixed at 8443 and is not read from configuration;
     * how RequestAuthenticator uses it is not visible here. Confirm this for deployments
     * that serve HTTPS on another port.
     */
    private int getConfidentialPort() {
        return 8443;
    }

    /**
     * Attempts node registration for the client configuration.
     *
     * @return always {@code false}; this pre-action never aborts the evaluation
     */
    private boolean keycloakPreActions(OidcHttpFacade facade, OidcClientConfiguration clientConfig) {
        NodesRegistrationManagement registration = new NodesRegistrationManagement();
        registration.tryRegister(clientConfig);
        return false;
    }

    /**
     * Answers a CORS preflight request when CORS is enabled for the client.
     *
     * <p>A request counts as a preflight when its method is OPTIONS and it carries an
     * {@code Origin} header. The response is then completed here with status 200 and the
     * {@code Access-Control-*} headers.
     *
     * <p>Security note: the request's {@code Origin} value is copied unchanged into
     * {@code Access-Control-Allow-Origin}, and {@code Access-Control-Allow-Credentials} is
     * set to {@code true}. This method consults no origin allow-list, so enabling CORS on
     * a client approves the preflight for any origin. When no allowed methods or headers
     * are configured, the values requested by the client are echoed back as well.
     * Configure explicit allowed methods and headers, and enable CORS only where
     * cross-origin callers are expected.
     *
     * @return {@code true} if the request was a preflight and has been answered
     */
    private boolean preflightCors(OidcHttpFacade facade, OidcClientConfiguration clientConfig) {
        // This "adminRequest" line is logged for every request that reaches this method.
        ElytronMessages.log.debugv("adminRequest {0}", facade.getRequest().getURI());
        if (!clientConfig.isCors()) {
            return false;
        }

        ElytronMessages.log.debugv("checkCorsPreflight {0}", facade.getRequest().getURI());
        boolean isOptions = facade.getRequest().getMethod().equalsIgnoreCase(Oidc.OPTIONS);
        if (!isOptions) {
            return false;
        }

        String origin = facade.getRequest().getHeader("Origin");
        if (origin == null) {
            ElytronMessages.log.debug("checkCorsPreflight: no origin header");
            return false;
        }

        ElytronMessages.log.debug("Preflight request returning");
        facade.getResponse().setStatus(200);
        // Origin is reflected verbatim and credentials are allowed; see the security note above.
        facade.getResponse().setHeader("Access-Control-Allow-Origin", origin);
        facade.getResponse().setHeader("Access-Control-Allow-Credentials", "true");

        // Configured allowed methods win; otherwise the requested method is echoed.
        String requestedMethod = facade.getRequest().getHeader("Access-Control-Request-Method");
        if (requestedMethod != null) {
            String allowedMethods = clientConfig.getCorsAllowedMethods() != null
                    ? clientConfig.getCorsAllowedMethods()
                    : requestedMethod;
            facade.getResponse().setHeader("Access-Control-Allow-Methods", allowedMethods);
        }

        // Same precedence for headers: configuration first, then the requested list.
        String requestedHeaders = facade.getRequest().getHeader("Access-Control-Request-Headers");
        if (requestedHeaders != null) {
            String allowedHeaders = clientConfig.getCorsAllowedHeaders() != null
                    ? clientConfig.getCorsAllowedHeaders()
                    : requestedHeaders;
            facade.getResponse().setHeader("Access-Control-Allow-Headers", allowedHeaders);
        }

        // A max age of -1 or lower means the header is omitted.
        if (clientConfig.getCorsMaxAge() > -1) {
            facade.getResponse().setHeader("Access-Control-Max-Age", Integer.toString(clientConfig.getCorsMaxAge()));
        }
        return true;
    }
}
