package org.keycloak.adapters;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Set;
import org.apache.http.HttpStatus;
import org.apache.http.protocol.HTTP;
import org.jboss.logging.Logger;
import org.keycloak.AuthorizationContext;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.adapters.authorization.PolicyEnforcer;
import org.keycloak.common.util.UriUtils;
import org.keycloak.constants.AdapterConstants;
import java.util.Iterator;

/* loaded from: input_file:WEB-INF/lib/keycloak-adapter-core-2.5.5.Final.jar:org/keycloak/adapters/AuthenticatedActionsHandler.class */
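/**
 * Post-authentication request handling for the OIDC adapter: CORS validation against the
 * token's allowed-origins list, the {@code k_query_bearer_token} endpoint, and policy
 * enforcement through the deployment's {@link PolicyEnforcer}.
 *
 * <p>Instances are per-request and hold the request/response facade; they are not thread-safe.
 */
public class AuthenticatedActionsHandler {
    private static final Logger log = Logger.getLogger(AuthenticatedActionsHandler.class);
    protected KeycloakDeployment deployment;
    protected OIDCHttpFacade facade;

    /**
     * @param keycloakDeployment adapter deployment configuration (CORS, expose-token, policy enforcer)
     * @param oIDCHttpFacade     facade over the current request, response and security context
     */
    public AuthenticatedActionsHandler(KeycloakDeployment keycloakDeployment, OIDCHttpFacade oIDCHttpFacade) {
        this.deployment = keycloakDeployment;
        this.facade = oIDCHttpFacade;
    }

    /**
     * Runs the authenticated-request checks in order: CORS, bearer-token query, policy enforcement.
     *
     * @return {@code true} when the response has already been produced (CORS rejection, token
     *         query, or denied policy decision) and the caller must not continue the chain;
     *         {@code false} when the request may proceed to the application
     */
    public boolean handledRequest() {
        log.debugv("AuthenticatedActionsValve.invoke {0}", this.facade.getRequest().getURI());
        if (corsRequest()) {
            return true;
        }
        if (this.facade.getRequest().getURI().endsWith(AdapterConstants.K_QUERY_BEARER_TOKEN)) {
            queryBearerToken();
            return true;
        }
        // A denied policy decision is "handled" (the enforcer produced the response).
        return !isAuthorized();
    }

    /**
     * Serves the raw bearer token as {@code text/plain} unless {@link #abortTokenResponse()}
     * already finished the response.
     *
     * @throws RuntimeException wrapping any {@link IOException} from the response stream
     */
    protected void queryBearerToken() {
        log.debugv("queryBearerToken {0}", this.facade.getRequest().getURI());
        if (abortTokenResponse()) {
            return;
        }
        this.facade.getResponse().setStatus(200);
        this.facade.getResponse().setHeader("Content-Type", HTTP.PLAIN_TEXT_TYPE);
        try {
            // Explicit charset: the original relied on the platform default encoding.
            byte[] token = this.facade.getSecurityContext().getTokenString().getBytes(StandardCharsets.UTF_8);
            this.facade.getResponse().getOutputStream().write(token);
            this.facade.getResponse().end();
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Decides whether the token must be withheld and, if so, completes the response.
     *
     * <p>The token is withheld (empty 200) when the deployment does not expose it, and for
     * cross-origin requests (an {@code Origin} header is present) when CORS is disabled on the
     * deployment. An unauthenticated caller receives 401.
     *
     * @return {@code true} if the response was already ended and no token may be written
     */
    protected boolean abortTokenResponse() {
        if (this.facade.getSecurityContext() == null) {
            log.debugv("Not logged in, sending back 401: {0}", this.facade.getRequest().getURI());
            this.facade.getResponse().sendError(HttpStatus.SC_UNAUTHORIZED);
            this.facade.getResponse().end();
            return true;
        }
        if (!this.deployment.isExposeToken()) {
            endEmptyOk();
            return true;
        }
        boolean crossOrigin = this.facade.getRequest().getHeader(CorsHeaders.ORIGIN) != null;
        if (crossOrigin && !this.deployment.isCors()) {
            // Never hand the token to a cross-origin caller when CORS is not enabled.
            endEmptyOk();
            return true;
        }
        return false;
    }

    /** Finishes the response with an empty 200 body. */
    private void endEmptyOk() {
        this.facade.getResponse().setStatus(200);
        this.facade.getResponse().end();
    }

    /**
     * Validates a cross-origin request against the {@code allowed-origins} claim of the token.
     *
     * <p>When the request is same-origin, unauthenticated, or carries no {@code Origin} header, no
     * validation is performed. Otherwise the request {@code Origin} is echoed in
     * {@code Access-Control-Allow-Origin} (with credentials allowed) only if the token lists it or
     * lists {@code *}; any other origin is rejected with 403.
     *
     * @return {@code true} if the request was rejected and the response already ended
     */
    protected boolean corsRequest() {
        if (!this.deployment.isCors()) {
            return false;
        }
        KeycloakSecurityContext securityContext = this.facade.getSecurityContext();
        String requestOrigin = this.facade.getRequest().getHeader(CorsHeaders.ORIGIN);
        String ownOrigin = UriUtils.getOrigin(this.facade.getRequest().getURI());
        log.debugv("Origin: {0} uri: {1}", requestOrigin, this.facade.getRequest().getURI());
        if (securityContext == null || requestOrigin == null || requestOrigin.equals(ownOrigin)) {
            log.debugv("cors validation not needed as we're not a secure session or origin header was null: {0}", this.facade.getRequest().getURI());
            return false;
        }
        Set<String> allowedOrigins = securityContext.getToken().getAllowedOrigins();
        // Null check must precede the debug dump: the original iterated before testing for null.
        if (allowedOrigins == null) {
            log.debug("allowedOrigins was null in token");
            return rejectCors();
        }
        if (log.isDebugEnabled()) {
            for (String allowed : allowedOrigins) {
                log.debug("   " + allowed);
            }
        }
        if (allowedOrigins.contains("*") || allowedOrigins.contains(requestOrigin)) {
            log.debugv("returning origin: {0}", requestOrigin);
            this.facade.getResponse().setStatus(200);
            // The request Origin is reflected only after it passed the token allow-list above.
            this.facade.getResponse().setHeader(CorsHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, requestOrigin);
            this.facade.getResponse().setHeader(CorsHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS, "true");
            return false;
        }
        log.debug("allowedOrigins did not contain origin");
        return rejectCors();
    }

    /** Rejects the cross-origin request with 403 and ends the response. */
    private boolean rejectCors() {
        this.facade.getResponse().sendError(HttpStatus.SC_FORBIDDEN);
        this.facade.getResponse().end();
        return true;
    }

    /**
     * Applies the deployment's policy enforcer, if configured, and stores the resulting
     * {@link AuthorizationContext} on the refreshable security context.
     *
     * @return {@code true} when enforcement is disabled, when there is no security context, or
     *         when the decision is granted; {@code false} when access was denied
     * @throws RuntimeException if the enforcer fails for any reason
     */
    private boolean isAuthorized() {
        PolicyEnforcer policyEnforcer = this.deployment.getPolicyEnforcer();
        if (policyEnforcer == null) {
            log.debug("Policy enforcement is disabled.");
            return true;
        }
        try {
            AuthorizationContext decision = policyEnforcer.enforce(this.facade);
            // NOTE(review): assumes the facade always yields a RefreshableKeycloakSecurityContext
            // here (inherited cast) — confirm against the adapter's request setup.
            RefreshableKeycloakSecurityContext securityContext =
                    (RefreshableKeycloakSecurityContext) this.facade.getSecurityContext();
            if (securityContext == null) {
                return true;
            }
            securityContext.setAuthorizationContext(decision);
            return decision.isGranted();
        } catch (Exception e) {
            throw new RuntimeException("Failed to enforce policy decisions.", e);
        }
    }
}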
