package org.keycloak.adapters;

import java.util.Collections;
import java.util.List;
import org.apache.http.HttpHeaders;
import org.apache.http.HttpStatus;
import org.jboss.logging.Logger;
import org.keycloak.KeycloakPrincipal;
import org.keycloak.adapters.spi.AuthChallenge;
import org.keycloak.adapters.spi.AuthOutcome;
import org.keycloak.adapters.spi.HttpFacade;

/* loaded from: input_file:WEB-INF/lib/keycloak-adapter-core-20.0.2.jar:org/keycloak/adapters/RequestAuthenticator.class */
/**
 * Drives authentication of a single HTTP request against a {@link KeycloakDeployment}.
 *
 * <p>{@link #authenticate()} tries the available mechanisms in a fixed order: bearer token,
 * query-parameter token, HTTP Basic (only when the deployment enables it), a login already
 * cached in the token store, and finally the OAuth flow created by the subclass. The first
 * mechanism that reports {@code FAILED} or {@code AUTHENTICATED} ends the sequence.
 *
 * <p>Subclasses supply the OAuth authenticator and the container-specific steps that bind the
 * resulting principal to the request.
 *
 * <p>NOTE(review): nothing in this class synchronises access to its fields; presumably one
 * instance is created per request — confirm with the callers.
 */
public abstract class RequestAuthenticator {
    // Shared by subclasses; left non-final because it is part of the protected surface.
    protected static Logger log = Logger.getLogger(RequestAuthenticator.class);
    // Request/response abstraction of the current HTTP exchange.
    protected HttpFacade facade;
    // Challenge recorded by the mechanism that failed or was not attempted; null until then.
    protected AuthChallenge challenge;
    protected KeycloakDeployment deployment;
    // Stays null when the two-argument constructor is used.
    protected AdapterTokenStore tokenStore;
    // Stored for subclasses; this class never reads it.
    protected int sslRedirectPort;

    /**
     * Creates an authenticator that can also use cached logins.
     *
     * @param httpFacade the current request/response
     * @param keycloakDeployment the adapter configuration to authenticate against
     * @param adapterTokenStore store consulted for an already cached login
     * @param i value stored as {@code sslRedirectPort}
     */
    public RequestAuthenticator(HttpFacade httpFacade, KeycloakDeployment keycloakDeployment, AdapterTokenStore adapterTokenStore, int i) {
        this(httpFacade, keycloakDeployment);
        this.tokenStore = adapterTokenStore;
        this.sslRedirectPort = i;
    }

    /**
     * Creates an authenticator without a token store.
     *
     * <p>NOTE(review): {@link #authenticate()} dereferences {@code tokenStore} once the token and
     * basic mechanisms have all reported neither success nor failure and the request is not
     * treated as bearer-only. An instance built with this constructor throws a
     * {@code NullPointerException} at that step unless a subclass assigns the field first.
     *
     * @param httpFacade the current request/response
     * @param keycloakDeployment the adapter configuration to authenticate against
     */
    public RequestAuthenticator(HttpFacade httpFacade, KeycloakDeployment keycloakDeployment) {
        this.facade = httpFacade;
        this.deployment = keycloakDeployment;
    }

    /**
     * Returns the challenge recorded by the last call to {@link #authenticate()}.
     *
     * @return the challenge, or {@code null} when none was recorded (including the paths where
     *     {@link #verifySSL()} rejected the request)
     */
    public AuthChallenge getChallenge() {
        return this.challenge;
    }

    /**
     * Runs the authentication sequence for the current request.
     *
     * <p>Every path that would return {@code AUTHENTICATED} first consults {@link #verifySSL()};
     * when that check rejects the request the method returns {@code FAILED} without completing
     * the authentication and without recording a challenge.
     *
     * <p>On a successful OAuth flow the response is finished here with a 302 redirect to the
     * URI returned by {@code getStrippedOauthParametersRequestUri()} (presumably the request URI
     * without the OAuth callback parameters — confirm in {@code OAuthRequestAuthenticator}).
     *
     * @return {@code AUTHENTICATED}, {@code FAILED} or {@code NOT_ATTEMPTED}; for the latter two
     *     a challenge is normally available through {@link #getChallenge()}
     */
    public AuthOutcome authenticate() {
        traceIfEnabled("--> authenticate()");

        // Step 1: bearer token.
        BearerTokenRequestAuthenticator bearer = createBearerTokenAuthenticator();
        traceIfEnabled("try bearer");
        AuthOutcome bearerOutcome = bearer.authenticate(this.facade);
        if (bearerOutcome == AuthOutcome.FAILED) {
            this.challenge = bearer.getChallenge();
            log.debug("Bearer FAILED");
            return AuthOutcome.FAILED;
        }
        if (bearerOutcome == AuthOutcome.AUTHENTICATED) {
            // A valid token over a channel that should have been TLS is still rejected.
            if (verifySSL()) {
                return AuthOutcome.FAILED;
            }
            completeAuthentication(bearer, "KEYCLOAK");
            log.debug("Bearer AUTHENTICATED");
            return AuthOutcome.AUTHENTICATED;
        }

        // Step 2: token passed as a query parameter.
        QueryParameterTokenRequestAuthenticator queryParam = createQueryParameterTokenRequestAuthenticator();
        traceIfEnabled("try query parameter auth");
        AuthOutcome queryParamOutcome = queryParam.authenticate(this.facade);
        if (queryParamOutcome == AuthOutcome.FAILED) {
            this.challenge = queryParam.getChallenge();
            log.debug("QueryParamAuth auth FAILED");
            return AuthOutcome.FAILED;
        }
        if (queryParamOutcome == AuthOutcome.AUTHENTICATED) {
            if (verifySSL()) {
                return AuthOutcome.FAILED;
            }
            log.debug("QueryParamAuth AUTHENTICATED");
            completeAuthentication(queryParam, "KEYCLOAK");
            return AuthOutcome.AUTHENTICATED;
        }

        // Step 3: HTTP Basic, only when the deployment opts in.
        if (this.deployment.isEnableBasicAuth()) {
            BasicAuthRequestAuthenticator basic = createBasicAuthAuthenticator();
            traceIfEnabled("try basic auth");
            AuthOutcome basicOutcome = basic.authenticate(this.facade);
            if (basicOutcome == AuthOutcome.FAILED) {
                this.challenge = basic.getChallenge();
                log.debug("BasicAuth FAILED");
                return AuthOutcome.FAILED;
            }
            if (basicOutcome == AuthOutcome.AUTHENTICATED) {
                if (verifySSL()) {
                    return AuthOutcome.FAILED;
                }
                log.debug("BasicAuth AUTHENTICATED");
                completeAuthentication(basic, "BASIC");
                return AuthOutcome.AUTHENTICATED;
            }
        }

        // Step 4: bearer-only endpoints never fall through to the interactive OAuth flow; they
        // answer with the challenge of the bearer authenticator created in step 1.
        if (this.deployment.isBearerOnly()) {
            this.challenge = bearer.getChallenge();
            log.debug("NOT_ATTEMPTED: bearer only");
            return AuthOutcome.NOT_ATTEMPTED;
        }
        if (isAutodetectedBearerOnly(this.facade.getRequest())) {
            this.challenge = bearer.getChallenge();
            log.debug("NOT_ATTEMPTED: Treating as bearer only");
            return AuthOutcome.NOT_ATTEMPTED;
        }

        // Step 5: a login already held by the token store.
        traceIfEnabled("try oauth");
        if (this.tokenStore.isCached(this)) {
            if (verifySSL()) {
                return AuthOutcome.FAILED;
            }
            log.debug("AUTHENTICATED: was cached");
            return AuthOutcome.AUTHENTICATED;
        }

        // Step 6: OAuth flow provided by the subclass.
        OAuthRequestAuthenticator oauth = createOAuthAuthenticator();
        AuthOutcome oauthOutcome = oauth.authenticate();
        if (oauthOutcome == AuthOutcome.FAILED || oauthOutcome == AuthOutcome.NOT_ATTEMPTED) {
            this.challenge = oauth.getChallenge();
            return oauthOutcome;
        }
        if (verifySSL()) {
            return AuthOutcome.FAILED;
        }
        completeAuthentication(oauth);
        // Finish the exchange with a redirect so the OAuth parameters do not stay in the URL.
        this.facade.getResponse().setHeader(HttpHeaders.LOCATION, oauth.getStrippedOauthParametersRequestUri());
        this.facade.getResponse().setStatus(HttpStatus.SC_MOVED_TEMPORARILY);
        this.facade.getResponse().end();
        log.debug("AUTHENTICATED");
        return AuthOutcome.AUTHENTICATED;
    }

    /**
     * Checks whether the request violates the deployment's SSL requirement.
     *
     * <p>Despite the name, {@code true} means the request must be REJECTED: it is not secure
     * and the deployment's SSL policy requires TLS for its remote address. A warning is logged
     * in that case.
     *
     * <p>NOTE(review): the decision rests on {@code isSecure()} and {@code getRemoteAddr()} as
     * reported by the facade. Behind a TLS-terminating proxy these reflect whatever the
     * container was configured to report — confirm the proxy/forwarding setup.
     *
     * @return {@code true} when SSL is required but the request is not secure
     */
    protected boolean verifySSL() {
        if (this.facade.getRequest().isSecure()) {
            return false;
        }
        if (!this.deployment.getSslRequired().isRequired(this.facade.getRequest().getRemoteAddr())) {
            return false;
        }
        log.warnf("SSL is required to authenticate. Remote address %s is secure: %s, SSL required for: %s .", this.facade.getRequest().getRemoteAddr(), Boolean.valueOf(this.facade.getRequest().isSecure()), this.deployment.getSslRequired().name());
        return true;
    }

    /**
     * Decides from request headers whether an unauthenticated request should be answered like
     * a bearer-only request instead of being sent into the OAuth flow.
     *
     * <p>Always {@code false} unless the deployment enables autodetection. Otherwise the
     * request counts as bearer-only when it carries {@code X-Requested-With: XMLHttpRequest},
     * a {@code Faces-Request} header starting with {@code partial/}, any {@code SOAPAction}
     * header, or when no {@code Accept} value mentions {@code text/html}, {@code text/*} or
     * {@code *}{@code /*}.
     *
     * <p>All of these headers are chosen by the client. In this class the result only selects
     * between the bearer challenge and the OAuth flow in {@link #authenticate()}; it never
     * yields {@code AUTHENTICATED}, and it should not be reused for access decisions.
     *
     * @param request unused; the headers are read from {@code this.facade.getRequest()}
     * @return {@code true} when the request should be treated as bearer-only
     */
    protected boolean isAutodetectedBearerOnly(HttpFacade.Request request) {
        if (!this.deployment.isAutodetectBearerOnly()) {
            return false;
        }

        String requestedWith = this.facade.getRequest().getHeader("X-Requested-With");
        if ("XMLHttpRequest".equalsIgnoreCase(requestedWith)) {
            return true;
        }

        String facesRequest = this.facade.getRequest().getHeader("Faces-Request");
        if (facesRequest != null && facesRequest.startsWith("partial/")) {
            return true;
        }
        if (this.facade.getRequest().getHeader("SOAPAction") != null) {
            return true;
        }

        // A client that accepts HTML is assumed to be a browser that can follow a login redirect.
        List<String> acceptValues = this.facade.getRequest().getHeaders(HttpHeaders.ACCEPT);
        for (String accept : acceptValues == null ? Collections.<String>emptyList() : acceptValues) {
            if (accept.contains("text/html") || accept.contains("text/*") || accept.contains("*/*")) {
                return false;
            }
        }
        return true;
    }

    /**
     * Creates the authenticator for the OAuth flow, the last step of {@link #authenticate()}.
     *
     * @return a new OAuth authenticator for the current request
     */
    protected abstract OAuthRequestAuthenticator createOAuthAuthenticator();

    /**
     * Creates the bearer-token authenticator for this deployment.
     *
     * @return a new bearer-token authenticator
     */
    protected BearerTokenRequestAuthenticator createBearerTokenAuthenticator() {
        return new BearerTokenRequestAuthenticator(this.deployment);
    }

    /**
     * Creates the HTTP Basic authenticator for this deployment.
     *
     * @return a new basic-auth authenticator
     */
    protected BasicAuthRequestAuthenticator createBasicAuthAuthenticator() {
        return new BasicAuthRequestAuthenticator(this.deployment);
    }

    /**
     * Creates the query-parameter token authenticator for this deployment.
     *
     * @return a new query-parameter token authenticator
     */
    protected QueryParameterTokenRequestAuthenticator createQueryParameterTokenRequestAuthenticator() {
        return new QueryParameterTokenRequestAuthenticator(this.deployment);
    }

    /**
     * Builds the principal and security context from a finished OAuth flow and hands them to
     * {@link #completeOAuthAuthentication(KeycloakPrincipal)}.
     *
     * @param oAuthRequestAuthenticator authenticator holding the access, ID and refresh tokens
     */
    protected void completeAuthentication(OAuthRequestAuthenticator oAuthRequestAuthenticator) {
        KeycloakPrincipal<RefreshableKeycloakSecurityContext> principal = new KeycloakPrincipal<>(
                AdapterUtils.getPrincipalName(this.deployment, oAuthRequestAuthenticator.getToken()),
                new RefreshableKeycloakSecurityContext(
                        this.deployment,
                        this.tokenStore,
                        oAuthRequestAuthenticator.getTokenString(),
                        oAuthRequestAuthenticator.getToken(),
                        oAuthRequestAuthenticator.getIdTokenString(),
                        oAuthRequestAuthenticator.getIdToken(),
                        oAuthRequestAuthenticator.getRefreshToken()));
        completeOAuthAuthentication(principal);
        // NOTE(review): DEBUG output contains the principal name and the request URI. If
        // getURI() includes the query string, OAuth callback parameters would be logged too —
        // confirm, and restrict who can read DEBUG logs.
        log.debugv("User ''{0}'' invoking ''{1}'' on client ''{2}''", principal.getName(), this.facade.getRequest().getURI(), this.deployment.getResourceName());
    }

    /**
     * Binds a principal obtained through the OAuth flow to the current request.
     *
     * @param keycloakPrincipal the authenticated principal with its refreshable context
     */
    protected abstract void completeOAuthAuthentication(KeycloakPrincipal<RefreshableKeycloakSecurityContext> keycloakPrincipal);

    /**
     * Binds a principal obtained from a bearer, query-parameter or basic authenticator to the
     * current request.
     *
     * @param keycloakPrincipal the authenticated principal with its security context
     * @param str the method label passed by {@link #authenticate()}: {@code "KEYCLOAK"} or
     *     {@code "BASIC"}
     */
    protected abstract void completeBearerAuthentication(KeycloakPrincipal<RefreshableKeycloakSecurityContext> keycloakPrincipal, String str);

    /**
     * Not called from this class. Presumably changes the id of the HTTP session (a
     * session-fixation defence) — confirm in the subclass and its callers.
     *
     * @param z meaning not visible in this class — TODO confirm
     * @return presumably the resulting session id — TODO confirm
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public abstract String changeHttpSessionId(boolean z);

    /**
     * Builds the principal and security context from a token-style authenticator and hands
     * them to {@link #completeBearerAuthentication(KeycloakPrincipal, String)}.
     *
     * <p>The context is created without a token store, ID token or refresh token, so only the
     * presented access token is carried.
     *
     * @param bearerTokenRequestAuthenticator authenticator holding the verified access token
     * @param str the method label forwarded to {@code completeBearerAuthentication}
     */
    protected void completeAuthentication(BearerTokenRequestAuthenticator bearerTokenRequestAuthenticator, String str) {
        KeycloakPrincipal<RefreshableKeycloakSecurityContext> principal = new KeycloakPrincipal<>(
                AdapterUtils.getPrincipalName(this.deployment, bearerTokenRequestAuthenticator.getToken()),
                new RefreshableKeycloakSecurityContext(
                        this.deployment,
                        null,
                        bearerTokenRequestAuthenticator.getTokenString(),
                        bearerTokenRequestAuthenticator.getToken(),
                        null,
                        null,
                        null));
        completeBearerAuthentication(principal, str);
        // NOTE(review): this path also serves tokens supplied as a query parameter. If getURI()
        // includes the query string, such a token would be written to the DEBUG log — confirm,
        // and keep DEBUG off or scrub the URI where logs are widely readable.
        log.debugv("User ''{0}'' invoking ''{1}'' on client ''{2}''", principal.getName(), this.facade.getRequest().getURI(), this.deployment.getResourceName());
    }

    /** Emits a TRACE message only when TRACE is enabled on the shared logger. */
    private static void traceIfEnabled(String message) {
        if (log.isTraceEnabled()) {
            log.trace(message);
        }
    }
}
