package org.keycloak.adapters.jaas;

import java.io.IOException;
import java.io.InputStream;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.Principal;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import org.jboss.logging.Logger;
import org.keycloak.KeycloakPrincipal;
import org.keycloak.adapters.AdapterUtils;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.KeycloakDeploymentBuilder;
import org.keycloak.adapters.RefreshableKeycloakSecurityContext;
import org.keycloak.adapters.rotation.AdapterTokenVerifier;
import org.keycloak.common.VerificationException;
import org.keycloak.common.util.FindFile;
import org.keycloak.common.util.reflections.Reflections;
import org.keycloak.models.LDAPConstants;
import org.keycloak.representations.AccessToken;

/* loaded from: input_file:WEB-INF/lib/keycloak-adapter-core-20.0.2.jar:org/keycloak/adapters/jaas/AbstractKeycloakLoginModule.class */
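/**
 * Base JAAS {@link LoginModule} for the Keycloak adapter.
 * <p>
 * Subclasses implement {@link #doAuth(String, String)} to turn the user name / password obtained
 * from the {@link CallbackHandler} into an {@link Auth}; {@link #bearerAuth(String)} is provided
 * for subclasses that receive a Keycloak access token instead. On {@link #commit()} the principal,
 * the token string (as a private credential) and one role principal per role are attached to
 * the {@link Subject}; {@link #logout()} removes them again.
 * <p>
 * Not thread-safe: a JAAS login module instance is used by a single {@code LoginContext}.
 */
public abstract class AbstractKeycloakLoginModule implements LoginModule {
    /** JAAS option: a {@code profile:} URL or a file name (resolved with {@link FindFile}) of the adapter configuration. */
    public static final String KEYCLOAK_CONFIG_FILE_OPTION = "keycloak-config-file";
    /** JAAS option: class name of a {@link Principal} implementation with a single-{@code String} constructor used for roles. */
    public static final String ROLE_PRINCIPAL_CLASS_OPTION = "role-principal-class";
    /** Prefix that marks a {@code keycloak-config-file} value as a URL rather than a file name. */
    public static final String PROFILE_RESOURCE = "profile:";
    protected Subject subject;
    protected CallbackHandler callbackHandler;
    // Result of a successful login(); consumed by commit() and discarded by abort().
    protected Auth auth;
    // Null when the keycloak-config-file option was not given; bearerAuth() then cannot verify tokens.
    protected KeycloakDeployment deployment;
    // Null or empty selects the built-in RolePrincipal.
    protected String rolePrincipalClass;
    // Process-wide cache keyed by the option value. Entries are never evicted, so an edited
    // configuration file is only picked up after a JVM restart.
    private static final ConcurrentMap<String, KeycloakDeployment> deployments = new ConcurrentHashMap<>();

    /**
     * Outcome of a successful authentication: the principal, the role names to attach as
     * principals, and the raw token string.
     * <p>
     * The object is immutable but the role set is stored as given, not copied.
     */
    public static class Auth {
        private final KeycloakPrincipal<RefreshableKeycloakSecurityContext> principal;
        private final Set<String> roles;
        private final String tokenString;

        /**
         * @param keycloakPrincipal the authenticated principal
         * @param set role names added as principals on commit; may be null (no role principals)
         * @param str the token string stored as a private credential of the subject
         */
        public Auth(KeycloakPrincipal<RefreshableKeycloakSecurityContext> keycloakPrincipal, Set<String> set, String str) {
            this.principal = keycloakPrincipal;
            this.roles = set;
            this.tokenString = str;
        }

        /** @return the authenticated principal */
        public KeycloakPrincipal<RefreshableKeycloakSecurityContext> getPrincipal() {
            return this.principal;
        }

        /** @return the role names, or null if none were supplied */
        public Set<String> getRoles() {
            return this.roles;
        }

        /** @return the raw token string */
        public String getTokenString() {
            return this.tokenString;
        }
    }

    /**
     * Stores the JAAS context and reads the module options.
     * <p>
     * When {@code keycloak-config-file} is present the deployment is resolved once per JVM and
     * cached; a missing option leaves {@link #deployment} untouched.
     *
     * @param subject the subject being authenticated
     * @param callbackHandler handler used by {@link #login()} to obtain name and password
     * @param map shared state (unused)
     * @param map2 module options from the JAAS configuration
     */
    @Override
    public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> map, Map<String, ?> map2) {
        this.subject = subject;
        this.callbackHandler = callbackHandler;
        String configFile = (String) map2.get(KEYCLOAK_CONFIG_FILE_OPTION);
        this.rolePrincipalClass = (String) map2.get(ROLE_PRINCIPAL_CLASS_OPTION);
        getLogger().debug("Declared options: keycloak-config-file=" + configFile + ", " + ROLE_PRINCIPAL_CLASS_OPTION + LDAPConstants.EQUAL + this.rolePrincipalClass);
        if (configFile != null) {
            // computeIfAbsent resolves each configuration file once even when several modules
            // initialise concurrently; the former get()/putIfAbsent() pair could parse it twice.
            this.deployment = deployments.computeIfAbsent(configFile, this::resolveDeployment);
        }
    }

    /**
     * Loads and parses the adapter configuration named by the option value.
     *
     * @param str a {@code profile:} URL or a file name located with {@link FindFile#findFile(String)}
     * @return the parsed deployment
     * @throws RuntimeException if the resource cannot be opened, parsed or closed; the failure is
     *         logged at debug level and rethrown unchanged
     */
    protected KeycloakDeployment resolveDeployment(String str) {
        try {
            // try-with-resources: the original left the configuration stream open.
            try (InputStream config = openConfig(str)) {
                return KeycloakDeploymentBuilder.build(config);
            } catch (IOException e) {
                // only close() can reach here; open failures are already wrapped by openConfig()
                throw new RuntimeException(e);
            }
        } catch (RuntimeException e) {
            getLogger().debug("Unable to find or parse file " + str + " due to " + e.getMessage(), e);
            throw e;
        }
    }

    /**
     * Opens the configuration stream for a {@code profile:} URL or a file name.
     * URL failures are wrapped as {@link RuntimeException} so that
     * {@link #resolveDeployment(String)} reports them uniformly with parse errors.
     */
    private InputStream openConfig(String str) {
        if (!str.startsWith(PROFILE_RESOURCE)) {
            return FindFile.findFile(str);
        }
        try {
            return new URL(str).openStream();
        } catch (IOException e) {
            // MalformedURLException is an IOException, so both open failures land here
            throw new RuntimeException(e);
        }
    }

    /**
     * JAAS phase 1: obtains user name and password from the callback handler and delegates to
     * {@link #doAuth(String, String)}.
     *
     * @return true when doAuth() produced an {@link Auth}; false when it returned null or the
     *         handler does not support the name/password callbacks
     * @throws LoginException if no handler was supplied, no password was provided, or doAuth()
     *         failed (a non-LoginException failure is wrapped, preserving the cause)
     */
    @Override
    public boolean login() throws LoginException {
        if (this.callbackHandler == null) {
            throw new LoginException("No CallbackHandler available to gather authentication information from the user");
        }
        NameCallback nameCallback = new NameCallback("username");
        PasswordCallback passwordCallback = new PasswordCallback("password", false);
        // The decompiled array type (NameCallback[]) cannot hold a PasswordCallback; use Callback[].
        Callback[] callbacks = {nameCallback, passwordCallback};
        try {
            this.callbackHandler.handle(callbacks);
            char[] secret = passwordCallback.getPassword();
            if (secret == null) {
                throw new LoginException("No password supplied by the CallbackHandler");
            }
            // doAuth() takes a String, so the copy cannot be wiped from the heap; the callback's
            // own buffer is cleared as soon as it has been copied.
            String password = new String(secret);
            passwordCallback.clearPassword();
            Auth result = doAuth(nameCallback.getName(), password);
            if (result == null) {
                return false;
            }
            this.auth = result;
            return true;
        } catch (UnsupportedCallbackException e) {
            getLogger().warn("Error: " + e.getCallback().toString() + " not available to gather authentication information from the user");
            return false;
        } catch (LoginException e) {
            // already the right type; do not bury it inside another LoginException
            throw e;
        } catch (Exception e) {
            LoginException loginException = new LoginException(e.toString());
            loginException.initCause(e);
            throw loginException;
        }
    }

    /**
     * JAAS phase 2: attaches the principal, the token string (private credential) and one role
     * principal per role to the subject.
     *
     * @return false if {@link #login()} did not succeed, true otherwise
     */
    @Override
    public boolean commit() throws LoginException {
        if (this.auth == null) {
            return false;
        }
        Set<Principal> principals = this.subject.getPrincipals();
        principals.add(this.auth.getPrincipal());
        this.subject.getPrivateCredentials().add(this.auth.getTokenString());
        Set<String> roles = this.auth.getRoles();
        if (roles != null) {
            for (String role : roles) {
                principals.add(createRolePrincipal(role));
            }
        }
        return true;
    }

    /**
     * Creates the principal representing one role.
     * <p>
     * If {@code role-principal-class} is configured, that class (loaded through this module's
     * class loader) is instantiated via its single-{@code String} constructor; any failure is
     * logged and the built-in {@link RolePrincipal} is used instead.
     *
     * @param str the role name
     * @return the role principal, never null
     */
    protected Principal createRolePrincipal(String str) {
        if (this.rolePrincipalClass != null && !this.rolePrincipalClass.isEmpty()) {
            try {
                return (Principal) Reflections.classForName(this.rolePrincipalClass, getClass().getClassLoader())
                        .getDeclaredConstructor(String.class)
                        .newInstance(str);
            } catch (Exception e) {
                // best effort: reflective or cast failures fall back to RolePrincipal; keep the cause in the log
                getLogger().warn("Unable to create declared roleClass " + this.rolePrincipalClass + " due to " + e.getMessage(), e);
            }
        }
        return new RolePrincipal(str);
    }

    /**
     * JAAS phase 2 failure: discards the pending {@link Auth} so that a later commit() cannot
     * attach it to the subject.
     */
    @Override
    public boolean abort() throws LoginException {
        this.auth = null;
        return true;
    }

    /**
     * Removes the Keycloak and role principals and every private credential from the subject,
     * then drops the references to the subject and handler.
     * <p>
     * Note that all private credentials are removed, not only the token string added by
     * {@link #commit()}.
     */
    @Override
    public boolean logout() throws LoginException {
        if (this.subject == null) {
            // already logged out (or never initialised); nothing to remove
            this.callbackHandler = null;
            return true;
        }
        Set<Principal> principals = this.subject.getPrincipals();
        // Iterate over a snapshot: removing from the subject's own set while iterating it is
        // a concurrent modification.
        for (Principal principal : new HashSet<>(principals)) {
            Class<?> type = principal.getClass();
            if (type.equals(KeycloakPrincipal.class) || type.equals(RolePrincipal.class)) {
                principals.remove(principal);
            }
        }
        Set<Object> privateCredentials = this.subject.getPrivateCredentials();
        // Same snapshot rule: the former iterator-plus-remove(Object) loop failed with
        // ConcurrentModificationException once more than one private credential was present.
        for (Object credential : new HashSet<>(privateCredentials)) {
            privateCredentials.remove(credential);
        }
        this.subject = null;
        this.callbackHandler = null;
        return true;
    }

    /**
     * Verifies a bearer token against the configured deployment and builds the resulting
     * {@link Auth}. Declared {@code protected} in the original source according to the
     * decompiler; the public access here is a decompilation artefact.
     *
     * @param str the raw access token
     * @return the authentication result
     * @throws VerificationException if the token does not verify
     * @throws IllegalStateException if no deployment was configured
     */
    public Auth bearerAuth(String str) throws VerificationException {
        if (this.deployment == null) {
            throw new IllegalStateException("No Keycloak deployment configured; set the " + KEYCLOAK_CONFIG_FILE_OPTION + " option");
        }
        return postTokenVerification(str, AdapterTokenVerifier.verifyToken(str, this.deployment));
    }

    /**
     * Builds the {@link Auth} for an already verified token. Declared {@code protected} in the
     * original source according to the decompiler.
     *
     * @param str the raw access token
     * @param accessToken the verified token
     * @return principal, roles and token string
     * @throws IllegalStateException if the token requires caller verification, which this module does not support
     */
    public Auth postTokenVerification(String str, AccessToken accessToken) {
        boolean verifyCaller = this.deployment.isUseResourceRoleMappings()
                ? accessToken.isVerifyCaller(this.deployment.getResourceName())
                : accessToken.isVerifyCaller();
        if (verifyCaller) {
            throw new IllegalStateException("VerifyCaller not supported yet in login module");
        }
        RefreshableKeycloakSecurityContext securityContext = new RefreshableKeycloakSecurityContext(this.deployment, null, str, accessToken, null, null, null);
        KeycloakPrincipal<RefreshableKeycloakSecurityContext> principal = new KeycloakPrincipal<>(AdapterUtils.getPrincipalName(this.deployment, accessToken), securityContext);
        return new Auth(principal, AdapterUtils.getRolesFromSecurityContext(securityContext), str);
    }

    /**
     * Authenticates the supplied credentials.
     *
     * @param str the user name from the callback handler
     * @param str2 the password from the callback handler
     * @return the authentication result, or null to signal that this module did not authenticate the user
     * @throws Exception on failure; {@link #login()} wraps it in a {@link LoginException}
     */
    protected abstract Auth doAuth(String str, String str2) throws Exception;

    /** @return the logger used for this module's diagnostics */
    protected abstract Logger getLogger();
}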
