package org.wildfly.security.http.oidc;

import java.util.Collections;
import java.util.List;
import org.wildfly.security.http.HttpConstants;
import org.wildfly.security.http.HttpScope;
import org.wildfly.security.http.Scope;
import org.wildfly.security.http.oidc.Oidc;

/* loaded from: input_file:org/wildfly/security/http/oidc/RequestAuthenticator.class */
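/**
 * Authenticates a single HTTP request by trying each supported mechanism in turn.
 *
 * <p>The order, as implemented in {@link #doAuthenticate()}, is: bearer token, token passed as a
 * query parameter, HTTP basic (only when enabled on the deployment), the token store cache and
 * finally the redirect-based OIDC authenticator. Every path that would report
 * {@code AUTHENTICATED} first goes through {@link #verifySSL()}.
 */
public class RequestAuthenticator {
    protected OidcHttpFacade facade;
    // Challenge produced by the mechanism that last failed or declined; null until one is set.
    protected AuthChallenge challenge;
    protected OidcClientConfiguration deployment;
    protected int sslRedirectPort;

    /**
     * Creates an authenticator bound to one request.
     *
     * @param oidcHttpFacade the facade giving access to the request, response, scopes and token store
     * @param oidcClientConfiguration the client configuration consulted for enabled mechanisms and TLS policy
     * @param i the SSL redirect port, stored as {@code sslRedirectPort} and handed to the OIDC authenticator
     */
    public RequestAuthenticator(OidcHttpFacade oidcHttpFacade, OidcClientConfiguration oidcClientConfiguration, int i) {
        this.facade = oidcHttpFacade;
        this.deployment = oidcClientConfiguration;
        this.sslRedirectPort = i;
    }

    /**
     * Runs authentication and then the facade's authorization check.
     *
     * @return the outcome of {@link #doAuthenticate()}, except that an {@code AUTHENTICATED}
     *         outcome is downgraded to {@code FAILED} when {@code facade.isAuthorized()} is false
     */
    public Oidc.AuthOutcome authenticate() {
        Oidc.AuthOutcome outcome = doAuthenticate();
        // Authentication alone is not enough: an authenticated but unauthorized caller is rejected.
        // No challenge is assigned on this path, so getChallenge() returns whatever was set earlier.
        if (Oidc.AuthOutcome.AUTHENTICATED.equals(outcome) && !this.facade.isAuthorized()) {
            return Oidc.AuthOutcome.FAILED;
        }
        return outcome;
    }

    /**
     * Builds the redirect-based OIDC authenticator for this request.
     *
     * @return a new authenticator sharing this instance's facade, deployment, port and token store
     */
    protected OidcRequestAuthenticator createOidcAuthenticator() {
        return new OidcRequestAuthenticator(this, this.facade, this.deployment, this.sslRedirectPort, this.facade.getTokenStore());
    }

    /**
     * Reports a completed OIDC login to the facade.
     *
     * @param oidcPrincipal the authenticated principal
     */
    protected void completeOidcAuthentication(OidcPrincipal<RefreshableOidcSecurityContext> oidcPrincipal) {
        // Second argument is true here and false for bearer logins.
        // NOTE(review): presumably it controls whether the account is stored — confirm against the facade.
        this.facade.authenticationComplete(new OidcAccount(oidcPrincipal), true);
    }

    /**
     * Reports a completed bearer-style login to the facade.
     *
     * @param oidcPrincipal the authenticated principal
     */
    protected void completeBearerAuthentication(OidcPrincipal<RefreshableOidcSecurityContext> oidcPrincipal) {
        this.facade.authenticationComplete(new OidcAccount(oidcPrincipal), false);
    }

    /**
     * Returns the ID of the session scope, optionally creating the session first.
     *
     * @param z when true, the session scope is created if it does not exist yet
     * @return the session ID, or {@code null} when the facade provides no session scope
     */
    protected String changeHttpSessionId(boolean z) {
        HttpScope session = this.facade.getScope(Scope.SESSION);
        // The null check has to come before any use of the scope; checking it only after
        // exists()/create() would throw instead of returning null.
        if (session == null) {
            return null;
        }
        if (z && !session.exists()) {
            session.create();
        }
        return session.getID();
    }

    /**
     * @return the challenge recorded by the last mechanism that failed or declined, or {@code null}
     */
    public AuthChallenge getChallenge() {
        return this.challenge;
    }

    /**
     * Tries each mechanism in order and returns as soon as one fails or succeeds.
     *
     * <p>A mechanism that reports {@code FAILED} ends the attempt immediately and its challenge is
     * kept; later mechanisms are not tried. A success is turned into {@code FAILED} when
     * {@link #verifySSL()} reports that the request violates the TLS policy.
     *
     * @return {@code AUTHENTICATED}, {@code FAILED} or {@code NOT_ATTEMPTED}
     */
    private Oidc.AuthOutcome doAuthenticate() {
        if (ElytronMessages.log.isTraceEnabled()) {
            ElytronMessages.log.trace("--> authenticate()");
            ElytronMessages.log.trace("try bearer");
        }

        // 1. Bearer token.
        BearerTokenRequestAuthenticator bearer = new BearerTokenRequestAuthenticator(this.facade, this.deployment);
        Oidc.AuthOutcome bearerOutcome = bearer.authenticate();
        if (bearerOutcome == Oidc.AuthOutcome.FAILED) {
            this.challenge = bearer.getChallenge();
            ElytronMessages.log.debug("Bearer FAILED");
            return Oidc.AuthOutcome.FAILED;
        }
        if (bearerOutcome == Oidc.AuthOutcome.AUTHENTICATED) {
            if (verifySSL()) {
                return Oidc.AuthOutcome.FAILED;
            }
            completeAuthentication(bearer);
            ElytronMessages.log.debug("Bearer AUTHENTICATED");
            return Oidc.AuthOutcome.AUTHENTICATED;
        }

        // 2. Token passed as a query parameter.
        // NOTE(review): completeAuthentication() logs the request URI at debug level; if getURI()
        // includes the query string, the token would end up in debug logs — confirm.
        QueryParameterTokenRequestAuthenticator queryParam = new QueryParameterTokenRequestAuthenticator(this.facade, this.deployment);
        if (ElytronMessages.log.isTraceEnabled()) {
            ElytronMessages.log.trace("try query parameter auth");
        }
        Oidc.AuthOutcome queryParamOutcome = queryParam.authenticate();
        if (queryParamOutcome == Oidc.AuthOutcome.FAILED) {
            this.challenge = queryParam.getChallenge();
            ElytronMessages.log.debug("QueryParamAuth auth FAILED");
            return Oidc.AuthOutcome.FAILED;
        }
        if (queryParamOutcome == Oidc.AuthOutcome.AUTHENTICATED) {
            if (verifySSL()) {
                return Oidc.AuthOutcome.FAILED;
            }
            ElytronMessages.log.debug("QueryParamAuth AUTHENTICATED");
            completeAuthentication(queryParam);
            return Oidc.AuthOutcome.AUTHENTICATED;
        }

        // 3. HTTP basic, only when the deployment opts in.
        if (this.deployment.isEnableBasicAuth()) {
            BasicAuthRequestAuthenticator basic = new BasicAuthRequestAuthenticator(this.facade, this.deployment);
            if (ElytronMessages.log.isTraceEnabled()) {
                ElytronMessages.log.trace("try basic auth");
            }
            Oidc.AuthOutcome basicOutcome = basic.authenticate();
            if (basicOutcome == Oidc.AuthOutcome.FAILED) {
                this.challenge = basic.getChallenge();
                ElytronMessages.log.debug("BasicAuth FAILED");
                return Oidc.AuthOutcome.FAILED;
            }
            if (basicOutcome == Oidc.AuthOutcome.AUTHENTICATED) {
                if (verifySSL()) {
                    return Oidc.AuthOutcome.FAILED;
                }
                ElytronMessages.log.debug("BasicAuth AUTHENTICATED");
                completeAuthentication(basic);
                return Oidc.AuthOutcome.AUTHENTICATED;
            }
        }

        // A bearer-only client never starts the redirect flow; answer with the bearer challenge.
        if (this.deployment.isBearerOnly()) {
            this.challenge = bearer.getChallenge();
            ElytronMessages.log.debug("NOT_ATTEMPTED: bearer only");
            return Oidc.AuthOutcome.NOT_ATTEMPTED;
        }

        if (ElytronMessages.log.isTraceEnabled()) {
            ElytronMessages.log.trace("try oidc");
        }

        // 4. Previously established login held by the token store. completeAuthentication() is
        // not called on this path; the TLS policy is still enforced.
        if (this.facade.getTokenStore().isCached(this)) {
            if (verifySSL()) {
                return Oidc.AuthOutcome.FAILED;
            }
            ElytronMessages.log.debug("AUTHENTICATED: was cached");
            return Oidc.AuthOutcome.AUTHENTICATED;
        }

        // Requests that look non-interactive get the bearer challenge instead of a redirect.
        if (isAutodetectedBearerOnly()) {
            this.challenge = bearer.getChallenge();
            ElytronMessages.log.debug("NOT_ATTEMPTED: Treating as bearer only");
            return Oidc.AuthOutcome.NOT_ATTEMPTED;
        }

        // 5. Redirect-based OIDC authenticator.
        OidcRequestAuthenticator oidc = createOidcAuthenticator();
        Oidc.AuthOutcome oidcOutcome = oidc.authenticate();
        if (oidcOutcome == Oidc.AuthOutcome.FAILED) {
            this.challenge = oidc.getChallenge();
            return Oidc.AuthOutcome.FAILED;
        }
        if (oidcOutcome == Oidc.AuthOutcome.NOT_ATTEMPTED) {
            this.challenge = oidc.getChallenge();
            return Oidc.AuthOutcome.NOT_ATTEMPTED;
        }
        if (verifySSL()) {
            return Oidc.AuthOutcome.FAILED;
        }
        completeAuthentication(oidc);
        // Redirect to the URI returned by getStrippedOauthParametersRequestUri() — presumably the
        // request URI without the OAuth response parameters, so they do not stay in the address
        // bar or browser history.
        this.facade.getResponse().setHeader("Location", oidc.getStrippedOauthParametersRequestUri());
        this.facade.getResponse().setStatus(302);
        this.facade.getResponse().end();
        ElytronMessages.log.debug("AUTHENTICATED");
        return Oidc.AuthOutcome.AUTHENTICATED;
    }

    /**
     * Checks the request against the deployment's TLS policy.
     *
     * <p>Despite the name, the return value signals a <em>violation</em>: callers treat
     * {@code true} as a reason to fail authentication.
     *
     * @return {@code true} when the request is not secure although the policy requires it for the
     *         request's remote address; {@code false} when the request may proceed
     */
    protected boolean verifySSL() {
        if (this.facade.getRequest().isSecure()) {
            return false;
        }
        // NOTE(review): the policy decision depends on the remote address reported by the facade;
        // behind a reverse proxy, confirm that this is the real client address.
        if (!this.deployment.getSSLRequired().isRequired(this.facade.getRequest().getRemoteAddr())) {
            return false;
        }
        ElytronMessages.log.warnf("SSL is required to authenticate. Remote address %s is secure: %s, SSL required for: %s .", this.facade.getRequest().getRemoteAddr(), Boolean.valueOf(this.facade.getRequest().isSecure()), this.deployment.getSSLRequired().name());
        return true;
    }

    /**
     * Builds the principal for a successful OIDC login and reports it to the facade.
     *
     * @param oidcRequestAuthenticator the authenticator holding the access, ID and refresh tokens
     */
    protected void completeAuthentication(OidcRequestAuthenticator oidcRequestAuthenticator) {
        // The principal name is taken from the ID token on this path.
        String principalName = oidcRequestAuthenticator.getIDToken().getPrincipalName(this.deployment);
        RefreshableOidcSecurityContext securityContext = new RefreshableOidcSecurityContext(
                this.deployment,
                this.facade.getTokenStore(),
                oidcRequestAuthenticator.getTokenString(),
                oidcRequestAuthenticator.getToken(),
                oidcRequestAuthenticator.getIDTokenString(),
                oidcRequestAuthenticator.getIDToken(),
                oidcRequestAuthenticator.getRefreshToken());
        OidcPrincipal<RefreshableOidcSecurityContext> oidcPrincipal = new OidcPrincipal<>(principalName, securityContext);
        completeOidcAuthentication(oidcPrincipal);
        ElytronMessages.log.debugv("User ''{0}'' invoking ''{1}'' on client ''{2}''", oidcPrincipal.getName(), this.facade.getRequest().getURI(), this.deployment.getResourceName());
    }

    /**
     * Builds the principal for a successful bearer-style login and reports it to the facade.
     *
     * @param bearerTokenRequestAuthenticator the authenticator holding the access token
     */
    protected void completeAuthentication(BearerTokenRequestAuthenticator bearerTokenRequestAuthenticator) {
        // The principal name is taken from the access token; no token store, ID token or
        // refresh token is attached to the security context on this path.
        String principalName = bearerTokenRequestAuthenticator.getToken().getPrincipalName(this.deployment);
        RefreshableOidcSecurityContext securityContext = new RefreshableOidcSecurityContext(
                this.deployment,
                null,
                bearerTokenRequestAuthenticator.getTokenString(),
                bearerTokenRequestAuthenticator.getToken(),
                null,
                null,
                null);
        OidcPrincipal<RefreshableOidcSecurityContext> oidcPrincipal = new OidcPrincipal<>(principalName, securityContext);
        completeBearerAuthentication(oidcPrincipal);
        ElytronMessages.log.debugv("User ''{0}'' invoking ''{1}'' on client ''{2}''", oidcPrincipal.getName(), this.facade.getRequest().getURI(), this.deployment.getResourceName());
    }

    /**
     * Decides from request headers whether the request should be treated as bearer-only.
     *
     * <p>All inputs are headers supplied by the client. In {@link #doAuthenticate()} the result
     * only chooses between returning the bearer challenge and starting the redirect flow; it does
     * not by itself authenticate anything.
     *
     * @return {@code false} when autodetection is disabled or an {@code Accept} header mentions an
     *         HTML, text or wildcard content type; {@code true} otherwise
     */
    protected boolean isAutodetectedBearerOnly() {
        if (!this.deployment.isAutodetectBearerOnly()) {
            return false;
        }
        String requestedWith = this.facade.getRequest().getHeader(HttpConstants.X_REQUESTED_WITH);
        if (requestedWith != null && requestedWith.equalsIgnoreCase(HttpConstants.XML_HTTP_REQUEST)) {
            return true;
        }
        String facesRequest = this.facade.getRequest().getHeader(HttpConstants.FACES_REQUEST);
        if (facesRequest != null && facesRequest.startsWith(HttpConstants.PARTIAL)) {
            return true;
        }
        if (this.facade.getRequest().getHeader(HttpConstants.SOAP_ACTION) != null) {
            return true;
        }
        List<String> acceptHeaders = this.facade.getRequest().getHeaders("Accept");
        if (acceptHeaders == null) {
            acceptHeaders = Collections.emptyList();
        }
        for (String accept : acceptHeaders) {
            if (accept.contains(Oidc.HTML_CONTENT_TYPE) || accept.contains(Oidc.TEXT_CONTENT_TYPE) || accept.contains(Oidc.WILDCARD_CONTENT_TYPE)) {
                return false;
            }
        }
        // No Accept header, or none that mentions HTML/text/wildcard: treated as bearer-only.
        return true;
    }
}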
