package org.commonjava.aprox.httprox.keycloak;

import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.List;
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import org.apache.commons.codec.binary.Base64;
import org.commonjava.aprox.httprox.conf.HttproxConfig;
import org.commonjava.aprox.subsys.http.HttpWrapper;
import org.commonjava.aprox.subsys.http.util.UserPass;
import org.commonjava.aprox.subsys.keycloak.KeycloakAuthenticator;
import org.commonjava.aprox.subsys.keycloak.conf.KeycloakConfig;
import org.commonjava.aprox.subsys.keycloak.util.KeycloakBearerTokenDebug;
import org.commonjava.aprox.util.ApplicationStatus;
import org.keycloak.RSATokenVerifier;
import org.keycloak.VerificationException;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.KeycloakDeploymentBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

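@ApplicationScoped
public class KeycloakProxyAuthenticator implements KeycloakAuthenticator {
    /**
     * Request header that may carry a Base64-encoded Keycloak bearer token, used when the
     * token is not supplied as the password of a BASIC authentication header.
     */
    private static final String TOKEN_HEADER = "TOKEN";

    /** RFC 6750 {@code error} attribute emitted on every failed token verification. */
    private static final String INVALID_TOKEN = "invalid_token";

    private final Logger logger = LoggerFactory.getLogger(getClass());

    @Inject
    private HttproxConfig httproxConfig;

    @Inject
    private KeycloakConfig keycloakConfig;

    /**
     * Deployment parsed from keycloak.json. Loaded lazily on first use; writes are guarded by
     * {@code this} in {@link #ensureDeploymentLoaded()}, and every reader goes through that
     * method first, so the field is published safely without being volatile.
     */
    private KeycloakDeployment deployment;

    /**
     * Outcome of one token verification. {@code reason} and {@code description} become the
     * {@code error} / {@code error_description} attributes of the WWW-Authenticate challenge and
     * are both {@code null} on success.
     */
    public static final class AuthResult {
        private final boolean success;
        private final String reason;
        private final String description;

        private AuthResult(boolean success, String reason, String description) {
            this.success = success;
            this.reason = reason;
            this.description = description;
        }

        private AuthResult(boolean success) {
            this(success, null, null);
        }
    }

    /** No-arg constructor required for CDI proxying; fields are injected. */
    protected KeycloakProxyAuthenticator() {
    }

    /**
     * Creates an authenticator with explicit configuration (non-CDI use, e.g. tests).
     *
     * @param keycloakConfig Keycloak settings (enabled flag, path to keycloak.json)
     * @param httproxConfig  proxy settings (realm name for the challenge)
     */
    public KeycloakProxyAuthenticator(KeycloakConfig keycloakConfig, HttproxConfig httproxConfig) {
        this.keycloakConfig = keycloakConfig;
        this.httproxConfig = httproxConfig;
    }

    /**
     * Authenticates a proxy request against Keycloak.
     *
     * <p>The bearer token is taken from the BASIC-auth password first; if that is absent or
     * fails verification, the {@value #TOKEN_HEADER} header (Base64) is tried. A challenge is
     * written to {@code httpWrapper} in every case, even on success, exactly as the original
     * implementation did — NOTE(review): whether the caller discards that 401 on a {@code true}
     * return is not visible here; confirm before relying on it.
     *
     * @param userPass    credentials parsed from the request; may be {@code null}
     * @param httpWrapper request/response wrapper used to read headers and write the challenge
     * @return {@code true} when Keycloak is disabled or a token verified; {@code false} otherwise
     * @throws IOException if keycloak.json cannot be read or the response cannot be written
     */
    public boolean authenticate(UserPass userPass, HttpWrapper httpWrapper) throws IOException {
        if (!keycloakConfig.isEnabled()) {
            logger.debug("Keycloak httprox translation authenticator is disabled. Skipping authentication.");
            return true;
        }
        if (!ensureDeploymentLoaded()) {
            return false;
        }

        AuthResult authResult = null;
        String password = userPass == null ? null : userPass.getPassword();
        if (password != null) {
            authResult = authenticateToken(httpWrapper, password);
        }
        // Fall back to the dedicated header when the password was missing or did not verify.
        if (authResult == null || !authResult.success) {
            String headerToken = tokenFromHeader(httpWrapper);
            if (headerToken != null) {
                authResult = authenticateToken(httpWrapper, headerToken);
            }
        }

        if (authResult == null) {
            logger.info("No keycloak bearer token provided! This must either be in the password of a BASIC authentication header, or in a separate Base64-encoded header: {}", TOKEN_HEADER);
            sendChallengeResponse(httpWrapper, null, null);
            return false;
        }
        sendChallengeResponse(httpWrapper, authResult.reason, authResult.description);
        return authResult.success;
    }

    /**
     * Loads the Keycloak deployment from keycloak.json once. Only initialisation is serialised;
     * token verification itself runs outside the lock.
     *
     * @return {@code true} when a deployment is available, {@code false} when keycloak.json is
     *         not configured or does not exist
     * @throws IOException if the file cannot be read
     */
    private synchronized boolean ensureDeploymentLoaded() throws IOException {
        if (deployment != null) {
            return true;
        }
        String keycloakJson = keycloakConfig.getKeycloakJson();
        logger.debug("Reading keycloak deployment info from: {}", keycloakJson);
        if (keycloakJson == null || !new File(keycloakJson).exists()) {
            logger.warn("Cannot read keycloak.json from: {}", keycloakJson);
            return false;
        }
        // try-with-resources: the stream is closed even when the builder throws.
        try (FileInputStream in = new FileInputStream(keycloakJson)) {
            deployment = KeycloakDeploymentBuilder.build(in);
        }
        logger.debug("Got public key: '{}'", deployment.getRealmKey());
        return true;
    }

    /**
     * Extracts the bearer token from the first {@value #TOKEN_HEADER} header, if present.
     *
     * @return the Base64-decoded token, or {@code null} when the header is absent
     */
    private static String tokenFromHeader(HttpWrapper httpWrapper) {
        List<?> headers = httpWrapper.getHeaders(TOKEN_HEADER);
        if (headers == null || headers.isEmpty()) {
            return null;
        }
        // Explicit charset: the default constructor uses the platform charset.
        return new String(Base64.decodeBase64((String) headers.get(0)), StandardCharsets.UTF_8);
    }

    /**
     * Verifies a bearer token against the loaded deployment's realm key and not-before time.
     *
     * @param httpWrapper request wrapper (unused here; kept for subclass overrides)
     * @param token       raw bearer token
     * @return a successful result, or a failure carrying {@code invalid_token} and a description
     * @throws IOException declared for subclass overrides that may write to the response
     */
    protected AuthResult authenticateToken(HttpWrapper httpWrapper, String token) throws IOException {
        if (deployment == null) {
            // Reachable only when called directly, before authenticate() loaded the deployment.
            logger.error("Keycloak deployment not loaded; cannot verify token");
            return new AuthResult(false, INVALID_TOKEN, "Keycloak deployment not loaded");
        }
        try {
            KeycloakBearerTokenDebug.debugToken(token);
            // Do not log the raw token: it is a bearer credential and would leak via log files.
            logger.debug("Verifying bearer token ({} chars)", token.length());
            long issuedAt = RSATokenVerifier
                    .verifyToken(token, deployment.getRealmKey(), deployment.getRealmInfoUrl())
                    .getIssuedAt();
            if (issuedAt < deployment.getNotBefore()) {
                logger.error("Stale token");
                return new AuthResult(false, INVALID_TOKEN, "Stale token");
            }
            logger.debug("Token verification succeeded!");
            return new AuthResult(true);
        } catch (VerificationException e) {
            logger.error("Failed to verify token", e);
            return new AuthResult(false, INVALID_TOKEN, e.getMessage());
        }
    }

    /**
     * Writes a 401 with an RFC 6750 {@code WWW-Authenticate: Bearer} challenge.
     *
     * @param httpWrapper      response wrapper
     * @param error            {@code error} attribute, omitted when {@code null}
     * @param errorDescription {@code error_description} attribute, omitted when {@code null}
     * @throws IOException if the response cannot be written
     */
    protected void sendChallengeResponse(HttpWrapper httpWrapper, String error, String errorDescription) throws IOException {
        StringBuilder challenge = new StringBuilder("Bearer realm=\"")
                .append(quoted(httproxConfig.getProxyRealm())).append('"');
        if (error != null) {
            challenge.append(", error=\"").append(quoted(error)).append('"');
        }
        if (errorDescription != null) {
            challenge.append(", error_description=\"").append(quoted(errorDescription)).append('"');
        }
        ApplicationStatus status = ApplicationStatus.UNAUTHORIZED;
        httpWrapper.writeStatus(status.code(), status.message());
        httpWrapper.writeHeader("WWW-Authenticate", challenge.toString());
    }

    /**
     * Makes a value safe inside an HTTP quoted-string: escapes {@code \} and {@code "}, and drops
     * CR/LF so a verification message derived from the token cannot break out of the header.
     * {@code null} renders as "null", matching {@link StringBuilder#append(String)}.
     */
    private static String quoted(String value) {
        String text = String.valueOf(value);
        StringBuilder out = new StringBuilder(text.length() + 8);
        for (int i = 0; i < text.length(); i++) {
            char c = text.charAt(i);
            if (c == '\\' || c == '"') {
                out.append('\\').append(c);
            } else if (c != '\r' && c != '\n') {
                out.append(c);
            }
        }
        return out.toString();
    }
}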
