package org.commonjava.aprox.bind.jaxrs.keycloak;

import io.undertow.security.api.AuthenticationMechanism;
import io.undertow.security.api.SecurityContext;
import io.undertow.server.HttpServerExchange;
import io.undertow.util.HeaderMap;
import io.undertow.util.HttpString;
import java.io.IOException;
import java.io.InputStream;
import java.net.URI;
import java.util.ArrayList;
import java.util.Collection;
import javax.annotation.PostConstruct;
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import org.apache.commons.io.IOUtils;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.message.BasicNameValuePair;
import org.commonjava.aprox.subsys.http.util.UserPass;
import org.commonjava.aprox.subsys.keycloak.conf.KeycloakConfig;
import org.commonjava.aprox.subsys.keycloak.util.KeycloakBearerTokenDebug;
import org.commonjava.maven.galley.transport.htcli.Http;
import org.keycloak.representations.AccessTokenResponse;
import org.keycloak.util.BasicAuthHelper;
import org.keycloak.util.JsonSerialization;
import org.keycloak.util.KeycloakUriBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

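/**
 * Undertow {@link AuthenticationMechanism} that translates HTTP BASIC credentials into an
 * OAuth 2.0 bearer token by calling the Keycloak token endpoint with the password grant.
 *
 * <p>The mechanism never authenticates the request itself: {@link #authenticate} always returns
 * {@code NOT_ATTEMPTED} after rewriting the {@code Authorization} request headers, so that a later
 * mechanism (per the log message, Keycloak's) can validate the bearer token.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>Authorization header values, parsed passwords, access tokens and raw token responses are
 *       credentials. They are deliberately kept out of every log statement in this class, including
 *       DEBUG, because log files usually have a wider audience and longer retention than the
 *       credentials themselves.</li>
 *   <li>The user's password and the client secret are sent to the URL returned by
 *       {@code config.getUrl()}. NOTE(review): confirm that this URL is always HTTPS in
 *       deployments, otherwise both travel in clear text.</li>
 * </ul>
 */
@ApplicationScoped
/* loaded from: input_file:org/commonjava/aprox/bind/jaxrs/keycloak/BasicAuthenticationOAuthTranslator.class */
public class BasicAuthenticationOAuthTranslator implements AuthenticationMechanism {
    private static final String USERNAME = "username";
    private static final String PASSWORD = "password";
    private static final String BEARER_AUTH_PREFIX = "bearer";
    private static final String BASIC_AUTH_PREFIX = "basic";
    private static final String AUTHORIZATION_HEADER = "Authorization";
    private static final String APROX_BEARER_TOKEN = "Aprox-Bearer";
    private final Logger logger = LoggerFactory.getLogger(getClass());

    @Inject
    private KeycloakConfig config;

    @Inject
    private Http http;

    // Set by init() once both the client id (server.resource) and the client secret are configured.
    private boolean enabled;

    /** No-arg constructor for container-managed instantiation; fields are injected afterwards. */
    protected BasicAuthenticationOAuthTranslator() {
    }

    /**
     * Creates a translator outside of the container and initializes it immediately.
     *
     * @param keycloakConfig Keycloak settings (URL, realm, client id and client secret)
     * @param http factory for the HTTP client used to call the token endpoint
     */
    public BasicAuthenticationOAuthTranslator(KeycloakConfig keycloakConfig, Http http) {
        this.config = keycloakConfig;
        this.http = http;
        init();
    }

    /**
     * Enables the translation only when both the client id and the client secret are configured;
     * otherwise logs a warning and leaves the mechanism disabled.
     */
    @PostConstruct
    public void init() {
        if (this.config.getServerCredentialSecret() == null || this.config.getServerResource() == null) {
            this.logger.warn("BASIC authentication is disabled; server.resource and/or server.credential.secret are missing from keycloak.conf!");
        } else {
            this.enabled = true;
        }
    }

    /**
     * Rewrites the request's {@code Authorization} headers, replacing a BASIC header with a bearer
     * token obtained from Keycloak.
     *
     * <p>All {@code Authorization} headers are removed from the request. Bearer headers and headers
     * with other schemes are put back unchanged. A BASIC header is never put back: if no bearer
     * header is present and the token lookup succeeds, a {@code bearer <token>} header is added in
     * its place and the token is also returned to the client in the {@code Aprox-Bearer} response
     * header. If several BASIC headers are present, the last one is used.
     *
     * @param httpServerExchange the current exchange whose headers are rewritten
     * @param securityContext unused
     * @return always {@code NOT_ATTEMPTED}; the actual authentication is left to another mechanism
     */
    @Override
    public AuthenticationMechanism.AuthenticationMechanismOutcome authenticate(HttpServerExchange httpServerExchange, SecurityContext securityContext) {
        if (!this.enabled) {
            return AuthenticationMechanism.AuthenticationMechanismOutcome.NOT_ATTEMPTED;
        }
        this.logger.debug("BASIC authenticate injector checking for Authorization header.");
        HeaderMap requestHeaders = httpServerExchange.getRequestHeaders();
        Collection<String> removed = requestHeaders.remove(AUTHORIZATION_HEADER);
        String basicHeader = null;
        String bearerHeader = null;
        ArrayList<String> retained = new ArrayList<String>();
        if (removed != null) {
            for (String value : removed) {
                // Only the scheme is logged; the header value itself is a credential.
                if (hasScheme(value, BASIC_AUTH_PREFIX)) {
                    this.logger.debug("Found Authorization header with BASIC scheme (value not logged)");
                    basicHeader = value;
                } else if (hasScheme(value, BEARER_AUTH_PREFIX)) {
                    this.logger.debug("Found Authorization header with bearer scheme (value not logged)");
                    bearerHeader = value;
                    retained.add(value);
                } else {
                    this.logger.debug("Found Authorization header with another scheme (value not logged)");
                    retained.add(value);
                }
            }
        }
        // An existing bearer token wins; BASIC credentials are only translated when none is present.
        if (bearerHeader == null && basicHeader != null) {
            UserPass userPass = UserPass.parse(basicHeader);
            // Log the user name only: UserPass may render the password in toString().
            this.logger.debug("Parsed BASIC authorization for user: {}", userPass == null ? null : userPass.getUser());
            AccessTokenResponse tokenResponse = userPass == null ? null : lookupToken(userPass);
            String token = tokenResponse == null ? null : tokenResponse.getToken();
            if (token != null) {
                this.logger.info("BASIC authentication translated into OAuth 2.0 bearer token. Handing off to Keycloak.");
                retained.add("bearer " + token);
                // NOTE(review): presumably dumps token details to the debug log; confirm that it
                // does not emit the complete signed token.
                KeycloakBearerTokenDebug.debugToken(token);
                // The token is handed back to the caller that supplied the password.
                // NOTE(review): anything that records response headers (proxies, access logs)
                // will see this value.
                httpServerExchange.getResponseHeaders().add(new HttpString(APROX_BEARER_TOKEN), token);
            } else if (tokenResponse != null) {
                this.logger.warn("Keycloak token response did not contain an access token.");
            }
        }
        this.logger.debug("Re-adding {} {} value(s)", retained.size(), AUTHORIZATION_HEADER);
        requestHeaders.addAll(new HttpString(AUTHORIZATION_HEADER), retained);
        return AuthenticationMechanism.AuthenticationMechanismOutcome.NOT_ATTEMPTED;
    }

    /**
     * Tests whether a header value starts with the given scheme, ignoring case.
     *
     * <p>Uses {@code regionMatches} instead of {@code toLowerCase().startsWith(...)} so the result
     * does not depend on the JVM's default locale (for example, under a Turkish locale
     * {@code "BASIC".toLowerCase()} does not start with {@code "basic"}).
     */
    private static boolean hasScheme(String headerValue, String scheme) {
        return headerValue != null && headerValue.regionMatches(true, 0, scheme, 0, scheme.length());
    }

    /**
     * Exchanges a user name and password for an access token using the OAuth 2.0 password grant
     * against the realm's {@code openid-connect/token} endpoint.
     *
     * <p>The request is authenticated with the configured client id and client secret. The HTTP
     * client, request and response are released on every path, not only when the call fails.
     *
     * @param userPass credentials parsed from the BASIC header
     * @return the parsed token response, or {@code null} when the endpoint does not answer with
     *         HTTP 200, returns no body, or the call fails with an {@link IOException}
     */
    private AccessTokenResponse lookupToken(UserPass userPass) {
        URI tokenUri = KeycloakUriBuilder.fromUri(this.config.getUrl()).path("/realms/{realm-name}/protocol/openid-connect/token").build(new Object[]{this.config.getRealm()});
        this.logger.debug("Looking up token at: {}", tokenUri);
        HttpPost httpPost = new HttpPost(tokenUri);
        ArrayList<BasicNameValuePair> form = new ArrayList<BasicNameValuePair>();
        form.add(new BasicNameValuePair(USERNAME, userPass.getUser()));
        form.add(new BasicNameValuePair(PASSWORD, userPass.getPassword()));
        form.add(new BasicNameValuePair("grant_type", PASSWORD));
        httpPost.setHeader(AUTHORIZATION_HEADER, BasicAuthHelper.createHeader(this.config.getServerResource(), this.config.getServerCredentialSecret()));
        CloseableHttpClient client = null;
        CloseableHttpResponse response = null;
        AccessTokenResponse accessTokenResponse = null;
        try {
            client = this.http.createClient();
            httpPost.setEntity(new UrlEncodedFormEntity(form, "UTF-8"));
            response = client.execute(httpPost);
            this.logger.debug("Got response status: {}", response.getStatusLine());
            if (response.getStatusLine().getStatusCode() == 200 && response.getEntity() != null) {
                try (InputStream content = response.getEntity().getContent()) {
                    // Decode explicitly as UTF-8 rather than with the platform default charset.
                    String json = IOUtils.toString(content, "UTF-8");
                    // The body contains the access (and possibly refresh) token, so it is not logged.
                    accessTokenResponse = (AccessTokenResponse) JsonSerialization.readValue(json, AccessTokenResponse.class);
                }
            }
        } catch (IOException e) {
            this.logger.error(String.format("Keycloak token request failed: %s", e.getMessage()), e);
        } finally {
            // Release the connection after success as well as after failure.
            this.http.cleanup(client, httpPost, response);
        }
        return accessTokenResponse;
    }

    /**
     * Sends an HTTP 401 response with a {@code WWW-Authenticate: BASIC} challenge for the
     * configured realm.
     *
     * <p>NOTE(review): the challenge is sent even when the mechanism is disabled, which invites
     * clients to send passwords that {@link #authenticate} will then ignore; confirm whether that
     * is intended.
     *
     * @param httpServerExchange the current exchange
     * @param securityContext unused
     * @return a result reporting that a challenge with status 401 was sent
     */
    @Override
    public AuthenticationMechanism.ChallengeResult sendChallenge(HttpServerExchange httpServerExchange, SecurityContext securityContext) {
        this.logger.debug("BASIC sendChallenge");
        httpServerExchange.getResponseHeaders().add(new HttpString("WWW-Authenticate"), "BASIC realm=\"" + this.config.getRealm() + "\"");
        httpServerExchange.setResponseCode(401);
        return new AuthenticationMechanism.ChallengeResult(true, 401);
    }
}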
