package ws.ament.hammock.security.keycloak;

import java.io.IOException;
import javax.annotation.PostConstruct;
import javax.annotation.PreDestroy;
import javax.annotation.Priority;
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.keycloak.KeycloakPrincipal;
import org.keycloak.adapters.AdapterDeploymentContext;
import org.keycloak.adapters.AdapterTokenStore;
import org.keycloak.adapters.AdapterUtils;
import org.keycloak.adapters.AuthenticatedActionsHandler;
import org.keycloak.adapters.BasicAuthRequestAuthenticator;
import org.keycloak.adapters.BearerTokenRequestAuthenticator;
import org.keycloak.adapters.KeycloakConfigResolver;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.NodesRegistrationManagement;
import org.keycloak.adapters.PreAuthActionsHandler;
import org.keycloak.adapters.QueryParamterTokenRequestAuthenticator;
import org.keycloak.adapters.RefreshableKeycloakSecurityContext;
import org.keycloak.adapters.spi.AuthOutcome;
import org.keycloak.adapters.spi.UserSessionManagement;
import org.keycloak.representations.IDToken;

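/**
 * JAX-RS request filter that authenticates each incoming request with the Keycloak adapter
 * before resource matching takes place.
 *
 * <p>For every request the filter first lets Keycloak's pre-auth actions handler run, then
 * tries the authenticators in a fixed order: bearer token, token passed as a query
 * parameter, and (only when the deployment enables it) HTTP basic auth. On success a
 * {@link HammockSecurityContext} carrying the Keycloak principal and roles is installed on
 * the request; otherwise a challenge (or a plain 401) is written and the response is ended.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>Denying a request relies on {@code JaxrsHttpFacade}'s response {@code end()} /
 *       {@code sendError()} stopping further processing. That class is defined outside this
 *       file; verify it aborts the {@link ContainerRequestContext}.</li>
 *   <li>The query-parameter authenticator is always consulted when no bearer header was
 *       attempted. Tokens carried in URLs tend to end up in access logs and Referer
 *       headers; whether the deployment actually accepts them is decided inside the
 *       Keycloak adapter and is not visible here.</li>
 *   <li>The "SSL required" check runs only after a credential has been accepted, so it
 *       refuses to serve the request but cannot protect a credential that was already sent
 *       in clear text. Enforce TLS in front of the application as well.</li>
 * </ul>
 */
@PreMatching
@ApplicationScoped
// 1000 is the value of javax.ws.rs.Priorities.AUTHENTICATION.
@Priority(1000)
@Provider
public class HammockKeycloakJaxrsFilter implements ContainerRequestFilter {
    private static final Logger log = LogManager.getLogger(HammockKeycloakJaxrsFilter.class);

    // Resolves the Keycloak configuration to use; handed to the AdapterDeploymentContext in init().
    @Inject
    private KeycloakConfigResolver keycloakConfigResolver;

    // Passed to PreAuthActionsHandler on every request.
    @Inject
    private UserSessionManagement userSessionManagement;

    // Both are created in init(); nodesRegistrationManagement is stopped in shutdown().
    private NodesRegistrationManagement nodesRegistrationManagement;
    private AdapterDeploymentContext deploymentContext;

    /** Builds the per-application Keycloak adapter state once injection has completed. */
    @PostConstruct
    public void init() {
        this.deploymentContext = new AdapterDeploymentContext(this.keycloakConfigResolver);
        this.nodesRegistrationManagement = new NodesRegistrationManagement();
    }

    /** Stops node registration; a no-op when {@link #init()} never completed. */
    @PreDestroy
    public void shutdown() {
        // Guard against a bean that is destroyed without a successful init().
        if (this.nodesRegistrationManagement != null) {
            this.nodesRegistrationManagement.stop();
        }
    }

    /**
     * Authenticates the request, or writes a challenge/error response when it cannot.
     *
     * @param containerRequestContext the request being filtered; its security context is
     *     replaced on successful authentication
     * @throws IOException declared by {@link ContainerRequestFilter}; not thrown directly here
     */
    @Override
    public void filter(ContainerRequestContext containerRequestContext) throws IOException {
        JaxrsHttpFacade facade =
                new JaxrsHttpFacade(containerRequestContext, containerRequestContext.getSecurityContext());
        if (handlePreauth(facade)) {
            // The pre-auth handler took care of the request; no authentication is attempted.
            return;
        }
        KeycloakDeployment deployment = this.deploymentContext.resolveDeployment(facade);
        this.nodesRegistrationManagement.tryRegister(deployment);
        bearerAuthentication(facade, containerRequestContext, deployment);
    }

    /**
     * Runs Keycloak's {@link PreAuthActionsHandler} for the request.
     *
     * @return {@code true} when the handler handled the request (the response is ended here
     *     if the handler left it open), {@code false} when normal authentication should follow
     */
    private boolean handlePreauth(JaxrsHttpFacade facade) {
        PreAuthActionsHandler handler =
                new PreAuthActionsHandler(this.userSessionManagement, this.deploymentContext, facade);
        if (!handler.handleRequest()) {
            return false;
        }
        if (!facade.isResponseFinished()) {
            facade.getResponse().end();
        }
        return true;
    }

    /**
     * Tries the authenticators in order and either installs the security context or rejects
     * the request.
     *
     * <p>Despite the name, up to three mechanisms are tried: bearer header, query-parameter
     * token, then basic auth when {@code deployment.isEnableBasicAuth()} is true. A later
     * mechanism is consulted only while the outcome is still {@code NOT_ATTEMPTED}.
     */
    private void bearerAuthentication(
            JaxrsHttpFacade facade, ContainerRequestContext requestContext, KeycloakDeployment deployment) {
        BearerTokenRequestAuthenticator authenticator = new BearerTokenRequestAuthenticator(deployment);
        AuthOutcome outcome = authenticator.authenticate(facade);

        if (outcome == AuthOutcome.NOT_ATTEMPTED) {
            // NOTE(review): a token in the query string is easier to leak than a header
            // (logs, Referer). Confirm the deployment only allows this where it is needed.
            authenticator = new QueryParamterTokenRequestAuthenticator(deployment);
            outcome = authenticator.authenticate(facade);
        }
        if (outcome == AuthOutcome.NOT_ATTEMPTED && deployment.isEnableBasicAuth()) {
            authenticator = new BasicAuthRequestAuthenticator(deployment);
            outcome = authenticator.authenticate(facade);
        }

        boolean authenticated = outcome != AuthOutcome.FAILED && outcome != AuthOutcome.NOT_ATTEMPTED;
        if (authenticated) {
            if (verifySslFailed(facade, deployment)) {
                // A 403 has been sent; do not install a security context.
                return;
            }
            propagateSecurityContext(facade, requestContext, deployment, authenticator);
            handleAuthActions(facade, deployment);
            return;
        }

        // Nothing visible here guarantees that the last authenticator populated a challenge
        // for a NOT_ATTEMPTED outcome, so a missing challenge is treated as "not sent" and the
        // request is answered with a plain 401 instead of failing with a NullPointerException.
        boolean challengeSent =
                authenticator.getChallenge() != null && authenticator.getChallenge().challenge(facade);
        if (!challengeSent) {
            facade.getResponse().setStatus(Response.Status.UNAUTHORIZED.getStatusCode());
        }
        if (!facade.isResponseFinished()) {
            facade.getResponse().end();
        }
    }

    /**
     * Installs the authenticated identity on both the facade and the JAX-RS request.
     *
     * <p>The principal name and roles are derived from the token held by
     * {@code authenticator}; the {@code isSecure} flag is copied from the security context
     * that was on the request before this filter ran.
     */
    private void propagateSecurityContext(
            JaxrsHttpFacade facade,
            ContainerRequestContext requestContext,
            KeycloakDeployment deployment,
            BearerTokenRequestAuthenticator authenticator) {
        // The positional nulls presumably stand for token store, ID token string, ID token and
        // refresh token; confirm against the RefreshableKeycloakSecurityContext constructor.
        RefreshableKeycloakSecurityContext keycloakContext =
                new RefreshableKeycloakSecurityContext(
                        deployment,
                        (AdapterTokenStore) null,
                        authenticator.getTokenString(),
                        authenticator.getToken(),
                        (String) null,
                        (IDToken) null,
                        (String) null);
        facade.setSecurityContext(keycloakContext);

        String principalName = AdapterUtils.getPrincipalName(deployment, authenticator.getToken());
        KeycloakPrincipal principal = new KeycloakPrincipal(principalName, keycloakContext);
        requestContext.setSecurityContext(
                new HammockSecurityContext(
                        principal,
                        AdapterUtils.getRolesFromSecurityContext(keycloakContext),
                        requestContext.getSecurityContext().isSecure()));
    }

    /**
     * Rejects the request with 403 when the deployment requires SSL for the caller's address
     * and the request is not secure.
     *
     * @return {@code true} when the request was rejected, {@code false} when it may proceed
     */
    private boolean verifySslFailed(JaxrsHttpFacade facade, KeycloakDeployment deployment) {
        if (facade.getRequest().isSecure()) {
            return false;
        }
        // NOTE(review): the policy is evaluated against getRemoteAddr(); behind a reverse
        // proxy that is presumably the proxy's address. Confirm how JaxrsHttpFacade
        // derives it before relying on an "external requests only" SSL policy.
        if (!deployment.getSslRequired().isRequired(facade.getRequest().getRemoteAddr())) {
            return false;
        }
        log.warn("SSL is required to authenticate, but request is not secured");
        facade.getResponse().sendError(Response.Status.FORBIDDEN.getStatusCode(), "SSL required!");
        return true;
    }

    /**
     * Runs Keycloak's {@link AuthenticatedActionsHandler} after successful authentication and
     * ends the response when the handler handled the request without finishing it.
     */
    private void handleAuthActions(JaxrsHttpFacade facade, KeycloakDeployment deployment) {
        boolean handled = new AuthenticatedActionsHandler(deployment, facade).handledRequest();
        if (handled && !facade.isResponseFinished()) {
            facade.getResponse().end();
        }
    }
}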
