package io.quarkus.smallrye.jwt.runtime.auth;

import io.smallrye.jwt.auth.principal.JWTAuthContextInfo;
import io.undertow.UndertowLogger;
import io.undertow.security.api.AuthenticationMechanism;
import io.undertow.security.api.SecurityContext;
import io.undertow.security.idm.Account;
import io.undertow.security.idm.IdentityManager;
import io.undertow.server.HttpServerExchange;
import io.undertow.util.HeaderValues;
import io.undertow.util.Headers;
import java.util.Locale;
import javax.inject.Inject;

/* loaded from: input_file:io/quarkus/smallrye/jwt/runtime/auth/JWTAuthMechanism.class */
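/**
 * Undertow {@link AuthenticationMechanism} that authenticates a request from a
 * JWT carried in an {@code Authorization: Bearer <token>} header.
 *
 * <p>The raw token is a credential and is never written to the log. Anyone able
 * to read the log could otherwise replay it for as long as it stays valid.
 */
public class JWTAuthMechanism implements AuthenticationMechanism {

    /** Lower-case scheme prefix, including the separating space, matched case-insensitively. */
    private static final String BEARER_PREFIX = "bearer ";

    /** Mechanism name reported to the security context on success. */
    private static final String MECHANISM_NAME = "MP-JWT";

    // NOTE(review): the single-argument constructor leaves this field unset, so it
    // presumably relies on field injection to populate it; confirm against the caller.
    @Inject
    private JWTAuthContextInfo authContextInfo;
    private IdentityManager identityManager;

    /**
     * Creates a mechanism with an explicit JWT context.
     *
     * @param jWTAuthContextInfo context passed to each {@code JWTCredential}
     * @param identityManager manager used to verify the credential
     */
    public JWTAuthMechanism(JWTAuthContextInfo jWTAuthContextInfo, IdentityManager identityManager) {
        this.authContextInfo = jWTAuthContextInfo;
        this.identityManager = identityManager;
    }

    /**
     * Creates a mechanism without setting the JWT context.
     *
     * @param identityManager manager used to verify the credential
     */
    public JWTAuthMechanism(IdentityManager identityManager) {
        this.identityManager = identityManager;
    }

    /**
     * Attempts to authenticate the request using the first {@code Authorization}
     * header value that starts with the Bearer scheme.
     *
     * @param httpServerExchange the current exchange, whose request headers are read
     * @param securityContext context notified when authentication succeeds
     * @return {@code AUTHENTICATED} when the identity manager returns an account,
     *         {@code NOT_AUTHENTICATED} when it returns {@code null} or processing
     *         the token throws, and {@code NOT_ATTEMPTED} when no Bearer header
     *         value is present
     */
    @Override
    public AuthenticationMechanism.AuthenticationMechanismOutcome authenticate(HttpServerExchange httpServerExchange, SecurityContext securityContext) {
        // HeaderValues is itself a collection of String; it takes no type argument.
        HeaderValues headerValues = httpServerExchange.getRequestHeaders().get(Headers.AUTHORIZATION);
        if (headerValues == null) {
            return AuthenticationMechanism.AuthenticationMechanismOutcome.NOT_ATTEMPTED;
        }
        for (String headerValue : headerValues) {
            if (!headerValue.toLowerCase(Locale.ENGLISH).startsWith(BEARER_PREFIX)) {
                continue;
            }
            String token = headerValue.substring(BEARER_PREFIX.length());
            // Log only that a token arrived and how long it is, never the token itself.
            if (UndertowLogger.SECURITY_LOGGER.isTraceEnabled()) {
                UndertowLogger.SECURITY_LOGGER.tracef("Bearer token received (length=%d)", token.length());
            }
            try {
                JWTCredential jWTCredential = new JWTCredential(token, this.authContextInfo);
                Account verify = this.identityManager.verify(jWTCredential.getName(), jWTCredential);
                if (verify == null) {
                    UndertowLogger.SECURITY_LOGGER.info("Failed to authenticate JWT bearer token");
                    return AuthenticationMechanism.AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
                }
                securityContext.authenticationComplete(new JWTAccount(verify.getPrincipal(), verify), MECHANISM_NAME, false);
                UndertowLogger.SECURITY_LOGGER.debugf("Authenticated caller(%s) for path(%s) with roles: %s", jWTCredential.getName(), httpServerExchange.getRequestPath(), verify.getRoles());
                return AuthenticationMechanism.AuthenticationMechanismOutcome.AUTHENTICATED;
            } catch (Exception e) {
                // Fail closed: any error while parsing or verifying rejects the request.
                // NOTE(review): the exception is logged with its stack trace; confirm
                // that the parser's exception messages do not echo token contents.
                UndertowLogger.SECURITY_LOGGER.infof(e, "Failed to validate JWT bearer token");
                return AuthenticationMechanism.AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
            }
        }
        return AuthenticationMechanism.AuthenticationMechanismOutcome.NOT_ATTEMPTED;
    }

    /**
     * Adds a {@code WWW-Authenticate} challenge to the response and asks for a 401.
     *
     * @param httpServerExchange the current exchange, whose response headers are modified
     * @param securityContext unused
     * @return a challenge result marked as sent, with status code 401
     */
    @Override
    public AuthenticationMechanism.ChallengeResult sendChallenge(HttpServerExchange httpServerExchange, SecurityContext securityContext) {
        // NOTE(review): "Bearer {token}" is sent literally, not expanded. RFC 6750
        // challenges normally carry auth-params such as realm; confirm clients accept this.
        httpServerExchange.getResponseHeaders().add(Headers.WWW_AUTHENTICATE, "Bearer {token}");
        UndertowLogger.SECURITY_LOGGER.debugf("Sending Bearer {token} challenge for %s", httpServerExchange);
        return new AuthenticationMechanism.ChallengeResult(true, 401);
    }
}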
