package org.soulwing.jwt.extension.undertow;

import io.undertow.security.api.AuthenticationMechanism;
import io.undertow.security.api.SecurityContext;
import io.undertow.security.idm.Account;
import io.undertow.security.idm.IdentityManager;
import io.undertow.server.HttpServerExchange;
import java.util.Deque;
import java.util.Objects;
import java.util.function.Supplier;
import org.soulwing.jwt.extension.service.AuthenticationException;
import org.soulwing.jwt.extension.service.AuthenticationService;
import org.soulwing.jwt.extension.service.Authenticator;
import org.soulwing.jwt.extension.service.Credential;
import org.soulwing.jwt.extension.undertow.AuthenticationChallenge;

/* loaded from: input_file:org/soulwing/jwt/extension/undertow/JwtAuthenticationMechanism.class */
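/**
 * Undertow {@link AuthenticationMechanism} that authenticates a request by a JWT bearer token.
 * <p>
 * The token is read from the {@code Authorization: Bearer ...} request header and, failing that,
 * from the {@code access_token} query parameter. It is validated by an {@link Authenticator}
 * obtained from the configured {@link AuthenticationService}; the resulting {@link Credential} is
 * then handed to the {@link IdentityManager}, which decides whether the authenticated principal is
 * a known account.
 * <p>
 * {@link #authenticate} records its outcome on the exchange as {@code JwtAttachments} entries that
 * {@link #sendChallenge} later reads (and clears) to build the response, so the two methods are
 * only meaningful when used together on the same exchange.
 */
public class JwtAuthenticationMechanism implements AuthenticationMechanism {
    static final String MECHANISM_NAME = "JWT";
    private static final String AUTH_HEADER = "Authorization";
    private static final String BEARER_AUTH_SCHEMA = "Bearer";
    private static final String AUTH_QUERY_PARAM = "access_token";
    private static final String NOT_AUTHORIZED_MESSAGE = "identity manager does not recognize user '%s'";
    // HTTP status used when no (valid) token was presented and a challenge is sent
    private static final int UNAUTHORIZED_STATUS = 401;
    // HTTP status used when the token was valid but the identity manager rejected the user
    private static final int FORBIDDEN_STATUS = 403;

    private final IdentityManager identityManager;
    private final Supplier<AuthenticationService> authenticationService;
    private final Supplier<AuthenticationChallenge.Builder> challengeBuilder;

    /**
     * Creates a mechanism whose challenges are rendered by {@link JsonAuthenticationChallenge}.
     *
     * @param identityManager identity manager consulted after the token has been validated
     * @param supplier supplier of the authentication service that produces token authenticators
     * @throws NullPointerException if either argument is {@code null}
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public JwtAuthenticationMechanism(IdentityManager identityManager, Supplier<AuthenticationService> supplier) {
        this(identityManager, supplier, JsonAuthenticationChallenge::builder);
    }

    /**
     * Full constructor; lets the challenge renderer be substituted.
     *
     * @param identityManager identity manager consulted after the token has been validated
     * @param supplier supplier of the authentication service that produces token authenticators
     * @param supplier2 supplier of the builder used to render a 401 challenge
     * @throws NullPointerException if any argument is {@code null}
     */
    private JwtAuthenticationMechanism(IdentityManager identityManager,
            Supplier<AuthenticationService> supplier,
            Supplier<AuthenticationChallenge.Builder> supplier2) {
        // fail fast at construction instead of with an NPE on the first request
        this.identityManager = Objects.requireNonNull(identityManager, "identityManager");
        this.authenticationService = Objects.requireNonNull(supplier, "authenticationService");
        this.challengeBuilder = Objects.requireNonNull(supplier2, "challengeBuilder");
    }

    /**
     * Attempts bearer-token authentication of the exchange.
     * <p>
     * Attachments set on the exchange by this method: {@code AUTHENTICATOR_KEY} (always, once a
     * token is present), {@code CREDENTIAL_KEY} (on success), {@code AUTH_MESSAGE_KEY} (when a
     * challenge with a message should follow) and {@code AUTH_FAILED_KEY} (when a 403 should
     * follow instead of a challenge).
     *
     * @param httpServerExchange the current exchange
     * @param securityContext the security context to report the result to
     * @return {@code NOT_ATTEMPTED} when the context does not require authentication,
     *     {@code AUTHENTICATED} when the token validated and the identity manager accepted the
     *     user, {@code NOT_AUTHENTICATED} otherwise
     */
    public AuthenticationMechanism.AuthenticationMechanismOutcome authenticate(HttpServerExchange httpServerExchange, SecurityContext securityContext) {
        if (!securityContext.isAuthenticationRequired()) {
            return AuthenticationMechanism.AuthenticationMechanismOutcome.NOT_ATTEMPTED;
        }
        String token = getToken(httpServerExchange);
        if (token == null) {
            httpServerExchange.putAttachment(JwtAttachments.AUTH_MESSAGE_KEY, "Bearer token authentication is required");
            securityContext.authenticationFailed("No token present", MECHANISM_NAME);
            return AuthenticationMechanism.AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
        }
        try {
            Authenticator authenticator = this.authenticationService.get().newAuthenticator();
            // attached before validation, so it is present on the exchange whether or not the token is accepted
            httpServerExchange.putAttachment(JwtAttachments.AUTHENTICATOR_KEY, authenticator);
            Credential credential = authenticator.validate(token);
            Account account = authorize(credential);
            httpServerExchange.putAttachment(JwtAttachments.CREDENTIAL_KEY, credential);
            securityContext.authenticationComplete(account, MECHANISM_NAME, true);
            return AuthenticationMechanism.AuthenticationMechanismOutcome.AUTHENTICATED;
        } catch (AuthenticationException e) {
            // token rejected by the validator: the reason is carried to the client by sendChallenge
            // NOTE(review): confirm the validator's messages do not disclose key/issuer internals
            httpServerExchange.putAttachment(JwtAttachments.AUTH_MESSAGE_KEY, e.getMessage());
            securityContext.setAuthenticationRequired();
            return AuthenticationMechanism.AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
        } catch (AuthorizationException e) {
            // valid token, unknown user: answer 403 rather than re-challenging for a token
            httpServerExchange.putAttachment(JwtAttachments.AUTH_FAILED_KEY, FORBIDDEN_STATUS);
            securityContext.authenticationFailed(e.getMessage(), MECHANISM_NAME);
            return AuthenticationMechanism.AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
        } catch (Exception e) {
            // unexpected failure: logged server-side only; no AUTH_MESSAGE_KEY is set, so the
            // challenge builder receives a null message for this case
            UndertowLogger.LOGGER.error(e.getMessage(), e);
            return AuthenticationMechanism.AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
        }
    }

    /**
     * Returns the bearer token presented with the request, preferring the header over the query
     * parameter.
     *
     * @param httpServerExchange the current exchange
     * @return the token, or {@code null} if neither location carries a non-empty token
     */
    private String getToken(HttpServerExchange httpServerExchange) {
        String token = extractTokenFromHeader(httpServerExchange);
        if (token == null) {
            token = extractTokenFromQueryParam(httpServerExchange);
        }
        return token;
    }

    /**
     * Extracts the token from the {@code Authorization} header.
     *
     * @param httpServerExchange the current exchange
     * @return the trimmed token, or {@code null} if the header is absent, uses another scheme or
     *     carries no token after the scheme
     */
    private String extractTokenFromHeader(HttpServerExchange httpServerExchange) {
        String header = httpServerExchange.getRequestHeaders().getFirst(AUTH_HEADER);
        // NOTE(review): the scheme match is case-sensitive; RFC 7235 auth-scheme names are
        // case-insensitive, so "bearer ..." is not accepted here
        if (header == null || !header.startsWith(BEARER_AUTH_SCHEMA + " ")) {
            return null;
        }
        // "Bearer " followed by nothing must read as "no token", not as an empty token
        return emptyToNull(header.substring(BEARER_AUTH_SCHEMA.length()).trim());
    }

    /**
     * Extracts the token from the {@code access_token} query parameter.
     * <p>
     * Tokens in the request URI can be recorded in access logs, proxy logs, browser history and
     * {@code Referer} headers (RFC 6750 §2.3 discourages this transport); the header form should
     * be preferred wherever the client can send it.
     *
     * @param httpServerExchange the current exchange
     * @return the first value of the parameter, or {@code null} if it is absent or empty
     */
    private String extractTokenFromQueryParam(HttpServerExchange httpServerExchange) {
        Deque<String> values = httpServerExchange.getQueryParameters().get(AUTH_QUERY_PARAM);
        if (values == null) {
            return null;
        }
        // peekFirst, not getFirst: an empty deque must read as "no token" rather than throw
        return emptyToNull(values.peekFirst());
    }

    /**
     * Maps an empty string to {@code null} so that callers can treat "present but empty" and
     * "absent" identically.
     */
    private static String emptyToNull(String value) {
        return (value == null || value.isEmpty()) ? null : value;
    }

    /**
     * Sends the response for a failed {@link #authenticate}.
     * <p>
     * If {@code AUTH_FAILED_KEY} is set, the recorded status is returned without a challenge
     * body; otherwise a 401 challenge is rendered by the configured builder, carrying the issuer
     * URL and the message stored under {@code AUTH_MESSAGE_KEY}. Both attachments are removed
     * once consumed.
     *
     * @param httpServerExchange the current exchange
     * @param securityContext the security context (unused)
     * @return the challenge result with the status code that was chosen
     */
    public AuthenticationMechanism.ChallengeResult sendChallenge(HttpServerExchange httpServerExchange, SecurityContext securityContext) {
        Integer failedStatus = (Integer) httpServerExchange.getAttachment(JwtAttachments.AUTH_FAILED_KEY);
        if (failedStatus != null) {
            httpServerExchange.removeAttachment(JwtAttachments.AUTH_FAILED_KEY);
            return new AuthenticationMechanism.ChallengeResult(false, failedStatus);
        }
        // may be null when authenticate() hit an unexpected exception — builder is assumed to tolerate that
        String message = (String) httpServerExchange.getAttachment(JwtAttachments.AUTH_MESSAGE_KEY);
        this.challengeBuilder.get()
                .statusCode(UNAUTHORIZED_STATUS)
                .issuerUrl(this.authenticationService.get().getIssuerUrl())
                .message(message)
                .build()
                .send(httpServerExchange);
        httpServerExchange.removeAttachment(JwtAttachments.AUTH_MESSAGE_KEY);
        return new AuthenticationMechanism.ChallengeResult(true, UNAUTHORIZED_STATUS);
    }

    /**
     * Resolves a validated credential to an account via the identity manager.
     *
     * @param credential credential produced by token validation
     * @return the account the identity manager associates with the credential's principal
     * @throws AuthorizationException if the identity manager does not recognize the principal
     */
    private Account authorize(Credential credential) throws AuthorizationException {
        String userName = credential.getPrincipal().getName();
        Account account = this.identityManager.verify(userName, credential);
        if (account == null) {
            String message = String.format(NOT_AUTHORIZED_MESSAGE, userName);
            if (UndertowLogger.LOGGER.isDebugEnabled()) {
                UndertowLogger.LOGGER.debug(message);
            }
            throw new AuthorizationException(message);
        }
        if (UndertowLogger.LOGGER.isDebugEnabled()) {
            UndertowLogger.LOGGER.debug("authorization successful: user=" + account.getPrincipal().getName() + " roles=" + account.getRoles());
        }
        return account;
    }
}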
