package org.nuxeo.ecm.platform.ui.web.keycloak;

import java.lang.reflect.Method;
import java.security.Principal;
import java.util.List;
import javax.security.auth.login.LoginContext;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.catalina.authenticator.FormAuthenticator;
import org.apache.catalina.connector.Request;
import org.apache.catalina.deploy.LoginConfig;
import org.apache.catalina.realm.GenericPrincipal;
import org.keycloak.KeycloakPrincipal;
import org.keycloak.adapters.AdapterTokenStore;
import org.keycloak.adapters.AuthChallenge;
import org.keycloak.adapters.AuthOutcome;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.OAuthRequestAuthenticator;
import org.keycloak.adapters.RefreshableKeycloakSecurityContext;
import org.keycloak.adapters.RequestAuthenticator;
import org.keycloak.adapters.tomcat.CatalinaCookieTokenStore;
import org.keycloak.adapters.tomcat.CatalinaHttpFacade;
import org.keycloak.adapters.tomcat.CatalinaSessionTokenStore;
import org.keycloak.adapters.tomcat.CatalinaUserSessionManagement;
import org.keycloak.adapters.tomcat.GenericPrincipalFactory;
import org.keycloak.adapters.tomcat.KeycloakAuthenticatorValve;
import org.keycloak.enums.TokenStore;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/nuxeo/ecm/platform/ui/web/keycloak/KeycloakRequestAuthenticator.class */
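/**
 * Keycloak {@link RequestAuthenticator} bound to one Catalina request/response pair.
 *
 * <p>It delegates the actual authentication to the Keycloak adapter. When that does not
 * authenticate the caller, it either forwards to the web application's configured login
 * error page or lets the adapter issue its challenge. On success via the OAuth or bearer
 * flows, the token is published as the request attribute {@link #KEYCLOAK_ACCESS_TOKEN}.
 *
 * <p>Instances hold per-request state ({@link #request}, {@link #response}) and are not
 * written to be shared between requests.
 */
public class KeycloakRequestAuthenticator extends RequestAuthenticator {
    private static final Logger LOGGER = LoggerFactory.getLogger(KeycloakRequestAuthenticator.class);

    /**
     * Request attribute under which the authenticated caller's token is stored.
     * Downstream code reading this attribute is handling credential-derived data and
     * should avoid logging it or echoing it into responses.
     */
    public static final String KEYCLOAK_ACCESS_TOKEN = "KEYCLOAK_ACCESS_TOKEN";

    /** Request note key used to cache the token store for the lifetime of one request. */
    private static final String TOKEN_STORE_NOTE = "TOKEN_STORE_NOTE";

    private CatalinaUserSessionManagement userSessionManagement;
    protected Request request;
    protected HttpServletResponse response;
    protected LoginConfig loginConfig;

    /**
     * Creates an authenticator for a single request.
     *
     * @param request the Catalina request being authenticated
     * @param httpServletResponse the response used when forwarding to the error page
     * @param catalinaHttpFacade the Keycloak facade wrapping the same request/response
     * @param keycloakDeployment the resolved Keycloak deployment configuration
     */
    public KeycloakRequestAuthenticator(Request request, HttpServletResponse httpServletResponse, CatalinaHttpFacade catalinaHttpFacade, KeycloakDeployment keycloakDeployment) {
        super(catalinaHttpFacade, keycloakDeployment);
        // Order matters: getTokenStore() reads userSessionManagement and request, so both
        // must be assigned before it is called.
        this.userSessionManagement = new CatalinaUserSessionManagement();
        this.request = request;
        this.response = httpServletResponse;
        // NOTE(review): getTokenStore() is overridable and is invoked from the constructor;
        // a subclass override would run before that subclass's own fields are initialised.
        this.tokenStore = getTokenStore();
        this.sslRedirectPort = request.getConnector().getRedirectPort();
    }

    /**
     * Runs the Keycloak authentication and, when it does not succeed, handles the challenge.
     *
     * <p>Every path other than a successful delegate authentication returns
     * {@link AuthOutcome#FAILED}, including the paths that forwarded to the error page or
     * sent a challenge.
     *
     * @return {@link AuthOutcome#AUTHENTICATED} if the adapter authenticated the caller,
     *         otherwise {@link AuthOutcome#FAILED}
     */
    @Override
    public AuthOutcome authenticate() {
        if (super.authenticate() == AuthOutcome.AUTHENTICATED) {
            return AuthOutcome.AUTHENTICATED;
        }

        AuthChallenge challenge = getChallenge();
        if (challenge == null) {
            return AuthOutcome.FAILED;
        }

        // The login configuration is looked up once and then reused by this instance.
        if (this.loginConfig == null) {
            this.loginConfig = this.request.getContext().getLoginConfig();
        }

        boolean forwardedToErrorPage = challenge.errorPage()
                && forwardToErrorPageInternal(this.request, this.response, this.loginConfig);
        if (!forwardedToErrorPage) {
            challenge.challenge(this.facade);
        }
        return AuthOutcome.FAILED;
    }

    /**
     * Tries to forward the request to the error page declared in the login configuration.
     *
     * @param request the request to forward
     * @param httpServletResponse the response to forward with
     * @param obj the login configuration, expected to be a {@link LoginConfig}; may be null
     * @return {@code false} when there is no login configuration or it declares no error
     *         page, {@code true} when the reflective forward call returned normally
     * @throws RuntimeException if the reflective lookup or invocation fails
     */
    protected boolean forwardToErrorPageInternal(Request request, HttpServletResponse httpServletResponse, Object obj) {
        if (obj == null) {
            return false;
        }
        LoginConfig config = (LoginConfig) obj;
        if (config.getErrorPage() == null) {
            return false;
        }
        try {
            // setAccessible(true) reaches a non-public method of the container's
            // FormAuthenticator. This ties the class to Tomcat internals and can be refused
            // by a security manager or by module encapsulation.
            Method forwardMethod = FormAuthenticator.class.getDeclaredMethod("forwardToErrorPage", Request.class, HttpServletResponse.class, LoginConfig.class);
            forwardMethod.setAccessible(true);
            // NOTE(review): the receiver passed here is `this`, which extends
            // RequestAuthenticator and is not a FormAuthenticator. Method.invoke rejects a
            // receiver that is not an instance of the declaring class, so this call looks
            // like it always ends in the catch block below. Confirm, and either supply a
            // real FormAuthenticator or forward through the servlet API instead.
            forwardMethod.invoke(this, request, httpServletResponse, config);
            return true;
        } catch (Exception e) {
            LOGGER.error("Error occurred during Keycloak authentication", e);
            throw new RuntimeException("Error occurred during Keycloak authentication", e);
        }
    }

    /**
     * Builds the factory that turns an authenticated principal and its role names into a
     * Catalina {@link GenericPrincipal}.
     *
     * @return a factory producing principals with no password and no login context
     */
    protected GenericPrincipalFactory createPrincipalFactory() {
        return new GenericPrincipalFactory() {
            protected GenericPrincipal createPrincipal(Principal principal, List<String> list) {
                // The second and last arguments are passed as null. The original principal
                // is kept as the fourth argument.
                return new GenericPrincipal(principal.getName(), (String) null, list, principal, (LoginContext) null);
            }
        };
    }

    /**
     * Returns the token store for the current request, creating and caching it on first use.
     *
     * <p>The store is cached as a request note, so repeated calls for the same request
     * return the same instance. The deployment's configured {@link TokenStore} selects
     * between the session-backed and the cookie-backed implementation.
     *
     * @return the cached or newly created token store
     */
    protected AdapterTokenStore getTokenStore() {
        AdapterTokenStore cached = (AdapterTokenStore) this.request.getNote(TOKEN_STORE_NOTE);
        if (cached != null) {
            return cached;
        }

        // Declared as the common interface: the two branches create unrelated concrete
        // types, so a local typed as CatalinaSessionTokenStore cannot hold both.
        AdapterTokenStore created;
        if (this.deployment.getTokenStore() == TokenStore.SESSION) {
            // NOTE(review): a fresh KeycloakAuthenticatorValve is constructed here rather
            // than taken from the container pipeline. Confirm the session store does not
            // rely on that valve having been configured or started by Tomcat.
            created = new CatalinaSessionTokenStore(this.request, this.deployment, this.userSessionManagement, createPrincipalFactory(), new KeycloakAuthenticatorValve());
        } else {
            created = new CatalinaCookieTokenStore(this.request, this.facade, this.deployment, createPrincipalFactory());
        }
        this.request.setNote(TOKEN_STORE_NOTE, created);
        return created;
    }

    /**
     * Creates the OAuth authenticator used for the browser redirect flow.
     *
     * @return an authenticator sharing this instance's facade, deployment and token store
     */
    protected OAuthRequestAuthenticator createOAuthAuthenticator() {
        return new OAuthRequestAuthenticator(this, this.facade, this.deployment, this.sslRedirectPort, this.tokenStore);
    }

    /**
     * Publishes the authenticated caller's token on the request.
     *
     * @param keycloakPrincipal the authenticated principal whose security context holds
     *        the token
     */
    protected void completeOAuthAuthentication(KeycloakPrincipal<RefreshableKeycloakSecurityContext> keycloakPrincipal) {
        // Anything that dumps request attributes (debug logging, error pages) will include
        // this value, so treat the attribute as sensitive.
        this.request.setAttribute(KEYCLOAK_ACCESS_TOKEN, keycloakPrincipal.getKeycloakSecurityContext().getToken());
    }

    /**
     * Completes a bearer-token authentication the same way as the OAuth flow.
     *
     * @param keycloakPrincipal the authenticated principal
     * @param str not used by this implementation
     */
    protected void completeBearerAuthentication(KeycloakPrincipal<RefreshableKeycloakSecurityContext> keycloakPrincipal, String str) {
        completeOAuthAuthentication(keycloakPrincipal);
    }

    /**
     * Returns the HTTP session id for the current request.
     *
     * @param z passed to {@code getSession}; when {@code true} a session is created if none
     *        exists
     * @return the session id, or {@code null} when no session is available
     */
    protected String getHttpSessionId(boolean z) {
        HttpSession session = this.request.getSession(z);
        return session != null ? session.getId() : null;
    }
}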
