package cz.integsoft.mule.security.internal;

import cz.integsoft.mule.security.api.SecurityConstants;
import cz.integsoft.mule.security.api.SecurityErrorCode;
import cz.integsoft.mule.security.api.TokenCacheManager;
import cz.integsoft.mule.security.api.UserSource;
import cz.integsoft.mule.security.api.exception.CredentialsNotSetException;
import cz.integsoft.mule.security.api.exception.UnauthorizedException;
import cz.integsoft.mule.security.api.util.SecurityUtils;
import cz.integsoft.mule.security.internal.component.KeycloakAuthenticationRetryStrategy;
import cz.integsoft.mule.security.internal.config.AuthenticationConfig;
import cz.integsoft.mule.security.internal.http.HeadersRewriteRequestWrapper;
import cz.integsoft.mule.security.internal.http.HeadersRewriteResponseWrapper;
import cz.integsoft.mule.security.internal.http.MuleHttpListenerServletRequest;
import cz.integsoft.mule.security.internal.http.MuleHttpListenerServletResponse;
import cz.integsoft.mule.security.internal.parameter.AuthenticationParameters;
import cz.integsoft.mule.security.internal.spring.SpringAuthenticationAdapter;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.nio.charset.StandardCharsets;
import java.text.MessageFormat;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.exception.ExceptionUtils;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.adapters.AdapterDeploymentContext;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.springsecurity.facade.SimpleHttpFacade;
import org.keycloak.adapters.springsecurity.filter.KeycloakAuthenticationProcessingFilter;
import org.keycloak.common.util.Base64;
import org.keycloak.representations.AccessTokenResponse;
import org.mule.extension.http.api.HttpListenerResponseAttributes;
import org.mule.extension.http.api.HttpRequestAttributes;
import org.mule.runtime.api.message.Message;
import org.mule.runtime.api.security.Authentication;
import org.mule.runtime.api.security.SecurityException;
import org.mule.runtime.api.security.SecurityProviderNotFoundException;
import org.mule.runtime.api.security.UnknownAuthenticationTypeException;
import org.mule.runtime.api.util.MultiMap;
import org.mule.runtime.core.api.security.SecurityManager;
import org.mule.runtime.extension.api.security.AuthenticationHandler;
import org.mule.runtime.http.api.HttpConstants;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;

/* loaded from: input_file:cz/integsoft/mule/security/internal/KeycloakAuthenticationDelegate.class */
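/**
 * Authenticates an inbound Mule HTTP request against Keycloak.
 *
 * <p>Dispatch is driven by the {@code Authorization} header:
 * <ul>
 *   <li>no header: fail, or fall back to an anonymous token when configured;</li>
 *   <li>{@code Bearer}: validate the token through the Keycloak authentication filter;</li>
 *   <li>{@code Basic}: exchange the credentials for a Keycloak access token (optionally via
 *       the token cache), then validate that token as a bearer token;</li>
 *   <li>anything else, or Basic when disabled: fail.</li>
 * </ul>
 * Every outcome is written to the {@code SECURITY_AUDIT} logger. Failures surface as
 * {@link UnauthorizedException} carrying a 401 response with a {@code WWW-Authenticate} challenge.
 *
 * <p>Collaborators (filter, deployment context, security manager, token cache) are injected
 * through the setters; the instance is not usable before they are set.
 */
public class KeycloakAuthenticationDelegate {
    /** Audit trail: one line per authentication success or failure. */
    private static final Logger AUDIT_LOG = LoggerFactory.getLogger("SECURITY_AUDIT");
    private static final Logger LOG = LoggerFactory.getLogger(KeycloakAuthenticationDelegate.class);
    private static final String AUTHORIZATION_HEADER = "Authorization";
    private static final String NOT_AVAILABLE = "N/A";

    private KeycloakAuthenticationProcessingFilter keycloakFilter;
    private AdapterDeploymentContext deploymentContext;
    private SecurityManager securityManager;
    private TokenCacheManager tokenCacheManager;

    /**
     * Authenticates the request described by {@code httpRequestAttributes} and publishes the
     * resulting {@link Authentication} through {@code authenticationHandler}.
     *
     * @param authenticationConfig     global configuration (realm name, token cache settings)
     * @param authenticationParameters per-operation parameters (overrides, fallback, logging flags)
     * @param map                      unused; kept for interface compatibility
     * @param httpRequestAttributes    attributes of the inbound HTTP listener request
     * @param authenticationHandler    Mule handler that receives the authentication result
     * @throws UnknownAuthenticationTypeException propagated from the Mule security manager
     * @throws UnauthorizedException (unchecked) when authentication fails and no anonymous fallback applies
     */
    public void authenticate(AuthenticationConfig authenticationConfig, AuthenticationParameters authenticationParameters, Map<String, Object> map, HttpRequestAttributes httpRequestAttributes, AuthenticationHandler authenticationHandler) throws UnknownAuthenticationTypeException {
        String authorizationHeader = SecurityUtils.getHeaderIgnoreCase(httpRequestAttributes, AUTHORIZATION_HEADER);
        if (LOG.isDebugEnabled()) {
            // NOTE(review): this writes the raw credential/token to the application log; keep DEBUG off outside development.
            LOG.debug("Authorization header: " + authorizationHeader);
        }
        HeadersRewriteRequestWrapper request = new HeadersRewriteRequestWrapper(new MuleHttpListenerServletRequest(httpRequestAttributes, SecurityUtils.getDefaultEncoding()));
        HttpServletResponse response = new HeadersRewriteResponseWrapper(new MuleHttpListenerServletResponse(httpRequestAttributes, SecurityUtils.getDefaultEncoding()));

        // Per-operation realm / client overrides travel to the Keycloak adapter as request headers.
        if (StringUtils.isNotEmpty(authenticationParameters.getRealmNameOverride())) {
            request.putHeader(SecurityConstants.HEADER_REALM_OVERRIDE_NAME, authenticationParameters.getRealmNameOverride());
        }
        if (StringUtils.isNotEmpty(authenticationParameters.getClientIdOverride())) {
            request.putHeader(SecurityConstants.HEADER_CLIENT_ID_OVERRIDE_NAME, authenticationParameters.getClientIdOverride());
        }

        // Preflight requests are never authenticated.
        if (HttpConstants.Method.OPTIONS.name().equalsIgnoreCase(request.getMethod())) {
            return;
        }

        if (authorizationHeader == null) {
            handleMissingHeader(authenticationConfig, authenticationParameters, request, httpRequestAttributes, authenticationHandler);
            return;
        }
        if (SecurityUtils.isBearerTokenRequest(authorizationHeader)) {
            authenticateBearer(authenticationConfig, authenticationParameters, authorizationHeader, request, response, httpRequestAttributes, authenticationHandler);
            return;
        }
        if (!SecurityUtils.isBasicAuthRequest(authorizationHeader) || authenticationParameters.isDisableBasicAuth()) {
            // Unsupported scheme (or Basic explicitly disabled): always throws, no anonymous fallback.
            onAuthenticationFailure(authenticationConfig, authenticationParameters, request, httpRequestAttributes, null, false, authenticationHandler);
            return;
        }
        authenticateBasic(authenticationConfig, authenticationParameters, authorizationHeader, request, response, httpRequestAttributes, authenticationHandler);
    }

    /**
     * Handles a request without an {@code Authorization} header: fails when
     * {@code failOnMissingHeader} is set, otherwise defers to the failure handler, which may
     * install an anonymous token.
     */
    private void handleMissingHeader(AuthenticationConfig config, AuthenticationParameters params, HeadersRewriteRequestWrapper request, HttpRequestAttributes attributes, AuthenticationHandler handler) throws UnknownAuthenticationTypeException {
        if (params.isFailOnMissingHeader()) {
            String reason = "Missing security header.";
            AUDIT_LOG.error("Authentication failure for request {} from {}: {}", request.getRequestURI(), SecurityUtils.getRemoteAddress(attributes), reason);
            throw new UnauthorizedException(SecurityErrorCode.SEC_ANY_001, MessageFormat.format("Authentication failure for request {0} from {1}: {2}", request.getRequestURI(), SecurityUtils.getRemoteAddress(attributes), reason), unauthorizedResponse(config.getRealmName()));
        }
        if (LOG.isWarnEnabled()) {
            LOG.warn("Missing Authorization header. This means that later on your identity cannot be verified. As a result, calling secured methods will result in Access Denied.");
        }
        // headerMissing=true enables the anonymous fallback if the parameters allow it.
        onAuthenticationFailure(config, params, request, attributes, null, true, handler);
    }

    /** Validates a {@code Bearer} token through the Keycloak filter and records the outcome. */
    private void authenticateBearer(AuthenticationConfig config, AuthenticationParameters params, String authorizationHeader, HeadersRewriteRequestWrapper request, HttpServletResponse response, HttpRequestAttributes attributes, AuthenticationHandler handler) throws UnknownAuthenticationTypeException {
        try {
            Authentication authentication = authenticateWithKeycloakFilter(request, response, handler);
            onAuthenticationSuccess(authentication, request, attributes, null, handler);
        } catch (UnauthorizedException e) {
            if (shouldLogFailedCredentials(params)) {
                // Opt-in only: the rejected token itself goes to the audit log.
                AUDIT_LOG.error("Bearer authentication failed: {}\nToken:{}", ExceptionUtils.getRootCauseMessage(e), SecurityUtils.getBearerToken(authorizationHeader, NOT_AVAILABLE));
            }
            onAuthenticationFailure(config, params, request, attributes, e, false, handler);
        }
    }

    /**
     * Exchanges {@code Basic} credentials for a Keycloak access token, then validates that token
     * as a bearer token. When the token cache is enabled, a cached (refreshed) token is used
     * instead of a new password grant, and a freshly obtained token is stored afterwards.
     */
    private void authenticateBasic(AuthenticationConfig config, AuthenticationParameters params, String authorizationHeader, HeadersRewriteRequestWrapper request, HttpServletResponse response, HttpRequestAttributes attributes, AuthenticationHandler handler) throws UnknownAuthenticationTypeException {
        try {
            String[] schemeAndCredentials = authorizationHeader.trim().split("\\s+");
            if (schemeAndCredentials.length != 2) {
                // headerMissing=false: the failure handler always throws here.
                onAuthenticationFailure(config, params, request, attributes, null, false, handler);
                return;
            }
            KeycloakDeployment deployment = deploymentContext.resolveDeployment(new SimpleHttpFacade(request, response));
            String userSourceHeader = request.getHeader(SecurityConstants.HEADER_TENANT_USER_SOURCE_KEY);
            UserSource userSource = UserSource.getOrThrow(userSourceHeader == null ? SecurityConstants.DEFAULT_USER_SOURCE.name().toLowerCase(Locale.ROOT) : userSourceHeader);
            AccessTokenResponse tokenResponse = null;
            try {
                // RFC 7617: the user-id cannot contain ':' but the password may, so split on the first ':' only.
                String[] credentials = new String(Base64.decode(schemeAndCredentials[1]), StandardCharsets.UTF_8).split(":", 2);
                if (credentials.length != 2) {
                    throw new IllegalArgumentException("Malformed Basic credentials, expected user-id:password.");
                }
                if (config.isEnableTokenCache()) {
                    tokenResponse = tokenCacheManager.get(config.getCacheName(), authorizationHeader, userSource, deployment.getRealm(), refreshToken -> {
                        try {
                            return SecurityUtils.refreshToken(refreshToken, deployment, userSource);
                        } catch (IOException e) {
                            throw new UncheckedIOException(e);
                        }
                    });
                }
                if (tokenResponse == null) {
                    tokenResponse = SecurityUtils.getToken(credentials[0], credentials[1], userSource.name().toLowerCase(Locale.ROOT), deployment, new KeycloakAuthenticationRetryStrategy());
                }
                // Replace the Basic header with the obtained token so the Keycloak filter can validate it.
                request.putHeader(AUTHORIZATION_HEADER, "Bearer " + tokenResponse.getToken());
                Authentication authentication = authenticateWithKeycloakFilter(request, response, handler);
                if (config.isEnableTokenCache()) {
                    try {
                        tokenCacheManager.store(config.getCacheName(), authorizationHeader, tokenResponse, userSource, deployment.getRealm());
                    } catch (Exception e) {
                        // Caching is best-effort; a cache outage must not fail an otherwise valid login.
                        LOG.warn("Failed to store token to the SSO token cache!", e);
                    }
                }
                onAuthenticationSuccess(authentication, request, attributes, tokenResponse, handler);
            } catch (Exception e) {
                throw new CredentialsNotSetException(SecurityErrorCode.SEC_ANY_001, MessageFormat.format("Error while fetching token. {0}", e.getMessage()), e);
            }
        } catch (CredentialsNotSetException | UnauthorizedException e) {
            if (shouldLogFailedCredentials(params)) {
                // NOTE(review): for Basic auth this writes the base64-encoded password to the audit log; it is opt-in only.
                AUDIT_LOG.error("Basic authentication failed: {}\nAuthentication header:{}", ExceptionUtils.getRootCauseMessage(e), authorizationHeader);
            }
            onAuthenticationFailure(config, params, request, attributes, e, false, handler);
        }
    }

    /** Whether rejected credentials are to be written to the audit log (system property or parameter). */
    private static boolean shouldLogFailedCredentials(AuthenticationParameters params) {
        return System.getProperty(SecurityConstants.LOG_TOKEN_SYSTEM_PROPERTY_NAME) != null || params.isLogFailedTokens();
    }

    /**
     * Runs the Keycloak authentication filter on the (possibly rewritten) request and publishes
     * the adapted result to the handler.
     *
     * @return the authentication now held by the handler
     * @throws UnauthorizedException on any failure; the original exception is kept as cause
     */
    private Authentication authenticateWithKeycloakFilter(HttpServletRequest request, HttpServletResponse response, AuthenticationHandler handler) throws UnauthorizedException {
        try {
            handler.setAuthentication(securityProviderNames(), new SpringAuthenticationAdapter(keycloakFilter.attemptAuthentication(request, response)));
            return (Authentication) handler.getAuthentication().get();
        } catch (Exception e) {
            throw new UnauthorizedException(SecurityErrorCode.SEC_ANY_001, "Failed to authorize the request.", e, null);
        }
    }

    /** Names of all security providers registered with the Mule security manager. */
    private List<String> securityProviderNames() {
        List<String> names = new ArrayList<>();
        securityManager.getProviders().forEach(provider -> names.add(provider.getName()));
        return names;
    }

    /**
     * Audits a successful authentication and attaches token / principal properties to it.
     * With a {@code tokenResponse} (Basic flow) both access and refresh tokens are attached;
     * otherwise (Bearer flow) the token string is taken from the Keycloak security context
     * when the credentials carry one.
     */
    private void onAuthenticationSuccess(Authentication authentication, HttpServletRequest request, HttpRequestAttributes attributes, AccessTokenResponse tokenResponse, AuthenticationHandler handler) throws UnknownAuthenticationTypeException {
        AUDIT_LOG.info("Authentication success for request {}: user {} remote {}", requestUri(request), authentication.getPrincipal(), SecurityUtils.getRemoteAddress(attributes));
        if (tokenResponse != null) {
            Map<String, Object> properties = propertiesOf(authentication);
            properties.put(SecurityConstants.ACCESS_TOKEN_PROPERTY_NAME, tokenResponse.getToken());
            properties.put(SecurityConstants.REFRESH_TOKEN_PROPERTY_NAME, tokenResponse.getRefreshToken());
            properties.put(SecurityConstants.PRINCIPAL_PROPERTY, authentication.getPrincipal());
            updateAuthenticationProperties(handler, authentication, properties);
        } else if (authentication.getCredentials() instanceof KeycloakSecurityContext) {
            KeycloakSecurityContext securityContext = (KeycloakSecurityContext) authentication.getCredentials();
            Map<String, Object> properties = propertiesOf(authentication);
            properties.put(SecurityConstants.ACCESS_TOKEN_PROPERTY_NAME, securityContext.getTokenString());
            properties.put(SecurityConstants.PRINCIPAL_PROPERTY, authentication.getPrincipal());
            updateAuthenticationProperties(handler, authentication, properties);
        }
    }

    /** The authentication's property map, or a fresh one when it has none. */
    private static Map<String, Object> propertiesOf(Authentication authentication) {
        Map<String, Object> properties = authentication.getProperties();
        return properties == null ? new HashMap<>() : properties;
    }

    /** Request URI for log messages; {@code "N/A"} when no request is available. */
    private static String requestUri(HttpServletRequest request) {
        return request == null ? NOT_AVAILABLE : request.getRequestURI();
    }

    /** Re-publishes the authentication with the given properties; failures are logged, not propagated. */
    private void updateAuthenticationProperties(AuthenticationHandler handler, Authentication authentication, Map<String, Object> properties) {
        try {
            handler.setAuthentication(securityProviderNames(), authentication.setProperties(properties));
        } catch (SecurityProviderNotFoundException | SecurityException | UnknownAuthenticationTypeException e) {
            LOG.warn("Error while updating authentication object with properties.", e);
        }
    }

    /**
     * Audits an authentication failure and either throws {@link UnauthorizedException} or, when
     * the header was missing and {@code useAnonymousFallback} is set, installs an anonymous token.
     *
     * @param cause         the underlying failure, or {@code null}
     * @param headerMissing {@code true} only when the request carried no Authorization header;
     *                      the anonymous fallback is never applied to malformed or rejected credentials
     */
    private void onAuthenticationFailure(AuthenticationConfig config, AuthenticationParameters params, HttpServletRequest request, HttpRequestAttributes attributes, Exception cause, boolean headerMissing, AuthenticationHandler handler) throws UnknownAuthenticationTypeException {
        String requestUri = requestUri(request);
        AUDIT_LOG.error("Authentication failure for request {} from {}: {}", requestUri,
                request == null ? NOT_AVAILABLE : SecurityUtils.getRemoteAddress(attributes),
                cause == null ? NOT_AVAILABLE : ExceptionUtils.getRootCauseMessage(cause));
        if (!headerMissing || !params.isUseAnonymousFallback()) {
            throw new UnauthorizedException(SecurityErrorCode.SEC_ANY_001, MessageFormat.format("Authentication failure for request {0}", requestUri), cause, unauthorizedResponse(config.getRealmName()));
        }
        LOG.warn("Falling back to anonymous token. Please be careful when using anonymous fallback.");
        try {
            handler.setAuthentication(securityProviderNames(), anonymousAuthentication(params));
        } catch (SecurityProviderNotFoundException | SecurityException e) {
            LOG.warn("Failed to install the anonymous authentication.", e);
            throw new UnauthorizedException(SecurityErrorCode.SEC_ANY_001, MessageFormat.format("Authentication failure for request {0}", requestUri), cause, unauthorizedResponse(config.getRealmName()));
        }
    }

    /**
     * Builds the 401 response message carrying a {@code WWW-Authenticate: Basic realm=...} challenge.
     * The realm name is not quoted-string escaped; it is expected to come from configuration.
     */
    private Message unauthorizedResponse(String realmName) {
        String challenge = realmName != null ? "Basic realm=\"" + realmName + "\"" : "Basic realm=";
        MultiMap<String, String> headers = new MultiMap<>();
        headers.put("WWW-Authenticate", challenge);
        HttpListenerResponseAttributes attributes = new HttpListenerResponseAttributes(
                HttpConstants.HttpStatus.UNAUTHORIZED.getStatusCode(),
                HttpConstants.HttpStatus.UNAUTHORIZED.getReasonPhrase(),
                headers);
        return Message.builder().nullValue().attributesValue(attributes).build();
    }

    /** Anonymous authentication built from the configured key, principal and authorities. */
    private Authentication anonymousAuthentication(AuthenticationParameters params) {
        AnonymousAuthenticationToken token = new AnonymousAuthenticationToken(params.getKey(), params.getPrincipal(), parseAuthorities(params.getAuthorities()));
        return new SpringAuthenticationAdapter(token, null);
    }

    /** Parses a comma-separated authority list; blank input yields an empty (mutable) list. Entries are not trimmed. */
    private List<GrantedAuthority> parseAuthorities(String authorities) {
        if (StringUtils.isBlank(authorities)) {
            return new ArrayList<>();
        }
        return AuthorityUtils.createAuthorityList(authorities.split(","));
    }

    public KeycloakAuthenticationProcessingFilter getKeycloakFilter() {
        return keycloakFilter;
    }

    public void setKeycloakFilter(KeycloakAuthenticationProcessingFilter keycloakAuthenticationProcessingFilter) {
        this.keycloakFilter = keycloakAuthenticationProcessingFilter;
    }

    public AdapterDeploymentContext getDeploymentContext() {
        return deploymentContext;
    }

    public void setDeploymentContext(AdapterDeploymentContext adapterDeploymentContext) {
        this.deploymentContext = adapterDeploymentContext;
    }

    public SecurityManager getSecurityManager() {
        return securityManager;
    }

    public void setSecurityManager(SecurityManager securityManager) {
        this.securityManager = securityManager;
    }

    public void setTokenCacheManager(TokenCacheManager tokenCacheManager) {
        this.tokenCacheManager = tokenCacheManager;
    }

    @Override
    public String toString() {
        return "KeycloakAuthenticationDelegate [keycloakFilter=" + keycloakFilter + ", deploymentContext=" + deploymentContext + ", securityManager=" + securityManager + "]";
    }
}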
