package org.keycloak.authentication.authenticators.client;

import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import org.jboss.logging.Logger;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.ClientAuthenticationFlowContext;
import org.keycloak.authentication.forms.RegistrationRecaptcha;
import org.keycloak.models.AuthenticationExecutionModel;
import org.keycloak.models.ClientModel;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.services.resources.Cors;
import org.keycloak.util.BasicAuthHelper;

/* loaded from: input_file:org/keycloak/authentication/authenticators/client/ClientIdAndSecretAuthenticator.class */
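/**
 * Client authenticator that validates a client by {@code client_id} and {@code client_secret}.
 *
 * <p>Credentials are read from an {@code Authorization: Basic} header when one parses
 * successfully, otherwise from the decoded form parameters. Public clients are accepted
 * without any secret check; confidential clients must present a secret that
 * {@link ClientModel#validateSecret(String)} accepts.
 *
 * <p>NOTE(review): this listing is decompiler output. Constant references such as
 * {@code Cors.AUTHORIZATION_HEADER} and {@code RegistrationRecaptcha.SITE_SECRET} may have
 * been resolved by string value rather than by the constant the original source used.
 * Confirm against the upstream source before relying on them.
 */
public class ClientIdAndSecretAuthenticator extends AbstractClientAuthenticator {
    public static final String PROVIDER_ID = "client-secret";
    protected static Logger logger = Logger.getLogger(ClientIdAndSecretAuthenticator.class);
    public static final AuthenticationExecutionModel.Requirement[] REQUIREMENT_CHOICES = {AuthenticationExecutionModel.Requirement.ALTERNATIVE, AuthenticationExecutionModel.Requirement.DISABLED};

    /**
     * Authenticates the calling client and records the outcome on the flow context.
     *
     * <p>Outcomes, in evaluation order:
     * <ul>
     *   <li>Authorization header present but not parseable, and no {@code client_id} form
     *       parameter: 401 challenge with a {@code WWW-Authenticate: Basic} header.</li>
     *   <li>No client id found: 400 {@code invalid_client} challenge.</li>
     *   <li>Unknown client: failure {@code CLIENT_NOT_FOUND}.</li>
     *   <li>Disabled client: failure {@code CLIENT_DISABLED}.</li>
     *   <li>Public client: success, no secret is checked.</li>
     *   <li>No secret supplied: 400 {@code unauthorized_client} challenge.</li>
     *   <li>Client has no stored secret, or the secret does not validate: failure
     *       {@code INVALID_CLIENT_CREDENTIALS}.</li>
     *   <li>Otherwise: success.</li>
     * </ul>
     *
     * @param clientAuthenticationFlowContext flow context carrying the HTTP request, realm and event
     */
    @Override // org.keycloak.authentication.ClientAuthenticator
    public void authenticateClient(ClientAuthenticationFlowContext clientAuthenticationFlowContext) {
        String clientId = null;
        String providedSecret = null;
        String authorizationHeader = (String) clientAuthenticationFlowContext.getHttpRequest().getHttpHeaders().getRequestHeaders().getFirst(Cors.AUTHORIZATION_HEADER);
        MultivaluedMap<String, String> formParams = clientAuthenticationFlowContext.getHttpRequest().getDecodedFormParameters();

        if (authorizationHeader != null) {
            String[] basicCredentials = BasicAuthHelper.parseHeader(authorizationHeader);
            if (basicCredentials != null) {
                // Header credentials take precedence: form parameters are only consulted
                // below when no client id was obtained here.
                clientId = basicCredentials[0];
                providedSecret = basicCredentials[1];
            } else if (!formParams.containsKey(OIDCLoginProtocol.CLIENT_ID_PARAM)) {
                // NOTE(review): the realm name is concatenated into the header value without
                // escaping; this assumes realm names cannot contain '"' or line breaks.
                // Confirm that realm-name validation enforces this.
                clientAuthenticationFlowContext.challenge(Response.status(Response.Status.UNAUTHORIZED).header("WWW-Authenticate", "Basic realm=\"" + clientAuthenticationFlowContext.getRealm().getName() + "\"").build());
                return;
            }
        }

        if (clientId == null) {
            clientId = formParams.getFirst(OIDCLoginProtocol.CLIENT_ID_PARAM);
            providedSecret = formParams.getFirst("client_secret");
        }
        if (clientId == null) {
            clientAuthenticationFlowContext.challenge(ClientAuthUtil.errorResponse(Response.Status.BAD_REQUEST.getStatusCode(), "invalid_client", "Missing client_id parameter"));
            return;
        }

        // The id recorded on the event is the request-supplied value; it has not been
        // matched against a registered client at this point.
        clientAuthenticationFlowContext.getEvent().client(clientId);

        ClientModel client = clientAuthenticationFlowContext.getRealm().getClientByClientId(clientId);
        if (client == null) {
            // NOTE(review): unknown clients and bad secrets take different failure paths.
            // Whether that difference is visible to the caller (client_id enumeration)
            // depends on how the flow renders failures; verify there.
            clientAuthenticationFlowContext.failure(AuthenticationFlowError.CLIENT_NOT_FOUND, null);
            return;
        }
        clientAuthenticationFlowContext.setClient(client);

        if (!client.isEnabled()) {
            clientAuthenticationFlowContext.failure(AuthenticationFlowError.CLIENT_DISABLED, null);
            return;
        }
        if (client.isPublicClient()) {
            // Public clients pass with the client id alone; any secret in the request is ignored.
            clientAuthenticationFlowContext.success();
            return;
        }
        if (providedSecret == null) {
            clientAuthenticationFlowContext.challenge(ClientAuthUtil.errorResponse(Response.Status.BAD_REQUEST.getStatusCode(), "unauthorized_client", "Client secret not provided in request"));
            return;
        }

        // A confidential client with no stored secret can never authenticate here, and
        // validateSecret is not called for it.
        // NOTE(review): the comparison inside validateSecret is not visible in this file;
        // confirm that it is constant-time.
        boolean secretAccepted = client.getSecret() != null && client.validateSecret(providedSecret);
        if (secretAccepted) {
            clientAuthenticationFlowContext.success();
        } else {
            clientAuthenticationFlowContext.failure(AuthenticationFlowError.INVALID_CLIENT_CREDENTIALS, ClientAuthUtil.errorResponse(Response.Status.BAD_REQUEST.getStatusCode(), "unauthorized_client", "Invalid client secret"));
        }
    }

    /** Returns the human-readable name of this authenticator. */
    @Override // org.keycloak.authentication.ConfigurableAuthenticatorFactory
    public String getDisplayType() {
        return "Client Id and Secret";
    }

    /** Returns {@code false}: this authenticator reports itself as not configurable. */
    @Override // org.keycloak.authentication.ClientAuthenticatorFactory, org.keycloak.authentication.ConfigurableAuthenticatorFactory
    public boolean isConfigurable() {
        return false;
    }

    /** Returns the supported requirement choices, {@code ALTERNATIVE} and {@code DISABLED}. */
    @Override // org.keycloak.authentication.ConfigurableAuthenticatorFactory
    public AuthenticationExecutionModel.Requirement[] getRequirementChoices() {
        return REQUIREMENT_CHOICES;
    }

    /** Returns a short description of what this authenticator validates. */
    public String getHelpText() {
        return "Validates client based on 'client_id' and 'client_secret' sent either in request parameters or in 'Authorization: Basic' header";
    }

    /** Returns a new, empty, mutable list: there are no provider-level config properties. */
    public List<ProviderConfigProperty> getConfigProperties() {
        return new LinkedList<>();
    }

    /** Returns an immutable empty list: there are no per-client config properties. */
    @Override // org.keycloak.authentication.ClientAuthenticatorFactory
    public List<ProviderConfigProperty> getConfigPropertiesPerClient() {
        return Collections.emptyList();
    }

    /**
     * Builds the adapter configuration entries for the given client.
     *
     * <p>The returned map holds the client's secret in clear text, so callers must treat it
     * as sensitive and keep it out of logs and out of responses to unauthorised parties.
     *
     * @param clientModel client whose secret is exported
     * @return a new mutable map with a single entry holding the client secret
     */
    @Override // org.keycloak.authentication.ClientAuthenticatorFactory
    public Map<String, Object> getAdapterConfiguration(ClientModel clientModel) {
        Map<String, Object> adapterConfig = new HashMap<>();
        // NOTE(review): the key comes from a reCAPTCHA registration constant, which is
        // unrelated to client authentication. This is probably a decompiler
        // constant-resolution artifact; confirm the intended key against upstream.
        adapterConfig.put(RegistrationRecaptcha.SITE_SECRET, clientModel.getSecret());
        return adapterConfig;
    }

    /** Returns the provider id, {@link #PROVIDER_ID}. */
    public String getId() {
        return PROVIDER_ID;
    }
}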
