package org.keycloak.authentication.authenticators.x509;

import jakarta.ws.rs.core.Response;
import java.security.cert.X509Certificate;
import org.jboss.logging.Logger;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.authenticators.browser.AbstractUsernameFormAuthenticator;
import org.keycloak.authentication.authenticators.util.AuthenticatorUtils;
import org.keycloak.models.ModelDuplicateException;
import org.keycloak.models.UserModel;
import org.keycloak.services.ServicesLogger;

/* loaded from: input_file:org/keycloak/authentication/authenticators/x509/ValidateX509CertificateUsername.class */
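public class ValidateX509CertificateUsername extends AbstractX509ClientCertificateDirectGrantAuthenticator {
    private static final Logger logger = Logger.getLogger(ValidateX509CertificateUsername.class);

    /**
     * Fixed {@code error_description} returned to the client when certificate validation,
     * identity extraction or user lookup throws. The exception itself is logged server-side
     * only; its raw message (validator / revocation-check details, duplicate-user messages)
     * must not be echoed back to a caller that has not yet authenticated.
     */
    private static final String GENERIC_FAILURE_MESSAGE = "X509 certificate authentication failed.";

    /**
     * Direct-grant X.509 authenticator.
     *
     * <p>Reads the client certificate chain presented on the mutual-TLS connection, records
     * audit data for the leaf certificate, validates the chain against the authenticator
     * configuration (revocation, trust, key usage, extended key usage, validity period,
     * policy), extracts a user identity from the certificate and resolves it to a
     * {@link UserModel}. The flow succeeds only for an enabled user that is not currently
     * locked by brute-force protection.
     *
     * <p>Every failure path calls {@code failure(AuthenticationFlowError.INVALID_USER, ...)}
     * with an OAuth-style error response; no challenge is ever issued, so {@link #action}
     * has nothing to process.
     *
     * @param authenticationFlowContext the current authentication flow; supplies the
     *        certificate chain, authenticator config, event and authentication session
     */
    @Override
    public void authenticate(AuthenticationFlowContext authenticationFlowContext) {
        X509Certificate[] certificateChain = getCertificateChain(authenticationFlowContext);
        if (certificateChain == null || certificateChain.length == 0) {
            logger.debug("[ValidateX509CertificateUsername:authenticate] x509 client certificate is not available for mutual SSL.");
            authenticationFlowContext.getEvent().error("user_not_found");
            authenticationFlowContext.failure(AuthenticationFlowError.INVALID_USER, errorResponse(Response.Status.UNAUTHORIZED.getStatusCode(), "invalid_request", "X509 client certificate is missing."));
            return;
        }

        // Audit the leaf certificate before any validation so failed attempts are attributable.
        saveX509CertificateAuditDataToAuthSession(authenticationFlowContext, certificateChain[0]);
        recordX509CertificateAuditDataViaContextEvent(authenticationFlowContext);

        X509AuthenticatorConfigModel config = null;
        if (authenticationFlowContext.getAuthenticatorConfig() != null && authenticationFlowContext.getAuthenticatorConfig().getConfig() != null) {
            config = new X509AuthenticatorConfigModel(authenticationFlowContext.getAuthenticatorConfig());
        }
        if (config == null) {
            // Without a config there are no trust anchors or mapping rules: fail closed.
            logger.warn("[ValidateX509CertificateUsername:authenticate] x509 Client Certificate Authentication configuration is not available.");
            authenticationFlowContext.getEvent().error("user_not_found");
            authenticationFlowContext.failure(AuthenticationFlowError.INVALID_USER, errorResponse(Response.Status.UNAUTHORIZED.getStatusCode(), "invalid_request", "Configuration is missing."));
            return;
        }

        try {
            // Validate the chain before consulting it for a username, so an untrusted,
            // revoked or expired certificate is never used to pick a user.
            certificateValidationParameters(authenticationFlowContext.getSession(), config)
                    .build(certificateChain)
                    .checkRevocationStatus()
                    .validateTrust()
                    .validateKeyUsage()
                    .validateExtendedKeyUsage()
                    .validateTimestamps()
                    .validatePolicy();

            Object userIdentity = getUserIdentityExtractor(config).extractUserIdentity(certificateChain);
            if (userIdentity == null) {
                authenticationFlowContext.getEvent().error("invalid_user_credentials");
                logger.errorf("[ValidateX509CertificateUsername:authenticate] Unable to extract user identity from certificate.", new Object[0]);
                authenticationFlowContext.failure(AuthenticationFlowError.INVALID_USER, errorResponse(Response.Status.UNAUTHORIZED.getStatusCode(), "invalid_request", "Unable to extract user identity from specified certificate"));
                return;
            }

            try {
                // Record the attempted identity before the lookup so it is present on the
                // event and auth session even when no matching user exists.
                String attemptedUsername = userIdentity.toString();
                authenticationFlowContext.getEvent().detail("username", attemptedUsername);
                authenticationFlowContext.getAuthenticationSession().setAuthNote(AbstractUsernameFormAuthenticator.ATTEMPTED_USERNAME, attemptedUsername);

                UserModel user = getUserIdentityToModelMapper(config).find(authenticationFlowContext, userIdentity);
                if (user == null) {
                    authenticationFlowContext.getEvent().error("invalid_user_credentials");
                    authenticationFlowContext.failure(AuthenticationFlowError.INVALID_USER, errorResponse(Response.Status.UNAUTHORIZED.getStatusCode(), "invalid_grant", "Invalid user credentials"));
                    return;
                }

                String bruteForceError = AuthenticatorUtils.getDisabledByBruteForceEventError(authenticationFlowContext, user);
                if (bruteForceError != null) {
                    // Locked account: same client-visible message as "no such user" to avoid
                    // distinguishing the two cases.
                    authenticationFlowContext.getEvent().user(user);
                    authenticationFlowContext.getEvent().error(bruteForceError);
                    authenticationFlowContext.failure(AuthenticationFlowError.INVALID_USER, errorResponse(Response.Status.BAD_REQUEST.getStatusCode(), "invalid_grant", "Invalid user credentials"));
                } else if (!user.isEnabled()) {
                    authenticationFlowContext.getEvent().user(user);
                    authenticationFlowContext.getEvent().error("user_disabled");
                    authenticationFlowContext.failure(AuthenticationFlowError.INVALID_USER, errorResponse(Response.Status.BAD_REQUEST.getStatusCode(), "invalid_grant", "Account disabled"));
                } else {
                    authenticationFlowContext.setUser(user);
                    authenticationFlowContext.success();
                }
            } catch (ModelDuplicateException e) {
                // More than one user matched the identity; the mapping is ambiguous, so refuse.
                // Details stay in the server log only.
                ServicesLogger.LOGGER.modelDuplicateException(e);
                authenticationFlowContext.failure(AuthenticationFlowError.INVALID_USER, errorResponse(Response.Status.UNAUTHORIZED.getStatusCode(), "invalid_request", GENERIC_FAILURE_MESSAGE));
            } catch (Exception e) {
                logger.error(e.getMessage(), e);
                authenticationFlowContext.failure(AuthenticationFlowError.INVALID_USER, errorResponse(Response.Status.UNAUTHORIZED.getStatusCode(), "invalid_request", GENERIC_FAILURE_MESSAGE));
            }
        } catch (Exception e) {
            // Certificate validation or identity extraction failed. The validator's reason
            // is useful to operators but not to the caller, so it is logged, not returned.
            logger.error(e.getMessage(), e);
            authenticationFlowContext.failure(AuthenticationFlowError.INVALID_USER, errorResponse(Response.Status.UNAUTHORIZED.getStatusCode(), "invalid_request", GENERIC_FAILURE_MESSAGE));
        }
    }

    /**
     * No-op: {@link #authenticate} never issues a challenge, so there is no form
     * submission to process for this direct-grant authenticator.
     */
    @Override // org.keycloak.authentication.authenticators.x509.AbstractX509ClientCertificateDirectGrantAuthenticator
    public void action(AuthenticationFlowContext authenticationFlowContext) {
    }
}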
