package org.pac4j.undertow;

import io.undertow.security.api.AuthenticationMechanism;
import io.undertow.security.api.AuthenticationMode;
import io.undertow.security.api.SecurityContext;
import io.undertow.security.handlers.AuthenticationCallHandler;
import io.undertow.security.handlers.AuthenticationConstraintHandler;
import io.undertow.security.handlers.AuthenticationMechanismsHandler;
import io.undertow.security.handlers.SecurityInitialHandler;
import io.undertow.security.idm.IdentityManager;
import io.undertow.server.HttpHandler;
import io.undertow.server.HttpServerExchange;
import io.undertow.server.handlers.BlockingHandler;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import org.pac4j.core.authorization.AuthorizationChecker;
import org.pac4j.core.authorization.DefaultAuthorizationChecker;
import org.pac4j.core.client.Client;
import org.pac4j.core.client.ClientFinder;
import org.pac4j.core.client.Clients;
import org.pac4j.core.client.DefaultClientFinder;
import org.pac4j.core.client.DirectClient;
import org.pac4j.core.client.IndirectClient;
import org.pac4j.core.config.Config;
import org.pac4j.core.context.WebContext;
import org.pac4j.core.credentials.Credentials;
import org.pac4j.core.exception.RequiresHttpAction;
import org.pac4j.core.exception.TechnicalException;
import org.pac4j.core.profile.ProfileManager;
import org.pac4j.core.profile.UserProfile;
import org.pac4j.core.util.CommonHelper;
import org.pac4j.undertow.security.Pac4jAccount;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/pac4j/undertow/SecurityMechanism.class */
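/**
 * Undertow {@link AuthenticationMechanism} that delegates authentication and
 * authorization to pac4j.
 *
 * <p>{@link #authenticate} looks for an existing profile, otherwise tries each
 * {@link DirectClient} in turn, then runs the configured authorizers.
 * {@link #sendChallenge} answers with a 403, a redirect to the identity
 * provider, or a 401, depending on what {@code authenticate} left behind.
 */
public class SecurityMechanism implements AuthenticationMechanism {
    /** Mechanism name passed to Undertow when authentication completes. */
    private static final String NAME = "PAC4J_ACCOUNT";
    protected final Logger logger = LoggerFactory.getLogger(getClass());
    protected ClientFinder clientFinder = new DefaultClientFinder();
    protected AuthorizationChecker authorizationChecker = new DefaultAuthorizationChecker();
    protected Config config;
    // Client name list handed to the ClientFinder; may be null.
    protected String clients;
    // Authorizer name list handed to the AuthorizationChecker; may be null.
    protected String authorizers;

    /**
     * Wraps {@code httpHandler} with pac4j security, with no client or authorizer names.
     *
     * @param httpHandler the handler to protect
     * @param config the pac4j configuration
     * @return the secured handler chain
     */
    public static HttpHandler build(HttpHandler httpHandler, Config config) {
        return build(httpHandler, new SecurityMechanism(config, null, null));
    }

    /**
     * Wraps {@code httpHandler} with pac4j security for the given clients.
     *
     * @param httpHandler the handler to protect
     * @param config the pac4j configuration
     * @param str the client names passed to the client finder
     * @return the secured handler chain
     */
    public static HttpHandler build(HttpHandler httpHandler, Config config, String str) {
        return build(httpHandler, new SecurityMechanism(config, str, null));
    }

    /**
     * Wraps {@code httpHandler} with pac4j security for the given clients and authorizers.
     *
     * @param httpHandler the handler to protect
     * @param config the pac4j configuration
     * @param str the client names passed to the client finder
     * @param str2 the authorizer names passed to the authorization checker
     * @return the secured handler chain
     */
    public static HttpHandler build(HttpHandler httpHandler, Config config, String str, String str2) {
        return build(httpHandler, new SecurityMechanism(config, str, str2));
    }

    /**
     * Assembles the Undertow security handler chain around {@code httpHandler},
     * with {@code securityMechanism} as the only registered mechanism.
     */
    private static HttpHandler build(HttpHandler httpHandler, SecurityMechanism securityMechanism) {
        HttpHandler callHandler = new AuthenticationCallHandler(httpHandler);
        HttpHandler constraintHandler = new AuthenticationConstraintHandler(callHandler);
        HttpHandler mechanismsHandler =
                new AuthenticationMechanismsHandler(constraintHandler, Collections.singletonList(securityMechanism));
        // No IdentityManager: accounts are built from pac4j profiles instead.
        HttpHandler initialHandler =
                new SecurityInitialHandler(AuthenticationMode.PRO_ACTIVE, (IdentityManager) null, mechanismsHandler);
        return new BlockingHandler(initialHandler);
    }

    private SecurityMechanism(Config config, String clients, String authorizers) {
        this.config = config;
        this.clients = clients;
        this.authorizers = authorizers;
    }

    /**
     * Resolves the user profile (from the profile manager, or by running the
     * direct clients) and checks it against the configured authorizers.
     *
     * @param httpServerExchange the current exchange
     * @param securityContext the Undertow security context to complete
     * @return {@code NOT_ATTEMPTED} when no profile could be established,
     *     {@code AUTHENTICATED} when the profile is authorized,
     *     {@code NOT_AUTHENTICATED} when it is not
     * @throws TechnicalException if a direct client asks for an HTTP action
     */
    public AuthenticationMechanism.AuthenticationMechanismOutcome authenticate(HttpServerExchange httpServerExchange, SecurityContext securityContext) {
        UndertowWebContext webContext = new UndertowWebContext(httpServerExchange);
        Clients configClients = this.config.getClients();
        CommonHelper.assertNotNull("configClients", configClients);
        this.logger.debug("clients: {}", this.clients);
        List<Client> currentClients = this.clientFinder.find(configClients, webContext, this.clients);
        this.logger.debug("currentClients: {}", currentClients);
        boolean useSession = useSession(webContext, currentClients);
        this.logger.debug("useSession: {}", useSession);
        ProfileManager profileManager = new ProfileManager(webContext);
        UserProfile userProfile = profileManager.get(useSession);
        // NOTE(review): the profile is logged through toString(); confirm it carries
        // no tokens or sensitive attributes before enabling debug logging in production.
        this.logger.debug("profile: {}", userProfile);
        if (userProfile == null && currentClients != null) {
            for (Client client : currentClients) {
                // Only direct clients can authenticate within the current request.
                if (!(client instanceof DirectClient)) {
                    continue;
                }
                this.logger.debug("Performing authentication for client: {}", client);
                try {
                    Credentials credentials = client.getCredentials(webContext);
                    // Log only the credentials type: depending on the implementation,
                    // toString() may expose the raw secret (token, key) in the log.
                    String credentialsType = credentials == null ? null : credentials.getClass().getName();
                    this.logger.debug("credentials: {}", credentialsType);
                    userProfile = client.getUserProfile(credentials, webContext);
                    this.logger.debug("profile: {}", userProfile);
                    if (userProfile != null) {
                        profileManager.save(useSession, userProfile);
                        break;
                    }
                } catch (RequiresHttpAction e) {
                    throw new TechnicalException("Unexpected HTTP action", e);
                }
            }
        }
        if (userProfile == null) {
            return AuthenticationMechanism.AuthenticationMechanismOutcome.NOT_ATTEMPTED;
        }
        this.logger.debug("authorizers: {}", this.authorizers);
        // The account is registered before the authorization check on purpose:
        // sendChallenge uses its presence to answer 403 rather than 401 or a redirect.
        securityContext.authenticationComplete(new Pac4jAccount(userProfile), NAME, false);
        boolean authorized = this.authorizationChecker.isAuthorized(
                webContext, userProfile, this.authorizers, this.config.getAuthorizers());
        if (authorized) {
            return AuthenticationMechanism.AuthenticationMechanismOutcome.AUTHENTICATED;
        }
        return AuthenticationMechanism.AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
    }

    /**
     * Writes the response for a request that did not end up authenticated and authorized.
     *
     * <p>An account already present means the user is known but not authorized (403).
     * Otherwise the user is redirected to the identity provider when the first
     * client is indirect, or receives a 401.
     *
     * @param httpServerExchange the current exchange
     * @param securityContext the Undertow security context
     * @return a challenge result constructed with {@code true}
     */
    public AuthenticationMechanism.ChallengeResult sendChallenge(HttpServerExchange httpServerExchange, SecurityContext securityContext) {
        UndertowWebContext webContext = new UndertowWebContext(httpServerExchange);
        // The cast relies on this mechanism being the only one that sets the account,
        // which holds for the chains assembled by build().
        Pac4jAccount account = (Pac4jAccount) securityContext.getAuthenticatedAccount();
        List<Client> currentClients = this.clientFinder.find(this.config.getClients(), webContext, this.clients);
        if (account != null) {
            this.logger.debug("forbidden");
            forbidden(webContext, currentClients, account.getProfile());
        } else if (startAuthentication(webContext, currentClients)) {
            this.logger.debug("Starting authentication");
            saveRequestedUrl(webContext, currentClients);
            redirectToIdentityProvider(webContext, currentClients);
        } else {
            this.logger.debug("unauthorized");
            unauthorized(webContext, currentClients);
        }
        return new AuthenticationMechanism.ChallengeResult(true);
    }

    /**
     * Decides whether profiles are read from and saved to the session.
     *
     * @return {@code true} when there is no client or the first client is indirect
     */
    protected boolean useSession(WebContext webContext, List<Client> list) {
        return list == null || list.isEmpty() || (list.get(0) instanceof IndirectClient);
    }

    /** Answers an authenticated but unauthorized request with HTTP 403. */
    protected void forbidden(WebContext webContext, List<Client> list, UserProfile userProfile) {
        webContext.setResponseStatus(403);
    }

    /**
     * Decides whether a login flow should be started.
     *
     * @return {@code true} when the first client is indirect
     */
    protected boolean startAuthentication(WebContext webContext, List<Client> list) {
        return list != null && !list.isEmpty() && (list.get(0) instanceof IndirectClient);
    }

    /**
     * Stores the originally requested URL in the session under {@code pac4jRequestedUrl}.
     */
    protected void saveRequestedUrl(WebContext webContext, List<Client> list) {
        // NOTE(review): this value comes from the incoming request; whatever reads
        // it back to redirect the user should validate it — confirm in that code.
        String requestedUrl = webContext.getFullRequestURL();
        this.logger.debug("requestedUrl: {}", requestedUrl);
        webContext.setSessionAttribute("pac4jRequestedUrl", requestedUrl);
    }

    /** Redirects the user to the identity provider of the first client. */
    protected void redirectToIdentityProvider(WebContext webContext, List<Client> list) {
        try {
            list.get(0).redirect(webContext, true);
        } catch (RequiresHttpAction e) {
            // Deliberately not rethrown; presumably the client has already written
            // the response it wants on the web context — TODO confirm.
            this.logger.debug("extra HTTP action required: {}", e.getCode());
        }
    }

    /** Answers an unauthenticated request that cannot start a login flow with HTTP 401. */
    protected void unauthorized(WebContext webContext, List<Client> list) {
        webContext.setResponseStatus(401);
    }
}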
