package org.keycloak.authentication.authenticators.client;

import java.util.Collections;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.ClientAuthenticationFlowContext;
import org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider;
import org.keycloak.models.AuthenticationExecutionModel;
import org.keycloak.models.ClientModel;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.services.resources.Cors;
import org.keycloak.util.BasicAuthHelper;

/* loaded from: input_file:org/keycloak/authentication/authenticators/client/ClientIdAndSecretAuthenticator.class */
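/**
 * Client authenticator that validates a {@code client_id} / {@code client_secret} pair supplied
 * either in an {@code Authorization: Basic} header or in form-encoded request parameters.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>Form parameters are read after the header and overwrite header-derived values, so a single
 *       request may end up authenticated with a client id from one source and a secret from the
 *       other.</li>
 *   <li>A client for which {@code isPublicClient()} is true succeeds without any secret check.</li>
 *   <li>{@link #getAdapterConfiguration(ClientModel)} hands the client secret back to the caller.</li>
 * </ul>
 */
public class ClientIdAndSecretAuthenticator extends AbstractClientAuthenticator {
    /** Identifier returned by {@link #getId()}. */
    public static final String PROVIDER_ID = "client-secret";

    /**
     * Requirement values offered by {@link #getRequirementChoices()}.
     *
     * <p>This is a public array and is returned by reference, so callers must treat it as read-only.
     */
    public static final AuthenticationExecutionModel.Requirement[] REQUIREMENT_CHOICES = {
        AuthenticationExecutionModel.Requirement.ALTERNATIVE,
        AuthenticationExecutionModel.Requirement.DISABLED
    };

    /**
     * Resolves the client id and secret from the request and reports the outcome on the flow context.
     *
     * <p>Resolution order for the credentials:
     * <ol>
     *   <li>the {@code Authorization} header, parsed with {@code BasicAuthHelper.parseHeader};</li>
     *   <li>form parameters {@code client_id} / client secret, which overwrite header values when
     *       the request body is form-encoded and the key is present;</li>
     *   <li>for the client id only, the {@code client_id} session attribute as a last resort.</li>
     * </ol>
     *
     * <p>Outcomes: a 401 Basic challenge when an unparseable {@code Authorization} header arrives with
     * a form body that has no {@code client_id}; a 400 {@code invalid_client} challenge when no client
     * id can be found; {@code CLIENT_NOT_FOUND} / {@code CLIENT_DISABLED} failures; success for public
     * clients; a 400 {@code unauthorized_client} challenge when the secret is missing; and
     * {@code INVALID_CLIENT_CREDENTIALS} when the stored secret is absent or validation fails.
     *
     * @param clientAuthenticationFlowContext flow context giving access to the request, realm,
     *     session and event, and receiving the challenge / failure / success result
     */
    public void authenticateClient(ClientAuthenticationFlowContext clientAuthenticationFlowContext) {
        final ClientAuthenticationFlowContext context = clientAuthenticationFlowContext;
        String clientId = null;
        String clientSecret = null;

        String authorizationHeader =
                context.getHttpRequest().getHttpHeaders().getRequestHeaders().getFirst(Cors.AUTHORIZATION_HEADER);
        MediaType mediaType = context.getHttpRequest().getHttpHeaders().getMediaType();
        boolean hasFormBody =
                mediaType != null && mediaType.isCompatible(MediaType.APPLICATION_FORM_URLENCODED_TYPE);
        // Form parameters are only decoded when the content type says the body is form-encoded.
        MultivaluedMap<String, String> formData =
                hasFormBody ? context.getHttpRequest().getDecodedFormParameters() : null;

        if (authorizationHeader != null) {
            String[] basicCredentials = BasicAuthHelper.parseHeader(authorizationHeader);
            if (basicCredentials != null) {
                // assumes parseHeader returns exactly {id, secret} when non-null; confirm in BasicAuthHelper
                clientId = basicCredentials[0];
                clientSecret = basicCredentials[1];
            } else if (formData != null && !formData.containsKey("client_id")) {
                // The header is present but is not usable Basic credentials, and the body names no
                // client either: ask for Basic authentication instead of continuing.
                // NOTE(review): the realm name is placed inside a quoted header value without
                // escaping; confirm realm names cannot contain '"' or line breaks.
                context.challenge(Response.status(Response.Status.UNAUTHORIZED)
                        .header("WWW-Authenticate", "Basic realm=\"" + context.getRealm().getName() + "\"")
                        .build());
                return;
            }
        }

        if (formData != null) {
            // NOTE(review): body values replace header values independently of each other, so the id
            // and the secret can come from different sources. RFC 6749 section 2.3 says a client
            // must not use more than one authentication method per request; consider rejecting
            // requests that present both.
            if (formData.containsKey("client_id")) {
                clientId = formData.getFirst("client_id");
            }
            if (formData.containsKey(AbstractOAuth2IdentityProvider.OAUTH2_PARAMETER_CLIENT_SECRET)) {
                clientSecret = formData.getFirst(AbstractOAuth2IdentityProvider.OAUTH2_PARAMETER_CLIENT_SECRET);
            }
        }

        if (clientId == null) {
            clientId = context.getSession().getAttribute("client_id", String.class);
        }
        if (clientId == null) {
            context.challenge(ClientAuthUtil.errorResponse(
                    Response.Status.BAD_REQUEST.getStatusCode(), "invalid_client", "Missing client_id parameter"));
            return;
        }

        // The requested id is set on the event before the lookup, i.e. also for ids that do not resolve.
        context.getEvent().client(clientId);

        ClientModel client = context.getRealm().getClientByClientId(clientId);
        if (client == null) {
            context.failure(AuthenticationFlowError.CLIENT_NOT_FOUND, (Response) null);
            return;
        }
        context.setClient(client);

        if (!client.isEnabled()) {
            context.failure(AuthenticationFlowError.CLIENT_DISABLED, (Response) null);
            return;
        }
        if (client.isPublicClient()) {
            // Public clients are accepted on the client id alone; no secret is compared.
            context.success();
            return;
        }
        if (clientSecret == null) {
            context.challenge(ClientAuthUtil.errorResponse(
                    Response.Status.BAD_REQUEST.getStatusCode(), "unauthorized_client", "Client secret not provided in request"));
            return;
        }

        // A confidential client without a stored secret is rejected exactly like a wrong secret.
        // NOTE(review): validateSecret is implemented elsewhere; confirm it compares in constant time.
        if (client.getSecret() != null && client.validateSecret(clientSecret)) {
            context.success();
        } else {
            context.failure(AuthenticationFlowError.INVALID_CLIENT_CREDENTIALS, ClientAuthUtil.errorResponse(
                    Response.Status.BAD_REQUEST.getStatusCode(), "unauthorized_client", "Invalid client secret"));
        }
    }

    /** Returns the human-readable name of this authenticator. */
    public String getDisplayType() {
        return "Client Id and Secret";
    }

    /** Returns {@code false}: this authenticator reports itself as not configurable. */
    public boolean isConfigurable() {
        return false;
    }

    /**
     * Returns the shared {@link #REQUIREMENT_CHOICES} array itself, not a copy; do not modify it.
     */
    public AuthenticationExecutionModel.Requirement[] getRequirementChoices() {
        return REQUIREMENT_CHOICES;
    }

    /** Returns the help text describing where the credentials are read from. */
    public String getHelpText() {
        return "Validates client based on 'client_id' and 'client_secret' sent either in request parameters or in 'Authorization: Basic' header";
    }

    /** Returns a new, empty, mutable list on every call. */
    public List<ProviderConfigProperty> getConfigProperties() {
        return new LinkedList<>();
    }

    /** Returns an immutable empty list. */
    public List<ProviderConfigProperty> getConfigPropertiesPerClient() {
        return Collections.emptyList();
    }

    /**
     * Builds the adapter configuration for a client.
     *
     * <p>The returned map carries the client secret as returned by {@code clientModel.getSecret()}
     * under the key {@code "secret"} (the value is {@code null} when the client has none). Treat the
     * result as sensitive: keep it out of logs and only return it to callers authorised to see it.
     *
     * @param clientModel client whose secret is exported
     * @return a new mutable map with the single entry {@code "secret"}
     */
    public Map<String, Object> getAdapterConfiguration(ClientModel clientModel) {
        Map<String, Object> adapterConfig = new HashMap<>();
        adapterConfig.put("secret", clientModel.getSecret());
        return adapterConfig;
    }

    /** Returns {@link #PROVIDER_ID}. */
    public String getId() {
        return PROVIDER_ID;
    }

    /**
     * Lists the client authentication methods offered for a login protocol.
     *
     * @param str login protocol name; anything other than {@code "openid-connect"} (including
     *     {@code null}) yields an empty set
     * @return for {@code "openid-connect"}, a new set holding
     *     {@code OIDCLoginProtocol.CLIENT_SECRET_BASIC} then {@code OIDCLoginProtocol.CLIENT_SECRET_POST};
     *     otherwise an immutable empty set
     */
    public Set<String> getProtocolAuthenticatorMethods(String str) {
        // Constant-first comparison: a null protocol name yields the empty set instead of a
        // NullPointerException.
        if (!"openid-connect".equals(str)) {
            return Collections.emptySet();
        }
        Set<String> methods = new LinkedHashSet<>();
        methods.add(OIDCLoginProtocol.CLIENT_SECRET_BASIC);
        methods.add(OIDCLoginProtocol.CLIENT_SECRET_POST);
        return methods;
    }
}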
