package io.quarkus.elytron.security.oauth2.runtime.auth;

import io.undertow.UndertowLogger;
import io.undertow.security.api.AuthenticationMechanism;
import io.undertow.security.api.SecurityContext;
import io.undertow.security.idm.Account;
import io.undertow.security.idm.IdentityManager;
import io.undertow.server.HttpServerExchange;
import io.undertow.util.Headers;

/* loaded from: input_file:io/quarkus/elytron/security/oauth2/runtime/auth/OAuth2AuthMechanism.class */
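/**
 * Undertow authentication mechanism that authenticates a request from an OAuth2 bearer token
 * carried in the {@code Authorization} request header.
 *
 * <p>The token is wrapped in an {@link Oauth2Credential} and handed to the configured
 * {@link IdentityManager}; this class performs no token validation of its own.
 */
public class OAuth2AuthMechanism implements AuthenticationMechanism {
    /** Authorization scheme prefix, including the single separating space. */
    private static final String BEARER_PREFIX = "Bearer ";

    private final IdentityManager identityManager;

    /**
     * @param identityManager verifier that turns an {@link Oauth2Credential} into an {@link Account}
     */
    public OAuth2AuthMechanism(IdentityManager identityManager) {
        this.identityManager = identityManager;
    }

    /**
     * Attempts to authenticate the request from its {@code Authorization: Bearer <token>} header.
     *
     * @param httpServerExchange the current request/response exchange
     * @param securityContext the security context to complete on success
     * @return {@code NOT_ATTEMPTED} when there is no {@code Authorization} header or it does not use
     *     the Bearer scheme; {@code AUTHENTICATED} when the identity manager returns an account;
     *     {@code NOT_AUTHENTICATED} when it returns {@code null} or verification throws
     */
    public AuthenticationMechanism.AuthenticationMechanismOutcome authenticate(HttpServerExchange httpServerExchange, SecurityContext securityContext) {
        String authorization = httpServerExchange.getRequestHeaders().getFirst("Authorization");
        // Only handle the Bearer scheme. Without this check a header shorter than the prefix
        // made substring() throw outside the try block, and credentials sent under another
        // scheme (e.g. Basic) were sliced at a fixed offset and submitted as a bearer token.
        // regionMatches is false when the header is shorter than the prefix; the scheme name is
        // compared case-insensitively.
        if (authorization == null
                || !authorization.regionMatches(true, 0, BEARER_PREFIX, 0, BEARER_PREFIX.length())) {
            return AuthenticationMechanism.AuthenticationMechanismOutcome.NOT_ATTEMPTED;
        }
        String token = authorization.substring(BEARER_PREFIX.length());
        try {
            Oauth2Credential oauth2Credential = new Oauth2Credential(token);
            // NOTE(review): this trace line and the debug line below format the credential object
            // itself. If Oauth2Credential.toString() exposes the raw token, a replayable secret
            // ends up in the logs. Confirm and log a non-reversible identifier instead.
            if (UndertowLogger.SECURITY_LOGGER.isTraceEnabled()) {
                UndertowLogger.SECURITY_LOGGER.tracef("Bearer token: %s", oauth2Credential);
            }
            Account account = this.identityManager.verify(oauth2Credential);
            if (account == null) {
                UndertowLogger.SECURITY_LOGGER.info("Failed to authenticate OAuth2 bearer token");
                return AuthenticationMechanism.AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
            }
            // Third argument false: do not ask for the authenticated identity to be cached.
            securityContext.authenticationComplete(account, "BEARER_TOKEN", false);
            UndertowLogger.SECURITY_LOGGER.debugf("Authenticated credential(%s) for path(%s) with roles: %s", oauth2Credential, httpServerExchange.getRequestPath(), account.getRoles());
            return AuthenticationMechanism.AuthenticationMechanismOutcome.AUTHENTICATED;
        } catch (Exception e) {
            // Fail closed: any error while building or verifying the credential is a rejection.
            UndertowLogger.SECURITY_LOGGER.infof(e, "Failed to validate OAuth2 bearer token", new Object[0]);
            return AuthenticationMechanism.AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
        }
    }

    /**
     * Adds a {@code WWW-Authenticate} challenge header and requests a 401 response.
     *
     * @param httpServerExchange the exchange whose response headers receive the challenge
     * @param securityContext unused
     * @return a result reporting that a challenge was sent, with desired status 401
     */
    public AuthenticationMechanism.ChallengeResult sendChallenge(HttpServerExchange httpServerExchange, SecurityContext securityContext) {
        // NOTE(review): "{token}" is sent literally and is not an auth-param as described by
        // RFC 6750 (e.g. realm="..."). Left unchanged because clients may match on this value.
        httpServerExchange.getResponseHeaders().add(Headers.WWW_AUTHENTICATE, "Bearer {token}");
        UndertowLogger.SECURITY_LOGGER.debugf("Sending Bearer {token} challenge for %s", httpServerExchange);
        return new AuthenticationMechanism.ChallengeResult(true, 401);
    }
}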
