package org.infinispan.server.security;

import io.netty.channel.ChannelHandlerContext;
import java.security.Provider;
import java.util.Collection;
import java.util.Iterator;
import java.util.Locale;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.CompletionStage;
import java.util.concurrent.Executor;
import javax.security.auth.Subject;
import org.infinispan.commons.CacheConfigurationException;
import org.infinispan.rest.RestServer;
import org.infinispan.rest.authentication.Authenticator;
import org.infinispan.rest.configuration.RestServerConfiguration;
import org.infinispan.rest.framework.RestRequest;
import org.infinispan.rest.framework.RestResponse;
import org.infinispan.server.Server;
import org.wildfly.security.auth.server.MechanismConfiguration;
import org.wildfly.security.auth.server.MechanismConfigurationSelector;
import org.wildfly.security.auth.server.MechanismRealmConfiguration;
import org.wildfly.security.auth.server.SecurityIdentity;
import org.wildfly.security.auth.server.http.HttpAuthenticationFactory;
import org.wildfly.security.http.HttpAuthenticationException;
import org.wildfly.security.http.HttpServerAuthenticationMechanism;
import org.wildfly.security.http.basic.WildFlyElytronHttpBasicProvider;
import org.wildfly.security.http.bearer.WildFlyElytronHttpBearerProvider;
import org.wildfly.security.http.cert.WildFlyElytronHttpClientCertProvider;
import org.wildfly.security.http.digest.DigestMechanismFactory;
import org.wildfly.security.http.digest.WildFlyElytronHttpDigestProvider;
import org.wildfly.security.http.spnego.WildFlyElytronHttpSpnegoProvider;
import org.wildfly.security.http.util.FilterServerMechanismFactory;
import org.wildfly.security.http.util.SecurityProviderServerMechanismFactory;
import org.wildfly.security.http.util.SetMechanismInformationMechanismFactory;

/* loaded from: input_file:org/infinispan/server/security/ElytronHTTPAuthenticator.class */
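/**
 * REST {@link Authenticator} that delegates HTTP authentication to WildFly Elytron mechanisms
 * (Basic, Bearer, Digest, client certificate and SPNEGO providers are registered).
 *
 * <p>{@link #init(RestServer)} must run before {@link #challenge}: it supplies the executor and
 * the REST configuration that {@code challenge} reads. Both fields are plain (non-volatile)
 * instance fields, so this class relies on the caller to publish the instance safely.
 */
public class ElytronHTTPAuthenticator implements Authenticator {
    /** Negotiated-property key this class reads to obtain the authenticated {@link SecurityIdentity}. */
    private static final String SECURITY_IDENTITY_PROPERTY = "wildfly.http.security-identity";

    /** System property that, when {@code true}, makes {@link #close()} skip the digest factory shutdown. */
    private static final String SKIP_NONCE_SHUTDOWN_PROPERTY = "infinispan.security.elytron.skipnonceshutdown";

    private final HttpAuthenticationFactory factory;
    private final ServerSecurityRealm serverSecurityRealm;
    private Executor executor;
    private RestServerConfiguration configuration;

    /**
     * Builds the Elytron HTTP authentication factory for one security realm.
     *
     * @param str                 realm name advertised by the mechanisms (passed to {@code setRealmName})
     * @param serverSecurityRealm realm providing the security domain and the server credentials
     * @param str2                value handed to {@code applyServerCredentials}; NOTE(review): looks
     *                            like a server principal/credential name - confirm against the caller
     * @param collection          mechanism names the factory is filtered to; the {@code true} flag is
     *                            Elytron's include mode, so names outside this collection cannot be created
     */
    public ElytronHTTPAuthenticator(String str, ServerSecurityRealm serverSecurityRealm, String str2, Collection<String> collection) {
        this.serverSecurityRealm = serverSecurityRealm;
        Provider[] providers = {
            WildFlyElytronHttpBasicProvider.getInstance(),
            WildFlyElytronHttpBearerProvider.getInstance(),
            WildFlyElytronHttpDigestProvider.getInstance(),
            WildFlyElytronHttpClientCertProvider.getInstance(),
            WildFlyElytronHttpSpnegoProvider.getInstance()
        };
        HttpAuthenticationFactory.Builder factoryBuilder = HttpAuthenticationFactory.builder();
        factoryBuilder.setSecurityDomain(serverSecurityRealm.getSecurityDomain());
        // The filter is the only allow-list applied to a client-selected scheme in challenge().
        factoryBuilder.setFactory(new SetMechanismInformationMechanismFactory(
                new FilterServerMechanismFactory(new SecurityProviderServerMechanismFactory(providers), true, collection)));
        MechanismConfiguration.Builder mechanismConfiguration = MechanismConfiguration.builder();
        serverSecurityRealm.applyServerCredentials(mechanismConfiguration, str2);
        MechanismRealmConfiguration.Builder realmConfiguration = MechanismRealmConfiguration.builder();
        realmConfiguration.setRealmName(str);
        mechanismConfiguration.addMechanismRealm(realmConfiguration.build());
        factoryBuilder.setMechanismConfigurationSelector(
                MechanismConfigurationSelector.constantSelector(mechanismConfiguration.build()));
        this.factory = factoryBuilder.build();
    }

    /**
     * Evaluates the request against the Elytron mechanisms on the configured executor.
     *
     * <p>Without an {@code Authorization} header every configured mechanism is evaluated in turn
     * (so header-less mechanisms can authenticate and the others can issue their challenge). With
     * a header, only the mechanism named by the header's scheme is evaluated.
     *
     * @return a stage completing with the response recorded by the request adapter; it completes
     *         exceptionally if a mechanism is unavailable or evaluation fails
     */
    public CompletionStage<RestResponse> challenge(RestRequest restRequest, ChannelHandlerContext channelHandlerContext) {
        HttpServerRequestAdapter requestAdapter = new HttpServerRequestAdapter(restRequest, channelHandlerContext);
        return CompletableFuture.supplyAsync(() -> {
            try {
                String authorizationHeader = restRequest.getAuthorizationHeader();
                if (authorizationHeader == null) {
                    for (String mechanismName : this.configuration.authentication().mechanisms()) {
                        evaluate(mechanismName, restRequest, requestAdapter);
                    }
                } else {
                    // The scheme is client-controlled; it is bounded only by the factory's mechanism
                    // filter. NOTE(review): whether that filter matches
                    // configuration.authentication().mechanisms() is not visible here - confirm.
                    evaluate(mechanismNameFor(authorizationHeader), restRequest, requestAdapter);
                }
                return requestAdapter.getResponse();
            } catch (RuntimeException e) {
                throw e;
            } catch (Exception e) {
                throw new RuntimeException(e);
            }
        }, this.executor);
    }

    /**
     * Creates the named mechanism, runs it against the request and copies any resulting identity
     * onto the request. A mechanism the factory cannot supply is reported as unsupported instead
     * of being dereferenced, so the request fails with a clear cause rather than an NPE.
     */
    private void evaluate(String mechanismName, RestRequest restRequest, HttpServerRequestAdapter requestAdapter) throws Exception {
        HttpServerAuthenticationMechanism mechanism = this.factory.createMechanism(mechanismName);
        if (mechanism == null) {
            throw Server.log.unsupportedMechanism(mechanismName);
        }
        mechanism.evaluateRequest(requestAdapter);
        extractSubject(restRequest, mechanism);
    }

    /**
     * Maps the scheme of an {@code Authorization} header to the mechanism name used by the factory.
     *
     * <p>A header without a space (scheme only, no credentials) is treated as the scheme itself, so
     * malformed client input yields an "unsupported mechanism" failure instead of a
     * {@link StringIndexOutOfBoundsException}. Upper-casing uses {@link Locale#ROOT} so the result
     * does not depend on the JVM default locale.
     */
    private static String mechanismNameFor(String authorizationHeader) {
        int separator = authorizationHeader.indexOf(' ');
        String scheme = separator < 0 ? authorizationHeader : authorizationHeader.substring(0, separator);
        String name = scheme.toUpperCase(Locale.ROOT);
        switch (name) {
            case "BEARER":
                return "BEARER_TOKEN";
            case "NEGOTIATE":
                return "SPNEGO";
            default:
                return name;
        }
    }

    /**
     * Copies the identity negotiated by the mechanism, if any, onto the request as a
     * {@link Subject} holding the identity's principal plus one {@code RolePrincipal} per role.
     * When no identity was negotiated the request's subject is left untouched.
     */
    private void extractSubject(RestRequest restRequest, HttpServerAuthenticationMechanism httpServerAuthenticationMechanism) {
        SecurityIdentity identity = (SecurityIdentity) httpServerAuthenticationMechanism.getNegotiatedProperty(SECURITY_IDENTITY_PROPERTY);
        if (identity == null) {
            return;
        }
        Subject subject = new Subject();
        subject.getPrincipals().add(identity.getPrincipal());
        identity.getRoles().forEach(role -> subject.getPrincipals().add(new RolePrincipal(role)));
        restRequest.setSubject(subject);
    }

    /**
     * Captures the server's configuration and executor, then probes every configured mechanism so
     * that a mechanism whose creation throws is reported at start-up.
     *
     * @throws CacheConfigurationException if creating a configured mechanism throws; the Elytron
     *         exception is kept as the cause
     */
    public void init(RestServer restServer) {
        this.configuration = restServer.getConfiguration();
        this.executor = restServer.getExecutor();
        for (String mechanismName : this.configuration.authentication().mechanisms()) {
            try {
                // NOTE(review): a null return (mechanism not available) is not rejected here and
                // only surfaces as an "unsupported mechanism" failure at request time.
                this.factory.createMechanism(mechanismName);
            } catch (HttpAuthenticationException e) {
                throw new CacheConfigurationException("Could not create HTTP authentication mechanism " + mechanismName, e);
            }
        }
    }

    /** Reports whether the underlying realm is ready to answer HTTP challenges. */
    public boolean isReadyForHttpChallenge() {
        return this.serverSecurityRealm.isReadyForHttpChallenge();
    }

    /**
     * Shuts down the authentication factory. Unless the skip property is set, a
     * {@link DigestMechanismFactory} is also shut down first.
     */
    public void close() {
        if (!Boolean.getBoolean(SKIP_NONCE_SHUTDOWN_PROPERTY)) {
            // NOTE(review): judging by the property name this stops digest nonce handling;
            // whether that state is shared with other authenticators is not visible here - confirm.
            new DigestMechanismFactory().shutdown();
        }
        this.factory.shutdownAuthenticationMechanismFactory();
    }
}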
