package fish.payara.microprofile.jwtauth.eesecurity;

import fish.payara.security.openid.OpenIdAuthenticationMechanism;
import jakarta.enterprise.inject.spi.CDI;
import jakarta.enterprise.inject.spi.DeploymentException;
import jakarta.security.enterprise.AuthenticationException;
import jakarta.security.enterprise.AuthenticationStatus;
import jakarta.security.enterprise.authentication.mechanism.http.HttpAuthenticationMechanism;
import jakarta.security.enterprise.authentication.mechanism.http.HttpMessageContext;
import jakarta.security.enterprise.identitystore.CredentialValidationResult;
import jakarta.security.enterprise.identitystore.IdentityStoreHandler;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.lang.annotation.Annotation;
import java.util.Optional;
import java.util.Properties;
import org.eclipse.microprofile.config.Config;
import org.eclipse.microprofile.config.ConfigProvider;
import org.eclipse.microprofile.jwt.config.Names;

/* loaded from: input_file:fish/payara/microprofile/jwtauth/eesecurity/JWTAuthenticationMechanism.class */
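/**
 * HTTP authentication mechanism that picks a JWT bearer token out of an incoming request and
 * hands it to the {@link IdentityStoreHandler} for validation.
 *
 * <p>The token is read either from the {@code Authorization} header or from a named cookie,
 * depending on the {@code mp.jwt.token.header} setting. This class only extracts the raw
 * token string; it performs no signature, expiry or claim checks itself. Those are expected
 * to happen in whichever identity store handles {@link SignedJWTCredential} (presumably
 * {@code SignedJWTIdentityStore} — confirm against the deployment).
 *
 * <p>The raw token is a bearer secret: it must not be written to logs or error messages.
 */
public class JWTAuthenticationMechanism implements HttpAuthenticationMechanism {
    public static final String CONFIG_TOKEN_HEADER_AUTHORIZATION = "Authorization";
    public static final String CONFIG_TOKEN_HEADER_COOKIE = "Cookie";

    /** Prefix the Cookie header must carry before the token cookie is looked up. */
    private static final String COOKIE_VERSION_PREFIX = "$Version=";

    private final String configJwtTokenHeader;
    private final String configJwtTokenCookie;

    /**
     * Reads the token location from vendor properties / MicroProfile Config.
     *
     * @throws DeploymentException if {@code mp.jwt.token.header} is neither
     *     {@code Authorization} nor {@code Cookie}
     */
    public JWTAuthenticationMechanism() {
        Optional<Properties> vendorProperties = SignedJWTIdentityStore.readVendorProperties();
        Config config = ConfigProvider.getConfig();
        this.configJwtTokenHeader = SignedJWTIdentityStore.readConfig(
                Names.TOKEN_HEADER, vendorProperties, config, CONFIG_TOKEN_HEADER_AUTHORIZATION);
        // Fail the deployment on an unknown value instead of silently falling back to a
        // token source the operator did not ask for.
        if (!CONFIG_TOKEN_HEADER_AUTHORIZATION.equals(this.configJwtTokenHeader)
                && !CONFIG_TOKEN_HEADER_COOKIE.equals(this.configJwtTokenHeader)) {
            throw new DeploymentException("Configuration mp.jwt.token.header must be either Authorization or Cookie, but is " + this.configJwtTokenHeader);
        }
        this.configJwtTokenCookie = SignedJWTIdentityStore.readConfig(
                Names.TOKEN_COOKIE, vendorProperties, config, "Bearer");
    }

    /**
     * Authenticates the request from its JWT, if one is present.
     *
     * @param httpServletRequest request to read the token from
     * @param httpServletResponse unused here
     * @param httpMessageContext used to report the outcome to the container
     * @return {@code doNothing()} when no token is present, {@code responseUnauthorized()} when
     *     the identity store does not report {@code VALID}, otherwise the result of
     *     {@code notifyContainerAboutLogin}
     * @throws AuthenticationException declared by the interface
     */
    @Override
    public AuthenticationStatus validateRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, HttpMessageContext httpMessageContext) throws AuthenticationException {
        // Instance.get() is the CDI lookup; the decompiled "get2()" is not a method of that API.
        IdentityStoreHandler identityStoreHandler = CDI.current().select(IdentityStoreHandler.class).get();
        SignedJWTCredential credential = getCredential(httpServletRequest);
        if (credential == null) {
            // No token: the request is neither authenticated nor rejected here.
            // NOTE(review): access to protected resources then depends entirely on the
            // container's authorization constraints — confirm every protected endpoint has one.
            return httpMessageContext.doNothing();
        }
        CredentialValidationResult result = identityStoreHandler.validate(credential);
        // Anything other than VALID (including NOT_VALIDATED) is treated as a failure.
        if (result.getStatus() != CredentialValidationResult.Status.VALID) {
            return httpMessageContext.responseUnauthorized();
        }
        httpMessageContext.getClientSubject().getPrincipals().add(result.getCallerPrincipal());
        return httpMessageContext.notifyContainerAboutLogin(result);
    }

    /**
     * Extracts the raw token from the configured location.
     *
     * @return a credential wrapping the token, or {@code null} when the request carries none
     */
    private SignedJWTCredential getCredential(HttpServletRequest httpServletRequest) {
        String token;
        if (CONFIG_TOKEN_HEADER_AUTHORIZATION.equals(this.configJwtTokenHeader)) {
            token = extractBearerToken(httpServletRequest.getHeader(CONFIG_TOKEN_HEADER_AUTHORIZATION));
        } else {
            // Cookie-carried tokens are attached by the browser automatically, so endpoints
            // using this mode also need cross-site request forgery protection.
            token = extractCookieToken(httpServletRequest.getHeader(CONFIG_TOKEN_HEADER_COOKIE), this.configJwtTokenCookie);
        }
        return createSignedJWTCredential(token);
    }

    /**
     * Returns what follows the bearer prefix in an {@code Authorization} header value, or
     * {@code null} when the header is absent or uses another scheme. The prefix comparison is
     * case-sensitive; the prefix constant is defined outside this file.
     */
    private static String extractBearerToken(String authorizationHeader) {
        if (authorizationHeader == null
                || !authorizationHeader.startsWith(OpenIdAuthenticationMechanism.BEARER_PREFIX)) {
            return null;
        }
        return authorizationHeader.substring(OpenIdAuthenticationMechanism.BEARER_PREFIX.length());
    }

    /**
     * Returns the value of the cookie {@code cookieName} from a raw {@code Cookie} header, or
     * {@code null} when the header is absent, does not start with {@code $Version=}, or does
     * not contain the cookie.
     *
     * <p>The value ends at the next {@code ;}. Previously everything up to the end of the
     * header was returned, so any pair or attribute following the token cookie became part of
     * the "token" and made an otherwise valid token fail validation.
     */
    private static String extractCookieToken(String cookieHeader, String cookieName) {
        if (cookieHeader == null || !cookieHeader.startsWith(COOKIE_VERSION_PREFIX)) {
            return null;
        }
        // NOTE(review): only ";name=" with no whitespace after the semicolon is matched, and
        // a header without the $Version= prefix is ignored. HttpServletRequest.getCookies()
        // would be more robust if accepting ordinary browser cookies is intended.
        String marker = ";" + cookieName + "=";
        int markerAt = cookieHeader.indexOf(marker);
        if (markerAt < 0) {
            return null;
        }
        int valueStart = markerAt + marker.length();
        int valueEnd = cookieHeader.indexOf(';', valueStart);
        String value = valueEnd < 0
                ? cookieHeader.substring(valueStart)
                : cookieHeader.substring(valueStart, valueEnd);
        return value.trim();
    }

    /** Wraps a non-empty token in a credential; returns {@code null} for null or empty input. */
    private SignedJWTCredential createSignedJWTCredential(String str) {
        if (str == null || str.isEmpty()) {
            return null;
        }
        return new SignedJWTCredential(str);
    }
}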
