package org.keycloak.adapters.servlet;

import java.io.Serializable;
import java.security.Principal;
import java.util.Set;
import java.util.logging.Logger;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpSession;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.adapters.AdapterTokenStore;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.OidcKeycloakAccount;
import org.keycloak.adapters.RefreshableKeycloakSecurityContext;
import org.keycloak.adapters.RequestAuthenticator;
import org.keycloak.adapters.spi.HttpFacade;
import org.keycloak.adapters.spi.KeycloakAccount;
import org.keycloak.adapters.spi.SessionIdMapper;

/* loaded from: input_file:WEB-INF/lib/keycloak-servlet-filter-adapter-8.0.1.jar:org/keycloak/adapters/servlet/OIDCFilterSessionStore.class */
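/**
 * {@link AdapterTokenStore} for the servlet filter adapter that keeps the authenticated OIDC
 * account in the servlet {@link HttpSession}.
 *
 * <p>The account is stored under the attribute name {@code KeycloakAccount.class.getName()} and
 * its security context under {@code KeycloakSecurityContext.class.getName()}. When a
 * {@link SessionIdMapper} is supplied, the HTTP session id is also registered with it on login and
 * checked against it when a cached login is reused.
 */
public class OIDCFilterSessionStore extends FilterSessionStore implements AdapterTokenStore {
    protected final KeycloakDeployment deployment;
    // The logger name is Class.toString() ("class org.keycloak..."), not the plain class name.
    // Left unchanged so that existing logging configuration keeps matching.
    private static final Logger log = Logger.getLogger("" + OIDCFilterSessionStore.class);
    protected final SessionIdMapper idMapper;

    /* loaded from: input_file:WEB-INF/lib/keycloak-servlet-filter-adapter-8.0.1.jar:org/keycloak/adapters/servlet/OIDCFilterSessionStore$SerializableKeycloakAccount.class */
    /**
     * Account value object stored as a session attribute: roles, principal and security context.
     *
     * <p>NOTE(review): the class is {@link Serializable} and carries the security context, so a
     * container that persists or replicates sessions will write this object out. Presumably the
     * context holds the tokens; confirm, and protect the session store accordingly. No
     * {@code serialVersionUID} is declared; adding one now would change the serialized form that
     * already-stored sessions were written with.
     */
    public static class SerializableKeycloakAccount implements OidcKeycloakAccount, Serializable {
        protected Set<String> roles;
        protected Principal principal;
        protected RefreshableKeycloakSecurityContext securityContext;

        /**
         * @param set roles granted to the account (stored by reference, not copied)
         * @param principal authenticated principal
         * @param refreshableKeycloakSecurityContext security context of the login; may be null
         */
        public SerializableKeycloakAccount(Set<String> set, Principal principal, RefreshableKeycloakSecurityContext refreshableKeycloakSecurityContext) {
            this.roles = set;
            this.principal = principal;
            this.securityContext = refreshableKeycloakSecurityContext;
        }

        @Override // org.keycloak.adapters.spi.KeycloakAccount
        public Principal getPrincipal() {
            return this.principal;
        }

        @Override // org.keycloak.adapters.spi.KeycloakAccount
        public Set<String> getRoles() {
            return this.roles;
        }

        @Override // org.keycloak.adapters.OidcKeycloakAccount
        public RefreshableKeycloakSecurityContext getKeycloakSecurityContext() {
            return this.securityContext;
        }
    }

    /**
     * @param httpServletRequest current request, passed to the superclass
     * @param httpFacade facade for the current exchange, passed to the superclass
     * @param i passed unchanged to the {@link FilterSessionStore} constructor
     * @param keycloakDeployment deployment the current request is served for
     * @param sessionIdMapper optional mapper of SSO session to HTTP session id; may be null
     */
    public OIDCFilterSessionStore(HttpServletRequest httpServletRequest, HttpFacade httpFacade, int i, KeycloakDeployment keycloakDeployment, SessionIdMapper sessionIdMapper) {
        super(httpServletRequest, httpFacade, i);
        this.deployment = keycloakDeployment;
        this.idMapper = sessionIdMapper;
    }

    /**
     * Builds the request wrapper for the account of the current request.
     *
     * <p>The account is taken from the existing session if there is one, otherwise from the
     * request attribute of the same name. No session is created.
     *
     * @return the wrapper produced by the inherited {@code buildWrapper(session, account)}
     */
    public HttpServletRequestWrapper buildWrapper() {
        String accountKey = KeycloakAccount.class.getName();
        HttpSession session = this.request.getSession(false);
        KeycloakAccount keycloakAccount = null;
        if (session != null) {
            keycloakAccount = (KeycloakAccount) session.getAttribute(accountKey);
        }
        if (keycloakAccount == null) {
            // Single fallback; the original repeated this lookup in both branches.
            keycloakAccount = (KeycloakAccount) this.request.getAttribute(accountKey);
        }
        return buildWrapper(session, keycloakAccount);
    }

    /**
     * Re-validates the token of the account held in the session, refreshing it when it is no
     * longer active or when the deployment is configured to always refresh.
     *
     * <p>If the refresh fails, or the token is still inactive afterwards, the Keycloak attributes
     * are removed and the HTTP session is invalidated. Does nothing when there is no session,
     * no account or no security context.
     */
    @Override // org.keycloak.adapters.AdapterTokenStore
    public void checkCurrentToken() {
        HttpSession session = this.request.getSession(false);
        if (session == null) {
            return;
        }
        SerializableKeycloakAccount account = (SerializableKeycloakAccount) session.getAttribute(KeycloakAccount.class.getName());
        if (account == null) {
            return;
        }
        RefreshableKeycloakSecurityContext context = account.getKeycloakSecurityContext();
        if (context == null) {
            return;
        }
        // A context without a deployment is re-bound to the current one before it is used
        // (presumably the state after the session was deserialized; confirm).
        if (context.getDeployment() == null) {
            context.setCurrentRequestInfo(this.deployment, this);
        }
        boolean refreshNeeded = !context.isActive() || context.getDeployment().isAlwaysRefreshToken();
        if (!refreshNeeded) {
            return;
        }
        if (context.refreshExpiredToken(false) && context.isActive()) {
            return;
        }
        // Fail closed: a token that cannot be refreshed ends the local session.
        cleanSession(session);
        session.invalidate();
    }

    /**
     * Removes the account, the security context and the saved request from the session.
     * The session itself is not invalidated here.
     *
     * @param httpSession session to clean
     */
    protected void cleanSession(HttpSession httpSession) {
        httpSession.removeAttribute(KeycloakAccount.class.getName());
        httpSession.removeAttribute(KeycloakSecurityContext.class.getName());
        clearSavedRequest(httpSession);
    }

    /**
     * Reports whether the session already holds a usable login for this deployment.
     *
     * <p>The cached account is rejected, and the Keycloak attributes are removed from the
     * session, when it has no security context, when its realm differs from the deployment's
     * realm, or when an id mapper is configured and does not know the session id. On success the
     * context is bound to the current deployment and request, published as a request attribute,
     * and {@code needRequestRestore} is set from {@code restoreRequest()}.
     *
     * @param requestAuthenticator not used by this implementation
     * @return {@code true} if the request can be served from the cached login
     */
    @Override // org.keycloak.adapters.AdapterTokenStore
    public boolean isCached(RequestAuthenticator requestAuthenticator) {
        HttpSession session = this.request.getSession(false);
        if (session == null) {
            return false;
        }
        SerializableKeycloakAccount account = (SerializableKeycloakAccount) session.getAttribute(KeycloakAccount.class.getName());
        if (account == null) {
            return false;
        }
        log.fine("remote logged in already. Establish state from session");
        RefreshableKeycloakSecurityContext context = account.getKeycloakSecurityContext();
        if (context == null) {
            // checkCurrentToken() and the constructor both allow a null context. Without this
            // guard the realm check below would throw a NullPointerException instead of
            // rejecting the cached login.
            log.fine("Account in session has no security context.");
            cleanSession(session);
            return false;
        }
        if (!this.deployment.getRealm().equals(context.getRealm())) {
            log.fine("Account from cookie is from a different realm than for the request.");
            cleanSession(session);
            return false;
        }
        if (this.idMapper != null && !this.idMapper.hasSession(session.getId())) {
            // NOTE(review): this writes the raw session id to the log at FINE. Treat logs at
            // that level as sensitive, or log a truncated or hashed id instead.
            log.fine("idMapper does not have session: " + session.getId());
            cleanSession(session);
            return false;
        }
        context.setCurrentRequestInfo(this.deployment, this);
        this.request.setAttribute(KeycloakSecurityContext.class.getName(), context);
        this.needRequestRestore = restoreRequest();
        return true;
    }

    /**
     * Stores the freshly authenticated account and its security context in the session, creating
     * the session if needed, and registers the session id with the id mapper when one is set.
     *
     * <p>NOTE(review): the session id is not rotated in this method. If a session existed before
     * login it is reused, so confirm that the caller or the container changes the id on
     * authentication (session fixation).
     *
     * @param oidcKeycloakAccount authenticated account; its security context is cast to
     *     {@link RefreshableKeycloakSecurityContext}
     */
    @Override // org.keycloak.adapters.AdapterTokenStore
    public void saveAccountInfo(OidcKeycloakAccount oidcKeycloakAccount) {
        SerializableKeycloakAccount stored = new SerializableKeycloakAccount(
                oidcKeycloakAccount.getRoles(),
                oidcKeycloakAccount.getPrincipal(),
                (RefreshableKeycloakSecurityContext) oidcKeycloakAccount.getKeycloakSecurityContext());
        HttpSession session = this.request.getSession();
        session.setAttribute(KeycloakAccount.class.getName(), stored);
        session.setAttribute(KeycloakSecurityContext.class.getName(), stored.getKeycloakSecurityContext());
        if (this.idMapper != null) {
            this.idMapper.map(oidcKeycloakAccount.getKeycloakSecurityContext().getToken().getSessionState(), oidcKeycloakAccount.getPrincipal().getName(), session.getId());
        }
    }

    /**
     * Logs the session's account out through its security context and removes the Keycloak
     * attributes from the session. The HTTP session itself is left in place.
     */
    @Override // org.keycloak.adapters.AdapterTokenStore
    public void logout() {
        HttpSession session = this.request.getSession(false);
        if (session == null) {
            return;
        }
        SerializableKeycloakAccount account = (SerializableKeycloakAccount) session.getAttribute(KeycloakAccount.class.getName());
        if (account != null) {
            RefreshableKeycloakSecurityContext context = account.getKeycloakSecurityContext();
            // A null context must not stop the local cleanup below with an exception.
            if (context != null) {
                context.logout(this.deployment);
            }
        }
        cleanSession(session);
    }

    /** Servlet-API logout hook; delegates to {@link #logout()}. */
    @Override // org.keycloak.adapters.servlet.FilterSessionStore
    public void servletRequestLogout() {
        logout();
    }

    /**
     * Intentionally empty. The refreshed context is the same object that is already stored in the
     * session, so this store performs no extra work on refresh.
     */
    @Override // org.keycloak.adapters.AdapterTokenStore
    public void refreshCallback(RefreshableKeycloakSecurityContext refreshableKeycloakSecurityContext) {
    }
}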
