package org.alfresco.repo.security.authentication.identityservice;

import javax.servlet.http.HttpServletRequest;
import org.alfresco.repo.management.subsystems.ActivateableBean;
import org.alfresco.repo.security.authentication.AuthenticationException;
import org.alfresco.repo.security.authentication.AuthenticationUtil;
import org.alfresco.repo.security.authentication.external.RemoteUserMapper;
import org.alfresco.service.cmr.security.PersonService;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.keycloak.adapters.BasicAuthRequestAuthenticator;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.spi.AuthOutcome;
import org.keycloak.adapters.spi.HttpFacade;
import org.keycloak.representations.AccessToken;

/* loaded from: input_file:org/alfresco/repo/security/authentication/identityservice/IdentityServiceRemoteUserMapper.class */
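/**
 * {@link RemoteUserMapper} that derives the repository user name from the credentials carried by
 * an HTTP request, validated against the configured identity-service (Keycloak) deployment.
 *
 * <p>A bearer token is tried first. If it does not authenticate and the deployment has basic
 * authentication enabled, basic auth is tried next. The user name taken from the resulting access
 * token is then normalized through {@link PersonService#getUserIdentifier(String)}.
 *
 * <p>Security notes:
 * <ul>
 *   <li>When {@code validationFailureSilent} is {@code true}, a failed bearer-token validation is
 *       not reported to the caller: the mapper continues to the basic-auth fallback (if enabled)
 *       and otherwise returns {@code null}. With the flag {@code false}, the failure is raised as
 *       an {@link AuthenticationException}.</li>
 *   <li>Only authentication outcomes and user names are written to the debug log; the token and
 *       the basic-auth credentials themselves are never logged by this class.</li>
 * </ul>
 */
public class IdentityServiceRemoteUserMapper implements RemoteUserMapper, ActivateableBean {
    private static final Log logger = LogFactory.getLog(IdentityServiceRemoteUserMapper.class);

    // Whether this mapper takes part in authentication at all.
    private boolean isEnabled;
    // Whether a failed bearer-token validation is swallowed instead of raised.
    private boolean isValidationFailureSilent;
    // Used to resolve the token user name to the repository's user identifier.
    private PersonService personService;
    // Keycloak adapter configuration used by both request authenticators.
    private KeycloakDeployment keycloakDeployment;

    /**
     * Enables or disables this mapper.
     *
     * @param active {@code true} to let the mapper resolve users, {@code false} to make
     *     {@link #getRemoteUser(HttpServletRequest)} always return {@code null}
     */
    public void setActive(boolean active) {
        this.isEnabled = active;
    }

    /**
     * Controls how a failed bearer-token validation is reported.
     *
     * @param silent {@code true} to suppress the {@link AuthenticationException} on a failed
     *     validation, {@code false} to throw it
     */
    public void setValidationFailureSilent(boolean silent) {
        this.isValidationFailureSilent = silent;
    }

    /**
     * @param personService service used to normalize the user name extracted from the token
     */
    public void setPersonService(PersonService personService) {
        this.personService = personService;
    }

    /**
     * @param keycloakDeployment identity-service deployment the request authenticators validate
     *     against
     */
    public void setIdentityServiceDeployment(KeycloakDeployment keycloakDeployment) {
        this.keycloakDeployment = keycloakDeployment;
    }

    /**
     * Resolves the user name for the given request.
     *
     * @param httpServletRequest the incoming request carrying the credentials
     * @return the normalized user name, or {@code null} when the mapper is disabled or no user
     *     could be authenticated from the request
     * @throws AuthenticationException if bearer-token validation fails and validation failures
     *     are not configured to be silent
     */
    @Override
    public String getRemoteUser(HttpServletRequest httpServletRequest) {
        logger.debug("Retrieving username from http request...");

        if (!this.isEnabled) {
            logger.debug("TokenRemoteUserMapper is disabled, returning null.");
            return null;
        }

        String headerUserId = extractUserFromHeader(httpServletRequest);
        if (headerUserId == null) {
            return null;
        }

        String normalizedUserId = normalizeUserId(headerUserId);
        if (logger.isDebugEnabled()) {
            logger.debug("Returning username: " + normalizedUserId);
        }
        return normalizedUserId;
    }

    /**
     * @return {@code true} if this mapper is enabled
     */
    @Override
    public boolean isActive() {
        return this.isEnabled;
    }

    /**
     * Authenticates the request against the identity service and returns the token's user name.
     *
     * @param httpServletRequest the incoming request
     * @return the user name from the access token, or {@code null} if neither bearer-token nor
     *     (when enabled) basic authentication succeeded
     * @throws AuthenticationException if the bearer outcome is {@code FAILED} and validation
     *     failures are not silent
     */
    private String extractUserFromHeader(HttpServletRequest httpServletRequest) {
        HttpFacade facade = new IdentityServiceHttpFacade(httpServletRequest);

        logger.debug("Trying bearer token...");
        AlfrescoBearerTokenRequestAuthenticator bearerAuthenticator =
                new AlfrescoBearerTokenRequestAuthenticator(this.keycloakDeployment);
        AuthOutcome bearerOutcome = bearerAuthenticator.authenticate(facade);
        if (logger.isDebugEnabled()) {
            logger.debug("Bearer token outcome: " + bearerOutcome);
        }

        // A token was presented but rejected. Unless configured to stay silent, surface the
        // reason instead of falling through to another mechanism.
        if (bearerOutcome == AuthOutcome.FAILED && !this.isValidationFailureSilent) {
            throw new AuthenticationException(
                    "Token validation failed: " + bearerAuthenticator.getValidationFailureDescription());
        }

        if (bearerOutcome == AuthOutcome.AUTHENTICATED) {
            return extractUserFromToken(bearerAuthenticator.getToken());
        }

        // Every non-authenticated outcome that reaches this point (including a silenced FAILED)
        // falls back to basic auth, but only when the deployment enables it.
        if (!this.keycloakDeployment.isEnableBasicAuth()) {
            return null;
        }

        logger.debug("Trying basic auth...");
        BasicAuthRequestAuthenticator basicAuthenticator =
                new BasicAuthRequestAuthenticator(this.keycloakDeployment);
        AuthOutcome basicOutcome = basicAuthenticator.authenticate(facade);
        if (logger.isDebugEnabled()) {
            logger.debug("Basic auth outcome: " + basicOutcome);
        }

        return basicOutcome == AuthOutcome.AUTHENTICATED
                ? extractUserFromToken(basicAuthenticator.getToken())
                : null;
    }

    /**
     * Reads the user name from a validated access token.
     *
     * @param accessToken token returned by an authenticator that reported {@code AUTHENTICATED}
     * @return the token's preferred user name, which may be {@code null}
     */
    private String extractUserFromToken(AccessToken accessToken) {
        // NOTE(review): the preferred username is the only claim consulted for identity; whether
        // it is unique and stable depends on the identity-provider configuration - confirm.
        String preferredUsername = accessToken.getPreferredUsername();
        if (logger.isDebugEnabled()) {
            logger.debug("Extracted username: " + preferredUsername);
        }
        return preferredUsername;
    }

    /**
     * Resolves the given user name to the identifier known to the {@link PersonService}.
     *
     * @param str user name extracted from the token, may be {@code null}
     * @return the identifier reported by the person service, the input unchanged if the service
     *     returns {@code null}, or {@code null} if the input is {@code null}
     */
    private String normalizeUserId(final String str) {
        if (str == null) {
            return null;
        }

        // The lookup is executed as the system user because no user is authenticated yet.
        // The method must be named doWork to implement RunAsWork; a differently named method
        // would leave the anonymous class without an implementation of the interface.
        String normalized = AuthenticationUtil.runAs(new AuthenticationUtil.RunAsWork<String>() {
            @Override
            public String doWork() throws Exception {
                return IdentityServiceRemoteUserMapper.this.personService.getUserIdentifier(str);
            }
        }, AuthenticationUtil.getSystemUserName());

        if (logger.isDebugEnabled()) {
            logger.debug("Normalized user name for '" + str + "': " + normalized);
        }
        return normalized == null ? str : normalized;
    }
}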
