package de.governikus.autent.eudiwallet.keycloak.endpoints;

import de.governikus.autent.eudiwallet.keycloak.constants.Constants;
import jakarta.ws.rs.Path;
import org.apache.commons.lang3.StringUtils;
import org.keycloak.common.VerificationException;
import org.keycloak.models.KeycloakSession;
import org.keycloak.services.managers.AppAuthManager;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.util.DPoPUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:de/governikus/autent/eudiwallet/keycloak/endpoints/SecuredEndpoints.class */
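/**
 * Resource root for endpoints that may only be reached with a DPoP-bound access token.
 *
 * <p>Authentication happens in the constructor: the access token is authenticated through
 * {@link AppAuthManager.BearerTokenAuthenticator}, and then the DPoP proof is validated.
 * Either failure aborts construction with an exception, so {@link #getCredentialEndpoint()}
 * is never reachable on an instance that did not pass both checks.
 */
public class SecuredEndpoints extends CorsEndpoint {
    private static final Logger log = LoggerFactory.getLogger(SecuredEndpoints.class);

    /** Token type an access token must carry to be accepted by these endpoints. */
    private static final String DPOP_TOKEN_TYPE = "DPoP";

    /**
     * Authenticates the current request and enforces DPoP binding.
     *
     * @param keycloakSession session of the current request; it also receives the
     *     authentication result under {@link Constants#AUTH_RESULT}
     */
    public SecuredEndpoints(KeycloakSession keycloakSession) {
        super(keycloakSession);
        AuthenticationManager.AuthResult authenticate =
                new AppAuthManager.BearerTokenAuthenticator(keycloakSession).authenticate();
        if (authenticate == null) {
            // The error response is sent with CORS headers that allow all origins.
            throw this.oAuth2Error.cors(this.cors.allowAllOrigins()).invalidToken("Invalid or missing AccessToken");
        }
        // The result is stored on the session before the DPoP check runs. A failed check throws
        // out of this constructor, so no sub-resource of this instance is handed out with it.
        keycloakSession.setAttribute(Constants.AUTH_RESULT, authenticate);
        // NOTE(review): validateDpop is protected and therefore overridable. An override runs
        // before the subclass constructor body and must not weaken this check.
        validateDpop(authenticate);
    }

    /**
     * Rejects the request unless the access token is of type {@code DPoP} and the DPoP
     * validation of the current HTTP request succeeds for that token.
     *
     * <p>The client only ever sees a generic "unauthorized" message. The concrete verification
     * failure is written to the log instead, so that rejected proofs stay visible to operators
     * (for example when a token is presented without a valid proof for it).
     *
     * @param authResult authentication result whose token is checked
     */
    protected void validateDpop(AuthenticationManager.AuthResult authResult) {
        try {
            if (!StringUtils.equals(DPOP_TOKEN_TYPE, authResult.getToken().getType())) {
                log.debug("Rejecting access token of type '{}', expected '{}'",
                        authResult.getToken().getType(), DPOP_TOKEN_TYPE);
                throw getUnauthorizedException(
                        String.format("Invalid DPOP token. Token type must be '%s'", DPOP_TOKEN_TYPE));
            }
            // Validate the proof against the method and URI of the request being served,
            // then check it against the access token.
            DPoPUtil.validateBinding(
                    authResult.getToken(),
                    new DPoPUtil.Validator(this.keycloakSession)
                            .request(this.keycloakSession.getContext().getHttpRequest())
                            .uriInfo(this.keycloakSession.getContext().getUri())
                            .validate());
        } catch (VerificationException e) {
            // Keep the cause: it used to be dropped, which left rejected proofs untraceable.
            log.warn("DPoP proof and token binding verification failed: {}", e.getMessage());
            log.debug("DPoP verification failure details", e);
            throw getUnauthorizedException("DPoP proof and token binding verification failed");
        }
    }

    /**
     * Sub-resource locator for the {@code credential} path.
     *
     * @return a new handler working on the session authenticated by this instance
     */
    @Path("credential")
    public CredentialEndpointHandler getCredentialEndpoint() {
        return new CredentialEndpointHandler(this.keycloakSession);
    }
}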
