package io.apicurio.hub.api.security;

import io.apicurio.hub.api.beans.InitiatedLinkedAccount;
import io.apicurio.hub.core.beans.LinkedAccountType;
import io.apicurio.hub.core.config.HubConfiguration;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import javax.annotation.PostConstruct;
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.io.IOUtils;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.common.util.Base64Url;
import org.keycloak.common.util.KeycloakUriBuilder;
import org.keycloak.representations.AccessToken;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

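@ApplicationScoped
/**
 * {@link ILinkedAccountsProvider} backed by Keycloak's identity-broker endpoints.
 *
 * <p>Linking is done with Keycloak's client-initiated account linking flow: the browser is
 * sent to {@code /realms/{realm}/broker/{provider}/link} with a nonce and a hash that binds
 * the request to the current session and client. Unlinking and token retrieval are server-side
 * HTTP calls made with the caller's bearer token.
 *
 * <p>NOTE(review): the {@link CloseableHttpClient} built in {@link #postConstruct()} is never
 * closed (no {@code @PreDestroy} hook is present in this class).
 */
public class KeycloakLinkedAccountsProvider implements ILinkedAccountsProvider {
    private static final Logger logger = LoggerFactory.getLogger(KeycloakLinkedAccountsProvider.class);

    @Inject
    private ISecurityContext security;

    @Inject
    private HubConfiguration config;

    @Inject
    private HttpServletRequest request;
    private CloseableHttpClient httpClient;

    /**
     * Creates the HTTP client used to talk to Keycloak.
     *
     * <p>When {@code disableKeycloakTrustManager} is set, the client trusts any self-signed
     * server certificate and performs no hostname verification, so it offers no protection
     * against an interposed TLS endpoint. Otherwise the JVM's system trust settings apply.
     *
     * @throws RuntimeException if the TLS context cannot be built
     */
    @PostConstruct
    protected void postConstruct() {
        try {
            if (this.config.isDisableKeycloakTrustManager()) {
                // Insecure path: TrustSelfSignedStrategy accepts any self-signed certificate and
                // NoopHostnameVerifier skips the hostname check. Make this visible in the logs.
                logger.warn("Keycloak trust manager is disabled: accepting self-signed certificates without hostname verification.");
                SSLConnectionSocketFactory sslSocketFactory = new SSLConnectionSocketFactory(
                        SSLContexts.custom().loadTrustMaterial((KeyStore) null, new TrustSelfSignedStrategy()).build(),
                        NoopHostnameVerifier.INSTANCE);
                this.httpClient = HttpClients.custom().setSSLSocketFactory(sslSocketFactory).build();
            } else {
                // Default: system properties, default trust store and hostname verification.
                this.httpClient = HttpClients.createSystem();
            }
        } catch (Exception e) {
            throw new RuntimeException("Failed to initialize the Keycloak HTTP client.", e);
        }
    }

    /**
     * Builds the Keycloak account-link URL the browser must be redirected to.
     *
     * <p>The {@code hash} query parameter is {@code base64url(SHA-256(nonce + session_state +
     * client_id + provider))}, which is what Keycloak verifies before it links the account.
     *
     * @param linkedAccountType the provider to link (its alias is the Keycloak IdP alias)
     * @param redirectUrl       where Keycloak sends the browser after linking
     * @param nonce             caller-generated one-time value echoed back in the result
     * @return the link URL together with the nonce
     * @throws IllegalStateException if the request carries no Keycloak security context
     * @throws RuntimeException if SHA-256 is unavailable in this JVM
     */
    @Override
    public InitiatedLinkedAccount initiateLinkedAccount(LinkedAccountType linkedAccountType, String redirectUrl, String nonce) {
        String keycloakAuthUrl = this.config.getKeycloakAuthUrl();
        String keycloakRealm = this.config.getKeycloakRealm();
        String provider = linkedAccountType.alias();
        AccessToken token = requireSecurityContext().getToken();
        String clientId = token.getIssuedFor();
        try {
            // Binds the link request to this session and client; Keycloak recomputes and compares it.
            String hashInput = nonce + token.getSessionState() + clientId + provider;
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(hashInput.getBytes(StandardCharsets.UTF_8));
            String hash = Base64Url.encode(digest);
            String uri = KeycloakUriBuilder.fromUri(keycloakAuthUrl)
                    .path("/realms/{realm}/broker/{provider}/link")
                    .queryParam("nonce", nonce)
                    .queryParam("hash", hash)
                    .queryParam("client_id", clientId)
                    .queryParam("redirect_uri", redirectUrl)
                    .build(keycloakRealm, provider)
                    .toString();
            // The URL carries the nonce and hash; keep this at debug level.
            logger.debug("Account Link URL: {}", uri);
            InitiatedLinkedAccount initiatedLinkedAccount = new InitiatedLinkedAccount();
            initiatedLinkedAccount.setAuthUrl(uri);
            initiatedLinkedAccount.setNonce(nonce);
            return initiatedLinkedAccount;
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Asks Keycloak to remove the federated identity for the given provider.
     *
     * <p>This is a GET that performs a state change against the account endpoint; a non-200
     * response is only logged, not reported to the caller (best-effort, as before).
     * NOTE(review): availability of {@code /account/federated-identity-update} depends on the
     * Keycloak version — confirm against the deployed server.
     *
     * @param linkedAccountType the provider whose link should be removed
     * @throws IOException if the request cannot be built or sent
     */
    @Override
    public void deleteLinkedAccount(LinkedAccountType linkedAccountType) throws IOException {
        try {
            KeycloakSecurityContext securityContext = requireSecurityContext();
            String uri = KeycloakUriBuilder.fromUri(this.config.getKeycloakAuthUrl())
                    .path("/realms/{realm}/account/federated-identity-update")
                    .queryParam("action", "REMOVE")
                    .queryParam("provider_id", linkedAccountType.alias())
                    .build(this.config.getKeycloakRealm())
                    .toString();
            logger.debug("Deleting identity provider using URL: {}", uri);
            HttpGet httpGet = new HttpGet(uri);
            httpGet.addHeader("Accept", "application/json");
            httpGet.addHeader("Authorization", "Bearer " + securityContext.getTokenString());
            try (CloseableHttpResponse response = this.httpClient.execute(httpGet)) {
                int statusCode = response.getStatusLine().getStatusCode();
                if (statusCode != 200) {
                    // Surfaced at warn so a failed unlink is visible in operations logs.
                    logger.warn("HTTP Response Status Code when deleting identity provider: {}", statusCode);
                }
            }
        } catch (Exception e) {
            throw new IOException("Error deleting linked account.", e);
        }
    }

    /**
     * Retrieves the external identity provider's token for the current user from Keycloak.
     *
     * @param linkedAccountType the provider whose stored token is requested
     * @return the raw response body from Keycloak's broker token endpoint (UTF-8 decoded)
     * @throws IOException on a non-200 response, an empty response, or an invalid URL
     */
    @Override
    public String getLinkedAccountToken(LinkedAccountType linkedAccountType) throws IOException {
        try {
            String uri = KeycloakUriBuilder.fromUri(this.config.getKeycloakAuthUrl())
                    .path("/realms/{realm}/broker/{provider}/token")
                    .build(this.config.getKeycloakRealm(), linkedAccountType.alias())
                    .toString();
            HttpGet httpGet = new HttpGet(uri);
            httpGet.addHeader("Accept", "application/json");
            httpGet.addHeader("Authorization", "Bearer " + this.security.getToken());
            try (CloseableHttpResponse response = this.httpClient.execute(httpGet)) {
                int statusCode = response.getStatusLine().getStatusCode();
                String reasonPhrase = response.getStatusLine().getReasonPhrase();
                if (statusCode != 200) {
                    logger.error("Failed to access External IDP Access Token from Keycloak: {} - {}", statusCode, reasonPhrase);
                    throw new IOException("Unexpected response from Keycloak: " + statusCode + "::" + reasonPhrase);
                }
                if (response.getEntity() == null) {
                    throw new IOException("Empty response from Keycloak when fetching the linked account token.");
                }
                // The body is the external IdP's token: decode explicitly as UTF-8 and never log it.
                try (InputStream content = response.getEntity().getContent()) {
                    return IOUtils.toString(content, StandardCharsets.UTF_8);
                }
            }
        } catch (IllegalArgumentException e) {
            throw new IOException("Error getting linked account token.", e);
        }
    }

    /**
     * Returns the Keycloak security context the adapter stored on the current request.
     *
     * @throws IllegalStateException if the attribute is absent or of an unexpected type
     */
    private KeycloakSecurityContext requireSecurityContext() {
        Object attribute = this.request.getAttribute(KeycloakSecurityContext.class.getName());
        if (!(attribute instanceof KeycloakSecurityContext)) {
            throw new IllegalStateException("No Keycloak security context on the current request.");
        }
        return (KeycloakSecurityContext) attribute;
    }
}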
