package org.keycloak.adapters;

import com.google.common.net.HttpHeaders;
import org.jboss.logging.Logger;
import org.keycloak.adapters.authentication.ClientCredentialsProvider;
import org.keycloak.adapters.authentication.JWTClientCredentialsProvider;
import org.keycloak.adapters.rotation.AdapterRSATokenVerifier;
import org.keycloak.adapters.spi.HttpFacade;
import org.keycloak.adapters.spi.UserSessionManagement;
import org.keycloak.common.util.StreamUtil;
import org.keycloak.constants.AdapterConstants;
import org.keycloak.jose.jwk.JSONWebKeySet;
import org.keycloak.jose.jwk.JWK;
import org.keycloak.jose.jwk.JWKBuilder;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.jose.jws.JWSInputException;
import org.keycloak.jose.jws.crypto.RSAProvider;
import org.keycloak.representations.VersionRepresentation;
import org.keycloak.representations.adapters.action.AdminAction;
import org.keycloak.representations.adapters.action.LogoutAction;
import org.keycloak.representations.adapters.action.PushNotBeforeAction;
import org.keycloak.representations.adapters.action.TestAvailabilityAction;
import org.keycloak.util.JsonSerialization;

/* loaded from: input_file:WEB-INF/lib/keycloak-adapter-core-3.1.0.Final.jar:org/keycloak/adapters/PreAuthActionsHandler.class */
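/**
 * Serves the adapter-side "admin" endpoints that the Keycloak server calls before
 * normal request authentication runs: back-channel logout, not-before push,
 * availability test, version report and the adapter's own JWKS. It also
 * short-circuits CORS preflight (OPTIONS) requests when CORS is enabled for the
 * deployment.
 *
 * <p>Trust model as implemented here: logout, not-before and availability bodies
 * must be RSA-signed JWS payloads whose signature verifies against the realm key
 * looked up by {@link AdapterRSATokenVerifier} for the {@code kid} in the JWS
 * header ({@link #verifyAdminRequest()}), and whose {@code resource} claim must
 * match this deployment ({@link #validateAction(AdminAction)}). The version and
 * JWKS endpoints carry no secret and are served without any signature check.
 *
 * <p>Endpoints are matched on the URI <em>suffix</em> only ({@code endsWith}), so
 * any path in the application that ends with one of the {@link AdapterConstants}
 * markers is routed here.
 *
 * <p>Decompiled from {@code keycloak-adapter-core-3.1.0.Final}; the external
 * interface is kept unchanged so container-specific subclasses keep working.
 */
public class PreAuthActionsHandler {
    private static final Logger log = Logger.getLogger(PreAuthActionsHandler.class);
    /** Session store whose HTTP sessions are invalidated on back-channel logout. */
    protected UserSessionManagement userSessionManagement;
    /** Resolves the {@link KeycloakDeployment} that applies to the current request. */
    protected AdapterDeploymentContext deploymentContext;
    /** Populated by {@link #resolveDeployment()}; {@code null} before that call. */
    protected KeycloakDeployment deployment;
    /** Container-neutral view of the current request and response. */
    protected HttpFacade facade;

    /**
     * @param userSessionManagement    session store to log out of
     * @param adapterDeploymentContext source of the per-request deployment
     * @param httpFacade               current request/response pair
     */
    public PreAuthActionsHandler(UserSessionManagement userSessionManagement, AdapterDeploymentContext adapterDeploymentContext, HttpFacade httpFacade) {
        this.userSessionManagement = userSessionManagement;
        this.deploymentContext = adapterDeploymentContext;
        this.facade = httpFacade;
    }

    /**
     * Resolves {@link #deployment} for the current request.
     *
     * @return {@code true} if the adapter is configured; otherwise a 403 has already
     *         been sent and the caller must stop processing the request
     */
    protected boolean resolveDeployment() {
        this.deployment = this.deploymentContext.resolveDeployment(this.facade);
        if (this.deployment.isConfigured()) {
            return true;
        }
        log.warn("can't take request, adapter not configured");
        this.facade.getResponse().sendError(403, "adapter not configured");
        return false;
    }

    /**
     * Dispatches the current request to one of the admin endpoints if its URI ends
     * with a known marker, or answers a CORS preflight.
     *
     * @return {@code true} if the request was fully handled here (a response has
     *         been written, possibly an error) and the caller must not continue
     *         with authentication; {@code false} if the request is not an admin
     *         request and normal processing should proceed
     */
    public boolean handleRequest() {
        String uri = this.facade.getRequest().getURI();
        log.debugv("adminRequest {0}", uri);
        // Preflight is checked first and needs no configured deployment.
        if (preflightCors()) {
            return true;
        }
        if (uri.endsWith(AdapterConstants.K_LOGOUT)) {
            if (!resolveDeployment()) {
                return true;
            }
            handleLogout();
            return true;
        }
        if (uri.endsWith(AdapterConstants.K_PUSH_NOT_BEFORE)) {
            if (!resolveDeployment()) {
                return true;
            }
            handlePushNotBefore();
            return true;
        }
        if (uri.endsWith(AdapterConstants.K_VERSION)) {
            // Intentionally served without resolveDeployment(): the version endpoint
            // works even on an unconfigured adapter (and is unauthenticated).
            handleVersion();
            return true;
        }
        if (uri.endsWith(AdapterConstants.K_TEST_AVAILABLE)) {
            if (!resolveDeployment()) {
                return true;
            }
            handleTestAvailable();
            return true;
        }
        if (!uri.endsWith(AdapterConstants.K_JWKS)) {
            return false;
        }
        if (!resolveDeployment()) {
            return true;
        }
        handleJwksRequest();
        return true;
    }

    /**
     * Answers a CORS preflight ({@code OPTIONS} with an {@code Origin} header) with a
     * 200 and the configured allow-lists, when CORS is enabled for the deployment.
     *
     * <p>Security note: the request's {@code Origin} is reflected verbatim into
     * {@code Access-Control-Allow-Origin} together with
     * {@code Access-Control-Allow-Credentials: true}, and when no
     * {@code cors-allowed-methods} / {@code cors-allowed-headers} are configured the
     * browser's requested method and headers are echoed back as well. No origin
     * allow-list is consulted at this stage (there is no token on a preflight).
     * This is only safe because the preflight carries no application data and the
     * actual, credentialed request is expected to be origin-checked later against
     * the token's allowed origins by the authenticated-request handling; deployments
     * that rely on this class alone for CORS enforcement should not assume the
     * preflight response means the origin is trusted.
     *
     * @return {@code true} if a preflight response was written; {@code false} if
     *         CORS is disabled, the method is not OPTIONS, or no Origin header is
     *         present
     */
    public boolean preflightCors() {
        // Only the local CORS configuration is needed; the deployment need not be
        // configured for the realm to answer a preflight.
        KeycloakDeployment resolveDeployment = this.deploymentContext.resolveDeployment(this.facade);
        if (!resolveDeployment.isCors()) {
            return false;
        }
        log.debugv("checkCorsPreflight {0}", this.facade.getRequest().getURI());
        if (!this.facade.getRequest().getMethod().equalsIgnoreCase("OPTIONS")) {
            return false;
        }
        if (this.facade.getRequest().getHeader("Origin") == null) {
            log.debug("checkCorsPreflight: no origin header");
            return false;
        }
        log.debug("Preflight request returning");
        this.facade.getResponse().setStatus(200);
        // Origin is reflected, not validated -- see class/method Javadoc.
        this.facade.getResponse().setHeader("Access-Control-Allow-Origin", this.facade.getRequest().getHeader("Origin"));
        this.facade.getResponse().setHeader("Access-Control-Allow-Credentials", "true");
        String header = this.facade.getRequest().getHeader("Access-Control-Request-Method");
        if (header != null) {
            // Configured allow-list wins; otherwise the requested method is echoed.
            if (resolveDeployment.getCorsAllowedMethods() != null) {
                header = resolveDeployment.getCorsAllowedMethods();
            }
            this.facade.getResponse().setHeader("Access-Control-Allow-Methods", header);
        }
        String header2 = this.facade.getRequest().getHeader("Access-Control-Request-Headers");
        if (header2 != null) {
            // Same pattern for headers: configured list, else echo the request.
            if (resolveDeployment.getCorsAllowedHeaders() != null) {
                header2 = resolveDeployment.getCorsAllowedHeaders();
            }
            this.facade.getResponse().setHeader("Access-Control-Allow-Headers", header2);
        }
        // A negative max-age means "not configured": emit no header at all.
        if (resolveDeployment.getCorsMaxAge() <= -1) {
            return true;
        }
        this.facade.getResponse().setHeader("Access-Control-Max-Age", Integer.toString(resolveDeployment.getCorsMaxAge()));
        return true;
    }

    /**
     * Back-channel logout ({@code k_logout}). The signed {@link LogoutAction} either
     * names specific adapter session ids to invalidate, or -- when it carries none --
     * logs out every local session and raises the deployment's not-before to the
     * action's value (never lowering it).
     *
     * <p>Nothing is written on success; signature/validation failures have already
     * produced a 403/400. Unexpected errors are rethrown as {@link RuntimeException}
     * for the container to turn into a 500.
     */
    protected void handleLogout() {
        if (log.isTraceEnabled()) {
            log.trace("K_LOGOUT sent");
        }
        try {
            JWSInput verifyAdminRequest = verifyAdminRequest();
            if (verifyAdminRequest == null) {
                return;
            }
            LogoutAction logoutAction = (LogoutAction) JsonSerialization.readValue(verifyAdminRequest.getContent(), LogoutAction.class);
            if (validateAction(logoutAction)) {
                if (logoutAction.getAdapterSessionIds() != null) {
                    this.userSessionManagement.logoutHttpSessions(logoutAction.getAdapterSessionIds());
                } else {
                    log.debugf("logout of all sessions for application '%s'", logoutAction.getResource());
                    // Monotonic: a logout-all may only move not-before forward.
                    if (logoutAction.getNotBefore() > this.deployment.getNotBefore()) {
                        this.deployment.updateNotBefore(logoutAction.getNotBefore());
                    }
                    this.userSessionManagement.logoutAll();
                }
            }
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Not-before push ({@code k_push_not_before}). Replaces the deployment's
     * not-before with the value from the signed {@link PushNotBeforeAction}.
     *
     * <p>Unlike {@link #handleLogout()}, the value is applied as-is rather than
     * monotonically -- presumably so that an administrator clearing the not-before
     * on the server (pushing 0) takes effect here. The flip side is that a replayed
     * older push, as long as it has not passed its own expiration
     * ({@link AdminAction#isExpired()}), would also lower it. TODO(review): confirm
     * the action's expiration window is short enough for that to be acceptable.
     */
    protected void handlePushNotBefore() {
        if (log.isTraceEnabled()) {
            log.trace("K_PUSH_NOT_BEFORE sent");
        }
        try {
            JWSInput verifyAdminRequest = verifyAdminRequest();
            if (verifyAdminRequest == null) {
                return;
            }
            PushNotBeforeAction pushNotBeforeAction = (PushNotBeforeAction) JsonSerialization.readValue(verifyAdminRequest.getContent(), PushNotBeforeAction.class);
            if (validateAction(pushNotBeforeAction)) {
                this.deployment.updateNotBefore(pushNotBeforeAction.getNotBefore());
            }
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Availability probe ({@code k_test_available}). Verifies and validates the signed
     * {@link TestAvailabilityAction} and does nothing else; an empty (2xx) response
     * therefore means "signature and resource check passed".
     */
    protected void handleTestAvailable() {
        if (log.isTraceEnabled()) {
            log.trace("K_TEST_AVAILABLE sent");
        }
        try {
            JWSInput verifyAdminRequest = verifyAdminRequest();
            if (verifyAdminRequest == null) {
                return;
            }
            validateAction((TestAvailabilityAction) JsonSerialization.readValue(verifyAdminRequest.getContent(), TestAvailabilityAction.class));
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Reads the request body as a compact JWS and verifies its RSA signature against
     * the realm public key selected by the JWS header's {@code kid}.
     *
     * <p>Checks performed, in order:
     * <ol>
     *   <li>transport: if the request is not secure and the deployment's
     *       {@code ssl-required} policy applies to the client address, 403;</li>
     *   <li>presence: a {@code null} body yields 403 "no token";</li>
     *   <li>signature: {@link RSAProvider#verify} against
     *       {@link AdapterRSATokenVerifier#getPublicKey}; a malformed JWS or a bad
     *       signature yields 403 (the body deliberately says only "no token").</li>
     * </ol>
     * Note that the SSL check relies on {@code getRemoteAddr()}; behind a reverse
     * proxy that is the proxy's address unless the container rewrites it.
     *
     * @return the parsed, signature-verified JWS, or {@code null} if an error
     *         response has been sent
     * @throws Exception if the body cannot be read or the key lookup fails
     *         (callers convert this to a 500); note that key-lookup failures are
     *         not mapped to 403 here
     */
    protected JWSInput verifyAdminRequest() throws Exception {
        if (!this.facade.getRequest().isSecure() && this.deployment.getSslRequired().isRequired(this.facade.getRequest().getRemoteAddr())) {
            log.warn("SSL is required for adapter admin action");
            this.facade.getResponse().sendError(403, "ssl required");
            return null;
        }
        String readString = StreamUtil.readString(this.facade.getRequest().getInputStream());
        if (readString == null) {
            log.warn("admin request failed, no token");
            this.facade.getResponse().sendError(403, "no token");
            return null;
        }
        try {
            JWSInput jWSInput = new JWSInput(readString);
            if (RSAProvider.verify(jWSInput, AdapterRSATokenVerifier.getPublicKey(jWSInput.getHeader().getKeyId(), this.deployment))) {
                return jWSInput;
            }
        } catch (JWSInputException e) {
            // Malformed JWS (not a signature failure); keep the diagnostic at debug
            // level rather than dropping it, then fall through to the generic 403.
            log.debug("admin request failed, unable to parse token", e);
        }
        log.warn("admin request failed, unable to verify token");
        this.facade.getResponse().sendError(403, "no token");
        return null;
    }

    /**
     * Validates a signature-verified admin action: its own {@link AdminAction#validate()}
     * self-check, its expiration, and that its {@code resource} claim names this
     * deployment's resource (so a token signed for another client of the same realm
     * cannot act here).
     *
     * @return {@code true} if the action may be applied; otherwise a 400 has been sent
     */
    protected boolean validateAction(AdminAction adminAction) {
        if (!adminAction.validate()) {
            // Fixed: the original message ran the text into the action name.
            log.warn("admin request failed, not validated " + adminAction.getAction());
            this.facade.getResponse().sendError(400, "Not validated");
            return false;
        }
        if (adminAction.isExpired()) {
            log.warn("admin request failed, expired token");
            this.facade.getResponse().sendError(400, "Expired token");
            return false;
        }
        if (this.deployment.getResourceName().equals(adminAction.getResource())) {
            return true;
        }
        log.warn("Resource name does not match");
        this.facade.getResponse().sendError(400, "Resource name does not match");
        return false;
    }

    /**
     * Version endpoint ({@code k_version}): writes {@link VersionRepresentation#SINGLETON}
     * as JSON.
     *
     * <p>Security note: this is unauthenticated and does not require a configured
     * deployment, so anyone who can reach a path ending in the version marker learns
     * the adapter version. Operators who consider that sensitive must restrict the
     * path at the container or proxy level; this class offers no switch for it.
     */
    protected void handleVersion() {
        try {
            this.facade.getResponse().setStatus(200);
            this.facade.getResponse().setHeader(HttpHeaders.CONTENT_TYPE, "application/json");
            JsonSerialization.writeValueToStream(this.facade.getResponse().getOutputStream(), VersionRepresentation.SINGLETON);
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * JWKS endpoint ({@code k_jwks}): publishes the adapter's client public key as an
     * RS256 JWK when the client authenticates with a signed JWT
     * ({@link JWTClientCredentialsProvider}); otherwise an empty key set.
     *
     * <p>Only the public key is exposed; this is unauthenticated by design so the
     * server can fetch it to verify client assertions.
     */
    protected void handleJwksRequest() {
        try {
            JSONWebKeySet jSONWebKeySet = new JSONWebKeySet();
            ClientCredentialsProvider clientAuthenticator = this.deployment.getClientAuthenticator();
            if (clientAuthenticator instanceof JWTClientCredentialsProvider) {
                jSONWebKeySet.setKeys(new JWK[]{JWKBuilder.create().rs256(((JWTClientCredentialsProvider) clientAuthenticator).getPublicKey())});
            } else {
                jSONWebKeySet.setKeys(new JWK[0]);
            }
            this.facade.getResponse().setStatus(200);
            this.facade.getResponse().setHeader(HttpHeaders.CONTENT_TYPE, "application/json");
            JsonSerialization.writeValueToStream(this.facade.getResponse().getOutputStream(), jSONWebKeySet);
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }
}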
