package be.atbash.ee.security.octopus.keycloak.servlet;

import be.atbash.ee.security.octopus.SecurityUtils;
import be.atbash.ee.security.octopus.authc.AuthenticationException;
import be.atbash.ee.security.octopus.config.OctopusJSFConfiguration;
import be.atbash.ee.security.octopus.keycloak.adapter.AccessTokenHandler;
import be.atbash.ee.security.octopus.keycloak.adapter.KeycloakDeploymentHelper;
import be.atbash.ee.security.octopus.keycloak.adapter.OIDCAuthenticationException;
import be.atbash.ee.security.octopus.keycloak.config.OctopusKeycloakConfiguration;
import be.atbash.ee.security.octopus.session.usage.ActiveSessionRegistry;
import be.atbash.ee.security.octopus.util.SavedRequest;
import be.atbash.ee.security.octopus.util.WebUtils;
import be.atbash.util.exception.AtbashUnexpectedException;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import javax.inject.Inject;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.keycloak.adapters.AdapterUtils;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.OIDCAuthenticationError;
import org.keycloak.adapters.ServerRequest;
import org.keycloak.common.util.KeycloakUriBuilder;
import org.keycloak.enums.TokenStore;
import org.keycloak.representations.AccessTokenResponse;
import org.slf4j.Logger;

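@WebServlet({"/keycloak/*"})
/* loaded from: input_file:be/atbash/ee/security/octopus/keycloak/servlet/KeycloakServlet.class */
/**
 * Servlet that drives the Keycloak OIDC authorization-code flow for Octopus.
 *
 * <p>GET without a {@code code} parameter starts the flow: a fresh {@code state} value is stored in the
 * HTTP session and the browser is redirected to the Keycloak authorization endpoint. GET with a
 * {@code code} parameter is the callback: the {@code state} parameter is verified against the session
 * copy (CSRF protection), the code is exchanged for tokens and the resulting user is logged in.
 * POST and OPTIONS are routed to the Keycloak admin actions (logout, push-not-before, version, ...).
 *
 * <p>Fixes relative to the previous revision: a failed state check now aborts {@link #authenticate}
 * instead of only sending a redirect and then continuing with the token exchange and login; the state
 * check is null-safe (a callback without a session or stored state previously threw
 * {@code NullPointerException}); the state is consumed after a successful check; unrecognised admin
 * paths get a 404 instead of an empty 200; SLF4J placeholders use {@code {}}.
 */
public class KeycloakServlet extends HttpServlet {

    /** Session attribute holding the OIDC {@code state} value issued in {@link #doGet}. */
    private static final String STATE_ATTRIBUTE = "state";

    @Inject
    private Logger logger;

    @Inject
    private OctopusJSFConfiguration jsfConfiguration;

    @Inject
    private OctopusKeycloakConfiguration keycloakConfiguration;

    @Inject
    private ActiveSessionRegistry activeSessionRegistry;

    // Parsed Keycloak adapter configuration; loaded once in init().
    private KeycloakDeployment deployment;

    /**
     * Loads the Keycloak deployment descriptor whose location comes from the Octopus configuration.
     *
     * @throws ServletException per the servlet contract (not thrown by this implementation itself)
     */
    @Override
    public void init() throws ServletException {
        this.deployment = KeycloakDeploymentHelper.loadDeploymentDescriptor(this.keycloakConfiguration.getLocationKeycloakFile());
    }

    /**
     * Either completes the login (callback with {@code code}) or starts it (redirect to Keycloak).
     *
     * @param httpServletRequest  incoming request
     * @param httpServletResponse response to write the redirect or error to
     * @throws ServletException per the servlet contract
     * @throws IOException       per the servlet contract
     */
    @Override
    protected void doGet(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
        String code = getCode(httpServletRequest);
        if (code != null) {
            try {
                authenticate(httpServletRequest, httpServletResponse, code);
            } catch (IOException e) {
                throw new AtbashUnexpectedException(e);
            }
            return;
        }
        // Start of the flow: bind a fresh, unguessable state value to this session so the callback
        // can be tied back to a request that this application actually initiated.
        String state = AdapterUtils.generateId();
        httpServletRequest.getSession().setAttribute(STATE_ATTRIBUTE, state);
        try {
            WebUtils.issueRedirect(httpServletRequest, httpServletResponse, getRedirectUri(httpServletRequest, state), (Map) null, false, false);
        } catch (IOException e) {
            throw new AtbashUnexpectedException(e);
        }
    }

    /**
     * Routes Keycloak admin callbacks (see {@link #handleRequest}); unknown paths are answered with 404.
     */
    @Override
    protected void doPost(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
        dispatchAdminRequest(httpServletRequest, httpServletResponse);
    }

    /**
     * Routes Keycloak admin callbacks and CORS preflights (see {@link #handleRequest}); unknown paths get 404.
     */
    @Override
    protected void doOptions(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException, IOException {
        dispatchAdminRequest(httpServletRequest, httpServletResponse);
    }

    // Shared body of doPost/doOptions: a path that no admin action claims is not silently a 200.
    private void dispatchAdminRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        boolean handled = handleRequest(new OIDCActions(this.deployment, httpServletRequest, httpServletResponse, this.activeSessionRegistry));
        if (!handled) {
            httpServletResponse.sendError(404);
        }
    }

    /**
     * Dispatches the request to the matching Keycloak admin action based on the URI suffix.
     *
     * @param oidcActions wrapper around the current request/response
     * @return {@code true} when an action (or a CORS preflight) handled the request, {@code false} otherwise
     */
    private boolean handleRequest(OIDCActions oidcActions) {
        String uri = oidcActions.getURI();
        // SLF4J placeholder is "{}"; "{0}" is never substituted.
        this.logger.debug("adminRequest {}", uri);
        if (oidcActions.preflightCors()) {
            return true;
        }
        if (uri.endsWith("k_logout")) {
            oidcActions.handleLogout();
            return true;
        }
        if (uri.endsWith("k_push_not_before")) {
            oidcActions.handlePushNotBefore();
            return true;
        }
        if (uri.endsWith("k_version")) {
            oidcActions.handleVersion();
            return true;
        }
        if (uri.endsWith("k_test_available")) {
            oidcActions.handleTestAvailable();
            return true;
        }
        return false;
    }

    /** @return the {@code code} query parameter, or {@code null} when absent */
    private String getCode(HttpServletRequest httpServletRequest) {
        return getQueryParamValue(httpServletRequest, "code");
    }

    /** @return the {@code state} query parameter, or {@code null} when absent */
    private String getState(HttpServletRequest httpServletRequest) {
        return getQueryParamValue(httpServletRequest, STATE_ATTRIBUTE);
    }

    /** @return the value of request parameter {@code name}, or {@code null} when absent */
    private String getQueryParamValue(HttpServletRequest httpServletRequest, String name) {
        return httpServletRequest.getParameter(name);
    }

    /**
     * Builds the Keycloak authorization-endpoint URL for the start of the flow.
     *
     * @param httpServletRequest current request, used to derive the {@code redirect_uri}
     * @param state              the state value stored in the session
     * @return the absolute authorization URL, including the optional {@code kc_idp_hint} and the scope
     */
    private String getRedirectUri(HttpServletRequest httpServletRequest, String state) {
        KeycloakUriBuilder builder = this.deployment.getAuthUrl().clone()
                .queryParam("response_type", new Object[]{"code"})
                .queryParam("client_id", new Object[]{this.deployment.getResourceName()})
                .queryParam("redirect_uri", new Object[]{WebUtils.determineRoot(httpServletRequest) + "/keycloak"})
                .queryParam(STATE_ATTRIBUTE, new Object[]{state})
                .queryParam("login", new Object[]{"true"});
        String idpHint = this.keycloakConfiguration.getIdpHint();
        if (idpHint != null && !idpHint.isEmpty()) {
            builder.queryParam("kc_idp_hint", new Object[]{idpHint});
        }
        builder.queryParam("scope", new Object[]{attachOIDCScope(this.keycloakConfiguration.getScopes())});
        return builder.build(new Object[0]).toString();
    }

    /**
     * Completes the authorization-code flow: verifies the state, exchanges the code for tokens and logs
     * the resulting user in. Exactly one response is written on every path.
     *
     * @param httpServletRequest  the callback request
     * @param httpServletResponse response to redirect or to send an error on
     * @param code                the authorization code from the query string
     * @throws IOException if writing the redirect or error fails
     */
    public void authenticate(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String code) throws IOException {
        if (!checkCsrfToken(httpServletRequest, httpServletResponse)) {
            // The state did not match: the session is invalidated and a redirect is already written.
            // The code must not be exchanged or used to log anybody in.
            return;
        }
        AccessTokenResponse tokenResponse = retrieveToken(httpServletRequest, httpServletResponse, code);
        if (tokenResponse == null) {
            // retrieveToken already sent the error response.
            return;
        }
        try {
            try {
                SecurityUtils.getSubject().login(AccessTokenHandler.extractUser(this.deployment, tokenResponse));
                this.logger.debug("successful authenticated");
                SavedRequest savedRequest = WebUtils.getAndClearSavedRequest(httpServletRequest);
                httpServletResponse.sendRedirect(savedRequest != null ? savedRequest.getRequestUrl() : httpServletRequest.getContextPath());
            } catch (AuthenticationException e) {
                httpServletRequest.getSession().setAttribute("AuthenticationExceptionMessage", e.getMessage());
                httpServletResponse.sendRedirect(httpServletRequest.getContextPath() + this.jsfConfiguration.getUnauthorizedExceptionPage());
            }
        } catch (OIDCAuthenticationException e) {
            sendError(httpServletResponse, e.getReason());
        }
    }

    /**
     * Prefixes the configured scopes with the mandatory {@code openid} scope.
     *
     * @param scopes configured extra scopes, may be {@code null} or empty
     * @return {@code "openid"} alone, or {@code "openid " + scopes}
     */
    private String attachOIDCScope(String scopes) {
        if (scopes == null || scopes.isEmpty()) {
            return "openid";
        }
        return "openid " + scopes;
    }

    /**
     * Exchanges the authorization code for tokens at Keycloak.
     *
     * @return the token response, or {@code null} when the exchange failed (a 403 has then been sent)
     * @throws IOException if sending the error response fails
     */
    private AccessTokenResponse retrieveToken(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String code) throws IOException {
        // The session id is only sent along when Keycloak's token store is the HTTP session.
        String sessionId = this.deployment.getTokenStore() == TokenStore.SESSION ? httpServletRequest.getSession().getId() : null;
        try {
            return ServerRequest.invokeAccessCodeToToken(this.deployment, code, stripOauthParametersFromRedirect(httpServletRequest), sessionId);
        } catch (IOException e) {
            this.logger.error("failed to turn code into token", e);
            sendError(httpServletResponse, OIDCAuthenticationError.Reason.CODE_TO_TOKEN_FAILURE);
        } catch (ServerRequest.HttpFailure e) {
            this.logger.error("failed to turn code into token");
            this.logger.error("status from server: {}", e.getStatus());
            if (e.getStatus() == 400 && e.getError() != null) {
                this.logger.error("   {}", e.getError());
            }
            sendError(httpServletResponse, OIDCAuthenticationError.Reason.CODE_TO_TOKEN_FAILURE);
        }
        return null;
    }

    /**
     * Verifies the callback's {@code state} against the session and consumes it.
     *
     * @return {@code true} when the state matched; {@code false} when it did not, in which case the
     *         session has been invalidated and a redirect to the context root has been written
     * @throws IOException if writing the redirect fails
     */
    private boolean checkCsrfToken(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        this.logger.debug("checking state cookie for after code");
        if (checkStateCookie(httpServletRequest)) {
            // Single use: the same state must not validate a second callback in this session.
            httpServletRequest.getSession().removeAttribute(STATE_ATTRIBUTE);
            return true;
        }
        this.logger.warn("The CSRF token does not match");
        if (httpServletRequest.getSession(false) != null) {
            httpServletRequest.getSession(false).invalidate();
        }
        httpServletResponse.sendRedirect(httpServletRequest.getContextPath());
        return false;
    }

    /** Sends a 403 whose status message is the Keycloak failure reason. */
    private void sendError(HttpServletResponse httpServletResponse, OIDCAuthenticationError.Reason reason) throws IOException {
        httpServletResponse.sendError(403, reason.name());
    }

    /**
     * Reconstructs the callback URL without the {@code code} and {@code state} parameters; this is the
     * {@code redirect_uri} presented to Keycloak during the token exchange.
     */
    protected String stripOauthParametersFromRedirect(HttpServletRequest httpServletRequest) {
        return KeycloakUriBuilder.fromUri(httpServletRequest.getRequestURL().toString())
                .replaceQueryParam("code", (Object[]) null)
                .replaceQueryParam(STATE_ATTRIBUTE, (Object[]) null)
                .build(new Object[0])
                .toString();
    }

    /**
     * Checks that the {@code state} query parameter equals the value stored in the session.
     *
     * <p>Null-safe: a missing session, a missing stored state or a missing parameter all yield
     * {@code false} rather than an exception. The comparison is constant-time.
     *
     * @return {@code true} only when both values are present and equal
     */
    public boolean checkStateCookie(HttpServletRequest httpServletRequest) {
        String expectedState = getStoredState(httpServletRequest);
        String actualState = getState(httpServletRequest);
        if (expectedState == null || actualState == null) {
            return false;
        }
        return MessageDigest.isEqual(expectedState.getBytes(StandardCharsets.UTF_8), actualState.getBytes(StandardCharsets.UTF_8));
    }

    // The state stored by doGet, or null when there is no session or no (string) state in it.
    // getSession(false) avoids creating a session for a callback that never started the flow.
    private String getStoredState(HttpServletRequest httpServletRequest) {
        if (httpServletRequest.getSession(false) == null) {
            return null;
        }
        Object stored = httpServletRequest.getSession(false).getAttribute(STATE_ATTRIBUTE);
        return stored instanceof String ? (String) stored : null;
    }
}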
