package de.adorsys.ledgers.token.exchange;

import javax.ws.rs.Consumes;
import javax.ws.rs.OPTIONS;
import javax.ws.rs.POST;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import org.jboss.logging.Logger;
import org.jboss.resteasy.spi.HttpRequest;
import org.keycloak.OAuthErrorException;
import org.keycloak.TokenVerifier;
import org.keycloak.common.VerificationException;
import org.keycloak.crypto.SignatureProvider;
import org.keycloak.events.EventBuilder;
import org.keycloak.models.AuthenticatedClientSessionModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.oidc.TokenManager;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.AccessTokenResponse;
import org.keycloak.services.ErrorResponse;
import org.keycloak.services.Urls;
import org.keycloak.services.managers.AppAuthManager;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.resource.RealmResourceProvider;
import org.keycloak.services.resources.Cors;
import org.keycloak.services.util.DefaultClientSessionContext;

/* loaded from: input_file:de/adorsys/ledgers/token/exchange/ConfigurableTokenResourceProvider.class */
public class ConfigurableTokenResourceProvider implements RealmResourceProvider {
    static final String ID = "configurable-token";
    private static final Logger LOG = Logger.getLogger(ConfigurableTokenResourceProvider.class);
    private final KeycloakSession session;
    private final TokenManager tokenManager = new TokenManager();

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:de/adorsys/ledgers/token/exchange/ConfigurableTokenResourceProvider$ConfigurableTokenException.class */
    public static class ConfigurableTokenException extends Exception {
        public ConfigurableTokenException(String str) {
            super(str);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public ConfigurableTokenResourceProvider(KeycloakSession keycloakSession) {
        this.session = keycloakSession;
    }

    public Object getResource() {
        return this;
    }

    public void close() {
    }

    @OPTIONS
    public Response preflight(@Context HttpRequest httpRequest) {
        return Cors.add(httpRequest, Response.ok()).auth().preflight().allowedMethods(new String[]{"POST", "OPTIONS"}).build();
    }

    @POST
    @Produces({"application/json"})
    @Consumes({"application/json"})
    public Response createToken(TokenConfiguration tokenConfiguration, @Context HttpRequest httpRequest) {
        try {
            return buildCorsResponse(httpRequest, createAccessToken(findSession(), validateTokenAndUpdateSession(httpRequest), tokenConfiguration));
        } catch (ConfigurableTokenException e) {
            LOG.error("An error occurred when fetching an access token", e);
            return ErrorResponse.error(e.getMessage(), Response.Status.BAD_REQUEST);
        }
    }

    private AccessTokenResponse createAccessToken(UserSessionModel userSessionModel, AccessToken accessToken, TokenConfiguration tokenConfiguration) {
        RealmModel realm = this.session.getContext().getRealm();
        ClientModel clientByClientId = realm.getClientByClientId(accessToken.getIssuedFor());
        LOG.infof("Configurable token requested for username=%s and client=%s on realm=%s", userSessionModel.getUser().getUsername(), clientByClientId.getClientId(), realm.getName());
        AuthenticatedClientSessionModel authenticatedClientSessionByClient = userSessionModel.getAuthenticatedClientSessionByClient(clientByClientId.getId());
        AccessToken createClientAccessToken = this.tokenManager.createClientAccessToken(this.session, realm, clientByClientId, userSessionModel.getUser(), userSessionModel, DefaultClientSessionContext.fromClientSessionScopeParameter(authenticatedClientSessionByClient, this.session));
        updateTokenExpiration(createClientAccessToken, tokenConfiguration);
        updateScope(createClientAccessToken, tokenConfiguration);
        return buildResponse(realm, userSessionModel, clientByClientId, authenticatedClientSessionByClient, createClientAccessToken);
    }

    private AccessToken validateTokenAndUpdateSession(HttpRequest httpRequest) throws ConfigurableTokenException {
        try {
            RealmModel realm = this.session.getContext().getRealm();
            TokenVerifier withChecks = TokenVerifier.create(readAccessTokenFrom(httpRequest), AccessToken.class).withChecks(new TokenVerifier.Predicate[]{TokenVerifier.IS_ACTIVE, new TokenVerifier.RealmUrlCheck(Urls.realmIssuer(this.session.getContext().getUri().getBaseUri(), realm.getName()))});
            withChecks.verifierContext(this.session.getProvider(SignatureProvider.class, withChecks.getHeader().getAlgorithm().name()).verifier(withChecks.getHeader().getKeyId()));
            AccessToken token = withChecks.verify().getToken();
            if (this.tokenManager.checkTokenValidForIntrospection(this.session, realm, token)) {
                return token;
            }
            throw new VerificationException("introspection_failed");
        } catch (VerificationException | OAuthErrorException e) {
            LOG.warn("Keycloak-ConfigurableToken: introspection of token failed", e);
            throw new ConfigurableTokenException("access_token_introspection_failed: " + e.getMessage());
        } catch (ConfigurableTokenException e2) {
            throw e2;
        }
    }

    private String readAccessTokenFrom(HttpRequest httpRequest) throws ConfigurableTokenException {
        String headerString = httpRequest.getHttpHeaders().getHeaderString("Authorization");
        if (headerString == null || !headerString.startsWith("Bearer ")) {
            LOG.warn("Keycloak-ConfigurableToken: no authorization header with bearer token");
            throw new ConfigurableTokenException("bearer_token_missing_in_authorization_header");
        }
        String substring = headerString.substring(7);
        if (!substring.isEmpty()) {
            return substring;
        }
        LOG.warn("Keycloak-ConfigurableToken: empty access token");
        throw new ConfigurableTokenException("missing_access_token");
    }

    private UserSessionModel findSession() throws ConfigurableTokenException {
        AuthenticationManager.AuthResult authenticateBearerToken = new AppAuthManager().authenticateBearerToken(this.session, this.session.getContext().getRealm());
        if (authenticateBearerToken == null) {
            LOG.warn("Keycloak-ConfigurableToken: user not authenticated");
            throw new ConfigurableTokenException("not_authenticated");
        }
        if (authenticateBearerToken.getToken().getRealmAccess() == null) {
            LOG.warn("Keycloak-ConfigurableToken: no realm associated with authorization");
            throw new ConfigurableTokenException("wrong_realm");
        }
        UserModel user = authenticateBearerToken.getUser();
        if (user == null || !user.isEnabled()) {
            LOG.warn("Keycloak-ConfigurableToken: user does not exist or is not enabled");
            throw new ConfigurableTokenException("invalid_user");
        }
        UserSessionModel session = authenticateBearerToken.getSession();
        if (session != null) {
            return session;
        }
        LOG.warn("Keycloak-ConfigurableToken: user does not have any active session");
        throw new ConfigurableTokenException("missing_user_session");
    }

    private Response buildCorsResponse(@Context HttpRequest httpRequest, AccessTokenResponse accessTokenResponse) {
        return Cors.add(httpRequest).auth().allowedMethods(new String[]{"POST"}).auth().exposedHeaders(new String[]{"Access-Control-Allow-Methods", "Access-Control-Allow-Origin"}).allowAllOrigins().builder(Response.ok(accessTokenResponse).type(MediaType.APPLICATION_JSON_TYPE)).build();
    }

    private AccessTokenResponse buildResponse(RealmModel realmModel, UserSessionModel userSessionModel, ClientModel clientModel, AuthenticatedClientSessionModel authenticatedClientSessionModel, AccessToken accessToken) {
        return this.tokenManager.responseBuilder(realmModel, clientModel, new EventBuilder(realmModel, this.session, this.session.getContext().getConnection()), this.session, userSessionModel, DefaultClientSessionContext.fromClientSessionScopeParameter(authenticatedClientSessionModel, this.session)).accessToken(accessToken).build();
    }

    private void updateTokenExpiration(AccessToken accessToken, TokenConfiguration tokenConfiguration) {
        accessToken.expiration(tokenConfiguration.computeTokenExpiration(accessToken.getExpiration(), true));
    }

    private void updateScope(AccessToken accessToken, TokenConfiguration tokenConfiguration) {
        accessToken.setScope((accessToken.getScope() + " " + tokenConfiguration.getScope() + (accessToken.getScope().contains("offline_access") ? " offline_access" : "")).trim());
    }
}
