package org.wildfly.security.auth.realm.token.validator;

import java.io.BufferedInputStream;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.io.UnsupportedEncodingException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.json.Json;
import javax.json.JsonObject;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import org.keycloak.common.constants.ServiceAccountConstants;
import org.springframework.security.web.server.ServerHttpBasicAuthenticationConverter;
import org.wildfly.common.Assert;
import org.wildfly.common.bytes.ByteStringBuilder;
import org.wildfly.common.iteration.CodePointIterator;
import org.wildfly.security.auth.realm.token.TokenValidator;
import org.wildfly.security.auth.realm.token._private.ElytronMessages;
import org.wildfly.security.auth.server.RealmUnavailableException;
import org.wildfly.security.authz.Attributes;
import org.wildfly.security.evidence.BearerTokenEvidence;
import org.wildfly.security.json.util.JsonUtil;
import org.wildfly.security.x500.cert.acme.Acme;

/* JADX WARN: Classes with same name are omitted:
  input_file:BOOT-INF/lib/wildfly-elytron-1.12.1.Final.jar:org/wildfly/security/auth/realm/token/validator/OAuth2IntrospectValidator.class
 */
/* loaded from: input_file:BOOT-INF/lib/wildfly-elytron-realm-token-1.12.1.Final.jar:org/wildfly/security/auth/realm/token/validator/OAuth2IntrospectValidator.class */
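/**
 * {@link TokenValidator} that checks a bearer token against an OAuth2 token
 * introspection endpoint (RFC 7662).
 *
 * <p>The token is POSTed as {@code application/x-www-form-urlencoded} with the
 * configured client credentials sent as HTTP Basic authentication. The JSON
 * response is accepted only when its {@code active} member is {@code true};
 * anything else (including an HTTP error response from the endpoint) makes
 * {@link #validate(BearerTokenEvidence)} return {@code null}, i.e. the token is
 * treated as invalid (fail-closed).
 *
 * <p>Instances hold only final fields and are safe to share once built.
 */
public class OAuth2IntrospectValidator implements TokenValidator {
    private final URL tokenIntrospectionUrl;
    private final String clientId;
    private final String clientSecret;
    private final SSLContext sslContext;
    private final HostnameVerifier hostnameVerifier;

    /* loaded from: input_file:BOOT-INF/lib/wildfly-elytron-realm-token-1.12.1.Final.jar:org/wildfly/security/auth/realm/token/validator/OAuth2IntrospectValidator$Builder.class */
    /**
     * Fluent builder for {@link OAuth2IntrospectValidator}; obtain one through
     * {@link OAuth2IntrospectValidator#builder()}.
     *
     * <p>{@code tokenIntrospectionUrl}, {@code clientId} and {@code clientSecret}
     * are mandatory; an {@code SSLContext} is mandatory when the URL uses
     * {@code https}. A missing hostname verifier leaves the JDK default in place.
     */
    public static class Builder {
        private String clientId;
        private String clientSecret;
        private URL tokenIntrospectionUrl;
        private SSLContext sslContext;
        private HostnameVerifier hostnameVerifier;

        private Builder() {
        }

        /**
         * Sets the introspection endpoint that will be POSTed to.
         *
         * @param url the endpoint URL (required)
         * @return this builder
         */
        public Builder tokenIntrospectionUrl(URL url) {
            this.tokenIntrospectionUrl = url;
            return this;
        }

        /**
         * Sets the client identifier used for HTTP Basic authentication against the endpoint.
         *
         * @param clientId the client id (required)
         * @return this builder
         */
        public Builder clientId(String clientId) {
            this.clientId = clientId;
            return this;
        }

        /**
         * Sets the client secret used for HTTP Basic authentication against the endpoint.
         *
         * @param clientSecret the client secret (required)
         * @return this builder
         */
        public Builder clientSecret(String clientSecret) {
            this.clientSecret = clientSecret;
            return this;
        }

        /**
         * Sets the {@link SSLContext} whose socket factory is installed on {@code https} connections.
         *
         * @param sslContext the context (required when the endpoint URL is {@code https})
         * @return this builder
         */
        public Builder useSslContext(SSLContext sslContext) {
            this.sslContext = sslContext;
            return this;
        }

        /**
         * Sets a custom {@link HostnameVerifier} for {@code https} connections.
         *
         * @param hostnameVerifier the verifier, or {@code null} to keep the JDK default
         * @return this builder
         */
        public Builder useSslHostnameVerifier(HostnameVerifier hostnameVerifier) {
            this.hostnameVerifier = hostnameVerifier;
            return this;
        }

        /**
         * Creates the validator.
         *
         * @return a new validator
         * @throws IllegalArgumentException if a required value is missing
         */
        public OAuth2IntrospectValidator build() {
            return new OAuth2IntrospectValidator(this);
        }
    }

    /**
     * Returns a new {@link Builder}.
     *
     * @return a fresh builder
     */
    public static Builder builder() {
        return new Builder();
    }

    /**
     * Copies and validates the builder state.
     *
     * <p>An {@code SSLContext} is only required for {@code https} endpoints; note
     * that an {@code http} endpoint will transmit the client secret and the
     * introspected token in clear text.
     *
     * @param builder the populated builder
     */
    OAuth2IntrospectValidator(Builder builder) {
        this.tokenIntrospectionUrl = Assert.checkNotNullParam("tokenIntrospectionUrl", builder.tokenIntrospectionUrl);
        this.clientId = Assert.checkNotNullParam("clientId", builder.clientId);
        this.clientSecret = Assert.checkNotNullParam("clientSecret", builder.clientSecret);
        if (isHttps(this.tokenIntrospectionUrl)) {
            Assert.checkNotNullParam("sslContext", builder.sslContext);
        }
        this.sslContext = builder.sslContext;
        this.hostnameVerifier = builder.hostnameVerifier;
    }

    /**
     * Introspects the bearer token and converts the endpoint's response into attributes.
     *
     * @param bearerTokenEvidence the evidence carrying the token (required)
     * @return the introspection response as attributes when the token is active,
     *         {@code null} when it is inactive or the endpoint answered with an HTTP error
     * @throws RealmUnavailableException if the endpoint could not be reached or its
     *         response could not be read
     */
    @Override
    public Attributes validate(BearerTokenEvidence bearerTokenEvidence) throws RealmUnavailableException {
        Assert.checkNotNullParam("evidence", bearerTokenEvidence);
        try {
            JsonObject response = introspectAccessToken(this.tokenIntrospectionUrl, this.clientId, this.clientSecret,
                    bearerTokenEvidence.getToken(), this.sslContext, this.hostnameVerifier);
            return isValidToken(response) ? JsonUtil.toAttributes(response) : null;
        } catch (RealmUnavailableException e) {
            // Already logged and wrapped by introspectAccessToken; do not wrap it a second time.
            throw e;
        } catch (Exception e) {
            throw ElytronMessages.log.tokenRealmOAuth2TokenIntrospectionFailed(e);
        }
    }

    /**
     * Applies the RFC 7662 acceptance rule: the response must exist and carry {@code "active": true}.
     * A missing or non-boolean {@code active} member counts as inactive.
     */
    private boolean isValidToken(JsonObject response) {
        return response != null && response.getBoolean("active", false);
    }

    /**
     * Performs the introspection request.
     *
     * @return the parsed JSON response, or {@code null} when the endpoint replied
     *         with an HTTP error status whose body could be read (the body is logged)
     * @throws RealmUnavailableException on any transport or parsing failure
     */
    private JsonObject introspectAccessToken(URL url, String clientId, String clientSecret, String token,
            SSLContext sslContext, HostnameVerifier hostnameVerifier) throws RealmUnavailableException {
        Assert.checkNotNullParam("clientId", clientId);
        Assert.checkNotNullParam("clientSecret", clientSecret);
        Assert.checkNotNullParam("token", token);
        HttpURLConnection connection = null;
        try {
            // Keep the connection in scope of the catch block so an error body can be reported.
            connection = openConnection(url, sslContext, hostnameVerifier);

            Map<String, String> parameters = new HashMap<>();
            parameters.put("token", token);
            parameters.put("token_type_hint", "access_token");
            byte[] body = buildParameters(parameters);

            connection.setDoOutput(true);
            connection.setRequestMethod("POST");
            connection.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
            // HttpURLConnection computes Content-Length from the buffered body itself; this
            // explicit header is retained from the original request set-up as a hint only.
            connection.setRequestProperty("Content-Length", String.valueOf(body.length));
            connection.setRequestProperty("Authorization", basicAuthorization(clientId, clientSecret));
            // NOTE(review): no connect/read timeout is configured, so a stalled endpoint blocks
            // the authenticating thread — confirm the deployment bounds this elsewhere.

            try (OutputStream out = connection.getOutputStream()) {
                out.write(body);
            }
            try (BufferedInputStream in = new BufferedInputStream(connection.getInputStream())) {
                return Json.createReader(in).readObject();
            }
        } catch (IOException e) {
            if (connection == null || connection.getErrorStream() == null) {
                throw ElytronMessages.log.tokenRealmOAuth2TokenIntrospectionFailed(e);
            }
            // The endpoint answered with an HTTP error status: log its body and report the
            // token as invalid. Callers see null, which validate() turns into a rejection.
            try (BufferedReader reader = new BufferedReader(
                    new InputStreamReader(connection.getErrorStream(), StandardCharsets.UTF_8))) {
                ElytronMessages.log.errorf(e, "Unexpected response from token introspection endpoint [%s]. Response: [%s]",
                        url, readFully(reader));
                return null;
            } catch (IOException errorBodyFailure) {
                throw ElytronMessages.log.tokenRealmOAuth2TokenIntrospectionFailed(e);
            }
        } catch (Exception e) {
            throw ElytronMessages.log.tokenRealmOAuth2TokenIntrospectionFailed(e);
        }
    }

    /**
     * Opens the connection, installing the configured socket factory and hostname verifier
     * for {@code https} URLs. When no verifier is configured the JDK default remains active.
     *
     * @throws IOException if the connection cannot be opened
     */
    private HttpURLConnection openConnection(URL url, SSLContext sslContext, HostnameVerifier hostnameVerifier) throws IOException {
        Assert.checkNotNullParam("url", url);
        ElytronMessages.log.debugf("Opening connection to token introspection endpoint [%s]", url);
        HttpURLConnection connection = (HttpURLConnection) url.openConnection();
        if (isHttps(url)) {
            HttpsURLConnection secureConnection = (HttpsURLConnection) connection;
            // The constructor guarantees a non-null sslContext for https endpoints.
            secureConnection.setSSLSocketFactory(sslContext.getSocketFactory());
            if (hostnameVerifier != null) {
                secureConnection.setHostnameVerifier(hostnameVerifier);
            }
        }
        return connection;
    }

    /**
     * Encodes the parameters as an {@code application/x-www-form-urlencoded} body.
     * Keys and values are percent-encoded so a token containing {@code &} or {@code =}
     * cannot break the request structure.
     *
     * @throws UnsupportedEncodingException never in practice, UTF-8 is always available
     */
    private static byte[] buildParameters(Map<String, String> parameters) throws UnsupportedEncodingException {
        StringBuilder form = new StringBuilder();
        for (Map.Entry<String, String> entry : parameters.entrySet()) {
            if (form.length() > 0) {
                form.append('&');
            }
            form.append(URLEncoder.encode(entry.getKey(), StandardCharsets.UTF_8.name()))
                .append('=')
                .append(URLEncoder.encode(entry.getValue(), StandardCharsets.UTF_8.name()));
        }
        return form.toString().getBytes(StandardCharsets.UTF_8);
    }

    /**
     * Builds the {@code Authorization} header value for HTTP Basic client authentication.
     *
     * <p>NOTE(review): RFC 6749 §2.3.1 form-urlencodes the id and secret before the
     * Base64 step; this sends them raw, as the original did — confirm against the
     * server if the secret contains reserved characters.
     */
    private static String basicAuthorization(String clientId, String clientSecret) {
        String credentials = clientId + ":" + clientSecret;
        return "Basic " + Base64.getEncoder().encodeToString(credentials.getBytes(StandardCharsets.UTF_8));
    }

    /** Concatenates every line of the reader, mirroring the original line-join used for error bodies. */
    private static String readFully(BufferedReader reader) throws IOException {
        StringBuilder text = new StringBuilder();
        String line;
        while ((line = reader.readLine()) != null) {
            text.append(line);
        }
        return text.toString();
    }

    /** True when the URL's scheme is {@code https} (case-insensitive). */
    private static boolean isHttps(URL url) {
        return url.getProtocol().equalsIgnoreCase("https");
    }
}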
