package org.keycloak.protocol.oidc;

import com.fasterxml.jackson.databind.node.ObjectNode;
import jakarta.ws.rs.core.Response;
import org.jboss.logging.Logger;
import org.keycloak.TokenVerifier;
import org.keycloak.common.VerificationException;
import org.keycloak.crypto.SignatureProvider;
import org.keycloak.events.EventBuilder;
import org.keycloak.keys.Attributes;
import org.keycloak.models.AuthenticatedClientSessionModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.ImpersonationSessionNote;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.representations.AccessToken;
import org.keycloak.services.Urls;
import org.keycloak.services.util.DefaultClientSessionContext;
import org.keycloak.util.JsonSerialization;
import org.keycloak.utils.MediaType;

/* loaded from: input_file:org/keycloak/protocol/oidc/AccessTokenIntrospectionProvider.class */
public class AccessTokenIntrospectionProvider implements TokenIntrospectionProvider {
    private static final Logger logger = Logger.getLogger(AccessTokenIntrospectionProvider.class);

    /** Client attribute that opts a client into receiving the re-encoded token in the {@code jwt} claim. */
    private static final String ALLOW_JWT_CLAIM_ATTRIBUTE = "client.introspection.response.allow.jwt.claim.enabled";
    /** Event error code recorded whenever introspection does not yield an active token. */
    private static final String TOKEN_INTROSPECTION_FAILED = "token_introspection_failed";

    private final KeycloakSession session;
    private final RealmModel realm;
    private final TokenManager tokenManager = new TokenManager();

    /**
     * Creates a provider bound to the realm of the current session context.
     *
     * @param keycloakSession the current Keycloak session; its context realm is captured once here
     */
    public AccessTokenIntrospectionProvider(KeycloakSession keycloakSession) {
        this.session = keycloakSession;
        this.realm = keycloakSession.getContext().getRealm();
    }

    /**
     * Produces the introspection response for the supplied token string.
     * <p>
     * The token is first checked for signature and issuer ({@link #verifyAccessToken}) and then resolved to a
     * user session through {@link TokenManager#getValidUserSessionIfTokenIsValid}. A token that maps to a session
     * is reported as active; its claims (after {@link #transformAccessToken}) form the body together with
     * {@code client_id}, {@code username}, {@code token_type} and, for impersonated sessions, {@code act.sub}.
     * Otherwise the body carries only {@code active: false} and a {@code token_introspection_failed} event is
     * recorded.
     *
     * @param str          the raw access token string submitted to the introspection endpoint
     * @param eventBuilder event sink; receives failure details and error codes
     * @return a 200 JSON response holding the introspection body
     * @throws RuntimeException if building the response fails for any reason; the cause is attached and the
     *                          failure is recorded on {@code eventBuilder} before rethrowing
     */
    public Response introspect(String str, EventBuilder eventBuilder) {
        AccessToken token = null;
        try {
            token = verifyAccessToken(str, eventBuilder, false);
            UserSessionModel userSession = this.tokenManager.getValidUserSessionIfTokenIsValid(this.session, this.realm, token, eventBuilder);
            // NOTE(review): assumes the endpoint already authenticated the caller and put it in the context;
            // the attribute lookup in jwtResponseRequested dereferences this without a null check — confirm.
            ClientModel callingClient = this.session.getContext().getClient();
            boolean active = userSession != null;

            ObjectNode body;
            if (active) {
                token = transformAccessToken(token, userSession);
                body = JsonSerialization.createObjectNode(token);
                body.put("client_id", token.getIssuedFor());
                // A present-but-blank scope is dropped rather than echoed back as an empty string.
                String scope = token.getScope();
                if (scope != null && scope.trim().isEmpty()) {
                    body.remove("scope");
                }
                if (!body.has("username")) {
                    putUsername(body, token, userSession);
                }
                // Impersonated sessions surface the acting user under act.sub.
                String impersonator = userSession.getNote(ImpersonationSessionNote.IMPERSONATOR_USERNAME.toString());
                if (impersonator != null) {
                    body.putObject("act").put("sub", impersonator);
                }
                body.put("token_type", token.getType());
            } else {
                body = JsonSerialization.createObjectNode();
                logger.debug("Keycloak token introspection return false");
                eventBuilder.error(TOKEN_INTROSPECTION_FAILED);
            }
            body.put(Attributes.ACTIVE_KEY, active);

            // NOTE(review): this branch is outside the active check, so an opted-in client also receives a
            // re-encoded "jwt" claim when active is false — confirm that this is the intended contract.
            if (jwtResponseRequested(callingClient)) {
                body.put("jwt", this.session.tokens().encode(token));
            }
            return Response.ok(JsonSerialization.writeValueAsBytes(body))
                    .type(jakarta.ws.rs.core.MediaType.APPLICATION_JSON_TYPE)
                    .build();
        } catch (Exception e) {
            String clientId = token != null ? token.getIssuedFor() : "unknown";
            logger.debugf(e, "Exception during Keycloak introspection for %s client in realm %s", clientId, this.realm.getName());
            eventBuilder.detail("reason", e.getMessage());
            eventBuilder.error(TOKEN_INTROSPECTION_FAILED);
            throw new RuntimeException("Error creating token introspection response.", e);
        }
    }

    /**
     * Fills {@code username} from the token's {@code preferred_username}, falling back to the session user's
     * username; leaves the field absent when neither is available.
     */
    private static void putUsername(ObjectNode body, AccessToken token, UserSessionModel userSession) {
        String preferred = token.getPreferredUsername();
        if (preferred != null) {
            body.put("username", preferred);
            return;
        }
        UserModel user = userSession.getUser();
        if (user != null) {
            body.put("username", user.getUsername());
        }
    }

    /**
     * True when the request's {@code Accept} header asks for {@code application/jwt} and the calling client
     * carries the opt-in attribute. The attribute is only consulted after the header matches.
     */
    private boolean jwtResponseRequested(ClientModel client) {
        String accept = this.session.getContext().getRequestHeaders().getHeaderString("Accept");
        return MediaType.APPLICATION_JWT.equals(accept)
                && Boolean.parseBoolean(client.getAttribute(ALLOW_JWT_CLAIM_ATTRIBUTE));
    }

    /**
     * Re-derives the introspected token from the user session.
     * <p>
     * The client session belonging to the token's {@code azp} client is looked up; without one the token is
     * returned as presented. Otherwise a client-session context is built from the token's scope and
     * {@link TokenManager#transformIntrospectionAccessToken} is applied to a reduced copy of the token
     * ({@link #getAccessTokenFromStoredData}).
     *
     * @param accessToken      the verified token to transform
     * @param userSessionModel the user session the token was resolved to
     * @return the transformed token, or {@code accessToken} itself when no client session exists
     */
    public AccessToken transformAccessToken(AccessToken accessToken, UserSessionModel userSessionModel) {
        // NOTE(review): the client lookup result is dereferenced directly; if the azp client no longer exists
        // this throws and introspect() reports a generic failure — confirm that is acceptable.
        String clientUuid = this.realm.getClientByClientId(accessToken.getIssuedFor()).getId();
        AuthenticatedClientSessionModel clientSession = userSessionModel.getAuthenticatedClientSessionByClient(clientUuid);
        if (clientSession == null) {
            return accessToken;
        }
        DefaultClientSessionContext clientSessionCtx = DefaultClientSessionContext.fromClientSessionAndScopeParameter(clientSession, accessToken.getScope(), this.session);
        AccessToken reduced = getAccessTokenFromStoredData(accessToken);
        return this.tokenManager.transformIntrospectionAccessToken(this.session, reduced, userSessionModel, clientSessionCtx);
    }

    /**
     * Copies only the core claims of {@code accessToken} into a fresh token: id, type, subject, iat, exp,
     * issuedFor, issuer, nonce, scope, session id, audience and confirmation. Every other claim on the presented
     * token is intentionally left out so the transformation starts from this reduced set.
     *
     * @param accessToken the token to copy from
     * @return a new token carrying only the claims listed above
     */
    private AccessToken getAccessTokenFromStoredData(AccessToken accessToken) {
        AccessToken copy = new AccessToken();
        // Identity and lifetime claims.
        copy.id(accessToken.getId());
        copy.type(accessToken.getType());
        copy.subject(accessToken.getSubject());
        copy.iat(accessToken.getIat());
        copy.exp(accessToken.getExp());
        // Issuer / audience claims.
        copy.issuedFor(accessToken.getIssuedFor());
        copy.issuer(accessToken.getIssuer());
        copy.audience(accessToken.getAudience());
        // Session-bound claims.
        copy.setNonce(accessToken.getNonce());
        copy.setScope(accessToken.getScope());
        copy.setSessionId(accessToken.getSessionId());
        copy.setConfirmation(accessToken.getConfirmation());
        return copy;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Parses and verifies the token string.
     * <p>
     * Verification here covers the signature (using the {@link SignatureProvider} selected by the header's
     * algorithm and key id) and the issuer (the realm issuer URL). When {@code z} is true the result is
     * additionally passed through {@link TokenManager#checkTokenValidForIntrospection}; when false no further
     * validity check happens in this method.
     *
     * @param str          the raw token string
     * @param eventBuilder event sink; receives a {@code reason} detail when the JWT check fails
     * @param z            whether to also run the token-manager validity check for introspection
     * @return the verified token (or the token-manager result when {@code z} is true); {@code null} when the
     *         JWT check fails
     */
    public AccessToken verifyAccessToken(String str, EventBuilder eventBuilder, boolean z) {
        try {
            String issuer = Urls.realmIssuer(this.session.getContext().getUri().getBaseUri(), this.realm.getName());
            TokenVerifier<AccessToken> verifier = TokenVerifier.create(str, AccessToken.class).realmUrl(issuer);
            // The signature verifier is chosen from the token's own header (alg + kid) via the realm's providers.
            var header = verifier.getHeader();
            verifier.verifierContext(
                    this.session.getProvider(SignatureProvider.class, header.getAlgorithm().name())
                            .verifier(header.getKeyId()));
            AccessToken verified = verifier.verify().getToken();
            if (!z) {
                return verified;
            }
            return this.tokenManager.checkTokenValidForIntrospection(this.session, this.realm, verified, eventBuilder);
        } catch (VerificationException e) {
            logger.debugf("Introspection access token : JWT check failed: %s", e.getMessage());
            eventBuilder.detail("reason", "Access token JWT check failed");
            return null;
        }
    }

    /** Nothing to release; the provider holds no resources of its own. */
    public void close() {
    }
}
