package org.teiid.spring.keycloak;

import java.io.IOException;
import java.io.InputStream;
import java.util.ArrayList;
import java.util.List;
import java.util.Objects;
import org.apache.http.HttpEntity;
import org.apache.http.HttpResponse;
import org.apache.http.NameValuePair;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.message.BasicNameValuePair;
import org.jboss.logging.Logger;
import org.keycloak.KeycloakPrincipal;
import org.keycloak.OAuth2Constants;
import org.keycloak.adapters.AdapterUtils;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.RefreshableKeycloakSecurityContext;
import org.keycloak.adapters.authentication.ClientCredentialsProviderUtils;
import org.keycloak.adapters.jaas.DirectAccessGrantsLoginModule;
import org.keycloak.adapters.rotation.AdapterTokenVerifier;
import org.keycloak.adapters.springboot.KeycloakSpringBootConfigResolver;
import org.keycloak.adapters.springsecurity.KeycloakAuthenticationException;
import org.keycloak.adapters.springsecurity.account.SimpleKeycloakAccount;
import org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider;
import org.keycloak.adapters.springsecurity.token.KeycloakAuthenticationToken;
import org.keycloak.common.VerificationException;
import org.keycloak.common.util.KeycloakUriBuilder;
import org.keycloak.constants.ServiceUrlConstants;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.AccessTokenResponse;
import org.keycloak.representations.idm.OAuth2ErrorRepresentation;
import org.keycloak.util.JsonSerialization;
import org.springframework.security.authentication.AuthenticationCredentialsNotFoundException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;

/* loaded from: input_file:BOOT-INF/lib/spring-keycloak-1.1.1.fuse-740014-redhat-00001.jar:org/teiid/spring/keycloak/KeycloakDirectAccessGrantAuthenticationProvider.class */
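/**
 * Spring Security {@code AuthenticationProvider} that authenticates a
 * {@link UsernamePasswordAuthenticationToken} by exchanging the user name and
 * password for tokens at the Keycloak token endpoint using the OAuth2
 * Resource Owner Password Credentials grant ({@code grant_type=password}).
 *
 * <p>Security notes:
 * <ul>
 *   <li>The clear-text password is forwarded to the auth server; the
 *       {@code auth-server-url} of the resolved deployment must therefore be
 *       an {@code https} URL. Nothing here enforces that.</li>
 *   <li>The returned access token is verified (signature, issuer, expiry) via
 *       {@link AdapterTokenVerifier} before any claim is trusted.</li>
 *   <li>Credentials are never logged; only the token endpoint's error code
 *       and description are logged and surfaced in the thrown exception.</li>
 *   <li>The resulting security context holds no refresh token, so the adapter
 *       cannot refresh it later.</li>
 * </ul>
 *
 * <p>Changes versus the earlier revision: the HTTP response body stream is
 * closed (previously the connection could be held open), the logger is
 * registered under this class instead of the Keycloak JAAS module, a token
 * response without an access token is rejected explicitly, and an
 * unparseable error body no longer hides the HTTP status in the exception.
 */
public class KeycloakDirectAccessGrantAuthenticationProvider extends KeycloakAuthenticationProvider {

    /** Log under this class rather than the JAAS module this code was modelled on. */
    private static final Logger log = Logger.getLogger(KeycloakDirectAccessGrantAuthenticationProvider.class);

    private final KeycloakSpringBootConfigResolver resolver;

    /** Lazily resolved on first authentication; see {@link #resolveDeployment()}. */
    private KeycloakDeployment deployment;

    /** Optional OAuth2 {@code scope} parameter; sent verbatim when non-null. */
    private String scope;

    /**
     * @param keycloakSpringBootConfigResolver resolver used to obtain the
     *        {@link KeycloakDeployment} (realm, auth-server URL, client credentials, HTTP client)
     * @throws NullPointerException if the resolver is null
     */
    public KeycloakDirectAccessGrantAuthenticationProvider(KeycloakSpringBootConfigResolver keycloakSpringBootConfigResolver) {
        this.resolver = Objects.requireNonNull(keycloakSpringBootConfigResolver, "keycloakSpringBootConfigResolver");
    }

    /**
     * Sets the OAuth2 {@code scope} value added to the token request.
     *
     * @param str scope string, or {@code null} to send no scope parameter
     */
    public void setScope(String str) {
        this.scope = str;
    }

    /**
     * Handles only user-name/password tokens (and subclasses), unlike the base
     * provider which handles {@link KeycloakAuthenticationToken}.
     */
    @Override // org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider, org.springframework.security.authentication.AuthenticationProvider
    public boolean supports(Class<?> cls) {
        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(cls);
    }

    /**
     * Exchanges the token's principal name and credentials for a verified
     * Keycloak authentication.
     *
     * @param authentication a {@link UsernamePasswordAuthenticationToken}; the
     *        cast relies on {@link #supports(Class)} being honoured by the caller
     * @return the authenticated {@link KeycloakAuthenticationToken}
     * @throws AuthenticationCredentialsNotFoundException if the token carries no credentials
     * @throws KeycloakAuthenticationException wrapping any I/O or token-verification failure;
     *         its message may include the auth server's error description
     */
    @Override // org.keycloak.adapters.springsecurity.authentication.KeycloakAuthenticationProvider, org.springframework.security.authentication.AuthenticationProvider
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        resolveDeployment();
        UsernamePasswordAuthenticationToken token = (UsernamePasswordAuthenticationToken) authentication;
        Object credentials = token.getCredentials();
        if (credentials == null) {
            throw new AuthenticationCredentialsNotFoundException("No credentials supplied for direct access grant");
        }
        try {
            return directGrantAuth(token.getName(), credentials.toString());
        } catch (IOException | VerificationException e) {
            throw new KeycloakAuthenticationException(e.getMessage(), e);
        }
    }

    /**
     * Resolves the deployment on first use and caches it in {@link #deployment}.
     * NOTE(review): unsynchronized; assumes {@code resolver.resolve(null)} is
     * idempotent so a concurrent double-resolve is harmless — confirm.
     */
    private void resolveDeployment() {
        if (this.deployment == null) {
            this.deployment = this.resolver.resolve(null);
        }
    }

    /**
     * Posts a {@code grant_type=password} request to the realm's token endpoint
     * and verifies the returned access token.
     *
     * @param username value of the {@code username} form field
     * @param password value of the {@code password} form field (sent in clear text to the auth server)
     * @return the authentication built by {@link #postTokenVerification(String, AccessToken)}
     * @throws IOException on transport failure, a non-200 status (message carries the
     *         status and, when parseable, the OAuth2 error/description), or a missing body
     * @throws VerificationException if the access token is absent or fails verification
     */
    protected Authentication directGrantAuth(String username, String password) throws IOException, VerificationException {
        HttpPost post = new HttpPost(KeycloakUriBuilder.fromUri(this.deployment.getAuthServerBaseUrl())
                .path(ServiceUrlConstants.TOKEN_PATH)
                .build(this.deployment.getRealm()));

        List<NameValuePair> form = new ArrayList<>();
        form.add(new BasicNameValuePair(OAuth2Constants.GRANT_TYPE, "password"));
        form.add(new BasicNameValuePair("username", username));
        form.add(new BasicNameValuePair("password", password));
        if (this.scope != null) {
            form.add(new BasicNameValuePair("scope", this.scope));
        }
        // Adds the client's own credentials (form fields and/or headers) per the deployment config.
        ClientCredentialsProviderUtils.setClientCredentials(this.deployment, post, form);
        post.setEntity(new UrlEncodedFormEntity(form, "UTF-8"));

        HttpResponse response = this.deployment.getClient().execute(post);
        int status = response.getStatusLine().getStatusCode();
        HttpEntity entity = response.getEntity();

        if (status == 200) {
            if (entity == null) {
                throw new IOException("No Entity");
            }
            AccessTokenResponse tokenResponse = readJson(entity, AccessTokenResponse.class);
            String accessTokenString = tokenResponse.getToken();
            if (accessTokenString == null) {
                // Don't hand a null token to the verifier; fail with a clear cause instead.
                throw new VerificationException("Token response contained no access token");
            }
            // Verify signature, issuer and expiry against the realm keys before trusting any claim.
            AccessToken verified = AdapterTokenVerifier
                    .verifyTokens(accessTokenString, tokenResponse.getIdToken(), this.deployment)
                    .getAccessToken();
            return postTokenVerification(accessTokenString, verified);
        }

        String message = describeFailure(status, entity);
        log.warn(message);
        throw new IOException(message);
    }

    /**
     * Deserializes the entity body as JSON, closing the content stream so the
     * underlying HTTP connection is released even on a parse error.
     */
    private static <T> T readJson(HttpEntity entity, Class<T> type) throws IOException {
        try (InputStream in = entity.getContent()) {
            return JsonSerialization.readValue(in, type);
        }
    }

    /**
     * Builds the failure message for a non-200 token response. The HTTP status
     * is always included; the OAuth2 error and description are appended when the
     * body parses as an {@link OAuth2ErrorRepresentation}, otherwise the parse
     * problem is appended rather than replacing the status information.
     */
    private static String describeFailure(int status, HttpEntity entity) {
        StringBuilder sb = new StringBuilder("Login failed. Invalid status: " + status);
        if (entity != null) {
            try {
                OAuth2ErrorRepresentation error = readJson(entity, OAuth2ErrorRepresentation.class);
                sb.append(", OAuth2 error. Error: " + error.getError())
                  .append(", Error description: " + error.getErrorDescription());
            } catch (IOException e) {
                sb.append(", error body could not be parsed: ").append(e.getMessage());
            }
        }
        return sb.toString();
    }

    /**
     * Wraps a verified access token in a Keycloak security context and account
     * and hands it to the base provider, so its authority mapping is applied.
     *
     * @param tokenString the raw (already verified) access token
     * @param accessToken the parsed, verified access token
     * @return the authentication produced by {@code super.authenticate}
     */
    protected Authentication postTokenVerification(String tokenString, AccessToken accessToken) {
        // Null id token / refresh token / refresh-token string: this context cannot be refreshed.
        RefreshableKeycloakSecurityContext ctx =
                new RefreshableKeycloakSecurityContext(this.deployment, null, tokenString, accessToken, null, null, null);
        String principalName = AdapterUtils.getPrincipalName(this.deployment, accessToken);
        KeycloakPrincipal<RefreshableKeycloakSecurityContext> principal = new KeycloakPrincipal<>(principalName, ctx);
        SimpleKeycloakAccount account =
                new SimpleKeycloakAccount(principal, AdapterUtils.getRolesFromSecurityContext(ctx), ctx);
        // interactive=false: this is a direct (non-browser) grant.
        return super.authenticate(new KeycloakAuthenticationToken(account, false));
    }
}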
