package org.keycloak.secretstore.api;

import com.google.common.net.HttpHeaders;
import io.undertow.server.HttpServerExchange;
import io.undertow.util.HeaderValues;
import io.undertow.util.HttpString;
import java.io.StringReader;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.time.ZonedDateTime;
import java.util.Base64;
import java.util.UUID;
import java.util.regex.Pattern;
import javax.annotation.security.PermitAll;
import javax.ejb.Singleton;
import javax.inject.Inject;
import javax.json.Json;
import javax.json.JsonObject;
import javax.json.JsonReader;
import org.keycloak.secretstore.api.internal.MsgLogger;
import org.keycloak.secretstore.common.AuthServerRequestExecutor;
import org.keycloak.secretstore.common.AuthServerUrl;
import org.keycloak.secretstore.common.RealmName;

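@Singleton
@PermitAll
/* loaded from: input_file:WEB-INF/lib/secret-store-api-1.0.10.Final.jar:org/keycloak/secretstore/api/RequestRewriter.class */
/**
 * Rewrites an incoming {@code Authorization: Basic <key>:<secret>} header, where {@code key} is a
 * secret-store token id, into {@code Authorization: Bearer <access token>} obtained from the auth
 * server's token endpoint using the stored refresh token.
 *
 * <p>Requests that do not carry a Basic header shaped like a secret-store token are passed through
 * unchanged. Requests that do carry one but fail validation (unknown, expired, or no bearer token
 * obtainable) are ended with 403 and {@code null} is returned so the caller does not forward them.
 */
public class RequestRewriter {
    /** Lower-case RFC 4122 text layout; the key must look like a UUID before any lookup is attempted. */
    private static final Pattern UUID_PATTERN = Pattern.compile("[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}");
    private static final String BASIC_SCHEME = "Basic";
    private static final String BEARER_PREFIX = "Bearer ";
    private static final int FORBIDDEN = 403;
    private final MsgLogger logger = MsgLogger.LOGGER;

    /** Realm whose OpenID Connect token endpoint is called in {@link #getBearerToken(Token)}. */
    @Inject
    @RealmName
    String realmName;

    /** Base URL of the auth server; {@code /realms/<realm>/protocol/openid-connect/token} is appended. */
    @Inject
    @AuthServerUrl
    String authServerUrl;

    /** Executes the HTTP call to the auth server and returns the response body as a string. */
    @Inject
    AuthServerRequestExecutor authServerRequestExecutor;

    /** Looks up and validates secret-store tokens by id and secret. */
    @Inject
    TokenService tokenService;

    /**
     * Replaces a secret-store Basic credential with a Bearer access token on the given exchange.
     *
     * @param httpServerExchange the request to inspect and possibly rewrite in place
     * @return {@code httpServerExchange} (rewritten, or unchanged when the header is absent, not
     *         Basic, malformed, or the key does not look like a UUID); {@code null} when the
     *         exchange has been ended with 403 and must not be forwarded
     * @throws Exception if token validation or the auth-server call fails; unlike the
     *         "not a UUID" case these are not swallowed, so a backend failure does not silently
     *         forward the request with its original credentials
     */
    public HttpServerExchange rewrite(HttpServerExchange httpServerExchange) throws Exception {
        HeaderValues headerValues = httpServerExchange.getRequestHeaders().get(HttpHeaders.AUTHORIZATION);
        if (headerValues == null || headerValues.size() < 1) {
            this.logger.noAuthorizationHeader();
            return httpServerExchange;
        }
        String first = headerValues.getFirst();
        String[] schemeAndCredentials = first.trim().split("\\s+");
        if (schemeAndCredentials.length != 2) {
            this.logger.authorizationHeaderInvalid(first);
            return httpServerExchange;
        }
        if (!BASIC_SCHEME.equalsIgnoreCase(schemeAndCredentials[0])) {
            this.logger.noBasicAuth();
            return httpServerExchange;
        }
        String[] credentials = decodeBasicCredentials(schemeAndCredentials[1]);
        if (credentials == null) {
            // Malformed Base64 or no ':' separator. The payload is credential material, so it is
            // deliberately not written to the log.
            this.logger.authorizationHeaderInvalid(schemeAndCredentials[0] + " <credentials redacted>");
            return httpServerExchange;
        }
        String key = credentials[0];
        String secret = credentials[1];
        if (key.isEmpty()) {
            this.logger.keyIsEmpty();
            return httpServerExchange;
        }
        if (!UUID_PATTERN.matcher(key).matches()) {
            this.logger.notLikeUUID(key);
            return httpServerExchange;
        }
        UUID tokenId;
        try {
            tokenId = UUID.fromString(key);
        } catch (IllegalArgumentException e) {
            // Only the parse is guarded here; the former catch-all Throwable mislabelled every
            // downstream failure as "not a UUID" and passed the request through.
            this.logger.notAnUUID(key);
            return httpServerExchange;
        }
        Token token = this.tokenService.validate(tokenId, secret);
        if (token == null) {
            this.logger.tokenNotFound(key);
            return reject(httpServerExchange);
        }
        // Take "now" once so the check and the log line agree on the instant.
        ZonedDateTime now = ZonedDateTime.now();
        ZonedDateTime expiresAt = token.getExpiresAt();
        if (expiresAt != null && now.isAfter(expiresAt)) {
            this.logger.tokenExpired(token.getId().toString(), expiresAt.toString(), now.toString());
            return reject(httpServerExchange);
        }
        String bearerToken = getBearerToken(token);
        if (bearerToken == null) {
            this.logger.cannotGetBearerToken(token.getId().toString());
            return reject(httpServerExchange);
        }
        // The access token is itself a credential: record that the replacement happened, not its value.
        this.logger.tokenReplaced(token.getId().toString(), "<redacted>");
        httpServerExchange.getRequestHeaders().remove(HttpHeaders.AUTHORIZATION);
        httpServerExchange.getRequestHeaders().put(new HttpString(HttpHeaders.AUTHORIZATION), BEARER_PREFIX + bearerToken);
        // NOTE(review): attribute names become request header names verbatim, so an attribute named
        // like Authorization would replace the bearer header just set — confirm the token store
        // constrains attribute names.
        token.getAttributes().forEach((headerName, headerValue) -> {
            httpServerExchange.getRequestHeaders().remove(headerName);
            httpServerExchange.getRequestHeaders().put(new HttpString(headerName), headerValue);
        });
        return httpServerExchange;
    }

    /**
     * Decodes the Base64 payload of a Basic header into {@code {key, secret}}.
     *
     * @param encoded the text after the {@code Basic} scheme
     * @return a two-element array, or {@code null} if the payload is not valid Base64 or lacks a
     *         {@code ':'} separator
     */
    private static String[] decodeBasicCredentials(String encoded) {
        byte[] raw;
        try {
            raw = Base64.getDecoder().decode(encoded);
        } catch (IllegalArgumentException e) {
            return null;
        }
        // Split at the first ':' only, so a ':' inside the secret stays part of the secret instead
        // of being silently dropped; decode as UTF-8 rather than the platform default charset.
        String[] parts = new String(raw, StandardCharsets.UTF_8).split(":", 2);
        return parts.length == 2 ? parts : null;
    }

    /**
     * Ends the exchange with 403 Forbidden.
     *
     * @param exchange the exchange to terminate
     * @return always {@code null}, the "do not forward" signal of {@link #rewrite}
     */
    private static HttpServerExchange reject(HttpServerExchange exchange) {
        exchange.setStatusCode(FORBIDDEN);
        exchange.endExchange();
        return null;
    }

    /**
     * Exchanges the token's refresh token for an access token at the realm's token endpoint.
     *
     * @param token validated secret-store token holding the refresh token
     * @return the {@code access_token} from the response, or {@code null} if the server returned an
     *         {@code error}, a non-{@code bearer} {@code token_type}, or no access token
     * @throws Exception if the HTTP call or URL encoding fails
     */
    private String getBearerToken(Token token) throws Exception {
        String tokenEndpoint = this.authServerUrl + "/realms/" + URLEncoder.encode(this.realmName, StandardCharsets.UTF_8.name()) + "/protocol/openid-connect/token";
        String form = "scope=offline_access&grant_type=refresh_token&refresh_token=" + URLEncoder.encode(token.getRefreshToken(), StandardCharsets.UTF_8.name());
        String responseBody = this.authServerRequestExecutor.execute(tokenEndpoint, form, "POST");
        JsonObject response;
        try (JsonReader reader = Json.createReader(new StringReader(responseBody))) {
            response = reader.readObject();
        }
        if (response.get("error") != null) {
            this.logger.errorResponseFromServer(response.getString("error"));
            return null;
        }
        // Defaulted lookups: a missing key must reach the null checks below instead of throwing NPE.
        String tokenType = response.getString("token_type", null);
        String accessToken = response.getString("access_token", null);
        if (tokenType == null || tokenType.isEmpty() || !tokenType.equalsIgnoreCase("bearer")) {
            this.logger.invalidResponseFromServer();
            return null;
        }
        if (accessToken == null || accessToken.isEmpty()) {
            this.logger.invalidBearerTokenFromServer();
            return null;
        }
        return accessToken;
    }
}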
