package org.keycloak.services.resources;

import java.util.HashMap;
import javax.ws.rs.HeaderParam;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import javax.ws.rs.core.UriInfo;
import javax.ws.rs.ext.Providers;
import org.jboss.logging.Logger;
import org.jboss.resteasy.spi.BadRequestException;
import org.jboss.resteasy.spi.HttpRequest;
import org.jboss.resteasy.spi.UnauthorizedException;
import org.keycloak.OAuth2Constants;
import org.keycloak.common.ClientConnection;
import org.keycloak.common.util.Time;
import org.keycloak.constants.AdapterConstants;
import org.keycloak.events.Details;
import org.keycloak.events.Errors;
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.protocol.oidc.utils.AuthorizeClientUtil;
import org.keycloak.services.ForbiddenException;

/* loaded from: input_file:WEB-INF/lib/keycloak-services-1.7.0.Final.jar:org/keycloak/services/resources/ClientsManagementService.class */
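/**
 * JAX-RS resource through which a confidential client registers or unregisters one of its
 * cluster nodes (hosts) with the realm.
 *
 * <p>Both endpoints apply the same checks in the same order: transport policy (HTTPS unless the
 * realm's SSL policy exempts the connection), realm enabled, client authentication with public
 * clients rejected, and presence of the cluster-host form parameter.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>The cluster host is client-supplied and is only checked for being non-empty here. It is
 *       written to the debug log, to the event details and to the client model as received.
 *       Any format validation or log neutralisation has to happen elsewhere.</li>
 *   <li>The HTTPS decision is based on the scheme of {@code uriInfo.getBaseUri()}.
 *       NOTE(review): behind a TLS-terminating proxy this presumably depends on how the
 *       container derives the base URI; confirm against the deployment.</li>
 * </ul>
 */
public class ClientsManagementService {
    protected static final Logger logger = Logger.getLogger(ClientsManagementService.class);
    private final RealmModel realm;
    private final EventBuilder event;

    @Context
    private HttpRequest request;

    @Context
    protected HttpHeaders headers;

    @Context
    private UriInfo uriInfo;

    @Context
    private ClientConnection clientConnection;

    @Context
    protected Providers providers;

    @Context
    protected KeycloakSession session;

    /**
     * @param realmModel realm whose enabled flag and SSL policy gate every request
     * @param eventBuilder event builder used to record the outcome of each request
     */
    public ClientsManagementService(RealmModel realmModel, EventBuilder eventBuilder) {
        this.realm = realmModel;
        this.event = eventBuilder;
    }

    /**
     * Appends the path of this service to {@code uriBuilder}.
     *
     * <p>The method name is passed as a string and resolved by {@link UriBuilder}, so renaming
     * {@code RealmsResource.getClientsManagementService} breaks this at runtime, not at compile
     * time.
     */
    public static UriBuilder clientsManagementBaseUrl(UriBuilder uriBuilder) {
        return uriBuilder.path(RealmsResource.class).path(RealmsResource.class, "getClientsManagementService");
    }

    /** Appends the path of the {@link #registerNode} endpoint to {@code uriBuilder}. */
    public static UriBuilder registerNodeUrl(UriBuilder uriBuilder) {
        return clientsManagementBaseUrl(uriBuilder).path(ClientsManagementService.class, "registerNode");
    }

    /** Appends the path of the {@link #unregisterNode} endpoint to {@code uriBuilder}. */
    public static UriBuilder unregisterNodeUrl(UriBuilder uriBuilder) {
        return clientsManagementBaseUrl(uriBuilder).path(ClientsManagementService.class, "unregisterNode");
    }

    /**
     * Registers a cluster node for the authenticated client, stamped with the current time.
     *
     * @param str value of the {@code Authorization} header; bound by JAX-RS but not read in this
     *     method (presumably the credentials are consumed inside {@link AuthorizeClientUtil};
     *     verify there)
     * @param multivaluedMap form parameters; must carry {@link AdapterConstants#CLIENT_CLUSTER_HOST}
     * @return {@code 204 No Content} on success
     * @throws ForbiddenException if HTTPS is required and the request did not use it
     * @throws UnauthorizedException if the realm is disabled
     * @throws BadRequestException if the client is public or the host parameter is missing
     */
    @POST
    @Produces({MediaType.APPLICATION_JSON})
    @Path("register-node")
    public Response registerNode(@HeaderParam("Authorization") String str, MultivaluedMap<String, String> multivaluedMap) {
        beginNodeEvent(EventType.REGISTER_NODE);
        // Authenticate the client before looking at any request parameter.
        ClientModel authorizeClient = authorizeClient();
        String clientClusterHost = getClientClusterHost(multivaluedMap);
        this.event.client(authorizeClient).detail(Details.NODE_HOST, clientClusterHost);
        // The host is logged exactly as the client sent it; only non-emptiness was checked.
        logger.debugf("Registering cluster host '%s' for client '%s'", clientClusterHost, authorizeClient.getClientId());
        authorizeClient.registerNode(clientClusterHost, Time.currentTime());
        this.event.success();
        return Response.noContent().build();
    }

    /**
     * Removes a previously registered cluster node of the authenticated client.
     *
     * @param str value of the {@code Authorization} header; bound by JAX-RS but not read in this
     *     method (presumably the credentials are consumed inside {@link AuthorizeClientUtil};
     *     verify there)
     * @param multivaluedMap form parameters; must carry {@link AdapterConstants#CLIENT_CLUSTER_HOST}
     * @return {@code 204 No Content} on success
     * @throws ForbiddenException if HTTPS is required and the request did not use it
     * @throws UnauthorizedException if the realm is disabled
     * @throws BadRequestException if the client is public or the host parameter is missing
     */
    @POST
    @Produces({MediaType.APPLICATION_JSON})
    @Path("unregister-node")
    public Response unregisterNode(@HeaderParam("Authorization") String str, MultivaluedMap<String, String> multivaluedMap) {
        beginNodeEvent(EventType.UNREGISTER_NODE);
        // Authenticate the client before looking at any request parameter.
        ClientModel authorizeClient = authorizeClient();
        String clientClusterHost = getClientClusterHost(multivaluedMap);
        this.event.client(authorizeClient).detail(Details.NODE_HOST, clientClusterHost);
        // The host is logged exactly as the client sent it; only non-emptiness was checked.
        logger.debugf("Unregistering cluster host '%s' for client '%s'", clientClusterHost, authorizeClient.getClientId());
        authorizeClient.unregisterNode(clientClusterHost);
        this.event.success();
        return Response.noContent().build();
    }

    /**
     * Authenticates the calling client and rejects public clients.
     *
     * @return the authenticated, non-public client
     * @throws BadRequestException with an {@code invalid_client} JSON body if the client is public
     */
    protected ClientModel authorizeClient() {
        ClientModel client = AuthorizeClientUtil.authorizeClient(this.session, this.event).getClient();
        if (!client.isPublicClient()) {
            return client;
        }
        this.event.error("invalid_client");
        throw badRequest("invalid_client", "Public clients not allowed", "Public clients not allowed");
    }

    /**
     * Reads the cluster host from the form parameters.
     *
     * <p>Only presence is checked; the value is returned as received.
     *
     * @param multivaluedMap form parameters of the request
     * @return the first non-empty value of {@link AdapterConstants#CLIENT_CLUSTER_HOST}
     * @throws BadRequestException with an {@code invalid_request} JSON body if the value is
     *     missing or empty
     */
    protected String getClientClusterHost(MultivaluedMap<String, String> multivaluedMap) {
        String first = multivaluedMap.getFirst(AdapterConstants.CLIENT_CLUSTER_HOST);
        if (first != null && !first.isEmpty()) {
            return first;
        }
        // NOTE(review): the event is recorded as INVALID_CODE although the response says
        // invalid_request; kept as is because event consumers may key on it. Confirm intent.
        this.event.error(Errors.INVALID_CODE);
        throw badRequest("invalid_request", "Client cluster host not specified", "Cluster host not specified");
    }

    /**
     * Runs the checks shared by both endpoints and opens the event: transport policy first,
     * then the event type, then the realm-enabled check.
     */
    private void beginNodeEvent(EventType type) {
        if (!checkSsl()) {
            throw new ForbiddenException("HTTPS required");
        }
        this.event.event(type);
        if (!this.realm.isEnabled()) {
            this.event.error(Errors.REALM_DISABLED);
            throw new UnauthorizedException("Realm not enabled");
        }
    }

    /** Builds a 400 response exception carrying an OAuth2-style JSON error body. */
    private static BadRequestException badRequest(String error, String description, String message) {
        HashMap<String, String> body = new HashMap<>();
        body.put(OAuth2Constants.ERROR, error);
        body.put(OAuth2Constants.ERROR_DESCRIPTION, description);
        return new BadRequestException(message, Response.status(Response.Status.BAD_REQUEST).entity(body).type(MediaType.APPLICATION_JSON_TYPE).build());
    }

    /**
     * Returns whether the request satisfies the realm's transport policy: it arrived over HTTPS,
     * or the realm's SSL setting does not require HTTPS for this connection.
     */
    private boolean checkSsl() {
        // Literal-first and case-insensitive: a missing scheme falls through to the realm policy
        // instead of failing with a NullPointerException, and "HTTPS" is recognised as https.
        String scheme = this.uriInfo.getBaseUri().getScheme();
        return "https".equalsIgnoreCase(scheme) || !this.realm.getSslRequired().isRequired(this.clientConnection);
    }
}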
