package org.keycloak.proxy;

import com.fasterxml.jackson.annotation.JsonInclude;
import com.fasterxml.jackson.databind.ObjectMapper;
import io.undertow.Undertow;
import io.undertow.security.api.AuthenticationMode;
import io.undertow.security.handlers.AuthenticationMechanismsHandler;
import io.undertow.security.handlers.SecurityInitialHandler;
import io.undertow.security.idm.Account;
import io.undertow.security.idm.Credential;
import io.undertow.security.idm.IdentityManager;
import io.undertow.security.impl.CachedAuthenticatedSessionMechanism;
import io.undertow.server.HttpHandler;
import io.undertow.server.HttpServerExchange;
import io.undertow.server.handlers.PathHandler;
import io.undertow.server.handlers.ProxyPeerAddressHandler;
import io.undertow.server.handlers.ResponseCodeHandler;
import io.undertow.server.handlers.proxy.ProxyHandler;
import io.undertow.server.handlers.proxy.SimpleProxyClientProvider;
import io.undertow.server.session.InMemorySessionManager;
import io.undertow.server.session.SessionAttachmentHandler;
import io.undertow.server.session.SessionCookieConfig;
import io.undertow.server.session.SessionManager;
import java.io.IOException;
import java.io.InputStream;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.Map;
import java.util.Set;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import org.jboss.logging.Logger;
import org.keycloak.adapters.AdapterDeploymentContext;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.KeycloakDeploymentBuilder;
import org.keycloak.adapters.NodesRegistrationManagement;
import org.keycloak.adapters.undertow.UndertowAuthenticatedActionsHandler;
import org.keycloak.adapters.undertow.UndertowAuthenticationMechanism;
import org.keycloak.adapters.undertow.UndertowPreAuthActionsHandler;
import org.keycloak.adapters.undertow.UndertowUserSessionManagement;
import org.keycloak.common.enums.SslRequired;
import org.keycloak.common.util.CertificateUtils;
import org.keycloak.common.util.FindFile;
import org.keycloak.proxy.ProxyConfig;
import org.keycloak.proxy.SecurityInfo;
import org.keycloak.proxy.SecurityPathMatches;
import org.keycloak.representations.adapters.config.AdapterConfig;
import org.keycloak.util.SystemPropertiesJsonParserFactory;
import org.xnio.Option;

/* loaded from: input_file:org/keycloak/proxy/ProxyServerBuilder.class */
public class ProxyServerBuilder {
    protected static Logger log = Logger.getLogger(ProxyServerBuilder.class);
    public static final HttpHandler NOT_FOUND = new HttpHandler() { // from class: org.keycloak.proxy.ProxyServerBuilder.1
        public void handleRequest(HttpServerExchange httpServerExchange) throws Exception {
            httpServerExchange.setResponseCode(404);
            httpServerExchange.endExchange();
        }
    };
    protected Undertow.Builder builder = Undertow.builder();
    protected PathHandler root = new PathHandler(NOT_FOUND);
    protected HttpHandler proxyHandler;
    protected boolean sendAccessToken;
    protected Map<String, String> headerNameConfig;

    /* loaded from: input_file:org/keycloak/proxy/ProxyServerBuilder$ApplicationBuilder.class */
    public class ApplicationBuilder {
        protected AdapterDeploymentContext deploymentContext;
        protected KeycloakDeployment deployment;
        protected String base;
        protected SecurityPathMatches matches;
        protected String errorPage;
        protected boolean proxyAddressForwarding;
        protected NodesRegistrationManagement nodesRegistrationManagement = new NodesRegistrationManagement();
        protected UndertowUserSessionManagement userSessionManagement = new UndertowUserSessionManagement();
        SessionManager sessionManager = new InMemorySessionManager("SESSION_MANAGER");
        protected SecurityPathMatches.Builder constraintBuilder = new SecurityPathMatches.Builder();

        /* loaded from: input_file:org/keycloak/proxy/ProxyServerBuilder$ApplicationBuilder$ConstraintBuilder.class */
        public class ConstraintBuilder {
            protected String pattern;
            protected Set<String> rolesAllowed = new HashSet();
            protected Set<String> methods = new HashSet();
            protected Set<String> excludedMethods = new HashSet();
            protected SecurityInfo.EmptyRoleSemantic semantic = SecurityInfo.EmptyRoleSemantic.AUTHENTICATE;

            public ConstraintBuilder(String str) {
                this.pattern = str;
            }

            public ConstraintBuilder deny() {
                this.semantic = SecurityInfo.EmptyRoleSemantic.DENY;
                return this;
            }

            public ConstraintBuilder permit() {
                this.semantic = SecurityInfo.EmptyRoleSemantic.PERMIT;
                return this;
            }

            public ConstraintBuilder authenticate() {
                this.semantic = SecurityInfo.EmptyRoleSemantic.AUTHENTICATE;
                return this;
            }

            public ConstraintBuilder injectIfAuthenticated() {
                this.semantic = SecurityInfo.EmptyRoleSemantic.PERMIT_AND_INJECT_IF_AUTHENTICATED;
                return this;
            }

            public ConstraintBuilder excludedMethods(Set<String> set) {
                this.excludedMethods = set;
                return this;
            }

            public ConstraintBuilder methods(Set<String> set) {
                this.methods = set;
                return this;
            }

            public ConstraintBuilder method(String str) {
                this.methods.add(str);
                return this;
            }

            public ConstraintBuilder excludeMethod(String str) {
                this.excludedMethods.add(str);
                return this;
            }

            public ConstraintBuilder roles(String... strArr) {
                for (String str : strArr) {
                    role(str);
                }
                return this;
            }

            public ConstraintBuilder roles(Set<String> set) {
                Iterator<String> it = set.iterator();
                while (it.hasNext()) {
                    role(it.next());
                }
                return this;
            }

            public ConstraintBuilder role(String str) {
                this.rolesAllowed.add(str);
                return this;
            }

            public ApplicationBuilder add() {
                ApplicationBuilder.this.constraintBuilder.addSecurityConstraint(this.rolesAllowed, this.semantic, this.pattern, this.methods, this.excludedMethods);
                return ApplicationBuilder.this;
            }
        }

        public ApplicationBuilder base(String str) {
            this.base = str;
            return this;
        }

        public ApplicationBuilder errorPage(String str) {
            if (str != null && str.startsWith("/")) {
                str = str.substring(1);
            }
            this.errorPage = str;
            return this;
        }

        public ApplicationBuilder proxyAddressForwarding(boolean z) {
            this.proxyAddressForwarding = z;
            return this;
        }

        public ApplicationBuilder(AdapterConfig adapterConfig) {
            this.deployment = KeycloakDeploymentBuilder.build(adapterConfig);
            this.deploymentContext = new AdapterDeploymentContext(this.deployment);
        }

        public ProxyServerBuilder add() {
            this.matches = this.constraintBuilder.build();
            ProxyServerBuilder.this.root.addPrefixPath(this.base, sessionHandling(addSecurity(ProxyServerBuilder.this.proxyHandler)));
            return ProxyServerBuilder.this;
        }

        public ConstraintBuilder constraint(String str) {
            ProxyServerBuilder.log.debugv("add constraint: {0}", str);
            return new ConstraintBuilder(str);
        }

        private HttpHandler addSecurity(HttpHandler httpHandler) {
            UndertowAuthenticatedActionsHandler undertowAuthenticatedActionsHandler = new UndertowAuthenticatedActionsHandler(this.deploymentContext, httpHandler);
            if (this.errorPage != null) {
                if (this.base.endsWith("/")) {
                    this.errorPage = this.base + this.errorPage;
                } else {
                    this.errorPage = this.base + "/" + this.errorPage;
                }
            }
            ConstraintMatcherHandler constraintMatcherHandler = new ConstraintMatcherHandler(this.matches, new ProxyAuthenticationCallHandler(new ConstraintAuthorizationHandler(undertowAuthenticatedActionsHandler, this.errorPage, ProxyServerBuilder.this.sendAccessToken, ProxyServerBuilder.this.headerNameConfig)), httpHandler, this.errorPage);
            LinkedList linkedList = new LinkedList();
            linkedList.add(new CachedAuthenticatedSessionMechanism());
            linkedList.add(new UndertowAuthenticationMechanism(this.deploymentContext, this.userSessionManagement, this.nodesRegistrationManagement, -1, (String) null));
            HttpHandler securityInitialHandler = new SecurityInitialHandler(AuthenticationMode.PRO_ACTIVE, new IdentityManager() { // from class: org.keycloak.proxy.ProxyServerBuilder.ApplicationBuilder.1
                public Account verify(Account account) {
                    return account;
                }

                public Account verify(String str, Credential credential) {
                    throw new IllegalStateException("Should never be called in Keycloak flow");
                }

                public Account verify(Credential credential) {
                    throw new IllegalStateException("Should never be called in Keycloak flow");
                }
            }, new UndertowPreAuthActionsHandler(this.deploymentContext, this.userSessionManagement, this.sessionManager, new AuthenticationMechanismsHandler(constraintMatcherHandler, linkedList)));
            if (this.proxyAddressForwarding) {
                securityInitialHandler = new ProxyPeerAddressHandler(securityInitialHandler);
            }
            return securityInitialHandler;
        }

        private HttpHandler sessionHandling(HttpHandler httpHandler) {
            SessionCookieConfig sessionCookieConfig = new SessionCookieConfig();
            sessionCookieConfig.setCookieName("keycloak." + this.deployment.getResourceName() + ".session");
            sessionCookieConfig.setPath(this.base);
            if (this.deployment.getSslRequired() == SslRequired.ALL) {
                sessionCookieConfig.setSecure(true);
            }
            return new SessionAttachmentHandler(httpHandler, this.sessionManager, sessionCookieConfig);
        }
    }

    public ProxyServerBuilder target(String str) {
        try {
            final ProxyHandler proxyHandler = new ProxyHandler(new SimpleProxyClientProvider(new URI(str)), 30000, ResponseCodeHandler.HANDLE_404);
            this.proxyHandler = new HttpHandler() { // from class: org.keycloak.proxy.ProxyServerBuilder.2
                public void handleRequest(HttpServerExchange httpServerExchange) throws Exception {
                    httpServerExchange.setRelativePath(httpServerExchange.getRequestPath());
                    proxyHandler.handleRequest(httpServerExchange);
                }
            };
            return this;
        } catch (URISyntaxException e) {
            throw new RuntimeException(e);
        }
    }

    public ProxyServerBuilder sendAccessToken(boolean z) {
        this.sendAccessToken = z;
        return this;
    }

    public ProxyServerBuilder headerNameConfig(Map<String, String> map) {
        this.headerNameConfig = map;
        return this;
    }

    public ApplicationBuilder application(AdapterConfig adapterConfig) {
        return new ApplicationBuilder(adapterConfig);
    }

    public Undertow build() {
        this.builder.setHandler(this.root);
        return this.builder.build();
    }

    public ProxyServerBuilder addHttpListener(int i, String str) {
        this.builder.addHttpListener(i, str);
        return this;
    }

    public ProxyServerBuilder addHttpsListener(int i, String str, KeyManager[] keyManagerArr, TrustManager[] trustManagerArr) {
        this.builder.addHttpsListener(i, str, keyManagerArr, trustManagerArr);
        return this;
    }

    public ProxyServerBuilder addHttpsListener(int i, String str, SSLContext sSLContext) {
        this.builder.addHttpsListener(i, str, sSLContext);
        return this;
    }

    public ProxyServerBuilder setBufferSize(int i) {
        this.builder.setBufferSize(i);
        return this;
    }

    public ProxyServerBuilder setBuffersPerRegion(int i) {
        this.builder.setBuffersPerRegion(i);
        return this;
    }

    public ProxyServerBuilder setIoThreads(int i) {
        this.builder.setIoThreads(i);
        return this;
    }

    public ProxyServerBuilder setWorkerThreads(int i) {
        this.builder.setWorkerThreads(i);
        return this;
    }

    public ProxyServerBuilder setDirectBuffers(boolean z) {
        this.builder.setDirectBuffers(z);
        return this;
    }

    public <T> ProxyServerBuilder setServerOption(Option<T> option, T t) {
        this.builder.setServerOption(option, t);
        return this;
    }

    public <T> ProxyServerBuilder setSocketOption(Option<T> option, T t) {
        this.builder.setSocketOption(option, t);
        return this;
    }

    public <T> ProxyServerBuilder setWorkerOption(Option<T> option, T t) {
        this.builder.setWorkerOption(option, t);
        return this;
    }

    public static ProxyConfig loadConfig(InputStream inputStream) {
        ObjectMapper objectMapper = new ObjectMapper(new SystemPropertiesJsonParserFactory());
        objectMapper.setSerializationInclusion(JsonInclude.Include.NON_DEFAULT);
        try {
            return (ProxyConfig) objectMapper.readValue(inputStream, ProxyConfig.class);
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }

    public static Undertow build(InputStream inputStream) {
        return build(loadConfig(inputStream));
    }

    public static Undertow build(ProxyConfig proxyConfig) {
        ProxyServerBuilder proxyServerBuilder = new ProxyServerBuilder();
        if (proxyConfig.getTargetUrl() == null) {
            log.error("Must set Target URL");
            return null;
        }
        proxyServerBuilder.target(proxyConfig.getTargetUrl());
        if (proxyConfig.getApplications() == null || proxyConfig.getApplications().size() == 0) {
            log.error("No applications defined");
            return null;
        }
        initConnections(proxyConfig, proxyServerBuilder);
        initOptions(proxyConfig, proxyServerBuilder);
        for (ProxyConfig.Application application : proxyConfig.getApplications()) {
            ApplicationBuilder proxyAddressForwarding = proxyServerBuilder.application(application.getAdapterConfig()).base(application.getBasePath()).errorPage(application.getErrorPage()).proxyAddressForwarding(application.isProxyAddressForwarding());
            if (application.getConstraints() != null) {
                for (ProxyConfig.Constraint constraint : application.getConstraints()) {
                    ApplicationBuilder.ConstraintBuilder constraint2 = proxyAddressForwarding.constraint(constraint.getPattern());
                    if (constraint.getRolesAllowed() != null) {
                        constraint2.roles(constraint.getRolesAllowed());
                    }
                    if (constraint.getMethods() != null) {
                        constraint2.methods(constraint.getMethods());
                    }
                    if (constraint.getExcludedMethods() != null) {
                        constraint2.excludedMethods(constraint.getExcludedMethods());
                    }
                    if (constraint.isDeny()) {
                        constraint2.deny();
                    }
                    if (constraint.isPermit()) {
                        constraint2.permit();
                    }
                    if (constraint.isAuthenticate()) {
                        constraint2.authenticate();
                    }
                    if (constraint.isPermitAndInject()) {
                        constraint2.injectIfAuthenticated();
                    }
                    constraint2.add();
                }
            }
            proxyAddressForwarding.add();
        }
        return proxyServerBuilder.build();
    }

    public static void initOptions(ProxyConfig proxyConfig, ProxyServerBuilder proxyServerBuilder) {
        proxyServerBuilder.sendAccessToken(proxyConfig.isSendAccessToken());
        proxyServerBuilder.headerNameConfig(proxyConfig.getHeaderNames());
        if (proxyConfig.getBufferSize() != null) {
            proxyServerBuilder.setBufferSize(proxyConfig.getBufferSize().intValue());
        }
        if (proxyConfig.getBuffersPerRegion() != null) {
            proxyServerBuilder.setBuffersPerRegion(proxyConfig.getBuffersPerRegion().intValue());
        }
        if (proxyConfig.getIoThreads() != null) {
            proxyServerBuilder.setIoThreads(proxyConfig.getIoThreads().intValue());
        }
        if (proxyConfig.getWorkerThreads() != null) {
            proxyServerBuilder.setWorkerThreads(proxyConfig.getWorkerThreads().intValue());
        }
        if (proxyConfig.getDirectBuffers() != null) {
            proxyServerBuilder.setDirectBuffers(proxyConfig.getDirectBuffers().booleanValue());
        }
    }

    public static void initConnections(ProxyConfig proxyConfig, ProxyServerBuilder proxyServerBuilder) {
        if (proxyConfig.getHttpPort() == null && proxyConfig.getHttpsPort() == null) {
            log.warn("You have not set up HTTP or HTTPS");
        }
        if (proxyConfig.getHttpPort() != null) {
            proxyServerBuilder.addHttpListener(proxyConfig.getHttpPort().intValue(), proxyConfig.getBindAddress() != null ? proxyConfig.getBindAddress() : "localhost");
        }
        if (proxyConfig.getHttpsPort() != null) {
            String bindAddress = proxyConfig.getBindAddress() != null ? proxyConfig.getBindAddress() : "localhost";
            if (proxyConfig.getKeystore() != null) {
                InputStream findFile = FindFile.findFile(proxyConfig.getKeystore());
                try {
                    KeyStore keyStore = KeyStore.getInstance("jks");
                    keyStore.load(findFile, proxyConfig.getKeystorePassword().toCharArray());
                    proxyServerBuilder.addHttpsListener(proxyConfig.getHttpsPort().intValue(), bindAddress, SslUtil.createSSLContext(keyStore, proxyConfig.getKeyPassword(), null));
                    return;
                } catch (Exception e) {
                    throw new RuntimeException(e);
                }
            }
            log.warn("Generating temporary SSL cert");
            try {
                KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
                keyPairGenerator.initialize(2048);
                KeyPair generateKeyPair = keyPairGenerator.generateKeyPair();
                try {
                    X509Certificate generateV1SelfSignedCertificate = CertificateUtils.generateV1SelfSignedCertificate(generateKeyPair, bindAddress);
                    try {
                        KeyStore keyStore2 = KeyStore.getInstance("JKS");
                        keyStore2.load(null, null);
                        keyStore2.setKeyEntry(bindAddress, generateKeyPair.getPrivate(), "password".toCharArray(), new Certificate[]{generateV1SelfSignedCertificate});
                        proxyServerBuilder.addHttpsListener(proxyConfig.getHttpsPort().intValue(), bindAddress, SslUtil.createSSLContext(keyStore2, "password", null));
                    } catch (Exception e2) {
                        throw new RuntimeException(e2);
                    }
                } catch (Exception e3) {
                    throw new RuntimeException(e3);
                }
            } catch (NoSuchAlgorithmException e4) {
                throw new RuntimeException(e4);
            }
        }
    }
}
