package org.keycloak.adapters.jaas;

import java.io.IOException;
import java.io.InputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import org.apache.http.HttpEntity;
import org.apache.http.HttpResponse;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.message.BasicNameValuePair;
import org.jboss.logging.Logger;
import org.keycloak.OAuth2Constants;
import org.keycloak.adapters.authentication.ClientCredentialsProviderUtils;
import org.keycloak.adapters.jaas.AbstractKeycloakLoginModule;
import org.keycloak.adapters.rotation.AdapterTokenVerifier;
import org.keycloak.common.VerificationException;
import org.keycloak.common.util.KeycloakUriBuilder;
import org.keycloak.constants.ServiceUrlConstants;
import org.keycloak.representations.AccessTokenResponse;
import org.keycloak.representations.idm.OAuth2ErrorRepresentation;
import org.keycloak.util.JsonSerialization;

/* loaded from: input_file:BOOT-INF/lib/keycloak-adapter-core-11.0.3.jar:org/keycloak/adapters/jaas/DirectAccessGrantsLoginModule.class */
/**
 * JAAS login module that authenticates a username/password pair directly against the
 * realm's token endpoint using the OAuth2 resource-owner password grant
 * ({@code grant_type=password}).
 *
 * <p>On a successful login the returned refresh token is kept in this module and, on
 * {@link #commit()}, stored in the {@link Subject}'s private credentials wrapped in a
 * {@link RefreshTokenHolder}. On {@link #logout()} the refresh token is posted to the
 * deployment's logout URL before the superclass logout runs.
 *
 * <p>An optional {@value #SCOPE_OPTION} entry in the JAAS options map is forwarded as the
 * {@code scope} form parameter of the token request.
 */
public class DirectAccessGrantsLoginModule extends AbstractKeycloakLoginModule {
    private static final Logger log = Logger.getLogger((Class<?>) DirectAccessGrantsLoginModule.class);

    /** Key in the JAAS options map whose value is sent as the {@code scope} parameter. */
    public static final String SCOPE_OPTION = "scope";

    /** Charset used to encode the form bodies of the token and logout requests. */
    private static final String FORM_CHARSET = "UTF-8";

    /** Refresh token from the last successful login (or recovered from the Subject in initialize). */
    private String refreshToken;

    /** Value of the {@value #SCOPE_OPTION} option, or {@code null} when not configured. */
    private String scope;

    /**
     * Private-credential wrapper that carries the refresh token inside the {@link Subject}.
     *
     * <p>NOTE(review): this holder is {@link Serializable}, so the refresh token is written out
     * wherever the Subject itself is serialized (e.g. session persistence or replication) —
     * confirm that this is intended for every place Subjects are stored.
     */
    private static class RefreshTokenHolder implements Serializable {
        private String refreshToken;

        private RefreshTokenHolder() {
        }
    }

    /**
     * Initializes the module, reads the {@value #SCOPE_OPTION} option and recovers a refresh
     * token already present in the Subject's private credentials, if any.
     *
     * @param subject         the Subject being authenticated
     * @param callbackHandler callback handler for username/password retrieval
     * @param map             JAAS shared state (passed through to the superclass)
     * @param map2            JAAS options map; {@value #SCOPE_OPTION} is read from it
     */
    @Override
    public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> map, Map<String, ?> map2) {
        super.initialize(subject, callbackHandler, map, map2);
        this.scope = (String) map2.get(SCOPE_OPTION);
        // Only the first holder found is used, matching a single-element lookup.
        for (RefreshTokenHolder holder : subject.getPrivateCredentials(RefreshTokenHolder.class)) {
            this.refreshToken = holder.refreshToken;
            break;
        }
    }

    /**
     * Performs the authentication by delegating to {@link #directGrantAuth(String, String)}.
     *
     * @param str  username
     * @param str2 password
     * @return the verified authentication result
     * @throws IOException           on transport failure or a non-200 token response
     * @throws VerificationException when the returned tokens fail verification
     */
    @Override
    protected AbstractKeycloakLoginModule.Auth doAuth(String str, String str2) throws IOException, VerificationException {
        return directGrantAuth(str, str2);
    }

    @Override
    protected Logger getLogger() {
        return log;
    }

    /**
     * Posts a resource-owner password grant to the realm token endpoint and verifies the
     * returned tokens.
     *
     * @param str  username sent as the {@code username} form parameter
     * @param str2 password sent as the {@code password} form parameter
     * @return the result of {@code postTokenVerification} for the verified access token
     * @throws IOException           on transport failure, a missing response entity, or any
     *                               non-200 status (the server's OAuth2 error, when present,
     *                               is included in the message and logged at WARN)
     * @throws VerificationException when token verification fails
     */
    protected AbstractKeycloakLoginModule.Auth directGrantAuth(String str, String str2) throws IOException, VerificationException {
        HttpPost tokenRequest = new HttpPost(
                KeycloakUriBuilder.fromUri(this.deployment.getAuthServerBaseUrl())
                        .path(ServiceUrlConstants.TOKEN_PATH)
                        .build(this.deployment.getRealm()));

        ArrayList<org.apache.http.NameValuePair> form = new ArrayList<>();
        form.add(new BasicNameValuePair(OAuth2Constants.GRANT_TYPE, "password"));
        form.add(new BasicNameValuePair("username", str));
        form.add(new BasicNameValuePair("password", str2));
        if (this.scope != null) {
            form.add(new BasicNameValuePair("scope", this.scope));
        }
        // Client credentials are appended after the user parameters.
        ClientCredentialsProviderUtils.setClientCredentials(this.deployment, tokenRequest, form);
        tokenRequest.setEntity(new UrlEncodedFormEntity(form, FORM_CHARSET));

        HttpResponse response = this.deployment.getClient().execute(tokenRequest);
        int status = response.getStatusLine().getStatusCode();
        HttpEntity body = response.getEntity();
        if (status != 200) {
            throw loginFailure(status, body);
        }
        if (body == null) {
            throw new IOException("No Entity");
        }

        AccessTokenResponse tokens = JsonSerialization.readValue(body.getContent(), AccessTokenResponse.class);
        // The refresh token is remembered before verification so commit()/logout() can use it.
        this.refreshToken = tokens.getRefreshToken();
        return postTokenVerification(
                tokens.getToken(),
                AdapterTokenVerifier.verifyTokens(tokens.getToken(), tokens.getIdToken(), this.deployment).getAccessToken());
    }

    /**
     * Builds, logs and returns the exception for a failed token request.
     *
     * @param status HTTP status of the token response
     * @param body   response entity, may be {@code null}
     * @return an {@link IOException} whose message carries the status and, when a body was
     *         returned, the server's OAuth2 error and description
     * @throws IOException if the error body cannot be read
     */
    private static IOException loginFailure(int status, HttpEntity body) throws IOException {
        StringBuilder message = new StringBuilder("Login failed. Invalid status: " + status);
        if (body != null) {
            appendOAuth2Error(message, body.getContent());
        }
        String text = message.toString();
        log.warn(text);
        return new IOException(text);
    }

    /**
     * Reads an {@link OAuth2ErrorRepresentation} from {@code content} and appends its error and
     * description to {@code message}.
     *
     * @throws IOException if the body cannot be parsed
     */
    private static void appendOAuth2Error(StringBuilder message, InputStream content) throws IOException {
        OAuth2ErrorRepresentation error = JsonSerialization.readValue(content, OAuth2ErrorRepresentation.class);
        message.append(", OAuth2 error. Error: ").append(error.getError())
               .append(", Error description: ").append(error.getErrorDescription());
    }

    /**
     * Commits the login and, when a refresh token is available, adds it to the Subject's
     * private credentials wrapped in a {@link RefreshTokenHolder}.
     *
     * @return the superclass commit result
     */
    @Override
    public boolean commit() throws LoginException {
        boolean committed = super.commit();
        if (this.refreshToken != null) {
            RefreshTokenHolder holder = new RefreshTokenHolder();
            holder.refreshToken = this.refreshToken;
            this.subject.getPrivateCredentials().add(holder);
        }
        return committed;
    }

    /**
     * Posts the refresh token to the deployment's logout URL (best effort; failures are only
     * logged at WARN) and then performs the superclass logout.
     *
     * @return the superclass logout result
     */
    @Override
    public boolean logout() throws LoginException {
        if (this.refreshToken != null) {
            try {
                revokeRefreshToken();
            } catch (IOException e) {
                log.warn(e);
            }
        }
        return super.logout();
    }

    /**
     * Sends the refresh token to the logout URL. A 204 is success; any other status is logged,
     * with the OAuth2 error body included for a 400 response.
     *
     * @throws IOException on transport failure or when an error body cannot be read
     */
    private void revokeRefreshToken() throws IOException {
        HttpPost logoutRequest = new HttpPost(this.deployment.getLogoutUrl().m3352clone().build());

        ArrayList<org.apache.http.NameValuePair> form = new ArrayList<>();
        // Here the client credentials come first, then the refresh token.
        ClientCredentialsProviderUtils.setClientCredentials(this.deployment, logoutRequest, form);
        form.add(new BasicNameValuePair(OAuth2Constants.REFRESH_TOKEN, this.refreshToken));
        logoutRequest.setEntity(new UrlEncodedFormEntity(form, FORM_CHARSET));

        HttpResponse response = this.deployment.getClient().execute(logoutRequest);
        int status = response.getStatusLine().getStatusCode();
        if (status == 204) {
            return;
        }

        StringBuilder message = new StringBuilder("Logout of refreshToken failed. Invalid status: " + status);
        HttpEntity body = response.getEntity();
        if (body != null) {
            InputStream content = body.getContent();
            if (status == 400) {
                appendOAuth2Error(message, content);
            } else if (content != null) {
                // Body is not inspected for other statuses; release the stream.
                content.close();
            }
        }
        log.warn(message.toString());
    }
}
