package org.keycloak.servlet;

import java.io.BufferedInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.UncheckedIOException;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.List;
import javax.security.cert.X509Certificate;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.jboss.logging.Logger;
import org.keycloak.KeycloakSecurityContext;
import org.keycloak.adapters.AdapterDeploymentContext;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.OIDCHttpFacade;
import org.keycloak.adapters.ServerRequest;
import org.keycloak.adapters.spi.AuthenticationError;
import org.keycloak.adapters.spi.HttpFacade;
import org.keycloak.adapters.spi.LogoutError;
import org.keycloak.common.util.Base64Url;
import org.keycloak.common.util.KeycloakUriBuilder;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.jose.jws.JWSInputException;
import org.keycloak.representations.AccessTokenResponse;
import org.keycloak.representations.IDToken;
import org.keycloak.util.TokenUtil;

/* loaded from: input_file:org/keycloak/servlet/ServletOAuthClient.class */
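/**
 * Servlet-based OAuth2 / OIDC client built on a {@link KeycloakDeployment}.
 *
 * <p>{@link #redirect} sends the browser to the Keycloak authorization endpoint and drops a
 * state cookie; {@link #getBearerToken} checks the returned {@code state} against that cookie and
 * exchanges the {@code code} for tokens. When the deployment has PKCE enabled (RFC 7636) a
 * {@code code_verifier}/{@code code_challenge} pair is generated for the round trip.
 *
 * <p>NOTE(review): the PKCE verifier and challenge are instance fields, so one client instance
 * serving concurrent logins overwrites them between {@link #redirect} and
 * {@link #getBearerToken}; confirm how callers scope instances.
 */
public class ServletOAuthClient extends KeycloakDeploymentDelegateOAuthClient {
    // PKCE code_verifier for the in-flight login; null until redirect() runs with PKCE on.
    private String codeVerifier;
    // code_challenge derived from codeVerifier according to codeChallengeMethod.
    private String codeChallenge;
    // PKCE transformation sent as code_challenge_method; this class only ever uses "S256".
    private String codeChallengeMethod = "S256";
    private static final Logger logger = Logger.getLogger(ServletOAuthClient.class);

    /**
     * Minimal {@link OIDCHttpFacade} over an {@link HttpServletRequest}, used only so that
     * {@link AdapterDeploymentContext#resolveDeployment} can inspect the request. Only the
     * request side is implemented; security context, response and certificate chain throw.
     */
    public static class ServletFacade implements OIDCHttpFacade {
        private final HttpServletRequest servletRequest;

        private ServletFacade(HttpServletRequest httpServletRequest) {
            this.servletRequest = httpServletRequest;
        }

        /** @throws IllegalStateException always; not supported by this facade. */
        public KeycloakSecurityContext getSecurityContext() {
            throw new IllegalStateException("Not yet implemented");
        }

        /**
         * Returns a read-only view of the wrapped servlet request. Cookies and multi-valued
         * headers are not exposed (both return {@code null}); parameter lookups go through
         * {@link HttpServletRequest#getParameter}, so they cover query string and form body alike.
         */
        public HttpFacade.Request getRequest() {
            return new HttpFacade.Request() {
                // Cached buffered body, populated only by getInputStream(true).
                private InputStream inputStream;

                public String getFirstParam(String str) {
                    return ServletFacade.this.servletRequest.getParameter(str);
                }

                public String getMethod() {
                    return ServletFacade.this.servletRequest.getMethod();
                }

                public String getURI() {
                    return ServletFacade.this.servletRequest.getRequestURL().toString();
                }

                public String getRelativePath() {
                    return ServletFacade.this.servletRequest.getServletPath();
                }

                public boolean isSecure() {
                    return ServletFacade.this.servletRequest.isSecure();
                }

                // Same lookup as getFirstParam: the servlet API does not separate query from body.
                public String getQueryParamValue(String str) {
                    return ServletFacade.this.servletRequest.getParameter(str);
                }

                /** Not supported; always {@code null}. */
                public HttpFacade.Cookie getCookie(String str) {
                    return null;
                }

                public String getHeader(String str) {
                    return ServletFacade.this.servletRequest.getHeader(str);
                }

                /** Not supported; always {@code null}. */
                public List<String> getHeaders(String str) {
                    return null;
                }

                public InputStream getInputStream() {
                    return getInputStream(false);
                }

                /**
                 * Returns the request body stream.
                 *
                 * @param z when {@code true} the stream is wrapped in a {@link BufferedInputStream}
                 *          and cached so later calls return the same instance; when {@code false}
                 *          the raw servlet stream is returned uncached (unless a buffered one was
                 *          cached earlier, which then takes precedence)
                 * @throws UncheckedIOException if the servlet container cannot open the stream
                 */
                public InputStream getInputStream(boolean z) {
                    if (this.inputStream != null) {
                        return this.inputStream;
                    }
                    try {
                        InputStream raw = ServletFacade.this.servletRequest.getInputStream();
                        if (!z) {
                            return raw;
                        }
                        this.inputStream = new BufferedInputStream(raw);
                        return this.inputStream;
                    } catch (IOException e) {
                        throw new UncheckedIOException(e);
                    }
                }

                public String getRemoteAddr() {
                    return ServletFacade.this.servletRequest.getRemoteAddr();
                }

                public void setError(AuthenticationError authenticationError) {
                    ServletFacade.this.servletRequest.setAttribute(AuthenticationError.class.getName(), authenticationError);
                }

                public void setError(LogoutError logoutError) {
                    ServletFacade.this.servletRequest.setAttribute(LogoutError.class.getName(), logoutError);
                }
            };
        }

        /** @throws IllegalStateException always; not supported by this facade. */
        public HttpFacade.Response getResponse() {
            throw new IllegalStateException("Not yet implemented");
        }

        /** @throws IllegalStateException always; not supported by this facade. */
        public X509Certificate[] getCertificateChain() {
            throw new IllegalStateException("Not yet implemented");
        }
    }

    /**
     * Generates a 32-byte random secret, base64url-encoded (43 characters without padding),
     * which satisfies the RFC 7636 code_verifier length bounds of 43..128 characters.
     */
    public static String generateSecret() {
        return generateSecret(32);
    }

    /**
     * Generates {@code i} bytes from {@link SecureRandom} and returns them base64url-encoded.
     *
     * @param i number of random bytes to draw
     */
    public static String generateSecret(int i) {
        byte[] randomBytes = new byte[i];
        new SecureRandom().nextBytes(randomBytes);
        return Base64Url.encode(randomBytes);
    }

    /** Creates a fresh PKCE code_verifier. The value is a proof-of-possession secret and is not logged. */
    private void setCodeVerifier() {
        this.codeVerifier = generateSecret();
        logger.debug("Generated PKCE codeVerifier");
    }

    /**
     * Derives {@link #codeChallenge} from {@link #codeVerifier} as RFC 7636 section 4.2 specifies:
     * {@code S256 -> BASE64URL(SHA256(ASCII(code_verifier)))}, {@code plain -> code_verifier}.
     *
     * <p>The previous implementation hex-encoded the digest before base64url-encoding it and
     * base64url-encoded the verifier for "plain"; neither form matches what an RFC 7636 server
     * computes, so the token exchange would fail PKCE verification.
     *
     * @throws IllegalStateException if SHA-256 is unavailable; every Java SE platform must
     *         provide it, and silently downgrading to a weaker challenge is not acceptable
     */
    private void setCodeChallenge() {
        byte[] verifierBytes = this.codeVerifier.getBytes(StandardCharsets.US_ASCII);
        if ("S256".equals(this.codeChallengeMethod)) {
            try {
                MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
                this.codeChallenge = Base64Url.encode(sha256.digest(verifierBytes));
            } catch (NoSuchAlgorithmException e) {
                throw new IllegalStateException("PKCE S256 requires SHA-256, which this JVM does not provide", e);
            }
        } else {
            // "plain": the challenge is the verifier itself, unencoded.
            this.codeChallenge = this.codeVerifier;
        }
        logger.debugf("Encoded codeChallenge = %s, codeChallengeMethod = %s", this.codeChallenge, this.codeChallengeMethod);
    }

    /** Shuts down the deployment's HTTP connection manager. */
    public void stop() {
        getDeployment().getClient().getConnectionManager().shutdown();
    }

    /**
     * Exchanges an authorization code at the token endpoint, sending the PKCE code_verifier when
     * one was generated by {@link #redirect}.
     *
     * @param httpServletRequest current request, used to resolve the deployment
     * @param str                redirect_uri to present to the token endpoint
     * @param str2               authorization code
     */
    private AccessTokenResponse resolveBearerToken(HttpServletRequest httpServletRequest, String str, String str2) throws IOException, ServerRequest.HttpFailure {
        KeycloakDeployment deployment = resolveDeployment(getDeployment(), httpServletRequest);
        if (this.codeVerifier == null) {
            logger.debug("Before sending Token Request without codeVerifier");
            return ServerRequest.invokeAccessCodeToToken(deployment, str2, str, (String) null);
        }
        logger.debug("Before sending Token Request with codeVerifier");
        return ServerRequest.invokeAccessCodeToToken(deployment, str2, str, (String) null, this.codeVerifier);
    }

    /**
     * Like {@link #redirect} but with the redirect_uri built from the request's scheme/host and
     * the application context path plus {@code str}; any query string on the current URL is dropped.
     */
    public void redirectRelative(String str, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        String redirectUri = KeycloakUriBuilder.fromUri(httpServletRequest.getRequestURL().toString())
                .replacePath(httpServletRequest.getContextPath())
                .replaceQuery((String) null)
                .path(str)
                .toTemplate();
        redirect(redirectUri, httpServletRequest, httpServletResponse);
    }

    /**
     * Starts the authorization code flow: stores a fresh state value in the state cookie and
     * redirects the browser to the authorization endpoint.
     *
     * <p>When the deployment has PKCE enabled, a verifier/challenge pair is generated and the
     * {@code code_challenge} and {@code code_challenge_method} parameters are added to the
     * authorization request. The previous implementation computed the challenge but never sent
     * it, so the server could not bind the code to it and PKCE gave no protection.
     *
     * <p>NOTE(review): the state cookie is marked Secure per {@code isSecure} but not HttpOnly;
     * consider adding that if the servlet API level in use supports it.
     *
     * @param str                 redirect_uri registered for this client
     * @param httpServletRequest  current request
     * @param httpServletResponse response on which the cookie and redirect are set
     */
    public void redirect(String str, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        String stateCode = getStateCode();
        KeycloakDeployment deployment = resolveDeployment(getDeployment(), httpServletRequest);
        String authUrl = deployment.getAuthUrl().clone().build(new Object[0]).toString();
        String scopeParam = TokenUtil.attachOIDCScope(this.scope);

        KeycloakUriBuilder uriBuilder = KeycloakUriBuilder.fromUri(authUrl)
                .queryParam("response_type", new Object[]{"code"})
                .queryParam("client_id", new Object[]{getClientId()})
                .queryParam("redirect_uri", new Object[]{str})
                .queryParam("state", new Object[]{stateCode})
                .queryParam("scope", new Object[]{scopeParam});
        if (deployment.isPkce()) {
            setCodeVerifier();
            setCodeChallenge();
            uriBuilder = uriBuilder
                    .queryParam("code_challenge", new Object[]{this.codeChallenge})
                    .queryParam("code_challenge_method", new Object[]{this.codeChallengeMethod});
        }
        URI authorizationUri = uriBuilder.build(new Object[0]);

        // Cookie path: explicit stateCookiePath, else the context path, else "/" for the root context.
        String cookiePath = this.stateCookiePath;
        if (cookiePath == null) {
            cookiePath = httpServletRequest.getContextPath();
        }
        if (cookiePath.isEmpty()) {
            cookiePath = "/";
        }
        Cookie stateCookie = new Cookie(this.stateCookieName, stateCode);
        stateCookie.setSecure(this.isSecure);
        stateCookie.setPath(cookiePath);
        httpServletResponse.addCookie(stateCookie);
        httpServletResponse.sendRedirect(authorizationUri.toString());
    }

    /**
     * Returns the value of the first cookie named {@code str}, or {@code null} if the request
     * carries no cookies or none by that name.
     */
    protected String getCookieValue(String str, HttpServletRequest httpServletRequest) {
        Cookie[] cookies = httpServletRequest.getCookies();
        if (cookies == null) {
            return null;
        }
        for (Cookie candidate : cookies) {
            if (candidate.getName().equals(str)) {
                return candidate.getValue();
            }
        }
        return null;
    }

    /**
     * Extracts the raw {@code code} value from the request's query string, or {@code null} when
     * absent. The value is returned as it appears in the URL, without percent-decoding; callers
     * needing a decoded value should use {@link HttpServletRequest#getParameter} instead (as
     * {@link #getBearerToken} does).
     */
    protected String getCode(HttpServletRequest httpServletRequest) {
        String queryString = httpServletRequest.getQueryString();
        if (queryString == null) {
            return null;
        }
        for (String pair : queryString.split("&")) {
            int eq = pair.indexOf('=');
            if (eq != -1 && pair.substring(0, eq).equals("code")) {
                return pair.substring(eq + 1);
            }
        }
        return null;
    }

    /**
     * Completes the authorization code flow on the callback request.
     *
     * <p>Rejects the request if the provider reported an {@code error}, if the state cookie is
     * missing, if the {@code state} parameter is missing or does not match the cookie, or if the
     * {@code code} parameter is missing. The redirect_uri presented to the token endpoint is the
     * current request URL including its query string, mirroring the original behaviour.
     *
     * @throws IOException            for any of the validation failures above
     * @throws ServerRequest.HttpFailure if the token endpoint rejects the exchange
     */
    public AccessTokenResponse getBearerToken(HttpServletRequest httpServletRequest) throws IOException, ServerRequest.HttpFailure {
        String error = httpServletRequest.getParameter("error");
        if (error != null) {
            throw new IOException("OAuth error: " + error);
        }
        StringBuffer requestUrl = httpServletRequest.getRequestURL();
        String queryString = httpServletRequest.getQueryString();
        if (queryString != null) {
            requestUrl.append("?").append(queryString);
        }
        String redirectUri = requestUrl.toString();

        String cookieValue = getCookieValue(this.stateCookieName, httpServletRequest);
        if (cookieValue == null) {
            throw new IOException("state cookie not set");
        }
        String stateParam = httpServletRequest.getParameter("state");
        String codeParam = httpServletRequest.getParameter("code");
        if (stateParam == null) {
            throw new IOException("state parameter was null");
        }
        // Constant-time comparison of the caller-supplied state against the cookie.
        if (!MessageDigest.isEqual(stateParam.getBytes(StandardCharsets.UTF_8), cookieValue.getBytes(StandardCharsets.UTF_8))) {
            throw new IOException("state parameter invalid");
        }
        if (codeParam == null) {
            throw new IOException("code parameter was null");
        }
        return resolveBearerToken(httpServletRequest, redirectUri, codeParam);
    }

    /**
     * Uses a refresh token to obtain a new token response from the deployment resolved for
     * {@code httpServletRequest}.
     *
     * @param str the refresh token
     */
    public AccessTokenResponse refreshToken(HttpServletRequest httpServletRequest, String str) throws IOException, ServerRequest.HttpFailure {
        return ServerRequest.invokeRefresh(resolveDeployment(getDeployment(), httpServletRequest), str);
    }

    /**
     * Parses a compact JWS into an {@link IDToken}. Only the payload is read; the signature is
     * not verified here.
     *
     * @param str the serialized token, may be {@code null}
     * @return the parsed token, or {@code null} when {@code str} is {@code null}
     * @throws RuntimeException wrapping {@link JWSInputException} on malformed input
     */
    public static IDToken extractIdToken(String str) {
        if (str == null) {
            return null;
        }
        try {
            return (IDToken) new JWSInput(str).readJsonContent(IDToken.class);
        } catch (JWSInputException e) {
            throw new RuntimeException((Throwable) e);
        }
    }

    /** Resolves the effective deployment for this request through a {@link ServletFacade}. */
    private KeycloakDeployment resolveDeployment(KeycloakDeployment keycloakDeployment, HttpServletRequest httpServletRequest) {
        return new AdapterDeploymentContext(keycloakDeployment).resolveDeployment(new ServletFacade(httpServletRequest));
    }
}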
