package org.keycloak.adapters.installed;

import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Paths;
import java.security.NoSuchAlgorithmException;
import java.security.spec.InvalidKeySpecException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import javax.ws.rs.client.Client;
import javax.ws.rs.client.Entity;
import javax.ws.rs.client.WebTarget;
import javax.ws.rs.core.Form;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import org.jboss.resteasy.client.jaxrs.ResteasyClientBuilder;
import org.keycloak.adapters.KeycloakDeploymentBuilder;
import org.keycloak.adapters.ServerRequest;
import org.keycloak.adapters.installed.KeycloakInstalled;
import org.keycloak.common.util.Base64;
import org.keycloak.common.util.Time;
import org.keycloak.jose.jwe.JWE;
import org.keycloak.jose.jwe.JWEException;
import org.keycloak.jose.jwe.JWEHeader;
import org.keycloak.representations.AccessTokenResponse;
import org.keycloak.representations.adapters.config.AdapterConfig;
import org.keycloak.representations.idm.OAuth2ErrorRepresentation;
import org.keycloak.util.JsonSerialization;

/* loaded from: input_file:org/keycloak/adapters/installed/KcinitDriver.class */
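/**
 * Command-line driver for the {@code kcinit} utility: it dispatches the sub-commands
 * ({@code login}, {@code logout}, {@code token}, {@code install}, {@code uninstall},
 * {@code password}, {@code env}) and manages the config and token files kept under
 * {@code $HOME/<KC_LOGIN_CONFIG_PATH or ".keycloak">/kcinit}.
 *
 * <p>When the config file is stored encrypted, files are wrapped in a JWE whose key comes
 * from the {@code KC_SESSION_KEY} environment variable or from a password typed at the prompt.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The password-derived key uses a fixed, compiled-in salt and only 100 PBKDF2 iterations
 *       (see {@link #generateEncryptionKey(String)}). Both are part of the on-disk format, so
 *       they cannot be strengthened without a migration path for existing files.</li>
 *   <li>Token and config files are created with the process default permissions; when the
 *       store is not encrypted they hold refresh tokens and the client secret in clear text.</li>
 * </ul>
 *
 * <p>This listing is decompiler output; the body of {@link #install()} was not recovered.
 */
public class KcinitDriver {
    /** Name of the environment variable carrying the Base64-encoded file-encryption key. */
    public static final String KC_SESSION_KEY = "KC_SESSION_KEY";
    /** Name of the environment variable overriding the ".keycloak" directory name under HOME. */
    public static final String KC_LOGIN_CONFIG_PATH = "KC_LOGIN_CONFIG_PATH";
    // Parsed config.json, loaded lazily by getConfigProperties().
    protected Map<String, String> config;
    // NOTE(review): fixed salt shared by every installation, and mutable because the field is
    // neither final nor private. Changing it invalidates every key derived so far.
    protected static byte[] salt = {-4, 88, 66, -101, 78, -94, 21, 105};
    protected boolean forceLogin;
    protected boolean browserLogin;
    // Key derived from the local password prompt; takes precedence over KC_SESSION_KEY.
    protected String encryptionKey;
    // NOTE(review): debug output is on by default, so stack traces reach stderr.
    protected boolean debug = true;
    String[] args = null;
    // True when checkEnv() decided the config file is stored as a JWE.
    protected boolean encrypted = false;

    /**
     * Dispatches on the first command-line argument (case-insensitive).
     *
     * @param strArr the raw command-line arguments; an empty array prints the help text
     * @throws Exception whatever the selected sub-command throws
     */
    public void mainCmd(String[] strArr) throws Exception {
        this.args = strArr;
        if (strArr.length == 0) {
            printHelp();
            return;
        }
        String command = strArr[0];
        if (command.equalsIgnoreCase("token")) {
            token();
        } else if (command.equalsIgnoreCase("login")) {
            login();
        } else if (command.equalsIgnoreCase("logout")) {
            logout();
        } else if (command.equalsIgnoreCase("env")) {
            // NOTE(review): this dumps the whole process environment to stdout, which includes
            // KC_SESSION_KEY when it is set. Keep the output out of logs and shared terminals.
            System.out.println(System.getenv().toString());
        } else if (command.equalsIgnoreCase("install")) {
            install();
        } else if (command.equalsIgnoreCase("uninstall")) {
            uninstall();
        } else if (command.equalsIgnoreCase("password")) {
            passwordKey();
        } else {
            KeycloakInstalled.console().writer().println("Unknown command: " + command);
            KeycloakInstalled.console().writer().println();
            printHelp();
        }
    }

    /**
     * Resolves the base directory for kcinit files: the {@code HOME} environment variable,
     * then the {@code HOME} system property, then the current working directory.
     *
     * @return the resolved directory as a string, never {@code null}
     */
    public String getHome() {
        String home = System.getenv("HOME");
        if (home != null) {
            return home;
        }
        // NOTE(review): "HOME" is not a standard JVM system property ("user.home" is), so this
        // lookup only succeeds when the launcher passes -DHOME=... explicitly.
        home = System.getProperty("HOME");
        if (home != null) {
            return home;
        }
        return Paths.get("").toAbsolutePath().normalize().toString();
    }

    /**
     * Implements the {@code password} command: derives the encryption key from the password
     * given as the second argument and prints it to stdout. Exits with status 1 when the
     * argument is missing or key derivation fails.
     */
    public void passwordKey() {
        if (this.args.length < 2) {
            printHelp();
            System.exit(1);
        }
        try {
            // print(), not printf(): the key is data and must never be read as a format string.
            System.out.print(generateEncryptionKey(this.args[1]));
        } catch (Exception e) {
            e.printStackTrace();
            System.exit(1);
        }
    }

    /**
     * Derives the file-encryption key from a password with PBKDF2-HMAC-SHA256 and returns it
     * Base64-encoded.
     *
     * <p>NOTE(review): the salt is the fixed class-level array and the iteration count is 100,
     * so the derivation adds little resistance to offline guessing. The key length is whatever
     * {@code KeycloakInstalled.Pkce.PKCE_CODE_VERIFIER_MAX_LENGTH} evaluates to; the decompiler
     * most likely mapped a numeric literal onto that constant, so confirm the intended length.
     *
     * @param str the password to derive the key from
     * @return the Base64 encoding of the derived key bytes
     * @throws NoSuchAlgorithmException if the PBKDF2 algorithm is unavailable
     * @throws InvalidKeySpecException if the key specification is rejected
     */
    protected String generateEncryptionKey(String str) throws NoSuchAlgorithmException, InvalidKeySpecException {
        PBEKeySpec spec = new PBEKeySpec(str.toCharArray(), salt, 100, KeycloakInstalled.Pkce.PKCE_CODE_VERIFIER_MAX_LENGTH);
        SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        return Base64.encodeBytes(factory.generateSecret(spec).getEncoded());
    }

    /**
     * Builds a {@link JWE} whose key storage holds the current encryption key as an AES key.
     *
     * @return a JWE ready for {@link #encrypt(String)} or {@link #decrypt(String)}
     * @throws RuntimeException if no key is available or the key is not valid Base64
     */
    public JWE createJWE() {
        String encodedKey = getEncryptionKey();
        if (encodedKey == null) {
            throw new RuntimeException("KC_SESSION_KEY env var not set");
        }
        byte[] rawKey;
        try {
            rawKey = Base64.decode(encodedKey.getBytes(StandardCharsets.UTF_8));
        } catch (IOException e) {
            // Keep the cause so a malformed key can be told apart from other failures.
            throw new RuntimeException("invalid KC_SESSION_KEY env var", e);
        }
        JWE jwe = new JWE();
        jwe.getKeyStorage().setDecryptionKey(new SecretKeySpec(rawKey, "AES"));
        return jwe;
    }

    /**
     * Returns the key derived from the local password prompt if there is one, otherwise the
     * value of the {@code KC_SESSION_KEY} environment variable (possibly {@code null}).
     */
    protected String getEncryptionKey() {
        if (this.encryptionKey != null) {
            return this.encryptionKey;
        }
        return System.getenv(KC_SESSION_KEY);
    }

    /**
     * Encrypts a string into a compact JWE using the A128KW / A128CBC-HS256 header.
     *
     * @param str the clear text, encoded as UTF-8 before encryption
     * @return the encoded JWE
     * @throws RuntimeException if no key is available or encoding fails
     */
    public String encrypt(String str) {
        JWE jwe = createJWE();
        JWEHeader header = new JWEHeader("A128KW", "A128CBC-HS256", (String) null);
        jwe.header(header).content(str.getBytes(StandardCharsets.UTF_8));
        try {
            return jwe.encodeJwe();
        } catch (JWEException e) {
            throw new RuntimeException("cannot encrypt payload", e);
        }
    }

    /**
     * Verifies and decrypts an encoded JWE.
     *
     * @param str the encoded JWE
     * @return the decrypted content as a UTF-8 string, or {@code null} if the JWE has no content
     * @throws RuntimeException if no key is available or verification/decryption fails
     */
    public String decrypt(String str) {
        JWE jwe = createJWE();
        try {
            jwe.verifyAndDecodeJwe(str);
            byte[] clear = jwe.getContent();
            return clear == null ? null : new String(clear, StandardCharsets.UTF_8);
        } catch (Exception e) {
            throw new RuntimeException("cannot decrypt payload", e);
        }
    }

    /**
     * Reads an environment variable with a fallback.
     *
     * @param str the variable name
     * @param str2 the value returned when the variable is not set
     * @return the variable's value, or {@code str2} when it is unset
     */
    public static String getenv(String str, String str2) {
        String value = System.getenv(str);
        return value != null ? value : str2;
    }

    /** Returns the {@code kcinit} directory under the configured base directory. */
    public File getConfigDirectory() {
        return Paths.get(getHome(), getenv(KC_LOGIN_CONFIG_PATH, ".keycloak"), "kcinit").toFile();
    }

    /** Returns the location of {@code config.json} inside the kcinit directory. */
    public File getConfigFile() {
        return Paths.get(getHome(), getenv(KC_LOGIN_CONFIG_PATH, ".keycloak"), "kcinit", "config.json").toFile();
    }

    /**
     * Returns the token file for a client.
     *
     * <p>NOTE(review): {@code str} is used as a path segment without validation and can come
     * from the command line (see {@link #token()}), so a value containing path separators
     * resolves outside the tokens directory.
     *
     * @param str the client id used as the file name
     */
    public File getTokenFilePath(String str) {
        return Paths.get(getHome(), getenv(KC_LOGIN_CONFIG_PATH, ".keycloak"), "kcinit", "tokens", str).toFile();
    }

    /** Returns the {@code tokens} directory inside the kcinit directory. */
    public File getTokenDirectory() {
        return Paths.get(getHome(), getenv(KC_LOGIN_CONFIG_PATH, ".keycloak"), "kcinit", "tokens").toFile();
    }

    /**
     * Checks that kcinit is configured and decides whether its files are encrypted.
     *
     * <p>The config file counts as plain text when its raw bytes contain the substring
     * {@code "realm"}; otherwise it is treated as a JWE and, if {@code KC_SESSION_KEY} is not
     * set, the user is prompted for the local password. Exits with status 1 when the config
     * file is missing or cannot be read.
     */
    protected void checkEnv() {
        File configFile = getConfigFile();
        if (!configFile.exists()) {
            KeycloakInstalled.console().writer().println("You have not configured kcinit.  Please run 'kcinit install' to configure.");
            System.exit(1);
        }
        byte[] raw;
        try {
            raw = readFileRaw(configFile);
        } catch (IOException e) {
            // A read failure used to leave an empty array behind, which was then taken for an
            // encrypted file. Report it as unreadable instead.
            raw = null;
        }
        if (raw == null) {
            KeycloakInstalled.console().writer().println("Config file unreadable.  Please run 'kcinit install' to configure.");
            System.exit(1);
        }
        if (new String(raw, StandardCharsets.UTF_8).contains("realm")) {
            this.encrypted = false;
            return;
        }
        this.encrypted = true;
        if (System.getenv(KC_SESSION_KEY) == null) {
            promptLocalPassword();
        }
    }

    /**
     * Prompts for the local password on the console and stores the key derived from it.
     *
     * @throws RuntimeException wrapping any failure of the prompt or the key derivation
     */
    protected void promptLocalPassword() {
        try {
            String password = KeycloakInstalled.console().passwordPrompt("Enter password to unlock kcinit config files: ", new Object[0]);
            this.encryptionKey = generateEncryptionKey(password);
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Reads a file as UTF-8 text, decrypting it first when the store is encrypted.
     *
     * @param file the file to read
     * @return the (decrypted) text, or {@code null} if the file does not exist
     * @throws RuntimeException if the file cannot be read or decrypted
     */
    protected String readFile(File file) {
        try {
            byte[] raw = readFileRaw(file);
            if (raw == null) {
                return null;
            }
            String text = new String(raw, StandardCharsets.UTF_8);
            if (!this.encrypted) {
                return text;
            }
            String clear = decrypt(text);
            if (clear == null) {
                throw new RuntimeException("Unable to decrypt file.  Did you set your local password correctly?");
            }
            return clear;
        } catch (IOException e) {
            throw new RuntimeException("failed to decrypt file: " + file.getAbsolutePath() + " Did you set your local password correctly?", e);
        }
    }

    /**
     * Reads the complete contents of a file.
     *
     * @param file the file to read
     * @return the file's bytes, or {@code null} if the file does not exist
     * @throws IOException if the file cannot be opened or read
     */
    protected byte[] readFileRaw(File file) throws IOException {
        if (!file.exists()) {
            return null;
        }
        try (FileInputStream in = new FileInputStream(file)) {
            byte[] buffer = new byte[(int) file.length()];
            int filled = 0;
            // A single read() may return fewer bytes than requested, so loop until the buffer
            // is full or the stream ends.
            while (filled < buffer.length) {
                int n = in.read(buffer, filled, buffer.length - filled);
                if (n < 0) {
                    break;
                }
                filled += n;
            }
            // Trim if the file shrank between length() and the read.
            return filled == buffer.length ? buffer : Arrays.copyOf(buffer, filled);
        }
    }

    /**
     * Writes text to a file as UTF-8, encrypting it first when the store is encrypted.
     *
     * <p>NOTE(review): the file is created with the process default permissions. When the
     * store is not encrypted this leaves tokens and the client secret readable by whoever the
     * umask allows; consider restricting the file to its owner.
     *
     * @param file the destination file
     * @param str the clear text to store
     * @throws RuntimeException if encryption or the write fails
     */
    protected void writeFile(File file, String str) {
        String payload = this.encrypted ? encrypt(str) : str;
        // try-with-resources closes the stream even when write() throws.
        try (FileOutputStream out = new FileOutputStream(file)) {
            out.write(payload.getBytes(StandardCharsets.UTF_8));
            out.flush();
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Implements the {@code install} command.
     *
     * <p>The decompiler could not reconstruct this method (its instruction dump was skipped),
     * so the recovered listing only contains this placeholder. The decompiler's leftover
     * fragments show an exception handler that prints the stack trace and exits with status 1;
     * nothing else about the body is known from this listing.
     */
    public void install() {
        throw new UnsupportedOperationException("Method not decompiled: org.keycloak.adapters.installed.KcinitDriver.install():void");
    }

    /** Prints the command summary to the console and exits with status 1. */
    public void printHelp() {
        KeycloakInstalled.console().writer().println("Commands:");
        KeycloakInstalled.console().writer().println("  login [-f] -f forces login");
        KeycloakInstalled.console().writer().println("  logout");
        KeycloakInstalled.console().writer().println("  token [client] - print access token of desired client.  Defaults to default master client.  Will print either 'error', 'not-allowed',  or 'login-required' on error.");
        KeycloakInstalled.console().writer().println("  install - Install this utility.  Will store in $HOME/.keycloak/kcinit unless KC_LOGIN_CONFIG_PATH env var is set");
        System.exit(1);
    }

    /**
     * Builds the adapter configuration from the stored config properties ("server", "realm",
     * "client", "secret"). A missing or blank secret marks the client as public. Exits with
     * status 1 when the config file does not exist.
     *
     * @return the adapter configuration
     */
    public AdapterConfig getConfig() {
        if (!getConfigFile().exists()) {
            KeycloakInstalled.console().writer().println("You have not configured kcinit.  Please run 'kcinit install' to configure.");
            System.exit(1);
            return null;
        }
        Map<String, String> props = getConfigProperties();
        AdapterConfig adapterConfig = new AdapterConfig();
        adapterConfig.setAuthServerUrl(props.get("server"));
        adapterConfig.setRealm(props.get("realm"));
        adapterConfig.setResource(props.get("client"));
        adapterConfig.setSslRequired("external");
        String secret = props.get("secret");
        if (secret == null || secret.trim().equals("")) {
            adapterConfig.setPublicClient(true);
        } else {
            Map<String, Object> credentials = new HashMap<String, Object>();
            credentials.put("secret", secret);
            adapterConfig.setCredentials(credentials);
        }
        return adapterConfig;
    }

    /**
     * Loads config.json once (decrypting it if needed) and caches the parsed map. Exits with
     * status 1 when the config file does not exist.
     */
    private Map<String, String> getConfigProperties() {
        if (this.config != null) {
            return this.config;
        }
        if (!getConfigFile().exists()) {
            KeycloakInstalled.console().writer().println();
            KeycloakInstalled.console().writer().println("Config file does not exist.  Run kcinit install to set it up.");
            System.exit(1);
        }
        try {
            // The JSON is parsed into an untyped Map; the values are not checked to be strings.
            @SuppressWarnings("unchecked")
            Map<String, String> parsed = (Map<String, String>) JsonSerialization.readValue(readFile(getConfigFile()), Map.class);
            this.config = parsed;
            return this.config;
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Returns a usable access token for a client from its stored token file, refreshing it
     * when the stored expiry has passed.
     *
     * <p>The stored {@code expiresIn} holds an absolute time (see {@link #token()} and
     * {@code processResponse}), which is why it is compared with the current time directly.
     * Any failure while parsing or refreshing deletes the token file and yields {@code null}.
     *
     * @param str the client id
     * @return the access token, or {@code null} if none is stored or it could not be refreshed
     * @throws Exception declared for callers; failures inside are caught and mapped to null
     */
    public String readToken(String str) throws Exception {
        String stored = getTokenResponse(str);
        if (stored == null) {
            return null;
        }
        try {
            AccessTokenResponse accessTokenResponse = (AccessTokenResponse) JsonSerialization.readValue(stored, AccessTokenResponse.class);
            if (Time.currentTime() < accessTokenResponse.getExpiresIn()) {
                return accessTokenResponse.getToken();
            }
            KeycloakInstalled keycloakInstalled = new KeycloakInstalled(KeycloakDeploymentBuilder.build(getConfig()));
            keycloakInstalled.refreshToken(accessTokenResponse.getRefreshToken());
            processResponse(keycloakInstalled, str);
            // Hand back the refreshed token; the stored response still holds the expired one.
            return keycloakInstalled.getTokenResponse().getToken();
        } catch (Exception e) {
            deleteIfExists(getTokenFilePath(str));
            return null;
        }
    }

    /**
     * Returns the refresh token stored for a client. A parse failure deletes the token file
     * and yields {@code null}.
     *
     * @param str the client id
     * @return the refresh token, or {@code null} if none is stored or it cannot be parsed
     * @throws Exception declared for callers; parse failures are caught and mapped to null
     */
    public String readRefreshToken(String str) throws Exception {
        String stored = getTokenResponse(str);
        if (stored == null) {
            return null;
        }
        try {
            AccessTokenResponse parsed = (AccessTokenResponse) JsonSerialization.readValue(stored, AccessTokenResponse.class);
            return parsed.getRefreshToken();
        } catch (Exception e) {
            if (this.debug) {
                e.printStackTrace();
            }
            deleteIfExists(getTokenFilePath(str));
            return null;
        }
    }

    /**
     * Reads the stored token response for a client. A read or decryption failure deletes the
     * token file and yields {@code null}.
     */
    private String getTokenResponse(String str) {
        File tokenFile = getTokenFilePath(str);
        try {
            return readFile(tokenFile);
        } catch (Exception e) {
            if (this.debug) {
                System.err.println("Failed to read encrypted file");
                e.printStackTrace();
            }
            deleteIfExists(tokenFile);
            return null;
        }
    }

    /** Deletes the file when it exists; the result of the deletion is not checked. */
    private static void deleteIfExists(File file) {
        if (file.exists()) {
            file.delete();
        }
    }

    /**
     * Implements the {@code token} command: prints an access token for the requested client
     * (second argument, defaulting to the configured master client) to stdout.
     *
     * <p>A stored, valid token is printed directly. Otherwise the method logs in as the master
     * client if needed and performs an OAuth 2.0 token exchange for the requested audience,
     * stores the result and prints the new access token. Errors are reported on stderr and end
     * the process with status 1.
     *
     * @throws Exception if login, the HTTP call or JSON processing fails
     */
    public void token() throws Exception {
        KeycloakInstalled.console().stderrOutput();
        checkEnv();
        String masterClient = getMasterClient();
        String client = this.args.length > 1 ? this.args[1] : masterClient;
        String token = readToken(client);
        if (token != null) {
            System.out.print(token);
            return;
        }
        if (client.equals(masterClient)) {
            doConsoleLogin();
            String afterLogin = readToken(client);
            if (afterLogin != null) {
                System.out.print(afterLogin);
                return;
            }
        }
        String masterToken = readToken(masterClient);
        if (masterToken == null) {
            doConsoleLogin();
            masterToken = readToken(masterClient);
            if (masterToken == null) {
                System.err.println("Login failed.  Cannot retrieve token");
                System.exit(1);
            }
        }
        WebTarget target = getHttpClient().target(getServer()).path("/realms").path(getRealm()).path("protocol/openid-connect/token");
        Form form = new Form()
                .param("grant_type", "urn:ietf:params:oauth:grant-type:token-exchange")
                .param("client_id", masterClient)
                .param("subject_token", masterToken)
                .param("subject_token_type", "urn:ietf:params:oauth:token-type:access_token")
                .param("requested_token_type", "urn:ietf:params:oauth:token-type:refresh_token")
                .param("audience", client);
        String clientSecret = getMasterClientSecret();
        if (clientSecret != null) {
            form.param("client_secret", clientSecret);
        }
        Response post = target.request().post(Entity.form(form));
        if (post.getStatus() == 401 || post.getStatus() == 403) {
            post.close();
            System.err.println("Not allowed to exchange for client token");
            System.exit(1);
        }
        if (post.getStatus() != 200) {
            if (post.getMediaType() != null && post.getMediaType().equals(MediaType.APPLICATION_JSON_TYPE)) {
                try {
                    OAuth2ErrorRepresentation error = (OAuth2ErrorRepresentation) JsonSerialization.readValue((String) post.readEntity(String.class), OAuth2ErrorRepresentation.class);
                    System.err.println("Failed to exchange token: " + error.getError() + ". " + error.getErrorDescription());
                    System.exit(1);
                } catch (Exception e) {
                    e.printStackTrace();
                }
            }
            post.close();
            System.err.println("Unknown error exchanging for client token: " + post.getStatus());
            System.exit(1);
        }
        String body = (String) post.readEntity(String.class);
        post.close();
        AccessTokenResponse accessTokenResponse = (AccessTokenResponse) JsonSerialization.readValue(body, AccessTokenResponse.class);
        if (accessTokenResponse.getToken() == null) {
            System.err.println("Error processing token");
            System.exit(1);
            return;
        }
        getTokenDirectory().mkdirs();
        // Store the expiry as an absolute time so readToken() can compare it with "now".
        accessTokenResponse.setExpiresIn(Time.currentTime() + accessTokenResponse.getExpiresIn());
        accessTokenResponse.setIdToken((String) null);
        writeFile(getTokenFilePath(client), JsonSerialization.writeValueAsString(accessTokenResponse));
        // print(), not printf(): the token comes from the server and must never be read as a
        // format string.
        System.out.print(accessTokenResponse.getToken());
    }

    /** Returns the configured client secret ("secret"), or {@code null} if none is stored. */
    protected String getMasterClientSecret() {
        return getProperty("secret");
    }

    /** Returns the configured server URL ("server"). */
    protected String getServer() {
        return getProperty("server");
    }

    /** Returns the configured realm name ("realm"). */
    protected String getRealm() {
        return getProperty("realm");
    }

    /**
     * Looks up a value in the stored config properties.
     *
     * @param str the property name
     * @return the stored value, or {@code null} if the property is absent
     */
    public String getProperty(String str) {
        return getConfigProperties().get(str);
    }

    /** Returns whether the first remaining argument is exactly {@code -f}. */
    protected boolean forceLogin() {
        return this.args.length > 0 && this.args[0].equals("-f");
    }

    /**
     * Creates the HTTP client used for the token-exchange request.
     *
     * <p>The client keeps the default TLS trust manager. This request carries the subject
     * token and, when configured, the client secret, so the server certificate has to be
     * verified; an earlier revision called {@code disableTrustManager()} here, which let any
     * party on the network path present its own certificate and receive those credentials.
     * A server whose certificate is not trusted by the JVM should be handled by adding its CA
     * to the truststore rather than by switching verification off.
     *
     * @return a new client; the caller owns it
     */
    public Client getHttpClient() {
        return new ResteasyClientBuilder().build();
    }

    /**
     * Implements the {@code login} command. Accepts {@code -f}/{@code -force} and
     * {@code -b}/{@code -browser}; any other argument prints the help text and exits with
     * status 1. Logs in unless a valid master-client token already exists and no force flag
     * was given.
     *
     * @throws Exception if the login or the token lookup fails
     */
    public void login() throws Exception {
        checkEnv();
        // Drop the "login" command word; the loop walks this snapshot while this.args shrinks
        // by one element per accepted flag.
        String[] flags = (String[]) Arrays.copyOfRange(this.args, 1, this.args.length);
        this.args = flags;
        for (String flag : flags) {
            if (flag.equals("-f") || flag.equals("-force")) {
                this.forceLogin = true;
                this.args = (String[]) Arrays.copyOfRange(this.args, 1, this.args.length);
            } else if (flag.equals("-browser") || flag.equals("-b")) {
                this.browserLogin = true;
                this.args = (String[]) Arrays.copyOfRange(this.args, 1, this.args.length);
            } else {
                System.err.println("Illegal argument: " + flag);
                printHelp();
                System.exit(1);
            }
        }
        String masterClient = getMasterClient();
        if (this.forceLogin || readToken(masterClient) == null) {
            doConsoleLogin();
            KeycloakInstalled.console().writer().println("Login successful!");
        } else {
            KeycloakInstalled.console().writer().println("Already logged in.  `kcinit -f` to force relogin");
        }
    }

    /**
     * Runs the command-line login for the master client and stores the resulting tokens.
     * Exits with status 1 when the login is not successful.
     *
     * @throws Exception if building the deployment, the login or the token write fails
     */
    public void doConsoleLogin() throws Exception {
        String masterClient = getMasterClient();
        KeycloakInstalled keycloakInstalled = new KeycloakInstalled(KeycloakDeploymentBuilder.build(getConfig()));
        if (!keycloakInstalled.loginCommandLine()) {
            System.exit(1);
        }
        processResponse(keycloakInstalled, masterClient);
    }

    /** Returns the configured client id ("client"). */
    private String getMasterClient() {
        return getProperty("client");
    }

    /**
     * Stores the token response held by {@code keycloakInstalled} in the client's token file,
     * after converting the expiry to an absolute time and dropping the ID token.
     */
    private void processResponse(KeycloakInstalled keycloakInstalled, String str) throws IOException {
        AccessTokenResponse tokenResponse = keycloakInstalled.getTokenResponse();
        tokenResponse.setExpiresIn(Time.currentTime() + tokenResponse.getExpiresIn());
        tokenResponse.setIdToken((String) null);
        String json = JsonSerialization.writeValueAsString(tokenResponse);
        getTokenDirectory().mkdirs();
        writeFile(getTokenFilePath(str), json);
    }

    /**
     * Implements the {@code logout} command: invokes the server-side logout with the stored
     * refresh token (best effort) and deletes all stored token files.
     *
     * @throws Exception if reading the stored refresh token fails unexpectedly
     */
    public void logout() throws Exception {
        String refreshToken = readRefreshToken(getMasterClient());
        if (refreshToken != null) {
            try {
                ServerRequest.invokeLogout(KeycloakDeploymentBuilder.build(getConfig()), refreshToken);
            } catch (Exception e) {
                // Best effort: the local tokens are removed even if the server call fails.
                if (this.debug) {
                    e.printStackTrace();
                }
            }
        }
        clearTokenDirectory();
    }

    /**
     * Implements the {@code uninstall} command: deletes the config file and all stored token
     * files.
     *
     * @throws Exception declared for callers; nothing in the visible body throws a checked one
     */
    public void uninstall() throws Exception {
        deleteIfExists(getConfigFile());
        clearTokenDirectory();
    }

    /** Deletes every entry of the tokens directory, if the directory exists. */
    private void clearTokenDirectory() {
        File tokenDirectory = getTokenDirectory();
        if (!tokenDirectory.exists()) {
            return;
        }
        // listFiles() returns null when the path is not a directory or cannot be listed.
        File[] entries = tokenDirectory.listFiles();
        if (entries == null) {
            return;
        }
        for (File entry : entries) {
            entry.delete();
        }
    }
}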
