package org.keycloak.services.clientregistration;

import java.util.List;
import java.util.Map;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriInfo;
import org.jboss.resteasy.spi.Failure;
import org.keycloak.Config;
import org.keycloak.authentication.AuthenticationProcessor;
import org.keycloak.common.util.Time;
import org.keycloak.events.EventBuilder;
import org.keycloak.models.AdminRoles;
import org.keycloak.models.ClientInitialAccessModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.protocol.oidc.utils.AuthorizeClientUtil;
import org.keycloak.representations.JsonWebToken;
import org.keycloak.services.ErrorResponseException;
import org.keycloak.services.clientregistration.ClientRegistrationTokenUtils;
import org.keycloak.services.clientregistration.policy.ClientRegistrationPolicyException;
import org.keycloak.services.clientregistration.policy.ClientRegistrationPolicyManager;
import org.keycloak.services.clientregistration.policy.RegistrationAuth;
import org.keycloak.services.resources.Cors;

/* loaded from: input_file:org/keycloak/services/clientregistration/ClientRegistrationAuth.class */
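/**
 * Resolves the caller's authorization for the client-registration endpoints.
 *
 * <p>Each {@code require*} method re-reads the {@code Authorization} header of the current
 * request (see {@link #init()}), classifies the presented credential &mdash; admin bearer
 * token, initial access token, registration access token, or client credentials &mdash; and
 * either returns the resulting {@link RegistrationAuth} or throws an
 * {@link ErrorResponseException} with the matching HTTP status. Every rejection is also
 * recorded on the {@link EventBuilder} before the exception is thrown.
 *
 * <p>Instances are request-scoped and not thread-safe: {@link #init()} mutates the fields it
 * derives from the request.
 */
public class ClientRegistrationAuth {
    private final KeycloakSession session;
    private final ClientRegistrationProvider provider;
    private final EventBuilder event;
    // Request-derived state populated by init(); all null until a require* method has run.
    private RealmModel realm;
    private JsonWebToken jwt;
    private ClientInitialAccessModel initialAccessModel;
    private String kid;
    private String token;

    /**
     * @param keycloakSession current session; supplies the realm, the request headers and
     *     the user/realm stores consulted during authorization
     * @param clientRegistrationProvider provider handed through to the registration policies
     * @param eventBuilder event sink that receives the outcome of failed authorizations
     */
    public ClientRegistrationAuth(KeycloakSession keycloakSession, ClientRegistrationProvider clientRegistrationProvider, EventBuilder eventBuilder) {
        this.session = keycloakSession;
        this.provider = clientRegistrationProvider;
        this.event = eventBuilder;
    }

    /**
     * Reads the {@code Authorization} header of the current request and, when it carries a
     * bearer token, verifies the token and caches the verified claims in {@link #jwt},
     * {@link #kid} and {@link #token}. An initial access token is additionally resolved to its
     * stored {@link ClientInitialAccessModel}.
     *
     * <p>A missing or non-bearer header leaves the token fields {@code null}; callers treat
     * that as anonymous or client-credential access.
     *
     * @throws ErrorResponseException 401 when the bearer header carries no token value, the
     *     token fails verification, or an initial access token is unknown to the realm
     */
    private void init() {
        this.realm = this.session.getContext().getRealm();
        UriInfo uri = this.session.getContext().getUri();
        String authorization = (String) this.session.getContext().getRequestHeaders().getRequestHeaders().getFirst(Cors.AUTHORIZATION_HEADER);
        if (authorization == null) {
            return;
        }
        String[] parts = authorization.split(" ");
        if (!parts[0].equalsIgnoreCase("bearer")) {
            // Not a bearer credential (e.g. Basic client auth); leave the token fields unset.
            return;
        }
        // "Authorization: Bearer" with no value would otherwise surface as an
        // ArrayIndexOutOfBoundsException (a 500) instead of a clean 401.
        if (parts.length < 2) {
            throw unauthorized("Missing bearer token");
        }
        this.token = parts[1];
        ClientRegistrationTokenUtils.TokenVerification verification = ClientRegistrationTokenUtils.verifyToken(this.session, this.realm, uri, this.token);
        if (verification.getError() != null) {
            throw unauthorized(verification.getError().getMessage());
        }
        this.kid = verification.getKid();
        this.jwt = verification.getJwt();
        if (isInitialAccessToken()) {
            // The token's jti is the id of the stored initial-access record.
            this.initialAccessModel = this.session.realms().getClientInitialAccessModel(this.realm, this.jwt.getId());
            if (this.initialAccessModel == null) {
                throw unauthorized("Initial Access Token not found");
            }
        }
    }

    /** @return the raw bearer token from the request, or {@code null} if none was presented */
    public String getToken() {
        return this.token;
    }

    /** @return the key id the bearer token was verified against, or {@code null} */
    public String getKid() {
        return this.kid;
    }

    /** @return the verified token claims, or {@code null} if no bearer token was presented */
    public JsonWebToken getJwt() {
        return this.jwt;
    }

    /** True when the verified token is an ordinary (admin) bearer token. */
    private boolean isBearerToken() {
        return this.jwt != null && "Bearer".equals(this.jwt.getType());
    }

    /** True when the verified token is an initial access token. */
    public boolean isInitialAccessToken() {
        return this.jwt != null && ClientRegistrationTokenUtils.TYPE_INITIAL_ACCESS_TOKEN.equals(this.jwt.getType());
    }

    /** True when the verified token is a registration access token bound to one client. */
    public boolean isRegistrationAccessToken() {
        return this.jwt != null && ClientRegistrationTokenUtils.TYPE_REGISTRATION_ACCESS_TOKEN.equals(this.jwt.getType());
    }

    /**
     * Authorizes creation of a client.
     *
     * <p>An admin bearer token needs {@code manage-clients} or {@code create-client}; an initial
     * access token must still have remaining uses and must not be expired; anything else is
     * treated as anonymous registration and left to the registration policies to accept or
     * reject.
     *
     * @param clientRegistrationContext context passed to the before-register policies
     * @return how the caller was authenticated
     * @throws ErrorResponseException 401/403 on rejection
     */
    public RegistrationAuth requireCreate(ClientRegistrationContext clientRegistrationContext) {
        init();
        RegistrationAuth registrationAuth = RegistrationAuth.ANONYMOUS;
        if (isBearerToken()) {
            if (!hasRole(AdminRoles.MANAGE_CLIENTS, AdminRoles.CREATE_CLIENT)) {
                throw forbidden();
            }
            registrationAuth = RegistrationAuth.AUTHENTICATED;
        } else if (isInitialAccessToken()) {
            // initialAccessModel is non-null here: init() rejects unknown initial access tokens.
            if (this.initialAccessModel.getRemainingCount() <= 0) {
                throw unauthorized("No remaining count on initial access token");
            }
            if (isInitialAccessTokenExpired()) {
                throw unauthorized("Expired initial access token");
            }
            registrationAuth = RegistrationAuth.AUTHENTICATED;
        }
        try {
            ClientRegistrationPolicyManager.triggerBeforeRegister(clientRegistrationContext, registrationAuth);
            return registrationAuth;
        } catch (ClientRegistrationPolicyException e) {
            throw forbidden(e.getMessage());
        }
    }

    /**
     * Expiry check for the resolved initial access token. An expiration of 0 disables the
     * check; otherwise the token is expired once {@code timestamp + expiration} (seconds) is
     * not after the current time.
     */
    private boolean isInitialAccessTokenExpired() {
        int expiration = this.initialAccessModel.getExpiration();
        if (expiration == 0) {
            return false;
        }
        // long arithmetic so a very large expiration cannot wrap the int sum
        return (long) this.initialAccessModel.getTimestamp() + expiration <= Time.currentTime();
    }

    /**
     * Authorizes reading a client's registration data.
     *
     * <p>Accepted credentials: an admin bearer token with {@code manage-clients} or
     * {@code view-clients}; the registration access token currently bound to the client; or
     * client credentials for the client itself (a public client needs none). Initial access
     * tokens are never accepted here.
     *
     * @param clientModel the client being read; may be {@code null}, which results in 404 for
     *     admins and 401 for everyone else
     * @throws ErrorResponseException 401/403/404 on rejection
     */
    public void requireView(ClientModel clientModel) {
        init();
        RegistrationAuth registrationAuth = null;
        boolean authorized = false;
        if (isBearerToken()) {
            if (!hasRole(AdminRoles.MANAGE_CLIENTS, AdminRoles.VIEW_CLIENTS)) {
                throw forbidden();
            }
            if (clientModel == null) {
                throw notFound();
            }
            authorized = true;
            registrationAuth = RegistrationAuth.AUTHENTICATED;
        } else if (isRegistrationAccessToken()) {
            if (ownsRegistrationToken(clientModel)) {
                authorized = true;
                registrationAuth = getRegistrationAuth();
            }
        } else {
            if (isInitialAccessToken()) {
                throw unauthorized("Not initial access token allowed");
            }
            if (authenticateClient(clientModel)) {
                authorized = true;
                registrationAuth = RegistrationAuth.AUTHENTICATED;
            }
        }
        if (!authorized) {
            throw unauthorized("Not authorized to view client. Not valid token or client credentials provided.");
        }
        try {
            ClientRegistrationPolicyManager.triggerBeforeView(this.session, this.provider, registrationAuth, clientModel);
        } catch (ClientRegistrationPolicyException e) {
            throw forbidden(e.getMessage());
        }
    }

    /**
     * Reads the {@code registration_auth} claim of the presented registration access token.
     * Only meaningful after {@link #init()} has verified a registration access token; with no
     * token present this dereferences a {@code null} {@link #jwt}.
     */
    public RegistrationAuth getRegistrationAuth() {
        return RegistrationAuth.fromString((String) this.jwt.getOtherClaims().get(RegistrationAccessToken.REGISTRATION_AUTH));
    }

    /**
     * Authorizes an update of the client (see {@link #requireUpdateAuth(ClientModel)}) and runs
     * the before-update registration policies.
     *
     * @return how the caller was authenticated
     * @throws ErrorResponseException 401/403/404 on rejection
     */
    public RegistrationAuth requireUpdate(ClientRegistrationContext clientRegistrationContext, ClientModel clientModel) {
        RegistrationAuth requireUpdateAuth = requireUpdateAuth(clientModel);
        try {
            ClientRegistrationPolicyManager.triggerBeforeUpdate(clientRegistrationContext, requireUpdateAuth, clientModel);
            return requireUpdateAuth;
        } catch (ClientRegistrationPolicyException e) {
            throw forbidden(e.getMessage());
        }
    }

    /**
     * Authorizes deletion of the client with the same rules as an update, then runs the
     * before-remove registration policies.
     *
     * @throws ErrorResponseException 401/403/404 on rejection
     */
    public void requireDelete(ClientModel clientModel) {
        try {
            ClientRegistrationPolicyManager.triggerBeforeRemove(this.session, this.provider, requireUpdateAuth(clientModel), clientModel);
        } catch (ClientRegistrationPolicyException e) {
            throw forbidden(e.getMessage());
        }
    }

    /**
     * Shared check for update and delete: an admin bearer token needs {@code manage-clients}
     * (and an existing client), otherwise the caller must present the registration access
     * token currently bound to the client.
     */
    private RegistrationAuth requireUpdateAuth(ClientModel clientModel) {
        init();
        if (isBearerToken()) {
            if (!hasRole(AdminRoles.MANAGE_CLIENTS)) {
                throw forbidden();
            }
            if (clientModel == null) {
                throw notFound();
            }
            return RegistrationAuth.AUTHENTICATED;
        }
        if (!isRegistrationAccessToken() || !ownsRegistrationToken(clientModel)) {
            throw unauthorized("Not authorized to update client. Maybe missing token or bad token type.");
        }
        return getRegistrationAuth();
    }

    /**
     * True when the presented token's id matches the registration token stored on the client.
     * Requires {@link #jwt} to be set; a {@code null} client or a client without a stored
     * registration token never matches.
     */
    private boolean ownsRegistrationToken(ClientModel clientModel) {
        if (clientModel == null || clientModel.getRegistrationToken() == null) {
            return false;
        }
        return clientModel.getRegistrationToken().equals(this.jwt.getId());
    }

    /** @return the stored initial-access record for the presented token, or {@code null} */
    public ClientInitialAccessModel getInitialAccessModel() {
        return this.initialAccessModel;
    }

    /**
     * True when the admin bearer token grants at least one of the given realm-management
     * roles. Tokens issued for the built-in admin clients are checked against the user's role
     * mappings in the store; all others against the {@code resource_access} claim.
     *
     * <p>Any runtime failure while evaluating (missing claims, unknown user, missing client)
     * is treated as "no role" rather than propagated, so a malformed token yields 403 and not
     * 500.
     */
    private boolean hasRole(String... roles) {
        try {
            String issuedFor = this.jwt.getIssuedFor();
            boolean builtInAdminClient = issuedFor.equals("admin-cli") || issuedFor.equals("security-admin-console");
            return builtInAdminClient ? hasRoleInModel(roles) : hasRoleInToken(roles);
        } catch (RuntimeException e) {
            // Deliberate: evaluation errors mean the role cannot be proven, so deny.
            return false;
        }
    }

    /**
     * Role check against the user store: looks up the token subject and tests it for each
     * role of the realm's admin client (the master admin client in the admin realm, the
     * {@code realm-management} client elsewhere).
     */
    private boolean hasRoleInModel(String[] roles) {
        UserModel user = this.session.users().getUserById(this.jwt.getSubject(), this.realm);
        if (user == null) {
            return false;
        }
        ClientModel adminClient = this.realm.getName().equals(Config.getAdminRealm())
                ? this.realm.getMasterAdminClient()
                : this.realm.getClientByClientId("realm-management");
        for (String role : roles) {
            if (user.hasRole(adminClient.getRole(role))) {
                return true;
            }
        }
        return false;
    }

    /**
     * Role check against the token itself: reads
     * {@code resource_access.<admin-client-id>.roles} from the token's extra claims and tests
     * it for any of the given roles.
     */
    private boolean hasRoleInToken(String[] roles) {
        Map<?, ?> otherClaims = this.jwt.getOtherClaims();
        if (otherClaims == null) {
            return false;
        }
        Map<?, ?> resourceAccess = (Map<?, ?>) otherClaims.get("resource_access");
        if (resourceAccess == null) {
            return false;
        }
        String adminClientId = this.realm.getName().equals(Config.getAdminRealm())
                ? this.realm.getMasterAdminClient().getClientId()
                : "realm-management";
        Map<?, ?> clientAccess = (Map<?, ?>) resourceAccess.get(adminClientId);
        List<?> roleNames = clientAccess != null ? (List<?>) clientAccess.get("roles") : null;
        if (roleNames == null) {
            return false;
        }
        for (String role : roles) {
            if (roleNames.contains(role)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Authenticates the request as the given client using client credentials.
     *
     * @return {@code true} when the client is public (no credentials required) or the
     *     authenticated client is this one; {@code false} when no client was given
     * @throws ErrorResponseException 401 when credentials fail, resolve to no client, or
     *     resolve to a different client; each case is also recorded as a {@code not_allowed}
     *     event on this client
     */
    private boolean authenticateClient(ClientModel clientModel) {
        if (clientModel == null) {
            return false;
        }
        if (clientModel.isPublicClient()) {
            return true;
        }
        AuthenticationProcessor authenticationProcessor = AuthorizeClientUtil.getAuthenticationProcessor(this.session, this.event);
        if (authenticationProcessor.authenticateClient() != null) {
            throw clientAuthFailure(clientModel, "Failed to authenticate client");
        }
        ClientModel authenticated = authenticationProcessor.getClient();
        if (authenticated == null) {
            throw clientAuthFailure(clientModel, "No client authenticated");
        }
        if (authenticated.getClientId().equals(clientModel.getClientId())) {
            return true;
        }
        throw clientAuthFailure(clientModel, "Different client authenticated");
    }

    /** Records a {@code not_allowed} event on the client, then raises the 401 via {@link #unauthorized(String)}. */
    private Failure clientAuthFailure(ClientModel clientModel, String reason) {
        this.event.client(clientModel.getClientId()).error("not_allowed");
        return unauthorized(reason);
    }

    /**
     * Records an {@code invalid_token} event with the given reason and throws a 401. Declared
     * to return {@link Failure} only so call sites can write {@code throw unauthorized(..)};
     * it never returns.
     */
    private Failure unauthorized(String str) {
        this.event.detail("reason", str).error("invalid_token");
        throw new ErrorResponseException("invalid_token", str, Response.Status.UNAUTHORIZED);
    }

    /** Generic 403; see {@link #forbidden(String)}. */
    private Failure forbidden() {
        return forbidden("Forbidden");
    }

    /** Records a {@code not_allowed} event and throws a 403 {@code insufficient_scope}; never returns. */
    private Failure forbidden(String str) {
        this.event.error("not_allowed");
        throw new ErrorResponseException("insufficient_scope", str, Response.Status.FORBIDDEN);
    }

    /** Records a {@code client_not_found} event and throws a 404; never returns. */
    private Failure notFound() {
        this.event.error("client_not_found");
        throw new ErrorResponseException("invalid_request", "Client not found", Response.Status.NOT_FOUND);
    }
}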
