package org.keycloak.protocol.oidc;

import java.util.Collections;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import javax.ws.rs.GET;
import javax.ws.rs.NotFoundException;
import javax.ws.rs.OPTIONS;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import javax.ws.rs.core.UriInfo;
import org.jboss.logging.Logger;
import org.jboss.resteasy.annotations.cache.NoCache;
import org.jboss.resteasy.spi.HttpRequest;
import org.jboss.resteasy.spi.ResteasyProviderFactory;
import org.keycloak.common.ClientConnection;
import org.keycloak.events.EventBuilder;
import org.keycloak.forms.login.LoginFormsProvider;
import org.keycloak.jose.jwk.JSONWebKeySet;
import org.keycloak.jose.jwk.JWK;
import org.keycloak.jose.jwk.JWKBuilder;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.protocol.oidc.endpoints.AuthorizationEndpoint;
import org.keycloak.protocol.oidc.endpoints.LoginStatusIframeEndpoint;
import org.keycloak.protocol.oidc.endpoints.LogoutEndpoint;
import org.keycloak.protocol.oidc.endpoints.ThirdPartyCookiesIframeEndpoint;
import org.keycloak.protocol.oidc.endpoints.TokenEndpoint;
import org.keycloak.protocol.oidc.endpoints.TokenRevocationEndpoint;
import org.keycloak.protocol.oidc.endpoints.UserInfoEndpoint;
import org.keycloak.protocol.oidc.ext.OIDCExtProvider;
import org.keycloak.protocol.oidc.utils.OIDCResponseType;
import org.keycloak.services.CorsErrorResponseException;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.messages.Messages;
import org.keycloak.services.resources.Cors;
import org.keycloak.services.resources.RealmsResource;
import org.keycloak.services.util.CacheControlUtil;
import org.keycloak.utils.MediaType;

/* loaded from: input_file:org/keycloak/protocol/oidc/OIDCLoginProtocolService.class */
/**
 * JAX-RS root resource for a realm's OpenID Connect protocol endpoints, mounted under
 * {@code {realm}/protocol/openid-connect}.
 *
 * <p>Most paths hand off to a dedicated sub-resource (authorization, token, userinfo, logout,
 * revocation, status iframes, extensions). The class itself serves the JWK Set ({@code certs}),
 * the installed-app callback and the delegated-login completion page, and offers static
 * helpers that build the public URLs of those endpoints.
 */
public class OIDCLoginProtocolService {
    private static final Logger logger = Logger.getLogger(OIDCLoginProtocolService.class);
    private RealmModel realm;
    private TokenManager tokenManager = new TokenManager();
    private EventBuilder event;

    // Populated by the JAX-RS runtime; sub-resources get the same treatment via inject().
    @Context
    private KeycloakSession session;

    @Context
    private HttpHeaders headers;

    @Context
    private HttpRequest request;

    @Context
    private ClientConnection clientConnection;

    /**
     * Creates the resource for one realm.
     *
     * @param realmModel   realm whose OIDC endpoints are served
     * @param eventBuilder event sink handed to the sub-resources that emit events
     */
    public OIDCLoginProtocolService(RealmModel realmModel, EventBuilder eventBuilder) {
        this.realm = realmModel;
        this.event = eventBuilder;
    }

    /** Base URL of the OIDC protocol resource, derived from the request's base URI. */
    public static UriBuilder tokenServiceBaseUrl(UriInfo uriInfo) {
        return tokenServiceBaseUrl(uriInfo.getBaseUriBuilder());
    }

    /** Base URL of the OIDC protocol resource: {@code <realms>/{realm}/protocol/openid-connect}. */
    public static UriBuilder tokenServiceBaseUrl(UriBuilder uriBuilder) {
        return uriBuilder.path(RealmsResource.class).path("{realm}/protocol/openid-connect");
    }

    /** Authorization endpoint URL, derived from the request's base URI. */
    public static UriBuilder authUrl(UriInfo uriInfo) {
        return authUrl(uriInfo.getBaseUriBuilder());
    }

    /** Authorization endpoint URL ({@link #auth()}). */
    public static UriBuilder authUrl(UriBuilder uriBuilder) {
        return endpointUrl(uriBuilder, "auth");
    }

    /** Delegated-login completion URL ({@link #kcinitBrowserLoginComplete(boolean)}). */
    public static UriBuilder delegatedUrl(UriInfo uriInfo) {
        return endpointUrl(uriInfo.getBaseUriBuilder(), "kcinitBrowserLoginComplete");
    }

    /** Token endpoint URL ({@link #token()}). */
    public static UriBuilder tokenUrl(UriBuilder uriBuilder) {
        return endpointUrl(uriBuilder, OIDCResponseType.TOKEN);
    }

    /** JWK Set endpoint URL ({@link #certs()}). */
    public static UriBuilder certsUrl(UriBuilder uriBuilder) {
        return endpointUrl(uriBuilder, "certs");
    }

    /** UserInfo endpoint URL ({@link #issueUserInfo()}). */
    public static UriBuilder userInfoUrl(UriBuilder uriBuilder) {
        return endpointUrl(uriBuilder, "issueUserInfo");
    }

    /** Token introspection URL: the token endpoint's {@code introspect} sub-path. */
    public static UriBuilder tokenIntrospectionUrl(UriBuilder uriBuilder) {
        return tokenUrl(uriBuilder).path(TokenEndpoint.class, "introspect");
    }

    /** Logout endpoint URL, derived from the request's base URI. */
    public static UriBuilder logoutUrl(UriInfo uriInfo) {
        return logoutUrl(uriInfo.getBaseUriBuilder());
    }

    /** Logout endpoint URL ({@link #logout()}). */
    public static UriBuilder logoutUrl(UriBuilder uriBuilder) {
        return endpointUrl(uriBuilder, "logout");
    }

    /** Token revocation endpoint URL ({@link #revoke()}). */
    public static UriBuilder tokenRevocationUrl(UriBuilder uriBuilder) {
        return endpointUrl(uriBuilder, "revoke");
    }

    /**
     * Resolves the {@code @Path} of one of this class's resource methods below the protocol base.
     *
     * @param uriBuilder base URI builder
     * @param methodName name of the annotated method on this class
     */
    private static UriBuilder endpointUrl(UriBuilder uriBuilder, String methodName) {
        return tokenServiceBaseUrl(uriBuilder).path(OIDCLoginProtocolService.class, methodName);
    }

    /**
     * Runs RESTEasy property injection on a freshly built sub-resource so its own
     * {@code @Context} fields are populated, then returns it.
     */
    private static <T> T inject(T resource) {
        ResteasyProviderFactory.getInstance().injectProperties(resource);
        return resource;
    }

    /** Authorization endpoint sub-resource. */
    @Path("auth")
    public Object auth() {
        return inject(new AuthorizationEndpoint(this.realm, this.event));
    }

    /** Registration page, served through the authorization endpoint's register flow. */
    @Path("registrations")
    public Object registerPage() {
        return inject(new AuthorizationEndpoint(this.realm, this.event)).register();
    }

    /** Forgot-credentials page, served through the authorization endpoint. */
    @Path("forgot-credentials")
    public Object forgotCredentialsPage() {
        return inject(new AuthorizationEndpoint(this.realm, this.event)).forgotCredentials();
    }

    /** Token endpoint sub-resource, sharing this resource's token manager. */
    @Path(OIDCResponseType.TOKEN)
    public Object token() {
        return inject(new TokenEndpoint(this.tokenManager, this.realm, this.event));
    }

    /** Session-status iframe used by browser clients. */
    @Path("login-status-iframe.html")
    public Object getLoginStatusIframe() {
        return inject(new LoginStatusIframeEndpoint());
    }

    /** Third-party-cookie support check iframe. */
    @Path("3p-cookies")
    public Object thirdPartyCookiesCheck() {
        return inject(new ThirdPartyCookiesIframeEndpoint());
    }

    /** CORS preflight for {@link #certs()}; advertises GET only. */
    @Produces({MediaType.APPLICATION_JSON})
    @Path("certs")
    @OPTIONS
    public Response getVersionPreflight() {
        return Cors.add(this.request, Response.ok())
                .allowedMethods("GET")
                .preflight()
                .auth()
                .build();
    }

    /**
     * Publishes the realm's signing/encryption keys as a JWK Set.
     *
     * <p>Only enabled keys that carry a public key are included. RSA entries are emitted with
     * the configured certificate chain, or the single certificate when no chain is present;
     * EC entries carry just the public key; any other key type is skipped. The response is
     * public-key material only, so CORS permits any origin.
     *
     * @throws CorsErrorResponseException when the realm requires HTTPS and the request is not over HTTPS
     */
    @GET
    @Path("certs")
    @NoCache
    @Produces({MediaType.APPLICATION_JSON})
    public Response certs() {
        checkSsl();
        JWK[] publishedKeys = this.session.keys().getKeysStream(this.realm)
                .filter(key -> key.getStatus().isEnabled() && key.getPublicKey() != null)
                .map(key -> {
                    JWKBuilder builder = JWKBuilder.create()
                            .kid(key.getKid())
                            .algorithm(key.getAlgorithmOrDefault());
                    // Prefer the full chain; fall back to the single certificate when none is configured.
                    // Raw List is kept because the certificate type is not imported in this file.
                    List chain = Optional.ofNullable(key.getCertificateChain())
                            .filter(configured -> !configured.isEmpty())
                            .orElseGet(() -> Collections.singletonList(key.getCertificate()));
                    switch (key.getType()) {
                        case "RSA":
                            return builder.rsa(key.getPublicKey(), chain, key.getUse());
                        case "EC":
                            return builder.ec(key.getPublicKey());
                        default:
                            return null; // dropped by the nonNull filter below
                    }
                })
                .filter(Objects::nonNull)
                .toArray(JWK[]::new);

        JSONWebKeySet keySet = new JSONWebKeySet();
        keySet.setKeys(publishedKeys);
        Response.ResponseBuilder ok = Response.ok(keySet)
                .cacheControl(CacheControlUtil.getDefaultCacheControl());
        return Cors.add(this.request, ok)
                .allowedOrigins(Cors.ACCESS_CONTROL_ALLOW_ORIGIN_WILDCARD)
                .auth()
                .build();
    }

    /** UserInfo endpoint sub-resource. */
    @Path("userinfo")
    public Object issueUserInfo() {
        return inject(new UserInfoEndpoint(this.tokenManager, this.realm));
    }

    /** Logout endpoint sub-resource. */
    @Path("logout")
    public Object logout() {
        return inject(new LogoutEndpoint(this.tokenManager, this.realm, this.event));
    }

    /** Token revocation endpoint sub-resource. */
    @Path("revoke")
    public Object revoke() {
        return inject(new TokenRevocationEndpoint(this.realm, this.event));
    }

    /**
     * Callback for installed applications using the {@code urn:ietf:wg:oauth:2.0:oob} style
     * redirect: renders the code page when a code is present, otherwise an error page.
     *
     * @param str  the {@code code} query parameter; when non-null it is shown on the code page
     * @param str2 the {@code error} query parameter, used as the error message key when no code is given
     * @param str3 the {@code error_description} query parameter; accepted but not used
     */
    @GET
    @Path("oauth/oob")
    public Response installedAppUrnCallback(@QueryParam("code") String str, @QueryParam("error") String str2, @QueryParam("error_description") String str3) {
        LoginFormsProvider forms = this.session.getProvider(LoginFormsProvider.class);
        if (str == null) {
            return forms.setError(str2).createCode();
        }
        return forms.setClientSessionCode(str).createCode();
    }

    /**
     * Completion page for the delegated (kcinit) browser login. The identity and remember-me
     * cookies are expired first, then an info page reports success or failure.
     *
     * @param z the {@code error} query parameter; {@code true} renders the failure variant
     */
    @GET
    @Path("delegated")
    public Response kcinitBrowserLoginComplete(@QueryParam("error") boolean z) {
        UriInfo uri = this.session.getContext().getUri();
        AuthenticationManager.expireIdentityCookie(this.realm, uri, this.clientConnection);
        AuthenticationManager.expireRememberMeCookie(this.realm, uri, this.clientConnection);

        String headerKey = z ? Messages.DELEGATION_FAILED_HEADER : Messages.DELEGATION_COMPLETE_HEADER;
        LoginFormsProvider forms = this.session.getProvider(LoginFormsProvider.class);
        LoginFormsProvider page = forms
                .setAttribute("messageHeader", forms.getMessage(headerKey))
                .setAttribute("skipLink", true);
        page = z ? page.setError(Messages.DELEGATION_FAILED) : page.setSuccess(Messages.DELEGATION_COMPLETE);
        return page.createInfoPage();
    }

    /**
     * Dispatches to an {@link OIDCExtProvider} registered under the given id.
     *
     * @param str provider id taken from the URL path segment
     * @throws NotFoundException when no extension provider has that id
     */
    @Path("ext/{extension}")
    public Object resolveExtension(@PathParam("extension") String str) {
        OIDCExtProvider extension = this.session.getProvider(OIDCExtProvider.class, str);
        if (extension == null) {
            throw new NotFoundException();
        }
        extension.setEvent(this.event);
        return extension;
    }

    /**
     * Rejects non-HTTPS requests when the realm's SSL policy requires TLS for this connection.
     * The error carries CORS headers so browser callers receive it rather than an opaque failure.
     *
     * @throws CorsErrorResponseException with status 403 and {@code invalid_request} when TLS is required but absent
     */
    private void checkSsl() {
        String scheme = this.session.getContext().getUri().getBaseUri().getScheme();
        if (scheme.equals("https")) {
            return;
        }
        if (!this.realm.getSslRequired().isRequired(this.clientConnection)) {
            return;
        }
        Cors cors = Cors.add(this.request)
                .auth()
                .allowedMethods(this.request.getHttpMethod())
                .auth()
                .exposedHeaders(Cors.ACCESS_CONTROL_ALLOW_METHODS)
                .allowAllOrigins();
        throw new CorsErrorResponseException(cors, "invalid_request", "HTTPS required", Response.Status.FORBIDDEN);
    }
}
