package org.keycloak.client.admin.cli.util;

import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.security.KeyPair;
import java.util.UUID;
import org.keycloak.client.admin.cli.config.ConfigData;
import org.keycloak.client.admin.cli.config.RealmConfigData;
import org.keycloak.common.util.KeystoreUtil;
import org.keycloak.common.util.Time;
import org.keycloak.jose.jws.JWSBuilder;
import org.keycloak.representations.AccessTokenResponse;
import org.keycloak.representations.JsonWebToken;
import org.keycloak.util.BasicAuthHelper;
import org.keycloak.util.JsonSerialization;

/* loaded from: input_file:org/keycloak/client/admin/cli/util/AuthUtil.class */
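/**
 * Token acquisition helpers for the admin CLI.
 *
 * <p>Every request built here is a form-encoded POST to
 * {@code <server>/realms/<realm>/protocol/openid-connect/token}. The methods cover the
 * password grant, the client-credentials grant, client authentication with a signed JWT
 * assertion or with a client secret sent as a Basic authorization header, and renewal of a
 * cached access token.
 *
 * <p>All values placed in a form body are passed through {@link HttpUtil#urlencode}, so a
 * value containing {@code &}, {@code =} or {@code +} cannot add or alter request parameters.
 */
public class AuthUtil {

    /** A token or session with less than this many milliseconds left is treated as expired. */
    private static final long EXPIRY_MARGIN_MILLIS = 5000;

    private static final String FORM_URLENCODED = "application/x-www-form-urlencoded";

    /** Form fragment announcing that {@code client_assertion} carries a JWT bearer assertion. */
    private static final String JWT_BEARER_ASSERTION_TYPE =
            "&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer";

    /**
     * Returns an access token that is usable for the next request, renewing it when needed.
     *
     * <p>An externally supplied token is returned as is, without any expiry check. Otherwise
     * the cached token is returned while it has at least five seconds left. A token closer to
     * expiry is renewed with the stored refresh token, or, when there is none, by repeating
     * the grant named by {@code getGrantTypeForAuthentication()}. The client authenticates
     * with the stored signing token if present, else with the stored secret.
     *
     * @param configData CLI configuration holding the session realm and its tokens
     * @return the access token to send
     * @throws RuntimeException if the refresh token or the signing token is within five
     *         seconds of expiry ("Session has expired"), or if the renewal request fails
     */
    public static String ensureToken(ConfigData configData) {
        String externalToken = configData.getExternalToken();
        if (externalToken != null) {
            return externalToken;
        }
        ConfigUtil.checkAuthInfo(configData);
        RealmConfigData session = configData.sessionRealmConfigData();
        long now = System.currentTimeMillis();
        if (session.getExpiresAt().longValue() - now >= EXPIRY_MARGIN_MILLIS) {
            return session.getToken();
        }
        // Neither credential can be used for renewal once it has (almost) expired itself.
        if (expiresWithinMargin(session.getRefreshExpiresAt(), now)
                || expiresWithinMargin(session.getSigExpiresAt(), now)) {
            throw new RuntimeException("Session has expired. Login again with '" + OsUtil.CMD + " config credentials'");
        }
        try {
            String authorization = null;
            StringBuilder form = new StringBuilder();
            String refreshToken = session.getRefreshToken();
            if (refreshToken != null) {
                // Encoded like every other form value. A compact JWT consists only of
                // characters that java.net.URLEncoder leaves untouched, so this is a no-op
                // for such tokens (assuming HttpUtil.urlencode follows those rules).
                form.append("grant_type=refresh_token").append("&refresh_token=").append(HttpUtil.urlencode(refreshToken));
            } else {
                form.append("grant_type=").append(session.getGrantTypeForAuthentication());
            }
            form.append("&client_id=").append(HttpUtil.urlencode(session.getClientId()));
            String signingToken = session.getSigningToken();
            if (signingToken != null) {
                form.append(JWT_BEARER_ASSERTION_TYPE).append("&client_assertion=").append(HttpUtil.urlencode(signingToken));
            } else if (session.getSecret() != null) {
                authorization = BasicAuthHelper.createHeader(session.getClientId(), session.getSecret());
            }
            AccessTokenResponse response = requestTokens(session.serverUrl(), session.realm(), form.toString(), authorization);
            // NOTE(review): the tokens are handed to ConfigUtil.saveMergeConfig; presumably that
            // writes them to the CLI config file, which then needs owner-only permissions.
            // Confirm in ConfigUtil.
            ConfigUtil.saveMergeConfig(saved -> {
                RealmConfigData savedSession = saved.sessionRealmConfigData();
                long receivedAt = System.currentTimeMillis();
                savedSession.setToken(response.getToken());
                savedSession.setRefreshToken(response.getRefreshToken());
                savedSession.setExpiresAt(Long.valueOf(receivedAt + (response.getExpiresIn() * 1000)));
                // Without a new refresh token the previous refresh expiry is left in place.
                if (response.getRefreshToken() != null) {
                    savedSession.setRefreshExpiresAt(Long.valueOf(receivedAt + (response.getRefreshExpiresIn() * 1000)));
                }
            });
            return response.getToken();
        } catch (Exception e) {
            throw new RuntimeException("Failed to refresh access token - " + e.getMessage(), e);
        }
    }

    /**
     * Obtains tokens with the password grant for a client that sends no client credentials.
     *
     * @param str server base URL
     * @param str2 realm name
     * @param str3 username
     * @param str4 password
     * @param str5 client id
     * @return the parsed token endpoint response
     * @throws RuntimeException if encoding, the HTTP exchange or response parsing fails
     */
    public static AccessTokenResponse getAuthTokens(String str, String str2, String str3, String str4, String str5) {
        try {
            String form = "grant_type=password"
                    + "&username=" + HttpUtil.urlencode(str3)
                    + "&password=" + HttpUtil.urlencode(str4)
                    + "&client_id=" + HttpUtil.urlencode(str5);
            return requestTokens(str, str2, form, null);
        } catch (UnsupportedEncodingException e) {
            throw new RuntimeException("Unexpected error: ", e);
        } catch (IOException e2) {
            throw new RuntimeException("Error receiving response: ", e2);
        }
    }

    /**
     * Obtains tokens for a client that authenticates with a signed JWT assertion.
     *
     * <p>Uses the client-credentials grant when {@code str3} is null, the password grant
     * otherwise.
     *
     * @param str server base URL
     * @param str2 realm name
     * @param str3 username, or null for the client-credentials grant
     * @param str4 password; required when {@code str3} is given
     * @param str5 client id
     * @param str6 signed client assertion, e.g. the result of {@link #getSignedRequestToken}
     * @return the parsed token endpoint response
     * @throws RuntimeException if the assertion is missing, if a username is given without a
     *         password, or if encoding, the HTTP exchange or response parsing fails
     */
    public static AccessTokenResponse getAuthTokensByJWT(String str, String str2, String str3, String str4, String str5, String str6) {
        // Fail before anything is sent: without this the literal text "null" would go out as
        // the assertion, next to the user's password.
        if (str6 == null) {
            throw new RuntimeException("No client assertion specified");
        }
        StringBuilder form = new StringBuilder();
        try {
            form.append("client_id=").append(HttpUtil.urlencode(str5))
                    .append(JWT_BEARER_ASSERTION_TYPE)
                    .append("&client_assertion=").append(HttpUtil.urlencode(str6));
            if (str3 == null) {
                form.append("&grant_type=client_credentials");
            } else {
                if (str4 == null) {
                    throw new RuntimeException("No password specified");
                }
                form.append("&grant_type=password")
                        .append("&username=").append(HttpUtil.urlencode(str3))
                        .append("&password=").append(HttpUtil.urlencode(str4));
            }
            return requestTokens(str, str2, form.toString(), null);
        } catch (UnsupportedEncodingException e) {
            throw new RuntimeException("Unexpected error: ", e);
        } catch (IOException e2) {
            throw new RuntimeException("Error receiving response: ", e2);
        }
    }

    /**
     * Obtains tokens for a client that authenticates with a client secret.
     *
     * <p>Client id and secret travel in the authorization header built by
     * {@code BasicAuthHelper.createHeader}. With the client-credentials grant ({@code str3}
     * null) the body carries no {@code client_id}; the header alone identifies the client.
     *
     * @param str server base URL
     * @param str2 realm name
     * @param str3 username, or null for the client-credentials grant
     * @param str4 password; required when {@code str3} is given
     * @param str5 client id
     * @param str6 client secret
     * @return the parsed token endpoint response
     * @throws RuntimeException if a username is given without a password, or if encoding,
     *         the HTTP exchange or response parsing fails
     */
    public static AccessTokenResponse getAuthTokensBySecret(String str, String str2, String str3, String str4, String str5, String str6) {
        StringBuilder form = new StringBuilder();
        try {
            if (str3 == null) {
                form.append("grant_type=client_credentials");
            } else {
                if (str4 == null) {
                    throw new RuntimeException("No password specified");
                }
                form.append("client_id=").append(HttpUtil.urlencode(str5))
                        .append("&grant_type=password")
                        .append("&username=").append(HttpUtil.urlencode(str3))
                        .append("&password=").append(HttpUtil.urlencode(str4));
            }
            return requestTokens(str, str2, form.toString(), BasicAuthHelper.createHeader(str5, str6));
        } catch (UnsupportedEncodingException e) {
            throw new RuntimeException("Unexpected error: ", e);
        } catch (IOException e2) {
            throw new RuntimeException("Error receiving response: ", e2);
        }
    }

    /**
     * Builds and signs a client-authentication JWT with a key pair loaded from a keystore.
     *
     * <p>The token gets a random UUID as its id, {@code str5} as both issuer and subject,
     * {@code str6} as audience, and is valid from the current time for {@code i} time units
     * (presumably seconds, the unit of {@code Time.currentTime()}; confirm there).
     *
     * @param str first keystore argument (presumably the keystore file; confirm against
     *        {@code KeystoreUtil.loadKeyPairFromKeystore})
     * @param str2 second keystore argument (presumably the store password)
     * @param str3 third keystore argument (presumably the key password)
     * @param str4 fourth keystore argument (presumably the key alias)
     * @param i token lifetime, added to the issue time to get the expiration
     * @param str5 issuer and subject of the token
     * @param str6 audience of the token
     * @return the serialized token, signed with the private key via {@code rsa256}
     */
    public static String getSignedRequestToken(String str, String str2, String str3, String str4, int i, String str5, String str6) {
        // The keystore format is fixed to JKS; other keystore types are not selectable here.
        KeyPair keyPair = KeystoreUtil.loadKeyPairFromKeystore(str, str2, str3, str4, KeystoreUtil.KeystoreFormat.JKS);
        int issuedAt = Time.currentTime();
        JsonWebToken assertion = new JsonWebToken();
        // A fresh id per token lets the receiving side tell two assertions apart.
        assertion.id(UUID.randomUUID().toString());
        assertion.issuer(str5);
        assertion.subject(str5);
        assertion.audience(str6);
        assertion.issuedAt(issuedAt);
        assertion.expiration(issuedAt + i);
        assertion.notBefore(issuedAt);
        return new JWSBuilder().jsonContent(assertion).rsa256(keyPair.getPrivate());
    }

    /** Tells whether {@code deadline} is set and less than the expiry margin away from {@code now}. */
    private static boolean expiresWithinMargin(Long deadline, long now) {
        return deadline != null && deadline.longValue() - now < EXPIRY_MARGIN_MILLIS;
    }

    /** Posts a form body to the realm's token endpoint and parses the JSON response. */
    private static AccessTokenResponse requestTokens(String serverUrl, String realm, String form, String authorization) throws IOException {
        // NOTE(review): the realm name goes into the URL path unescaped. A name containing
        // '/', '?' or '#' would change which endpoint receives the credentials; validating
        // it where the configuration is read would close that gap.
        String endpoint = serverUrl + "/realms/" + realm + "/protocol/openid-connect/token";
        return (AccessTokenResponse) JsonSerialization.readValue(
                HttpUtil.doPost(endpoint, FORM_URLENCODED, HttpUtil.APPLICATION_JSON, form, authorization),
                AccessTokenResponse.class);
    }
}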
