package org.gcube.common.keycloak;

import com.ibm.icu.impl.locale.LanguageTag;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.net.MalformedURLException;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;
import javax.ws.rs.core.MediaType;
import org.gcube.common.gxrest.request.GXHTTPStringRequest;
import org.gcube.common.gxrest.response.inbound.GXInboundResponse;
import org.gcube.common.keycloak.model.ModelUtils;
import org.gcube.common.keycloak.model.OIDCConstants;
import org.gcube.common.keycloak.model.TokenIntrospectionResponse;
import org.gcube.common.keycloak.model.TokenResponse;
import org.gcube.vremanagement.executor.client.SmartExecutorClientImpl;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/keycloak-client-2.0.0.jar:org/gcube/common/keycloak/DefaultKeycloakClient.class */
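/**
 * Default {@link KeycloakClient} implementation. It derives the realm and endpoint URLs from a
 * context string and exchanges client credentials, user credentials or existing tokens for OIDC/UMA
 * tokens by POSTing {@code application/x-www-form-urlencoded} bodies to the Keycloak endpoints.
 *
 * <p>Parameter names ({@code str}, {@code str2}, ...) are the ones present in this listing; each
 * method documents the role its arguments play, as far as the code shows it.
 *
 * <p>Secrets handling: the value of the {@code Authorization} header, user passwords and tokens are
 * never written to the log. Only the authorization scheme and the names of headers and form
 * parameters are logged.
 */
public class DefaultKeycloakClient implements KeycloakClient {
    protected static Logger logger = LoggerFactory.getLogger(KeycloakClient.class);
    protected static final String AUTHORIZATION_HEADER = "Authorization";
    protected static final String D4S_CONTEXT_HEADER_NAME = "X-D4Science-Context";
    public static final String BASE_URL = "https://url.d4science.org/auth/realms/";

    /** Host-name prefix inside {@link #BASE_URL} that non-production contexts extend. */
    private static final String HOST_PLACEHOLDER = "url";

    /**
     * Characters accepted in the infrastructure name that is spliced into the host name. Anything
     * else could change which host the credentials are sent to.
     */
    private static final String INFRASTRUCTURE_LABEL_REGEX = "[A-Za-z0-9_-]+";

    /** Charset name used for every URL-encoding step of a form value. */
    private static final String FORM_ENCODING = StandardCharsets.UTF_8.name();

    /**
     * Returns the base URL of the default realm ({@link KeycloakClient#DEFAULT_REALM}) for a context.
     *
     * @param str the context (scope) string
     * @return the realm base URL, or {@code null} when the resulting string is not a valid URL
     * @throws KeycloakClientException if the context is missing or malformed
     */
    @Override
    public URL getRealmBaseURL(String str) throws KeycloakClientException {
        return getRealmBaseURL(str, KeycloakClient.DEFAULT_REALM);
    }

    /**
     * Builds the realm base URL from {@link #BASE_URL}. For a context that does not start with
     * {@link KeycloakClient#PROD_ROOT_SCOPE}, the second path segment of the context (dots replaced
     * by {@code LanguageTag.SEP}) is appended to the {@code url} host-name prefix.
     *
     * @param str the context (scope) string
     * @param str2 the realm name, appended to the base URL as is
     * @return the realm base URL, or {@code null} when the resulting string is not a valid URL
     * @throws KeycloakClientException if the context is null, empty, has no second segment, or its
     *         second segment contains characters that are not allowed in the host name
     */
    @Override
    public URL getRealmBaseURL(String str, String str2) throws KeycloakClientException {
        if (str == null || str.isEmpty()) {
            throw new KeycloakClientException("Context must be not null nor empty");
        }
        String realmsRoot = BASE_URL;
        if (!str.startsWith(KeycloakClient.PROD_ROOT_SCOPE)) {
            String[] segments = str.split(SmartExecutorClientImpl.PATH_SEPARATOR);
            if (segments.length < 2) {
                throw new KeycloakClientException("Cannot find the infrastructure name in context: " + str);
            }
            String label = segments[1].replaceAll("\\.", LanguageTag.SEP);
            // The label becomes part of the host that receives client credentials, so it is
            // restricted to host-name characters before it is used.
            if (!label.matches(INFRASTRUCTURE_LABEL_REGEX)) {
                throw new KeycloakClientException("Invalid infrastructure name in context: " + str);
            }
            // Rewrite the host on BASE_URL only, so that a realm name containing "url" is untouched.
            realmsRoot = BASE_URL.replace(HOST_PLACEHOLDER, HOST_PLACEHOLDER + "." + label);
        }
        String str3 = realmsRoot + str2 + SmartExecutorClientImpl.PATH_SEPARATOR;
        try {
            return new URL(str3);
        } catch (MalformedURLException e) {
            logger.warn("Cannot create base URL from string: {}", str3, e);
            return null;
        }
    }

    /**
     * Derives the token endpoint URL from a realm base URL.
     *
     * @param url the realm base URL
     * @return the token endpoint URL
     * @throws KeycloakClientException if {@code url} is null or the endpoint URL cannot be built
     */
    @Override
    public URL getTokenEndpointURL(URL url) throws KeycloakClientException {
        if (url == null) {
            throw new KeycloakClientException("Base URL must be not null");
        }
        logger.debug("Constructing token endpoint URL starting from base URL: {}", url);
        try {
            URL url2;
            if (url.getPath().endsWith(SmartExecutorClientImpl.PATH_SEPARATOR)) {
                url2 = new URL(url, "protocol/openid-connect/token");
            } else {
                url2 = new URL(url.toString() + SmartExecutorClientImpl.PATH_SEPARATOR + KeycloakClient.OPEN_ID_URI_PATH
                        + SmartExecutorClientImpl.PATH_SEPARATOR + "token");
            }
            logger.debug("Constructed token URL is: {}", url2);
            return url2;
        } catch (MalformedURLException e) {
            throw new KeycloakClientException("Cannot constructs toke URL from base URL: " + url, e);
        }
    }

    /**
     * Derives the token introspection endpoint URL from a realm base URL.
     *
     * @param url the realm base URL
     * @return the introspection endpoint URL
     * @throws KeycloakClientException if {@code url} is null or the endpoint URL cannot be built
     */
    @Override
    public URL getIntrospectionEndpointURL(URL url) throws KeycloakClientException {
        if (url == null) {
            throw new KeycloakClientException("Base URL must be not null");
        }
        logger.debug("Constructing introspection URL starting from base URL: {}", url);
        try {
            URL url2;
            if (url.getPath().endsWith(SmartExecutorClientImpl.PATH_SEPARATOR)) {
                url2 = new URL(url, "protocol/openid-connect/token/introspect");
            } else {
                url2 = new URL(url.toString() + SmartExecutorClientImpl.PATH_SEPARATOR + KeycloakClient.OPEN_ID_URI_PATH
                        + SmartExecutorClientImpl.PATH_SEPARATOR + "token" + SmartExecutorClientImpl.PATH_SEPARATOR
                        + KeycloakClient.TOKEN_INTROSPECT_URI_PATH);
            }
            logger.debug("Constructed introspection URL is: {}", url2);
            return url2;
        } catch (MalformedURLException e) {
            throw new KeycloakClientException("Cannot construct introspection URL from base URL: " + url, e);
        }
    }

    /**
     * Derives the introspection endpoint URL from a token endpoint URL.
     *
     * @param url the token endpoint URL
     * @return the introspection endpoint URL
     * @throws KeycloakClientException if {@code url} is null or the endpoint URL cannot be built
     */
    @Override
    public URL computeIntrospectionEndpointURL(URL url) throws KeycloakClientException {
        if (url == null) {
            throw new KeycloakClientException("Token URL must be not null");
        }
        logger.debug("Computing introspection endpoint URL starting from token endpoint URL: {}", url);
        try {
            URL url2;
            if (url.getPath().endsWith("token/")) {
                url2 = new URL(url, KeycloakClient.TOKEN_INTROSPECT_URI_PATH);
            } else {
                url2 = new URL(url, "token/introspect");
            }
            logger.debug("Computed introspection URL is: {}", url2);
            return url2;
        } catch (MalformedURLException e) {
            throw new KeycloakClientException("Cannot compute introspection URL from token URL: " + url, e);
        }
    }

    /**
     * Requests a client-credentials token, without a D4Science context header.
     *
     * @param str the context used to locate the realm
     * @param str2 the client id
     * @param str3 the client secret
     */
    @Override
    public TokenResponse queryOIDCToken(String str, String str2, String str3) throws KeycloakClientException {
        return queryOIDCTokenWithContext(str, str2, str3, (String) null);
    }

    /**
     * Requests a client-credentials token.
     *
     * @param str the context used to locate the realm
     * @param str2 the client id
     * @param str3 the client secret
     * @param str4 value for the {@value #D4S_CONTEXT_HEADER_NAME} header, or {@code null} for none
     */
    @Override
    public TokenResponse queryOIDCTokenWithContext(String str, String str2, String str3, String str4) throws KeycloakClientException {
        return queryOIDCTokenWithContext(getTokenEndpointURL(getRealmBaseURL(str)), str2, str3, str4);
    }

    /**
     * Requests a token for a user (password grant), without a D4Science context header.
     *
     * @param str the context used to locate the realm
     * @param str2 the client id
     * @param str3 the client secret
     * @param str4 the user name
     * @param str5 the user password
     */
    @Override
    public TokenResponse queryOIDCTokenOfUser(String str, String str2, String str3, String str4, String str5) throws KeycloakClientException {
        return queryOIDCTokenOfUserWithContext(str, str2, str3, str4, str5, (String) null);
    }

    /**
     * Requests a token for a user (password grant).
     *
     * @param str the context used to locate the realm
     * @param str2 the client id
     * @param str3 the client secret
     * @param str4 the user name
     * @param str5 the user password
     * @param str6 value for the {@value #D4S_CONTEXT_HEADER_NAME} header, or {@code null} for none
     */
    @Override
    public TokenResponse queryOIDCTokenOfUserWithContext(String str, String str2, String str3, String str4, String str5, String str6) throws KeycloakClientException {
        // The last argument used to be replaced by null here, so the requested context never
        // reached the server and the token was issued without it.
        return queryOIDCTokenOfUserWithContext(getTokenEndpointURL(getRealmBaseURL(str)), str2, str3, str4, str5, str6);
    }

    /**
     * Requests a client-credentials token from a token endpoint, without a context header.
     *
     * @param url the token endpoint URL
     * @param str the client id
     * @param str2 the client secret
     */
    @Override
    public TokenResponse queryOIDCToken(URL url, String str, String str2) throws KeycloakClientException {
        return queryOIDCTokenWithContext(url, str, str2, (String) null);
    }

    /**
     * Requests a client-credentials token from a token endpoint.
     *
     * @param url the token endpoint URL
     * @param str the client id
     * @param str2 the client secret
     * @param str3 value for the {@value #D4S_CONTEXT_HEADER_NAME} header, or {@code null} for none
     */
    @Override
    public TokenResponse queryOIDCTokenWithContext(URL url, String str, String str2, String str3) throws KeycloakClientException {
        return queryOIDCTokenWithContext(url, constructBasicAuthenticationHeader(str, str2), str3);
    }

    /**
     * Builds an HTTP Basic {@code Authorization} header value from {@code str:str2}.
     *
     * @param str the client id
     * @param str2 the client secret
     * @return {@code "Basic "} followed by the Base64 form of the UTF-8 bytes of {@code str:str2}
     */
    protected String constructBasicAuthenticationHeader(String str, String str2) {
        // An explicit charset keeps the header independent of the platform default encoding.
        byte[] credentials = (str + ":" + str2).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(credentials);
    }

    /**
     * Requests a token for a user (password grant) with a ready-made authorization header.
     *
     * @param str the context used to locate the realm
     * @param str2 the {@code Authorization} header value
     * @param str3 the user name
     * @param str4 the user password
     * @param str5 value for the {@value #D4S_CONTEXT_HEADER_NAME} header, or {@code null} for none
     */
    @Override
    public TokenResponse queryOIDCTokenOfUserWithContext(String str, String str2, String str3, String str4, String str5) throws KeycloakClientException {
        return queryOIDCTokenOfUserWithContext(getTokenEndpointURL(getRealmBaseURL(str)), str2, str3, str4, str5);
    }

    /**
     * Requests a client-credentials token with a ready-made authorization header, without a
     * context header.
     *
     * @param str the context used to locate the realm
     * @param str2 the {@code Authorization} header value
     */
    @Override
    public TokenResponse queryOIDCToken(String str, String str2) throws KeycloakClientException {
        return queryOIDCTokenWithContext(str, str2, (String) null);
    }

    /**
     * Requests a client-credentials token with a ready-made authorization header.
     *
     * @param str the context used to locate the realm
     * @param str2 the {@code Authorization} header value
     * @param str3 value for the {@value #D4S_CONTEXT_HEADER_NAME} header, or {@code null} for none
     */
    @Override
    public TokenResponse queryOIDCTokenWithContext(String str, String str2, String str3) throws KeycloakClientException {
        return queryOIDCTokenWithContext(getTokenEndpointURL(getRealmBaseURL(str)), str2, str3);
    }

    /**
     * Requests a token for a user (password grant) from a token endpoint.
     *
     * @param url the token endpoint URL
     * @param str the client id
     * @param str2 the client secret
     * @param str3 the user name
     * @param str4 the user password
     * @param str5 value for the {@value #D4S_CONTEXT_HEADER_NAME} header, or {@code null} for none
     */
    @Override
    public TokenResponse queryOIDCTokenOfUserWithContext(URL url, String str, String str2, String str3, String str4, String str5) throws KeycloakClientException {
        return queryOIDCTokenOfUserWithContext(url, constructBasicAuthenticationHeader(str, str2), str3, str4, str5);
    }

    /**
     * Sends a password-grant request. User name and password are URL-encoded before they are put
     * in the form body, so characters such as {@code &}, {@code =} or {@code +} stay part of the
     * value instead of altering the request.
     *
     * @param url the token endpoint URL
     * @param str the {@code Authorization} header value
     * @param str2 the user name
     * @param str3 the user password
     * @param str4 value for the {@value #D4S_CONTEXT_HEADER_NAME} header, or {@code null} for none
     * @throws KeycloakClientException if user name or password is null, or the request fails
     */
    @Override
    public TokenResponse queryOIDCTokenOfUserWithContext(URL url, String str, String str2, String str3, String str4) throws KeycloakClientException {
        if (str2 == null || str3 == null) {
            throw new KeycloakClientException("Username and password must be not null");
        }
        Map<String, List<String>> form = new HashMap<>();
        form.put(OIDCConstants.GRANT_TYPE_PARAMETER, Arrays.asList("password"));
        form.put(OIDCConstants.USERNAME_PARAMETER, Arrays.asList(formEncode(str2)));
        form.put("password", Arrays.asList(formEncode(str3)));
        Map<String, String> headers = new HashMap<>();
        logger.debug("Adding authorization header with scheme: {}", authorizationScheme(str));
        headers.put(AUTHORIZATION_HEADER, str);
        if (str4 != null) {
            logger.debug("Adding d4s context header as: {}", str4);
            headers.put(D4S_CONTEXT_HEADER_NAME, str4);
        }
        return performRequest(url, headers, form);
    }

    /**
     * Requests a client-credentials token from a token endpoint with a ready-made authorization
     * header, without a context header.
     *
     * @param url the token endpoint URL
     * @param str the {@code Authorization} header value
     */
    @Override
    public TokenResponse queryOIDCToken(URL url, String str) throws KeycloakClientException {
        return queryOIDCTokenWithContext(url, str, (String) null);
    }

    /**
     * Sends a client-credentials grant request.
     *
     * @param url the token endpoint URL
     * @param str the {@code Authorization} header value
     * @param str2 value for the {@value #D4S_CONTEXT_HEADER_NAME} header, or {@code null} for none
     */
    @Override
    public TokenResponse queryOIDCTokenWithContext(URL url, String str, String str2) throws KeycloakClientException {
        logger.debug("Querying OIDC token from Keycloak server with URL: {}", url);
        Map<String, List<String>> form = new HashMap<>();
        form.put(OIDCConstants.GRANT_TYPE_PARAMETER, Arrays.asList(OIDCConstants.CLIENT_CREDENTIALS_GRANT_TYPE));
        Map<String, String> headers = new HashMap<>();
        logger.debug("Adding authorization header with scheme: {}", authorizationScheme(str));
        headers.put(AUTHORIZATION_HEADER, str);
        if (str2 != null) {
            logger.debug("Adding d4s context header as: {}", str2);
            headers.put(D4S_CONTEXT_HEADER_NAME, str2);
        }
        return performRequest(url, headers, form);
    }

    /**
     * Requests a UMA token, authenticating with the access token of an earlier response.
     *
     * @param str the context used to locate the realm
     * @param tokenResponse the response whose access token is sent as bearer token
     * @param str2 the audience
     * @param list the requested permissions, may be {@code null} or empty
     */
    @Override
    public TokenResponse queryUMAToken(String str, TokenResponse tokenResponse, String str2, List<String> list) throws KeycloakClientException {
        return queryUMAToken(getTokenEndpointURL(getRealmBaseURL(str)), tokenResponse, str2, list);
    }

    /**
     * Requests a UMA token from a token endpoint, authenticating with the access token of an
     * earlier response.
     *
     * @param url the token endpoint URL
     * @param tokenResponse the response whose access token is sent as bearer token
     * @param str the audience
     * @param list the requested permissions, may be {@code null} or empty
     */
    @Override
    public TokenResponse queryUMAToken(URL url, TokenResponse tokenResponse, String str, List<String> list) throws KeycloakClientException {
        return queryUMAToken(url, constructBeareAuthenticationHeader(tokenResponse), str, list);
    }

    /**
     * Builds a {@code Bearer} authorization header value from the access token of a response.
     *
     * @param tokenResponse the response holding the access token; must not be {@code null}
     */
    protected String constructBeareAuthenticationHeader(TokenResponse tokenResponse) {
        return "Bearer " + tokenResponse.getAccessToken();
    }

    /**
     * Requests a UMA token, authenticating with client id and secret.
     *
     * @param str the context used to locate the realm
     * @param str2 the client id
     * @param str3 the client secret
     * @param str4 the audience
     * @param list the requested permissions, may be {@code null} or empty
     */
    @Override
    public TokenResponse queryUMAToken(String str, String str2, String str3, String str4, List<String> list) throws KeycloakClientException {
        return queryUMAToken(getTokenEndpointURL(getRealmBaseURL(str)), str2, str3, str4, list);
    }

    /**
     * Requests a UMA token from a token endpoint, authenticating with client id and secret.
     *
     * @param url the token endpoint URL
     * @param str the client id
     * @param str2 the client secret
     * @param str3 the audience
     * @param list the requested permissions, may be {@code null} or empty
     */
    @Override
    public TokenResponse queryUMAToken(URL url, String str, String str2, String str3, List<String> list) throws KeycloakClientException {
        return queryUMAToken(url, constructBasicAuthenticationHeader(str, str2), str3, list);
    }

    /**
     * Requests a UMA token with a ready-made authorization header.
     *
     * @param str the context used to locate the realm
     * @param str2 the {@code Authorization} header value
     * @param str3 the audience
     * @param list the requested permissions, may be {@code null} or empty
     */
    @Override
    public TokenResponse queryUMAToken(String str, String str2, String str3, List<String> list) throws KeycloakClientException {
        return queryUMAToken(getTokenEndpointURL(getRealmBaseURL(str)), str2, str3, list);
    }

    /**
     * Sends a UMA token grant request. The audience and every permission are URL-encoded before
     * they are placed in the form body.
     *
     * @param url the token endpoint URL
     * @param str the {@code Authorization} header value
     * @param str2 the audience; must be neither null nor empty
     * @param list the requested permissions, may be {@code null} or empty
     * @throws KeycloakClientException if the audience is missing or the request fails
     */
    @Override
    public TokenResponse queryUMAToken(URL url, String str, String str2, List<String> list) throws KeycloakClientException {
        if (str2 == null || "".equals(str2)) {
            throw new KeycloakClientException("Audience must be not null nor empty");
        }
        logger.debug("Querying UMA token from Keycloak server with URL: {}", url);
        Map<String, List<String>> form = new HashMap<>();
        form.put(OIDCConstants.GRANT_TYPE_PARAMETER, Arrays.asList(OIDCConstants.UMA_TOKEN_GRANT_TYPE));
        // checkAudience() may already encode the value once; the second pass is the form encoding.
        String encodedAudience = formEncode(checkAudience(str2));
        form.put(OIDCConstants.AUDIENCE_PARAMETER, Arrays.asList(encodedAudience));
        logger.trace("audience is {}", encodedAudience);
        Map<String, String> headers = new HashMap<>();
        logger.debug("Adding authorization header with scheme: {}", authorizationScheme(str));
        headers.put(AUTHORIZATION_HEADER, str);
        if (list != null && !list.isEmpty()) {
            form.put(OIDCConstants.PERMISSION_PARAMETER,
                    list.stream().map(DefaultKeycloakClient::formEncode).collect(Collectors.toList()));
        }
        return performRequest(url, headers, form);
    }

    /**
     * POSTs a form to the token endpoint and converts a successful response to a
     * {@link TokenResponse}. Form values are sent as given: callers encode them beforehand.
     *
     * @param url the token endpoint URL
     * @param map the request headers; must hold a non-empty {@code Authorization} value
     * @param map2 the form parameters, each with one or more already encoded values
     * @return the token response
     * @throws KeycloakClientException if an argument is invalid, the request cannot be built or
     *         sent, the server answers with a non-success status, or the body cannot be converted
     */
    protected TokenResponse performRequest(URL url, Map<String, String> map, Map<String, List<String>> map2) throws KeycloakClientException {
        if (url == null) {
            throw new KeycloakClientException("Token URL must be not null");
        }
        String authorization = map == null ? null : map.get(AUTHORIZATION_HEADER);
        if (authorization == null || authorization.isEmpty()) {
            throw new KeycloakClientException("Authorization must be not null nor empty");
        }
        try {
            String body = map2.entrySet().stream()
                    .flatMap(entry -> entry.getValue().stream().map(value -> entry.getKey() + "=" + value))
                    .collect(Collectors.joining("&"));
            // The body can carry a user password, so only the parameter names are traced.
            logger.trace("Query string parameters are {}", map2.keySet());
            GXHTTPStringRequest request = GXHTTPStringRequest.newRequest(url.toString())
                    .header("Content-Type", MediaType.APPLICATION_FORM_URLENCODED).withBody(body);
            safeSetAsExternalCallForOldAPI(request);
            // Header values include the credentials, so only the header names are traced.
            logger.trace("Adding provided headers: {}", map.keySet());
            for (Map.Entry<String, String> header : map.entrySet()) {
                request.header(header.getKey(), header.getValue());
            }
            try {
                // m2351post() is the name this listing gives to the POST call (presumably post()).
                GXInboundResponse response = request.m2351post();
                if (response.isSuccessResponse()) {
                    try {
                        return (TokenResponse) response.tryConvertStreamedContentFromJson(TokenResponse.class);
                    } catch (Exception e) {
                        throw new KeycloakClientException("Cannot construct token response object correctly", e);
                    }
                }
                String errorBody = "[empty]";
                try {
                    errorBody = response.getStreamedContentAsString();
                } catch (IOException ignored) {
                    // Best effort: the placeholder is reported when the error body cannot be read.
                }
                throw KeycloakClientException.create("Unable to get token", response.getHTTPCode(),
                        response.getHeaderFields().getOrDefault("content-type", Collections.singletonList("unknown/unknown")).get(0),
                        errorBody);
            } catch (KeycloakClientException e) {
                // Keep the status and message of the real failure instead of wrapping it again.
                throw e;
            } catch (Exception e) {
                throw new KeycloakClientException("Cannot send request correctly", e);
            }
        } catch (KeycloakClientException e) {
            throw e;
        } catch (Exception e) {
            throw new KeycloakClientException("Cannot construct the request object correctly", e);
        }
    }

    /**
     * URL-encodes an audience that starts with {@code SmartExecutorClientImpl.PATH_SEPARATOR},
     * which the code treats as "not yet URL-encoded"; any other value is returned unchanged.
     */
    private static String checkAudience(String str) {
        if (str.startsWith(SmartExecutorClientImpl.PATH_SEPARATOR)) {
            logger.trace("Audience was provided in non URL encoded form, encoding it");
            return formEncode(str);
        }
        return str;
    }

    /**
     * URL-encodes one form value as UTF-8.
     *
     * @throws IllegalStateException if the JVM has no UTF-8 support, which the Java platform rules out
     */
    private static String formEncode(String value) {
        try {
            return URLEncoder.encode(value, FORM_ENCODING);
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException("UTF-8 encoding is not available", e);
        }
    }

    /**
     * Returns the scheme part of an {@code Authorization} header value, for logging. The
     * credentials that follow the scheme are never returned.
     */
    private static String authorizationScheme(String header) {
        if (header == null) {
            return "[none]";
        }
        int separator = header.indexOf(' ');
        // Without a separator the whole value could be a credential, so none of it is shown.
        return separator > 0 ? header.substring(0, separator) : "[unknown]";
    }

    /**
     * Refreshes a token; the client id is read from the access token of the response.
     *
     * @param str the context used to locate the realm
     * @param tokenResponse the response holding the refresh token
     */
    @Override
    public TokenResponse refreshToken(String str, TokenResponse tokenResponse) throws KeycloakClientException {
        return refreshToken(getTokenEndpointURL(getRealmBaseURL(str)), tokenResponse);
    }

    /**
     * Refreshes a token at a token endpoint; the client id is read from the access token of the
     * response and no client secret is sent.
     *
     * @param url the token endpoint URL
     * @param tokenResponse the response holding the refresh token
     */
    @Override
    public TokenResponse refreshToken(URL url, TokenResponse tokenResponse) throws KeycloakClientException {
        return refreshToken(url, (String) null, (String) null, tokenResponse);
    }

    /**
     * Refreshes a token.
     *
     * @param str the context used to locate the realm
     * @param str2 the client id, or {@code null} to read it from the access token
     * @param str3 the client secret, may be {@code null}
     * @param tokenResponse the response holding the refresh token
     */
    @Override
    public TokenResponse refreshToken(String str, String str2, String str3, TokenResponse tokenResponse) throws KeycloakClientException {
        return refreshToken(getTokenEndpointURL(getRealmBaseURL(str)), str2, str3, tokenResponse);
    }

    /**
     * Refreshes a token at a token endpoint.
     *
     * @param url the token endpoint URL
     * @param str the client id, or {@code null} to read it from the access token
     * @param str2 the client secret, may be {@code null}
     * @param tokenResponse the response holding the refresh token
     * @throws KeycloakClientException if {@code tokenResponse} is null, the client id cannot be
     *         read from the access token, or the refresh fails
     */
    @Override
    public TokenResponse refreshToken(URL url, String str, String str2, TokenResponse tokenResponse) throws KeycloakClientException {
        if (tokenResponse == null) {
            throw new KeycloakClientException("Token response must be not null");
        }
        String clientId = str;
        if (clientId == null) {
            logger.debug("Client id not set, trying to get it from access token info");
            try {
                clientId = ModelUtils.getClientIdFromToken(ModelUtils.getAccessTokenFrom(tokenResponse));
            } catch (Exception e) {
                throw new KeycloakClientException("Cannot construct access token object from token response", e);
            }
        }
        return refreshToken(url, clientId, str2, tokenResponse.getRefreshToken());
    }

    /**
     * Refreshes a token from its encoded refresh token.
     *
     * @param str the context used to locate the realm
     * @param str2 the client id
     * @param str3 the client secret, may be {@code null}
     * @param str4 the encoded refresh token
     */
    @Override
    public TokenResponse refreshToken(String str, String str2, String str3, String str4) throws KeycloakClientException {
        return refreshToken(getTokenEndpointURL(getRealmBaseURL(str)), str2, str3, str4);
    }

    /**
     * Sends a refresh-token grant request. Client id, client secret and refresh token are
     * URL-encoded in the form body.
     *
     * @param url the token endpoint URL
     * @param str the client id; must be neither null nor empty
     * @param str2 the client secret; sent only when neither null nor empty
     * @param str3 the encoded refresh token; must be neither null nor empty
     * @throws KeycloakClientException if an argument is invalid, the request cannot be built or
     *         sent, the server answers with a non-success status, or the body cannot be converted
     */
    @Override
    public TokenResponse refreshToken(URL url, String str, String str2, String str3) throws KeycloakClientException {
        if (url == null) {
            throw new KeycloakClientException("Token URL must be not null");
        }
        if (str == null || "".equals(str)) {
            throw new KeycloakClientException("Client id must be not null nor empty");
        }
        // The emptiness test used to look at the client id again, letting an empty token through.
        if (str3 == null || "".equals(str3)) {
            throw new KeycloakClientException("Refresh token JWT encoded string must be not null nor empty");
        }
        logger.debug("Refreshing token from Keycloak server with URL: {}", url);
        try {
            Map<String, String> form = new HashMap<>();
            form.put(OIDCConstants.GRANT_TYPE_PARAMETER, "refresh_token");
            form.put("refresh_token", formEncode(str3));
            form.put(OIDCConstants.CLIENT_ID_PARAMETER, formEncode(str));
            if (str2 != null && !"".equals(str2)) {
                form.put(OIDCConstants.CLIENT_SECRET_PARAMETER, formEncode(str2));
            }
            String body = form.entrySet().stream()
                    .map(entry -> entry.getKey() + "=" + entry.getValue())
                    .collect(Collectors.joining("&"));
            GXHTTPStringRequest request = GXHTTPStringRequest.newRequest(url.toString())
                    .header("Content-Type", MediaType.APPLICATION_FORM_URLENCODED).withBody(body);
            safeSetAsExternalCallForOldAPI(request);
            try {
                GXInboundResponse response = request.m2351post();
                if (!response.isSuccessResponse()) {
                    throw KeycloakClientException.create("Unable to refresh token", response.getHTTPCode(),
                            response.getHeaderFields().getOrDefault("content-type", Collections.singletonList("unknown/unknown")).get(0),
                            response.getMessage());
                }
                try {
                    return (TokenResponse) response.tryConvertStreamedContentFromJson(TokenResponse.class);
                } catch (Exception e) {
                    throw new KeycloakClientException("Cannot construct token response object correctly", e);
                }
            } catch (KeycloakClientException e) {
                // Keep the status and message of the real failure instead of wrapping it again.
                throw e;
            } catch (Exception e) {
                throw new KeycloakClientException("Cannot send request correctly", e);
            }
        } catch (KeycloakClientException e) {
            throw e;
        } catch (Exception e) {
            throw new KeycloakClientException("Cannot construct the request object correctly", e);
        }
    }

    /**
     * Introspects an access token.
     *
     * @param str the context used to locate the realm
     * @param str2 the client id
     * @param str3 the client secret
     * @param str4 the access token to introspect
     */
    @Override
    public TokenIntrospectionResponse introspectAccessToken(String str, String str2, String str3, String str4) throws KeycloakClientException {
        return introspectAccessToken(getIntrospectionEndpointURL(getRealmBaseURL(str)), str2, str3, str4);
    }

    /**
     * Sends a token introspection request authenticated with HTTP Basic. The token comes from
     * whoever presented it, so it is URL-encoded before it is placed in the form body.
     *
     * @param url the introspection endpoint URL
     * @param str the client id; must be neither null nor empty
     * @param str2 the client secret; must be neither null nor empty
     * @param str3 the access token to introspect
     * @return the introspection response
     * @throws KeycloakClientException if an argument is invalid, the request cannot be built or
     *         sent, the server answers with a non-success status, or the body cannot be converted
     */
    @Override
    public TokenIntrospectionResponse introspectAccessToken(URL url, String str, String str2, String str3) throws KeycloakClientException {
        if (url == null) {
            throw new KeycloakClientException("Introspection URL must be not null");
        }
        if (str == null || "".equals(str)) {
            throw new KeycloakClientException("Client id must be not null nor empty");
        }
        if (str2 == null || "".equals(str2)) {
            throw new KeycloakClientException("Client secret must be not null nor empty");
        }
        logger.debug("Verifying access token against Keycloak server with URL: {}", url);
        try {
            // A null token is still sent as the literal text "null", as this method always did.
            String body = "token=" + formEncode(String.valueOf(str3));
            GXHTTPStringRequest request = GXHTTPStringRequest.newRequest(url.toString())
                    .header("Content-Type", MediaType.APPLICATION_FORM_URLENCODED).withBody(body);
            safeSetAsExternalCallForOldAPI(request);
            try {
                GXInboundResponse response = request
                        .header(AUTHORIZATION_HEADER, constructBasicAuthenticationHeader(str, str2)).m2351post();
                if (!response.isSuccessResponse()) {
                    throw KeycloakClientException.create("Unable to get token introspection response", response.getHTTPCode(),
                            response.getHeaderFields().getOrDefault("content-type", Collections.singletonList("unknown/unknown")).get(0),
                            response.getMessage());
                }
                try {
                    return (TokenIntrospectionResponse) response.tryConvertStreamedContentFromJson(TokenIntrospectionResponse.class);
                } catch (Exception e) {
                    throw new KeycloakClientException("Cannot construct introspection response object correctly", e);
                }
            } catch (KeycloakClientException e) {
                // Keep the status and message of the real failure instead of wrapping it again.
                throw e;
            } catch (Exception e) {
                throw new KeycloakClientException("Cannot send request correctly", e);
            }
        } catch (KeycloakClientException e) {
            throw e;
        } catch (Exception e) {
            throw new KeycloakClientException("Cannot construct the request object correctly", e);
        }
    }

    /**
     * Tells whether the server reports an access token as active.
     *
     * @param str the context used to locate the realm
     * @param str2 the client id
     * @param str3 the client secret
     * @param str4 the access token to verify
     */
    @Override
    public boolean isAccessTokenVerified(String str, String str2, String str3, String str4) throws KeycloakClientException {
        return isAccessTokenVerified(getIntrospectionEndpointURL(getRealmBaseURL(str)), str2, str3, str4);
    }

    /**
     * Tells whether the server reports an access token as active.
     *
     * @param url the introspection endpoint URL
     * @param str the client id
     * @param str2 the client secret
     * @param str3 the access token to verify
     * @return {@code true} only when the introspection response carries {@code active == true};
     *         a missing response or a missing {@code active} value counts as not verified
     */
    @Override
    public boolean isAccessTokenVerified(URL url, String str, String str2, String str3) throws KeycloakClientException {
        TokenIntrospectionResponse introspection = introspectAccessToken(url, str, str2, str3);
        // Fail closed: an absent "active" value must not surface as a NullPointerException.
        return introspection != null && Boolean.TRUE.equals(introspection.getActive());
    }

    /**
     * Calls {@code isExternalCall(true)} on the request through reflection when the method exists;
     * the log messages describe that case as the old gxJRS API. When the method is absent the
     * request is left untouched.
     *
     * @param gXHTTPStringRequest the request to mark
     */
    protected void safeSetAsExternalCallForOldAPI(GXHTTPStringRequest gXHTTPStringRequest) {
        try {
            logger.trace("Looking for the 'isExternalCall' method in the 'GXHTTPStringRequest' class");
            Method isExternalCall = gXHTTPStringRequest.getClass().getMethod("isExternalCall", boolean.class);
            logger.trace("Method found, is the old gxJRS API. Invoking it with 'true' argument");
            isExternalCall.invoke(gXHTTPStringRequest, true);
        } catch (NoSuchMethodException e) {
            logger.trace("Method not found, is the new gxJRS API");
        } catch (IllegalAccessException | IllegalArgumentException | SecurityException | InvocationTargetException e) {
            logger.warn("Cannot invoke 'isExternalCall' method via reflection on 'GXHTTPStringRequest' class", e);
        }
    }
}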
