package org.gcube.common.keycloak;

import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.net.MalformedURLException;
import java.net.URL;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;
import org.gcube.common.gxhttp.util.ContentUtils;
import org.gcube.common.gxrest.request.GXHTTPStringRequest;
import org.gcube.common.gxrest.response.inbound.GXInboundResponse;
import org.gcube.common.gxrest.response.inbound.JsonUtils;
import org.gcube.common.keycloak.model.JSONWebKeySet;
import org.gcube.common.keycloak.model.ModelUtils;
import org.gcube.common.keycloak.model.OIDCConstants;
import org.gcube.common.keycloak.model.PublishedRealmRepresentation;
import org.gcube.common.keycloak.model.TokenIntrospectionResponse;
import org.gcube.common.keycloak.model.TokenResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/gcube/common/keycloak/DefaultKeycloakClient.class */
public class DefaultKeycloakClient implements KeycloakClient {
    protected static Logger logger = LoggerFactory.getLogger(KeycloakClient.class);
    protected static final String AUTHORIZATION_HEADER = "Authorization";
    public static final String DEFAULT_BASE_URL = "https://url.d4science.org/auth/realms/";
    private String customBaseURL = null;
    private List<String> scopes = new ArrayList();

    public void setCustomBaseURL(String str) {
        if (str == null || str.endsWith("/")) {
            this.customBaseURL = str;
        } else {
            this.customBaseURL = str + "/";
        }
    }

    @Override // org.gcube.common.keycloak.KeycloakClient
    public KeycloakClient useScopes(List<String> list) {
        this.scopes.clear();
        this.scopes.addAll(list);
        return this;
    }

    @Override // org.gcube.common.keycloak.KeycloakClient
    public KeycloakClient addScopes(List<String> list) {
        this.scopes.addAll(list);
        return this;
    }

    @Override // org.gcube.common.keycloak.KeycloakClient
    public KeycloakClient removeScopes(List<String> list) {
        this.scopes.removeAll(list);
        return this;
    }

    @Override // org.gcube.common.keycloak.KeycloakClient
    public KeycloakClient addDynamicScope(String str, String str2) {
        this.scopes.add(str + KeycloakClient.DEFAULT_DYNAMIC_SCOPE_SEPARATOR + str2);
        return this;
    }

    @Override // org.gcube.common.keycloak.KeycloakClient
    public KeycloakClient removeAllScopes() {
        this.scopes.clear();
        return this;
    }

    public String getCustomBaseURL() {
        return this.customBaseURL;
    }

    @Override // org.gcube.common.keycloak.KeycloakClient
    public URL getRealmBaseURL(String str) throws KeycloakClientException {
        return getRealmBaseURL(str, KeycloakClient.DEFAULT_REALM);
    }

    @Override // org.gcube.common.keycloak.KeycloakClient
    public URL getRealmBaseURL(String str, String str2) throws KeycloakClientException {
        String str3;
        if (getCustomBaseURL() != null) {
            str3 = getCustomBaseURL() + str2 + "/";
        } else {
            str3 = DEFAULT_BASE_URL + str2 + "/";
            if (!str.startsWith(KeycloakClient.PROD_ROOT_SCOPE)) {
                str3 = str3.replace("url", "url." + checkContext(str).split("/")[1].replaceAll("\\.", "-"));
            }
        }
        try {
            return new URL(str3);
        } catch (MalformedURLException e) {
            logger.error("Cannot create base URL from string: {}", str3, e);
            return null;
        }
    }

    private static String checkContext(String str) {
        if (!str.startsWith("/")) {
            try {
                logger.trace("Context was provided in URL encoded form, decoding it");
                return URLDecoder.decode(str, "UTF-8");
            } catch (UnsupportedEncodingException e) {
                logger.error("Cannot URL decode 'context'", e);
            }
        }
        return str;
    }

    @Override // org.gcube.common.keycloak.KeycloakClient
    public URL getTokenEndpointURL(URL url) throws KeycloakClientException {
        logger.debug("Constructing token endpoint URL starting from base URL: {}", url);
        try {
            URL url2 = url.getPath().endsWith("/") ? new URL(url, "protocol/openid-connect/token") : new URL(url.toString() + "/" + KeycloakClient.OPEN_ID_URI_PATH + "/token");
            logger.debug("Constructed token URL is: {}", url2);
            return url2;
        } catch (MalformedURLException e) {
            throw new KeycloakClientException("Cannot constructs token URL from base URL: " + url, e);
        }
    }

    @Override // org.gcube.common.keycloak.KeycloakClient
    public URL getJWKEndpointURL(URL url) throws KeycloakClientException {
        logger.debug("Constructing JWK endpoint URL starting from base URL: {}", url);
        try {
            URL url2 = url.getPath().endsWith("/") ? new URL(url, "protocol/openid-connect/certs") : new URL(url.toString() + "/" + KeycloakClient.OPEN_ID_URI_PATH + "/" + KeycloakClient.JWK_URI_PATH);
            logger.debug("Constructed JWK URL is: {}", url2);
            return url2;
        } catch (MalformedURLException e) {
            throw new KeycloakClientException("Cannot constructs JWK URL from base URL: " + url, e);
        }
    }

    @Override // org.gcube.common.keycloak.KeycloakClient
    public URL getIntrospectionEndpointURL(URL url) throws KeycloakClientException {
        logger.debug("Constructing introspection URL starting from base URL: {}", url);
        try {
            URL url2 = url.getPath().endsWith("/") ? new URL(url, "protocol/openid-connect/token/introspect") : new URL(url.toString() + "/" + KeycloakClient.OPEN_ID_URI_PATH + "/token/" + KeycloakClient.TOKEN_INTROSPECT_URI_PATH);
            logger.debug("Constructed introspection URL is: {}", url2);
            return url2;
        } catch (MalformedURLException e) {
            throw new KeycloakClientException("Cannot constructs introspection URL from base URL: " + url, e);
        }
    }

    @Override // org.gcube.common.keycloak.KeycloakClient
    public URL getAvatarEndpointURL(URL url) throws KeycloakClientException {
        logger.debug("Constructing token endpoint URL starting from base URL: {}", url);
        try {
            URL url2 = url.getPath().endsWith("/") ? new URL(url, KeycloakClient.AVATAR_URI_PATH) : new URL(url.toString() + "/" + KeycloakClient.AVATAR_URI_PATH);
            logger.debug("Constructed avatar URL is: {}", url2);
            return url2;
        } catch (MalformedURLException e) {
            throw new KeycloakClientException("Cannot constructs avatar URL from base URL: " + url, e);
        }
    }

    @Override // org.gcube.common.keycloak.KeycloakClient
    public URL computeIntrospectionEndpointURL(URL url) throws KeycloakClientException {
        logger.debug("Computing introspection endpoint URL starting from token endpoint URL: {}", url);
        try {
            URL url2 = url.getPath().endsWith("token/") ? new URL(url, KeycloakClient.TOKEN_INTROSPECT_URI_PATH) : new URL(url, "token/introspect");
            logger.debug("Computed introspection URL is: {}", url2);
            return url2;
        } catch (MalformedURLException e) {
            throw new KeycloakClientException("Cannot compute introspection URL from token URL: " + url, e);
        }
    }

    @Override // org.gcube.common.keycloak.KeycloakClient
    public PublishedRealmRepresentation getRealmInfo(URL url) throws KeycloakClientException {
        try {
            return (PublishedRealmRepresentation) JsonUtils.fromJson(ContentUtils.toByteArray(url.openStream()), PublishedRealmRepresentation.class);
        } catch (Exception e) {
            throw new KeycloakClientException("Getting realm's info", e);
        }
    }

    @Override // org.gcube.common.keycloak.KeycloakClient
    public JSONWebKeySet getRealmJSONWebKeySet(URL url) throws KeycloakClientException {
        try {
            return (JSONWebKeySet) JsonUtils.fromJson(ContentUtils.toByteArray(url.openStream()), JSONWebKeySet.class);
        } catch (Exception e) {
            throw new KeycloakClientException("Getting realm's JWK", e);
        }
    }

    @Override // org.gcube.common.keycloak.KeycloakClient
    public TokenResponse queryOIDCToken(String str, String str2, String str3) throws KeycloakClientException {
        return queryOIDCToken(str, str2, str3, (Map<String, String>) null);
    }

    @Override // org.gcube.common.keycloak.KeycloakClient
    public TokenResponse queryOIDCToken(String str, String str2, String str3, Map<String, String> map) throws KeycloakClientException {
        return queryOIDCToken(getTokenEndpointURL(getRealmBaseURL(str)), str2, str3, map);
    }

    @Override // org.gcube.common.keycloak.KeycloakClient
    public TokenResponse queryOIDCToken(URL url, String str, String str2) throws KeycloakClientException {
        return queryOIDCToken(url, str, str2, (Map<String, String>) null);
    }

    @Override // org.gcube.common.keycloak.KeycloakClient
    public TokenResponse queryOIDCToken(URL url, String str, String str2, Map<String, String> map) throws KeycloakClientException {
        return queryOIDCTokenWithContext(url, str, str2, (String) null, map);
    }

    @Override // org.gcube.common.keycloak.KeycloakClient
    public TokenResponse queryOIDCToken(String str, String str2) throws KeycloakClientException {
        return queryOIDCTokenWithContext(str, str2, (String) null);
    }

    @Override // org.gcube.common.keycloak.KeycloakClient
    public TokenResponse queryOIDCToken(URL url, String str) throws KeycloakClientException {
        return queryOIDCToken(url, str, (Map<String, String>) null);
    }

    @Override // org.gcube.common.keycloak.KeycloakClient
    public TokenResponse queryOIDCToken(String str, String str2, Map<String, String> map) throws KeycloakClientException {
        return queryOIDCToken(getTokenEndpointURL(getRealmBaseURL(str)), str2, map);
    }

    @Override // org.gcube.common.keycloak.KeycloakClient
    public TokenResponse queryOIDCToken(URL url, String str, Map<String, String> map) throws KeycloakClientException {
        return queryOIDCTokenWithContext(url, str, (String) null, map);
    }

    @Override // org.gcube.common.keycloak.KeycloakClient
    public TokenResponse queryOIDCTokenOfUser(String str, String str2, String str3, String str4, String str5) throws KeycloakClientException {
        return queryOIDCTokenOfUser(str, str2, str3, str4, str5, null);
    }

    @Override // org.gcube.common.keycloak.KeycloakClient
    public TokenResponse queryOIDCTokenOfUser(String str, String str2, String str3, String str4, String str5, Map<String, String> map) throws KeycloakClientException {
        return queryOIDCTokenOfUserWithContext(str, str2, str3, str4, str5, (String) null, map);
    }

    @Override // org.gcube.common.keycloak.KeycloakClient
    public TokenResponse queryOIDCTokenWithContext(String str, String str2, String str3, String str4) throws KeycloakClientException {
        return queryOIDCTokenWithContext(getTokenEndpointURL(getRealmBaseURL(str)), str2, str3, str4);
    }

    @Override // org.gcube.common.keycloak.KeycloakClient
    public TokenResponse queryOIDCTokenWithContext(String str, String str2, String str3) throws KeycloakClientException {
        return queryOIDCTokenWithContext(getTokenEndpointURL(getRealmBaseURL(str)), str2, str3);
    }

    @Override // org.gcube.common.keycloak.KeycloakClient
    public TokenResponse queryOIDCTokenWithContext(URL url, String str, String str2, String str3) throws KeycloakClientException {
        return queryOIDCTokenWithContext(url, str, str2, str3, (Map<String, String>) null);
    }

    @Override // org.gcube.common.keycloak.KeycloakClient
    public TokenResponse queryOIDCTokenWithContext(String str, String str2, String str3, String str4, Map<String, String> map) throws KeycloakClientException {
        return queryOIDCTokenWithContext(getTokenEndpointURL(getRealmBaseURL(str)), str2, str3, str4, map);
    }

    @Override // org.gcube.common.keycloak.KeycloakClient
    public TokenResponse queryOIDCTokenWithContext(URL url, String str, String str2, String str3, Map<String, String> map) throws KeycloakClientException {
        return queryOIDCTokenWithContext(url, constructBasicAuthenticationHeader(str, str2), str3, map);
    }

    @Override // org.gcube.common.keycloak.KeycloakClient
    public TokenResponse queryOIDCTokenWithContext(String str, String str2, String str3, Map<String, String> map) throws KeycloakClientException {
        return queryOIDCTokenWithContext(getTokenEndpointURL(getRealmBaseURL(str)), str2, str3, map);
    }

    @Override // org.gcube.common.keycloak.KeycloakClient
    public TokenResponse queryOIDCTokenWithContext(URL url, String str, String str2) throws KeycloakClientException {
        return queryOIDCTokenWithContext(url, str, str2, (Map<String, String>) null);
    }

    protected static String constructBasicAuthenticationHeader(String str, String str2) {
        return "Basic " + Base64.getEncoder().encodeToString((str + KeycloakClient.DEFAULT_DYNAMIC_SCOPE_SEPARATOR + str2).getBytes());
    }

    @Override // org.gcube.common.keycloak.KeycloakClient
    public TokenResponse queryOIDCTokenOfUserWithContext(String str, String str2, String str3, String str4, String str5, String str6) throws KeycloakClientException {
        return queryOIDCTokenOfUserWithContext(str, str2, str3, str4, str5, str6, (Map<String, String>) null);
    }

    @Override // org.gcube.common.keycloak.KeycloakClient
    public TokenResponse queryOIDCTokenOfUserWithContext(String str, String str2, String str3, String str4, String str5, String str6, Map<String, String> map) throws KeycloakClientException {
        return queryOIDCTokenOfUserWithContext(getTokenEndpointURL(getRealmBaseURL(str)), str2, str3, str4, str5, str6, map);
    }

    @Override // org.gcube.common.keycloak.KeycloakClient
    public TokenResponse queryOIDCTokenOfUserWithContext(String str, String str2, String str3, String str4, String str5) throws KeycloakClientException {
        return queryOIDCTokenOfUserWithContext(getTokenEndpointURL(getRealmBaseURL(str)), str2, str3, str4, str5);
    }

    @Override // org.gcube.common.keycloak.KeycloakClient
    public TokenResponse queryOIDCTokenOfUserWithContext(String str, String str2, String str3, String str4, String str5, Map<String, String> map) throws KeycloakClientException {
        return queryOIDCTokenOfUserWithContext(getTokenEndpointURL(getRealmBaseURL(str)), str2, str3, str4, str5, map);
    }

    @Override // org.gcube.common.keycloak.KeycloakClient
    public TokenResponse queryOIDCTokenOfUserWithContext(URL url, String str, String str2, String str3, String str4, String str5) throws KeycloakClientException {
        return queryOIDCTokenOfUserWithContext(url, str, str2, str3, str4, str5, (Map<String, String>) null);
    }

    @Override // org.gcube.common.keycloak.KeycloakClient
    public TokenResponse queryOIDCTokenOfUserWithContext(URL url, String str, String str2, String str3, String str4, String str5, Map<String, String> map) throws KeycloakClientException {
        return queryOIDCTokenOfUserWithContext(url, constructBasicAuthenticationHeader(str, str2), str3, str4, str5, map);
    }

    @Override // org.gcube.common.keycloak.KeycloakClient
    public TokenResponse queryOIDCTokenOfUserWithContext(URL url, String str, String str2, String str3, String str4) throws KeycloakClientException {
        return queryOIDCTokenOfUserWithContext(url, str, str2, str3, str4, (Map<String, String>) null);
    }

    @Override // org.gcube.common.keycloak.KeycloakClient
    public TokenResponse queryOIDCTokenOfUserWithContext(URL url, String str, String str2, String str3, String str4, Map<String, String> map) throws KeycloakClientException {
        HashMap hashMap = new HashMap();
        hashMap.put(OIDCConstants.GRANT_TYPE_PARAMETER, Arrays.asList("password"));
        hashMap.put(OIDCConstants.USERNAME_PARAMETER, Arrays.asList(str2));
        hashMap.put("password", Arrays.asList(str3));
        if (this.scopes != null && this.scopes.size() > 0) {
            hashMap.put(OIDCConstants.SCOPE_PARAMETER, this.scopes);
        }
        HashMap hashMap2 = new HashMap();
        logger.debug("Adding authorization header as: {}", str);
        hashMap2.put(AUTHORIZATION_HEADER, str);
        if (map != null) {
            logger.debug("Adding provided extra headers: {}", map);
            hashMap2.putAll(map);
        }
        if (str4 != null) {
            logger.debug("Adding d4s context header as: {}", str4);
            hashMap2.put(KeycloakClient.D4S_CONTEXT_HEADER_NAME, str4);
        }
        return performRequest(url, hashMap2, hashMap);
    }

    @Override // org.gcube.common.keycloak.KeycloakClient
    public TokenResponse queryOIDCTokenWithContext(URL url, String str, String str2, Map<String, String> map) throws KeycloakClientException {
        logger.debug("Querying OIDC token from Keycloak server with URL: {}", url);
        HashMap hashMap = new HashMap();
        hashMap.put(OIDCConstants.GRANT_TYPE_PARAMETER, Arrays.asList(OIDCConstants.CLIENT_CREDENTIALS_GRANT_TYPE));
        if (this.scopes != null && this.scopes.size() > 0) {
            hashMap.put(OIDCConstants.SCOPE_PARAMETER, this.scopes);
        }
        HashMap hashMap2 = new HashMap();
        logger.debug("Adding authorization header as: {}", str);
        hashMap2.put(AUTHORIZATION_HEADER, str);
        if (str2 != null) {
            logger.debug("Adding d4s context header as: {}", str2);
            hashMap2.put(KeycloakClient.D4S_CONTEXT_HEADER_NAME, str2);
        }
        return performRequest(url, hashMap2, hashMap);
    }

    @Override // org.gcube.common.keycloak.KeycloakClient
    public TokenResponse queryUMAToken(String str, TokenResponse tokenResponse, String str2, List<String> list) throws KeycloakClientException {
        return queryUMAToken(getTokenEndpointURL(getRealmBaseURL(str)), tokenResponse, str2, list);
    }

    @Override // org.gcube.common.keycloak.KeycloakClient
    public TokenResponse queryUMAToken(URL url, TokenResponse tokenResponse, String str, List<String> list) throws KeycloakClientException {
        return queryUMAToken(url, constructBeareAuthenticationHeader(tokenResponse), str, list);
    }

    protected static String constructBeareAuthenticationHeader(TokenResponse tokenResponse) {
        return "Bearer " + tokenResponse.getAccessToken();
    }

    @Override // org.gcube.common.keycloak.KeycloakClient
    public TokenResponse queryUMAToken(String str, String str2, String str3, String str4, List<String> list) throws KeycloakClientException {
        return queryUMAToken(getTokenEndpointURL(getRealmBaseURL(str)), str2, str3, str4, list);
    }

    @Override // org.gcube.common.keycloak.KeycloakClient
    public TokenResponse queryUMAToken(URL url, String str, String str2, String str3, List<String> list) throws KeycloakClientException {
        return queryUMAToken(url, constructBasicAuthenticationHeader(str, str2), str3, list);
    }

    @Override // org.gcube.common.keycloak.KeycloakClient
    public TokenResponse queryUMAToken(String str, String str2, String str3, List<String> list) throws KeycloakClientException {
        return queryUMAToken(getTokenEndpointURL(getRealmBaseURL(str)), str2, str3, list);
    }

    @Override // org.gcube.common.keycloak.KeycloakClient
    public TokenResponse queryUMAToken(URL url, String str, String str2, List<String> list) throws KeycloakClientException {
        if (str2 == null || "".equals(str2)) {
            throw new KeycloakClientException("Audience must be not null nor empty");
        }
        logger.debug("Querying UMA token from Keycloak server with URL: {}", url);
        HashMap hashMap = new HashMap();
        hashMap.put(OIDCConstants.GRANT_TYPE_PARAMETER, Arrays.asList(OIDCConstants.UMA_TOKEN_GRANT_TYPE));
        try {
            String encode = URLEncoder.encode(checkAudience(str2), "UTF-8");
            hashMap.put(OIDCConstants.AUDIENCE_PARAMETER, Arrays.asList(encode));
            logger.trace("audience is {}", encode);
        } catch (UnsupportedEncodingException e) {
            logger.error("Can't URL encode audience: {}", str2, e);
        }
        HashMap hashMap2 = new HashMap();
        logger.debug("Adding authorization header as: {}", str);
        hashMap2.put(AUTHORIZATION_HEADER, str);
        if (list != null && !list.isEmpty()) {
            hashMap.put(OIDCConstants.PERMISSION_PARAMETER, (List) list.stream().map(str3 -> {
                try {
                    return URLEncoder.encode(str3, "UTF-8");
                } catch (UnsupportedEncodingException e2) {
                    return "";
                }
            }).collect(Collectors.toList()));
        }
        return performRequest(url, hashMap2, hashMap);
    }

    protected TokenResponse performRequest(URL url, Map<String, String> map, Map<String, List<String>> map2) throws KeycloakClientException {
        return (TokenResponse) performRequest(TokenResponse.class, url, map, map2);
    }

    protected <T> T performRequest(Class<T> cls, URL url, Map<String, String> map, Map<String, List<String>> map2) throws KeycloakClientException {
        if (url == null) {
            throw new KeycloakClientException("Token URL must be not null");
        }
        String str = "";
        try {
            if (map2 != null) {
                str = (String) map2.entrySet().stream().flatMap(entry -> {
                    return ((List) entry.getValue()).stream().map(str2 -> {
                        return ((String) entry.getKey()) + "=" + str2;
                    });
                }).reduce((str2, str3) -> {
                    return str2 + "&" + str3;
                }).orElse("");
            } else if (logger.isDebugEnabled()) {
                logger.debug("Params map is null");
            }
            logger.trace("Query string is: {}", str);
            GXHTTPStringRequest withBody = GXHTTPStringRequest.newRequest(url.toString()).header("Content-Type", "application/x-www-form-urlencoded").withBody(str);
            safeSetAsExternalCallForOldAPI(withBody);
            if (map != null) {
                logger.trace("Adding provided headers: {}", map);
                for (String str4 : map.keySet()) {
                    withBody.header(str4, map.get(str4));
                }
            } else if (logger.isDebugEnabled()) {
                logger.debug("HTTP headers map is null");
            }
            try {
                GXInboundResponse post = withBody.post();
                if (post.isSuccessResponse()) {
                    try {
                        return (T) post.tryConvertStreamedContentFromJson(cls);
                    } catch (Exception e) {
                        throw new KeycloakClientException("Cannot construct token response object correctly", e);
                    }
                }
                String str5 = "[empty]";
                try {
                    str5 = post.getStreamedContentAsString();
                } catch (IOException e2) {
                }
                throw KeycloakClientException.create("Unable to get token", post.getHTTPCode(), (String) ((List) post.getHeaderFields().getOrDefault("content-type", Collections.singletonList("unknown/unknown"))).get(0), str5);
            } catch (Exception e3) {
                throw new KeycloakClientException("Cannot send request correctly", e3);
            }
        } catch (Exception e4) {
            throw new KeycloakClientException("Cannot construct the request object correctly", e4);
        }
    }

    private static String checkAudience(String str) {
        if (str.startsWith("/")) {
            try {
                logger.trace("Audience was provided in non URL encoded form, encoding it");
                return URLEncoder.encode(str, "UTF-8");
            } catch (UnsupportedEncodingException e) {
                logger.error("Cannot URL encode 'audience'", e);
            }
        }
        return str;
    }

    @Override // org.gcube.common.keycloak.KeycloakClient
    public TokenResponse refreshToken(String str, TokenResponse tokenResponse) throws KeycloakClientException {
        return refreshToken(getTokenEndpointURL(getRealmBaseURL(str)), tokenResponse);
    }

    @Override // org.gcube.common.keycloak.KeycloakClient
    public TokenResponse refreshToken(URL url, TokenResponse tokenResponse) throws KeycloakClientException {
        return refreshToken(url, (String) null, (String) null, tokenResponse);
    }

    @Override // org.gcube.common.keycloak.KeycloakClient
    public TokenResponse refreshToken(String str, String str2, String str3, TokenResponse tokenResponse) throws KeycloakClientException {
        return refreshToken(getTokenEndpointURL(getRealmBaseURL(str)), str2, str3, tokenResponse);
    }

    @Override // org.gcube.common.keycloak.KeycloakClient
    public TokenResponse refreshToken(URL url, String str, String str2, TokenResponse tokenResponse) throws KeycloakClientException {
        if (str == null) {
            logger.debug("Client id not set, trying to get it from access token info");
            try {
                str = ModelUtils.getClientIdFromToken(ModelUtils.getAccessTokenFrom(tokenResponse));
            } catch (Exception e) {
                throw new KeycloakClientException("Cannot construct access token object from token response", e);
            }
        }
        return refreshToken(url, str, str2, tokenResponse.getRefreshToken());
    }

    @Override // org.gcube.common.keycloak.KeycloakClient
    public TokenResponse refreshToken(String str, String str2, String str3, String str4) throws KeycloakClientException {
        return refreshToken(getTokenEndpointURL(getRealmBaseURL(str)), str2, str3, str4);
    }

    @Override // org.gcube.common.keycloak.KeycloakClient
    public TokenResponse refreshToken(URL url, String str, String str2, String str3) throws KeycloakClientException {
        if (url == null) {
            throw new KeycloakClientException("Token URL must be not null");
        }
        if (str == null || "".equals(str)) {
            throw new KeycloakClientException("Client id must be not null nor empty");
        }
        if (str3 == null || "".equals(str)) {
            throw new KeycloakClientException("Refresh token JWT encoded string must be not null nor empty");
        }
        logger.debug("Refreshing token from Keycloak server with URL: {}", url);
        try {
            HashMap hashMap = new HashMap();
            hashMap.put(OIDCConstants.GRANT_TYPE_PARAMETER, Collections.singletonList("refresh_token"));
            hashMap.put("refresh_token", Collections.singletonList(str3));
            hashMap.put(OIDCConstants.CLIENT_ID_PARAMETER, Collections.singletonList(URLEncoder.encode(str, "UTF-8")));
            if (str2 != null && !"".equals(str2)) {
                hashMap.put(OIDCConstants.CLIENT_SECRET_PARAMETER, Collections.singletonList(URLEncoder.encode(str2, "UTF-8")));
            }
            return performRequest(url, null, hashMap);
        } catch (UnsupportedEncodingException e) {
            throw new KeycloakClientException("Cannot encode parameters", e);
        }
    }

    @Override // org.gcube.common.keycloak.KeycloakClient
    public TokenResponse exchangeTokenForAccessToken(String str, String str2, String str3, String str4, String str5) throws KeycloakClientException {
        return exchangeTokenForAccessToken(getTokenEndpointURL(getRealmBaseURL(str)), str2, str3, str4, str5);
    }

    @Override // org.gcube.common.keycloak.KeycloakClient
    public TokenResponse exchangeTokenForAccessToken(URL url, String str, String str2, String str3, String str4) throws KeycloakClientException {
        return exchangeToken(url, str, str2, str3, str4, OIDCConstants.ACCESS_TOKEN_TOKEN_TYPE, null);
    }

    @Override // org.gcube.common.keycloak.KeycloakClient
    public TokenResponse exchangeTokenForRefreshToken(String str, String str2, String str3, String str4, String str5) throws KeycloakClientException {
        return exchangeTokenForRefreshToken(getTokenEndpointURL(getRealmBaseURL(str)), str2, str3, str4, str5);
    }

    @Override // org.gcube.common.keycloak.KeycloakClient
    public TokenResponse exchangeTokenForRefreshToken(URL url, String str, String str2, String str3, String str4) throws KeycloakClientException {
        return exchangeToken(url, str, str2, str3, str4, OIDCConstants.REFRESH_TOKEN_TOKEN_TYPE, null);
    }

    @Override // org.gcube.common.keycloak.KeycloakClient
    public TokenResponse exchangeTokenForOfflineToken(String str, String str2, String str3, String str4, String str5) throws IllegalArgumentException, KeycloakClientException {
        return exchangeTokenForOfflineToken(getTokenEndpointURL(getRealmBaseURL(str)), str2, str3, str4, str5);
    }

    @Override // org.gcube.common.keycloak.KeycloakClient
    public TokenResponse exchangeTokenForOfflineToken(URL url, String str, String str2, String str3, String str4) throws IllegalArgumentException, KeycloakClientException {
        try {
            if (ModelUtils.getAccessTokenFrom(str).getScope().indexOf(OIDCConstants.OFFLINE_ACCESS_SCOPE) >= 0) {
                return exchangeToken(url, str, str2, str3, str4, OIDCConstants.REFRESH_TOKEN_TOKEN_TYPE, OIDCConstants.OFFLINE_ACCESS_SCOPE);
            }
            logger.info("Token to be exchanged doesn't contain 'offline_token' within scopes");
            throw new IllegalArgumentException("Orignal access token doesn't contain the 'offline_token' scope");
        } catch (Exception e) {
            throw new IllegalArgumentException("Impossible to parse the access token as JSON", e);
        }
    }

    protected TokenResponse exchangeToken(URL url, String str, String str2, String str3, String str4, String str5, String str6) throws KeycloakClientException {
        if (str4 == null || "".equals(str4)) {
            throw new KeycloakClientException("Audience must be not null nor empty");
        }
        logger.debug("Exchanging token from Keycloak server with URL: {}", url);
        HashMap hashMap = new HashMap();
        hashMap.put(OIDCConstants.SUBJECT_TOKEN_PARAMETER, Arrays.asList(str));
        hashMap.put(OIDCConstants.CLIENT_ID_PARAMETER, Arrays.asList(str2));
        hashMap.put(OIDCConstants.CLIENT_SECRET_PARAMETER, Arrays.asList(str3));
        hashMap.put(OIDCConstants.GRANT_TYPE_PARAMETER, Arrays.asList(OIDCConstants.TOKEN_EXCHANGE_GRANT_TYPE));
        hashMap.put(OIDCConstants.SUBJECT_TOKEN_TYPE_PARAMETER, Arrays.asList(OIDCConstants.ACCESS_TOKEN_TOKEN_TYPE));
        hashMap.put(OIDCConstants.REQUESTED_TOKEN_TYPE_PARAMETER, Arrays.asList(str5));
        if (str6 != null) {
            hashMap.put(OIDCConstants.SCOPE_PARAMETER, Arrays.asList(str6));
        }
        try {
            String encode = URLEncoder.encode(checkAudience(str4), "UTF-8");
            hashMap.put(OIDCConstants.AUDIENCE_PARAMETER, Arrays.asList(encode));
            logger.trace("audience is {}", encode);
        } catch (UnsupportedEncodingException e) {
            logger.error("Can't URL encode audience: {}", str4, e);
        }
        return performRequest(url, null, hashMap);
    }

    @Override // org.gcube.common.keycloak.KeycloakClient
    public TokenIntrospectionResponse introspectAccessToken(String str, String str2, String str3, String str4) throws KeycloakClientException {
        return introspectAccessToken(getIntrospectionEndpointURL(getRealmBaseURL(str)), str2, str3, str4);
    }

    @Override // org.gcube.common.keycloak.KeycloakClient
    public TokenIntrospectionResponse introspectAccessToken(URL url, String str, String str2, String str3) throws KeycloakClientException {
        if (url == null) {
            throw new KeycloakClientException("Introspection URL must be not null");
        }
        if (str == null || "".equals(str)) {
            throw new KeycloakClientException("Client id must be not null nor empty");
        }
        if (str2 == null || "".equals(str2)) {
            throw new KeycloakClientException("Client secret must be not null nor empty");
        }
        logger.debug("Verifying access token against Keycloak server with URL: {}", url);
        return (TokenIntrospectionResponse) performRequest(TokenIntrospectionResponse.class, url, Collections.singletonMap(AUTHORIZATION_HEADER, constructBasicAuthenticationHeader(str, str2)), Collections.singletonMap("token", Collections.singletonList(str3)));
    }

    @Override // org.gcube.common.keycloak.KeycloakClient
    public boolean isAccessTokenVerified(String str, String str2, String str3, String str4) throws KeycloakClientException {
        return isAccessTokenVerified(getIntrospectionEndpointURL(getRealmBaseURL(str)), str2, str3, str4);
    }

    @Override // org.gcube.common.keycloak.KeycloakClient
    public boolean isAccessTokenVerified(URL url, String str, String str2, String str3) throws KeycloakClientException {
        return introspectAccessToken(url, str, str2, str3).getActive().booleanValue();
    }

    protected void safeSetAsExternalCallForOldAPI(GXHTTPStringRequest gXHTTPStringRequest) {
        try {
            logger.trace("Looking for the 'isExternalCall' method in the 'GXHTTPStringRequest' class");
            Method method = gXHTTPStringRequest.getClass().getMethod("isExternalCall", Boolean.TYPE);
            logger.trace("Method found, is the old gxJRS API. Invoking it with 'true' argument");
            method.invoke(gXHTTPStringRequest, true);
        } catch (IllegalAccessException | IllegalArgumentException | SecurityException | InvocationTargetException e) {
            logger.warn("Cannot invoke 'isExternalCall' method via reflection on 'GXHTTPStringRequest' class", e);
        } catch (NoSuchMethodException e2) {
            logger.trace("Method not found, is the new gxJRS API");
        }
    }

    @Override // org.gcube.common.keycloak.KeycloakClient
    public byte[] getAvatarData(String str, TokenResponse tokenResponse) throws KeycloakClientException {
        return getAvatarData(getAvatarEndpointURL(getRealmBaseURL(str)), tokenResponse);
    }

    @Override // org.gcube.common.keycloak.KeycloakClient
    public byte[] getAvatarData(URL url, TokenResponse tokenResponse) throws KeycloakClientException {
        return getAvatarData(url, constructBeareAuthenticationHeader(tokenResponse));
    }

    @Override // org.gcube.common.keycloak.KeycloakClient
    public byte[] getAvatarData(URL url, String str) throws KeycloakClientException {
        logger.debug("Getting user's avatar from URL: {}", url);
        try {
            try {
                GXHTTPStringRequest newRequest = GXHTTPStringRequest.newRequest(url.toString());
                safeSetAsExternalCallForOldAPI(newRequest);
                logger.debug("Adding authorization header as: {}", str);
                try {
                    GXInboundResponse gXInboundResponse = newRequest.header(AUTHORIZATION_HEADER, str).header("Accept", "image/png, image/gif").get();
                    if (gXInboundResponse.isSuccessResponse()) {
                        return gXInboundResponse.getStreamedContent();
                    }
                    throw KeycloakClientException.create("Unable to get avatar image data", gXInboundResponse.getHTTPCode(), (String) ((List) gXInboundResponse.getHeaderFields().getOrDefault("content-type", Collections.singletonList("unknown/unknown"))).get(0), gXInboundResponse.getMessage());
                } catch (Exception e) {
                    throw new KeycloakClientException("Cannot send request correctly", e);
                }
            } catch (Exception e2) {
                throw new KeycloakClientException("Cannot construct the request object correctly", e2);
            }
        } catch (IOException e3) {
            throw new KeycloakClientException("Error getting user's avatar data", e3);
        }
    }
}
