package org.keycloak.protocol.docker;

import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.concurrent.atomic.AtomicReference;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriInfo;
import org.jboss.logging.Logger;
import org.jboss.resteasy.specimpl.ResponseBuilderImpl;
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType;
import org.keycloak.jose.jws.JWSBuilder;
import org.keycloak.models.AuthenticatedClientSessionModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.ClientSessionContext;
import org.keycloak.models.KeyManager;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.protocol.LoginProtocol;
import org.keycloak.protocol.ProtocolMapperUtils;
import org.keycloak.protocol.docker.mapper.DockerAuthV2AttributeMapper;
import org.keycloak.representations.docker.DockerResponse;
import org.keycloak.representations.docker.DockerResponseToken;
import org.keycloak.services.ErrorResponseException;
import org.keycloak.sessions.AuthenticationSessionModel;
import org.keycloak.utils.MediaType;

/* loaded from: input_file:org/keycloak/protocol/docker/DockerAuthV2Protocol.class */
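/**
 * {@link LoginProtocol} implementation for the {@code docker-v2} protocol.
 *
 * <p>On a successful login it builds a {@link DockerResponseToken}, lets the client's
 * {@link DockerAuthV2AttributeMapper}s transform it, signs it with the realm's active RSA key and
 * returns it as JSON. Every logout operation is rejected as unsupported, and
 * {@link #requireReauthentication} always answers {@code true}.
 */
public class DockerAuthV2Protocol implements LoginProtocol {
    // NOTE(review): the logger category is DockerEndpoint, not this class, so log filters and
    // detection rules keyed on the class name will not match these messages. Left unchanged
    // because existing logging configuration may depend on it; confirm and correct upstream.
    protected static final Logger logger = Logger.getLogger(DockerEndpoint.class);
    public static final String LOGIN_PROTOCOL = "docker-v2";
    public static final String ACCOUNT_PARAM = "account";
    public static final String SERVICE_PARAM = "service";
    public static final String SCOPE_PARAM = "scope";
    /** Name of the client note that carries the issuer written into the token. */
    public static final String ISSUER = "docker.iss";
    /** Pattern with a literal {@code Z} suffix; it is only correct when formatted in UTC. */
    public static final String ISO_8601_DATE_FORMAT = "yyyy-MM-dd'T'HH:mm:ss'Z'";
    private KeycloakSession session;
    private RealmModel realm;
    private UriInfo uriInfo;
    private HttpHeaders headers;
    private EventBuilder event;

    /** Creates an unconfigured instance; the setters must supply session, realm and event before use. */
    public DockerAuthV2Protocol() {
    }

    /**
     * Creates a fully configured instance.
     *
     * @param keycloakSession session used to look up protocol mappers and signing keys
     * @param realmModel realm whose access-token lifespan and active RSA key are used
     * @param uriInfo request URI information (stored, not read in this class)
     * @param httpHeaders request headers (stored, not read in this class)
     * @param eventBuilder event whose type is checked before a token is returned
     */
    public DockerAuthV2Protocol(KeycloakSession keycloakSession, RealmModel realmModel, UriInfo uriInfo, HttpHeaders httpHeaders, EventBuilder eventBuilder) {
        this.session = keycloakSession;
        this.realm = realmModel;
        this.uriInfo = uriInfo;
        this.headers = httpHeaders;
        this.event = eventBuilder;
    }

    /** Sets the session and returns this instance for chaining. */
    public LoginProtocol setSession(KeycloakSession keycloakSession) {
        this.session = keycloakSession;
        return this;
    }

    /** Sets the realm and returns this instance for chaining. */
    public LoginProtocol setRealm(RealmModel realmModel) {
        this.realm = realmModel;
        return this;
    }

    /** Sets the request URI information and returns this instance for chaining. */
    public LoginProtocol setUriInfo(UriInfo uriInfo) {
        this.uriInfo = uriInfo;
        return this;
    }

    /** Sets the request headers and returns this instance for chaining. */
    public LoginProtocol setHttpHeaders(HttpHeaders httpHeaders) {
        this.headers = httpHeaders;
        return this;
    }

    /** Sets the event builder and returns this instance for chaining. */
    public LoginProtocol setEventBuilder(EventBuilder eventBuilder) {
        this.event = eventBuilder;
        return this;
    }

    /**
     * Issues the signed Docker token for an authenticated session.
     *
     * <p>The token's issuer is read from the {@link #ISSUER} client note, its subject is the
     * user's username, and both audience and issued-for are the client ID. It is valid from its
     * issue time for the realm's access-token lifespan. The token is signed with the realm's
     * active RSA key and the JOSE {@code kid} is derived from the matching public key.
     *
     * @param authenticationSessionModel authentication session supplying the issuer client note
     * @param userSessionModel user session supplying the subject
     * @param clientSessionContext context supplying the client session and protocol mappers
     * @return a 200 JSON response carrying the token, {@code expires_in} and {@code issued_at}
     * @throws ErrorResponseException with 400 if the current event is not a LOGIN event, or with
     *     500 if the key identifier for the JOSE header cannot be created
     */
    public Response authenticated(AuthenticationSessionModel authenticationSessionModel, UserSessionModel userSessionModel, ClientSessionContext clientSessionContext) {
        AuthenticatedClientSessionModel clientSession = clientSessionContext.getClientSession();
        ClientModel client = clientSession.getClient();
        DockerResponseToken initialToken = new DockerResponseToken()
                .id(KeycloakModelUtils.generateId())
                .type("Bearer")
                .issuer(authenticationSessionModel.getClientNote(ISSUER))
                .subject(userSessionModel.getUser().getUsername())
                .issuedNow()
                .audience(new String[]{client.getClientId()})
                .issuedFor(client.getClientId());
        int accessTokenLifespan = this.realm.getAccessTokenLifespan();
        initialToken.notBefore(initialToken.getIssuedAt()).expiration(initialToken.getIssuedAt() + accessTokenLifespan);

        // The reference lets the lambdas replace the token. The stream is lazy, so each mapper's
        // appliesTo() sees the token as already transformed by the mappers that ran before it.
        AtomicReference<DockerResponseToken> tokenRef = new AtomicReference<>(initialToken);
        ProtocolMapperUtils.getSortedProtocolMappers(this.session, clientSessionContext)
                .filter(entry -> entry.getValue() instanceof DockerAuthV2AttributeMapper)
                .filter(entry -> ((DockerAuthV2AttributeMapper) entry.getValue()).appliesTo(tokenRef.get()))
                .forEach(entry -> tokenRef.set(((DockerAuthV2AttributeMapper) entry.getValue()).transformDockerResponseToken(tokenRef.get(), (ProtocolMapperModel) entry.getKey(), this.session, userSessionModel, clientSession)));
        DockerResponseToken dockerResponseToken = tokenRef.get();

        try {
            // Only LOGIN events may yield a token; anything else is refused before signing.
            if (this.event.getEvent() == null || !EventType.LOGIN.equals(this.event.getEvent().getType())) {
                logger.errorv("Unable to handle request for event type {0}.  Currently only LOGIN event types are supported by docker protocol.", this.event.getEvent() == null ? "null" : this.event.getEvent().getType());
                throw new ErrorResponseException("invalid_request", "Event type not supported", Response.Status.BAD_REQUEST);
            }
            KeyManager.ActiveRsaKey activeRsaKey = this.session.keys().getActiveRsaKey(this.realm);
            String signedToken = new JWSBuilder()
                    .kid(new DockerKeyIdentifier(activeRsaKey.getPublicKey()).toString())
                    .type("JWT")
                    .jsonContent(dockerResponseToken)
                    .rsa256(activeRsaKey.getPrivateKey());
            DockerResponse body = new DockerResponse()
                    .setToken(signedToken)
                    .setExpires_in(Integer.valueOf(accessTokenLifespan))
                    .setIssued_at(formatIssuedAt(dockerResponseToken.getIssuedAt()));
            return new ResponseBuilderImpl()
                    .status(Response.Status.OK)
                    .header("Content-Type", MediaType.APPLICATION_JSON)
                    .entity(body)
                    .build();
        } catch (InstantiationException e) {
            // The format string previously had no placeholder, so the cause was never logged.
            // The throwable is passed as well because ErrorResponseException carries no cause here.
            logger.errorv(e, "Error attempting to create Key ID for Docker JOSE header: {0}", e.getMessage());
            throw new ErrorResponseException("token_error", "Unable to construct JOSE header for JWT", Response.Status.INTERNAL_SERVER_ERROR);
        }
    }

    /**
     * Formats an issue time as the {@code issued_at} string of the response.
     *
     * <p>{@link #ISO_8601_DATE_FORMAT} ends in a literal {@code Z}, so the formatter is pinned to
     * UTC; with the JVM default zone the value would be local time mislabelled as UTC, which
     * skews the validity window a client derives from it. {@code Locale.ROOT} keeps the output
     * independent of the server locale.
     *
     * @param issuedAtSeconds issue time in seconds since the epoch
     * @return the timestamp in UTC, e.g. {@code 1970-01-01T00:00:00Z} for {@code 0}
     */
    private static String formatIssuedAt(long issuedAtSeconds) {
        SimpleDateFormat formatter = new SimpleDateFormat(ISO_8601_DATE_FORMAT, java.util.Locale.ROOT);
        formatter.setTimeZone(java.util.TimeZone.getTimeZone("UTC"));
        // Multiply as long: an int seconds value times 1000 would overflow.
        return formatter.format(new Date(issuedAtSeconds * 1000L));
    }

    /** Returns a 500 response with no body, whatever error is passed in. */
    public Response sendError(AuthenticationSessionModel authenticationSessionModel, LoginProtocol.Error error) {
        return new ResponseBuilderImpl().status(Response.Status.INTERNAL_SERVER_ERROR).build();
    }

    /** Unsupported by this protocol; always throws via {@link #errorResponse}. */
    public Response backchannelLogout(UserSessionModel userSessionModel, AuthenticatedClientSessionModel authenticatedClientSessionModel) {
        return errorResponse(userSessionModel, "backchannelLogout");
    }

    /** Unsupported by this protocol; always throws via {@link #errorResponse}. */
    public Response frontchannelLogout(UserSessionModel userSessionModel, AuthenticatedClientSessionModel authenticatedClientSessionModel) {
        return errorResponse(userSessionModel, "frontchannelLogout");
    }

    /** Unsupported by this protocol; always throws via {@link #errorResponse}. */
    public Response finishBrowserLogout(UserSessionModel userSessionModel, AuthenticationSessionModel authenticationSessionModel) {
        return errorResponse(userSessionModel, "finishLogout");
    }

    /** Always {@code true}: an existing user session is never accepted in place of authentication. */
    public boolean requireReauthentication(UserSessionModel userSessionModel, AuthenticationSessionModel authenticationSessionModel) {
        return true;
    }

    /**
     * Logs the username and the unsupported method name, then rejects the call.
     *
     * <p>The return type exists only so callers can write {@code return errorResponse(...)};
     * the method never returns normally.
     *
     * @throws ErrorResponseException always, with 400 and error code {@code invalid_request}
     */
    private Response errorResponse(UserSessionModel userSessionModel, String str) {
        logger.errorv("User {0} attempted to invoke unsupported method {1} on docker protocol.", userSessionModel.getUser().getUsername(), str);
        throw new ErrorResponseException("invalid_request", String.format("Attempted to invoke unsupported docker method %s", str), Response.Status.BAD_REQUEST);
    }

    /** No resources are held, so there is nothing to release. */
    public void close() {
    }
}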
