package org.keycloak.protocol.oidc.endpoints;

import javax.ws.rs.POST;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import org.jboss.resteasy.annotations.cache.NoCache;
import org.jboss.resteasy.spi.HttpRequest;
import org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider;
import org.keycloak.common.ClientConnection;
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.protocol.oidc.TokenIntrospectionProvider;
import org.keycloak.protocol.oidc.utils.AuthorizeClientUtil;
import org.keycloak.services.ErrorResponseException;

/* loaded from: input_file:org/keycloak/protocol/oidc/endpoints/TokenIntrospectionEndpoint.class */
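/**
 * JAX-RS resource that handles token introspection requests for a realm.
 *
 * <p>A request is processed only after three gates pass, in this order: the transport check
 * ({@link #checkSsl()}), the realm check ({@link #checkRealm()}) and client authentication
 * ({@link #authorizeClient()}). Public clients are rejected, so only a client that
 * authenticated through {@code AuthorizeClientUtil} and is not flagged public can ask
 * whether a token is active.
 */
public class TokenIntrospectionEndpoint {
    private static final String PARAM_TOKEN_TYPE_HINT = "token_type_hint";
    private static final String PARAM_TOKEN = "token";

    @Context
    private KeycloakSession session;

    @Context
    private HttpRequest request;

    @Context
    private HttpHeaders headers;

    @Context
    private ClientConnection clientConnection;
    private final RealmModel realm;
    private final EventBuilder event;

    /**
     * Creates the endpoint for one realm.
     *
     * @param realmModel   realm whose enabled flag and SSL policy gate every request
     * @param eventBuilder event builder used to record the outcome of the request
     */
    public TokenIntrospectionEndpoint(RealmModel realmModel, EventBuilder eventBuilder) {
        this.realm = realmModel;
        this.event = eventBuilder;
    }

    /**
     * Introspects the token supplied in the {@code token} form parameter.
     *
     * <p>The optional {@code token_type_hint} parameter selects the
     * {@link TokenIntrospectionProvider}; it defaults to {@code access_token}.
     *
     * @return the response produced by the selected provider
     * @throws ErrorResponseException if a precondition fails, the token is missing, the hint
     *         names no registered provider, or the provider fails
     */
    @POST
    @NoCache
    public Response introspect() {
        this.event.event(EventType.INTROSPECT_TOKEN);

        // Order matters: nothing from the request body is read before the transport, realm
        // and client checks have passed.
        checkSsl();
        checkRealm();
        authorizeClient();

        MultivaluedMap<String, String> formParams = this.request.getDecodedFormParameters();

        String tokenTypeHint = formParams.getFirst(PARAM_TOKEN_TYPE_HINT);
        if (tokenTypeHint == null) {
            tokenTypeHint = "access_token";
        }

        String token = formParams.getFirst(PARAM_TOKEN);
        if (token == null) {
            throw throwErrorResponseException("invalid_request", "Token not provided.", Response.Status.BAD_REQUEST);
        }

        TokenIntrospectionProvider provider = this.session.getProvider(TokenIntrospectionProvider.class, tokenTypeHint);
        if (provider == null) {
            // The caller-supplied hint is echoed into the error description and, through
            // throwErrorResponseException, into the event detail. It is neither length-limited
            // nor sanitised here; the token value itself is never echoed.
            throw throwErrorResponseException("invalid_request", "Unsupported token type [" + tokenTypeHint + "].", Response.Status.BAD_REQUEST);
        }

        try {
            Response introspection = provider.introspect(token);
            this.event.success();
            return introspection;
        } catch (ErrorResponseException ere) {
            // Must be caught before Exception: a provider-built error response passes through
            // unchanged instead of being rewritten into the generic failure below.
            throw ere;
        } catch (Exception e) {
            // The caller only gets a generic description, so provider internals do not leak.
            // The cause is dropped here as well and is not recorded by this method.
            throw throwErrorResponseException("invalid_request", "Failed to introspect token.", Response.Status.BAD_REQUEST);
        }
    }

    /**
     * Authenticates the calling client and rejects missing or public clients.
     *
     * @throws ErrorResponseException with {@code 403} if the client is absent or public, or
     *         with {@code 401} if authentication fails for any other reason
     */
    private void authorizeClient() {
        try {
            ClientModel client = AuthorizeClientUtil.authorizeClient(this.session, this.event).getClient();
            // NOTE(review): the client is attached to the event before the null check; confirm
            // that EventBuilder.client tolerates null, otherwise the null branch below is
            // reported as a 401 rather than a 403.
            this.event.client(client);
            if (client == null || client.isPublicClient()) {
                throw throwErrorResponseException("invalid_request", "Client not allowed.", Response.Status.FORBIDDEN);
            }
        } catch (ErrorResponseException ere) {
            // Caught first so the 403 raised above, and any error response produced during
            // client authentication, is not masked as a generic 401.
            throw ere;
        } catch (Exception e) {
            throw throwErrorResponseException("invalid_request", "Authentication failed.", Response.Status.UNAUTHORIZED);
        }
    }

    /**
     * Rejects the request when it did not arrive over HTTPS and the realm's SSL policy
     * requires it for this connection.
     *
     * @throws ErrorResponseException with {@code 403} when HTTPS is required but not used
     */
    private void checkSsl() {
        // The scheme is taken from the session's base URI. Whether that reflects the scheme
        // the client actually used behind a TLS-terminating proxy depends on deployment
        // configuration that is not visible in this class.
        String scheme = this.session.getContext().getUri().getBaseUri().getScheme();
        // Constant-first comparison: a missing scheme is treated as "not HTTPS" instead of
        // raising a NullPointerException.
        boolean secure = "https".equals(scheme);
        if (!secure && this.realm.getSslRequired().isRequired(this.clientConnection)) {
            throw new ErrorResponseException("invalid_request", "HTTPS required", Response.Status.FORBIDDEN);
        }
    }

    /**
     * Rejects the request when the realm is disabled.
     *
     * @throws ErrorResponseException with {@code 403} when the realm is not enabled
     */
    private void checkRealm() {
        if (!this.realm.isEnabled()) {
            throw new ErrorResponseException(AbstractOAuth2IdentityProvider.ACCESS_DENIED, "Realm not enabled", Response.Status.FORBIDDEN);
        }
    }

    /**
     * Records the failure on the event and builds the matching exception. Despite its name
     * this method returns the exception; callers are expected to {@code throw} the result.
     *
     * @param str    error code, used both for the event and the response
     * @param str2   error description, stored as the event's {@code detail} and sent to the caller
     * @param status HTTP status of the error response
     * @return the exception to throw
     */
    private ErrorResponseException throwErrorResponseException(String str, String str2, Response.Status status) {
        this.event.detail("detail", str2).error(str);
        return new ErrorResponseException(str, str2, status);
    }
}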
