package org.keycloak.broker.oidc;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.IOException;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.ws.rs.GET;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import javax.ws.rs.core.UriInfo;
import org.jboss.logging.Logger;
import org.keycloak.broker.oidc.OAuth2IdentityProviderConfig;
import org.keycloak.broker.provider.AbstractIdentityProvider;
import org.keycloak.broker.provider.AuthenticationRequest;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.broker.provider.IdentityBrokerException;
import org.keycloak.broker.provider.IdentityProvider;
import org.keycloak.broker.provider.util.SimpleHttp;
import org.keycloak.common.ClientConnection;
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType;
import org.keycloak.models.FederatedIdentityModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.services.ErrorPage;
import org.keycloak.services.messages.Messages;

/* loaded from: input_file:org/keycloak/broker/oidc/AbstractOAuth2IdentityProvider.class */
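/**
 * Base class for identity brokers that speak plain OAuth 2.0 (authorization-code grant).
 *
 * <p>The flow implemented here is: {@link #performLogin} redirects the browser to the
 * provider's authorization endpoint; the provider redirects back to the {@link Endpoint}
 * resource returned by {@link #callback}; the endpoint exchanges the {@code code} for a
 * token response and hands the brokered identity to the {@code AuthenticationCallback}.
 *
 * <p>Subclasses must implement {@link #getDefaultScopes()} and override
 * {@link #doGetFederatedIdentity(String)} to turn an access token into a
 * {@link BrokeredIdentityContext}; the default implementation here returns {@code null}.
 *
 * @param <C> the concrete provider configuration type
 */
public abstract class AbstractOAuth2IdentityProvider<C extends OAuth2IdentityProviderConfig> extends AbstractIdentityProvider<C> {
    public static final String OAUTH2_GRANT_TYPE_REFRESH_TOKEN = "refresh_token";
    public static final String OAUTH2_GRANT_TYPE_AUTHORIZATION_CODE = "authorization_code";
    public static final String FEDERATED_ACCESS_TOKEN = "FEDERATED_ACCESS_TOKEN";
    public static final String FEDERATED_REFRESH_TOKEN = "FEDERATED_REFRESH_TOKEN";
    public static final String FEDERATED_TOKEN_EXPIRATION = "FEDERATED_TOKEN_EXPIRATION";
    public static final String ACCESS_DENIED = "access_denied";
    public static final String OAUTH2_PARAMETER_ACCESS_TOKEN = "access_token";
    public static final String OAUTH2_PARAMETER_SCOPE = "scope";
    public static final String OAUTH2_PARAMETER_STATE = "state";
    public static final String OAUTH2_PARAMETER_RESPONSE_TYPE = "response_type";
    public static final String OAUTH2_PARAMETER_REDIRECT_URI = "redirect_uri";
    public static final String OAUTH2_PARAMETER_CODE = "code";
    public static final String OAUTH2_PARAMETER_CLIENT_ID = "client_id";
    public static final String OAUTH2_PARAMETER_CLIENT_SECRET = "client_secret";
    public static final String OAUTH2_PARAMETER_GRANT_TYPE = "grant_type";
    protected static final Logger logger = Logger.getLogger(AbstractOAuth2IdentityProvider.class);
    // Kept non-final (as in the original) so subclasses that reference it keep compiling;
    // it is shared across all provider instances, so never reconfigure it per request.
    protected static ObjectMapper mapper = new ObjectMapper();

    /**
     * JAX-RS resource that receives the provider's redirect back to Keycloak
     * (the {@code redirect_uri} of the authorization request).
     *
     * <p>Everything arriving here is attacker-reachable input: {@code state}, {@code code}
     * and {@code error} are query parameters that anyone can send. The {@code state} value
     * is passed through to the {@link IdentityProvider.AuthenticationCallback}, which is
     * where it is expected to be bound back to the originating login session; this class
     * does not validate it itself.
     */
    protected class Endpoint {
        protected IdentityProvider.AuthenticationCallback callback;
        protected RealmModel realm;
        protected EventBuilder event;

        @Context
        protected KeycloakSession session;

        @Context
        protected ClientConnection clientConnection;

        @Context
        protected HttpHeaders headers;

        @Context
        protected UriInfo uriInfo;

        public Endpoint(IdentityProvider.AuthenticationCallback authenticationCallback, RealmModel realmModel, EventBuilder eventBuilder) {
            this.callback = authenticationCallback;
            this.realm = realmModel;
            this.event = eventBuilder;
        }

        /**
         * Handles the authorization response.
         *
         * <p>Order of evaluation: an {@code error} parameter wins over everything else
         * ({@code access_denied} is reported as a cancelled login, anything else as an
         * unexpected error); otherwise a {@code code} is exchanged for tokens and the
         * resulting identity is passed to the callback; a request carrying neither, or any
         * failure during the exchange, yields the generic error page and a
         * {@code LOGIN} event with error {@code identity_provider_login_failure}.
         *
         * @param state the opaque {@code state} echoed back by the provider
         * @param authorizationCode the authorization {@code code}, or {@code null}
         * @param error the OAuth {@code error} code, or {@code null}
         * @return the response to send to the browser
         */
        @GET
        public Response authResponse(@QueryParam("state") String state, @QueryParam("code") String authorizationCode, @QueryParam("error") String error) {
            String providerId = AbstractOAuth2IdentityProvider.this.m89getConfig().getProviderId();
            if (error != null) {
                // The error value comes straight from the query string; strip line
                // breaks so a crafted value cannot forge additional log records.
                String safeError = forLog(error);
                if (error.equals(AbstractOAuth2IdentityProvider.ACCESS_DENIED)) {
                    AbstractOAuth2IdentityProvider.logger.error("access_denied for broker login " + providerId);
                    return this.callback.cancelled(state);
                }
                AbstractOAuth2IdentityProvider.logger.error(safeError + " for broker login " + providerId);
                return this.callback.error(state, Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR);
            }
            if (authorizationCode != null) {
                try {
                    // Back-channel code exchange; the raw body is what gets persisted when
                    // "store token" is enabled, so it is never logged here.
                    String tokenResponse = generateTokenRequest(authorizationCode).asString();
                    BrokeredIdentityContext federatedIdentity = AbstractOAuth2IdentityProvider.this.getFederatedIdentity(tokenResponse);
                    if (AbstractOAuth2IdentityProvider.this.m89getConfig().isStoreToken()) {
                        federatedIdentity.setToken(tokenResponse);
                    }
                    federatedIdentity.setIdpConfig(AbstractOAuth2IdentityProvider.this.m89getConfig());
                    federatedIdentity.setIdp(AbstractOAuth2IdentityProvider.this);
                    // The broker "code" carried on the context is the OAuth state value.
                    federatedIdentity.setCode(state);
                    return this.callback.authenticated(federatedIdentity);
                } catch (Exception e) {
                    // Includes the NPE raised when doGetFederatedIdentity() returns null;
                    // all failures collapse into the generic error page below.
                    AbstractOAuth2IdentityProvider.logger.error("Failed to make identity provider oauth callback", e);
                }
            }
            this.event.event(EventType.LOGIN);
            this.event.error("identity_provider_login_failure");
            return ErrorPage.error(this.session, Messages.IDENTITY_PROVIDER_UNEXPECTED_ERROR, new Object[0]);
        }

        /**
         * Builds the token-endpoint request for the authorization-code grant.
         *
         * <p>{@code redirect_uri} is this endpoint's own absolute path; per RFC 6749 §4.1.3
         * it has to match the value sent in the authorization request, which
         * {@link AbstractOAuth2IdentityProvider#createAuthorizationUrl} takes from
         * {@code AuthenticationRequest.getRedirectUri()} — those two are expected to agree.
         * The client secret is sent as a form parameter (no HTTP Basic auth).
         *
         * @param authorizationCode the code received on the redirect
         * @return the prepared (not yet executed) request
         */
        public SimpleHttp generateTokenRequest(String authorizationCode) {
            C config = AbstractOAuth2IdentityProvider.this.m89getConfig();
            return SimpleHttp.doPost(config.getTokenUrl(), this.session)
                    .param("code", authorizationCode)
                    .param("client_id", config.getClientId())
                    .param(AbstractOAuth2IdentityProvider.OAUTH2_PARAMETER_CLIENT_SECRET, config.getClientSecret())
                    .param("redirect_uri", this.uriInfo.getAbsolutePath().toString())
                    .param("grant_type", AbstractOAuth2IdentityProvider.OAUTH2_GRANT_TYPE_AUTHORIZATION_CODE);
        }
    }

    /**
     * Creates the provider and fills in the default scope when the configuration has none.
     *
     * <p>Note that {@link #getDefaultScopes()} is an overridable method invoked from the
     * constructor, so subclass implementations must not rely on their own fields being set.
     *
     * @param keycloakSession the current session
     * @param c the provider configuration
     */
    public AbstractOAuth2IdentityProvider(KeycloakSession keycloakSession, C c) {
        super(keycloakSession, c);
        String configuredScope = c.getDefaultScope();
        if (configuredScope == null || configuredScope.isEmpty()) {
            c.setDefaultScope(getDefaultScopes());
        }
    }

    /**
     * Returns the JAX-RS sub-resource that handles the provider's redirect back.
     */
    public Object callback(RealmModel realmModel, IdentityProvider.AuthenticationCallback authenticationCallback, EventBuilder eventBuilder) {
        return new Endpoint(authenticationCallback, realmModel, eventBuilder);
    }

    /**
     * Starts the login by redirecting (303) the browser to the provider's authorization URL.
     *
     * @throws IdentityBrokerException if the authorization URL cannot be built
     */
    public Response performLogin(AuthenticationRequest authenticationRequest) {
        try {
            UriBuilder authorizationUrl = createAuthorizationUrl(authenticationRequest);
            return Response.seeOther(authorizationUrl.build(new Object[0])).build();
        } catch (Exception e) {
            throw new IdentityBrokerException("Could not create authentication request.", e);
        }
    }

    /**
     * Returns the stored token response for a federated identity, verbatim, as the
     * response body. This is the raw provider response captured when "store token" was
     * enabled, so it may contain more than the access token (e.g. a refresh token);
     * callers are responsible for authorizing access to it.
     */
    public Response retrieveToken(KeycloakSession keycloakSession, FederatedIdentityModel federatedIdentityModel) {
        return Response.ok(federatedIdentityModel.getToken()).build();
    }

    /* renamed from: getConfig, reason: merged with bridge method [inline-methods] */
    public C m89getConfig() {
        return (C) super.getConfig();
    }

    /**
     * Extracts a single value from a token-endpoint response.
     *
     * <p>A body starting with {@code "{"} is parsed as JSON and the named field is returned
     * only if it is a non-blank text node. Any other body is treated as
     * {@code application/x-www-form-urlencoded} and the value is taken up to the next
     * {@code &}, without percent-decoding (unchanged from the original behaviour).
     *
     * <p>Failure messages deliberately omit the response body: it carries the access token
     * and possibly a refresh token, and exception messages end up in logs.
     *
     * @param response the raw response body, may be {@code null}
     * @param tokenName the parameter / field name to look up
     * @return the value, or {@code null} if absent or blank
     * @throws IdentityBrokerException if the JSON body cannot be parsed
     */
    protected String extractTokenFromResponse(String response, String tokenName) {
        if (response == null) {
            return null;
        }
        if (!response.startsWith("{")) {
            // Quote the name so it is matched literally even if it contains regex metacharacters.
            Matcher matcher = Pattern.compile(Pattern.quote(tokenName) + "=([^&]+)").matcher(response);
            return matcher.find() ? matcher.group(1) : null;
        }
        try {
            JsonNode root = mapper.readTree(response);
            if (!root.has(tokenName)) {
                return null;
            }
            String value = root.get(tokenName).textValue();
            if (value == null || value.trim().isEmpty()) {
                return null;
            }
            return value;
        } catch (IOException e) {
            throw new IdentityBrokerException("Could not extract token [" + tokenName + "] from response due: " + e.getMessage(), e);
        }
    }

    /**
     * Pulls the {@code access_token} out of the token response and resolves the identity.
     *
     * @param response the raw token-endpoint response body
     * @return whatever {@link #doGetFederatedIdentity(String)} returns ({@code null} unless overridden)
     * @throws IdentityBrokerException if no usable access token is present; the message
     *         intentionally does not echo the response body
     */
    public BrokeredIdentityContext getFederatedIdentity(String response) {
        String accessToken = extractTokenFromResponse(response, "access_token");
        if (accessToken == null) {
            throw new IdentityBrokerException("No access token available in OAuth server response");
        }
        return doGetFederatedIdentity(accessToken);
    }

    /**
     * Hook for subclasses: turn an access token into a brokered identity
     * (typically by calling the provider's profile endpoint). Returns {@code null} here.
     */
    protected BrokeredIdentityContext doGetFederatedIdentity(String accessToken) {
        return null;
    }

    /**
     * Builds the authorization-endpoint URL for the code flow: {@code scope} from the
     * configured default scope, {@code state} from the request, {@code response_type=code},
     * {@code client_id} and {@code redirect_uri}.
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public UriBuilder createAuthorizationUrl(AuthenticationRequest authenticationRequest) {
        C config = m89getConfig();
        return UriBuilder.fromUri(config.getAuthorizationUrl())
                .queryParam("scope", new Object[]{config.getDefaultScope()})
                .queryParam("state", new Object[]{authenticationRequest.getState()})
                .queryParam("response_type", new Object[]{"code"})
                .queryParam("client_id", new Object[]{config.getClientId()})
                .queryParam("redirect_uri", new Object[]{authenticationRequest.getRedirectUri()});
    }

    /**
     * Returns the named property as text, or {@code null} when it is missing, JSON null,
     * or empty. Non-text nodes are converted with {@code asText()}.
     */
    public String getJsonProperty(JsonNode jsonNode, String name) {
        if (!jsonNode.has(name)) {
            return null;
        }
        JsonNode property = jsonNode.get(name);
        if (property.isNull()) {
            return null;
        }
        String text = property.asText();
        return (text == null || text.isEmpty()) ? null : text;
    }

    /** Parses a JSON document with the shared mapper. */
    public JsonNode asJsonNode(String json) throws IOException {
        return mapper.readTree(json);
    }

    /** Default {@code scope} to request when the configuration does not specify one. */
    protected abstract String getDefaultScopes();

    /** Removes CR/LF from attacker-supplied text before it is written to the log. */
    private static String forLog(String value) {
        return value.replace('\r', '_').replace('\n', '_');
    }
}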
