package org.keycloak.protocol.openshift;

import java.util.List;
import javax.ws.rs.Consumes;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.PathParam;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Response;
import org.keycloak.TokenVerifier;
import org.keycloak.common.Profile;
import org.keycloak.common.VerificationException;
import org.keycloak.crypto.SignatureProvider;
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.protocol.oidc.TokenManager;
import org.keycloak.protocol.oidc.ext.OIDCExtProvider;
import org.keycloak.protocol.oidc.utils.AuthorizeClientUtil;
import org.keycloak.protocol.openshift.OpenShiftTokenReviewResponseRepresentation;
import org.keycloak.provider.EnvironmentDependentProviderFactory;
import org.keycloak.representations.AccessToken;
import org.keycloak.services.ErrorResponseException;
import org.keycloak.services.Urls;
import org.keycloak.utils.MediaType;

/* loaded from: input_file:org/keycloak/protocol/openshift/OpenShiftTokenReviewEndpoint.class */
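/**
 * OIDC extension endpoint that answers OpenShift-style token reviews.
 *
 * A POST with a {@code spec.token} is accepted only over a connection that satisfies the realm's
 * SSL policy, for an enabled realm, and from an authenticated confidential client (public clients
 * are refused). The token is then verified as an {@link AccessToken} issued by this realm
 * (issuer URL, signature via the realm's {@link SignatureProvider}, and
 * {@link TokenManager#checkTokenValidForIntrospection}) and, on success, the subject, preferred
 * username, scopes and the {@code groups} claim are reported back with {@code authenticated=true}.
 * Every failure path produces a 401 with {@code authenticated=false} and records an
 * {@link EventType#INTROSPECT_TOKEN} error event.
 */
public class OpenShiftTokenReviewEndpoint implements OIDCExtProvider, EnvironmentDependentProviderFactory {

    private static final String ERROR_INVALID_TOKEN = "invalid_token";
    private static final String ERROR_INVALID_CLIENT_CREDENTIALS = "invalid_client_credentials";
    private static final String TOKEN_VERIFICATION_FAILURE = "Token verification failure";
    private static final String GROUPS_CLAIM = "groups";

    private final KeycloakSession session;
    private final TokenManager tokenManager = new TokenManager();
    private EventBuilder event;

    public OpenShiftTokenReviewEndpoint(KeycloakSession session) {
        this.session = session;
    }

    /** Injected by the OIDC extension machinery before any request method is invoked. */
    @Override // org.keycloak.protocol.oidc.ext.OIDCExtProvider
    public void setEvent(EventBuilder event) {
        this.event = event;
    }

    /**
     * Token review without a client id in the path; the client is identified from the request
     * itself (form or Authorization header, per {@link AuthorizeClientUtil}).
     */
    @Path("/")
    @Consumes({MediaType.APPLICATION_JSON})
    @POST
    @Produces({MediaType.APPLICATION_JSON})
    public Response tokenReview(OpenShiftTokenReviewRequestRepresentation reviewRequest) throws Exception {
        return tokenReview(null, reviewRequest);
    }

    /**
     * Token review with the client id carried in the path.
     *
     * @param clientId      client id from the URL, or {@code null} when absent
     * @param reviewRequest JSON body carrying {@code spec.token}; a missing body, spec or token is
     *                      answered with 401 rather than surfacing as a server error
     * @return 200 with {@code status.authenticated=true} and user details on success
     * @throws ErrorResponseException (401, {@code authenticated=false}) on any policy, client or
     *                                token failure
     */
    @Path("/{client_id}")
    @Consumes({MediaType.APPLICATION_JSON})
    @POST
    @Produces({MediaType.APPLICATION_JSON})
    public Response tokenReview(@PathParam("client_id") String clientId,
                                OpenShiftTokenReviewRequestRepresentation reviewRequest) throws Exception {
        event.event(EventType.INTROSPECT_TOKEN);
        if (clientId != null) {
            // Consulted by AuthorizeClientUtil when the client id arrives in the path instead of the body.
            session.setAttribute("client_id", clientId);
        }

        // Order matters: transport policy and realm state are checked before any client credential
        // is evaluated, and the client must be authorised before the reviewed token is touched.
        checkSsl();
        checkRealm();
        authorizeClient();

        RealmModel realm = session.getContext().getRealm();
        AccessToken token = verifyToken(realm, extractToken(reviewRequest));

        // Signature validity alone is not enough: session/user/client state must still be current.
        if (!tokenManager.checkTokenValidForIntrospection(session, realm, token)) {
            error(401, ERROR_INVALID_TOKEN, TOKEN_VERIFICATION_FAILURE);
        }

        OpenShiftTokenReviewResponseRepresentation response = new OpenShiftTokenReviewResponseRepresentation();
        response.getStatus().setAuthenticated(true);
        response.getStatus().setUser(new OpenShiftTokenReviewResponseRepresentation.User());
        OpenShiftTokenReviewResponseRepresentation.User user = response.getStatus().getUser();
        user.setUid(token.getSubject());
        user.setUsername(token.getPreferredUsername());

        String scope = token.getScope();
        if (scope != null && !scope.isEmpty()) {
            OpenShiftTokenReviewResponseRepresentation.Extra extra = new OpenShiftTokenReviewResponseRepresentation.Extra();
            extra.setScopes(scope.split(" "));
            user.setExtra(extra);
        }

        if (token.getOtherClaims() != null) {
            Object groups = token.getOtherClaims().get(GROUPS_CLAIM);
            // A "groups" claim that is not a list (e.g. a mapper configured to emit a single string)
            // would otherwise fail with ClassCastException -> 500. It is ignored instead: the user is
            // still authenticated, but with no group memberships, which is the fail-closed direction
            // for any group-based authorisation on the OpenShift side.
            if (groups instanceof List) {
                user.setGroups((List) groups);
            }
        }

        event.success();
        return Response.ok(response, MediaType.APPLICATION_JSON).build();
    }

    /**
     * Pulls {@code spec.token} out of the request, failing with 401 when the body, spec or token is
     * absent or empty so that a malformed review never turns into an unhandled NullPointerException.
     */
    private String extractToken(OpenShiftTokenReviewRequestRepresentation reviewRequest) {
        String rawToken = null;
        if (reviewRequest != null && reviewRequest.getSpec() != null) {
            rawToken = reviewRequest.getSpec().getToken();
        }
        if (rawToken == null || rawToken.isEmpty()) {
            error(401, ERROR_INVALID_TOKEN, "Missing token in review request");
        }
        return rawToken;
    }

    /**
     * Verifies the raw JWT as an access token issued by {@code realm}: issuer URL must match this
     * deployment and the signature must validate under the realm's provider for the header's
     * algorithm and key id. Any verification failure is reported as 401 {@code invalid_token}.
     */
    private AccessToken verifyToken(RealmModel realm, String rawToken) {
        AccessToken token = null;
        try {
            TokenVerifier<AccessToken> verifier = TokenVerifier.create(rawToken, AccessToken.class)
                    .realmUrl(Urls.realmIssuer(session.getContext().getUri().getBaseUri(), realm.getName()));

            // "alg" and "kid" are read from the untrusted token header. The realm's SignatureProvider
            // for that algorithm is what ultimately decides whether the key is acceptable, so a
            // missing algorithm or one with no registered provider must be rejected here; left
            // unchecked it would surface as a NullPointerException (500) outside the
            // VerificationException handler below.
            if (verifier.getHeader().getAlgorithm() == null) {
                error(401, ERROR_INVALID_TOKEN, TOKEN_VERIFICATION_FAILURE);
            }
            String algorithm = verifier.getHeader().getAlgorithm().name();
            SignatureProvider signatureProvider = session.getProvider(SignatureProvider.class, algorithm);
            if (signatureProvider == null) {
                error(401, ERROR_INVALID_TOKEN, TOKEN_VERIFICATION_FAILURE);
            }

            verifier.verifierContext(signatureProvider.verifier(verifier.getHeader().getKeyId()));
            verifier.verify();
            token = verifier.getToken();
        } catch (VerificationException e) {
            // Deliberately uniform message: the client learns nothing about why the token failed.
            error(401, ERROR_INVALID_TOKEN, TOKEN_VERIFICATION_FAILURE);
        }
        return token;
    }

    /** Refuses the request unless it is HTTPS or the realm's SSL policy does not require it for this connection. */
    private void checkSsl() {
        boolean https = "https".equals(session.getContext().getUri().getBaseUri().getScheme());
        boolean sslRequired = session.getContext().getRealm().getSslRequired()
                .isRequired(session.getContext().getConnection());
        if (!https && sslRequired) {
            error(401, "ssl_required", null);
        }
    }

    /** Refuses the request when the realm is disabled. */
    private void checkRealm() {
        if (!session.getContext().getRealm().isEnabled()) {
            error(401, "realm_disabled", null);
        }
    }

    /**
     * Authenticates the calling client and rejects public clients.
     *
     * The public-client check sits outside the try block on purpose: {@link #error} throws an
     * {@link ErrorResponseException}, so placing it inside would have the catch clauses re-report
     * the rejection as {@code invalid_client_credentials} and lose the real reason in the event log.
     * {@code ErrorResponseException} is also caught before the generic {@code Exception} so its
     * description is preserved (the reverse order would not compile).
     */
    private void authorizeClient() {
        ClientModel client = null;
        try {
            client = AuthorizeClientUtil.authorizeClient(session, event).getClient();
        } catch (ErrorResponseException e) {
            error(401, ERROR_INVALID_CLIENT_CREDENTIALS, e.getErrorDescription());
        } catch (Exception e) {
            // No detail on purpose: an unexpected failure must not leak internals to the caller.
            error(401, ERROR_INVALID_CLIENT_CREDENTIALS, null);
        }

        if (client != null) {
            event.client(client);
        }
        if (client == null || client.isPublicClient()) {
            error(401, "invalid_client", "Public client is not permitted to invoke token review endpoint");
        }
    }

    /**
     * Records an error event and aborts the request with a JSON body whose
     * {@code status.authenticated} is {@code false}.
     *
     * @param statusCode HTTP status for the response
     * @param errorCode  event error code (e.g. {@code invalid_token})
     * @param reason     optional human-readable detail recorded on the event; never sent to the caller
     */
    private void error(int statusCode, String errorCode, String reason) {
        OpenShiftTokenReviewResponseRepresentation rep = new OpenShiftTokenReviewResponseRepresentation();
        rep.getStatus().setAuthenticated(false);
        Response response = Response.status(statusCode)
                .entity(rep)
                .type(javax.ws.rs.core.MediaType.APPLICATION_JSON_TYPE)
                .build();

        // Attach the detail before calling error(): EventBuilder.error() is expected to finalise and
        // emit the event, so a detail added afterwards would never reach the audit log.
        if (reason != null) {
            event.detail("reason", reason);
        }
        event.error(errorCode);
        throw new ErrorResponseException(response);
    }

    /** The endpoint is only registered when the OpenShift integration feature is enabled. */
    @Override
    public boolean isSupported() {
        return Profile.isFeatureEnabled(Profile.Feature.OPENSHIFT_INTEGRATION);
    }
}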
