package org.webswing.server.services.security.modules.keycloak;

import java.io.File;
import java.io.IOException;
import java.net.URL;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.webswing.server.common.util.CommonUtil;
import org.webswing.server.services.security.api.AbstractWebswingUser;
import org.webswing.server.services.security.api.SecurityContext;
import org.webswing.server.services.security.api.WebswingAuthenticationException;
import org.webswing.server.services.security.extension.api.WebswingExtendableSecurityModuleConfig;
import org.webswing.server.services.security.modules.AbstractExtendableSecurityModule;
import org.webswing.server.services.security.modules.openidconnect.OpenIdConnectClient;
import org.webswing.server.services.security.modules.property.PropertySecurityModule;
import org.webswing.server.services.security.modules.property.PropertySecurityModuleConfig;

/* loaded from: input_file:WEB-INF/lib/webswing-server-security-2.5.jar:org/webswing/server/services/security/modules/keycloak/KeycloakSecurityModule.class */
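/**
 * Security module that delegates login to Keycloak through one {@link OpenIdConnectClient} per configured realm.
 *
 * <p>The realm a request belongs to is taken from the login request ({@link #REALM_PARAM}) and is only honoured
 * when it names a realm configured in {@link #init()}; otherwise the first configured realm is used. When the
 * selected realm's client is not initialized and a fallback property file is configured, login is handed to a
 * {@link PropertySecurityModule} instead.
 */
public class KeycloakSecurityModule extends AbstractExtendableSecurityModule<KeycloakSecurityModuleConfig> {
    private static final Logger log = LoggerFactory.getLogger(KeycloakSecurityModule.class);
    /** Login-request parameter and user-attribute key carrying the realm name. */
    public static final String REALM_PARAM = "realm";
    /** Value of the trusted-PEM-file setting that is passed to the client as the "disabled" flag instead of a file. */
    private static final String TRUST_DISABLED = "DISABLED";
    /** One OpenID Connect client per configured realm, keyed by the variable-expanded realm name. */
    private Map<String, OpenIdConnectClient> clients;
    /** Realm used when a request names no realm or an unknown one; the first realm in the configuration. */
    private String defaultClient;
    /** Property-file module used when the selected realm's client is not initialized; null when no fallback file is configured. */
    private PropertySecurityModule fallback;

    /**
     * Adapter that exposes the module's own config as a {@link PropertySecurityModuleConfig}, overriding only the
     * property file location. Static: it does not use the enclosing module instance.
     */
    private static class FallbackPropertyConfig implements PropertySecurityModuleConfig {
        private final WebswingExtendableSecurityModuleConfig c;
        private final String file;

        /**
         * @param webswingExtendableSecurityModuleConfig config every call except {@link #getFile()} is delegated to
         * @param str path of the fallback property file reported by {@link #getFile()}
         */
        public FallbackPropertyConfig(WebswingExtendableSecurityModuleConfig webswingExtendableSecurityModuleConfig, String str) {
            this.c = webswingExtendableSecurityModuleConfig;
            this.file = str;
        }

        @Override // org.webswing.server.common.model.Config
        public <T> T getValueAs(String str, Class<T> cls) {
            return (T) this.c.getValueAs(str, cls);
        }

        @Override // org.webswing.server.common.model.Config
        public Map<String, Object> asMap() {
            return this.c.asMap();
        }

        @Override // org.webswing.server.services.security.api.WebswingSecurityModuleConfig
        public SecurityContext getContext() {
            return this.c.getContext();
        }

        /** @return the fallback property file given at construction, not the wrapped config's value */
        @Override // org.webswing.server.services.security.modules.property.PropertySecurityModuleConfig
        public String getFile() {
            return this.file;
        }

        @Override // org.webswing.server.services.security.extension.api.WebswingExtendableSecurityModuleConfig
        public List<String> getExtensions() {
            return this.c.getExtensions();
        }
    }

    /**
     * @param keycloakSecurityModuleConfig module configuration; clients are created later in {@link #init()}
     */
    public KeycloakSecurityModule(KeycloakSecurityModuleConfig keycloakSecurityModuleConfig) {
        super(keycloakSecurityModuleConfig);
        this.clients = new HashMap<String, OpenIdConnectClient>();
    }

    /**
     * Builds one {@link OpenIdConnectClient} per configured realm and the optional property-file fallback.
     *
     * <p>All configuration values pass through {@code replaceVar} before use. The discovery URL is
     * {@code <keycloakUrl>/realms/<realm>/.well-known/openid-configuration} and the callback URL gets a
     * {@code realm=<realm>} parameter so the realm can be recovered on the way back.
     *
     * @throws RuntimeException when no realm is configured or any client fails to construct (cause attached)
     */
    @Override // org.webswing.server.services.security.modules.AbstractExtendableSecurityModule, org.webswing.server.services.security.modules.AbstractSecurityModule, org.webswing.server.services.security.api.WebswingSecurityModule
    public void init() {
        super.init();
        try {
            KeycloakSecurityModuleConfig cfg = (KeycloakSecurityModuleConfig) getConfig();
            URL callbackUrl = new URL(replaceVar(cfg.getCallbackUrl()));
            String clientId = replaceVar(cfg.getClientId());
            String clientSecret = replaceVar(cfg.getClientSecret());
            String trustedPem = replaceVar(cfg.getTrustedPemFile());
            File trustedPemFile = cfg.getContext().resolveFile(trustedPem);
            // "DISABLED" is a sentinel, not a file name; the flag is handed to the client alongside the resolved file.
            boolean trustDisabled = TRUST_DISABLED.equals(trustedPem);
            String rolesAttribute = replaceVar(cfg.getRolesAttributeName());
            String usernameAttribute = replaceVar(cfg.getUsernameAttributeName());
            String keycloakUrl = replaceVar(cfg.getKeycloakUrl());
            List<RealmEntry> realms = cfg.getRealms();
            if (realms == null || realms.isEmpty()) {
                throw new RuntimeException("No Keycloak realms defined. At least one has to be defined");
            }
            this.defaultClient = replaceVar(realms.get(0).getRealm());
            for (RealmEntry realmEntry : realms) {
                String realm = replaceVar(realmEntry.getRealm());
                // Plain %s: "%1s"/"%2s" are minimum field widths, not argument indices, and left-padded
                // a one-character realm name with a space, producing "/realms/ x/".
                URL discoveryUrl = new URL(String.format("%s/realms/%s/.well-known/openid-configuration", keycloakUrl, realm));
                URL realmCallbackUrl = new URL(CommonUtil.addParam(callbackUrl.toString(), "realm=" + realm));
                OpenIdConnectClient client = new OpenIdConnectClient(discoveryUrl, realmCallbackUrl, clientId, clientSecret, trustDisabled, trustedPemFile, rolesAttribute, usernameAttribute);
                client.setLogoutUrl(replaceVar(realmEntry.getLogoutUrl()));
                if (this.clients.put(realm, client) != null) {
                    // Silent overwrite would hide a configuration mistake; the last definition wins, as before.
                    log.warn("Keycloak realm '{}' is configured more than once; using the last definition.", realm);
                }
            }
            String fallbackFile = cfg.getFallbackFile();
            if (StringUtils.isNotBlank(fallbackFile)) {
                this.fallback = new PropertySecurityModule(new FallbackPropertyConfig((WebswingExtendableSecurityModuleConfig) cfg, fallbackFile));
            }
        } catch (Exception e) {
            log.error("Initializing of OpenID Connect client failed.", e);
            throw new RuntimeException("Initializing of OpenID Connect client failed.", e);
        }
    }

    /**
     * Routes the login either through the regular OpenID Connect flow or, when the selected realm's client never
     * initialized and a fallback is configured, through the property-file module.
     */
    @Override // org.webswing.server.services.security.modules.AbstractExtendableSecurityModule, org.webswing.server.services.security.modules.AbstractSecurityModule, org.webswing.server.services.security.api.WebswingSecurityModule
    public AbstractWebswingUser doLogin(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        OpenIdConnectClient client = this.clients.get(resolveRealmName(httpServletRequest));
        if (!client.isInitialized() && this.fallback != null) {
            return this.fallback.doLogin(httpServletRequest, httpServletResponse);
        }
        return super.doLogin(httpServletRequest, httpServletResponse);
    }

    /**
     * Picks the realm for a request: the {@link #REALM_PARAM} value of the login request if it names a configured
     * realm, otherwise {@link #defaultClient}. Since only configured names are accepted, the client-supplied
     * value cannot select a client that {@link #init()} did not create.
     *
     * @return a key that is always present in {@link #clients}
     */
    private String resolveRealmName(HttpServletRequest httpServletRequest) {
        Map<String, Object> loginRequest = getLoginRequest(httpServletRequest);
        String requested = null;
        if (loginRequest != null) {
            Object value = loginRequest.get(REALM_PARAM);
            // The login request is client-supplied; a non-string value is treated as absent rather than cast blindly.
            if (value instanceof String) {
                requested = (String) value;
            }
        }
        return (requested == null || !this.clients.containsKey(requested)) ? this.defaultClient : requested;
    }

    /**
     * Renders the login step: an error partial when the realm's client is unavailable or a previous attempt failed,
     * otherwise a redirect to the realm's authorization endpoint.
     *
     * @param webswingAuthenticationException failure of a previous attempt to show, or null
     */
    @Override // org.webswing.server.services.security.modules.AbstractSecurityModule
    protected void serveLoginPartial(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, WebswingAuthenticationException webswingAuthenticationException) throws IOException {
        OpenIdConnectClient client = this.clients.get(resolveRealmName(httpServletRequest));
        if (!client.isInitialized()) {
            sendPartialHtml(httpServletRequest, httpServletResponse, "errorPartial.html", new Exception("Authentication server is not available."));
            return;
        }
        if (webswingAuthenticationException != null) {
            sendPartialHtml(httpServletRequest, httpServletResponse, "errorPartial.html", webswingAuthenticationException);
            return;
        }
        sendRedirect(httpServletRequest, httpServletResponse, client.getOpenIDRedirectUrl());
    }

    /**
     * Exchanges the authorization code carried by the request for a user via the request's realm client.
     *
     * @return the authenticated user, or null when the request carries no code (not an error: the flow has not
     *     returned from Keycloak yet)
     * @throws WebswingAuthenticationException when the code exchange fails for any reason; the cause is attached
     */
    @Override // org.webswing.server.services.security.modules.AbstractSecurityModule
    protected AbstractWebswingUser authenticate(HttpServletRequest httpServletRequest) throws WebswingAuthenticationException {
        String code = OpenIdConnectClient.getCode(httpServletRequest);
        if (StringUtils.isEmpty(code)) {
            return null;
        }
        try {
            String realm = resolveRealmName(httpServletRequest);
            OpenIdConnectClient client = this.clients.get(realm);
            // Raw type kept on purpose: the parameter type of getUser(..) is declared in OpenIdConnectClient and not visible here.
            @SuppressWarnings({"rawtypes", "unchecked"})
            HashMap extraAttributes = new HashMap();
            extraAttributes.put(REALM_PARAM, realm);
            AbstractWebswingUser user = client.getUser(code, extraAttributes);
            logSuccess(httpServletRequest, user.getUserId());
            return user;
        } catch (Exception e) {
            // NOTE(review): e.getMessage() is embedded in the exception that serveLoginPartial renders to the
            // browser; confirm the client's failure messages carry nothing that should stay server-side.
            logFailure(httpServletRequest, null, "Failed to authenticate." + e.getMessage());
            log.error("Failed to authenticate", e);
            throw new WebswingAuthenticationException("Failed to authenticate. " + e.getMessage(), WebswingAuthenticationException.FAILED_TO_AUTHENTICATE, e);
        }
    }

    /**
     * Redirects to the end-session URL of the realm recorded in the user's {@link #REALM_PARAM} attribute, or to
     * the plain logout target (null URL) when that realm is unknown or its client is not initialized.
     */
    @Override // org.webswing.server.services.security.modules.AbstractSecurityModule, org.webswing.server.services.security.api.WebswingSecurityModule
    public void doLogout(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AbstractWebswingUser abstractWebswingUser) throws ServletException, IOException {
        String logoutUrl = null;
        // Presumably the realm recorded via the extra attributes passed to getUser(..) in authenticate(); the
        // attribute map's value type is not visible here, so a non-string value is treated as absent.
        Object realm = abstractWebswingUser.getUserAttributes().get(REALM_PARAM);
        if (realm instanceof String) {
            OpenIdConnectClient client = this.clients.get((String) realm);
            if (client != null && client.isInitialized()) {
                logoutUrl = replaceVar(client.getLogoutUrl());
            }
        }
        logoutRedirect(httpServletRequest, httpServletResponse, logoutUrl);
    }
}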
