package ru.playa.keycloak.modules;

import jakarta.ws.rs.GET;
import jakarta.ws.rs.QueryParam;
import jakarta.ws.rs.WebApplicationException;
import jakarta.ws.rs.core.Response;
import org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider;
import org.keycloak.broker.oidc.OAuth2IdentityProviderConfig;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.broker.provider.IdentityBrokerException;
import org.keycloak.broker.provider.IdentityProvider;
import org.keycloak.broker.provider.util.IdentityBrokerState;
import org.keycloak.broker.provider.util.SimpleHttp;
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType;
import org.keycloak.models.KeycloakContext;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.services.ErrorPage;
import org.keycloak.services.Urls;
import org.keycloak.services.managers.ClientSessionCode;
import org.keycloak.sessions.AuthenticationSessionModel;

/* loaded from: input_file:ru/playa/keycloak/modules/AbstractRussianOAuth2IdentityProvider.class */
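/**
 * Base class for the Russian OAuth2 identity providers in this module.
 * <p>
 * It differs from {@link AbstractOAuth2IdentityProvider} in the callback
 * endpoint it installs ({@link AbstractRussianEndpoint}), which performs the
 * authorization-code exchange itself so that subclasses can customise the
 * token request ({@code authenticateTokenRequest}) and the parsing of the
 * token response ({@code getFederatedIdentity}).
 *
 * @param <C> the provider configuration type
 */
public abstract class AbstractRussianOAuth2IdentityProvider<C extends OAuth2IdentityProviderConfig> extends AbstractOAuth2IdentityProvider<C> {

    /**
     * JAX-RS endpoint that receives the browser redirect back from the external
     * provider and exchanges the authorization code for a token response.
     *
     * @param <T> the concrete provider that owns this endpoint
     */
    public static class AbstractRussianEndpoint<T extends AbstractOAuth2IdentityProvider> extends AbstractOAuth2IdentityProvider.Endpoint {

        /** Message key used for every unexpected failure of the callback. */
        private static final String UNEXPECTED_ERROR_MESSAGE = "identityProviderUnexpectedErrorMessage";

        /** Event error code recorded for a failed brokered login. */
        private static final String LOGIN_FAILURE_ERROR = "identity_provider_login_failure";

        private final T provider;

        /**
         * Creates the endpoint.
         *
         * @param authenticationCallback broker callback used to finish or abort the login
         * @param realmModel             realm the login belongs to
         * @param eventBuilder           event sink for login/failure events
         * @param t                      provider that owns this endpoint
         */
        public AbstractRussianEndpoint(IdentityProvider.AuthenticationCallback authenticationCallback, RealmModel realmModel, EventBuilder eventBuilder, T t) {
            super(authenticationCallback, realmModel, eventBuilder, t);
            this.provider = t;
        }

        /**
         * Returns the provider that owns this endpoint.
         *
         * @return the owning provider
         */
        public T getProvider() {
            return this.provider;
        }

        /**
         * Handles the redirect from the external provider.
         * <p>
         * Validates {@code state} against the pending authentication session, maps a
         * provider-reported {@code error} onto the broker callback, and otherwise
         * exchanges {@code code} at the token endpoint and hands the resulting
         * {@link BrokeredIdentityContext} to the broker.
         *
         * @param state             broker state echoed back by the provider; required
         * @param authorizationCode authorization code issued by the provider; required unless {@code error} is set
         * @param error             OAuth2 error code reported by the provider, if any
         * @return the response that continues or aborts the brokered login
         */
        @GET
        public Response authResponse(@QueryParam("state") String state, @QueryParam("code") String authorizationCode, @QueryParam("error") String error) {
            OAuth2IdentityProviderConfig config = this.provider.getConfig();
            if (state == null) {
                logErroneousRedirectUrlError("Redirection URL does not contain a state parameter", config);
                return errorIdentityProviderLogin("identityProviderMissingStateMessage");
            }
            try {
                AuthenticationSessionModel authSession = this.callback.getAndVerifyAuthenticationSession(state);
                this.session.getContext().setAuthenticationSession(authSession);
                if (error != null) {
                    logErroneousRedirectUrlError("Redirection URL contains an error", config);
                    return mapProviderError(error, config);
                }
                if (authorizationCode == null) {
                    logErroneousRedirectUrlError("Redirection URL neither contains a code nor error parameter", config);
                    return errorIdentityProviderLogin("identityProviderMissingCodeOrErrorMessage");
                }

                SimpleHttp tokenRequest = generateTokenRequest(authorizationCode);
                // Log only the endpoint: the request carries the authorization code and, after
                // authenticateTokenRequest, the client credentials, so the request object itself
                // must not be written to the log.
                AbstractRussianOAuth2IdentityProvider.logger.debugf("Exchanging authorization code at %s", tokenRequest.getUrl());

                int status;
                String responseBody;
                try (SimpleHttp.Response response = tokenRequest.asResponse()) {
                    status = response.getStatus();
                    responseBody = response.asString();
                }
                if (status < 200 || status >= 400) {
                    AbstractRussianOAuth2IdentityProvider.logger.errorf("Unexpected response from token endpoint %s. status=%s, response=%s", tokenRequest.getUrl(), status, responseBody);
                    return errorIdentityProviderLogin(UNEXPECTED_ERROR_MESSAGE);
                }

                BrokeredIdentityContext federatedIdentity = this.provider.getFederatedIdentity(responseBody);
                // Keep the raw token response only when the realm asked for it and the
                // provider did not already extract a token of its own.
                if (config.isStoreToken() && federatedIdentity.getToken() == null) {
                    federatedIdentity.setToken(responseBody);
                }
                federatedIdentity.setIdp(this.provider);
                federatedIdentity.setAuthenticationSession(authSession);
                return this.callback.authenticated(federatedIdentity);
            } catch (IdentityBrokerException e) {
                if (e.getMessageCode() != null) {
                    return errorIdentityProviderLogin(e.getMessageCode());
                }
                AbstractRussianOAuth2IdentityProvider.logger.error("Failed to make identity provider oauth callback", e);
                return errorIdentityProviderLogin(UNEXPECTED_ERROR_MESSAGE);
            } catch (IllegalArgumentException e) {
                AbstractRussianOAuth2IdentityProvider.logger.error("Failed to make identity provider oauth callback illegal argument exception", e);
                this.event.event(EventType.LOGIN);
                this.event.error(LOGIN_FAILURE_ERROR);
                // NOTE(review): MessageUtils.EMAIL is presumably the message shown when the provider
                // did not return an e-mail address (the condition subclasses signal with
                // IllegalArgumentException) — confirm against the providers in this package.
                return ErrorPage.error(this.session, (AuthenticationSessionModel) null, Response.Status.BAD_GATEWAY, MessageUtils.EMAIL, new Object[0]);
            } catch (WebApplicationException e) {
                return e.getResponse();
            } catch (Exception e) {
                AbstractRussianOAuth2IdentityProvider.logger.error("Failed to make identity provider oauth callback", e);
                return errorIdentityProviderLogin(UNEXPECTED_ERROR_MESSAGE);
            }
        }

        /**
         * Maps an OAuth2 {@code error} value reported by the provider onto the broker callback.
         *
         * @param error  the {@code error} query parameter
         * @param config provider configuration, passed to the cancellation callback
         * @return the broker's response for that error
         */
        private Response mapProviderError(String error, OAuth2IdentityProviderConfig config) {
            switch (error) {
                case "access_denied":
                    return this.callback.cancelled(config);
                case "login_required":
                case "interaction_required":
                    return this.callback.error(error);
                default:
                    return this.callback.error(UNEXPECTED_ERROR_MESSAGE);
            }
        }

        /**
         * Logs a malformed redirect from the provider.
         *
         * @param message what was wrong with the redirect
         * @param config  provider configuration, used for the provider id
         */
        private void logErroneousRedirectUrlError(String message, OAuth2IdentityProviderConfig config) {
            // NOTE(review): the full request URI, query string included, is logged here; a redirect
            // that carries a code together with a missing state would put the one-time
            // authorization code into the error log.
            AbstractRussianOAuth2IdentityProvider.logger.errorf("%s. providerId=%s, redirectionUrl=%s", message, config.getProviderId(), this.session.getContext().getUri().getRequestUri().toString());
        }

        /**
         * Records a failed brokered login and renders the error page.
         *
         * @param messageKey message key shown to the user
         * @return the error page response
         */
        private Response errorIdentityProviderLogin(String messageKey) {
            this.event.event(EventType.IDENTITY_PROVIDER_LOGIN);
            this.event.error(LOGIN_FAILURE_ERROR);
            return ErrorPage.error(this.session, (AuthenticationSessionModel) null, Response.Status.BAD_GATEWAY, messageKey, new Object[0]);
        }

        /**
         * Builds the authorization-code token request for the provider's token endpoint.
         * <p>
         * When PKCE is enabled the {@code code_verifier} is recovered from the client session
         * identified by the {@code state} query parameter of the current request.
         *
         * @param authorizationCode the code received on the redirect
         * @return the prepared request, authenticated by the provider unless the PKCE lookup failed
         */
        public SimpleHttp generateTokenRequest(String authorizationCode) {
            KeycloakContext context = this.session.getContext();
            OAuth2IdentityProviderConfig config = this.provider.getConfig();
            String redirectUri = Urls.identityProviderAuthnResponse(context.getUri().getBaseUri(), config.getAlias(), context.getRealm().getName()).toString();
            SimpleHttp tokenRequest = SimpleHttp.doPost(config.getTokenUrl(), this.session)
                    .param("code", authorizationCode)
                    .param("redirect_uri", redirectUri)
                    .param("grant_type", "authorization_code");
            if (config.isPkceEnabled()) {
                String codeVerifier = lookupPkceCodeVerifier(context);
                if (codeVerifier == null) {
                    // Preserved behaviour: when the verifier cannot be found the request is returned
                    // as-is, i.e. without code_verifier and without provider authentication, and the
                    // token endpoint is left to reject it.
                    return tokenRequest;
                }
                tokenRequest.param("code_verifier", codeVerifier);
            }
            return this.provider.authenticateTokenRequest(tokenRequest);
        }

        /**
         * Looks up the PKCE {@code code_verifier} stored on the client session for the
         * current request's {@code state} parameter.
         *
         * @param context current Keycloak context
         * @return the verifier, or {@code null} when state, client session or note is missing
         */
        private String lookupPkceCodeVerifier(KeycloakContext context) {
            String state = context.getUri().getQueryParameters().getFirst("state");
            if (state == null) {
                AbstractRussianOAuth2IdentityProvider.logger.warn("Cannot lookup PKCE code_verifier: state param is missing.");
                return null;
            }
            RealmModel realm = context.getRealm();
            IdentityBrokerState brokerState = IdentityBrokerState.encoded(state, realm);
            AuthenticationSessionModel clientSession = ClientSessionCode.getClientSession(
                    brokerState.getEncoded(),
                    brokerState.getTabId(),
                    this.session,
                    realm,
                    realm.getClientByClientId(brokerState.getClientId()),
                    this.event,
                    AuthenticationSessionModel.class);
            if (clientSession == null) {
                AbstractRussianOAuth2IdentityProvider.logger.warnf("Cannot lookup PKCE code_verifier: authSession not found. state=%s", state);
                return null;
            }
            String codeVerifier = clientSession.getClientNote("BROKER_CODE_CHALLENGE_PARAM");
            if (codeVerifier == null) {
                AbstractRussianOAuth2IdentityProvider.logger.warnf("Cannot lookup PKCE code_verifier: brokerCodeChallenge not found. state=%s", state);
            }
            return codeVerifier;
        }
    }

    /**
     * Creates the provider.
     *
     * @param keycloakSession current session
     * @param c               provider configuration
     */
    public AbstractRussianOAuth2IdentityProvider(KeycloakSession keycloakSession, C c) {
        super(keycloakSession, c);
        // getConfig() on the model is the raw configuration map, which holds the client
        // secret; it must never be logged wholesale. Identify the provider by alias and id only.
        logger.infof("Config alias=%s providerId=%s", c.getAlias(), c.getProviderId());
    }

    /**
     * Installs {@link AbstractRussianEndpoint} as the callback resource for this provider.
     *
     * @param realmModel             realm the login belongs to
     * @param authenticationCallback broker callback
     * @param eventBuilder           event sink
     * @return the JAX-RS resource handling the provider redirect
     */
    @Override
    public Object callback(RealmModel realmModel, IdentityProvider.AuthenticationCallback authenticationCallback, EventBuilder eventBuilder) {
        return new AbstractRussianEndpoint<>(authenticationCallback, realmModel, eventBuilder, this);
    }
}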
