package be.atbash.ee.security.octopus.keycloak.servlet;

import be.atbash.ee.security.octopus.session.usage.ActiveSessionRegistry;
import be.atbash.ee.security.octopus.subject.UserPrincipal;
import be.atbash.util.exception.AtbashUnexpectedException;
import java.io.IOException;
import java.util.Objects;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.common.util.StreamUtil;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.jose.jws.JWSInputException;
import org.keycloak.jose.jws.crypto.RSAProvider;
import org.keycloak.representations.VersionRepresentation;
import org.keycloak.representations.adapters.action.AdminAction;
import org.keycloak.representations.adapters.action.LogoutAction;
import org.keycloak.representations.adapters.action.PushNotBeforeAction;
import org.keycloak.representations.adapters.action.TestAvailabilityAction;
import org.keycloak.util.JsonSerialization;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:be/atbash/ee/security/octopus/keycloak/servlet/OIDCActions.class */
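/**
 * Keycloak adapter "pre-auth" actions for one request/response pair: the CORS
 * preflight answer and the admin callbacks pushed by the Keycloak server
 * (K_LOGOUT, K_PUSH_NOT_BEFORE, K_TEST_AVAILABLE, K_VERSION).
 *
 * <p>Every admin callback passes {@link #verifyAdminRequest()} (transport and
 * signature checks) and {@link #validateAction(AdminAction)} (structure, expiry
 * and resource checks) before it has any effect; the version endpoint is the
 * only unauthenticated action. An instance is bound to a single request and
 * response and is not intended to be shared between threads.
 */
class OIDCActions {
    private static final Logger logger = LoggerFactory.getLogger(OIDCActions.class);

    private final KeycloakDeployment deployment;
    private final HttpServletRequest request;
    private final HttpServletResponse response;
    private final ActiveSessionRegistry activeSessionRegistry;

    /**
     * Binds the actions to one request/response pair.
     *
     * @param keycloakDeployment    adapter configuration (CORS settings, realm key, resource name)
     * @param httpServletRequest    the incoming request
     * @param httpServletResponse   the response the actions write to
     * @param activeSessionRegistry registry used to invalidate local sessions on K_LOGOUT
     * @throws NullPointerException when any argument is {@code null}
     */
    public OIDCActions(KeycloakDeployment keycloakDeployment, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, ActiveSessionRegistry activeSessionRegistry) {
        this.deployment = Objects.requireNonNull(keycloakDeployment, "keycloakDeployment");
        this.request = Objects.requireNonNull(httpServletRequest, "httpServletRequest");
        this.response = Objects.requireNonNull(httpServletResponse, "httpServletResponse");
        this.activeSessionRegistry = Objects.requireNonNull(activeSessionRegistry, "activeSessionRegistry");
    }

    /**
     * Answers a CORS preflight request when CORS is enabled for the deployment.
     *
     * <p>A preflight is an {@code OPTIONS} request carrying an {@code Origin}
     * header. When both hold, a 200 response with the CORS allow headers is
     * written and {@code true} is returned so the caller stops processing.
     * Any other request (including OPTIONS without Origin) gets {@code false}
     * and nothing is written.
     *
     * @return {@code true} when the preflight response was written, {@code false} otherwise
     */
    public boolean preflightCors() {
        if (!deployment.isCors()) {
            return false;
        }
        logger.debug("checkCorsPreflight " + request.getRequestURI());
        // A preflight is by definition an OPTIONS request. The previous condition was
        // inverted: it returned false for OPTIONS and answered every other cross-origin
        // request with an empty 200 before it reached the application.
        if (!"OPTIONS".equalsIgnoreCase(request.getMethod())) {
            return false;
        }
        String origin = request.getHeader("Origin");
        if (origin == null) {
            logger.debug("checkCorsPreflight: no origin header");
            return false;
        }
        logger.debug("Preflight request returning");
        response.setStatus(HttpServletResponse.SC_OK);
        // NOTE(review): the request Origin is echoed back together with
        // Allow-Credentials=true; no allow-list is consulted here. Presumably the
        // origin is checked against the token's allowed origins on the authenticated
        // request - confirm that check exists in the caller before relying on it.
        response.setHeader("Access-Control-Allow-Origin", origin);
        response.setHeader("Access-Control-Allow-Credentials", "true");
        String requestedMethod = request.getHeader("Access-Control-Request-Method");
        if (requestedMethod != null) {
            // A configured allow-list takes precedence over echoing what was requested.
            String allowedMethods = deployment.getCorsAllowedMethods();
            response.setHeader("Access-Control-Allow-Methods",
                    allowedMethods != null ? allowedMethods : requestedMethod);
        }
        String requestedHeaders = request.getHeader("Access-Control-Request-Headers");
        if (requestedHeaders != null) {
            String allowedHeaders = deployment.getCorsAllowedHeaders();
            response.setHeader("Access-Control-Allow-Headers",
                    allowedHeaders != null ? allowedHeaders : requestedHeaders);
        }
        // A negative max-age means "do not send the header".
        if (deployment.getCorsMaxAge() > -1) {
            response.setHeader("Access-Control-Max-Age", Integer.toString(deployment.getCorsMaxAge()));
        }
        return true;
    }

    /**
     * Handles the K_LOGOUT callback: invalidates every local session whose
     * principal carries one of the Keycloak session ids named in the action.
     *
     * <p>Nothing happens when the request is rejected by the verification or
     * validation step; those steps have already written the error response.
     *
     * @throws AtbashUnexpectedException wrapping any I/O or parsing failure
     */
    public void handleLogout() {
        logger.trace("K_LOGOUT sent");
        try {
            LogoutAction action = readValidatedAction(LogoutAction.class);
            if (action == null) {
                return;
            }
            for (final String keycloakSessionId : action.getKeycloakSessionIds()) {
                activeSessionRegistry.invalidateSession(new ActiveSessionRegistry.UserSessionFinder() {
                    @Override
                    public boolean isCorrectPrincipal(UserPrincipal userPrincipal, String sessionId) {
                        // Match on the Keycloak session id stored on the principal under
                        // "externalSession"; the second argument is not consulted.
                        return keycloakSessionId.equals(userPrincipal.getUserInfo("externalSession"));
                    }
                });
            }
        } catch (Exception e) {
            throw new AtbashUnexpectedException(e);
        }
    }

    /**
     * Handles the K_PUSH_NOT_BEFORE callback: stores the pushed not-before time
     * on the deployment once the action has been verified and validated.
     *
     * @throws AtbashUnexpectedException wrapping any I/O or parsing failure
     */
    public void handlePushNotBefore() {
        logger.trace("K_PUSH_NOT_BEFORE sent");
        try {
            PushNotBeforeAction action = readValidatedAction(PushNotBeforeAction.class);
            if (action != null) {
                deployment.setNotBefore(action.getNotBefore());
            }
        } catch (Exception e) {
            throw new AtbashUnexpectedException(e);
        }
    }

    /**
     * Handles the K_TEST_AVAILABLE callback. The action has no effect beyond
     * running the verification and validation steps, which write an error
     * response when the adapter cannot accept admin callbacks.
     *
     * @throws AtbashUnexpectedException wrapping any I/O or parsing failure
     */
    public void handleTestAvailable() {
        logger.trace("K_TEST_AVAILABLE sent");
        try {
            readValidatedAction(TestAvailabilityAction.class);
        } catch (Exception e) {
            throw new AtbashUnexpectedException(e);
        }
    }

    /**
     * Shared admin-callback pipeline: transport/signature verification, JSON
     * parsing of the action body, then action validation.
     *
     * @param type the concrete action type to parse
     * @return the validated action, or {@code null} when the request was rejected
     *         (an error response has then already been sent)
     * @throws Exception propagated from {@link #verifyAdminRequest()} and parsing
     */
    private <T extends AdminAction> T readValidatedAction(Class<T> type) throws Exception {
        JWSInput token = verifyAdminRequest();
        if (token == null) {
            return null;
        }
        T action = JsonSerialization.readValue(token.getContent(), type);
        return validateAction(action) ? action : null;
    }

    /**
     * Performs the transport and signature checks shared by all admin callbacks.
     *
     * <p>Rejects with 403 (and returns {@code null}) when SSL is required for the
     * caller's address but the request is not secure, when the body is empty, or
     * when the body is not a JWS that verifies against the deployment's realm key.
     *
     * @return the verified token, or {@code null} when an error response was sent
     * @throws Exception on I/O failures while reading the body or writing the error
     */
    protected JWSInput verifyAdminRequest() throws Exception {
        // NOTE(review): isSecure() reflects the container's view of the connection;
        // behind a TLS-terminating proxy it depends on the container's proxy setup.
        if (!request.isSecure() && deployment.getSslRequired().isRequired(request.getRemoteAddr())) {
            logger.warn("SSL is required for adapter admin action");
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "ssl required");
            return null;
        }
        String body = StreamUtil.readString(request.getInputStream());
        if (body == null) {
            logger.warn("admin request failed, no token");
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "no token");
            return null;
        }
        try {
            JWSInput token = new JWSInput(body);
            if (RSAProvider.verify(token, deployment.getRealmKey())) {
                return token;
            }
        } catch (JWSInputException e) {
            // A malformed token is reported below exactly like an unverifiable one;
            // keep the parse failure at debug level so the cause is not lost entirely.
            logger.debug("admin request token could not be parsed", e);
        }
        logger.warn("admin request failed, unable to verify token");
        response.sendError(HttpServletResponse.SC_FORBIDDEN, "no token");
        return null;
    }

    /**
     * Validates an already signature-verified admin action: its own
     * {@code validate()} check, expiry, and that it targets this deployment's resource.
     *
     * @param adminAction the parsed action
     * @return {@code true} when the action may be applied; {@code false} when a
     *         400 error response was written
     * @throws IOException when the error response cannot be written
     */
    protected boolean validateAction(AdminAction adminAction) throws IOException {
        if (!adminAction.validate()) {
            logger.warn("admin request failed, not validated " + adminAction.getAction());
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Not validated");
            return false;
        }
        if (adminAction.isExpired()) {
            logger.warn("admin request failed, expired token");
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Expired token");
            return false;
        }
        // Compare from the deployment's own name so an action without a resource can never match.
        if (!deployment.getResourceName().equals(adminAction.getResource())) {
            logger.warn("Resource name does not match");
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Resource name does not match");
            return false;
        }
        return true;
    }

    /**
     * Handles the K_VERSION request by writing the adapter version as JSON.
     * This action is unauthenticated.
     *
     * @throws AtbashUnexpectedException wrapping any failure while writing the response
     */
    public void handleVersion() {
        try {
            response.setStatus(HttpServletResponse.SC_OK);
            response.setHeader("Content-Type", "application/json");
            JsonSerialization.writeValueToStream(response.getOutputStream(), VersionRepresentation.SINGLETON);
        } catch (Exception e) {
            throw new AtbashUnexpectedException(e);
        }
    }

    /**
     * @return the request URI of the bound request
     */
    public String getURI() {
        return request.getRequestURI();
    }
}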
