package io.gravitee.resource.oauth2.keycloak;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.node.ObjectNode;
import io.gravitee.common.utils.UUID;
import io.gravitee.gateway.api.handler.Handler;
import io.gravitee.node.api.Node;
import io.gravitee.node.api.utils.NodeUtils;
import io.gravitee.resource.oauth2.api.OAuth2Resource;
import io.gravitee.resource.oauth2.api.OAuth2Response;
import io.gravitee.resource.oauth2.api.openid.UserInfoResponse;
import io.gravitee.resource.oauth2.keycloak.configuration.OAuth2KeycloakResourceConfiguration;
import io.vertx.core.AsyncResult;
import io.vertx.core.Vertx;
import io.vertx.core.http.HttpClient;
import io.vertx.core.http.HttpClientOptions;
import io.vertx.core.http.HttpClientRequest;
import io.vertx.core.http.HttpClientResponse;
import io.vertx.core.http.HttpMethod;
import io.vertx.core.http.RequestOptions;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.KeycloakDeploymentBuilder;
import org.keycloak.adapters.rotation.AdapterTokenVerifier;
import org.keycloak.common.VerificationException;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.adapters.config.AdapterConfig;
import org.keycloak.util.JsonSerialization;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.BeansException;
import org.springframework.context.ApplicationContext;
import org.springframework.context.ApplicationContextAware;

/* loaded from: input_file:io/gravitee/resource/oauth2/keycloak/OAuth2KeycloakResource.class */
public class OAuth2KeycloakResource extends OAuth2Resource<OAuth2KeycloakResourceConfiguration> implements ApplicationContextAware {
    private static final String KEYCLOAK_INTROSPECTION_ENDPOINT = "/protocol/openid-connect/token/introspect";
    private static final String KEYCLOAK_USERINFO_ENDPOINT = "/protocol/openid-connect/userinfo";
    private static final String HTTPS_SCHEME = "https";
    private static final String AUTHORIZATION_HEADER_BASIC_SCHEME = "Basic ";
    private static final String AUTHORIZATION_HEADER_BEARER_SCHEME = "Bearer ";
    private static final char AUTHORIZATION_HEADER_VALUE_BASE64_SEPARATOR = ':';
    private ApplicationContext applicationContext;
    private HttpClientOptions httpClientOptions;
    private Vertx vertx;
    private String introspectionEndpointURI;
    private String introspectionEndpointAuthorization;
    private String userInfoEndpointURI;
    private static final ObjectMapper MAPPER = new ObjectMapper();
    private String realmUrl;
    private KeycloakDeployment keycloakDeployment;
    private boolean checkTokenLocally;
    private String userAgent;
    private final Logger logger = LoggerFactory.getLogger(OAuth2KeycloakResource.class);
    private final Map<Thread, HttpClient> httpClients = new ConcurrentHashMap();

    protected void doStart() throws Exception {
        super.doStart();
        this.logger.info("Starting a Keycloak Adapter resource");
        this.checkTokenLocally = ((OAuth2KeycloakResourceConfiguration) configuration()).isValidateTokenLocally();
        AdapterConfig loadAdapterConfig = KeycloakDeploymentBuilder.loadAdapterConfig(new ByteArrayInputStream(((OAuth2KeycloakResourceConfiguration) configuration()).getKeycloakConfiguration().getBytes(StandardCharsets.UTF_8)));
        this.keycloakDeployment = KeycloakDeploymentBuilder.build(loadAdapterConfig);
        this.realmUrl = loadAdapterConfig.getAuthServerUrl() + "/realms/" + loadAdapterConfig.getRealm();
        URI create = URI.create(this.realmUrl);
        this.httpClientOptions = new HttpClientOptions().setDefaultPort(create.getPort() != -1 ? create.getPort() : HTTPS_SCHEME.equals(create.getScheme()) ? 443 : 80).setDefaultHost(create.getHost());
        if (HTTPS_SCHEME.equalsIgnoreCase(create.getScheme())) {
            this.httpClientOptions.setSsl(true).setVerifyHost(((OAuth2KeycloakResourceConfiguration) configuration()).isVerifyHost()).setTrustAll(((OAuth2KeycloakResourceConfiguration) configuration()).isTrustAll());
        }
        this.introspectionEndpointAuthorization = "Basic " + Base64.getEncoder().encodeToString((loadAdapterConfig.getResource() + ":" + loadAdapterConfig.getCredentials().get("secret")).getBytes());
        this.userInfoEndpointURI = create.getPath() + "/protocol/openid-connect/userinfo";
        this.introspectionEndpointURI = create.getPath() + "/protocol/openid-connect/token/introspect";
        this.userAgent = NodeUtils.userAgent((Node) this.applicationContext.getBean(Node.class));
        this.vertx = (Vertx) this.applicationContext.getBean(Vertx.class);
    }

    protected void doStop() throws Exception {
        super.doStop();
        this.httpClients.values().forEach(httpClient -> {
            try {
                httpClient.close();
            } catch (IllegalStateException e) {
                this.logger.warn(e.getMessage());
            }
        });
    }

    public void introspect(final String str, final Handler<OAuth2Response> handler) {
        if (!this.checkTokenLocally) {
            HttpClient computeIfAbsent = this.httpClients.computeIfAbsent(Thread.currentThread(), thread -> {
                return this.vertx.createHttpClient(this.httpClientOptions);
            });
            this.logger.debug("Introspect access token by requesting {}", this.introspectionEndpointURI);
            computeIfAbsent.request(new RequestOptions().setMethod(HttpMethod.POST).setURI(this.introspectionEndpointURI).putHeader("User-Agent", this.userAgent).putHeader("X-Gravitee-Request-Id", UUID.toString(UUID.random())).putHeader("Authorization", this.introspectionEndpointAuthorization).putHeader("Accept", "application/json").putHeader("Content-Type", "application/x-www-form-urlencoded")).onFailure(new io.vertx.core.Handler<Throwable>() { // from class: io.gravitee.resource.oauth2.keycloak.OAuth2KeycloakResource.2
                public void handle(Throwable th) {
                    OAuth2KeycloakResource.this.logger.error("An error occurs while introspecting access token", th);
                    handler.handle(new OAuth2Response(false, th.getMessage()));
                }
            }).onSuccess(new io.vertx.core.Handler<HttpClientRequest>() { // from class: io.gravitee.resource.oauth2.keycloak.OAuth2KeycloakResource.1
                public void handle(HttpClientRequest httpClientRequest) {
                    httpClientRequest.response(new io.vertx.core.Handler<AsyncResult<HttpClientResponse>>() { // from class: io.gravitee.resource.oauth2.keycloak.OAuth2KeycloakResource.1.2
                        public void handle(AsyncResult<HttpClientResponse> asyncResult) {
                            if (asyncResult.failed()) {
                                OAuth2KeycloakResource.this.logger.error("An error occurs while introspecting access token", asyncResult.cause());
                                handler.handle(new OAuth2Response(false, asyncResult.cause().getMessage()));
                            } else {
                                HttpClientResponse httpClientResponse = (HttpClientResponse) asyncResult.result();
                                Handler handler2 = handler;
                                httpClientResponse.bodyHandler(buffer -> {
                                    OAuth2KeycloakResource.this.logger.debug("Keycloak introspection endpoint returns a response with a {} status code", Integer.valueOf(httpClientResponse.statusCode()));
                                    String buffer = buffer.toString();
                                    if (httpClientResponse.statusCode() != 200) {
                                        handler2.handle(new OAuth2Response(false, buffer));
                                        return;
                                    }
                                    JsonNode readPayload = OAuth2KeycloakResource.this.readPayload(buffer);
                                    if (readPayload != null && readPayload.path("active").asBoolean(false)) {
                                        handler2.handle(new OAuth2Response(true, buffer));
                                    } else {
                                        handler2.handle(new OAuth2Response(false, "{\"error\": \"access_denied\"}"));
                                    }
                                });
                            }
                        }
                    }).exceptionHandler(new io.vertx.core.Handler<Throwable>() { // from class: io.gravitee.resource.oauth2.keycloak.OAuth2KeycloakResource.1.1
                        public void handle(Throwable th) {
                            OAuth2KeycloakResource.this.logger.error("An error occurs while introspecting access token", th);
                            handler.handle(new OAuth2Response(false, th.getMessage()));
                        }
                    }).end("token=" + str);
                }
            });
            return;
        }
        try {
            AccessToken verifyToken = AdapterTokenVerifier.verifyToken(str, this.keycloakDeployment);
            ObjectNode createObjectNode = JsonSerialization.createObjectNode(verifyToken);
            createObjectNode.put("client_id", verifyToken.getIssuedFor());
            createObjectNode.put("username", verifyToken.getPreferredUsername());
            handler.handle(new OAuth2Response(true, MAPPER.writeValueAsString(createObjectNode)));
        } catch (VerificationException e) {
            this.logger.error("Unable to verify access token", e);
            handler.handle(new OAuth2Response(false, "{\"error\": \"access_denied\"}"));
        } catch (IOException e2) {
            this.logger.error("Unable to transform access token", e2);
        }
    }

    public void userInfo(String str, final Handler<UserInfoResponse> handler) {
        HttpClient computeIfAbsent = this.httpClients.computeIfAbsent(Thread.currentThread(), thread -> {
            return this.vertx.createHttpClient(this.httpClientOptions);
        });
        this.logger.debug("Get userinfo from {}", this.userInfoEndpointURI);
        computeIfAbsent.request(new RequestOptions().setMethod(HttpMethod.GET).setURI(this.userInfoEndpointURI).putHeader("User-Agent", this.userAgent).putHeader("X-Gravitee-Request-Id", UUID.toString(UUID.random())).putHeader("Authorization", "Bearer " + str).putHeader("Accept", "application/json")).onFailure(new io.vertx.core.Handler<Throwable>() { // from class: io.gravitee.resource.oauth2.keycloak.OAuth2KeycloakResource.4
            public void handle(Throwable th) {
                OAuth2KeycloakResource.this.logger.error("An error occurs while getting userinfo from access token", th);
                handler.handle(new UserInfoResponse(false, th.getMessage()));
            }
        }).onSuccess(new io.vertx.core.Handler<HttpClientRequest>() { // from class: io.gravitee.resource.oauth2.keycloak.OAuth2KeycloakResource.3
            public void handle(HttpClientRequest httpClientRequest) {
                httpClientRequest.response(new io.vertx.core.Handler<AsyncResult<HttpClientResponse>>() { // from class: io.gravitee.resource.oauth2.keycloak.OAuth2KeycloakResource.3.2
                    public void handle(AsyncResult<HttpClientResponse> asyncResult) {
                        if (asyncResult.failed()) {
                            OAuth2KeycloakResource.this.logger.error("An error occurs while introspecting access token", asyncResult.cause());
                            handler.handle(new UserInfoResponse(false, asyncResult.cause().getMessage()));
                        } else {
                            HttpClientResponse httpClientResponse = (HttpClientResponse) asyncResult.result();
                            Handler handler2 = handler;
                            httpClientResponse.bodyHandler(buffer -> {
                                OAuth2KeycloakResource.this.logger.debug("Userinfo endpoint returns a response with a {} status code", Integer.valueOf(httpClientResponse.statusCode()));
                                if (httpClientResponse.statusCode() == 200) {
                                    handler2.handle(new UserInfoResponse(true, buffer.toString()));
                                } else {
                                    handler2.handle(new UserInfoResponse(false, buffer.toString()));
                                }
                            });
                        }
                    }
                }).exceptionHandler(new io.vertx.core.Handler<Throwable>() { // from class: io.gravitee.resource.oauth2.keycloak.OAuth2KeycloakResource.3.1
                    public void handle(Throwable th) {
                        OAuth2KeycloakResource.this.logger.error("An error occurs while introspecting access token", th);
                        handler.handle(new UserInfoResponse(false, th.getMessage()));
                    }
                }).end();
            }
        });
    }

    private JsonNode readPayload(String str) {
        try {
            return MAPPER.readTree(str);
        } catch (IOException e) {
            this.logger.error("Unable to check required scope from introspection endpoint payload: {}", str);
            return null;
        }
    }

    public String getUserClaim() {
        return ((OAuth2KeycloakResourceConfiguration) configuration()).getUserClaim();
    }

    public void setApplicationContext(ApplicationContext applicationContext) throws BeansException {
        this.applicationContext = applicationContext;
    }
}
