package org.keycloak.adapters.installed;

import com.fasterxml.jackson.annotation.JsonProperty;
import io.undertow.Handlers;
import io.undertow.Undertow;
import io.undertow.server.HttpHandler;
import io.undertow.server.HttpServerExchange;
import io.undertow.server.handlers.AllowedMethodsHandler;
import io.undertow.server.handlers.GracefulShutdownHandler;
import io.undertow.server.handlers.builder.PredicatedHandlersParser;
import io.undertow.util.Headers;
import io.undertow.util.Methods;
import java.awt.Desktop;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.io.PrintStream;
import java.io.PrintWriter;
import java.io.Reader;
import java.net.InetSocketAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Deque;
import java.util.Locale;
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.ForkJoinPool;
import java.util.concurrent.TimeUnit;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.ws.rs.client.Entity;
import javax.ws.rs.core.Form;
import javax.ws.rs.core.Response;
import org.jboss.resteasy.client.jaxrs.ResteasyClient;
import org.jboss.resteasy.client.jaxrs.ResteasyClientBuilder;
import org.keycloak.OAuth2Constants;
import org.keycloak.OAuthErrorException;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.KeycloakDeploymentBuilder;
import org.keycloak.adapters.ServerRequest;
import org.keycloak.adapters.rotation.AdapterTokenVerifier;
import org.keycloak.common.VerificationException;
import org.keycloak.common.util.Base64Url;
import org.keycloak.common.util.KeycloakUriBuilder;
import org.keycloak.common.util.RandomString;
import org.keycloak.jose.jwk.ECPublicJWK;
import org.keycloak.jose.jwk.RSAPublicJWK;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.AccessTokenResponse;
import org.keycloak.representations.IDToken;

/* loaded from: input_file:org/keycloak/adapters/installed/KeycloakInstalled.class */
public class KeycloakInstalled {
    private static final String KEYCLOAK_JSON = "META-INF/keycloak.json";
    private KeycloakDeployment deployment;
    private AccessTokenResponse tokenResponse;
    private String tokenString;
    private String idTokenString;
    private IDToken idToken;
    private AccessToken token;
    private String refreshToken;
    private Status status;
    private Locale locale;
    private ResteasyClient resteasyClient;
    Pattern callbackPattern;
    Pattern paramPattern;
    Pattern codePattern;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/keycloak/adapters/installed/KeycloakInstalled$CallbackListener.class */
    public class CallbackListener implements HttpHandler {
        private final CountDownLatch shutdownSignal = new CountDownLatch(1);
        private String code;
        private String error;
        private String errorDescription;
        private String state;
        private Undertow server;
        private GracefulShutdownHandler gracefulShutdownHandler;

        CallbackListener() {
        }

        public void start() {
            this.gracefulShutdownHandler = Handlers.gracefulShutdown(new AllowedMethodsHandler(Handlers.path().addExactPath("/", this), Methods.GET));
            this.server = Undertow.builder().setIoThreads(1).setWorkerThreads(1).addHttpListener(0, "localhost").setHandler(this.gracefulShutdownHandler).build();
            this.server.start();
        }

        public void stop() {
            try {
                this.server.stop();
            } catch (Exception e) {
            }
        }

        public int getLocalPort() {
            return ((InetSocketAddress) this.server.getListenerInfo().get(0).getAddress()).getPort();
        }

        public void await() throws InterruptedException {
            this.shutdownSignal.await();
        }

        @Override // io.undertow.server.HttpHandler
        public void handleRequest(HttpServerExchange httpServerExchange) throws Exception {
            this.gracefulShutdownHandler.shutdown();
            if (!httpServerExchange.getQueryParameters().isEmpty()) {
                readQueryParameters(httpServerExchange);
            }
            httpServerExchange.setStatusCode(302);
            httpServerExchange.getResponseHeaders().add(Headers.LOCATION, getRedirectUrl());
            httpServerExchange.endExchange();
            this.shutdownSignal.countDown();
            ForkJoinPool.commonPool().execute(this::stop);
        }

        private void readQueryParameters(HttpServerExchange httpServerExchange) {
            this.code = getQueryParameterIfPresent(httpServerExchange, OAuth2Constants.CODE);
            this.error = getQueryParameterIfPresent(httpServerExchange, OAuth2Constants.ERROR);
            this.errorDescription = getQueryParameterIfPresent(httpServerExchange, OAuth2Constants.ERROR_DESCRIPTION);
            this.state = getQueryParameterIfPresent(httpServerExchange, OAuth2Constants.STATE);
        }

        private String getQueryParameterIfPresent(HttpServerExchange httpServerExchange, String str) {
            Map<String, Deque<String>> queryParameters = httpServerExchange.getQueryParameters();
            if (queryParameters.containsKey(str)) {
                return queryParameters.get(str).getFirst();
            }
            return null;
        }

        private String getRedirectUrl() {
            String replace = KeycloakInstalled.this.deployment.getTokenUrl().replace("/token", "/delegated");
            if (this.error != null) {
                replace = replace + "?error=true";
            }
            return replace;
        }
    }

    /* loaded from: input_file:org/keycloak/adapters/installed/KeycloakInstalled$Console.class */
    public static class Console {
        protected java.io.Console console = System.console();
        protected PrintWriter writer;
        protected BufferedReader reader;
        static Console SINGLETON = new Console();

        private Console() {
        }

        public PrintWriter writer() {
            if (this.console != null) {
                return this.console.writer();
            }
            if (this.writer == null) {
                this.writer = new PrintWriter((OutputStream) System.err, true);
            }
            return this.writer;
        }

        public Reader reader() {
            return this.console == null ? getReader() : this.console.reader();
        }

        protected BufferedReader getReader() {
            if (this.reader != null) {
                return this.reader;
            }
            this.reader = new BufferedReader(new BufferedReader(new InputStreamReader(System.in)));
            return this.reader;
        }

        public Console format(String str, Object... objArr) {
            if (this.console == null) {
                writer().format(str, objArr);
                return this;
            }
            this.console.format(str, objArr);
            return this;
        }

        public Console printf(String str, Object... objArr) {
            if (this.console == null) {
                writer().printf(str, objArr);
                return this;
            }
            this.console.printf(str, objArr);
            return this;
        }

        public String readLine(String str, Object... objArr) {
            if (this.console != null) {
                return this.console.readLine(str, objArr);
            }
            format(str, objArr);
            return readLine();
        }

        public boolean confirm(String str, Object... objArr) {
            String str2;
            String str3 = JsonProperty.USE_DEFAULT_NAME;
            while (true) {
                str2 = str3;
                if (ECPublicJWK.Y.equals(str2) || RSAPublicJWK.MODULUS.equals(str2)) {
                    break;
                }
                str3 = readLine(str, objArr);
            }
            return ECPublicJWK.Y.equals(str2);
        }

        public String prompt(String str, Object... objArr) {
            String str2 = JsonProperty.USE_DEFAULT_NAME;
            while (true) {
                String str3 = str2;
                if (!str3.equals(JsonProperty.USE_DEFAULT_NAME)) {
                    return str3;
                }
                str2 = readLine(str, objArr).trim();
            }
        }

        public String passwordPrompt(String str, Object... objArr) {
            String str2 = JsonProperty.USE_DEFAULT_NAME;
            while (true) {
                String str3 = str2;
                if (!str3.equals(JsonProperty.USE_DEFAULT_NAME)) {
                    return str3;
                }
                str2 = new String(readPassword(str, objArr)).trim();
            }
        }

        public String readLine() {
            if (this.console != null) {
                return this.console.readLine();
            }
            try {
                return getReader().readLine();
            } catch (IOException e) {
                throw new RuntimeException(e);
            }
        }

        public char[] readPassword(String str, Object... objArr) {
            return this.console == null ? readLine(str, objArr).toCharArray() : this.console.readPassword(str, objArr);
        }

        public char[] readPassword() {
            return this.console == null ? readLine().toCharArray() : this.console.readPassword();
        }

        public void flush() {
            if (this.console == null) {
                System.err.flush();
            } else {
                this.console.flush();
            }
        }

        public void stderrOutput() {
            this.console = null;
        }
    }

    /* loaded from: input_file:org/keycloak/adapters/installed/KeycloakInstalled$Pkce.class */
    public static class Pkce {
        public static final int PKCE_CODE_VERIFIER_MAX_LENGTH = 128;
        private final String codeChallenge;
        private final String codeVerifier;

        public Pkce(String str, String str2) {
            this.codeChallenge = str2;
            this.codeVerifier = str;
        }

        public String getCodeChallenge() {
            return this.codeChallenge;
        }

        public String getCodeVerifier() {
            return this.codeVerifier;
        }

        public static Pkce generatePkce() {
            try {
                String nextString = new RandomString(128, new SecureRandom()).nextString();
                return new Pkce(nextString, generateS256CodeChallenge(nextString));
            } catch (Exception e) {
                throw new RuntimeException("Could not generate PKCE", e);
            }
        }

        private static String generateS256CodeChallenge(String str) throws Exception {
            MessageDigest messageDigest = MessageDigest.getInstance("SHA-256");
            messageDigest.update(str.getBytes(StandardCharsets.ISO_8859_1));
            return Base64Url.encode(messageDigest.digest());
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/keycloak/adapters/installed/KeycloakInstalled$Status.class */
    public enum Status {
        LOGGED_MANUAL,
        LOGGED_DESKTOP
    }

    public KeycloakInstalled() {
        this.callbackPattern = Pattern.compile("callback\\s*=\\s*\"([^\"]+)\"");
        this.paramPattern = Pattern.compile("param=\"([^\"]+)\"\\s+label=\"([^\"]+)\"\\s+mask=(\\S+)");
        this.codePattern = Pattern.compile("code=([^&]+)");
        this.deployment = KeycloakDeploymentBuilder.build(Thread.currentThread().getContextClassLoader().getResourceAsStream(KEYCLOAK_JSON));
    }

    public KeycloakInstalled(InputStream inputStream) {
        this.callbackPattern = Pattern.compile("callback\\s*=\\s*\"([^\"]+)\"");
        this.paramPattern = Pattern.compile("param=\"([^\"]+)\"\\s+label=\"([^\"]+)\"\\s+mask=(\\S+)");
        this.codePattern = Pattern.compile("code=([^&]+)");
        this.deployment = KeycloakDeploymentBuilder.build(inputStream);
    }

    public KeycloakInstalled(KeycloakDeployment keycloakDeployment) {
        this.callbackPattern = Pattern.compile("callback\\s*=\\s*\"([^\"]+)\"");
        this.paramPattern = Pattern.compile("param=\"([^\"]+)\"\\s+label=\"([^\"]+)\"\\s+mask=(\\S+)");
        this.codePattern = Pattern.compile("code=([^&]+)");
        this.deployment = keycloakDeployment;
    }

    public void setResteasyClient(ResteasyClient resteasyClient) {
        this.resteasyClient = resteasyClient;
    }

    public Locale getLocale() {
        return this.locale;
    }

    public void setLocale(Locale locale) {
        this.locale = locale;
    }

    public void login() throws IOException, ServerRequest.HttpFailure, VerificationException, InterruptedException, OAuthErrorException, URISyntaxException {
        if (isDesktopSupported()) {
            loginDesktop();
        } else {
            loginManual();
        }
    }

    public void login(PrintStream printStream, Reader reader) throws IOException, ServerRequest.HttpFailure, VerificationException, InterruptedException, OAuthErrorException, URISyntaxException {
        if (isDesktopSupported()) {
            loginDesktop();
        } else {
            loginManual(printStream, reader);
        }
    }

    public void logout() throws IOException, InterruptedException, URISyntaxException {
        if (this.status == Status.LOGGED_DESKTOP) {
            logoutDesktop();
        }
        this.tokenString = null;
        this.token = null;
        this.idTokenString = null;
        this.idToken = null;
        this.refreshToken = null;
        this.status = null;
    }

    public void loginDesktop() throws IOException, VerificationException, OAuthErrorException, URISyntaxException, ServerRequest.HttpFailure, InterruptedException {
        CallbackListener callbackListener = new CallbackListener();
        callbackListener.start();
        String str = "http://localhost:" + callbackListener.getLocalPort();
        String uuid = UUID.randomUUID().toString();
        Pkce generatePkce = this.deployment.isPkce() ? generatePkce() : null;
        Desktop.getDesktop().browse(new URI(createAuthUrl(str, uuid, generatePkce)));
        try {
            callbackListener.await();
            if (callbackListener.error != null) {
                throw new OAuthErrorException(callbackListener.error, callbackListener.errorDescription);
            }
            if (!uuid.equals(callbackListener.state)) {
                throw new VerificationException("Invalid state");
            }
            processCode(callbackListener.code, str, generatePkce);
            this.status = Status.LOGGED_DESKTOP;
        } catch (InterruptedException e) {
            callbackListener.stop();
            throw e;
        }
    }

    protected String createAuthUrl(String str, String str2, Pkce pkce) {
        KeycloakUriBuilder queryParam = this.deployment.getAuthUrl().m1488clone().queryParam(OAuth2Constants.RESPONSE_TYPE, OAuth2Constants.CODE).queryParam(OAuth2Constants.CLIENT_ID, this.deployment.getResourceName()).queryParam(OAuth2Constants.REDIRECT_URI, str).queryParam("scope", OAuth2Constants.SCOPE_OPENID);
        if (str2 != null) {
            queryParam.queryParam(OAuth2Constants.STATE, str2);
        }
        if (this.locale != null) {
            queryParam.queryParam(OAuth2Constants.UI_LOCALES_PARAM, this.locale.getLanguage());
        }
        if (pkce != null) {
            queryParam.queryParam(OAuth2Constants.CODE_CHALLENGE, pkce.getCodeChallenge());
            queryParam.queryParam(OAuth2Constants.CODE_CHALLENGE_METHOD, OAuth2Constants.PKCE_METHOD_S256);
        }
        return queryParam.build(new Object[0]).toString();
    }

    protected Pkce generatePkce() {
        return Pkce.generatePkce();
    }

    private void logoutDesktop() throws IOException, URISyntaxException, InterruptedException {
        CallbackListener callbackListener = new CallbackListener();
        callbackListener.start();
        Desktop.getDesktop().browse(new URI(this.deployment.getLogoutUrl().queryParam(OAuth2Constants.REDIRECT_URI, "http://localhost:" + callbackListener.getLocalPort()).build(new Object[0]).toString()));
        try {
            callbackListener.await();
        } catch (InterruptedException e) {
            callbackListener.stop();
            throw e;
        }
    }

    public void loginManual() throws IOException, ServerRequest.HttpFailure, VerificationException {
        loginManual(System.out, new InputStreamReader(System.in));
    }

    public void loginManual(PrintStream printStream, Reader reader) throws IOException, ServerRequest.HttpFailure, VerificationException {
        Pkce generatePkce = generatePkce();
        String createAuthUrl = createAuthUrl("urn:ietf:wg:oauth:2.0:oob", null, generatePkce);
        printStream.println("Open the following URL in a browser. After login copy/paste the code back and press <enter>");
        printStream.println(createAuthUrl);
        printStream.println();
        printStream.print("Code: ");
        processCode(readCode(reader), "urn:ietf:wg:oauth:2.0:oob", generatePkce);
        this.status = Status.LOGGED_MANUAL;
    }

    public static Console console() {
        return Console.SINGLETON;
    }

    public boolean loginCommandLine() throws IOException, ServerRequest.HttpFailure, VerificationException {
        return loginCommandLine("urn:ietf:wg:oauth:2.0:oob");
    }

    public boolean loginCommandLine(String str) throws IOException, ServerRequest.HttpFailure, VerificationException {
        String uri = this.deployment.getAuthUrl().m1488clone().queryParam(OAuth2Constants.RESPONSE_TYPE, OAuth2Constants.CODE).queryParam(OAuth2Constants.CLIENT_ID, this.deployment.getResourceName()).queryParam(OAuth2Constants.REDIRECT_URI, str).queryParam(OAuth2Constants.DISPLAY, OAuth2Constants.DISPLAY_CONSOLE).queryParam("scope", OAuth2Constants.SCOPE_OPENID).build(new Object[0]).toString();
        ResteasyClient createResteasyClient = createResteasyClient();
        try {
            try {
                Response response = createResteasyClient.target(uri).request().get();
                while (response.getStatus() != 403) {
                    if (response.getStatus() == 401) {
                        String headerString = response.getHeaderString("WWW-Authenticate");
                        if (headerString == null) {
                            System.err.println("Failure:  Invalid protocol.  No WWW-Authenticate header");
                            createResteasyClient.close();
                            return false;
                        }
                        if (!headerString.contains("X-Text-Form-Challenge")) {
                            System.err.println("Failure:  Invalid WWW-Authenticate header.");
                            createResteasyClient.close();
                            return false;
                        }
                        if (response.getMediaType() != null) {
                            console().writer().println((String) response.readEntity(String.class));
                        } else {
                            response.close();
                        }
                        Matcher matcher = this.callbackPattern.matcher(headerString);
                        if (!matcher.find()) {
                            System.err.println("Failure: Invalid WWW-Authenticate header.");
                            createResteasyClient.close();
                            return false;
                        }
                        String group = matcher.group(1);
                        Matcher matcher2 = this.paramPattern.matcher(headerString);
                        Form form = new Form();
                        while (matcher2.find()) {
                            String group2 = matcher2.group(1);
                            String group3 = matcher2.group(2);
                            form.param(group2, matcher2.group(3).trim().equals(PredicatedHandlersParser.TRUE) ? new String(console().readPassword(group3, new Object[0])) : console().readLine(group3, new Object[0]));
                        }
                        response.close();
                        createResteasyClient.close();
                        createResteasyClient = createResteasyClient();
                        response = createResteasyClient.target(group).request().post(Entity.form(form));
                    } else {
                        if (response.getStatus() != 302) {
                            System.err.println("Unknown response from server: " + response.getStatus());
                            createResteasyClient.close();
                            return false;
                        }
                        int i = 0;
                        do {
                            String uri2 = response.getLocation().toString();
                            Matcher matcher3 = this.codePattern.matcher(uri2);
                            if (matcher3.find()) {
                                response.close();
                                createResteasyClient.close();
                                processCode(matcher3.group(1), str, null);
                                createResteasyClient.close();
                                return true;
                            }
                            response.close();
                            createResteasyClient.close();
                            createResteasyClient = createResteasyClient();
                            response = createResteasyClient.target(uri2).request().get();
                            if (response.getStatus() == 302) {
                                int i2 = i;
                                i++;
                                if (i2 > 4) {
                                    System.err.println("Too many redirects.  Aborting");
                                    createResteasyClient.close();
                                    return false;
                                }
                            }
                        } while (response.getStatus() == 302);
                    }
                }
                if (response.getMediaType() != null) {
                    console().writer().println((String) response.readEntity(String.class));
                } else {
                    System.err.println("Forbidden to login");
                }
                createResteasyClient = createResteasyClient;
                return false;
            } catch (Exception e) {
                throw e;
            }
        } finally {
            createResteasyClient.close();
        }
    }

    protected ResteasyClient getResteasyClient() {
        if (this.resteasyClient == null) {
            this.resteasyClient = createResteasyClient();
        }
        return this.resteasyClient;
    }

    protected ResteasyClient createResteasyClient() {
        return new ResteasyClientBuilder().connectionCheckoutTimeout(1L, TimeUnit.HOURS).connectionTTL(1L, TimeUnit.HOURS).socketTimeout(1L, TimeUnit.HOURS).disableTrustManager().build();
    }

    public String getTokenString() {
        return this.tokenString;
    }

    public String getTokenString(long j, TimeUnit timeUnit) throws VerificationException, IOException, ServerRequest.HttpFailure {
        if ((this.token.getExpiration() * 1000) - timeUnit.toMillis(j) < System.currentTimeMillis()) {
            refreshToken();
        }
        return this.tokenString;
    }

    public void refreshToken() throws IOException, ServerRequest.HttpFailure, VerificationException {
        parseAccessToken(ServerRequest.invokeRefresh(this.deployment, this.refreshToken));
    }

    public void refreshToken(String str) throws IOException, ServerRequest.HttpFailure, VerificationException {
        parseAccessToken(ServerRequest.invokeRefresh(this.deployment, str));
    }

    private void parseAccessToken(AccessTokenResponse accessTokenResponse) throws VerificationException {
        this.tokenResponse = accessTokenResponse;
        this.tokenString = accessTokenResponse.getToken();
        this.refreshToken = accessTokenResponse.getRefreshToken();
        this.idTokenString = accessTokenResponse.getIdToken();
        AdapterTokenVerifier.VerifiedTokens verifyTokens = AdapterTokenVerifier.verifyTokens(this.tokenString, this.idTokenString, this.deployment);
        this.token = verifyTokens.getAccessToken();
        this.idToken = verifyTokens.getIdToken();
    }

    public AccessToken getToken() {
        return this.token;
    }

    public IDToken getIdToken() {
        return this.idToken;
    }

    public String getIdTokenString() {
        return this.idTokenString;
    }

    public String getRefreshToken() {
        return this.refreshToken;
    }

    public AccessTokenResponse getTokenResponse() {
        return this.tokenResponse;
    }

    public boolean isDesktopSupported() {
        return Desktop.isDesktopSupported();
    }

    public KeycloakDeployment getDeployment() {
        return this.deployment;
    }

    private void processCode(String str, String str2, Pkce pkce) throws IOException, ServerRequest.HttpFailure, VerificationException {
        parseAccessToken(ServerRequest.invokeAccessCodeToToken(this.deployment, str, str2, null, pkce == null ? null : pkce.getCodeVerifier()));
    }

    private String readCode(Reader reader) throws IOException {
        char c;
        StringBuilder sb = new StringBuilder();
        char[] cArr = new char[1];
        while (reader.read(cArr) != -1 && (c = cArr[0]) != ' ' && c != '\n' && c != '\r') {
            sb.append(c);
        }
        return sb.toString();
    }
}
