package org.alfresco.rest.authn;

import java.util.concurrent.TimeUnit;
import java.util.function.Supplier;
import org.alfresco.rest.authn.config.IdentityServiceConfig;
import org.alfresco.rest.authn.exception.AuthenticationException;
import org.apache.http.client.HttpClient;
import org.jboss.logging.Logger;
import org.keycloak.adapters.HttpClientBuilder;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.KeycloakDeploymentBuilder;
import org.keycloak.adapters.rotation.AdapterTokenVerifier;
import org.keycloak.authorization.client.AuthzClient;
import org.keycloak.authorization.client.Configuration;
import org.keycloak.authorization.client.util.HttpResponseException;
import org.keycloak.common.VerificationException;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.AccessTokenResponse;

/* loaded from: input_file:org/alfresco/rest/authn/TokenProvider.class */
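/**
 * Obtains access tokens from a Keycloak identity service and, when the configuration asks
 * for it, verifies them against the Keycloak deployment built from that same configuration.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>Token verification is optional and controlled by
 *       {@code IdentityServiceConfig.isValidateToken()}. When it is switched off, tokens
 *       returned by this class have <em>not</em> been checked locally.</li>
 *   <li>The {@code password} grant reads the username and password from the configuration;
 *       neither value is logged by this class.</li>
 * </ul>
 */
public class TokenProvider {
    private static final Logger LOGGER = Logger.getLogger(TokenProvider.class);
    private final IdentityServiceConfig config;
    private final KeycloakDeployment deployment;
    private final AuthzClient authzClient;

    /**
     * Builds the Keycloak deployment and the authorization client from the identity service
     * configuration supplied by {@code authnConfigBuilder}.
     *
     * @param authnConfigBuilder source of the {@link IdentityServiceConfig}
     */
    public TokenProvider(AuthnConfigBuilder authnConfigBuilder) {
        this.config = authnConfigBuilder.getIdentityServiceConfig();
        this.deployment = KeycloakDeploymentBuilder.build(this.config);
        // One HTTP client (with the configured timeouts) is shared by the deployment,
        // which is used for token verification, and by the AuthzClient, which requests tokens.
        HttpClient httpClient = createHttpClient(this.config);
        this.deployment.setClient(httpClient);
        this.authzClient = createAuthzClient(this.config, httpClient);
    }

    /**
     * Creates the HTTP client used to talk to Keycloak, applying the connection and socket
     * timeouts (in milliseconds) from the configuration.
     */
    private HttpClient createHttpClient(IdentityServiceConfig identityServiceConfig) {
        return new HttpClientBuilder()
                .establishConnectionTimeout(
                        identityServiceConfig.getClientConnectionTimeoutInMillis(), TimeUnit.MILLISECONDS)
                .socketTimeout(
                        identityServiceConfig.getClientSocketTimeoutInMillis(), TimeUnit.MILLISECONDS)
                .build(identityServiceConfig);
    }

    /**
     * Creates the Keycloak {@link AuthzClient} from the server URL, realm, resource and
     * credentials held in the configuration.
     *
     * <p>Only the server URL, realm and resource are written to the debug log. The
     * credentials are not logged; keep it that way if further fields are added here.
     */
    private AuthzClient createAuthzClient(IdentityServiceConfig identityServiceConfig, HttpClient httpClient) {
        Configuration clientConfiguration = new Configuration(
                identityServiceConfig.getAuthServerUrl(),
                identityServiceConfig.getRealm(),
                identityServiceConfig.getResource(),
                identityServiceConfig.getCredentials(),
                httpClient);
        AuthzClient client = AuthzClient.create(clientConfiguration);
        if (LOGGER.isDebugEnabled()) {
            LOGGER.debug("Created Keycloak AuthzClient:");
            LOGGER.debug("    Keycloak AuthzClient server URL: " + client.getConfiguration().getAuthServerUrl());
            LOGGER.debug("    Keycloak AuthzClient realm: " + client.getConfiguration().getRealm());
            LOGGER.debug("    Keycloak AuthzClient resource: " + client.getConfiguration().getResource());
        }
        return client;
    }

    /**
     * Requests an access token using the grant type named in the configuration.
     *
     * <p>{@code password} uses the configured username and password;
     * {@code client_credentials} uses the client's own credentials. Any other value,
     * including a missing grant type, is rejected.
     *
     * @return the token response from Keycloak
     * @throws AuthenticationException if the grant type is unsupported, the request fails,
     *         or token verification is enabled and fails
     */
    public AccessTokenResponse getAccessToken() {
        String grantType = this.config.getGrantType();
        if ("password".equals(grantType)) {
            return getAccessToken(this.config.getUsername(), this.config.getPassword());
        }
        if (!"client_credentials".equals(grantType)) {
            throw new AuthenticationException(grantType + " is an unsupported grant type. Supported grant types are: password and client_credentials");
        }
        return execute(this.authzClient::obtainAccessToken);
    }

    /**
     * Requests an access token for a user with the resource-owner password grant.
     *
     * @param str the username
     * @param str2 the user's password; it is passed to the AuthzClient and never logged here
     * @return the token response from Keycloak
     * @throws AuthenticationException if the request fails, or token verification is enabled
     *         and fails
     */
    public AccessTokenResponse getAccessToken(String str, String str2) {
        return execute(() -> this.authzClient.obtainAccessToken(str, str2));
    }

    /**
     * Runs a token request and passes the returned token through {@link #verifyToken(String)}.
     *
     * <p>HTTP-level failures are reported as {@link AuthenticationException}. Only the
     * status code and reason phrase are written to the debug log, not the response body.
     */
    private AccessTokenResponse execute(Supplier<AccessTokenResponse> supplier) {
        try {
            AccessTokenResponse response = supplier.get();
            if (response == null) {
                // Defensive: report a missing response as an authentication failure, which
                // callers already handle, instead of failing with a NullPointerException below.
                throw new AuthenticationException("Keycloak returned no access token response.");
            }
            verifyToken(response.getToken());
            return response;
        } catch (HttpResponseException e) {
            if (LOGGER.isDebugEnabled()) {
                LOGGER.debug("Failed to authenticate user against Keycloak. Status: " + e.getStatusCode() + " Reason: " + e.getReasonPhrase());
            }
            throw new AuthenticationException("Failed to authenticate user against Keycloak.", e);
        }
    }

    /**
     * Verifies a token string against the Keycloak deployment, if verification is enabled.
     *
     * <p><strong>Caveat:</strong> when {@code IdentityServiceConfig.isValidateToken()} is
     * {@code false} this method performs no check at all and returns {@code null}. A
     * {@code null} result therefore means "not verified", never "verified"; callers must
     * not take identity or authorization decisions from a token that went through this path.
     *
     * @param str the serialized access token
     * @return the verified token, or {@code null} when verification is disabled
     * @throws AuthenticationException if verification is enabled and the token is rejected
     */
    public AccessToken verifyToken(String str) {
        if (!this.config.isValidateToken()) {
            return null;
        }
        try {
            return AdapterTokenVerifier.verifyToken(str, this.deployment);
        } catch (VerificationException e) {
            throw new AuthenticationException("Failed token verification.", e);
        }
    }
}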
