package org.gcube.common.keycloak;

import java.io.UnsupportedEncodingException;
import java.net.MalformedURLException;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.stream.Collectors;
import org.gcube.common.gxrest.request.GXHTTPStringRequest;
import org.gcube.common.gxrest.response.inbound.GXInboundResponse;
import org.gcube.common.keycloak.model.ModelUtils;
import org.gcube.common.keycloak.model.OIDCConstants;
import org.gcube.common.keycloak.model.TokenResponse;
import org.gcube.common.resources.gcore.ServiceEndpoint;
import org.gcube.common.scope.api.ScopeProvider;
import org.gcube.resources.discovery.client.api.DiscoveryClient;
import org.gcube.resources.discovery.client.queries.impl.XQuery;
import org.gcube.resources.discovery.icclient.ICFactory;

/* loaded from: input_file:org/gcube/common/keycloak/DefaultKeycloakClient.class */
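/**
 * Default {@link KeycloakClient} implementation: discovers the Keycloak token endpoint through the
 * information system and requests or refreshes tokens with form-encoded POST calls.
 *
 * <p>Security-relevant behaviour of this class:
 * <ul>
 *   <li>Request bodies and the {@code Authorization} header carry client credentials and refresh
 *       tokens, so their values are never written to the log.</li>
 *   <li>Every form value is URL-encoded before being joined into the request body, so a value
 *       containing {@code &} or {@code =} cannot add or override a form parameter.</li>
 *   <li>Error responses from the server are propagated as created by
 *       {@code KeycloakClientException.create(...)} instead of being re-wrapped under an unrelated
 *       message.</li>
 * </ul>
 */
public class DefaultKeycloakClient implements KeycloakClient {

    /**
     * Looks up the token endpoint address in the information system, querying from the root VO of
     * the scope currently set in {@link ScopeProvider}.
     *
     * <p>The scope held by the provider is temporarily replaced with the root VO and is restored
     * in a {@code finally} block, so a failing discovery query does not leave the provider
     * pointing at the wrong scope.
     *
     * <p>NOTE(review): the discovered address is used as-is; its scheme is not checked here.
     * Credentials and refresh tokens are later posted to this URL, so confirm that registered
     * endpoints are HTTPS.
     *
     * @return the token endpoint URL
     * @throws KeycloakClientException if the scope is missing or malformed, if zero or more than
     *         one endpoint is found, or if the address is not a valid URL
     */
    @Override
    public URL findTokenEndpointURL() throws KeycloakClientException {
        logger.debug("Checking ScopeProvider's scope presence and format");
        String originalScope = ScopeProvider.instance.get();
        if (originalScope == null) {
            throw new KeycloakClientException("Scope not found in ScopeProvider");
        }
        // "/".split("/") and "//".split("/") yield an empty array, and "//x" yields an empty
        // first segment: all of them must be rejected before indexing segment 1.
        String[] segments = originalScope.split("/");
        if (!originalScope.startsWith("/") || segments.length < 2 || segments[1].isEmpty()) {
            throw new KeycloakClientException("Bad scope name found: " + originalScope);
        }
        logger.debug("Assuring use the rootVO to query the endpoint simple query. Actual scope is: {}", originalScope);
        String rootVO = "/" + segments[1];
        logger.debug("Setting rootVO scope into provider as: {}", rootVO);
        List<?> results;
        ScopeProvider.instance.set(rootVO);
        try {
            logger.debug("Creating simple query");
            XQuery query = ICFactory.queryFor(ServiceEndpoint.class);
            query.addCondition(String.format("$resource/Profile/Category/text() eq '%s'", KeycloakClient.CATEGORY))
                    .addCondition(String.format("$resource/Profile/Name/text() eq '%s'", KeycloakClient.NAME))
                    .setResult(String.format("$resource/Profile/AccessPoint[Description/text() eq '%s']", KeycloakClient.DESCRIPTION));
            logger.debug("Creating client for AccessPoint");
            DiscoveryClient client = ICFactory.clientFor(ServiceEndpoint.AccessPoint.class);
            logger.trace("Submitting query: {}", query);
            results = client.submit(query);
        } finally {
            // Restore the caller's scope even when the query fails.
            logger.debug("Restting scope into provider to the original value: {}", originalScope);
            ScopeProvider.instance.set(originalScope);
        }
        if (results.isEmpty()) {
            throw new KeycloakClientException("Service endpoint not found");
        }
        if (results.size() > 1) {
            throw new KeycloakClientException("Found more than one endpoint with query");
        }
        String address = ((ServiceEndpoint.AccessPoint) results.get(0)).address();
        logger.debug("Found address: {}", address);
        try {
            return new URL(address);
        } catch (MalformedURLException e) {
            throw new KeycloakClientException("Cannot create URL from address: " + address, e);
        }
    }

    /**
     * Requests a UMA token using the scope currently set in {@link ScopeProvider} as audience.
     *
     * @param clientId the client id used for Basic authentication
     * @param clientSecret the client secret used for Basic authentication
     * @param permissions optional permissions to request; may be {@code null} or empty
     * @return the token response
     * @throws KeycloakClientException if the endpoint cannot be found or the request fails
     */
    @Override
    public TokenResponse queryUMAToken(String clientId, String clientSecret, List<String> permissions) throws KeycloakClientException {
        return queryUMAToken(clientId, clientSecret, ScopeProvider.instance.get(), permissions);
    }

    /**
     * Requests a UMA token for the given audience, discovering the token endpoint first.
     *
     * @param clientId the client id used for Basic authentication
     * @param clientSecret the client secret used for Basic authentication
     * @param audience the audience of the requested token
     * @param permissions optional permissions to request; may be {@code null} or empty
     * @return the token response
     * @throws KeycloakClientException if the endpoint cannot be found or the request fails
     */
    @Override
    public TokenResponse queryUMAToken(String clientId, String clientSecret, String audience, List<String> permissions) throws KeycloakClientException {
        return queryUMAToken(findTokenEndpointURL(), clientId, clientSecret, audience, permissions);
    }

    /**
     * Requests a UMA token from the given endpoint, building the Basic {@code Authorization}
     * value from the client id and secret.
     *
     * @param tokenURL the token endpoint
     * @param clientId the client id used for Basic authentication
     * @param clientSecret the client secret used for Basic authentication
     * @param audience the audience of the requested token
     * @param permissions optional permissions to request; may be {@code null} or empty
     * @return the token response
     * @throws KeycloakClientException if an argument is rejected or the request fails
     */
    @Override
    public TokenResponse queryUMAToken(URL tokenURL, String clientId, String clientSecret, String audience, List<String> permissions) throws KeycloakClientException {
        // Encode with an explicit charset: the platform default would make the credential bytes
        // depend on the JVM configuration.
        String credentials = clientId + ":" + clientSecret;
        String authorization = "Basic " + Base64.getEncoder().encodeToString(credentials.getBytes(StandardCharsets.UTF_8));
        return queryUMAToken(tokenURL, authorization, audience, permissions);
    }

    /**
     * Requests a UMA token from the given endpoint with a ready-made {@code Authorization} header
     * value.
     *
     * @param tokenURL the token endpoint; must not be {@code null}
     * @param authorization the {@code Authorization} header value; must not be {@code null} or empty
     * @param audience the audience of the requested token; must not be {@code null} or empty
     * @param permissions optional permissions to request; may be {@code null} or empty
     * @return the token response
     * @throws KeycloakClientException if an argument is rejected, the request cannot be built or
     *         sent, the server answers with a non-success status, or the response cannot be parsed
     */
    @Override
    public TokenResponse queryUMAToken(URL tokenURL, String authorization, String audience, List<String> permissions) throws KeycloakClientException {
        if (tokenURL == null) {
            throw new KeycloakClientException("Token URL must be not null");
        }
        if (authorization == null || authorization.isEmpty()) {
            throw new KeycloakClientException("Authorization must be not null nor empty");
        }
        if (audience == null || audience.isEmpty()) {
            throw new KeycloakClientException("Audience must be not null nor empty");
        }
        logger.debug("Querying token from Keycloak server with URL: {}", tokenURL);
        GXHTTPStringRequest request;
        try {
            HashMap<String, List<String>> params = new HashMap<>();
            params.put(OIDCConstants.GRANT_TYPE_PARAMETER, Arrays.asList(OIDCConstants.UMA_TOKEN_GRANT_TYPE));
            // checkAudience() may already have encoded the audience once; the second encoding
            // below is the form encoding of that value (behaviour kept from the original code).
            params.put(OIDCConstants.AUDIENCE_PARAMETER, Arrays.asList(urlEncode(checkAudience(audience))));
            if (permissions != null && !permissions.isEmpty()) {
                params.put(OIDCConstants.PERMISSION_PARAMETER,
                        permissions.stream().map(DefaultKeycloakClient::urlEncode).collect(Collectors.toList()));
            }
            String body = params.entrySet().stream()
                    .flatMap(entry -> entry.getValue().stream().map(value -> entry.getKey() + "=" + value))
                    .collect(Collectors.joining("&"));
            request = GXHTTPStringRequest.newRequest(tokenURL.toString())
                    .header("Content-Type", "application/x-www-form-urlencoded")
                    .withBody(body);
            request.isExternalCall(true);
            // The header value is a credential (Basic or bearer): log the event, never the value.
            logger.debug("Adding authorization header");
            request = request.header("Authorization", authorization);
        } catch (Exception e) {
            throw new KeycloakClientException("Cannot construct the request object correctly", e);
        }
        return postForToken(request);
    }

    /**
     * Returns the audience in URL-encoded form: a value starting with {@code /} is treated as not
     * yet encoded and is encoded, any other value is returned unchanged.
     */
    private static String checkAudience(String audience) {
        if (audience.startsWith("/")) {
            logger.trace("Audience was provided in non URL encoded form, encoding it");
            return urlEncode(audience);
        }
        return audience;
    }

    /** URL-encodes a form value as UTF-8. */
    private static String urlEncode(String value) {
        try {
            return URLEncoder.encode(value, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            // Every Java platform is required to support UTF-8, so this cannot happen in practice.
            throw new IllegalStateException("UTF-8 encoding is not available", e);
        }
    }

    /**
     * Posts a prepared token request and converts a successful response into a
     * {@link TokenResponse}. Each failure keeps its own message: transport errors, non-success
     * responses and unparsable bodies are reported separately.
     */
    private static TokenResponse postForToken(GXHTTPStringRequest request) throws KeycloakClientException {
        try {
            GXInboundResponse response = request.post();
            if (!response.isSuccessResponse()) {
                throw KeycloakClientException.create("Unable to get token", response.getHTTPCode(), (String) ((List) response.getHeaderFields().getOrDefault("content-type", Collections.singletonList("unknown/unknown"))).get(0), response.getMessage());
            }
            try {
                return (TokenResponse) response.tryConvertStreamedContentFromJson(TokenResponse.class);
            } catch (Exception e) {
                throw new KeycloakClientException("Cannot construct token response object correctly", e);
            }
        } catch (KeycloakClientException e) {
            // Already describes the failure (including the server's status); do not re-wrap it.
            throw e;
        } catch (Exception e) {
            throw new KeycloakClientException("Cannot send request correctly", e);
        }
    }

    /**
     * Refreshes the token, taking both the client id and the refresh token from the response.
     *
     * @param tokenResponse the response holding the tokens
     * @return the new token response
     * @throws KeycloakClientException if the endpoint cannot be found or the refresh fails
     */
    @Override
    public TokenResponse refreshToken(TokenResponse tokenResponse) throws KeycloakClientException {
        return refreshToken((String) null, tokenResponse);
    }

    /**
     * Refreshes the token against the given endpoint, taking both the client id and the refresh
     * token from the response.
     *
     * @param tokenURL the token endpoint
     * @param tokenResponse the response holding the tokens
     * @return the new token response
     * @throws KeycloakClientException if the refresh fails
     */
    @Override
    public TokenResponse refreshToken(URL tokenURL, TokenResponse tokenResponse) throws KeycloakClientException {
        return refreshToken(tokenURL, (String) null, (String) null, tokenResponse);
    }

    /**
     * Refreshes the token for the given client without sending a client secret.
     *
     * @param clientId the client id, or {@code null} to read it from the access token
     * @param tokenResponse the response holding the tokens
     * @return the new token response
     * @throws KeycloakClientException if the endpoint cannot be found or the refresh fails
     */
    @Override
    public TokenResponse refreshToken(String clientId, TokenResponse tokenResponse) throws KeycloakClientException {
        return refreshToken(clientId, (String) null, tokenResponse);
    }

    /**
     * Refreshes the token for the given client, discovering the token endpoint first.
     *
     * @param clientId the client id, or {@code null} to read it from the access token
     * @param clientSecret the client secret, or {@code null} or empty to omit it
     * @param tokenResponse the response holding the tokens
     * @return the new token response
     * @throws KeycloakClientException if the endpoint cannot be found or the refresh fails
     */
    @Override
    public TokenResponse refreshToken(String clientId, String clientSecret, TokenResponse tokenResponse) throws KeycloakClientException {
        return refreshToken(findTokenEndpointURL(), clientId, clientSecret, tokenResponse);
    }

    /**
     * Refreshes the token against the given endpoint using the refresh token held by the response.
     *
     * <p>NOTE(review): when {@code clientId} is {@code null} it is read from the access token's
     * own content; whether {@link ModelUtils} verifies the token before reading it is not visible
     * here, so treat the value as a hint that the server still has to accept.
     *
     * @param tokenURL the token endpoint
     * @param clientId the client id, or {@code null} to read it from the access token
     * @param clientSecret the client secret, or {@code null} or empty to omit it
     * @param tokenResponse the response holding the tokens; must not be {@code null}
     * @return the new token response
     * @throws KeycloakClientException if the response is {@code null}, the client id cannot be
     *         determined, or the refresh fails
     */
    @Override
    public TokenResponse refreshToken(URL tokenURL, String clientId, String clientSecret, TokenResponse tokenResponse) throws KeycloakClientException {
        if (tokenResponse == null) {
            throw new KeycloakClientException("Token response must be not null");
        }
        if (clientId == null) {
            logger.debug("Client id not set, trying to get it from access token info");
            try {
                clientId = ModelUtils.getClientIdFromToken(ModelUtils.getAccessTokenFrom(tokenResponse));
            } catch (Exception e) {
                throw new KeycloakClientException("Cannot construct access token object from token response", e);
            }
        }
        return refreshToken(tokenURL, clientId, clientSecret, tokenResponse.getRefreshToken());
    }

    /**
     * Refreshes the token from its JWT-encoded refresh token, reading the client id from the
     * token itself.
     *
     * @param refreshTokenJWT the JWT-encoded refresh token
     * @return the new token response
     * @throws KeycloakClientException if the client id cannot be read from the token or the
     *         refresh fails
     */
    @Override
    public TokenResponse refreshToken(String refreshTokenJWT) throws KeycloakClientException {
        String clientId;
        try {
            clientId = ModelUtils.getClientIdFromToken(ModelUtils.getRefreshTokenFrom(refreshTokenJWT));
        } catch (Exception e) {
            throw new KeycloakClientException("Cannot construct access token object from token response", e);
        }
        // Called outside the try so that a failed refresh keeps its own error instead of being
        // reported as a token parsing problem.
        return refreshToken(clientId, refreshTokenJWT);
    }

    /**
     * Refreshes the token for the given client without sending a client secret.
     *
     * @param clientId the client id
     * @param refreshTokenJWT the JWT-encoded refresh token
     * @return the new token response
     * @throws KeycloakClientException if the endpoint cannot be found or the refresh fails
     */
    @Override
    public TokenResponse refreshToken(String clientId, String refreshTokenJWT) throws KeycloakClientException {
        return refreshToken(clientId, (String) null, refreshTokenJWT);
    }

    /**
     * Refreshes the token for the given client, discovering the token endpoint first.
     *
     * @param clientId the client id
     * @param clientSecret the client secret, or {@code null} or empty to omit it
     * @param refreshTokenJWT the JWT-encoded refresh token
     * @return the new token response
     * @throws KeycloakClientException if the endpoint cannot be found or the refresh fails
     */
    @Override
    public TokenResponse refreshToken(String clientId, String clientSecret, String refreshTokenJWT) throws KeycloakClientException {
        return refreshToken(findTokenEndpointURL(), clientId, clientSecret, refreshTokenJWT);
    }

    /**
     * Posts a {@code refresh_token} grant to the given endpoint.
     *
     * @param tokenURL the token endpoint; must not be {@code null}
     * @param clientId the client id; must not be {@code null} or empty
     * @param clientSecret the client secret, or {@code null} or empty to omit it
     * @param refreshTokenJWT the JWT-encoded refresh token; must not be {@code null} or empty
     * @return the new token response
     * @throws KeycloakClientException if an argument is rejected, the request cannot be built or
     *         sent, the server answers with a non-success status, or the response cannot be parsed
     */
    @Override
    public TokenResponse refreshToken(URL tokenURL, String clientId, String clientSecret, String refreshTokenJWT) throws KeycloakClientException {
        if (tokenURL == null) {
            throw new KeycloakClientException("Token URL must be not null");
        }
        if (clientId == null || clientId.isEmpty()) {
            throw new KeycloakClientException("Client id must be not null nor empty");
        }
        // The emptiness test must look at the refresh token itself (it used to re-test the
        // client id, which let an empty refresh token through).
        if (refreshTokenJWT == null || refreshTokenJWT.isEmpty()) {
            throw new KeycloakClientException("Refresh token JWT encoded string must be not null nor empty");
        }
        logger.debug("Refreshing token from Keycloak server with URL: {}", tokenURL);
        GXHTTPStringRequest request;
        try {
            HashMap<String, String> params = new HashMap<>();
            params.put(OIDCConstants.GRANT_TYPE_PARAMETER, "refresh_token");
            // Encoding leaves a well-formed JWT unchanged and stops a malformed value from
            // adding extra form parameters to the body.
            params.put("refresh_token", urlEncode(refreshTokenJWT));
            params.put(OIDCConstants.CLIENT_ID_PARAMETER, urlEncode(clientId));
            if (clientSecret != null && !clientSecret.isEmpty()) {
                params.put(OIDCConstants.CLIENT_SECRET_PARAMETER, urlEncode(clientSecret));
            }
            String body = params.entrySet().stream()
                    .map(entry -> entry.getKey() + "=" + entry.getValue())
                    .collect(Collectors.joining("&"));
            request = GXHTTPStringRequest.newRequest(tokenURL.toString())
                    .header("Content-Type", "application/x-www-form-urlencoded")
                    .withBody(body);
            request.isExternalCall(true);
        } catch (Exception e) {
            throw new KeycloakClientException("Cannot construct the request object correctly", e);
        }
        return postForToken(request);
    }
}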
