package io.jans.kc.api.admin.client;

import io.jans.kc.api.admin.client.model.AuthenticationFlow;
import io.jans.kc.api.admin.client.model.ManagedSamlClient;
import io.jans.kc.api.admin.client.model.ProtocolMapper;
import io.jans.saml.metadata.model.EntityDescriptor;
import io.jans.saml.metadata.model.KeyDescriptor;
import io.jans.saml.metadata.model.SAMLBinding;
import io.jans.saml.metadata.model.SPSSODescriptor;
import io.jans.saml.metadata.model.ds.X509Data;
import jakarta.ws.rs.client.Client;
import jakarta.ws.rs.client.ClientBuilder;
import jakarta.ws.rs.core.Response;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;
import org.jboss.resteasy.client.jaxrs.engines.ApacheHttpClient43Engine;
import org.keycloak.admin.client.Keycloak;
import org.keycloak.admin.client.KeycloakBuilder;
import org.keycloak.admin.client.resource.ClientResource;
import org.keycloak.admin.client.resource.ClientsResource;
import org.keycloak.admin.client.resource.RealmResource;
import org.keycloak.representations.idm.AuthenticationFlowRepresentation;
import org.keycloak.representations.idm.ClientRepresentation;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/jans/kc/api/admin/client/KeycloakApi.class */
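/**
 * Thin wrapper over the Keycloak admin client for provisioning "managed" SAML clients
 * from an SP's {@link EntityDescriptor} (SAML metadata).
 *
 * <p>A managed client is recognised purely by its name ({@code managed_saml_client_<ref>},
 * see {@link #MANAGED_SAML_CLIENT_NAME_REGEX}); the part after the prefix is the caller's
 * external reference. Everything SAML-related on the client (clientId, redirect URIs,
 * signing/encryption certificates and flags) is copied from the metadata without further
 * validation, so the metadata handed to this class must already come from a trusted
 * source. Only the first {@code SPSSODescriptor} and the first signing / encryption
 * {@code KeyDescriptor} are consulted.
 *
 * <p>Admin access is obtained with the resource-owner password grant
 * ({@code grantType("password")}) using the username/password from
 * {@link KeycloakConfiguration}; the resulting {@link Keycloak} instance is held open for
 * the lifetime of this object and no close method is exposed.
 */
public class KeycloakApi {
    private static final String SAML_PROTOCOL = "saml";
    private static final String MANAGED_SAML_CLIENT_NAME_FORMAT = "managed_saml_client_%s";
    // The "#REF" line is a marker for operators; the client is re-written by updateManagedSamlClient.
    private static final String MANAGED_SAML_CLIENT_DESC_FORMAT = "#REF %s.\r\n!!! DO NOT ALTER THIS CLIENT MANUALLY!!!";
    private static final String BROWSER_AUTHN_FLOW_KEY = "browser";
    private static final int DEFAULT_CONNPOOL_SIZE = 5;
    // NOTE: larger than DEFAULT_CONNPOOL_SIZE, so the total pool size is the effective cap.
    private static final int DEFAULT_MAX_CONN_PER_ROUTE = 100;
    // Any external reference outside [a-zA-Z0-9-] can never be found again by findAllManagedSamlClients,
    // which is why createManagedSamlClient validates the generated name against this pattern.
    private static final Pattern MANAGED_SAML_CLIENT_NAME_REGEX = Pattern.compile("^managed_saml_client_([a-zA-Z0-9\\-]+)$");
    private static final Logger log = LoggerFactory.getLogger(KeycloakApi.class);

    private final Keycloak keycloak;

    private KeycloakApi(Keycloak keycloak) {
        this.keycloak = keycloak;
    }

    /**
     * Looks up an authentication flow by its exact (case-sensitive) alias.
     *
     * @param realmName realm to search
     * @param alias     flow alias, compared with {@code equals}
     * @return the flow, or {@code null} when no flow has that alias
     * @throws KeycloakAdminClientApiError if the admin call fails
     */
    public AuthenticationFlow getAuthenticationFlowFromAlias(String realmName, String alias) {
        try {
            return realmByName(realmName).flows().getFlows().stream()
                    .filter(flow -> flow.getAlias() != null && flow.getAlias().equals(alias))
                    .findFirst()
                    .map(AuthenticationFlow::new)
                    .orElse(null);
        } catch (Exception e) {
            throw new KeycloakAdminClientApiError("Could not find authentication flow with alias " + alias, e);
        }
    }

    /**
     * Returns every SAML client in the realm whose name matches the managed-client pattern.
     * Clients without a name (allowed by Keycloak) are skipped instead of failing the whole call.
     *
     * @param realmName realm to list
     * @return mutable list of managed clients, empty if none
     * @throws KeycloakAdminClientApiError if the admin call fails
     */
    public List<ManagedSamlClient> findAllManagedSamlClients(String realmName) {
        try {
            List<ClientRepresentation> allClients = realmByName(realmName).clients().findAll();
            log.debug("Clients from realm count : {}", allClients.size());
            return allClients.stream()
                    .filter(KeycloakApi::isManagedSamlClientRepresentation)
                    .map(KeycloakApi::toManagedSamlClient)
                    .collect(Collectors.toList());
        } catch (Exception e) {
            throw new KeycloakAdminClientApiError("Could not get managed clients", e);
        }
    }

    /**
     * Deletes a managed client by its Keycloak id.
     *
     * @throws KeycloakAdminClientApiError if the client cannot be removed (including when it no longer exists)
     */
    public void deleteManagedSamlClient(String realmName, ManagedSamlClient client) {
        try {
            ClientResource resource = realmByName(realmName).clients().get(client.keycloakId());
            if (resource != null) {
                resource.remove();
            }
        } catch (Exception e) {
            throw new KeycloakAdminClientApiError("Could not delete managed saml client", e);
        }
    }

    /**
     * Creates a managed SAML client from SP metadata.
     *
     * <p>The SP's entityId becomes the Keycloak clientId, its assertion consumer services become
     * the redirect URIs, and its first signing / encryption certificates are installed on the client.
     *
     * @param realmName   realm to create the client in
     * @param externalRef caller's reference, embedded in the client name; must match {@code [a-zA-Z0-9-]+}
     * @param browserFlow authentication flow bound as the client's browser flow
     * @param spMetadata  SP metadata, trusted as-is
     * @return the new client with its Keycloak id populated
     * @throws KeycloakAdminClientApiError if the reference is unusable, Keycloak rejects the client, or the call fails
     */
    public ManagedSamlClient createManagedSamlClient(String realmName, String externalRef, AuthenticationFlow browserFlow, EntityDescriptor spMetadata) {
        try {
            String name = managedSamlClientName(externalRef);
            // Reject references the lookup regex cannot parse; otherwise the client would be created but orphaned.
            if (externalRef == null || externalRef.isBlank() || !MANAGED_SAML_CLIENT_NAME_REGEX.matcher(name).matches()) {
                throw new KeycloakAdminClientApiError("Invalid external reference for managed saml client: " + externalRef);
            }
            ClientsResource clients = realmByName(realmName).clients();
            ClientRepresentation representation = new ClientRepresentation();
            ManagedSamlClient client = new ManagedSamlClient(representation, externalRef);
            configureBasicManagedClientProperties(name, managedSamlClientDescription(externalRef), spMetadata.getEntityId(), client);
            configureSamlRedirectUris(spMetadata, client);
            configureSamlEncryptionAndSigning(spMetadata, client);
            configureKeycloakAuthentication(browserFlow, client);
            // Response is AutoCloseable; closing it releases the pooled HTTP connection.
            try (Response response = clients.create(representation)) {
                int status = response.getStatus();
                if (status != Response.Status.CREATED.getStatusCode()) {
                    throw new KeycloakAdminClientApiError(String.format("Could not create managed saml client(http code %d). %s.", status, response.readEntity(String.class)));
                }
            }
            List<ClientRepresentation> created = clients.findByClientId(client.clientId());
            if (created.isEmpty()) {
                throw new KeycloakAdminClientApiError("Managed saml client was created but cannot be found by clientId " + client.clientId());
            }
            client.setKeycloakId(created.get(0).getId());
            return client;
        } catch (KeycloakAdminClientApiError e) {
            // Already carries the specific message (e.g. the HTTP status); do not re-wrap it.
            throw e;
        } catch (Exception e) {
            throw new KeycloakAdminClientApiError("Could not create managed saml client", e);
        }
    }

    /**
     * Re-applies SP metadata to an existing managed client and pushes the result to Keycloak.
     *
     * <p>The client name is left untouched (it carries the external reference) and the browser-flow
     * binding is not changed here. Certificates are only replaced when the new metadata carries a
     * key; an existing certificate is not cleared if the new metadata has none.
     *
     * @throws KeycloakAdminClientApiError if the update fails
     */
    public void updateManagedSamlClient(String realmName, ManagedSamlClient client, EntityDescriptor spMetadata) {
        try {
            ClientResource resource = realmByName(realmName).clients().get(client.keycloakId());
            configureBasicManagedClientProperties(null, managedSamlClientDescription(client.externalRef()), spMetadata.getEntityId(), client);
            configureSamlRedirectUris(spMetadata, client);
            configureSamlEncryptionAndSigning(spMetadata, client);
            resource.update(client.clientRepresentation());
        } catch (Exception e) {
            throw new KeycloakAdminClientApiError("Could not update managed saml client", e);
        }
    }

    /**
     * Adds protocol mappers to a managed client.
     *
     * @throws KeycloakAdminClientApiError if the admin call fails (the cause is attached; nothing is printed to stderr)
     */
    public void addProtocolMappersToManagedSamlClient(String realmName, ManagedSamlClient client, List<ProtocolMapper> mappers) {
        try {
            realmByName(realmName).clients().get(client.keycloakId()).getProtocolMappers()
                    .createMapper(mappers.stream().map(ProtocolMapper::representation).toList());
        } catch (Exception e) {
            throw new KeycloakAdminClientApiError("Could not add protocol mapper to managed saml client", e);
        }
    }

    /**
     * Replaces a single protocol mapper (matched by id) on a managed client.
     *
     * @throws KeycloakAdminClientApiError if the admin call fails
     */
    public void updateManagedSamlClientProtocolMapper(String realmName, ManagedSamlClient client, ProtocolMapper mapper) {
        try {
            realmByName(realmName).clients().get(client.keycloakId()).getProtocolMappers()
                    .update(mapper.getId(), mapper.representation());
        } catch (Exception e) {
            throw new KeycloakAdminClientApiError("Could not update protocol mapper for managed saml client", e);
        }
    }

    /**
     * Lists the SAML protocol mappers of a managed client.
     *
     * @return unmodifiable list, empty if none
     * @throws KeycloakAdminClientApiError if the admin call fails
     */
    public List<ProtocolMapper> getManagedSamlClientProtocolMappers(String realmName, ManagedSamlClient client) {
        try {
            return realmByName(realmName).clients().get(client.keycloakId()).getProtocolMappers()
                    .getMappersPerProtocol(ProtocolMapper.Protocol.SAML.value()).stream()
                    .map(ProtocolMapper::new)
                    .toList();
        } catch (Exception e) {
            throw new KeycloakAdminClientApiError("Could not get managed saml client protocol mappers", e);
        }
    }

    /**
     * Deletes a single protocol mapper (by id) from a managed client.
     *
     * @throws KeycloakAdminClientApiError if the admin call fails
     */
    public void deleteManagedSamlClientProtocolMapper(String realmName, ManagedSamlClient client, ProtocolMapper mapper) {
        try {
            realmByName(realmName).clients().get(client.keycloakId()).getProtocolMappers().delete(mapper.getId());
        } catch (Exception e) {
            throw new KeycloakAdminClientApiError("Could not delete managed saml client protocol mapper", e);
        }
    }

    /** Sets name / description / clientId, each only when non-null so callers can leave a field as-is. */
    private void configureBasicManagedClientProperties(String name, String description, String clientId, ManagedSamlClient client) {
        if (name != null) {
            client.setName(name);
        }
        if (description != null) {
            client.setDescription(description);
        }
        if (clientId != null) {
            client.setClientId(clientId);
        }
    }

    /**
     * Copies the SP's HTTP-POST / HTTP-Redirect assertion consumer service locations to the client's
     * redirect URIs and forces the POST binding when the SP advertises no HTTP-Redirect ACS at all.
     * Locations are taken verbatim from the metadata (no scheme or host checks); Keycloak will deliver
     * assertions to them, so they are only as trustworthy as the metadata source.
     */
    private void configureSamlRedirectUris(EntityDescriptor spMetadata, ManagedSamlClient client) {
        SPSSODescriptor sp = spMetadata.getFirstSpssoDescriptor();
        if (sp == null) {
            return;
        }
        var acsEndpoints = sp.getAssertionConsumerServices();
        client.setSamlRedirectUris(acsEndpoints.stream()
                .filter(endpoint -> endpoint.getBinding() == SAMLBinding.HTTP_REDIRECT || endpoint.getBinding() == SAMLBinding.HTTP_POST)
                .map(endpoint -> endpoint.getLocation())
                .toList());
        boolean hasRedirectAcs = acsEndpoints.stream().anyMatch(endpoint -> endpoint.getBinding() == SAMLBinding.HTTP_REDIRECT);
        // Same rule as before: at least one ACS and none of them uses HTTP-Redirect.
        client.samlForcePostBinding(!acsEndpoints.isEmpty() && !hasRedirectAcs);
    }

    /**
     * Applies the SP's AuthnRequestsSigned / WantAssertionsSigned flags and installs its first
     * signing and first encryption certificate. Additional keys (e.g. for rollover) are ignored.
     */
    private void configureSamlEncryptionAndSigning(EntityDescriptor spMetadata, ManagedSamlClient client) {
        SPSSODescriptor sp = spMetadata.getFirstSpssoDescriptor();
        if (sp == null) {
            return;
        }
        client.samlClientSignatureRequired(sp.getAuthnRequestsSigned());
        client.samlSignAssertions(sp.getWantAssertionsSigned());
        var signingKeys = sp.getSigningKeys();
        if (!signingKeys.isEmpty()) {
            configureSamlSigningKey((KeyDescriptor) signingKeys.get(0), client);
        }
        var encryptionKeys = sp.getEncryptionKeys();
        if (!encryptionKeys.isEmpty()) {
            configureSamlEncryptionKey((KeyDescriptor) encryptionKeys.get(0), client);
        }
    }

    /**
     * Installs the SP signing certificate. Once an X509Data element is present, request signatures
     * are required regardless of the AuthnRequestsSigned flag (fail closed even if the element
     * turns out to carry no certificate, which is logged).
     */
    private void configureSamlSigningKey(KeyDescriptor keyDescriptor, ManagedSamlClient client) {
        Optional<X509Data> x509Data = firstX509Data(keyDescriptor);
        if (x509Data.isEmpty()) {
            return;
        }
        var certificate = x509Data.get().getFirstX509Certificate();
        if (certificate == null) {
            log.warn("SP signing KeyDescriptor has X509Data but no X509Certificate; client signature will be required without a certificate");
        }
        client.samlClientSignatureRequired(true);
        client.samlClientSigningCertificate(certificate);
    }

    /** Installs the SP encryption certificate and turns on assertion encryption when an X509Data element is present. */
    private void configureSamlEncryptionKey(KeyDescriptor keyDescriptor, ManagedSamlClient client) {
        Optional<X509Data> x509Data = firstX509Data(keyDescriptor);
        if (x509Data.isEmpty()) {
            return;
        }
        var certificate = x509Data.get().getFirstX509Certificate();
        if (certificate == null) {
            log.warn("SP encryption KeyDescriptor has X509Data but no X509Certificate; assertion encryption enabled without a certificate");
        }
        client.samlEncryptAssertions(true);
        client.samlClientEncryptionCertificate(certificate);
    }

    /** First {@code ds:X509Data} entry of the descriptor's KeyInfo; other KeyInfo children are skipped rather than cast. */
    private static Optional<X509Data> firstX509Data(KeyDescriptor keyDescriptor) {
        return keyDescriptor.getKeyInfo().getDatalist().stream()
                .filter(X509Data.class::isInstance)
                .map(X509Data.class::cast)
                .findFirst();
    }

    /** Binds the given flow as the client's browser flow. */
    private void configureKeycloakAuthentication(AuthenticationFlow flow, ManagedSamlClient client) {
        client.setBrowserFlow(flow.getId());
    }

    /** Case-insensitive alias lookup; flows without an alias are skipped instead of throwing. */
    private Optional<AuthenticationFlowRepresentation> authnFlowFromAlias(RealmResource realm, String alias) {
        return realm.flows().getFlows().stream()
                .filter(flow -> flow.getAlias() != null && flow.getAlias().equalsIgnoreCase(alias))
                .findFirst();
    }

    private RealmResource realmByName(String realmName) {
        return this.keycloak.realm(realmName);
    }

    /** Case-insensitive alias lookup by realm name; returns empty (never {@code null}) when nothing matches. */
    private Optional<AuthenticationFlowRepresentation> authnFlowByName(String realmName, String alias) {
        RealmResource realm = this.keycloak.realm(realmName);
        if (realm == null) {
            return Optional.empty();
        }
        return authnFlowFromAlias(realm, alias);
    }

    /**
     * Builds an instance and probes the server once ({@code serverInfo().getInfo()}) so a wrong URL
     * or bad credentials fail here rather than on first use.
     *
     * @throws KeycloakConfigurationError wrapping any runtime failure of client construction or the probe
     */
    public static KeycloakApi createInstance(KeycloakConfiguration configuration) {
        try {
            Keycloak instance = createKeycloakInstance(configuration);
            instance.serverInfo().getInfo();
            return new KeycloakApi(instance);
        } catch (RuntimeException e) {
            // Transport/auth failures from the probe are runtime exceptions too, not just IllegalStateException.
            throw new KeycloakConfigurationError("Could not create keycloak instance", e);
        }
    }

    /** Admin client using the password grant with the configured user; credentials are never logged here. */
    private static Keycloak createKeycloakInstance(KeycloakConfiguration configuration) throws IllegalStateException {
        return KeycloakBuilder.builder()
                .serverUrl(configuration.serverUrl())
                .realm(configuration.realm())
                .username(configuration.username())
                .password(configuration.password())
                .clientId(configuration.clientId())
                .grantType("password")
                .resteasyClient(createResteasyClient(configuration))
                .build();
    }

    /**
     * Pooled HTTP client for the admin API. A missing or non-positive pool size falls back to the default.
     * NOTE(review): no connect/socket timeout is configured, so a hung Keycloak will block the caller
     * indefinitely; setting a RequestConfig with timeouts needs org.apache.http.client.config, not imported here.
     */
    private static Client createResteasyClient(KeycloakConfiguration configuration) {
        Integer configured = configuration.connPoolSize();
        int maxTotal = (configured == null || configured <= 0) ? DEFAULT_CONNPOOL_SIZE : configured;
        PoolingHttpClientConnectionManager connectionManager = new PoolingHttpClientConnectionManager();
        connectionManager.setMaxTotal(maxTotal);
        connectionManager.setDefaultMaxPerRoute(DEFAULT_MAX_CONN_PER_ROUTE);
        CloseableHttpClient httpClient = HttpClients.custom().setConnectionManager(connectionManager).build();
        return ClientBuilder.newBuilder().httpEngine(new ApacheHttpClient43Engine(httpClient)).build();
    }

    /** True for SAML clients whose name has the managed-client shape; clients with a null name are not managed. */
    private static boolean isManagedSamlClientRepresentation(ClientRepresentation representation) {
        String name = representation.getName();
        return name != null
                && SAML_PROTOCOL.equalsIgnoreCase(representation.getProtocol())
                && MANAGED_SAML_CLIENT_NAME_REGEX.matcher(name).matches();
    }

    /** Extracts the external reference from the client name; {@code null} if the name does not match. */
    private static ManagedSamlClient toManagedSamlClient(ClientRepresentation representation) {
        String name = representation.getName();
        if (name == null) {
            return null;
        }
        Matcher matcher = MANAGED_SAML_CLIENT_NAME_REGEX.matcher(name);
        return matcher.matches() ? new ManagedSamlClient(representation, matcher.group(1)) : null;
    }

    private static String managedSamlClientName(String externalRef) {
        return String.format(MANAGED_SAML_CLIENT_NAME_FORMAT, externalRef);
    }

    private static String managedSamlClientDescription(String externalRef) {
        return String.format(MANAGED_SAML_CLIENT_DESC_FORMAT, externalRef);
    }

    /** Flow-binding override map ({@code browser} -> flow id); a plain HashMap so a null id is tolerated. */
    private static Map<String, String> authnFlowBindingOverrides(AuthenticationFlowRepresentation flow) {
        Map<String, String> overrides = new HashMap<>();
        overrides.put(BROWSER_AUTHN_FLOW_KEY, flow.getId());
        return overrides;
    }
}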
