package de.governikus.autent.eudiwallet.keycloak.provider.granttypes;

import de.governikus.autent.eudiwallet.keycloak.constants.UtilityMethods;
import de.governikus.autent.eudiwallet.keycloak.database.AuthenticationFlowRepository;
import de.governikus.autent.eudiwallet.keycloak.endpoints.WebAppExceptionHandler;
import jakarta.ws.rs.WebApplicationException;
import jakarta.ws.rs.core.MediaType;
import jakarta.ws.rs.core.Response;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.keycloak.authentication.AuthenticationFlowException;
import org.keycloak.authentication.AuthenticationProcessor;
import org.keycloak.events.EventType;
import org.keycloak.models.AuthenticatedClientSessionModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.ClientScopeModel;
import org.keycloak.models.ClientSessionContext;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.oidc.TokenManager;
import org.keycloak.protocol.oidc.grants.OAuth2GrantType;
import org.keycloak.protocol.oidc.grants.OAuth2GrantTypeBase;
import org.keycloak.rar.AuthorizationRequestContext;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.AccessTokenResponse;
import org.keycloak.services.Urls;
import org.keycloak.services.cors.Cors;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.managers.AuthenticationSessionManager;
import org.keycloak.sessions.AuthenticationSessionModel;
import org.keycloak.sessions.CommonClientSessionModel;
import org.keycloak.util.BasicAuthHelper;
import org.keycloak.utils.OAuth2Error;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:de/governikus/autent/eudiwallet/keycloak/provider/granttypes/SeedCredentialGrantType.class */
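/**
 * Keycloak {@code OAuth2GrantType} implementation for the custom
 * {@code urn:ietf:params:oauth:grant-type:seed_credential} grant.
 *
 * <p>The grant runs the realm's {@code credential-authentication-flow} against a freshly created
 * authentication session that carries the submitted {@code seed_credential} as a client note, and
 * on success issues an access token whose {@code scope} is replaced by the space-joined values of
 * the user's {@code VerifiableCredential} attribute. Errors are mapped to OAuth2 error responses
 * via {@link WebAppExceptionHandler}.
 *
 * <p>Not thread-safe: an instance holds request-scoped state inherited from
 * {@link OAuth2GrantTypeBase} plus a lazily created {@link OAuth2Error}.
 */
public class SeedCredentialGrantType extends OAuth2GrantTypeBase implements WebAppExceptionHandler {
    private static final Logger log = LoggerFactory.getLogger(SeedCredentialGrantType.class);

    /** Grant type URN recorded in the event and in the issued access token. */
    private static final String GRANT_TYPE = "urn:ietf:params:oauth:grant-type:seed_credential";
    /** Alias of the realm authentication flow that validates the seed credential. */
    private static final String FLOW_ALIAS = "credential-authentication-flow";
    /** Form parameter / client note under which the seed credential is transported. */
    private static final String SEED_CREDENTIAL = "seed_credential";
    /** User attribute whose values become the token scope. */
    private static final String VERIFIABLE_CREDENTIAL_ATTRIBUTE = "VerifiableCredential";

    /** Lazily built error helper, see {@link #getOAuth2Error()}. */
    private OAuth2Error oAuth2Error;

    /**
     * {@link ClientSessionContext} decorator that delegates everything to the wrapped context except
     * {@link #getScopeString()}, which returns a caller-supplied scope string instead.
     *
     * <p>Used so that the token response builder sees the user's verifiable-credential values as
     * the scope of the client session.
     */
    public class ClientSessionCredentialContextWrapper implements ClientSessionContext {
        private final ClientSessionContext delegate;
        private final String scope;

        /**
         * @param seedCredentialGrantType owning grant type (unused; kept for signature compatibility)
         * @param clientSessionContext context to delegate to
         * @param str scope string to report from {@link #getScopeString()}
         */
        public ClientSessionCredentialContextWrapper(SeedCredentialGrantType seedCredentialGrantType, ClientSessionContext clientSessionContext, String str) {
            this.delegate = clientSessionContext;
            this.scope = str;
        }

        /** Returns the overriding scope string passed at construction, not the delegate's. */
        @Override
        public String getScopeString() {
            return this.scope;
        }

        @Override
        public AuthenticatedClientSessionModel getClientSession() {
            return this.delegate.getClientSession();
        }

        @Override
        public Set<String> getClientScopeIds() {
            return this.delegate.getClientScopeIds();
        }

        @Override
        public Stream<ClientScopeModel> getClientScopesStream() {
            return this.delegate.getClientScopesStream();
        }

        @Override
        public Stream<RoleModel> getRolesStream() {
            return this.delegate.getRolesStream();
        }

        @Override
        public Stream<ProtocolMapperModel> getProtocolMappersStream() {
            return this.delegate.getProtocolMappersStream();
        }

        /** The boolean variant is NOT overridden with the custom scope; it goes to the delegate. */
        @Override
        public String getScopeString(boolean z) {
            return this.delegate.getScopeString(z);
        }

        @Override
        public void setAttribute(String str, Object obj) {
            this.delegate.setAttribute(str, obj);
        }

        @Override
        public <T> T getAttribute(String str, Class<T> cls) {
            return this.delegate.getAttribute(str, cls);
        }

        @Override
        public AuthorizationRequestContext getAuthorizationRequestContext() {
            return this.delegate.getAuthorizationRequestContext();
        }
    }

    /**
     * {@link TokenManager} that stamps every client access token with a {@code grant_type} claim
     * naming this grant, so downstream consumers can tell seed-credential tokens apart.
     */
    public class TokenManagerWrapper extends TokenManager {

        /** @param seedCredentialGrantType owning grant type (unused; kept for signature compatibility) */
        public TokenManagerWrapper(SeedCredentialGrantType seedCredentialGrantType) {
        }

        /**
         * Delegates to {@link TokenManager#createClientAccessToken} and adds the {@code grant_type}
         * claim to the resulting token's other claims.
         */
        @Override
        public AccessToken createClientAccessToken(KeycloakSession keycloakSession, RealmModel realmModel, ClientModel clientModel, UserModel userModel, UserSessionModel userSessionModel, ClientSessionContext clientSessionContext) {
            AccessToken token = super.createClientAccessToken(keycloakSession, realmModel, clientModel, userModel, userSessionModel, clientSessionContext);
            token.getOtherClaims().put("grant_type", GRANT_TYPE);
            return token;
        }
    }

    /** @return the CORS helper of the current grant context */
    @Override // de.governikus.autent.eudiwallet.keycloak.endpoints.WebAppExceptionHandler
    public Cors getCors() {
        return this.context.getCors();
    }

    /**
     * Returns the per-request {@link OAuth2Error} helper, creating it on first use.
     *
     * <p>The helper is bound to the current realm and CORS settings and configured for JSON output.
     */
    @Override // de.governikus.autent.eudiwallet.keycloak.endpoints.WebAppExceptionHandler
    public OAuth2Error getOAuth2Error() {
        if (this.oAuth2Error == null) {
            RealmModel currentRealm = this.context.getSession().getContext().getRealm();
            this.oAuth2Error = new OAuth2Error().json(false).realm(currentRealm);
            this.oAuth2Error.cors(this.cors).json(true);
        }
        return this.oAuth2Error;
    }

    /** @return {@link EventType#LOGIN}; the grant is recorded as a login event */
    @Override
    public EventType getEventType() {
        return EventType.LOGIN;
    }

    /**
     * Entry point invoked by the token endpoint.
     *
     * <p>Authentication-flow failures and {@link WebApplicationException}s are turned into their
     * respective error responses. Any other exception yields a generic internal-server error; its
     * message is logged but deliberately not echoed to the client, since it may contain internal
     * details (database, configuration, stack state).
     *
     * @param context grant context supplied by Keycloak
     * @return the token response or an error response
     */
    @Override
    public Response process(OAuth2GrantType.Context context) {
        setContext(context);
        try {
            return processGrantType(context);
        } catch (AuthenticationFlowException e) {
            log.error(e.getMessage(), e);
            return getUnauthorizedException(e).getResponse();
        } catch (WebApplicationException e) {
            log.error(e.getMessage(), e);
            return e.getResponse();
        } catch (Exception e) {
            // Unexpected failure: keep the full stack trace server-side, send a neutral description.
            log.error(e.getMessage(), e);
            return getInternalServerException("unexpected error while processing the seed credential grant").getResponse();
        }
    }

    /**
     * Runs the seed-credential authentication flow and, on success, builds the token response.
     *
     * @param context grant context (its client is (re)resolved from the request here)
     * @return the token response, or the flow's own response when authentication did not complete
     * @throws IllegalArgumentException if the {@value #FLOW_ALIAS} flow does not exist in the realm
     */
    private Response processGrantType(OAuth2GrantType.Context context) {
        this.event.detail("auth_method", GRANT_TYPE);
        // NOTE(review): only the context's client is updated here; this.client was captured by
        // setContext(context) in process() and is what createAuthenticationSession() below uses.
        context.setClient(this.session.clients().getClientByClientId(this.realm, resolveClientId(context)));
        this.tokenManager = getTokenManagerWrapper(this.tokenManager);

        AuthenticationSessionManager authSessionManager = new AuthenticationSessionManager(this.session);
        AuthenticationSessionModel authSession = authSessionManager
            .createAuthenticationSession(this.realm, false)
            .createAuthenticationSession(this.client);
        // The seed credential travels to the flow's authenticators as a client note (may be null if absent).
        authSession.setClientNote(SEED_CREDENTIAL, (String) this.formParams.getFirst(SEED_CREDENTIAL));
        authSession.setProtocol("openid-connect");
        authSession.setAction(CommonClientSessionModel.Action.AUTHENTICATE.name());
        authSession.setClientNote("iss", Urls.realmIssuer(this.session.getContext().getUri().getBaseUri(), this.realm.getName()));

        String flowId = AuthenticationFlowRepository
            .getAuthFlowByAlias(UtilityMethods.getEntityManager(this.session), this.realm, FLOW_ALIAS)
            .orElseThrow(() -> new IllegalArgumentException(String.format("No AuthenticationFlowModel found with name '%s'", FLOW_ALIAS)))
            .getId();

        AuthenticationProcessor processor = new AuthenticationProcessor();
        processor.setAuthenticationSession(authSession)
            .setFlowId(flowId)
            .setFlowPath("token")
            .setConnection(this.clientConnection)
            .setEventBuilder(this.event)
            .setRealm(this.realm)
            .setSession(this.session)
            .setUriInfo(this.session.getContext().getUri())
            .setRequest(this.request);

        // A non-null response means the flow ended without a completed authentication (challenge/error).
        Response flowResponse = processor.authenticateOnly();
        if (flowResponse != null) {
            authSessionManager.removeAuthenticationSession(this.realm, authSession, false);
            this.cors.add();
            return flowResponse;
        }

        AuthenticationManager.setClientScopesInSession(this.session, authSession);
        ClientSessionContext clientSessionContext = processor.attachSession();
        UserSessionModel userSession = processor.getUserSession();
        updateUserSessionFromClientAuth(userSession);

        // The user's VerifiableCredential attribute values become the token/response scope.
        String credentialScope = userSession.getUser()
            .getAttributeStream(VERIFIABLE_CREDENTIAL_ATTRIBUTE)
            .collect(Collectors.joining(" "));
        ClientSessionContext scopedContext = new ClientSessionCredentialContextWrapper(this, clientSessionContext, credentialScope);
        TokenManager.AccessTokenResponseBuilder responseBuilder =
            this.tokenManager.responseBuilder(this.realm, this.client, this.event, this.session, userSession, scopedContext);
        responseBuilder.generateAccessToken();
        AccessTokenResponse tokenResponse = responseBuilder.build();
        tokenResponse.setScope(credentialScope);

        this.event.success();
        AuthenticationManager.logSuccess(this.session, authSession);
        return this.cors.add(Response.ok(tokenResponse, MediaType.APPLICATION_JSON_TYPE));
    }

    /**
     * Determines the client id: the {@code client_id} form parameter if present, otherwise the
     * username part of an RFC 6749 Basic {@code Authorization} header.
     *
     * @return the client id, or {@code null} if neither source provides one
     */
    private String resolveClientId(OAuth2GrantType.Context context) {
        String fromForm = (String) this.formParams.getFirst("client_id");
        if (fromForm != null) {
            return fromForm;
        }
        String authorization = context.getHeaders().getHeaderString("Authorization");
        if (authorization == null) {
            return null;
        }
        String[] basicCredentials = BasicAuthHelper.RFC6749.parseHeader(authorization);
        return basicCredentials == null ? null : basicCredentials[0];
    }

    /**
     * Ensures the given token manager is a {@link TokenManagerWrapper}.
     *
     * @param tokenManager current token manager, possibly already wrapped
     * @return {@code tokenManager} itself if it is already a wrapper, otherwise a new wrapper
     */
    public TokenManager getTokenManagerWrapper(TokenManager tokenManager) {
        if (tokenManager instanceof TokenManagerWrapper) {
            return tokenManager;
        }
        return new TokenManagerWrapper(this);
    }
}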
