package de.governikus.autent.eudiwallet.keycloak.endpoints;

import com.fasterxml.jackson.core.JsonProcessingException;
import de.governikus.autent.eudiwallet.keycloak.constants.Constants;
import de.governikus.autent.eudiwallet.keycloak.database.ClientScopeRepository;
import de.governikus.autent.eudiwallet.keycloak.provider.authflow.preauthcode.ElsterPreAuthcodeParserFactory;
import de.governikus.autent.eudiwallet.keycloak.provider.signingservices.JwtJsonSigningProvider;
import jakarta.ws.rs.ForbiddenException;
import jakarta.ws.rs.POST;
import jakarta.ws.rs.core.MediaType;
import jakarta.ws.rs.core.Response;
import java.net.URI;
import java.security.SecureRandom;
import java.util.Map;
import org.apache.commons.lang3.RandomStringUtils;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.UserModel;
import org.keycloak.representations.JsonWebToken;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.util.JsonSerialization;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:de/governikus/autent/eudiwallet/keycloak/endpoints/PushCredentialHandler.class */
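/**
 * Accepts a credential pushed by an authorized service-account client, signs it and parks the
 * result under a freshly generated pre-authorized code so that it can be retrieved later.
 *
 * <p>Construction doubles as the authorization check: only clients whose service account holds the
 * {@value #PUSH_CREDENTIAL_ROLE} realm role get an instance; everybody else receives a
 * {@link ForbiddenException}.
 */
public class PushCredentialHandler {
    private static final Logger log = LoggerFactory.getLogger(PushCredentialHandler.class);

    /** Realm role a service-account client must hold to use this endpoint. */
    private static final String PUSH_CREDENTIAL_ROLE = "push-credential";
    /** Note key under which the signed credential is stored in the single-use object. */
    private static final String PUSH_CREDENTIAL_NOTE = "push-credential";
    /** Lifespan (seconds) of the stored credential; after that the pre-authorized code is void. */
    private static final long PRE_AUTH_CODE_LIFESPAN_SECONDS = 300L;
    /** Code length bounds, minimum inclusive / maximum exclusive — same range as the former randomAlphanumeric(43, 50). */
    private static final int PRE_AUTH_CODE_MIN_LENGTH = 43;
    private static final int PRE_AUTH_CODE_MAX_LENGTH_EXCLUSIVE = 50;
    /** Same alphabet as RandomStringUtils.randomAlphanumeric, so downstream code parsers are unaffected. */
    private static final String ALPHANUMERIC =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
    /** CSPRNG for the pre-authorized code. SecureRandom is thread-safe, so a single shared instance is fine. */
    private static final SecureRandom SECURE_RANDOM = new SecureRandom();

    private final KeycloakSession keycloakSession;

    /**
     * Creates the handler and immediately verifies that the calling client may push credentials.
     *
     * @param keycloakSession current Keycloak session (used for realm, roles, users and single-use objects)
     * @param authResult result of authenticating the incoming bearer token; its client is checked
     * @throws ForbiddenException if the required realm role does not exist, the client has no
     *     service account, or the service account lacks the role
     */
    public PushCredentialHandler(KeycloakSession keycloakSession, AuthenticationManager.AuthResult authResult) {
        this.keycloakSession = keycloakSession;
        authenticateClientAccess(authResult);
    }

    /**
     * Rejects every caller that is not a service-account client holding the push-credential role.
     *
     * @param authResult the authenticated request context whose client is inspected
     * @throws ForbiddenException if any of the checks fails; the message names the failing check
     */
    private void authenticateClientAccess(AuthenticationManager.AuthResult authResult) {
        RealmModel realm = this.keycloakSession.getContext().getRealm();
        ClientModel client = authResult.getClient();
        // A token without a client cannot be a client-credentials token; refuse rather than NPE below.
        if (client == null) {
            throw new ForbiddenException("Cannot perform authentication. No client is associated with the access token.");
        }
        RoleModel realmRole = this.keycloakSession.roles().getRealmRole(realm, PUSH_CREDENTIAL_ROLE);
        if (realmRole == null) {
            throw new ForbiddenException(String.format("Cannot perform authentication. RealmRole '%s' is missing.", PUSH_CREDENTIAL_ROLE));
        }
        UserModel serviceAccount = this.keycloakSession.users().getServiceAccount(client);
        if (serviceAccount == null) {
            throw new ForbiddenException(String.format("Client '%s' is not a service account client (ClientCredentialsGrant).", client.getClientId()));
        }
        if (!serviceAccount.hasRole(realmRole)) {
            throw new ForbiddenException(String.format("Client '%s' does not have the role '%s'", client.getClientId(), PUSH_CREDENTIAL_ROLE));
        }
    }

    /**
     * Signs the pushed credential and stores it under a new pre-authorized code.
     *
     * @param str raw request body, expected to be the JSON form of a {@link JsonWebToken}; it is
     *     forced to the LPID scope type before signing
     * @return 201 with the pre-authorized code as text/plain on success, 400 (text/plain) if the
     *     body cannot be parsed as JSON
     */
    @POST
    public Response handleCredentialPush(String str) {
        try {
            JsonWebToken jsonWebToken = JsonSerialization.mapper.readValue(str, JsonWebToken.class);
            jsonWebToken.type(Constants.Scopes.LPID_SCOPE);
            String signedCredential = new JwtJsonSigningProvider(this.keycloakSession)
                .signCredential(ClientScopeRepository.getClientScopeByName(this.keycloakSession, Constants.Scopes.LPID_SCOPE), jsonWebToken);
            Map<String, String> notes = Map.of(
                PUSH_CREDENTIAL_NOTE, signedCredential,
                Constants.ProtocolAttributes.PRE_AUTH_CODE_TYPE, ElsterPreAuthcodeParserFactory.PROVIDER_ID);
            // Generate the code only after the body parsed, so nothing is drawn for rejected requests.
            String preAuthCode = generatePreAuthCode();
            this.keycloakSession.singleUseObjects().put(preAuthCode, PRE_AUTH_CODE_LIFESPAN_SECONDS, notes);
            // No Location header: the code itself is the handle the caller needs.
            return Response.created((URI) null).entity(preAuthCode).type(MediaType.TEXT_PLAIN_TYPE).build();
        } catch (JsonProcessingException e) {
            // Fixed message instead of e.getMessage() as the format string: the message echoes
            // attacker-controlled body fragments and could contain '{}' placeholders.
            log.debug("Rejected pushed credential: request body is not a parsable JSON web token", e);
            return Response.status(Response.Status.BAD_REQUEST).type(MediaType.TEXT_PLAIN_TYPE).entity("Failed to parse request-body into appropriate JSON").build();
        }
    }

    /**
     * Builds the pre-authorized code returned to the pusher.
     *
     * <p>The code is the sole bearer handle for the stored credential, so it must be unguessable;
     * it is therefore drawn from {@link SecureRandom}. (The static RandomStringUtils helpers are
     * backed by java.util.Random in older commons-lang3 releases.) Alphabet and length range match
     * the previous RandomStringUtils.randomAlphanumeric(43, 50) call.
     *
     * @return an alphanumeric string of 43 to 49 characters
     */
    private static String generatePreAuthCode() {
        int length = PRE_AUTH_CODE_MIN_LENGTH
            + SECURE_RANDOM.nextInt(PRE_AUTH_CODE_MAX_LENGTH_EXCLUSIVE - PRE_AUTH_CODE_MIN_LENGTH);
        StringBuilder code = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            code.append(ALPHANUMERIC.charAt(SECURE_RANDOM.nextInt(ALPHANUMERIC.length())));
        }
        return code.toString();
    }
}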
