package net.bluemind.keycloak.utils;

import com.google.common.base.Strings;
import io.vertx.core.json.JsonObject;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.StringTokenizer;
import net.bluemind.core.api.auth.AuthDomainProperties;
import net.bluemind.core.api.auth.AuthTypes;
import net.bluemind.core.api.fault.ServerFault;
import net.bluemind.core.container.model.ItemValue;
import net.bluemind.core.context.SecurityContext;
import net.bluemind.core.rest.ServerSideServiceProvider;
import net.bluemind.domain.api.Domain;
import net.bluemind.domain.api.DomainSettingsKeys;
import net.bluemind.domain.api.IDomainSettings;
import net.bluemind.domain.api.IDomains;
import net.bluemind.domain.api.IInCoreDomains;
import net.bluemind.keycloak.api.IKeycloakAdmin;
import net.bluemind.keycloak.api.IKeycloakBluemindProviderAdmin;
import net.bluemind.keycloak.api.IKeycloakClientAdmin;
import net.bluemind.keycloak.api.IKeycloakFlowAdmin;
import net.bluemind.keycloak.api.IKeycloakKerberosAdmin;
import net.bluemind.keycloak.api.IKeycloakUids;
import net.bluemind.keycloak.api.KerberosComponent;
import net.bluemind.keycloak.api.OidcClient;
import net.bluemind.keycloak.utils.adapters.BlueMindComponentAdapter;
import net.bluemind.system.api.ISystemConfiguration;
import net.bluemind.system.api.SysConfKeys;
import net.bluemind.system.api.SystemConf;
import net.bluemind.utils.SyncHttpClient;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:net/bluemind/keycloak/utils/KeycloakHelper.class */
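/**
 * Glue between BlueMind domains and Keycloak.
 * <p>
 * For a domain authenticated by Keycloak it creates (or re-creates) the realm, the
 * "browser-bluemind" flow, the BlueMind user-storage provider and the OIDC client, persists the
 * client secret as a domain property and keeps the client's redirect URIs aligned with the
 * configured external / other URLs. For a domain delegating to an external OpenID provider it
 * mirrors the provider's discovery document into the domain properties instead.
 * <p>
 * Every call runs with {@link SecurityContext#SYSTEM}; all methods are static and stateless.
 */
public class KeycloakHelper {
    private static final Logger logger = LoggerFactory.getLogger(KeycloakHelper.class);
    /** Number of probes of the Keycloak master realm before {@link #waitForKeycloak()} gives up. */
    private static final int KEYCLOAK_WAIT_MAX_RETRIES = 8;
    /** Pause between two Keycloak probes, in milliseconds. */
    private static final long KEYCLOAK_WAIT_DELAY_MS = 5000L;
    private static final String GLOBAL_VIRT = "global.virt";
    private static final String HTTPS = "https://";
    private static final String OPENID_PATH = "/auth/openid";
    private static final String MASTER_REALM = "master";
    /** Placeholder redirect URI / base URL used while no external URL is configured. */
    private static final String NO_REDIRECT_URI = "https://configure_external_url_in_bluemind";

    private KeycloakHelper() {
    }

    /**
     * Creates the Keycloak realm, flow, BlueMind provider and OIDC client for a domain, then stores
     * the client secret (and a default {@code AUTH_TYPE} of {@code INTERNAL} when none is set) in the
     * domain properties. When the domain is Kerberos-authenticated the Keycloak Kerberos component
     * and krb5.conf are (re)generated as well.
     *
     * @param domainItem the domain to initialise; its uid is used as realm id
     */
    private static void initKeycloakForDomain(ItemValue<Domain> domainItem) {
        String domainUid = domainItem.uid;
        Domain domain = domainItem.value;
        logger.info("Init Keycloak for domain {}", domainUid);
        ServerSideServiceProvider provider = ServerSideServiceProvider.getProvider(SecurityContext.SYSTEM);
        String clientId = IKeycloakUids.clientId(IKeycloakUids.realmId(domainUid));

        provider.instance(IKeycloakAdmin.class).createRealm(domainUid);
        provider.instance(IKeycloakFlowAdmin.class, domainUid).createByCopying("browser", "browser-bluemind");
        provider.instance(IKeycloakBluemindProviderAdmin.class, domainUid)
                .create(BlueMindComponentAdapter.build(domainUid).component);

        // Work on the domain's own map when it has one so the in-memory Domain stays in sync with
        // what is persisted below; fall back to a fresh map instead of dereferencing null.
        Map<String, String> properties = domain.properties != null ? domain.properties : new HashMap<>();
        if (Strings.isNullOrEmpty(properties.get(AuthDomainProperties.AUTH_TYPE.name()))) {
            properties.put(AuthDomainProperties.AUTH_TYPE.name(), AuthTypes.INTERNAL.name());
        }

        IKeycloakClientAdmin clientAdmin = provider.instance(IKeycloakClientAdmin.class, domainUid);
        clientAdmin.create(clientId);
        // The client secret is a credential: it is persisted as a domain property and must never be logged.
        properties.put(AuthDomainProperties.OPENID_CLIENT_SECRET.name(), clientAdmin.getSecret(clientId));
        provider.instance(IInCoreDomains.class).setProperties(domainUid, properties);

        if (AuthTypes.KERBEROS.name().equals(properties.get(AuthDomainProperties.AUTH_TYPE.name()))) {
            KerberosConfigHelper.createKeycloakKerberosConf(domainItem);
            KerberosConfigHelper.updateKrb5Conf();
        }
    }

    /**
     * Mirrors the external OpenID provider's discovery document (authorization, token and
     * end-session endpoints, JWKS URI, issuer) into the domain properties and persists them when
     * anything changed. A key missing from the document is removed from the properties.
     *
     * @param domainItem a domain whose {@code AUTH_TYPE} is {@code OPENID}; its properties must be non-null
     * @throws ServerFault when the {@code OPENID_HOST} property is not set
     */
    private static void initExternalForDomain(ItemValue<Domain> domainItem) {
        String domainUid = domainItem.uid;
        Map<String, String> properties = domainItem.value.properties;
        logger.info("Init external authentication config for domain {}", domainUid);

        String openIdHost = properties.get(AuthDomainProperties.OPENID_HOST.name());
        if (Strings.isNullOrEmpty(openIdHost)) {
            throw new ServerFault("Domain " + domainUid + " uses external authentication but "
                    + AuthDomainProperties.OPENID_HOST.name() + " is not set");
        }
        JsonObject discovery = getOpenIdConfiguration(openIdHost);

        // "access_token_issuer" (when the provider publishes it) wins over the standard "issuer".
        String issuer = Optional.ofNullable(discovery.getString("access_token_issuer"))
                .orElse(discovery.getString("issuer"));

        boolean changed = false;
        changed |= syncProperty(properties, AuthDomainProperties.OPENID_AUTHORISATION_ENDPOINT.name(),
                discovery.getString("authorization_endpoint"));
        changed |= syncProperty(properties, AuthDomainProperties.OPENID_TOKEN_ENDPOINT.name(),
                discovery.getString("token_endpoint"));
        changed |= syncProperty(properties, AuthDomainProperties.OPENID_JWKS_URI.name(),
                discovery.getString("jwks_uri"));
        changed |= syncProperty(properties, AuthDomainProperties.OPENID_ISSUER.name(), issuer);
        changed |= syncProperty(properties, AuthDomainProperties.OPENID_END_SESSION_ENDPOINT.name(),
                discovery.getString("end_session_endpoint"));

        if (changed) {
            ServerSideServiceProvider.getProvider(SecurityContext.SYSTEM).instance(IInCoreDomains.class)
                    .setProperties(domainUid, properties);
        }
    }

    /**
     * Fetches the OpenID discovery document at {@code url}.
     * <p>
     * The URL is the domain's {@code OPENID_HOST} property, i.e. administrator-supplied
     * configuration, and the endpoints the document returns (token endpoint, JWKS URI, issuer) are
     * stored and trusted as-is by {@link #initExternalForDomain}. NOTE(review): nothing here
     * enforces an {@code https} scheme or checks the returned issuer against the configured host —
     * confirm that is validated where the property is written.
     *
     * @param url the discovery document URL
     * @return the parsed document
     */
    private static JsonObject getOpenIdConfiguration(String url) {
        return new JsonObject(SyncHttpClient.getInstance().get(url));
    }

    /**
     * Sets {@code key} to {@code value} in {@code properties}, or removes it when {@code value} is null.
     *
     * @return {@code true} when the map was modified
     */
    private static boolean syncProperty(Map<String, String> properties, String key, String value) {
        if (value == null) {
            if (properties.get(key) == null) {
                return false;
            }
            properties.remove(key);
            return true;
        }
        if (value.equals(properties.get(key))) {
            return false;
        }
        properties.put(key, value);
        return true;
    }

    /**
     * Reacts to a domain update: refreshes the Keycloak realm/client for Keycloak-authenticated
     * domains, or, for domains switched to an external OpenID provider, mirrors the provider's
     * configuration and drops the now-unused realm and Kerberos configuration.
     * <p>
     * Failures are logged, not propagated: this is invoked from a domain-update hook.
     *
     * @param domainUid uid of the updated domain
     */
    public static void onDomainUpdate(String domainUid) {
        try {
            ServerSideServiceProvider provider = ServerSideServiceProvider.getProvider(SecurityContext.SYSTEM);
            ItemValue<Domain> domainItem = provider.instance(IDomains.class).get(domainUid);
            Map<String, String> properties = domainItem.value.properties;
            // NOTE(review): initForDomain compares the raw AUTH_TYPE string instead of going through
            // AuthTypes.get(); the two checks are kept as they were, but may disagree on unusual values.
            boolean externalOpenId = properties != null
                    && AuthTypes.OPENID == AuthTypes.get(properties.get(AuthDomainProperties.AUTH_TYPE.name()));
            if (!externalOpenId) {
                updateKeycloakForDomain(domainItem);
            } else {
                initExternalForDomain(domainItem);
                provider.instance(IKeycloakAdmin.class).deleteRealm(domainUid);
                KerberosConfigHelper.updateGlobalRealmKerb();
                KerberosConfigHelper.updateKrb5Conf();
            }
        } catch (Exception e) {
            // Any step above may fail, not only the discovery fetch, so the message must not claim otherwise.
            logger.error("Unable to update authentication configuration for domain {}", domainUid, e);
        }
    }

    /**
     * Brings the Keycloak realm of a Keycloak-authenticated domain up to date: re-creates the realm
     * when the OIDC client is missing or its secret no longer matches the persisted one, then
     * updates the client's redirect URIs and base URL when the configured URLs changed.
     *
     * @param domainItem the updated domain
     * @throws ServerFault when the OIDC client cannot be found even after re-initialising the realm
     */
    private static void updateKeycloakForDomain(ItemValue<Domain> domainItem) {
        String domainUid = domainItem.uid;
        logger.info("Update keycloak config for domain {}", domainUid);
        ServerSideServiceProvider provider = ServerSideServiceProvider.getProvider(SecurityContext.SYSTEM);
        String clientId = IKeycloakUids.clientId(IKeycloakUids.realmId(domainUid));
        IKeycloakClientAdmin clientAdmin = provider.instance(IKeycloakClientAdmin.class, domainUid);

        OidcClient oidcClient = clientAdmin.getOidcClient(clientId);
        if (oidcClient != null && !Objects.equals(oidcClient.secret, storedClientSecret(domainItem.value))) {
            // Keycloak and BlueMind disagree on the client secret: treat the realm as stale and rebuild it.
            oidcClient = null;
        }
        if (oidcClient == null) {
            IKeycloakKerberosAdmin kerberosAdmin = provider.instance(IKeycloakKerberosAdmin.class, GLOBAL_VIRT);
            // The realm is deleted and re-created below, so the global Kerberos provider is captured
            // first and re-created afterwards.
            KerberosComponent kerberosComponent = GLOBAL_VIRT.equals(domainUid)
                    ? kerberosAdmin.getKerberosProvider(IKeycloakUids.kerberosComponentName(GLOBAL_VIRT))
                    : null;
            provider.instance(IKeycloakAdmin.class).deleteRealm(domainUid);
            initKeycloakForDomain(domainItem);
            oidcClient = clientAdmin.getOidcClient(clientId);
            if (kerberosComponent != null) {
                kerberosAdmin.create(kerberosComponent);
            }
            if (oidcClient == null) {
                throw new ServerFault("OIDC client " + clientId + " still missing after re-initialising realm of domain "
                        + domainUid);
            }
        }

        // Redirect URIs are derived solely from the configured external / other URLs, so Keycloak
        // accepts exactly those callbacks and nothing else.
        Set<String> domainUrls = getDomainUrls(domainUid);
        if (oidcClient.redirectUris != null && oidcClient.redirectUris.containsAll(domainUrls)
                && domainUrls.containsAll(oidcClient.redirectUris)) {
            logger.debug("Domain {} update : Urls did not change (no need to update oidc client)", domainUid);
        } else {
            oidcClient.redirectUris = domainUrls;
            oidcClient.baseUrl = getExternalUrl(domainUid);
            clientAdmin.updateClient(clientId, oidcClient);
            logger.info("Domain {} update : Urls changed : updated oidc client", domainUid);
        }
        KerberosConfigHelper.updateKeycloakKerberosConf(domainItem);
    }

    /** @return the persisted OIDC client secret of {@code domain}, or null when absent or without properties */
    private static String storedClientSecret(Domain domain) {
        return domain.properties == null ? null
                : domain.properties.get(AuthDomainProperties.OPENID_CLIENT_SECRET.name());
    }

    /**
     * Computes the OIDC redirect URIs of a domain: {@code https://<host>/auth/openid} for the
     * external URL and each space-separated entry of the other URLs, read from the system
     * configuration for {@code global.virt} and from the domain settings otherwise.
     *
     * @param domainUid the domain uid
     * @return a mutable, never empty set; {@link #NO_REDIRECT_URI} when no URL is configured
     */
    public static Set<String> getDomainUrls(String domainUid) {
        ServerSideServiceProvider provider = ServerSideServiceProvider.getProvider(SecurityContext.SYSTEM);
        String externalUrl;
        String otherUrls;
        if (GLOBAL_VIRT.equals(domainUid)) {
            SystemConf sysconf = provider.instance(ISystemConfiguration.class).getValues();
            externalUrl = sysconf.stringValue(SysConfKeys.external_url.name());
            otherUrls = sysconf.stringValue(SysConfKeys.other_urls.name());
        } else {
            Map<String, String> settings = provider.instance(IDomainSettings.class, domainUid).get();
            externalUrl = settings != null ? settings.get(DomainSettingsKeys.external_url.name()) : null;
            otherUrls = settings != null ? settings.get(DomainSettingsKeys.other_urls.name()) : null;
        }

        Set<String> urls = new HashSet<>();
        // An empty external URL would otherwise yield the bogus "https:///auth/openid".
        if (!Strings.isNullOrEmpty(externalUrl)) {
            urls.add(getOpenIdUrl(externalUrl));
        }
        addOtherUrls(urls, otherUrls);
        if (urls.isEmpty()) {
            urls.add(NO_REDIRECT_URI);
        }
        return urls;
    }

    /**
     * Adds the OpenID URL of each space-separated host in {@code spaceSeparatedHosts} to {@code urls}.
     *
     * @param urls               target set
     * @param spaceSeparatedHosts hosts separated by spaces, may be null
     */
    private static void addOtherUrls(Set<String> urls, String spaceSeparatedHosts) {
        if (spaceSeparatedHosts == null) {
            return;
        }
        StringTokenizer tokenizer = new StringTokenizer(spaceSeparatedHosts.trim(), " ");
        while (tokenizer.hasMoreTokens()) {
            urls.add(getOpenIdUrl(tokenizer.nextToken()));
        }
    }

    /** @return {@code https://<host>/auth/openid} */
    private static String getOpenIdUrl(String host) {
        return HTTPS + host + OPENID_PATH;
    }

    /**
     * Returns the external URL of a domain as {@code https://<external_url>}, read from the system
     * configuration for {@code global.virt} and from the domain settings otherwise.
     *
     * @param domainUid the domain uid
     * @return the URL, or {@link #NO_REDIRECT_URI} when no external URL is configured
     */
    public static String getExternalUrl(String domainUid) {
        ServerSideServiceProvider provider = ServerSideServiceProvider.getProvider(SecurityContext.SYSTEM);
        String externalUrl;
        if (GLOBAL_VIRT.equals(domainUid)) {
            externalUrl = provider.instance(ISystemConfiguration.class).getValues()
                    .stringValue(SysConfKeys.external_url.name());
        } else {
            Map<String, String> settings = provider.instance(IDomainSettings.class, domainUid).get();
            externalUrl = settings != null ? settings.get(DomainSettingsKeys.external_url.name()) : null;
        }
        return Strings.isNullOrEmpty(externalUrl) ? NO_REDIRECT_URI : HTTPS + externalUrl;
    }

    /**
     * Initialises authentication for a domain once Keycloak answers: a Keycloak realm for
     * Keycloak-authenticated domains, or the mirrored external OpenID configuration otherwise.
     *
     * @param domainUid           the domain uid
     * @param deleteExistingRealm when {@code true} the domain's realm is deleted first
     * @throws ServerFault when the domain does not exist or Keycloak does not come up in time
     */
    public static void initForDomain(String domainUid, boolean deleteExistingRealm) {
        ServerSideServiceProvider provider = ServerSideServiceProvider.getProvider(SecurityContext.SYSTEM);
        if (deleteExistingRealm) {
            provider.instance(IKeycloakAdmin.class).deleteRealm(domainUid);
        }
        ItemValue<Domain> domainItem = provider.instance(IDomains.class).get(domainUid);
        if (domainItem == null || domainItem.value == null) {
            throw ServerFault.notFound("Domain " + domainUid + " not found");
        }
        waitForKeycloak();
        Map<String, String> properties = domainItem.value.properties;
        boolean externalOpenId = properties != null
                && AuthTypes.OPENID.name().equals(properties.get(AuthDomainProperties.AUTH_TYPE.name()));
        if (!externalOpenId) {
            initKeycloakForDomain(domainItem);
        } else {
            initExternalForDomain(domainItem);
        }
    }

    /**
     * Blocks until Keycloak answers a read of its master realm, probing up to
     * {@link #KEYCLOAK_WAIT_MAX_RETRIES} times with {@link #KEYCLOAK_WAIT_DELAY_MS} between probes.
     *
     * @throws ServerFault when Keycloak is still unreachable after the last probe, or the waiting
     *                     thread is interrupted (the interrupt flag is restored)
     */
    public static void waitForKeycloak() {
        IKeycloakAdmin keycloakAdmin = ServerSideServiceProvider.getProvider(SecurityContext.SYSTEM)
                .instance(IKeycloakAdmin.class);
        for (int attempt = 1; attempt <= KEYCLOAK_WAIT_MAX_RETRIES; attempt++) {
            try {
                keycloakAdmin.getRealm(MASTER_REALM);
                return;
            } catch (Exception probeFailure) {
                logger.debug("Keycloak not responding yet (attempt {}/{})", attempt, KEYCLOAK_WAIT_MAX_RETRIES,
                        probeFailure);
            }
            if (attempt < KEYCLOAK_WAIT_MAX_RETRIES) {
                try {
                    Thread.sleep(KEYCLOAK_WAIT_DELAY_MS);
                } catch (InterruptedException e) {
                    // Restore the flag so callers up the stack still observe the interruption.
                    Thread.currentThread().interrupt();
                    throw new ServerFault("Interrupted while waiting for keycloak", e);
                }
            }
        }
        throw new ServerFault("Wait for keycloak timed out (keycloak still not responding)");
    }
}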
