package it.geosolutions.geostore.services.rest.security.keycloak;

import it.geosolutions.geostore.core.model.User;
import it.geosolutions.geostore.core.security.password.SecurityUtils;
import it.geosolutions.geostore.services.UserService;
import it.geosolutions.geostore.services.rest.RESTSessionService;
import it.geosolutions.geostore.services.rest.SessionServiceDelegate;
import it.geosolutions.geostore.services.rest.exception.NotFoundWebEx;
import it.geosolutions.geostore.services.rest.model.SessionToken;
import it.geosolutions.geostore.services.rest.security.TokenAuthenticationCache;
import it.geosolutions.geostore.services.rest.security.oauth2.OAuth2Utils;
import it.geosolutions.geostore.services.rest.utils.GeoStoreContext;
import java.util.Date;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.log4j.Logger;
import org.keycloak.OAuth2Constants;
import org.keycloak.adapters.AdapterTokenStore;
import org.keycloak.adapters.KeycloakDeployment;
import org.keycloak.adapters.authorization.util.KeycloakSecurityContextPlaceHolderResolver;
import org.keycloak.adapters.springsecurity.facade.SimpleHttpFacade;
import org.keycloak.adapters.springsecurity.token.SpringSecurityAdapterTokenStoreFactory;
import org.keycloak.authorization.client.util.Http;
import org.keycloak.representations.AccessTokenResponse;
import org.keycloak.representations.adapters.config.AdapterConfig;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;

/* loaded from: input_file:WEB-INF/lib/geostore-rest-impl-1.9.0.jar:it/geosolutions/geostore/services/rest/security/keycloak/KeycloakSessionServiceDelegate.class */
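/**
 * {@link SessionServiceDelegate} that backs GeoStore sessions with Keycloak-issued tokens.
 *
 * <p>The delegate registers itself on the {@link RESTSessionService} under
 * {@code KeycloakSecurityContextPlaceHolderResolver.NAME}. It refreshes tokens through
 * {@link KeyCloakHelper}, resolves users from the {@link TokenAuthenticationCache}, and on logout
 * asks Keycloak to end the session before clearing all local state.
 *
 * <p>Security notes:
 *
 * <ul>
 *   <li>Local logout (cache eviction, security-context clearing, HTTP session invalidation) runs
 *       even when the call to Keycloak or any preparatory step fails, so a failed remote logout
 *       never leaves a usable local session behind.
 *   <li>The logout request carries the client secret and the refresh token as form parameters;
 *       neither value is written to the log here and they must not be added to log messages.
 * </ul>
 */
public class KeycloakSessionServiceDelegate implements SessionServiceDelegate {
    private static final Logger LOGGER = Logger.getLogger(KeycloakSessionServiceDelegate.class);
    private final UserService userService;

    /**
     * Creates the delegate and registers it with the REST session service.
     *
     * @param rESTSessionService the session service this delegate registers itself on
     * @param userService service used to load the full {@link User} for a token's principal
     */
    public KeycloakSessionServiceDelegate(RESTSessionService rESTSessionService, UserService userService) {
        // Assign state first so the delegate is fully initialised before it becomes reachable
        // through the session service registry.
        this.userService = userService;
        rESTSessionService.registerDelegate(KeycloakSecurityContextPlaceHolderResolver.NAME, this);
    }

    /**
     * Returns a session token, refreshing it against Keycloak when it is about to expire.
     *
     * <p>A refresh is attempted only when a refresh token is available and the cached expiration
     * is either unknown or falls before {@code OAuth2Utils.fiveMinutesFromNow()}. Otherwise the
     * supplied tokens are echoed back unchanged, without an expiry value.
     *
     * @param str the refresh token; when {@code null} it is read from the {@code refresh_token}
     *     request parameter
     * @param str2 the access token; when {@code null} it is read from the {@code access_token}
     *     request parameter or the bearer header
     * @return the refreshed or the unchanged session token
     * @throws NotFoundWebEx if no access token can be found
     */
    @Override
    public SessionToken refresh(String str, String str2) {
        HttpServletRequest request = OAuth2Utils.getRequest();
        String accessToken = str2;
        if (accessToken == null) {
            accessToken = OAuth2Utils.tokenFromParamsOrBearer("access_token", request);
        }
        if (accessToken == null) {
            throw new NotFoundWebEx("The accessToken is missing");
        }
        String refreshToken = str;
        if (refreshToken == null) {
            refreshToken = OAuth2Utils.getParameterValue("refresh_token", request);
        }
        TokenAuthenticationCache cache = cache();
        Date expiration = tokenExpirationTime(accessToken, cache);
        // An unknown expiration (no cache entry, or details of another type) is treated the same
        // as "about to expire": the refresh is attempted.
        if (refreshToken != null
                && (expiration == null || OAuth2Utils.fiveMinutesFromNow().after(expiration))) {
            return doRefresh(accessToken, refreshToken, cache);
        }
        return sessionToken(accessToken, refreshToken, null);
    }

    /**
     * Exchanges the refresh token for new tokens, updates the cached authentication and rewrites
     * the token cookie on the current response.
     *
     * @param accessToken the access token currently used as the cache key
     * @param refreshToken the refresh token sent to Keycloak
     * @param tokenAuthenticationCache the cache whose entry is updated
     * @return a session token holding the new access and refresh tokens
     */
    private SessionToken doRefresh(String accessToken, String refreshToken, TokenAuthenticationCache tokenAuthenticationCache) {
        AdapterConfig adapterConfig = ((KeyCloakConfiguration) GeoStoreContext.bean(KeyCloakConfiguration.class)).readAdapterConfig();
        KeyCloakHelper keyCloakHelper = (KeyCloakHelper) GeoStoreContext.bean(KeyCloakHelper.class);
        // NOTE(review): the response and the updated authentication are dereferenced without null
        // checks - confirm KeyCloakHelper throws rather than returning null when the refresh fails.
        AccessTokenResponse tokenResponse = keyCloakHelper.refreshToken(adapterConfig, refreshToken);
        String newAccessToken = tokenResponse.getToken();
        long expiresIn = tokenResponse.getExpiresIn();
        String newRefreshToken = tokenResponse.getRefreshToken();
        Authentication updated = keyCloakHelper.updateAuthentication(tokenAuthenticationCache, accessToken, newAccessToken, newRefreshToken, expiresIn);
        SimpleHttpFacade facade = new SimpleHttpFacade(OAuth2Utils.getRequest(), OAuth2Utils.getResponse());
        KeycloakCookieUtils.setTokenCookie(keyCloakHelper.getDeployment(facade), facade, (KeycloakTokenDetails) updated.getDetails());
        return sessionToken(newAccessToken, newRefreshToken);
    }

    /**
     * Looks up the expiration recorded in the cache for an access token.
     *
     * @return the expiration, or {@code null} when the token is not cached or its details are not
     *     {@link KeycloakTokenDetails}
     */
    private Date tokenExpirationTime(String accessToken, TokenAuthenticationCache tokenAuthenticationCache) {
        Authentication authentication = tokenAuthenticationCache.get(accessToken);
        if (authentication != null && (authentication.getDetails() instanceof KeycloakTokenDetails)) {
            return ((KeycloakTokenDetails) authentication.getDetails()).getExpiration();
        }
        return null;
    }

    /** Builds a bearer session token without an expiry value. */
    private SessionToken sessionToken(String accessToken, String refreshToken) {
        return sessionToken(accessToken, refreshToken, null);
    }

    /**
     * Builds a bearer session token.
     *
     * @param expires the expiry to report as epoch milliseconds, or {@code null} to leave it unset
     */
    private SessionToken sessionToken(String accessToken, String refreshToken, Date expires) {
        SessionToken sessionToken = new SessionToken();
        sessionToken.setAccessToken(accessToken);
        sessionToken.setRefreshToken(refreshToken);
        if (expires != null) {
            sessionToken.setExpires(Long.valueOf(expires.getTime()));
        }
        sessionToken.setTokenType("bearer");
        return sessionToken;
    }

    /**
     * Logs the user out of Keycloak and of the local application.
     *
     * <p>The remote part posts the client id, the client secret and the refresh token to the
     * deployment's logout URL and then logs out the adapter token store. A failure of the POST is
     * logged and does not stop the logout. The local part always runs, including when the remote
     * part throws.
     *
     * @param str the key under which the authentication is held in the token cache
     */
    @Override
    public void doLogout(String str) {
        HttpServletRequest request = OAuth2Utils.getRequest();
        HttpServletResponse response = OAuth2Utils.getResponse();
        try {
            KeyCloakHelper keyCloakHelper = (KeyCloakHelper) GeoStoreContext.bean(KeyCloakHelper.class);
            KeycloakDeployment deployment = keyCloakHelper.getDeployment(request, response);
            Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
            String refreshToken = null;
            // The security context may hold no authentication at all (already cleared or an
            // unauthenticated request); that must not abort the logout.
            if (authentication != null && authentication.getDetails() instanceof KeycloakTokenDetails) {
                refreshToken = ((KeycloakTokenDetails) authentication.getDetails()).getRefreshToken();
            }
            String uri = deployment.getLogoutUrl().build(new Object[0]).toString();
            AdapterConfig adapterConfig = ((KeyCloakConfiguration) GeoStoreContext.bean(KeyCloakConfiguration.class)).readAdapterConfig();
            // No-op client authenticator: the client credentials are added explicitly below.
            Http http = new Http(keyCloakHelper.getClientConfiguration(adapterConfig), (map, map2) -> {
            });
            try {
                http.post(uri).form().param("client_id", adapterConfig.getResource()).param(OAuth2Constants.CLIENT_SECRET, (String) adapterConfig.getCredentials().get("secret")).param("refresh_token", refreshToken).execute();
            } catch (Exception e) {
                // Best effort: the Keycloak session may outlive this call, so the failure is
                // reported at error level while the local logout still proceeds.
                LOGGER.error("Error while performing global logout.", e);
            }
            AdapterTokenStore tokenStore = new SpringSecurityAdapterTokenStoreFactory().createAdapterTokenStore(deployment, OAuth2Utils.getRequest(), OAuth2Utils.getResponse());
            if (tokenStore != null) {
                tokenStore.logout();
            }
        } finally {
            // Always drop the local credentials, even when the remote logout could not be prepared
            // or performed.
            internalLogout(str, request, response);
        }
    }

    /**
     * Removes the cached authentication, clears the security context, invalidates the HTTP session
     * if one exists and logs the servlet request out.
     */
    private void internalLogout(String cacheKey, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        TokenAuthenticationCache tokenAuthenticationCache = cache();
        if (tokenAuthenticationCache.get(cacheKey) != null) {
            tokenAuthenticationCache.removeEntry(cacheKey);
        }
        SecurityContextHolder.clearContext();
        try {
            HttpSession session = httpServletRequest.getSession(false);
            if (session != null) {
                session.invalidate();
            }
            httpServletRequest.logout();
        } catch (ServletException e) {
            // Logged unconditionally: an incomplete logout should be visible at the default log
            // level, not only when DEBUG is enabled.
            LOGGER.warn("Error while logging out from servlet request.", e);
        }
    }

    /** Returns the token authentication cache bean used by the Keycloak integration. */
    protected TokenAuthenticationCache cache() {
        return (TokenAuthenticationCache) GeoStoreContext.bean(KeyCloakSecurityConfiguration.CACHE_BEAN_NAME, TokenAuthenticationCache.class);
    }

    /**
     * Resolves the user behind a cached token.
     *
     * @param str the key under which the authentication is held in the token cache
     * @param z passed through to {@link #getUserName(String, boolean, boolean)}
     * @param z2 passed through to {@link #getUserName(String, boolean, boolean)}
     * @return the stored user; a {@link User} carrying only the name when the user service lookup
     *     fails; or {@code null} when no user name can be resolved
     */
    @Override
    public User getUser(String str, boolean z, boolean z2) {
        String userName = getUserName(str, z, z2);
        if (userName == null) {
            return null;
        }
        try {
            return this.userService.get(userName);
        } catch (Exception e) {
            LOGGER.warn("Issue while retrieving user. Will return just the username.", e);
            // Fallback object: only the name is set, nothing else is populated on it here.
            User fallback = new User();
            fallback.setName(userName);
            return fallback;
        }
    }

    /**
     * Resolves the user name behind a cached token, optionally refreshing the token first.
     *
     * @param str the key under which the authentication is held in the token cache
     * @param z together with {@code z2}, requests a token refresh before the name is returned
     * @param z2 together with {@code z}, requests a token refresh before the name is returned
     * @return the user name, or {@code null} when the token is not cached or has no principal
     */
    @Override
    public String getUserName(String str, boolean z, boolean z2) {
        TokenAuthenticationCache cache = cache();
        Authentication authentication = cache.get(str);
        if (authentication == null) {
            return null;
        }
        // Refresh only when the cached details really are Keycloak token details; the other
        // methods of this class guard the same cast, and a blind cast would fail with a
        // ClassCastException for any other details type.
        if (z && z2 && authentication.getDetails() instanceof KeycloakTokenDetails) {
            KeycloakTokenDetails details = (KeycloakTokenDetails) authentication.getDetails();
            doRefresh(details.getAccessToken(), details.getRefreshToken(), cache);
        }
        Object principal = authentication.getPrincipal();
        return principal != null ? SecurityUtils.getUsername(principal) : null;
    }
}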
