package io.camunda.identity.sdk.impl.keycloak;

import com.auth0.jwk.JwkProvider;
import com.auth0.jwk.JwkProviderBuilder;
import com.auth0.jwt.interfaces.Claim;
import com.auth0.jwt.interfaces.DecodedJWT;
import io.camunda.identity.sdk.IdentityConfiguration;
import io.camunda.identity.sdk.authentication.AuthorizeUriBuilder;
import io.camunda.identity.sdk.authentication.Tokens;
import io.camunda.identity.sdk.authentication.dto.AuthCodeDto;
import io.camunda.identity.sdk.authentication.exception.CodeExchangeException;
import io.camunda.identity.sdk.impl.dto.AccessTokenDto;
import io.camunda.identity.sdk.impl.generic.GenericAuthentication;
import io.camunda.identity.sdk.impl.rest.RestClient;
import io.camunda.identity.sdk.impl.rest.request.ClientTokenRequest;
import io.camunda.identity.sdk.impl.rest.request.ExchangeAuthCodeRequest;
import io.camunda.identity.sdk.impl.rest.request.RenewTokenRequest;
import io.camunda.identity.sdk.impl.rest.request.RevokeTokenRequest;
import io.camunda.identity.sdk.utility.UrlUtility;
import java.net.MalformedURLException;
import java.net.URL;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import org.apache.commons.lang3.Validate;

/* loaded from: input_file:BOOT-INF/lib/identity-sdk-8.4.3.jar:io/camunda/identity/sdk/impl/keycloak/KeycloakAuthentication.class */
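/**
 * Keycloak flavour of the Identity SDK authentication flow.
 *
 * <p>Builds the OpenID Connect endpoint URLs from the configured issuer,
 * performs the code-exchange / client-credentials / refresh / logout calls
 * through {@link RestClient}, and reads the Camunda-specific claims
 * ({@code permissions}, {@code groups}, {@code client_id}) out of decoded
 * access tokens.
 *
 * <p>Note the two base URLs in play: the browser-facing authorize URL is
 * derived from {@code getIssuer()}, while every server-to-server URL
 * (token, logout, JWKS) is derived from {@code getIssuerBackendUrl()}.
 * These may legitimately differ (e.g. a public hostname vs. an in-cluster
 * address), but the JWKS used for signature verification is always the
 * back-end one.
 */
public class KeycloakAuthentication extends GenericAuthentication {
    public static final String AUTHORIZE_PATH = "/protocol/openid-connect/auth";
    public static final String TOKEN_PATH = "/protocol/openid-connect/token";
    public static final String LOGOUT_PATH = "/protocol/openid-connect/logout";
    public static final String JWKS_PATH = "/protocol/openid-connect/certs";

    public KeycloakAuthentication(IdentityConfiguration identityConfiguration, RestClient restClient) {
        super(identityConfiguration, restClient);
    }

    /**
     * Returns a builder for the browser-facing authorization URL.
     *
     * @param str the redirect URI the provider should send the user back to
     */
    @Override // io.camunda.identity.sdk.impl.generic.GenericAuthentication, io.camunda.identity.sdk.authentication.Authentication
    public AuthorizeUriBuilder authorizeUriBuilder(String str) {
        String authorizeUrl = UrlUtility.combinePaths(this.configuration.getIssuer(), AUTHORIZE_PATH);
        return new KeycloakAuthorizeUriBuilder(this.configuration, authorizeUrl, str);
    }

    /**
     * Exchanges an authorization code for tokens at the back-end token endpoint.
     *
     * @param authCodeDto the callback payload (code, or an error reported by the provider)
     * @param str the redirect URI used in the authorization request (must match)
     * @return the issued tokens
     * @throws CodeExchangeException if the callback carried a non-blank {@code error}
     * @throws NullPointerException if either argument is null
     * @throws IllegalArgumentException if no code is present
     */
    @Override // io.camunda.identity.sdk.impl.generic.GenericAuthentication, io.camunda.identity.sdk.authentication.Authentication
    public Tokens exchangeAuthCode(AuthCodeDto authCodeDto, String str) throws CodeExchangeException {
        Validate.notNull(authCodeDto, "authCodeDto must not be null", new Object[0]);
        Validate.notNull(str, "redirectUri must not be null", new Object[0]);
        // The error string is propagated verbatim as the exception message. It
        // normally originates from the provider's redirect back to the
        // application, i.e. it is request-controlled text: do not render it
        // into HTML or logs without escaping.
        String providerError = authCodeDto.getError();
        if (providerError != null && !providerError.isBlank()) {
            throw new CodeExchangeException(providerError);
        }
        Validate.notEmpty(authCodeDto.getCode(), "code must not be null", new Object[0]);
        String tokenUrl = UrlUtility.combinePaths(this.configuration.getIssuerBackendUrl(), TOKEN_PATH);
        ExchangeAuthCodeRequest request =
                new ExchangeAuthCodeRequest(this.configuration, tokenUrl, str, authCodeDto.getCode());
        return fromAccessTokenDto((AccessTokenDto) this.restClient.request(request));
    }

    /**
     * Obtains a fresh client (machine-to-machine) token for the given audience.
     *
     * @param str the audience the token is requested for
     */
    @Override // io.camunda.identity.sdk.impl.generic.GenericAuthentication, io.camunda.identity.sdk.authentication.AbstractAuthentication
    protected Tokens requestFreshToken(String str) {
        String tokenUrl = UrlUtility.combinePaths(this.configuration.getIssuerBackendUrl(), TOKEN_PATH);
        ClientTokenRequest request = new ClientTokenRequest(this.configuration, tokenUrl, str, null);
        return fromAccessTokenDto((AccessTokenDto) this.restClient.request(request));
    }

    /**
     * Renews tokens using a refresh token.
     *
     * @param str the refresh token; must not be empty
     * @throws IllegalArgumentException if the refresh token is empty
     */
    @Override // io.camunda.identity.sdk.impl.generic.GenericAuthentication, io.camunda.identity.sdk.authentication.Authentication
    public Tokens renewToken(String str) {
        Validate.notEmpty(str, "refreshToken can not be empty", new Object[0]);
        String tokenUrl = UrlUtility.combinePaths(this.configuration.getIssuerBackendUrl(), TOKEN_PATH);
        RenewTokenRequest request = new RenewTokenRequest(this.configuration, tokenUrl, str);
        return fromAccessTokenDto((AccessTokenDto) this.restClient.request(request));
    }

    /**
     * Revokes a refresh token. Keycloak's logout endpoint is used for this,
     * not a separate RFC 7009 revocation endpoint; the response is discarded.
     *
     * @param str the refresh token; must not be empty
     * @throws IllegalArgumentException if the refresh token is empty
     */
    @Override // io.camunda.identity.sdk.impl.generic.GenericAuthentication, io.camunda.identity.sdk.authentication.Authentication
    public void revokeToken(String str) {
        Validate.notEmpty(str, "refreshToken can not be empty", new Object[0]);
        String logoutUrl = UrlUtility.combinePaths(this.configuration.getIssuerBackendUrl(), LOGOUT_PATH);
        this.restClient.request(new RevokeTokenRequest(this.configuration, logoutUrl, str));
    }

    /**
     * Reads the permissions granted for one audience from the
     * {@code permissions} claim, which is expected to be a JSON object mapping
     * audience to a list of permission strings.
     *
     * <p>Deny by default: a missing, JSON-null, non-object claim, an absent
     * audience key, or a value that is not a list all yield an empty list, and
     * non-string entries in the list are dropped. Previously a JSON-null claim
     * or a non-list value surfaced as an NPE / ClassCastException instead.
     *
     * @param decodedJWT the (already decoded) token
     * @param str the audience to look up; null yields an empty list
     * @return a mutable list of permission strings, never null
     */
    @Override // io.camunda.identity.sdk.impl.generic.GenericAuthentication, io.camunda.identity.sdk.authentication.AbstractAuthentication
    public List<String> getPermissions(DecodedJWT decodedJWT, String str) {
        if (str == null) {
            return Collections.emptyList();
        }
        Claim claim = decodedJWT.getClaim("permissions");
        if (claim.isMissing() || claim.isNull()) {
            return Collections.emptyList();
        }
        Map<String, Object> byAudience = claim.asMap();
        if (byAudience == null) {
            return Collections.emptyList();
        }
        Object entries = byAudience.get(str);
        if (!(entries instanceof List)) {
            return Collections.emptyList();
        }
        List<String> permissions = new ArrayList<>();
        for (Object entry : (List<?>) entries) {
            if (entry instanceof String) {
                permissions.add((String) entry);
            }
        }
        return permissions;
    }

    /**
     * Reads the {@code groups} claim as a list of strings.
     *
     * @return the groups, or an empty list when the claim is missing or JSON null
     *         (the latter previously came back as null)
     */
    @Override // io.camunda.identity.sdk.impl.generic.GenericAuthentication, io.camunda.identity.sdk.authentication.AbstractAuthentication
    protected List<String> getGroups(DecodedJWT decodedJWT) {
        Claim claim = decodedJWT.getClaim("groups");
        if (claim.isMissing() || claim.isNull()) {
            return Collections.emptyList();
        }
        List<String> groups = claim.asList(String.class);
        return groups == null ? Collections.emptyList() : groups;
    }

    /**
     * A token is treated as machine-to-machine when it carries a
     * {@code client_id} claim at all (a JSON-null value still counts as present).
     *
     * <p>NOTE(review): whether {@code decodeJWT} verifies the signature is
     * decided by the superclass; do not base authorization on this result
     * unless it does.
     */
    @Override // io.camunda.identity.sdk.impl.generic.GenericAuthentication, io.camunda.identity.sdk.authentication.Authentication
    public boolean isM2MToken(String str) {
        Claim clientId = decodeJWT(str).getClaim("client_id");
        return !clientId.isMissing();
    }

    /**
     * Returns the {@code client_id} claim, or null when it is absent or not a
     * string. Same signature-verification caveat as {@link #isM2MToken(String)}.
     */
    @Override // io.camunda.identity.sdk.impl.generic.GenericAuthentication, io.camunda.identity.sdk.authentication.Authentication
    public String getClientId(String str) {
        return decodeJWT(str).getClaim("client_id").asString();
    }

    /**
     * Lazily builds the JWKS provider used for signature verification,
     * pointing at the back-end issuer's certs endpoint.
     *
     * <p>Keys are cached per key id: at most 5 entries, each kept for 7 days.
     * A key that is rotated in is picked up on the first cache miss, but a key
     * that is removed from the JWKS (e.g. after a compromise) keeps validating
     * tokens until its cache entry expires — confirm that window matches your
     * revocation expectations. The lazy initialisation is not synchronised;
     * concurrent first callers may each build a provider and the last
     * assignment wins, which costs an extra JWKS fetch but nothing else.
     *
     * @throws IllegalStateException if the configured issuer URL is malformed
     */
    @Override // io.camunda.identity.sdk.impl.generic.GenericAuthentication, io.camunda.identity.sdk.authentication.AbstractAuthentication
    protected JwkProvider jwkProvider() {
        if (this.jwkProvider == null) {
            String jwksUrl = UrlUtility.combinePaths(this.configuration.getIssuerBackendUrl(), JWKS_PATH);
            try {
                this.jwkProvider = new JwkProviderBuilder(new URL(jwksUrl))
                        .cached(5L, 7L, TimeUnit.DAYS)
                        .build();
            } catch (MalformedURLException e) {
                throw new IllegalStateException("invalid issuer url", e);
            }
        }
        return this.jwkProvider;
    }

    /** Maps the raw token response onto the SDK's {@link Tokens} value. */
    private Tokens fromAccessTokenDto(AccessTokenDto accessTokenDto) {
        return new Tokens(
                accessTokenDto.getAccessToken(),
                accessTokenDto.getRefreshToken(),
                accessTokenDto.getExpiresIn(),
                accessTokenDto.getScope(),
                accessTokenDto.getTokenType());
    }
}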
