package org.keycloak.protocol.oidc;

import com.fasterxml.jackson.databind.node.ObjectNode;
import jakarta.ws.rs.core.MediaType;
import jakarta.ws.rs.core.Response;
import org.jboss.logging.Logger;
import org.keycloak.TokenVerifier;
import org.keycloak.common.VerificationException;
import org.keycloak.crypto.SignatureProvider;
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType;
import org.keycloak.keys.Attributes;
import org.keycloak.models.ClientModel;
import org.keycloak.models.ImpersonationSessionNote;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.representations.AccessToken;
import org.keycloak.services.Urls;
import org.keycloak.services.util.DefaultClientSessionContext;
import org.keycloak.services.util.UserSessionUtil;
import org.keycloak.util.JsonSerialization;

/* loaded from: input_file:org/keycloak/protocol/oidc/AccessTokenIntrospectionProvider.class */
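/**
 * Token introspection for access tokens (the OAuth 2.0 Token Introspection response shape, RFC 7662).
 *
 * <p>The flow is: {@link #verifyAccessToken} checks the JWT signature, issuer and the realm's
 * introspection rules; {@link #transformAccessToken} re-runs the introspection protocol mappers
 * against the backing user session when that session can still be found; {@link #introspect}
 * serializes the result with the {@code active} flag. Any token that does not pass verification is
 * reported as {@code "active": false} rather than as an HTTP error, so a caller cannot distinguish
 * "unknown token" from "expired token" from the response body.
 */
public class AccessTokenIntrospectionProvider implements TokenIntrospectionProvider {
    private static final Logger logger = Logger.getLogger(AccessTokenIntrospectionProvider.class);

    /** Event error code recorded whenever introspection does not produce an active token. */
    private static final String TOKEN_INTROSPECTION_FAILED = "token_introspection_failed";
    /** Event detail key carrying the human-readable failure reason. */
    private static final String REASON = "reason";
    /** Event detail value: the token was verified from the access token itself. */
    private static final String VALIDATE_ACCESS_TOKEN = "validate_access_token";

    private final KeycloakSession session;
    private final TokenManager tokenManager = new TokenManager();
    private final RealmModel realm;

    /**
     * @param keycloakSession the current request session; the realm is taken from its context and
     *                        used for every lookup and for the expected token issuer
     */
    public AccessTokenIntrospectionProvider(KeycloakSession keycloakSession) {
        this.session = keycloakSession;
        this.realm = keycloakSession.getContext().getRealm();
    }

    /**
     * Produces the JSON introspection response for {@code rawToken}.
     *
     * <p>A token that verifies yields its claims plus {@code client_id}, {@code username},
     * {@code token_type} and, for impersonated sessions, an {@code act.sub} actor claim, with
     * {@code active=true}. A token that does not verify yields only {@code active=false}; the
     * failure is recorded on {@code eventBuilder}, not in the response body.
     *
     * @param rawToken     the compact JWT string presented to the introspection endpoint
     * @param eventBuilder audit event for this request; receives the reason/error on failure
     * @return 200 response with the introspection JSON
     * @throws RuntimeException if serialization or a lookup fails unexpectedly; the error is also
     *                          recorded on the event. Such failures are never reported as active=true.
     */
    public Response introspect(String rawToken, EventBuilder eventBuilder) {
        AccessToken accessToken = null;
        try {
            accessToken = transformAccessToken(verifyAccessToken(rawToken, eventBuilder));
            boolean active = accessToken != null;
            ObjectNode response;
            if (active) {
                response = JsonSerialization.createObjectNode(accessToken);
                response.put("client_id", accessToken.getIssuedFor());
                // An explicitly blank scope claim is dropped rather than echoed as "".
                String scope = accessToken.getScope();
                if (scope != null && scope.trim().isEmpty()) {
                    response.remove("scope");
                }
                addUsername(response, accessToken);
                addImpersonator(response, accessToken);
                response.put("token_type", accessToken.getType());
            } else {
                response = JsonSerialization.createObjectNode();
                logger.debug("Keycloak token introspection return false");
                eventBuilder.error(TOKEN_INTROSPECTION_FAILED);
            }
            response.put(Attributes.ACTIVE_KEY, active);
            return Response.ok(JsonSerialization.writeValueAsBytes(response)).type(MediaType.APPLICATION_JSON_TYPE).build();
        } catch (Exception e) {
            // accessToken is only non-null if verification already succeeded; it is used for the log line only.
            String clientId = accessToken != null ? accessToken.getIssuedFor() : "unknown";
            logger.debugf(e, "Exception during Keycloak introspection for %s client in realm %s", clientId, this.realm.getName());
            // The exception message lands in the audit event, never in the HTTP body.
            eventBuilder.detail(REASON, e.getMessage());
            eventBuilder.error(TOKEN_INTROSPECTION_FAILED);
            throw new RuntimeException("Error creating token introspection response.", e);
        }
    }

    /** Adds {@code username} unless the mapped claims already carry one; falls back to a user lookup by subject. */
    private void addUsername(ObjectNode response, AccessToken accessToken) {
        if (response.has("username")) {
            return;
        }
        String preferredUsername = accessToken.getPreferredUsername();
        if (preferredUsername != null) {
            response.put("username", preferredUsername);
            return;
        }
        // NOTE(review): subject may be null for some token types; getUserById is assumed to tolerate that — confirm.
        UserModel user = this.session.users().getUserById(this.realm, accessToken.getSubject());
        if (user != null) {
            response.put("username", user.getUsername());
        }
    }

    /** Adds an {@code act.sub} claim (the RFC 8693 actor shape) naming the impersonator recorded on the user session, if any. */
    private void addImpersonator(ObjectNode response, AccessToken accessToken) {
        String sessionState = accessToken.getSessionState();
        if (sessionState == null) {
            return;
        }
        UserSessionModel userSession = this.session.sessions().getUserSession(this.realm, sessionState);
        if (userSession == null) {
            return;
        }
        String impersonator = userSession.getNote(ImpersonationSessionNote.IMPERSONATOR_USERNAME.toString());
        if (impersonator != null) {
            response.putObject("act").put("sub", impersonator);
        }
    }

    /**
     * Re-runs the introspection protocol mappers for a verified token against its live user session.
     *
     * <p>If the session cannot be resolved (lookup throws, or the session has no user) the verified
     * token is returned unchanged — a best-effort fallback that is kept because callers relied on it;
     * note that in that case no introspection-specific mapper has filtered or enriched the claims.
     *
     * @param accessToken a token already accepted by {@link #verifyAccessToken}, or {@code null}
     * @return the mapped token, the input token as a fallback, or {@code null} for {@code null} input
     */
    public AccessToken transformAccessToken(AccessToken accessToken) {
        if (accessToken == null) {
            return null;
        }
        // May be null for an unknown azp; the lookup below is expected to reject that and we fall back.
        ClientModel client = this.realm.getClientByClientId(accessToken.getIssuedFor());
        try {
            EventBuilder sessionEvent = new EventBuilder(this.realm, this.session, this.session.getContext().getConnection())
                    .event(EventType.INTROSPECT_TOKEN)
                    .detail("auth_method", VALIDATE_ACCESS_TOKEN);
            UserSessionModel userSession = UserSessionUtil.findValidSession(this.session, this.realm, accessToken, sessionEvent, client);
            if (userSession.getUser() == null) {
                logger.debug("User not found");
                return accessToken;
            }
            DefaultClientSessionContext clientSessionCtx = DefaultClientSessionContext.fromClientSessionAndScopeParameter(
                    userSession.getAuthenticatedClientSessionByClient(client.getId()), accessToken.getScope(), this.session);
            AccessToken minimalToken = getAccessTokenFromStoredData(accessToken, userSession);
            return this.tokenManager.transformIntrospectionAccessToken(this.session, minimalToken, userSession, clientSessionCtx);
        } catch (Exception e) {
            // Deliberate best-effort: any failure here degrades to the unmapped (but verified) token.
            logger.debugf(e, "Can not get user session: %s", e.getMessage());
            return accessToken;
        }
    }

    /**
     * Copies only the core claims of {@code accessToken} into a fresh token so the mapper pipeline
     * starts from the issued identity/timing claims rather than from every claim in the presented JWT.
     * The subject falls back to the session user's id when the token carries none.
     */
    private AccessToken getAccessTokenFromStoredData(AccessToken accessToken, UserSessionModel userSession) {
        AccessToken copy = new AccessToken();
        copy.id(accessToken.getId());
        copy.type(accessToken.getType());
        copy.subject(accessToken.getSubject() != null ? accessToken.getSubject() : userSession.getUser().getId());
        copy.iat(accessToken.getIat());
        copy.exp(accessToken.getExp());
        copy.issuedFor(accessToken.getIssuedFor());
        copy.issuer(accessToken.getIssuer());
        copy.setNonce(accessToken.getNonce());
        copy.setScope(accessToken.getScope());
        copy.setAuth_time(accessToken.getAuth_time());
        copy.setSessionState(accessToken.getSessionState());
        copy.audience(accessToken.getAudience());
        copy.setConfirmation(accessToken.getConfirmation());
        return copy;
    }

    /**
     * Parses and verifies {@code rawToken}: issuer must match this realm, the signature must verify
     * with the realm's provider for the header's {@code alg}/{@code kid}, and the token must pass the
     * realm's introspection validity rules.
     *
     * <p>A header whose {@code alg} is missing or has no registered {@link SignatureProvider} is
     * treated as a failed verification (returns {@code null}) instead of dereferencing a null
     * provider, which previously surfaced as a 500 from {@link #introspect}.
     *
     * <p>Originally declared {@code protected} upstream (per the decompiler); left {@code public}
     * so existing callers keep compiling.
     *
     * @param rawToken     compact JWT string
     * @param eventBuilder receives a {@code reason} detail when verification fails
     * @return the verified token, or {@code null} if any check fails
     */
    public AccessToken verifyAccessToken(String rawToken, EventBuilder eventBuilder) {
        try {
            TokenVerifier<AccessToken> verifier = TokenVerifier.create(rawToken, AccessToken.class)
                    .realmUrl(Urls.realmIssuer(this.session.getContext().getUri().getBaseUri(), this.realm.getName()));
            // The alg comes from the untrusted header: only algorithms with a registered provider are acceptable.
            if (verifier.getHeader().getAlgorithm() == null) {
                logger.debug("Introspection access token : JWT header has no algorithm");
                eventBuilder.detail(REASON, "Access token JWT check failed");
                return null;
            }
            String algorithm = verifier.getHeader().getAlgorithm().name();
            SignatureProvider signatureProvider = this.session.getProvider(SignatureProvider.class, algorithm);
            if (signatureProvider == null) {
                logger.debugf("Introspection access token : no signature provider for algorithm %s", algorithm);
                eventBuilder.detail(REASON, "Access token JWT check failed");
                return null;
            }
            verifier.verifierContext(signatureProvider.verifier(verifier.getHeader().getKeyId()));
            AccessToken token = verifier.verify().getToken();
            if (this.tokenManager.checkTokenValidForIntrospection(this.session, this.realm, token, false, eventBuilder)) {
                return token;
            }
            return null;
        } catch (VerificationException e) {
            logger.debugf("Introspection access token : JWT check failed: %s", e.getMessage());
            eventBuilder.detail(REASON, "Access token JWT check failed");
            return null;
        }
    }

    /** Nothing to release; the provider holds only references owned by the session. */
    public void close() {
    }
}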
