package org.keycloak.services.resources.admin;

import jakarta.ws.rs.BadRequestException;
import jakarta.ws.rs.Consumes;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.NotAcceptableException;
import jakarta.ws.rs.NotFoundException;
import jakarta.ws.rs.POST;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.core.MultivaluedMap;
import jakarta.ws.rs.core.Response;
import jakarta.ws.rs.core.UriInfo;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Set;
import java.util.stream.Collectors;
import org.eclipse.microprofile.openapi.annotations.Operation;
import org.eclipse.microprofile.openapi.annotations.extensions.Extension;
import org.eclipse.microprofile.openapi.annotations.parameters.Parameter;
import org.eclipse.microprofile.openapi.annotations.tags.Tag;
import org.jboss.resteasy.reactive.NoCache;
import org.keycloak.common.crypto.CryptoIntegration;
import org.keycloak.common.util.KeystoreUtil;
import org.keycloak.common.util.PemUtils;
import org.keycloak.common.util.StreamUtil;
import org.keycloak.events.admin.OperationType;
import org.keycloak.events.admin.ResourceType;
import org.keycloak.http.FormPartValue;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeyManager;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.representations.KeyStoreConfig;
import org.keycloak.representations.idm.CertificateRepresentation;
import org.keycloak.services.ErrorResponseException;
import org.keycloak.services.resources.KeycloakOpenAPI;
import org.keycloak.services.resources.admin.permissions.AdminPermissionEvaluator;
import org.keycloak.services.util.CertificateInfoHelper;
import org.keycloak.utils.MediaType;

@Extension(name = KeycloakOpenAPI.Profiles.ADMIN, value = "")
/* loaded from: input_file:org/keycloak/services/resources/admin/ClientAttributeCertificateResource.class */
public class ClientAttributeCertificateResource {
    public static final String CERTIFICATE_PEM = "Certificate PEM";
    public static final String PUBLIC_KEY_PEM = "Public Key PEM";
    public static final String JSON_WEB_KEY_SET = "JSON Web Key Set";
    protected final RealmModel realm;
    private final AdminPermissionEvaluator auth;
    protected final ClientModel client;
    protected final KeycloakSession session;
    protected final AdminEventBuilder adminEvent;
    protected final String attributePrefix;

    public ClientAttributeCertificateResource(AdminPermissionEvaluator adminPermissionEvaluator, ClientModel clientModel, KeycloakSession keycloakSession, String str, AdminEventBuilder adminEventBuilder) {
        this.realm = keycloakSession.getContext().getRealm();
        this.auth = adminPermissionEvaluator;
        this.client = clientModel;
        this.session = keycloakSession;
        this.attributePrefix = str;
        this.adminEvent = adminEventBuilder.resource(ResourceType.CLIENT);
    }

    @NoCache
    @Produces({MediaType.APPLICATION_JSON})
    @Tag(name = KeycloakOpenAPI.Admin.Tags.CLIENT_ATTRIBUTE_CERTIFICATE)
    @Operation(summary = "Get key info")
    @GET
    public CertificateRepresentation getKeyInfo() {
        this.auth.clients().requireView(this.client);
        return CertificateInfoHelper.getCertificateFromClient(this.client, this.attributePrefix);
    }

    @NoCache
    @Produces({MediaType.APPLICATION_JSON})
    @Tag(name = KeycloakOpenAPI.Admin.Tags.CLIENT_ATTRIBUTE_CERTIFICATE)
    @Operation(summary = "Generate a new certificate with new key pair")
    @POST
    @Path("generate")
    public CertificateRepresentation generate() {
        this.auth.clients().requireConfigure(this.client);
        CertificateRepresentation generateKeyPairCertificate = KeycloakModelUtils.generateKeyPairCertificate(this.client.getClientId());
        CertificateInfoHelper.updateClientModelCertificateInfo(this.client, generateKeyPairCertificate, this.attributePrefix);
        this.adminEvent.operation(OperationType.ACTION).resourcePath((UriInfo) this.session.getContext().getUri()).representation(generateKeyPairCertificate).success();
        return generateKeyPairCertificate;
    }

    @Produces({MediaType.APPLICATION_JSON})
    @Tag(name = KeycloakOpenAPI.Admin.Tags.CLIENT_ATTRIBUTE_CERTIFICATE)
    @Operation(summary = "Upload certificate and eventually private key")
    @POST
    @Path("upload")
    @Consumes({"multipart/form-data"})
    public CertificateRepresentation uploadJks() throws IOException {
        this.auth.clients().requireConfigure(this.client);
        try {
            CertificateRepresentation updateCertFromRequest = updateCertFromRequest();
            this.adminEvent.operation(OperationType.ACTION).resourcePath((UriInfo) this.session.getContext().getUri()).representation(updateCertFromRequest).success();
            return updateCertFromRequest;
        } catch (IllegalStateException e) {
            throw new ErrorResponseException("certificate-not-found", "Certificate or key with given alias not found in the keystore", Response.Status.BAD_REQUEST);
        }
    }

    @Produces({MediaType.APPLICATION_JSON})
    @Tag(name = KeycloakOpenAPI.Admin.Tags.CLIENT_ATTRIBUTE_CERTIFICATE)
    @Operation(summary = "Upload only certificate, not private key")
    @POST
    @Path("upload-certificate")
    @Consumes({"multipart/form-data"})
    public CertificateRepresentation uploadJksCertificate() throws IOException {
        this.auth.clients().requireConfigure(this.client);
        try {
            CertificateRepresentation updateCertFromRequest = updateCertFromRequest();
            this.adminEvent.operation(OperationType.ACTION).resourcePath((UriInfo) this.session.getContext().getUri()).representation(updateCertFromRequest).success();
            return updateCertFromRequest;
        } catch (IllegalStateException e) {
            throw new ErrorResponseException("certificate-not-found", "Certificate or key with given alias not found in the keystore", Response.Status.BAD_REQUEST);
        }
    }

    private CertificateRepresentation updateCertFromRequest() throws IOException {
        this.auth.clients().requireManage(this.client);
        CertificateRepresentation certificateRepresentation = new CertificateRepresentation();
        MultivaluedMap multiPartFormParameters = this.session.getContext().getHttpRequest().getMultiPartFormParameters();
        FormPartValue formPartValue = (FormPartValue) multiPartFormParameters.getFirst("keystoreFormat");
        if (formPartValue == null) {
            throw new BadRequestException("keystoreFormat cannot be null");
        }
        String asString = formPartValue.asString();
        FormPartValue formPartValue2 = (FormPartValue) multiPartFormParameters.getFirst("file");
        if (asString.equals(CERTIFICATE_PEM)) {
            String removeBeginEnd = PemUtils.removeBeginEnd(StreamUtil.readString(formPartValue2.asInputStream(), StandardCharsets.UTF_8));
            KeycloakModelUtils.getCertificate(removeBeginEnd);
            certificateRepresentation.setCertificate(removeBeginEnd);
            CertificateInfoHelper.updateClientModelCertificateInfo(this.client, certificateRepresentation, this.attributePrefix);
            return certificateRepresentation;
        }
        if (asString.equals(PUBLIC_KEY_PEM)) {
            String readString = StreamUtil.readString(formPartValue2.asInputStream(), StandardCharsets.UTF_8);
            KeycloakModelUtils.getPublicKey(readString);
            certificateRepresentation.setPublicKey(readString);
            CertificateInfoHelper.updateClientModelCertificateInfo(this.client, certificateRepresentation, this.attributePrefix);
            return certificateRepresentation;
        }
        if (asString.equals(JSON_WEB_KEY_SET)) {
            String readString2 = StreamUtil.readString(formPartValue2.asInputStream(), StandardCharsets.UTF_8);
            CertificateRepresentation jwksStringToSigCertificateRepresentation = CertificateInfoHelper.jwksStringToSigCertificateRepresentation(readString2);
            if ("openid-connect".equals(this.client.getProtocol())) {
                CertificateInfoHelper.updateClientModelJwksString(this.client, this.attributePrefix, readString2);
            } else {
                CertificateInfoHelper.updateClientModelCertificateInfo(this.client, jwksStringToSigCertificateRepresentation, this.attributePrefix);
            }
            return jwksStringToSigCertificateRepresentation;
        }
        String asString2 = ((FormPartValue) multiPartFormParameters.getFirst("keyAlias")).asString();
        FormPartValue formPartValue3 = (FormPartValue) multiPartFormParameters.getFirst("keyPassword");
        char[] charArray = formPartValue3 != null ? formPartValue3.asString().toCharArray() : null;
        FormPartValue formPartValue4 = (FormPartValue) multiPartFormParameters.getFirst("storePassword");
        char[] charArray2 = formPartValue4 != null ? formPartValue4.asString().toCharArray() : null;
        PrivateKey privateKey = null;
        try {
            KeyStore keyStore = CryptoIntegration.getProvider().getKeyStore(KeystoreUtil.KeystoreFormat.valueOf(asString));
            keyStore.load(formPartValue2.asInputStream(), charArray2);
            try {
                privateKey = (PrivateKey) keyStore.getKey(asString2, charArray);
            } catch (Exception e) {
            }
            X509Certificate x509Certificate = (X509Certificate) keyStore.getCertificate(asString2);
            if (privateKey != null) {
                certificateRepresentation.setPrivateKey(KeycloakModelUtils.getPemFromKey(privateKey));
            }
            if (x509Certificate != null) {
                certificateRepresentation.setCertificate(KeycloakModelUtils.getPemFromCertificate(x509Certificate));
            }
            CertificateInfoHelper.updateClientModelCertificateInfo(this.client, certificateRepresentation, this.attributePrefix);
            return certificateRepresentation;
        } catch (Exception e2) {
            throw new RuntimeException(e2);
        }
    }

    @NoCache
    @Tag(name = KeycloakOpenAPI.Admin.Tags.CLIENT_ATTRIBUTE_CERTIFICATE)
    @Path("/download")
    @Consumes({MediaType.APPLICATION_JSON})
    @Produces({"application/octet-stream"})
    @Operation(summary = "Get a keystore file for the client, containing private key and public certificate")
    @POST
    public byte[] getKeystore(@Parameter(description = "Keystore configuration as JSON") KeyStoreConfig keyStoreConfig) {
        this.auth.clients().requireView(this.client);
        checkKeystoreFormat(keyStoreConfig);
        CertificateRepresentation certificateFromClient = CertificateInfoHelper.getCertificateFromClient(this.client, this.attributePrefix);
        String privateKey = certificateFromClient.getPrivateKey();
        String certificate = certificateFromClient.getCertificate();
        if (privateKey == null && certificate == null) {
            throw new NotFoundException("keypair not generated for client");
        }
        if (privateKey != null && keyStoreConfig.getKeyPassword() == null) {
            throw new ErrorResponseException("password-missing", "Need to specify a key password for jks download", Response.Status.BAD_REQUEST);
        }
        if (keyStoreConfig.getStorePassword() == null) {
            throw new ErrorResponseException("password-missing", "Need to specify a store password for jks download", Response.Status.BAD_REQUEST);
        }
        return getKeystore(keyStoreConfig, privateKey, certificate);
    }

    @NoCache
    @Tag(name = KeycloakOpenAPI.Admin.Tags.CLIENT_ATTRIBUTE_CERTIFICATE)
    @Path("/generate-and-download")
    @Consumes({MediaType.APPLICATION_JSON})
    @Produces({"application/octet-stream"})
    @Operation(summary = "Generate a new keypair and certificate, and get the private key file\n\nGenerates a keypair and certificate and serves the private key in a specified keystore format.\nOnly generated public certificate is saved in Keycloak DB - the private key is not.")
    @POST
    public byte[] generateAndGetKeystore(@Parameter(description = "Keystore configuration as JSON") KeyStoreConfig keyStoreConfig) {
        this.auth.clients().requireConfigure(this.client);
        checkKeystoreFormat(keyStoreConfig);
        if (keyStoreConfig.getKeyPassword() == null) {
            throw new ErrorResponseException("password-missing", "Need to specify a key password for jks generation and download", Response.Status.BAD_REQUEST);
        }
        if (keyStoreConfig.getStorePassword() == null) {
            throw new ErrorResponseException("password-missing", "Need to specify a store password for jks generation and download", Response.Status.BAD_REQUEST);
        }
        CertificateRepresentation generateKeyPairCertificate = KeycloakModelUtils.generateKeyPairCertificate(this.client.getClientId());
        byte[] keystore = getKeystore(keyStoreConfig, generateKeyPairCertificate.getPrivateKey(), generateKeyPairCertificate.getCertificate());
        generateKeyPairCertificate.setPrivateKey((String) null);
        CertificateInfoHelper.updateClientModelCertificateInfo(this.client, generateKeyPairCertificate, this.attributePrefix);
        this.adminEvent.operation(OperationType.ACTION).resourcePath((UriInfo) this.session.getContext().getUri()).representation(generateKeyPairCertificate).success();
        return keystore;
    }

    private byte[] getKeystore(KeyStoreConfig keyStoreConfig, String str, String str2) {
        try {
            KeyStore keyStore = CryptoIntegration.getProvider().getKeyStore(KeystoreUtil.KeystoreFormat.valueOf(keyStoreConfig.getFormat()));
            keyStore.load(null, null);
            String keyAlias = keyStoreConfig.getKeyAlias();
            if (keyAlias == null) {
                keyAlias = this.client.getClientId();
            }
            if (str != null) {
                keyStore.setKeyEntry(keyAlias, PemUtils.decodePrivateKey(str), keyStoreConfig.getKeyPassword().trim().toCharArray(), new Certificate[]{PemUtils.decodeCertificate(str2)});
            } else {
                keyStore.setCertificateEntry(keyAlias, PemUtils.decodeCertificate(str2));
            }
            if (keyStoreConfig.isRealmCertificate() == null || keyStoreConfig.isRealmCertificate().booleanValue()) {
                KeyManager keys = this.session.keys();
                Certificate rsaCertificate = keys.getRsaCertificate(this.realm, keys.getActiveRsaKey(this.realm).getKid());
                String realmAlias = keyStoreConfig.getRealmAlias();
                if (realmAlias == null) {
                    realmAlias = this.realm.getName();
                }
                keyStore.setCertificateEntry(realmAlias, rsaCertificate);
            }
            ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
            keyStore.store(byteArrayOutputStream, keyStoreConfig.getStorePassword().trim().toCharArray());
            byteArrayOutputStream.flush();
            byteArrayOutputStream.close();
            return byteArrayOutputStream.toByteArray();
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    private void checkKeystoreFormat(KeyStoreConfig keyStoreConfig) throws NotAcceptableException {
        if (keyStoreConfig.getFormat() != null) {
            Set set = (Set) CryptoIntegration.getProvider().getSupportedKeyStoreTypes().collect(Collectors.toSet());
            try {
                KeystoreUtil.KeystoreFormat valueOf = Enum.valueOf(KeystoreUtil.KeystoreFormat.class, keyStoreConfig.getFormat().toUpperCase());
                if (keyStoreConfig.getFormat() == null || set.contains(valueOf)) {
                } else {
                    throw new NotAcceptableException("Not supported keystore format. Supported keystore formats: " + set);
                }
            } catch (IllegalArgumentException e) {
                throw new NotAcceptableException("Not supported keystore format. Supported keystore formats: " + set);
            }
        }
    }
}
