package org.keycloak.email;

import com.fasterxml.jackson.databind.JsonNode;
import jakarta.mail.AuthenticationFailedException;
import jakarta.mail.MessagingException;
import jakarta.mail.Transport;
import java.io.IOException;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.runtime.ObjectMethods;
import java.time.LocalDateTime;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;
import org.jboss.logging.Logger;
import org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider;
import org.keycloak.broker.provider.util.SimpleHttp;
import org.keycloak.models.KeycloakSession;
import org.keycloak.userprofile.config.UPConfigUtils;
import org.keycloak.utils.KeycloakSessionUtil;
import org.keycloak.vault.VaultStringSecret;

/* loaded from: input_file:org/keycloak/email/TokenAuthEmailAuthenticator.class */
public class TokenAuthEmailAuthenticator implements EmailAuthenticator {
    private static final Logger logger = Logger.getLogger(TokenAuthEmailAuthenticator.class);
    public static final int FALLBACK_EXPIRES_AT_IN_SECONDS = 60;
    private final Map<String, TokenStoreEntry> tokenStore = new ConcurrentHashMap();

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/keycloak/email/TokenAuthEmailAuthenticator$TokenStoreEntry.class */
    public static final class TokenStoreEntry extends Record {
        private final LocalDateTime expiration_at;
        private final String url;
        private final String scope;
        private final String clientId;
        private final int clientSecretHash;
        private final String token;

        TokenStoreEntry(LocalDateTime localDateTime, String str, String str2, String str3, int i, String str4) {
            this.expiration_at = localDateTime;
            this.url = str;
            this.scope = str2;
            this.clientId = str3;
            this.clientSecretHash = i;
            this.token = str4;
        }

        @Override // java.lang.Record
        public final String toString() {
            return (String) ObjectMethods.bootstrap(MethodHandles.lookup(), "toString", MethodType.methodType(String.class, TokenStoreEntry.class), TokenStoreEntry.class, "expiration_at;url;scope;clientId;clientSecretHash;token", "FIELD:Lorg/keycloak/email/TokenAuthEmailAuthenticator$TokenStoreEntry;->expiration_at:Ljava/time/LocalDateTime;", "FIELD:Lorg/keycloak/email/TokenAuthEmailAuthenticator$TokenStoreEntry;->url:Ljava/lang/String;", "FIELD:Lorg/keycloak/email/TokenAuthEmailAuthenticator$TokenStoreEntry;->scope:Ljava/lang/String;", "FIELD:Lorg/keycloak/email/TokenAuthEmailAuthenticator$TokenStoreEntry;->clientId:Ljava/lang/String;", "FIELD:Lorg/keycloak/email/TokenAuthEmailAuthenticator$TokenStoreEntry;->clientSecretHash:I", "FIELD:Lorg/keycloak/email/TokenAuthEmailAuthenticator$TokenStoreEntry;->token:Ljava/lang/String;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final int hashCode() {
            return (int) ObjectMethods.bootstrap(MethodHandles.lookup(), "hashCode", MethodType.methodType(Integer.TYPE, TokenStoreEntry.class), TokenStoreEntry.class, "expiration_at;url;scope;clientId;clientSecretHash;token", "FIELD:Lorg/keycloak/email/TokenAuthEmailAuthenticator$TokenStoreEntry;->expiration_at:Ljava/time/LocalDateTime;", "FIELD:Lorg/keycloak/email/TokenAuthEmailAuthenticator$TokenStoreEntry;->url:Ljava/lang/String;", "FIELD:Lorg/keycloak/email/TokenAuthEmailAuthenticator$TokenStoreEntry;->scope:Ljava/lang/String;", "FIELD:Lorg/keycloak/email/TokenAuthEmailAuthenticator$TokenStoreEntry;->clientId:Ljava/lang/String;", "FIELD:Lorg/keycloak/email/TokenAuthEmailAuthenticator$TokenStoreEntry;->clientSecretHash:I", "FIELD:Lorg/keycloak/email/TokenAuthEmailAuthenticator$TokenStoreEntry;->token:Ljava/lang/String;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final boolean equals(Object obj) {
            return (boolean) ObjectMethods.bootstrap(MethodHandles.lookup(), "equals", MethodType.methodType(Boolean.TYPE, TokenStoreEntry.class, Object.class), TokenStoreEntry.class, "expiration_at;url;scope;clientId;clientSecretHash;token", "FIELD:Lorg/keycloak/email/TokenAuthEmailAuthenticator$TokenStoreEntry;->expiration_at:Ljava/time/LocalDateTime;", "FIELD:Lorg/keycloak/email/TokenAuthEmailAuthenticator$TokenStoreEntry;->url:Ljava/lang/String;", "FIELD:Lorg/keycloak/email/TokenAuthEmailAuthenticator$TokenStoreEntry;->scope:Ljava/lang/String;", "FIELD:Lorg/keycloak/email/TokenAuthEmailAuthenticator$TokenStoreEntry;->clientId:Ljava/lang/String;", "FIELD:Lorg/keycloak/email/TokenAuthEmailAuthenticator$TokenStoreEntry;->clientSecretHash:I", "FIELD:Lorg/keycloak/email/TokenAuthEmailAuthenticator$TokenStoreEntry;->token:Ljava/lang/String;").dynamicInvoker().invoke(this, obj) /* invoke-custom */;
        }

        public LocalDateTime expiration_at() {
            return this.expiration_at;
        }

        public String url() {
            return this.url;
        }

        public String scope() {
            return this.scope;
        }

        public String clientId() {
            return this.clientId;
        }

        public int clientSecretHash() {
            return this.clientSecretHash;
        }

        public String token() {
            return this.token;
        }
    }

    @Override // org.keycloak.email.EmailAuthenticator
    public void connect(KeycloakSession keycloakSession, Map<String, String> map, Transport transport) throws EmailException {
        try {
            transport.connect(map.get(UPConfigUtils.ROLE_USER), gatherValidToken(keycloakSession, map));
        } catch (MessagingException e) {
            throw new EmailException("Connect failed for SMTP " + KeycloakSessionUtil.getRealmNameFromContext(keycloakSession), e);
        } catch (AuthenticationFailedException e2) {
            this.tokenStore.remove(keycloakSession.getContext().getRealm().getId());
            logger.debugf("AuthenticationFailed-Exception for SMTP in realm %s failed response was %s, will try again", KeycloakSessionUtil.getRealmNameFromContext(keycloakSession), e2.getMessage());
            try {
                transport.connect(map.get(UPConfigUtils.ROLE_USER), gatherValidToken(keycloakSession, map));
            } catch (MessagingException e3) {
                logger.warnf("Retry after AuthenticationFailed-Exception for SMTP in realm %s failed response was %s", KeycloakSessionUtil.getRealmNameFromContext(keycloakSession), e3);
                throw new EmailException("Retry after AuthenticationFailed-Exception for SMTP failed.", e3);
            }
        }
    }

    private String gatherValidToken(KeycloakSession keycloakSession, Map<String, String> map) throws EmailException {
        try {
            VaultStringSecret stringSecret = keycloakSession.vault().getStringSecret(map.get("authTokenClientSecret"));
            try {
                String str = (String) stringSecret.get().orElse(map.get("authTokenClientSecret"));
                String str2 = map.get("authTokenUrl");
                String str3 = map.get("authTokenClientId");
                String str4 = map.get("authTokenScope");
                int hashCode = str.hashCode();
                TokenStoreEntry tokenStoreEntry = this.tokenStore.get(keycloakSession.getContext().getRealm().getId());
                if (isValidAuthToken(str2, str4, str3, hashCode, tokenStoreEntry)) {
                    String str5 = tokenStoreEntry.token;
                    if (stringSecret != null) {
                        stringSecret.close();
                    }
                    return str5;
                }
                synchronized (this.tokenStore) {
                    if (isValidAuthToken(str2, str4, str3, hashCode, tokenStoreEntry)) {
                        String str6 = tokenStoreEntry.token;
                        if (stringSecret != null) {
                            stringSecret.close();
                        }
                        return str6;
                    }
                    JsonNode fetchTokenViaHTTP = fetchTokenViaHTTP(keycloakSession, str2, str4, str3, str);
                    Optional<String> accessToken = getAccessToken(keycloakSession, fetchTokenViaHTTP);
                    Optional<LocalDateTime> expiresIn = getExpiresIn(keycloakSession, fetchTokenViaHTTP);
                    if (!accessToken.isPresent()) {
                        throw new EmailException("No access token found in token-response for SMTP");
                    }
                    String str7 = accessToken.get();
                    this.tokenStore.put(keycloakSession.getContext().getRealm().getId(), new TokenStoreEntry(expiresIn.orElse(LocalDateTime.now().plusSeconds(60L)), str2, str4, str3, hashCode, str7));
                    if (stringSecret != null) {
                        stringSecret.close();
                    }
                    return str7;
                }
            } finally {
            }
        } catch (IOException e) {
            throw new EmailException("Failed to gather valid token for SMTP", e);
        }
    }

    private static boolean isValidAuthToken(String str, String str2, String str3, int i, TokenStoreEntry tokenStoreEntry) {
        return tokenStoreEntry != null && str != null && str.equals(tokenStoreEntry.url) && str2 != null && str2.equals(tokenStoreEntry.scope) && str3 != null && str3.equals(tokenStoreEntry.clientId) && i == tokenStoreEntry.clientSecretHash && tokenStoreEntry.expiration_at.plusSeconds(30L).isAfter(LocalDateTime.now());
    }

    private Optional<String> getAccessToken(KeycloakSession keycloakSession, JsonNode jsonNode) {
        if (jsonNode.has("access_token")) {
            return Optional.of(jsonNode.get("access_token").asText());
        }
        logger.warnf("Got no access_token from response for SMTP auth in realm %s, response was %s", KeycloakSessionUtil.getRealmNameFromContext(keycloakSession), jsonNode);
        return Optional.empty();
    }

    private Optional<LocalDateTime> getExpiresIn(KeycloakSession keycloakSession, JsonNode jsonNode) {
        if (jsonNode.has("expires_in")) {
            return Optional.of(LocalDateTime.now().plusSeconds(Long.parseLong(jsonNode.get("expires_in").asText())));
        }
        logger.warnf("Got no expires_in from response for SMTP auth in realm %s, response was %s", KeycloakSessionUtil.getRealmNameFromContext(keycloakSession), jsonNode.asText());
        return Optional.of(LocalDateTime.now().plusSeconds(60L));
    }

    private JsonNode fetchTokenViaHTTP(KeycloakSession keycloakSession, String str, String str2, String str3, String str4) throws IOException {
        return SimpleHttp.doPost(str, keycloakSession).param("client_id", str3).param(AbstractOAuth2IdentityProvider.OAUTH2_PARAMETER_CLIENT_SECRET, str4).param("scope", str2).param("grant_type", "client_credentials").asJson();
    }
}
