package org.keycloak.social.bitbucket;

import com.fasterxml.jackson.databind.JsonNode;
import jakarta.ws.rs.core.Response;
import java.io.IOException;
import org.keycloak.WebAuthnConstants;
import org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider;
import org.keycloak.broker.oidc.OAuth2IdentityProviderConfig;
import org.keycloak.broker.oidc.mappers.AbstractJsonUserAttributeMapper;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.broker.provider.IdentityBrokerException;
import org.keycloak.broker.provider.util.SimpleHttp;
import org.keycloak.broker.social.SocialIdentityProvider;
import org.keycloak.events.EventBuilder;
import org.keycloak.models.KeycloakSession;
import org.keycloak.services.ErrorResponseException;
import org.keycloak.services.resources.Cors;
import org.keycloak.userprofile.config.UPConfigUtils;

/* loaded from: input_file:org/keycloak/social/bitbucket/BitbucketIdentityProvider.class */
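/**
 * Social identity provider that brokers logins through Bitbucket's OAuth 2.0 endpoints.
 *
 * <p>The authorization and token URLs are pinned to the constants below in the constructor, and
 * the access token is only ever sent to {@link #USER_URL} and {@link #USER_EMAIL_URL}.
 *
 * <p>This listing is decompiler output. Parameter names such as {@code str}, the
 * {@code m146getConfig()} accessor, and the {@code WebAuthnConstants.ERROR} /
 * {@code UPConfigUtils.ROLE_USER} references are kept exactly as the decompiler emitted them.
 */
public class BitbucketIdentityProvider extends AbstractOAuth2IdentityProvider implements SocialIdentityProvider {
    public static final String AUTH_URL = "https://bitbucket.org/site/oauth2/authorize";
    public static final String TOKEN_URL = "https://bitbucket.org/site/oauth2/access_token";
    public static final String USER_URL = "https://api.bitbucket.org/2.0/user";
    public static final String USER_EMAIL_URL = "https://api.bitbucket.org/2.0/user/emails";
    public static final String EMAIL_SCOPE = "email";
    public static final String ACCOUNT_SCOPE = "account";
    public static final String DEFAULT_SCOPE = "account";

    /**
     * Creates the provider and overwrites the endpoint URLs in the supplied configuration.
     *
     * <p>Whatever authorization/token URL the configuration carried is replaced with the
     * hard-coded Bitbucket endpoints. A missing or whitespace-only default scope becomes
     * {@code "account email"}.
     *
     * @param keycloakSession session passed to the superclass
     * @param oAuth2IdentityProviderConfig provider configuration; mutated by this constructor
     */
    public BitbucketIdentityProvider(KeycloakSession keycloakSession, OAuth2IdentityProviderConfig oAuth2IdentityProviderConfig) {
        super(keycloakSession, oAuth2IdentityProviderConfig);
        oAuth2IdentityProviderConfig.setAuthorizationUrl(AUTH_URL);
        oAuth2IdentityProviderConfig.setTokenUrl(TOKEN_URL);
        String configuredScope = oAuth2IdentityProviderConfig.getDefaultScope();
        if (configuredScope == null || configuredScope.trim().isEmpty()) {
            // Compile-time constant, identical to the literal "account email".
            oAuth2IdentityProviderConfig.setDefaultScope(ACCOUNT_SCOPE + " " + EMAIL_SCOPE);
        }
    }

    /**
     * Declares that this provider accepts externally issued tokens for exchange.
     *
     * @return always {@code true}
     */
    @Override // org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider
    protected boolean supportsExternalExchange() {
        return true;
    }

    /**
     * Returns the endpoint used to validate an external token.
     *
     * @param eventBuilder unused here
     * @return {@link #USER_URL}
     */
    @Override // org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider
    protected String getProfileEndpointForValidation(EventBuilder eventBuilder) {
        return USER_URL;
    }

    /**
     * Validates an external token by calling the Bitbucket user endpoint with it.
     *
     * <p>The token is accepted only when the call returns HTTP 200 and the JSON body has
     * {@code type} equal to {@code UPConfigUtils.ROLE_USER} and a non-null {@code account_id}.
     * Every other outcome records a {@code reason} detail and an {@code invalid_token} error on
     * the event and throws. The exception carries the same generic message in every case, so the
     * upstream failure reason goes to the event only, not to the caller.
     *
     * @param eventBuilder event that receives the validation method and any failure reason
     * @param str the external token to validate; it is passed to the user-info request and must
     *     not be logged
     * @param str2 not read by this implementation
     * @return the brokered identity built from the user-info response
     * @throws ErrorResponseException with status 400 when the token cannot be validated
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider
    public BrokeredIdentityContext validateExternalTokenThroughUserInfo(EventBuilder eventBuilder, String str, String str2) {
        eventBuilder.detail("validation_method", "user info");
        SimpleHttp.Response response = null;
        int status = 0;
        try {
            response = buildUserInfoRequest(str, getProfileEndpointForValidation(eventBuilder)).asResponse();
            status = response.getStatus();
        } catch (IOException e) {
            // status stays 0, so the check below rejects the token.
            logger.debug("Failed to invoke user info for external exchange", e);
        }
        if (status != 200) {
            logger.debug("Failed to invoke user info status: " + status);
            throw invalidToken(eventBuilder, "user info call failure");
        }

        // response is non-null here: status can only be 200 if asResponse() returned.
        JsonNode profile;
        try {
            profile = response.asJson();
        } catch (IOException e) {
            // Keep a trace of why a 200 response was still rejected.
            logger.debug("Failed to parse user info response for external exchange", e);
            throw invalidToken(eventBuilder, "user info call failure");
        }

        String type = getJsonProperty(profile, "type");
        if (type == null) {
            throw invalidToken(eventBuilder, "no type data in user info response");
        }
        // NOTE(review): WebAuthnConstants.ERROR and UPConfigUtils.ROLE_USER belong to unrelated
        // features; the decompiler presumably substituted them for plain string literals with
        // the same value. Confirm against the original source.
        if (type.equals(WebAuthnConstants.ERROR)) {
            JsonNode errorNode = profile.get(WebAuthnConstants.ERROR);
            if (errorNode == null) {
                throw invalidToken(eventBuilder, "user info call failure");
            }
            throw invalidToken(eventBuilder, "user info call failure: " + getJsonProperty(errorNode, "message"));
        }
        if (!type.equals(UPConfigUtils.ROLE_USER)) {
            throw invalidToken(eventBuilder, "no user info in response");
        }
        if (getJsonProperty(profile, "account_id") == null) {
            // Without an account id there is no stable subject to bind the identity to.
            throw invalidToken(eventBuilder, "user info call failure");
        }
        return extractUserInfo(str, profile);
    }

    /**
     * Records a failed token validation on the event and builds the exception to throw.
     *
     * @param eventBuilder event that receives the {@code reason} detail and the error
     * @param reason internal failure reason, stored on the event only
     * @return a 400 {@code invalid_token} exception with a fixed, generic description
     */
    private static ErrorResponseException invalidToken(EventBuilder eventBuilder, String reason) {
        eventBuilder.detail("reason", reason);
        eventBuilder.error("invalid_token");
        return new ErrorResponseException("invalid_token", "invalid token", Response.Status.BAD_REQUEST);
    }

    /**
     * Builds the brokered identity from a Bitbucket user object and looks up an e-mail address.
     *
     * <p>The e-mail lookup is best effort: any exception is logged at debug level and the
     * identity is returned without an e-mail.
     *
     * @param str access token, sent as a bearer credential to {@link #USER_EMAIL_URL}
     * @param jsonNode user object returned by {@link #USER_URL}
     * @return identity keyed by {@code account_id}, with username, display name and, when
     *     available, e-mail
     */
    private BrokeredIdentityContext extractUserInfo(String str, JsonNode jsonNode) {
        BrokeredIdentityContext identity = new BrokeredIdentityContext(getJsonProperty(jsonNode, "account_id"));
        identity.setUsername(getJsonProperty(jsonNode, "username"));
        identity.setName(getJsonProperty(jsonNode, "display_name"));
        // m146getConfig() is the decompiler-assigned name of the config accessor.
        identity.setIdpConfig(m146getConfig());
        identity.setIdp(this);
        AbstractJsonUserAttributeMapper.storeUserProfileForMapper(identity, jsonNode, m146getConfig().getAlias());
        try {
            // The HTTP status of this call is not inspected; only the shape of the body is.
            JsonNode emailEntry = SimpleHttp.doGet(USER_EMAIL_URL, this.session)
                    .header(Cors.AUTHORIZATION_HEADER, "Bearer " + str)
                    .asJson()
                    .get("values");
            if (emailEntry != null && emailEntry.isArray()) {
                // NOTE(review): only the first element is considered, and nothing here checks
                // whether that address is the primary one or has been confirmed (Bitbucket's
                // e-mail objects carry is_primary / is_confirmed). If the realm treats
                // IdP-supplied e-mail as verified, confirm this is acceptable.
                emailEntry = emailEntry.get(0);
            }
            if (emailEntry != null && "email".equals(getJsonProperty(emailEntry, "type"))) {
                identity.setEmail(getJsonProperty(emailEntry, "email"));
            }
        } catch (Exception e) {
            // Deliberately non-fatal: login proceeds without an e-mail.
            logger.debug("failed to get email from BitBucket", e);
        }
        return identity;
    }

    /**
     * Fetches the Bitbucket user for an access token and converts it to a brokered identity.
     *
     * @param str access token, sent as a bearer credential to {@link #USER_URL}
     * @return identity built from the user object
     * @throws IdentityBrokerException when the response has no {@code type}, reports an error,
     *     describes something other than a user, or the call itself fails
     */
    @Override // org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider
    protected BrokeredIdentityContext doGetFederatedIdentity(String str) {
        try {
            JsonNode profile = SimpleHttp.doGet(USER_URL, this.session)
                    .header(Cors.AUTHORIZATION_HEADER, "Bearer " + str)
                    .asJson();
            String type = getJsonProperty(profile, "type");
            if (type == null) {
                throw new IdentityBrokerException("Could not obtain account information from bitbucket.");
            }
            if (type.equals(WebAuthnConstants.ERROR)) {
                JsonNode errorNode = profile.get(WebAuthnConstants.ERROR);
                if (errorNode == null) {
                    throw new IdentityBrokerException("Could not obtain account information from bitbucket.");
                }
                throw new IdentityBrokerException("Could not obtain account information from bitbucket.  Error: " + getJsonProperty(errorNode, "message"));
            }
            if (type.equals(UPConfigUtils.ROLE_USER)) {
                return extractUserInfo(str, profile);
            }
            logger.debug("Unknown object type: " + type);
            throw new IdentityBrokerException("Could not obtain account information from bitbucket.");
        } catch (IdentityBrokerException e) {
            // Already the right type; do not wrap it a second time. A dedicated catch clause
            // replaces the decompiled "instanceof + throw e" on a variable typed Exception,
            // which rethrows a checked type from a method with no throws clause.
            throw e;
        } catch (Exception e) {
            throw new IdentityBrokerException("Could not obtain user profile from bitbucket.", e);
        }
    }

    /**
     * Returns the scope requested when none is configured.
     *
     * <p>NOTE(review): this is {@code "account"}, while the constructor falls back to
     * {@code "account email"}. Confirm which of the two callers actually see.
     *
     * @return {@link #DEFAULT_SCOPE}
     */
    @Override // org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider
    protected String getDefaultScopes() {
        return DEFAULT_SCOPE;
    }
}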
