package org.keycloak.protocol.oidc;

import com.fasterxml.jackson.databind.node.ObjectNode;
import io.opentelemetry.api.trace.Span;
import jakarta.ws.rs.core.Response;
import org.jboss.logging.Logger;
import org.keycloak.TokenVerifier;
import org.keycloak.common.VerificationException;
import org.keycloak.crypto.SignatureProvider;
import org.keycloak.events.EventBuilder;
import org.keycloak.keys.Attributes;
import org.keycloak.models.AuthenticatedClientSessionModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.ImpersonationSessionNote;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.oid4vc.model.ProofType;
import org.keycloak.protocol.oidc.TokenManager;
import org.keycloak.representations.AccessToken;
import org.keycloak.services.Urls;
import org.keycloak.services.util.DefaultClientSessionContext;
import org.keycloak.services.util.UserSessionUtil;
import org.keycloak.tracing.TracingAttributes;
import org.keycloak.tracing.TracingProvider;
import org.keycloak.util.JsonSerialization;
import org.keycloak.utils.MediaType;

/* loaded from: input_file:org/keycloak/protocol/oidc/AccessTokenIntrospectionProvider.class */
public class AccessTokenIntrospectionProvider<T extends AccessToken> implements TokenIntrospectionProvider {
    protected final KeycloakSession session;
    protected final TokenManager tokenManager = new TokenManager();
    protected final RealmModel realm;
    private static final Logger logger = Logger.getLogger(AccessTokenIntrospectionProvider.class);
    protected EventBuilder eventBuilder;
    protected T token;
    protected ClientModel client;
    protected UserSessionModel userSession;
    protected UserModel user;

    public AccessTokenIntrospectionProvider(KeycloakSession keycloakSession) {
        this.session = keycloakSession;
        this.realm = keycloakSession.getContext().getRealm();
    }

    public Response introspect(String str, EventBuilder eventBuilder) {
        ObjectNode createObjectNode;
        this.eventBuilder = eventBuilder;
        AccessToken accessToken = null;
        try {
            ClientModel client = this.session.getContext().getClient();
            if (introspectionChecks(str)) {
                accessToken = transformAccessToken(this.token, this.userSession);
                createObjectNode = JsonSerialization.createObjectNode(accessToken);
                createObjectNode.put("client_id", accessToken.getIssuedFor());
                String scope = accessToken.getScope();
                if (scope != null && scope.trim().isEmpty()) {
                    createObjectNode.remove("scope");
                }
                if (!createObjectNode.has("username")) {
                    if (accessToken.getPreferredUsername() != null) {
                        createObjectNode.put("username", accessToken.getPreferredUsername());
                    } else {
                        UserModel user = this.userSession.getUser();
                        if (user != null) {
                            createObjectNode.put("username", user.getUsername());
                            eventBuilder.user(user);
                        }
                    }
                }
                String note = this.userSession.getNote(ImpersonationSessionNote.IMPERSONATOR_USERNAME.toString());
                if (note != null) {
                    createObjectNode.putObject("act").put("sub", note);
                }
                createObjectNode.put("token_type", accessToken.getType());
                createObjectNode.put(Attributes.ACTIVE_KEY, true);
                eventBuilder.success();
            } else {
                createObjectNode = JsonSerialization.createObjectNode();
                logger.debug("Keycloak token introspection return false");
                createObjectNode.put(Attributes.ACTIVE_KEY, false);
            }
            if (accessToken != null && MediaType.APPLICATION_JWT.equals(this.session.getContext().getRequestHeaders().getHeaderString("Accept")) && Boolean.parseBoolean(client.getAttribute("client.introspection.response.allow.jwt.claim.enabled"))) {
                createObjectNode.put(ProofType.JWT, this.session.tokens().encode(accessToken));
            }
            return Response.ok(JsonSerialization.writeValueAsBytes(createObjectNode)).type(jakarta.ws.rs.core.MediaType.APPLICATION_JSON_TYPE).build();
        } catch (Exception e) {
            logger.debugf(e, "Exception during Keycloak introspection for %s client in realm %s", accessToken != null ? accessToken.getIssuedFor() : "unknown", this.realm.getName());
            eventBuilder.detail("reason", e.getMessage());
            eventBuilder.error("token_introspection_failed");
            throw new RuntimeException("Error creating token introspection response.", e);
        }
    }

    public AccessToken transformAccessToken(AccessToken accessToken, UserSessionModel userSessionModel) {
        AuthenticatedClientSessionModel authenticatedClientSessionByClient = userSessionModel.getAuthenticatedClientSessionByClient(this.realm.getClientByClientId(accessToken.getIssuedFor()).getId());
        if (authenticatedClientSessionByClient == null) {
            return accessToken;
        }
        DefaultClientSessionContext fromClientSessionAndScopeParameter = DefaultClientSessionContext.fromClientSessionAndScopeParameter(authenticatedClientSessionByClient, accessToken.getScope(), this.session);
        return this.tokenManager.transformIntrospectionAccessToken(this.session, getAccessTokenFromStoredData(accessToken), userSessionModel, fromClientSessionAndScopeParameter);
    }

    private AccessToken getAccessTokenFromStoredData(AccessToken accessToken) {
        AccessToken accessToken2 = new AccessToken();
        accessToken2.id(accessToken.getId());
        accessToken2.type(accessToken.getType());
        accessToken2.subject(accessToken.getSubject());
        accessToken2.iat(accessToken.getIat());
        accessToken2.exp(accessToken.getExp());
        accessToken2.issuedFor(accessToken.getIssuedFor());
        accessToken2.issuer(accessToken.getIssuer());
        accessToken2.setNonce(accessToken.getNonce());
        accessToken2.setScope(accessToken.getScope());
        accessToken2.setSessionId(accessToken.getSessionId());
        accessToken2.audience(accessToken.getAudience());
        accessToken2.setConfirmation(accessToken.getConfirmation());
        return accessToken2;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public boolean introspectionChecks(String str) {
        if (!verifyToken(str) || !verifyClient()) {
            return false;
        }
        this.eventBuilder.session(this.token.getSessionId());
        UserSessionUtil.UserSessionValidationResult verifyUserSession = verifyUserSession();
        if (verifyUserSession.getError() != null) {
            logger.debugf("Introspection access token for " + this.token.getIssuedFor() + " client: " + verifyUserSession.getError(), new Object[0]);
            this.eventBuilder.detail("reason", "Introspection access token for " + this.token.getIssuedFor() + " client: " + verifyUserSession.getError());
            this.eventBuilder.error(verifyUserSession.getError());
            return false;
        }
        this.userSession = verifyUserSession.getUserSession();
        this.user = this.userSession.getUser();
        this.eventBuilder.user(this.user);
        if (TokenManager.isUserValid(this.session, this.realm, this.token, this.userSession.getUser())) {
            return verifyTokenReuse();
        }
        logger.debugf("Could not find valid user from user session " + this.userSession.getId(), new Object[0]);
        this.eventBuilder.detail("reason", "Could not find valid user from user session " + this.userSession.getId());
        this.eventBuilder.error(this.user == null ? "user_not_found" : "user_disabled");
        return false;
    }

    protected boolean verifyToken(String str) {
        try {
            TokenVerifier realmUrl = TokenVerifier.create(str, getTokenClass()).realmUrl(Urls.realmIssuer(this.session.getContext().getUri().getBaseUri(), this.realm.getName()));
            realmUrl.verifierContext(((SignatureProvider) this.session.getProvider(SignatureProvider.class, realmUrl.getHeader().getAlgorithm().name())).verifier(realmUrl.getHeader().getKeyId()));
            this.token = realmUrl.verify().getToken();
            this.eventBuilder.detail("token_id", this.token.getId());
            this.eventBuilder.detail("token_type", this.token.getType());
            Span currentSpan = ((TracingProvider) this.session.getProvider(TracingProvider.class)).getCurrentSpan();
            if (!currentSpan.isRecording()) {
                return true;
            }
            currentSpan.setAttribute(TracingAttributes.TOKEN_ISSUER, this.token.getIssuer());
            currentSpan.setAttribute(TracingAttributes.TOKEN_SID, this.token.getSessionId());
            currentSpan.setAttribute(TracingAttributes.TOKEN_ID, this.token.getId());
            return true;
        } catch (VerificationException e) {
            logger.debugf("Introspection access token : JWT check failed: %s", e.getMessage());
            this.eventBuilder.detail("reason", "Access token JWT check failed");
            this.eventBuilder.error("invalid_token");
            return false;
        }
    }

    protected Class<T> getTokenClass() {
        return AccessToken.class;
    }

    protected boolean verifyClient() {
        this.eventBuilder.detail("token_issued_for", this.token.getIssuedFor());
        ClientModel clientByClientId = this.realm.getClientByClientId(this.token.getIssuedFor());
        if (clientByClientId == null) {
            logger.debugf("Introspection access token : client with clientId %s does not exist", this.token.getIssuedFor());
            this.eventBuilder.detail("reason", String.format("Could not find client for %s", this.token.getIssuedFor()));
            this.eventBuilder.error("client_not_found");
            return false;
        }
        if (!clientByClientId.isEnabled()) {
            logger.debugf("Introspection access token : client with clientId %s is disabled", this.token.getIssuedFor());
            this.eventBuilder.detail("reason", String.format("Client with clientId %s is disabled", this.token.getIssuedFor()));
            this.eventBuilder.error("client_disabled");
            return false;
        }
        try {
            TokenVerifier.createWithoutSignature(this.token).withChecks(new TokenVerifier.Predicate[]{TokenManager.NotBeforeCheck.forModel(clientByClientId), TokenVerifier.IS_ACTIVE, new TokenManager.TokenRevocationCheck(this.session)}).verify();
            this.client = clientByClientId;
            return true;
        } catch (VerificationException e) {
            logger.debugf("Introspection access token for %s client: JWT check failed: %s", this.token.getIssuedFor(), e.getMessage());
            this.eventBuilder.detail("reason", "Introspection access token for " + this.token.getIssuedFor() + " client: JWT check failed");
            this.eventBuilder.error("invalid_token");
            return false;
        }
    }

    protected UserSessionUtil.UserSessionValidationResult verifyUserSession() {
        return UserSessionUtil.findValidSessionForAccessToken(this.session, this.realm, this.token, this.client, userSessionModel -> {
        });
    }

    protected boolean verifyTokenReuse() {
        return true;
    }

    public void close() {
    }
}
