package org.keycloak.social.openshift;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.openshift.internal.restclient.model.properties.ResourcePropertyKeys;
import java.io.IOException;
import java.io.InputStream;
import java.util.Map;
import java.util.Optional;
import org.apache.http.HttpResponse;
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpGet;
import org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider;
import org.keycloak.broker.oidc.mappers.AbstractJsonUserAttributeMapper;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.broker.provider.IdentityBrokerException;
import org.keycloak.broker.provider.util.SimpleHttp;
import org.keycloak.broker.social.SocialIdentityProvider;
import org.keycloak.connections.httpclient.HttpClientProvider;
import org.keycloak.events.EventBuilder;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.LDAPConstants;

/* loaded from: input_file:BOOT-INF/lib/keycloak-services-8.0.0.jar:org/keycloak/social/openshift/OpenshiftV4IdentityProvider.class */
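/**
 * Social identity provider that brokers logins against an OpenShift v4 cluster.
 *
 * <p>On construction it fetches the cluster's OAuth authorization-server metadata from
 * {@code <baseUrl>/.well-known/oauth-authorization-server} and copies the
 * {@code authorization_endpoint} and {@code token_endpoint} values into the provider
 * config; the user-info URL is derived from the same base URL plus {@link #PROFILE_RESOURCE}.
 * The base URL comes from the provider config (presumably set by a realm administrator
 * — confirm against the config class), so the metadata request targets an operator-chosen
 * host, not end-user input.
 */
public class OpenshiftV4IdentityProvider extends AbstractOAuth2IdentityProvider<OpenshiftV4IdentityProviderConfig> implements SocialIdentityProvider<OpenshiftV4IdentityProviderConfig> {
    public static final String BASE_URL = "https://api.preview.openshift.com";
    public static final String OPENSHIFT_OAUTH_METADATA_ENDPOINT = "/.well-known/oauth-authorization-server";
    public static final String PROFILE_RESOURCE = "/apis/user.openshift.io/v1/users/~";
    public static final String DEFAULT_SCOPE = "user:info";

    // Metadata keys read from the OAuth authorization-server descriptor.
    private static final String AUTHORIZATION_ENDPOINT_KEY = "authorization_endpoint";
    private static final String TOKEN_ENDPOINT_KEY = "token_endpoint";

    // ObjectMapper is thread-safe once configured; building one per request is wasteful.
    private static final ObjectMapper MAPPER = new ObjectMapper();

    /**
     * Creates the provider and resolves the OAuth endpoints from the cluster's metadata.
     *
     * @param keycloakSession                  current session, used to obtain the shared HTTP client
     * @param openshiftV4IdentityProviderConfig provider config; its authorization, token and
     *                                         user-info URLs are overwritten here
     * @throws IdentityBrokerException if the metadata cannot be fetched or parsed, or if it
     *                                 lacks the authorization or token endpoint
     */
    public OpenshiftV4IdentityProvider(KeycloakSession keycloakSession, OpenshiftV4IdentityProviderConfig openshiftV4IdentityProviderConfig) {
        super(keycloakSession, openshiftV4IdentityProviderConfig);
        // Resolve the base URL once and use it for BOTH the metadata fetch and the profile
        // URL. The original passed the raw config value to the metadata fetch, so a missing
        // base URL produced a "null/.well-known/..." request while the profile URL still got
        // the default.
        String baseUrl = Optional.ofNullable(openshiftV4IdentityProviderConfig.getBaseUrl()).orElse(BASE_URL);
        Map<String, Object> authJson = getAuthJson(keycloakSession, baseUrl);
        logger.debugv("Openshift v4 OAuth descriptor: {0}", authJson);
        openshiftV4IdentityProviderConfig.setAuthorizationUrl(requiredEndpoint(authJson, AUTHORIZATION_ENDPOINT_KEY));
        openshiftV4IdentityProviderConfig.setTokenUrl(requiredEndpoint(authJson, TOKEN_ENDPOINT_KEY));
        openshiftV4IdentityProviderConfig.setUserInfoUrl(baseUrl + PROFILE_RESOURCE);
    }

    /**
     * Returns the string value stored under {@code key} in the metadata descriptor.
     *
     * @throws IdentityBrokerException if the key is absent, not a string, or blank — a
     *                                 missing endpoint would otherwise surface later as a
     *                                 confusing failure during the login redirect
     */
    private static String requiredEndpoint(Map<String, Object> authJson, String key) {
        Object value = authJson.get(key);
        if (!(value instanceof String) || ((String) value).trim().isEmpty()) {
            throw new IdentityBrokerException("OAuth metadata from Openshift is missing required endpoint: " + key);
        }
        return (String) value;
    }

    /**
     * Fetches and parses the OAuth authorization-server metadata.
     *
     * @param keycloakSession session used to obtain the HTTP client
     * @param str             base URL of the cluster (without trailing path)
     * @return the parsed metadata descriptor
     * @throws IdentityBrokerException wrapping any I/O or runtime failure
     */
    Map<String, Object> getAuthJson(KeycloakSession keycloakSession, String str) {
        try {
            return mapMetadata(getOauthMetadataInputStream(keycloakSession, str));
        } catch (IOException | RuntimeException e) {
            // The try body can only throw IOException or unchecked exceptions, so this is
            // the same coverage as catch (Exception) but names what is actually expected.
            throw new IdentityBrokerException("Could not initialize oAuth metadata", e);
        }
    }

    /**
     * Performs the GET against the well-known metadata endpoint and returns the body stream.
     *
     * @param keycloakSession session used to obtain the shared {@link HttpClient}
     * @param str             base URL of the cluster
     * @return the response body; the caller is responsible for consuming/closing it
     * @throws IOException      on transport failure
     * @throws RuntimeException if the server answers with a status other than 200
     */
    InputStream getOauthMetadataInputStream(KeycloakSession keycloakSession, String str) throws IOException {
        HttpClient httpClient = ((HttpClientProvider) keycloakSession.getProvider(HttpClientProvider.class)).getHttpClient();
        HttpGet httpGet = new HttpGet(str + OPENSHIFT_OAUTH_METADATA_ENDPOINT);
        httpGet.addHeader("accept", "application/json");
        HttpResponse execute = httpClient.execute(httpGet);
        int statusCode = execute.getStatusLine().getStatusCode();
        if (statusCode != 200) {
            // Release the pooled connection before bailing out; the original left the
            // error body unconsumed.
            if (execute.getEntity() != null) {
                execute.getEntity().getContent().close();
            }
            throw new RuntimeException("Failed : HTTP error code : " + statusCode);
        }
        return execute.getEntity().getContent();
    }

    /**
     * Parses a JSON object body into a map.
     *
     * @param inputStream JSON document; Jackson closes it after reading
     * @return the top-level object as a map
     * @throws IOException if the body is not a JSON object
     */
    @SuppressWarnings("unchecked") // Map.class erases the type parameters; JSON objects map to String keys.
    Map<String, Object> mapMetadata(InputStream inputStream) throws IOException {
        return (Map<String, Object>) MAPPER.readValue(inputStream, Map.class);
    }

    /** @return the scope requested when none is configured ({@value #DEFAULT_SCOPE}). */
    @Override // org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider
    protected String getDefaultScopes() {
        return DEFAULT_SCOPE;
    }

    /**
     * Resolves the brokered identity by calling the user-info endpoint with the access token.
     *
     * @param str the OAuth access token obtained from the token endpoint
     * @return identity context populated from the user profile
     * @throws IdentityBrokerException wrapping any failure to fetch or map the profile
     */
    @Override // org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider
    protected BrokeredIdentityContext doGetFederatedIdentity(String str) {
        try {
            JsonNode profile = fetchProfile(str);
            BrokeredIdentityContext context = extractUserContext(profile);
            // Keep the raw profile on the context so attribute mappers can read it later.
            AbstractJsonUserAttributeMapper.storeUserProfileForMapper(context, profile, getConfig().getAlias());
            return context;
        } catch (Exception e) {
            throw new IdentityBrokerException("Could not obtain user profile from Openshift.", e);
        }
    }

    /**
     * Builds the identity context from an OpenShift {@code User} resource.
     *
     * <p>The id and username come from the resource's {@code metadata} object
     * (uid and name); the display name comes from the top-level {@code fullName}.
     *
     * @param jsonNode the user resource as returned by {@link #PROFILE_RESOURCE}
     * @return a context with id, username, name, config and provider set
     * @throws IdentityBrokerException if the resource has no {@code metadata} object
     */
    private BrokeredIdentityContext extractUserContext(JsonNode jsonNode) {
        JsonNode metadata = jsonNode.get(ResourcePropertyKeys.METADATA);
        logger.debugv("extractUserContext: metadata = {0}", metadata);
        if (metadata == null) {
            // getJsonProperty is inherited and its null handling is not visible here; fail
            // with a clear message rather than a possible NPE.
            throw new IdentityBrokerException("Openshift user profile has no metadata section.");
        }
        BrokeredIdentityContext context = new BrokeredIdentityContext(getJsonProperty(metadata, LDAPConstants.UID));
        context.setUsername(getJsonProperty(metadata, "name"));
        context.setName(getJsonProperty(jsonNode, "fullName"));
        context.setIdpConfig(getConfig());
        context.setIdp(this);
        return context;
    }

    /**
     * GETs the configured user-info URL, authenticating with the given bearer token.
     *
     * @param str the OAuth access token
     * @return the response body parsed as JSON
     * @throws IOException on transport or parse failure
     */
    private JsonNode fetchProfile(String str) throws IOException {
        return SimpleHttp.doGet(getConfig().getUserInfoUrl(), this.session)
                .header("Authorization", "Bearer " + str)
                .asJson();
    }

    /** @return {@code true}: external-to-internal token exchange is supported. */
    @Override // org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider
    protected boolean supportsExternalExchange() {
        return true;
    }

    /**
     * @param eventBuilder unused
     * @return the user-info URL used to validate an externally supplied token
     */
    @Override // org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider
    protected String getProfileEndpointForValidation(EventBuilder eventBuilder) {
        return getConfig().getUserInfoUrl();
    }

    /**
     * Maps an already-fetched profile (token-exchange path) to an identity context.
     *
     * @param eventBuilder unused
     * @param jsonNode     the user resource JSON
     * @return identity context populated from the profile
     */
    @Override // org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider
    protected BrokeredIdentityContext extractIdentityFromProfile(EventBuilder eventBuilder, JsonNode jsonNode) {
        BrokeredIdentityContext context = extractUserContext(jsonNode);
        AbstractJsonUserAttributeMapper.storeUserProfileForMapper(context, jsonNode, getConfig().getAlias());
        return context;
    }
}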
