package io.phasetwo.keycloak.resources;

import jakarta.ws.rs.NotAuthorizedException;
import jakarta.ws.rs.NotFoundException;
import jakarta.ws.rs.core.HttpHeaders;
import org.jboss.logging.Logger;
import org.keycloak.common.ClientConnection;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.jose.jws.JWSInputException;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.representations.AccessToken;
import org.keycloak.services.managers.AppAuthManager;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.managers.RealmManager;
import org.keycloak.services.resources.admin.AdminAuth;
import org.keycloak.services.resources.admin.AdminEventBuilder;
import org.keycloak.services.resources.admin.permissions.AdminPermissionEvaluator;
import org.keycloak.services.resources.admin.permissions.AdminPermissions;
import org.keycloak.services.resources.admin.permissions.ManagementPermissions;

/* loaded from: input_file:io/phasetwo/keycloak/resources/AbstractAdminResource.class */
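/**
 * Base class for admin REST resources that authenticate the caller from a bearer token.
 *
 * <p>The constructor only captures request context (realm, headers, connection). The caller's
 * identity, the admin event builder and the permission evaluator are populated by
 * {@link #setup()}, which must run before any role or permission check is made.
 */
public abstract class AbstractAdminResource {
    private static final Logger log = Logger.getLogger(AbstractAdminResource.class);
    protected final ClientConnection connection;
    protected final HttpHeaders headers;
    protected final KeycloakSession session;
    // Realm taken from the session context at construction time. The realm the caller
    // authenticated against is carried by `auth` and is resolved from the token issuer.
    protected final RealmModel realm;
    // The three fields below stay null until setup() has completed successfully.
    protected AdminAuth auth;
    protected AdminEventBuilder adminEvent;
    protected AdminPermissionEvaluator permissions;

    /**
     * Captures the realm, request headers and client connection from the session context.
     * No authentication happens here; see {@link #setup()}.
     *
     * <p>Decompiler note (JADX): the access modifier was changed from {@code protected}.
     *
     * @param keycloakSession the session of the current request
     */
    public AbstractAdminResource(KeycloakSession keycloakSession) {
        this.session = keycloakSession;
        this.realm = keycloakSession.getContext().getRealm();
        this.headers = keycloakSession.getContext().getRequestHeaders();
        this.connection = keycloakSession.getContext().getConnection();
    }

    /**
     * Authenticates the request and initialises the event builder, permission evaluator and
     * CORS handling. Authentication runs first because the other three steps all read
     * {@code this.auth}.
     *
     * @throws NotAuthorizedException if the bearer token is missing, malformed or not valid
     * @throws NotFoundException if the client named by the token does not exist in the realm
     */
    public void setup() {
        setupAuth();
        setupEvents();
        setupPermissions();
        setupCors();
    }

    /**
     * Rejects the request unless the authenticated caller holds the given admin role.
     *
     * @param str name of the required admin role
     * @throws NotAuthorizedException if the caller does not hold the role
     */
    public void requireAdminRole(String str) {
        if (!hasAdminRole(str)) {
            // NOTE(review): this answers 401 and passes the message as the challenge value.
            // 403 is the conventional status for an authenticated caller lacking a role;
            // the exception type is kept because callers may catch it.
            throw new NotAuthorizedException(String.format("%s role is required", str));
        }
    }

    /**
     * Reports whether the authenticated caller holds the given admin role.
     *
     * @param str name of the admin role to look for
     * @return {@code true} if the role check passes; {@code false} if it does not, or if
     *     {@link #setup()} has not established an authenticated caller yet
     */
    public boolean hasAdminRole(String str) {
        // Fail closed: without a completed setup() there is no caller to evaluate.
        if (this.auth == null) {
            return false;
        }
        return ManagementPermissions.hasOneAdminRole(this.session, this.realm, this.auth, str);
    }

    private void setupCors() {
        CorsResource.setupCors(this.session, this.auth);
    }

    private void setupAuth() {
        this.auth = authenticateRealmAdminRequest(this.headers);
    }

    private void setupEvents() {
        this.adminEvent =
                new AdminEventBuilder(
                                this.realm,
                                this.auth,
                                this.session,
                                this.session.getContext().getConnection())
                        .realm(this.realm);
    }

    private void setupPermissions() {
        this.permissions = AdminPermissions.evaluator(this.session, this.realm, this.auth);
    }

    /**
     * Resolves the caller from the request's bearer token.
     *
     * <p>The token is first decoded without verification, only to read the issuer and so pick
     * the realm to authenticate against. Nothing from that decoded copy is trusted: the token
     * is then handed to {@code BearerTokenAuthenticator}, and every value placed in the
     * returned {@link AdminAuth} comes from its result.
     *
     * @param httpHeaders headers of the current request
     * @return the authenticated admin identity (realm, token, user, client)
     * @throws NotAuthorizedException if the token is missing, malformed, has no issuer, names
     *     an unknown realm, or is rejected by the authenticator
     * @throws NotFoundException if the token's {@code azp} client does not exist in the realm
     */
    private AdminAuth authenticateRealmAdminRequest(HttpHeaders httpHeaders) {
        String tokenString = AppAuthManager.extractAuthorizationHeaderToken(httpHeaders);
        if (tokenString == null) {
            throw new NotAuthorizedException("Bearer");
        }

        AccessToken unverified;
        try {
            unverified = new JWSInput(tokenString).readJsonContent(AccessToken.class);
        } catch (JWSInputException e) {
            // Keep the parse failure as the cause so it is not lost for diagnostics.
            throw new NotAuthorizedException(e, "Bearer token format error");
        }

        // A token without an issuer used to fail with a NullPointerException (a 500);
        // treat it like any other token whose realm cannot be determined.
        String issuer = unverified == null ? null : unverified.getIssuer();
        if (issuer == null) {
            throw new NotAuthorizedException("Unknown realm in token");
        }

        // The realm name is the last path segment of the issuer URL.
        String realmName = issuer.substring(issuer.lastIndexOf('/') + 1);
        RealmModel tokenRealm = new RealmManager(this.session).getRealmByName(realmName);
        if (tokenRealm == null) {
            throw new NotAuthorizedException("Unknown realm in token");
        }

        // The context realm is switched before verification, as in the original statement
        // order; if verification fails the request is aborted by the exception below.
        this.session.getContext().setRealm(tokenRealm);
        AuthenticationManager.AuthResult result =
                new AppAuthManager.BearerTokenAuthenticator(this.session)
                        .setRealm(tokenRealm)
                        .setConnection(this.connection)
                        .setHeaders(httpHeaders)
                        .authenticate();
        if (result == null) {
            log.debug("Token not valid");
            throw new NotAuthorizedException("Bearer");
        }

        // From here on read claims from the authenticator's token, not the unverified copy.
        ClientModel client = tokenRealm.getClientByClientId(result.getToken().getIssuedFor());
        if (client == null) {
            throw new NotFoundException("Could not find client for authorization");
        }
        return new AdminAuth(tokenRealm, result.getToken(), result.getUser(), client);
    }
}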
