package io.phasetwo.service.util;

import jakarta.ws.rs.NotFoundException;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.keycloak.authentication.AuthenticationProcessor;
import org.keycloak.events.EventBuilder;
import org.keycloak.models.ClientModel;
import org.keycloak.models.ClientProvider;
import org.keycloak.models.ClientScopeModel;
import org.keycloak.models.ClientSessionContext;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper;
import org.keycloak.protocol.oidc.TokenManager;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.AccessTokenResponse;
import org.keycloak.services.Urls;
import org.keycloak.services.managers.AuthenticationSessionManager;
import org.keycloak.services.util.MtlsHoKTokenUtil;
import org.keycloak.sessions.AuthenticationSessionModel;
import org.keycloak.util.TokenUtil;

/* loaded from: input_file:io/phasetwo/service/util/TokenManager.class */
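public class TokenManager {
    /** Protocol the intermediate authentication session is created for. */
    private static final String OIDC_PROTOCOL = "openid-connect";
    /** Client-session note holding the issuer URL of the realm. */
    private static final String ISSUER_NOTE = "iss";
    /** Client-session note holding the space-separated scope string; also read back in {@link #generateTokens()}. */
    private static final String SCOPE_NOTE = "scope";
    /** Event error code recorded when mTLS holder-of-key binding is required but no client certificate is present. */
    private static final String ERROR_INVALID_REQUEST = "invalid_request";

    private final KeycloakSession session;
    /** The access token whose audience, allowed origins and scope string seed the new token. */
    private final AccessToken accessToken;
    private final RealmModel realm;
    /** Client identified by the access token's {@code azp} (issued-for) claim. */
    private final ClientModel targetClient;
    private final OIDCAdvancedConfigWrapper targetClientConfig;
    /** User the new tokens are issued for. */
    private final UserModel user;

    /**
     * Resolves the client named by {@code accessToken.getIssuedFor()} in {@code realmModel} and
     * makes it the current client of the session context.
     *
     * <p>NOTE(review): this class does not verify the signature, expiry or audience of
     * {@code accessToken}; it is assumed the caller has already validated it.
     *
     * @param keycloakSession the current Keycloak session
     * @param accessToken     a validated access token to derive the new token from
     * @param realmModel      realm the target client and user belong to
     * @param userModel       user the new tokens will be issued for
     * @throws NullPointerException if any argument is {@code null}
     * @throws NotFoundException    if no client with the token's {@code azp} exists in the realm
     *                              (previously this surfaced later as a {@code NullPointerException})
     */
    public TokenManager(KeycloakSession keycloakSession, AccessToken accessToken, RealmModel realmModel, UserModel userModel) {
        this.session = Objects.requireNonNull(keycloakSession, "keycloakSession");
        this.accessToken = Objects.requireNonNull(accessToken, "accessToken");
        this.realm = Objects.requireNonNull(realmModel, "realmModel");
        this.user = Objects.requireNonNull(userModel, "userModel");
        ClientModel client = keycloakSession.getProvider(ClientProvider.class)
            .getClientByClientId(realmModel, accessToken.getIssuedFor());
        if (client == null) {
            // Fail explicitly here rather than letting the config wrapper dereference null later.
            throw new NotFoundException("No client in the realm matches the token's issued-for (azp) claim");
        }
        this.targetClient = client;
        this.targetClientConfig = OIDCAdvancedConfigWrapper.fromClientModel(client);
        this.session.getContext().setClient(client);
    }

    /**
     * Creates a fresh authentication session for the user and target client, attaches it, and
     * builds a token response through Keycloak's OIDC {@code TokenManager}.
     *
     * <p>The new access token carries the audience and allowed origins of the seed token. A refresh
     * token is added only when the target client is configured to use one; an ID token (with
     * {@code at_hash}) only when the scope string marks an OIDC request. mTLS holder-of-key
     * binding is applied last, when enabled for the target client.
     *
     * @return the built token response
     * @throws NotFoundException if mTLS HoK binding is enabled and no client certificate is present
     */
    public AccessTokenResponse generateTokens() {
        AuthenticationSessionModel authSession = getAuthSession(getScopeIds());
        EventBuilder event = new EventBuilder(
            this.session.getContext().getRealm(), this.session, this.session.getContext().getConnection());
        ClientSessionContext clientSessionCtx = AuthenticationProcessor.attachSession(
            authSession, (UserSessionModel) null, this.session, this.realm,
            this.session.getContext().getConnection(), event);
        // Fully qualified: this class shadows Keycloak's TokenManager by simple name.
        org.keycloak.protocol.oidc.TokenManager.AccessTokenResponseBuilder responseBuilder =
            new org.keycloak.protocol.oidc.TokenManager()
                .responseBuilder(this.realm, this.targetClient, event, this.session,
                    clientSessionCtx.getClientSession().getUserSession(), clientSessionCtx)
                .generateAccessToken();
        // Carry audience and allowed origins over from the seed token rather than letting the
        // target client's mappers decide them.
        responseBuilder.getAccessToken().audience(this.accessToken.getAudience());
        responseBuilder.getAccessToken().setAllowedOrigins(this.accessToken.getAllowedOrigins());
        boolean refreshTokenGenerated = this.targetClientConfig.isUseRefreshToken();
        if (refreshTokenGenerated) {
            responseBuilder.generateRefreshToken();
        }
        if (TokenUtil.isOIDCRequest(clientSessionCtx.getClientSession().getNote(SCOPE_NOTE))) {
            responseBuilder.generateIDToken().generateAccessTokenHash();
        }
        checkAndBindMtlsHoKToken(event, responseBuilder, refreshTokenGenerated);
        return responseBuilder.build();
    }

    /**
     * Binds the generated tokens to the presenting client's TLS certificate when the target client
     * has mTLS holder-of-key tokens enabled; a no-op otherwise.
     *
     * @param event                  event builder the failure is recorded on
     * @param responseBuilder        builder whose access (and optionally refresh) token gets the
     *                               {@code cnf} confirmation
     * @param refreshTokenGenerated  whether {@code generateRefreshToken()} was called, i.e. whether
     *                               {@code getRefreshToken()} is populated
     * @throws NotFoundException if binding is enabled but no client certificate is available
     *                           (kept for compatibility with existing callers; the condition is
     *                           really a bad request)
     */
    private void checkAndBindMtlsHoKToken(EventBuilder event,
                                          org.keycloak.protocol.oidc.TokenManager.AccessTokenResponseBuilder responseBuilder,
                                          boolean refreshTokenGenerated) {
        if (!this.targetClientConfig.isUseMtlsHokToken()) {
            return;
        }
        AccessToken.Confirmation confirmation =
            MtlsHoKTokenUtil.bindTokenWithClientCertificate(this.session.getContext().getHttpRequest(), this.session);
        if (confirmation == null) {
            event.error(ERROR_INVALID_REQUEST);
            throw new NotFoundException("Client Certification missing for MTLS HoK Token Binding");
        }
        responseBuilder.getAccessToken().setConfirmation(confirmation);
        if (refreshTokenGenerated) {
            responseBuilder.getRefreshToken().setConfirmation(confirmation);
        }
    }

    /**
     * Computes the client-scope ids to attach to the new authentication session: every default
     * scope of the target client, plus those optional scopes of the target client whose name
     * appears in the seed token's scope string. Scope names the target client does not have
     * assigned are dropped, so the new token cannot gain scopes the client is not entitled to.
     *
     * <p>A {@code null} scope string yields only the default scopes; duplicate scope names are
     * tolerated (the previous {@code Set.of(...)} form rejected them).
     *
     * @return mutable-agnostic set of client-scope ids, possibly empty
     */
    private Set<String> getScopeIds() {
        Map<String, ClientScopeModel> defaultScopes = this.targetClient.getClientScopes(true);
        Map<String, ClientScopeModel> optionalScopes = this.targetClient.getClientScopes(false);
        String scopeClaim = this.accessToken.getScope();
        Set<String> requestedNames = scopeClaim == null
            ? Set.of()
            : Stream.of(scopeClaim.split(" ")).filter(name -> !name.isEmpty()).collect(Collectors.toSet());
        return Stream.concat(
                defaultScopes.values().stream(),
                optionalScopes.values().stream().filter(scope -> requestedNames.contains(scope.getName())))
            .map(ClientScopeModel::getId)
            .collect(Collectors.toSet());
    }

    /**
     * Creates a non-browser authentication session for the target client, pre-authenticated as
     * {@link #user}, with the issuer and seed-token scope string recorded as client notes.
     *
     * @param scopeIds client-scope ids to attach, as computed by {@link #getScopeIds()}
     * @return the new authentication session
     */
    private AuthenticationSessionModel getAuthSession(Set<String> scopeIds) {
        AuthenticationSessionModel authSession = new AuthenticationSessionManager(this.session)
            .createAuthenticationSession(this.realm, false)
            .createAuthenticationSession(this.targetClient);
        authSession.setAuthenticatedUser(this.user);
        authSession.setProtocol(OIDC_PROTOCOL);
        authSession.setClientNote(ISSUER_NOTE,
            Urls.realmIssuer(this.session.getContext().getUri().getBaseUri(), this.realm.getName()));
        authSession.setClientNote(SCOPE_NOTE, this.accessToken.getScope());
        authSession.setClientScopes(scopeIds);
        return authSession;
    }
}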
