package org.keycloak.services.resources.account;

import jakarta.ws.rs.InternalServerErrorException;
import jakarta.ws.rs.NotAuthorizedException;
import jakarta.ws.rs.NotFoundException;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.PathParam;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.core.HttpHeaders;
import jakarta.ws.rs.core.MediaType;
import java.io.IOException;
import java.util.List;
import org.jboss.logging.Logger;
import org.keycloak.common.enums.AccountRestApiVersion;
import org.keycloak.events.EventBuilder;
import org.keycloak.http.HttpRequest;
import org.keycloak.http.HttpResponse;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakUriInfo;
import org.keycloak.models.RealmModel;
import org.keycloak.protocol.oidc.TokenIntrospectionProvider;
import org.keycloak.representations.AccessToken;
import org.keycloak.services.cors.Cors;
import org.keycloak.services.managers.AppAuthManager;
import org.keycloak.services.managers.Auth;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.resource.AccountResourceProvider;
import org.keycloak.theme.Theme;

/* loaded from: input_file:org/keycloak/services/resources/account/AccountLoader.class */
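/**
 * JAX-RS sub-resource locator for a realm's account endpoints.
 *
 * <p>Depending on the HTTP method and content negotiation, a request is handed to a CORS
 * preflight handler, to the bearer-token-protected {@link AccountRestService}, or to the
 * {@link AccountResourceProvider} selected by the account theme.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>Every path first requires the realm's {@code account} client to exist and be enabled.</li>
 *   <li>The REST service is only returned after bearer-token authentication, an audience check
 *       against the {@code account} client, and rejection of service-account users.</li>
 *   <li>{@code OPTIONS} requests and the theme-provided resource are returned without any
 *       authentication performed here.</li>
 * </ul>
 */
public class AccountLoader {
    private final KeycloakSession session;
    private final EventBuilder event;
    private final HttpRequest request;
    private final HttpResponse response;
    private static final Logger logger = Logger.getLogger(AccountLoader.class);

    /**
     * Captures the session, the event builder and the request/response of the session's
     * current context.
     *
     * @param keycloakSession session whose context supplies the HTTP request and response
     * @param eventBuilder    event builder passed on to the account REST service
     */
    public AccountLoader(KeycloakSession keycloakSession, EventBuilder eventBuilder) {
        this.session = keycloakSession;
        this.event = eventBuilder;
        this.request = keycloakSession.getContext().getHttpRequest();
        this.response = keycloakSession.getContext().getHttpResponse();
    }

    /**
     * Resolves the resource that serves the root account path.
     *
     * @return a {@link CorsPreflightService} for {@code OPTIONS}; the account REST service when
     *         the request accepts or sends JSON (and the path does not end in
     *         {@code keycloak.json}); otherwise the theme's account resource
     * @throws NotFoundException if the account client is missing or disabled, or no account
     *         resource provider is available
     * @throws InternalServerErrorException if the account theme cannot be loaded
     * @throws NotAuthorizedException if the JSON branch is taken and authentication fails
     */
    @Path("/")
    public Object getAccountService() {
        // Fails with 404 before anything else when account management is disabled.
        ClientModel accountManagementClient = getAccountManagementClient(this.session.getContext().getRealm());
        HttpRequest httpRequest = this.session.getContext().getHttpRequest();
        HttpHeaders requestHeaders = this.session.getContext().getRequestHeaders();
        MediaType mediaType = requestHeaders.getMediaType();
        List<MediaType> acceptableMediaTypes = requestHeaders.getAcceptableMediaTypes();
        // NOTE(review): theme and provider are resolved before the method/content-type checks,
        // so a theme load failure turns into a 500 even for OPTIONS and JSON requests.
        Theme theme = getTheme(this.session);
        KeycloakUriInfo uri = this.session.getContext().getUri();
        AccountResourceProvider accountResourceProvider = getAccountResourceProvider(theme);

        // Preflight requests carry no credentials; they are answered without authentication.
        if (httpRequest.getHttpMethod().equals("OPTIONS")) {
            return new CorsPreflightService(httpRequest);
        }

        // JSON is recognised from either the Accept header or the request Content-Type.
        boolean wantsJson = acceptableMediaTypes.contains(MediaType.APPLICATION_JSON_TYPE)
                || MediaType.APPLICATION_JSON_TYPE.equals(mediaType);
        if (wantsJson && !uri.getPath().endsWith("keycloak.json")) {
            return getAccountRestService(accountManagementClient, null);
        }

        // No authentication is performed here for the theme resource.
        // NOTE(review): presumably the returned resource enforces its own access rules; confirm.
        if (accountResourceProvider != null) {
            return accountResourceProvider.getResource();
        }
        throw new NotFoundException();
    }

    /**
     * Resolves the account REST service for an explicit API version path segment.
     *
     * @param str version segment matched by the path pattern (starts with {@code v} and a digit)
     * @return a {@link CorsPreflightService} for {@code OPTIONS}, otherwise the authenticated
     *         account REST service for the requested version
     * @throws NotFoundException if the account client is unavailable or the version is unknown
     * @throws NotAuthorizedException if bearer authentication or the audience check fails
     */
    @Produces({org.keycloak.utils.MediaType.APPLICATION_JSON})
    @Path("{version : v\\d[0-9a-zA-Z_\\-]*}")
    public Object getVersionedAccountRestService(@PathParam("version") String str) {
        if (this.request.getHttpMethod().equals("OPTIONS")) {
            return new CorsPreflightService(this.request);
        }
        return getAccountRestService(getAccountManagementClient(this.session.getContext().getRealm()), str);
    }

    /**
     * Loads the account theme, converting an I/O failure into a 500 response.
     */
    private Theme getTheme(KeycloakSession keycloakSession) {
        try {
            return keycloakSession.theme().getTheme(Theme.Type.ACCOUNT);
        } catch (IOException e) {
            throw new InternalServerErrorException(e);
        }
    }

    /**
     * Authenticates the bearer token and builds the account REST service.
     *
     * @param clientModel the realm's account management client; its client id is the audience
     *                    the token must carry
     * @param versionStr  requested API version, or {@code null} for the default version
     * @return the REST service bound to the authenticated user
     * @throws NotAuthorizedException if no valid bearer token is presented, the token lacks the
     *         account client audience, or the user is a service account
     * @throws NotFoundException if {@code versionStr} does not name a known API version
     */
    private AccountRestService getAccountRestService(ClientModel clientModel, String versionStr) {
        AuthenticationManager.AuthResult authResult =
                new AppAuthManager.BearerTokenAuthenticator(this.session).authenticate();
        if (authResult == null) {
            throw new NotAuthorizedException("Bearer token required");
        }

        AccessToken token = authResult.getToken();
        // A token without an audience, or without resource access for the account client, is
        // passed through the access-token introspection provider before the audience check.
        // NOTE(review): this listing invokes transformAccessToken on the TokenIntrospectionProvider
        // type; confirm against the original source that the resolved provider exposes it.
        if (token.getAudience() == null || token.getResourceAccess(clientModel.getClientId()) == null) {
            token = this.session.getProvider(TokenIntrospectionProvider.class, "access_token").transformAccessToken(token);
        }

        // Reject tokens that were not issued for the account client, so a token minted for
        // another client cannot be replayed against the account API.
        if (!token.hasAudience(clientModel.getClientId())) {
            throw new NotAuthorizedException("Invalid audience for client " + clientModel.getClientId());
        }

        Auth auth = new Auth(this.session.getContext().getRealm(), token, authResult.getUser(), clientModel,
                authResult.getSession(), false);

        // CORS headers are written to the response before the service-account check below, so
        // that rejection is also sent with them. Allowed origins are derived from the token.
        Cors.add(this.request).allowedOrigins(auth.getToken()).allowedMethods(new String[]{"GET", "PUT", "POST", "DELETE"}).auth().build(this.response);

        // The account API is for end users only; users linked to a service-account client are refused.
        if (authResult.getUser().getServiceAccountClientLink() != null) {
            throw new NotAuthorizedException("Service accounts are not allowed to access this service");
        }

        AccountRestApiVersion apiVersion;
        if (versionStr == null) {
            apiVersion = AccountRestApiVersion.DEFAULT;
        } else {
            apiVersion = AccountRestApiVersion.get(versionStr);
            if (apiVersion == null) {
                throw new NotFoundException("API version not found");
            }
        }
        return new AccountRestService(this.session, auth, this.event, apiVersion);
    }

    /**
     * Looks up the realm's {@code account} client.
     *
     * @throws NotFoundException if the client does not exist or is disabled
     */
    private ClientModel getAccountManagementClient(RealmModel realmModel) {
        ClientModel accountClient = realmModel.getClientByClientId("account");
        if (accountClient != null && accountClient.isEnabled()) {
            return accountClient;
        }
        logger.debug("account management not enabled");
        throw new NotFoundException("account management not enabled");
    }

    /**
     * Selects the account resource provider: the one named by the theme property
     * {@code accountResourceProvider} when present, otherwise the default provider.
     *
     * <p>Reading the theme properties is best-effort: an I/O failure falls back to the default
     * provider, but is logged instead of being dropped silently.
     */
    private AccountResourceProvider getAccountResourceProvider(Theme theme) {
        try {
            if (theme.getProperties().containsKey("accountResourceProvider")) {
                return this.session.getProvider(AccountResourceProvider.class, theme.getProperties().getProperty("accountResourceProvider"));
            }
        } catch (IOException e) {
            // Keep the fallback, but make the failure visible to operators: otherwise a broken
            // theme silently swaps in a different provider than the one configured.
            logger.warn("Failed to read account theme properties; using default account resource provider", e);
        }
        return this.session.getProvider(AccountResourceProvider.class);
    }
}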
