package dk.grinn.keycloak.migration.boundary;

import dk.grinn.keycloak.migration.entities.CreateRealmKey;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.util.Base64;
import java.util.Locale;
import javax.persistence.EntityManager;
import org.jboss.logging.Logger;
import org.keycloak.common.util.CertificateUtils;
import org.keycloak.common.util.KeyUtils;
import org.keycloak.common.util.MultivaluedHashMap;
import org.keycloak.common.util.PemUtils;
import org.keycloak.component.ComponentModel;
import org.keycloak.models.RealmModel;

/* loaded from: input_file:dk/grinn/keycloak/migration/boundary/RealmKeyController.class */
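/**
 * Installs an RSA signing key (certificate + private key) on a Keycloak realm.
 *
 * <p>The key material is resolved in this order, the first complete pair winning:
 * <ol>
 *   <li>values carried directly on the {@link CreateRealmKey} request ("ENV"),</li>
 *   <li>a PKCS12 / JKS keystore on disk referenced by the request's path, alias and password,</li>
 *   <li>a pair previously stored as realm attributes (only when the request asks for re-use),</li>
 *   <li>a freshly generated 2048-bit RSA key pair with a self-signed V1 certificate.</li>
 * </ol>
 * The chosen pair is then written back as realm attributes and registered as an
 * {@code rsa} key-provider component on the realm.
 *
 * <p>Note that the private key is stored both as a realm attribute and in the
 * component configuration, i.e. anything that can read those locations can read
 * the key. The key material itself is never logged by this class.
 *
 * <p>Decompiled from {@code RealmKeyController.class}; the decompiler widened
 * {@link CertAndKeyPair} and {@link #isNullOrEmpty(String)} from private to public.
 * They are kept public here so existing references keep compiling.
 */
public class RealmKeyController {
    private static final Logger LOG = Logger.getLogger(RealmKeyController.class);
    protected static final String PRIVATE_KEY_CONFIG_KEY = "privateKey";
    protected static final String CERTIFICATE_CONFIG_KEY = "certificate";

    /** Modulus length used when a new RSA key pair has to be generated. */
    private static final int RSA_KEY_SIZE = 2048;
    /** Name of Keycloak's default generated key provider that this controller disables. */
    private static final String RSA_GENERATED_COMPONENT_NAME = "rsa-generated";
    /** Keystore type used for {@code .p12} files. */
    private static final String PKCS12_TYPE = "PKCS12";

    /** Retained for parity with the original class; only used to build {@link #controller}. */
    private final EntityManager em;
    /** Realm-attribute access; presumably persists via the entity manager — confirm against its implementation. */
    private final GkcadmRealmAttributeController controller;

    /**
     * A certificate / private-key pair, both held as base64 strings.
     *
     * <p>The encoding of each string is whatever the producing path emitted:
     * {@code PemUtils} output for generated pairs, raw base64 of the DER encoding
     * for keystore-loaded pairs, and whatever was stored for request- or
     * realm-sourced pairs.
     */
    public static class CertAndKeyPair {
        /** The "nothing found" sentinel; {@link #isEmpty()} is {@code true} for it. */
        static final CertAndKeyPair EMPTY = new CertAndKeyPair(null, null);
        private final String certificate;
        private final String privateKey;

        /**
         * @param certificate base64 certificate, may be {@code null}
         * @param privateKey  base64 private key, may be {@code null}
         */
        CertAndKeyPair(String certificate, String privateKey) {
            this.certificate = certificate;
            this.privateKey = privateKey;
        }

        /** @return the certificate string, possibly {@code null} */
        String getCertificate() {
            return this.certificate;
        }

        /** @return the private-key string, possibly {@code null} */
        String getPrivateKey() {
            return this.privateKey;
        }

        /**
         * A pair is considered empty when <em>either</em> half is missing or blank —
         * a certificate without its key (or vice versa) is unusable for signing.
         *
         * @return {@code true} if the pair cannot be used as-is
         */
        boolean isEmpty() {
            return RealmKeyController.isNullOrEmpty(this.certificate)
                    || RealmKeyController.isNullOrEmpty(this.privateKey);
        }
    }

    /**
     * @param entityManager JPA entity manager handed to the realm-attribute controller
     */
    public RealmKeyController(EntityManager entityManager) {
        this.em = entityManager;
        this.controller = new GkcadmRealmAttributeController(entityManager);
    }

    /**
     * Marks every component named {@code rsa-generated} on the realm as inactive and
     * disabled, so the key installed by {@link #setRealmKey} becomes the realm's only
     * active RSA key.
     *
     * @param realmModel realm whose components are updated in place
     */
    public static void disableRsaGenerated(RealmModel realmModel) {
        realmModel.getComponents().stream()
                // constant-first equals tolerates a component with a null name
                .filter(component -> RSA_GENERATED_COMPONENT_NAME.equals(component.getName()))
                .forEach(component -> {
                    component.getConfig().putSingle("active", "false");
                    component.getConfig().putSingle("enabled", "false");
                    realmModel.updateComponent(component);
                });
    }

    /**
     * Resolves a certificate / key pair for the realm (see the class comment for the
     * precedence) and installs it as an RSA key-provider component.
     *
     * @param realmModel     realm to install the key on
     * @param createRealmKey request describing where the key material comes from
     * @throws IllegalArgumentException if a keystore path is given but the file is
     *                                  missing, has an unsupported extension, or
     *                                  lacks the requested alias
     * @throws RuntimeException         if the keystore cannot be opened or read
     */
    public void setRealmKey(RealmModel realmModel, CreateRealmKey createRealmKey) {
        String realmName = realmModel.getName();
        CertAndKeyPair pair = getCertAndKeyPairFromEnvironment(createRealmKey);
        if (pair.isEmpty()) {
            pair = getCertAndKeyPairFromPath(createRealmKey);
        }
        if (createRealmKey.isReuse() && pair.isEmpty()) {
            pair = getCertAndKeyPairFromRealm(realmName);
        }
        if (pair.isEmpty()) {
            pair = generateNewCertAndKeyPair(createRealmKey);
        }
        createReusableRSACertificate(realmModel, createRealmKey, realmName, pair);
    }

    /**
     * Generates a fresh RSA key pair and a self-signed V1 certificate for it.
     *
     * @param createRealmKey supplies the certificate subject
     * @return the PEM-encoded (via {@code PemUtils}) certificate and private key
     */
    private CertAndKeyPair generateNewCertAndKeyPair(CreateRealmKey createRealmKey) {
        LOG.info("Generating new realm key");
        KeyPair keyPair = KeyUtils.generateRsaKeyPair(RSA_KEY_SIZE);
        String certificate = PemUtils.encodeCertificate(
                CertificateUtils.generateV1SelfSignedCertificate(keyPair, createRealmKey.getSubject()));
        String privateKey = PemUtils.encodeKey(keyPair.getPrivate());
        return new CertAndKeyPair(certificate, privateKey);
    }

    /**
     * Reads a previously stored pair from the realm's attributes.
     *
     * @param realmName realm whose attributes are read
     * @return the stored pair; {@link CertAndKeyPair#isEmpty()} if either attribute is absent
     */
    private CertAndKeyPair getCertAndKeyPairFromRealm(String realmName) {
        LOG.info("Signaled re-using realm key");
        String certificate = this.controller.getAttribute(realmName, CERTIFICATE_CONFIG_KEY);
        String privateKey = this.controller.getAttribute(realmName, PRIVATE_KEY_CONFIG_KEY);
        return new CertAndKeyPair(certificate, privateKey);
    }

    /**
     * Loads the pair from the keystore named by the request, if path, password and
     * alias are all present.
     *
     * <p>The password array is owned by the request and is not cleared here.
     *
     * @param createRealmKey request carrying path, alias and password
     * @return the loaded pair, or {@link CertAndKeyPair#EMPTY} when any of the three
     *         inputs is missing
     */
    private CertAndKeyPair getCertAndKeyPairFromPath(CreateRealmKey createRealmKey) {
        char[] password = createRealmKey.getPassword();
        String alias = createRealmKey.getAlias();
        if (isNullOrEmpty(createRealmKey.getPath()) || password == null || isNullOrEmpty(alias)) {
            return CertAndKeyPair.EMPTY;
        }
        Path path = Paths.get(createRealmKey.getPath());
        LOG.info("Using realm key from path = " + path);
        return getCertAndKeyPairFromKeystore(getKeyStore(path, password), password, alias);
    }

    /**
     * Extracts the certificate and private key stored under {@code alias}.
     *
     * @param keyStore loaded keystore
     * @param password key-entry password
     * @param alias    entry to read
     * @return both halves as base64 of their DER encoding
     * @throws IllegalArgumentException if the alias has no certificate or no private key
     * @throws RuntimeException         wrapping the underlying keystore/crypto failure
     */
    private CertAndKeyPair getCertAndKeyPairFromKeystore(KeyStore keyStore, char[] password, String alias) {
        try {
            // getCertificate/getKey return null for an unknown alias; fail with a clear
            // message instead of a NullPointerException / ClassCastException
            Certificate certificate = keyStore.getCertificate(alias);
            if (certificate == null) {
                throw new IllegalArgumentException("No certificate found for alias '" + alias + "'.");
            }
            Key key = keyStore.getKey(alias, password);
            if (!(key instanceof PrivateKey)) {
                throw new IllegalArgumentException("No private key found for alias '" + alias + "'.");
            }
            Base64.Encoder encoder = Base64.getEncoder();
            return new CertAndKeyPair(
                    encoder.encodeToString(certificate.getEncoded()),
                    encoder.encodeToString(key.getEncoded()));
        } catch (KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException
                | CertificateEncodingException e) {
            // keep the cause so the real failure is diagnosable; the message carries no key material
            throw new RuntimeException("Could not load certificate for alias '" + alias + "'.", e);
        }
    }

    /**
     * Builds the pair from the certificate and key carried directly on the request.
     *
     * @param createRealmKey request
     * @return the request's pair; may be empty
     */
    private CertAndKeyPair getCertAndKeyPairFromEnvironment(CreateRealmKey createRealmKey) {
        CertAndKeyPair pair = new CertAndKeyPair(createRealmKey.getCertificate(), createRealmKey.getPrivateKey());
        if (!pair.isEmpty()) {
            LOG.info("Using realm key from ENV");
        }
        return pair;
    }

    /**
     * Persists the pair as realm attributes (so a later run can re-use it) and
     * registers it as an RSA key-provider component on the realm.
     *
     * @param realmModel     realm receiving the component
     * @param createRealmKey supplies the component name and priority
     * @param realmName      attribute scope
     * @param pair           the key material to install
     */
    private void createReusableRSACertificate(RealmModel realmModel, CreateRealmKey createRealmKey,
            String realmName, CertAndKeyPair pair) {
        this.controller.putAttribute(realmName, PRIVATE_KEY_CONFIG_KEY, pair.getPrivateKey());
        this.controller.putAttribute(realmName, CERTIFICATE_CONFIG_KEY, pair.getCertificate());
        realmModel.addComponentModel(createRsaComponent(
                createRealmKey.getName(),
                realmModel.getId(),
                pair.getPrivateKey(),
                pair.getCertificate(),
                createRealmKey.getPriority()));
    }

    /**
     * Builds an active, enabled {@code rsa} key-provider component using RS256.
     *
     * @param name        component name
     * @param realmId     parent realm id
     * @param privateKey  base64 private key placed in the component config
     * @param certificate base64 certificate placed in the component config
     * @param priority    key priority
     * @return the unsaved component model
     */
    private ComponentModel createRsaComponent(String name, String realmId, String privateKey,
            String certificate, long priority) {
        ComponentModel component = new ComponentModel();
        component.setName(name);
        component.setParentId(realmId);
        component.setProviderId("rsa");
        component.setProviderType("org.keycloak.keys.KeyProvider");
        component.setConfig(new MultivaluedHashMap<>());
        MultivaluedHashMap<String, String> config = component.getConfig();
        config.putSingle("active", "true");
        config.putSingle("enabled", "true");
        config.putSingle("priority", String.valueOf(priority));
        config.putSingle(PRIVATE_KEY_CONFIG_KEY, privateKey);
        config.putSingle(CERTIFICATE_CONFIG_KEY, certificate);
        config.putSingle("algorithm", "RS256");
        return component;
    }

    /**
     * Opens the keystore at {@code path}, choosing the type from the file extension.
     *
     * @param path     keystore file
     * @param password keystore password
     * @return the loaded keystore
     * @throws IllegalArgumentException if the file does not exist or the extension is unsupported
     */
    private KeyStore getKeyStore(Path path, char[] password) {
        if (!Files.exists(path, new LinkOption[0])) {
            throw new IllegalArgumentException("The specified certificate file does not exist.");
        }
        return loadKeyStore(path, getType(path), password);
    }

    /**
     * Maps a file extension to a {@link KeyStore} type: {@code .p12} → PKCS12,
     * {@code .jks} → the JVM's default type.
     *
     * @param path keystore file
     * @return the keystore type name
     * @throws IllegalArgumentException for any other extension
     */
    private String getType(Path path) {
        Path fileName = path.getFileName();
        if (fileName == null) {
            // e.g. a root path; there is no name to inspect
            throw new IllegalArgumentException("Invalid certificate type. Allowed types: [pkcs12, jks]");
        }
        // Locale.ROOT keeps the comparison independent of the JVM's default locale
        String lowerName = fileName.toString().toLowerCase(Locale.ROOT);
        if (lowerName.endsWith(".p12")) {
            return PKCS12_TYPE;
        }
        if (lowerName.endsWith(".jks")) {
            return KeyStore.getDefaultType();
        }
        throw new IllegalArgumentException("Invalid certificate type. Allowed types: [pkcs12, jks]");
    }

    /**
     * Reads a keystore of the given type from disk.
     *
     * @param path     keystore file
     * @param type     {@link KeyStore} type name
     * @param password keystore password
     * @return the loaded keystore
     * @throws RuntimeException wrapping any I/O, keystore or certificate failure
     */
    private KeyStore loadKeyStore(Path path, String type, char[] password) {
        // try-with-resources closes the stream on every path, including when load() throws
        try (InputStream in = Files.newInputStream(path, new OpenOption[0])) {
            KeyStore keyStore = KeyStore.getInstance(type);
            keyStore.load(in, password);
            return keyStore;
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException e) {
            throw new RuntimeException("Could not load certificate " + path, e);
        }
    }

    /**
     * @param str string to test
     * @return {@code true} if {@code str} is {@code null} or only whitespace (per {@link String#trim()})
     */
    public static boolean isNullOrEmpty(String str) {
        return str == null || str.trim().isEmpty();
    }
}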
