package dev.rusatom.keycloak.modules.esia;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import dev.rusatom.keycloak.modules.CliSigner;
import dev.rusatom.keycloak.modules.MessageUtils;
import dev.rusatom.keycloak.modules.StringUtils;
import java.io.IOException;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.Date;
import java.util.Iterator;
import java.util.UUID;
import java.util.stream.Collectors;
import javax.ws.rs.GET;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.UriBuilder;
import org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider;
import org.keycloak.broker.oidc.mappers.AbstractJsonUserAttributeMapper;
import org.keycloak.broker.provider.AuthenticationRequest;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.broker.provider.IdentityProvider;
import org.keycloak.broker.provider.util.SimpleHttp;
import org.keycloak.broker.social.SocialIdentityProvider;
import org.keycloak.events.EventBuilder;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;

/* loaded from: input_file:dev/rusatom/keycloak/modules/esia/EsiaIdentityProvider.class */
public class EsiaIdentityProvider extends AbstractOAuth2IdentityProvider<EsiaIdentityProviderConfig> implements SocialIdentityProvider<EsiaIdentityProviderConfig> {
    // Mail domain used by setEmailFromPhone when the ESIA_PHONE_DOMAIN environment variable is not set.
    private static final String ESIA_DEFAULT_PHONE_DOMAIN = "phone.esia.gosuslugi.ru";
    // NOTE(review): neither this name nor its value is referenced elsewhere in this class, although
    // fetchJson treats a 304 status as "nothing to update" — confirm whether conditional requests are still sent.
    private static final String HEADER_IF_NONE_MATCH = "If-None-Match";
    // Grant type sent by OrgTools.generateOrgTokenRequest.
    public static final String OAUTH2_GRANT_TYPE_CLIENT_CREDENTIALS = "client_credentials";
    // Prefix of every user attribute this provider writes.
    public static final String ESIA_PREFIX = "esia.";
    // Prefix of attributes that hold a raw JSON response from an ESIA endpoint.
    public static final String ESIA_JSON_PREFIX = "esia._JSON.";
    // Same value as ESIA_JSON_PREFIX.
    public static final String ESIA_PREFIX_JSON = "esia._JSON.";
    // Paths appended to the configured ESIA base URL by the constructor.
    private static final String AUTH_PATH = "/aas/oauth2/ac";
    private static final String TOKEN_PATH = "/aas/oauth2/te";
    public static final String OAUTH2_PARAMETER_TIMESTAMP = "timestamp";
    public static final String OAUTH2_PARAMETER_TOKEN_TYPE = "token_type";
    public static final String OAUTH2_PARAMETER_TOKEN_TYPE_VALUE = "Bearer";
    // SimpleDateFormat pattern of the timestamp that is sent with, and signed into, every request.
    protected static final String timestampFormat = "yyyy.MM.dd HH:mm:ss Z";
    private static final String OIDC_PARAMETER_ACCESS_TYPE = "access_type";
    private static final String ACCESS_TYPE_ONLINE = "online";
    private static final String SCOPE_OPENID = "openid";
    // Access-token claim from which doGetFederatedIdentity reads the subject id.
    private static final String ESIA_OID = "urn:esia:sbj_id";
    public static final String PROVIDER_NAME = "Esia";
    static final String ESIA_LAST_NAME = "lastName";
    static final String ESIA_FIRST_NAME = "firstName";
    static final String HEADER_ACCEPT = "Accept";
    // Prefix of attributes that hold the eTag of the matching "esia." attribute.
    private static final String ESIA_ETAG_PREFIX = "esia._ETAG.";
    // Prefix of provider-internal attributes (the granted scope string is stored under it).
    private static final String ESIA_SERVICE_PREFIX = "esia._INT.";
    // Serialises fetched JSON documents into attribute values.
    protected ObjectMapper oM;
    // Keycloak session attribute keys under which Endpoint.authResponse keeps the authorization
    // code and the state returned by ESIA, for OrgTools.generateOrgTokenRequest.
    public static final String ESIA_AUTH_CODE = "ESIA_AUTH_CODE";
    public static final String ESIA_STATE = "ESIA_STATE";

    /* loaded from: input_file:dev/rusatom/keycloak/modules/esia/EsiaIdentityProvider$Endpoint.class */
    protected class Endpoint extends AbstractOAuth2IdentityProvider<EsiaIdentityProviderConfig>.Endpoint {
        public Endpoint(IdentityProvider.AuthenticationCallback authenticationCallback, RealmModel realmModel, EventBuilder eventBuilder) {
            super(EsiaIdentityProvider.this, authenticationCallback, realmModel, eventBuilder);
        }

        /**
         * Handles the browser redirect coming back from ESIA.
         *
         * <p>The Keycloak broker state travels in {@code kState} (createAuthorizationUrl appends it to
         * the redirect URI) and is what the parent endpoint receives as its state. The {@code state}
         * value returned by ESIA is only stored in the session; this method does not compare it with
         * anything.
         *
         * @param str  Keycloak broker state ({@code kState})
         * @param str2 state value returned by ESIA
         * @param str3 authorization code
         * @param str4 error reported by ESIA, if any
         * @return whatever the parent endpoint produces for this callback
         */
        @GET
        public Response authResponse(@QueryParam("kState") String str, @QueryParam("state") String str2, @QueryParam("code") String str3, @QueryParam("error") String str4) {
            // Both values are read back from the session by OrgTools.generateOrgTokenRequest.
            this.session.setAttribute(EsiaIdentityProvider.ESIA_STATE, str2);
            this.session.setAttribute(EsiaIdentityProvider.ESIA_AUTH_CODE, str3);
            return super.authResponse(str, str3, str4);
        }

        /**
         * Builds the authorization-code token request for ESIA.
         *
         * <p>A fresh state and timestamp are generated for this request, and the
         * {@code client_secret} parameter is the value getClientSecret returns for
         * (person scopes, timestamp, client id, state).
         *
         * @param str authorization code received on the callback
         * @return the prepared, not yet executed, POST request
         */
        public SimpleHttp generateTokenRequest(String str) {
            final EsiaIdentityProviderConfig config = (EsiaIdentityProviderConfig) EsiaIdentityProvider.this.getConfig();
            final String requestState = EsiaIdentityProvider.this.getState();
            final String scopes = config.getPersonScopes();
            final String timestamp = EsiaIdentityProvider.this.getTimestampString();
            final String signature = EsiaIdentityProvider.this.getClientSecret(scopes, timestamp, config.getClientId(), requestState);
            final String redirectUri = this.session.getContext().getUri().getAbsolutePath().toString();
            return SimpleHttp.doPost(config.getTokenUrl(), this.session)
                    .param("client_id", config.getClientId())
                    .param("code", str)
                    .param("grant_type", "authorization_code")
                    .param("client_secret", signature)
                    .param("state", requestState)
                    .param("redirect_uri", redirectUri)
                    .param("scope", scopes)
                    .param(EsiaIdentityProvider.OAUTH2_PARAMETER_TIMESTAMP, timestamp)
                    .param(EsiaIdentityProvider.OAUTH2_PARAMETER_TOKEN_TYPE, EsiaIdentityProvider.OAUTH2_PARAMETER_TOKEN_TYPE_VALUE);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:dev/rusatom/keycloak/modules/esia/EsiaIdentityProvider$OrgEndpoint.class */
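    public class OrgEndpoint {
        // Short name of the data set; used as the last part of the stored attribute name.
        String type;
        // Path template relative to the ESIA base URL; %s is replaced by the organisation oid.
        String path;
        // Space-separated organisation scope names, any one of which permits calling this endpoint.
        String scope;
        // Accept header value sent with the request.
        String acceptHeader = "application/json";

        OrgEndpoint() {
        }

        /**
         * Tells whether the granted scopes allow this endpoint to be called for one organisation.
         *
         * <p>Granted scopes are compared entry by entry. A substring test is not enough here: with
         * {@code contains}, a grant for {@code org_oid=1234} would also satisfy a check for
         * {@code org_oid=123}.
         *
         * @param str  whitespace-separated scopes granted by ESIA
         * @param str2 organisation oid
         * @return {@code true} when one granted entry equals an expected scope URL, or extends it
         *         with further query parameters ({@code &...})
         */
        public boolean checkScope(String str, String str2) {
            if (str == null || str2 == null || this.scope == null) {
                return false;
            }
            String[] granted = str.trim().split("\\s+");
            for (String scopeName : this.scope.split(" ")) {
                String expected = String.format("http://esia.gosuslugi.ru/%s?org_oid=%s", scopeName, str2);
                for (String entry : granted) {
                    if (entry.equals(expected) || entry.startsWith(expected + "&")) {
                        return true;
                    }
                }
            }
            return false;
        }
    }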

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:dev/rusatom/keycloak/modules/esia/EsiaIdentityProvider$OrgTools.class */
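    public class OrgTools {
        // Scope URL for one organisation: first %s is the scope name, second %s the organisation oid.
        static final String ESIA_ORG_SCOPE_TEMPLATE = "http://esia.gosuslugi.ru/%s?org_oid=%s";

        private OrgTools() {
        }

        /**
         * Expands every scope name for every organisation oid.
         *
         * <p>The decompiled listing used the same name for both lambda parameters, which does not
         * compile and hides which value goes where; the outer stream walks the scope names and the
         * inner one the oids, matching the (scope, oid) order of the template.
         *
         * @param str    space-separated organisation scope names
         * @param strArr organisation oids
         * @return the scope URLs joined with single spaces
         */
        private String getOrgScopes(String str, String[] strArr) {
            String expanded = Arrays.stream(str.split(" "))
                    .map(scopeName -> Arrays.stream(strArr)
                            .map(orgOid -> String.format(ESIA_ORG_SCOPE_TEMPLATE, scopeName, orgOid))
                            .collect(Collectors.joining(" ")))
                    .collect(Collectors.joining(" "));
            EsiaIdentityProvider.logger.debug(expanded);
            return expanded;
        }

        /**
         * Compares the organisation scopes that were requested with the ones ESIA returned.
         *
         * @param str    space-separated organisation scope names that were requested
         * @param strArr organisation oids
         * @param str2   space-separated scopes returned by ESIA
         * @return {@code true} when both sets, sorted and joined, are equal ignoring case
         */
        public boolean checkOrgScopes(String str, String[] strArr, String str2) {
            String[] requested = getOrgScopes(str, strArr).split(" ");
            String[] returned = str2.split(" ");
            Arrays.sort(requested);
            Arrays.sort(returned);
            String requestedJoined = String.join(" ", requested);
            String returnedJoined = String.join(" ", returned);
            EsiaIdentityProvider.logger.debug("requested Org Scopes " + requestedJoined);
            EsiaIdentityProvider.logger.debug("returned Org Scopes " + returnedJoined);
            return requestedJoined.equalsIgnoreCase(returnedJoined);
        }

        /**
         * Builds the token request for organisation-scoped data.
         *
         * <p>The authorization code and state are the ones Endpoint.authResponse stored in the
         * Keycloak session; the {@code client_secret} parameter is the value getClientSecret
         * returns for (organisation scopes, timestamp, client id, state).
         *
         * @param strArr organisation oids
         * @param str    space-separated organisation scope names
         * @return the prepared, not yet executed, POST request
         */
        public SimpleHttp generateOrgTokenRequest(String[] strArr, String str) {
            KeycloakSession keycloakSession = EsiaIdentityProvider.this.getSession();
            EsiaIdentityProviderConfig config = (EsiaIdentityProviderConfig) EsiaIdentityProvider.this.getConfig();
            String storedState = (String) keycloakSession.getAttribute(EsiaIdentityProvider.ESIA_STATE, String.class);
            String storedCode = (String) keycloakSession.getAttribute(EsiaIdentityProvider.ESIA_AUTH_CODE, String.class);
            String timestamp = EsiaIdentityProvider.this.getTimestampString();
            String orgScopes = getOrgScopes(str, strArr);
            String clientId = config.getClientId();
            return SimpleHttp.doPost(config.getTokenUrl(), keycloakSession)
                    .param("client_id", clientId)
                    .param("code", storedCode)
                    .param("grant_type", EsiaIdentityProvider.OAUTH2_GRANT_TYPE_CLIENT_CREDENTIALS)
                    .param("state", storedState)
                    .param("scope", orgScopes)
                    .param(EsiaIdentityProvider.OAUTH2_PARAMETER_TIMESTAMP, timestamp)
                    .param(EsiaIdentityProvider.OAUTH2_PARAMETER_TOKEN_TYPE, EsiaIdentityProvider.OAUTH2_PARAMETER_TOKEN_TYPE_VALUE)
                    .param("client_secret", EsiaIdentityProvider.this.getClientSecret(orgScopes, timestamp, clientId, storedState));
        }

        /**
         * Lists the organisation endpoints this provider knows, each with the scope names that
         * permit it and the Accept header to send.
         *
         * @return a new list on every call, in the order profile, contacts, addresses, vehicles, branches
         */
        public ArrayList<OrgEndpoint> getPaths() {
            ArrayList<OrgEndpoint> endpoints = new ArrayList<>();
            endpoints.add(endpoint("profile", "/rs/orgs/%s",
                    "org_shortname org_fullname org_type org_ogrn org_inn org_leg org_kpp org_agencyterrange org_agencytype org_oktmo",
                    null));
            endpoints.add(endpoint("contacts", "/rs/orgs/%s/ctts?embed=(contacts.elements)", "org_ctts",
                    "application/json; schema=\"https://esia-portal1.test.gosuslugi.ru/rs/model/ctts/Contacts-1\""));
            endpoints.add(endpoint("addresses", "/rs/orgs/%s/addrs?embed=(elements)", "org_addrs",
                    "application/json; schema=\"https://esia-portal1.test.gosuslugi.ru/rs/model/addrs/Addresses-1\""));
            endpoints.add(endpoint("vehicles", "/rs/orgs/%s/vhls?embed=(vehicles.elements)", "org_vhls",
                    "application/json; schema=\"https://esia-portal1.test.gosuslugi.ru/rs/model/vhls/Vehicles-1\""));
            endpoints.add(endpoint("branches", "/rs/orgs/%s/brhs?embed=(branches.elements)",
                    "org_brhs org_brhs_ctts org_brhs_addrs", null));
            return endpoints;
        }

        // Creates one endpoint description; a null acceptHeader keeps the OrgEndpoint default.
        private OrgEndpoint endpoint(String type, String path, String scope, String acceptHeader) {
            OrgEndpoint created = new OrgEndpoint();
            created.type = type;
            created.path = path;
            created.scope = scope;
            if (acceptHeader != null) {
                created.acceptHeader = acceptHeader;
            }
            return created;
        }
    }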

    /**
     * Creates the provider and completes the configuration it was given.
     *
     * <p>The authorization and token URLs are derived from the configured ESIA base URL, and
     * {@code openid} is put in front of the default scope when the configured scopes do not
     * already contain that text.
     *
     * @param keycloakSession            current Keycloak session
     * @param esiaIdentityProviderConfig provider configuration; modified in place
     */
    public EsiaIdentityProvider(KeycloakSession keycloakSession, EsiaIdentityProviderConfig esiaIdentityProviderConfig) {
        super(keycloakSession, esiaIdentityProviderConfig);
        this.oM = new ObjectMapper();
        esiaIdentityProviderConfig.setAuthorizationUrl(esiaIdentityProviderConfig.getEsiaUrl() + AUTH_PATH);
        esiaIdentityProviderConfig.setTokenUrl(esiaIdentityProviderConfig.getEsiaUrl() + TOKEN_PATH);
        final String configuredScopes = esiaIdentityProviderConfig.getAllScopes();
        // Substring test: any configured scope text containing "openid" counts as present.
        if (!configuredScopes.contains(SCOPE_OPENID)) {
            final String withOpenId = "openid " + configuredScopes;
            esiaIdentityProviderConfig.setDefaultScope(withOpenId.trim());
        }
    }

    /**
     * Exposes the Keycloak session of this provider to the nested helper classes.
     *
     * @return the session held by this provider
     */
    public KeycloakSession getSession() {
        final KeycloakSession current = this.session;
        return current;
    }

    /**
     * Signs a request that uses the configured default scope, the current time and the
     * configured client id.
     *
     * @param str state value of the request
     * @return the value to send as {@code client_secret}
     */
    private String getClientSecret(String str) {
        final EsiaIdentityProviderConfig config = (EsiaIdentityProviderConfig) getConfig();
        final String scope = config.getDefaultScope();
        final String timestamp = getTimestampString();
        final String clientId = ((EsiaIdentityProviderConfig) getConfig()).getClientId();
        return getClientSecret(scope, timestamp, clientId, str);
    }

    /* JADX INFO: Access modifiers changed from: private */
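    /**
     * Produces the {@code client_secret} value for one request by signing the concatenation
     * scope + timestamp + client id + state, in that order and without separators.
     *
     * <p>The signed text is written to the debug log; it is made of request parameters that are
     * also sent in clear with the request.
     *
     * @param str  scope string of the request
     * @param str2 timestamp string of the request
     * @param str3 client id
     * @param str4 state value of the request
     * @return the result of {@code CliSigner.signString} for the concatenated text
     * @throws RuntimeException wrapping any failure of the signer
     */
    public String getClientSecret(String str, String str2, String str3, String str4) {
        // Build the text once so the logged value and the signed value cannot drift apart.
        final String textToSign = str + str2 + str3 + str4;
        try {
            CliSigner cliSigner = new CliSigner();
            logger.debug(textToSign);
            return cliSigner.signString(textToSign);
        } catch (Exception e) {
            // Pass the exception itself so the stack trace of a signing failure reaches the log.
            logger.error("Signature failed! " + e.getMessage(), e);
            throw new RuntimeException(e);
        }
    }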

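    /**
     * Formats the current time with {@code timestampFormat}.
     *
     * <p>The value is sent to ESIA and is part of the signed text, so it is formatted with
     * {@code Locale.ROOT}: with the JVM default locale the digits could be rendered in a
     * non-ASCII numbering system on hosts configured for such a locale.
     *
     * @return the current time, in the JVM default time zone, as {@code yyyy.MM.dd HH:mm:ss Z}
     */
    public String getTimestampString() {
        final SimpleDateFormat formatter = new SimpleDateFormat(timestampFormat, java.util.Locale.ROOT);
        return formatter.format(new Date());
    }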

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Generates the state value for one ESIA request.
     *
     * <p>The value is not stored by this method; callers put it into the request and into the
     * signed text.
     *
     * @return a new random UUID in its canonical string form
     */
    public String getState() {
        final UUID requestState = UUID.randomUUID();
        return requestState.toString();
    }

    /**
     * Builds the ESIA authorization URL on top of the one the parent class creates.
     *
     * <p>The Keycloak broker state is moved into the redirect URI as {@code kState}, and the
     * {@code state} query parameter is replaced by a fresh UUID that is also part of the signed
     * text. The signature is sent as {@code client_secret} in the query string.
     *
     * @param authenticationRequest the broker request being started
     * @return the builder for the URL the browser is redirected to
     */
    protected UriBuilder createAuthorizationUrl(AuthenticationRequest authenticationRequest) {
        final EsiaIdentityProviderConfig config = (EsiaIdentityProviderConfig) getConfig();
        final String scope = config.getDefaultScope();
        final String timestamp = getTimestampString();
        final String clientId = ((EsiaIdentityProviderConfig) getConfig()).getClientId();
        final String requestState = getState();
        final String signature = getClientSecret(scope, timestamp, clientId, requestState);
        // NOTE(review): the encoded broker state is appended as-is; confirm it can never contain
        // characters that need escaping inside a query value.
        final String redirectWithState = authenticationRequest.getRedirectUri() + "?kState=" + authenticationRequest.getState().getEncoded();
        final UriBuilder builder = super.createAuthorizationUrl(authenticationRequest);
        builder.replaceQueryParam("redirect_uri", redirectWithState);
        builder.queryParam(OAUTH2_PARAMETER_TIMESTAMP, timestamp);
        builder.queryParam("client_secret", signature);
        builder.queryParam(OIDC_PARAMETER_ACCESS_TYPE, ACCESS_TYPE_ONLINE);
        builder.replaceQueryParam("state", requestState);
        return builder;
    }

    /**
     * Names the scope this provider always asks for.
     *
     * @return {@code "openid"}
     */
    protected String getDefaultScopes() {
        final String defaultScopes = SCOPE_OPENID;
        return defaultScopes;
    }

    /**
     * Creates the callback resource that receives the redirect from ESIA.
     *
     * @param realmModel             realm the login belongs to
     * @param authenticationCallback callback into the Keycloak broker
     * @param eventBuilder           event builder for the login
     * @return a new {@code Endpoint} bound to this provider
     */
    public Object callback(RealmModel realmModel, IdentityProvider.AuthenticationCallback authenticationCallback, EventBuilder eventBuilder) {
        final Endpoint endpoint = new Endpoint(authenticationCallback, realmModel, eventBuilder);
        return endpoint;
    }

    /**
     * Prepares a request to an ESIA REST URL by delegating to {@code buildUserInfoRequest}.
     *
     * @param str  first argument passed to {@code buildUserInfoRequest}; callers in this class pass the access token
     * @param str2 second argument passed to {@code buildUserInfoRequest}; callers in this class pass the URL
     * @return the prepared, not yet executed, request
     */
    public SimpleHttp fetchJson(String str, String str2) {
        final SimpleHttp request = buildUserInfoRequest(str, str2);
        return request;
    }

    /**
     * Finds which of the wanted scope names were granted.
     *
     * <p>A wanted name matches a granted entry when both are equal or when the granted entry is
     * the name followed by {@code ?} and parameters. A name is added once per matching granted
     * entry, so the result can contain duplicates.
     *
     * @param str  space-separated scope names the caller is interested in
     * @param str2 space-separated scopes granted by ESIA
     * @return the matching wanted names, in the order of the granted entries
     */
    protected String[] checkScopes(String str, String str2) {
        final String[] grantedEntries = str2.split(" ");
        final String[] wantedNames = str.split(" ");
        final ArrayList<String> matched = new ArrayList<>();
        for (String granted : grantedEntries) {
            for (String wanted : wantedNames) {
                boolean sameName = wanted.equals(granted);
                boolean parameterised = granted.startsWith(wanted + "?");
                if (sameName || parameterised) {
                    matched.add(wanted);
                }
            }
        }
        logger.debug("My Scopes is : " + matched.toString());
        return matched.toArray(new String[0]);
    }

    /**
     * Reads a user attribute stored by {@code setAttribute}.
     *
     * @param brokeredIdentityContext identity being built
     * @param str                     attribute name; upper-cased before use
     * @param str2                    attribute prefix; used as given
     * @return the attribute value as returned by the context
     */
    public String getAttribute(BrokeredIdentityContext brokeredIdentityContext, String str, String str2) {
        // NOTE(review): toUpperCase() follows the JVM default locale — confirm every host uses a
        // locale with ASCII case rules, otherwise attribute keys differ between hosts.
        final String attributeKey = str2 + str.toUpperCase();
        return brokeredIdentityContext.getUserAttribute(attributeKey);
    }

    /**
     * Stores a user attribute under {@code prefix + NAME}.
     *
     * @param brokeredIdentityContext identity being built
     * @param str                     attribute name; upper-cased before use
     * @param str2                    attribute value
     * @param str3                    attribute prefix; used as given
     */
    public void setAttribute(BrokeredIdentityContext brokeredIdentityContext, String str, String str2, String str3) {
        // NOTE(review): toUpperCase() follows the JVM default locale — confirm every host uses a
        // locale with ASCII case rules, otherwise attribute keys differ between hosts.
        final String attributeKey = str3 + str.toUpperCase();
        brokeredIdentityContext.setUserAttribute(attributeKey, str2);
    }

    /**
     * Builds an absolute ESIA URL from a path template.
     *
     * <p>The configured base URL and the template are concatenated and the result is used as a
     * {@code String.format} pattern, so the arguments are inserted without URL escaping.
     *
     * @param str    path template relative to the ESIA base URL
     * @param objArr values for the placeholders of the template
     * @return the formatted URL
     */
    String getUrl(String str, Object... objArr) {
        final String baseUrl = ((EsiaIdentityProviderConfig) getConfig()).getEsiaUrl();
        final String pattern = baseUrl + str;
        return String.format(pattern, objArr);
    }

    /**
     * Sets a synthetic e-mail address made of the digits of a phone number and a domain.
     *
     * <p>The domain is taken from the {@code ESIA_PHONE_DOMAIN} environment variable and falls
     * back to {@code ESIA_DEFAULT_PHONE_DOMAIN} when that is unset or empty.
     *
     * @param brokeredIdentityContext identity whose e-mail is set
     * @param str                     phone number in any notation
     */
    void setEmailFromPhone(BrokeredIdentityContext brokeredIdentityContext, String str) {
        final String digitsOnly = str.replaceAll("[^0-9]", "");
        final String configuredDomain = System.getenv("ESIA_PHONE_DOMAIN");
        final String domain = StringUtils.isNullOrEmpty(configuredDomain) ? ESIA_DEFAULT_PHONE_DOMAIN : configuredDomain;
        brokeredIdentityContext.setEmail(digitsOnly + "@" + domain);
    }

    /**
     * Points the schema URL of an Accept header at the configured ESIA installation.
     *
     * @param str Accept header value written against the ESIA test portal
     * @return the value with the test-portal base URL replaced by the configured base URL
     */
    String prepareAcceptHeader(String str) {
        final String testPortalBase = "https://esia-portal1.test.gosuslugi.ru";
        final String configuredBase = ((EsiaIdentityProviderConfig) getConfig()).getEsiaUrl();
        return str.replace(testPortalBase, configuredBase);
    }

    /**
     * Reads the eTag stored for an attribute.
     *
     * @param brokeredIdentityContext identity being built
     * @param str                     attribute name; upper-cased before use
     * @return the value stored under {@code esia._ETAG. + NAME}, as returned by the context
     */
    String getEtag(BrokeredIdentityContext brokeredIdentityContext, String str) {
        final String upperName = str.toUpperCase();
        logger.debug("Searching etag esia._ETAG." + upperName);
        return brokeredIdentityContext.getUserAttribute(ESIA_ETAG_PREFIX + upperName);
    }

    /**
     * Stores the eTag of an attribute; a missing or empty eTag is ignored.
     *
     * @param brokeredIdentityContext identity being built
     * @param str                     attribute name
     * @param str2                    eTag value, may be {@code null}
     */
    void setEtag(BrokeredIdentityContext brokeredIdentityContext, String str, String str2) {
        final boolean hasEtag = str2 != null && !str2.equals("");
        if (hasEtag) {
            setAttribute(brokeredIdentityContext, str, str2, ESIA_ETAG_PREFIX);
        }
    }

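    /**
     * Fetches one JSON document from ESIA and stores it, with its eTag, on the identity.
     *
     * <p>The request is executed once and the same response is used for the status, the
     * {@code Etag} header and the body. Calling {@code asResponse()} and {@code asJson()} on the
     * {@code SimpleHttp} builder separately, as the previous version did, sends the request again
     * on each call and leaves the earlier responses unclosed.
     *
     * <p>The body is stored as an attribute but not logged: these documents hold personal data
     * (names, document numbers, contacts).
     *
     * @param str                     access token passed on to {@code fetchJson(String, String)}
     * @param str2                    URL to fetch
     * @param brokeredIdentityContext identity that receives the attributes
     * @param str3                    name under which the document is stored ({@code esia._JSON.} prefix)
     * @param str4                    Accept header value, written against the test portal
     * @return the parsed body, or {@code null} when the status is 304, below 200, or 299 and above
     * @throws IOException if the request fails or the body cannot be read
     */
    private JsonNode fetchJson(String str, String str2, BrokeredIdentityContext brokeredIdentityContext, String str3, String str4) throws IOException {
        SimpleHttp request = fetchJson(str, str2).header(HEADER_ACCEPT, prepareAcceptHeader(str4));
        SimpleHttp.Response response = request.asResponse();
        try {
            int status = response.getStatus();
            logger.debug(String.format("Response http code is  %s", Integer.valueOf(status)));
            if (status == 304 || status >= 299 || status < 200) {
                return null;
            }
            try {
                String remoteEtag = response.getFirstHeader("Etag");
                logger.debug("Remote eTag is " + remoteEtag);
                setEtag(brokeredIdentityContext, "esia._JSON.".replace(ESIA_PREFIX, "") + str3, remoteEtag);
            } catch (Exception e) {
                // A missing eTag only means the document is refreshed on every login.
                logger.debug(e.getLocalizedMessage());
                logger.info(String.format("No etag for %s", str3));
            }
            JsonNode body = response.asJson();
            setAttribute(brokeredIdentityContext, str3, this.oM.writeValueAsString(body), "esia._JSON.");
            logger.debug(String.format("Response for %s stored", str3));
            return body;
        } finally {
            response.close();
        }
    }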

    /**
     * Builds the brokered identity for one ESIA subject by calling the ESIA REST endpoints that
     * the granted scopes allow.
     *
     * <p>Each section below is guarded by {@code checkScopes}; the 5-argument {@code fetchJson}
     * stores the raw document as an {@code esia._JSON.*} attribute, so sections with an empty
     * {@code if (jsonNode == null)} body do nothing beyond that storage.
     *
     * @param str  ESIA subject id; the caller reads it from the access-token payload
     * @param str2 access token used for the personal-data requests
     * @param str3 space-separated scopes granted by ESIA, as read from the access-token payload
     * @return the identity with its attributes set; its username is its e-mail address
     * @throws IOException if one of the requests outside a try block fails
     * @throws IllegalArgumentException if contacts were fetched but contain neither an e-mail nor a phone number
     */
    private BrokeredIdentityContext createBrokeredIdentityContext(String str, String str2, String str3) throws IOException {
        JsonNode fetchJson;
        BrokeredIdentityContext brokeredIdentityContext = new BrokeredIdentityContext(str);
        setAttribute(brokeredIdentityContext, "scopes", str3, ESIA_SERVICE_PREFIX);
        setAttribute(brokeredIdentityContext, "subject_id", str, ESIA_PREFIX);
        JsonNode jsonNode = null;
        // Person profile: names plus the listed fields, each stored with the profile's eTag.
        if (checkScopes("fullname birthdate gender birthplace snils inn", str3).length > 0) {
            jsonNode = fetchJson(str2, getUrl("/rs/prns/%s", str), brokeredIdentityContext, "PROFILE", "application/json; schema=\"https://esia-portal1.test.gosuslugi.ru/rs/model/prn/Person-1\"");
            if (jsonNode != null) {
                String jsonProperty = getJsonProperty(jsonNode, "eTag");
                brokeredIdentityContext.setLastName(getJsonProperty(jsonNode, ESIA_LAST_NAME));
                brokeredIdentityContext.setFirstName(getJsonProperty(jsonNode, ESIA_FIRST_NAME));
                for (String str4 : "snils inn gender birthDate middleName citizenship lastName firstName".split(" ")) {
                    setAttribute(brokeredIdentityContext, str4, getJsonProperty(jsonNode, str4), ESIA_PREFIX);
                    setEtag(brokeredIdentityContext, str4, jsonProperty);
                    // NOTE(review): writes personal data (SNILS, INN, names) to the debug log.
                    logger.debug(str4 + " = " + getJsonProperty(jsonNode, str4));
                }
            }
        }
        // Addresses: only the raw document is kept.
        if (checkScopes("id_doc contacts", str3).length > 0) {
            jsonNode = fetchJson(str2, getUrl("/esia-rs/api/public/v5/prns/%s?embed=(addresses.elements)", str), brokeredIdentityContext, "ADDRS", "application/json; schema=\"https://esia-portal1.test.gosuslugi.ru/rs/model/addrs/Addresses-1\"");
            if (jsonNode == null) {
            }
        }
        // Contacts: e-mail, mobile and phone; this section decides the identity's e-mail address.
        if (checkScopes("contacts email mobile", str3).length > 0) {
            jsonNode = fetchJson(str2, getUrl("/rs/prns/%s/ctts?embed=(elements)", str), brokeredIdentityContext, "CONTACTS", "application/json; schema=\"https://esia-portal1.test.gosuslugi.ru/rs/model/ctts/Contacts-1\"");
            if (jsonNode != null) {
                getJsonProperty(jsonNode, "eTag");
                // NOTE(review): get("elements") is dereferenced without a null check — confirm the
                // response always carries that field.
                jsonNode.get("elements").forEach(jsonNode2 -> {
                    String jsonProperty2 = getJsonProperty(jsonNode2, "type");
                    // Decompiled form of a switch on the contact type string ("EML", "MBT", "PHN").
                    // The selector is declared boolean by the decompiler, so this part does not
                    // compile as listed; the three cases of the second switch correspond to
                    // EML, MBT and PHN in that order.
                    boolean z = -1;
                    switch (jsonProperty2.hashCode()) {
                        case 68772:
                            if (jsonProperty2.equals("EML")) {
                                z = false;
                                break;
                            }
                            break;
                        case 76127:
                            if (jsonProperty2.equals("MBT")) {
                                z = true;
                                break;
                            }
                            break;
                        case 79190:
                            if (jsonProperty2.equals("PHN")) {
                                z = 2;
                                break;
                            }
                            break;
                    }
                    switch (z) {
                        case false:
                            brokeredIdentityContext.setEmail(getJsonProperty(jsonNode2, "value"));
                            setAttribute(brokeredIdentityContext, "email", getJsonProperty(jsonNode2, "value"), ESIA_PREFIX);
                            setEtag(brokeredIdentityContext, "email", getJsonProperty(jsonNode2, "eTag"));
                            return;
                        case true:
                            setAttribute(brokeredIdentityContext, "mobile", getJsonProperty(jsonNode2, "value"), ESIA_PREFIX);
                            setEtag(brokeredIdentityContext, "mobile", getJsonProperty(jsonNode2, "eTag"));
                            return;
                        case true:
                            setAttribute(brokeredIdentityContext, "phone", getJsonProperty(jsonNode2, "value"), ESIA_PREFIX);
                            setEtag(brokeredIdentityContext, "phone", getJsonProperty(jsonNode2, "eTag"));
                            return;
                        default:
                            return;
                    }
                });
                // No e-mail contact: synthesise an address from the mobile number, else from the
                // phone number, else fail the login.
                // NOTE(review): the synthetic address also becomes the username at the end of this
                // method — confirm nothing downstream treats it as a verified, deliverable e-mail.
                if (StringUtils.isNullOrEmpty(brokeredIdentityContext.getEmail())) {
                    if (!StringUtils.isNullOrEmpty(getAttribute(brokeredIdentityContext, "mobile", ESIA_PREFIX))) {
                        setEmailFromPhone(brokeredIdentityContext, getAttribute(brokeredIdentityContext, "mobile", ESIA_PREFIX));
                        logger.warn("User " + brokeredIdentityContext.getId() + " was identified with email " + brokeredIdentityContext.getEmail());
                    } else {
                        if (StringUtils.isNullOrEmpty(getAttribute(brokeredIdentityContext, "phone", ESIA_PREFIX))) {
                            throw new IllegalArgumentException(MessageUtils.email(PROVIDER_NAME));
                        }
                        setEmailFromPhone(brokeredIdentityContext, getAttribute(brokeredIdentityContext, "phone", ESIA_PREFIX));
                        logger.warn("User " + brokeredIdentityContext.getId() + " was identified with email " + brokeredIdentityContext.getEmail());
                    }
                }
                logger.debug("User " + brokeredIdentityContext.getId() + " was identified with email " + brokeredIdentityContext.getEmail());
                AbstractJsonUserAttributeMapper.storeUserProfileForMapper(brokeredIdentityContext, jsonNode, ((EsiaIdentityProviderConfig) getConfig()).getAlias());
            }
        }
        // Documents: only the Russian passport series and number are extracted into an attribute.
        if (checkScopes("docs id_doc medical_doc military_doc foreign_passport_doc drivers_licence_doc birth_cert_doc residence_doc temporary_residence_doc", str3).length > 0) {
            jsonNode = fetchJson(str2, getUrl("/rs/prns/%s/docs?embed=(elements)", str), brokeredIdentityContext, "DOCS", "application/json; schema=\"https://esia-portal1.test.gosuslugi.ru/rs/model/docs/Documents-1\"");
            if (jsonNode != null) {
                String jsonProperty2 = getJsonProperty(jsonNode, "eTag");
                jsonNode.get("elements").forEach(jsonNode3 -> {
                    if ("RF_PASSPORT".equals(getJsonProperty(jsonNode3, "type"))) {
                        setAttribute(brokeredIdentityContext, "rf_passport", String.format("%s %s", getJsonProperty(jsonNode3, "series"), getJsonProperty(jsonNode3, "number")), ESIA_PREFIX);
                        setEtag(brokeredIdentityContext, "rf_passport", jsonProperty2);
                    }
                });
            }
        }
        // Vehicles: only the raw document is kept.
        if (checkScopes("vehicles", str3).length > 0) {
            jsonNode = fetchJson(str2, getUrl("/rs/prns/%s/vhls?embed=(elements)", str), brokeredIdentityContext, "VEHICLES", "application/json; schema=\"https://esia-portal1.test.gosuslugi.ru/rs/model/vhls/Vehicles-1\"");
            if (jsonNode == null) {
            }
        }
        // Children: only the raw document is kept.
        if (checkScopes("kids kid_fullname kid_birthdate kid_gender kid_snils kid_inn kid_birth_cert_doc", str3).length > 0) {
            jsonNode = fetchJson(str2, getUrl("/rs/prns/%s/kids?embed=(elements)", str), brokeredIdentityContext, "KIDS", "application/json; schema=\"https://esia-portal1.test.gosuslugi.ru/rs/model/kids/Kids-1\"");
            if (jsonNode == null) {
            }
        }
        // Roles of the person in organisations: fetched through the 2-argument fetchJson, so no
        // status check or eTag handling applies; any failure is logged and ignored.
        if (checkScopes("usr_org", str3).length > 0) {
            try {
                jsonNode = fetchJson(str2, getUrl("/rs/prns/%s/roles?embed=(elements)", str)).header(HEADER_ACCEPT, prepareAcceptHeader("application/json; schema=\"https://esia-portal1.test.gosuslugi.ru/rs/model/roles/Roles-1\"")).asJson();
                setAttribute(brokeredIdentityContext, "ORG-ROLES", this.oM.writeValueAsString(jsonNode), "esia._JSON.");
            } catch (Exception e) {
                logger.warn("Person roles failed");
                // jsonNode still holds the result of an earlier section here, not the roles response.
                logger.debug(jsonNode);
            }
        }
        // Organisations: list them, obtain a second token for the organisation scopes, then fetch
        // every known organisation endpoint that the returned scopes allow.
        if (checkScopes("usr_org", str3).length > 0 && (fetchJson = fetchJson(str2, getUrl("/rs/prns/%s/orgs?embed=(elements)", str), brokeredIdentityContext, "ORGS", "application/json; schema=\"https://esia-portal1.test.gosuslugi.ru/rs/model/orgs/Organizations-1\"")) != null) {
            if (getJsonProperty(fetchJson, "error") != null) {
                logger.warn("Some error occured with user organizations");
                logger.debug(fetchJson);
            } else {
                String[] strArr = (String[]) fetchJson.findValuesAsText("oid").toArray(new String[0]);
                // The null half of this test looks like decompiler residue: toArray does not return null.
                if (strArr == null || strArr.length >= 1) {
                    OrgTools orgTools = new OrgTools();
                    String orgScopes = ((EsiaIdentityProviderConfig) getConfig()).getOrgScopes();
                    // NOTE(review): a null orgScopes takes this branch and is then split inside
                    // OrgTools.getOrgScopes; an empty string also passes because "".split(" ")
                    // has length 1 — confirm the intended condition against the original source.
                    if (orgScopes == null || orgScopes.split(" ").length >= 1) {
                        SimpleHttp generateOrgTokenRequest = orgTools.generateOrgTokenRequest(strArr, orgScopes);
                        // NOTE(review): asString() and asStatus() are separate calls on the request
                        // builder — confirm this does not send the token request twice.
                        String asString = generateOrgTokenRequest.asString();
                        if (generateOrgTokenRequest.asStatus() != 200) {
                            logger.warn("Invalid scopes for org scopes '" + orgScopes + "' and " + String.join(",", strArr));
                            logger.debug(asString);
                        } else {
                            String extractTokenFromResponse = extractTokenFromResponse(asString);
                            JsonNode parseAccessToken = parseAccessToken(asString);
                            if (getJsonProperty(parseAccessToken, "scope") == null) {
                                logger.warn("No scopes returned for us");
                                logger.debug(parseAccessToken);
                            } else {
                                String jsonProperty3 = getJsonProperty(parseAccessToken, "scope");
                                // The result of this comparison is discarded; the per-endpoint
                                // checkScope call below is what actually gates each request.
                                orgTools.checkOrgScopes(orgScopes, strArr, jsonProperty3);
                                logger.debug(jsonProperty3);
                                for (String str5 : strArr) {
                                    Iterator<OrgEndpoint> it = orgTools.getPaths().iterator();
                                    while (it.hasNext()) {
                                        OrgEndpoint next = it.next();
                                        if (next.checkScope(jsonProperty3, str5)) {
                                            String url = getUrl(next.path, str5);
                                            // Stored as esia._JSON.ORGS.<oid>.<type> (upper-cased by setAttribute).
                                            String format = String.format("%s.%s.%s", "ORGS", str5, next.type);
                                            try {
                                                JsonNode fetchJson2 = fetchJson(extractTokenFromResponse, url, brokeredIdentityContext, format, next.acceptHeader);
                                                if (fetchJson2 == null) {
                                                    logger.warn(format);
                                                    logger.warn(fetchJson2);
                                                }
                                            } catch (Exception e2) {
                                                // One failing organisation request does not abort the login.
                                                logger.warn("Org " + str5 + " request failed " + url);
                                                logger.warn(e2);
                                            }
                                        }
                                    }
                                }
                            }
                        }
                    } else {
                        logger.info("No org scopes defined in default scope");
                        logger.debug(orgScopes);
                    }
                } else {
                    logger.info("No orgs are there for user");
                    logger.debug(fetchJson);
                }
            }
        }
        // Avatar: stores the absolute URL of the square avatar; failures are logged and ignored.
        if (checkScopes("usr_avt", str3).length > 0) {
            try {
                JsonNode fetchJson3 = fetchJson(str2, getUrl("/esia-rs/api/public/v1/pso/%s/avt/%s", str, "square"), brokeredIdentityContext, "AVATAR", "application/json");
                if (fetchJson3 != null) {
                    String str6 = ((EsiaIdentityProviderConfig) getConfig()).getEsiaUrl() + getJsonProperty(fetchJson3, "url");
                    logger.info("Avatar was found in " + str6);
                    setAttribute(brokeredIdentityContext, "AVATAR.square", str6, ESIA_PREFIX);
                }
            } catch (Exception e3) {
                logger.warn("Avatar was not found - " + str);
                logger.debug(e3);
            }
        }
        // NOTE(review): the e-mail is only set in the contacts section; when no contacts scope was
        // granted the username set here is whatever getEmail() returns for an unset e-mail — confirm.
        brokeredIdentityContext.setUsername(brokeredIdentityContext.getEmail());
        return brokeredIdentityContext;
    }

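    /**
     * Decodes the payload (second dot-separated segment) of an access token into JSON.
     *
     * <p>The token is a bearer credential, so it is not written to the log. The payload bytes
     * are decoded as UTF-8 explicitly instead of with the platform default charset.
     *
     * <p>NOTE(review): the signature segment is not checked here. The claims can only be trusted
     * if every caller obtained the token directly from the ESIA token endpoint — confirm.
     *
     * @param str access token, or any text whose second dot-separated segment is base64url JSON
     * @return the parsed payload
     * @throws IOException if the payload is not valid JSON
     * @throws RuntimeException if the value has fewer than two segments
     * @throws IllegalArgumentException if the payload segment is not valid base64url
     */
    public JsonNode parseAccessToken(String str) throws IOException {
        final String[] segments = str.split("\\.");
        if (segments.length < 2) {
            throw new RuntimeException("Invalid AccessToken value.");
        }
        final byte[] payload = Base64.getUrlDecoder().decode(segments[1]);
        return new ObjectMapper().readTree(new String(payload, java.nio.charset.StandardCharsets.UTF_8));
    }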

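    /**
     * Copies the {@code esia.*} attributes of the brokered identity to the local user, skipping
     * every attribute whose stored eTag equals the freshly received one.
     *
     * <p>Attribute names reach this method upper-cased ({@code setAttribute} in this class
     * upper-cases them), so the first/last-name checks compare case-insensitively; an exact
     * comparison with {@code "esia.lastName"} never matches such a key and the user's name
     * would never be refreshed.
     *
     * @param keycloakSession         current Keycloak session (not used)
     * @param realmModel              realm of the user (not used)
     * @param userModel               local user to update
     * @param brokeredIdentityContext identity received from ESIA
     */
    public void updateBrokeredUser(KeycloakSession keycloakSession, RealmModel realmModel, UserModel userModel, BrokeredIdentityContext brokeredIdentityContext) {
        logger.debug("Called updateBrokeredUser with" + brokeredIdentityContext.getUsername());
        final String contextPrefix = "user.attributes.";
        brokeredIdentityContext.getContextData().keySet().stream()
                .filter(key -> key.startsWith("user.attributes.esia.") && !key.startsWith("user.attributes.esia._ETAG."))
                .forEach(key -> {
                    // The filter guarantees the prefix, so it can be cut off by length.
                    String attributeName = key.substring(contextPrefix.length());
                    String etagName = attributeName.replace(ESIA_PREFIX, ESIA_ETAG_PREFIX);
                    String storedEtag = userModel.getFirstAttribute(etagName);
                    String receivedEtag = brokeredIdentityContext.getUserAttribute(etagName);
                    if (receivedEtag != null && storedEtag != null && receivedEtag.equalsIgnoreCase(storedEtag)) {
                        logger.debug(String.format("Not updating %s - etag is the same %s", attributeName, storedEtag));
                        return;
                    }
                    logger.debug(String.format("Etag do not match for %s - %s - %s ", attributeName, storedEtag, receivedEtag));
                    userModel.setSingleAttribute(attributeName, brokeredIdentityContext.getUserAttribute(attributeName));
                    userModel.setSingleAttribute(etagName, receivedEtag);
                    if ("esia.lastName".equalsIgnoreCase(attributeName)) {
                        userModel.setLastName(brokeredIdentityContext.getLastName());
                    }
                    if ("esia.firstName".equalsIgnoreCase(attributeName)) {
                        userModel.setFirstName(brokeredIdentityContext.getFirstName());
                    }
                });
    }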

    /**
     * Turns an ESIA access token into a brokered identity.
     *
     * <p>The subject id ({@code urn:esia:sbj_id}) and the granted scopes are read from the token
     * payload and passed, with the token itself, to {@code createBrokeredIdentityContext}.
     *
     * <p>NOTE(review): the payload is used without a signature check, and both the claims and
     * the finished identity are written to the debug log — confirm the token always comes
     * straight from the ESIA token endpoint and that debug logging is off in production.
     *
     * @param str access token
     * @return the identity built from ESIA data
     * @throws RuntimeException wrapping an {@code IOException} from parsing or fetching
     */
    protected BrokeredIdentityContext doGetFederatedIdentity(String str) {
        try {
            final JsonNode claims = parseAccessToken(str);
            logger.debug("doGetFederatedIdentity - userInfo");
            logger.debug(claims.toString());
            final String subjectId = getJsonProperty(claims, ESIA_OID);
            logger.info("Returned scopes : " + getJsonProperty(claims, "scope"));
            final BrokeredIdentityContext identity = createBrokeredIdentityContext(subjectId, str, getJsonProperty(claims, "scope"));
            logger.debug("doGetFederatedIdentity - user");
            logger.debug(identity.toString());
            return identity;
        } catch (IOException failure) {
            logger.error("Unable to get esia user id" + failure.getMessage());
            throw new RuntimeException(failure);
        }
    }

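    /**
     * Extracts the {@code access_token} value from a token-endpoint response.
     *
     * <p>The response body is not logged: it contains the access token, which is a bearer
     * credential for the user's ESIA data.
     *
     * @param str raw body of the token-endpoint response
     * @return the value the two-argument overload returns for {@code "access_token"}
     */
    public String extractTokenFromResponse(String str) {
        return extractTokenFromResponse(str, "access_token");
    }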
}
