package org.keycloak.quarkus.runtime.configuration.mappers;

import java.net.MalformedURLException;
import java.net.URL;
import java.util.Arrays;
import java.util.List;
import java.util.Objects;
import java.util.function.Consumer;
import java.util.stream.Stream;
import org.keycloak.common.Profile;
import org.keycloak.config.HostnameV2Options;
import org.keycloak.config.Option;
import org.keycloak.config.ProxyOptions;
import org.keycloak.quarkus.runtime.Environment;
import org.keycloak.quarkus.runtime.cli.Picocli;
import org.keycloak.quarkus.runtime.configuration.Configuration;
import org.keycloak.quarkus.runtime.configuration.mappers.PropertyMapper;
import org.keycloak.utils.SecureContextResolver;

/* loaded from: input_file:org/keycloak/quarkus/runtime/configuration/mappers/HostnameV2PropertyMappers.class */
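/**
 * Property mappers and start-up validation for the hostname v2 options.
 *
 * <p>{@link #getHostnamePropertyMappers()} exposes the {@code hostname*} options to the CLI / config
 * layer; {@link #validateConfig(Consumer)} reports leftover hostname v1 options and hostname / proxy
 * combinations that leave the server in an insecure context. All findings are warnings delivered to
 * the supplied consumer; nothing here fails start-up.
 */
public final class HostnameV2PropertyMappers {

    /** Common tail of the "insecure context" warnings; kept in one place so all messages read the same. */
    private static final String CONTEXT_WARNING = "the server is running in an insecure context. Secure contexts are required for full functionality, including cross-origin cookies.";

    /** Hint appended to the warnings emitted when {@code proxy-headers} is unset in production. */
    private static final String PROXY_HINT = " Also if you are using a proxy, requests from the proxy to the server will fail CORS checks with 403s because the wrong origin will be determined. Make sure `proxy-headers` are configured properly.";

    /** Hostname v1 options that are no longer honoured; their presence is reported by {@link #validateConfig(Consumer)}. */
    private static final List<String> REMOVED_OPTIONS = List.of(
            "hostname-admin-url",
            "hostname-path",
            "hostname-port",
            "hostname-strict-backchannel",
            "hostname-url",
            "proxy",
            "hostname-strict-https");

    private HostnameV2PropertyMappers() {
        // static utility class
    }

    /**
     * Builds the property mappers for the hostname v2 options.
     *
     * <p>Every mapper is gated on the {@code hostname:v2} feature, so the options are only recognised
     * while that feature is enabled.
     *
     * @return the mappers for {@code hostname}, {@code hostname-admin}, {@code hostname-backchannel-dynamic},
     *         {@code hostname-strict} and {@code hostname-debug}
     */
    public static PropertyMapper<?>[] getHostnamePropertyMappers() {
        return Stream.<PropertyMapper.Builder<?>>of(
                        PropertyMapper.fromOption(HostnameV2Options.HOSTNAME)
                                .to("kc.spi-hostname--v2--hostname")
                                .paramLabel("hostname|URL"),
                        PropertyMapper.fromOption(HostnameV2Options.HOSTNAME_ADMIN)
                                .to("kc.spi-hostname--v2--hostname-admin")
                                .paramLabel("URL"),
                        PropertyMapper.fromOption(HostnameV2Options.HOSTNAME_BACKCHANNEL_DYNAMIC)
                                .to("kc.spi-hostname--v2--hostname-backchannel-dynamic"),
                        PropertyMapper.fromOption(HostnameV2Options.HOSTNAME_STRICT)
                                .to("kc.spi-hostname--v2--hostname-strict"),
                        // hostname-debug has no SPI property behind it; it is only a CLI/config switch here
                        PropertyMapper.fromOption(HostnameV2Options.HOSTNAME_DEBUG))
                .map(builder -> builder
                        .isEnabled(() -> Profile.isFeatureEnabled(Profile.Feature.HOSTNAME_V2), "hostname:v2 feature is enabled")
                        .build())
                .toArray(size -> new PropertyMapper<?>[size]);
    }

    /**
     * Validates the hostname configuration and reports findings through {@link Picocli#warn(String)}.
     *
     * @param picocli the CLI front end that receives the warnings
     * @throws NullPointerException if {@code picocli} is {@code null}
     */
    public static void validateConfig(Picocli picocli) {
        Objects.requireNonNull(picocli, "picocli");
        validateConfig(picocli::warn);
    }

    /**
     * Validates the hostname configuration and reports findings to {@code consumer}.
     *
     * <p>Reported conditions, in order:
     * <ol>
     *   <li>hostname v1 options that are still set but no longer have any effect;</li>
     *   <li>for a {@code hostname} given as a full URL, the scheme / HTTPS / {@code proxy-headers}
     *       mismatches checked by {@link #validateFullHostname};</li>
     *   <li>otherwise, in the production profile with HTTPS disabled and {@code proxy-headers} unset,
     *       a missing or non-local plain {@code hostname}, which leaves the server in an insecure context.</li>
     * </ol>
     * Each condition is a warning only; this method never throws on a misconfiguration.
     *
     * @param consumer receives one message per finding
     */
    public static void validateConfig(Consumer<String> consumer) {
        List<String> inUse = REMOVED_OPTIONS.stream()
                .filter(option -> Configuration.getOptionalKcValue(option).isPresent())
                .toList();
        if (!inUse.isEmpty()) {
            consumer.accept("Hostname v1 options %s are still in use, please review your configuration".formatted(inUse));
        }

        boolean isProd = Environment.PROD_PROFILE_VALUE.equals(org.keycloak.common.util.Environment.getProfile());
        boolean isHttpsEnabled = HttpPropertyMappers.isHttpsEnabled();
        String hostname = Configuration.getConfigValue(HostnameV2Options.HOSTNAME).getValue();
        String proxyHeaders = Configuration.getConfigValue(ProxyOptions.PROXY_HEADERS).getValue();

        // A hostname that parses as a URL is fully handled (including its own warnings) by validateFullHostname.
        if (hostname != null && validateFullHostname(isHttpsEnabled, isProd, hostname, proxyHeaders, consumer)) {
            return;
        }

        // The remaining checks only matter when nothing in front of or on the server provides a secure context.
        if (isHttpsEnabled || proxyHeaders != null || !isProd) {
            return;
        }

        if (hostname == null) {
            // no hostname in production implies hostname-strict=false, otherwise start-up would have required one
            consumer.accept("With HTTPS not enabled, `proxy-headers` unset, and `hostname-strict=false`, " + CONTEXT_WARNING + PROXY_HINT);
        } else if (!SecureContextResolver.isLocal(hostname)) {
            // a plain (non-URL) hostname that is not local cannot be treated as a secure context over HTTP
            consumer.accept("Likely misconfiguration detected. With HTTPS not enabled, `proxy-headers` unset, and a non-URL `hostname`, " + CONTEXT_WARNING + PROXY_HINT);
        }
    }

    /**
     * Checks a {@code hostname} that is expected to be a full URL.
     *
     * <p>Any value that parses as a URL is accepted; problems are reported to {@code consumer} as warnings:
     * an {@code https} URL with neither HTTPS nor {@code proxy-headers} configured (edge proxy without
     * forwarded headers), and in production an {@code http} URL whose host is not local, or an {@code http}
     * URL while HTTPS is enabled on the server.
     *
     * @param httpsEnabled whether the server itself listens on HTTPS
     * @param prod         whether the production profile is active
     * @param hostname     the configured {@code hostname} value; must not be {@code null}
     * @param proxyHeaders the configured {@code proxy-headers} value, or {@code null} when unset
     * @param consumer     receives one message per finding
     * @return {@code true} if {@code hostname} parsed as a URL (all checks were applied),
     *         {@code false} if it is not a URL so the caller applies the plain-hostname checks instead
     */
    static boolean validateFullHostname(boolean httpsEnabled, boolean prod, String hostname, String proxyHeaders, Consumer<String> consumer) {
        URL url;
        try {
            // java.net.URL is kept (rather than URI) so that "not a URL" is signalled only by MalformedURLException
            url = new URL(hostname);
        } catch (MalformedURLException e) {
            return false;
        }

        // scheme comparison is case-insensitive and locale-independent
        if ("https".equalsIgnoreCase(url.getProtocol())) {
            if (proxyHeaders == null && !httpsEnabled) {
                // HTTPS hostname but plain HTTP listener: TLS must be terminated by a proxy, which needs forwarded headers
                consumer.accept("Likely misconfiguration detected. When using an edge proxy, you must use `proxy-headers`.");
            }
            return true;
        }

        // http:// hostnames are only questioned in the production profile
        if (!prod) {
            return true;
        }
        if (!SecureContextResolver.isLocal(url.getHost())) {
            consumer.accept("Likely misconfiguration detected. `hostname` is configured to use HTTP instead of HTTPS, " + CONTEXT_WARNING);
        }
        if (httpsEnabled) {
            consumer.accept("Likely misconfiguration detected. HTTPS is enabled on the server, but `hostname` specifies HTTP.");
        }
        return true;
    }
}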
