package io.helidon.security.providers.oidc.common;

import io.helidon.common.Base64Value;
import io.helidon.common.context.Context;
import io.helidon.common.context.Contexts;
import io.helidon.common.crypto.SymmetricCipher;
import io.helidon.common.reactive.Single;
import io.helidon.security.Security;
import io.helidon.security.spi.EncryptionProvider;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.FileAlreadyExistsException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardOpenOption;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;
import java.util.UUID;
import java.util.logging.Logger;

/* loaded from: input_file:io/helidon/security/providers/oidc/common/OidcEncryption.class */
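/**
 * Builds the {@link EncryptionProvider.EncryptionSupport} used by the OIDC provider.
 *
 * <p>Three modes are supported, selected by {@link #create(String, String, char[])}:
 * <ul>
 *   <li>name based: delegates to the {@link Security} instance found in the current or global
 *       {@link Context}, using the configured encryption name;</li>
 *   <li>password based: a {@link SymmetricCipher} created from the configured master password;</li>
 *   <li>nothing configured: a master password is generated once, stored in
 *       {@code .helidon-oidc-secret} in the working directory, and then read back on every start.</li>
 * </ul>
 */
final class OidcEncryption {
    private static final Logger LOGGER = Logger.getLogger(OidcEncryption.class.getName());

    /** File (relative to the working directory) that holds the generated master password. */
    private static final Path SECRET_FILE = Paths.get(".helidon-oidc-secret");

    /** Permissions applied to the generated secret file: owner read/write only. */
    private static final Set<PosixFilePermission> SECRET_FILE_PERMISSIONS =
            Set.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE);

    private OidcEncryption() {
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Creates the encryption support for the given configuration.
     *
     * <p>Exactly one of {@code encryptionName} and {@code encryptionPassword} may be provided. When
     * neither is provided a master password is generated (see {@link #generateMasterPassword()}),
     * which only works for instances sharing the same working directory.
     *
     * @param type               label used only in the exception message to identify what is being configured
     * @param encryptionName     name of the encryption configured in {@link Security}, or {@code null}
     * @param encryptionPassword master password for symmetric encryption, or {@code null}
     * @return the encryption support to use
     * @throws SecurityException if both a name and a password are configured, or if the generated
     *                           secret file cannot be created or read
     */
    public static EncryptionProvider.EncryptionSupport create(String type,
                                                              String encryptionName,
                                                              char[] encryptionPassword) {
        EncryptionProvider.EncryptionSupport nameBased = null;
        if (encryptionName != null) {
            nameBased = nameBasedCipher(encryptionName);
        }

        if (nameBased != null) {
            if (encryptionPassword != null) {
                throw new SecurityException("Cannot define both name based encryption and password based encryption for "
                                                    + type);
            }
            // The name based support is the result here. (The previous version built it and then
            // discarded it, handing a null password to the symmetric cipher instead.)
            return nameBased;
        }

        // no name based encryption: fall back to the configured password, or generate one
        char[] masterPassword = (encryptionPassword == null) ? generateMasterPassword() : encryptionPassword;
        return symmetricCipher(masterPassword);
    }

    /**
     * Encryption support backed by a {@link SymmetricCipher} derived from the master password.
     *
     * @param masterPassword password the cipher is created from
     * @return support that encrypts to a base64 string and decrypts from one
     */
    private static EncryptionProvider.EncryptionSupport symmetricCipher(char[] masterPassword) {
        SymmetricCipher cipher = SymmetricCipher.create(masterPassword);
        return EncryptionProvider.EncryptionSupport.create(
                plain -> Single.just(cipher.encrypt(Base64Value.create(plain)).toBase64()),
                encoded -> Single.just(cipher.decrypt(Base64Value.createFromEncoded(encoded)).toBytes()));
    }

    /**
     * Encryption support that delegates to the {@link Security} instance from the context.
     *
     * <p>The {@link Security} lookup happens on every encrypt/decrypt call, not when the support
     * is created, so the context must be populated by the time the support is first used.
     *
     * @param encryptionName name of the encryption configured in {@link Security}
     * @return support delegating to {@link Security#encrypt(String, byte[])}
     *         and {@link Security#decrypt(String, String)}
     */
    private static EncryptionProvider.EncryptionSupport nameBasedCipher(String encryptionName) {
        return EncryptionProvider.EncryptionSupport.create(
                plain -> securityFromContext().encrypt(encryptionName, plain),
                encoded -> securityFromContext().decrypt(encryptionName, encoded));
    }

    /**
     * Returns the generated master password, creating the secret file on first use.
     *
     * <p>The file is created with owner-only permissions where the file system supports POSIX
     * permissions; elsewhere it is created with default permissions and a warning is logged.
     * If another instance creates the file between the existence check and the creation, the
     * file written by that instance is read instead of failing.
     *
     * @return the characters stored in the secret file
     * @throws SecurityException if the file cannot be created or read
     */
    private static char[] generateMasterPassword() {
        Path path = SECRET_FILE;
        if (!Files.exists(path)) {
            try {
                createSecretFile(path);
            } catch (FileAlreadyExistsException e) {
                // lost the race with another instance sharing this directory; its secret is used
                LOGGER.fine("OIDC secret file " + path.toAbsolutePath()
                                    + " was created concurrently, reading existing file");
            } catch (IOException e) {
                throw new SecurityException("Failed to create OIDC secret " + path.toAbsolutePath(), e);
            }
        }
        try {
            return Files.readString(path, StandardCharsets.UTF_8).toCharArray();
        } catch (IOException e) {
            throw new SecurityException("Cannot read OIDC secret file: " + path.toAbsolutePath(), e);
        }
    }

    /**
     * Creates the secret file with restricted permissions and writes a fresh random password to it.
     *
     * @param path file to create; must not exist
     * @throws FileAlreadyExistsException if the file already exists
     * @throws IOException               if the file cannot be created or written
     */
    private static void createSecretFile(Path path) throws IOException {
        try {
            // apply the permissions at creation time, so the file is never readable by
            // others, not even between creation and a later permission change
            Files.createFile(path, PosixFilePermissions.asFileAttribute(SECRET_FILE_PERMISSIONS));
        } catch (UnsupportedOperationException e) {
            // file system without POSIX permissions (e.g. Windows): create with defaults
            Files.createFile(path);
            LOGGER.warning("Could not restrict permissions of OIDC secret file " + path.toAbsolutePath()
                                   + ", the file system does not support POSIX permissions");
        }
        try {
            Files.writeString(path, UUID.randomUUID().toString(), StandardCharsets.UTF_8, StandardOpenOption.WRITE);
        } catch (IOException e) {
            // do not leave an empty secret file behind, it would be read as an empty password next time
            Files.deleteIfExists(path);
            throw e;
        }
        LOGGER.warning("OIDC requires encryption configuration which was not provided. We will generate a password that will only work for the current service instance. To disable encryption, use cookie-encryption-enabled: false configuration, to configure master password, use cookie-encryption-password: my-master-password (must be configured to same value on all instances that share the cookie), to configure encryption using security (support for vaults), use cookie-encryption-name: name (must have corresponding encryption provider and configuration with the provided name in security), this also requires Security to be registered with current or global Context (this works automatically in Helidon MP). This message is logged just once, before generating the master password");
    }

    /**
     * Looks up {@link Security} in the current context, falling back to the global context.
     *
     * @return the registered {@link Security} instance
     * @throws SecurityException if no {@link Security} is registered in either context
     */
    private static Security securityFromContext() {
        Context context = Contexts.context().orElseGet(Contexts::globalContext);
        return context.get(Security.class)
                .orElseThrow(() -> new SecurityException(
                        "When using encryption configuration name for OIDC, Security must be registered with current or global context"));
    }
}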
