package fish.payara.security.openid.controller;

import com.nimbusds.jose.Algorithm;
import com.nimbusds.jose.EncryptionMethod;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.source.ImmutableSecret;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.jwk.source.RemoteJWKSet;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jose.proc.JWEDecryptionKeySelector;
import com.nimbusds.jose.proc.JWEKeySelector;
import com.nimbusds.jose.proc.JWSKeySelector;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jose.util.DefaultResourceRetriever;
import com.nimbusds.jwt.EncryptedJWT;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.PlainJWT;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import com.nimbusds.jwt.proc.JWTClaimsSetVerifier;
import fish.payara.security.openid.OpenIdUtil;
import fish.payara.security.openid.api.IdentityToken;
import fish.payara.security.openid.api.OpenIdConstant;
import fish.payara.security.openid.api.RefreshToken;
import fish.payara.security.openid.domain.AccessTokenImpl;
import fish.payara.security.openid.domain.IdentityTokenImpl;
import fish.payara.security.openid.domain.OpenIdConfiguration;
import java.nio.charset.StandardCharsets;
import java.text.ParseException;
import java.util.Collections;
import java.util.Map;
import java.util.Objects;
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import javax.security.enterprise.authentication.mechanism.http.HttpMessageContext;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.client.ClientBuilder;
import javax.ws.rs.client.Entity;
import javax.ws.rs.core.Form;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

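@ApplicationScoped
public class TokenController {

    @Inject
    private NonceController nonceController;

    /**
     * Exchanges the authorization code carried by the callback request for tokens at the
     * provider's token endpoint ({@code grant_type=authorization_code}).
     * <p>
     * The client authenticates with {@code client_id}/{@code client_secret} in the form body;
     * the {@code code} and {@code redirect_uri} values are derived from the callback request.
     *
     * @param openIdConfiguration client configuration (client credentials, provider metadata)
     * @param httpServletRequest  the callback request carrying the {@code code} parameter
     * @return the raw token-endpoint response; the caller owns it and reads its entity
     * @throws IllegalStateException if no client secret is configured
     */
    public Response getTokens(OpenIdConfiguration openIdConfiguration, HttpServletRequest httpServletRequest) {
        Form form = new Form()
                .param(OpenIdConstant.CLIENT_ID, openIdConfiguration.getClientId())
                .param(OpenIdConstant.CLIENT_SECRET, secretAsString(openIdConfiguration))
                .param(OpenIdConstant.GRANT_TYPE, OpenIdConstant.AUTHORIZATION_CODE)
                .param("code", httpServletRequest.getParameter("code"))
                .param(OpenIdConstant.REDIRECT_URI, openIdConfiguration.buildRedirectURI(httpServletRequest));
        return postToTokenEndpoint(openIdConfiguration, form);
    }

    /**
     * Verifies the ID token obtained from the token endpoint and returns its claims.
     * <p>
     * When the configuration enables nonces, the nonce stored for this exchange is hashed
     * and handed to the claims verifier; the stored nonce is removed afterwards whether or
     * not verification succeeded, so it can only be used once.
     *
     * @param identityTokenImpl   the ID token wrapper holding the parsed JWT
     * @param httpMessageContext  the current authentication context (nonce storage)
     * @param openIdConfiguration client configuration
     * @return the verified claims of the ID token
     * @throws IllegalStateException if the token cannot be verified or the JWS/JWE
     *                               configuration is unsupported
     */
    public Map<String, Object> validateIdToken(IdentityTokenImpl identityTokenImpl, HttpMessageContext httpMessageContext, OpenIdConfiguration openIdConfiguration) {
        String expectedNonceHash = null;
        if (openIdConfiguration.isUseNonce()) {
            expectedNonceHash = nonceController.getNonceHash(nonceController.get(openIdConfiguration, httpMessageContext));
        }
        try {
            JWTClaimsSet claims = validateBearerToken(identityTokenImpl.getTokenJWT(),
                    new IdTokenClaimsSetVerifier(expectedNonceHash, openIdConfiguration), openIdConfiguration);
            return claims.getClaims();
        } finally {
            // the nonce is single-use: drop it on success and on failure alike
            nonceController.remove(openIdConfiguration, httpMessageContext);
        }
    }

    /**
     * Verifies an ID token returned by a refresh-token exchange against the previously
     * validated ID token and returns its claims.
     *
     * @param identityToken       the previously validated ID token
     * @param identityTokenImpl   the refreshed ID token wrapper holding the parsed JWT
     * @param httpMessageContext  the current authentication context (unused here)
     * @param openIdConfiguration client configuration
     * @return the verified claims of the refreshed ID token
     * @throws IllegalStateException if the token cannot be verified or the JWS/JWE
     *                               configuration is unsupported
     */
    public Map<String, Object> validateRefreshedIdToken(IdentityToken identityToken, IdentityTokenImpl identityTokenImpl, HttpMessageContext httpMessageContext, OpenIdConfiguration openIdConfiguration) {
        JWTClaimsSet claims = validateBearerToken(identityTokenImpl.getTokenJWT(),
                new RefreshedIdTokenClaimsSetVerifier(identityToken, openIdConfiguration), openIdConfiguration);
        return claims.getClaims();
    }

    /**
     * Validates the access token via {@link AccessTokenClaimsSetVerifier}; validation failure
     * surfaces as an exception from the verifier.
     *
     * @param accessTokenImpl     the access token to validate
     * @param algorithm           the signing algorithm of the ID token
     * @param map                 claims the access token is checked against (presumably the
     *                            ID-token claims — confirm in AccessTokenClaimsSetVerifier)
     * @param openIdConfiguration client configuration
     * @return always an empty, immutable map; this method carries no claims of its own
     */
    public Map<String, Object> validateAccessToken(AccessTokenImpl accessTokenImpl, Algorithm algorithm, Map<String, Object> map, OpenIdConfiguration openIdConfiguration) {
        new AccessTokenClaimsSetVerifier(accessTokenImpl, algorithm, map, openIdConfiguration).validateAccessToken();
        return Collections.emptyMap();
    }

    /**
     * Requests a fresh token set from the token endpoint ({@code grant_type=refresh_token}).
     *
     * @param openIdConfiguration client configuration (client credentials, provider metadata)
     * @param refreshToken        the refresh token to present
     * @return the raw token-endpoint response; the caller owns it and reads its entity
     * @throws IllegalStateException if no client secret is configured
     */
    public Response refreshTokens(OpenIdConfiguration openIdConfiguration, RefreshToken refreshToken) {
        Form form = new Form()
                .param(OpenIdConstant.CLIENT_ID, openIdConfiguration.getClientId())
                .param(OpenIdConstant.CLIENT_SECRET, secretAsString(openIdConfiguration))
                .param(OpenIdConstant.GRANT_TYPE, OpenIdConstant.REFRESH_TOKEN)
                .param(OpenIdConstant.REFRESH_TOKEN, refreshToken.getToken());
        return postToTokenEndpoint(openIdConfiguration, form);
    }

    /**
     * Posts a form to the provider's token endpoint, accepting a JSON response.
     * <p>
     * NOTE(review): the JAX-RS Client created here is never closed. The caller owns the
     * returned Response (and its still-unread entity), so closing the client here would
     * invalidate it; a shared, application-scoped Client would avoid creating one per call.
     */
    private static Response postToTokenEndpoint(OpenIdConfiguration openIdConfiguration, Form form) {
        return ClientBuilder.newClient()
                .target(openIdConfiguration.getProviderMetadata().getTokenEndpoint())
                .request()
                .accept(MediaType.APPLICATION_JSON)
                .post(Entity.form(form));
    }

    /**
     * Materialises the configured client secret as a String (form parameter / HMAC key).
     * The {@code char[]} to {@code String} copy is immutable and cannot be zeroed; the
     * Form and ImmutableSecret APIs used here require it.
     *
     * @throws IllegalStateException if no client secret is configured
     */
    private static String secretAsString(OpenIdConfiguration openIdConfiguration) {
        char[] secret = openIdConfiguration.getClientSecret();
        if (Objects.isNull(secret)) {
            throw new IllegalStateException("Missing client secret");
        }
        return new String(secret);
    }

    /**
     * Verifies a JWT according to its type and returns its claims.
     * <ul>
     *   <li>{@link PlainJWT}: the claims are handed to the verifier without any signature check.</li>
     *   <li>{@link SignedJWT}: signature and claims are verified by a {@link DefaultJWTProcessor}
     *       whose key selector is chosen from the header's {@code alg}.</li>
     *   <li>{@link EncryptedJWT}: the processor additionally gets a JWE key selector built from the
     *       encryption metadata.</li>
     * </ul>
     *
     * @param jwt                 the token to verify
     * @param claimsVerifier      the claims verifier for this token kind
     * @param openIdConfiguration client configuration
     * @return the verified claims
     * @throws IllegalStateException on any JOSE/parse failure, for an unsupported JWT type, or
     *                               for an unsupported algorithm
     */
    private JWTClaimsSet validateBearerToken(JWT jwt, JWTClaimsSetVerifier claimsVerifier, OpenIdConfiguration openIdConfiguration) {
        try {
            if (jwt instanceof PlainJWT) {
                // NOTE(review): an unsigned token (alg=none) is accepted here with claims
                // verification only. OIDC Core requires ID tokens to be signed; consider
                // rejecting PlainJWT unless a deployment explicitly opts in.
                JWTClaimsSet claims = ((PlainJWT) jwt).getJWTClaimsSet();
                claimsVerifier.verify(claims, null);
                return claims;
            }
            if (jwt instanceof SignedJWT) {
                SignedJWT signedJWT = (SignedJWT) jwt;
                Algorithm headerAlgorithm = signedJWT.getHeader().getAlgorithm();
                String algorithmName = headerAlgorithm == null ? null : headerAlgorithm.getName();
                if (algorithmName == null) {
                    algorithmName = OpenIdUtil.DEFAULT_JWT_SIGNED_ALGORITHM;
                }
                DefaultJWTProcessor<SecurityContext> processor = newProcessor(claimsVerifier);
                processor.setJWSKeySelector(getJWSKeySelector(openIdConfiguration, algorithmName));
                return processor.process(signedJWT, null);
            }
            if (jwt instanceof EncryptedJWT) {
                EncryptedJWT encryptedJWT = (EncryptedJWT) jwt;
                // NOTE(review): this is the key-management algorithm of the outer JWE header,
                // but getJWSKeySelector expects a JWS (signature) algorithm — for a nested
                // signed JWT the inner header's alg is what the selector needs. Confirm
                // against the encrypted-ID-token flow before relying on this path.
                String algorithmName = encryptedJWT.getHeader().getAlgorithm().getName();
                DefaultJWTProcessor<SecurityContext> processor = newProcessor(claimsVerifier);
                processor.setJWSKeySelector(getJWSKeySelector(openIdConfiguration, algorithmName));
                processor.setJWEKeySelector(getJWEKeySelector(openIdConfiguration));
                return processor.process(encryptedJWT, null);
            }
            throw new IllegalStateException("Unexpected JWT type : " + jwt.getClass());
        } catch (JOSEException | BadJOSEException | ParseException e) {
            throw new IllegalStateException(e);
        }
    }

    /**
     * Builds a processor wired with the given claims verifier; key selectors are added by the
     * caller per token type.
     */
    @SuppressWarnings("unchecked") // the verifier parameter is raw, matching the callers in this class
    private static DefaultJWTProcessor<SecurityContext> newProcessor(JWTClaimsSetVerifier claimsVerifier) {
        DefaultJWTProcessor<SecurityContext> processor = new DefaultJWTProcessor<>();
        processor.setJWTClaimsSetVerifier(claimsVerifier);
        return processor;
    }

    /**
     * Chooses the verification key source for a JWS algorithm: the provider's JWKS endpoint for
     * RSA/EC families, the shared client secret for HMAC-SHA.
     *
     * @param openIdConfiguration client configuration
     * @param algorithmName       the {@code alg} header value
     * @return a key selector bound to exactly that algorithm
     * @throws IllegalStateException for {@code none}, for an algorithm outside the RSA/EC/HMAC-SHA
     *                               families, or when the client secret is missing
     */
    private JWSKeySelector<SecurityContext> getJWSKeySelector(OpenIdConfiguration openIdConfiguration, String algorithmName) {
        JWSAlgorithm jwsAlgorithm = new JWSAlgorithm(algorithmName);
        if (Algorithm.NONE.equals(jwsAlgorithm)) {
            // "none" must never reach a verifier: it would accept unsigned tokens
            throw new IllegalStateException("Unsupported JWS algorithm : " + jwsAlgorithm);
        }
        JWKSource<SecurityContext> keySource;
        if (JWSAlgorithm.Family.RSA.contains(jwsAlgorithm) || JWSAlgorithm.Family.EC.contains(jwsAlgorithm)) {
            // asymmetric: public keys are fetched from the provider's JWKS URL with bounded
            // connect/read timeouts and the library's default response size limit
            keySource = new RemoteJWKSet<>(openIdConfiguration.getProviderMetadata().getJwksURL(),
                    new DefaultResourceRetriever(openIdConfiguration.getJwksConnectTimeout(),
                            openIdConfiguration.getJwksReadTimeout(), RemoteJWKSet.DEFAULT_HTTP_SIZE_LIMIT));
        } else if (JWSAlgorithm.Family.HMAC_SHA.contains(jwsAlgorithm)) {
            // symmetric: the UTF-8 bytes of the client secret are the MAC key
            keySource = new ImmutableSecret<>(secretAsString(openIdConfiguration).getBytes(StandardCharsets.UTF_8));
        } else {
            throw new IllegalStateException("Unsupported JWS algorithm : " + jwsAlgorithm);
        }
        return new JWSVerificationKeySelector<>(jwsAlgorithm, keySource);
    }

    /**
     * Builds the JWE decryption key selector from the configured encryption metadata, after
     * checking that the provider advertises both the algorithm and the encryption method for
     * ID tokens.
     *
     * @param openIdConfiguration client configuration
     * @return a decryption key selector over the configured private key source
     * @throws IllegalStateException if the algorithm or method is missing, or the provider does
     *                               not support it
     */
    private JWEKeySelector<SecurityContext> getJWEKeySelector(OpenIdConfiguration openIdConfiguration) {
        JWEAlgorithm encryptionAlgorithm = openIdConfiguration.getEncryptionMetadata().getEncryptionAlgorithm();
        EncryptionMethod encryptionMethod = openIdConfiguration.getEncryptionMetadata().getEncryptionMethod();
        JWKSource<SecurityContext> privateKeySource = openIdConfiguration.getEncryptionMetadata().getPrivateKeySource();
        if (Objects.isNull(encryptionAlgorithm)) {
            throw new IllegalStateException("Missing JWE encryption algorithm ");
        }
        if (!openIdConfiguration.getProviderMetadata().getIdTokenEncryptionAlgorithmsSupported().contains(encryptionAlgorithm.getName())) {
            throw new IllegalStateException("Unsupported ID tokens algorithm :" + encryptionAlgorithm.getName());
        }
        if (Objects.isNull(encryptionMethod)) {
            throw new IllegalStateException("Missing JWE encryption method");
        }
        if (!openIdConfiguration.getProviderMetadata().getIdTokenEncryptionMethodsSupported().contains(encryptionMethod.getName())) {
            throw new IllegalStateException("Unsupported ID tokens encryption method :" + encryptionMethod.getName());
        }
        return new JWEDecryptionKeySelector<>(encryptionAlgorithm, encryptionMethod, privateKeySource);
    }
}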
