package io.helidon.security.providers.oidc.common;

import io.helidon.common.Errors;
import io.helidon.common.configurable.Resource;
import io.helidon.config.Config;
import io.helidon.security.jwt.jwk.JwkKeys;
import io.helidon.security.util.TokenHandler;
import java.io.InputStream;
import java.net.URI;
import java.util.Collections;
import java.util.logging.Logger;
import javax.json.Json;
import javax.json.JsonObject;
import javax.json.JsonReaderFactory;
import javax.ws.rs.client.Client;
import javax.ws.rs.client.ClientBuilder;
import javax.ws.rs.client.WebTarget;
import org.glassfish.jersey.client.authentication.HttpAuthenticationFeature;

/* loaded from: input_file:io/helidon/security/providers/oidc/common/OidcConfig.class */
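/**
 * Immutable configuration of the OIDC security provider.
 *
 * <p>It carries the identity-server endpoints (token, authorization and either JWK or
 * introspection), the client credentials used for those calls, how the token is
 * transported (cookie, header, query parameter) and how redirects to the identity
 * server are performed. Instances are created through {@link #builder()} or
 * {@link #create(Config)}; building resolves every endpoint either from explicit
 * configuration or from the identity server's OIDC well-known metadata.
 *
 * <p>Note that the session cookie is written without the {@code Secure} attribute unless
 * {@code cookie-secure} is enabled ({@link #DEFAULT_COOKIE_SECURE} is {@code false});
 * deployments that serve over TLS should set it so the cookie is never sent in clear text.
 */
public final class OidcConfig {
    /** Header parameter name constant ({@code X_OIDC_TOKEN_HEADER}); not read within this class. */
    public static final String PARAM_HEADER_NAME = "X_OIDC_TOKEN_HEADER";
    private static final Logger LOGGER = Logger.getLogger(OidcConfig.class.getName());
    // Shared, configuration-free reader factory used to parse OIDC metadata documents.
    private static final JsonReaderFactory JSON = Json.createReaderFactory(Collections.emptyMap());
    // Defaults; each one is overridable through the Builder / config keys listed in Builder#config.
    static final int DEFAULT_PROXY_PORT = 80;
    static final String DEFAULT_OIDC_METADATA_URI = "/.well-known/openid-configuration";
    static final String DEFAULT_REDIRECT_URI = "/oidc/redirect";
    static final String DEFAULT_COOKIE_NAME = "JSESSIONID";
    static final boolean DEFAULT_COOKIE_USE = true;
    static final String DEFAULT_COOKIE_PATH = "/";
    static final boolean DEFAULT_COOKIE_HTTP_ONLY = true;
    // Secure flag is off by default: the cookie is sent on plain HTTP unless cookie-secure is set.
    static final boolean DEFAULT_COOKIE_SECURE = false;
    static final String DEFAULT_COOKIE_SAME_SITE = "Lax";
    static final String DEFAULT_PARAM_NAME = "accessToken";
    static final boolean DEFAULT_PARAM_USE = false;
    static final boolean DEFAULT_HEADER_USE = false;
    static final String DEFAULT_PROXY_PROTOCOL = "http";
    static final String DEFAULT_BASE_SCOPES = "openid";
    static final boolean DEFAULT_JWT_VALIDATE_JWK = true;
    static final boolean DEFAULT_REDIRECT = true;
    static final String DEFAULT_REALM = "helidon";
    static final String DEFAULT_ATTEMPT_PARAM = "h_ra";
    static final int DEFAULT_MAX_REDIRECTS = 5;

    private final String redirectUri;
    private final boolean useCookie;
    private final String cookieName;
    // Pre-rendered cookie attributes (";Path=...;HttpOnly;..."), see cookieOptions(Builder).
    private final String cookieOptions;
    private final boolean useParam;
    private final String paramName;
    private final URI identityUri;
    // Target built on appClient, i.e. it carries the client-id/client-secret basic auth.
    private final WebTarget tokenEndpoint;
    private final String cookieValuePrefix;
    private final String scopeAudience;
    private final String redirectUriWithHost;
    private final boolean useHeader;
    private final TokenHandler headerHandler;
    private final String authorizationEndpointUri;
    private final String clientId;
    private final JwkKeys signJwk;
    private final String baseScopes;
    private final boolean validateJwtWithJwk;
    // null whenever validateJwtWithJwk is true.
    private final WebTarget introspectEndpoint;
    private final String issuer;
    private final String audience;
    private final Client appClient;
    private final Client generalClient;
    private final boolean redirect;
    private final String realm;
    private final String redirectAttemptParam;
    private final int maxRedirects;

    /**
     * Fluent builder for {@link OidcConfig}.
     *
     * <p>{@code client-id}, {@code client-secret} and {@code identity-uri} are mandatory. Every
     * endpoint that is not set explicitly is taken from the OIDC metadata, which is loaded from
     * {@code identity-uri + /.well-known/openid-configuration} unless supplied or disabled.
     */
    public static class Builder implements io.helidon.common.Builder<OidcConfig> {
        private static final String DEFAULT_SERVER_TYPE = "@default";
        private String issuer;
        private String audience;
        private String proxyUri;
        private URI identityUri;
        private String clientId;
        private String clientSecret;
        private String cookieDomain;
        private Long cookieMaxAge;
        private String proxyHost;
        private String scopeAudience;
        private JsonObject oidcMetadata;
        private String frontendUri;
        private URI tokenEndpointUri;
        private URI authorizationEndpointUri;
        private JwkKeys signJwk;
        private URI introspectUri;
        private String serverType;
        private Client generalClient;
        private WebTarget tokenEndpoint;
        private Client appClient;
        private String baseScopes = OidcConfig.DEFAULT_BASE_SCOPES;
        private String redirectUri = OidcConfig.DEFAULT_REDIRECT_URI;
        private boolean useCookie = OidcConfig.DEFAULT_COOKIE_USE;
        private String cookieName = OidcConfig.DEFAULT_COOKIE_NAME;
        private String cookiePath = OidcConfig.DEFAULT_COOKIE_PATH;
        private boolean cookieHttpOnly = OidcConfig.DEFAULT_COOKIE_HTTP_ONLY;
        private boolean cookieSecure = OidcConfig.DEFAULT_COOKIE_SECURE;
        private String cookieSameSite = OidcConfig.DEFAULT_COOKIE_SAME_SITE;
        private boolean useParam = OidcConfig.DEFAULT_PARAM_USE;
        private String paramName = OidcConfig.DEFAULT_PARAM_NAME;
        private String proxyProtocol = OidcConfig.DEFAULT_PROXY_PROTOCOL;
        private int proxyPort = OidcConfig.DEFAULT_PROXY_PORT;
        private boolean useHeader = OidcConfig.DEFAULT_HEADER_USE;
        // Default header transport: "Authorization: bearer <token>".
        private TokenHandler headerHandler = TokenHandler.builder().tokenHeader("Authorization").tokenPrefix("bearer ").build();
        private boolean oidcMetadataWellKnown = true;
        private boolean validateJwtWithJwk = OidcConfig.DEFAULT_JWT_VALIDATE_JWK;
        private boolean redirect = OidcConfig.DEFAULT_REDIRECT;
        private String realm = OidcConfig.DEFAULT_REALM;
        private String redirectAttemptParam = OidcConfig.DEFAULT_ATTEMPT_PARAM;
        private int maxRedirects = OidcConfig.DEFAULT_MAX_REDIRECTS;
        // True until cookieSameSite(String) is called; allows the Strict auto-upgrade in build.
        private boolean cookieSameSiteDefault = true;

        /**
         * Validates the builder, resolves all endpoints and creates the configuration.
         *
         * <p>Order of work: normalize server type and proxy URI, check the mandatory settings,
         * load metadata, resolve token/authorization endpoints (plus issuer and audience
         * defaults), pick the Same-Site default, build the JAX-RS clients and finally resolve
         * either the JWK set or the introspection endpoint. Every validation failure is
         * collected and raised through {@code Errors.Collector#collect().checkValid()}.
         *
         * @return the built configuration
         */
        /* renamed from: build, reason: merged with bridge method [inline-methods] */
        public OidcConfig m1build() {
            normalizeServerType();
            if (null == this.proxyUri && null != this.proxyHost) {
                this.proxyUri = this.proxyProtocol + "://" + this.proxyHost + ":" + this.proxyPort;
            }

            // Mandatory settings first; nothing below is attempted without them.
            Errors.Collector required = Errors.collector();
            if (null == this.clientId) {
                required.fatal("Client Id must be configured (\"client-id\" key in config)");
            }
            if (null == this.clientSecret) {
                required.fatal("Client Secret must be configured (\"client-secret\" key in config)");
            }
            if (null == this.identityUri) {
                required.fatal("Identity URI must be configured  (\"identity-uri\" key in config)");
            }
            required.collect().checkValid();

            Errors.Collector endpoints = Errors.collector();
            loadOidcMetadata(endpoints);
            this.tokenEndpointUri = getOidcEndpoint(endpoints, this.tokenEndpointUri, "token_endpoint", "/oauth2/v1/token");
            this.authorizationEndpointUri = getOidcEndpoint(endpoints, this.authorizationEndpointUri, "authorization_endpoint", "/oauth2/v1/authorize");
            if (null == this.issuer && null != this.oidcMetadata) {
                // Single-argument getString throws NullPointerException when the key is absent;
                // a metadata document without "issuer" therefore fails loudly here.
                this.issuer = this.oidcMetadata.getString("issuer");
            }
            if (null == this.audience && null != this.identityUri) {
                this.audience = this.identityUri.toString();
            }
            endpoints.collect().checkValid();

            applySameSiteDefault();
            buildClients();

            if (this.validateJwtWithJwk) {
                if (null == this.signJwk) {
                    URI jwkUri = getOidcEndpoint(endpoints, null, "jwks_uri", null);
                    if (null != jwkUri) {
                        if ("idcs".equals(this.serverType)) {
                            this.signJwk = IdcsSupport.signJwk(this.generalClient, this.tokenEndpoint, endpoints, jwkUri);
                        } else {
                            this.signJwk = JwkKeys.builder().resource(Resource.create(jwkUri)).build();
                        }
                    }
                }
            } else {
                this.introspectUri = getOidcEndpoint(endpoints, this.introspectUri, "introspection_endpoint", "/oauth2/v1/introspect");
            }
            // Errors recorded while resolving the JWK or introspection endpoint (including any
            // from IdcsSupport) were previously collected but never checked, leaving the
            // provider with an empty key set or a null introspection URI. Fail at startup instead.
            endpoints.collect().checkValid();
            return new OidcConfig(this);
        }

        /** Replaces an unsupported or missing server type with {@value #DEFAULT_SERVER_TYPE}, warning on the former. */
        private void normalizeServerType() {
            if (null == this.serverType) {
                this.serverType = DEFAULT_SERVER_TYPE;
            } else if (!"idcs".equals(this.serverType) && !DEFAULT_SERVER_TYPE.equals(this.serverType)) {
                OidcConfig.LOGGER.warning("OIDC server-type is configured to " + this.serverType + ", currently only \"idcs\", and \"@default\" are supported");
                this.serverType = DEFAULT_SERVER_TYPE;
            }
        }

        /**
         * Upgrades the cookie Same-Site policy to {@code Strict} when the frontend and identity
         * hosts are the same, unless the user configured Same-Site explicitly.
         */
        private void applySameSiteDefault() {
            if (!this.cookieSameSiteDefault || !this.useCookie || null == this.identityUri || null == this.frontendUri) {
                return;
            }
            String identityHost = this.identityUri.getHost();
            // URI#getHost() is null for URIs without an authority component; guard the comparison.
            if (null != identityHost && identityHost.equals(URI.create(this.frontendUri).getHost())) {
                OidcConfig.LOGGER.info("As frontend host and identity host are equal, setting Same-Site policy to Strict this can be overridden using configuration option of OIDC: \"cookie-same-site\"");
                this.cookieSameSite = "Strict";
            }
        }

        /**
         * Builds the two JAX-RS clients and the token endpoint target.
         *
         * <p>{@code generalClient} is built before the basic-auth feature is registered, so only
         * {@code appClient} (and the token endpoint derived from it) sends the client credentials.
         */
        private void buildClients() {
            ClientBuilder clientBuilder = ClientBuilder.newBuilder();
            // presumably opts these outbound calls out of Helidon's client security integration — verify
            clientBuilder.property("io.helidon.security.client.disable", Boolean.TRUE);
            if (this.proxyHost != null) {
                clientBuilder.property("jersey.config.client.proxy.uri", this.proxyUri);
            }
            this.generalClient = clientBuilder.build();
            this.appClient = clientBuilder.register(HttpAuthenticationFeature.basicBuilder().credentials(this.clientId, this.clientSecret).build()).build();
            this.tokenEndpoint = this.appClient.target(this.tokenEndpointUri);
        }

        /**
         * Resolves one endpoint: explicit value first, then the OIDC metadata entry, then
         * {@code identityUri + defaultPath}. Missing values are reported to {@code collector}.
         *
         * @param collector   receives a fatal message when the endpoint cannot be resolved
         * @param configured  explicitly configured URI, may be null
         * @param metadataKey key of the endpoint in the OIDC metadata document
         * @param defaultPath path appended to the identity URI as a last resort, may be null
         * @return the resolved URI, or null when it could not be resolved (an error was collected)
         */
        private URI getOidcEndpoint(Errors.Collector collector, URI configured, String metadataKey, String defaultPath) {
            if (null != configured) {
                OidcConfig.LOGGER.finest(() -> metadataKey + " explicitly configured: " + configured);
                return configured;
            }
            if (null == this.oidcMetadata) {
                collector.fatal("When " + metadataKey + " is not explicitly defined, the OIDC metadata must exist");
                return null;
            }
            // Two-argument getString returns the default for a missing key; the single-argument
            // form throws NullPointerException, which made the null check below unreachable.
            String fromMetadata = this.oidcMetadata.getString(metadataKey, null);
            if (null != fromMetadata) {
                URI resolved = URI.create(fromMetadata);
                OidcConfig.LOGGER.finest(() -> metadataKey + " loaded from well known metadata: " + resolved);
                return resolved;
            }
            if (null == this.identityUri) {
                collector.fatal(metadataKey + " URI is not defined in well known configuration");
            } else if (null != defaultPath) {
                return URI.create(this.identityUri + defaultPath);
            } else {
                collector.fatal(metadataKey + " default URI is not defined and URI was not in OIDC metadata");
            }
            return null;
        }

        /**
         * Loads the OIDC metadata from the identity server's well-known location, unless metadata
         * was supplied explicitly or well-known lookup is disabled. Any failure is collected.
         *
         * @param collector receives a fatal message when the document cannot be loaded
         */
        private void loadOidcMetadata(Errors.Collector collector) {
            if (null != this.oidcMetadata || !this.oidcMetadataWellKnown) {
                return;
            }
            String wellKnownUri = this.identityUri + OidcConfig.DEFAULT_OIDC_METADATA_URI;
            // try-with-resources: the resource stream was previously never closed.
            try (InputStream in = Resource.create(URI.create(wellKnownUri)).stream()) {
                this.oidcMetadata = OidcConfig.JSON.createReader(in).readObject();
                OidcConfig.LOGGER.finest(() -> "OIDC Metadata loaded from well known URI: " + wellKnownUri);
            } catch (Exception e) {
                collector.fatal(e, "Failed to load metadata: " + e.getClass().getName() + ": " + e.getMessage());
            }
        }

        /**
         * Applies all settings present in {@code config}; keys that are absent keep their current
         * value. Keys: client-id, client-secret, identity-uri, frontend-uri, proxy-protocol,
         * proxy-host, proxy-port, redirect-uri, scope-audience, cookie-use, cookie-name,
         * cookie-domain, cookie-path, cookie-max-age-seconds, cookie-http-only, cookie-secure,
         * cookie-same-site, query-param-use, query-param-name, header-use, header-token,
         * base-scopes, oidc-metadata(.resource), oidc-metadata-well-known, sign-jwk(.resource),
         * token-endpoint-uri, authorization-endpoint-uri, introspect-endpoint-uri,
         * validate-with-jwk, issuer, audience, redirect, redirect-attempt-param, max-redirects,
         * server-type.
         *
         * @param config configuration node of this provider
         * @return updated builder instance
         */
        public Builder config(Config config) {
            config.get("client-id").asString().ifPresent(this::clientId);
            config.get("client-secret").asString().ifPresent(this::clientSecret);
            config.get("identity-uri").as(URI.class).ifPresent(this::identityUri);
            config.get("frontend-uri").asString().ifPresent(this::frontendUri);
            config.get("proxy-protocol").asString().ifPresent(this::proxyProtocol);
            config.get("proxy-host").asString().ifPresent(this::proxyHost);
            config.get("proxy-port").asInt().ifPresent(this::proxyPort);
            config.get("redirect-uri").asString().ifPresent(this::redirectUri);
            config.get("scope-audience").asString().ifPresent(this::scopeAudience);
            config.get("cookie-use").asBoolean().ifPresent(this::useCookie);
            config.get("cookie-name").asString().ifPresent(this::cookieName);
            config.get("cookie-domain").asString().ifPresent(this::cookieDomain);
            config.get("cookie-path").asString().ifPresent(this::cookiePath);
            config.get("cookie-max-age-seconds").asLong().ifPresent(this::cookieMaxAgeSeconds);
            config.get("cookie-http-only").asBoolean().ifPresent(this::cookieHttpOnly);
            config.get("cookie-secure").asBoolean().ifPresent(this::cookieSecure);
            config.get("cookie-same-site").asString().ifPresent(this::cookieSameSite);
            config.get("query-param-use").asBoolean().ifPresent(this::useParam);
            config.get("query-param-name").asString().ifPresent(this::paramName);
            config.get("header-use").asBoolean().ifPresent(this::useHeader);
            config.get("header-token").as(TokenHandler.class).ifPresent(this::headerTokenHandler);
            config.get("base-scopes").asString().ifPresent(this::baseScopes);
            // Two spellings are accepted for the resource-backed keys; the later one wins if both exist.
            config.get("oidc-metadata.resource").as(Resource::create).ifPresent(this::oidcMetadata);
            Resource.create(config, "oidc-metadata").ifPresent(this::oidcMetadata);
            config.get("oidc-metadata-well-known").asBoolean().ifPresent(this::oidcMetadataWellKnown);
            config.get("sign-jwk.resource").as(Resource::create).ifPresent(this::signJwk);
            Resource.create(config, "sign-jwk").ifPresent(this::signJwk);
            config.get("token-endpoint-uri").as(URI.class).ifPresent(this::tokenEndpointUri);
            config.get("authorization-endpoint-uri").as(URI.class).ifPresent(this::authorizationEndpointUri);
            config.get("introspect-endpoint-uri").as(URI.class).ifPresent(this::introspectEndpointUri);
            config.get("validate-with-jwk").asBoolean().ifPresent(this::validateJwtWithJwk);
            config.get("issuer").asString().ifPresent(this::issuer);
            config.get("audience").asString().ifPresent(this::audience);
            config.get("redirect").asBoolean().ifPresent(this::redirect);
            config.get("redirect-attempt-param").asString().ifPresent(this::redirectAttemptParam);
            config.get("max-redirects").asInt().ifPresent(this::maxRedirects);
            config.get("server-type").asString().ifPresent(this::serverType);
            return this;
        }

        /** Whether an unauthenticated request is redirected to the identity server. */
        public Builder redirect(boolean z) {
            this.redirect = z;
            return this;
        }

        /** Realm reported in authentication challenges. */
        public Builder realm(String str) {
            this.realm = str;
            return this;
        }

        /** Expected token audience; defaults to the identity URI. */
        public Builder audience(String str) {
            this.audience = str;
            return this;
        }

        /** Expected token issuer; defaults to the {@code issuer} entry of the OIDC metadata. */
        public Builder issuer(String str) {
            this.issuer = str;
            return this;
        }

        /** Validate JWTs locally with a JWK set (true) or remotely via introspection (false). */
        public Builder validateJwtWithJwk(Boolean bool) {
            this.validateJwtWithJwk = bool.booleanValue();
            return this;
        }

        /** Sets the introspection endpoint and switches validation to introspection. */
        public Builder introspectEndpointUri(URI uri) {
            validateJwtWithJwk(false);
            this.introspectUri = uri;
            return this;
        }

        /** Scopes requested on every authorization; default {@value OidcConfig#DEFAULT_BASE_SCOPES}. */
        public Builder baseScopes(String str) {
            this.baseScopes = str;
            return this;
        }

        /** Whether to fetch metadata from the well-known URI when none is supplied. */
        public Builder oidcMetadataWellKnown(Boolean bool) {
            this.oidcMetadataWellKnown = bool.booleanValue();
            return this;
        }

        /** Loads the signing JWK set from a resource and switches validation to JWK. */
        public Builder signJwk(Resource resource) {
            validateJwtWithJwk(true);
            this.signJwk = JwkKeys.builder().resource(resource).build();
            return this;
        }

        /** Uses the given signing JWK set and switches validation to JWK. */
        public Builder signJwk(JwkKeys jwkKeys) {
            validateJwtWithJwk(true);
            this.signJwk = jwkKeys;
            return this;
        }

        /** Parses the OIDC metadata document from a resource. */
        public Builder oidcMetadata(Resource resource) {
            // try-with-resources: the resource stream was previously never closed.
            try (InputStream in = resource.stream()) {
                this.oidcMetadata = OidcConfig.JSON.createReader(in).readObject();
            } catch (java.io.IOException e) {
                throw new java.io.UncheckedIOException("Failed to close OIDC metadata resource", e);
            }
            return this;
        }

        /** Uses an already parsed OIDC metadata document. */
        public Builder oidcMetadata(JsonObject jsonObject) {
            this.oidcMetadata = jsonObject;
            return this;
        }

        /** Handler extracting the token from a request header. */
        public Builder headerTokenHandler(TokenHandler tokenHandler) {
            this.headerHandler = tokenHandler;
            return this;
        }

        /** Whether the token may be read from a request header. */
        public Builder useHeader(Boolean bool) {
            this.useHeader = bool.booleanValue();
            return this;
        }

        /** Audience prefix for scopes; a trailing slash is added when missing. */
        public Builder scopeAudience(String str) {
            this.scopeAudience = str;
            return this;
        }

        /** Cookie Same-Site value; calling this disables the automatic Strict upgrade. */
        public Builder cookieSameSite(String str) {
            this.cookieSameSite = str;
            this.cookieSameSiteDefault = false;
            return this;
        }

        /** Whether the cookie carries the {@code Secure} attribute. */
        public Builder cookieSecure(Boolean bool) {
            this.cookieSecure = bool.booleanValue();
            return this;
        }

        /** Whether the cookie carries the {@code HttpOnly} attribute. */
        public Builder cookieHttpOnly(Boolean bool) {
            this.cookieHttpOnly = bool.booleanValue();
            return this;
        }

        /** Cookie {@code Max-Age} in seconds; absent by default. */
        public Builder cookieMaxAgeSeconds(long j) {
            this.cookieMaxAge = Long.valueOf(j);
            return this;
        }

        /** Cookie {@code Path} attribute. */
        public Builder cookiePath(String str) {
            this.cookiePath = str;
            return this;
        }

        /** Cookie {@code Domain} attribute; absent by default. */
        public Builder cookieDomain(String str) {
            this.cookieDomain = str;
            return this;
        }

        /** Public base URI of this application, prepended to the redirect URI. */
        public Builder frontendUri(String str) {
            this.frontendUri = str;
            return this;
        }

        /** Explicit token endpoint, overriding OIDC metadata. */
        public Builder tokenEndpointUri(URI uri) {
            this.tokenEndpointUri = uri;
            return this;
        }

        /** Explicit authorization endpoint, overriding OIDC metadata. */
        public Builder authorizationEndpointUri(URI uri) {
            this.authorizationEndpointUri = uri;
            return this;
        }

        /** Name of the token cookie. */
        public Builder cookieName(String str) {
            this.cookieName = str;
            return this;
        }

        /** Whether the token may be read from (and written to) a cookie. */
        public Builder useCookie(Boolean bool) {
            this.useCookie = bool.booleanValue();
            return this;
        }

        /** Name of the query parameter carrying the token. */
        public Builder paramName(String str) {
            this.paramName = str;
            return this;
        }

        /** Whether the token may be read from a query parameter. */
        public Builder useParam(Boolean bool) {
            this.useParam = bool.booleanValue();
            return this;
        }

        /** Base URI of the identity server (mandatory). */
        public Builder identityUri(URI uri) {
            this.identityUri = uri;
            return this;
        }

        /** Proxy scheme used when building the proxy URI from host and port. */
        public Builder proxyProtocol(String str) {
            this.proxyProtocol = str;
            return this;
        }

        /** Proxy host; null or empty disables the proxy. */
        public Builder proxyHost(String str) {
            this.proxyHost = (null == str || str.isEmpty()) ? null : str;
            return this;
        }

        /** Proxy port used when building the proxy URI. */
        public Builder proxyPort(int i) {
            this.proxyPort = i;
            return this;
        }

        /** OAuth2 client id (mandatory). */
        public Builder clientId(String str) {
            this.clientId = str;
            return this;
        }

        /** OAuth2 client secret (mandatory); sent as HTTP basic auth to the identity server. */
        public Builder clientSecret(String str) {
            this.clientSecret = str;
            return this;
        }

        /** Path of the redirect endpoint of this application. */
        public Builder redirectUri(String str) {
            this.redirectUri = str;
            return this;
        }

        /** Query parameter used to count redirect attempts. */
        public Builder redirectAttemptParam(String str) {
            this.redirectAttemptParam = str;
            return this;
        }

        /** Maximum number of redirect attempts before giving up. */
        public Builder maxRedirects(int i) {
            this.maxRedirects = i;
            return this;
        }

        /** Identity server flavour; only {@code idcs} and {@code @default} are supported. */
        public Builder serverType(String str) {
            this.serverType = str;
            return this;
        }
    }

    /**
     * Copies the resolved builder state; all endpoints must already be resolved by
     * {@link Builder#m1build()}.
     */
    private OidcConfig(Builder builder) {
        this.clientId = builder.clientId;
        this.useCookie = builder.useCookie;
        this.cookieName = builder.cookieName;
        this.cookieValuePrefix = this.cookieName + "=";
        this.useParam = builder.useParam;
        this.paramName = builder.paramName;
        this.redirectUri = builder.redirectUri;
        this.useHeader = builder.useHeader;
        this.headerHandler = builder.headerHandler;
        this.authorizationEndpointUri = builder.authorizationEndpointUri.toString();
        this.baseScopes = builder.baseScopes;
        this.validateJwtWithJwk = builder.validateJwtWithJwk;
        this.issuer = builder.issuer;
        this.audience = builder.audience;
        this.identityUri = builder.identityUri;
        this.redirect = builder.redirect;
        this.realm = builder.realm;
        this.redirectAttemptParam = builder.redirectAttemptParam;
        this.maxRedirects = builder.maxRedirects;
        this.appClient = builder.appClient;
        this.tokenEndpoint = builder.tokenEndpoint;
        this.generalClient = builder.generalClient;
        // Without a resolved key set an empty JwkKeys is used; presumably no signature can be
        // verified against it, so JWK validation would reject every token — verify in the provider.
        this.signJwk = (null == builder.signJwk) ? JwkKeys.builder().build() : builder.signJwk;
        this.introspectEndpoint = this.validateJwtWithJwk ? null : this.appClient.target(builder.introspectUri);
        this.cookieOptions = cookieOptions(builder);
        LOGGER.finest(() -> "OIDC Cookie options: " + this.cookieOptions);
        this.scopeAudience = normalizeScopeAudience(builder.scopeAudience);
        LOGGER.finest(() -> "OIDC Scope audience: " + this.scopeAudience);
        // NOTE(review): when frontend-uri is not configured this yields the literal text
        // "null" + redirectUri; redirects then point to an invalid location.
        this.redirectUriWithHost = builder.frontendUri + builder.redirectUri;
        LOGGER.finest(() -> "Redirect URI with host: " + this.redirectUriWithHost);
    }

    /**
     * Renders the cookie attributes appended after {@code name=value}.
     *
     * <p>Order: Path, HttpOnly, SameSite (only when non-empty), Max-Age, Domain, Secure.
     */
    private static String cookieOptions(Builder builder) {
        StringBuilder attributes = new StringBuilder();
        attributes.append(";Path=").append(builder.cookiePath);
        if (builder.cookieHttpOnly) {
            attributes.append(";HttpOnly");
        }
        if (!builder.cookieSameSite.isEmpty()) {
            attributes.append(";SameSite=").append(builder.cookieSameSite);
        }
        if (builder.cookieMaxAge != null) {
            attributes.append(";Max-Age=").append(builder.cookieMaxAge);
        }
        if (builder.cookieDomain != null) {
            attributes.append(";Domain=").append(builder.cookieDomain);
        }
        if (builder.cookieSecure) {
            attributes.append(";Secure");
        }
        return attributes.toString();
    }

    /**
     * Trims the configured scope audience and ensures it ends with a slash; null or blank input
     * becomes the empty string.
     */
    private static String normalizeScopeAudience(String configured) {
        if (configured == null) {
            return "";
        }
        String trimmed = configured.trim();
        if (trimmed.isEmpty()) {
            return "";
        }
        return trimmed.endsWith("/") ? trimmed : trimmed + "/";
    }

    /** @return a new, empty builder */
    public static Builder builder() {
        return new Builder();
    }

    /**
     * Builds a configuration from a config node (see {@link Builder#config(Config)} for keys).
     *
     * @param config provider configuration node
     * @return the built configuration
     */
    public static OidcConfig create(Config config) {
        return builder().config(config).m1build();
    }

    /** @return JWK set used to verify token signatures (empty when none was resolved) */
    public JwkKeys signJwk() {
        return this.signJwk;
    }

    /** @return redirect path of this application */
    public String redirectUri() {
        return this.redirectUri;
    }

    /** @return token endpoint target, authenticated with the client credentials */
    public WebTarget tokenEndpoint() {
        return this.tokenEndpoint;
    }

    /** @return whether the token may be read from a query parameter */
    public boolean useParam() {
        return this.useParam;
    }

    /** @return query parameter name carrying the token */
    public String paramName() {
        return this.paramName;
    }

    /** @return whether the token may be read from a cookie */
    public boolean useCookie() {
        return this.useCookie;
    }

    /** @return name of the token cookie */
    public String cookieName() {
        return this.cookieName;
    }

    /** @return cookie attributes to append after {@code name=value} */
    public String cookieOptions() {
        return this.cookieOptions;
    }

    /** @return whether the token may be read from a header */
    public boolean useHeader() {
        return this.useHeader;
    }

    /** @return handler extracting the token from a header */
    public TokenHandler headerHandler() {
        return this.headerHandler;
    }

    /** @return {@code cookieName + "="} */
    public String cookieValuePrefix() {
        return this.cookieValuePrefix;
    }

    /** @return normalized scope audience (empty or ending with a slash) */
    public String scopeAudience() {
        return this.scopeAudience;
    }

    /** @return resolved authorization endpoint as a string */
    public String authorizationEndpointUri() {
        return this.authorizationEndpointUri;
    }

    /** @return OAuth2 client id */
    public String clientId() {
        return this.clientId;
    }

    /** @return frontend URI concatenated with the redirect path */
    public String redirectUriWithHost() {
        return this.redirectUriWithHost;
    }

    /** @return scopes requested on authorization */
    public String baseScopes() {
        return this.baseScopes;
    }

    /** @return true for local JWK validation, false for introspection */
    public boolean validateJwtWithJwk() {
        return this.validateJwtWithJwk;
    }

    /** @return introspection endpoint target, or null when validating with JWK */
    public WebTarget introspectEndpoint() {
        return this.introspectEndpoint;
    }

    /** @return expected token issuer */
    public String issuer() {
        return this.issuer;
    }

    /** @return expected token audience */
    public String audience() {
        return this.audience;
    }

    /** @return identity server base URI */
    public URI identityUri() {
        return this.identityUri;
    }

    /** @return client without client credentials */
    public Client generalClient() {
        return this.generalClient;
    }

    /** @return client authenticated with the client credentials */
    public Client appClient() {
        return this.appClient;
    }

    /** @return whether unauthenticated requests are redirected to the identity server */
    public boolean shouldRedirect() {
        return this.redirect;
    }

    /** @return realm used in authentication challenges */
    public String realm() {
        return this.realm;
    }

    /** @return query parameter counting redirect attempts */
    public String redirectAttemptParam() {
        return this.redirectAttemptParam;
    }

    /** @return maximum number of redirect attempts */
    public int maxRedirects() {
        return this.maxRedirects;
    }
}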
