package io.quarkus.oidc.runtime;

import io.quarkus.oidc.AccessTokenCredential;
import io.quarkus.oidc.AuthorizationCodeTokens;
import io.quarkus.oidc.OIDCException;
import io.quarkus.oidc.OidcTenantConfig;
import io.quarkus.oidc.RefreshToken;
import io.quarkus.oidc.TokenIntrospection;
import io.quarkus.oidc.UserInfo;
import io.quarkus.security.AuthenticationFailedException;
import io.quarkus.security.credential.TokenCredential;
import io.quarkus.security.identity.AuthenticationRequestContext;
import io.quarkus.security.runtime.QuarkusSecurityIdentity;
import io.smallrye.jwt.auth.principal.DefaultJWTCallerPrincipal;
import io.vertx.core.json.JsonArray;
import io.vertx.core.json.JsonObject;
import io.vertx.ext.web.RoutingContext;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collections;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.StringTokenizer;
import java.util.regex.Pattern;
import org.eclipse.microprofile.jwt.Claims;
import org.jboss.logging.Logger;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.consumer.InvalidJwtException;

/* loaded from: input_file:io/quarkus/oidc/runtime/OidcUtils.class */
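public final class OidcUtils {
    public static final String CONFIG_METADATA_ATTRIBUTE = "configuration-metadata";
    public static final String USER_INFO_ATTRIBUTE = "userinfo";
    public static final String INTROSPECTION_ATTRIBUTE = "introspection";
    public static final String TENANT_ID_ATTRIBUTE = "tenant-id";
    public static final String QUARKUS_IDENTITY_EXPIRE_TIME = "quarkus.identity.expire-time";
    private static final Logger LOG = Logger.getLogger(OidcUtils.class);
    // Splits a claim path on '/' unless the '/' sits inside a double-quoted segment
    // (i.e. an even number of '"' characters follow it up to the end of the string).
    private static final Pattern CLAIM_PATH_PATTERN = Pattern.compile("\\/(?=(?:(?:[^\"]*\"){2})*[^\"]*$)");
    /** Number of dot-separated segments in a JWS compact serialization: header.payload.signature. */
    private static final int JWT_SEGMENTS = 3;

    private OidcUtils() {
    }

    /**
     * Reports whether {@code str} is <em>not</em> shaped like a JWS compact serialization.
     * <p>
     * Only the segment count is checked; no decoding or signature verification happens here.
     * {@link StringTokenizer} collapses consecutive delimiters, so an input such as
     * {@code "a..b"} counts as two segments and is reported as opaque.
     *
     * @param str the raw token string (must not be {@code null})
     * @return {@code true} when the token does not have exactly three dot-separated segments
     */
    public static boolean isOpaqueToken(String str) {
        return new StringTokenizer(str, ".").countTokens() != JWT_SEGMENTS;
    }

    /**
     * Base64url-decodes the payload (claims) segment of a JWT without any verification.
     * <p>
     * The result is untrusted data: the signature is not checked, so callers must not make
     * authorization decisions on it until the token has been verified elsewhere.
     *
     * @param str the raw token string (must not be {@code null})
     * @return the decoded claims, or {@code null} when the token does not have exactly three
     *         segments or the payload is not valid base64url; a payload that decodes but is not
     *         JSON propagates the JSON decoder's exception
     */
    public static JsonObject decodeJwtContent(String str) {
        StringTokenizer segments = new StringTokenizer(str, ".");
        // Check the count up front: skipping the header unconditionally would throw
        // NoSuchElementException for an input with no segments instead of returning null.
        if (segments.countTokens() != JWT_SEGMENTS) {
            return null;
        }
        segments.nextToken(); // header segment is not needed here
        String payload = segments.nextToken();
        try {
            byte[] decoded = Base64.getUrlDecoder().decode(payload);
            return new JsonObject(new String(decoded, StandardCharsets.UTF_8));
        } catch (IllegalArgumentException e) {
            // Not valid base64url; callers treat null as "not a decodable JWT".
            return null;
        }
    }

    /**
     * Extracts role names from a claims document.
     * <p>
     * Lookup order: the configured role claim path if present; otherwise the standard
     * {@code groups} claim; otherwise the union of {@code realm_access/roles} and, when a
     * client id is given, {@code resource_access/<clientId>/roles} (the layout used by
     * Keycloak-style tokens).
     *
     * @param str the client id used for the {@code resource_access} lookup, or {@code null} to skip it
     * @param roles the tenant's role configuration
     * @param jsonObject the claims to search
     * @return the roles found, possibly empty, never {@code null}
     */
    public static List<String> findRoles(String str, OidcTenantConfig.Roles roles, JsonObject jsonObject) {
        if (roles.getRoleClaimPath().isPresent()) {
            return findClaimWithRoles(roles, roles.getRoleClaimPath().get(), jsonObject);
        }
        List<String> groups = findClaimWithRoles(roles, Claims.groups.name(), jsonObject);
        if (!groups.isEmpty()) {
            return groups;
        }
        List<String> accessRoles = new ArrayList<>(findClaimWithRoles(roles, "realm_access/roles", jsonObject));
        if (str != null) {
            accessRoles.addAll(findClaimWithRoles(roles, "resource_access/" + str + "/roles", jsonObject));
        }
        return accessRoles;
    }

    /**
     * Reads the claim at {@code str} and converts it to a list of role names.
     * <p>
     * A JSON array is returned element by element; any other non-null value is converted with
     * {@code toString()} and split on the configured separator (default: a single space).
     *
     * @param roles the tenant's role configuration, supplying the optional separator
     * @param str the claim path, segments separated by {@code /}
     * @param jsonObject the claims to search
     * @return the roles found, or an empty list when the claim is absent
     */
    private static List<String> findClaimWithRoles(OidcTenantConfig.Roles roles, String str, JsonObject jsonObject) {
        Object claimValue = findClaimValue(str, jsonObject, splitClaimPath(str), 0);
        if (claimValue instanceof JsonArray) {
            return convertJsonArrayToList((JsonArray) claimValue);
        }
        if (claimValue == null) {
            return Collections.emptyList();
        }
        // NOTE(review): String.split interprets the separator as a regular expression, so a
        // configured separator containing regex metacharacters (e.g. "|" or ".") acts as a
        // pattern rather than a literal. Kept as-is to preserve existing configurations.
        String separator = roles.getRoleClaimSeparator().orElse(" ");
        return Arrays.asList(claimValue.toString().split(separator));
    }

    /**
     * Splits a claim path into its segments.
     * <p>
     * A {@code /} at index 0 is not treated as a separator, and {@code /} characters inside
     * double-quoted segments are preserved (see {@link #CLAIM_PATH_PATTERN}).
     *
     * @param str the claim path
     * @return the path segments; a single-element array when there is nothing to split
     */
    private static String[] splitClaimPath(String str) {
        return str.indexOf('/') > 0 ? CLAIM_PATH_PATTERN.split(str) : new String[] { str };
    }

    /**
     * Walks {@code strArr} from index {@code i} into nested JSON objects.
     *
     * @param str the full claim path, used only for log messages
     * @param jsonObject the object to read the current segment from
     * @param strArr the path segments
     * @param i the index of the segment to resolve against {@code jsonObject}
     * @return the value at the end of the path; {@code null} when a segment is missing; an
     *         intermediate non-object value when the path cannot be followed further
     */
    private static Object findClaimValue(String str, JsonObject jsonObject, String[] strArr, int i) {
        // Quotes only protect '/' during splitting; they are not part of the claim name.
        Object value = jsonObject.getValue(strArr[i].replace("\"", ""));
        if (value == null) {
            LOG.debugf("No claim exists at the path '%s' at the path segment '%s'", str, strArr[i]);
        } else if (i + 1 < strArr.length) {
            if (value instanceof JsonObject) {
                return findClaimValue(str, (JsonObject) value, strArr, i + 1);
            }
            LOG.debugf("Claim value at the path '%s' is not a json object", str);
        }
        return value;
    }

    /**
     * Copies a JSON array of strings into a mutable list.
     *
     * @param jsonArray the array to convert
     * @return a new list with one entry per array element
     */
    private static List<String> convertJsonArrayToList(JsonArray jsonArray) {
        List<String> result = new ArrayList<>(jsonArray.size());
        for (int i = 0; i < jsonArray.size(); i++) {
            result.add(jsonArray.getString(i));
        }
        return result;
    }

    /**
     * Builds a {@link QuarkusSecurityIdentity} from an already-obtained token and its claims.
     * <p>
     * No token verification is performed here: {@code jsonObject} is parsed into the principal's
     * claims as given, so callers are responsible for verifying the token beforehand.
     *
     * @param routingContext the current request context, or {@code null} outside a request; when
     *        present, authorization-code tokens and the blocking-API context are read from it
     * @param tokenCredential the credential whose raw token becomes the {@code raw_token} claim
     * @param tenantConfigContext the tenant configuration and provider client
     * @param jsonObject the claims used to build the principal
     * @param jsonObject2 the claims from which roles are extracted
     * @param userInfo the UserInfo response to attach, or {@code null}
     * @return the built identity
     * @throws AuthenticationFailedException when {@code jsonObject} cannot be parsed as JWT claims
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public static QuarkusSecurityIdentity validateAndCreateIdentity(RoutingContext routingContext, TokenCredential tokenCredential, TenantConfigContext tenantConfigContext, JsonObject jsonObject, JsonObject jsonObject2, UserInfo userInfo) {
        OidcTenantConfig oidcTenantConfig = tenantConfigContext.oidcConfig;
        QuarkusSecurityIdentity.Builder builder = QuarkusSecurityIdentity.builder();
        builder.addCredential(tokenCredential);
        AuthorizationCodeTokens codeTokens = routingContext != null
                ? (AuthorizationCodeTokens) routingContext.get(AuthorizationCodeTokens.class.getName())
                : null;
        if (codeTokens != null) {
            RefreshToken refreshToken = new RefreshToken(codeTokens.getRefreshToken());
            builder.addCredential(refreshToken);
            builder.addCredential(new AccessTokenCredential(codeTokens.getAccessToken(), refreshToken, routingContext));
        }
        try {
            JwtClaims claims = JwtClaims.parse(jsonObject.encode());
            claims.setClaim(Claims.raw_token.name(), tokenCredential.getToken());
            DefaultJWTCallerPrincipal principal = new OidcJwtCallerPrincipal(claims, tokenCredential,
                    oidcTenantConfig.token.principalClaim.orElse(null));
            builder.addAttribute(QUARKUS_IDENTITY_EXPIRE_TIME, Long.valueOf(principal.getExpirationTime()));
            builder.setPrincipal(principal);
            setSecurityIdentityRoles(builder, oidcTenantConfig, jsonObject2);
            setSecurityIdentityUserInfo(builder, userInfo);
            setSecurityIdentityConfigMetadata(builder, tenantConfigContext);
            setBlockinApiAttribute(builder, routingContext);
            setTenantIdAttribute(builder, oidcTenantConfig);
            return builder.build();
        } catch (InvalidJwtException e) {
            throw new AuthenticationFailedException(e);
        }
    }

    /**
     * Adds every role found in {@code jsonObject} (see {@link #findRoles}) to the identity.
     *
     * @param builder the identity under construction
     * @param oidcTenantConfig supplies the client id and role configuration
     * @param jsonObject the claims to extract roles from
     */
    public static void setSecurityIdentityRoles(QuarkusSecurityIdentity.Builder builder, OidcTenantConfig oidcTenantConfig, JsonObject jsonObject) {
        String clientId = oidcTenantConfig.getClientId().orElse(null);
        for (String role : findRoles(clientId, oidcTenantConfig.getRoles(), jsonObject)) {
            builder.addRole(role);
        }
    }

    /**
     * Copies the {@link AuthenticationRequestContext} from the request into the identity, if any.
     *
     * @param builder the identity under construction
     * @param routingContext the current request, or {@code null} to skip
     */
    public static void setBlockinApiAttribute(QuarkusSecurityIdentity.Builder builder, RoutingContext routingContext) {
        if (routingContext != null) {
            builder.addAttribute(AuthenticationRequestContext.class.getName(), routingContext.get(AuthenticationRequestContext.class.getName()));
        }
    }

    /**
     * Records the tenant id on the identity, using {@code "Default"} when none is configured.
     *
     * @param builder the identity under construction
     * @param oidcTenantConfig the tenant configuration
     */
    public static void setTenantIdAttribute(QuarkusSecurityIdentity.Builder builder, OidcTenantConfig oidcTenantConfig) {
        builder.addAttribute(TENANT_ID_ATTRIBUTE, oidcTenantConfig.tenantId.orElse("Default"));
    }

    /**
     * Attaches the UserInfo response to the identity when one is available.
     *
     * @param builder the identity under construction
     * @param userInfo the response, or {@code null} to skip
     */
    public static void setSecurityIdentityUserInfo(QuarkusSecurityIdentity.Builder builder, UserInfo userInfo) {
        if (userInfo != null) {
            builder.addAttribute(USER_INFO_ATTRIBUTE, userInfo);
        }
    }

    /**
     * Attaches the token introspection response to the identity.
     *
     * @param builder the identity under construction
     * @param tokenIntrospection the introspection response (stored as given, even if {@code null})
     */
    public static void setSecurityIdentityIntrospecton(QuarkusSecurityIdentity.Builder builder, TokenIntrospection tokenIntrospection) {
        builder.addAttribute(INTROSPECTION_ATTRIBUTE, tokenIntrospection);
    }

    /**
     * Attaches the provider's configuration metadata when a provider client exists.
     *
     * @param builder the identity under construction
     * @param tenantConfigContext supplies the provider client
     */
    public static void setSecurityIdentityConfigMetadata(QuarkusSecurityIdentity.Builder builder, TenantConfigContext tenantConfigContext) {
        if (tenantConfigContext.provider.client != null) {
            builder.addAttribute(CONFIG_METADATA_ATTRIBUTE, tenantConfigContext.provider.client.getMetadata());
        }
    }

    /**
     * Checks the {@code typ} header of a token presented as the primary token.
     * <p>
     * When {@code typ} is absent nothing is checked. When present it must match the configured
     * token type (if one is configured) and must not be {@code "Refresh"}, so that a refresh
     * token cannot be presented in place of an access or ID token.
     *
     * @param token the tenant's token configuration
     * @param jsonObject the decoded JWT header
     * @throws OIDCException when the type does not match or denotes a refresh token
     */
    public static void validatePrimaryJwtTokenType(OidcTenantConfig.Token token, JsonObject jsonObject) {
        if (!jsonObject.containsKey("typ")) {
            return;
        }
        String typ = jsonObject.getString("typ");
        if (token.getTokenType().isPresent() && !token.getTokenType().get().equals(typ)) {
            throw new OIDCException("Invalid token type");
        }
        if ("Refresh".equals(typ)) {
            throw new OIDCException("Refresh token can only be used with the refresh token grant");
        }
    }
}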
