package de.adorsys.sts.keycloack.secret.adapter.embedded;

import com.nimbusds.jose.EncryptionMethod;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.JWEHeader;
import com.nimbusds.jose.JWEObject;
import com.nimbusds.jose.Payload;
import com.nimbusds.jose.crypto.DirectDecrypter;
import com.nimbusds.jose.crypto.DirectEncrypter;
import de.adorsys.keycloack.secret.adapter.common.SecretAndAudModel;
import de.adorsys.keycloack.secret.adapter.common.UserSecretAdapter;
import de.adorsys.sts.resourceserver.model.ResourceServer;
import de.adorsys.sts.resourceserver.service.EncryptionService;
import de.adorsys.sts.resourceserver.service.ResourceServerService;
import java.io.UnsupportedEncodingException;
import java.nio.charset.StandardCharsets;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.text.ParseException;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import org.apache.commons.lang3.RandomStringUtils;
import org.apache.commons.lang3.StringUtils;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserCredentialModel;
import org.keycloak.models.UserModel;

/* loaded from: input_file:de/adorsys/sts/keycloack/secret/adapter/embedded/UserSecretAdapterEmbedded.class */
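/**
 * {@link UserSecretAdapter} that keeps every per-user secret inside the Keycloak user's own
 * attributes, wrapped as a JWE (dir / A128GCM) under a key derived from the user's credential
 * value via PBKDF2.
 *
 * <p>Stored-data format: each attribute written here is a compact-serialized JWE whose content
 * key is {@code pbkdf2(credentialValue, userId, PBKDF2_ITERATIONS, HASH_BYTES)}. The KDF
 * constants are therefore part of that format; see the notes on them below.
 *
 * <p>Not thread-safe beyond what the injected services and the {@link UserModel} guarantee.
 */
public class UserSecretAdapterEmbedded implements UserSecretAdapter {
    /** Name of the user attribute that holds the JWE-wrapped main secret. */
    private static final String userMainSecretAttrName = "UserSecretStorage-UserMainSecret";
    ResourceServerService resourceServerService;
    EncryptionService encryptionService;
    /** Randomness for every generated secret. Must be a SecureRandom: these values are secrets. */
    SecureRandom random = new SecureRandom();
    // KDF parameters. All three are baked into existing stored attributes: changing the
    // algorithm or the iteration count (512 is far below current guidance for PBKDF2) makes
    // every previously written attribute undecryptable, so a change needs a re-wrap migration.
    public static final String PBKDF2_ALGORITHM = "PBKDF2WithHmacSHA1";
    public static final int PBKDF2_ITERATIONS = 512;
    // 16 bytes = 128-bit key, which is exactly what EncryptionMethod.A128GCM requires.
    public static final int HASH_BYTES = 16;

    /**
     * Creates an adapter.
     *
     * @param resourceServerService resolves an audience to its {@link ResourceServer}
     * @param encryptionService     encrypts a resource secret for a given audience
     */
    public UserSecretAdapterEmbedded(ResourceServerService resourceServerService, EncryptionService encryptionService) {
        this.resourceServerService = resourceServerService;
        this.encryptionService = encryptionService;
    }

    /**
     * Returns the user's main secret, generating and storing a fresh one on first use.
     *
     * @param realmModel          unused here
     * @param userModel           user whose attribute holds (or will hold) the wrapped secret
     * @param userCredentialModel credential whose value is the PBKDF2 input — presumably the
     *                            user's password; verify against the caller
     * @return the plaintext main secret
     * @throws IllegalStateException if the stored attribute cannot be parsed or decrypted, or the KDF is unavailable
     */
    public String retrieveMainSecret(RealmModel realmModel, UserModel userModel, UserCredentialModel userCredentialModel) {
        byte[] wrappingKey = deriveWrappingKey(userCredentialModel.getValue(), userModel);
        List<String> stored = userModel.getAttribute(userMainSecretAttrName);
        if (stored == null || stored.isEmpty()) {
            return generateUserMainSecret(userModel, userMainSecretAttrName, wrappingKey);
        }
        return decrypt(stored.get(0), wrappingKey);
    }

    /**
     * Returns, per resource-server claim name, the user's resource secret encrypted for that
     * audience. Secrets that do not exist yet are generated and stored.
     *
     * @throws IllegalStateException wrapping any checked failure from the underlying services
     */
    public Map<String, String> retrieveResourceSecrets(SecretAndAudModel secretAndAudModel, RealmModel realmModel, UserModel userModel) {
        try {
            return readUserSecret(userModel, secretAndAudModel.getUserSecret(), secretAndAudModel.getAudiances());
        } catch (UnsupportedEncodingException | JOSEException | ParseException e) {
            throw new IllegalStateException(e);
        }
    }

    /**
     * Generates a new 16-character main secret, stores it wrapped in the given attribute and
     * returns the plaintext.
     */
    private String generateUserMainSecret(UserModel userModel, String attributeName, byte[] wrappingKey) {
        String mainSecret = randomGraph(16);
        userModel.setAttribute(attributeName, Arrays.asList(encrypt(mainSecret, wrappingKey)));
        return mainSecret;
    }

    /**
     * Collects one resource secret per distinct claim name among the given audiences.
     *
     * @param userModel  user whose attributes store the wrapped resource secrets
     * @param userSecret KDF input for the wrapping key
     * @param audiences  audiences to resolve; blank entries and unknown audiences are skipped
     * @return claim name → resource secret encrypted for the first audience that produced that claim
     */
    private Map<String, String> readUserSecret(UserModel userModel, String userSecret, List<String> audiences)
            throws JOSEException, UnsupportedEncodingException, ParseException {
        Map<String, String> secretsByClaim = new HashMap<>();
        // The wrapping key does not depend on the audience, so derive it at most once
        // (lazily, so a request with no resolvable audience never runs the KDF).
        byte[] wrappingKey = null;
        for (String audience : audiences) {
            if (StringUtils.isBlank(audience)) {
                continue;
            }
            ResourceServer resourceServer = this.resourceServerService.getForAudience(audience);
            if (resourceServer == null) {
                continue;
            }
            String claimName = resourceServer.getUserSecretClaimName();
            if (secretsByClaim.containsKey(claimName)) {
                continue;
            }
            if (wrappingKey == null) {
                wrappingKey = deriveWrappingKey(userSecret, userModel);
            }
            List<String> stored = userModel.getAttribute(claimName);
            String resourceSecret;
            if (stored == null || stored.isEmpty()) {
                resourceSecret = randomNumeric(16);
                userModel.setAttribute(claimName, Arrays.asList(encrypt(resourceSecret, wrappingKey)));
            } else {
                resourceSecret = decrypt(stored.get(0), wrappingKey);
            }
            secretsByClaim.put(claimName, this.encryptionService.encryptFor(audience, resourceSecret));
        }
        return secretsByClaim;
    }

    /** Wraps {@code plaintext} as a compact-serialized dir/A128GCM JWE under {@code key}. */
    private String encrypt(String plaintext, byte[] key) {
        JWEObject jwe = new JWEObject(new JWEHeader.Builder(JWEAlgorithm.DIR, EncryptionMethod.A128GCM).build(), new Payload(plaintext));
        try {
            jwe.encrypt(new DirectEncrypter(key));
            return jwe.serialize();
        } catch (JOSEException e) {
            throw new IllegalStateException(e);
        }
    }

    /**
     * Unwraps a compact-serialized JWE produced by {@link #encrypt} and returns its payload.
     *
     * @throws IllegalStateException if the input is malformed or cannot be decrypted/authenticated under {@code key}
     */
    private String decrypt(String serializedJwe, byte[] key) {
        try {
            JWEObject jwe = JWEObject.parse(serializedJwe);
            jwe.decrypt(new DirectDecrypter(key));
            return jwe.getPayload().toString();
        } catch (JOSEException | ParseException e) {
            throw new IllegalStateException(e);
        }
    }

    /** Nothing to release: all state lives in the user's attributes. */
    public void close() {
    }

    /**
     * Derives the per-user wrapping key. The user id is the salt: unique per user and stable,
     * so the same key is reproduced on every call. Explicit UTF-8 keeps the salt bytes independent
     * of the JVM's default charset.
     */
    private static byte[] deriveWrappingKey(String secret, UserModel userModel) {
        return pbkdf2(secret.toCharArray(), userModel.getId().getBytes(StandardCharsets.UTF_8), PBKDF2_ITERATIONS, HASH_BYTES);
    }

    /** Same alphabet as {@code RandomStringUtils.randomGraph} (printable ASCII 33..126), fed from {@link #random}. */
    private String randomGraph(int count) {
        return RandomStringUtils.random(count, 33, 126, false, false, (char[]) null, random);
    }

    /** Same alphabet as {@code RandomStringUtils.randomNumeric}, fed from {@link #random}. */
    private String randomNumeric(int count) {
        return RandomStringUtils.random(count, 0, 0, false, true, (char[]) null, random);
    }

    /**
     * PBKDF2 with {@link #PBKDF2_ALGORITHM}.
     *
     * @param password   KDF input
     * @param salt       salt bytes
     * @param iterations iteration count
     * @param keyBytes   desired key length in bytes (the spec takes bits)
     * @throws IllegalStateException if the algorithm or key spec is rejected by the provider
     */
    private static byte[] pbkdf2(char[] password, byte[] salt, int iterations, int keyBytes) {
        try {
            return SecretKeyFactory.getInstance(PBKDF2_ALGORITHM).generateSecret(new PBEKeySpec(password, salt, iterations, keyBytes * 8)).getEncoded();
        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
            throw new IllegalStateException(e);
        }
    }
}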
