package de.adorsys.keycloak.mapper;

import com.nimbusds.jose.EncryptionMethod;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.JWEEncrypter;
import com.nimbusds.jose.JWEHeader;
import com.nimbusds.jose.JWEObject;
import com.nimbusds.jose.Payload;
import com.nimbusds.jose.crypto.DirectDecrypter;
import com.nimbusds.jose.crypto.DirectEncrypter;
import com.nimbusds.jose.jwk.ECKey;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.RSAKey;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.text.ParseException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import org.adorsys.envutils.EnvProperties;
import org.adorsys.jjwk.selector.JWEEncryptedSelector;
import org.adorsys.jjwk.selector.KeyExtractionException;
import org.adorsys.jjwk.selector.UnsupportedEncAlgorithmException;
import org.adorsys.jjwk.selector.UnsupportedKeyLengthException;
import org.apache.commons.lang3.CharEncoding;
import org.apache.commons.lang3.RandomStringUtils;
import org.keycloak.broker.oidc.util.JsonSimpleHttp;
import org.keycloak.models.ClientSessionModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.oidc.mappers.AbstractOIDCProtocolMapper;
import org.keycloak.protocol.oidc.mappers.OIDCAccessTokenMapper;
import org.keycloak.protocol.oidc.mappers.OIDCIDTokenMapper;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.representations.AccessToken;

/* loaded from: input_file:de/adorsys/keycloak/mapper/SecretTokenMapper.class */
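/**
 * Keycloak protocol mapper that hands a per-user secret to resource servers.
 *
 * <p>The secret is kept in the user attribute {@value #CREDENTIAL_TYPE} as a compact JWE
 * encrypted with {@code alg=dir, enc=A128GCM} under the key read from the
 * {@code SECRET_ENCRYPTION_PASSWORD} environment/system property in {@link #postInit}. On each
 * access-token transformation the stored value is decrypted and re-encrypted to the first key
 * of the JWK set published at {@code <REALM_NAME_UPPERCASE>_PUBLIC_KEY_URL}; the result is added
 * to the token as the {@value #CREDENTIAL_TYPE} claim. When that URL is not configured the
 * claim is omitted. A user without a stored secret gets a freshly generated one.
 *
 * <p>{@link #postInit} must run before any token is transformed; the mapper does no other
 * synchronisation of its own.
 */
public class SecretTokenMapper extends AbstractOIDCProtocolMapper implements OIDCAccessTokenMapper, OIDCIDTokenMapper {
    /** This mapper exposes no admin-console configuration. */
    private static final List<ProviderConfigProperty> CONFIG_PROPERTIES = Collections.emptyList();
    public static final String PROVIDER_ID = "secret-token-mapper";
    /** Name of both the user attribute and the token claim that carry the (encrypted) secret. */
    private static final String CREDENTIAL_TYPE = "custom_secret";
    /** Environment/system property holding the key for the stored-secret JWE. */
    private static final String SECRET_ENCRYPTION_PASSWORD_PROPERTY = "SECRET_ENCRYPTION_PASSWORD";
    /** Suffix appended to the upper-cased realm name to find the resource server's JWK set URL. */
    private static final String PUBLIC_KEY_URL_SUFFIX = "_PUBLIC_KEY_URL";
    /** Number of characters in a freshly generated user secret. */
    private static final int SECRET_LENGTH = 16;
    /** Inclusive bounds of the printable-ASCII alphabet used for generated secrets ('!' .. '~'). */
    private static final char MIN_SECRET_CHAR = '!';
    private static final char MAX_SECRET_CHAR = '~';
    // Generated secrets are credentials, so they are drawn from a CSPRNG rather than the
    // java.util.Random-backed RandomStringUtils helpers.
    private static final SecureRandom SECURE_RANDOM = new SecureRandom();

    /** UTF-8 bytes of the configured password, used as the DIR key for stored secrets. */
    private byte[] secretEncryptionPassword;

    /**
     * Loads the secret-encryption key from {@code SECRET_ENCRYPTION_PASSWORD} before the mapper
     * is used.
     *
     * @param keycloakSessionFactory the session factory handed over by Keycloak
     * @throws IllegalStateException if the property is missing or empty
     */
    @Override
    public void postInit(KeycloakSessionFactory keycloakSessionFactory) {
        String password = EnvProperties.getEnvOrSysProp(SECRET_ENCRYPTION_PASSWORD_PROPERTY, false);
        if (password == null || password.isEmpty()) {
            throw new IllegalStateException(SECRET_ENCRYPTION_PASSWORD_PROPERTY + " is not set");
        }
        // NOTE(review): DirectEncrypter/DirectDecrypter are used with A128GCM below, which needs a
        // 128-bit key, i.e. a password of exactly 16 UTF-8 bytes; other lengths only fail at first
        // use with a JOSEException — confirm the deployment contract.
        this.secretEncryptionPassword = password.getBytes(StandardCharsets.UTF_8);
        super.postInit(keycloakSessionFactory);
    }

    @Override
    public String getDisplayCategory() {
        return "Token mapper";
    }

    @Override
    public String getDisplayType() {
        return "User Attribute";
    }

    @Override
    public String getHelpText() {
        return "Map a db user sercret attribute to token.";
    }

    /** @return an empty, unmodifiable list: there is nothing to configure. */
    @Override
    public List<ProviderConfigProperty> getConfigProperties() {
        return CONFIG_PROPERTIES;
    }

    @Override
    public String getId() {
        return PROVIDER_ID;
    }

    /**
     * Adds the user's secret, encrypted for the realm's resource server, as the
     * {@value #CREDENTIAL_TYPE} claim.
     *
     * @return the same {@code accessToken}, unchanged when no public key URL is configured
     * @throws IllegalStateException if the secret cannot be decrypted, fetched for or wrapped
     */
    @Override
    public AccessToken transformAccessToken(AccessToken accessToken, ProtocolMapperModel protocolMapperModel, KeycloakSession keycloakSession, UserSessionModel userSessionModel, ClientSessionModel clientSessionModel) {
        String storedSecret = loadOrCreateStoredSecret(userSessionModel);
        String secretForResourceServer = wrapSecretForResourceServer(storedSecret, userSessionModel, keycloakSession);
        // null means the realm has no public key URL configured: leave the token untouched.
        if (secretForResourceServer != null) {
            accessToken.getOtherClaims().put(CREDENTIAL_TYPE, secretForResourceServer);
        }
        return accessToken;
    }

    /** Returns the user's stored (DIR-encrypted) secret, generating and persisting one if absent. */
    private String loadOrCreateStoredSecret(UserSessionModel userSessionModel) {
        List<String> stored = userSessionModel.getUser().getAttribute(CREDENTIAL_TYPE);
        if (stored == null || stored.isEmpty()) {
            return generateUserSecret(userSessionModel);
        }
        // The attribute is treated as single-valued; only the first entry is used.
        return stored.get(0);
    }

    /**
     * Re-encrypts a stored secret for the realm's resource server.
     *
     * @param storedSecret compact JWE of the secret, encrypted with the local DIR key
     * @param userSessionModel session whose realm name selects the public key URL property
     * @param keycloakSession session used for the outgoing HTTP request
     * @return compact JWE of the plaintext secret encrypted to the first key of the resource
     *     server's JWK set, or {@code null} when {@code <REALM>_PUBLIC_KEY_URL} is not configured
     * @throws IllegalStateException if decryption, key retrieval or encryption fails, if the JWK
     *     set is empty, or if its first key is neither RSA nor EC
     */
    private String wrapSecretForResourceServer(String storedSecret, UserSessionModel userSessionModel, KeycloakSession keycloakSession) {
        try {
            JWEObject stored = JWEObject.parse(storedSecret);
            stored.decrypt(new DirectDecrypter(this.secretEncryptionPassword));
            Payload secret = stored.getPayload();

            String publicKeyUrl = EnvProperties.getEnvOrSysProp(
                    userSessionModel.getRealm().getName().toUpperCase() + PUBLIC_KEY_URL_SUFFIX, true);
            if (publicKeyUrl == null) {
                return null;
            }
            JWK recipientKey = fetchFirstKey(publicKeyUrl, keycloakSession);
            JWEEncrypter encrypter = JWEEncryptedSelector.geEncrypter(recipientKey, (JWEAlgorithm) null, (EncryptionMethod) null);
            JWEObject wrapped = new JWEObject(getHeader(recipientKey), secret);
            wrapped.encrypt(encrypter);
            return wrapped.serialize();
        } catch (JOSEException | IOException | ParseException | KeyExtractionException
                | UnsupportedEncAlgorithmException | UnsupportedKeyLengthException e) {
            throw new IllegalStateException("Cannot wrap user secret for resource server", e);
        }
    }

    /**
     * Downloads the JWK set at {@code url} and returns its first key.
     *
     * <p>NOTE(review): nothing here pins or verifies the key, so trust rests entirely on the
     * transport of the configured URL — it should be an https URL.
     *
     * @throws IllegalStateException if the JWK set holds no keys
     */
    private static JWK fetchFirstKey(String url, KeycloakSession keycloakSession) throws IOException, ParseException {
        String jwkSetJson = JsonSimpleHttp.asJson(JsonSimpleHttp.doGet(url, keycloakSession)).toString();
        List<JWK> keys = JWKSet.parse(jwkSetJson).getKeys();
        if (keys.isEmpty()) {
            throw new IllegalStateException("JWK set at " + url + " contains no keys");
        }
        return keys.get(0);
    }

    /**
     * Builds the JWE header for the recipient key, carrying its key id.
     *
     * @throws JOSEException if the key is neither RSA nor EC (previously this returned
     *     {@code null}, which {@code JWEObject} rejected with an unrelated
     *     {@code IllegalArgumentException})
     */
    private static JWEHeader getHeader(JWK jwk) throws JOSEException {
        JWEHeader base;
        if (jwk instanceof RSAKey) {
            base = new JWEHeader(JWEAlgorithm.RSA_OAEP, EncryptionMethod.A128GCM);
        } else if (jwk instanceof ECKey) {
            base = new JWEHeader(JWEAlgorithm.ECDH_ES_A128KW, EncryptionMethod.A192GCM);
        } else {
            throw new JOSEException("Unsupported JWK type for secret wrapping: " + jwk.getKeyType());
        }
        return new JWEHeader.Builder(base).keyID(jwk.getKeyID()).build();
    }

    /**
     * Generates a fresh random secret, stores it DIR-encrypted in the user's
     * {@value #CREDENTIAL_TYPE} attribute and returns the stored (encrypted) form.
     *
     * @throws IllegalStateException if encryption with the configured key fails
     */
    private String generateUserSecret(UserSessionModel userSessionModel) {
        JWEHeader header = new JWEHeader.Builder(JWEAlgorithm.DIR, EncryptionMethod.A128GCM).build();
        JWEObject jwe = new JWEObject(header, new Payload(randomSecret(SECRET_LENGTH)));
        try {
            jwe.encrypt(new DirectEncrypter(this.secretEncryptionPassword));
            String stored = jwe.serialize();
            userSessionModel.getUser().setAttribute(CREDENTIAL_TYPE, Arrays.asList(stored));
            return stored;
        } catch (JOSEException e) {
            throw new IllegalStateException("Cannot encrypt generated user secret", e);
        }
    }

    /**
     * Returns {@code length} printable ASCII characters ('!' .. '~') drawn from
     * {@link SecureRandom}. Same alphabet as {@code RandomStringUtils.randomGraph}, which is
     * backed by {@code java.util.Random} and therefore unsuitable for credentials.
     */
    private static String randomSecret(int length) {
        int alphabetSize = MAX_SECRET_CHAR - MIN_SECRET_CHAR + 1;
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            sb.append((char) (MIN_SECRET_CHAR + SECURE_RANDOM.nextInt(alphabetSize)));
        }
        return sb.toString();
    }
}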
