package io.quarkus.devservices.oidc;

import io.quarkus.deployment.IsNormal;
import io.quarkus.deployment.annotations.BuildProducer;
import io.quarkus.deployment.annotations.BuildStep;
import io.quarkus.deployment.annotations.BuildSteps;
import io.quarkus.deployment.bean.JavaBeanUtil;
import io.quarkus.deployment.builditem.CuratedApplicationShutdownBuildItem;
import io.quarkus.deployment.builditem.DevServicesResultBuildItem;
import io.quarkus.deployment.builditem.DockerStatusBuildItem;
import io.quarkus.deployment.dev.devservices.DevServicesConfig;
import io.quarkus.runtime.configuration.ConfigUtils;
import io.smallrye.jwt.build.Jwt;
import io.vertx.core.http.HttpServerOptions;
import io.vertx.core.json.JsonObject;
import io.vertx.mutiny.core.Vertx;
import io.vertx.mutiny.core.http.HttpServer;
import io.vertx.mutiny.ext.web.Router;
import io.vertx.mutiny.ext.web.RoutingContext;
import io.vertx.mutiny.ext.web.handler.BodyHandler;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.runtime.ObjectMethods;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.interfaces.RSAPublicKey;
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.StringTokenizer;
import java.util.UUID;
import java.util.stream.Collectors;
import org.eclipse.microprofile.config.ConfigProvider;
import org.eclipse.microprofile.jwt.Claims;
import org.jboss.logging.Logger;
import org.jose4j.base64url.Base64Url;

@BuildSteps(onlyIfNot = {IsNormal.class}, onlyIf = {DevServicesConfig.Enabled.class})
/* loaded from: input_file:io/quarkus/devservices/oidc/OidcDevServicesProcessor.class */
public class OidcDevServicesProcessor {
    private static final Logger LOG = Logger.getLogger(OidcDevServicesProcessor.class);
    private static final String CONFIG_PREFIX = "quarkus.oidc.";
    private static final String OIDC_ENABLED = "quarkus.oidc.enabled";
    private static final String TENANT_ENABLED_CONFIG_KEY = "quarkus.oidc.tenant-enabled";
    private static final String AUTH_SERVER_URL_CONFIG_KEY = "quarkus.oidc.auth-server-url";
    private static final String PROVIDER_CONFIG_KEY = "quarkus.oidc.provider";
    private static final String APPLICATION_TYPE_CONFIG_KEY = "quarkus.oidc.application-type";
    private static final String CLIENT_ID_CONFIG_KEY = "quarkus.oidc.client-id";
    private static final String CLIENT_SECRET_CONFIG_KEY = "quarkus.oidc.credentials.secret";
    private static volatile KeyPair kp;
    private static volatile String kid;
    private static volatile String baseURI;
    private static volatile String clientId;
    private static volatile String clientSecret;
    private static volatile String applicationType;
    private static volatile Map<String, String> configProperties;
    private static volatile Map<String, List<String>> userToDefaultRoles;
    private static volatile Runnable closeDevServiceTask;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:io/quarkus/devservices/oidc/OidcDevServicesProcessor$UserAndRoles.class */
    public static final class UserAndRoles extends Record {
        private final String user;
        private final String roles;

        private UserAndRoles(String str, String str2) {
            this.user = str;
            this.roles = str2;
        }

        private String encode() {
            return Base64.getUrlEncoder().encodeToString((this.user + "|" + this.roles).getBytes(StandardCharsets.UTF_8));
        }

        private Set<String> getRolesAsSet() {
            return (this.roles == null || this.roles.isEmpty()) ? Set.of() : new HashSet(Arrays.asList(this.roles.split("[,\\s]+")));
        }

        @Override // java.lang.Record
        public final String toString() {
            return (String) ObjectMethods.bootstrap(MethodHandles.lookup(), "toString", MethodType.methodType(String.class, UserAndRoles.class), UserAndRoles.class, "user;roles", "FIELD:Lio/quarkus/devservices/oidc/OidcDevServicesProcessor$UserAndRoles;->user:Ljava/lang/String;", "FIELD:Lio/quarkus/devservices/oidc/OidcDevServicesProcessor$UserAndRoles;->roles:Ljava/lang/String;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final int hashCode() {
            return (int) ObjectMethods.bootstrap(MethodHandles.lookup(), "hashCode", MethodType.methodType(Integer.TYPE, UserAndRoles.class), UserAndRoles.class, "user;roles", "FIELD:Lio/quarkus/devservices/oidc/OidcDevServicesProcessor$UserAndRoles;->user:Ljava/lang/String;", "FIELD:Lio/quarkus/devservices/oidc/OidcDevServicesProcessor$UserAndRoles;->roles:Ljava/lang/String;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final boolean equals(Object obj) {
            return (boolean) ObjectMethods.bootstrap(MethodHandles.lookup(), "equals", MethodType.methodType(Boolean.TYPE, UserAndRoles.class, Object.class), UserAndRoles.class, "user;roles", "FIELD:Lio/quarkus/devservices/oidc/OidcDevServicesProcessor$UserAndRoles;->user:Ljava/lang/String;", "FIELD:Lio/quarkus/devservices/oidc/OidcDevServicesProcessor$UserAndRoles;->roles:Ljava/lang/String;").dynamicInvoker().invoke(this, obj) /* invoke-custom */;
        }

        public String user() {
            return this.user;
        }

        public String roles() {
            return this.roles;
        }
    }

    @BuildStep
    DevServicesResultBuildItem startServer(CuratedApplicationShutdownBuildItem curatedApplicationShutdownBuildItem, OidcDevServicesConfig oidcDevServicesConfig, DockerStatusBuildItem dockerStatusBuildItem, BuildProducer<OidcDevServicesConfigBuildItem> buildProducer) {
        if (shouldNotStartServer(oidcDevServicesConfig, dockerStatusBuildItem)) {
            closeDevSvcIfNecessary();
            return null;
        }
        userToDefaultRoles = oidcDevServicesConfig.roles();
        if (closeDevServiceTask == null) {
            LOG.info("Starting Dev Services for OIDC");
            final Vertx vertx = Vertx.vertx();
            HttpServerOptions httpServerOptions = new HttpServerOptions();
            httpServerOptions.setPort(0);
            final HttpServer createHttpServer = vertx.createHttpServer(httpServerOptions);
            Router router = Router.router(vertx);
            createHttpServer.requestHandler(router);
            registerRoutes(router);
            createHttpServer.listenAndAwait();
            baseURI = "http://localhost:" + createHttpServer.actualPort();
            closeDevServiceTask = new Runnable() { // from class: io.quarkus.devservices.oidc.OidcDevServicesProcessor.1
                private volatile boolean closed = false;

                @Override // java.lang.Runnable
                public void run() {
                    if (this.closed) {
                        return;
                    }
                    this.closed = true;
                    io.vertx.core.http.HttpServer delegate = createHttpServer.getDelegate();
                    Vertx vertx2 = vertx;
                    delegate.close(asyncResult -> {
                        if (asyncResult != null && asyncResult.failed()) {
                            OidcDevServicesProcessor.LOG.error("Failed to close HTTP Server", asyncResult.cause());
                        }
                        vertx2.getDelegate().close(asyncResult -> {
                            if (asyncResult == null || !asyncResult.failed()) {
                                return;
                            }
                            OidcDevServicesProcessor.LOG.error("Failed to close Vertx instance", asyncResult.cause());
                        });
                    });
                }
            };
            curatedApplicationShutdownBuildItem.addCloseTask(OidcDevServicesProcessor::closeDevSvcIfNecessary, true);
            updateDevSvcConfigProperties();
            LOG.infof("Dev Services for OIDC started on %s", baseURI);
        } else if (!getOidcClientId().equals(clientId) || !getOidcApplicationType().equals(applicationType)) {
            updateDevSvcConfigProperties();
        }
        buildProducer.produce(new OidcDevServicesConfigBuildItem(configProperties));
        return new DevServicesResultBuildItem.RunningDevService("oidc-dev-services", (String) null, () -> {
        }, configProperties).toBuildItem();
    }

    private static void closeDevSvcIfNecessary() {
        if (closeDevServiceTask != null) {
            closeDevServiceTask.run();
            closeDevServiceTask = null;
        }
    }

    private static boolean shouldNotStartServer(OidcDevServicesConfig oidcDevServicesConfig, DockerStatusBuildItem dockerStatusBuildItem) {
        if (oidcDevServicesConfig.enabled().isPresent() && !oidcDevServicesConfig.enabled().get().booleanValue()) {
            LOG.debug("Not starting Dev Services for OIDC as it has been disabled in the config");
            return true;
        }
        if (oidcDevServicesConfig.enabled().isEmpty() && dockerStatusBuildItem.isContainerRuntimeAvailable()) {
            LOG.debug("Not starting Dev Services for OIDC as detected support the container functionality");
            return true;
        }
        if (!isOidcEnabled()) {
            LOG.debug("Not starting Dev Services for OIDC as OIDC extension has been disabled in the config");
            return true;
        }
        if (!isOidcTenantEnabled()) {
            LOG.debug("Not starting Dev Services for OIDC as 'quarkus.oidc.tenant.enabled' is false");
            return true;
        }
        if (ConfigUtils.isPropertyPresent(AUTH_SERVER_URL_CONFIG_KEY)) {
            LOG.debug("Not starting Dev Services for OIDC as 'quarkus.oidc.auth-server-url' has been provided");
            return true;
        }
        if (!ConfigUtils.isPropertyPresent(PROVIDER_CONFIG_KEY)) {
            return false;
        }
        LOG.debug("Not starting Dev Services for OIDC as 'quarkus.oidc.provider' has been provided");
        return true;
    }

    private static void updateDevSvcConfigProperties() {
        clientId = getOidcClientId();
        clientSecret = getOidcClientSecret();
        applicationType = getOidcApplicationType();
        HashMap hashMap = new HashMap();
        hashMap.put(AUTH_SERVER_URL_CONFIG_KEY, baseURI);
        hashMap.put(APPLICATION_TYPE_CONFIG_KEY, applicationType);
        hashMap.put(CLIENT_ID_CONFIG_KEY, clientId);
        hashMap.put(CLIENT_SECRET_CONFIG_KEY, clientSecret);
        configProperties = Map.copyOf(hashMap);
    }

    private static void registerRoutes(Router router) {
        BodyHandler create = BodyHandler.create();
        router.get("/").handler(OidcDevServicesProcessor::mainRoute);
        router.get("/.well-known/openid-configuration").handler(OidcDevServicesProcessor::configuration);
        router.get("/authorize").handler(OidcDevServicesProcessor::authorize);
        router.post("/login").handler(create).handler(OidcDevServicesProcessor::login);
        router.post("/token").handler(create).handler(OidcDevServicesProcessor::token);
        router.get("/keys").handler(OidcDevServicesProcessor::getKeys);
        router.get("/logout").handler(OidcDevServicesProcessor::logout);
        router.get("/userinfo").handler(OidcDevServicesProcessor::userInfo);
        try {
            KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
            keyPairGenerator.initialize(2048);
            kp = keyPairGenerator.generateKeyPair();
            kid = createKeyId();
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException(e);
        }
    }

    private static List<String> getUsers() {
        if (userToDefaultRoles.isEmpty()) {
            return Arrays.asList("alice", "bob");
        }
        ArrayList arrayList = new ArrayList(userToDefaultRoles.keySet());
        Collections.sort(arrayList);
        return arrayList;
    }

    private static List<String> getUserRoles(String str) {
        List<String> list = userToDefaultRoles.get(str);
        return list == null ? "alice".equals(str) ? List.of("admin", "user") : List.of("user") : list;
    }

    private static boolean isOidcEnabled() {
        return ((Boolean) ConfigProvider.getConfig().getValue(OIDC_ENABLED, Boolean.class)).booleanValue();
    }

    private static boolean isOidcTenantEnabled() {
        return ((Boolean) ConfigProvider.getConfig().getOptionalValue(TENANT_ENABLED_CONFIG_KEY, Boolean.class).orElse(true)).booleanValue();
    }

    private static String getOidcApplicationType() {
        return (String) ConfigProvider.getConfig().getOptionalValue(APPLICATION_TYPE_CONFIG_KEY, String.class).orElse("service");
    }

    private static String getOidcClientId() {
        return (String) ConfigProvider.getConfig().getOptionalValue(CLIENT_ID_CONFIG_KEY, String.class).orElse("quarkus-app");
    }

    private static String getOidcClientSecret() {
        return (String) ConfigProvider.getConfig().getOptionalValue(CLIENT_SECRET_CONFIG_KEY, String.class).orElseGet(() -> {
            return UUID.randomUUID().toString();
        });
    }

    private static void mainRoute(RoutingContext routingContext) {
        routingContext.response().endAndForget("OIDC server up and running");
    }

    private static void configuration(RoutingContext routingContext) {
        String formatted = "{\n   \"token_endpoint\":\"%1$s/token\",\n   \"token_endpoint_auth_methods_supported\":[\n      \"client_secret_post\",\n      \"private_key_jwt\",\n      \"client_secret_basic\"\n   ],\n   \"jwks_uri\":\"%1$s/keys\",\n   \"response_modes_supported\":[\n      \"query\"\n   ],\n   \"subject_types_supported\":[\n      \"pairwise\"\n   ],\n   \"id_token_signing_alg_values_supported\":[\n      \"RS256\"\n   ],\n   \"response_types_supported\":[\n      \"code\",\n      \"id_token\",\n      \"code id_token\",\n      \"id_token token\",\n      \"code id_token token\"\n   ],\n   \"scopes_supported\":[\n      \"openid\",\n      \"profile\",\n      \"email\",\n      \"offline_access\"\n   ],\n   \"issuer\":\"%1$s\",\n   \"request_uri_parameter_supported\":false,\n   \"userinfo_endpoint\":\"%1$s/userinfo\",\n   \"authorization_endpoint\":\"%1$s/authorize\",\n   \"device_authorization_endpoint\":\"%1$s/devicecode\",\n   \"http_logout_supported\":true,\n   \"frontchannel_logout_supported\":true,\n   \"end_session_endpoint\":\"%1$s/logout\",\n   \"claims_supported\":[\n      \"sub\",\n      \"iss\",\n      \"aud\",\n      \"exp\",\n      \"iat\",\n      \"auth_time\",\n      \"acr\",\n      \"nonce\",\n      \"preferred_username\",\n      \"name\",\n      \"tid\",\n      \"ver\",\n      \"at_hash\",\n      \"c_hash\",\n      \"email\"\n   ]\n}\n".formatted(baseURI);
        routingContext.response().putHeader("Content-Type", "application/json");
        routingContext.endAndForget(formatted);
    }

    private static void authorize(RoutingContext routingContext) {
        String str = routingContext.request().params().get("response_type");
        String str2 = routingContext.request().params().get("client_id");
        String str3 = routingContext.request().params().get("scope");
        try {
            URI uri = new URI(routingContext.request().params().get("redirect_uri") + "?state=" + routingContext.request().params().get("state"));
            StringBuilder sb = new StringBuilder();
            for (String str4 : getUsers()) {
                sb.append("   <button name='predefined-" + str4 + "' class='link' type='submit' value='").append(str4).append("' title='Log in as ").append(str4).append(" with roles: ").append(String.join(",", getUserRoles(str4))).append("'>").append(str4).append("</button>\n");
            }
            routingContext.response().endAndForget("<html>\n <head>\n  <title>Login</title>\n  <style>\n        body {\n        display: flex;\n        flex-direction: column;\n        background-color: hsla(210, 10%, 23%, 1.0);\n        color: hsla(214, 96%, 96%, 0.9);\n        height: 100vh;\n        align-items: center;\n        justify-content: center;\n        margin: 0px;\n        font-family: -apple-system, BlinkMacSystemFont, 'Roboto', 'Segoe UI', Helvetica, Arial, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol';\n      }\n      .card {\n        display: flex;\n        flex-direction: column;\n        justify-content: space-between;\n        border: 1px solid hsla(214, 60%, 80%, 0.14);\n        border-radius: 4px;\n        width: 400px;\n        filter: brightness(90%);\n      }\n      .card-header {\n        font-size: 1.125rem;\n        line-height: 1;\n        height: 25px;\n        display: flex;\n        flex-direction: row;\n        justify-content: space-between;\n        align-items: center;\n        padding: 10px 10px;\n        background-color: hsla(214, 65%, 85%, 0.06);\n        border-bottom: 1px solid hsla(214, 60%, 80%, 0.14);\n      }\n      .card-body {\n        line-height: 1;\n        display: flex;\n        flex-direction: column;\n        justify-content: space-between;\n        padding: 10px 10px;\n        gap: 10px;\n      }\n      .card:hover {\n        box-shadow: 0 4px 8px 0 rgba(0,0,0,0.2);\n      }\n      .predefined-form {\n        display: flex;\n        flex-direction: column;\n        align-items: flex-start;\n        gap: 10px;\n      }\n      .link {\n        background: none!important;\n        border: none;\n        color: hsla(214, 96%, 96%, 0.9);\n        padding: 0!important;\n        text-decoration: none;\n        cursor: pointer;\n        font-size: large;\n      }\n      .link:hover {\n        filter: brightness(90%);\n      }\n      .custom-link{\n        display: flex;\n        font-size: large;\n        padding-top: 4px;\n        cursor: pointer;\n      }\n      .custom-form {\n        display: flex;\n        flex-direction: column;\n        gap: 5px;\n        padding-top: 5px;\n      }\n      .custom-button {\n        background: hsla(145, 65%, 42%, 0.5);\n        border: unset;\n        color: hsla(214, 96%, 96%, 0.9);\n        font-size: large;\n        cursor: pointer;\n      }\n      .custom-button:hover {\n        filter: brightness(90%);\n      }\n  </style>\n </head>\n <body>\n  <div class='card'>\n   <div class='card-header'>\n    <div>Login</div>\n   </div>\n   <div class='card-body'>\n    <form class='predefined-form' action='/login' method='post'>\n" + "    <input type='hidden' name='redirect_uri' value='%1$s'>\n    <input type='hidden' name='response_type' value='%3$s'>\n    <input type='hidden' name='client_id' value='%4$s'>\n    <input type='hidden' name='scope' value='%5$s'>\n        %2$s\n    </form>\n    <details>\n     <summary class='custom-link'>Custom user</summary>\n     <form class='custom-form' action='/login' method='post'>\n      <input type='hidden' name='redirect_uri' value='%1$s'>\n      <input type='hidden' name='response_type' value='%3$s'>\n      <input type='hidden' name='client_id' value='%4$s'>\n      <input type='hidden' name='scope' value='%5$s'>\n      <input type='text' name='name' placeholder='Name'><br/>\n      <input type='text' name='roles' placeholder='Roles (comma-separated)'><br/>\n      <button class='custom-button' type='submit' name='login'>Login</button>\n     </form>\n    </details>\n   </div>\n  </div>\n </body>\n</html>\n".formatted(uri.toASCIIString(), sb, str, str2, str3));
        } catch (URISyntaxException e) {
            throw new RuntimeException(e);
        }
    }

    private static void login(RoutingContext routingContext) {
        String str = routingContext.request().params().get("redirect_uri");
        String str2 = null;
        Iterator it = routingContext.request().params().iterator();
        while (true) {
            if (!it.hasNext()) {
                break;
            }
            Map.Entry entry = (Map.Entry) it.next();
            if (((String) entry.getKey()).startsWith("predefined")) {
                str2 = (String) entry.getValue();
                break;
            }
        }
        String str3 = routingContext.request().params().get("name");
        String str4 = routingContext.request().params().get("roles");
        String str5 = routingContext.request().params().get("scope");
        String str6 = routingContext.request().params().get("client_id");
        String str7 = routingContext.request().params().get("response_type");
        if (str2 != null) {
            str3 = str2;
            str4 = String.join(",", getUserRoles(str3));
        }
        if (str3 == null || str3.isBlank()) {
            str3 = "user";
        }
        if (str7 == null || str7.isEmpty()) {
            routingContext.response().setStatusCode(500).endAndForget("Illegal state - the 'response_type' parameter is required");
            return;
        }
        StringBuilder sb = new StringBuilder();
        if (str7.contains("code")) {
            sb.append("&code=").append(new UserAndRoles(str3, str4).encode());
        }
        if (str7.contains("idtoken")) {
            sb.append("&id_token=").append(createIdToken(str3, getUserRolesSet(str4), str6));
        }
        if (str7.contains(" token")) {
            sb.append("&access_token=").append(createAccessToken(str3, getUserRolesSet(str4), getScopeAsSet(str5)));
        }
        routingContext.response().putHeader("Location", str + String.valueOf(sb)).setStatusCode(302).endAndForget();
    }

    private static void token(RoutingContext routingContext) {
        String str = routingContext.request().formAttributes().get("grant_type");
        boolean z = -1;
        switch (str.hashCode()) {
            case -1432035435:
                if (str.equals("refresh_token")) {
                    z = true;
                    break;
                }
                break;
            case 290069640:
                if (str.equals("client_credentials")) {
                    z = 2;
                    break;
                }
                break;
            case 1216985755:
                if (str.equals("password")) {
                    z = 3;
                    break;
                }
                break;
            case 1571154419:
                if (str.equals("authorization_code")) {
                    z = false;
                    break;
                }
                break;
        }
        switch (z) {
            case false:
                authorizationCodeFlowTokenEndpoint(routingContext);
                return;
            case true:
                refreshTokenEndpoint(routingContext);
                return;
            case true:
                clientCredentialsTokenEndpoint(routingContext);
                return;
            case true:
                passwordTokenEndpoint(routingContext);
                return;
            default:
                routingContext.response().setStatusCode(400).putHeader("Content-Type", "application/json").putHeader("Cache-Control", "no-store").endAndForget("Unsupported grant type: " + str);
                return;
        }
    }

    private static void passwordTokenEndpoint(RoutingContext routingContext) {
        String str = routingContext.request().formAttributes().get("scope");
        String str2 = routingContext.request().formAttributes().get("client_id");
        String str3 = routingContext.request().formAttributes().get("username");
        if (str2 == null || str2.isEmpty()) {
            LOG.warn("Invalid client ID, denying token request");
            invalidTokenResponse(routingContext);
        } else if (str3 == null || str3.isEmpty()) {
            LOG.warn("Invalid username, denying token request");
            invalidTokenResponse(routingContext);
        } else {
            List<String> userRoles = getUserRoles(str3);
            routingContext.response().putHeader("Content-Type", "application/json").putHeader("Cache-Control", "no-store").endAndForget("{\n  \"access_token\":\"%s\",\n  \"token_type\":\"Bearer\",\n  \"expires_in\":3600,\n  \"refresh_token\":\"%s\"\n}\n".formatted(createAccessToken(str3, new HashSet(userRoles), getScopeAsSet(str)), new UserAndRoles(str3, String.join(",", userRoles)).encode()));
        }
    }

    private static void clientCredentialsTokenEndpoint(RoutingContext routingContext) {
        String str = routingContext.request().formAttributes().get("scope");
        String str2 = routingContext.request().formAttributes().get("client_id");
        if (str2 != null && !str2.isEmpty()) {
            routingContext.response().putHeader("Content-Type", "application/json").putHeader("Cache-Control", "no-store").endAndForget("{\n      \"access_token\": \"%s\",\n      \"token_type\": \"Bearer\",\n      \"expires_in\": 3600\n}\n".formatted(createAccessToken(str2, new HashSet(getUserRoles(str2)), getScopeAsSet(str))));
        } else {
            LOG.warn("Invalid client ID, denying token request");
            invalidTokenResponse(routingContext);
        }
    }

    private static void refreshTokenEndpoint(RoutingContext routingContext) {
        String str = routingContext.request().formAttributes().get("client_id");
        String str2 = routingContext.request().formAttributes().get("client_secret");
        String str3 = routingContext.request().formAttributes().get("scope");
        if (str == null || str.isEmpty()) {
            LOG.warn("Invalid client ID, denying token refresh");
            invalidTokenResponse(routingContext);
            return;
        }
        if (str2 == null || str2.isEmpty()) {
            LOG.warn("Invalid client secret, denying token refresh");
            invalidTokenResponse(routingContext);
            return;
        }
        String str4 = routingContext.request().formAttributes().get("refresh_token");
        UserAndRoles decode = decode(str4);
        if (decode != null) {
            routingContext.response().putHeader("Content-Type", "application/json").putHeader("Cache-Control", "no-store").endAndForget("{\n   \"access_token\": \"%s\",\n   \"token_type\": \"Bearer\",\n   \"refresh_token\": \"%s\",\n   \"expires_in\": 3600\n}\n".formatted(createAccessToken(decode.user, decode.getRolesAsSet(), getScopeAsSet(str3)), str4));
        } else {
            LOG.warn("Received invalid refresh token, denying token refresh");
            invalidTokenResponse(routingContext);
        }
    }

    private static void authorizationCodeFlowTokenEndpoint(RoutingContext routingContext) {
        String str = routingContext.request().formAttributes().get("client_id");
        if (str == null || str.isEmpty()) {
            str = clientId;
        }
        String str2 = routingContext.request().formAttributes().get("scope");
        UserAndRoles decode = decode(routingContext.request().formAttributes().get("code"));
        if (decode == null) {
            invalidTokenResponse(routingContext);
        } else {
            routingContext.response().putHeader("Content-Type", "application/json").putHeader("Cache-Control", "no-store").endAndForget("{\n \"token_type\":\"Bearer\",\n \"scope\":\"openid email profile\",\n \"expires_in\":3600,\n \"ext_expires_in\":3600,\n \"access_token\":\"%s\",\n \"id_token\":\"%s\",\n \"refresh_token\": \"%s\"\n }\n".formatted(createAccessToken(decode.user, decode.getRolesAsSet(), getScopeAsSet(str2)), createIdToken(decode.user, decode.getRolesAsSet(), str), decode.encode()));
        }
    }

    private static void invalidTokenResponse(RoutingContext routingContext) {
        routingContext.response().setStatusCode(400).putHeader("Content-Type", "application/json").putHeader("Cache-Control", "no-store").endAndForget("{\n   \"error\": \"invalid_request\"\n}\n");
    }

    private static String createIdToken(String str, Set<String> set, String str2) {
        return Jwt.claims().expiresIn(Duration.ofDays(1L)).issuedAt(Instant.now()).issuer(baseURI).audience(str2).subject(str).upn(str).claim("name", JavaBeanUtil.capitalize(str)).claim(Claims.preferred_username, str + "@example.com").claim(Claims.email, str + "@example.com").groups(set).jws().keyId(kid).sign(kp.getPrivate());
    }

    private static String createAccessToken(String str, Set<String> set, Set<String> set2) {
        return Jwt.claims().expiresIn(Duration.ofDays(1L)).issuedAt(Instant.now()).issuer(baseURI).subject(str).scope(set2).upn(str).claim("name", JavaBeanUtil.capitalize(str)).claim(Claims.preferred_username, str + "@example.com").claim(Claims.email, str + "@example.com").groups(set).jws().keyId(kid).sign(kp.getPrivate());
    }

    private static void getKeys(RoutingContext routingContext) {
        RSAPublicKey rSAPublicKey = (RSAPublicKey) kp.getPublic();
        routingContext.response().putHeader("Content-Type", "application/json").endAndForget("{\n  \"keys\": [\n    {\n      \"alg\": \"RS256\",\n      \"kty\": \"RSA\",\n      \"n\": \"%s\",\n      \"use\": \"sig\",\n      \"kid\": \"%s\",\n      \"issuer\": \"%s\",\n      \"e\": \"%s\"\n    }\n  ]\n}\n".formatted(Base64.getUrlEncoder().encodeToString(rSAPublicKey.getModulus().toByteArray()), kid, baseURI, Base64.getUrlEncoder().encodeToString(rSAPublicKey.getPublicExponent().toByteArray())));
    }

    private static void logout(RoutingContext routingContext) {
        routingContext.response().putHeader("Location", routingContext.request().params().get("post_logout_redirect_uri")).setStatusCode(302).endAndForget();
    }

    private static void userInfo(RoutingContext routingContext) {
        JsonObject decodeJwtContent;
        String header = routingContext.request().getHeader("Authorization");
        if (header == null || !header.startsWith("Bearer ") || (decodeJwtContent = decodeJwtContent(header.substring("Bearer ".length()))) == null || !decodeJwtContent.containsKey(Claims.preferred_username.name())) {
            routingContext.response().setStatusCode(401).endAndForget("WWW-Authenticate: Bearer error=\"invalid_token\"");
        } else {
            routingContext.response().putHeader("Content-Type", "application/json").endAndForget("{\n    \"preferred_username\": \"%1$s\",\n    \"sub\": \"%2$s\",\n    \"name\": \"%2$s\",\n    \"family_name\": \"%2$s\",\n    \"given_name\": \"%2$s\",\n    \"email\": \"%3$s\"\n}\n".formatted(decodeJwtContent.getString(Claims.preferred_username.name()), decodeJwtContent.getString(Claims.sub.name()), decodeJwtContent.getString(Claims.email.name())));
        }
    }

    private static UserAndRoles decode(String str) {
        if (str == null || str.isEmpty()) {
            return null;
        }
        String str2 = new String(Base64.getUrlDecoder().decode(str), StandardCharsets.UTF_8);
        int indexOf = str2.indexOf(124);
        if (indexOf == -1) {
            if (getUsers().contains(str2)) {
                return new UserAndRoles(str2, String.join(",", getUserRoles(str2)));
            }
            return null;
        }
        String substring = str2.substring(0, indexOf);
        String substring2 = str2.substring(indexOf + 1);
        if (substring2.isBlank()) {
            substring2 = String.join(",", getUserRoles(substring));
        }
        return new UserAndRoles(substring, substring2);
    }

    private static JsonObject decodeJwtContent(String str) {
        String jwtContentPart = getJwtContentPart(str);
        if (jwtContentPart == null) {
            return null;
        }
        return decodeAsJsonObject(jwtContentPart);
    }

    private static String getJwtContentPart(String str) {
        StringTokenizer stringTokenizer = new StringTokenizer(str, ".");
        stringTokenizer.nextToken();
        if (!stringTokenizer.hasMoreTokens()) {
            return null;
        }
        String nextToken = stringTokenizer.nextToken();
        if (stringTokenizer.countTokens() != 1) {
            return null;
        }
        return nextToken;
    }

    private static String base64UrlDecode(String str) {
        return new String(Base64.getUrlDecoder().decode(str), StandardCharsets.UTF_8);
    }

    private static JsonObject decodeAsJsonObject(String str) {
        try {
            return new JsonObject(base64UrlDecode(str));
        } catch (IllegalArgumentException e) {
            return null;
        }
    }

    private static Set<String> getUserRolesSet(String str) {
        return (str == null || str.isEmpty()) ? Set.of() : (Set) Arrays.stream(str.split(",")).map((v0) -> {
            return v0.trim();
        }).collect(Collectors.toSet());
    }

    private static Set<String> getScopeAsSet(String str) {
        return (str == null || str.isEmpty()) ? Set.of() : (Set) Arrays.stream(str.split(" ")).collect(Collectors.toSet());
    }

    private static String createKeyId() {
        try {
            return Base64Url.encode(MessageDigest.getInstance("SHA-256").digest(kp.getPrivate().getEncoded()));
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException("Failed to generate key id", e);
        }
    }
}
