package org.apache.tomee.security.cdi.openid;

import jakarta.enterprise.context.ApplicationScoped;
import jakarta.inject.Inject;
import jakarta.json.Json;
import jakarta.json.JsonObject;
import jakarta.json.JsonReader;
import jakarta.security.enterprise.authentication.mechanism.http.HttpMessageContext;
import jakarta.security.enterprise.authentication.mechanism.http.OpenIdAuthenticationMechanismDefinition;
import jakarta.security.enterprise.credential.Credential;
import jakarta.security.enterprise.identitystore.CredentialValidationResult;
import jakarta.security.enterprise.identitystore.IdentityStore;
import jakarta.security.enterprise.identitystore.openid.AccessToken;
import jakarta.security.enterprise.identitystore.openid.IdentityToken;
import jakarta.ws.rs.client.Client;
import jakarta.ws.rs.client.ClientBuilder;
import jakarta.ws.rs.core.MediaType;
import jakarta.ws.rs.core.Response;
import java.io.StringReader;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.function.Consumer;
import org.apache.openejb.util.LogCategory;
import org.apache.openejb.util.Logger;
import org.apache.tomee.security.cdi.openid.storage.OpenIdStorageHandler;
import org.apache.tomee.security.http.openid.JwtValidators;
import org.apache.tomee.security.http.openid.model.TokenResponse;
import org.apache.tomee.security.http.openid.model.TomEEAccesToken;
import org.apache.tomee.security.http.openid.model.TomEEIdentityToken;
import org.apache.tomee.security.http.openid.model.TomEEOpenIdCredential;
import org.apache.tomee.security.http.openid.model.TomEERefreshToken;
import org.jose4j.http.Get;
import org.jose4j.jwk.HttpsJwks;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.keys.resolvers.HttpsJwksVerificationKeyResolver;

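/**
 * {@link IdentityStore} for OpenID Connect logins.
 *
 * <p>Given a {@link TomEEOpenIdCredential}, it verifies the access token and the ID token with a
 * {@link JwtConsumer} whose keys are resolved from the provider's JWKS endpoint, populates the
 * {@link TomEEOpenIdContext} (access / identity / refresh tokens and userinfo claims) and derives the
 * caller name and groups from the configured claim names.
 */
@ApplicationScoped
/* loaded from: input_file:lib/tomee-security-10.0.0-M2.jar:org/apache/tomee/security/cdi/openid/OpenIdIdentityStore.class */
public class OpenIdIdentityStore implements IdentityStore {
    private static final Logger LOGGER = Logger.getInstance(LogCategory.TOMEE_SECURITY, OpenIdIdentityStore.class);

    @Inject
    private OpenIdAuthenticationMechanismDefinition definition;

    @Inject
    private TomEEOpenIdContext openIdContext;

    @Inject
    private OpenIdStorageHandler storageHandler;

    /**
     * Validates an OpenID credential and fills the OpenID context.
     *
     * @param credential the credential; anything other than a {@link TomEEOpenIdCredential} yields
     *                   {@link CredentialValidationResult#NOT_VALIDATED_RESULT}
     * @return {@link CredentialValidationResult#INVALID_RESULT} when the ID token does not verify,
     *         otherwise a result carrying the resolved caller name and caller groups
     */
    @Override
    public CredentialValidationResult validate(final Credential credential) {
        if (!(credential instanceof TomEEOpenIdCredential)) {
            return CredentialValidationResult.NOT_VALIDATED_RESULT;
        }
        final TomEEOpenIdCredential openIdCredential = (TomEEOpenIdCredential) credential;
        final TokenResponse tokenResponse = openIdCredential.getTokenResponse();

        // Only the ID token carries the nonce, so the nonce validator is registered on the
        // consumer used for the ID token; the access token (and userinfo JWT) consumer has none.
        final JwtConsumer accessTokenConsumer = buildJwtConsumer(null);
        final JwtConsumer identityTokenConsumer = buildJwtConsumer(builder -> {
            if (definition.useNonce()) {
                final HttpMessageContext messageContext = openIdCredential.getMessageContext();
                builder.registerValidator(JwtValidators.nonce(
                        storageHandler.getStoredNonce(messageContext.getRequest(), messageContext.getResponse())));
            }
        });

        openIdContext.setAccessToken(createAccessToken(accessTokenConsumer, tokenResponse));
        openIdContext.setIdentityToken(createIdentityToken(identityTokenConsumer, tokenResponse));
        openIdContext.setRefreshToken(tokenResponse.getRefreshToken().map(TomEERefreshToken::new));

        // createIdentityToken returns null when the ID token fails verification; without a verified
        // ID token nobody is authenticated, regardless of the access token.
        if (openIdContext.getIdentityToken() == null) {
            return CredentialValidationResult.INVALID_RESULT;
        }

        openIdContext.setUserInfoClaims(
                fetchUserinfoClaims(accessTokenConsumer, openIdContext.getAccessToken().getToken()));

        return new CredentialValidationResult(resolveCallerName(), new HashSet<>(resolveCallerGroups()));
    }

    /**
     * Resolves the caller name from the configured caller-name claim, trying in order: the access
     * token (only when it is a JWT), the ID token, the claims exposed by the context, and finally the
     * subject.
     */
    private String resolveCallerName() {
        final String callerNameClaim = definition.claimsDefinition().callerNameClaim();
        final AccessToken accessToken = openIdContext.getAccessToken();
        String callerName = null;
        if (accessToken.isJWT()) {
            callerName = accessToken.getJwtClaims().getStringClaim(callerNameClaim).orElse(null);
        }
        if (callerName == null) {
            callerName = openIdContext.getIdentityToken().getJwtClaims().getStringClaim(callerNameClaim).orElse(null);
        }
        if (callerName == null) {
            callerName = openIdContext.getClaims().getStringClaim(callerNameClaim).orElse(null);
        }
        if (callerName == null) {
            callerName = openIdContext.getSubject();
        }
        return callerName;
    }

    /**
     * Resolves the caller groups from the configured caller-groups claim, trying in order: the access
     * token (only when it is a JWT), the ID token, and the claims exposed by the context. An empty
     * list means "not found", so the next source is consulted.
     */
    private List<String> resolveCallerGroups() {
        final String callerGroupsClaim = definition.claimsDefinition().callerGroupsClaim();
        final AccessToken accessToken = openIdContext.getAccessToken();
        List<String> callerGroups = Collections.emptyList();
        if (accessToken.isJWT()) {
            callerGroups = accessToken.getJwtClaims().getArrayStringClaim(callerGroupsClaim);
        }
        if (callerGroups.isEmpty()) {
            callerGroups = openIdContext.getIdentityToken().getJwtClaims().getArrayStringClaim(callerGroupsClaim);
        }
        if (callerGroups.isEmpty()) {
            callerGroups = openIdContext.getClaims().getArrayStringClaim(callerGroupsClaim);
        }
        return callerGroups;
    }

    /**
     * Returns the groups already computed by {@link #validate(Credential)}.
     */
    @Override
    public Set<String> getCallerGroups(final CredentialValidationResult credentialValidationResult) {
        return credentialValidationResult.getCallerGroups();
    }

    /**
     * Wraps the raw access token. The token is run through {@code jwtConsumer}; a failure is only
     * logged and recorded in the boolean passed to {@link TomEEAccesToken} (presumably what
     * {@code isJWT()} reports later — confirm in TomEEAccesToken), because an access token is not
     * required to be a JWT.
     */
    private AccessToken createAccessToken(final JwtConsumer jwtConsumer, final TokenResponse tokenResponse) {
        boolean verifiedJwt = false;
        try {
            jwtConsumer.process(tokenResponse.getAccesToken());
            verifiedJwt = true;
        } catch (final InvalidJwtException e) {
            LOGGER.warning("access_token is invalid: " + e.getMessage());
        }
        // RFC 6749 §5.1 declares token_type case-insensitive, so "bearer" must also map to BEARER.
        final AccessToken.Type type = "Bearer".equalsIgnoreCase(tokenResponse.getTokenType())
                ? AccessToken.Type.BEARER
                : AccessToken.Type.MAC;
        return new TomEEAccesToken(verifiedJwt, tokenResponse.getAccesToken(), type, tokenResponse.getScope(),
                Long.valueOf(tokenResponse.getExpiresIn()), definition.tokenMinValidity());
    }

    /**
     * Verifies the ID token with {@code jwtConsumer}.
     *
     * @return the identity token, or {@code null} (logged as a warning) when verification fails
     */
    private IdentityToken createIdentityToken(final JwtConsumer jwtConsumer, final TokenResponse tokenResponse) {
        try {
            return new TomEEIdentityToken(jwtConsumer.process(tokenResponse.getIdToken()).getJwt(),
                    definition.tokenMinValidity());
        } catch (final InvalidJwtException e) {
            LOGGER.warning("id_token is invalid: " + e.getMessage());
            return null;
        }
    }

    /**
     * Fetches the claims from the provider's userinfo endpoint with the given access token.
     *
     * <p>An {@code application/json} body (or one without a Content-Type header) is returned as-is.
     * An {@code application/jwt} body is first verified with {@code jwtConsumer} and its claims are
     * returned; an unverifiable JWT yields {@code null}.
     *
     * @return the claims, or {@code null} when the endpoint did not answer 200 or the JWT did not verify
     * @throws IllegalStateException for any other Content-Type
     */
    private JsonObject fetchUserinfoClaims(final JwtConsumer jwtConsumer, final String accessToken) {
        try (Client client = ClientBuilder.newClient()) {
            final Response response = client.target(definition.providerMetadata().userinfoEndpoint())
                    .request(MediaType.APPLICATION_JSON, "application/jwt")
                    .header("Authorization", "Bearer " + accessToken)
                    .get();
            if (response.getStatus() != Response.Status.OK.getStatusCode()) {
                LOGGER.warning("Could not fetch userinfo, response was " + response.getStatus() + "\n" + response.readEntity(String.class));
                return null;
            }
            final String contentType = response.getHeaderString("Content-Type");
            if (contentType == null || contentType.startsWith(MediaType.APPLICATION_JSON)) {
                return response.readEntity(JsonObject.class);
            }
            // Prefix match on the header, mirroring the JSON branch above, so media-type parameters
            // such as "; charset=utf-8" are accepted. The previous check was reversed
            // ("application/jwt".startsWith(contentType)) and rejected parameterized JWT responses
            // while letting any prefix of "application/jwt" through.
            if (!contentType.startsWith("application/jwt")) {
                throw new IllegalStateException("Illegal response from userinfo endpoint received with Content-Type " + contentType + ", supported values are application/json and application/jwt");
            }
            try {
                final String rawClaims = jwtConsumer.process(response.readEntity(String.class)).getJwtClaims().getRawJson();
                try (JsonReader reader = Json.createReader(new StringReader(rawClaims))) {
                    return reader.readObject();
                }
            } catch (final InvalidJwtException e) {
                LOGGER.warning("userinfo endpoint response was of type application/jwt but jwt could not be verified", e);
                return null;
            }
        }
    }

    /**
     * Builds a {@link JwtConsumer} bound to this definition: keys resolved from the provider's JWKS
     * URI (with the configured connect/read timeouts), required {@code sub}/{@code iat}/{@code exp},
     * expected issuer and audience, plus the project's azp, expiration, issued-at and not-before
     * validators.
     *
     * @param consumer optional hook to customize the builder before it is built; may be {@code null}
     * @return the configured consumer
     */
    protected JwtConsumer buildJwtConsumer(final Consumer<JwtConsumerBuilder> consumer) {
        final HttpsJwks httpsJwks = new HttpsJwks(definition.providerMetadata().jwksURI());
        final Get jwksGet = new Get();
        jwksGet.setConnectTimeout(definition.jwksConnectTimeout());
        jwksGet.setReadTimeout(definition.jwksReadTimeout());
        httpsJwks.setSimpleHttpGet(jwksGet);

        final JwtConsumerBuilder builder = new JwtConsumerBuilder()
                .setRequireSubject()
                .setRequireIssuedAt()
                .setRequireExpirationTime()
                .setVerificationKeyResolver(new HttpsJwksVerificationKeyResolver(httpsJwks))
                .setExpectedIssuer(definition.providerMetadata().issuer())
                .setExpectedAudience(definition.clientId())
                .registerValidator(JwtValidators.azp(definition.clientId()))
                .registerValidator(JwtValidators.EXPIRATION)
                .registerValidator(JwtValidators.ISSUED_AT)
                .registerValidator(JwtValidators.NOT_BEOFRE);
        if (consumer != null) {
            consumer.accept(builder);
        }
        return builder.build();
    }
}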
