package com.evolveum.midpoint.authentication.impl.module.configuration;

import com.evolveum.midpoint.authentication.api.ModuleWebSecurityConfiguration;
import com.evolveum.midpoint.authentication.api.util.AuthUtil;
import com.evolveum.midpoint.authentication.impl.module.authentication.RemoteModuleAuthenticationImpl;
import com.evolveum.midpoint.authentication.impl.module.configuration.OidcAdditionalConfiguration;
import com.evolveum.midpoint.authentication.impl.util.AuthSequenceUtil;
import com.evolveum.midpoint.prism.crypto.EncryptionException;
import com.evolveum.midpoint.prism.crypto.Protector;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AbstractKeyStoreKeyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AbstractSimpleKeyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.OidcAuthenticationModuleType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.OidcClientAuthenticationModuleType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.OidcOpenIdProviderType;
import java.io.IOException;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import javax.servlet.ServletRequest;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.lang3.StringUtils;
import org.apache.cxf.common.util.Base64Exception;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.pkcs.PKCSException;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrations;
import org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository;
import org.springframework.security.oauth2.core.AuthenticationMethod;
import org.springframework.security.oauth2.core.AuthorizationGrantType;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.oidc.OidcScopes;
import org.springframework.util.Assert;
import org.springframework.web.util.UriComponentsBuilder;

/* loaded from: input_file:WEB-INF/lib/authentication-impl-4.5.1-SNAPSHOT.jar:com/evolveum/midpoint/authentication/impl/module/configuration/OidcClientModuleWebSecurityConfiguration.class */
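/**
 * Web-security configuration of one OIDC client authentication module.
 *
 * <p>Turns every {@code OidcClientAuthenticationModuleType} of the module into a Spring
 * {@link ClientRegistration} (endpoints from issuer discovery, overridden by explicit configuration)
 * and collects the per-registration extras (signing algorithm, proof keys) in
 * {@link #getAdditionalConfiguration()}.
 *
 * <p>Not thread-safe during construction; instances are built once via {@link #build} and then read.
 */
public class OidcClientModuleWebSecurityConfiguration extends RemoteModuleWebSecurityConfiguration {

    private static final Trace LOGGER = TraceManager.getTrace(OidcClientModuleWebSecurityConfiguration.class);

    /** Provider-metadata key under which the RP-initiated logout endpoint is published. */
    private static final String END_SESSION_ENDPOINT = "end_session_endpoint";

    /** OAuth2 error code attached to every proof-key failure raised by this class. */
    private static final String MISSING_KEY_ERROR = "missing_key";

    /** Decrypts client secrets and proof keys; must be injected via {@link #setProtector} before {@link #build}. */
    private static Protector protector;

    private InMemoryClientRegistrationRepository clientRegistrationRepository;

    /** Per-registration extras (signing algorithm, proof keys), keyed by registration id. */
    private final Map<String, OidcAdditionalConfiguration> additionalConfiguration = new HashMap<>();

    /** Instances are created only through {@link #build}. */
    private OidcClientModuleWebSecurityConfiguration() {
    }

    /**
     * Injects the protector used to decrypt client secrets and proof keys.
     *
     * @param newProtector the protector; {@link #build} dereferences it whenever a client secret
     *                     or proof key is configured, so it has to be set before the first build
     */
    public static void setProtector(Protector newProtector) {
        protector = newProtector;
    }

    /**
     * Builds and validates the OIDC client configuration for one authentication module.
     *
     * @param moduleType           the module definition with its list of OIDC clients
     * @param sequenceSuffix       suffix of the authentication sequence this module belongs to; passed to the
     *                             inherited {@code build} and embedded in every redirect URI
     * @param publicHttpUrlPattern public base URL for redirect URIs; when blank, the request's base path is used
     * @param request              current request, used only to derive the base path when no public URL is set
     * @return the validated configuration
     * @throws IllegalArgumentException      if a client definition is incomplete (missing provider,
     *                                       registration id, client id or user-info URI) or validation fails
     * @throws OAuth2AuthenticationException if a configured proof key cannot be loaded
     */
    public static OidcClientModuleWebSecurityConfiguration build(OidcAuthenticationModuleType moduleType,
            String sequenceSuffix, String publicHttpUrlPattern, ServletRequest request) {
        OidcClientModuleWebSecurityConfiguration configuration =
                buildInternal(moduleType, sequenceSuffix, publicHttpUrlPattern, request);
        configuration.validate();
        return configuration;
    }

    /** Creates the configuration and fills the registration repository and the additional configuration map. */
    private static OidcClientModuleWebSecurityConfiguration buildInternal(OidcAuthenticationModuleType moduleType,
            String sequenceSuffix, String publicHttpUrlPattern, ServletRequest request) {
        OidcClientModuleWebSecurityConfiguration configuration = new OidcClientModuleWebSecurityConfiguration();
        build(configuration, moduleType, sequenceSuffix);

        List<ClientRegistration> registrations = new ArrayList<>();
        for (OidcClientAuthenticationModuleType client : moduleType.getClient()) {
            registrations.add(buildClientRegistration(
                    client, moduleType.getName(), sequenceSuffix, publicHttpUrlPattern, request));
            configuration.additionalConfiguration.put(client.getRegistrationId(), buildAdditionalConfiguration(client));
        }
        configuration.clientRegistrationRepository = new InMemoryClientRegistrationRepository(registrations);
        return configuration;
    }

    /**
     * Builds the Spring registration for one client definition.
     *
     * @throws IllegalArgumentException if the provider, registration id, client id or the effective
     *                                  user-info URI is missing
     */
    private static ClientRegistration buildClientRegistration(OidcClientAuthenticationModuleType client,
            String moduleName, String sequenceSuffix, String publicHttpUrlPattern, ServletRequest request) {
        OidcOpenIdProviderType provider = client.getOpenIdProvider();
        Assert.notNull(provider, "openIdProvider cannot be null");
        // Checked before discovery so that an incomplete definition never triggers a network round-trip.
        Assert.hasText(client.getRegistrationId(), "registrationId cannot be empty");
        Assert.hasText(client.getClientId(), "clientId cannot be empty");
        String registrationId = client.getRegistrationId();

        ClientRegistration.Builder builder = newRegistrationBuilder(provider.getIssuerUri(), registrationId)
                .authorizationGrantType(AuthorizationGrantType.AUTHORIZATION_CODE)
                .userInfoAuthenticationMethod(AuthenticationMethod.HEADER)
                .redirectUri(redirectUri(moduleName, sequenceSuffix, publicHttpUrlPattern, request, registrationId))
                .clientId(client.getClientId());
        if (client.getNameOfUsernameAttribute() != null) {
            builder.userNameAttributeName(client.getNameOfUsernameAttribute());
        }
        if (client.getClientSecret() != null) {
            try {
                builder.clientSecret(protector.decryptString(client.getClientSecret()));
            } catch (EncryptionException e) {
                // Original log-and-continue behaviour kept: the registration is then built without a secret and
                // token requests to the provider fail later with a less specific error. Cause logged for diagnosis.
                LOGGER.error("Couldn't obtain clear string for client secret", e);
            }
        }
        // Values given explicitly in the configuration override whatever issuer discovery filled in.
        getOptionalIfNotEmpty(client.getClientName()).ifPresent(builder::clientName);
        getOptionalIfNotEmpty(provider.getAuthorizationUri()).ifPresent(builder::authorizationUri);
        getOptionalIfNotEmpty(provider.getTokenUri()).ifPresent(builder::tokenUri);
        getOptionalIfNotEmpty(provider.getUserInfoUri()).ifPresent(builder::userInfoUri);
        getOptionalIfNotEmpty(provider.getIssuerUri()).ifPresent(builder::issuerUri);

        // A preliminary build is needed to read back the effective scopes and provider metadata.
        ClientRegistration draft = builder.build();
        Set<String> scopes = draft.getScopes();
        if (scopes == null || !scopes.contains(OidcScopes.OPENID)) {
            // "openid" is mandatory for an OIDC flow; append it without dropping the configured scopes.
            List<String> withOpenId = new ArrayList<>();
            if (scopes != null) {
                withOpenId.addAll(scopes);
            }
            withOpenId.add(OidcScopes.OPENID);
            builder.scope(withOpenId);
        }
        if (StringUtils.isNotEmpty(provider.getEndSessionUri())) {
            Map<String, Object> metadata = new HashMap<>(draft.getProviderDetails().getConfigurationMetadata());
            metadata.put(END_SESSION_ENDPOINT, provider.getEndSessionUri());
            builder.providerConfigurationMetadata(metadata);
        }
        if (client.getClientAuthenticationMethod() != null) {
            // Locale.ROOT: the enum constant must map to Spring's lower-case method names regardless of the
            // JVM default locale (a Turkish locale would turn "I" into a dotless i and break the lookup).
            builder.clientAuthenticationMethod(new ClientAuthenticationMethod(
                    client.getClientAuthenticationMethod().name().toLowerCase(Locale.ROOT)));
        }
        ClientRegistration registration = builder.build();
        Assert.hasText(registration.getProviderDetails().getUserInfoEndpoint().getUri(), "UserInfoUri cannot be empty");
        return registration;
    }

    /**
     * Returns a registration builder pre-filled from the issuer's discovery document, or a bare builder
     * when discovery fails for any reason (the explicit endpoints from the configuration are applied later).
     */
    private static ClientRegistration.Builder newRegistrationBuilder(String issuerUri, String registrationId) {
        try {
            return ClientRegistrations.fromOidcIssuerLocation(issuerUri).registrationId(registrationId);
        } catch (Exception e) {
            // Broad catch kept on purpose: discovery may fail with I/O, parsing or argument errors, and all of
            // them mean "fall back to explicitly configured endpoints". Cause logged so the fallback is traceable.
            LOGGER.debug("Couldn't create oidc client builder by issuer uri.", e);
            return ClientRegistration.withRegistrationId(registrationId);
        }
    }

    /**
     * Redirect URI of one registration:
     * {@code <base>/<module prefix>/<sequence suffix>/<module name>/<request-processing suffix>/<registration id>}.
     */
    private static String redirectUri(String moduleName, String sequenceSuffix, String publicHttpUrlPattern,
            ServletRequest request, String registrationId) {
        String base = StringUtils.isNotBlank(publicHttpUrlPattern)
                ? publicHttpUrlPattern
                : AuthSequenceUtil.getBasePath((HttpServletRequest) request);
        return UriComponentsBuilder.fromUriString(base)
                .pathSegment(
                        ModuleWebSecurityConfiguration.DEFAULT_PREFIX_OF_MODULE,
                        AuthUtil.stripSlashes(sequenceSuffix),
                        AuthUtil.stripSlashes(moduleName),
                        AuthUtil.stripSlashes(RemoteModuleAuthenticationImpl.AUTHENTICATION_REQUEST_PROCESSING_URL_SUFFIX),
                        registrationId)
                .toUriString();
    }

    /** Collects the signing algorithm and the proof key (if any) of one client definition. */
    private static OidcAdditionalConfiguration buildAdditionalConfiguration(OidcClientAuthenticationModuleType client) {
        OidcAdditionalConfiguration.Builder builder = OidcAdditionalConfiguration.builder()
                .singingAlg(client.getClientSigningAlgorithm());
        // An inline (simple) key takes precedence over a key-store reference when both are configured.
        if (client.getSimpleProofKey() != null) {
            initializeProofKey(client.getSimpleProofKey(), builder);
        } else if (client.getKeyStoreProofKey() != null) {
            initializeProofKey(client.getKeyStoreProofKey(), builder);
        }
        return builder.build();
    }

    /** Wraps a non-null, non-empty string; empty and null become {@link Optional#empty()}. */
    private static Optional<String> getOptionalIfNotEmpty(String value) {
        return Optional.ofNullable(value).filter(s -> !s.isEmpty());
    }

    /** @return the registrations built from the module's clients; {@code null} only before {@link #build} ran */
    public InMemoryClientRegistrationRepository getClientRegistrationRepository() {
        return this.clientRegistrationRepository;
    }

    /** @return the live map of per-registration extras keyed by registration id (not a copy) */
    public Map<String, OidcAdditionalConfiguration> getAdditionalConfiguration() {
        return this.additionalConfiguration;
    }

    /**
     * Validates the inherited settings and requires that a registration repository was created.
     *
     * @throws IllegalArgumentException if the registration repository is missing
     */
    @Override // com.evolveum.midpoint.authentication.impl.module.configuration.ModuleWebSecurityConfigurationImpl
    public void validate() {
        super.validate();
        if (getClientRegistrationRepository() == null) {
            throw new IllegalArgumentException("Oidc configuration is null");
        }
    }

    /** @return the URL prefix of the authentication sequence, {@code /auth/<sequence suffix>} */
    public String getPrefixOfSequence() {
        return "/auth/" + AuthUtil.stripSlashes(getSequenceSuffix());
    }

    private static OAuth2AuthenticationException missingKey(String message) {
        return new OAuth2AuthenticationException(new OAuth2Error(MISSING_KEY_ERROR), message);
    }

    private static OAuth2AuthenticationException missingKey(String message, Throwable cause) {
        return new OAuth2AuthenticationException(new OAuth2Error(MISSING_KEY_ERROR), message, cause);
    }

    /**
     * Loads an inline (simple) proof key pair into the builder.
     *
     * <p>The key object itself is deliberately not concatenated into error messages: it carries the
     * private key and certificate, and its string form might end up in logs.
     *
     * @throws OAuth2AuthenticationException with error {@code missing_key} if the private key is not RSA,
     *                                       the public key is not RSA, or either cannot be loaded
     */
    private static void initializeProofKey(AbstractSimpleKeyType simpleKey, OidcAdditionalConfiguration.Builder builder) {
        if (simpleKey == null) {
            return;
        }
        try {
            PrivateKey privateKey = getPrivateKey(simpleKey, protector);
            if (!(privateKey instanceof RSAPrivateKey)) {
                throw missingKey("Unable get key from simple proof key configuration: not an RSAPrivateKey");
            }
            try {
                PublicKey publicKey = getCertificate(simpleKey, protector).getPublicKey();
                // Same type check as the key-store variant; without it the cast below would throw a bare
                // ClassCastException instead of the expected OAuth2 error.
                if (!(publicKey instanceof RSAPublicKey)) {
                    throw missingKey("Unable get certificate from simple proof key configuration: not an RSAPublicKey");
                }
                builder.privateKey((RSAPrivateKey) privateKey);
                builder.publicKey((RSAPublicKey) publicKey);
            } catch (EncryptionException | CertificateException | Base64Exception e) {
                throw missingKey("Unable get certificate from simple proof key configuration", e);
            }
        } catch (EncryptionException | IOException | OperatorCreationException | PKCSException e) {
            throw missingKey("Unable get key from simple proof key configuration", e);
        }
    }

    /**
     * Loads a key-store backed proof key pair into the builder.
     *
     * @throws OAuth2AuthenticationException with error {@code missing_key} if the alias does not yield an RSA
     *                                       private/public key pair or the key store cannot be read
     */
    private static void initializeProofKey(AbstractKeyStoreKeyType keyStoreKey, OidcAdditionalConfiguration.Builder builder) {
        if (keyStoreKey == null) {
            return;
        }
        String alias = keyStoreKey.getKeyAlias();
        try {
            PrivateKey privateKey = getPrivateKey(keyStoreKey, protector);
            if (!(privateKey instanceof RSAPrivateKey)) {
                throw missingKey("Alias " + alias + " don't return key of RSAPrivateKey type.");
            }
            try {
                PublicKey publicKey = getCertificate(keyStoreKey, protector).getPublicKey();
                if (!(publicKey instanceof RSAPublicKey)) {
                    throw missingKey("Alias " + alias + " don't return public key of RSAPublicKey type.");
                }
                builder.privateKey((RSAPrivateKey) privateKey);
                builder.publicKey((RSAPublicKey) publicKey);
            } catch (EncryptionException | IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException e) {
                throw missingKey("Unable get certificate for alias " + alias, e);
            }
        } catch (EncryptionException | IOException | KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException | CertificateException e) {
            throw missingKey("Unable get key for alias " + alias, e);
        }
    }
}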
