package com.evolveum.midpoint.authentication.impl.module.configuration;

import com.evolveum.midpoint.prism.crypto.EncryptionException;
import com.evolveum.midpoint.prism.crypto.Protector;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AbstractKeyStoreKeyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.OidcAuthenticationModuleType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.OidcResourceServerAuthenticationModuleType;
import com.evolveum.prism.xml.ns._public.types_3.ProtectedStringType;
import com.nimbusds.jose.KeySourceException;
import com.nimbusds.jose.proc.JWSAlgorithmFamilyJWSKeySelector;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.cert.CertificateException;
import java.security.interfaces.RSAPublicKey;
import java.util.Objects;
import javax.crypto.spec.SecretKeySpec;
import org.apache.commons.codec.binary.Base64;
import org.apache.cxf.common.util.Base64Exception;
import org.apache.cxf.common.util.Base64Utility;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.jose.jws.MacAlgorithm;
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

/* loaded from: input_file:com/evolveum/midpoint/authentication/impl/module/configuration/OidcResourceServerModuleWebSecurityConfiguration.class */
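/**
 * Web-security configuration of the OIDC "resource server" authentication module.
 * <p>
 * On top of the remote-module settings handled by the superclass, this class builds the
 * {@link JwtDecoder} used to verify incoming bearer tokens. Exactly one key source is taken
 * from the {@code resourceServer} element, in this order of precedence:
 * <ol>
 *   <li>a trusting asymmetric certificate or a key-store entry (RSA public key),</li>
 *   <li>a single symmetric key (HMAC secret, decrypted through the {@link Protector}),</li>
 *   <li>a JWK set URI,</li>
 *   <li>an issuer URI (decoder obtained via issuer discovery).</li>
 * </ol>
 * When {@code trustedAlgorithm} is configured the decoder is pinned to that algorithm; otherwise
 * the respective builder's own default applies (for the JWK set case, every algorithm family
 * offered by the JWK set is accepted).
 * <p>
 * {@link #setProtector(Protector)} must be called before {@link #build} for any key source that
 * needs decryption (symmetric key, certificate, key store); otherwise a
 * {@link NullPointerException} with an explanatory message is raised.
 */
public class OidcResourceServerModuleWebSecurityConfiguration extends RemoteModuleWebSecurityConfiguration {

    /** OAuth2 error code reported for every key-material problem raised by this class. */
    private static final String MISSING_KEY_ERROR = "missing_key";

    /** Decrypts protected strings (symmetric key, certificate, key-store secrets); installed via {@link #setProtector}. */
    private static Protector protector;

    /** Decoder built from the configured key source; {@code null} until {@link #buildInternal} assigns it. */
    private JwtDecoder decoder;

    /** Instances are only created through {@link #build}. */
    private OidcResourceServerModuleWebSecurityConfiguration() {
    }

    /**
     * Returns the decoder used to verify bearer tokens.
     *
     * @return the configured decoder; never {@code null} once {@link #validate()} has passed
     */
    public JwtDecoder getDecoder() {
        return this.decoder;
    }

    /**
     * Installs the protector used to decrypt protected configuration values.
     *
     * @param protector2 the protector; shared by all configurations built afterwards
     */
    public static void setProtector(Protector protector2) {
        protector = protector2;
    }

    /**
     * Builds and validates the configuration for the given module definition.
     *
     * @param oidcAuthenticationModuleType module definition with a {@code resourceServer} element
     * @param str prefix passed through to the superclass build
     * @return a validated configuration whose decoder is non-null
     * @throws OAuth2AuthenticationException when the configured key material cannot be loaded
     * @throws IllegalArgumentException when no key source is configured (from {@link #validate()})
     */
    public static OidcResourceServerModuleWebSecurityConfiguration build(OidcAuthenticationModuleType oidcAuthenticationModuleType, String str) {
        OidcResourceServerModuleWebSecurityConfiguration configuration = buildInternal(oidcAuthenticationModuleType, str);
        configuration.validate();
        return configuration;
    }

    /**
     * Creates the configuration and selects the decoder according to the key-source precedence
     * documented on the class. Leaves {@link #decoder} {@code null} when no source is configured.
     */
    private static OidcResourceServerModuleWebSecurityConfiguration buildInternal(OidcAuthenticationModuleType oidcAuthenticationModuleType, String str) {
        OidcResourceServerModuleWebSecurityConfiguration configuration = new OidcResourceServerModuleWebSecurityConfiguration();
        build(configuration, oidcAuthenticationModuleType, str);
        OidcResourceServerAuthenticationModuleType resourceServer = oidcAuthenticationModuleType.getResourceServer();
        if (resourceServer.getTrustingAsymmetricCertificate() != null || resourceServer.getKeyStoreTrustingAsymmetricKey() != null) {
            configuration.decoder = buildPublicKeyDecoder(resourceServer);
        } else if (resourceServer.getSingleSymmetricKey() != null) {
            configuration.decoder = buildSymmetricKeyDecoder(resourceServer);
        } else if (resourceServer.getJwkSetUri() != null) {
            configuration.decoder = buildJwkSetDecoder(resourceServer);
        } else if (resourceServer.getIssuerUri() != null) {
            configuration.decoder = JwtDecoders.fromIssuerLocation(resourceServer.getIssuerUri());
        }
        return configuration;
    }

    /**
     * Decoder backed by an RSA public key taken from the key store (preferred when both are set)
     * or from the inline certificate.
     */
    private static JwtDecoder buildPublicKeyDecoder(OidcResourceServerAuthenticationModuleType resourceServer) {
        NimbusJwtDecoder.PublicKeyJwtDecoderBuilder builder = resourceServer.getKeyStoreTrustingAsymmetricKey() != null
                ? initializePublicKeyDecoderFromKeyStore(resourceServer.getKeyStoreTrustingAsymmetricKey())
                : initializePublicKeyDecoderFromCertificate(resourceServer.getTrustingAsymmetricCertificate());
        if (resourceServer.getTrustedAlgorithm() != null) {
            // Pin the accepted JWS algorithm to the configured one.
            builder.signatureAlgorithm(SignatureAlgorithm.from(resourceServer.getTrustedAlgorithm()));
        }
        return builder.build();
    }

    /**
     * Decoder backed by an HMAC secret. The protected value is decrypted once; if it consists only
     * of Base64 characters it is decoded (URL-safe alphabet assumed when {@code -} or {@code _} occurs),
     * otherwise its UTF-8 bytes are the key.
     *
     * @throws OAuth2AuthenticationException when decryption or Base64 decoding fails
     */
    private static JwtDecoder buildSymmetricKeyDecoder(OidcResourceServerAuthenticationModuleType resourceServer) {
        try {
            String secret = requireProtector().decryptString(resourceServer.getSingleSymmetricKey());
            byte[] keyBytes;
            if (Base64.isBase64(secret)) {
                // Heuristic kept for compatibility: a raw passphrase that happens to be Base64-shaped
                // is decoded rather than used verbatim, which changes the effective key material.
                keyBytes = Base64Utility.decode(secret, secret.contains("-") || secret.contains("_"));
            } else {
                // Explicit charset so the key bytes do not depend on the JVM's platform default.
                keyBytes = secret.getBytes(StandardCharsets.UTF_8);
            }
            String algorithm = resourceServer.getTrustedAlgorithm() != null
                    ? resourceServer.getTrustedAlgorithm()
                    : MacAlgorithm.HS256.getName();
            NimbusJwtDecoder.SecretKeyJwtDecoderBuilder builder = NimbusJwtDecoder.withSecretKey(new SecretKeySpec(keyBytes, algorithm));
            builder.macAlgorithm(MacAlgorithm.from(algorithm));
            return builder.build();
        } catch (EncryptionException e) {
            throw missingKey("Unable get single symmetric key", e);
        } catch (Base64Exception e) {
            // Previously only printed; the decoder then stayed null and validate() failed without the cause.
            throw missingKey("Unable to decode single symmetric key from Base64", e);
        }
    }

    /**
     * Decoder backed by a remote JWK set. With a configured algorithm the standard Spring builder is
     * used; without one, a Nimbus key selector accepting every algorithm family present in the JWK
     * set is installed, which fetches the JWK set at configuration time.
     *
     * @throws OAuth2AuthenticationException when the URI is malformed or the JWK set cannot be loaded
     */
    private static JwtDecoder buildJwkSetDecoder(OidcResourceServerAuthenticationModuleType resourceServer) {
        String jwkSetUri = resourceServer.getJwkSetUri();
        if (resourceServer.getTrustedAlgorithm() != null) {
            return NimbusJwtDecoder.withJwkSetUri(jwkSetUri)
                    .jwsAlgorithm(SignatureAlgorithm.from(resourceServer.getTrustedAlgorithm()))
                    .build();
        }
        try {
            JWSAlgorithmFamilyJWSKeySelector keySelector = JWSAlgorithmFamilyJWSKeySelector.fromJWKSetURL(new URL(jwkSetUri));
            DefaultJWTProcessor processor = new DefaultJWTProcessor();
            processor.setJWSKeySelector(keySelector);
            return new NimbusJwtDecoder(processor);
        } catch (MalformedURLException e) {
            // Previously only printed, leaving the decoder null.
            throw missingKey("Invalid JWK set URI " + jwkSetUri, e);
        } catch (KeySourceException e) {
            throw missingKey("Unable to load JWK set from " + jwkSetUri, e);
        }
    }

    /**
     * Checks the superclass settings and that a decoder was built.
     * Overrides {@code ModuleWebSecurityConfigurationImpl#validate()}; the decompiler widened the
     * original access modifier from protected to public, which is kept for compatibility.
     *
     * @throws IllegalArgumentException when no key source produced a decoder
     */
    @Override
    public void validate() {
        super.validate();
        if (getDecoder() == null) {
            throw new IllegalArgumentException("Jwt decoder is null, please define public key, client secret, JWS uri or issuer uri in configuration of OIDC authentication module");
        }
    }

    /**
     * Builder for an RSA public key extracted from a protected (encrypted) certificate.
     *
     * @param protectedStringType encrypted certificate, or {@code null}
     * @return the builder, or {@code null} when no certificate is given
     * @throws OAuth2AuthenticationException when the certificate cannot be decrypted or parsed,
     *         or its public key is not an RSA key
     */
    private static NimbusJwtDecoder.PublicKeyJwtDecoderBuilder initializePublicKeyDecoderFromCertificate(ProtectedStringType protectedStringType) {
        if (protectedStringType == null) {
            return null;
        }
        try {
            PublicKey publicKey = getCertificate(protectedStringType, requireProtector()).getPublicKey();
            // Explicit check instead of a blind cast so a non-RSA certificate reports a clear error.
            if (publicKey instanceof RSAPublicKey) {
                return NimbusJwtDecoder.withPublicKey((RSAPublicKey) publicKey);
            }
            throw new OAuth2AuthenticationException(new OAuth2Error(MISSING_KEY_ERROR), "Trusting asymmetric certificate don't return public key of RSAPublicKey type.");
        } catch (Base64Exception | EncryptionException | CertificateException e) {
            throw missingKey("Unable get certificate", e);
        }
    }

    /**
     * Builder for an RSA public key read from a key-store entry.
     *
     * @param abstractKeyStoreKeyType key-store reference (path, password, alias), or {@code null}
     * @return the builder, or {@code null} when no key-store entry is given
     * @throws OAuth2AuthenticationException when the key store cannot be opened or the alias does not
     *         yield an RSA public key
     */
    private static NimbusJwtDecoder.PublicKeyJwtDecoderBuilder initializePublicKeyDecoderFromKeyStore(AbstractKeyStoreKeyType abstractKeyStoreKeyType) {
        if (abstractKeyStoreKeyType == null) {
            return null;
        }
        try {
            PublicKey publicKey = getCertificate(abstractKeyStoreKeyType, requireProtector()).getPublicKey();
            if (publicKey instanceof RSAPublicKey) {
                return NimbusJwtDecoder.withPublicKey((RSAPublicKey) publicKey);
            }
            throw new OAuth2AuthenticationException(new OAuth2Error(MISSING_KEY_ERROR), "Alias " + abstractKeyStoreKeyType.getKeyAlias() + " don't return public key of RSAPublicKey type.");
        } catch (EncryptionException | IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException e) {
            throw missingKey("Unable get certificate from " + abstractKeyStoreKeyType, e);
        }
    }

    /** Returns the installed protector, failing fast with a message when {@link #setProtector} was never called. */
    private static Protector requireProtector() {
        return Objects.requireNonNull(protector, "Protector is not set; call setProtector() before building the OIDC resource server configuration");
    }

    /** Uniform "missing_key" authentication exception that keeps the underlying cause. */
    private static OAuth2AuthenticationException missingKey(String message, Throwable cause) {
        return new OAuth2AuthenticationException(new OAuth2Error(MISSING_KEY_ERROR), message, cause);
    }
}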
