package com.evolveum.midpoint.authentication.impl.provider;

import com.evolveum.midpoint.authentication.api.AuthenticationChannel;
import com.evolveum.midpoint.authentication.api.util.AuthUtil;
import com.evolveum.midpoint.authentication.impl.module.authentication.OidcClientModuleAuthenticationImpl;
import com.evolveum.midpoint.authentication.impl.module.configuration.OidcAdditionalConfiguration;
import com.evolveum.midpoint.security.api.MidPointPrincipal;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.xml.ns._public.common.common_3.FocusType;
import com.nimbusds.jose.Algorithm;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.OctetSequenceKey;
import com.nimbusds.jose.jwk.RSAKey;
import java.nio.charset.StandardCharsets;
import java.security.interfaces.RSAPublicKey;
import java.util.List;
import java.util.Map;
import java.util.UUID;
import java.util.function.Function;
import org.apache.commons.lang3.StringUtils;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.oauth2.client.authentication.OAuth2LoginAuthenticationToken;
import org.springframework.security.oauth2.client.endpoint.DefaultAuthorizationCodeTokenResponseClient;
import org.springframework.security.oauth2.client.endpoint.NimbusJwtClientAuthenticationParametersConverter;
import org.springframework.security.oauth2.client.endpoint.OAuth2AuthorizationCodeGrantRequestEntityConverter;
import org.springframework.security.oauth2.client.oidc.authentication.OidcAuthorizationCodeAuthenticationProvider;
import org.springframework.security.oauth2.client.oidc.authentication.OidcIdTokenDecoderFactory;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserService;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.core.ClientAuthenticationMethod;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

/* loaded from: input_file:com/evolveum/midpoint/authentication/impl/provider/OidcClientProvider.class */
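/**
 * Authentication provider for the OIDC client module.
 * <p>
 * The authorization-code exchange and ID-token validation are delegated to Spring's
 * {@link OidcAuthorizationCodeAuthenticationProvider}; the resulting identity is then mapped
 * onto a midPoint principal through {@code getPreAuthenticationToken}. Client authentication
 * towards the token endpoint with a JWT client assertion ({@code client_secret_jwt} or
 * {@code private_key_jwt}) is supported by resolving the signing {@link JWK} from the
 * per-registration {@link OidcAdditionalConfiguration}.
 */
public class OidcClientProvider extends RemoteModuleProvider {

    private static final Trace LOGGER = TraceManager.getTrace(OidcClientProvider.class);

    private final OidcAuthorizationCodeAuthenticationProvider oidcProvider;

    /** midPoint-specific OIDC settings (signing algorithm, key pair), keyed by Spring client registration id. */
    private final Map<String, OidcAdditionalConfiguration> additionalConfiguration;

    /** Resolves the key used to sign the client-assertion JWT for a given client registration. */
    private final Function<ClientRegistration, JWK> jwkResolver;

    /**
     * Creates the provider and wires the token-response client so that JWT-based client
     * authentication uses keys resolved from {@code map}.
     *
     * @param map additional configuration keyed by client registration id; looked up lazily, at
     *        token-request time, for registrations using a JWT client authentication method
     */
    public OidcClientProvider(Map<String, OidcAdditionalConfiguration> map) {
        this.additionalConfiguration = map;
        // The resolver closes over additionalConfiguration, so that field is assigned first.
        this.jwkResolver = createJwkResolver();

        OAuth2AuthorizationCodeGrantRequestEntityConverter requestEntityConverter =
                new OAuth2AuthorizationCodeGrantRequestEntityConverter();
        // Adds the client_assertion parameters to the token request for JWT client authentication methods.
        requestEntityConverter.addParametersConverter(
                new NimbusJwtClientAuthenticationParametersConverter<>(this.jwkResolver));

        DefaultAuthorizationCodeTokenResponseClient tokenResponseClient =
                new DefaultAuthorizationCodeTokenResponseClient();
        tokenResponseClient.setRequestEntityConverter(requestEntityConverter);

        this.oidcProvider = new OidcAuthorizationCodeAuthenticationProvider(tokenResponseClient, new OidcUserService());
        this.oidcProvider.setJwtDecoderFactory(new OidcIdTokenDecoderFactory());
    }

    /**
     * Builds the resolver supplying the client-assertion signing key.
     * <ul>
     *   <li>{@code client_secret_jwt}: a symmetric {@link OctetSequenceKey} whose key material is the
     *       UTF-8 bytes of the client secret, with a freshly generated random {@code kid}.</li>
     *   <li>{@code private_key_jwt}: an {@link RSAKey} from the configured key pair, without a {@code kid}.</li>
     *   <li>any other method: {@code null}, i.e. no client assertion is produced.</li>
     * </ul>
     * Both JWT variants take the JWS algorithm from {@link OidcAdditionalConfiguration#getSingingAlg()}.
     */
    private Function<ClientRegistration, JWK> createJwkResolver() {
        return clientRegistration -> {
            ClientAuthenticationMethod method = clientRegistration.getClientAuthenticationMethod();
            if (ClientAuthenticationMethod.CLIENT_SECRET_JWT.equals(method)) {
                return buildSecretKey(clientRegistration);
            }
            if (ClientAuthenticationMethod.PRIVATE_KEY_JWT.equals(method)) {
                return buildRsaKey(clientRegistration);
            }
            return null;
        };
    }

    /** Symmetric key for {@code client_secret_jwt}: the client secret is used verbatim as HMAC key material. */
    private JWK buildSecretKey(ClientRegistration clientRegistration) {
        OidcAdditionalConfiguration config = requireAdditionalConfiguration(clientRegistration);
        return new OctetSequenceKey.Builder(clientRegistration.getClientSecret().getBytes(StandardCharsets.UTF_8))
                .keyID(UUID.randomUUID().toString())
                .algorithm(Algorithm.parse(config.getSingingAlg()))
                .build();
    }

    /**
     * Asymmetric key for {@code private_key_jwt}, built from the configured RSA key pair.
     * No {@code kid} is set, so the emitted assertion carries no "kid" header.
     * NOTE(review): confirm this matches the identity provider's key-matching expectations
     * when more than one client key is registered there.
     */
    private JWK buildRsaKey(ClientRegistration clientRegistration) {
        OidcAdditionalConfiguration config = requireAdditionalConfiguration(clientRegistration);
        RSAPublicKey publicKey = config.getPublicKey();
        return new RSAKey.Builder(publicKey)
                .privateKey(config.getPrivateKey())
                .algorithm(Algorithm.parse(config.getSingingAlg()))
                .build();
    }

    /**
     * Looks up the additional configuration for the registration.
     *
     * @throws IllegalStateException if nothing is configured for the registration id; a JWT client
     *         authentication method without matching configuration is a deployment error and is
     *         reported with the registration id instead of surfacing as a bare NullPointerException
     */
    private OidcAdditionalConfiguration requireAdditionalConfiguration(ClientRegistration clientRegistration) {
        String registrationId = clientRegistration.getRegistrationId();
        OidcAdditionalConfiguration config = this.additionalConfiguration.get(registrationId);
        if (config == null) {
            throw new IllegalStateException(
                    "No additional OIDC configuration found for client registration '" + registrationId + "'");
        }
        return config;
    }

    /**
     * Authenticates an OIDC login token.
     * <p>
     * The Spring OIDC provider performs the code exchange and ID-token validation; the principal
     * name it yields is then resolved to a midPoint user via {@code getPreAuthenticationToken}.
     * Every failure is audited as a login failure and reported as {@code web.security.provider.unavailable}.
     *
     * @param authentication must be an {@link OAuth2LoginAuthenticationToken}
     * @param list passed through to {@code getPreAuthenticationToken} (raw type kept from the superclass signature)
     * @param authenticationChannel the channel the login arrived on
     * @param cls focus type to resolve the user as
     * @return the pre-authenticated token for the resolved midPoint principal
     * @throws AuthenticationServiceException with {@code web.security.provider.unavailable} when the token
     *         type is unsupported or when any step of the exchange or user resolution fails
     */
    @Override // com.evolveum.midpoint.authentication.impl.provider.MidPointAbstractAuthenticationProvider
    protected Authentication internalAuthentication(Authentication authentication, List list,
            AuthenticationChannel authenticationChannel, Class cls) throws AuthenticationException {
        if (!(authentication instanceof OAuth2LoginAuthenticationToken)) {
            LOGGER.error("Unsupported authentication {}", authentication);
            throw new AuthenticationServiceException("web.security.provider.unavailable");
        }
        OAuth2LoginAuthenticationToken loginToken = (OAuth2LoginAuthenticationToken) authentication;
        try {
            // Code exchange and ID-token validation are delegated entirely to Spring.
            OAuth2LoginAuthenticationToken oidcAuthentication =
                    (OAuth2LoginAuthenticationToken) this.oidcProvider.authenticate(loginToken);
            OidcClientModuleAuthenticationImpl oidcModule =
                    (OidcClientModuleAuthenticationImpl) AuthUtil.getProcessingModule();
            try {
                String enteredUsername = oidcAuthentication.getName();
                if (StringUtils.isEmpty(enteredUsername)) {
                    LOGGER.error("Oidc attribute, which define username don't contains value");
                    throw new AuthenticationServiceException("web.security.provider.invalid");
                }
                PreAuthenticatedAuthenticationToken preAuthenticationToken =
                        getPreAuthenticationToken(loginToken, enteredUsername, cls, list, authenticationChannel);
                loginToken.setDetails(oidcAuthentication.getPrincipal());
                LOGGER.debug("User '{}' authenticated ({}), authorities: {}",
                        loginToken.getPrincipal(), loginToken.getClass().getSimpleName(),
                        ((MidPointPrincipal) preAuthenticationToken.getPrincipal()).getAuthorities());
                return preAuthenticationToken;
            } catch (AuthenticationException e) {
                // Keep the Spring-side authentication on the module for later inspection; the
                // exception then falls through to the outer handler below.
                oidcModule.setAuthentication(oidcAuthentication);
                LOGGER.info("Authentication with oidc module failed: {}", e.getMessage());
                throw e;
            }
        } catch (Exception e) {
            // Every failure - including the AuthenticationException re-thrown above - ends here: it is
            // audited and reported to the caller as "unavailable". NOTE(review): this re-wraps
            // "web.security.provider.invalid" and any AuthenticationException from getPreAuthenticationToken
            // as "unavailable"; confirm callers do not rely on that distinction.
            getAuditProvider().auditLoginFailure((String) null, (FocusType) null,
                    createConnectEnvironment(getChannel()), e.getMessage());
            throw new AuthenticationServiceException("web.security.provider.unavailable", e);
        }
    }

    /** Delegates to the wrapped Spring OIDC provider. */
    @Override
    public boolean supports(Class cls) {
        return this.oidcProvider.supports(cls);
    }
}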
