package com.evolveum.midpoint.authentication.impl.module.configuration;

import com.evolveum.midpoint.prism.crypto.EncryptionException;
import com.evolveum.midpoint.prism.path.ItemName;
import com.evolveum.midpoint.util.logging.Trace;
import com.evolveum.midpoint.util.logging.TraceManager;
import com.evolveum.midpoint.xml.ns._public.common.common_3.AbstractKeyStoreKeyType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.JwtOidcResourceServerType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.OidcAuthenticationModuleType;
import com.evolveum.midpoint.xml.ns._public.common.common_3.OidcResourceServerAuthenticationModuleType;
import com.evolveum.prism.xml.ns._public.types_3.ProtectedStringType;
import com.nimbusds.jose.KeySourceException;
import com.nimbusds.jose.proc.JWSAlgorithmFamilyJWSKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import java.io.IOException;
import java.lang.reflect.InvocationTargetException;
import java.net.MalformedURLException;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.cert.CertificateException;
import java.security.interfaces.RSAPublicKey;
import javax.crypto.spec.SecretKeySpec;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.lang3.StringUtils;
import org.apache.cxf.common.util.Base64Exception;
import org.apache.cxf.common.util.Base64Utility;
import org.springframework.security.oauth2.core.OAuth2AuthenticationException;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.jose.jws.MacAlgorithm;
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoders;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

/* loaded from: input_file:BOOT-INF/lib/authentication-impl-4.9.4-SNAPSHOT.jar:com/evolveum/midpoint/authentication/impl/module/configuration/JwtOidcResourceServerConfiguration.class */
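/**
 * Web-security configuration for the OIDC "resource server" flavour of the authentication
 * module. It turns the configured trust material (keystore key, PEM certificate, single
 * symmetric key, JWK set URI or issuer URI) into the {@link JwtDecoder} that verifies the
 * signature of incoming bearer tokens.
 *
 * <p>Exactly one trust source is used, in this order of precedence: asymmetric key or
 * certificate, single symmetric key, JWK set URI, issuer URI. Every failure to obtain
 * verification key material from the chosen source is reported as an
 * {@link OAuth2AuthenticationException} with error code {@code missing_key} and the
 * original exception as cause, so the root cause is never lost on stderr.
 * {@link #validate()} then rejects a configuration that produced no decoder at all.
 */
public class JwtOidcResourceServerConfiguration extends RemoteModuleWebSecurityConfiguration {
    private static final Trace LOGGER = TraceManager.getTrace(JwtOidcResourceServerConfiguration.class);

    /** OAuth2 error code reported whenever verification key material cannot be obtained. */
    private static final String MISSING_KEY = "missing_key";

    /** Decoder verifying bearer tokens; stays {@code null} when no trust source is configured. */
    private JwtDecoder decoder;

    private JwtOidcResourceServerConfiguration() {
    }

    /**
     * Returns the JWT decoder derived from the module configuration.
     *
     * @return the decoder, or {@code null} if no trust source was configured
     */
    public JwtDecoder getDecoder() {
        return this.decoder;
    }

    /**
     * Builds and validates the configuration for one OIDC authentication module.
     *
     * @param oidcAuthenticationModuleType module definition from the security policy; its
     *        {@code resourceServer} element supplies the trust material
     * @param str second argument handed unchanged to the base-class {@code build}; its
     *        meaning is defined there
     * @return the validated configuration
     * @throws OAuth2AuthenticationException if configured key material cannot be loaded,
     *         decoded or is not of the expected type
     * @throws IllegalArgumentException if no decoder could be derived from the configuration
     */
    public static JwtOidcResourceServerConfiguration build(OidcAuthenticationModuleType oidcAuthenticationModuleType, String str) {
        JwtOidcResourceServerConfiguration configuration = buildInternal(oidcAuthenticationModuleType, str);
        configuration.validate();
        return configuration;
    }

    /** Populates the base configuration and selects the decoder for the first configured trust source. */
    private static JwtOidcResourceServerConfiguration buildInternal(OidcAuthenticationModuleType oidcAuthenticationModuleType, String str) {
        JwtOidcResourceServerConfiguration configuration = new JwtOidcResourceServerConfiguration();
        build(configuration, oidcAuthenticationModuleType, str);

        OidcResourceServerAuthenticationModuleType resourceServer = oidcAuthenticationModuleType.getResourceServer();
        String trustedAlgorithm = getAttribute(resourceServer, JwtOidcResourceServerType.F_TRUSTED_ALGORITHM);
        AbstractKeyStoreKeyType keyStoreKey = getAttribute(resourceServer, JwtOidcResourceServerType.F_KEY_STORE_TRUSTING_ASYMMETRIC_KEY);
        ProtectedStringType certificate = getAttribute(resourceServer, JwtOidcResourceServerType.F_TRUSTING_ASYMMETRIC_CERTIFICATE);
        ProtectedStringType symmetricKey = getAttribute(resourceServer, JwtOidcResourceServerType.F_SINGLE_SYMMETRIC_KEY);
        String jwkSetUri = getAttribute(resourceServer, JwtOidcResourceServerType.F_JWK_SET_URI);
        String issuerUri = getAttribute(resourceServer, JwtOidcResourceServerType.F_ISSUER_URI);

        // Precedence: asymmetric key material, then a shared secret, then remote key discovery.
        if (certificate != null || keyStoreKey != null) {
            configuration.decoder = buildPublicKeyDecoder(keyStoreKey, certificate, trustedAlgorithm);
        } else if (symmetricKey != null) {
            configuration.decoder = buildSecretKeyDecoder(symmetricKey, trustedAlgorithm);
        } else if (jwkSetUri != null) {
            configuration.decoder = buildJwkSetDecoder(jwkSetUri, trustedAlgorithm);
        } else if (issuerUri != null) {
            configuration.decoder = JwtDecoders.fromIssuerLocation(issuerUri);
        }
        return configuration;
    }

    /**
     * Builds an RSA-signature decoder; a keystore key takes precedence over a PEM certificate.
     *
     * @param trustedAlgorithm JWS algorithm name to pin, or {@code null} for the builder default
     */
    private static JwtDecoder buildPublicKeyDecoder(AbstractKeyStoreKeyType keyStoreKey, ProtectedStringType certificate, String trustedAlgorithm) {
        NimbusJwtDecoder.PublicKeyJwtDecoderBuilder builder = keyStoreKey != null
                ? initializePublicKeyDecoderFromKeyStore(keyStoreKey)
                : initializePublicKeyDecoderFromCertificate(certificate);
        if (trustedAlgorithm != null) {
            builder.signatureAlgorithm(SignatureAlgorithm.from(trustedAlgorithm));
        }
        return builder.build();
    }

    /**
     * Builds an HMAC decoder from the single symmetric key.
     *
     * <p>The decrypted secret is Base64-decoded when it consists only of Base64 alphabet
     * characters (commons-codec {@code isBase64} accepts the standard and URL-safe alphabets,
     * so a plain-text secret made only of such characters is decoded as well — pre-existing
     * behaviour, kept); otherwise its UTF-8 bytes are used directly.
     *
     * @param trustedAlgorithm MAC algorithm name, or {@code null} to default to HS256
     * @throws OAuth2AuthenticationException if the secret cannot be decrypted, decoded or is empty
     */
    private static JwtDecoder buildSecretKeyDecoder(ProtectedStringType symmetricKey, String trustedAlgorithm) {
        byte[] keyBytes;
        try {
            String rawKey = protector.decryptString(symmetricKey);
            if (Base64.isBase64(rawKey)) {
                // Base64Utility has to be told whether the URL-safe alphabet ('-' / '_') is in use.
                boolean urlSafe = rawKey.contains("-") || rawKey.contains("_");
                keyBytes = Base64Utility.decode(rawKey, urlSafe);
            } else {
                keyBytes = rawKey.getBytes(StandardCharsets.UTF_8);
            }
        } catch (EncryptionException e) {
            throw new OAuth2AuthenticationException(new OAuth2Error(MISSING_KEY), "Unable get single symmetric key", e);
        } catch (Base64Exception e) {
            throw new OAuth2AuthenticationException(new OAuth2Error(MISSING_KEY), "Unable to decode single symmetric key as Base64", e);
        }
        if (keyBytes.length == 0) {
            throw new OAuth2AuthenticationException(new OAuth2Error(MISSING_KEY), "Single symmetric key is empty");
        }
        String macAlgorithm = trustedAlgorithm != null ? trustedAlgorithm : MacAlgorithm.HS256.getName();
        NimbusJwtDecoder.SecretKeyJwtDecoderBuilder builder = NimbusJwtDecoder.withSecretKey(new SecretKeySpec(keyBytes, macAlgorithm));
        builder.macAlgorithm(MacAlgorithm.from(macAlgorithm));
        return builder.build();
    }

    /**
     * Builds a decoder backed by a remote JWK set.
     *
     * <p>With a pinned algorithm the standard Spring builder is used. Without one, a Nimbus
     * key selector that accepts every JWS algorithm family present in the JWK set is wired
     * in, which requires the set to be fetched while building.
     *
     * @throws OAuth2AuthenticationException if the URI is malformed or the JWK set cannot be retrieved
     */
    private static JwtDecoder buildJwkSetDecoder(String jwkSetUri, String trustedAlgorithm) {
        if (trustedAlgorithm != null) {
            return NimbusJwtDecoder.withJwkSetUri(jwkSetUri).jwsAlgorithm(SignatureAlgorithm.from(trustedAlgorithm)).build();
        }
        try {
            JWSAlgorithmFamilyJWSKeySelector<SecurityContext> keySelector =
                    JWSAlgorithmFamilyJWSKeySelector.fromJWKSetURL(new URL(jwkSetUri));
            DefaultJWTProcessor<SecurityContext> processor = new DefaultJWTProcessor<>();
            processor.setJWSKeySelector(keySelector);
            return new NimbusJwtDecoder(processor);
        } catch (KeySourceException | MalformedURLException e) {
            throw new OAuth2AuthenticationException(new OAuth2Error(MISSING_KEY), "Unable to load JWK set from " + jwkSetUri, e);
        }
    }

    /**
     * Reads one configuration attribute via its reflective getter.
     *
     * <p>A dedicated {@code jwt} sub-configuration takes precedence over the generic
     * resource-server element. The getter name is derived from the item's local name
     * ({@code foo} becomes {@code getFoo()}); a missing resource server, a missing getter or
     * a failing invocation is logged at debug level and reported as {@code null}, i.e.
     * "not configured".
     *
     * @param <T> expected attribute type; the unchecked cast fails at the call site if it does not match
     */
    @SuppressWarnings("unchecked")
    private static <T> T getAttribute(OidcResourceServerAuthenticationModuleType resourceServer, ItemName itemName) {
        if (resourceServer == null) {
            return null;
        }
        OidcResourceServerAuthenticationModuleType source = resourceServer;
        if (resourceServer.getJwt() != null) {
            source = resourceServer.getJwt();
        }
        String getterName = "get" + StringUtils.capitalize(itemName.getLocalPart());
        try {
            return (T) source.getClass().getMethod(getterName).invoke(source);
        } catch (IllegalAccessException | InvocationTargetException e) {
            LOGGER.debug("Couldn't invoke method " + getterName + " on object " + source, e);
            return null;
        } catch (NoSuchMethodException e) {
            LOGGER.debug("Couldn't find method " + getterName + " in class " + source.getClass());
            return null;
        }
    }

    /**
     * Validates the base configuration and requires that a decoder was derived.
     *
     * @throws IllegalArgumentException if no trust source yielded a decoder
     */
    @Override // com.evolveum.midpoint.authentication.impl.module.configuration.ModuleWebSecurityConfigurationImpl
    public void validate() {
        super.validate();
        if (getDecoder() == null) {
            throw new IllegalArgumentException("Jwt decoder is null, please define public key, client secret, JWS uri or issuer uri in configuration of OIDC authentication module");
        }
    }

    /**
     * Creates the public-key decoder builder from a PEM certificate stored as a protected string.
     *
     * @return the builder, or {@code null} when no certificate is given
     * @throws OAuth2AuthenticationException if the certificate cannot be decrypted or parsed,
     *         or does not carry an RSA public key
     */
    private static NimbusJwtDecoder.PublicKeyJwtDecoderBuilder initializePublicKeyDecoderFromCertificate(ProtectedStringType protectedStringType) {
        if (protectedStringType == null) {
            return null;
        }
        try {
            PublicKey publicKey = getCertificate(protectedStringType, protector).getPublicKey();
            return NimbusJwtDecoder.withPublicKey(requireRsaPublicKey(publicKey, "Trusting asymmetric certificate"));
        } catch (EncryptionException | CertificateException | Base64Exception e) {
            throw new OAuth2AuthenticationException(new OAuth2Error(MISSING_KEY), "Unable get certificate", e);
        }
    }

    /**
     * Creates the public-key decoder builder from a certificate held in the configured keystore.
     *
     * @return the builder, or {@code null} when no keystore key is given
     * @throws OAuth2AuthenticationException if the keystore entry cannot be read or does not
     *         carry an RSA public key
     */
    private static NimbusJwtDecoder.PublicKeyJwtDecoderBuilder initializePublicKeyDecoderFromKeyStore(AbstractKeyStoreKeyType abstractKeyStoreKeyType) {
        if (abstractKeyStoreKeyType == null) {
            return null;
        }
        try {
            PublicKey publicKey = getCertificate(abstractKeyStoreKeyType, protector).getPublicKey();
            return NimbusJwtDecoder.withPublicKey(requireRsaPublicKey(publicKey, "Alias " + abstractKeyStoreKeyType.getKeyAlias()));
        } catch (EncryptionException | IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException e) {
            throw new OAuth2AuthenticationException(new OAuth2Error(MISSING_KEY), "Unable get certificate from " + abstractKeyStoreKeyType, e);
        }
    }

    /**
     * Narrows a public key to RSA, which is the only key type {@link NimbusJwtDecoder#withPublicKey} accepts.
     *
     * @param source description of where the key came from, used in the error message
     * @throws OAuth2AuthenticationException if the key is not an {@link RSAPublicKey}
     */
    private static RSAPublicKey requireRsaPublicKey(PublicKey publicKey, String source) {
        if (publicKey instanceof RSAPublicKey) {
            return (RSAPublicKey) publicKey;
        }
        throw new OAuth2AuthenticationException(new OAuth2Error(MISSING_KEY), source + " don't return public key of RSAPublicKey type.");
    }
}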
