package io.quarkus.oidc.runtime;

import io.quarkus.oidc.AccessTokenCredential;
import io.quarkus.oidc.AuthorizationCodeTokens;
import io.quarkus.oidc.OIDCException;
import io.quarkus.oidc.OidcTenantConfig;
import io.quarkus.oidc.RefreshToken;
import io.quarkus.oidc.TokenIntrospection;
import io.quarkus.oidc.TokenStateManager;
import io.quarkus.oidc.UserInfo;
import io.quarkus.oidc.common.runtime.OidcCommonUtils;
import io.quarkus.oidc.runtime.providers.KnownOidcProviders;
import io.quarkus.security.AuthenticationFailedException;
import io.quarkus.security.StringPermission;
import io.quarkus.security.credential.TokenCredential;
import io.quarkus.security.identity.AuthenticationRequestContext;
import io.quarkus.security.identity.request.TokenAuthenticationRequest;
import io.quarkus.security.runtime.QuarkusSecurityIdentity;
import io.quarkus.vertx.http.runtime.security.HttpSecurityUtils;
import io.smallrye.jwt.algorithm.ContentEncryptionAlgorithm;
import io.smallrye.jwt.algorithm.KeyEncryptionAlgorithm;
import io.smallrye.jwt.auth.principal.DefaultJWTCallerPrincipal;
import io.smallrye.mutiny.Uni;
import io.smallrye.mutiny.subscription.UniEmitter;
import io.vertx.core.Handler;
import io.vertx.core.MultiMap;
import io.vertx.core.http.Cookie;
import io.vertx.core.http.HttpHeaders;
import io.vertx.core.http.HttpMethod;
import io.vertx.core.http.HttpServerRequest;
import io.vertx.core.http.impl.ServerCookie;
import io.vertx.core.json.JsonArray;
import io.vertx.core.json.JsonObject;
import io.vertx.ext.web.RoutingContext;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Permission;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collection;
import java.util.Collections;
import java.util.Comparator;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.StringTokenizer;
import java.util.TreeMap;
import java.util.function.Consumer;
import java.util.function.Function;
import java.util.regex.Pattern;
import javax.crypto.SecretKey;
import org.eclipse.microprofile.jwt.Claims;
import org.jboss.logging.Logger;
import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwe.JsonWebEncryption;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.lang.JoseException;

/* loaded from: input_file:io/quarkus/oidc/runtime/OidcUtils.class */
public final class OidcUtils {
    // Attribute names under which the setSecurityIdentity*/setTenantIdAttribute helpers in this
    // class store values on the SecurityIdentity builder.
    public static final String CONFIG_METADATA_ATTRIBUTE = "configuration-metadata";
    public static final String USER_INFO_ATTRIBUTE = "userinfo";
    public static final String INTROSPECTION_ATTRIBUTE = "introspection";
    public static final String TENANT_ID_ATTRIBUTE = "tenant-id";
    // The three TENANT_ID_SET_BY_* keys are not referenced inside this class.
    public static final String TENANT_ID_SET_BY_ANNOTATION = "tenant-id-set-by-annotation";
    public static final String TENANT_ID_SET_BY_SESSION_COOKIE = "tenant-id-set-by-session-cookie";
    public static final String TENANT_ID_SET_BY_STATE_COOKIE = "tenant-id-set-by-state-cookie";
    // Tenant id for which getCookieSuffix adds no tenant suffix (unless a cookie suffix is configured).
    public static final String DEFAULT_TENANT_ID = "Default";
    // Base session cookie name; getSessionCookieName appends the tenant/cookie suffix to it.
    // The same string is also used as the routing-context key that records which cookie names
    // made up the session (see getSessionCookie and removeSessionCookie).
    public static final String SESSION_COOKIE_NAME = "q_session";
    // Markers used when a session value is spread over several cookies named
    // <session cookie name>_chunk_<index>.
    public static final String SESSION_COOKIE_CHUNK_START = "chunk_";
    public static final String SESSION_COOKIE_CHUNK = "_chunk_";
    // Suffixes that isSessionCookie uses to tell token cookies apart from the session cookie.
    public static final String ACCESS_TOKEN_COOKIE_SUFFIX = "_at";
    public static final String REFRESH_TOKEN_COOKIE_SUFFIX = "_rt";
    public static final String SESSION_AT_COOKIE_NAME = "q_session_at";
    public static final String SESSION_RT_COOKIE_NAME = "q_session_rt";
    public static final String STATE_COOKIE_NAME = "q_auth";
    public static final String POST_LOGOUT_COOKIE_NAME = "q_post_logout";
    // Separator used for scopes and for splitting string-valued role claims when none is configured.
    public static final String DEFAULT_SCOPE_SEPARATOR = " ";
    public static final String ANNOTATION_BASED_TENANT_RESOLUTION_ENABLED = "io.quarkus.oidc.runtime.select-tenants-with-annotation";
    static final String UNDERSCORE = "_";
    // Key of the TokenVerificationResult that validateAndCreateIdentity copies onto the identity.
    static final String CODE_ACCESS_TOKEN_RESULT = "code_flow_access_token_result";
    static final String COMMA = ",";
    // Routing-context key under which storeExtractedBearerToken keeps the raw bearer token.
    private static final String EXTRACTED_BEARER_TOKEN = "quarkus.oidc.extracted-bearer-token";
    // Identity attribute that receives the principal's expiration time.
    public static final String QUARKUS_IDENTITY_EXPIRE_TIME = "quarkus.identity.expire-time";
    private static final Logger LOG = Logger.getLogger(OidcUtils.class);
    // NOTE(review): presumably the per-cookie value limit that triggers chunking; it is not
    // used in this class - confirm against the code that writes the session cookie.
    public static final Integer MAX_COOKIE_VALUE_LENGTH = 4056;
    static final Uni<Void> VOID_UNI = Uni.createFrom().voidItem();
    static final BlockingTaskRunner<Void> deleteTokensRequestContext = new BlockingTaskRunner<>();
    // Matches a '/' that is followed by an even number of double quotes up to the end of the
    // input, i.e. a path separator that is not inside a quoted claim-path segment.
    private static final Pattern CLAIM_PATH_PATTERN = Pattern.compile("\\/(?=(?:(?:[^\"]*\"){2})*[^\"]*$)");

    // Static helpers only; the private constructor prevents instantiation.
    private OidcUtils() {
    }

    /**
     * Reads the tenant's session cookie value from the current request.
     *
     * <p>Delegates to {@link #getSessionCookie(Map, Map, OidcTenantConfig)} with the routing
     * context's data map and the request's cookie map.
     *
     * @param routingContext current request context
     * @param oidcTenantConfig tenant whose session cookie is looked up
     * @return the cookie value (re-assembled from chunks if needed), or {@code null} if absent
     */
    public static String getSessionCookie(RoutingContext routingContext, OidcTenantConfig oidcTenantConfig) {
        Map<String, Object> contextData = routingContext.data();
        Map<String, Cookie> requestCookies = routingContext.request().cookieMap();
        return getSessionCookie(contextData, requestCookies, oidcTenantConfig);
    }

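    /**
     * Finds the tenant's session cookie among the request cookies, joining chunk cookies when the
     * value was split across several of them.
     *
     * <p>The names of the cookies that made up the value are recorded in {@code map} under
     * {@link #SESSION_COOKIE_NAME} so that they can be removed later.
     *
     * <p>Cookie names and values come from the client. A cookie that merely starts with the chunk
     * prefix but does not end in an integer index is ignored instead of failing the request with a
     * {@link NumberFormatException}. The returned value is not verified here; callers must decrypt
     * or validate it before trusting it.
     *
     * @param map request-scoped data; receives the list of matched cookie names
     * @param map2 request cookies keyed by cookie name
     * @param oidcTenantConfig tenant whose session cookie is looked up
     * @return the session cookie value, or {@code null} if no matching cookie was sent
     */
    public static String getSessionCookie(Map<String, Object> map, Map<String, Cookie> map2, OidcTenantConfig oidcTenantConfig) {
        if (map2.isEmpty()) {
            return null;
        }
        String sessionCookieName = getSessionCookieName(oidcTenantConfig);
        if (map2.containsKey(sessionCookieName)) {
            map.put(SESSION_COOKIE_NAME, List.of(sessionCookieName));
            return map2.get(sessionCookieName).getValue();
        }
        String chunkPrefix = sessionCookieName + SESSION_COOKIE_CHUNK;
        // Chunks are ordered by the integer after the last underscore, not lexicographically,
        // so that chunk_10 sorts after chunk_9.
        TreeMap<String, String> chunks = new TreeMap<>(Comparator.comparingInt(
                (String name) -> Integer.parseInt(name.substring(name.lastIndexOf(UNDERSCORE) + 1))));
        for (Map.Entry<String, Cookie> entry : map2.entrySet()) {
            String cookieName = entry.getKey();
            if (!cookieName.startsWith(chunkPrefix)) {
                continue;
            }
            try {
                // Pre-validate the index: only names that parse reach the comparator above.
                Integer.parseInt(cookieName.substring(cookieName.lastIndexOf(UNDERSCORE) + 1));
            } catch (NumberFormatException e) {
                LOG.debug("Ignoring a session cookie chunk whose index is not a number");
                continue;
            }
            chunks.put(cookieName, entry.getValue().getValue());
        }
        if (chunks.isEmpty()) {
            return null;
        }
        map.put(SESSION_COOKIE_NAME, new ArrayList<>(chunks.keySet()));
        return String.join("", chunks.values());
    }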

    /**
     * Builds the session cookie name for a tenant: {@link #SESSION_COOKIE_NAME} followed by the
     * suffix computed by {@link #getCookieSuffix(OidcTenantConfig)}.
     *
     * @param oidcTenantConfig tenant configuration
     * @return the tenant-specific session cookie name
     */
    public static String getSessionCookieName(OidcTenantConfig oidcTenantConfig) {
        String tenantSuffix = getCookieSuffix(oidcTenantConfig);
        return SESSION_COOKIE_NAME + tenantSuffix;
    }

    /**
     * Computes the suffix appended to OIDC cookie names for a tenant.
     *
     * <p>With a configured cookie suffix the result is {@code _<tenantId>_<cookieSuffix>}. Without
     * one it is {@code _<tenantId>}, or the empty string for the default tenant.
     *
     * @param oidcTenantConfig tenant configuration; its {@code tenantId} must be present
     * @return the cookie name suffix, possibly empty
     */
    public static String getCookieSuffix(OidcTenantConfig oidcTenantConfig) {
        String tenantId = oidcTenantConfig.tenantId.get();
        if (oidcTenantConfig.authentication.cookieSuffix.isPresent()) {
            return UNDERSCORE + tenantId + UNDERSCORE + oidcTenantConfig.authentication.cookieSuffix.get();
        }
        if (DEFAULT_TENANT_ID.equals(tenantId)) {
            return "";
        }
        return UNDERSCORE + tenantId;
    }

    /**
     * Tells whether the tenant is a service application.
     *
     * @param oidcTenantConfig tenant configuration
     * @return {@code true} if the application type is SERVICE or is not set
     */
    public static boolean isServiceApp(OidcTenantConfig oidcTenantConfig) {
        // An unset application type counts as SERVICE.
        OidcTenantConfig.ApplicationType effectiveType = oidcTenantConfig.applicationType
                .orElse(OidcTenantConfig.ApplicationType.SERVICE);
        return OidcTenantConfig.ApplicationType.SERVICE.equals(effectiveType);
    }

    /**
     * Tells whether the tenant is a web application.
     *
     * @param oidcTenantConfig tenant configuration
     * @return {@code true} only if the application type is explicitly WEB_APP
     */
    public static boolean isWebApp(OidcTenantConfig oidcTenantConfig) {
        // An unset application type counts as SERVICE, so it never matches WEB_APP.
        OidcTenantConfig.ApplicationType effectiveType = oidcTenantConfig.applicationType
                .orElse(OidcTenantConfig.ApplicationType.SERVICE);
        return OidcTenantConfig.ApplicationType.WEB_APP.equals(effectiveType);
    }

    /**
     * Tells whether a token has the five dot-separated segments of a compact JWE.
     *
     * <p>This is a shape check only: nothing is decoded, decrypted or verified, and empty
     * segments are not counted.
     *
     * @param str token string, must not be {@code null}
     * @return {@code true} if the token has exactly five non-empty segments
     */
    public static boolean isEncryptedToken(String str) {
        StringTokenizer segments = new StringTokenizer(str, ".");
        int segmentCount = segments.countTokens();
        return segmentCount == 5;
    }

    /**
     * Tells whether a token lacks the three dot-separated segments of a signed compact JWT.
     *
     * <p>This is a shape check only. Anything that does not have exactly three non-empty segments
     * is reported as opaque, which includes five-segment encrypted tokens.
     *
     * @param str token string, must not be {@code null}
     * @return {@code true} if the token does not have exactly three non-empty segments
     */
    public static boolean isOpaqueToken(String str) {
        StringTokenizer segments = new StringTokenizer(str, ".");
        int segmentCount = segments.countTokens();
        return segmentCount != 3;
    }

    /**
     * Decodes the payload segment of a compact JWT into JSON.
     *
     * <p>The signature is not checked here, so the result is unverified input and must not be
     * used for authorization decisions until the token has been verified.
     *
     * @param str compact token string
     * @return the decoded payload, or {@code null} if the token does not have three segments or
     *         the payload is not valid Base64URL
     */
    public static JsonObject decodeJwtContent(String str) {
        String payloadSegment = getJwtContentPart(str);
        return payloadSegment == null ? null : decodeAsJsonObject(payloadSegment);
    }

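    /**
     * Decodes the payload segment of a compact JWT into a string.
     *
     * <p>The signature is not checked here, so the result is unverified input. A string without
     * any segment (empty, or made of dots only) yields {@code null} like every other malformed
     * token, instead of a {@link java.util.NoSuchElementException}.
     *
     * @param str compact token string, must not be {@code null}
     * @return the decoded payload, or {@code null} if the token does not have exactly three
     *         non-empty segments or the payload is not valid Base64URL
     */
    public static String decodeJwtContentAsString(String str) {
        StringTokenizer segments = new StringTokenizer(str, ".");
        if (segments.countTokens() != 3) {
            return null;
        }
        segments.nextToken(); // skip the header segment
        try {
            return base64UrlDecode(segments.nextToken());
        } catch (IllegalArgumentException e) {
            // The Base64 decoder rejects malformed input with IllegalArgumentException.
            return null;
        }
    }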

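    /**
     * Returns the still-encoded payload (second) segment of a compact JWT.
     *
     * <p>A string without any segment (empty, or made of dots only) yields {@code null} like
     * every other malformed token, instead of a {@link java.util.NoSuchElementException}.
     *
     * @param str compact token string, must not be {@code null}
     * @return the second segment, or {@code null} if the token does not have exactly three
     *         non-empty segments
     */
    public static String getJwtContentPart(String str) {
        StringTokenizer segments = new StringTokenizer(str, ".");
        if (segments.countTokens() != 3) {
            return null;
        }
        segments.nextToken(); // skip the header segment
        return segments.nextToken();
    }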

    /**
     * Base64URL-decodes a token segment and parses it as a JSON object.
     *
     * @param str encoded segment
     * @return the parsed object, or {@code null} if an {@link IllegalArgumentException} is raised
     */
    private static JsonObject decodeAsJsonObject(String str) {
        JsonObject decoded;
        try {
            decoded = new JsonObject(base64UrlDecode(str));
        } catch (IllegalArgumentException ignored) {
            // NOTE(review): only IllegalArgumentException is mapped to null; a JSON parsing
            // failure of another exception type would propagate to the caller - confirm.
            decoded = null;
        }
        return decoded;
    }

    /**
     * Decodes a Base64URL string and interprets the bytes as UTF-8 text.
     *
     * @param str Base64URL-encoded input
     * @return the decoded text
     * @throws IllegalArgumentException if the input is not valid Base64URL
     */
    private static String base64UrlDecode(String str) {
        byte[] rawBytes = Base64.getUrlDecoder().decode(str);
        return new String(rawBytes, StandardCharsets.UTF_8);
    }

    /**
     * Decodes the header (first) segment of a compact token into JSON.
     *
     * <p>The header is read without any verification, so values such as the algorithm or key id
     * are attacker-controlled until the token signature has been checked.
     *
     * @param str compact token string; must contain at least one non-empty segment
     * @return the decoded header, or {@code null} if the segment is not valid Base64URL
     */
    public static JsonObject decodeJwtHeaders(String str) {
        String headerSegment = new StringTokenizer(str, ".").nextToken();
        return decodeAsJsonObject(headerSegment);
    }

    /**
     * Decodes the header (first) segment of a compact token into a string.
     *
     * <p>The header is read without any verification and is therefore untrusted input.
     *
     * @param str compact token string; must contain at least one non-empty segment
     * @return the decoded header text
     * @throws IllegalArgumentException if the segment is not valid Base64URL
     */
    public static String decodeJwtHeadersAsString(String str) {
        String headerSegment = new StringTokenizer(str, ".").nextToken();
        return base64UrlDecode(headerSegment);
    }

    /**
     * Collects role names from token or user-info JSON.
     *
     * <p>When role claim paths are configured, only those paths are read. Otherwise the
     * {@code groups} claim is used, and if it yields nothing the {@code realm_access/roles} claim
     * plus, when a client id is given, {@code resource_access/<clientId>/roles}.
     *
     * @param str client id used for the {@code resource_access} lookup, may be {@code null}
     * @param roles role mapping configuration
     * @param jsonObject JSON to read the claims from
     * @return the roles found, possibly empty
     */
    public static List<String> findRoles(String str, OidcTenantConfig.Roles roles, JsonObject jsonObject) {
        if (roles.getRoleClaimPath().isPresent()) {
            List<String> configuredRoles = new LinkedList<>();
            for (String claimPath : roles.getRoleClaimPath().get()) {
                configuredRoles.addAll(findClaimWithRoles(roles, claimPath.trim(), jsonObject));
            }
            return configuredRoles;
        }

        List<String> groupRoles = findClaimWithRoles(roles, Claims.groups.name(), jsonObject);
        if (!groupRoles.isEmpty()) {
            return groupRoles;
        }

        // Fall back to the realm-level and, if a client id is known, the client-level roles.
        List<String> fallbackRoles = new LinkedList<>();
        fallbackRoles.addAll(findClaimWithRoles(roles, "realm_access/roles", jsonObject));
        if (str != null) {
            fallbackRoles.addAll(findClaimWithRoles(roles, "resource_access/" + str + "/roles", jsonObject));
        }
        return fallbackRoles;
    }

    /**
     * Reads one claim path and converts its value to a list of strings.
     *
     * <p>A JSON array is converted element by element. Any other non-null value is turned into a
     * string and split on the configured role claim separator, or on a space when none is set.
     * The separator is passed to {@link String#split(String)} and is therefore a regular
     * expression.
     *
     * @param roles role mapping configuration supplying the separator
     * @param str claim path
     * @param jsonObject JSON to read the claim from
     * @return the values found, or an empty list if the claim is missing or blank
     */
    private static List<String> findClaimWithRoles(OidcTenantConfig.Roles roles, String str, JsonObject jsonObject) {
        Object claimValue = findClaimValue(str, jsonObject, splitClaimPath(str), 0);
        if (claimValue == null) {
            return Collections.emptyList();
        }
        if (claimValue instanceof JsonArray) {
            return convertJsonArrayToList((JsonArray) claimValue);
        }
        String text = claimValue.toString();
        if (text.isBlank()) {
            return Collections.emptyList();
        }
        String separator = roles.getRoleClaimSeparator().orElse(DEFAULT_SCOPE_SEPARATOR);
        return Arrays.asList(text.split(separator));
    }

    /**
     * Splits a claim path into segments on '/' characters that are outside double quotes.
     *
     * @param str claim path
     * @return the segments, or the path itself as the only element when no '/' occurs after the
     *         first character
     */
    private static String[] splitClaimPath(String str) {
        if (str.indexOf('/') > 0) {
            return CLAIM_PATH_PATTERN.split(str);
        }
        return new String[] { str };
    }

    /**
     * Walks a claim path through nested JSON objects, starting at segment {@code i}.
     *
     * <p>Double quotes are stripped from each segment before the lookup.
     *
     * @param str full claim path, used in log messages only
     * @param jsonObject object in which the current segment is looked up
     * @param strArr path segments
     * @param i index of the current segment
     * @return the value found, or {@code null} if a segment is missing
     */
    private static Object findClaimValue(String str, JsonObject jsonObject, String[] strArr, int i) {
        String segment = strArr[i];
        Object value = jsonObject.getValue(segment.replace("\"", ""));
        if (value == null) {
            LOG.debugf("No claim exists at the path '%s' at the path segment '%s'", str, segment);
            return null;
        }
        boolean isLastSegment = i + 1 >= strArr.length;
        if (isLastSegment) {
            return value;
        }
        if (value instanceof JsonObject) {
            return findClaimValue(str, (JsonObject) value, strArr, i + 1);
        }
        LOG.debugf("Claim value at the path '%s' is not a json object", str);
        // NOTE(review): the non-object value found part-way along the path is still returned,
        // so a caller receives the value of a shorter path than it asked for - confirm intent.
        return value;
    }

    /**
     * Copies the non-blank string entries of a JSON array into a list.
     *
     * @param jsonArray array to read
     * @return the entries that are neither {@code null} nor blank, in array order
     */
    private static List<String> convertJsonArrayToList(JsonArray jsonArray) {
        int size = jsonArray.size();
        List<String> entries = new ArrayList<>(size);
        for (int index = 0; index < size; index++) {
            String entry = jsonArray.getString(index);
            if (entry == null || entry.isBlank()) {
                continue;
            }
            entries.add(entry);
        }
        return entries;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Builds the {@link QuarkusSecurityIdentity} for a token credential.
     *
     * <p>NOTE(review): nothing in this method checks the token signature, issuer or expiry; the
     * only failure handled is a claims-parsing error. Presumably the JSON arguments have been
     * verified by the caller - confirm before using this method on unverified token content.
     *
     * @param map request-scoped data; may hold {@link AuthorizationCodeTokens} under its class
     *        name and a {@code TokenVerificationResult} under {@code CODE_ACCESS_TOKEN_RESULT}
     * @param tokenCredential credential added to the identity; its token becomes the raw_token claim
     * @param tenantConfigContext tenant context supplying the OIDC configuration and provider
     * @param jsonObject JSON that is parsed into the principal's claims
     * @param jsonObject2 JSON from which roles and scope-based permissions are read
     * @param userInfo user info to attach, may be {@code null}
     * @param tokenIntrospection introspection result to attach, may be {@code null}
     * @param tokenAuthenticationRequest request from which the routing context is obtained
     * @return the built identity
     * @throws AuthenticationFailedException if the claims JSON cannot be parsed
     */
    public static QuarkusSecurityIdentity validateAndCreateIdentity(Map<String, Object> map, TokenCredential tokenCredential, TenantConfigContext tenantConfigContext, JsonObject jsonObject, JsonObject jsonObject2, UserInfo userInfo, TokenIntrospection tokenIntrospection, TokenAuthenticationRequest tokenAuthenticationRequest) {
        OidcTenantConfig oidcTenantConfig = tenantConfigContext.oidcConfig;
        QuarkusSecurityIdentity.Builder builder = QuarkusSecurityIdentity.builder();
        builder.addCredential(tokenCredential);
        // When code-flow tokens are available, expose the refresh and access tokens as
        // additional credentials on the identity.
        AuthorizationCodeTokens authorizationCodeTokens = (AuthorizationCodeTokens) map.get(AuthorizationCodeTokens.class.getName());
        if (authorizationCodeTokens != null) {
            RefreshToken refreshToken = new RefreshToken(authorizationCodeTokens.getRefreshToken());
            builder.addCredential(refreshToken);
            builder.addCredential(new AccessTokenCredential(authorizationCodeTokens.getAccessToken(), refreshToken));
        }
        try {
            JwtClaims parse = JwtClaims.parse(jsonObject.encode());
            // The raw token string is carried inside the claims, so it is reachable from the principal.
            parse.setClaim(Claims.raw_token.name(), tokenCredential.getToken());
            DefaultJWTCallerPrincipal oidcJwtCallerPrincipal = new OidcJwtCallerPrincipal(parse, tokenCredential, oidcTenantConfig.token.principalClaim.isPresent() ? oidcTenantConfig.token.principalClaim.get() : null);
            builder.addAttribute(QUARKUS_IDENTITY_EXPIRE_TIME, Long.valueOf(oidcJwtCallerPrincipal.getExpirationTime()));
            builder.setPrincipal(oidcJwtCallerPrincipal);
            RoutingContext routingContextAttribute = HttpSecurityUtils.getRoutingContextAttribute(tokenAuthenticationRequest);
            setRoutingContextAttribute(builder, routingContextAttribute);
            // Roles and permissions are taken from jsonObject2, not from the principal's claims JSON.
            setSecurityIdentityRoles(builder, oidcTenantConfig, jsonObject2);
            setSecurityIdentityPermissions(builder, oidcTenantConfig, jsonObject2);
            setSecurityIdentityUserInfo(builder, userInfo);
            setSecurityIdentityIntrospection(builder, tokenIntrospection);
            setSecurityIdentityConfigMetadata(builder, tenantConfigContext);
            setBlockingApiAttribute(builder, routingContextAttribute);
            setTenantIdAttribute(builder, oidcTenantConfig);
            TokenVerificationResult tokenVerificationResult = (TokenVerificationResult) map.get(CODE_ACCESS_TOKEN_RESULT);
            if (tokenVerificationResult != null) {
                builder.addAttribute(CODE_ACCESS_TOKEN_RESULT, tokenVerificationResult);
            }
            return builder.build();
        } catch (InvalidJwtException e) {
            // Malformed claims are reported as an authentication failure, with the cause kept.
            throw new AuthenticationFailedException(e);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Turns the values of the {@code scope} claim into permission checks on the identity.
     *
     * @param builder identity builder to extend
     * @param oidcTenantConfig tenant configuration supplying the claim separator
     * @param jsonObject JSON to read the {@code scope} claim from
     */
    public static void setSecurityIdentityPermissions(QuarkusSecurityIdentity.Builder builder, OidcTenantConfig oidcTenantConfig, JsonObject jsonObject) {
        List<String> scopes = findClaimWithRoles(oidcTenantConfig.getRoles(), "scope", jsonObject);
        addTokenScopesAsPermissions(builder, scopes);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Registers a permission checker that grants a permission when any of the given scopes
     * implies it. Nothing is registered for an empty collection.
     *
     * @param builder identity builder to extend
     * @param collection token scopes
     */
    public static void addTokenScopesAsPermissions(QuarkusSecurityIdentity.Builder builder, final Collection<String> collection) {
        if (collection.isEmpty()) {
            return;
        }
        // Converted once, up front, so every later check reuses the same array.
        final Permission[] grantedPermissions = transformScopesToPermissions(collection);
        Function<Permission, Uni<Boolean>> checker = requested -> {
            for (Permission granted : grantedPermissions) {
                if (granted.implies(requested)) {
                    return Uni.createFrom().item(Boolean.TRUE);
                }
            }
            return Uni.createFrom().item(Boolean.FALSE);
        };
        builder.addPermissionChecker(checker);
    }

    /**
     * Converts token scopes to {@link StringPermission}s.
     *
     * <p>A scope of the form {@code name:action}, with text on both sides of the first colon,
     * becomes a permission {@code name} with that single action. Any other scope becomes a
     * permission without actions.
     *
     * @param collection token scopes
     * @return one permission per scope, in iteration order
     */
    static Permission[] transformScopesToPermissions(Collection<String> collection) {
        Permission[] permissions = new Permission[collection.size()];
        int next = 0;
        for (String scope : collection) {
            int colon = scope.indexOf(':');
            boolean hasAction = colon > 0 && colon < scope.length() - 1;
            if (hasAction) {
                permissions[next] = new StringPermission(scope.substring(0, colon), new String[]{scope.substring(colon + 1)});
            } else {
                permissions[next] = new StringPermission(scope, new String[0]);
            }
            next++;
        }
        return permissions;
    }

    /**
     * Adds the roles found by {@link #findRoles} to the identity.
     *
     * @param builder identity builder to extend
     * @param oidcTenantConfig tenant configuration supplying the client id and role mapping
     * @param jsonObject JSON to read the role claims from
     */
    public static void setSecurityIdentityRoles(QuarkusSecurityIdentity.Builder builder, OidcTenantConfig oidcTenantConfig, JsonObject jsonObject) {
        String clientId = oidcTenantConfig.getClientId().isPresent() ? (String) oidcTenantConfig.getClientId().get() : null;
        for (String role : findRoles(clientId, oidcTenantConfig.getRoles(), jsonObject)) {
            builder.addRole(role);
        }
    }

    /**
     * Copies the {@link AuthenticationRequestContext} stored in the routing context onto the
     * identity, under the same class-name key. Does nothing without a routing context.
     *
     * @param builder identity builder to extend
     * @param routingContext current request context, may be {@code null}
     */
    public static void setBlockingApiAttribute(QuarkusSecurityIdentity.Builder builder, RoutingContext routingContext) {
        if (routingContext == null) {
            return;
        }
        builder.addAttribute(AuthenticationRequestContext.class.getName(),
                routingContext.get(AuthenticationRequestContext.class.getName()));
    }

    /**
     * Records the tenant id on the identity, using the default tenant id when none is set.
     *
     * @param builder identity builder to extend
     * @param oidcTenantConfig tenant configuration
     */
    public static void setTenantIdAttribute(QuarkusSecurityIdentity.Builder builder, OidcTenantConfig oidcTenantConfig) {
        String tenantId = oidcTenantConfig.tenantId.orElse(DEFAULT_TENANT_ID);
        builder.addAttribute(TENANT_ID_ATTRIBUTE, tenantId);
    }

    /**
     * Stores the routing context on the identity under the {@link RoutingContext} class name.
     *
     * @param builder identity builder to extend
     * @param routingContext current request context
     */
    public static void setRoutingContextAttribute(QuarkusSecurityIdentity.Builder builder, RoutingContext routingContext) {
        String attributeName = RoutingContext.class.getName();
        builder.addAttribute(attributeName, routingContext);
    }

    /**
     * Attaches the user info to the identity when one is available.
     *
     * @param builder identity builder to extend
     * @param userInfo user info, may be {@code null}
     */
    public static void setSecurityIdentityUserInfo(QuarkusSecurityIdentity.Builder builder, UserInfo userInfo) {
        if (userInfo == null) {
            return;
        }
        builder.addAttribute(USER_INFO_ATTRIBUTE, userInfo);
    }

    /**
     * Attaches the token introspection result to the identity when one is available.
     *
     * @param builder identity builder to extend
     * @param tokenIntrospection introspection result, may be {@code null}
     */
    public static void setSecurityIdentityIntrospection(QuarkusSecurityIdentity.Builder builder, TokenIntrospection tokenIntrospection) {
        if (tokenIntrospection == null) {
            return;
        }
        builder.addAttribute(INTROSPECTION_ATTRIBUTE, tokenIntrospection);
    }

    /**
     * Attaches the provider client's metadata to the identity when the provider has a client.
     *
     * @param builder identity builder to extend
     * @param tenantConfigContext tenant context holding the provider
     */
    public static void setSecurityIdentityConfigMetadata(QuarkusSecurityIdentity.Builder builder, TenantConfigContext tenantConfigContext) {
        if (tenantConfigContext.provider.client == null) {
            return;
        }
        builder.addAttribute(CONFIG_METADATA_ATTRIBUTE, tenantConfigContext.provider.client.getMetadata());
    }

    /**
     * Rejects a token whose {@code typ} value is not acceptable as a primary token.
     *
     * <p>The check applies only when {@code typ} is present: JSON without a {@code typ} key
     * passes even if a token type is configured.
     *
     * @param token token configuration, optionally naming the required token type
     * @param jsonObject JSON to read {@code typ} from
     * @throws OIDCException if {@code typ} differs from the configured type or is {@code Refresh}
     */
    public static void validatePrimaryJwtTokenType(OidcTenantConfig.Token token, JsonObject jsonObject) {
        if (!jsonObject.containsKey("typ")) {
            return;
        }
        String actualType = jsonObject.getString("typ");
        boolean typeMismatch = token.getTokenType().isPresent() && !token.getTokenType().get().equals(actualType);
        if (typeMismatch) {
            throw new OIDCException("Invalid token type");
        }
        if ("Refresh".equals(actualType)) {
            throw new OIDCException("Refresh token can only be used with the refresh token grant");
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
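    /**
     * Expires every cookie recorded as part of the session and asks the token state manager to
     * delete the tokens held in the re-joined cookie value.
     *
     * <p>The cookie names are those stored in the routing context under
     * {@link #SESSION_COOKIE_NAME}. A recorded name whose cookie is no longer present contributes
     * nothing to the value, rather than the literal text "null".
     *
     * @param routingContext current request context
     * @param oidcTenantConfig tenant configuration
     * @param tokenStateManager manager asked to delete the token state
     * @return the manager's completion, or a completed Uni when no session cookie was recorded
     */
    public static Uni<Void> removeSessionCookie(RoutingContext routingContext, OidcTenantConfig oidcTenantConfig, TokenStateManager tokenStateManager) {
        List<String> cookieNames = routingContext.get(SESSION_COOKIE_NAME);
        if (cookieNames == null) {
            return VOID_UNI;
        }
        LOG.debugf("Remove session cookie names: %s", cookieNames);
        StringBuilder sessionValue = new StringBuilder();
        for (String cookieName : cookieNames) {
            String chunk = removeCookie(routingContext, oidcTenantConfig, cookieName);
            // removeCookie returns null for a missing cookie; appending it would add "null".
            if (chunk != null) {
                sessionValue.append(chunk);
            }
        }
        return tokenStateManager.deleteTokens(routingContext, oidcTenantConfig, sessionValue.toString(), deleteTokensRequestContext);
    }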

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Expires the named request cookie, if present, and returns the value it had.
     *
     * @param routingContext current request context
     * @param oidcTenantConfig tenant configuration supplying cookie path and domain
     * @param str cookie name
     * @return the cookie's previous value, or {@code null} if no such cookie exists
     */
    public static String removeCookie(RoutingContext routingContext, OidcTenantConfig oidcTenantConfig, String str) {
        ServerCookie cookie = (ServerCookie) routingContext.cookieMap().get(str);
        if (cookie == null) {
            return null;
        }
        // Read the value first: expiring the cookie blanks it.
        String previousValue = cookie.getValue();
        removeCookie(routingContext, cookie, oidcTenantConfig);
        return previousValue;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Expires a cookie: blanks its value, sets max-age to zero and applies the tenant's cookie
     * path and, when configured, cookie domain. Does nothing for a {@code null} cookie.
     *
     * @param routingContext current request context
     * @param serverCookie cookie to expire, may be {@code null}
     * @param oidcTenantConfig tenant configuration supplying cookie path and domain
     */
    public static void removeCookie(RoutingContext routingContext, ServerCookie serverCookie, OidcTenantConfig oidcTenantConfig) {
        if (serverCookie == null) {
            return;
        }
        serverCookie.setValue("");
        serverCookie.setMaxAge(0L);
        OidcTenantConfig.Authentication authConfig = oidcTenantConfig.getAuthentication();
        // Path and domain are set the same way as elsewhere so the browser matches the cookie.
        setCookiePath(routingContext, authConfig, serverCookie);
        if (authConfig.cookieDomain.isPresent()) {
            serverCookie.setDomain(authConfig.cookieDomain.get());
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Sets the cookie path from the configured request header when the request carries it,
     * otherwise from the configured cookie path.
     *
     * <p>The header value is used as the path without validation in this method.
     * NOTE(review): this assumes the header is set or stripped by a trusted proxy; if clients
     * can send it directly they choose the Path attribute of the cookie - confirm deployment.
     *
     * @param routingContext current request context
     * @param authentication authentication configuration
     * @param serverCookie cookie whose path is set
     */
    public static void setCookiePath(RoutingContext routingContext, OidcTenantConfig.Authentication authentication, ServerCookie serverCookie) {
        boolean pathHeaderSent = authentication.cookiePathHeader.isPresent()
                && routingContext.request().headers().contains(authentication.cookiePathHeader.get());
        String cookiePath = pathHeaderSent
                ? routingContext.request().getHeader(authentication.cookiePathHeader.get())
                : authentication.getCookiePath();
        serverCookie.setPath(cookiePath);
    }

    /**
     * Fills the unset optional properties of the first configuration from the second one.
     *
     * <p>The first argument is modified in place and returned. A property that is already set on
     * it is never overwritten. Only the properties listed in the body are merged.
     *
     * @param oidcTenantConfig configuration to complete; must have a tenant id
     * @param oidcTenantConfig2 configuration supplying the fallback values
     * @return the first argument, after merging
     * @throws IllegalStateException if the first configuration has no tenant id
     */
    static OidcTenantConfig mergeTenantConfig(OidcTenantConfig oidcTenantConfig, OidcTenantConfig oidcTenantConfig2) {
        if (oidcTenantConfig.tenantId.isEmpty()) {
            throw new IllegalStateException();
        }
        // Server location, application type and endpoint paths.
        if (oidcTenantConfig.authServerUrl.isEmpty()) {
            oidcTenantConfig.authServerUrl = oidcTenantConfig2.authServerUrl;
        }
        if (oidcTenantConfig.applicationType.isEmpty()) {
            oidcTenantConfig.applicationType = oidcTenantConfig2.applicationType;
        }
        if (oidcTenantConfig.discoveryEnabled.isEmpty()) {
            oidcTenantConfig.discoveryEnabled = oidcTenantConfig2.discoveryEnabled;
        }
        if (oidcTenantConfig.authorizationPath.isEmpty()) {
            oidcTenantConfig.authorizationPath = oidcTenantConfig2.authorizationPath;
        }
        if (oidcTenantConfig.jwksPath.isEmpty()) {
            oidcTenantConfig.jwksPath = oidcTenantConfig2.jwksPath;
        }
        if (oidcTenantConfig.tokenPath.isEmpty()) {
            oidcTenantConfig.tokenPath = oidcTenantConfig2.tokenPath;
        }
        if (oidcTenantConfig.userInfoPath.isEmpty()) {
            oidcTenantConfig.userInfoPath = oidcTenantConfig2.userInfoPath;
        }
        // Authentication (code flow) settings.
        if (oidcTenantConfig.authentication.idTokenRequired.isEmpty()) {
            oidcTenantConfig.authentication.idTokenRequired = oidcTenantConfig2.authentication.idTokenRequired;
        }
        if (oidcTenantConfig.authentication.userInfoRequired.isEmpty()) {
            oidcTenantConfig.authentication.userInfoRequired = oidcTenantConfig2.authentication.userInfoRequired;
        }
        if (oidcTenantConfig.authentication.pkceRequired.isEmpty()) {
            oidcTenantConfig.authentication.pkceRequired = oidcTenantConfig2.authentication.pkceRequired;
        }
        if (oidcTenantConfig.authentication.scopes.isEmpty()) {
            oidcTenantConfig.authentication.scopes = oidcTenantConfig2.authentication.scopes;
        }
        if (oidcTenantConfig.authentication.scopeSeparator.isEmpty()) {
            oidcTenantConfig.authentication.scopeSeparator = oidcTenantConfig2.authentication.scopeSeparator;
        }
        if (oidcTenantConfig.authentication.addOpenidScope.isEmpty()) {
            oidcTenantConfig.authentication.addOpenidScope = oidcTenantConfig2.authentication.addOpenidScope;
        }
        if (oidcTenantConfig.authentication.forceRedirectHttpsScheme.isEmpty()) {
            oidcTenantConfig.authentication.forceRedirectHttpsScheme = oidcTenantConfig2.authentication.forceRedirectHttpsScheme;
        }
        if (oidcTenantConfig.authentication.responseMode.isEmpty()) {
            oidcTenantConfig.authentication.responseMode = oidcTenantConfig2.authentication.responseMode;
        }
        if (oidcTenantConfig.authentication.redirectPath.isEmpty()) {
            oidcTenantConfig.authentication.redirectPath = oidcTenantConfig2.authentication.redirectPath;
        }
        // Client credential settings.
        if (oidcTenantConfig.credentials.clientSecret.method.isEmpty()) {
            oidcTenantConfig.credentials.clientSecret.method = oidcTenantConfig2.credentials.clientSecret.method;
        }
        if (oidcTenantConfig.credentials.jwt.audience.isEmpty()) {
            oidcTenantConfig.credentials.jwt.audience = oidcTenantConfig2.credentials.jwt.audience;
        }
        if (oidcTenantConfig.credentials.jwt.signatureAlgorithm.isEmpty()) {
            oidcTenantConfig.credentials.jwt.signatureAlgorithm = oidcTenantConfig2.credentials.jwt.signatureAlgorithm;
        }
        // Token verification settings.
        if (oidcTenantConfig.token.issuer.isEmpty()) {
            oidcTenantConfig.token.issuer = oidcTenantConfig2.token.issuer;
        }
        if (oidcTenantConfig.token.principalClaim.isEmpty()) {
            oidcTenantConfig.token.principalClaim = oidcTenantConfig2.token.principalClaim;
        }
        if (oidcTenantConfig.token.verifyAccessTokenWithUserInfo.isEmpty()) {
            oidcTenantConfig.token.verifyAccessTokenWithUserInfo = oidcTenantConfig2.token.verifyAccessTokenWithUserInfo;
        }
        return oidcTenantConfig;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Completes a tenant configuration with the defaults of its well-known provider, if one is
     * named.
     *
     * @param oidcTenantConfig tenant configuration, may be {@code null}
     * @return the same configuration, merged with the provider defaults when a provider is set
     */
    public static OidcTenantConfig resolveProviderConfig(OidcTenantConfig oidcTenantConfig) {
        if (oidcTenantConfig == null || !oidcTenantConfig.provider.isPresent()) {
            return oidcTenantConfig;
        }
        OidcTenantConfig providerDefaults = KnownOidcProviders.provider(oidcTenantConfig.provider.get());
        return mergeTenantConfig(oidcTenantConfig, providerDefaults);
    }

    /**
     * Computes the SHA-256 digest of the given bytes.
     *
     * <p>This is a plain, unkeyed and unsalted hash.
     *
     * @param bArr input bytes
     * @return the 32-byte digest
     * @throws NoSuchAlgorithmException if the platform provides no SHA-256 implementation
     */
    public static byte[] getSha256Digest(byte[] bArr) throws NoSuchAlgorithmException {
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        return sha256.digest(bArr);
    }

    /**
     * Encrypts the encoded form of a JSON object with the default key-management algorithm.
     *
     * @param jsonObject JSON to encrypt
     * @param secretKey encryption key
     * @return the encrypted compact serialization
     * @throws Exception if encryption fails
     */
    public static String encryptJson(JsonObject jsonObject, SecretKey secretKey) throws Exception {
        String plaintext = jsonObject.encode();
        return encryptString(plaintext, secretKey);
    }

    /**
     * Encrypts a string using {@code A256GCMKW} as the key-management algorithm.
     *
     * @param str plaintext
     * @param secretKey encryption key
     * @return the encrypted compact serialization
     * @throws Exception if encryption fails
     */
    public static String encryptString(String str, SecretKey secretKey) throws Exception {
        KeyEncryptionAlgorithm defaultAlgorithm = KeyEncryptionAlgorithm.A256GCMKW;
        return encryptString(str, secretKey, defaultAlgorithm);
    }

    /**
     * Encrypts a string as a compact JWE with {@code A256GCM} content encryption and the given
     * key-management algorithm.
     *
     * @param str plaintext
     * @param secretKey encryption key
     * @param keyEncryptionAlgorithm key-management algorithm written to the {@code alg} header
     * @return the JWE compact serialization
     * @throws Exception if encryption fails
     */
    public static String encryptString(String str, SecretKey secretKey, KeyEncryptionAlgorithm keyEncryptionAlgorithm) throws Exception {
        JsonWebEncryption jwe = new JsonWebEncryption();
        jwe.setPlaintext(str);
        jwe.setKey(secretKey);
        jwe.setAlgorithmHeaderValue(keyEncryptionAlgorithm.getAlgorithm());
        jwe.setEncryptionMethodHeaderParameter(ContentEncryptionAlgorithm.A256GCM.getAlgorithm());
        return jwe.getCompactSerialization();
    }

    /**
     * Decrypts a compact JWE with the default key-management algorithm and parses the plaintext
     * as a JSON object.
     *
     * @param str JWE compact serialization
     * @param key decryption key
     * @return the decrypted JSON object
     * @throws Exception if decryption or parsing fails
     */
    public static JsonObject decryptJson(String str, Key key) throws Exception {
        String plaintext = decryptString(str, key);
        return new JsonObject(plaintext);
    }

    /**
     * Decrypts a compact JWE, accepting only {@code A256GCMKW} as the key-management algorithm.
     *
     * @param str JWE compact serialization
     * @param key decryption key
     * @return the plaintext
     * @throws Exception if decryption fails
     */
    public static String decryptString(String str, Key key) throws Exception {
        KeyEncryptionAlgorithm defaultAlgorithm = KeyEncryptionAlgorithm.A256GCMKW;
        return decryptString(str, key, defaultAlgorithm);
    }

    /**
     * Decrypts a compact JWE, accepting only the given key-management algorithm.
     *
     * <p>Pinning the algorithm keeps the token's own {@code alg} header from selecting a
     * different key-management algorithm.
     * NOTE(review): only {@code alg} is constrained here; whether the content-encryption
     * algorithm ({@code enc}) should be pinned too depends on what callers decrypt - confirm.
     *
     * @param str JWE compact serialization
     * @param key decryption key
     * @param keyEncryptionAlgorithm the only key-management algorithm that is permitted
     * @return the plaintext
     * @throws JoseException if the token is malformed, uses another algorithm or cannot be decrypted
     */
    public static String decryptString(String str, Key key, KeyEncryptionAlgorithm keyEncryptionAlgorithm) throws JoseException {
        AlgorithmConstraints permittedAlgorithms = new AlgorithmConstraints(
                AlgorithmConstraints.ConstraintType.PERMIT, new String[]{keyEncryptionAlgorithm.getAlgorithm()});
        JsonWebEncryption jwe = new JsonWebEncryption();
        jwe.setAlgorithmConstraints(permittedAlgorithms);
        jwe.setKey(key);
        jwe.setCompactSerialization(str);
        return jwe.getPlaintextString();
    }

    /**
     * Tells whether the request is a POST whose Content-Type is
     * {@code application/x-www-form-urlencoded}, optionally followed by parameters.
     *
     * <p>The media type is compared case-sensitively and a parameter must follow the type
     * directly after a {@code ;}.
     *
     * @param routingContext current request context
     * @return {@code true} for a form-encoded POST request
     */
    public static boolean isFormUrlEncodedRequest(RoutingContext routingContext) {
        String contentType = routingContext.request().getHeader("Content-Type");
        if (routingContext.request().method() != HttpMethod.POST || contentType == null) {
            return false;
        }
        if (contentType.equals(HttpHeaders.APPLICATION_X_WWW_FORM_URLENCODED.toString())) {
            return true;
        }
        return contentType.startsWith(HttpHeaders.APPLICATION_X_WWW_FORM_URLENCODED.toString() + ";");
    }

    /**
     * Reads the form attributes of the request once its body has been fully received.
     *
     * <p>The request is switched to expect form data immediately; the end handler is installed
     * and the request resumed when the returned Uni is subscribed to.
     *
     * @param routingContext current request context
     * @return a Uni completing with the request's form attributes
     */
    public static Uni<MultiMap> getFormUrlEncodedData(final RoutingContext routingContext) {
        routingContext.request().setExpectMultipart(true);
        return Uni.createFrom().<MultiMap>emitter(emitter -> {
            routingContext.request().endHandler(
                    bodyEnd -> emitter.complete(routingContext.request().formAttributes()));
            // The handler is in place, so the paused request can deliver its body now.
            routingContext.request().resume();
        });
    }

    /**
     * Joins all scopes of the tenant with the configured separator (a space by default) and
     * URL-encodes the result.
     *
     * @param oidcTenantConfig tenant configuration
     * @return the URL-encoded scope string
     */
    public static String encodeScopes(OidcTenantConfig oidcTenantConfig) {
        String separator = oidcTenantConfig.authentication.scopeSeparator.orElse(DEFAULT_SCOPE_SEPARATOR);
        String joinedScopes = String.join(separator, getAllScopes(oidcTenantConfig));
        return OidcCommonUtils.urlEncode(joinedScopes);
    }

    /**
     * Lists every scope requested for the tenant: {@code openid} unless disabled, then the
     * configured scopes, then the comma-separated values of the {@code scope} extra parameter.
     *
     * @param oidcTenantConfig tenant configuration
     * @return a new list with the scopes in that order
     */
    public static List<String> getAllScopes(OidcTenantConfig oidcTenantConfig) {
        List<String> configuredScopes = oidcTenantConfig.getAuthentication().scopes.isPresent()
                ? oidcTenantConfig.getAuthentication().scopes.get()
                : Collections.emptyList();
        List<String> allScopes = new ArrayList<>(configuredScopes.size() + 1);
        boolean addOpenid = oidcTenantConfig.getAuthentication().addOpenidScope.orElse(true).booleanValue();
        if (addOpenid) {
            allScopes.add("openid");
        }
        allScopes.addAll(configuredScopes);
        String extraScopes = oidcTenantConfig.getAuthentication().getExtraParams().get("scope");
        if (extraScopes != null) {
            allScopes.addAll(List.of(extraScopes.split(COMMA)));
        }
        return allScopes;
    }

    /**
     * Tells whether a cookie name denotes a session cookie rather than an access-token or
     * refresh-token cookie.
     *
     * <p>NOTE(review): only the three characters after the base name are compared, so a name
     * whose tenant suffix merely begins with {@code at} or {@code rt} is also treated as a
     * token cookie - confirm that tenant ids cannot collide with these suffixes.
     *
     * @param str cookie name
     * @return {@code true} if the name starts with the session cookie base name and is not
     *         followed by the access-token or refresh-token suffix
     */
    public static boolean isSessionCookie(String str) {
        if (!str.startsWith(SESSION_COOKIE_NAME)) {
            return false;
        }
        int suffixStart = SESSION_COOKIE_NAME.length();
        boolean accessTokenCookie = str.regionMatches(suffixStart, ACCESS_TOKEN_COOKIE_SUFFIX, 0, 3);
        if (accessTokenCookie) {
            return false;
        }
        return !str.regionMatches(suffixStart, REFRESH_TOKEN_COOKIE_SUFFIX, 0, 3);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Extracts the bearer token from the configured token header, or from {@code Authorization}
     * when no header is configured.
     *
     * <p>A token previously stored with {@link #storeExtractedBearerToken} is returned as is.
     * Otherwise the header value is split at the first space: the part before it must match the
     * configured authorization scheme, ignoring case. A custom header without a scheme is
     * returned whole; an {@code Authorization} header without a scheme yields {@code null}.
     * The returned token is unverified.
     *
     * @param routingContext current request context
     * @param oidcTenantConfig tenant configuration naming the header and scheme
     * @return the token, or {@code null} if the header is absent or the scheme does not match
     */
    public static String extractBearerToken(RoutingContext routingContext, OidcTenantConfig oidcTenantConfig) {
        if (routingContext.get(EXTRACTED_BEARER_TOKEN) != null) {
            return (String) routingContext.get(EXTRACTED_BEARER_TOKEN);
        }
        String headerName = oidcTenantConfig.token.header.isPresent()
                ? oidcTenantConfig.token.header.get()
                : HttpHeaders.AUTHORIZATION.toString();
        LOG.debugf("Looking for a token in the %s header", headerName);
        String headerValue = routingContext.request().headers().get(headerName);
        if (headerValue == null) {
            return null;
        }
        int firstSpace = headerValue.indexOf(' ');
        if (firstSpace <= 0) {
            // No scheme: only a custom header may carry the bare token.
            boolean isAuthorizationHeader = headerName.equalsIgnoreCase(HttpHeaders.AUTHORIZATION.toString());
            return isAuthorizationHeader ? null : headerValue;
        }
        String scheme = headerValue.substring(0, firstSpace);
        LOG.debugf("Authorization scheme: %s", scheme);
        if (!oidcTenantConfig.token.authorizationScheme.equalsIgnoreCase(scheme)) {
            return null;
        }
        return headerValue.substring(firstSpace + 1);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Keeps an extracted bearer token in the routing context so that
     * {@link #extractBearerToken} returns it without re-reading the header.
     *
     * @param routingContext current request context
     * @param str raw bearer token
     */
    public static void storeExtractedBearerToken(RoutingContext routingContext, String str) {
        final String contextKey = EXTRACTED_BEARER_TOKEN;
        routingContext.put(contextKey, str);
    }

    /**
     * Derives the tenant id from a cookie name of the form {@code <base>_<tenantId>[_...]}.
     *
     * <p>The cookie name is supplied by the client, so the result is only a hint for selecting
     * a tenant configuration and proves nothing about the caller.
     *
     * @param str base cookie name
     * @param str2 full cookie name, starting with the base name
     * @param z whether the name may be a session cookie chunk; if so, a suffix starting with
     *        {@code chunk_} means the default tenant
     * @return the tenant id, or the default tenant id when the name carries no tenant suffix
     */
    public static String getTenantIdFromCookie(String str, String str2, boolean z) {
        if (str2.length() == str.length()) {
            return DEFAULT_TENANT_ID;
        }
        // Skip the base name and the underscore that follows it.
        String suffix = str2.substring(str.length() + 1);
        if (z && suffix.startsWith(SESSION_COOKIE_CHUNK_START)) {
            return DEFAULT_TENANT_ID;
        }
        int underscore = suffix.indexOf(UNDERSCORE);
        if (underscore < 0) {
            return suffix;
        }
        return suffix.substring(0, underscore);
    }

    /**
     * Decides whether user info should be cached inside the ID token.
     *
     * <p>It never is when a user-info cache exists and the tenant allows using it. Otherwise the
     * explicit tenant setting wins; without one, caching is enabled only when the default token
     * state manager is in use and token state encryption is required.
     *
     * @param defaultTenantConfigResolver resolver giving access to the user-info cache and the
     *        token state manager
     * @param oidcTenantConfig tenant configuration
     * @return {@code true} if user info should be cached in the ID token
     */
    public static boolean cacheUserInfoInIdToken(DefaultTenantConfigResolver defaultTenantConfigResolver, OidcTenantConfig oidcTenantConfig) {
        boolean userInfoCacheUsable = defaultTenantConfigResolver.getUserInfoCache() != null
                && oidcTenantConfig.allowUserInfoCache;
        if (userInfoCacheUsable) {
            return false;
        }
        if (oidcTenantConfig.cacheUserInfoInIdtoken.isPresent()) {
            return oidcTenantConfig.cacheUserInfoInIdtoken.get().booleanValue();
        }
        boolean defaultManager = defaultTenantConfigResolver.getTokenStateManager() instanceof DefaultTokenStateManager;
        return defaultManager && oidcTenantConfig.tokenStateManager.encryptionRequired;
    }
}
