package io.quarkus.oidc.runtime;

import io.quarkus.oidc.AuthorizationCodeTokens;
import io.quarkus.oidc.OidcRequestContext;
import io.quarkus.oidc.OidcTenantConfig;
import io.quarkus.oidc.TokenStateManager;
import io.quarkus.security.AuthenticationFailedException;
import io.smallrye.mutiny.Uni;
import io.smallrye.mutiny.groups.UniCreate;
import io.vertx.core.http.impl.ServerCookie;
import io.vertx.ext.web.RoutingContext;
import javax.enterprise.context.ApplicationScoped;

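/**
 * Default {@link TokenStateManager} that keeps the authorization code flow tokens on the client:
 * the ID token (and, depending on the configured strategy, the access and refresh tokens) are
 * either joined into the session cookie value returned by {@link #createTokenState} or written to
 * dedicated {@code q_session_at} / {@code q_session_rt} cookies when {@code splitTokens} is set.
 *
 * <p>Security notes for reviewers:
 * <ul>
 * <li>Tokens are only encrypted when {@code tokenStateManager.encryptionRequired} is present and
 * {@code true}. When it is absent the tokens are stored in the cookies as-is, so their
 * confidentiality rests entirely on the cookie attributes applied by
 * {@code CodeAuthenticationMechanism.createCookie} (not visible in this class) and on transport
 * security. Deployments that keep access or refresh tokens should enable encryption.</li>
 * <li>The token state handed to {@link #getTokens} comes from a client-supplied cookie and is
 * treated as untrusted: a value with fewer delimited parts than the strategy requires is rejected
 * with {@link AuthenticationFailedException} instead of surfacing as an
 * {@link ArrayIndexOutOfBoundsException}.</li>
 * </ul>
 */
@ApplicationScoped
public class DefaultTokenStateManager implements TokenStateManager {
    private static final String SESSION_AT_COOKIE_NAME = "q_session_at";
    private static final String SESSION_RT_COOKIE_NAME = "q_session_rt";
    /** Routing context key under which the session max age is expected as a {@code Long}. */
    private static final String SESSION_MAX_AGE_PARAM = "session-max-age";
    /** Separator between the tokens in the session cookie value; presumably matched by COOKIE_PATTERN. */
    private static final String TOKEN_DELIMITER = "|";

    /**
     * Builds the session cookie value for freshly acquired tokens and, when tokens are split,
     * creates the additional access/refresh token cookies on the response.
     *
     * @param routingContext current request; must carry the session max age and, when encryption
     *        is required, the {@code TenantConfigContext}
     * @param oidcTenantConfig tenant configuration selecting strategy, splitting and encryption
     * @param authorizationCodeTokens tokens returned by the code flow
     * @param oidcRequestContext unused by this implementation
     * @return the token state to store in the session cookie
     * @throws AuthenticationFailedException if encryption is required and fails
     */
    @Override
    public Uni<String> createTokenState(RoutingContext routingContext, OidcTenantConfig oidcTenantConfig,
            AuthorizationCodeTokens authorizationCodeTokens, OidcRequestContext<String> oidcRequestContext) {
        StringBuilder state = new StringBuilder();
        state.append(encryptToken(authorizationCodeTokens.getIdToken(), routingContext, oidcTenantConfig));

        OidcTenantConfig.TokenStateManager.Strategy strategy = oidcTenantConfig.tokenStateManager.strategy;
        boolean splitTokens = oidcTenantConfig.tokenStateManager.splitTokens;

        if (strategy == OidcTenantConfig.TokenStateManager.Strategy.KEEP_ALL_TOKENS) {
            if (splitTokens) {
                createTokenCookie(routingContext, oidcTenantConfig, getAccessTokenCookieName(oidcTenantConfig),
                        authorizationCodeTokens.getAccessToken());
                if (authorizationCodeTokens.getRefreshToken() != null) {
                    createTokenCookie(routingContext, oidcTenantConfig, getRefreshTokenCookieName(oidcTenantConfig),
                            authorizationCodeTokens.getRefreshToken());
                }
            } else {
                // NOTE(review): with encryption off, a null refresh token is appended as the
                // literal text "null" and getTokens() will later return that text as the
                // refresh token. Left as-is because changing it alters the cookie format.
                state.append(TOKEN_DELIMITER)
                        .append(encryptToken(authorizationCodeTokens.getAccessToken(), routingContext, oidcTenantConfig))
                        .append(TOKEN_DELIMITER)
                        .append(encryptToken(authorizationCodeTokens.getRefreshToken(), routingContext, oidcTenantConfig));
            }
        } else if (strategy == OidcTenantConfig.TokenStateManager.Strategy.ID_REFRESH_TOKENS) {
            if (!splitTokens) {
                // The access token slot is kept empty so the refresh token stays at index 2.
                state.append(TOKEN_DELIMITER)
                        .append("")
                        .append(TOKEN_DELIMITER)
                        .append(encryptToken(authorizationCodeTokens.getRefreshToken(), routingContext, oidcTenantConfig));
            } else if (authorizationCodeTokens.getRefreshToken() != null) {
                createTokenCookie(routingContext, oidcTenantConfig, getRefreshTokenCookieName(oidcTenantConfig),
                        authorizationCodeTokens.getRefreshToken());
            }
        }
        // The decompiled listing cast the item to UniCreate, which cannot hold for a String.
        return Uni.createFrom().item(state.toString());
    }

    /**
     * Restores the tokens from the session cookie value and, when tokens are split, from the
     * dedicated access/refresh token cookies of the current request.
     *
     * @param routingContext current request
     * @param oidcTenantConfig tenant configuration selecting strategy, splitting and encryption
     * @param str token state read from the session cookie (client-controlled)
     * @param oidcRequestContext unused by this implementation
     * @return the recovered tokens; access and refresh tokens are {@code null} when not kept
     * @throws AuthenticationFailedException if the state has too few parts or decryption fails
     */
    @Override
    public Uni<AuthorizationCodeTokens> getTokens(RoutingContext routingContext, OidcTenantConfig oidcTenantConfig,
            String str, OidcRequestContext<AuthorizationCodeTokens> oidcRequestContext) {
        String[] parts = CodeAuthenticationMechanism.COOKIE_PATTERN.split(str);
        String idToken = decryptToken(sessionCookiePart(parts, 0), routingContext, oidcTenantConfig);
        String accessToken = null;
        String refreshToken = null;

        OidcTenantConfig.TokenStateManager.Strategy strategy = oidcTenantConfig.tokenStateManager.strategy;
        boolean splitTokens = oidcTenantConfig.tokenStateManager.splitTokens;

        if (strategy == OidcTenantConfig.TokenStateManager.Strategy.KEEP_ALL_TOKENS) {
            if (splitTokens) {
                ServerCookie accessTokenCookie = getAccessTokenCookie(routingContext, oidcTenantConfig);
                if (accessTokenCookie != null) {
                    accessToken = decryptToken(accessTokenCookie.getValue(), routingContext, oidcTenantConfig);
                }
                ServerCookie refreshTokenCookie = getRefreshTokenCookie(routingContext, oidcTenantConfig);
                if (refreshTokenCookie != null) {
                    refreshToken = decryptToken(refreshTokenCookie.getValue(), routingContext, oidcTenantConfig);
                }
            } else {
                accessToken = decryptToken(sessionCookiePart(parts, 1), routingContext, oidcTenantConfig);
                refreshToken = decryptToken(sessionCookiePart(parts, 2), routingContext, oidcTenantConfig);
            }
        } else if (strategy == OidcTenantConfig.TokenStateManager.Strategy.ID_REFRESH_TOKENS) {
            if (splitTokens) {
                ServerCookie refreshTokenCookie = getRefreshTokenCookie(routingContext, oidcTenantConfig);
                if (refreshTokenCookie != null) {
                    refreshToken = decryptToken(refreshTokenCookie.getValue(), routingContext, oidcTenantConfig);
                }
            } else {
                refreshToken = decryptToken(sessionCookiePart(parts, 2), routingContext, oidcTenantConfig);
            }
        }
        return Uni.createFrom().item(new AuthorizationCodeTokens(idToken, accessToken, refreshToken));
    }

    /**
     * Removes the dedicated access and refresh token cookies when tokens are split. The session
     * cookie that carries the token state itself is not touched here.
     *
     * @return a completed void {@link Uni}
     */
    @Override
    public Uni<Void> deleteTokens(RoutingContext routingContext, OidcTenantConfig oidcTenantConfig, String str,
            OidcRequestContext<Void> oidcRequestContext) {
        if (oidcTenantConfig.tokenStateManager.splitTokens) {
            // Either lookup may return null when the cookie is absent; presumably
            // OidcUtils.removeCookie tolerates that - verify against its implementation.
            OidcUtils.removeCookie(routingContext, getAccessTokenCookie(routingContext, oidcTenantConfig),
                    oidcTenantConfig);
            OidcUtils.removeCookie(routingContext, getRefreshTokenCookie(routingContext, oidcTenantConfig),
                    oidcTenantConfig);
        }
        return CodeAuthenticationMechanism.VOID_UNI;
    }

    /** Writes one (optionally encrypted) token to its own cookie using the session max age. */
    private void createTokenCookie(RoutingContext routingContext, OidcTenantConfig oidcTenantConfig,
            String cookieName, String token) {
        String cookieValue = encryptToken(token, routingContext, oidcTenantConfig);
        long maxAge = ((Long) routingContext.get(SESSION_MAX_AGE_PARAM)).longValue();
        CodeAuthenticationMechanism.createCookie(routingContext, oidcTenantConfig, cookieName, cookieValue, maxAge);
    }

    /**
     * Returns one delimited part of the session cookie value, rejecting a value that is too short.
     * The message deliberately omits the cookie content, which may hold tokens.
     */
    private static String sessionCookiePart(String[] parts, int index) {
        if (index >= parts.length) {
            throw new AuthenticationFailedException("Session cookie is malformed");
        }
        return parts[index];
    }

    private static ServerCookie getAccessTokenCookie(RoutingContext routingContext, OidcTenantConfig oidcTenantConfig) {
        return (ServerCookie) routingContext.request().getCookie(getAccessTokenCookieName(oidcTenantConfig));
    }

    private static ServerCookie getRefreshTokenCookie(RoutingContext routingContext, OidcTenantConfig oidcTenantConfig) {
        return (ServerCookie) routingContext.request().getCookie(getRefreshTokenCookieName(oidcTenantConfig));
    }

    /** Access token cookie name: fixed prefix plus the tenant-specific suffix. */
    private static String getAccessTokenCookieName(OidcTenantConfig oidcTenantConfig) {
        return SESSION_AT_COOKIE_NAME + CodeAuthenticationMechanism.getCookieSuffix(oidcTenantConfig);
    }

    /** Refresh token cookie name: fixed prefix plus the tenant-specific suffix. */
    private static String getRefreshTokenCookieName(OidcTenantConfig oidcTenantConfig) {
        return SESSION_RT_COOKIE_NAME + CodeAuthenticationMechanism.getCookieSuffix(oidcTenantConfig);
    }

    /**
     * Encrypts a token with the tenant's token encryption key when encryption is required;
     * otherwise returns the token unchanged, which means it is stored in clear in the cookie.
     *
     * @throws AuthenticationFailedException wrapping any failure while looking up the key or encrypting
     */
    private String encryptToken(String str, RoutingContext routingContext, OidcTenantConfig oidcTenantConfig) {
        // An unset encryptionRequired counts as "not required".
        if (!oidcTenantConfig.tokenStateManager.encryptionRequired.orElse(false).booleanValue()) {
            return str;
        }
        try {
            TenantConfigContext tenantContext = (TenantConfigContext) routingContext.get(TenantConfigContext.class.getName());
            return OidcUtils.encryptString(str, tenantContext.getTokenEncSecretKey());
        } catch (Exception e) {
            throw new AuthenticationFailedException(e);
        }
    }

    /**
     * Decrypts a token with the tenant's token encryption key when encryption is required;
     * otherwise returns the value unchanged.
     *
     * @throws AuthenticationFailedException wrapping any failure while looking up the key or decrypting
     */
    private String decryptToken(String str, RoutingContext routingContext, OidcTenantConfig oidcTenantConfig) {
        // An unset encryptionRequired counts as "not required".
        if (!oidcTenantConfig.tokenStateManager.encryptionRequired.orElse(false).booleanValue()) {
            return str;
        }
        try {
            TenantConfigContext tenantContext = (TenantConfigContext) routingContext.get(TenantConfigContext.class.getName());
            return OidcUtils.decryptString(str, tenantContext.getTokenEncSecretKey());
        } catch (Exception e) {
            throw new AuthenticationFailedException(e);
        }
    }
}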
