package org.keycloak.services.clientregistration;

import javax.ws.rs.core.UriInfo;
import org.keycloak.common.util.Time;
import org.keycloak.jose.jws.JWSBuilder;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.jose.jws.JWSInputException;
import org.keycloak.jose.jws.crypto.RSAProvider;
import org.keycloak.models.ClientInitialAccessModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeyManager;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.representations.JsonWebToken;
import org.keycloak.services.Urls;
import org.keycloak.services.clientregistration.policy.RegistrationAuth;
import org.keycloak.util.TokenUtil;

/* loaded from: input_file:wildfly-10.1.0.Final/modules/system/add-ons/keycloak/org/keycloak/keycloak-services/main/keycloak-services-2.5.5.Final.jar:org/keycloak/services/clientregistration/ClientRegistrationTokenUtils.class */
/**
 * Issues and verifies the signed tokens used by the client registration service.
 *
 * <p>Two token types are minted here, both as RSA-signed JWS strings whose issuer and audience
 * are the realm issuer URL: initial access tokens and per-client registration access tokens.
 * {@link #verifyToken} additionally accepts tokens whose type equals
 * {@code TokenUtil.TOKEN_TYPE_BEARER}.
 */
public class ClientRegistrationTokenUtils {
    /** Value of the token type claim for initial access tokens. */
    public static final String TYPE_INITIAL_ACCESS_TOKEN = "InitialAccessToken";
    /** Value of the token type claim for registration access tokens. */
    public static final String TYPE_REGISTRATION_ACCESS_TOKEN = "RegistrationAccessToken";

    /**
     * Outcome of {@link ClientRegistrationTokenUtils#verifyToken}: either the parsed token or the
     * reason verification failed. Exactly one of the two fields is set by the factory methods.
     *
     * <p>Decompiler note: the access modifier of this class was widened from {@code protected}.
     */
    public static class TokenVerification {
        private final JsonWebToken jwt;
        private final RuntimeException error;

        private TokenVerification(JsonWebToken jsonWebToken, RuntimeException runtimeException) {
            this.jwt = jsonWebToken;
            this.error = runtimeException;
        }

        /** Creates a result carrying a verified token and no error. */
        public static TokenVerification success(JsonWebToken jsonWebToken) {
            return new TokenVerification(jsonWebToken, null);
        }

        /** Creates a result carrying a failure reason and no token. */
        public static TokenVerification error(RuntimeException runtimeException) {
            return new TokenVerification(null, runtimeException);
        }

        /** @return the verified token, or {@code null} when verification failed */
        public JsonWebToken getJwt() {
            return jwt;
        }

        /** @return the failure reason, or {@code null} when verification succeeded */
        public RuntimeException getError() {
            return error;
        }
    }

    /**
     * Rotates the client's registration access token using the realm and request URI taken from
     * the session context.
     *
     * @return the newly signed registration access token
     */
    public static String updateRegistrationAccessToken(KeycloakSession keycloakSession, ClientModel clientModel, RegistrationAuth registrationAuth) {
        RealmModel contextRealm = keycloakSession.getContext().getRealm();
        UriInfo contextUri = keycloakSession.getContext().getUri();
        return updateRegistrationAccessToken(keycloakSession, contextRealm, contextUri, clientModel, registrationAuth);
    }

    /**
     * Generates a fresh token id, stores it on the client, and returns a signed registration
     * access token carrying that id.
     *
     * <p>The expiration passed to {@code setupToken} is 0, so this token carries no time bound
     * of its own (presumably 0 means "no expiry" to {@code JsonWebToken} - confirm). Replacing the
     * id stored on the client is therefore the only invalidation mechanism visible here, and
     * {@link #verifyToken} does not compare the id; NOTE(review): confirm every caller checks the
     * token id against the client's stored registration token.
     *
     * @return the newly signed registration access token
     */
    public static String updateRegistrationAccessToken(KeycloakSession keycloakSession, RealmModel realmModel, UriInfo uriInfo, ClientModel clientModel, RegistrationAuth registrationAuth) {
        String tokenId = KeycloakModelUtils.generateId();
        clientModel.setRegistrationToken(tokenId);

        RegistrationAccessToken accessToken = new RegistrationAccessToken();
        // NOTE(review): toLowerCase() without a Locale uses the JVM default locale, so the claim
        // value can differ between hosts. Any change here has to be made together with the code
        // that parses this claim back, which is not part of this class.
        String authClaim = registrationAuth.toString().toLowerCase();
        accessToken.setRegistrationAuth(authClaim);

        return setupToken(accessToken, keycloakSession, realmModel, uriInfo, tokenId, TYPE_REGISTRATION_ACCESS_TOKEN, 0);
    }

    /**
     * Signs an initial access token for the given model. The token id is the model id; the
     * expiration is timestamp + expiration when the model's expiration is positive, otherwise 0.
     *
     * @return the signed initial access token
     */
    public static String createInitialAccessToken(KeycloakSession keycloakSession, RealmModel realmModel, UriInfo uriInfo, ClientInitialAccessModel clientInitialAccessModel) {
        JsonWebToken token = new JsonWebToken();
        String tokenId = clientInitialAccessModel.getId();

        int expiresAt = 0;
        if (clientInitialAccessModel.getExpiration() > 0) {
            // Plain int addition, as in the original; no overflow check is performed.
            expiresAt = clientInitialAccessModel.getTimestamp() + clientInitialAccessModel.getExpiration();
        }

        return setupToken(token, keycloakSession, realmModel, uriInfo, tokenId, TYPE_INITIAL_ACCESS_TOKEN, expiresAt);
    }

    /**
     * Verifies a serialized token and reports the result without throwing for invalid tokens.
     *
     * <p>Checks performed, in order: the string is non-null; it parses as a JWS; its RSA
     * signature verifies against the realm public key looked up by the key id in the JWS header;
     * the payload parses as a {@code JsonWebToken}; the issuer equals the realm issuer built from
     * the request base URI; {@code isActive()} holds; the type is Bearer, InitialAccessToken or
     * RegistrationAccessToken.
     *
     * <p>Not checked here: the audience claim (although {@code setupToken} sets it) and the token
     * id. Callers that depend on either must check them on the returned token.
     *
     * <p>NOTE(review): the key is selected with the key id from the header before the signature
     * is known to be valid, and the header's algorithm is not inspected in this method. Confirm
     * that {@code getRsaPublicKey} only returns keys of this realm and that
     * {@code RSAProvider.verify} returns false for an unknown key id and for non-RSA algorithms.
     *
     * @param str the serialized token taken from the request, may be {@code null}
     * @return a success result with the parsed token, or an error result describing the failure
     */
    public static TokenVerification verifyToken(KeycloakSession keycloakSession, RealmModel realmModel, UriInfo uriInfo, String str) {
        if (str == null) {
            return TokenVerification.error(new RuntimeException("Missing token"));
        }
        try {
            JWSInput input = new JWSInput(str);
            boolean signatureValid = RSAProvider.verify(input, keycloakSession.keys().getRsaPublicKey(realmModel, input.getHeader().getKeyId()));
            if (!signatureValid) {
                return TokenVerification.error(new RuntimeException("Failed verify token"));
            }
            try {
                JsonWebToken claims = (JsonWebToken) input.readJsonContent(JsonWebToken.class);

                // The expected issuer follows the request base URI (see getIssuer).
                if (!getIssuer(realmModel, uriInfo).equals(claims.getIssuer())) {
                    return TokenVerification.error(new RuntimeException("Issuer from token don't match with the realm issuer."));
                }
                if (!claims.isActive()) {
                    return TokenVerification.error(new RuntimeException("Token not active."));
                }

                String tokenType = claims.getType();
                boolean acceptedType = TokenUtil.TOKEN_TYPE_BEARER.equals(tokenType)
                        || TYPE_INITIAL_ACCESS_TOKEN.equals(tokenType)
                        || TYPE_REGISTRATION_ACCESS_TOKEN.equals(tokenType);
                if (!acceptedType) {
                    return TokenVerification.error(new RuntimeException("Invalid type of token"));
                }
                return TokenVerification.success(claims);
            } catch (JWSInputException payloadFailure) {
                return TokenVerification.error(new RuntimeException("Token is not JWT", payloadFailure));
            }
        } catch (JWSInputException parseFailure) {
            return TokenVerification.error(new RuntimeException("Invalid token", parseFailure));
        }
    }

    /**
     * Fills in the common claims (type, id, issued-at, expiration, issuer, audience) and signs
     * the token with the realm's active RSA key, recording that key's id in the JWS header.
     *
     * @param tokenId value for the token id claim
     * @param tokenType value for the token type claim
     * @param expiration value passed to {@code JsonWebToken.expiration}; callers pass 0 when no
     *     expiry is configured
     * @return the serialized, signed token
     */
    private static String setupToken(JsonWebToken jsonWebToken, KeycloakSession keycloakSession, RealmModel realmModel, UriInfo uriInfo, String tokenId, String tokenType, int expiration) {
        String realmIssuer = getIssuer(realmModel, uriInfo);

        jsonWebToken.type(tokenType);
        jsonWebToken.id(tokenId);
        jsonWebToken.issuedAt(Time.currentTime());
        jsonWebToken.expiration(expiration);
        jsonWebToken.issuer(realmIssuer);
        // Issuer and audience are the same URL: the token is meant to be presented back to
        // the realm that issued it.
        jsonWebToken.audience(realmIssuer);

        KeyManager.ActiveRsaKey signingKey = keycloakSession.keys().getActiveRsaKey(realmModel);
        JWSBuilder builder = new JWSBuilder();
        return builder.kid(signingKey.getKid()).jsonContent(jsonWebToken).rsa256(signingKey.getPrivateKey());
    }

    /**
     * Builds the realm issuer URL from the request base URI and the realm name.
     *
     * <p>NOTE(review): the result depends on how {@code uriInfo.getBaseUri()} is derived. If it
     * follows the request's Host header, the issuer written into and expected from tokens is
     * request-influenced - confirm the deployment pins the externally visible hostname.
     */
    private static String getIssuer(RealmModel realmModel, UriInfo uriInfo) {
        return Urls.realmIssuer(uriInfo.getBaseUri(), realmModel.getName());
    }
}
