package io.quarkus.oidc.common.runtime;

import io.quarkus.oidc.common.runtime.OidcCommonConfig;
import io.quarkus.runtime.TlsConfig;
import io.quarkus.runtime.configuration.ConfigurationException;
import io.smallrye.jwt.build.Jwt;
import io.smallrye.jwt.build.JwtSignatureBuilder;
import io.smallrye.jwt.util.KeyUtils;
import io.smallrye.jwt.util.ResourceUtils;
import io.vertx.core.http.HttpClientOptions;
import io.vertx.core.json.JsonObject;
import io.vertx.core.net.ProxyOptions;
import io.vertx.mutiny.core.MultiMap;
import io.vertx.mutiny.core.buffer.Buffer;
import java.io.IOException;
import java.io.InputStream;
import java.io.UnsupportedEncodingException;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.util.Base64;
import java.util.Iterator;
import java.util.Map;
import java.util.Optional;
import javax.crypto.SecretKey;

/* loaded from: input_file:io/quarkus/oidc/common/runtime/OidcCommonUtils.class */
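/**
 * Helpers shared by the OIDC server and OIDC client extensions: configuration validation,
 * form encoding, HTTP client/proxy setup and client-authentication material
 * (client secrets and JWT signing keys).
 *
 * <p>All methods are static and stateless; the class is not instantiable.
 */
public class OidcCommonUtils {
    /** ASCII {@code '&'}, the form-encoding pair separator. */
    static final byte AMP = 38;
    /** ASCII {@code '='}, the form-encoding key/value separator. */
    static final byte EQ = 61;

    private OidcCommonUtils() {
    }

    /**
     * Validates the parts of the configuration common to the OIDC server and client extensions.
     *
     * <p>Only the {@code auth-server-url} check is guarded by the URL-parsing {@code try}; the
     * credential consistency checks run outside it so that their own error messages are
     * reported instead of being re-wrapped as "auth-server-url is invalid".
     *
     * @param oidcCommonConfig the configuration to validate
     * @param clientIdOptional {@code true} when a missing {@code client-id} is acceptable
     * @param isServerConfig {@code true} for the {@code quarkus.oidc.} prefix, {@code false} for
     *        {@code quarkus.oidc-client.}; used only to build error messages
     * @throws ConfigurationException if the auth server URL is missing or malformed, if a
     *         required client id is missing, or if mutually exclusive credentials are set
     */
    public static void verifyCommonConfiguration(OidcCommonConfig oidcCommonConfig, boolean clientIdOptional,
            boolean isServerConfig) {
        String prefix = isServerConfig ? "quarkus.oidc." : "quarkus.oidc-client.";
        if (!oidcCommonConfig.getAuthServerUrl().isPresent()) {
            throw new ConfigurationException(String.format("'%sauth-server-url' property must be configured", prefix));
        }
        if (!clientIdOptional && !oidcCommonConfig.getClientId().isPresent()) {
            throw new ConfigurationException(String.format("'%sclient-id' property must be configured", prefix));
        }
        try {
            // Parse only; the result is discarded. URI.create throws IllegalArgumentException,
            // toURL throws MalformedURLException (or IllegalArgumentException) on bad input.
            URI.create(oidcCommonConfig.getAuthServerUrl().get()).toURL();
        } catch (IllegalArgumentException | MalformedURLException e) {
            throw new ConfigurationException(String.format("'%sauth-server-url' is invalid", prefix), e);
        }
        OidcCommonConfig.Credentials credentials = oidcCommonConfig.getCredentials();
        boolean secretConfigured = credentials.secret.isPresent();
        boolean clientSecretConfigured = credentials.clientSecret.value.isPresent();
        if (secretConfigured && clientSecretConfigured) {
            throw new ConfigurationException(String.format(
                    "'%1$scredentials.secret' and '%1$scredentials.client-secret' properties are mutually exclusive",
                    prefix));
        }
        if ((secretConfigured || clientSecretConfigured) && credentials.jwt.secret.isPresent()) {
            throw new ConfigurationException(String.format(
                    "Use only '%1$scredentials.secret' or '%1$scredentials.client-secret' or '%1$scredentials.jwt.secret' property",
                    prefix));
        }
    }

    /**
     * Returns {@code str} guaranteed to start with a single leading {@code '/'} (one is prepended
     * only if absent).
     *
     * @param str the path segment, must not be {@code null}
     * @return the path with a leading slash
     */
    public static String prependSlash(String str) {
        if (str.startsWith("/")) {
            return str;
        }
        return "/" + str;
    }

    /**
     * Serialises the entries of {@code multiMap} as an {@code application/x-www-form-urlencoded}
     * body: {@code key=value} pairs joined by {@code '&'}.
     *
     * <p>Only the values are URL-encoded; keys are appended verbatim and are expected to be plain
     * form parameter names such as {@code grant_type} (a key containing reserved characters would
     * corrupt the body).
     *
     * @param multiMap the parameters to encode, in iteration order
     * @return the encoded body; empty when {@code multiMap} has no entries
     */
    public static Buffer encodeForm(MultiMap multiMap) {
        Buffer body = Buffer.buffer();
        for (Iterator<Map.Entry<String, String>> it = multiMap.iterator(); it.hasNext();) {
            Map.Entry<String, String> entry = it.next();
            // Separator goes between pairs only, never before the first one.
            if (body.length() != 0) {
                body.appendByte(AMP);
            }
            body.appendString(entry.getKey());
            body.appendByte(EQ);
            body.appendString(urlEncode(entry.getValue()));
        }
        return body;
    }

    /**
     * URL-encodes {@code str} using UTF-8 ({@link URLEncoder} semantics, so a space becomes
     * {@code '+'}).
     *
     * @param str the text to encode
     * @return the encoded text
     * @throws IllegalStateException if the JVM lacks UTF-8 support, which the platform guarantees
     *         never happens
     */
    public static String urlEncode(String str) {
        try {
            return URLEncoder.encode(str, StandardCharsets.UTF_8.name());
        } catch (UnsupportedEncodingException e) {
            // UTF-8 is a mandatory charset, so this branch is unreachable in practice.
            throw new IllegalStateException(e);
        }
    }

    /**
     * Applies TLS, proxy and connection-timeout settings from the OIDC configuration to
     * {@code httpClientOptions}.
     *
     * <p>When the OIDC {@code tls.verification} is explicitly {@code NONE}, or is unset and the
     * global {@link TlsConfig#trustAll} is enabled, the client is configured to accept any server
     * certificate and to skip hostname verification, i.e. it will connect to an impersonated
     * provider without error. Operators should treat that as a development-only setting.
     *
     * @param oidcCommonConfig the OIDC configuration
     * @param tlsConfig the global TLS configuration, consulted only when the OIDC-specific
     *        verification mode is unset
     * @param httpClientOptions the options to mutate
     */
    public static void setHttpClientOptions(OidcCommonConfig oidcCommonConfig, TlsConfig tlsConfig,
            HttpClientOptions httpClientOptions) {
        boolean disableVerification = oidcCommonConfig.tls.verification.isPresent()
                ? oidcCommonConfig.tls.verification.get() == OidcCommonConfig.Tls.Verification.NONE
                : tlsConfig.trustAll;
        if (disableVerification) {
            httpClientOptions.setTrustAll(true);
            httpClientOptions.setVerifyHost(false);
        }
        Optional<ProxyOptions> proxyOptions = toProxyOptions(oidcCommonConfig.getProxy());
        proxyOptions.ifPresent(httpClientOptions::setProxyOptions);
        // Vert.x takes the connect timeout in milliseconds as an int.
        httpClientOptions.setConnectTimeout((int) oidcCommonConfig.getConnectionTimeout().toMillis());
    }

    /**
     * Returns the configured auth server URL with a single trailing {@code '/'} removed, if any.
     *
     * @param oidcCommonConfig the configuration; {@code auth-server-url} must be present
     * @return the URL without a trailing slash
     * @throws java.util.NoSuchElementException if the auth server URL is not configured
     */
    public static String getAuthServerUrl(OidcCommonConfig oidcCommonConfig) {
        String url = oidcCommonConfig.getAuthServerUrl().get();
        return url.endsWith("/") ? url.substring(0, url.length() - 1) : url;
    }

    /**
     * Joins a base URL and an optional relative endpoint path.
     *
     * @param authServerUrl the base URL (normally without a trailing slash)
     * @param endpointPath the endpoint path, with or without a leading slash
     * @return {@code authServerUrl + "/" + path}, or {@code null} when {@code endpointPath} is
     *         empty (callers rely on the {@code null} to mean "endpoint not configured")
     */
    public static String getOidcEndpointUrl(String authServerUrl, Optional<String> endpointPath) {
        return endpointPath.map(path -> authServerUrl + prependSlash(path)).orElse(null);
    }

    /**
     * Derives the number of connection attempts from the configured connection delay: half of the
     * delay in seconds, with a minimum of one attempt.
     *
     * @param oidcCommonConfig the configuration
     * @return the retry count, at least {@code 1}
     */
    public static long getConnectionRetryCount(OidcCommonConfig oidcCommonConfig) {
        long delaySeconds = getConnectionDelay(oidcCommonConfig);
        return delaySeconds > 1 ? delaySeconds / 2 : 1L;
    }

    /** Returns the configured connection delay in whole seconds, or {@code 0} when unset. */
    private static long getConnectionDelay(OidcCommonConfig oidcCommonConfig) {
        return oidcCommonConfig.getConnectionDelay().map(d -> d.getSeconds()).orElse(0L);
    }

    /**
     * Returns the configured connection delay in milliseconds (whole seconds only; any
     * sub-second part of the configured duration is dropped), or {@code 0} when unset.
     *
     * @param oidcCommonConfig the configuration
     * @return the delay in milliseconds
     */
    public static long getConnectionDelayInMillis(OidcCommonConfig oidcCommonConfig) {
        return getConnectionDelay(oidcCommonConfig) * 1000;
    }

    /**
     * Builds Vert.x proxy options from the OIDC proxy configuration.
     *
     * <p>The proxy password, when set, is copied into the options object; do not log the
     * intermediate {@link JsonObject} or the resulting options.
     *
     * @param proxy the proxy configuration
     * @return the proxy options, or empty when no proxy host is configured
     */
    public static Optional<ProxyOptions> toProxyOptions(OidcCommonConfig.Proxy proxy) {
        if (!proxy.host.isPresent()) {
            return Optional.empty();
        }
        JsonObject json = new JsonObject()
                .put("host", proxy.host.get())
                .put("port", Integer.valueOf(proxy.port));
        proxy.username.ifPresent(username -> json.put("username", username));
        proxy.password.ifPresent(password -> json.put("password", password));
        return Optional.of(new ProxyOptions(json));
    }

    /**
     * Formats the user-facing message reported when the OIDC server cannot be reached.
     *
     * @param authServerUrl the URL that was attempted
     * @return the message
     */
    public static String formatConnectionErrorMessage(String authServerUrl) {
        return String.format(
                "OIDC server is not available at the '%s' URL. Please make sure it is correct. Note it has to end with a realm value if you work with Keycloak, for example: 'https://localhost:8180/auth/realms/quarkus'",
                authServerUrl);
    }

    /**
     * Tells whether the client must authenticate with HTTP Basic: either the legacy
     * {@code credentials.secret} is set, or {@code credentials.client-secret.value} is set with
     * method {@code BASIC} (the default when no method is given).
     *
     * @param credentials the client credentials
     * @return {@code true} if Basic client authentication applies
     */
    public static boolean isClientSecretBasicAuthRequired(OidcCommonConfig.Credentials credentials) {
        if (credentials.secret.isPresent()) {
            return true;
        }
        return credentials.clientSecret.value.isPresent()
                && credentials.clientSecret.method.orElse(OidcCommonConfig.Credentials.Secret.Method.BASIC)
                        == OidcCommonConfig.Credentials.Secret.Method.BASIC;
    }

    /**
     * Tells whether the client must authenticate with a signed JWT, i.e. any of
     * {@code credentials.jwt.secret}, {@code credentials.jwt.key-file} or
     * {@code credentials.jwt.key-store-file} is configured.
     *
     * @param credentials the client credentials
     * @return {@code true} if JWT client authentication applies
     */
    public static boolean isClientJwtAuthRequired(OidcCommonConfig.Credentials credentials) {
        return credentials.jwt.secret.isPresent()
                || credentials.jwt.keyFile.isPresent()
                || credentials.jwt.keyStoreFile.isPresent();
    }

    /**
     * Tells whether the client secret must be sent as a form parameter:
     * {@code credentials.client-secret.value} is set and its method is explicitly {@code POST}
     * (an unset method defaults to {@code BASIC}, so this returns {@code false}).
     *
     * @param credentials the client credentials
     * @return {@code true} if POST client authentication applies
     */
    public static boolean isClientSecretPostAuthRequired(OidcCommonConfig.Credentials credentials) {
        return credentials.clientSecret.value.isPresent()
                && credentials.clientSecret.method.orElse(OidcCommonConfig.Credentials.Secret.Method.BASIC)
                        == OidcCommonConfig.Credentials.Secret.Method.POST;
    }

    /**
     * Returns the effective client secret: {@code credentials.secret} if set, otherwise
     * {@code credentials.client-secret.value}.
     *
     * @param credentials the client credentials
     * @return the secret
     * @throws java.util.NoSuchElementException if neither secret is configured
     */
    public static String clientSecret(OidcCommonConfig.Credentials credentials) {
        return credentials.secret.orElseGet(() -> credentials.clientSecret.value.get());
    }

    /**
     * Resolves the key used to sign client-authentication JWTs.
     *
     * <p>Resolution order: a symmetric key from {@code credentials.jwt.secret}; otherwise a
     * signing key read from {@code credentials.jwt.key-file}; otherwise a key looked up by
     * {@code credentials.jwt.key-id} in the JKS key store at {@code credentials.jwt.key-store-file}.
     *
     * @param credentials the client credentials
     * @return the signing key, never {@code null}
     * @throws ConfigurationException if no key source is configured or the key cannot be loaded;
     *         the underlying failure is attached as the cause
     */
    public static Key clientJwtKey(OidcCommonConfig.Credentials credentials) {
        if (credentials.jwt.secret.isPresent()) {
            return KeyUtils.createSecretKeyFromSecret(credentials.jwt.secret.get());
        }
        try {
            Key key = null;
            if (credentials.jwt.keyFile.isPresent()) {
                key = KeyUtils.readSigningKey(credentials.jwt.keyFile.get(), credentials.jwt.keyId.orElse(null));
            } else if (credentials.jwt.keyStoreFile.isPresent()) {
                key = loadKeyFromKeyStore(credentials);
            }
            if (key == null) {
                throw new ConfigurationException("Key is null");
            }
            return key;
        } catch (Exception e) {
            // Keep the cause: without it a bad password, a missing alias and an unreadable
            // file are indistinguishable to the operator.
            throw new ConfigurationException("Key can not be loaded", e);
        }
    }

    /**
     * Loads the key identified by {@code credentials.jwt.key-id} from the JKS key store at
     * {@code credentials.jwt.key-store-file}, closing the store's input stream afterwards.
     *
     * @return the key, or {@code null} if the alias does not exist in the store
     */
    private static Key loadKeyFromKeyStore(OidcCommonConfig.Credentials credentials)
            throws IOException, GeneralSecurityException {
        String keyId = credentials.jwt.keyId
                .orElseThrow(() -> new ConfigurationException("Key id must be configured when a key store file is used"));
        KeyStore keyStore = KeyStore.getInstance("JKS");
        try (InputStream in = ResourceUtils.getResourceStream(credentials.jwt.keyStoreFile.get())) {
            keyStore.load(in, credentials.jwt.keyStorePassword.toCharArray());
        }
        return keyStore.getKey(keyId, credentials.jwt.keyPassword.toCharArray());
    }

    /**
     * Signs a client-authentication JWT with the key resolved by {@link #clientJwtKey}.
     *
     * @param oidcCommonConfig the configuration
     * @return the compact serialised JWT
     * @throws ConfigurationException if the signing key cannot be loaded
     */
    public static String signJwt(OidcCommonConfig oidcCommonConfig) {
        return signJwtWithKey(oidcCommonConfig, clientJwtKey(oidcCommonConfig.credentials));
    }

    /**
     * Builds and signs a client-authentication JWT: issuer and subject are the client id, the
     * audience is the auth server URL, and the lifetime is {@code credentials.jwt.lifespan}.
     * The {@code kid} header is set only when {@code credentials.jwt.token-key-id} is configured.
     *
     * @param oidcCommonConfig the configuration; {@code client-id} must be present
     * @param key a {@link SecretKey} for HMAC signatures or a {@link PrivateKey} for asymmetric ones
     * @return the compact serialised JWT
     * @throws ClassCastException if {@code key} is neither a {@link SecretKey} nor a {@link PrivateKey}
     */
    public static String signJwtWithKey(OidcCommonConfig oidcCommonConfig, Key key) {
        String clientId = oidcCommonConfig.clientId.get();
        JwtSignatureBuilder jws = Jwt.issuer(clientId)
                .subject(clientId)
                .audience(getAuthServerUrl(oidcCommonConfig))
                .expiresIn(oidcCommonConfig.credentials.jwt.lifespan)
                .jws();
        oidcCommonConfig.credentials.jwt.tokenKeyId.ifPresent(jws::keyId);
        if (key instanceof SecretKey) {
            return jws.sign((SecretKey) key);
        }
        return jws.sign((PrivateKey) key);
    }

    /**
     * Checks that a named configuration does not collide with the default one and that its map
     * key agrees with its explicitly configured id.
     *
     * @param defaultId the id reserved for the default configuration
     * @param configKey the key under which this configuration is registered
     * @param configId the id explicitly set inside the configuration, if any
     * @throws ConfigurationException if {@code configKey} equals {@code defaultId}, or if
     *         {@code configId} is present and differs from {@code configKey}
     */
    public static void verifyConfigurationId(String defaultId, String configKey, Optional<String> configId) {
        if (configKey.equals(defaultId)) {
            throw new ConfigurationException("configuration id '" + configKey + "' duplicates the default configuration id");
        }
        if (configId.isPresent() && !configKey.equals(configId.get())) {
            throw new ConfigurationException(
                    "Configuration has 2 different id values: '" + configKey + "' and '" + configId.get() + "'");
        }
    }

    /**
     * Builds the {@code Authorization: Basic} header value for client authentication, or returns
     * {@code null} when Basic authentication is not required (see
     * {@link #isClientSecretBasicAuthRequired}).
     *
     * <p>NOTE(review): the client id and secret are concatenated as raw values; RFC 6749
     * section 2.3.1 specifies that each is form-url-encoded first. The two only differ for
     * secrets containing reserved characters — confirm against the providers in use before
     * changing this.
     *
     * @param oidcCommonConfig the configuration; {@code client-id} must be present when Basic
     *        authentication is required
     * @return the header value, or {@code null}
     */
    public static String initClientSecretBasicAuth(OidcCommonConfig oidcCommonConfig) {
        if (!isClientSecretBasicAuthRequired(oidcCommonConfig.credentials)) {
            return null;
        }
        String userInfo = oidcCommonConfig.getClientId().get() + ":" + clientSecret(oidcCommonConfig.credentials);
        return "Basic " + Base64.getEncoder().encodeToString(userInfo.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Resolves the JWT signing key when JWT client authentication is configured, or returns
     * {@code null} otherwise (see {@link #isClientJwtAuthRequired}).
     *
     * @param oidcCommonConfig the configuration
     * @return the signing key, or {@code null}
     * @throws ConfigurationException if JWT authentication is configured but the key cannot be loaded
     */
    public static Key initClientJwtKey(OidcCommonConfig oidcCommonConfig) {
        if (!isClientJwtAuthRequired(oidcCommonConfig.credentials)) {
            return null;
        }
        return clientJwtKey(oidcCommonConfig.credentials);
    }
}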
