package org.keycloak.vault;

import java.io.IOException;
import java.lang.invoke.MethodHandles;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import java.security.spec.AlgorithmParameterSpec;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;
import org.jboss.logging.Logger;
import org.keycloak.Config;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.wildfly.security.auth.SupportLevel;
import org.wildfly.security.auth.server.IdentityCredentials;
import org.wildfly.security.credential.Credential;
import org.wildfly.security.credential.PasswordCredential;
import org.wildfly.security.credential.source.CredentialSource;
import org.wildfly.security.credential.store.CredentialStore;
import org.wildfly.security.credential.store.CredentialStoreException;
import org.wildfly.security.credential.store.WildFlyElytronCredentialStoreProvider;
import org.wildfly.security.credential.store.impl.KeyStoreCredentialStore;
import org.wildfly.security.password.interfaces.ClearPassword;
import org.wildfly.security.util.PasswordBasedEncryptionUtil;

/* loaded from: input_file:org/keycloak/vault/ElytronCSKeyStoreProviderFactory.class */
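/**
 * Vault provider factory backed by an Elytron {@link KeyStoreCredentialStore}.
 * <p>
 * Configuration read in {@link #init(Config.Scope)}:
 * <ul>
 *   <li>{@value #CS_LOCATION} - path of the credential store file; it must exist or
 *       {@link VaultNotFoundException} is thrown at startup.</li>
 *   <li>{@value #CS_SECRET} - store password, either clear text or a PicketBox-style masked value
 *       {@code MASK-<encoded secret>;<salt>;<iteration count>}.</li>
 *   <li>{@value #CS_KEYSTORE_TYPE} - keystore type, defaults to {@value #JCEKS}.</li>
 * </ul>
 * When the location or the secret is missing the factory only logs at DEBUG and
 * {@link #m3create(KeycloakSession)} returns {@code null}.
 */
public class ElytronCSKeyStoreProviderFactory extends AbstractVaultProviderFactory {
    private static final Logger logger = Logger.getLogger(MethodHandles.lookup().lookupClass());
    private static final String PROVIDER_ID = "elytron-cs-keystore";
    static final String CS_LOCATION = "location";
    static final String CS_SECRET = "secret";
    static final String CS_KEYSTORE_TYPE = "keyStoreType";
    static final String JCEKS = "JCEKS";
    /** Prefix marking a masked (PicketBox-compatible) store secret. */
    private static final String MASK_PREFIX = "MASK-";
    /**
     * Message for a masked secret that is not {@code MASK-<encoded secret>;<salt>;<iteration count>}.
     * Kept verbatim; it is not passed through a formatter, so {@code %n} appears literally.
     */
    private static final String MASK_FORMAT_ERROR =
            "Masked password command has the wrong format.%nUsage: MASK-<encoded secret>;<salt>;<iteration count> where <salt>=UTF-8 characters, <iteration count>=reasonable sized positive integer";
    private String credentialStoreLocation;
    private String credentialStoreType;
    private String credentialStoreSecret;

    /**
     * Creates the vault provider for the given session. This is the factory's {@code create}
     * method; the decompiler renamed the bridged method, so the name is kept as found.
     *
     * @param keycloakSession session used to resolve the realm name
     * @return a new provider, or {@code null} when the factory is not configured (missing location
     *         or secret) or the credential store could not be opened
     */
    /* renamed from: create, reason: merged with bridge method [inline-methods] */
    public VaultProvider m3create(KeycloakSession keycloakSession) {
        if (credentialStoreLocation == null || credentialStoreSecret == null) {
            logger.debug("Can not create an elytron-based vault provider since it's not initialized correctly");
            return null;
        }
        Map<String, String> attributes = new HashMap<>();
        attributes.put(CS_LOCATION, credentialStoreLocation);
        attributes.put(CS_KEYSTORE_TYPE, credentialStoreType);
        try {
            CredentialStore store = CredentialStore.getInstance(KeyStoreCredentialStore.KEY_STORE_CREDENTIAL_STORE);
            store.initialize(attributes,
                    new CredentialStore.CredentialSourceProtectionParameter(getCredentialSource(credentialStoreSecret)));
            return new ElytronCSKeyStoreProvider(store, getRealmName(keycloakSession), keyResolvers);
        } catch (NoSuchAlgorithmException | CredentialStoreException e) {
            // NOTE(review): a store that cannot be opened is only visible at DEBUG; operators may
            // prefer WARN so a misconfigured vault is noticed instead of silently yielding no provider.
            logger.debug("Error instantiating credential store", e);
            return null;
        }
    }

    /**
     * Reads the store location, secret and keystore type from the scope and registers the Elytron
     * credential-store security provider.
     *
     * @param scope provider configuration
     * @throws VaultNotFoundException if a location is configured but no file exists at that path
     */
    @Override
    public void init(Config.Scope scope) {
        super.init(scope);
        credentialStoreLocation = scope.get(CS_LOCATION);
        if (credentialStoreLocation == null) {
            logger.debug("ElytronCSKeyStoreProviderFactory not properly configured - missing store location");
            return;
        }
        // Fail fast at startup: a missing store file is a deployment error, not a runtime condition.
        if (!Files.exists(Paths.get(credentialStoreLocation))) {
            throw new VaultNotFoundException("The " + credentialStoreLocation + " file doesn't exist");
        }
        credentialStoreSecret = scope.get(CS_SECRET);
        if (credentialStoreSecret == null) {
            logger.debug("ElytronCSKeyStoreProviderFactory not properly configured - missing store secret");
            return;
        }
        credentialStoreType = scope.get(CS_KEYSTORE_TYPE, JCEKS);
        // The provider must be installed for CredentialStore.getInstance(...) in m3create to resolve.
        Security.addProvider(WildFlyElytronCredentialStoreProvider.getInstance());
    }

    /** No post-initialisation work is required. */
    @Override
    public void postInit(KeycloakSessionFactory keycloakSessionFactory) {
    }

    /**
     * Unregisters the Elytron provider installed by {@link #init(Config.Scope)};
     * {@link Security#removeProvider} returns silently when the provider is not installed.
     */
    @Override
    public void close() {
        Security.removeProvider(WildFlyElytronCredentialStoreProvider.getInstance().getName());
    }

    /** @return the provider id {@value #PROVIDER_ID} */
    @Override
    public String getId() {
        return PROVIDER_ID;
    }

    /**
     * Builds the credential source that unlocks the credential store.
     *
     * @param str store secret: a clear-text password, or a masked value starting with {@code MASK-}
     * @return a source yielding a {@link PasswordCredential}; masked values are decoded lazily on
     *         {@link CredentialSource#getCredential}
     * @throws NullPointerException if {@code str} is {@code null}
     */
    protected CredentialSource getCredentialSource(final String str) {
        Objects.requireNonNull(str, "credential store secret");
        if (str.startsWith(MASK_PREFIX)) {
            return new MaskedSecretCredentialSource(str.substring(MASK_PREFIX.length()));
        }
        return IdentityCredentials.NONE.withCredential(
                new PasswordCredential(ClearPassword.createRaw("clear", str.toCharArray())));
    }

    /**
     * Credential source for a PicketBox-compatible masked secret
     * {@code <encoded secret>;<salt>;<iteration count>} (the {@code MASK-} prefix already stripped).
     * The value is decoded on every {@link #getCredential} call.
     * <p>
     * NOTE(review): the salt and iteration count travel with the encoded secret and no external key
     * is supplied here, so masking presumably only obscures the secret in configuration files rather
     * than protecting it from anyone who can read them - confirm, and keep the configuration's file
     * permissions tight regardless.
     */
    private static final class MaskedSecretCredentialSource implements CredentialSource {
        private final String maskedValue;

        MaskedSecretCredentialSource(String maskedValue) {
            this.maskedValue = maskedValue;
        }

        /** Only {@link PasswordCredential} can be produced from a masked secret. */
        @Override
        public SupportLevel getCredentialAcquireSupport(Class<? extends Credential> cls, String str2,
                AlgorithmParameterSpec algorithmParameterSpec) throws IOException {
            return cls == PasswordCredential.class ? SupportLevel.SUPPORTED : SupportLevel.UNSUPPORTED;
        }

        /**
         * Decodes and decrypts the masked secret into a {@link PasswordCredential}.
         *
         * @throws IOException if the value does not have exactly three {@code ;}-separated parts, the
         *         iteration count is not an integer, or decryption fails (cause preserved)
         * @throws ClassCastException if {@code cls} is not assignable from {@link PasswordCredential}
         */
        @Override
        public <C extends Credential> C getCredential(Class<C> cls, String str2,
                AlgorithmParameterSpec algorithmParameterSpec) throws IOException {
            String[] parts = maskedValue.split(";");
            if (parts.length != 3) {
                throw new IOException(MASK_FORMAT_ERROR);
            }
            String encodedSecret = parts[0];
            String salt = parts[1];
            try {
                int iterationCount = Integer.parseInt(parts[2]);
                char[] clear = new PasswordBasedEncryptionUtil.Builder()
                        .picketBoxCompatibility()
                        .salt(salt)
                        .iteration(iterationCount)
                        .decryptMode()
                        .build()
                        .decodeAndDecrypt(encodedSecret);
                return cls.cast(new PasswordCredential(ClearPassword.createRaw("clear", clear)));
            } catch (NumberFormatException e) {
                // Non-numeric iteration count: report as a format error, as for the wrong part count.
                throw new IOException(MASK_FORMAT_ERROR);
            } catch (GeneralSecurityException e) {
                throw new IOException(e);
            }
        }
    }
}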
