package org.teiid.jboss.oauth;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.PrivateKey;
import java.security.Signature;
import java.util.Locale;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import org.apache.cxf.jaxrs.client.WebClient;
import org.apache.cxf.rs.security.oauth2.client.OAuthClientUtils;
import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken;
import org.apache.cxf.rs.security.oauth2.grants.jwt.JwtBearerGrant;
import org.jboss.security.JBossJSSESecurityDomain;
import org.teiid.core.util.Base64;
import org.teiid.logging.LogManager;

/* loaded from: input_file:org/teiid/jboss/oauth/JWTBearerTokenLoginModule.class */
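/**
 * Login module that obtains an OAuth 2.0 access token with a self-issued,
 * self-signed JWT bearer assertion (RFC 7523), using a private key taken from
 * a configured keystore.
 *
 * <p>Module options read in {@link #initialize}: {@code scope}, {@code jwt-issuer}
 * (defaults to the client id), {@code jwt-audience} (required), {@code jwt-subject}
 * (defaults to the caller principal's name), {@code keystore-type} (defaults to JKS),
 * {@code keystore-password}, {@code keystore-url}, {@code certificate-alias},
 * {@code certificate-password} (defaults to the keystore password) and
 * {@code signature-algorithm-name} (JCA name, defaults to {@code SHA256withRSA};
 * must be one of the RSASSA-PKCS1-v1_5 variants so it can be expressed as a JWS
 * {@code alg}).
 *
 * <p>The keystore is loaded once per JVM and cached in a static field, so the
 * first login module instance that runs fixes the keystore for the process.
 */
public class JWTBearerTokenLoginModule extends OAuth20LoginModule {
    /** JCA signature algorithm used when {@code signature-algorithm-name} is not configured. */
    private static final String DEFAULT_SIGNATURE_ALGORITHM = "SHA256withRSA";
    /** Keystore type used when {@code keystore-type} is not configured. */
    private static final String DEFAULT_KEYSTORE_TYPE = "JKS";
    /** Lifetime of the assertion in seconds; added to "now" to compute the {@code exp} claim. */
    private static final long ASSERTION_LIFETIME_SECONDS = 120L;
    /** Log context used for security diagnostics. */
    private static final String SECURITY_LOG_CONTEXT = "org.teiid.SECURITY";

    private String scope;
    private String issuer;
    private String audience;
    private String jwtSubject;
    private String keystoreType;
    private String keystorePassword;
    private String keystoreURL;
    private String certificateAlias;
    private String certificatePassword;
    private String algorithmName;
    // Built lazily by loadKeystore() and shared by every instance; guarded by the class monitor.
    private static JBossJSSESecurityDomain securityDomain;

    /**
     * Reads this module's options from {@code map2} after delegating to the superclass.
     * Absent options stay {@code null} and fall back to their defaults when the assertion is built.
     */
    @Override // org.teiid.jboss.oauth.OAuth20LoginModule
    public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> map, Map<String, ?> map2) {
        super.initialize(subject, callbackHandler, map, map2);
        this.scope = (String) map2.get("scope");
        this.issuer = (String) map2.get("jwt-issuer");
        this.audience = (String) map2.get("jwt-audience");
        this.jwtSubject = (String) map2.get("jwt-subject");
        this.keystoreType = (String) map2.get("keystore-type");
        this.keystorePassword = (String) map2.get("keystore-password");
        this.keystoreURL = (String) map2.get("keystore-url");
        this.certificateAlias = (String) map2.get("certificate-alias");
        this.certificatePassword = (String) map2.get("certificate-password");
        this.algorithmName = (String) map2.get("signature-algorithm-name");
    }

    /**
     * Builds the signed assertion, wraps it in a credential whose access token is
     * fetched with the {@code urn:ietf:params:oauth:grant-type:jwt-bearer} grant, and
     * hands the credential to the superclass login.
     *
     * @return {@code false} if no assertion could be produced, otherwise the superclass result
     * @throws LoginException if the assertion cannot be built or the superclass login fails
     */
    @Override // org.teiid.jboss.oauth.OAuth20LoginModule
    public boolean login() throws LoginException {
        this.callerSubject = getSubject();
        this.callerPrincipal = getPrincipal();
        final String assertion = getJWTAssertion();
        if (assertion == null) {
            return false;
        }
        OAuth20CredentialImpl credential = new OAuth20CredentialImpl() { // from class: org.teiid.jboss.oauth.JWTBearerTokenLoginModule.1
            @Override // org.teiid.jboss.oauth.OAuth20CredentialImpl
            protected ClientAccessToken getAccessToken() {
                // The outer module's scope is optional; the grant only carries it when configured.
                String requestedScope = JWTBearerTokenLoginModule.this.scope;
                JwtBearerGrant grant = requestedScope != null
                        ? new JwtBearerGrant(assertion, true, requestedScope)
                        : new JwtBearerGrant(assertion, true);
                return OAuthClientUtils.getAccessToken(
                        WebClient.create(getAccessTokenURI()),
                        new OAuthClientUtils.Consumer(getClientId(), getClientSecret()),
                        grant,
                        (Map<String, String>) null,
                        false);
            }
        };
        credential.setClientId(getClientId());
        credential.setClientSecret(getClientSecret());
        credential.setAccessTokenURI(getAccessTokenURI());
        setCredential(credential);
        return super.login();
    }

    /**
     * Produces a compact JWS ({@code header.payload.signature}, base64url) carrying the
     * {@code iss}, {@code sub}, {@code aud} and {@code exp} claims, signed with the private
     * key stored under {@code certificate-alias}.
     *
     * <p>The JWS {@code alg} header is derived from the configured JCA signature algorithm so
     * the header always describes the signature actually produced; {@code exp} is emitted as
     * a NumericDate (seconds since the epoch), as RFC 7519 requires.
     *
     * @return the serialized assertion
     * @throws LoginException if a required option is missing, the algorithm has no JWS
     *         equivalent, no private key is found, or signing fails (the cause is attached)
     */
    protected String getJWTAssertion() throws LoginException {
        String jcaAlgorithm = this.algorithmName == null ? DEFAULT_SIGNATURE_ALGORITHM : this.algorithmName;
        String jwsAlgorithm = toJwsAlgorithm(jcaAlgorithm);
        if (this.audience == null) {
            // RFC 7523 requires an audience; without it the server cannot accept the assertion.
            throw new LoginException("jwt-audience must be configured for the JWT bearer grant");
        }
        String issuerClaim = this.issuer == null ? getClientId() : this.issuer;
        String subjectClaim = this.jwtSubject;
        if (subjectClaim == null) {
            if (this.callerPrincipal == null) {
                throw new LoginException("no caller principal is available and jwt-subject is not configured");
            }
            subjectClaim = this.callerPrincipal.getName();
        }
        long expiresAt = (System.currentTimeMillis() / 1000L) + ASSERTION_LIFETIME_SECONDS;

        String header = "{\"alg\":\"" + jwsAlgorithm + "\"}";
        String payload = "{\"iss\": \"" + jsonEscape(issuerClaim)
                + "\", \"sub\": \"" + jsonEscape(subjectClaim)
                + "\", \"aud\": \"" + jsonEscape(this.audience)
                + "\", \"exp\": " + expiresAt + "}";

        StringBuilder token = new StringBuilder();
        token.append(Base64.encodeUrlSafe(header.getBytes(StandardCharsets.UTF_8)));
        token.append('.');
        token.append(Base64.encodeUrlSafe(payload.getBytes(StandardCharsets.UTF_8)));
        try {
            String keyPassword = this.certificatePassword == null ? this.keystorePassword : this.certificatePassword;
            loadKeystore(this.keystoreURL, this.keystorePassword, this.keystoreType, keyPassword);
            Key key = securityDomain.getKey(this.certificateAlias, keyPassword);
            if (!(key instanceof PrivateKey)) {
                // getKey() yields null for an unknown alias or a non-private entry; fail clearly rather than with a cast/NPE.
                throw new LoginException("no private key found under certificate-alias '" + this.certificateAlias + "'");
            }
            Signature signature = Signature.getInstance(jcaAlgorithm);
            signature.initSign((PrivateKey) key);
            // The signing input is the already-encoded "header.payload".
            signature.update(token.toString().getBytes(StandardCharsets.UTF_8));
            token.append('.');
            token.append(Base64.encodeUrlSafe(signature.sign()));
            return token.toString();
        } catch (LoginException e) {
            throw e;
        } catch (Exception e) {
            // loadKeystore() declares a bare Exception, so a broad catch is unavoidable here.
            LogManager.logDetail(SECURITY_LOG_CONTEXT, e);
            LoginException failure = new LoginException(e.getMessage());
            failure.initCause(e);
            throw failure;
        }
    }

    /**
     * Maps a JCA signature algorithm name to its JWS {@code alg} identifier (RFC 7518).
     * Only the RSASSA-PKCS1-v1_5 family is supported, because {@link Signature#sign()} returns
     * the encoding JWS expects for those algorithms.
     *
     * @param jcaAlgorithm JCA name such as {@code SHA256withRSA}; compared case-insensitively
     * @return {@code RS256}, {@code RS384} or {@code RS512}
     * @throws LoginException if the algorithm has no supported JWS equivalent
     */
    private static String toJwsAlgorithm(String jcaAlgorithm) throws LoginException {
        switch (jcaAlgorithm.toUpperCase(Locale.ROOT)) {
            case "SHA256WITHRSA":
                return "RS256";
            case "SHA384WITHRSA":
                return "RS384";
            case "SHA512WITHRSA":
                return "RS512";
            default:
                throw new LoginException("signature-algorithm-name '" + jcaAlgorithm
                        + "' has no JWS equivalent; use SHA256withRSA, SHA384withRSA or SHA512withRSA");
        }
    }

    /**
     * Escapes a value for use inside a JSON string literal: backslash, double quote and
     * control characters below U+0020 are escaped so a principal name or option value cannot
     * break or extend the claim set.
     *
     * @param value raw claim value, never {@code null}
     * @return the escaped text without surrounding quotes
     */
    private static String jsonEscape(String value) {
        StringBuilder out = new StringBuilder(value.length() + 8);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '"':
                    out.append("\\\"");
                    break;
                case '\\':
                    out.append("\\\\");
                    break;
                default:
                    if (c < 0x20) {
                        out.append(String.format("\\u%04x", (int) c));
                    } else {
                        out.append(c);
                    }
            }
        }
        return out.toString();
    }

    /**
     * Initializes the shared {@link JBossJSSESecurityDomain} on first use. Subsequent calls,
     * even with different arguments, reuse the already-loaded keystore. Synchronized so two
     * concurrent logins cannot both build a domain or observe a partially configured one.
     *
     * @param url keystore URL
     * @param storePassword keystore password
     * @param type keystore type, {@code null} for JKS
     * @param keyPassword password protecting the private key entry
     * @throws Exception if the underlying security domain fails to load the stores
     */
    private static synchronized void loadKeystore(String url, String storePassword, String type, String keyPassword) throws Exception {
        if (securityDomain == null) {
            JBossJSSESecurityDomain domain = new JBossJSSESecurityDomain("JWTBearer");
            domain.setKeyStorePassword(storePassword);
            domain.setKeyStoreType(type == null ? DEFAULT_KEYSTORE_TYPE : type);
            domain.setKeyStoreURL(url);
            domain.setServiceAuthToken(keyPassword);
            domain.reloadKeyAndTrustStore();
            // Publish only after it is fully loaded.
            securityDomain = domain;
        }
    }
}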
