package org.wildfly.extension.elytron;

import java.net.MalformedURLException;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.Certificate;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import org.jboss.as.controller.AbstractAddStepHandler;
import org.jboss.as.controller.AttributeDefinition;
import org.jboss.as.controller.ObjectTypeAttributeDefinition;
import org.jboss.as.controller.OperationContext;
import org.jboss.as.controller.OperationFailedException;
import org.jboss.as.controller.OperationStepHandler;
import org.jboss.as.controller.PathElement;
import org.jboss.as.controller.SimpleAttributeDefinition;
import org.jboss.as.controller.SimpleAttributeDefinitionBuilder;
import org.jboss.as.controller.SimpleResourceDefinition;
import org.jboss.as.controller.StringListAttributeDefinition;
import org.jboss.as.controller.capability.RuntimeCapability;
import org.jboss.as.controller.operations.validation.EnumValidator;
import org.jboss.as.controller.operations.validation.StringLengthValidator;
import org.jboss.as.controller.registry.AttributeAccess;
import org.jboss.as.controller.registry.ManagementResourceRegistration;
import org.jboss.as.controller.registry.OperationEntry;
import org.jboss.dmr.ModelNode;
import org.jboss.dmr.ModelType;
import org.jboss.msc.service.ServiceBuilder;
import org.jboss.msc.service.ServiceName;
import org.jboss.msc.service.ServiceTarget;
import org.jboss.msc.service.StartException;
import org.jboss.msc.value.InjectedValue;
import org.wildfly.extension.elytron.TrivialService;
import org.wildfly.extension.elytron._private.ElytronSubsystemMessages;
import org.wildfly.security.auth.realm.token.TokenSecurityRealm;
import org.wildfly.security.auth.realm.token.validator.JwtValidator;
import org.wildfly.security.auth.realm.token.validator.OAuth2IntrospectValidator;
import org.wildfly.security.auth.server.SecurityRealm;

/* loaded from: input_file:org/wildfly/extension/elytron/TokenRealmDefinition.class */
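/**
 * Resource definition for the Elytron {@code token-realm} resource.
 *
 * <p>The realm installed by {@link RealmAddHandler} is a {@link TokenSecurityRealm} whose
 * validator depends on which validator attribute the model defines: {@code jwt} installs a
 * {@link JwtValidator} (signature checking against a locally configured key), otherwise
 * {@code oauth2-introspection} installs an {@link OAuth2IntrospectValidator} (tokens are checked
 * against a remote introspection endpoint). The name of the token claim that becomes the
 * principal is taken from {@link #PRINCIPAL_CLAIM}.
 */
class TokenRealmDefinition extends SimpleResourceDefinition {

    /** Name of the token claim used as the principal name; defaults to {@code username}. */
    static final SimpleAttributeDefinition PRINCIPAL_CLAIM = new SimpleAttributeDefinitionBuilder(ElytronDescriptionConstants.PRINCIPAL_CLAIM, ModelType.STRING, true)
            .setDefaultValue(new ModelNode("username"))
            .setAllowExpression(true)
            .setMinSize(1)
            .setRestartAllServices()
            .build();

    /** All attributes of the resource: the principal claim plus the two (optional) validator objects. */
    static final AttributeDefinition[] ATTRIBUTES = {PRINCIPAL_CLAIM, JwtValidatorAttributes.JWT_VALIDATOR, OAuth2IntrospectionValidatorAttributes.OAUTH2_INTROSPECTION_VALIDATOR};

    private static final AbstractAddStepHandler ADD = new RealmAddHandler();
    private static final OperationStepHandler REMOVE = new TrivialCapabilityServiceRemoveHandler(ADD, Capabilities.MODIFIABLE_SECURITY_REALM_RUNTIME_CAPABILITY, Capabilities.SECURITY_REALM_RUNTIME_CAPABILITY);

    /**
     * Attributes of the {@code jwt} validator.
     *
     * <p>The verification key is supplied either inline through {@link #PUBLIC_KEY} or as a
     * certificate read from a key-store capability ({@link #KEY_STORE} together with
     * {@link #CERTIFICATE}); the two forms are declared as alternatives of each other.
     */
    static class JwtValidatorAttributes {

        /** Accepted issuer values; optional. */
        static final StringListAttributeDefinition ISSUER = new StringListAttributeDefinition.Builder(ElytronDescriptionConstants.ISSUER)
                .setAllowExpression(true)
                .setRequired(false)
                .setMinSize(1)
                .build();

        /** Accepted audience values; optional. */
        static final StringListAttributeDefinition AUDIENCE = new StringListAttributeDefinition.Builder(ElytronDescriptionConstants.AUDIENCE)
                .setAllowExpression(true)
                .setRequired(false)
                .setMinSize(1)
                .build();

        /** Inline public key; its UTF-8 bytes are handed to {@link JwtValidator.Builder#publicKey(byte[])}. */
        static final SimpleAttributeDefinition PUBLIC_KEY = new SimpleAttributeDefinitionBuilder(ElytronDescriptionConstants.PUBLIC_KEY, ModelType.STRING, true)
                .setAlternatives(ElytronDescriptionConstants.KEY_STORE, ElytronDescriptionConstants.CERTIFICATE)
                .setAllowExpression(true)
                .setMinSize(1)
                .setFlags(AttributeAccess.Flag.RESTART_RESOURCE_SERVICES)
                .build();

        /** Name of a key-store capability holding the verification certificate; requires {@link #CERTIFICATE}. */
        static final SimpleAttributeDefinition KEY_STORE = new SimpleAttributeDefinitionBuilder(ElytronDescriptionConstants.KEY_STORE, ModelType.STRING, true)
                .setAlternatives(ElytronDescriptionConstants.PUBLIC_KEY)
                .setRequires(ElytronDescriptionConstants.CERTIFICATE)
                .setMinSize(1)
                .setCapabilityReference("org.wildfly.security.key-store", "org.wildfly.security.security-realm", true)
                .setFlags(AttributeAccess.Flag.RESTART_RESOURCE_SERVICES)
                .setAllowExpression(false)
                .build();

        /** Alias of the certificate inside {@link #KEY_STORE} whose public key verifies token signatures. */
        static final SimpleAttributeDefinition CERTIFICATE = new SimpleAttributeDefinitionBuilder(ElytronDescriptionConstants.CERTIFICATE, ModelType.STRING, true)
                .setAlternatives(ElytronDescriptionConstants.PUBLIC_KEY)
                .setRequires(KEY_STORE.getName())
                .setAllowExpression(true)
                .setFlags(AttributeAccess.Flag.RESTART_RESOURCE_SERVICES)
                .setMinSize(1)
                .build();

        // NOTE(review): lists only three of the five attributes that JWT_VALIDATOR declares
        // (KEY_STORE and CERTIFICATE are absent). Left unchanged because the array's consumers are
        // not visible in this file — confirm no caller depends on the current contents before extending it.
        static final AttributeDefinition[] ATTRIBUTES = {ISSUER, AUDIENCE, PUBLIC_KEY};

        /** The complex {@code jwt} attribute grouping all validator settings above. */
        static final ObjectTypeAttributeDefinition JWT_VALIDATOR = new ObjectTypeAttributeDefinition.Builder(ElytronDescriptionConstants.JWT, ISSUER, AUDIENCE, PUBLIC_KEY, KEY_STORE, CERTIFICATE)
                .setRequired(false)
                .setRestartAllServices()
                .build();

        JwtValidatorAttributes() {
        }
    }

    /**
     * Attributes of the {@code oauth2-introspection} validator, which checks tokens by calling a
     * remote introspection endpoint authenticated with a client id and secret.
     */
    static class OAuth2IntrospectionValidatorAttributes {

        /** Client identifier presented to the introspection endpoint; required. */
        static final SimpleAttributeDefinition CLIENT_ID = new SimpleAttributeDefinitionBuilder(ElytronDescriptionConstants.CLIENT_ID, ModelType.STRING, false)
                .setAllowExpression(true)
                .setMinSize(1)
                .setFlags(AttributeAccess.Flag.RESTART_RESOURCE_SERVICES)
                .build();

        // NOTE(review): this is a credential stored as a plain string in the model. Nothing here
        // marks it as sensitive, so it is presumably returned verbatim by read-resource and written
        // to the persisted configuration — confirm against the subsystem's convention for secrets.
        static final SimpleAttributeDefinition CLIENT_SECRET = new SimpleAttributeDefinitionBuilder(ElytronDescriptionConstants.CLIENT_SECRET, ModelType.STRING, false)
                .setAllowExpression(true)
                .setMinSize(1)
                .setFlags(AttributeAccess.Flag.RESTART_RESOURCE_SERVICES)
                .build();

        /** URL of the introspection endpoint; syntactically validated by {@link URLValidator} only. */
        static final SimpleAttributeDefinition INTROSPECTION_URL = new SimpleAttributeDefinitionBuilder(ElytronDescriptionConstants.INTROSPECTION_URL, ModelType.STRING, false)
                .setAllowExpression(true)
                .setValidator(new URLValidator())
                .setMinSize(1)
                .setFlags(AttributeAccess.Flag.RESTART_RESOURCE_SERVICES)
                .build();

        /** Optional reference to an {@code ssl-context} capability used for the connection to the endpoint. */
        protected static final SimpleAttributeDefinition SSL_CONTEXT = new SimpleAttributeDefinitionBuilder(ElytronDescriptionConstants.CLIENT_SSL_CONTEXT, ModelType.STRING, true)
                .setCapabilityReference("org.wildfly.security.ssl-context", "org.wildfly.security.security-realm", true)
                .setFlags(AttributeAccess.Flag.RESTART_ALL_SERVICES)
                .setValidator(new StringLengthValidator(1))
                .build();

        /**
         * Optional host name verification policy; see {@link HostnameVerificationPolicy}. When unset,
         * {@code null} is passed to the validator and its own default applies (not visible here).
         */
        static final SimpleAttributeDefinition HOSTNAME_VERIFICATION_POLICY = new SimpleAttributeDefinitionBuilder(ElytronDescriptionConstants.HOST_NAME_VERIFICATION_POLICY, ModelType.STRING, true)
                .setValidator(new EnumValidator<>(HostnameVerificationPolicy.class, true, true))
                .setAllowExpression(true)
                .setMinSize(1)
                .setFlags(AttributeAccess.Flag.RESTART_RESOURCE_SERVICES)
                .build();

        static final AttributeDefinition[] ATTRIBUTES = {CLIENT_ID, CLIENT_SECRET, INTROSPECTION_URL, SSL_CONTEXT, HOSTNAME_VERIFICATION_POLICY};

        /** The complex {@code oauth2-introspection} attribute grouping all validator settings above. */
        static final ObjectTypeAttributeDefinition OAUTH2_INTROSPECTION_VALIDATOR = new ObjectTypeAttributeDefinition.Builder(ElytronDescriptionConstants.OAUTH2_INTROSPECTION, CLIENT_ID, CLIENT_SECRET, INTROSPECTION_URL, SSL_CONTEXT, HOSTNAME_VERIFICATION_POLICY)
                .setRequired(false)
                .setRestartAllServices()
                .build();

        /**
         * Host name verification policies selectable for the TLS connection to the introspection
         * endpoint. The only policy, {@link #ANY}, installs a verifier that accepts every host name,
         * i.e. selecting it disables host name verification for that connection.
         */
        public enum HostnameVerificationPolicy {
            ANY((hostname, session) -> true);

            private final HostnameVerifier verifier;

            HostnameVerificationPolicy(HostnameVerifier verifier) {
                this.verifier = verifier;
            }

            /** @return the {@link HostnameVerifier} implementing this policy */
            HostnameVerifier getVerifier() {
                return this.verifier;
            }
        }

        OAuth2IntrospectionValidatorAttributes() {
        }
    }

    /**
     * Add handler: installs the realm service under the modifiable-security-realm capability name
     * with the plain security-realm capability name as an alias.
     */
    private static class RealmAddHandler extends BaseAddHandler {

        private RealmAddHandler() {
            super(new HashSet<>(Arrays.asList(Capabilities.MODIFIABLE_SECURITY_REALM_RUNTIME_CAPABILITY, Capabilities.SECURITY_REALM_RUNTIME_CAPABILITY)), TokenRealmDefinition.ATTRIBUTES);
        }

        /**
         * Resolves the principal claim and dispatches to the validator branch the model defines;
         * {@code jwt} takes precedence over {@code oauth2-introspection}.
         *
         * @throws OperationFailedException if an attribute cannot be resolved
         */
        @Override
        protected void performRuntime(OperationContext context, ModelNode operation, ModelNode model) throws OperationFailedException {
            String realmAddress = context.getCurrentAddressValue();
            ServiceName realmName = Capabilities.MODIFIABLE_SECURITY_REALM_RUNTIME_CAPABILITY.fromBaseCapability(realmAddress).getCapabilityServiceName();
            ServiceName realmAlias = Capabilities.SECURITY_REALM_RUNTIME_CAPABILITY.fromBaseCapability(realmAddress).getCapabilityServiceName();
            // PRINCIPAL_CLAIM has a default, so the resolved node is always defined.
            String principalClaim = TokenRealmDefinition.PRINCIPAL_CLAIM.resolveModelAttribute(context, model).asString();

            if (model.hasDefined(ElytronDescriptionConstants.JWT)) {
                installJwtRealm(context, model, realmName, realmAlias, principalClaim);
            } else if (model.hasDefined(ElytronDescriptionConstants.OAUTH2_INTROSPECTION)) {
                installIntrospectionRealm(context, model, realmName, realmAlias, principalClaim);
            }
            // NOTE(review): with neither validator defined nothing is installed under realmName, so
            // the capability this resource advertises is never satisfied. Presumably model-level
            // validation rejects that configuration before reaching here — verify.
        }

        /**
         * Installs a realm backed by a {@link JwtValidator}. The public key comes either from the
         * inline {@code public-key} attribute or from the certificate alias in the injected key store;
         * the key store, when configured, is added as a service dependency so it is available at start.
         */
        private void installJwtRealm(OperationContext context, ModelNode model, ServiceName realmName,
                                     ServiceName realmAlias, final String principalClaim) throws OperationFailedException {
            ModelNode jwt = JwtValidatorAttributes.JWT_VALIDATOR.resolveModelAttribute(context, model);
            final String[] issuers = asStringArrayIfDefined(context, JwtValidatorAttributes.ISSUER, jwt);
            final String[] audiences = asStringArrayIfDefined(context, JwtValidatorAttributes.AUDIENCE, jwt);
            final String publicKey = ElytronExtension.asStringIfDefined(context, JwtValidatorAttributes.PUBLIC_KEY, jwt);
            final InjectedValue<KeyStore> keyStoreInjector = new InjectedValue<>();
            final String keyStoreName = ElytronExtension.asStringIfDefined(context, JwtValidatorAttributes.KEY_STORE, jwt);
            final String certificateAlias = ElytronExtension.asStringIfDefined(context, JwtValidatorAttributes.CERTIFICATE, jwt);

            ServiceBuilder<SecurityRealm> realmBuilder = context.getServiceTarget().addService(realmName, new TrivialService<SecurityRealm>(new TrivialService.ValueSupplier<SecurityRealm>() {
                @Override
                public SecurityRealm get() throws StartException {
                    JwtValidator.Builder validator = JwtValidator.builder();
                    if (issuers != null) {
                        validator.issuer(issuers);
                    }
                    if (audiences != null) {
                        validator.audience(audiences);
                    }
                    if (publicKey != null) {
                        validator.publicKey(publicKey.getBytes(StandardCharsets.UTF_8));
                    }
                    // Only present when key-store was configured (the dependency below injects it).
                    KeyStore keyStore = keyStoreInjector.getOptionalValue();
                    if (keyStore != null) {
                        try {
                            Certificate certificate = keyStore.getCertificate(certificateAlias);
                            if (certificate == null) {
                                throw ElytronSubsystemMessages.ROOT_LOGGER.unableToAccessEntryFromKeyStore(certificateAlias, keyStoreName);
                            }
                            validator.publicKey(certificate.getPublicKey());
                        } catch (KeyStoreException e) {
                            throw ElytronSubsystemMessages.ROOT_LOGGER.unableToStartService(e);
                        }
                    }
                    return TokenSecurityRealm.builder()
                            .principalClaimName(principalClaim)
                            .validator(validator.build())
                            .build();
                }

                @Override
                public void dispose() {
                    // Nothing held beyond what the realm owns.
                }
            }));

            // keyStoreName was resolved once above; the original resolved it a second time here.
            if (keyStoreName != null) {
                realmBuilder.addDependency(context.getCapabilityServiceName(RuntimeCapability.buildDynamicCapabilityName("org.wildfly.security.key-store", keyStoreName), KeyStore.class), KeyStore.class, keyStoreInjector);
            }
            realmBuilder.addAliases(realmAlias).install();
        }

        /**
         * Installs a realm backed by an {@link OAuth2IntrospectValidator}. The optional SSL context is
         * added as a service dependency; the host name verification policy, when set, replaces the
         * verifier used for the TLS connection to the introspection endpoint.
         */
        private void installIntrospectionRealm(OperationContext context, ModelNode model, ServiceName realmName,
                                               ServiceName realmAlias, final String principalClaim) throws OperationFailedException {
            ModelNode introspection = OAuth2IntrospectionValidatorAttributes.OAUTH2_INTROSPECTION_VALIDATOR.resolveModelAttribute(context, model);
            final String clientId = ElytronExtension.asStringIfDefined(context, OAuth2IntrospectionValidatorAttributes.CLIENT_ID, introspection);
            final String clientSecret = ElytronExtension.asStringIfDefined(context, OAuth2IntrospectionValidatorAttributes.CLIENT_SECRET, introspection);
            final String introspectionUrl = ElytronExtension.asStringIfDefined(context, OAuth2IntrospectionValidatorAttributes.INTROSPECTION_URL, introspection);
            String sslContextName = ElytronExtension.asStringIfDefined(context, OAuth2IntrospectionValidatorAttributes.SSL_CONTEXT, introspection);
            final String verificationPolicy = ElytronExtension.asStringIfDefined(context, OAuth2IntrospectionValidatorAttributes.HOSTNAME_VERIFICATION_POLICY, introspection);
            final InjectedValue<SSLContext> sslContextInjector = new InjectedValue<>();

            ServiceBuilder<SecurityRealm> realmBuilder = context.getServiceTarget().addService(realmName, new TrivialService<SecurityRealm>(new TrivialService.ValueSupplier<SecurityRealm>() {
                @Override
                public SecurityRealm get() throws StartException {
                    // null means "policy not configured"; the validator's own default then applies.
                    HostnameVerifier hostnameVerifier = null;
                    if (verificationPolicy != null) {
                        hostnameVerifier = OAuth2IntrospectionValidatorAttributes.HostnameVerificationPolicy.valueOf(verificationPolicy).getVerifier();
                    }
                    // The attribute allows expressions, so the resolved value may still be malformed
                    // even though URLValidator accepted the model value; fail the service start the
                    // same way the JWT branch does rather than with an unchecked exception.
                    final URL endpoint;
                    try {
                        endpoint = new URL(introspectionUrl);
                    } catch (MalformedURLException e) {
                        throw ElytronSubsystemMessages.ROOT_LOGGER.unableToStartService(e);
                    }
                    OAuth2IntrospectValidator validator = OAuth2IntrospectValidator.builder()
                            .clientId(clientId)
                            .clientSecret(clientSecret)
                            .tokenIntrospectionUrl(endpoint)
                            .useSslContext(sslContextInjector.getOptionalValue())
                            .useSslHostnameVerifier(hostnameVerifier)
                            .build();
                    return TokenSecurityRealm.builder()
                            .principalClaimName(principalClaim)
                            .validator(validator)
                            .build();
                }

                @Override
                public void dispose() {
                    // Nothing held beyond what the realm owns.
                }
            }));

            if (sslContextName != null) {
                realmBuilder.addDependency(context.getCapabilityServiceName(RuntimeCapability.buildDynamicCapabilityName("org.wildfly.security.ssl-context", sslContextName), SSLContext.class), SSLContext.class, sslContextInjector);
            }
            realmBuilder.addAliases(realmAlias).install();
        }

        /**
         * Resolves a string-list attribute.
         *
         * @return the resolved values as an array, or {@code null} when the attribute is undefined
         * @throws OperationFailedException if the attribute cannot be resolved
         */
        private static String[] asStringArrayIfDefined(OperationContext context, StringListAttributeDefinition attribute, ModelNode model) throws OperationFailedException {
            ModelNode resolved = attribute.resolveModelAttribute(context, model);
            if (!resolved.isDefined()) {
                return null;
            }
            List<ModelNode> items = resolved.asList();
            String[] values = new String[items.size()];
            for (int i = 0; i < values.length; i++) {
                values[i] = items.get(i).asString();
            }
            return values;
        }
    }

    /**
     * Validates that a non-empty string parses with {@link URL#URL(String)}. This is a syntactic
     * check only: any scheme the JDK can parse is accepted (it does not require {@code https}), and
     * no connectivity is attempted.
     */
    private static class URLValidator extends StringLengthValidator {

        private URLValidator() {
            // min length 1, not nullable, expressions not allowed at this level
            super(1, false, false);
        }

        /**
         * @throws OperationFailedException if the value is shorter than one character or is not a
         *         URL the JDK can parse
         */
        @Override
        public void validateParameter(String parameterName, ModelNode value) throws OperationFailedException {
            super.validateParameter(parameterName, value);
            String candidate = value.asString();
            try {
                new URL(candidate);
            } catch (MalformedURLException e) {
                throw ElytronSubsystemMessages.ROOT_LOGGER.invalidURL(candidate, e);
            }
        }
    }

    public TokenRealmDefinition() {
        super(new SimpleResourceDefinition.Parameters(PathElement.pathElement(ElytronDescriptionConstants.TOKEN_REALM), ElytronExtension.getResourceDescriptionResolver(ElytronDescriptionConstants.TOKEN_REALM))
                .setAddHandler(ADD)
                .setRemoveHandler(REMOVE)
                .setAddRestartLevel(OperationEntry.Flag.RESTART_RESOURCE_SERVICES)
                .setRemoveRestartLevel(OperationEntry.Flag.RESTART_RESOURCE_SERVICES)
                .setCapabilities(Capabilities.MODIFIABLE_SECURITY_REALM_RUNTIME_CAPABILITY, Capabilities.SECURITY_REALM_RUNTIME_CAPABILITY));
    }

    /** Registers every attribute in {@link #ATTRIBUTES} as read/write with a reload-required write handler. */
    @Override
    public void registerAttributes(ManagementResourceRegistration registration) {
        ElytronReloadRequiredWriteAttributeHandler writeHandler = new ElytronReloadRequiredWriteAttributeHandler(ATTRIBUTES);
        for (AttributeDefinition attribute : ATTRIBUTES) {
            registration.registerReadWriteAttribute(attribute, null, writeHandler);
        }
    }
}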
