package org.wildfly.security.http.oidc;

import java.nio.charset.StandardCharsets;
import java.util.Map;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.NumericDate;
import org.jose4j.lang.JoseException;
import org.wildfly.security.http.oidc.Oidc;

/* loaded from: input_file:WEB-INF/lib/wildfly-elytron-1.15.16.Final.jar:org/wildfly/security/http/oidc/JWTClientSecretCredentialsProvider.class */
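/**
 * {@link ClientCredentialsProvider} implementing the OIDC {@code client_secret_jwt} client-authentication
 * method: instead of sending the shared secret itself, the client sends a short-lived JWT that is
 * HMAC-signed with that secret as the {@code client_assertion} parameter of token-endpoint requests.
 *
 * <p>Security-relevant properties of this implementation:
 * <ul>
 *   <li>The configured secret's UTF-8 bytes are used directly as the HMAC key, with no key derivation,
 *       so the assertion signature is exactly as strong as the configured secret.</li>
 *   <li>Only the HMAC JWS algorithms {@code HS256}, {@code HS384} and {@code HS512} are accepted;
 *       {@code HS256} is used when none is configured.</li>
 *   <li>Every assertion carries a fresh {@code jti}, {@code iat} and {@code nbf} set to "now", and an
 *       {@code exp} of now plus the token timeout (default {@value #DEFAULT_TOKEN_TIMEOUT_SECONDS} seconds),
 *       which bounds how long a captured assertion remains valid.</li>
 * </ul>
 *
 * <p>The setters mutate plain, unsynchronized fields: configure an instance fully (normally via
 * {@link #init}) before it is shared between threads.
 */
public class JWTClientSecretCredentialsProvider implements ClientSecretCredentialsProvider {
    /** Lifetime, in seconds, of generated assertions when {@code token-timeout} is not configured. */
    private static final int DEFAULT_TOKEN_TIMEOUT_SECONDS = 10;

    /** HMAC key built from the configured secret; its JCA algorithm name is derived from {@link #clientSecretJwtAlg}. */
    private SecretKey clientSecret;
    /** JWS {@code alg} header value used when signing (one of HS256/HS384/HS512). */
    private String clientSecretJwtAlg;
    /** Assertion lifetime in seconds ({@code exp - iat}). */
    private int tokenTimeout;

    @Override // org.wildfly.security.http.oidc.ClientCredentialsProvider
    public String getId() {
        return Oidc.ClientCredentialsProviderType.SECRET_JWT.getValue();
    }

    /**
     * Sets the lifetime, in seconds, granted to each generated assertion.
     *
     * @param i assertion lifetime in seconds; a non-positive value yields assertions that are already
     *          expired at issuance, which the token endpoint is expected to reject
     */
    public void setTokenTimeout(int i) {
        this.tokenTimeout = i;
    }

    /** @return the assertion lifetime in seconds currently in effect */
    protected int getTokenTimeout() {
        return this.tokenTimeout;
    }

    /**
     * Configures the provider from the {@code credentials} section of the client configuration.
     *
     * @param oidcClientConfiguration client configuration, used only for the resource name in error messages
     * @param obj                     the credentials config; must be a {@link Map} holding a mandatory
     *                                {@code secret}, an optional HMAC {@code algorithm} and an optional
     *                                {@code token-timeout} in seconds
     * @throws RuntimeException (from {@link ElytronMessages}) when the config is not a map, the secret is
     *                          missing, or the algorithm is not one of the supported HMAC algorithms
     */
    @Override // org.wildfly.security.http.oidc.ClientCredentialsProvider
    public void init(OidcClientConfiguration oidcClientConfiguration, Object obj) {
        if (!(obj instanceof Map)) {
            throw ElytronMessages.log.invalidJwtClientCredentialsUsingSecretConfig(oidcClientConfiguration.getResourceName());
        }
        // Kept raw to match the type Oidc.asInt(...) is called with elsewhere in the module.
        Map config = (Map) obj;
        String secret = (String) config.get("secret");
        if (secret == null) {
            throw ElytronMessages.log.missingParameterInJwtClientCredentialsConfig("secret", oidcClientConfiguration.getResourceName());
        }
        String algorithm = (String) config.get("algorithm");
        if (algorithm == null) {
            // No algorithm configured: HS256 is the default.
            setClientSecret(secret);
        } else if (isValidClientSecretJwtAlg(algorithm)) {
            setClientSecret(secret, algorithm);
        } else {
            // Reject anything outside the HMAC allow-list up front rather than at the first signing attempt.
            throw ElytronMessages.log.invalidAlgorithmInJwtClientCredentialsConfig(oidcClientConfiguration.getResourceName());
        }
        this.tokenTimeout = Oidc.asInt(config, "token-timeout", DEFAULT_TOKEN_TIMEOUT_SECONDS).intValue();
    }

    /**
     * Allow-list check for the JWS algorithms a shared secret may be used with.
     *
     * @param str candidate JWS {@code alg} value
     * @return {@code true} only for {@code HS256}, {@code HS384} or {@code HS512}
     */
    private static boolean isValidClientSecretJwtAlg(String str) {
        return AlgorithmIdentifiers.HMAC_SHA256.equals(str)
                || AlgorithmIdentifiers.HMAC_SHA384.equals(str)
                || AlgorithmIdentifiers.HMAC_SHA512.equals(str);
    }

    /**
     * Adds the {@code client_assertion_type} and a freshly signed {@code client_assertion} to the
     * token-request form parameters. The request headers ({@code map}) are left untouched.
     *
     * @param oidcClientConfiguration supplies the client id (resource name) and token endpoint URL
     * @param map                     request headers; not modified by this method
     * @param map2                    form parameters the assertion is added to
     */
    @Override // org.wildfly.security.http.oidc.ClientCredentialsProvider
    public void setClientCredentials(OidcClientConfiguration oidcClientConfiguration, Map<String, String> map, Map<String, String> map2) {
        String assertion = createSignedRequestToken(oidcClientConfiguration.getResourceName(), oidcClientConfiguration.getTokenUrl());
        map2.put("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer");
        map2.put("client_assertion", assertion);
    }

    /** @return the live HMAC key object built from the configured secret (not a copy) */
    @Override // org.wildfly.security.http.oidc.ClientSecretCredentialsProvider
    public SecretKey getClientSecret() {
        return this.clientSecret;
    }

    /**
     * Installs the shared secret, to be used with {@code HS256}.
     *
     * @param str the raw client secret
     */
    public void setClientSecret(String str) {
        setClientSecret(str, AlgorithmIdentifiers.HMAC_SHA256);
    }

    /**
     * Installs the shared secret for the given JWS algorithm. The secret's UTF-8 bytes become the HMAC
     * key verbatim; no stretching or derivation is applied. Unlike {@link #init}, this method performs
     * no allow-list check on {@code str2}; callers should pass one of HS256/HS384/HS512.
     *
     * @param str  the raw client secret
     * @param str2 the JWS {@code alg} value to sign with; also mapped to the JCA name of the key
     */
    public void setClientSecret(String str, String str2) {
        this.clientSecret = new SecretKeySpec(str.getBytes(StandardCharsets.UTF_8), Oidc.getJavaAlgorithm(str2));
        this.clientSecretJwtAlg = str2;
    }

    /**
     * Creates a signed assertion using the configured algorithm.
     *
     * @param str  client id; becomes {@code iss} and {@code sub}
     * @param str2 token endpoint URL; becomes {@code aud}
     * @return the JWS compact serialization of the assertion
     */
    public String createSignedRequestToken(String str, String str2) {
        return createSignedRequestToken(str, str2, this.clientSecretJwtAlg);
    }

    /**
     * Creates a signed assertion, optionally overriding the configured JWS algorithm.
     *
     * @param str  client id; becomes {@code iss} and {@code sub}
     * @param str2 token endpoint URL; becomes {@code aud}
     * @param str3 JWS {@code alg} to sign with; {@code null} selects the configured algorithm. A value
     *             outside the HMAC allow-list is rejected rather than silently replaced.
     * @return the JWS compact serialization of the assertion
     * @throws IllegalArgumentException if {@code str3} is neither {@code null} nor a supported HMAC algorithm
     * @throws RuntimeException (from {@link ElytronMessages}) if jose4j fails to produce the signature
     */
    public String createSignedRequestToken(String str, String str2, String str3) {
        // Previously this parameter was ignored and the configured algorithm was always used. Honour an
        // explicit override, but only from the HMAC allow-list: the key is a shared secret and must never
        // be advertised under a non-HMAC "alg".
        String alg = this.clientSecretJwtAlg;
        if (str3 != null && !str3.equals(alg)) {
            if (!isValidClientSecretJwtAlg(str3)) {
                throw new IllegalArgumentException("Unsupported client-secret JWT algorithm: " + str3);
            }
            alg = str3;
        }
        JwtClaims claims = createRequestToken(str, str2);
        JsonWebSignature jws = new JsonWebSignature();
        jws.setKey(this.clientSecret);
        jws.setAlgorithmHeaderValue(alg);
        jws.setPayload(claims.toJson());
        try {
            return jws.getCompactSerialization();
        } catch (JoseException e) {
            // NOTE(review): the message factory takes no cause, so the underlying JoseException is dropped
            // here. If jose4j's default key-length validation is in force, a secret shorter than the hash
            // output size surfaces only as this generic failure - confirm and consider logging the cause.
            throw ElytronMessages.log.unableToCreateSignedToken();
        }
    }

    /**
     * Builds the unsigned claim set for one assertion: {@code jti} (fresh id), {@code iss} and {@code sub}
     * (client id), {@code aud} (token endpoint URL), {@code iat}/{@code nbf} (now) and {@code exp}
     * (now + token timeout seconds).
     *
     * @param str  client id
     * @param str2 token endpoint URL
     * @return the populated claims
     */
    private JwtClaims createRequestToken(String str, String str2) {
        JwtClaims claims = new JwtClaims();
        // presumably a random/unique id; the generator lives in Oidc - verify it is not predictable
        claims.setJwtId(Oidc.generateId());
        claims.setIssuer(str);
        claims.setSubject(str);
        claims.setAudience(str2);
        NumericDate issuedAt = NumericDate.now();
        claims.setIssuedAt(issuedAt);
        claims.setNotBefore(issuedAt);
        // NumericDate values are seconds, so tokenTimeout is added as seconds.
        claims.setExpirationTime(NumericDate.fromSeconds(issuedAt.getValue() + this.tokenTimeout));
        return claims;
    }
}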
