package org.wildfly.security.mechanism.oauth2;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.NoSuchElementException;
import javax.json.Json;
import javax.json.JsonObjectBuilder;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.AuthorizeCallback;
import org.wildfly.security._private.ElytronMessages;
import org.wildfly.security.auth.callback.EvidenceVerifyCallback;
import org.wildfly.security.auth.callback.IdentityCredentialCallback;
import org.wildfly.security.credential.BearerTokenCredential;
import org.wildfly.security.evidence.BearerTokenEvidence;
import org.wildfly.security.mechanism.AuthenticationMechanismException;
import org.wildfly.security.mechanism.MechanismUtil;
import org.wildfly.security.sasl.digest._private.DigestUtil;
import org.wildfly.security.util.ByteIterator;

/* loaded from: input_file:WEB-INF/lib/wildfly-elytron-1.1.0.Final.jar:org/wildfly/security/mechanism/oauth2/OAuth2Server.class */
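/**
 * Server side of the OAuth2 bearer-token authentication mechanism.
 *
 * <p>The class parses the initial client message, hands the bearer token to the configured
 * {@link CallbackHandler} for verification and authorization, and produces either an empty
 * success response or a Base64-encoded JSON error message.
 *
 * <p>Everything reaching {@link #parseInitialClientMessage(byte[])} comes from an unauthenticated
 * peer, so malformed input must surface as an {@link AuthenticationMechanismException} and never
 * as an unchecked runtime exception.
 */
public class OAuth2Server {
    /** Key of the optional server configuration entry echoed back in error messages. */
    public static final String CONFIG_OPENID_CONFIGURATION_URL = "openid-configuration";

    // RFC 7628 writes the key/value separator as the ABNF terminal %x01, i.e. the single octet
    // 0x01. This constant is the four literal characters '%', 'x', '0', '1' and is used as a
    // String.split() pattern. NOTE(review): confirm what the peers actually send before
    // changing it; a change here alters the wire format.
    private static final String KV_DELIMITER = "%x01";

    private final String mechanismName;
    private final CallbackHandler callbackHandler;
    private final Map<String, ?> serverConfig;

    /**
     * Creates the server-side mechanism helper.
     *
     * @param mechanismName   mechanism name, used only when building exception messages
     * @param callbackHandler handler that verifies the token evidence, authorizes the identity
     *                        and receives the resulting credential
     * @param serverConfig    mechanism configuration; the {@link #CONFIG_OPENID_CONFIGURATION_URL}
     *                        entry, when present, is included in error messages
     */
    public OAuth2Server(String mechanismName, CallbackHandler callbackHandler, Map<String, ?> serverConfig) {
        this.mechanismName = mechanismName;
        this.callbackHandler = callbackHandler;
        this.serverConfig = serverConfig;
    }

    /**
     * Parses the first message sent by the client.
     *
     * <p>Expected layout: {@code 'n'}, optionally {@code ",a=<authzid>,"}, then the key/value
     * part from which the {@code auth} entry is extracted.
     *
     * @param fromClient raw message bytes; copied before use, so the caller may reuse the array
     * @return the parsed message carrying the optional authorization id, the auth value and a
     *         private copy of the raw bytes
     * @throws AuthenticationMechanismException if the message requests channel binding, is
     *         truncated, is malformed or carries no usable auth value
     */
    public OAuth2InitialClientMessage parseInitialClientMessage(byte[] fromClient) throws AuthenticationMechanismException {
        // One defensive copy is enough: the iterator only reads it, and it is handed to the
        // message object after parsing has finished.
        byte[] messageCopy = fromClient.clone();
        ByteIterator bytes = ByteIterator.ofBytes(messageCopy);
        try {
            // Any flag other than 'n' is rejected with the "channel binding not supported" error.
            if (((char) bytes.next()) != 'n') {
                throw ElytronMessages.log.mechChannelBindingNotSupported(this.mechanismName);
            }
            String authorizationId = null;
            // NOTE(review): the header is parsed leniently. If either of the next two bytes is
            // not the expected ',' / 'a', it is consumed and parsing continues with the
            // key/value part instead of failing.
            if (bytes.next() == ',' && bytes.next() == 'a') {
                if (bytes.next() != '=') {
                    throw ElytronMessages.log.mechInvalidClientMessage(this.mechanismName);
                }
                authorizationId = bytes.delimitedBy(',').asUtf8String().drainToString();
                if (bytes.next() != ',') {
                    throw ElytronMessages.log.mechInvalidClientMessage(this.mechanismName);
                }
            }
            // The key constant was resolved by the decompiler to DigestUtil.QOP_AUTH;
            // presumably its value is the "auth" key. TODO confirm.
            String auth = getValue(DigestUtil.QOP_AUTH, bytes.asUtf8String().drainToString());
            if (auth == null) {
                throw ElytronMessages.log.mechInvalidClientMessage(this.mechanismName);
            }
            return new OAuth2InitialClientMessage(authorizationId, auth, messageCopy);
        } catch (NoSuchElementException e) {
            // The iterator ran out of bytes: the message is truncated.
            throw ElytronMessages.log.mechInvalidMessageReceived(this.mechanismName);
        }
    }

    /**
     * Looks up {@code key} in a {@link #KV_DELIMITER}-separated list of {@code key=value} pairs.
     *
     * <p>Only the first {@code '='} separates key from value, so values that themselves contain
     * {@code '='} (for example Base64 padding at the end of a token) are returned intact. Pairs
     * without {@code '='} are skipped, which keeps malformed peer input from raising an
     * {@link ArrayIndexOutOfBoundsException}.
     *
     * @param key           key to search for
     * @param keyValuesPart the delimiter-separated key/value section of the client message
     * @return the value of the first matching pair, or {@code null} if the key is absent or
     *         its value is empty
     */
    private String getValue(String key, String keyValuesPart) {
        for (String pair : keyValuesPart.split(KV_DELIMITER)) {
            int separator = pair.indexOf('=');
            if (separator < 0) {
                continue;
            }
            if (pair.substring(0, separator).equals(key)) {
                String value = pair.substring(separator + 1);
                // An empty value is treated like a missing key so the caller rejects the message.
                return value.isEmpty() ? null : value;
            }
        }
        return null;
    }

    /**
     * Verifies the bearer token from the initial client message and authorizes the identity.
     *
     * @param initialClientMessage message produced by {@link #parseInitialClientMessage(byte[])}
     * @return an empty array when the token is verified and authorized, otherwise the encoded
     *         error message; both failure cases produce the same {@code invalid_token} response
     * @throws AuthenticationMechanismException if the message is not a bearer-token message, a
     *         required callback is unsupported, or the callback handler fails
     */
    public byte[] evaluateInitialResponse(OAuth2InitialClientMessage initialClientMessage) throws AuthenticationMechanismException {
        if (!initialClientMessage.isBearerToken()) {
            throw ElytronMessages.log.mechInvalidClientMessage(this.mechanismName);
        }
        String auth = initialClientMessage.getAuth();
        // Everything after the first space is the token. If there is no space, indexOf returns
        // -1 and the whole value is used; presumably isBearerToken() rules that out. Verify.
        BearerTokenEvidence evidence = new BearerTokenEvidence(auth.substring(auth.indexOf(" ") + 1));
        EvidenceVerifyCallback verifyCallback = new EvidenceVerifyCallback(evidence);
        try {
            MechanismUtil.handleCallbacks(this.mechanismName, this.callbackHandler, verifyCallback);
            if (!verifyCallback.isVerified()) {
                return createErrorMessage();
            }
            // Both ids are null: the client-supplied authorization id is not passed on here.
            // Presumably the handler derives the identity from the verified evidence. Confirm.
            AuthorizeCallback authorizeCallback = new AuthorizeCallback(null, null);
            MechanismUtil.handleCallbacks(this.mechanismName, this.callbackHandler, authorizeCallback);
            if (!authorizeCallback.isAuthorized()) {
                return createErrorMessage();
            }
        } catch (UnsupportedCallbackException e) {
            throw ElytronMessages.log.mechAuthorizationUnsupported(this.mechanismName, e);
        }

        try {
            this.callbackHandler.handle(new Callback[] {
                new IdentityCredentialCallback(new BearerTokenCredential(evidence.getToken()), true)
            });
        } catch (AuthenticationMechanismException e) {
            throw e;
        } catch (IOException e) {
            throw ElytronMessages.log.mechServerSideAuthenticationFailed(this.mechanismName, e);
        } catch (UnsupportedCallbackException ignored) {
            // Deliberate best effort: attaching the credential is optional, and authentication
            // has already succeeded at this point.
        }
        return new byte[0];
    }

    /**
     * Builds the failure response: a JSON object with {@code "status": "invalid_token"} and,
     * when configured, the {@link #CONFIG_OPENID_CONFIGURATION_URL} entry, Base64-encoded.
     *
     * <p>The response goes to a peer that failed authentication, so the configured value should
     * contain nothing that is not meant to be public.
     *
     * @return the Base64-encoded JSON error message
     */
    private byte[] createErrorMessage() {
        JsonObjectBuilder error = Json.createObjectBuilder();
        error.add("status", "invalid_token");
        Object discoveryUrl = this.serverConfig != null ? this.serverConfig.get(CONFIG_OPENID_CONFIGURATION_URL) : null;
        if (discoveryUrl != null) {
            error.add(CONFIG_OPENID_CONFIGURATION_URL, discoveryUrl.toString());
        }
        // Encode explicitly as UTF-8 so the wire format does not depend on the platform charset.
        byte[] json = error.build().toString().getBytes(StandardCharsets.UTF_8);
        return ByteIterator.ofBytes(json).base64Encode().asUtf8().drain();
    }
}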
