package io.quarkus.oidc.runtime;

import io.quarkus.arc.ClientProxy;
import io.quarkus.oidc.OIDCException;
import io.quarkus.oidc.OidcConfigurationMetadata;
import io.quarkus.oidc.OidcRedirectFilter;
import io.quarkus.oidc.Redirect;
import io.quarkus.oidc.common.runtime.OidcCommonUtils;
import io.quarkus.runtime.configuration.ConfigurationException;
import java.nio.charset.StandardCharsets;
import java.security.PrivateKey;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import org.jboss.logging.Logger;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:io/quarkus/oidc/runtime/TenantConfigContextImpl.class */
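public final class TenantConfigContextImpl implements TenantConfigContext {
    private static final Logger LOG = Logger.getLogger(TenantConfigContextImpl.class);

    /** Secret length at which the strongest cookie encryption is produced; shorter secrets are logged. */
    private static final int STRONG_SECRET_LENGTH = 32;
    /** Hard lower bound for the state cookie secret; a shorter explicit secret is rejected. */
    private static final int MIN_STATE_SECRET_LENGTH = 16;

    private final OidcProvider provider;
    private final io.quarkus.oidc.OidcTenantConfig oidcConfig;
    /** Redirect filters grouped by the {@link Redirect.Location} they apply to; {@code ALL} holds the unrestricted ones. */
    private final Map<Redirect.Location, List<OidcRedirectFilter>> redirectFilters;
    /** AES key protecting the state cookie, or {@code null} when the tenant does not need one. */
    private final SecretKey stateSecretKey;
    /** Key encrypting the session (token state) cookie, or {@code null} when encryption is not required. */
    private final SecretKey tokenEncSecretKey;
    /** Key used for internally generated ID tokens, or {@code null} when not applicable. */
    private final SecretKey internalIdTokenGeneratedKey;
    private final boolean ready;

    /**
     * Creates a context that is immediately reported as ready.
     *
     * @param oidcProvider the resolved provider, may be {@code null}
     * @param oidcTenantConfig the tenant configuration
     */
    public TenantConfigContextImpl(OidcProvider oidcProvider, io.quarkus.oidc.OidcTenantConfig oidcTenantConfig) {
        this(oidcProvider, oidcTenantConfig, true);
    }

    /**
     * Creates a context and derives the per-tenant secret keys.
     *
     * @param oidcProvider the resolved provider, may be {@code null}
     * @param oidcTenantConfig the tenant configuration
     * @param ready whether the tenant is fully initialised
     * @throws ConfigurationException if the configured secrets are contradictory or too short
     * @throws OIDCException if key material cannot be generated or digested
     */
    public TenantConfigContextImpl(OidcProvider oidcProvider, io.quarkus.oidc.OidcTenantConfig oidcTenantConfig, boolean ready) {
        this.provider = oidcProvider;
        this.oidcConfig = oidcTenantConfig;
        this.redirectFilters = getRedirectFiltersMap(TenantFeatureFinder.find(oidcTenantConfig, OidcRedirectFilter.class));
        this.ready = ready;
        // Cookie and ID-token keys are only derived for non-service tenants that have a provider client;
        // the same condition gates all three keys, so evaluate it once.
        boolean deriveKeys = !OidcUtils.isServiceApp(oidcTenantConfig)
                && oidcProvider != null
                && oidcProvider.client != null;
        this.stateSecretKey = deriveKeys ? createStateSecretKey(oidcTenantConfig) : null;
        this.tokenEncSecretKey = deriveKeys ? createTokenEncSecretKey(oidcTenantConfig, oidcProvider) : null;
        this.internalIdTokenGeneratedKey = deriveKeys ? generateIdTokenSecretKey(oidcTenantConfig, oidcProvider) : null;
    }

    /**
     * Derives the AES key protecting the state cookie.
     * <p>
     * Resolution order: explicit state secret, PKCE secret, client/JWT secret (only if at least
     * {@value #STRONG_SECRET_LENGTH} characters), otherwise a randomly generated key. A configured
     * secret is hashed with SHA-256 before being used as the AES key.
     *
     * @return the key, or {@code null} when neither PKCE nor a nonce is required
     * @throws ConfigurationException if both the state secret and the PKCE secret are configured
     * @throws OIDCException if the secret is shorter than {@value #MIN_STATE_SECRET_LENGTH} bytes
     *         (the ConfigurationException raised for that case is wrapped) or key generation fails
     */
    private static SecretKey createStateSecretKey(io.quarkus.oidc.OidcTenantConfig oidcTenantConfig) {
        // The state cookie only carries data worth encrypting when PKCE or a nonce is in use.
        if (!oidcTenantConfig.authentication.pkceRequired.orElse(false).booleanValue()
                && !oidcTenantConfig.authentication.nonceRequired) {
            return null;
        }
        if (oidcTenantConfig.authentication.pkceSecret.isPresent()
                && oidcTenantConfig.authentication.getStateSecret().isPresent()) {
            throw new ConfigurationException("Both 'quarkus.oidc.authentication.state-secret' and 'quarkus.oidc.authentication.pkce-secret' are configured");
        }
        String secret = null;
        if (oidcTenantConfig.authentication.getStateSecret().isPresent()) {
            secret = oidcTenantConfig.authentication.getStateSecret().get();
        } else if (oidcTenantConfig.authentication.pkceSecret.isPresent()) {
            secret = oidcTenantConfig.authentication.pkceSecret.get();
        }
        if (secret == null) {
            LOG.debug("'quarkus.oidc.authentication.state-secret' is not configured");
            // Fall back to the client secret, but only reuse it when it is long enough; note that this
            // check counts UTF-16 units while the check below counts UTF-8 bytes.
            String clientOrJwtSecret = OidcCommonUtils.getClientOrJwtSecret(oidcTenantConfig.credentials);
            if (clientOrJwtSecret == null || clientOrJwtSecret.length() >= STRONG_SECRET_LENGTH) {
                secret = clientOrJwtSecret;
            } else {
                LOG.debug("Client secret is less than 32 characters long, the state secret will be generated");
            }
        }
        try {
            if (secret == null) {
                LOG.debug("Secret key for encrypting state cookie is missing, auto-generating it");
                return OidcCommonUtils.generateSecretKey();
            }
            byte[] secretBytes = secret.getBytes(StandardCharsets.UTF_8);
            if (secretBytes.length < STRONG_SECRET_LENGTH) {
                if (secretBytes.length < MIN_STATE_SECRET_LENGTH) {
                    // Thrown inside the try block, so it reaches the caller wrapped in an OIDCException.
                    throw new ConfigurationException("Secret key for encrypting state cookie is less than 16 characters long");
                }
                LOG.debug("Secret key for encrypting state cookie should be at least 32 characters long for the strongest state cookie encryption to be produced. Please update 'quarkus.oidc.authentication.state-secret' or update the configured client secret.");
            }
            return new SecretKeySpec(OidcUtils.getSha256Digest(secretBytes), "AES");
        } catch (Exception e) {
            throw new OIDCException(e);
        }
    }

    /**
     * Derives the key encrypting tokens stored in the session cookie.
     * <p>
     * Resolution order: explicit encryption secret, client/JWT secret, digest of the client's JWT
     * private key, otherwise a randomly generated key (which does not survive a restart, so
     * existing session cookies become undecryptable). Unlike the state secret, a secret shorter
     * than {@value #MIN_STATE_SECRET_LENGTH} bytes is only warned about, not rejected.
     *
     * @return the key, or {@code null} when token state encryption is not required
     * @throws OIDCException if key generation or digesting fails
     */
    private static SecretKey createTokenEncSecretKey(io.quarkus.oidc.OidcTenantConfig oidcTenantConfig, OidcProvider oidcProvider) {
        if (!oidcTenantConfig.tokenStateManager.encryptionRequired) {
            return null;
        }
        String secret;
        if (oidcTenantConfig.tokenStateManager.encryptionSecret.isPresent()) {
            secret = oidcTenantConfig.tokenStateManager.encryptionSecret.get();
        } else {
            LOG.debug("'quarkus.oidc.token-state-manager.encryption-secret' is not configured");
            secret = OidcCommonUtils.getClientOrJwtSecret(oidcTenantConfig.credentials);
        }
        try {
            if (secret == null) {
                Object clientJwtKey = oidcProvider.client.getClientJwtKey();
                if (clientJwtKey instanceof PrivateKey) {
                    return OidcUtils.createSecretKeyFromDigest(((PrivateKey) clientJwtKey).getEncoded());
                }
                LOG.warn("Secret key for encrypting OIDC authorization code flow tokens in a session cookie is not configured, auto-generating it. Note that a new secret will be generated after a restart, thus making it impossible to decrypt the session cookie and requiring a user re-authentication. Use 'quarkus.oidc.token-state-manager.encryption-secret' to configure an encryption secret. Alternatively, disable session cookie encryption with 'quarkus.oidc.token-state-manager.encryption-required=false' but only if it is considered to be safe in your application's network.");
                return OidcCommonUtils.generateSecretKey();
            }
            byte[] secretBytes = secret.getBytes(StandardCharsets.UTF_8);
            if (secretBytes.length < STRONG_SECRET_LENGTH) {
                // Same advice either way; the severity escalates to WARN below the 16-byte floor.
                String advice = "Secret key for encrypting tokens in a session cookie should be at least 32 characters long for the strongest cookie encryption to be produced. Please configure 'quarkus.oidc.token-state-manager.encryption-secret' or update the configured client secret. You can disable the session cookie encryption with 'quarkus.oidc.token-state-manager.encryption-required=false' but only if it is considered to be safe in your application's network.";
                if (secretBytes.length < MIN_STATE_SECRET_LENGTH) {
                    LOG.warn(advice);
                } else {
                    LOG.debug(advice);
                }
            }
            return OidcUtils.createSecretKeyFromDigest(secretBytes);
        } catch (Exception e) {
            throw new OIDCException(e);
        }
    }

    /**
     * Generates a key for internal ID tokens when the tenant does not require provider ID tokens
     * and has neither a client secret nor a client JWT key to derive one from.
     *
     * @return a freshly generated key, or {@code null} when not applicable
     * @throws OIDCException if key generation fails
     */
    private static SecretKey generateIdTokenSecretKey(io.quarkus.oidc.OidcTenantConfig oidcTenantConfig, OidcProvider oidcProvider) {
        try {
            boolean idTokenRequired = oidcTenantConfig.authentication.idTokenRequired.orElse(true).booleanValue();
            if (!idTokenRequired
                    && OidcCommonUtils.getClientOrJwtSecret(oidcTenantConfig.credentials) == null
                    && oidcProvider.client.getClientJwtKey() == null) {
                return OidcCommonUtils.generateSecretKey();
            }
            return null;
        } catch (Exception e) {
            throw new OIDCException(e);
        }
    }

    /** @return the tenant configuration this context was built from */
    @Override
    public io.quarkus.oidc.OidcTenantConfig oidcConfig() {
        return this.oidcConfig;
    }

    /** @return the resolved provider, or {@code null} if none was supplied */
    @Override
    public OidcProvider provider() {
        return this.provider;
    }

    /** @return whether the tenant is fully initialised */
    @Override
    public boolean ready() {
        return this.ready;
    }

    /** @return the tenant configuration (same object as {@link #oidcConfig()}) */
    @Override
    public io.quarkus.oidc.OidcTenantConfig getOidcTenantConfig() {
        return this.oidcConfig;
    }

    /** @return the provider's discovered metadata, or {@code null} when there is no provider */
    @Override
    public OidcConfigurationMetadata getOidcMetadata() {
        return this.provider == null ? null : this.provider.getMetadata();
    }

    /** @return the provider client, or {@code null} when there is no provider */
    @Override
    public OidcProviderClient getOidcProviderClient() {
        return this.provider == null ? null : this.provider.client;
    }

    /** @return the state cookie key, or {@code null} if the tenant does not use one */
    @Override
    public SecretKey getStateEncryptionKey() {
        return this.stateSecretKey;
    }

    /** @return the session cookie token encryption key, or {@code null} if encryption is not required */
    @Override
    public SecretKey getTokenEncSecretKey() {
        return this.tokenEncSecretKey;
    }

    /** @return the internally generated ID token key, or {@code null} if not applicable */
    @Override
    public SecretKey getInternalIdTokenSecretKey() {
        return this.internalIdTokenGeneratedKey;
    }

    /**
     * Groups redirect filters by the locations declared in their {@link Redirect} annotation.
     * Filters without the annotation are registered under {@link Redirect.Location#ALL}.
     *
     * @param filters the discovered filters (possibly CDI client proxies)
     * @return a mutable map from location to the filters registered for it
     */
    private static Map<Redirect.Location, List<OidcRedirectFilter>> getRedirectFiltersMap(List<OidcRedirectFilter> filters) {
        Map<Redirect.Location, List<OidcRedirectFilter>> byLocation = new HashMap<>();
        for (OidcRedirectFilter filter : filters) {
            // The annotation lives on the bean class, not on the client proxy, so unwrap first.
            Redirect redirect = ClientProxy.unwrap(filter).getClass().getAnnotation(Redirect.class);
            Redirect.Location[] locations = redirect != null
                    ? redirect.value()
                    : new Redirect.Location[] { Redirect.Location.ALL };
            for (Redirect.Location location : locations) {
                byLocation.computeIfAbsent(location, key -> new ArrayList<>()).add(filter);
            }
        }
        return byLocation;
    }

    /**
     * Returns the filters for a location followed by those registered for {@link Redirect.Location#ALL}.
     * <p>
     * The result may be one of the internal lists rather than a copy, so callers must not modify it.
     *
     * @param location the redirect location being processed
     * @return the applicable filters, never {@code null}
     */
    @Override
    public List<OidcRedirectFilter> getOidcRedirectFilters(Redirect.Location location) {
        List<OidcRedirectFilter> forAll = this.redirectFilters.get(Redirect.Location.ALL);
        // Asking for ALL directly must not list the ALL filters twice.
        if (location == Redirect.Location.ALL) {
            return forAll == null ? List.of() : forAll;
        }
        List<OidcRedirectFilter> specific = this.redirectFilters.get(location);
        if (specific == null) {
            return forAll == null ? List.of() : forAll;
        }
        if (forAll == null) {
            return specific;
        }
        List<OidcRedirectFilter> combined = new ArrayList<>(specific.size() + forAll.size());
        combined.addAll(specific);
        combined.addAll(forAll);
        return combined;
    }
}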
