package org.apache.cxf.sts.token.provider.jwt;

import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.security.auth.callback.CallbackHandler;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.common.util.StringUtils;
import org.apache.cxf.rs.security.jose.common.JoseConstants;
import org.apache.cxf.rs.security.jose.jwa.ContentAlgorithm;
import org.apache.cxf.rs.security.jose.jwa.KeyAlgorithm;
import org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm;
import org.apache.cxf.rs.security.jose.jwe.JweHeaders;
import org.apache.cxf.rs.security.jose.jwe.JweUtils;
import org.apache.cxf.rs.security.jose.jws.JwsHeaders;
import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactProducer;
import org.apache.cxf.rs.security.jose.jws.JwsUtils;
import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
import org.apache.cxf.sts.STSPropertiesMBean;
import org.apache.cxf.sts.SignatureProperties;
import org.apache.cxf.sts.cache.CacheUtils;
import org.apache.cxf.sts.request.KeyRequirements;
import org.apache.cxf.sts.request.TokenRequirements;
import org.apache.cxf.sts.service.EncryptionProperties;
import org.apache.cxf.sts.token.provider.TokenProvider;
import org.apache.cxf.sts.token.provider.TokenProviderParameters;
import org.apache.cxf.sts.token.provider.TokenProviderResponse;
import org.apache.cxf.sts.token.realm.RealmProperties;
import org.apache.cxf.ws.security.sts.provider.STSException;
import org.apache.cxf.ws.security.tokenstore.SecurityToken;
import org.apache.wss4j.common.crypto.Crypto;
import org.apache.wss4j.common.crypto.Merlin;
import org.apache.wss4j.common.ext.WSPasswordCallback;

/* loaded from: input_file:META-INF/repository/fuse-eap-distro-6.3.0.redhat-476.zip:modules/system/layers/fuse/org/apache/cxf/3.1/cxf-services-sts-core-3.1.5.redhat-630476.jar:org/apache/cxf/sts/token/provider/jwt/JWTTokenProvider.class */
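/**
 * A {@link TokenProvider} that issues JSON Web Tokens (compact serialization).
 * <p>
 * Claims come from the configured {@link JWTClaimsProvider}; the token is then signed
 * (JWS, unless {@link #setSignToken(boolean)} disabled signing) and optionally encrypted
 * (JWE) with the STS or realm-specific keystore. Signed tokens are additionally stored in
 * the token cache when the caller supplies a token store.
 * <p>
 * Not thread-safe for configuration changes; configure once, then share.
 */
public class JWTTokenProvider implements TokenProvider {
    public static final String JWT_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:jwt";
    private static final Logger LOG = LogUtils.getL7dLogger(JWTTokenProvider.class);

    // When false the token is emitted with a JWS "none" header, i.e. without any integrity protection.
    private boolean signToken = true;
    // Realm name -> realm-specific issuer / signing configuration.
    private final Map<String, RealmProperties> realmMap = new HashMap<>();
    private JWTClaimsProvider jwtClaimsProvider = new DefaultJWTClaimsProvider();

    /**
     * @param str the requested token type
     * @return whether this provider can issue {@code str} (no realm restriction)
     */
    @Override // org.apache.cxf.sts.token.provider.TokenProvider
    public boolean canHandleToken(String str) {
        return canHandleToken(str, null);
    }

    /**
     * @param str the requested token type
     * @param str2 the realm, or {@code null} for no realm
     * @return {@code true} only for {@link #JWT_TOKEN_TYPE}, and only when {@code str2} is
     *         {@code null} or a realm this provider has been configured for
     */
    @Override // org.apache.cxf.sts.token.provider.TokenProvider
    public boolean canHandleToken(String str, String str2) {
        boolean realmKnown = str2 == null || this.realmMap.containsKey(str2);
        return realmKnown && JWT_TOKEN_TYPE.equals(str);
    }

    /**
     * Builds, signs, optionally encrypts, and optionally caches a JWT.
     *
     * @param tokenProviderParameters the issuance request (claims input, STS properties, token store, ...)
     * @return the response carrying the compact-serialized token, its id and lifetime
     * @throws STSException with {@link STSException#REQUEST_FAILED} when signing, encryption or
     *         caching fails for any reason (the cause is preserved)
     */
    @Override // org.apache.cxf.sts.token.provider.TokenProvider
    public TokenProviderResponse createToken(TokenProviderParameters tokenProviderParameters) {
        TokenRequirements tokenRequirements = tokenProviderParameters.getTokenRequirements();
        if (LOG.isLoggable(Level.FINE)) {
            LOG.fine("Handling token of type: " + tokenRequirements.getTokenType());
        }

        RealmProperties realmProperties = lookupRealm(tokenProviderParameters.getRealm());

        JWTClaimsProviderParameters claimsParameters = new JWTClaimsProviderParameters();
        claimsParameters.setProviderParameters(tokenProviderParameters);
        if (realmProperties != null) {
            // The realm overrides the issuer claim; everything else comes from the request.
            claimsParameters.setIssuer(realmProperties.getIssuer());
        }
        JwtClaims jwtClaims = this.jwtClaimsProvider.getJwtClaims(claimsParameters);

        try {
            String token = signToken(jwtClaims, realmProperties, tokenProviderParameters.getStsProperties());
            if (tokenProviderParameters.isEncryptToken()) {
                token = encryptToken(token, new JweHeaders(), tokenProviderParameters.getStsProperties(),
                        tokenProviderParameters.getEncryptionProperties(),
                        tokenProviderParameters.getKeyRequirements());
            }

            TokenProviderResponse response = new TokenProviderResponse();
            response.setToken(token);
            response.setTokenId(jwtClaims.getTokenId());

            // JWT times are epoch seconds; the response uses java.util.Date (epoch millis).
            Date created = secondsToDate(jwtClaims.getIssuedAt());
            if (created != null) {
                response.setCreated(created);
            }
            Date expires = secondsToDate(jwtClaims.getExpiryTime());
            if (expires != null) {
                response.setExpires(expires);
            }

            // Only signed tokens are cached: an unsigned token cannot later be matched by signature.
            if (this.signToken && tokenProviderParameters.getTokenStore() != null) {
                SecurityToken securityToken = CacheUtils.createSecurityTokenForStorage(null,
                        jwtClaims.getTokenId(), expires, tokenProviderParameters.getPrincipal(),
                        tokenProviderParameters.getRealm(), tokenRequirements.getRenewing());
                securityToken.setData(StringUtils.toBytesUTF8(token));
                // The cache lookup key is the last segment of the compact serialization
                // (the JWS signature, or the JWE authentication tag when the token was encrypted).
                String lastSegment = token.substring(token.lastIndexOf('.') + 1);
                CacheUtils.storeTokenInCache(securityToken, tokenProviderParameters.getTokenStore(),
                        StringUtils.toBytesUTF8(lastSegment));
            }

            LOG.fine("JWT Token successfully created");
            return response;
        } catch (Exception e) {
            // Log with the cause attached (no printStackTrace), then surface a request failure.
            LOG.log(Level.WARNING, "Failed to create JWT token", e);
            throw new STSException("Can't serialize JWT token", e, STSException.REQUEST_FAILED);
        }
    }

    public boolean isSignToken() {
        return this.signToken;
    }

    /**
     * @param z {@code false} to issue unsigned ({@code alg=none}) tokens; such tokens are not cached
     */
    public void setSignToken(boolean z) {
        this.signToken = z;
    }

    /**
     * Replaces the realm configuration.
     *
     * @param map realm name to realm properties; copied, later changes to {@code map} are not seen
     */
    public void setRealmMap(Map<String, ? extends RealmProperties> map) {
        this.realmMap.clear();
        this.realmMap.putAll(map);
    }

    /**
     * @return a read-only view of the realm configuration
     */
    public Map<String, RealmProperties> getRealmMap() {
        return Collections.unmodifiableMap(this.realmMap);
    }

    public JWTClaimsProvider getJwtClaimsProvider() {
        return this.jwtClaimsProvider;
    }

    public void setJwtClaimsProvider(JWTClaimsProvider jWTClaimsProvider) {
        this.jwtClaimsProvider = jWTClaimsProvider;
    }

    /**
     * @param realm the realm name from the request, may be {@code null}
     * @return the configured properties for the realm, or {@code null} when none is configured
     */
    private RealmProperties lookupRealm(String realm) {
        if (realm == null) {
            return null;
        }
        return this.realmMap.get(realm);
    }

    /**
     * @param epochSeconds a JWT numeric-date claim, may be {@code null}
     * @return the corresponding {@link Date}, or {@code null} when the claim is absent or not positive
     */
    private static Date secondsToDate(Long epochSeconds) {
        if (epochSeconds == null || epochSeconds.longValue() <= 0) {
            return null;
        }
        return new Date(epochSeconds.longValue() * 1000L);
    }

    /**
     * Maps the configured signature algorithm name onto a JOSE algorithm name.
     * <p>
     * The STS signature algorithm is normally not a JOSE name (presumably an XML-DSig URI — to
     * confirm against {@link SignatureProperties}), so unrecognised or missing values fall back
     * to RS256 exactly as before.
     *
     * @param configured the value from {@link SignatureProperties#getSignatureAlgorithm()}
     * @return a JOSE signature algorithm name
     * @throws STSException when the configured algorithm is {@code none}: signing was requested,
     *         so an unsigned token must not be produced by configuration accident
     */
    private static String resolveSignatureAlgorithm(String configured) throws STSException {
        if (configured == null) {
            return SignatureAlgorithm.RS256.name();
        }
        SignatureAlgorithm resolved;
        try {
            resolved = SignatureAlgorithm.getAlgorithm(configured);
        } catch (IllegalArgumentException notAJoseName) {
            return SignatureAlgorithm.RS256.name();
        }
        if (resolved == null) {
            return SignatureAlgorithm.RS256.name();
        }
        if (resolved == SignatureAlgorithm.NONE) {
            throw new STSException("Signature algorithm 'none' is not allowed when signing is enabled",
                    STSException.REQUEST_FAILED);
        }
        return configured;
    }

    /**
     * @param configured the content-encryption algorithm from the request's encryption properties
     * @return {@code configured} when it is a known JOSE content algorithm, else A128GCM
     */
    private static String resolveContentAlgorithm(String configured) {
        if (configured == null) {
            return ContentAlgorithm.A128GCM.name();
        }
        try {
            if (ContentAlgorithm.getAlgorithm(configured) == null) {
                return ContentAlgorithm.A128GCM.name();
            }
        } catch (IllegalArgumentException notAJoseName) {
            return ContentAlgorithm.A128GCM.name();
        }
        return configured;
    }

    /**
     * @param configured the key-wrap algorithm from the request's encryption properties
     * @return {@code configured} when it is a known JOSE key algorithm, else RSA-OAEP
     */
    private static String resolveKeyAlgorithm(String configured) {
        if (configured == null) {
            return KeyAlgorithm.RSA_OAEP.name();
        }
        try {
            if (KeyAlgorithm.getAlgorithm(configured) == null) {
                return KeyAlgorithm.RSA_OAEP.name();
            }
        } catch (IllegalArgumentException notAJoseName) {
            return KeyAlgorithm.RSA_OAEP.name();
        }
        return configured;
    }

    /**
     * Serializes the claims as a JWS.
     * <p>
     * With signing disabled the result is an {@code alg=none} token, which carries no integrity
     * protection. Otherwise the signing key comes from the realm keystore when the realm defines
     * one, else from the STS signature keystore; the key password is obtained through the
     * corresponding {@link CallbackHandler}.
     *
     * @param jwtClaims the claims to serialize
     * @param realmProperties realm overrides, may be {@code null}
     * @param sTSPropertiesMBean STS-wide crypto configuration
     * @return the compact-serialized JWS
     * @throws STSException when no password, no callback handler or no keystore is available
     * @throws Exception propagated from the callback handler or the JOSE layer
     */
    private String signToken(JwtClaims jwtClaims, RealmProperties realmProperties,
                             STSPropertiesMBean sTSPropertiesMBean) throws Exception {
        if (!this.signToken) {
            return new JwsJwtCompactProducer(new JwsHeaders(SignatureAlgorithm.NONE), jwtClaims)
                    .getSignedEncodedJws();
        }

        Crypto signatureCrypto = sTSPropertiesMBean.getSignatureCrypto();
        CallbackHandler callbackHandler = sTSPropertiesMBean.getCallbackHandler();
        SignatureProperties signatureProperties = sTSPropertiesMBean.getSignatureProperties();
        String signatureUsername = sTSPropertiesMBean.getSignatureUsername();

        if (realmProperties != null) {
            if (realmProperties.getSignatureCrypto() != null) {
                LOG.fine("SAMLRealm signature keystore used");
                // Keystore, callback handler and alias are switched together so they stay consistent.
                signatureCrypto = realmProperties.getSignatureCrypto();
                callbackHandler = realmProperties.getCallbackHandler();
                signatureUsername = realmProperties.getSignatureAlias();
            }
            if (realmProperties.getSignatureProperties() != null) {
                signatureProperties = realmProperties.getSignatureProperties();
            }
        }
        if (signatureProperties == null) {
            throw new STSException("Signature properties are not configured", STSException.REQUEST_FAILED);
        }

        String signatureAlgorithm = resolveSignatureAlgorithm(signatureProperties.getSignatureAlgorithm());

        if ((signatureUsername == null || signatureUsername.isEmpty()) && signatureCrypto != null) {
            signatureUsername = signatureCrypto.getDefaultX509Identifier();
            if (LOG.isLoggable(Level.FINE)) {
                LOG.fine("Signature alias is null so using default alias: " + signatureUsername);
            }
        }

        if (callbackHandler == null) {
            // Without a handler there is no way to obtain the key password.
            throw new STSException("Can't get the password", STSException.REQUEST_FAILED);
        }
        WSPasswordCallback[] callbacks = {
            new WSPasswordCallback(signatureUsername, WSPasswordCallback.SIGNATURE)
        };
        callbackHandler.handle(callbacks);
        String password = callbacks[0].getPassword();
        if (password == null) {
            throw new STSException("Can't get the password", STSException.REQUEST_FAILED);
        }
        if (!(signatureCrypto instanceof Merlin)) {
            // Only a Merlin crypto exposes a java.security.KeyStore that the JOSE layer can use.
            throw new STSException("Can't get the keystore", STSException.REQUEST_FAILED);
        }

        Properties properties = new Properties();
        properties.put(JoseConstants.RSSEC_SIGNATURE_ALGORITHM, signatureAlgorithm);
        if (signatureUsername != null) {
            properties.put(JoseConstants.RSSEC_KEY_STORE_ALIAS, signatureUsername);
        }
        properties.put(JoseConstants.RSSEC_KEY_PSWD, password);
        properties.put(JoseConstants.RSSEC_KEY_STORE, ((Merlin) signatureCrypto).getKeyStore());

        JwsHeaders jwsHeaders = new JwsHeaders(properties);
        return new JwsJwtCompactProducer(jwsHeaders, jwtClaims)
                .signWith(JwsUtils.loadSignatureProvider(properties, jwsHeaders));
    }

    /**
     * Encrypts an already serialized token as a JWE using the STS encryption keystore.
     * <p>
     * When no encryption alias is configured (neither in the request's encryption properties
     * nor on the STS) the token is returned <em>unchanged and unencrypted</em>; this is logged
     * at WARNING because the caller asked for encryption.
     *
     * @param str the token to encrypt (normally a compact JWS)
     * @param jweHeaders headers for the JWE, filled in by the JOSE layer
     * @param sTSPropertiesMBean STS-wide crypto configuration
     * @param encryptionProperties per-request encryption settings, may be {@code null}
     * @param keyRequirements the request's key requirements (currently unused)
     * @return the compact-serialized JWE, or {@code str} when no encryption alias is configured
     * @throws STSException when the STS encryption crypto is not a {@link Merlin} keystore
     * @throws Exception propagated from the JOSE layer
     */
    private String encryptToken(String str, JweHeaders jweHeaders, STSPropertiesMBean sTSPropertiesMBean,
                                EncryptionProperties encryptionProperties, KeyRequirements keyRequirements)
            throws Exception {
        String encryptionName = encryptionProperties != null ? encryptionProperties.getEncryptionName() : null;
        if (encryptionName == null) {
            encryptionName = sTSPropertiesMBean.getEncryptionUsername();
        }
        if (encryptionName == null) {
            LOG.warning("No encryption alias is configured; returning the token unencrypted");
            return str;
        }

        String contentAlgorithm = resolveContentAlgorithm(
                encryptionProperties != null ? encryptionProperties.getEncryptionAlgorithm() : null);
        String keyWrapAlgorithm = resolveKeyAlgorithm(
                encryptionProperties != null ? encryptionProperties.getKeyWrapAlgorithm() : null);

        Crypto encryptionCrypto = sTSPropertiesMBean.getEncryptionCrypto();
        if (!(encryptionCrypto instanceof Merlin)) {
            throw new STSException("Can't get the keystore", STSException.REQUEST_FAILED);
        }

        Properties properties = new Properties();
        properties.put(JoseConstants.RSSEC_KEY_STORE_ALIAS, encryptionName);
        properties.put(JoseConstants.RSSEC_ENCRYPTION_CONTENT_ALGORITHM, contentAlgorithm);
        properties.put(JoseConstants.RSSEC_ENCRYPTION_KEY_ALGORITHM, keyWrapAlgorithm);
        properties.put(JoseConstants.RSSEC_KEY_STORE, ((Merlin) encryptionCrypto).getKeyStore());

        return JweUtils.loadEncryptionProvider(properties, jweHeaders, false)
                .encrypt(StringUtils.toBytesUTF8(str), null);
    }
}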
