package io.quarkus.oidc.runtime;

import io.quarkus.oidc.AuthorizationCodeTokens;
import io.quarkus.oidc.OidcRequestContext;
import io.quarkus.oidc.OidcTenantConfig;
import io.quarkus.oidc.TokenStateManager;
import io.quarkus.security.AuthenticationCompletionException;
import io.quarkus.security.AuthenticationFailedException;
import io.smallrye.mutiny.Uni;
import io.vertx.core.http.impl.ServerCookie;
import io.vertx.ext.web.RoutingContext;
import jakarta.enterprise.context.ApplicationScoped;

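/**
 * Default {@link TokenStateManager}: keeps the authorization code flow tokens in browser cookies.
 *
 * <p>Which tokens are kept depends on {@code tokenStateManager.strategy}:
 * {@code KEEP_ALL_TOKENS} stores the ID, access and refresh tokens, {@code ID_REFRESH_TOKENS}
 * stores the ID and refresh tokens, and any other strategy stores the ID token only.
 *
 * <p>Where they are kept depends on {@code tokenStateManager.splitTokens}:
 * <ul>
 * <li>{@code false}: the tokens are joined with {@code |} into one session value, and that
 * whole value goes through {@link #encryptToken} once;</li>
 * <li>{@code true}: the returned session value holds the ID token only, and the access and
 * refresh tokens are written to their own {@code q_session_at*} / {@code q_session_rt*}
 * cookies, each passed through {@link #encryptToken} individually.</li>
 * </ul>
 *
 * <p>Security note: when {@code tokenStateManager.encryptionRequired} is {@code false},
 * {@link #encryptToken} and {@link #decryptToken} return their input unchanged, so every cookie
 * written here carries the tokens exactly as they were issued.
 */
@ApplicationScoped
public class DefaultTokenStateManager implements TokenStateManager {

    /**
     * Builds the session state value for the given tokens and, in split mode, sets the extra
     * access/refresh token cookies on the response.
     *
     * @param routingContext current request; supplies the session max age and the tenant context
     * @param oidcTenantConfig tenant configuration selecting strategy, split mode and encryption
     * @param authorizationCodeTokens tokens returned by the authorization code flow
     * @param oidcRequestContext not used by this implementation
     * @return a {@link Uni} emitting the value to store in the session cookie
     * @throws AuthenticationFailedException synchronously, if encryption fails
     */
    @Override
    public Uni<String> createTokenState(RoutingContext routingContext, OidcTenantConfig oidcTenantConfig, AuthorizationCodeTokens authorizationCodeTokens, OidcRequestContext<String> oidcRequestContext) {
        final boolean splitTokens = oidcTenantConfig.tokenStateManager.splitTokens;
        final StringBuilder state = new StringBuilder();

        // In split mode every token is protected on its own; otherwise the joined value is
        // protected once, just before it is returned.
        final String idToken = authorizationCodeTokens.getIdToken();
        state.append(splitTokens ? encryptToken(idToken, routingContext, oidcTenantConfig) : idToken);

        if (oidcTenantConfig.tokenStateManager.strategy == OidcTenantConfig.TokenStateManager.Strategy.KEEP_ALL_TOKENS) {
            if (splitTokens) {
                CodeAuthenticationMechanism.createCookie(routingContext, oidcTenantConfig,
                        getAccessTokenCookieName(oidcTenantConfig),
                        encryptToken(authorizationCodeTokens.getAccessToken(), routingContext, oidcTenantConfig),
                        ((Long) routingContext.get(CodeAuthenticationMechanism.SESSION_MAX_AGE_PARAM)).longValue(),
                        true);
                if (authorizationCodeTokens.getRefreshToken() != null) {
                    CodeAuthenticationMechanism.createCookie(routingContext, oidcTenantConfig,
                            getRefreshTokenCookieName(oidcTenantConfig),
                            encryptToken(authorizationCodeTokens.getRefreshToken(), routingContext, oidcTenantConfig),
                            ((Long) routingContext.get(CodeAuthenticationMechanism.SESSION_MAX_AGE_PARAM)).longValue(),
                            true);
                }
            } else {
                // NOTE(review): unlike the split branch there is no null check on the refresh
                // token here; StringBuilder.append renders a null String as the text "null",
                // which getTokens would then hand back as a token value. Confirm callers cope.
                state.append("|").append(authorizationCodeTokens.getAccessToken())
                        .append("|").append(authorizationCodeTokens.getRefreshToken());
            }
        } else if (oidcTenantConfig.tokenStateManager.strategy == OidcTenantConfig.TokenStateManager.Strategy.ID_REFRESH_TOKENS) {
            if (!splitTokens) {
                // The access token slot is left empty so the refresh token stays in the third
                // position, where getTokens expects it. The null caveat above applies here too.
                state.append("|").append("").append("|").append(authorizationCodeTokens.getRefreshToken());
            } else if (authorizationCodeTokens.getRefreshToken() != null) {
                // NOTE(review): this is the 5-argument createCookie overload, while the
                // KEEP_ALL_TOKENS branch passes `true` as a sixth argument for the same
                // refresh token cookie. Confirm both overloads apply the same cookie
                // attributes; the overloads are not visible from this class.
                CodeAuthenticationMechanism.createCookie(routingContext, oidcTenantConfig,
                        getRefreshTokenCookieName(oidcTenantConfig),
                        encryptToken(authorizationCodeTokens.getRefreshToken(), routingContext, oidcTenantConfig),
                        ((Long) routingContext.get(CodeAuthenticationMechanism.SESSION_MAX_AGE_PARAM)).longValue());
            }
        }

        final String joined = state.toString();
        return Uni.createFrom().item(splitTokens ? joined : encryptToken(joined, routingContext, oidcTenantConfig));
    }

    /**
     * Recovers the tokens from the session cookie value and, in split mode, from the separate
     * access/refresh token cookies of the current request.
     *
     * <p>The session value comes from the client, so a value with too few {@code |}-separated
     * parts is reported as a failed {@link Uni} instead of an unchecked exception. In split
     * mode a missing access or refresh token cookie simply yields a {@code null} token.
     *
     * @param routingContext current request; source of the split cookies and the tenant context
     * @param oidcTenantConfig tenant configuration selecting strategy, split mode and encryption
     * @param str raw session cookie value
     * @param oidcRequestContext not used by this implementation
     * @return a {@link Uni} emitting the recovered tokens, or failing with
     *         {@link AuthenticationCompletionException} when the session value is malformed
     * @throws AuthenticationFailedException synchronously, if decryption fails
     */
    @Override
    public Uni<AuthorizationCodeTokens> getTokens(RoutingContext routingContext, OidcTenantConfig oidcTenantConfig, String str, OidcRequestContext<AuthorizationCodeTokens> oidcRequestContext) {
        final boolean splitTokens = oidcTenantConfig.tokenStateManager.splitTokens;

        // Single-cookie layout: the joined value was protected as a whole, so undo that first.
        final String sessionValue = splitTokens ? str : decryptToken(str, routingContext, oidcTenantConfig);
        final String[] parts = CodeAuthenticationMechanism.COOKIE_PATTERN.split(sessionValue);

        String accessToken = null;
        String refreshToken = null;
        try {
            // parts[0] is read inside the try on purpose: if COOKIE_PATTERN is a
            // java.util.regex.Pattern (as the call shape suggests), split() drops trailing
            // empty strings and can return a zero-length array for a value made only of
            // delimiters. That case must end in the "malformed" failure below, not in an
            // uncaught ArrayIndexOutOfBoundsException.
            final String idToken = splitTokens ? decryptToken(parts[0], routingContext, oidcTenantConfig) : parts[0];

            if (oidcTenantConfig.tokenStateManager.strategy == OidcTenantConfig.TokenStateManager.Strategy.KEEP_ALL_TOKENS) {
                if (splitTokens) {
                    ServerCookie accessTokenCookie = getAccessTokenCookie(routingContext, oidcTenantConfig);
                    if (accessTokenCookie != null) {
                        accessToken = decryptToken(accessTokenCookie.getValue(), routingContext, oidcTenantConfig);
                    }
                    ServerCookie refreshTokenCookie = getRefreshTokenCookie(routingContext, oidcTenantConfig);
                    if (refreshTokenCookie != null) {
                        refreshToken = decryptToken(refreshTokenCookie.getValue(), routingContext, oidcTenantConfig);
                    }
                } else {
                    accessToken = parts[1];
                    refreshToken = parts[2];
                }
            } else if (oidcTenantConfig.tokenStateManager.strategy == OidcTenantConfig.TokenStateManager.Strategy.ID_REFRESH_TOKENS) {
                if (splitTokens) {
                    ServerCookie refreshTokenCookie = getRefreshTokenCookie(routingContext, oidcTenantConfig);
                    if (refreshTokenCookie != null) {
                        refreshToken = decryptToken(refreshTokenCookie.getValue(), routingContext, oidcTenantConfig);
                    }
                } else {
                    // Second slot is the empty access token placeholder written by createTokenState.
                    refreshToken = parts[2];
                }
            }
            return Uni.createFrom().item(new AuthorizationCodeTokens(idToken, accessToken, refreshToken));
        } catch (ArrayIndexOutOfBoundsException e) {
            return Uni.createFrom().failure(new AuthenticationCompletionException("Session cookie is malformed"));
        }
    }

    /**
     * Removes the separate access and refresh token cookies when split mode is enabled.
     * Nothing else is removed here; the session value passed as {@code str} is not touched.
     *
     * @param routingContext current request/response
     * @param oidcTenantConfig tenant configuration
     * @param str session cookie value; not used by this implementation
     * @param oidcRequestContext not used by this implementation
     * @return the shared completed {@code Uni<Void>}
     */
    @Override
    public Uni<Void> deleteTokens(RoutingContext routingContext, OidcTenantConfig oidcTenantConfig, String str, OidcRequestContext<Void> oidcRequestContext) {
        if (oidcTenantConfig.tokenStateManager.splitTokens) {
            // Either lookup may return null when the request carries no such cookie;
            // presumably OidcUtils.removeCookie tolerates that - confirm.
            OidcUtils.removeCookie(routingContext, getAccessTokenCookie(routingContext, oidcTenantConfig), oidcTenantConfig);
            OidcUtils.removeCookie(routingContext, getRefreshTokenCookie(routingContext, oidcTenantConfig), oidcTenantConfig);
        }
        return CodeAuthenticationMechanism.VOID_UNI;
    }

    /** Looks up the split access token cookie on the request; {@code null} when absent. */
    private static ServerCookie getAccessTokenCookie(RoutingContext routingContext, OidcTenantConfig oidcTenantConfig) {
        return routingContext.request().getCookie(getAccessTokenCookieName(oidcTenantConfig));
    }

    /** Looks up the split refresh token cookie on the request; {@code null} when absent. */
    private static ServerCookie getRefreshTokenCookie(RoutingContext routingContext, OidcTenantConfig oidcTenantConfig) {
        return routingContext.request().getCookie(getRefreshTokenCookieName(oidcTenantConfig));
    }

    /** Name of the split access token cookie: {@code q_session_at} plus the tenant cookie suffix. */
    private static String getAccessTokenCookieName(OidcTenantConfig oidcTenantConfig) {
        return "q_session_at" + OidcUtils.getCookieSuffix(oidcTenantConfig);
    }

    /** Name of the split refresh token cookie: {@code q_session_rt} plus the tenant cookie suffix. */
    private static String getRefreshTokenCookieName(OidcTenantConfig oidcTenantConfig) {
        return "q_session_rt" + OidcUtils.getCookieSuffix(oidcTenantConfig);
    }

    /**
     * Encrypts {@code token} with the tenant's token encryption key, or returns it unchanged
     * when {@code tokenStateManager.encryptionRequired} is {@code false}.
     *
     * @throws AuthenticationFailedException wrapping any failure while encrypting
     */
    private String encryptToken(String token, RoutingContext routingContext, OidcTenantConfig oidcTenantConfig) {
        if (!oidcTenantConfig.tokenStateManager.encryptionRequired) {
            return token;
        }
        try {
            // The tenant context is stored on the request under its class name.
            TenantConfigContext tenantContext = (TenantConfigContext) routingContext.get(TenantConfigContext.class.getName());
            return OidcUtils.encryptString(token, tenantContext.getTokenEncSecretKey());
        } catch (Exception e) {
            throw new AuthenticationFailedException(e);
        }
    }

    /**
     * Decrypts {@code token} with the tenant's token encryption key, or returns it unchanged
     * when {@code tokenStateManager.encryptionRequired} is {@code false}.
     *
     * @throws AuthenticationFailedException wrapping any failure while decrypting
     */
    private String decryptToken(String token, RoutingContext routingContext, OidcTenantConfig oidcTenantConfig) {
        if (!oidcTenantConfig.tokenStateManager.encryptionRequired) {
            return token;
        }
        try {
            // The tenant context is stored on the request under its class name.
            TenantConfigContext tenantContext = (TenantConfigContext) routingContext.get(TenantConfigContext.class.getName());
            return OidcUtils.decryptString(token, tenantContext.getTokenEncSecretKey());
        } catch (Exception e) {
            throw new AuthenticationFailedException(e);
        }
    }
}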
