package org.wildfly.security.auth.realm.oauth2;

import java.net.URL;
import java.security.Principal;
import javax.json.JsonObject;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import org.wildfly.common.Assert;
import org.wildfly.security._private.ElytronMessages;
import org.wildfly.security.auth.principal.NamePrincipal;
import org.wildfly.security.auth.server.RealmIdentity;
import org.wildfly.security.auth.server.RealmUnavailableException;
import org.wildfly.security.auth.server.SecurityRealm;
import org.wildfly.security.auth.server.SupportLevel;
import org.wildfly.security.authz.Attributes;
import org.wildfly.security.authz.AuthorizationIdentity;
import org.wildfly.security.credential.Credential;
import org.wildfly.security.evidence.BearerTokenEvidence;
import org.wildfly.security.evidence.Evidence;

/* loaded from: input_file:org/wildfly/security/auth/realm/oauth2/OAuth2SecurityRealm.class */
/**
 * A {@link SecurityRealm} that authenticates OAuth2 bearer tokens by submitting them to a
 * token introspection endpoint. Everything the realm knows about an identity comes from the
 * introspection response: the {@code active} flag decides whether the token is accepted,
 * the configured principal claim (default {@code "username"}) supplies the principal name,
 * and the remaining claims are exposed through {@link AuthorizationIdentity#getAttributes()}.
 * <p>
 * Instances are created through {@link #builder()}. The endpoint URL, client id and client
 * secret are mandatory; an {@link SSLContext} and {@link HostnameVerifier} are mandatory
 * whenever the endpoint URL uses {@code https}.
 */
public class OAuth2SecurityRealm implements SecurityRealm {

    /** Claim used for the principal name when the builder does not supply one. */
    private static final String DEFAULT_PRINCIPAL_CLAIM = "username";

    private final URL tokenIntrospectionUrl;
    private final String clientId;
    // Sent to the introspection endpoint on every call; keep it out of logs and toString.
    private final String clientSecret;
    private final String principalClaimName;
    private final SSLContext sslContext;
    private final HostnameVerifier hostnameVerifier;

    /**
     * Collects the realm configuration. Obtain one from {@link OAuth2SecurityRealm#builder()};
     * every setter returns {@code this} so calls can be chained, and {@link #build()} validates
     * the collected values.
     */
    public static class Builder {
        private String clientId;
        private String clientSecret;
        private URL tokenIntrospectionUrl;
        private String principalClaimName = DEFAULT_PRINCIPAL_CLAIM;
        private SSLContext sslContext;
        private HostnameVerifier hostnameVerifier;

        private Builder() {
        }

        /**
         * Sets the introspection endpoint (required).
         *
         * @param url the endpoint URL
         * @return this builder
         */
        public Builder tokenIntrospectionUrl(URL url) {
            tokenIntrospectionUrl = url;
            return this;
        }

        /**
         * Sets the claim whose value becomes the principal name; {@code null} falls back to
         * {@code "username"}.
         *
         * @param str the claim name
         * @return this builder
         */
        public Builder principalClaimName(String str) {
            principalClaimName = str;
            return this;
        }

        /**
         * Sets the client id presented to the introspection endpoint (required).
         *
         * @param str the client id
         * @return this builder
         */
        public Builder clientId(String str) {
            clientId = str;
            return this;
        }

        /**
         * Sets the client secret presented to the introspection endpoint (required).
         *
         * @param str the client secret
         * @return this builder
         */
        public Builder clientSecret(String str) {
            clientSecret = str;
            return this;
        }

        /**
         * Sets the {@link SSLContext} used for {@code https} endpoints (required in that case).
         *
         * @param sSLContext the SSL context
         * @return this builder
         */
        public Builder useSslContext(SSLContext sSLContext) {
            sslContext = sSLContext;
            return this;
        }

        /**
         * Sets the {@link HostnameVerifier} used for {@code https} endpoints (required in that case).
         *
         * @param hostnameVerifier the hostname verifier
         * @return this builder
         */
        public Builder useSslHostnameVerifier(HostnameVerifier hostnameVerifier) {
            this.hostnameVerifier = hostnameVerifier;
            return this;
        }

        /**
         * Creates the realm.
         *
         * @return a new realm
         * @throws IllegalArgumentException if a required value is missing (via the realm constructor)
         */
        public OAuth2SecurityRealm build() {
            return new OAuth2SecurityRealm(this);
        }
    }

    /**
     * The identity bound to one bearer token. Introspection happens lazily on the first call
     * that needs the claims; the accepted response is then cached in {@link #claims} for the
     * lifetime of this object. {@link #verifyEvidence(Evidence)} is the exception: it always
     * performs a fresh introspection and does not populate the cache.
     */
    final class OAuth2RealmIdentity implements RealmIdentity {
        // null when the evidence handed to the realm was not a BearerTokenEvidence.
        private final BearerTokenEvidence evidence;
        // Introspection response, set only once it has been reported as active.
        private JsonObject claims;

        OAuth2RealmIdentity(Evidence evidence) {
            BearerTokenEvidence bearer = null;
            if (evidence != null && isBearerTokenEvidence(evidence.getClass())) {
                bearer = (BearerTokenEvidence) evidence;
            }
            this.evidence = bearer;
        }

        /**
         * Builds the principal from the configured claim of an active token.
         *
         * @return the principal, or {@code null} when the token is absent or not active
         * @throws RuntimeException (from {@link ElytronMessages}) wrapping any failure, including
         *         an unreachable endpoint and a missing or non-string principal claim
         */
        @Override
        public Principal getRealmIdentityPrincipal() {
            try {
                if (!exists()) {
                    return null;
                }
                // javax.json throws here if the claim is absent or not a string; the catch below wraps it.
                String name = getClaims().getString(OAuth2SecurityRealm.this.principalClaimName);
                return new NamePrincipal(name);
            } catch (Exception e) {
                throw ElytronMessages.log.oauth2RealmFailedToObtainPrincipal(e);
            }
        }

        /**
         * Re-introspects the token this identity was created with.
         * <p>
         * Note that the {@code evidence} argument is not consulted: the token bound at
         * construction is what gets checked. The result is not cached, so every call is a
         * round trip to the endpoint.
         *
         * @param evidence ignored
         * @return {@code true} if the endpoint reports the bound token as active
         * @throws RealmUnavailableException if the introspection call fails
         */
        @Override
        public boolean verifyEvidence(Evidence evidence) throws RealmUnavailableException {
            return isValidToken(introspectToken());
        }

        /**
         * @return {@code true} once an active introspection response has been obtained
         * @throws RealmUnavailableException if the introspection call fails
         */
        @Override
        public boolean exists() throws RealmUnavailableException {
            return getClaims() != null;
        }

        /**
         * Exposes the introspection claims as attributes.
         *
         * @return the authorization identity, or {@code null} when the token is not active
         * @throws RealmUnavailableException if the introspection call fails
         */
        @Override
        public AuthorizationIdentity getAuthorizationIdentity() throws RealmUnavailableException {
            if (!exists()) {
                return null;
            }
            return new AuthorizationIdentity() {
                // Lazily converted; no synchronization, so two concurrent first calls may convert twice.
                private Attributes attributes;

                @Override
                public Attributes getAttributes() {
                    Attributes result = this.attributes;
                    if (result == null) {
                        result = OAuth2Util.toAttributes(OAuth2RealmIdentity.this.claims);
                        this.attributes = result;
                    }
                    return result;
                }
            };
        }

        /** Identity comparison against the enclosing realm instance. */
        @Override
        public boolean createdBySecurityRealm(SecurityRealm securityRealm) {
            return securityRealm == OAuth2SecurityRealm.this;
        }

        /** Credentials are never acquirable from an introspected token. */
        @Override
        public SupportLevel getCredentialAcquireSupport(Class<? extends Credential> cls, String str) throws RealmUnavailableException {
            return SupportLevel.UNSUPPORTED;
        }

        /** Always {@code null}; see {@link #getCredentialAcquireSupport(Class, String)}. */
        @Override
        public <C extends Credential> C getCredential(Class<C> cls) throws RealmUnavailableException {
            return null;
        }

        /** Only {@link BearerTokenEvidence} itself is verifiable; subclasses are not. */
        @Override
        public SupportLevel getEvidenceVerifySupport(Class<? extends Evidence> cls, String str) throws RealmUnavailableException {
            if (isBearerTokenEvidence(cls)) {
                return SupportLevel.SUPPORTED;
            }
            return SupportLevel.UNSUPPORTED;
        }

        /**
         * Returns the cached claims, introspecting the token on the first call. Only a response
         * flagged {@code active} is cached; otherwise {@code null} is returned and a later call
         * will introspect again.
         */
        private JsonObject getClaims() throws RealmUnavailableException {
            if (claims != null) {
                return claims;
            }
            JsonObject response = introspectToken();
            if (isValidToken(response)) {
                claims = response;
            }
            return claims;
        }

        /**
         * Validity is exactly the {@code active} flag of the introspection response; any other
         * constraints (expiry, audience, scope) are whatever the endpoint folded into that flag.
         */
        private boolean isValidToken(JsonObject jsonObject) {
            if (jsonObject == null) {
                return false;
            }
            return jsonObject.getBoolean("active", false);
        }

        /**
         * Calls the introspection endpoint with the realm's client credentials and the bound token.
         *
         * @return the parsed response, or {@code null} when no bearer token evidence was supplied
         * @throws RealmUnavailableException wrapping any failure of the remote call
         */
        private JsonObject introspectToken() throws RealmUnavailableException {
            if (evidence == null) {
                return null;
            }
            try {
                return OAuth2Util.introspectAccessToken(
                        OAuth2SecurityRealm.this.tokenIntrospectionUrl,
                        OAuth2SecurityRealm.this.clientId,
                        OAuth2SecurityRealm.this.clientSecret,
                        evidence.getToken(),
                        OAuth2SecurityRealm.this.sslContext,
                        OAuth2SecurityRealm.this.hostnameVerifier);
            } catch (Exception e) {
                throw ElytronMessages.log.oauth2RealmTokenIntrospectionFailed(e);
            }
        }
    }

    /**
     * @return a new, empty {@link Builder}
     */
    public static Builder builder() {
        return new Builder();
    }

    /**
     * Validates and copies the builder state.
     *
     * @param builder the configuration; must not be {@code null}
     * @throws IllegalArgumentException if the URL, client id or client secret is missing
     * @throws RuntimeException (from {@link ElytronMessages}) if the URL is {@code https} but
     *         no {@link SSLContext} or {@link HostnameVerifier} was supplied
     */
    OAuth2SecurityRealm(Builder builder) {
        Assert.checkNotNullParam("configuration", builder);
        tokenIntrospectionUrl = Assert.checkNotNullParam("tokenIntrospectionUrl", builder.tokenIntrospectionUrl);
        clientId = Assert.checkNotNullParam("clientId", builder.clientId);
        clientSecret = Assert.checkNotNullParam("clientSecret", builder.clientSecret);
        principalClaimName = builder.principalClaimName != null
                ? builder.principalClaimName
                : DEFAULT_PRINCIPAL_CLAIM;
        // TLS material is only enforced for https URLs. Any other scheme is accepted as-is, in
        // which case the client secret and every introspected token presumably leave the host
        // without transport protection — worth confirming in the deployment.
        if (tokenIntrospectionUrl.getProtocol().equalsIgnoreCase("https")) {
            if (builder.sslContext == null) {
                throw ElytronMessages.log.oauth2RealmSSLContextNotSpecified(tokenIntrospectionUrl);
            }
            if (builder.hostnameVerifier == null) {
                throw ElytronMessages.log.oauth2RealmHostnameVerifierNotSpecified(tokenIntrospectionUrl);
            }
        }
        sslContext = builder.sslContext;
        hostnameVerifier = builder.hostnameVerifier;
    }

    /**
     * Binds an identity to the supplied evidence. Nothing is verified here; the name and
     * principal arguments are not used.
     *
     * @param str ignored
     * @param principal ignored
     * @param evidence the evidence to bind; anything but {@link BearerTokenEvidence} yields an
     *        identity that never exists
     */
    @Override
    public RealmIdentity getRealmIdentity(String str, Principal principal, Evidence evidence) throws RealmUnavailableException {
        return new OAuth2RealmIdentity(evidence);
    }

    /** Credentials are never acquirable from this realm. */
    @Override
    public SupportLevel getCredentialAcquireSupport(Class<? extends Credential> cls, String str) throws RealmUnavailableException {
        return SupportLevel.UNSUPPORTED;
    }

    /**
     * {@link SupportLevel#POSSIBLY_SUPPORTED} for {@link BearerTokenEvidence} because the outcome
     * depends on the introspection endpoint; everything else is unsupported.
     */
    @Override
    public SupportLevel getEvidenceVerifySupport(Class<? extends Evidence> cls, String str) throws RealmUnavailableException {
        if (isBearerTokenEvidence(cls)) {
            return SupportLevel.POSSIBLY_SUPPORTED;
        }
        return SupportLevel.UNSUPPORTED;
    }

    /**
     * Exact class match (not {@code isAssignableFrom}): subclasses of
     * {@link BearerTokenEvidence} are rejected. Null-safe.
     */
    public boolean isBearerTokenEvidence(Class<?> cls) {
        return BearerTokenEvidence.class.equals(cls);
    }
}
