package io.quarkus.oidc.common.runtime;

import io.netty.handler.codec.rtsp.RtspHeaders;
import io.quarkus.credentials.CredentialsProvider;
import io.quarkus.credentials.runtime.CredentialsProviderFinder;
import io.quarkus.mongodb.runtime.MongoServiceBindingConverter;
import io.quarkus.oidc.common.runtime.OidcCommonConfig;
import io.quarkus.runtime.TlsConfig;
import io.quarkus.runtime.configuration.ConfigurationException;
import io.smallrye.jwt.algorithm.SignatureAlgorithm;
import io.smallrye.jwt.build.Jwt;
import io.smallrye.jwt.build.JwtSignatureBuilder;
import io.smallrye.jwt.util.KeyUtils;
import io.smallrye.jwt.util.ResourceUtils;
import io.smallrye.mutiny.Uni;
import io.vertx.core.http.HttpClientOptions;
import io.vertx.core.json.JsonObject;
import io.vertx.core.net.KeyCertOptions;
import io.vertx.core.net.KeyStoreOptions;
import io.vertx.core.net.ProxyOptions;
import io.vertx.core.net.TrustOptions;
import io.vertx.mutiny.core.MultiMap;
import io.vertx.mutiny.core.buffer.Buffer;
import io.vertx.mutiny.ext.web.client.WebClient;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.ConnectException;
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.time.Duration;
import java.util.Base64;
import java.util.Iterator;
import java.util.Map;
import java.util.Optional;
import java.util.OptionalInt;
import java.util.function.Predicate;
import java.util.function.Supplier;
import javax.crypto.SecretKey;
import org.jboss.logging.Logger;

/* loaded from: input_file:io/quarkus/oidc/common/runtime/OidcCommonUtils.class */
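/**
 * Helpers shared by the Quarkus OIDC extensions: configuration validation, HTTP client
 * (TLS / proxy) setup, client credential handling (basic secret, JWT client assertion),
 * endpoint URL manipulation and discovery of the provider metadata document.
 *
 * <p>Security notes a reviewer should keep in mind when reading this class:
 * <ul>
 *   <li>{@link #setHttpClientOptions} can fully disable TLS server authentication
 *       (verification {@code NONE} / {@code trustAll}) and can disable host name
 *       verification on its own ({@code CERTIFICATE_VALIDATION}); both settings make
 *       the OIDC back-channel susceptible to an active man-in-the-middle.</li>
 *   <li>Client secrets and proxy passwords are handled here as plain {@link String}s.</li>
 * </ul>
 */
public class OidcCommonUtils {
    /** '&' separator used by {@link #encodeForm}. */
    static final byte AMP = 38;
    /** '=' separator used by {@link #encodeForm}. */
    static final byte EQ = 61;
    static final String HTTP_SCHEME = "http";
    /** Fixed delay between two discovery / connection attempts. */
    public static final Duration CONNECTION_BACKOFF_DURATION = Duration.ofSeconds(2);
    private static final Logger LOG = Logger.getLogger(OidcCommonUtils.class);

    private OidcCommonUtils() {
    }

    /**
     * Checks that {@code str} can be parsed as a URI and converted to a URL.
     *
     * <p>Note: any scheme is accepted, including plain {@code http}; this is a syntax
     * check only and says nothing about transport security.
     *
     * @throws ConfigurationException if the value is not a valid URL
     */
    public static void verifyEndpointUrl(String str) {
        try {
            URI.create(str).toURL();
        } catch (Exception e) {
            throw new ConfigurationException(String.format("'%s' is invalid", str), e);
        }
    }

    /**
     * Validates the parts of the configuration that are common to the OIDC and OIDC
     * client extensions.
     *
     * @param oidcCommonConfig the configuration to validate
     * @param z                when {@code true} the client id is optional
     * @param z2               selects the property prefix used in error messages:
     *                         {@code quarkus.oidc.} when {@code true}, otherwise
     *                         {@code quarkus.oidc-client.}
     * @throws ConfigurationException if the client id is missing (when required) or if
     *                                mutually exclusive secret properties are set together
     */
    public static void verifyCommonConfiguration(OidcCommonConfig oidcCommonConfig, boolean z, boolean z2) {
        String prefix = z2 ? "quarkus.oidc." : "quarkus.oidc-client.";
        if (!z && !oidcCommonConfig.getClientId().isPresent()) {
            throw new ConfigurationException(String.format("'%sclient-id' property must be configured", prefix));
        }
        OidcCommonConfig.Credentials credentials = oidcCommonConfig.getCredentials();
        boolean hasSecret = credentials.secret.isPresent();
        boolean hasClientSecret = credentials.clientSecret.value.isPresent();
        if (hasSecret && hasClientSecret) {
            throw new ConfigurationException(String.format("'%1$scredentials.secret' and '%1$scredentials.client-secret' properties are mutually exclusive", prefix));
        }
        // A shared secret used for client_secret_basic/post must not also be configured as a JWT signing secret.
        if ((hasSecret || hasClientSecret) && credentials.jwt.secret.isPresent()) {
            throw new ConfigurationException(String.format("Use only '%1$scredentials.secret' or '%1$scredentials.client-secret' or '%1$scredentials.jwt.secret' property", prefix));
        }
    }

    /** Returns {@code str} with a single leading '/' guaranteed. */
    public static String prependSlash(String str) {
        if (str.startsWith("/")) {
            return str;
        }
        return "/" + str;
    }

    /**
     * Serializes the given parameters as an {@code application/x-www-form-urlencoded} body.
     *
     * <p>Values are URL-encoded; keys are written verbatim (they are expected to be
     * well-known OAuth2 parameter names, not user input).
     */
    public static Buffer encodeForm(MultiMap multiMap) {
        Buffer form = Buffer.buffer();
        for (Map.Entry<String, String> entry : multiMap) {
            if (form.length() != 0) {
                form.appendByte(AMP);
            }
            form.appendString(entry.getKey());
            form.appendByte(EQ);
            form.appendString(urlEncode(entry.getValue()));
        }
        return form;
    }

    /** URL-encodes {@code str} using UTF-8 (form encoding: spaces become '+'). */
    public static String urlEncode(String str) {
        try {
            return URLEncoder.encode(str, StandardCharsets.UTF_8.name());
        } catch (Exception e) {
            // UTF-8 is always available; this is unreachable in practice
            throw new RuntimeException(e);
        }
    }

    /**
     * Applies the TLS, proxy, pool size and connection timeout settings of the OIDC
     * configuration to a Vert.x {@link HttpClientOptions}.
     *
     * <p>TLS behaviour:
     * <ul>
     *   <li>verification {@code NONE} (or, when unset, the global {@code trustAll}):
     *       trusts every certificate and skips host name verification;</li>
     *   <li>a configured truststore is loaded from the classpath or the file system;
     *       with verification {@code CERTIFICATE_VALIDATION} only the chain is checked
     *       and the host name is NOT verified;</li>
     *   <li>a configured keystore provides the client certificate for mutual TLS.</li>
     * </ul>
     *
     * @throws ConfigurationException if a configured truststore or keystore cannot be read
     */
    public static void setHttpClientOptions(OidcCommonConfig oidcCommonConfig, TlsConfig tlsConfig, HttpClientOptions httpClientOptions) {
        OidcCommonConfig.Tls tls = oidcCommonConfig.tls;
        boolean disableServerAuthentication = tls.verification.isPresent()
                ? tls.verification.get() == OidcCommonConfig.Tls.Verification.NONE
                : tlsConfig.trustAll;
        if (disableServerAuthentication) {
            // SECURITY: no chain validation and no host name check. Any endpoint presenting
            // any certificate is accepted, so tokens and secrets can be intercepted. Dev only.
            httpClientOptions.setTrustAll(true);
            httpClientOptions.setVerifyHost(false);
        } else if (tls.trustStoreFile.isPresent()) {
            Path trustStorePath = tls.trustStoreFile.get();
            try {
                KeyStoreOptions trustOptions = new KeyStoreOptions();
                // NOTE: an unset truststore password falls back to the literal "password".
                trustOptions.setPassword(tls.getTrustStorePassword().orElse("password"));
                trustOptions.setAlias(tls.getTrustStoreCertAlias().orElse(null));
                trustOptions.setValue(io.vertx.core.buffer.Buffer.buffer(getFileContent(trustStorePath)));
                trustOptions.setType(getStoreType(tls.trustStoreFileType, trustStorePath));
                httpClientOptions.setTrustOptions((TrustOptions) trustOptions);
                if (OidcCommonConfig.Tls.Verification.CERTIFICATE_VALIDATION == tls.verification.orElse(OidcCommonConfig.Tls.Verification.REQUIRED)) {
                    // SECURITY: chain is validated but the certificate is not matched against
                    // the host name, so any certificate issued by a trusted CA is accepted.
                    httpClientOptions.setVerifyHost(false);
                }
            } catch (IOException e) {
                // the format previously had no placeholder, so the path was silently dropped
                throw new ConfigurationException(String.format("OIDC truststore file '%s' does not exist or can not be read", trustStorePath), e);
            }
        }
        if (tls.keyStoreFile.isPresent()) {
            Path keyStorePath = tls.keyStoreFile.get();
            try {
                KeyStoreOptions keyOptions = new KeyStoreOptions();
                keyOptions.setPassword(tls.keyStorePassword);
                keyOptions.setAlias(tls.keyStoreKeyAlias.orElse(null));
                keyOptions.setAliasPassword(tls.keyStoreKeyPassword.orElse(null));
                keyOptions.setValue(io.vertx.core.buffer.Buffer.buffer(getFileContent(keyStorePath)));
                keyOptions.setType(getStoreType(tls.keyStoreFileType, keyStorePath));
                httpClientOptions.setKeyCertOptions((KeyCertOptions) keyOptions);
            } catch (IOException e) {
                throw new ConfigurationException(String.format("OIDC keystore file '%s' does not exist or can not be read", keyStorePath), e);
            }
        }
        Optional<ProxyOptions> proxyOptions = toProxyOptions(oidcCommonConfig.getProxy());
        if (proxyOptions.isPresent()) {
            httpClientOptions.setProxyOptions(proxyOptions.get());
        }
        OptionalInt maxPoolSize = oidcCommonConfig.maxPoolSize;
        if (maxPoolSize.isPresent()) {
            httpClientOptions.setMaxPoolSize(maxPoolSize.getAsInt());
        }
        httpClientOptions.setConnectTimeout((int) oidcCommonConfig.getConnectionTimeout().toMillis());
    }

    /**
     * Resolves the Java KeyStore type: the explicitly configured type (upper-cased),
     * otherwise {@code PKCS12} for {@code .p12}/{@code .pkcs12}/{@code .pfx} files and
     * {@code JKS} for everything else.
     */
    private static String getStoreType(Optional<String> optional, Path path) {
        if (optional.isPresent()) {
            return optional.get().toUpperCase();
        }
        String fileName = path.toString();
        boolean pkcs12 = fileName.endsWith(".p12") || fileName.endsWith(".pkcs12") || fileName.endsWith(".pfx");
        return pkcs12 ? "PKCS12" : "JKS";
    }

    /**
     * Returns the configured authorization server URL without a trailing '/'.
     *
     * @throws java.util.NoSuchElementException if no auth-server-url is configured
     */
    public static String getAuthServerUrl(OidcCommonConfig oidcCommonConfig) {
        return removeLastPathSeparator(oidcCommonConfig.getAuthServerUrl().get());
    }

    private static String removeLastPathSeparator(String str) {
        if (!str.endsWith("/")) {
            return str;
        }
        return str.substring(0, str.length() - 1);
    }

    /**
     * Resolves an endpoint path against the base (auth server) URL.
     *
     * @return {@code null} when no path is configured, the path itself when it is
     *         absolute (see {@link #isAbsoluteUrl}), otherwise {@code str + "/" + path}
     */
    public static String getOidcEndpointUrl(String str, Optional<String> optional) {
        if (optional == null || !optional.isPresent()) {
            return null;
        }
        if (isAbsoluteUrl(optional)) {
            return optional.get();
        }
        return str + prependSlash(optional.get());
    }

    /**
     * Treats any present value starting with {@code "http"} as an absolute URL.
     * This is a prefix test, not a scheme parse: it also matches {@code http://},
     * {@code https://} and any other value that merely starts with those four letters.
     */
    public static boolean isAbsoluteUrl(Optional<String> optional) {
        return optional.isPresent() && optional.get().startsWith(HTTP_SCHEME);
    }

    /** Configured connection delay in whole seconds, {@code 0} when unset. */
    private static long getConnectionDelay(OidcCommonConfig oidcCommonConfig) {
        Optional<Duration> delay = oidcCommonConfig.getConnectionDelay();
        return delay.isPresent() ? delay.get().getSeconds() : 0L;
    }

    /**
     * Converts the configured connection delay to milliseconds, logging (for delays
     * above 2 seconds) roughly how many 2-second attempts that allows. The logged
     * attempt count is informational only; the returned value is the delay in millis.
     */
    public static long getConnectionDelayInMillis(OidcCommonConfig oidcCommonConfig) {
        long delaySeconds = getConnectionDelay(oidcCommonConfig);
        long attempts = delaySeconds > 1 ? delaySeconds / 2 : 1L;
        if (attempts > 1) {
            LOG.infof("Connecting to OpenId Connect Provider for up to %d times every 2 seconds", Long.valueOf(attempts));
        }
        return delaySeconds * 1000;
    }

    /**
     * Builds Vert.x proxy options from the OIDC proxy configuration.
     *
     * @return empty when no proxy host is configured; otherwise options carrying host,
     *         port and, if set, the proxy username/password (held in plain text)
     */
    public static Optional<ProxyOptions> toProxyOptions(OidcCommonConfig.Proxy proxy) {
        if (!proxy.host.isPresent()) {
            return Optional.empty();
        }
        JsonObject json = new JsonObject();
        json.put("host", proxy.host.get());
        json.put("port", Integer.valueOf(proxy.port));
        proxy.username.ifPresent(username -> json.put("username", username));
        proxy.password.ifPresent(password -> json.put("password", password));
        return Optional.of(new ProxyOptions(json));
    }

    /** Human readable hint emitted when the provider cannot be reached at {@code str}. */
    public static String formatConnectionErrorMessage(String str) {
        return String.format("OIDC server is not available at the '%s' URL. Please make sure it is correct. Note it has to end with a realm value if you work with Keycloak, for example: 'https://localhost:8180/auth/realms/quarkus'", str);
    }

    /**
     * {@code client_secret_basic} is used when a legacy {@code secret} is set, or when a
     * client secret (inline or from a credentials provider) is set with method {@code BASIC}
     * (the default method).
     */
    public static boolean isClientSecretBasicAuthRequired(OidcCommonConfig.Credentials credentials) {
        if (credentials.secret.isPresent()) {
            return true;
        }
        return hasClientSecretSource(credentials) && clientSecretMethod(credentials) == OidcCommonConfig.Credentials.Secret.Method.BASIC;
    }

    /** A JWT client assertion is used when any JWT secret / key / keystore source is configured. */
    public static boolean isClientJwtAuthRequired(OidcCommonConfig.Credentials credentials) {
        return credentials.jwt.secret.isPresent()
                || credentials.jwt.secretProvider.key.isPresent()
                || credentials.jwt.keyFile.isPresent()
                || credentials.jwt.keyStoreFile.isPresent();
    }

    /** {@code client_secret_post} is used when a client secret source is set with method {@code POST}. */
    public static boolean isClientSecretPostAuthRequired(OidcCommonConfig.Credentials credentials) {
        return hasClientSecretSource(credentials) && clientSecretMethod(credentials) == OidcCommonConfig.Credentials.Secret.Method.POST;
    }

    /** {@code POST_JWT}: the JWT assertion is sent in the form body instead of a secret. */
    public static boolean isClientSecretPostJwtAuthRequired(OidcCommonConfig.Credentials credentials) {
        return clientSecretMethod(credentials) == OidcCommonConfig.Credentials.Secret.Method.POST_JWT && isClientJwtAuthRequired(credentials);
    }

    /** True when a client secret is configured inline or through a credentials provider key. */
    private static boolean hasClientSecretSource(OidcCommonConfig.Credentials credentials) {
        return credentials.clientSecret.value.isPresent() || credentials.clientSecret.provider.key.isPresent();
    }

    /**
     * Resolves the client secret: legacy {@code secret}, then {@code client-secret.value},
     * then the credentials provider. May return {@code null} if none of them yields a value
     * (e.g. the provider is not found), which callers do not guard against.
     */
    public static String clientSecret(OidcCommonConfig.Credentials credentials) {
        return credentials.secret.orElse(
                credentials.clientSecret.value.orElseGet(fromCredentialsProvider(credentials.clientSecret.provider)));
    }

    /** Client secret method, defaulting to {@code BASIC}. */
    public static OidcCommonConfig.Credentials.Secret.Method clientSecretMethod(OidcCommonConfig.Credentials credentials) {
        return credentials.clientSecret.method.orElse(OidcCommonConfig.Credentials.Secret.Method.BASIC);
    }

    /**
     * Lazily looks up a credential from a {@link CredentialsProvider}.
     *
     * @return a supplier yielding {@code null} when no key is configured or the named
     *         provider cannot be found; otherwise the value stored under the key
     */
    private static Supplier<? extends String> fromCredentialsProvider(final OidcCommonConfig.Credentials.Provider provider) {
        return () -> {
            if (!provider.key.isPresent()) {
                return null;
            }
            String providerName = provider.name.orElse(null);
            CredentialsProvider credentialsProvider = CredentialsProviderFinder.find(providerName);
            if (credentialsProvider == null) {
                return null;
            }
            return credentialsProvider.getCredentials(providerName).get(provider.key.get());
        };
    }

    /**
     * Loads the key used to sign the JWT client assertion.
     *
     * <p>Order: a symmetric secret (inline or from a credentials provider) wins, then a
     * PEM/JWK key file, then a keystore entry. The keystore is always opened as
     * {@code JKS} here (unlike the TLS stores, whose type follows the file extension).
     *
     * @throws ConfigurationException if no key can be loaded (the cause is attached)
     */
    public static Key clientJwtKey(OidcCommonConfig.Credentials credentials) {
        if (credentials.jwt.secret.isPresent() || credentials.jwt.secretProvider.key.isPresent()) {
            // NOTE(review): if the provider yields nothing this passes null on — confirm KeyUtils rejects it
            return KeyUtils.createSecretKeyFromSecret(
                    credentials.jwt.secret.orElseGet(fromCredentialsProvider(credentials.jwt.secretProvider)));
        }
        try {
            Key key = null;
            if (credentials.jwt.getKeyFile().isPresent()) {
                key = KeyUtils.readSigningKey(credentials.jwt.getKeyFile().get(), credentials.jwt.keyId.orElse(null),
                        getSignatureAlgorithm(credentials, SignatureAlgorithm.RS256));
            } else if (credentials.jwt.keyStoreFile.isPresent()) {
                KeyStore keyStore = KeyStore.getInstance("JKS");
                // the resource stream was previously never closed
                try (InputStream keyStoreStream = ResourceUtils.getResourceStream(credentials.jwt.keyStoreFile.get())) {
                    keyStore.load(keyStoreStream, credentials.jwt.keyStorePassword.toCharArray());
                }
                // keyId is mandatory for the keystore case; a missing value ends up as "Key can not be loaded"
                key = keyStore.getKey(credentials.jwt.keyId.get(), credentials.jwt.keyPassword.toCharArray());
            }
            if (key == null) {
                throw new ConfigurationException("Key is null");
            }
            return key;
        } catch (Exception e) {
            throw new ConfigurationException("Key can not be loaded", e);
        }
    }

    /**
     * Creates and signs the JWT client assertion.
     *
     * <p>Issuer and subject default to the client id; the audience is the configured one
     * (trailing '/' removed) or {@code str}, normally the token endpoint. A symmetric
     * {@link SecretKey} produces an HMAC signature, any other key an asymmetric one.
     *
     * @throws java.util.NoSuchElementException if no client id is configured
     */
    public static String signJwtWithKey(OidcCommonConfig oidcCommonConfig, String str, Key key) {
        String clientId = oidcCommonConfig.clientId.get();
        Optional<String> configuredAudience = oidcCommonConfig.credentials.jwt.getAudience();
        String audience = configuredAudience.isPresent() ? removeLastPathSeparator(configuredAudience.get()) : str;
        JwtSignatureBuilder jws = Jwt.issuer(oidcCommonConfig.credentials.jwt.issuer.orElse(clientId))
                .subject(oidcCommonConfig.credentials.jwt.subject.orElse(clientId))
                .audience(audience)
                .expiresIn(oidcCommonConfig.credentials.jwt.lifespan)
                .jws();
        Optional<String> tokenKeyId = oidcCommonConfig.credentials.jwt.getTokenKeyId();
        if (tokenKeyId.isPresent()) {
            jws.keyId(tokenKeyId.get());
        }
        SignatureAlgorithm algorithm = getSignatureAlgorithm(oidcCommonConfig.credentials, null);
        if (algorithm != null) {
            jws.algorithm(algorithm);
        }
        if (key instanceof SecretKey) {
            return jws.sign((SecretKey) key);
        }
        return jws.sign((PrivateKey) key);
    }

    /**
     * Returns the configured signature algorithm, or {@code signatureAlgorithm} when none
     * is configured.
     *
     * @throws ConfigurationException if the configured name is not a supported algorithm
     */
    private static SignatureAlgorithm getSignatureAlgorithm(OidcCommonConfig.Credentials credentials, SignatureAlgorithm signatureAlgorithm) {
        Optional<String> configured = credentials.jwt.getSignatureAlgorithm();
        if (!configured.isPresent()) {
            return signatureAlgorithm;
        }
        try {
            return SignatureAlgorithm.fromAlgorithm(configured.get());
        } catch (Exception e) {
            throw new ConfigurationException("Unsupported signature algorithm");
        }
    }

    /**
     * Validates a named (non-default) configuration id.
     *
     * @param str      the reserved default configuration id
     * @param str2     the id under which the configuration is registered
     * @param optional the id declared inside the configuration, if any
     * @throws ConfigurationException if {@code str2} equals the default id, or if the
     *                                declared id differs from {@code str2}
     */
    public static void verifyConfigurationId(String str, String str2, Optional<String> optional) {
        if (str2.equals(str)) {
            throw new ConfigurationException("configuration id '" + str2 + "' duplicates the default configuration id");
        }
        if (optional.isPresent() && !str2.equals(optional.get())) {
            throw new ConfigurationException("Configuration has 2 different id values: '" + str2 + "' and '" + optional.get() + "'");
        }
    }

    /**
     * Builds the {@code Authorization: Basic} header value for client_secret_basic.
     *
     * <p>NOTE(review): client id and secret are concatenated without the
     * form-url-encoding RFC 6749 §2.3.1 prescribes, so a ':' or non-ASCII character in
     * either value is ambiguous to the provider — confirm against the providers in use
     * before changing, as some expect the raw form.
     *
     * @return the header value, or {@code null} when basic auth is not in use
     */
    public static String initClientSecretBasicAuth(OidcCommonConfig oidcCommonConfig) {
        if (!isClientSecretBasicAuthRequired(oidcCommonConfig.credentials)) {
            return null;
        }
        String userInfo = oidcCommonConfig.getClientId().get() + ":" + clientSecret(oidcCommonConfig.credentials);
        return "Basic " + Base64.getEncoder().encodeToString(userInfo.getBytes(StandardCharsets.UTF_8));
    }

    /** Loads the JWT signing key when JWT client authentication is configured, else {@code null}. */
    public static Key initClientJwtKey(OidcCommonConfig oidcCommonConfig) {
        if (!isClientJwtAuthRequired(oidcCommonConfig.credentials)) {
            return null;
        }
        return clientJwtKey(oidcCommonConfig.credentials);
    }

    /**
     * Failures worth retrying while the provider starts up: a refused connection, or a
     * 404 from the endpoint. Any other status is treated as a permanent failure.
     */
    public static Predicate<? super Throwable> oidcEndpointNotAvailable() {
        return th -> {
            if (th instanceof ConnectException) {
                return true;
            }
            return th instanceof OidcEndpointAccessException && ((OidcEndpointAccessException) th).getErrorStatus() == 404;
        };
    }

    /**
     * Fetches {@code str + "/.well-known/openid-configuration"}, retrying every
     * {@link #CONNECTION_BACKOFF_DURATION} for up to {@code j} milliseconds while the
     * endpoint is not available (see {@link #oidcEndpointNotAvailable()}).
     *
     * <p>Only a 200 response is accepted. The trailing transform unwraps the retry
     * expiration to its cause; NOTE(review): for a failure that was never retried
     * {@code getCause()} may be {@code null} — confirm how Mutiny handles that.
     */
    public static Uni<JsonObject> discoverMetadata(WebClient webClient, String str, long j) {
        return webClient.getAbs(str + "/.well-known/openid-configuration").send()
                .onItem().transform(httpResponse -> {
                    if (httpResponse.statusCode() == 200) {
                        return httpResponse.bodyAsJsonObject();
                    }
                    LOG.tracef("Discovery has failed, status code: %d", httpResponse.statusCode());
                    throw new OidcEndpointAccessException(httpResponse.statusCode());
                })
                .onFailure(oidcEndpointNotAvailable()).retry()
                .withBackOff(CONNECTION_BACKOFF_DURATION, CONNECTION_BACKOFF_DURATION).expireIn(j)
                .onFailure().transform(Throwable::getCause);
    }

    /**
     * Reads a store file fully into memory: first as a classpath resource named by the
     * path's string form, then, if absent, from the file system.
     *
     * @throws IOException if the file system read fails
     */
    private static byte[] getFileContent(Path path) throws IOException {
        InputStream classpathStream = Thread.currentThread().getContextClassLoader().getResourceAsStream(path.toString());
        if (classpathStream != null) {
            try (InputStream in = classpathStream) {
                return doRead(in);
            }
        }
        try (InputStream in = Files.newInputStream(path)) {
            return doRead(in);
        }
    }

    /** Drains {@code inputStream} into a byte array; the stream is not closed here. */
    private static byte[] doRead(InputStream inputStream) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] chunk = new byte[1024];
        int read;
        // read() returns 0 only for a zero-length buffer, so "<= 0" is effectively "EOF"
        while ((read = inputStream.read(chunk)) > 0) {
            out.write(chunk, 0, read);
        }
        return out.toByteArray();
    }
}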
