package org.keycloak.jose.jws;

import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.time.Duration;
import java.util.Comparator;
import java.util.Optional;
import java.util.function.BiConsumer;
import java.util.stream.Stream;
import org.jboss.logging.Logger;
import org.keycloak.Token;
import org.keycloak.TokenCategory;
import org.keycloak.common.util.Time;
import org.keycloak.crypto.Aes128CbcHmacSha256ContentEncryptionProviderFactory;
import org.keycloak.crypto.CekManagementProvider;
import org.keycloak.crypto.ClientSignatureVerifierProvider;
import org.keycloak.crypto.ContentEncryptionProvider;
import org.keycloak.crypto.KeyUse;
import org.keycloak.crypto.KeyWrapper;
import org.keycloak.crypto.SignatureProvider;
import org.keycloak.jose.JOSE;
import org.keycloak.jose.JOSEParser;
import org.keycloak.jose.jwe.JWE;
import org.keycloak.jose.jwe.JWEException;
import org.keycloak.jose.jwe.alg.JWEAlgorithmProvider;
import org.keycloak.jose.jwe.enc.JWEEncryptionProvider;
import org.keycloak.jose.jwk.JWK;
import org.keycloak.keys.loader.PublicKeyStorageManager;
import org.keycloak.models.AuthenticatedClientSessionModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.TokenManager;
import org.keycloak.models.UserModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
import org.keycloak.representations.LogoutToken;
import org.keycloak.services.managers.AuthenticationSessionManager;
import org.keycloak.services.util.DPoPUtil;
import org.keycloak.userprofile.DeclarativeUserProfileProvider;
import org.keycloak.util.JsonSerialization;
import org.keycloak.util.TokenUtil;

/* loaded from: input_file:org/keycloak/jose/jws/DefaultTokenManager.class */
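/**
 * Default {@link TokenManager}: signs, verifies, encrypts and decrypts Keycloak tokens.
 *
 * <p>Signature and encryption algorithms are resolved per {@link TokenCategory}, first from
 * attributes of the client in the current session context, then from the realm default. Every
 * verification failure is reported to the caller as {@code null} (logged at debug level) rather
 * than as an exception, so callers must treat a {@code null} result as an untrusted token.
 *
 * <p>Note for maintainers: this listing was reconstructed from bytecode. The synthetic
 * {@code $SwitchMap} helper class and the mis-resolved constants the decompiler emitted for the
 * {@code case} labels have been replaced by direct {@code switch} statements on the enum.
 */
public class DefaultTokenManager implements TokenManager {
    private static final Logger logger = Logger.getLogger(DefaultTokenManager.class);

    // Client attribute names consulted for per-client algorithm overrides.
    private static final String ACCESS_TOKEN_SIGNED_RESPONSE_ALG = "access.token.signed.response.alg";
    private static final String ID_TOKEN_SIGNED_RESPONSE_ALG = "id.token.signed.response.alg";
    private static final String USER_INFO_RESPONSE_SIGNATURE_ALG = "user.info.response.signature.alg";
    private static final String AUTHORIZATION_SIGNED_RESPONSE_ALG = "authorization.signed.response.alg";
    private static final String ID_TOKEN_ENCRYPTED_RESPONSE_ALG = "id.token.encrypted.response.alg";
    private static final String USER_INFO_ENCRYPTED_RESPONSE_ALG = "user.info.encrypted.response.alg";
    private static final String AUTHORIZATION_ENCRYPTED_RESPONSE_ALG = "authorization.encrypted.response.alg";
    private static final String ID_TOKEN_ENCRYPTED_RESPONSE_ENC = "id.token.encrypted.response.enc";
    private static final String USER_INFO_ENCRYPTED_RESPONSE_ENC = "user.info.encrypted.response.enc";
    private static final String AUTHORIZATION_ENCRYPTED_RESPONSE_ENC = "authorization.encrypted.response.enc";

    /** Signature algorithm used when neither the client nor the realm configures one. */
    private static final String DEFAULT_SIGNATURE_ALGORITHM = "RS256";

    /** Symmetric signature algorithm used for the INTERNAL token category. */
    private static final String INTERNAL_SIGNATURE_ALGORITHM = "HS256";

    /** Event URI placed into the {@code events} claim of every back-channel logout token. */
    private static final String BACKCHANNEL_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout";

    /** Lifetime granted to a freshly created logout token. */
    private static final Duration LOGOUT_TOKEN_LIFESPAN = Duration.ofMinutes(2);

    private final KeycloakSession session;

    /**
     * @param keycloakSession the session whose context (realm, client) and key store are used
     */
    public DefaultTokenManager(KeycloakSession keycloakSession) {
        this.session = keycloakSession;
    }

    /**
     * Serialises {@code token} as a compact JWS signed with the algorithm selected for its category.
     *
     * @param token the token to sign; its category decides the signature algorithm
     * @return the compact JWS string
     */
    @Override
    public String encode(Token token) {
        SignatureProvider signatureProvider = this.session.getProvider(SignatureProvider.class, signatureAlgorithm(token.getCategory()));
        return new JWSBuilder().type("JWT").jsonContent(token).sign(signatureProvider.signer());
    }

    /**
     * Parses and signature-verifies a compact JWS issued by this realm.
     *
     * <p>The algorithm and key id are read from the unverified header. The algorithm is honoured
     * only if a {@link SignatureProvider} is registered under that name, and the key id only
     * selects among the realm's own signing keys, so neither header field can introduce a key or
     * algorithm the realm does not already have. A missing key id falls back to the realm's
     * active signing key for that algorithm.
     *
     * @param str the compact JWS, or {@code null}
     * @param cls the payload type
     * @return the verified payload, or {@code null} when the input is absent, malformed, uses an
     *         unsupported algorithm, or fails signature verification
     */
    @Override
    public <T extends Token> T decode(String str, Class<T> cls) {
        if (str == null) {
            return null;
        }
        try {
            JWSInput jws = new JWSInput(str);
            String algorithm = jws.getHeader().getAlgorithm().name();
            SignatureProvider signatureProvider = this.session.getProvider(SignatureProvider.class, algorithm);
            if (signatureProvider == null) {
                return null;
            }
            String keyId = jws.getHeader().getKeyId();
            if (keyId == null) {
                logger.debug("KID is null in token. Using the realm active key to verify token signature.");
                keyId = this.session.keys().getActiveKey(this.session.getContext().getRealm(), KeyUse.SIG, algorithm).getKid();
            }
            byte[] signedInput = jws.getEncodedSignatureInput().getBytes(StandardCharsets.UTF_8);
            if (!signatureProvider.verifier(keyId).verify(signedInput, jws.getSignature())) {
                logger.debug("Token signature verification failed");
                return null;
            }
            return jws.readJsonContent(cls);
        } catch (Exception e) {
            // Any parsing or verification problem is a rejected token, never an exception for the caller.
            logger.debug("Failed to decode token", e);
            return null;
        }
    }

    /**
     * Decodes a JWT presented by a client, which may be a JWS or a JWE (optionally wrapping a JWS).
     *
     * <p>{@code biConsumer} is invoked on the parsed header before any cryptographic check, for
     * the outer object and again for a nested JWS; it is the place where callers reject
     * algorithms or header values they do not allow. When the JWE plaintext is not a JWS, it is
     * deserialised as plain JSON, so no signature protects such a payload beyond the integrity
     * check performed by {@link JWE#verifyAndDecodeJwe()}.
     *
     * @param str         the compact JWT, or {@code null}
     * @param clientModel the client the JWT is attributed to
     * @param biConsumer  header validator, called with each parsed JOSE object and the client
     * @param cls         the payload type
     * @return the payload, or {@code null} when the input is absent or a signature check fails
     * @throws RuntimeException when decryption fails, no decryption key is found, or the
     *                          decrypted content cannot be deserialised
     */
    @Override
    public <T> T decodeClientJWT(String str, ClientModel clientModel, BiConsumer<JOSE, ClientModel> biConsumer, Class<T> cls) {
        if (str == null) {
            return null;
        }
        JOSE outer = JOSEParser.parse(str);
        biConsumer.accept(outer, clientModel);
        if (!(outer instanceof JWE)) {
            return verifyJWS(clientModel, cls, (JWSInput) outer);
        }
        try {
            JWE jwe = (JWE) outer;
            jwe.getKeyStorage().setDecryptionKey(selectDecryptionKey(jwe.getHeader().getKeyId()));
            byte[] content = jwe.verifyAndDecodeJwe().getContent();

            JOSE inner = null;
            try {
                inner = JOSEParser.parse(new String(content, StandardCharsets.UTF_8));
            } catch (Exception ignored) {
                // Plaintext is not a compact JOSE object; it is read as plain JSON below.
            }
            if (inner instanceof JWSInput) {
                // Nested JWS: validate its header and verify its signature like an unencrypted one.
                biConsumer.accept(inner, clientModel);
                return verifyJWS(clientModel, cls, (JWSInput) inner);
            }
            return JsonSerialization.readValue(content, cls);
        } catch (JWEException e) {
            throw new RuntimeException("Failed to decrypt JWT", e);
        } catch (IOException e) {
            throw new RuntimeException("Failed to deserialize JWT", e);
        }
    }

    /**
     * Picks the realm private key used to decrypt an incoming JWE.
     *
     * <p>With a key id, the realm ENC key with that id is used. Without one, the ENC key with the
     * highest provider priority that has a public key is used.
     *
     * @param keyId the {@code kid} from the JWE header, or {@code null}
     * @return the private key to decrypt with
     * @throws RuntimeException when no matching key exists
     */
    private Key selectDecryptionKey(String keyId) {
        Stream<KeyWrapper> realmKeys = this.session.keys().getKeysStream(this.session.getContext().getRealm());
        Optional<KeyWrapper> candidate;
        if (keyId == null) {
            candidate = realmKeys
                    .filter(k -> KeyUse.ENC.equals(k.getUse()) && k.getPublicKey() != null)
                    .sorted(Comparator.comparingLong(KeyWrapper::getProviderPriority).reversed())
                    .findFirst();
        } else {
            candidate = realmKeys
                    .filter(k -> KeyUse.ENC.equals(k.getUse()) && keyId.equals(k.getKid()))
                    .findAny();
        }
        return candidate.map(KeyWrapper::getPrivateKey)
                .orElseThrow(() -> new RuntimeException("Could not find private key for decrypting token"));
    }

    /**
     * Verifies a client-signed JWS with the {@link ClientSignatureVerifierProvider} for its algorithm.
     *
     * <p>When no provider exists for the algorithm and the algorithm is {@code none}, the payload
     * is returned without any signature check. Callers that do not permit unsigned client JWTs
     * must reject {@code none} in their header validator before reaching this point.
     *
     * @return the payload, or {@code null} when the algorithm is unsupported or verification fails
     */
    private <T> T verifyJWS(ClientModel clientModel, Class<T> cls, JWSInput jws) {
        try {
            Algorithm algorithm = jws.getHeader().getAlgorithm();
            ClientSignatureVerifierProvider provider = this.session.getProvider(ClientSignatureVerifierProvider.class, algorithm.name());
            if (provider == null) {
                if (Algorithm.none.equals(algorithm)) {
                    return jws.readJsonContent(cls);
                }
                return null;
            }
            byte[] signedInput = jws.getEncodedSignatureInput().getBytes(StandardCharsets.UTF_8);
            if (!provider.verifier(clientModel, jws).verify(signedInput, jws.getSignature())) {
                logger.debug("Client JWT signature verification failed");
                return null;
            }
            return jws.readJsonContent(cls);
        } catch (Exception e) {
            logger.debug("Failed to decode token", e);
            return null;
        }
    }

    /**
     * Resolves the signature algorithm for a token category.
     *
     * @param tokenCategory the category; must not be {@code null}
     * @return the algorithm name
     * @throws RuntimeException for a category without a signing rule
     */
    @Override
    public String signatureAlgorithm(TokenCategory tokenCategory) {
        switch (tokenCategory) {
            case INTERNAL:
                return INTERNAL_SIGNATURE_ALGORITHM;
            case ADMIN:
                // No client-level override: realm default only.
                return getSignatureAlgorithm(null);
            case ACCESS:
                return getSignatureAlgorithm(ACCESS_TOKEN_SIGNED_RESPONSE_ALG);
            case ID:
            case LOGOUT:
                return getSignatureAlgorithm(ID_TOKEN_SIGNED_RESPONSE_ALG);
            case USERINFO:
                return getSignatureAlgorithm(USER_INFO_RESPONSE_SIGNATURE_ALG);
            case AUTHORIZATION_RESPONSE:
                return getSignatureAlgorithm(AUTHORIZATION_SIGNED_RESPONSE_ALG);
            default:
                throw new RuntimeException("Unknown token type");
        }
    }

    /**
     * Reads the client attribute {@code clientAttribute} from the context client, falling back to
     * the realm default signature algorithm and finally to {@value #DEFAULT_SIGNATURE_ALGORITHM}.
     *
     * @param clientAttribute attribute name, or {@code null} to skip the client-level lookup
     */
    private String getSignatureAlgorithm(String clientAttribute) {
        RealmModel realm = this.session.getContext().getRealm();
        String fromClient = readClientAttribute(clientAttribute);
        if (fromClient != null) {
            return fromClient;
        }
        String realmDefault = realm.getDefaultSignatureAlgorithm();
        return isBlankAttribute(realmDefault) ? DEFAULT_SIGNATURE_ALGORITHM : realmDefault;
    }

    /**
     * Signs {@code token} and additionally encrypts it when the client configures both a key
     * management and a content encryption algorithm for the token's category.
     *
     * @return a compact JWS, or a compact JWE wrapping it
     */
    @Override
    public String encodeAndEncrypt(Token token) {
        String encoded = encode(token);
        if (isTokenEncryptRequired(token.getCategory())) {
            encoded = getEncryptedToken(token.getCategory(), encoded);
        }
        return encoded;
    }

    /** Encryption is required only when both algorithm attributes are configured for the client. */
    private boolean isTokenEncryptRequired(TokenCategory tokenCategory) {
        return cekManagementAlgorithm(tokenCategory) != null && encryptAlgorithm(tokenCategory) != null;
    }

    /**
     * Wraps a compact JWS in a JWE encrypted to the context client's encryption key.
     *
     * @param tokenCategory the category whose client algorithms apply
     * @param compactJws    the signed token to encrypt
     * @throws RuntimeException when a configured algorithm has no provider, the client has no
     *                          usable encryption key, or encryption fails
     */
    private String getEncryptedToken(TokenCategory tokenCategory, String compactJws) {
        String cekAlg = cekManagementAlgorithm(tokenCategory);
        String encAlg = encryptAlgorithm(tokenCategory);
        CekManagementProvider cekProvider = this.session.getProvider(CekManagementProvider.class, cekAlg);
        if (cekProvider == null) {
            throw new RuntimeException("Unsupported key management algorithm: " + cekAlg);
        }
        ContentEncryptionProvider encProvider = this.session.getProvider(ContentEncryptionProvider.class, encAlg);
        if (encProvider == null) {
            throw new RuntimeException("Unsupported content encryption algorithm: " + encAlg);
        }
        JWEAlgorithmProvider jweAlgorithmProvider = cekProvider.jweAlgorithmProvider();
        JWEEncryptionProvider jweEncryptionProvider = encProvider.jweEncryptionProvider();
        // The client's published public key is the KEK; without it the token cannot be encrypted for it.
        KeyWrapper clientKey = PublicKeyStorageManager.getClientPublicKeyWrapper(this.session, this.session.getContext().getClient(), JWK.Use.ENCRYPTION, cekAlg);
        if (clientKey == null) {
            throw new RuntimeException("can not get encryption KEK");
        }
        try {
            return TokenUtil.jweKeyEncryptionEncode(clientKey.getPublicKey(), compactJws.getBytes(StandardCharsets.UTF_8), cekAlg, encAlg, clientKey.getKid(), jweAlgorithmProvider, jweEncryptionProvider);
        } catch (JWEException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Resolves the client-configured key management (CEK) algorithm for a token category.
     *
     * @return the algorithm name, or {@code null} when the category is {@code null}, is not
     *         encryptable, or the client has not configured one
     */
    @Override
    public String cekManagementAlgorithm(TokenCategory tokenCategory) {
        if (tokenCategory == null) {
            return null;
        }
        switch (tokenCategory) {
            case ID:
            case LOGOUT:
                return readClientAttribute(ID_TOKEN_ENCRYPTED_RESPONSE_ALG);
            case USERINFO:
                return readClientAttribute(USER_INFO_ENCRYPTED_RESPONSE_ALG);
            case AUTHORIZATION_RESPONSE:
                return readClientAttribute(AUTHORIZATION_ENCRYPTED_RESPONSE_ALG);
            default:
                return null;
        }
    }

    /**
     * Resolves the content encryption algorithm for a token category.
     *
     * <p>ID and UserInfo tokens default to {@link Aes128CbcHmacSha256ContentEncryptionProviderFactory#ID}
     * when the client configures none; logout and authorization-response tokens have no default.
     *
     * @return the algorithm name, or {@code null} when none applies
     */
    @Override
    public String encryptAlgorithm(TokenCategory tokenCategory) {
        if (tokenCategory == null) {
            return null;
        }
        switch (tokenCategory) {
            case ID:
                return getEncryptAlgorithm(ID_TOKEN_ENCRYPTED_RESPONSE_ENC, Aes128CbcHmacSha256ContentEncryptionProviderFactory.ID);
            case LOGOUT:
                return getEncryptAlgorithm(ID_TOKEN_ENCRYPTED_RESPONSE_ENC, null);
            case USERINFO:
                return getEncryptAlgorithm(USER_INFO_ENCRYPTED_RESPONSE_ENC, Aes128CbcHmacSha256ContentEncryptionProviderFactory.ID);
            case AUTHORIZATION_RESPONSE:
                return getEncryptAlgorithm(AUTHORIZATION_ENCRYPTED_RESPONSE_ENC, null);
            default:
                return null;
        }
    }

    /**
     * @param clientAttribute attribute name holding the client's content encryption algorithm
     * @param defaultValue    value returned when the attribute is unset or blank (may be {@code null})
     */
    private String getEncryptAlgorithm(String clientAttribute, String defaultValue) {
        String fromClient = readClientAttribute(clientAttribute);
        return fromClient == null ? defaultValue : fromClient;
    }

    /**
     * Reads an attribute of the client in the current session context.
     *
     * @param clientAttribute attribute name, or {@code null}
     * @return the attribute value, or {@code null} when there is no context client, no name, or
     *         the value is unset or empty
     */
    private String readClientAttribute(String clientAttribute) {
        ClientModel client = this.session.getContext().getClient();
        if (client == null || clientAttribute == null) {
            return null;
        }
        String value = client.getAttribute(clientAttribute);
        return isBlankAttribute(value) ? null : value;
    }

    /** An unset or empty attribute value counts as "not configured". */
    private static boolean isBlankAttribute(String value) {
        return value == null || value.isEmpty();
    }

    /**
     * Builds an OIDC back-channel logout token for the given client session.
     *
     * <p>The {@code sid} claim and the {@code revoke_offline_access} event are included only when
     * the client's advanced OIDC configuration asks for them.
     *
     * @param clientModel   the client that will receive the logout token (its id becomes the audience)
     * @param userModel     the user being logged out (its id becomes the subject)
     * @param clientSession the client session providing the issuer note and user session id
     * @return the populated, not yet signed, logout token
     */
    @Override
    public LogoutToken initLogoutToken(ClientModel clientModel, UserModel userModel, AuthenticatedClientSessionModel clientSession) {
        LogoutToken token = new LogoutToken();
        token.id(KeycloakModelUtils.generateId());
        token.issuedNow();
        token.exp(Time.currentTime() + LOGOUT_TOKEN_LIFESPAN.getSeconds());
        token.issuer(clientSession.getNote(OIDCLoginProtocol.ISSUER));
        token.putEvents(BACKCHANNEL_LOGOUT_EVENT, JsonSerialization.createObjectNode());
        token.addAudience(clientModel.getClientId());
        OIDCAdvancedConfigWrapper clientConfig = OIDCAdvancedConfigWrapper.fromClientModel(clientModel);
        if (clientConfig.isBackchannelLogoutSessionRequired()) {
            token.setSid(clientSession.getUserSession().getId());
        }
        if (clientConfig.getBackchannelLogoutRevokeOfflineTokens()) {
            token.putEvents("revoke_offline_access", true);
        }
        token.setSubject(userModel.getId());
        return token;
    }
}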
