package io.quarkus.oidc.runtime;

import io.quarkus.oidc.OIDCException;
import io.quarkus.oidc.OidcTenantConfig;
import io.quarkus.oidc.common.runtime.OidcCommonUtils;
import io.smallrye.jwt.util.KeyUtils;
import java.nio.charset.StandardCharsets;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import org.jboss.logging.Logger;

/* loaded from: input_file:io/quarkus/oidc/runtime/TenantConfigContext.class */
/**
 * Per-tenant runtime state: the resolved {@link OidcProvider}, the tenant configuration and the two
 * symmetric keys a web-app tenant may need (PKCE code-verifier encryption and token-state encryption).
 *
 * <p>Both keys stay {@code null} for service applications and for tenants without a resolved
 * provider/client. Key material is derived from configuration, so the configured secrets are as
 * sensitive as the keys themselves; note that both derivations fall back to the client secret, which
 * then serves as credential and key material at once unless a dedicated secret is configured.
 */
public class TenantConfigContext {
    private static final Logger LOG = Logger.getLogger(TenantConfigContext.class);

    /** Lower bound checked on secrets (characters for PKCE, UTF-8 bytes for token encryption). */
    private static final int MIN_SECRET_LENGTH = 32;

    final OidcProvider provider;
    final OidcTenantConfig oidcConfig;
    // Encryption keys; null unless this is a web-app tenant with a resolved client (see constructor).
    private final SecretKey pkceSecretKey;
    private final SecretKey tokenEncSecretKey;
    final boolean ready;

    /**
     * Creates a context that is immediately marked ready.
     *
     * @param oidcProvider     resolved provider, may be {@code null}
     * @param oidcTenantConfig tenant configuration the keys are derived from
     */
    public TenantConfigContext(OidcProvider oidcProvider, OidcTenantConfig oidcTenantConfig) {
        this(oidcProvider, oidcTenantConfig, true);
    }

    /**
     * Creates a context and eagerly derives the encryption keys where applicable.
     *
     * @param oidcProvider     resolved provider, may be {@code null}
     * @param oidcTenantConfig tenant configuration the keys are derived from
     * @param z                readiness flag stored as {@link #ready}
     * @throws RuntimeException if PKCE is required but its secret is missing or too short
     * @throws OIDCException    if token-state key derivation fails
     */
    public TenantConfigContext(OidcProvider oidcProvider, OidcTenantConfig oidcTenantConfig, boolean z) {
        this.provider = oidcProvider;
        this.oidcConfig = oidcTenantConfig;
        this.ready = z;
        // Only web-app tenants with a live client encrypt PKCE verifiers or token state; the
        // service-app test runs first so a null provider/client is never dereferenced for them.
        boolean webAppWithClient = !OidcUtils.isServiceApp(oidcTenantConfig)
                && oidcProvider != null
                && oidcProvider.client != null;
        if (webAppWithClient) {
            this.pkceSecretKey = createPkceSecretKey(oidcTenantConfig);
            this.tokenEncSecretKey = createTokenEncSecretKey(oidcTenantConfig);
        } else {
            this.pkceSecretKey = null;
            this.tokenEncSecretKey = null;
        }
    }

    /**
     * Derives the key protecting the PKCE code verifier, or {@code null} when PKCE is not required.
     * An explicit {@code authentication.pkceSecret} wins; otherwise the client secret is reused.
     *
     * @throws RuntimeException when PKCE is required but no secret is available, or it is shorter
     *                          than 32 characters
     */
    private static SecretKey createPkceSecretKey(OidcTenantConfig oidcTenantConfig) {
        boolean pkceRequired = oidcTenantConfig.authentication.pkceRequired.orElse(false);
        if (!pkceRequired) {
            return null;
        }
        String clientSecret = OidcCommonUtils.clientSecret(oidcTenantConfig.credentials);
        String pkceSecret = oidcTenantConfig.authentication.pkceSecret.orElse(clientSecret);
        if (pkceSecret == null) {
            throw new RuntimeException("Secret key for encrypting PKCE code verifier is missing");
        }
        // Length is measured in characters, matching the error message; a hard failure, unlike the
        // token-state key below, because PKCE without a usable key cannot proceed.
        if (pkceSecret.length() < MIN_SECRET_LENGTH) {
            throw new RuntimeException("Secret key for encrypting PKCE code verifier must be at least 32 characters long");
        }
        return KeyUtils.createSecretKeyFromSecret(pkceSecret);
    }

    /**
     * Derives the AES key protecting encrypted token state, or {@code null} when encryption is off.
     * Secret resolution order: {@code tokenStateManager.encryptionSecret}, then the client secret,
     * then the JWT secret. With none configured a random 256-bit key is generated instead.
     *
     * <p>A generated key lives only in this process and is not persisted, so token state encrypted
     * with it is presumably unreadable after a restart or by another instance; configure an explicit
     * secret for anything beyond a single long-lived instance.
     *
     * @throws OIDCException wrapping any failure of key generation or digest computation
     */
    private static SecretKey createTokenEncSecretKey(OidcTenantConfig oidcTenantConfig) {
        if (!oidcTenantConfig.tokenStateManager.encryptionRequired) {
            return null;
        }
        String secret = resolveTokenEncSecret(oidcTenantConfig);
        try {
            if (secret == null) {
                LOG.warn("Secret key for encrypting tokens is missing, auto-generating it");
                KeyGenerator generator = KeyGenerator.getInstance("AES");
                generator.init(256);
                return generator.generateKey();
            }
            byte[] secretBytes = secret.getBytes(StandardCharsets.UTF_8);
            // Only a warning here: SHA-256 always yields 32 bytes, so a short secret still produces a
            // syntactically valid AES-256 key -- but hashing adds no entropy, so the key is only as
            // strong as the secret behind it.
            if (secretBytes.length < MIN_SECRET_LENGTH) {
                LOG.warn("Secret key for encrypting tokens should be 32 characters long");
            }
            return new SecretKeySpec(OidcUtils.getSha256Digest(secretBytes), "AES");
        } catch (Exception e) {
            throw new OIDCException(e);
        }
    }

    /** Picks the configured token-encryption secret, client secret or JWT secret, in that order; may return {@code null}. */
    private static String resolveTokenEncSecret(OidcTenantConfig oidcTenantConfig) {
        String clientSecret = OidcCommonUtils.clientSecret(oidcTenantConfig.credentials);
        String configured = oidcTenantConfig.tokenStateManager.encryptionSecret.orElse(clientSecret);
        if (configured != null) {
            return configured;
        }
        return OidcCommonUtils.jwtSecret(oidcTenantConfig.credentials);
    }

    /** @return the tenant configuration this context was built from */
    public OidcTenantConfig getOidcTenantConfig() {
        return this.oidcConfig;
    }

    /** @return key for PKCE code-verifier encryption, or {@code null} if not applicable */
    public SecretKey getPkceSecretKey() {
        return this.pkceSecretKey;
    }

    /** @return key for token-state encryption, or {@code null} if not applicable */
    public SecretKey getTokenEncSecretKey() {
        return this.tokenEncSecretKey;
    }
}
