package org.keycloak.services.clientregistration.oidc;

import java.io.IOException;
import java.net.URI;
import java.security.PublicKey;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Set;
import org.keycloak.authentication.ClientAuthenticator;
import org.keycloak.authentication.ClientAuthenticatorFactory;
import org.keycloak.authentication.authenticators.client.ClientIdAndSecretAuthenticator;
import org.keycloak.authentication.authenticators.client.JWTClientAuthenticator;
import org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider;
import org.keycloak.jose.jwk.JSONWebKeySet;
import org.keycloak.jose.jwk.JWK;
import org.keycloak.jose.jws.Algorithm;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.protocol.oidc.OIDCAdvancedConfigWrapper;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
import org.keycloak.protocol.oidc.utils.AuthorizeClientUtil;
import org.keycloak.protocol.oidc.utils.JWKSUtils;
import org.keycloak.protocol.oidc.utils.OIDCResponseType;
import org.keycloak.representations.idm.CertificateRepresentation;
import org.keycloak.representations.idm.ClientRepresentation;
import org.keycloak.representations.oidc.OIDCClientRepresentation;
import org.keycloak.services.clientregistration.ClientRegistrationException;
import org.keycloak.services.util.CertificateInfoHelper;

/* loaded from: input_file:org/keycloak/services/clientregistration/oidc/DescriptionConverter.class */
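/**
 * Translates between the OIDC Dynamic Client Registration representation
 * ({@link OIDCClientRepresentation}) and the internal {@link ClientRepresentation}.
 *
 * <p>Security context: {@link #toInternal} consumes a registration request, so every getter it
 * reads on the OIDC representation carries registrant-supplied data. This class only maps fields;
 * apart from parsing {@code response_types} and the signature algorithm names it performs no
 * validation. Redirect URIs, the client URI and the requested grant types are copied as given, so
 * any restriction on them has to be enforced by the caller or by registration policies outside
 * this class.
 */
public class DescriptionConverter {
    /**
     * Builds the internal client representation from an OIDC client registration request.
     *
     * @param keycloakSession session used to look up client authenticator factories and, when a
     *     {@code jwks_uri} is supplied, to fetch the key set
     * @param oIDCClientRepresentation the registration request
     * @return the populated internal representation
     * @throws ClientRegistrationException if the response types or algorithm names are rejected,
     *     no client authenticator matches the requested {@code token_endpoint_auth_method},
     *     both {@code jwks} and {@code jwks_uri} are given, the JWKS fetch fails, or
     *     {@code private_key_jwt} is requested without a usable signing key
     */
    public static ClientRepresentation toInternal(KeycloakSession keycloakSession, OIDCClientRepresentation oIDCClientRepresentation) throws ClientRegistrationException {
        ClientRepresentation clientRepresentation = new ClientRepresentation();
        clientRepresentation.setClientId(oIDCClientRepresentation.getClientId());
        clientRepresentation.setName(oIDCClientRepresentation.getClientName());
        // Copied verbatim: no scheme, host or wildcard checks happen in this method.
        clientRepresentation.setRedirectUris(oIDCClientRepresentation.getRedirectUris());
        clientRepresentation.setBaseUrl(oIDCClientRepresentation.getClientUri());

        // An absent or empty response_types defaults to the authorization code flow.
        List<String> responseTypes = oIDCClientRepresentation.getResponseTypes();
        if (responseTypes == null || responseTypes.isEmpty()) {
            responseTypes = Collections.singletonList("code");
        }
        List<String> grantTypes = oIDCClientRepresentation.getGrantTypes();
        try {
            OIDCResponseType parsedResponseType = OIDCResponseType.parse(responseTypes);
            clientRepresentation.setStandardFlowEnabled(parsedResponseType.hasResponseType("code"));
            clientRepresentation.setImplicitFlowEnabled(parsedResponseType.isImplicitOrHybridFlow());
            if (grantTypes != null) {
                // The registrant decides whether the password grant and service accounts are
                // switched on. When grant_types is absent both flags stay unset here and the
                // effective default is decided elsewhere.
                clientRepresentation.setDirectAccessGrantsEnabled(grantTypes.contains("password"));
                clientRepresentation.setServiceAccountsEnabled(grantTypes.contains("client_credentials"));
            }

            String tokenEndpointAuthMethod = oIDCClientRepresentation.getTokenEndpointAuthMethod();
            ClientAuthenticatorFactory authenticatorFactory;
            if (tokenEndpointAuthMethod == null) {
                // No method requested: fall back to the server's default client authenticator.
                authenticatorFactory = (ClientAuthenticatorFactory) keycloakSession.getKeycloakSessionFactory().getProviderFactory(ClientAuthenticator.class, KeycloakModelUtils.getDefaultClientAuthenticatorType());
            } else {
                authenticatorFactory = AuthorizeClientUtil.findClientAuthenticatorForOIDCAuthMethod(keycloakSession, tokenEndpointAuthMethod);
            }
            if (authenticatorFactory == null) {
                throw new ClientRegistrationException("Not found clientAuthenticator for requested token_endpoint_auth_method");
            }
            clientRepresentation.setClientAuthenticatorType(authenticatorFactory.getId());

            // The key lookup runs for every request that carries jwks or jwks_uri, not only for
            // private_key_jwt, so a jwks_uri triggers an outbound fetch regardless of the
            // requested authentication method.
            PublicKey signingKey = retrievePublicKey(keycloakSession, oIDCClientRepresentation);
            if (OIDCLoginProtocol.PRIVATE_KEY_JWT.equals(tokenEndpointAuthMethod) && signingKey == null) {
                throw new ClientRegistrationException("Didn't find key of supported keyType for use " + JWK.Use.SIG.asString());
            }
            if (signingKey != null) {
                // The key is stored as a PEM snapshot taken at registration time; nothing in
                // this class re-reads jwks_uri afterwards.
                String pemFromKey = KeycloakModelUtils.getPemFromKey(signingKey);
                CertificateRepresentation certificateRepresentation = new CertificateRepresentation();
                certificateRepresentation.setPublicKey(pemFromKey);
                CertificateInfoHelper.updateClientRepresentationCertificateInfo(clientRepresentation, certificateRepresentation, JWTClientAuthenticator.ATTR_PREFIX);
            }

            OIDCAdvancedConfigWrapper advancedConfig = OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRepresentation);
            String userinfoSignedResponseAlg = oIDCClientRepresentation.getUserinfoSignedResponseAlg();
            if (userinfoSignedResponseAlg != null) {
                // valueOf rejects any name that is not an Algorithm constant.
                advancedConfig.setUserInfoSignedResponseAlg(Algorithm.valueOf(userinfoSignedResponseAlg));
            }
            String requestObjectSigningAlg = oIDCClientRepresentation.getRequestObjectSigningAlg();
            if (requestObjectSigningAlg != null) {
                advancedConfig.setRequestObjectSignatureAlg(Algorithm.valueOf(requestObjectSigningAlg));
            }
            return clientRepresentation;
        } catch (IllegalArgumentException e) {
            // NOTE(review): the underlying message is passed through unchanged; for an unknown
            // algorithm name it contains the enum's class name and the submitted value. Confirm
            // how the caller renders this message before it reaches the registrant.
            throw new ClientRegistrationException(e.getMessage(), e);
        }
    }

    /**
     * Resolves the client's signing key from either the inline {@code jwks} or the remote
     * {@code jwks_uri} of the registration request.
     *
     * <p>The {@code jwks_uri} value comes from the registration request and is fetched by the
     * server. NOTE(review): whether {@code JWKSUtils.sendJwksRequest} limits scheme, destination,
     * redirects or response size is not visible from this class; if it does not, outbound access
     * for this call should be constrained at the HTTP client or network layer.
     *
     * @return the key selected for signature use, or {@code null} when neither source is given
     *     or the key set holds no such key
     * @throws ClientRegistrationException if both sources are given or the fetch fails
     */
    private static PublicKey retrievePublicKey(KeycloakSession keycloakSession, OIDCClientRepresentation oIDCClientRepresentation) {
        JSONWebKeySet inlineJwks = oIDCClientRepresentation.getJwks();
        boolean hasJwksUri = oIDCClientRepresentation.getJwksUri() != null;
        if (!hasJwksUri && inlineJwks == null) {
            return null;
        }
        if (hasJwksUri && inlineJwks != null) {
            throw new ClientRegistrationException("Illegal to use both jwks_uri and jwks");
        }

        JSONWebKeySet keySet;
        if (inlineJwks != null) {
            keySet = inlineJwks;
        } else {
            try {
                keySet = JWKSUtils.sendJwksRequest(keycloakSession, oIDCClientRepresentation.getJwksUri());
            } catch (IOException e) {
                throw new ClientRegistrationException("Failed to send JWKS request to specified jwks_uri", e);
            }
        }
        return JWKSUtils.getKeyForUse(keySet, JWK.Use.SIG);
    }

    /**
     * Builds the OIDC registration response for an internal client representation.
     *
     * <p>The result carries the registration access token and, for clients using the
     * client-id-and-secret authenticator, the client secret, so it should be treated as
     * credential material by callers (for example, kept out of logs).
     *
     * @param keycloakSession session used to look up the client's authenticator factory
     * @param clientRepresentation the internal client
     * @param uri the registration client URI to report back
     * @return the OIDC representation of the client
     */
    public static OIDCClientRepresentation toExternalResponse(KeycloakSession keycloakSession, ClientRepresentation clientRepresentation, URI uri) {
        OIDCClientRepresentation response = new OIDCClientRepresentation();
        response.setClientId(clientRepresentation.getClientId());

        String authenticatorType = clientRepresentation.getClientAuthenticatorType();
        // The cast mirrors the lookup in toInternal; the generic provider factory type does not
        // declare getProtocolAuthenticatorMethods.
        ClientAuthenticatorFactory authenticatorFactory = (ClientAuthenticatorFactory) keycloakSession.getKeycloakSessionFactory().getProviderFactory(ClientAuthenticator.class, authenticatorType);
        // An authenticator type with no registered factory leaves token_endpoint_auth_method
        // unset instead of failing the whole response with a NullPointerException.
        if (authenticatorFactory != null) {
            Set<String> authMethods = authenticatorFactory.getProtocolAuthenticatorMethods("openid-connect");
            if (authMethods != null && !authMethods.isEmpty()) {
                // Only one method is reported; with several, the set's iteration order decides.
                response.setTokenEndpointAuthMethod(authMethods.iterator().next());
            }
        }
        // Constant-first comparison tolerates a client without an authenticator type.
        if (ClientIdAndSecretAuthenticator.PROVIDER_ID.equals(authenticatorType)) {
            response.setClientSecret(clientRepresentation.getSecret());
            // 0 is the OIDC registration value for a secret that does not expire.
            response.setClientSecretExpiresAt(0);
        }

        response.setClientName(clientRepresentation.getName());
        response.setClientUri(clientRepresentation.getBaseUrl());
        response.setRedirectUris(clientRepresentation.getRedirectUris());
        response.setRegistrationAccessToken(clientRepresentation.getRegistrationAccessToken());
        response.setRegistrationClientUri(uri.toString());
        response.setResponseTypes(getOIDCResponseTypes(clientRepresentation));
        response.setGrantTypes(getOIDCGrantTypes(clientRepresentation));

        OIDCAdvancedConfigWrapper advancedConfig = OIDCAdvancedConfigWrapper.fromClientRepresentation(clientRepresentation);
        if (advancedConfig.isUserInfoSignatureRequired()) {
            response.setUserinfoSignedResponseAlg(advancedConfig.getUserInfoSignedResponseAlg().toString());
        }
        if (advancedConfig.getRequestObjectSignatureAlg() != null) {
            response.setRequestObjectSigningAlg(advancedConfig.getRequestObjectSignatureAlg().toString());
        }
        return response;
    }

    /**
     * Lists the OIDC response types implied by the client's enabled flows. An unset (null)
     * flag is treated as disabled.
     */
    private static List<String> getOIDCResponseTypes(ClientRepresentation clientRepresentation) {
        boolean standardFlow = Boolean.TRUE.equals(clientRepresentation.isStandardFlowEnabled());
        boolean implicitFlow = Boolean.TRUE.equals(clientRepresentation.isImplicitFlowEnabled());

        List<String> responseTypes = new ArrayList<>();
        if (standardFlow) {
            responseTypes.add("code");
            responseTypes.add("none");
        }
        if (implicitFlow) {
            responseTypes.add(OIDCResponseType.ID_TOKEN);
            responseTypes.add("id_token token");
        }
        // Hybrid combinations require both flows.
        if (standardFlow && implicitFlow) {
            responseTypes.add("code id_token");
            responseTypes.add("code token");
            responseTypes.add("code id_token token");
        }
        return responseTypes;
    }

    /**
     * Lists the OAuth2 grant types implied by the client's enabled features. An unset (null)
     * flag is treated as disabled; the refresh token grant is always included.
     */
    private static List<String> getOIDCGrantTypes(ClientRepresentation clientRepresentation) {
        List<String> grantTypes = new ArrayList<>();
        if (Boolean.TRUE.equals(clientRepresentation.isStandardFlowEnabled())) {
            grantTypes.add(AbstractOAuth2IdentityProvider.OAUTH2_GRANT_TYPE_AUTHORIZATION_CODE);
        }
        if (Boolean.TRUE.equals(clientRepresentation.isImplicitFlowEnabled())) {
            grantTypes.add("implicit");
        }
        if (Boolean.TRUE.equals(clientRepresentation.isDirectAccessGrantsEnabled())) {
            grantTypes.add("password");
        }
        if (Boolean.TRUE.equals(clientRepresentation.isServiceAccountsEnabled())) {
            grantTypes.add("client_credentials");
        }
        grantTypes.add(AbstractOAuth2IdentityProvider.OAUTH2_GRANT_TYPE_REFRESH_TOKEN);
        return grantTypes;
    }
}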
