package io.quarkus.oidc.client.runtime;

import io.quarkus.oidc.client.OidcClient;
import io.quarkus.oidc.client.OidcClientException;
import io.quarkus.oidc.client.Tokens;
import io.quarkus.oidc.common.OidcEndpoint;
import io.quarkus.oidc.common.OidcRequestContextProperties;
import io.quarkus.oidc.common.OidcRequestFilter;
import io.quarkus.oidc.common.OidcResponseFilter;
import io.quarkus.oidc.common.runtime.ClientAssertionProvider;
import io.quarkus.oidc.common.runtime.OidcCommonUtils;
import io.quarkus.oidc.common.runtime.config.OidcClientCommonConfig;
import io.smallrye.mutiny.Uni;
import io.smallrye.mutiny.groups.UniOnItem;
import io.vertx.core.Vertx;
import io.vertx.core.http.HttpHeaders;
import io.vertx.core.json.DecodeException;
import io.vertx.core.json.JsonObject;
import io.vertx.mutiny.core.MultiMap;
import io.vertx.mutiny.core.buffer.Buffer;
import io.vertx.mutiny.ext.web.client.HttpRequest;
import io.vertx.mutiny.ext.web.client.HttpResponse;
import io.vertx.mutiny.ext.web.client.WebClient;
import java.io.IOException;
import java.net.ConnectException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.security.Key;
import java.time.Instant;
import java.util.Base64;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.function.Supplier;
import org.eclipse.microprofile.jwt.Claims;
import org.jboss.logging.Logger;

/* loaded from: input_file:io/quarkus/oidc/client/runtime/OidcClientImpl.class */
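/**
 * {@link OidcClient} implementation that posts form-encoded grant, refresh and revocation
 * requests to an OIDC provider through a Vert.x {@link WebClient}.
 *
 * <p>Client authentication is selected once, in the constructor, from the supplied
 * {@link OidcClientConfig}: HTTP Basic ({@code Authorization} header), a JWT bearer
 * {@code client_assertion} read from a token file or supplied by the caller, a JWT signed
 * with a locally configured key, {@code client_secret} posted in the form, or a bare
 * {@code client_id}.
 *
 * <p>Security-relevant points for maintainers:
 * <ul>
 * <li>{@link #tokenGrantParams} and {@link #commonRefreshGrantParams} are shared by every
 * request; they must be copied before per-request values (assertions, secrets, refresh
 * tokens) are added to them.</li>
 * <li>The {@code exp} claim read by {@link #decodeJwtToken(String)} comes from a token whose
 * signature is NOT verified here. It is only used to compute an expiry hint.</li>
 * <li>Additional grant parameters passed by callers are appended to the form after the client
 * authentication parameters; they are expected to come from trusted application code.</li>
 * </ul>
 */
public class OidcClientImpl implements OidcClient {
    private static final Logger LOG = Logger.getLogger(OidcClientImpl.class);
    private static final String CLIENT_ID_ATTRIBUTE = "client-id";
    private static final String DEFAULT_OIDC_CLIENT_ID = "Default";
    private static final String AUTHORIZATION_HEADER = String.valueOf(HttpHeaders.AUTHORIZATION);
    private static final String JWT_BEARER_CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer";
    private static final String JWT_BEARER_GRANT_TYPE = "urn:ietf:params:oauth:grant-type:jwt-bearer";

    private final WebClient client;
    private final String tokenRequestUri;
    private final String tokenRevokeUri;
    // Shared grant parameters; null when only the refresh_token grant is supported (see getTokens).
    private final MultiMap tokenGrantParams;
    // Shared refresh parameters; refreshTokens copies them before adding the refresh token.
    private final MultiMap commonRefreshGrantParams;
    private final String grantType;
    // Complete Authorization header value, or null when HTTP Basic client authentication is not used.
    private final String clientSecretBasicAuthScheme;
    // Local signing key for client JWTs; null when a ready-made JWT bearer assertion is used instead.
    private final Key clientJwtKey;
    private final boolean jwtBearerAuthentication;
    private final OidcClientConfig oidcConfig;
    private final Map<OidcEndpoint.Type, List<OidcRequestFilter>> requestFilters;
    private final Map<OidcEndpoint.Type, List<OidcResponseFilter>> responseFilters;
    // Reads the JWT bearer assertion from the configured token path; null when no path is configured.
    private final ClientAssertionProvider clientAssertionProvider;
    private volatile boolean closed;

    /**
     * Creates the client and resolves the client authentication method from the configuration.
     *
     * <p>The decompiler reports that this constructor was package-private in the original class.
     *
     * @param webClient HTTP client used for every request; closed by {@link #close()}
     * @param str absolute token endpoint URI
     * @param str2 absolute revocation endpoint URI, or {@code null} if revocation is unavailable
     * @param str3 configured grant type name, used in filter properties and log messages
     * @param multiMap shared token grant form parameters, or {@code null} if only refresh is supported
     * @param multiMap2 shared refresh grant form parameters
     * @param oidcClientConfig client configuration
     * @param map request filters keyed by endpoint type
     * @param map2 response filters keyed by endpoint type
     * @param vertx Vert.x instance handed to the {@link ClientAssertionProvider}
     * @throws OidcClientException if a JWT bearer token path is configured but no assertion
     *         can be read from it
     */
    public OidcClientImpl(WebClient webClient, String str, String str2, String str3, MultiMap multiMap, MultiMap multiMap2, OidcClientConfig oidcClientConfig, Map<OidcEndpoint.Type, List<OidcRequestFilter>> map, Map<OidcEndpoint.Type, List<OidcResponseFilter>> map2, Vertx vertx) {
        this.client = webClient;
        this.tokenRequestUri = str;
        this.tokenRevokeUri = str2;
        this.tokenGrantParams = multiMap;
        this.commonRefreshGrantParams = multiMap2;
        this.grantType = str3;
        this.oidcConfig = oidcClientConfig;
        this.requestFilters = map;
        this.responseFilters = map2;
        this.clientSecretBasicAuthScheme = OidcCommonUtils.initClientSecretBasicAuth(oidcClientConfig);
        this.jwtBearerAuthentication = oidcClientConfig.credentials().jwt().source() == OidcClientCommonConfig.Credentials.Jwt.Source.BEARER;
        // With a bearer assertion the JWT is produced elsewhere, so no local signing key is loaded.
        this.clientJwtKey = this.jwtBearerAuthentication ? null : OidcCommonUtils.initClientJwtKey(oidcClientConfig, false);
        if (this.jwtBearerAuthentication && oidcClientConfig.credentials().jwt().tokenPath().isPresent()) {
            Path tokenPath = (Path) oidcClientConfig.credentials().jwt().tokenPath().get();
            this.clientAssertionProvider = new ClientAssertionProvider(vertx, tokenPath);
            // Fail at start-up rather than on the first token request.
            if (this.clientAssertionProvider.getClientAssertion() == null) {
                throw new OidcClientException("Cannot find a valid JWT bearer token at path: " + String.valueOf(tokenPath));
            }
        } else {
            this.clientAssertionProvider = null;
        }
    }

    /**
     * Requests tokens with the configured grant.
     *
     * @param map additional grant parameters appended to the form; must not be {@code null}
     * @return a deferred {@link Uni} that posts the request on each subscription
     * @throws IllegalStateException if the client is closed
     * @throws OidcClientException if no token grant parameters are configured
     */
    @Override // io.quarkus.oidc.client.OidcClient
    public Uni<Tokens> getTokens(Map<String, String> map) {
        checkClosed();
        if (this.tokenGrantParams == null) {
            throw new OidcClientException("Only 'refresh_token' grant is supported, please call OidcClient#refreshTokens method instead");
        }
        return getJsonResponse(OidcEndpoint.Type.TOKEN, this.tokenGrantParams, map, false);
    }

    /**
     * Exchanges a refresh token for new tokens.
     *
     * @param str the refresh token
     * @param map additional grant parameters appended to the form; must not be {@code null}
     * @return a deferred {@link Uni} that posts the request on each subscription
     * @throws IllegalStateException if the client is closed
     * @throws OidcClientException if {@code str} is {@code null}
     */
    @Override // io.quarkus.oidc.client.OidcClient
    public Uni<Tokens> refreshTokens(String str, Map<String, String> map) {
        checkClosed();
        if (str == null) {
            throw new OidcClientException("Refresh token is null");
        }
        // Work on a copy so the refresh token never ends up in the shared parameters.
        MultiMap refreshParams = copyMultiMap(this.commonRefreshGrantParams);
        refreshParams.add("refresh_token", str);
        return getJsonResponse(OidcEndpoint.Type.TOKEN, refreshParams, map, true);
    }

    /**
     * Asks the provider to revoke an access token.
     *
     * @param str the access token to revoke
     * @param map additional form parameters; must not be {@code null}
     * @return {@code false} if no revocation endpoint is configured or the provider answered
     *         503; {@code true} for every other HTTP status (see {@link #toRevokeResponse})
     * @throws IllegalStateException if the client is closed
     * @throws OidcClientException if {@code str} is {@code null}
     */
    @Override // io.quarkus.oidc.client.OidcClient
    public Uni<Boolean> revokeAccessToken(String str, Map<String, String> map) {
        checkClosed();
        if (str == null) {
            throw new OidcClientException("Access token is null");
        }
        if (this.tokenRevokeUri == null) {
            // The original call passed no argument for the %s placeholder; supply the client id.
            LOG.debugf("%s OidcClient can not revoke the access token because the revocation endpoint URL is not set",
                    this.oidcConfig.id().orElse(DEFAULT_OIDC_CLIENT_ID));
            return Uni.createFrom().item(false);
        }
        OidcRequestContextProperties requestProps = getRequestProps(null);
        MultiMap revocationParams = new MultiMap(io.vertx.core.MultiMap.caseInsensitiveMultiMap());
        revocationParams.set("token", str);
        return postRequest(requestProps, OidcEndpoint.Type.TOKEN_REVOCATION, this.client.postAbs(this.tokenRevokeUri), revocationParams, map, false)
                .transform(httpResponse -> toRevokeResponse(requestProps, httpResponse));
    }

    /**
     * Builds the context properties handed to request and response filters.
     *
     * @param grantTypeName grant type to expose under {@code grant_type}, or {@code null} to omit it
     * @return the properties, or {@code null} when no filters are registered
     */
    private OidcRequestContextProperties getRequestProps(String grantTypeName) {
        if (this.requestFilters.isEmpty() && this.responseFilters.isEmpty()) {
            return null;
        }
        Map<String, Object> props = new HashMap<>();
        props.put(CLIENT_ID_ATTRIBUTE, this.oidcConfig.id().orElse(DEFAULT_OIDC_CLIENT_ID));
        if (grantTypeName != null) {
            props.put("grant_type", grantTypeName);
        }
        return new OidcRequestContextProperties(props);
    }

    /**
     * Runs the response filters and maps the revocation response to a boolean.
     *
     * <p>RFC 7009 section 2.2 has the provider answer 200 both when the token was revoked and
     * when it was already invalid, and 503 when it cannot currently handle the request.
     *
     * <p>NOTE(review): only 503 maps to {@code false}. Any other status, including a 400 or 401
     * returned when client authentication fails, is reported as {@code true}, so callers should
     * not treat {@code true} as proof that the token is no longer usable.
     */
    private Boolean toRevokeResponse(OidcRequestContextProperties requestProps, HttpResponse<Buffer> httpResponse) {
        OidcCommonUtils.filterHttpResponse(requestProps, httpResponse, httpResponse.body(), this.responseFilters, OidcEndpoint.Type.TOKEN_REVOCATION);
        return Boolean.valueOf(httpResponse.statusCode() != 503);
    }

    /**
     * Posts a grant or refresh request to the token endpoint and converts the JSON response.
     * The request is built inside the deferred supplier, so each subscription sends a new one.
     *
     * @param endpointType endpoint type used to select the request filters
     * @param formBody base form parameters
     * @param additionalGrantParameters extra parameters supplied by the caller
     * @param refresh {@code true} for a refresh_token grant
     */
    private Uni<Tokens> getJsonResponse(final OidcEndpoint.Type endpointType, final MultiMap formBody, final Map<String, String> additionalGrantParameters, final boolean refresh) {
        final OidcRequestContextProperties requestProps = getRequestProps(refresh ? "refresh_token" : this.grantType);
        return Uni.createFrom().deferred(new Supplier<Uni<? extends Tokens>>() {
            // The decompiled listing named this method get2(), which does not implement Supplier#get.
            @Override // java.util.function.Supplier
            public Uni<? extends Tokens> get() {
                UniOnItem<HttpResponse<Buffer>> onResponse = OidcClientImpl.this.postRequest(requestProps, endpointType,
                        OidcClientImpl.this.client.postAbs(OidcClientImpl.this.tokenRequestUri), formBody, additionalGrantParameters, refresh);
                return onResponse.transform(httpResponse -> OidcClientImpl.this.emitGrantTokens(requestProps, httpResponse, refresh));
            }
        });
    }

    /**
     * Adds headers and client authentication to the request, encodes the form and sends it.
     *
     * <p>{@code formBody} may be one of the shared parameter maps, so every branch that adds
     * per-request values copies it first unless {@code refresh} is set, in which case
     * {@link #refreshTokens} has already made a copy.
     *
     * @param requestProps filter context properties, may be {@code null}
     * @param endpointType endpoint type used to select the request filters
     * @param request the prepared POST request
     * @param formBody base form parameters
     * @param additionalGrantParameters caller-supplied parameters, appended last with {@code add};
     *        must not be {@code null} and is assumed to come from trusted application code
     * @param refresh {@code true} for a refresh_token grant
     * @return the response stage; connection failures are retried up to the configured count and
     *         then surfaced as an {@link OidcClientException}
     * @throws OidcClientException if the configured JWT authentication cannot be completed
     */
    private UniOnItem<HttpResponse<Buffer>> postRequest(OidcRequestContextProperties requestProps, OidcEndpoint.Type endpointType, HttpRequest<Buffer> request, MultiMap formBody, Map<String, String> additionalGrantParameters, boolean refresh) {
        MultiMap body = formBody;
        request.putHeader(HttpHeaders.CONTENT_TYPE.toString(), HttpHeaders.APPLICATION_X_WWW_FORM_URLENCODED.toString());
        if (this.oidcConfig.headers() != null) {
            for (Map.Entry<String, String> header : this.oidcConfig.headers().entrySet()) {
                request.putHeader(header.getKey(), header.getValue());
            }
        }
        if (this.clientSecretBasicAuthScheme != null) {
            request.putHeader(AUTHORIZATION_HEADER, this.clientSecretBasicAuthScheme);
        } else if (this.jwtBearerAuthentication) {
            // Copy first: on the getTokens path `formBody` is the shared tokenGrantParams, and adding
            // to it directly would accumulate a client_assertion and client_assertion_type entry on
            // every call, keeping earlier assertions in shared state and duplicating form parameters.
            if (!refresh) {
                body = copyMultiMap(body);
            }
            // A caller-supplied assertion is appended later together with the other additional parameters.
            String clientAssertion = additionalGrantParameters.get("client_assertion");
            if (clientAssertion == null && this.clientAssertionProvider != null) {
                clientAssertion = this.clientAssertionProvider.getClientAssertion();
                if (clientAssertion != null) {
                    body.add("client_assertion", clientAssertion);
                }
            }
            if (clientAssertion == null) {
                String message = String.format("%s OidcClient can not complete the %s grant request because a JWT bearer client_assertion is missing",
                        this.oidcConfig.id().get(), refresh ? "refresh_token" : this.grantType);
                LOG.error(message);
                throw new OidcClientException(message);
            }
            body.add("client_assertion_type", JWT_BEARER_CLIENT_ASSERTION_TYPE);
        } else if (this.clientJwtKey != null) {
            if (!refresh) {
                body = copyMultiMap(body);
            }
            String signedJwt = OidcCommonUtils.signJwtWithKey(this.oidcConfig, this.tokenRequestUri, this.clientJwtKey);
            if (OidcCommonUtils.isClientSecretPostJwtAuthRequired(this.oidcConfig.credentials())) {
                body.add("client_id", (String) this.oidcConfig.clientId().get());
                body.add("client_secret", signedJwt);
            } else if (!OidcCommonUtils.isJwtAssertion(this.oidcConfig.credentials())) {
                body.add("client_assertion_type", JWT_BEARER_CLIENT_ASSERTION_TYPE);
                body.add("client_assertion", signedJwt);
            } else {
                // The signed JWT is the grant itself, which is only valid with the jwt-bearer grant type.
                if (!JWT_BEARER_GRANT_TYPE.equals(body.get("grant_type"))) {
                    String message = String.format("%s OidcClient wants to use JWT bearer grant assertion but has a wrong grant type %s configured. You must set 'quarkus.oidc-client.grant.type' property to 'jwt'.",
                            this.oidcConfig.id().get(), body.get("grant_type"));
                    LOG.error(message);
                    throw new OidcClientException(message);
                }
                body.add("assertion", signedJwt);
            }
        } else if (OidcCommonUtils.isClientSecretPostAuthRequired(this.oidcConfig.credentials())) {
            if (!refresh) {
                body = copyMultiMap(body);
            }
            body.set("client_id", (String) this.oidcConfig.clientId().get());
            body.set("client_secret", OidcCommonUtils.clientSecret(this.oidcConfig.credentials()));
        } else {
            // No client credentials: identify the client by id only, always on a fresh copy.
            body = copyMultiMap(body);
            body.set("client_id", (String) this.oidcConfig.clientId().get());
        }
        if (!additionalGrantParameters.isEmpty()) {
            body = copyMultiMap(body);
            for (Map.Entry<String, String> parameter : additionalGrantParameters.entrySet()) {
                body.add(parameter.getKey(), parameter.getValue());
            }
        }
        Buffer encodedForm = OidcCommonUtils.encodeForm(body);
        return filterHttpRequest(requestProps, endpointType, request, encodedForm).sendBuffer(encodedForm).onFailure(ConnectException.class).retry().atMost(this.oidcConfig.connectionRetryCount()).onFailure().transform(th -> {
            // The cause is logged here; the exception handed to the caller carries only a generic message.
            LOG.warn("OIDC Server is not available:", th.getCause() != null ? th.getCause() : th);
            return new OidcClientException("OIDC Server is not available");
        }).onItem();
    }

    /**
     * Runs the response filters and converts a token endpoint response into {@link Tokens}.
     *
     * @param requestProps filter context properties, may be {@code null}
     * @param httpResponse the token endpoint response
     * @param refresh {@code true} if the request was a refresh_token grant
     * @return the tokens parsed from a 200 response
     * @throws OidcClientException carrying the raw response body for any status other than 200
     */
    private Tokens emitGrantTokens(OidcRequestContextProperties requestProps, HttpResponse<Buffer> httpResponse, boolean refresh) {
        Buffer responseBody = httpResponse.body();
        OidcCommonUtils.filterHttpResponse(requestProps, httpResponse, responseBody, this.responseFilters, OidcEndpoint.Type.TOKEN);
        if (httpResponse.statusCode() == 200) {
            // Only the outcome is logged, never the token values.
            LOG.debugf("%s OidcClient has %s the tokens", this.oidcConfig.id().get(), refresh ? "refreshed" : "acquired");
            JsonObject json = responseBody.toJsonObject();
            String accessToken = json.getString(this.oidcConfig.grant().accessTokenProperty());
            Long accessTokenExpiresAt = getAccessTokenExpiresAtValue(accessToken, json.getValue(this.oidcConfig.grant().expiresInProperty()));
            String refreshToken = json.getString(this.oidcConfig.grant().refreshTokenProperty());
            Long refreshTokenExpiresAt = getExpiresAtValue(refreshToken, json.getValue(this.oidcConfig.grant().refreshExpiresInProperty()));
            return new Tokens(accessToken, accessTokenExpiresAt, this.oidcConfig.refreshTokenTimeSkew().orElse(null), refreshToken, refreshTokenExpiresAt, json, (String) this.oidcConfig.clientId().orElse(DEFAULT_OIDC_CLIENT_ID));
        }
        String errorMessage = responseBody.toString();
        LOG.debugf("%s OidcClient has failed to complete the %s grant request:  status: %d, error message: %s",
                this.oidcConfig.id().get(), refresh ? "refresh_token" : this.grantType, Integer.valueOf(httpResponse.statusCode()), errorMessage);
        // NOTE(review): the provider's response body becomes the exception message verbatim.
        throw new OidcClientException(errorMessage);
    }

    /**
     * Computes the access token expiry in epoch seconds.
     *
     * <p>Falls back to the configured {@code accessTokenExpiresIn} when neither the response nor
     * the token yields a value, then adds the configured {@code accessTokenExpirySkew} if set.
     *
     * @param accessToken the access token, may be {@code null}
     * @param expiresIn the raw expiry value from the response, may be {@code null}
     * @return the expiry, or {@code null} if it cannot be determined
     */
    private Long getAccessTokenExpiresAtValue(String accessToken, Object expiresIn) {
        Long expiresAt = getExpiresAtValue(accessToken, expiresIn);
        if (expiresAt == null && this.oidcConfig.accessTokenExpiresIn().isPresent()) {
            expiresAt = Long.valueOf((System.currentTimeMillis() / 1000) + this.oidcConfig.accessTokenExpiresIn().get().toSeconds());
        }
        if (expiresAt != null && this.oidcConfig.accessTokenExpirySkew().isPresent()) {
            expiresAt = Long.valueOf(expiresAt.longValue() + this.oidcConfig.accessTokenExpirySkew().get().getSeconds());
        }
        return expiresAt;
    }

    /**
     * Computes a token expiry in epoch seconds.
     *
     * <p>The response value wins when present: it is used as is when {@code absoluteExpiresIn}
     * is configured, otherwise it is added to the current time. Without a response value the
     * {@code exp} claim of the token is used if the token parses as a JWT.
     *
     * @param token the token, may be {@code null}
     * @param expiresIn the raw expiry value from the response, may be {@code null}
     * @return the expiry, or {@code null} if it cannot be determined
     * @throws NumberFormatException if {@code expiresIn} is not a number and its string form
     *         does not parse as a long; this value is provider-controlled
     */
    private Long getExpiresAtValue(String token, Object expiresIn) {
        if (expiresIn != null) {
            long value = expiresIn instanceof Number ? ((Number) expiresIn).longValue() : Long.parseLong(expiresIn.toString());
            return Long.valueOf(this.oidcConfig.absoluteExpiresIn() ? value : Instant.now().getEpochSecond() + value);
        }
        if (token != null) {
            return getExpiresJwtClaim(token);
        }
        return null;
    }

    /**
     * Reads the {@code exp} claim from a JWT without verifying the token.
     *
     * @return the claim value, or {@code null} if the token is not a JWT or the claim is not a number
     */
    private static Long getExpiresJwtClaim(String token) {
        JsonObject claims = decodeJwtToken(token);
        if (claims == null) {
            return null;
        }
        try {
            return claims.getLong(Claims.exp.name());
        } catch (IllegalArgumentException e) {
            LOG.debug("JWT expiry claim can not be converted to Long");
            return null;
        }
    }

    /**
     * Decodes the payload (second segment) of a three-part compact JWT.
     *
     * <p>The signature is not checked, so the returned claims are unauthenticated. In this class
     * they are only used to derive an expiry hint and must not be used for trust decisions.
     *
     * @return the payload as JSON, or {@code null} if the token does not have three segments or
     *         the payload is not valid Base64URL-encoded JSON
     */
    private static JsonObject decodeJwtToken(String token) {
        String[] parts = token.split("\\.");
        if (parts.length != 3) {
            LOG.debug("Access token is not formatted as the encoded JWT token");
            return null;
        }
        try {
            return new JsonObject(new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8));
        } catch (DecodeException e) {
            LOG.debug("JWT token can not be decoded");
            return null;
        } catch (IllegalArgumentException e2) {
            LOG.debug("JWT token can not be decoded using the Base64Url encoding scheme");
            return null;
        }
    }

    /** Returns a new case-insensitive {@link MultiMap} holding all entries of {@code source}. */
    private static MultiMap copyMultiMap(MultiMap source) {
        MultiMap copy = new MultiMap(io.vertx.core.MultiMap.caseInsensitiveMultiMap());
        copy.addAll(source);
        return copy;
    }

    /**
     * Closes the HTTP client and, if present, the client assertion provider.
     * Calling it again after a completed close does nothing.
     */
    @Override // java.io.Closeable, java.lang.AutoCloseable
    public void close() throws IOException {
        if (this.closed) {
            return;
        }
        this.client.close();
        if (this.clientAssertionProvider != null) {
            this.clientAssertionProvider.close();
        }
        this.closed = true;
    }

    /**
     * Rejects use of a closed client.
     *
     * @throws IllegalStateException if {@link #close()} has completed
     */
    private void checkClosed() {
        if (this.closed) {
            throw new IllegalStateException("OidcClient " + this.oidcConfig.id().get() + " is closed");
        }
    }

    /**
     * Passes the request and its encoded form body to every request filter matching the endpoint type.
     *
     * <p>Filters receive the encoded form, which can contain client secrets, assertions and
     * tokens, so registered filters run with access to those values.
     *
     * @return the same {@code request} instance
     */
    private HttpRequest<Buffer> filterHttpRequest(OidcRequestContextProperties requestProps, OidcEndpoint.Type endpointType, HttpRequest<Buffer> request, Buffer body) {
        if (!this.requestFilters.isEmpty()) {
            OidcRequestFilter.OidcRequestContext context = new OidcRequestFilter.OidcRequestContext(request, body, requestProps);
            for (OidcRequestFilter filter : OidcCommonUtils.getMatchingOidcRequestFilters(this.requestFilters, endpointType)) {
                filter.filter(context);
            }
        }
        return request;
    }
}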
