package org.cloudfoundry.identity.uaa.oauth;

import java.math.BigInteger;
import java.security.Principal;
import java.security.interfaces.RSAPublicKey;
import java.util.Arrays;
import java.util.Base64;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.cloudfoundry.identity.uaa.oauth.jwk.JsonWebKey;
import org.cloudfoundry.identity.uaa.oauth.token.VerificationKeyResponse;
import org.cloudfoundry.identity.uaa.oauth.token.VerificationKeysListResponse;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.authentication.AnonymousAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.stereotype.Controller;
import org.springframework.util.MultiValueMap;
import org.springframework.web.bind.annotation.RequestHeader;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.ResponseBody;

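/**
 * Serves the token verification keys at {@code /token_key} (active key) and
 * {@code /token_keys} (all keys).
 *
 * <p>Asymmetric keys are returned to any caller. Symmetric keys are returned
 * only to an authenticated, non-anonymous caller that holds the
 * {@code uaa.resource} authority. A symmetric verification key is also the
 * signing key, so every holder of that authority can mint tokens that verify
 * against it; the authority should be granted as narrowly as possible.
 *
 * <p>Both endpoints support conditional GET: the {@code ETag} is
 * {@code KeyInfo.getLastModified().toString()}.
 * NOTE(review): the response body differs by caller authority while the ETag
 * does not. Confirm that cache headers set elsewhere keep shared caches from
 * storing the authenticated variant.
 */
@Controller
/* loaded from: input_file:WEB-INF/lib/cloudfoundry-identity-server-4.10.1.jar:org/cloudfoundry/identity/uaa/oauth/TokenKeyEndpoint.class */
public class TokenKeyEndpoint {
    protected final Log logger = LogFactory.getLog(getClass());

    /**
     * Handles {@code GET /token_key}.
     *
     * @param principal the caller, or {@code null} when there is none
     * @param str the {@code If-None-Match} request header; {@code "NaN"} when absent
     * @return 304 without a body when the header equals the current ETag,
     *     otherwise 200 with the active key and an {@code ETag} header
     * @throws AccessDeniedException if the active key is symmetric and the caller
     *     may not read symmetric keys
     */
    @RequestMapping(value = {"/token_key"}, method = {RequestMethod.GET})
    @ResponseBody
    public ResponseEntity<VerificationKeyResponse> getKey(Principal principal, @RequestHeader(value = "If-None-Match", required = false, defaultValue = "NaN") String str) {
        String currentTag = KeyInfo.getLastModified().toString();
        // NOTE(review): the 304 short-circuit runs before the access check in
        // getKey(Principal), so a matching tag yields 304 even for a caller who
        // would otherwise be denied. No key material is returned on that path.
        if (unmodifiedResource(str, currentTag)) {
            return new ResponseEntity<>(HttpStatus.NOT_MODIFIED);
        }
        return new ResponseEntity<>(getKey(principal), etagHeaders(currentTag), HttpStatus.OK);
    }

    /**
     * Handles {@code GET /token_keys}.
     *
     * @param principal the caller, or {@code null} when there is none
     * @param str the {@code If-None-Match} request header; {@code "NaN"} when absent
     * @return 304 without a body when the header equals the current ETag,
     *     otherwise 200 with the keys visible to the caller and an {@code ETag} header
     */
    @RequestMapping(value = {"/token_keys"}, method = {RequestMethod.GET})
    @ResponseBody
    public ResponseEntity<VerificationKeysListResponse> getKeys(Principal principal, @RequestHeader(value = "If-None-Match", required = false, defaultValue = "NaN") String str) {
        String currentTag = KeyInfo.getLastModified().toString();
        if (unmodifiedResource(str, currentTag)) {
            return new ResponseEntity<>(HttpStatus.NOT_MODIFIED);
        }
        return new ResponseEntity<>(getKeys(principal), etagHeaders(currentTag), HttpStatus.OK);
    }

    /**
     * Returns the active key if the caller is allowed to see it.
     *
     * @param principal the caller, or {@code null} when there is none
     * @return the active key in verification-key form
     * @throws AccessDeniedException if the active key is not asymmetric and the
     *     caller does not pass {@link #includeSymmetricalKeys(Principal)}
     */
    public VerificationKeyResponse getKey(Principal principal) {
        KeyInfo activeKey = KeyInfo.getActiveKey();
        if (includeSymmetricalKeys(principal) || activeKey.isAssymetricKey()) {
            return getVerificationKeyResponse(activeKey);
        }
        throw new AccessDeniedException("You need to authenticate to see a shared key");
    }

    /**
     * Wraps {@link #getResultMap(KeyInfo)} in a {@link VerificationKeyResponse}.
     * Performs no access check; callers decide whether the key may be disclosed.
     */
    public static VerificationKeyResponse getVerificationKeyResponse(KeyInfo keyInfo) {
        return new VerificationKeyResponse(getResultMap(keyInfo));
    }

    /**
     * Builds the JWK-style attribute map for a key.
     *
     * <p>Always sets {@code alg}, {@code value}, {@code use}, {@code kid} and
     * {@code kty}. For an asymmetric RSA key with an available public key it also
     * sets {@code n} and {@code e}, base64url-encoded without padding.
     *
     * <p>{@code value} is {@code keyInfo.getVerifierKey()}; for a symmetric key
     * that is presumably the shared secret itself, so this map must only reach
     * callers that passed the access check.
     *
     * @param keyInfo the key to describe
     * @return a new mutable map of key attributes
     */
    public static Map<String, Object> getResultMap(KeyInfo keyInfo) {
        Map<String, Object> result = new HashMap<>();
        result.put("alg", keyInfo.getSigner().algorithm());
        result.put("value", keyInfo.getVerifierKey());
        result.put("use", JsonWebKey.KeyUse.sig.name());
        result.put("kid", keyInfo.getKeyId());
        result.put("kty", keyInfo.getType());
        if (keyInfo.isAssymetricKey() && "RSA".equals(keyInfo.getType())) {
            RSAPublicKey rsaPublicKey = keyInfo.getRsaPublicKey();
            if (rsaPublicKey != null) {
                Base64.Encoder encoder = Base64.getUrlEncoder().withoutPadding();
                // RFC 7518 requires the minimal unsigned big-endian octets for
                // "n" and "e"; BigInteger.toByteArray() may prepend a sign byte.
                result.put("n", encoder.encodeToString(toUnsignedBytes(rsaPublicKey.getModulus())));
                result.put("e", encoder.encodeToString(toUnsignedBytes(rsaPublicKey.getPublicExponent())));
            }
        }
        return result;
    }

    /**
     * Returns the big-endian magnitude of a non-negative value without the
     * leading zero sign byte that {@link BigInteger#toByteArray()} adds when the
     * top bit is set.
     */
    private static byte[] toUnsignedBytes(BigInteger value) {
        byte[] bytes = value.toByteArray();
        if (bytes.length > 1 && bytes[0] == 0) {
            return Arrays.copyOfRange(bytes, 1, bytes.length);
        }
        return bytes;
    }

    /** Builds response headers that carry the given tag as {@code ETag}. */
    private static HttpHeaders etagHeaders(String tag) {
        HttpHeaders headers = new HttpHeaders();
        // The tag is sent unquoted and compared verbatim in unmodifiedResource,
        // so only a client that echoes it unchanged gets a 304.
        headers.put("ETag", Collections.singletonList(tag));
        return headers;
    }

    /**
     * Tells whether the client's {@code If-None-Match} value matches the current tag.
     * {@code "NaN"} is the placeholder for an absent header and never matches;
     * a {@code null} header value is treated as no match.
     */
    private boolean unmodifiedResource(String str, String str2) {
        return !"NaN".equals(str) && str2.equals(str);
    }

    /**
     * Returns every key the caller may see: all keys for a caller that passes
     * {@link #includeSymmetricalKeys(Principal)}, otherwise asymmetric keys only.
     * Symmetric keys are omitted silently rather than rejected.
     *
     * @param principal the caller, or {@code null} when there is none
     */
    public VerificationKeysListResponse getKeys(Principal principal) {
        boolean includeSymmetric = includeSymmetricalKeys(principal);
        List<VerificationKeyResponse> visibleKeys = KeyInfo.getKeys().values().stream()
                .filter(keyInfo -> includeSymmetric || keyInfo.isAssymetricKey())
                .map(TokenKeyEndpoint::getVerificationKeyResponse)
                .collect(Collectors.toList());
        return new VerificationKeysListResponse(visibleKeys);
    }

    /**
     * Decides whether the caller may read symmetric keys.
     *
     * @param principal the caller, or {@code null} when there is none
     * @return {@code true} only for a non-anonymous {@link Authentication} whose
     *     authorities include {@code uaa.resource}
     */
    protected boolean includeSymmetricalKeys(Principal principal) {
        if (!(principal instanceof Authentication) || principal instanceof AnonymousAuthenticationToken) {
            return false;
        }
        // NOTE(review): isAuthenticated() is not consulted here; confirm that the
        // filter chain never passes an unauthenticated token to this endpoint.
        Collection<? extends GrantedAuthority> authorities = ((Authentication) principal).getAuthorities();
        if (authorities == null) {
            return false;
        }
        for (GrantedAuthority authority : authorities) {
            if ("uaa.resource".equals(authority.getAuthority())) {
                return true;
            }
        }
        return false;
    }
}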
