package fish.payara.security.openid.controller;

import fish.payara.security.annotations.ClaimsDefinition;
import fish.payara.security.annotations.LogoutDefinition;
import fish.payara.security.annotations.OpenIdAuthenticationDefinition;
import fish.payara.security.annotations.OpenIdProviderMetadata;
import fish.payara.security.openid.OpenIdUtil;
import fish.payara.security.openid.api.OpenIdConstant;
import fish.payara.security.openid.domain.ClaimsConfiguration;
import fish.payara.security.openid.domain.LogoutConfiguration;
import fish.payara.security.openid.domain.OpenIdConfiguration;
import fish.payara.security.openid.domain.OpenIdTokenEncryptionMetadata;
import java.net.MalformedURLException;
import java.net.URL;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import javax.json.JsonObject;
import org.eclipse.microprofile.config.Config;
import org.eclipse.microprofile.config.ConfigProvider;
import org.glassfish.common.util.StringHelper;

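/**
 * Builds and validates the {@link OpenIdConfiguration} for an application from its
 * {@link OpenIdAuthenticationDefinition} annotation, MicroProfile Config overrides and the
 * provider metadata document returned by the injected {@code ProviderMetadataContoller}.
 *
 * <p>Every annotation value is passed through {@code OpenIdUtil.getConfiguredValue} together
 * with its MicroProfile Config key, so the effective value may come from configuration rather
 * than from the annotation.
 */
@ApplicationScoped
/* loaded from: input_file:MICRO-INF/runtime/openid-client-integration.jar:fish/payara/security/openid/controller/ConfigurationController.class */
public class ConfigurationController {

    @Inject
    private ProviderMetadataContoller configurationContoller;
    private static final String SPACE_SEPARATOR = " ";

    /**
     * Creates the OpenID Connect client configuration for the given definition.
     *
     * <p>For each provider endpoint the annotation value wins; when the annotation leaves it
     * empty and the provider document carries the corresponding key, the document value is
     * used as the fallback instead.
     *
     * <p>NOTE(review): nothing in this method restricts the provider endpoints or the JWKS URL
     * to {@code https}; confirm that the scheme is enforced where these URLs are used, because
     * the JWKS URL decides which keys are trusted for token verification.
     *
     * @param openIdAuthenticationDefinition the annotation describing the OpenID Connect client
     * @return the validated configuration
     * @throws IllegalStateException if the JWKS URI is not a valid URL, an extra parameter is
     *     not in {@code key=value} form, or validation reports at least one error
     */
    public OpenIdConfiguration buildConfig(OpenIdAuthenticationDefinition openIdAuthenticationDefinition) {
        Config config = ConfigProvider.getConfig();
        String providerUri = configuredString(openIdAuthenticationDefinition.providerURI(), config, OpenIdAuthenticationDefinition.OPENID_MP_PROVIDER_URI);
        OpenIdProviderMetadata providerMetadata = openIdAuthenticationDefinition.providerMetadata();
        JsonObject document = this.configurationContoller.getDocument(providerUri);

        String authorizationEndpoint = resolveEndpoint(providerMetadata.authorizationEndpoint(), document, OpenIdConstant.AUTHORIZATION_ENDPOINT, config, OpenIdProviderMetadata.OPENID_MP_AUTHORIZATION_ENDPOINT);
        String tokenEndpoint = resolveEndpoint(providerMetadata.tokenEndpoint(), document, OpenIdConstant.TOKEN_ENDPOINT, config, OpenIdProviderMetadata.OPENID_MP_TOKEN_ENDPOINT);
        String userinfoEndpoint = resolveEndpoint(providerMetadata.userinfoEndpoint(), document, OpenIdConstant.USERINFO_ENDPOINT, config, OpenIdProviderMetadata.OPENID_MP_USERINFO_ENDPOINT);
        String endSessionEndpoint = resolveEndpoint(providerMetadata.endSessionEndpoint(), document, OpenIdConstant.END_SESSION_ENDPOINT, config, OpenIdProviderMetadata.OPENID_MP_END_SESSION_ENDPOINT);

        URL jwksUrl;
        try {
            jwksUrl = new URL(resolveEndpoint(providerMetadata.jwksURI(), document, OpenIdConstant.JWKS_URI, config, OpenIdProviderMetadata.OPENID_MP_JWKS_URI));
        } catch (MalformedURLException e) {
            throw new IllegalStateException("jwksURI is invalid", e);
        }

        String clientId = configuredString(openIdAuthenticationDefinition.clientId(), config, OpenIdAuthenticationDefinition.OPENID_MP_CLIENT_ID);
        // The secret is handed on as char[]; the String it was read from is not cleared here.
        char[] clientSecret = configuredString(openIdAuthenticationDefinition.clientSecret(), config, OpenIdAuthenticationDefinition.OPENID_MP_CLIENT_SECRET).toCharArray();
        String redirectUri = configuredString(openIdAuthenticationDefinition.redirectURI(), config, OpenIdAuthenticationDefinition.OPENID_MP_REDIRECT_URI);

        String scopes = configuredString(String.join(SPACE_SEPARATOR, openIdAuthenticationDefinition.scope()), config, OpenIdAuthenticationDefinition.OPENID_MP_SCOPE);
        if (StringHelper.isEmpty(scopes)) {
            scopes = OpenIdConstant.OPENID_SCOPE;
        } else if (!Arrays.asList(scopes.split(SPACE_SEPARATOR)).contains(OpenIdConstant.OPENID_SCOPE)) {
            // Compare whole scope tokens: a substring test would treat a scope that merely
            // contains the text of the mandatory scope as if the mandatory scope were present.
            scopes = "openid " + scopes;
        }

        // Response types are lower-cased and sorted so that the validation below compares a
        // canonical form. Locale.ROOT keeps the result independent of the JVM default locale.
        String responseType = Arrays.stream(configuredString(openIdAuthenticationDefinition.responseType(), config, OpenIdAuthenticationDefinition.OPENID_MP_RESPONSE_TYPE).trim().split(SPACE_SEPARATOR))
                .map(value -> value.toLowerCase(Locale.ROOT))
                .sorted()
                .collect(Collectors.joining(SPACE_SEPARATOR));
        String responseMode = configuredString(openIdAuthenticationDefinition.responseMode(), config, OpenIdAuthenticationDefinition.OPENID_MP_RESPONSE_MODE);
        String display = configuredString(openIdAuthenticationDefinition.display().toString().toLowerCase(Locale.ROOT), config, OpenIdAuthenticationDefinition.OPENID_MP_DISPLAY);
        String prompt = configuredString(
                Arrays.stream(openIdAuthenticationDefinition.prompt())
                        .map(value -> value.toString().toLowerCase(Locale.ROOT))
                        .collect(Collectors.joining(SPACE_SEPARATOR)),
                config, OpenIdAuthenticationDefinition.OPENID_MP_PROMPT);

        Map<String, String> extraParameters = parseExtraParameters(openIdAuthenticationDefinition.extraParameters());

        boolean useNonce = configuredBoolean(openIdAuthenticationDefinition.useNonce(), config, OpenIdAuthenticationDefinition.OPENID_MP_USE_NONCE);
        boolean useSession = configuredBoolean(openIdAuthenticationDefinition.useSession(), config, OpenIdAuthenticationDefinition.OPENID_MP_USE_SESSION);
        int jwksConnectTimeout = configuredInt(openIdAuthenticationDefinition.jwksConnectTimeout(), config, OpenIdAuthenticationDefinition.OPENID_MP_JWKS_CONNECT_TIMEOUT);
        int jwksReadTimeout = configuredInt(openIdAuthenticationDefinition.jwksReadTimeout(), config, OpenIdAuthenticationDefinition.OPENID_MP_JWKS_READ_TIMEOUT);

        // The token-encryption settings have no annotation counterpart in this method: they are
        // read from MicroProfile Config only and stay null when the key is absent.
        String encryptionAlgorithm = config.getOptionalValue(OpenIdAuthenticationDefinition.OPENID_MP_CLIENT_ENC_ALGORITHM, String.class).orElse(null);
        String encryptionMethod = config.getOptionalValue(OpenIdAuthenticationDefinition.OPENID_MP_CLIENT_ENC_METHOD, String.class).orElse(null);
        String privateKeySource = config.getOptionalValue(OpenIdAuthenticationDefinition.OPENID_MP_CLIENT_ENC_JWKS, String.class).orElse(null);

        String callerNameClaim = configuredString(openIdAuthenticationDefinition.claimsDefinition().callerNameClaim(), config, ClaimsDefinition.OPENID_MP_CALLER_NAME_CLAIM);
        String callerGroupsClaim = configuredString(openIdAuthenticationDefinition.claimsDefinition().callerGroupsClaim(), config, ClaimsDefinition.OPENID_MP_CALLER_GROUP_CLAIM);

        boolean notifyProvider = configuredBoolean(openIdAuthenticationDefinition.logout().notifyProvider(), config, LogoutDefinition.OPENID_MP_PROVIDER_NOTIFY_LOGOUT);
        String postLogoutRedirectUri = configuredString(openIdAuthenticationDefinition.logout().redirectURI(), config, LogoutDefinition.OPENID_MP_POST_LOGOUT_REDIRECT_URI);
        boolean logoutOnAccessTokenExpiry = configuredBoolean(openIdAuthenticationDefinition.logout().accessTokenExpiry(), config, LogoutDefinition.OPENID_MP_LOGOUT_ON_ACCESS_TOKEN_EXPIRY);
        boolean logoutOnIdentityTokenExpiry = configuredBoolean(openIdAuthenticationDefinition.logout().identityTokenExpiry(), config, LogoutDefinition.OPENID_MP_LOGOUT_ON_IDENTITY_TOKEN_EXPIRY);

        boolean tokenAutoRefresh = configuredBoolean(openIdAuthenticationDefinition.tokenAutoRefresh(), config, OpenIdAuthenticationDefinition.OPENID_MP_TOKEN_AUTO_REFRESH);
        int tokenMinValidity = configuredInt(openIdAuthenticationDefinition.tokenMinValidity(), config, OpenIdAuthenticationDefinition.OPENID_MP_TOKEN_MIN_VALIDITY);

        OpenIdConfiguration configuration = new OpenIdConfiguration()
                .setProviderMetadata(new fish.payara.security.openid.domain.OpenIdProviderMetadata(document)
                        .setAuthorizationEndpoint(authorizationEndpoint)
                        .setTokenEndpoint(tokenEndpoint)
                        .setUserinfoEndpoint(userinfoEndpoint)
                        .setEndSessionEndpoint(endSessionEndpoint)
                        .setJwksURL(jwksUrl))
                .setClaimsConfiguration(new ClaimsConfiguration()
                        .setCallerNameClaim(callerNameClaim)
                        .setCallerGroupsClaim(callerGroupsClaim))
                .setLogoutConfiguration(new LogoutConfiguration()
                        .setNotifyProvider(notifyProvider)
                        .setRedirectURI(postLogoutRedirectUri)
                        .setAccessTokenExpiry(logoutOnAccessTokenExpiry)
                        .setIdentityTokenExpiry(logoutOnIdentityTokenExpiry))
                .setEncryptionMetadata(new OpenIdTokenEncryptionMetadata()
                        .setEncryptionAlgorithm(encryptionAlgorithm)
                        .setEncryptionMethod(encryptionMethod)
                        .setPrivateKeySource(privateKeySource))
                .setClientId(clientId)
                .setClientSecret(clientSecret)
                .setRedirectURI(redirectUri)
                .setScopes(scopes)
                .setResponseType(responseType)
                .setResponseMode(responseMode)
                .setExtraParameters(extraParameters)
                .setPrompt(prompt)
                .setDisplay(display)
                .setUseNonce(useNonce)
                .setUseSession(useSession)
                .setJwksConnectTimeout(jwksConnectTimeout)
                .setJwksReadTimeout(jwksReadTimeout)
                .setTokenAutoRefresh(tokenAutoRefresh)
                .setTokenMinValidity(tokenMinValidity);
        validateConfiguration(configuration);
        return configuration;
    }

    /** Resolves a String setting through {@code OpenIdUtil.getConfiguredValue}. */
    private static String configuredString(String fallback, Config config, String key) {
        return (String) OpenIdUtil.getConfiguredValue(String.class, fallback, config, key);
    }

    /** Resolves a boolean setting through {@code OpenIdUtil.getConfiguredValue}. */
    private static boolean configuredBoolean(boolean fallback, Config config, String key) {
        return ((Boolean) OpenIdUtil.getConfiguredValue(Boolean.class, Boolean.valueOf(fallback), config, key)).booleanValue();
    }

    /** Resolves an int setting through {@code OpenIdUtil.getConfiguredValue}. */
    private static int configuredInt(int fallback, Config config, String key) {
        return ((Integer) OpenIdUtil.getConfiguredValue(Integer.class, Integer.valueOf(fallback), config, key)).intValue();
    }

    /**
     * Resolves one provider endpoint: the annotation value is the fallback unless it is empty
     * and the provider document contains {@code documentKey}, in which case the document value
     * is the fallback.
     */
    private static String resolveEndpoint(String declared, JsonObject document, String documentKey, Config config, String configKey) {
        boolean useDocument = StringHelper.isEmpty(declared) && document.containsKey(documentKey);
        return configuredString(useDocument ? document.getString(documentKey) : declared, config, configKey);
    }

    /**
     * Parses {@code key=value} entries into a map, splitting on the first {@code =} only so a
     * value that itself contains {@code =} is kept whole.
     *
     * @throws IllegalStateException if an entry has no {@code =} or an empty key
     */
    private static Map<String, String> parseExtraParameters(String[] entries) {
        Map<String, String> parameters = new HashMap<>();
        for (String entry : entries) {
            int separator = entry.indexOf('=');
            if (separator <= 0) {
                throw new IllegalStateException("extraParameters entry is not in key=value form: " + entry);
            }
            parameters.put(entry.substring(0, separator), entry.substring(separator + 1));
        }
        return parameters;
    }

    /**
     * Runs the provider-metadata and client checks and fails when either reports a problem.
     *
     * @throws IllegalStateException carrying the list of all collected messages
     */
    private void validateConfiguration(OpenIdConfiguration openIdConfiguration) {
        List<String> errors = new ArrayList<>();
        errors.addAll(validateProviderMetadata(openIdConfiguration));
        errors.addAll(validateClientConfiguration(openIdConfiguration));
        if (!errors.isEmpty()) {
            throw new IllegalStateException(errors.toString());
        }
    }

    /**
     * Checks that the mandatory provider metadata values are present.
     *
     * @return one message per missing value; empty when nothing is missing
     */
    private List<String> validateProviderMetadata(OpenIdConfiguration openIdConfiguration) {
        List<String> errors = new ArrayList<>();
        if (StringHelper.isEmpty(openIdConfiguration.getProviderMetadata().getIssuerURI())) {
            errors.add("issuer metadata is mandatory");
        }
        if (StringHelper.isEmpty(openIdConfiguration.getProviderMetadata().getAuthorizationEndpoint())) {
            errors.add("authorization_endpoint metadata is mandatory");
        }
        if (StringHelper.isEmpty(openIdConfiguration.getProviderMetadata().getTokenEndpoint())) {
            errors.add("token_endpoint metadata is mandatory");
        }
        if (openIdConfiguration.getProviderMetadata().getJwksURL() == null) {
            errors.add("jwks_uri metadata is mandatory");
        }
        if (openIdConfiguration.getProviderMetadata().getResponseTypeSupported().isEmpty()) {
            errors.add("response_types_supported metadata is mandatory");
        }
        // NOTE(review): this condition tests the response types again, so an empty
        // subject_types_supported is never reported by itself. It should test the subject-types
        // accessor of the provider metadata class; confirm that accessor's name before changing.
        if (openIdConfiguration.getProviderMetadata().getResponseTypeSupported().isEmpty()) {
            errors.add("subject_types_supported metadata is mandatory");
        }
        if (openIdConfiguration.getProviderMetadata().getIdTokenSigningAlgorithmsSupported().isEmpty()) {
            errors.add("id_token_signing_alg_values_supported metadata is mandatory");
        }
        return errors;
    }

    /**
     * Checks the client-side settings: client id, redirect URI, JWKS timeouts, response type
     * and requested scopes.
     *
     * @return one message per problem found; empty when the settings pass
     */
    private List<String> validateClientConfiguration(OpenIdConfiguration openIdConfiguration) {
        List<String> errors = new ArrayList<>();
        if (StringHelper.isEmpty(openIdConfiguration.getClientId())) {
            errors.add("client_id request parameter is mandatory");
        }
        if (StringHelper.isEmpty(openIdConfiguration.getRedirectURI())) {
            errors.add("redirect_uri request parameter is mandatory");
        }
        if (openIdConfiguration.getJwksConnectTimeout() <= 0) {
            errors.add("jwksConnectTimeout value is not valid");
        }
        if (openIdConfiguration.getJwksReadTimeout() <= 0) {
            errors.add("jwksReadTimeout value is not valid");
        }
        String responseType = openIdConfiguration.getResponseType();
        if (StringHelper.isEmpty(responseType)) {
            errors.add("The response type must contain at least one value");
        } else {
            // NOTE(review): a response type passes when it is in any of the three flow-type
            // constants, even if the provider metadata does not list it; confirm this is intended.
            boolean known = openIdConfiguration.getProviderMetadata().getResponseTypeSupported().contains(responseType)
                    || OpenIdConstant.AUTHORIZATION_CODE_FLOW_TYPES.contains(responseType)
                    || OpenIdConstant.IMPLICIT_FLOW_TYPES.contains(responseType)
                    || OpenIdConstant.HYBRID_FLOW_TYPES.contains(responseType);
            if (!known) {
                errors.add("Unsupported OpenID Connect response type value : " + responseType);
            }
        }
        // Requested scopes are checked only when the provider metadata lists supported scopes.
        Set<String> scopesSupported = openIdConfiguration.getProviderMetadata().getScopesSupported();
        if (!scopesSupported.isEmpty()) {
            for (String scope : openIdConfiguration.getScopes().split(SPACE_SEPARATOR)) {
                if (!scopesSupported.contains(scope)) {
                    errors.add(String.format("%s scope is not supported by %s OpenId Connect provider", scope, openIdConfiguration.getProviderMetadata().getIssuerURI()));
                }
            }
        }
        return errors;
    }
}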
