package dev.sigstore.oidc.client;

import com.google.api.client.auth.oauth2.AuthorizationCodeFlow;
import com.google.api.client.auth.oauth2.BearerToken;
import com.google.api.client.auth.oauth2.ClientParametersAuthentication;
import com.google.api.client.auth.openidconnect.IdToken;
import com.google.api.client.auth.openidconnect.IdTokenVerifier;
import com.google.api.client.extensions.java6.auth.oauth2.AuthorizationCodeInstalledApp;
import com.google.api.client.extensions.jetty.auth.oauth2.LocalServerReceiver;
import com.google.api.client.http.GenericUrl;
import com.google.api.client.http.HttpRequestFactory;
import com.google.api.client.http.HttpTransport;
import com.google.api.client.json.GenericJson;
import com.google.api.client.json.JsonFactory;
import com.google.api.client.json.gson.GsonFactory;
import com.google.api.client.util.Key;
import com.google.api.client.util.store.MemoryDataStoreFactory;
import dev.sigstore.http.HttpClients;
import dev.sigstore.http.HttpParams;
import dev.sigstore.http.ImmutableHttpParams;
import java.io.IOException;
import java.util.Arrays;
import java.util.Locale;
import java.util.Objects;

/* loaded from: input_file:dev/sigstore/oidc/client/WebOidcClient.class */
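/**
 * Interactive OIDC client: discovers the issuer's endpoints, runs a PKCE authorization-code
 * flow through the user's browser against a local redirect receiver, verifies the returned
 * id token and exposes it together with its verified {@code email} claim.
 *
 * <p>Instances are immutable; obtain one through {@link #builder()}.
 */
public class WebOidcClient implements OidcClient {
    /** Issuer URL of the public-good sigstore Dex instance. */
    public static final String PUBLIC_DEX_ISSUER = "https://oauth2.sigstore.dev/auth";
    /** Issuer URL of the sigstore staging Dex instance. */
    public static final String STAGING_DEX_ISSUER = "https://oauth2.sigstage.dev/auth";
    // key of the id token both in the token endpoint response and in the in-memory data store
    private static final String ID_TOKEN_KEY = "id_token";
    private static final String DEFAULT_CLIENT_ID = "sigstore";
    // OIDC discovery path, appended to the issuer URL
    private static final String WELL_KNOWN_CONFIG = "/.well-known/openid-configuration";
    // single-user flow, so one fixed id for the data store and the authorize() call suffices
    private static final String USER_ID = "user";
    // claims read from the verified id token
    private static final String EMAIL_CLAIM = "email";
    private static final String EMAIL_VERIFIED_CLAIM = "email_verified";
    private final HttpParams httpParams;
    private final String clientId;
    private final String issuer;
    private final BrowserHandler browserHandler;

    /** Opens the authorization URL for the user; the default implementation launches the desktop browser. */
    @FunctionalInterface
    public interface BrowserHandler {
        /**
         * @param str the authorization URL to open
         * @throws IOException if the browser could not be launched
         */
        void openBrowser(String str) throws IOException;
    }

    /** Fluent configuration for {@link WebOidcClient}; defaults target the public Dex issuer. */
    public static class Builder {
        private HttpParams httpParams = ImmutableHttpParams.builder().build();
        private String clientId = WebOidcClient.DEFAULT_CLIENT_ID;
        private String issuer = WebOidcClient.PUBLIC_DEX_ISSUER;
        // null means "use the platform default browser" at build time
        private BrowserHandler browserHandler = null;

        private Builder() {
        }

        /** @param httpParams transport settings used for discovery and the token exchange (non-null) */
        public Builder setHttpParams(HttpParams httpParams) {
            this.httpParams = Objects.requireNonNull(httpParams, "httpParams");
            return this;
        }

        /** @param str the OAuth client id registered with the issuer (non-null) */
        public Builder setClientId(String str) {
            this.clientId = Objects.requireNonNull(str, "clientId");
            return this;
        }

        /** @param str the OIDC issuer URL; discovery is fetched relative to it (non-null) */
        public Builder setIssuer(String str) {
            this.issuer = Objects.requireNonNull(str, "issuer");
            return this;
        }

        /** @param browserHandler custom URL opener, or {@code null} for the default desktop browser */
        public Builder setBrowser(BrowserHandler browserHandler) {
            this.browserHandler = browserHandler;
            return this;
        }

        /** Creates the client, substituting the default browser when none was configured. */
        public WebOidcClient build() {
            BrowserHandler handler = this.browserHandler;
            if (handler == null) {
                AuthorizationCodeInstalledApp.DefaultBrowser defaultBrowser =
                        new AuthorizationCodeInstalledApp.DefaultBrowser();
                handler = defaultBrowser::browse;
            }
            return new WebOidcClient(this.httpParams, this.issuer, this.clientId, handler);
        }
    }

    /** The subset of the OIDC discovery document this client needs. */
    public static class OIDCEndpoints extends GenericJson {

        @Key("authorization_endpoint")
        private String authEndpoint;

        @Key("token_endpoint")
        private String tokenEndpoint;

        @Key("jwks_uri")
        private String jwksUri;

        /** @return the {@code authorization_endpoint} value, or {@code null} if absent */
        public String getAuthEndpoint() {
            return this.authEndpoint;
        }

        /** @return the {@code token_endpoint} value, or {@code null} if absent */
        public String getTokenEndpoint() {
            return this.tokenEndpoint;
        }

        /** @return the {@code jwks_uri} value, or {@code null} if absent */
        public String getJwksUri() {
            return this.jwksUri;
        }
    }

    private WebOidcClient(HttpParams httpParams, String str, String str2, BrowserHandler browserHandler) {
        this.httpParams = httpParams;
        this.clientId = str2;
        this.issuer = str;
        this.browserHandler = browserHandler;
    }

    /** @return a builder preset for the public Dex issuer and the default client id */
    public static Builder builder() {
        return new Builder();
    }

    /** This client is always available; it has no environment-dependent precondition. */
    @Override // dev.sigstore.oidc.client.OidcClient
    public boolean isEnabled() {
        return true;
    }

    /**
     * Runs the full interactive flow and returns the verified id token.
     *
     * @return the raw id token together with the verified email address it carries
     * @throws OidcException if discovery fails, the handshake fails, the token endpoint returns
     *     no id token, the token does not verify, or the email claim is missing or unverified
     */
    @Override // dev.sigstore.oidc.client.OidcClient
    public OidcToken getIDToken() throws OidcException {
        GsonFactory jsonFactory = new GsonFactory();
        HttpTransport transport = HttpClients.newHttpTransport(this.httpParams);
        // the id token only reaches us through the credential-created listener, so it is
        // parked in an in-memory store and read back once authorize() returns
        MemoryDataStoreFactory storeFactory = new MemoryDataStoreFactory();
        try {
            OIDCEndpoints endpoints = parseDiscoveryDocument(jsonFactory, transport);
            AuthorizationCodeFlow flow = buildFlow(jsonFactory, transport, storeFactory, endpoints);
            try {
                new AuthorizationCodeInstalledApp(flow, new LocalServerReceiver(), this.browserHandler::openBrowser)
                        .authorize(USER_ID);
                String rawIdToken = storeFactory.<String>getDataStore(USER_ID).get(ID_TOKEN_KEY);
                if (rawIdToken == null) {
                    throw new OidcException("token endpoint of " + this.issuer + " did not return an id_token");
                }
                IdToken idToken = IdToken.parse(jsonFactory, rawIdToken);
                verifyIdToken(idToken, endpoints);
                String email = verifiedEmail(idToken);
                return ImmutableOidcToken.builder().subjectAlternativeName(email).idToken(rawIdToken).build();
            } catch (IOException handshakeFailure) {
                throw new OidcException("ioexception during oidc handshake", handshakeFailure);
            }
        } catch (IOException discoveryFailure) {
            throw new OidcException(
                    "ioexception obtaining and parsing oidc configuration for " + this.issuer, discoveryFailure);
        }
    }

    /**
     * Configures the PKCE authorization-code flow against the discovered endpoints. The
     * listener copies the {@code id_token} of the token response into the data store; a
     * response without one leaves the store empty, which {@link #getIDToken()} reports.
     */
    private AuthorizationCodeFlow buildFlow(JsonFactory jsonFactory, HttpTransport transport,
            MemoryDataStoreFactory storeFactory, OIDCEndpoints endpoints) {
        return new AuthorizationCodeFlow.Builder(
                        BearerToken.authorizationHeaderAccessMethod(),
                        transport,
                        jsonFactory,
                        new GenericUrl(endpoints.getTokenEndpoint()),
                        // public client: client id only, no client secret
                        new ClientParametersAuthentication(this.clientId, (String) null),
                        this.clientId,
                        endpoints.getAuthEndpoint())
                .enablePKCE()
                .setScopes(Arrays.asList("openid", "email"))
                .setCredentialCreatedListener((credential, tokenResponse) -> {
                    Object idToken = tokenResponse.get(ID_TOKEN_KEY);
                    if (idToken != null) {
                        storeFactory.getDataStore(USER_ID).set(ID_TOKEN_KEY, idToken.toString());
                    }
                })
                .build();
    }

    /**
     * Verifies the token's signature against the issuer's JWKS and its {@code iss} claim
     * against the configured issuer (time validity is whatever the verifier checks by default).
     *
     * @throws OidcException if the verifier rejects the token
     */
    private void verifyIdToken(IdToken idToken, OIDCEndpoints endpoints) throws OidcException {
        // NOTE(review): no audience is configured, so the token's "aud" claim is not compared
        // with clientId; consider IdTokenVerifier.Builder#setAudience if the issuer sets it.
        IdTokenVerifier verifier = new IdTokenVerifier.Builder()
                .setIssuer(this.issuer)
                .setCertificatesLocation(endpoints.getJwksUri())
                .build();
        if (!verifier.verify(idToken)) {
            throw new OidcException("id token could not be verified");
        }
    }

    /**
     * Extracts the {@code email} claim, requiring {@code email_verified} to be boolean true.
     *
     * @throws OidcException if the email is missing, or is absent from / not confirmed by the
     *     {@code email_verified} claim
     */
    private static String verifiedEmail(IdToken idToken) throws OidcException {
        IdToken.Payload payload = idToken.getPayload();
        String email = (String) payload.get(EMAIL_CLAIM);
        if (email == null) {
            throw new OidcException(String.format(Locale.ROOT,
                    "identity provider '%s' did not include an email address in the id token",
                    payload.getIssuer()));
        }
        Object emailVerified = payload.get(EMAIL_VERIFIED_CLAIM);
        // an absent or non-boolean claim counts as unverified instead of surfacing as an NPE/CCE
        if (!Boolean.TRUE.equals(emailVerified)) {
            throw new OidcException(String.format(Locale.ROOT,
                    "identity provider '%s' reports email address '%s' has not been verified",
                    payload.getIssuer(), email));
        }
        return email;
    }

    /**
     * Fetches and parses the issuer's OIDC discovery document.
     *
     * @throws IOException on transport failure, or if the document lacks an endpoint this
     *     client needs
     */
    OIDCEndpoints parseDiscoveryDocument(JsonFactory jsonFactory, HttpTransport httpTransport) throws IOException {
        HttpRequestFactory requestFactory = httpTransport.createRequestFactory(
                request -> request.setParser(jsonFactory.createJsonObjectParser()));
        GenericUrl discoveryUrl = new GenericUrl(this.issuer);
        discoveryUrl.appendRawPath(WELL_KNOWN_CONFIG);
        OIDCEndpoints endpoints =
                requestFactory.buildGetRequest(discoveryUrl).execute().parseAs(OIDCEndpoints.class);
        // NOTE(review): the document's own "issuer" field is not mapped, so it is not compared
        // with the configured issuer here; the id token's "iss" claim is checked at verification.
        requireEndpoint(endpoints.getAuthEndpoint(), "authorization_endpoint");
        requireEndpoint(endpoints.getTokenEndpoint(), "token_endpoint");
        requireEndpoint(endpoints.getJwksUri(), "jwks_uri");
        return endpoints;
    }

    /** Rejects a discovery document that omits a field this client cannot operate without. */
    private void requireEndpoint(String value, String field) throws IOException {
        if (value == null || value.isEmpty()) {
            throw new IOException("oidc discovery document for " + this.issuer + " has no " + field);
        }
    }
}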
