package pl.edu.icm.unity.oauth.as.token.introspection;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.KeyTypeException;
import com.nimbusds.jose.crypto.ECDSAVerifier;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jose.jwk.ECKey;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.KeyType;
import com.nimbusds.jose.jwk.KeyUse;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
import eu.emi.security.authn.x509.X509CertChainValidator;
import eu.emi.security.authn.x509.X509CertChainValidatorExt;
import eu.unicore.util.configuration.ConfigurationException;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URL;
import java.security.PublicKey;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import org.apache.logging.log4j.Logger;
import pl.edu.icm.unity.base.exceptions.EngineException;
import pl.edu.icm.unity.base.utils.Log;
import pl.edu.icm.unity.engine.api.PKIManagement;
import pl.edu.icm.unity.engine.api.pki.NamedCertificate;
import pl.edu.icm.unity.oauth.oidc.metadata.JWKSetRequest;
import pl.edu.icm.unity.oauth.oidc.metadata.OAuthDiscoveryMetadataCache;
import pl.edu.icm.unity.oauth.oidc.metadata.OAuthJWKSetCache;
import pl.edu.icm.unity.oauth.oidc.metadata.OIDCMetadataRequest;

/* loaded from: input_file:pl/edu/icm/unity/oauth/as/token/introspection/IntrospectionServiceContextProvider.class */
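/**
 * Resolves the {@link RemoteIntrospectionServiceContext} (endpoint, client credentials, JWS verifier
 * and TLS trust settings) to use for a token issued by a given upstream issuer.
 * <p>
 * Two sources of configuration are supported, both coming from {@link TrustedUpstreamConfiguration}:
 * <ul>
 *   <li>manual entries ({@code isMetadata() == false}) — the introspection URL and the certificate used
 *       to verify the upstream's signatures are pinned in configuration; these are resolved once, in
 *       the constructor;</li>
 *   <li>metadata entries ({@code isMetadata() == true}) — endpoint, issuer and signing keys are taken
 *       from the OIDC discovery document and its JWK Set; these are (re)resolved on every lookup,
 *       relying on the injected caches to avoid repeated network fetches (assumed — confirm against
 *       the cache implementations).</li>
 * </ul>
 * A manual entry always wins over a metadata entry for the same issuer.
 * <p>
 * Note on trust: for manual entries the signing key is pinned to a certificate from
 * {@link PKIManagement}; for metadata entries the signing key is whatever the discovered JWK Set
 * publishes, so the TLS trust store ({@code clientTrustStore}) and hostname checking of the
 * discovery/JWKS fetch are the only thing binding those keys to the issuer.
 * <p>
 * This class is not thread-safe: lookups mutate the metadata-configured map.
 */
class IntrospectionServiceContextProvider {
    private static final Logger log = Log.getLogger("unity.server.oauth", RemoteTokenIntrospectionService.class);
    private static final String INVALID_CONFIG_MSG = "Invalid remote introspection service configuration";

    private final OAuthDiscoveryMetadataCache oAuthDiscoveryMetadataCache;
    private final OAuthJWKSetCache keyResourceCache;
    private final PKIManagement pkiManagement;
    /** Contexts built from OIDC discovery metadata, keyed by the issuer the metadata advertises. */
    final Map<String, RemoteIntrospectionServiceContext> remoteConfiguredSerivceContextByIssuer = new HashMap<>();
    /** Contexts pinned in configuration, keyed by the configured issuer URI. */
    final Map<String, RemoteIntrospectionServiceContext> manualyConfiguredServiceContextByIssuer = new HashMap<>();
    final List<TrustedUpstreamConfiguration> config;

    /**
     * Creates the provider and eagerly resolves all manually configured upstreams.
     * Invalid manual entries are logged and skipped rather than failing construction.
     *
     * @param oAuthDiscoveryMetadataCache source of OIDC discovery documents
     * @param oAuthJWKSetCache source of JWK Sets referenced by discovery documents
     * @param pKIManagement source of pinned certificates and HTTP client trust stores
     * @param list trusted upstream configurations (both manual and metadata based)
     */
    public IntrospectionServiceContextProvider(OAuthDiscoveryMetadataCache oAuthDiscoveryMetadataCache, OAuthJWKSetCache oAuthJWKSetCache, PKIManagement pKIManagement, List<TrustedUpstreamConfiguration> list) {
        this.config = list;
        this.oAuthDiscoveryMetadataCache = oAuthDiscoveryMetadataCache;
        this.keyResourceCache = oAuthJWKSetCache;
        this.pkiManagement = pKIManagement;
        initManualConfiguredIntrospectionServices(list);
    }

    /**
     * Returns the introspection context for the given issuer, preferring a manually configured entry
     * over one derived from discovery metadata.
     * <p>
     * Metadata-based entries are re-resolved on each call (see {@link #initServicesConfiguredByMetadata}).
     *
     * @param issuer issuer identifier as found in the token
     * @return the matching context, or empty if no upstream is configured for that issuer
     */
    public Optional<RemoteIntrospectionServiceContext> getRemoteServiceContext(String issuer) {
        initServicesConfiguredByMetadata(this.config);
        RemoteIntrospectionServiceContext manual = this.manualyConfiguredServiceContextByIssuer.get(issuer);
        if (manual != null) {
            return Optional.of(manual);
        }
        return Optional.ofNullable(this.remoteConfiguredSerivceContextByIssuer.get(issuer));
    }

    /**
     * Rebuilds the map of manually configured contexts from the non-metadata entries of {@code list}.
     * A single broken entry is logged and skipped so that the remaining upstreams stay usable.
     */
    private void initManualConfiguredIntrospectionServices(List<TrustedUpstreamConfiguration> list) {
        this.manualyConfiguredServiceContextByIssuer.clear();
        for (TrustedUpstreamConfiguration upstream : list) {
            if (upstream.isMetadata()) {
                continue;
            }
            try {
                RemoteIntrospectionServiceContext context = getManualIntrospectionConfig(upstream);
                this.manualyConfiguredServiceContextByIssuer.put(context.issuer, context);
            } catch (Exception e) {
                log.error(INVALID_CONFIG_MSG, e);
            }
        }
    }

    /**
     * Rebuilds the map of metadata-configured contexts from the metadata entries of {@code list}.
     * Entries whose discovery document or JWK Set cannot be obtained are logged and skipped.
     */
    private void initServicesConfiguredByMetadata(List<TrustedUpstreamConfiguration> list) {
        this.remoteConfiguredSerivceContextByIssuer.clear();
        for (TrustedUpstreamConfiguration upstream : list) {
            if (!upstream.isMetadata()) {
                continue;
            }
            try {
                getByMetadataIntrospectionConfig(upstream)
                        .ifPresent(context -> this.remoteConfiguredSerivceContextByIssuer.put(context.issuer, context));
            } catch (Exception e) {
                log.error(INVALID_CONFIG_MSG, e);
            }
        }
    }

    /**
     * Builds a context for a manual entry: the JWS verifier is derived from the configured
     * (pinned) certificate and the introspection endpoint is taken verbatim from configuration.
     *
     * @throws MalformedURLException if {@code introspectionEndpointURL} is not a valid URL
     * @throws JOSEException if a verifier cannot be built from the certificate's public key
     * @throws ConfigurationException if the certificate or trust store cannot be resolved
     */
    private RemoteIntrospectionServiceContext getManualIntrospectionConfig(TrustedUpstreamConfiguration upstream) throws MalformedURLException, JOSEException {
        JWSVerifier verifier = getJWSVerifier(getCertificate(upstream.certificate));
        return RemoteIntrospectionServiceContext.builder()
                .withClientId(upstream.clientId)
                .withClientSecret(upstream.clientSecret)
                .withIssuer(upstream.issuerURI)
                .withVerifier(verifier)
                .withUrl(new URL(upstream.introspectionEndpointURL))
                .withValidator(getValidator(upstream.clientTrustStore))
                .withHostnameCheckingMode(upstream.clientHostnameChecking)
                .build();
    }

    /**
     * Builds a context for a metadata entry by fetching the OIDC discovery document and the JWK Set
     * it references.
     * <p>
     * Each step (discovery fetch, JWKS fetch, verifier construction, context assembly) has its own
     * error handling so that the logged message names the step that actually failed. Missing
     * {@code jwks_uri} or {@code introspection_endpoint} in the discovery document yields an empty
     * result without an error log, as the upstream may legitimately not support introspection.
     *
     * @return the context, or empty if any step fails or the metadata is incomplete
     */
    private Optional<RemoteIntrospectionServiceContext> getByMetadataIntrospectionConfig(TrustedUpstreamConfiguration upstream) {
        X509CertChainValidator validator = getValidator(upstream.clientTrustStore);

        OIDCProviderMetadata metadata;
        try {
            metadata = this.oAuthDiscoveryMetadataCache.getMetadata(OIDCMetadataRequest.builder()
                    .withHostnameChecking(upstream.clientHostnameChecking)
                    .withUrl(upstream.metadataURL)
                    .withValidatorName(upstream.clientTrustStore)
                    .withValidator(validator)
                    .build());
        } catch (Exception e) {
            log.error("Can not get OIDCMetadata from " + upstream.metadataURL, e);
            return Optional.empty();
        }

        URI jwkSetURI = metadata.getJWKSetURI();
        if (jwkSetURI == null) {
            log.debug("JWKSet URI in OIDCMetadata from {} is not provided", upstream.metadataURL);
            return Optional.empty();
        }
        // Checked up front: dereferencing a null endpoint below would surface as an unrelated error.
        URI introspectionURI = metadata.getIntrospectionEndpointURI();
        if (introspectionURI == null) {
            log.debug("Introspection endpoint URI in OIDCMetadata from {} is not provided", upstream.metadataURL);
            return Optional.empty();
        }

        JWKSet jwkSet;
        try {
            jwkSet = this.keyResourceCache.getMetadata(JWKSetRequest.builder()
                    .withHostnameChecking(upstream.clientHostnameChecking)
                    .withUrl(jwkSetURI.toURL().toExternalForm())
                    .withValidatorName(upstream.clientTrustStore)
                    .withValidator(validator)
                    .build());
        } catch (Exception e) {
            log.error("Can not get JWKSet from " + jwkSetURI, e);
            return Optional.empty();
        }

        JWSVerifier verifier;
        try {
            verifier = getJWSVerifier(jwkSet);
        } catch (Exception e) {
            log.error("Can not build JWSVerifier from JWKSet", e);
            return Optional.empty();
        }

        try {
            return Optional.of(RemoteIntrospectionServiceContext.builder()
                    .withClientId(upstream.clientId)
                    .withClientSecret(upstream.clientSecret)
                    .withIssuer(metadata.getIssuer().getValue())
                    .withVerifier(verifier)
                    .withValidator(validator)
                    .withHostnameCheckingMode(upstream.clientHostnameChecking)
                    .withUrl(introspectionURI.toURL())
                    .build());
        } catch (MalformedURLException e) {
            log.error(INVALID_CONFIG_MSG, e);
            return Optional.empty();
        }
    }

    /**
     * Builds a JWS verifier from the public key of a pinned certificate.
     * Only RSA and EC keys are supported.
     *
     * @throws JOSEException if the nimbus verifier rejects the key
     * @throws ConfigurationException if the key is of an unsupported type
     */
    private JWSVerifier getJWSVerifier(NamedCertificate namedCertificate) throws JOSEException {
        PublicKey publicKey = namedCertificate.value.getPublicKey();
        if (publicKey instanceof RSAPublicKey) {
            return new RSASSAVerifier((RSAPublicKey) publicKey);
        }
        if (publicKey instanceof ECPublicKey) {
            return new ECDSAVerifier((ECPublicKey) publicKey);
        }
        throw new ConfigurationException("Can not build JWSVerifier from certificate " + namedCertificate.name);
    }

    /**
     * Builds a JWS verifier from the first key in the set that is marked {@code "use": "sig"} and
     * is an RSA or EC key.
     * <p>
     * Keys without a {@code use} member are deliberately not considered, so a JWK Set that omits
     * {@code use} on all keys results in a {@link ConfigurationException} rather than a verifier.
     * Only one key is selected; there is no per-token {@code kid} matching here, so an upstream
     * that publishes several signing keys (e.g. during rotation) is verified against the first
     * one only — the caller's contract (a single {@link JWSVerifier}) does not allow more.
     *
     * @throws KeyTypeException if a key advertises RSA/EC type but is not the matching JWK class
     * @throws JOSEException if the nimbus verifier rejects the key
     * @throws ConfigurationException if no usable signature key is present
     */
    private JWSVerifier getJWSVerifier(JWKSet jwkSet) throws JOSEException {
        for (JWK jwk : jwkSet.getKeys()) {
            // "use" is optional in a JWK; compare constant-first so a missing member is skipped, not an NPE.
            if (!KeyUse.SIGNATURE.equals(jwk.getKeyUse())) {
                continue;
            }
            KeyType keyType = jwk.getKeyType();
            if (KeyType.RSA.equals(keyType)) {
                if (jwk instanceof RSAKey) {
                    return new RSASSAVerifier(jwk.toRSAKey().toRSAPublicKey());
                }
                throw new KeyTypeException(RSAPublicKey.class);
            }
            if (KeyType.EC.equals(keyType)) {
                if (jwk instanceof ECKey) {
                    return new ECDSAVerifier(jwk.toECKey().toECPublicKey());
                }
                throw new KeyTypeException(ECPublicKey.class);
            }
        }
        throw new ConfigurationException("Can not find JWK key to build verifier");
    }

    /**
     * Looks up a certificate by name in {@link PKIManagement}.
     *
     * @throws ConfigurationException wrapping the engine failure if the certificate cannot be resolved
     */
    private NamedCertificate getCertificate(String certificateName) {
        try {
            return this.pkiManagement.getCertificate(certificateName);
        } catch (EngineException e) {
            throw new ConfigurationException("Can not establish the certificate " + certificateName, e);
        }
    }

    /**
     * Looks up an HTTP client trust store (certificate chain validator) by name.
     *
     * @param validatorName configured trust store name, may be {@code null}
     * @return the validator, or {@code null} when no trust store is configured — callers pass that
     *         through to the request builders; what the HTTP client then trusts is decided there,
     *         not here (presumably its default trust settings — confirm in the client code)
     * @throws ConfigurationException if the name is set but unknown, or the lookup fails
     */
    private X509CertChainValidatorExt getValidator(String validatorName) {
        if (validatorName == null) {
            return null;
        }
        try {
            if (!this.pkiManagement.getValidatorNames().contains(validatorName)) {
                throw new ConfigurationException("The http client truststore " + validatorName + " for the OAuth verification client does not exist");
            }
            return this.pkiManagement.getValidator(validatorName);
        } catch (EngineException e) {
            throw new ConfigurationException("Can not establish the http client truststore " + validatorName, e);
        }
    }
}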
