package de.governikus.autent.eudiwallet.keycloak.provider.credentialbuilder;

import de.governikus.autent.eudiwallet.keycloak.constants.Constants;
import de.governikus.autent.eudiwallet.keycloak.constants.StaticContext;
import de.governikus.autent.eudiwallet.keycloak.constants.UtilityMethods;
import de.governikus.autent.eudiwallet.keycloak.database.ClientScopeRepository;
import de.governikus.autent.eudiwallet.keycloak.exceptions.UnparseableCredentialException;
import de.governikus.autent.eudiwallet.keycloak.provider.mapper.CredentialAttributeMapper;
import de.governikus.autent.eudiwallet.keycloak.provider.mapper.WalletCredentialProtocolMapper;
import jakarta.ws.rs.BadRequestException;
import java.security.PublicKey;
import java.time.Instant;
import java.time.LocalDateTime;
import java.time.ZoneOffset;
import java.util.Map;
import java.util.Objects;
import java.util.stream.Stream;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.tuple.Pair;
import org.keycloak.TokenVerifier;
import org.keycloak.common.VerificationException;
import org.keycloak.crypto.KeyWrapper;
import org.keycloak.jose.jws.JWSHeader;
import org.keycloak.models.ClientScopeModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.light.LightweightUserAdapter;
import org.keycloak.protocol.ProtocolMapper;
import org.keycloak.representations.JsonWebToken;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:de/governikus/autent/eudiwallet/keycloak/provider/credentialbuilder/JwtJsonCredentialBuilderProvider.class */
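/**
 * Builds and parses credentials in the {@code jwt_json} format.
 *
 * <p>{@link #buildCredential} turns a client scope plus a user into a plain {@link JsonWebToken}
 * carrying the issuer, {@code iat}/{@code exp}, the credential type and the subject claims produced
 * by the scope's mappers. {@link #parseCredential} does the reverse for a serialized JWS: it verifies
 * the signature against the PID provider key named by the {@code kid} header, enforces the
 * {@code exp} claim and maps the claims back onto a non-persisted {@link LightweightUserAdapter}.
 *
 * <p>Thread-safety: the class holds only the session it was created with; it is as thread-safe as
 * that session.
 */
public class JwtJsonCredentialBuilderProvider implements OpenId4VciCredentialBuilderProvider<JsonWebToken> {
    private static final Logger log = LoggerFactory.getLogger(JwtJsonCredentialBuilderProvider.class);

    /** Format identifier reported when a token cannot be handled by this builder. */
    private static final String FORMAT = "jwt_json";

    /** Claim holding the holder's user id; it becomes both id and username of the parsed user. */
    private static final String ID_CLAIM = "id";

    /** User attribute listing the credential types a parsed user has presented. */
    private static final String VERIFIABLE_CREDENTIAL_ATTRIBUTE = "VerifiableCredential";

    /** Lifetime of an issued credential, applied to the {@code exp} claim. */
    private static final long CREDENTIAL_VALIDITY_MONTHS = 6L;

    private final KeycloakSession keycloakSession;

    /**
     * Creates a builder bound to the given session.
     *
     * @param keycloakSession session used for issuer, key and client-scope lookups
     */
    public JwtJsonCredentialBuilderProvider(KeycloakSession keycloakSession) {
        this.keycloakSession = keycloakSession;
    }

    /**
     * Builds an unsigned {@link JsonWebToken} credential for {@code userModel} of the type named by
     * {@code clientScopeModel}.
     *
     * @param clientScopeModel client scope whose name is the credential type and whose mappers supply the subject claims
     * @param userModel user the credential is issued to; its username becomes the token id
     * @return the populated token; signing is left to the caller
     */
    @Override
    public JsonWebToken buildCredential(ClientScopeModel clientScopeModel, UserModel userModel) {
        String issuer = StaticContext.getIssuer(this.keycloakSession);
        String credentialType = clientScopeModel.getName();

        // Derive iat and exp from one Instant, both in UTC, so the two claims agree regardless of
        // the host time zone (a LocalDateTime taken in the system zone and then read as UTC would
        // shift exp by the zone offset).
        Instant now = Instant.now();
        long expiresAt = now.atOffset(ZoneOffset.UTC)
            .plusMonths(CREDENTIAL_VALIDITY_MONTHS)
            .toInstant()
            .getEpochSecond();

        JsonWebToken credential = new JsonWebToken();
        credential.id(userModel.getUsername());
        credential.issuer(issuer);
        credential.iat(now.getEpochSecond());
        credential.exp(expiresAt);
        credential.type(credentialType);
        credential.setOtherClaims(Constants.ProtocolAttributes.VCT, credentialType);

        Map<String, Object> subjectClaims = getSubjectClaimsForIssuance(this.keycloakSession, clientScopeModel, userModel);
        subjectClaims.forEach(credential::setOtherClaims);
        return credential;
    }

    /**
     * Verifies a serialized {@code jwt_json} credential and materialises its claims as a user.
     *
     * <p>Order of checks: JWS parsing, presence of the {@code typ} claim (which names the client
     * scope), lookup of the signing key by {@code kid}, signature verification, expiry, then claim
     * mapping. Only after the signature has been verified are the token's claims acted upon.
     *
     * @param str the compact JWS serialization
     * @return a non-persisted user carrying the credential's claims and a
     *         {@value #VERIFIABLE_CREDENTIAL_ATTRIBUTE} attribute naming the credential type
     * @throws UnparseableCredentialException if {@code str} is not a JWS, has no {@code typ} claim or names an unknown type
     * @throws BadRequestException if the signing key is unknown, the signature does not verify, the
     *         credential is expired or it lacks an {@value #ID_CLAIM} claim
     */
    @Override
    public UserModel parseCredential(String str) throws UnparseableCredentialException {
        TokenVerifier<JsonWebToken> verifier = TokenVerifier.create(str, JsonWebToken.class);
        try {
            JWSHeader header = verifier.getHeader();
            JsonWebToken token = verifier.getToken();

            // A missing typ means this is some other credential format, not a malformed one of ours.
            String type = token.getType();
            if (StringUtils.isBlank(type)) {
                throw new UnparseableCredentialException(String.format("Credential is not of format '%s'", FORMAT));
            }
            ClientScopeModel credentialScope = ClientScopeRepository.getClientScopeByName(this.keycloakSession, type);
            if (credentialScope == null) {
                // Guard for a repository that returns null for an unknown name instead of throwing.
                throw new UnparseableCredentialException(String.format("Unknown credential type '%s'", type));
            }

            // The key is selected by the still-unverified kid header; an unknown kid is a client
            // error, not a NullPointerException.
            KeyWrapper signingKey = UtilityMethods.getPidProviderSigningKeyByKid(this.keycloakSession, header.getKeyId());
            if (signingKey == null) {
                throw new BadRequestException("Unknown signing key referenced by credential");
            }
            verifier.publicKey((PublicKey) signingKey.getPublicKey());
            try {
                verifier.verifierContext(getVerifierContext(signingKey)).verifySignature();
            } catch (VerificationException e) {
                log.debug(e.getMessage(), e);
                throw new BadRequestException("Failed to verify signature of credential");
            }

            // verifySignature() checks the signature only; the exp claim written at issuance must
            // be enforced explicitly or an expired credential would be accepted.
            if (token.isExpired()) {
                throw new BadRequestException("Credential has expired");
            }
            return toUser(token, credentialScope);
        } catch (VerificationException e) {
            throw new UnparseableCredentialException("Given Credential is not a JWS representation", e);
        }
    }

    /**
     * Maps the claims of an already verified token onto a lightweight user by running the scope's
     * {@link CredentialAttributeMapper}s in the document-to-user direction.
     *
     * @param token verified credential
     * @param credentialScope client scope matching the credential type
     * @return enabled, non-persisted user with id and username taken from the {@value #ID_CLAIM} claim
     * @throws BadRequestException if the {@value #ID_CLAIM} claim is missing or blank
     */
    private LightweightUserAdapter toUser(JsonWebToken token, ClientScopeModel credentialScope) {
        Map<String, Object> claims = token.getOtherClaims();
        String id = (String) claims.get(ID_CLAIM);
        if (StringUtils.isBlank(id)) {
            // Without an id the user would end up with a null username.
            throw new BadRequestException(String.format("Credential does not contain an '%s' claim", ID_CLAIM));
        }

        LightweightUserAdapter user = new LightweightUserAdapter(this.keycloakSession, id);
        user.setEnabled(true);

        KeycloakSessionFactory sessionFactory = this.keycloakSession.getKeycloakSessionFactory();
        credentialScope.getProtocolMappersStream().forEach(mapperModel -> {
            ProtocolMapper factory = (ProtocolMapper) sessionFactory.getProviderFactory(ProtocolMapper.class, mapperModel.getProtocolMapper());
            // Only the wallet-specific attribute mappers know how to map claims back onto a user.
            if (factory instanceof CredentialAttributeMapper) {
                ((WalletCredentialProtocolMapper) factory).transformDocumentToUser(claims, user, mapperModel);
            }
        });

        user.setUsername(id);
        user.setAttribute(VERIFIABLE_CREDENTIAL_ATTRIBUTE,
            Stream.concat(user.getAttributeStream(VERIFIABLE_CREDENTIAL_ATTRIBUTE), Stream.of(credentialScope.getName())).toList());
        return user;
    }
}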
