package de.governikus.autent.eudiwallet.keycloak.endpoints.credentialendpoints;

import de.governikus.autent.eudiwallet.keycloak.database.ClientScopeRepository;
import de.governikus.autent.eudiwallet.keycloak.endpoints.CorsEndpoint;
import de.governikus.autent.eudiwallet.keycloak.services.CredentialService;
import de.governikus.autent.eudiwallet.keycloak.services.JweService;
import java.time.Duration;
import java.time.temporal.ChronoUnit;
import java.util.Map;
import java.util.Objects;
import java.util.function.Function;
import org.apache.commons.lang3.StringUtils;
import org.keycloak.TokenVerifier;
import org.keycloak.common.VerificationException;
import org.keycloak.common.util.SecretGenerator;
import org.keycloak.common.util.Time;
import org.keycloak.models.ClientScopeModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.UserModel;
import org.keycloak.protocol.oid4vc.model.CredentialResponse;
import org.keycloak.representations.JsonWebToken;
import org.keycloak.services.managers.AuthenticationManager;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:de/governikus/autent/eudiwallet/keycloak/endpoints/credentialendpoints/AbstractCredentialEndpoint.class */
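/**
 * Common base for the credential endpoints: holds the authenticated caller, builds an
 * encrypted credential response and provides the proof-of-possession (PoP) claim
 * verifiers used with Keycloak's {@link TokenVerifier}.
 *
 * <p>This listing is decompiler output. The decompiler notes indicate that
 * {@link #parseFormat}, {@link #buildCredential} and {@link #getClientScope} were declared
 * {@code protected} in the original source; they are kept {@code public} here so that no
 * caller of the decompiled form breaks.
 *
 * <p>Instances are not shared across requests: {@code authResult} and {@code authenticatedUser}
 * are fixed at construction time.
 */
public abstract class AbstractCredentialEndpoint extends CorsEndpoint implements CredentialEndpoint {

    private static final Logger log = LoggerFactory.getLogger(AbstractCredentialEndpoint.class);

    /** Validity reported for the {@code c_nonce} handed back in a credential response. */
    private static final Duration C_NONCE_LIFETIME = Duration.of(5L, ChronoUnit.MINUTES);

    /** Result of the access-token authentication performed before this endpoint was created. */
    protected final AuthenticationManager.AuthResult authResult;

    /** The user the access token was issued to; credentials are built for this user. */
    protected final UserModel authenticatedUser;

    /**
     * PoP verifier that requires a key object under a configurable claim of the JWS body and
     * checks that it at least carries a non-blank {@code kty} member, as a JWK must.
     */
    public static class ProofOfPossessionBodyKeyPresentVerifier implements TokenVerifier.Predicate<JsonWebToken> {

        /** Name of the body claim that is expected to hold the key (e.g. a JWK object). */
        private final String bodyKeyParamName;

        /**
         * @param str name of the claim in the JWS body that must contain the key object
         */
        public ProofOfPossessionBodyKeyPresentVerifier(String str) {
            this.bodyKeyParamName = str;
        }

        /**
         * @param jsonWebToken the parsed proof of possession
         * @return {@code true} when the key claim is present and carries a non-blank {@code kty}
         * @throws VerificationException if the claim is missing, is not a JSON object, or has no
         *                               usable {@code kty}
         */
        @Override
        public boolean test(JsonWebToken jsonWebToken) throws VerificationException {
            Object keyClaim = jsonWebToken.getOtherClaims().get(this.bodyKeyParamName);
            // A claim of the wrong JSON type (string, number, array) is rejected the same way as
            // a missing one. The previous unchecked cast let a ClassCastException escape the
            // verifier for attacker-controlled input instead of reporting a verification failure.
            if (!(keyClaim instanceof Map)) {
                throw new VerificationException(String.format("Missing '%s' key in JWS body in proof of possession", this.bodyKeyParamName));
            }
            Object kty = ((Map<?, ?>) keyClaim).get("kty");
            if (!(kty instanceof String) || StringUtils.isBlank((String) kty)) {
                throw new VerificationException("Missing 'kty' parameter in key representation. Cannot be a JWK.");
            }
            return true;
        }
    }

    /**
     * PoP verifier that compares a string claim of the JWS body either with a fixed expected
     * value or with a caller-supplied predicate. A blank or non-string claim fails verification.
     */
    public static class ProofOfPossessionComparisonVerifier implements TokenVerifier.Predicate<JsonWebToken> {

        private static final String MISSING_MESSAGE =
            "Invalid proof of possession. Missing parameter '%s'\n".stripIndent().strip();

        private static final String MISMATCH_MESSAGE =
            "Invalid proof of possession. Invalid value for '%s'. Does not match expected value.\n".stripIndent().strip();

        /** Name of the body claim under test. */
        private final String parameterName;

        /** Exact value the claim must have; {@code null} when a verifier function is used instead. */
        private final String expectedValue;

        /** Predicate applied to the claim value when no fixed {@code expectedValue} is set. */
        private final Function<String, Boolean> expectedValueVerifier;

        /**
         * Verifier that requires the claim to equal a fixed value.
         *
         * @param str  claim name, must not be {@code null}
         * @param str2 expected claim value, must not be {@code null}
         */
        public ProofOfPossessionComparisonVerifier(String str, String str2) {
            this.parameterName = Objects.requireNonNull(str);
            this.expectedValue = Objects.requireNonNull(str2);
            this.expectedValueVerifier = null;
        }

        /**
         * Verifier that delegates the value check to a function.
         *
         * @param str      claim name, must not be {@code null}
         * @param function returns {@code true} for acceptable claim values, must not be {@code null}
         */
        public ProofOfPossessionComparisonVerifier(String str, Function<String, Boolean> function) {
            this.parameterName = Objects.requireNonNull(str);
            this.expectedValue = null;
            this.expectedValueVerifier = Objects.requireNonNull(function);
        }

        /**
         * Unchecked constructor taking both strategies; the fixed value wins when both are set.
         * With both {@code str2} and {@code function} {@code null}, {@link #test} fails with an
         * {@link IllegalStateException}.
         *
         * @param str      claim name
         * @param str2     expected claim value, may be {@code null}
         * @param function verifier function, may be {@code null}
         */
        public ProofOfPossessionComparisonVerifier(String str, String str2, Function<String, Boolean> function) {
            this.parameterName = str;
            this.expectedValue = str2;
            this.expectedValueVerifier = function;
        }

        /**
         * @param jsonWebToken the parsed proof of possession
         * @return {@code true} when the claim is present and matches
         * @throws VerificationException if the claim is blank, not a string, or does not match
         * @throws IllegalStateException if neither an expected value nor a verifier is configured
         */
        @Override
        public boolean test(JsonWebToken jsonWebToken) throws VerificationException {
            Object claim = jsonWebToken.getOtherClaims().get(this.parameterName);
            // Non-string claims are treated as missing rather than escaping as a ClassCastException.
            String actualValue = claim instanceof String ? (String) claim : null;
            if (StringUtils.isBlank(actualValue)) {
                throw new VerificationException(MISSING_MESSAGE.formatted(this.parameterName));
            }
            if (this.expectedValue != null) {
                if (StringUtils.equals(this.expectedValue, actualValue)) {
                    return true;
                }
                throw new VerificationException(MISMATCH_MESSAGE.formatted(this.parameterName));
            }
            if (this.expectedValueVerifier == null) {
                // Only reachable via the three-argument constructor with two nulls.
                throw new IllegalStateException("No expected value or verifier configured for parameter '" + this.parameterName + "'");
            }
            // Boolean.TRUE.equals() keeps a verifier that returns null from causing an NPE.
            if (Boolean.TRUE.equals(this.expectedValueVerifier.apply(actualValue))) {
                return true;
            }
            throw new VerificationException(MISMATCH_MESSAGE.formatted(this.parameterName));
        }
    }

    /**
     * PoP verifier bounding the proof's age: {@code iat} may be at most {@value #CLOCK_SKEW_SECONDS}
     * seconds in the future and must be less than {@value #LIFETIME_SECONDS} seconds in the past.
     */
    public static class ProofOfPossessionLifetimeVerifier implements TokenVerifier.Predicate<JsonWebToken> {

        /** Maximum accepted age of the proof in seconds. */
        private static final int LIFETIME_SECONDS = 30;

        /** Tolerance for the wallet's clock running ahead of the server, in seconds. */
        private static final int CLOCK_SKEW_SECONDS = 5;

        /**
         * @param jsonWebToken the parsed proof of possession
         * @return {@code true} when {@code iat} is absent or within the accepted window
         * @throws VerificationException if {@code iat} lies outside the window
         */
        @Override
        public boolean test(JsonWebToken jsonWebToken) throws VerificationException {
            Long iat = jsonWebToken.getIat();
            if (iat == null) {
                // NOTE(review): a proof without 'iat' passes with no freshness check at all;
                // confirm that the claim is required by another verifier in the chain.
                return true;
            }
            long now = Time.currentTime();
            boolean issuedInFuture = iat > now + CLOCK_SKEW_SECONDS;
            boolean expired = iat <= now - LIFETIME_SECONDS;
            if (issuedInFuture || expired) {
                throw new VerificationException("Proof of Possession not active: %1$s(iat) <= %2$s(time) + %3$s(clockSkew) &&                                 %1$s(iat) > %2$s(time) - %4$s(lifetime)\n".stripIndent().strip().formatted(iat, now, CLOCK_SKEW_SECONDS, LIFETIME_SECONDS));
            }
            return true;
        }
    }

    /**
     * @param keycloakSession current session, passed to {@link CorsEndpoint}
     * @param authResult      result of the bearer-token authentication; its user becomes
     *                        {@link #authenticatedUser}
     */
    public AbstractCredentialEndpoint(KeycloakSession keycloakSession, AuthenticationManager.AuthResult authResult) {
        super(keycloakSession);
        this.authResult = Objects.requireNonNull(authResult, "authResult");
        this.authenticatedUser = authResult.getUser();
    }

    /**
     * Normalises a loosely spelled credential format to the identifier used internally.
     *
     * @param str requested format, may be {@code null}
     * @return {@code mso_mdoc_authenticated_channel} for any mdoc spelling, {@code jwt_vc_json}
     *         for any spelling containing {@code jwt_vc}, otherwise {@code str} unchanged
     */
    public String parseFormat(String str) {
        if (StringUtils.containsIgnoreCase(str, "mso_mdoc")) {
            return "mso_mdoc_authenticated_channel";
        }
        // Argument order fixed: the requested format is searched for the "jwt_vc" marker. The
        // previous call searched the marker for the request, so "jwt", "vc" and "" all mapped
        // to jwt_vc_json.
        if (StringUtils.containsIgnoreCase(str, "jwt_vc")) {
            return "jwt_vc_json";
        }
        return str;
    }

    /**
     * Issues the credential for a client scope after checking that the caller's access token
     * actually grants that scope.
     *
     * @param clientScopeModel scope describing the credential type
     * @param str              credential format as understood by {@link CredentialService}
     * @return the JWE-encrypted credential response together with the plain signed credential
     * @throws RuntimeException the unauthorized exception from {@code getUnauthorizedException}
     *                          if the scope is not granted by the access token
     */
    public CredentialResponseRecord buildCredential(ClientScopeModel clientScopeModel, String str) {
        String scopeName = clientScopeModel.getName();
        log.debug("Requested scope '{}' in format '{}'", scopeName, str);
        var token = this.authResult.getToken();
        String grantedScope = token == null ? null : token.getScope();
        if (!isScopeGranted(grantedScope, scopeName)) {
            throw getUnauthorizedException(String.format("Not authorized to access credential of type '%s'", scopeName));
        }
        String signedCredential = new CredentialService(this.keycloakSession).getSignedCredential(clientScopeModel, str, this.authenticatedUser);
        String encryptedCredential = JweService.encryptPayload(this.keycloakSession, signedCredential);
        CredentialResponse credentialResponse = new CredentialResponse();
        credentialResponse.setCredential(encryptedCredential);
        credentialResponse.setcNonce(SecretGenerator.getInstance().randomString());
        credentialResponse.setcNonceExpiresIn(String.valueOf(C_NONCE_LIFETIME.toSeconds()));
        return new CredentialResponseRecord(credentialResponse, signedCredential);
    }

    /**
     * Whole-token match of a scope name against the space-separated {@code scope} claim.
     * The previous {@code String.contains} check was a substring match, so a granted scope
     * whose name merely contained the requested name (e.g. {@code pid_extended} vs
     * {@code pid}) would have authorised the request.
     *
     * @param grantedScope space-separated scope claim of the access token, may be {@code null}
     * @param scopeName    scope name to look for, may be {@code null}
     * @return {@code true} only if one of the granted tokens equals {@code scopeName}
     */
    private static boolean isScopeGranted(String grantedScope, String scopeName) {
        if (grantedScope == null || scopeName == null) {
            return false;
        }
        for (String granted : StringUtils.split(grantedScope)) {
            if (granted.equals(scopeName)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Looks up the configured client scope for a credential type and format.
     *
     * @param str  credential type ({@code vct})
     * @param str2 credential format
     * @return the matching client scope
     * @throws RuntimeException the invalid-request exception from {@code getInvalidRequestException}
     *                          if no scope is configured for the pair
     */
    public ClientScopeModel getClientScope(String str, String str2) {
        try {
            return ClientScopeRepository.getClientScopeByVctAndFormat(this.keycloakSession, str, str2);
        } catch (IllegalArgumentException e) {
            // The client only gets the generic message; the cause is kept in the debug log.
            log.debug("No client scope for type '{}' and format '{}'", str, str2, e);
            throw getInvalidRequestException(String.format("Invalid request parameters. Could not find configured credential with type '%s' and format '%s'", str, str2));
        }
    }
}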
