package de.governikus.autent.eudiwallet.keycloak.provider.credentialbuilder;

import de.governikus.autent.eudiwallet.keycloak.constants.Constants;
import de.governikus.autent.eudiwallet.keycloak.constants.StaticContext;
import de.governikus.autent.eudiwallet.keycloak.constants.UtilityMethods;
import de.governikus.autent.eudiwallet.keycloak.database.ClientScopeRepository;
import de.governikus.autent.eudiwallet.keycloak.exceptions.UnparseableCredentialException;
import de.governikus.autent.eudiwallet.keycloak.provider.mapper.WalletCredentialProtocolMapper;
import java.net.URI;
import java.security.PublicKey;
import java.time.Instant;
import java.time.LocalDateTime;
import java.time.ZoneOffset;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.stream.Stream;
import org.apache.commons.lang3.StringUtils;
import org.keycloak.TokenVerifier;
import org.keycloak.common.VerificationException;
import org.keycloak.crypto.KeyWrapper;
import org.keycloak.jose.jws.JWSHeader;
import org.keycloak.models.ClientScopeModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.UserModel;
import org.keycloak.models.light.LightweightUserAdapter;
import org.keycloak.protocol.oid4vc.model.CredentialSubject;
import org.keycloak.protocol.oid4vc.model.VerifiableCredential;
import org.keycloak.representations.JsonWebToken;
import org.keycloak.util.JsonSerialization;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:de/governikus/autent/eudiwallet/keycloak/provider/credentialbuilder/JwtVcCredentialBuilderProvider.class */
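/**
 * Builds and parses credentials of the {@code jwt_vc_json} format.
 *
 * <p>{@link #buildCredential} assembles a {@link VerifiableCredential} for a client scope and a
 * user; {@link #parseCredential} takes a compact JWS carrying a {@code vc} claim, verifies its
 * signature and maps the credential subject onto a transient {@link LightweightUserAdapter}.
 *
 * <p>The helpers {@code getSubjectClaimsForIssuance}, {@code getWalletCLaimsProtocolMappers} and
 * {@code getVerifierContext} are not declared in this class; presumably they are inherited from
 * {@link OpenId4VciCredentialBuilderProvider} (not visible here).
 */
public class JwtVcCredentialBuilderProvider implements OpenId4VciCredentialBuilderProvider<VerifiableCredential> {
    private static final Logger log = LoggerFactory.getLogger(JwtVcCredentialBuilderProvider.class);

    /** Generic type entry that accompanies the scope-specific type in every credential built here. */
    private static final String BASE_CREDENTIAL_TYPE = "VerifiableCredential";

    /** Format name used in the error messages of {@link #parseCredential}. */
    private static final String CREDENTIAL_FORMAT = "jwt_vc_json";

    /** Credential-subject claim that is used as id and username of the parsed user. */
    private static final String SUBJECT_ID_CLAIM = "id";

    private final KeycloakSession keycloakSession;

    /**
     * Creates a provider bound to the given session.
     *
     * @param keycloakSession session used for issuer, key and client-scope lookups
     */
    public JwtVcCredentialBuilderProvider(KeycloakSession keycloakSession) {
        this.keycloakSession = keycloakSession;
    }

    /**
     * Builds the credential for the given client scope and user.
     *
     * <p>The credential is typed {@code ["VerifiableCredential", <scope name>]}, issued "now" and
     * expires six months later.
     *
     * @param clientScopeModel scope whose name becomes the credential type and whose mappers supply the claims
     * @param userModel user the subject claims are read from
     * @return the populated credential
     */
    @Override
    public VerifiableCredential buildCredential(ClientScopeModel clientScopeModel, UserModel userModel) {
        // One reference instant for both dates. The expiry is computed in UTC: the previous
        // LocalDateTime.now() used the JVM default zone and was then read back as UTC, which
        // shifted the expiration date by the local zone offset.
        Instant issuedAt = Instant.now();
        Instant expiresAt = LocalDateTime.ofInstant(issuedAt, ZoneOffset.UTC).plusMonths(6L).toInstant(ZoneOffset.UTC);

        VerifiableCredential credential = new VerifiableCredential()
            .setContext(List.of("https://www.w3.org/ns/credentials/v1"))
            .setIssuer(URI.create(StaticContext.getIssuer(this.keycloakSession)))
            .setIssuanceDate(issuedAt)
            .setExpirationDate(expiresAt)
            .setType(List.of(BASE_CREDENTIAL_TYPE, clientScopeModel.getName()));

        CredentialSubject credentialSubject = new CredentialSubject();
        credentialSubject.setClaims(getSubjectClaimsForIssuance(this.keycloakSession, clientScopeModel, userModel));
        credential.setCredentialSubject(credentialSubject);
        return credential;
    }

    /**
     * Parses a {@code jwt_vc_json} credential and maps it to a transient user.
     *
     * <p>The signature is verified with the key selected by the JWS {@code kid} header before any
     * claim of the token is interpreted. Every structural problem of the (untrusted) input is
     * reported as {@link UnparseableCredentialException}.
     *
     * <p>NOTE(review): only the signature is checked in this method. Neither the JWT time claims
     * nor the credential's expiration date are evaluated here; confirm that a caller enforces
     * validity before the returned user is trusted.
     *
     * @param str the credential as compact JWS
     * @return an enabled lightweight user populated by the wallet protocol mappers of the matching scope
     * @throws UnparseableCredentialException if the input is not a JWS, the signature cannot be
     *     verified, or the {@code vc} claim does not have the expected shape
     */
    @Override
    public UserModel parseCredential(String str) throws UnparseableCredentialException {
        TokenVerifier<JsonWebToken> verifier = TokenVerifier.create(str, JsonWebToken.class);
        JWSHeader header;
        JsonWebToken token;
        try {
            header = verifier.getHeader();
            token = verifier.getToken();
        } catch (VerificationException e) {
            throw new UnparseableCredentialException("Given Credential is not a JWS representation", e);
        }

        verifySignature(verifier, header);

        Object vcClaim = token.getOtherClaims().get(Constants.ProtocolAttributes.VC_CLAIM_KEY);
        if (vcClaim == null) {
            throw new UnparseableCredentialException(String.format("Got invalid token with missing 'vc'-parameter. Credential is not of format '%s'", CREDENTIAL_FORMAT));
        }
        VerifiableCredential verifiableCredential;
        try {
            verifiableCredential = JsonSerialization.mapper.convertValue(vcClaim, VerifiableCredential.class);
        } catch (IllegalArgumentException e) {
            // convertValue reports a structurally wrong 'vc' claim this way.
            throw new UnparseableCredentialException(String.format("Credential is not of format '%s'", CREDENTIAL_FORMAT), e);
        }

        String scopeName = extractScopeName(verifiableCredential);
        ClientScopeModel clientScopeByName = ClientScopeRepository.getClientScopeByName(this.keycloakSession, scopeName);
        if (clientScopeByName == null) {
            // NOTE(review): the repository may already throw for unknown names; this guard only
            // prevents a NullPointerException further down if it returns null instead.
            throw new UnparseableCredentialException(String.format("Credential is not of format '%s'", CREDENTIAL_FORMAT));
        }

        CredentialSubject credentialSubject = verifiableCredential.getCredentialSubject();
        if (credentialSubject == null || credentialSubject.getClaims() == null) {
            throw new UnparseableCredentialException(String.format("Credential is not of format '%s'", CREDENTIAL_FORMAT));
        }
        Object idClaim = credentialSubject.getClaims().get(SUBJECT_ID_CLAIM);
        if (idClaim != null && !(idClaim instanceof String)) {
            // A non-string id previously surfaced as ClassCastException.
            throw new UnparseableCredentialException(String.format("Credential is not of format '%s'", CREDENTIAL_FORMAT));
        }
        // NOTE(review): a missing id is passed through as null, as before; confirm whether a
        // credential without subject id should be rejected.
        String subjectId = (String) idClaim;

        // Raw Map on purpose: the parameter type of transformDocumentToUser is not visible here.
        Map subjectDocument = JsonSerialization.mapper.convertValue(credentialSubject, Map.class);
        LightweightUserAdapter user = new LightweightUserAdapter(this.keycloakSession, subjectId);
        user.setEnabled(true);
        getWalletCLaimsProtocolMappers(this.keycloakSession, clientScopeByName).forEach(pair -> {
            ((WalletCredentialProtocolMapper) pair.getRight()).transformDocumentToUser(subjectDocument, user, (ProtocolMapperModel) pair.getLeft());
        });
        user.setUsername(subjectId);
        // Record which credential type backed this user, keeping entries the mappers may have set.
        user.setAttribute(BASE_CREDENTIAL_TYPE, Stream.concat(user.getAttributeStream(BASE_CREDENTIAL_TYPE), Stream.of(clientScopeByName.getName())).toList());
        return user;
    }

    /** Resolves the signing key named by the JWS header and verifies the token signature with it. */
    private void verifySignature(TokenVerifier<JsonWebToken> verifier, JWSHeader header) throws UnparseableCredentialException {
        KeyWrapper signingKey = UtilityMethods.getPidProviderSigningKeyByKid(this.keycloakSession, header.getKeyId());
        // instanceof also covers a null wrapper key; an unknown kid must not end in a
        // NullPointerException or ClassCastException.
        if (signingKey == null || !(signingKey.getPublicKey() instanceof PublicKey publicKey)) {
            throw new UnparseableCredentialException("Failed to verify signature of credential");
        }
        verifier.publicKey(publicKey);
        try {
            verifier.verifierContext(getVerifierContext(signingKey)).verifySignature();
        } catch (VerificationException e) {
            log.debug("Signature verification of credential failed", e);
            // Keep the cause so that the failure reason is not lost for the caller.
            throw new UnparseableCredentialException("Failed to verify signature of credential", e);
        }
    }

    /**
     * Returns the single scope-specific type of the credential.
     *
     * <p>This used to be an {@code assert}, which is disabled by default at runtime: a credential
     * with no specific type then failed with NoSuchElementException and one with several types
     * had an arbitrary one selected. The check is now always enforced.
     */
    private static String extractScopeName(VerifiableCredential verifiableCredential) throws UnparseableCredentialException {
        List<String> declaredTypes = verifiableCredential.getType();
        if (declaredTypes == null) {
            throw new UnparseableCredentialException(String.format("Credential is not of format '%s'", CREDENTIAL_FORMAT));
        }
        HashSet<String> specificTypes = new HashSet<>(declaredTypes);
        specificTypes.remove(BASE_CREDENTIAL_TYPE);
        if (specificTypes.size() != 1) {
            throw new UnparseableCredentialException(String.format("Credential is not of format '%s'", CREDENTIAL_FORMAT));
        }
        String scopeName = specificTypes.iterator().next();
        if (StringUtils.isBlank(scopeName)) {
            throw new UnparseableCredentialException(String.format("Credential is not of format '%s'", CREDENTIAL_FORMAT));
        }
        return scopeName;
    }
}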
