package org.keycloak.protocol.oidc.mappers;

import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.LinkedList;
import java.util.List;
import java.util.UUID;
import org.jboss.logging.Logger;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ProtocolMapperContainerModel;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.RealmModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.protocol.ProtocolMapperConfigException;
import org.keycloak.provider.ProviderConfigProperty;
import org.keycloak.representations.idm.ProtocolMapperRepresentation;

/* loaded from: input_file:org/keycloak/protocol/oidc/mappers/SHA256PairwiseSubMapper.class */
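/**
 * Protocol mapper that derives an OpenID Connect pairwise subject identifier from a salted
 * SHA-256 hash and exposes it as the {@code sub} claim (see {@link #getHelpText()}).
 *
 * <p>The identifier is computed from three inputs, in this order: the first string argument of
 * {@link #generateSub(ProtocolMapperModel, String, String)}, the local subject, and the salt
 * stored on the mapper model. The salt is the only secret input, so the unlinkability of the
 * identifiers across sectors depends on the salt staying confidential and unpredictable.
 */
public class SHA256PairwiseSubMapper extends AbstractPairwiseSubMapper {
    public static final String PROVIDER_ID = "sha256";
    private static final String HASH_ALGORITHM = "SHA-256";
    private static final Logger logger = Logger.getLogger(SHA256PairwiseSubMapper.class);
    // Single charset for every string-to-bytes conversion, so hashes do not depend on the
    // platform default encoding.
    private final Charset charset = StandardCharsets.UTF_8;

    /**
     * Builds the representation of a pairwise-subject mapper for the "openid-connect" protocol.
     *
     * @param str value stored under {@code PairwiseSubMapperHelper.SECTOR_IDENTIFIER_URI}
     * @param str2 salt to store on the mapper; when {@code null} a fresh one is generated
     * @return a representation whose config carries the sector identifier URI and the salt
     */
    public static ProtocolMapperRepresentation createPairwiseMapper(String str, String str2) {
        // A caller-supplied salt is used verbatim (even if blank); only null triggers generation.
        String salt = (str2 != null) ? str2 : KeycloakModelUtils.generateId();

        HashMap<String, String> config = new HashMap<>();
        config.put(PairwiseSubMapperHelper.SECTOR_IDENTIFIER_URI, str);
        config.put(PairwiseSubMapperHelper.PAIRWISE_SUB_ALGORITHM_SALT, salt);

        ProtocolMapperRepresentation representation = new ProtocolMapperRepresentation();
        representation.setName("pairwise subject identifier");
        representation.setProtocolMapper(new SHA256PairwiseSubMapper().getId());
        representation.setProtocol("openid-connect");
        representation.setConfig(config);
        return representation;
    }

    /**
     * Ensures the mapper model carries a salt, generating one when it is missing or blank.
     *
     * <p>Only {@code protocolMapperModel} is read or modified here; the other arguments are
     * unused by this implementation.
     *
     * @throws ProtocolMapperConfigException declared by the overridden method; not thrown by the
     *     code visible in this class
     */
    @Override
    public void validateAdditionalConfig(KeycloakSession keycloakSession, RealmModel realmModel, ProtocolMapperContainerModel protocolMapperContainerModel, ProtocolMapperModel protocolMapperModel) throws ProtocolMapperConfigException {
        String salt = PairwiseSubMapperHelper.getSalt(protocolMapperModel);
        boolean saltMissing = salt == null || salt.trim().isEmpty();
        if (saltMissing) {
            PairwiseSubMapperHelper.setSalt(protocolMapperModel, generateSalt());
        }
    }

    /** Returns the description of this mapper. */
    public String getHelpText() {
        return "Calculates a pairwise subject identifier using a salted sha-256 hash and adds it to the 'sub' claim. See OpenID Connect specification for more info about pairwise subject identifiers.";
    }

    /**
     * Returns the extra configuration properties of this mapper: a single salt property.
     *
     * @return a new mutable list holding the salt config property
     */
    @Override
    public List<ProviderConfigProperty> getAdditionalConfigProperties() {
        List<ProviderConfigProperty> properties = new LinkedList<>();
        properties.add(PairwiseSubMapperHelper.createSaltConfig());
        return properties;
    }

    /**
     * Computes the pairwise subject identifier for a local subject.
     *
     * @param protocolMapperModel mapper model the salt is read from
     * @param str first hash input; presumably the sector identifier (confirm against the caller)
     * @param str2 the local subject identifier
     * @return the pairwise subject identifier, formatted as a UUID string
     * @throws IllegalStateException if the mapper model has no salt
     */
    @Override
    public String generateSub(ProtocolMapperModel protocolMapperModel, String str, String str2) {
        String salt = PairwiseSubMapperHelper.getSalt(protocolMapperModel);
        // Only null is rejected here. A blank salt is replaced in validateAdditionalConfig, but a
        // blank value that reaches this point is hashed as is.
        if (salt == null) {
            throw new IllegalStateException("Salt not available on mappingModel. Please update protocol mapper");
        }
        String pairwiseSub = generateSub(str, str2, salt.getBytes(this.charset));
        // NOTE(review): with TRACE enabled this writes the local-to-pairwise mapping to the log,
        // which is exactly the linkage pairwise identifiers are meant to hide from clients. Treat
        // trace logs of this category as sensitive.
        logger.tracef("local sub = '%s', pairwise sub = '%s'", str2, pairwiseSub);
        return pairwiseSub;
    }

    /**
     * Hashes the two identifiers and the salt with SHA-256 and folds the digest into a UUID.
     *
     * @param first first hash input (see the public overload)
     * @param localSub the local subject identifier
     * @param saltBytes the encoded salt, fed to the digest last
     * @return the string form of the name-based UUID built from the digest
     * @throws IllegalStateException if the JVM offers no SHA-256 implementation
     */
    private String generateSub(String first, String localSub, byte[] saltBytes) {
        try {
            MessageDigest sha256 = MessageDigest.getInstance(HASH_ALGORITHM);
            // NOTE(review): the fields are fed back to back with no separator or length prefix,
            // so the hash input does not record where one field ends and the next begins.
            // Changing the encoding would change every identifier already issued, so the
            // construction is kept as is.
            sha256.update(first.getBytes(this.charset));
            sha256.update(localSub.getBytes(this.charset));
            byte[] digest = sha256.digest(saltBytes);
            // UUID.nameUUIDFromBytes builds a version-3 (MD5-based) name UUID: the result is an
            // MD5 of the SHA-256 digest with the version/variant bits overwritten, i.e. at most
            // 122 bits of the hash survive, not the full SHA-256 output.
            return UUID.nameUUIDFromBytes(digest).toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e.getMessage(), e);
        }
    }

    /**
     * Generates a new salt value.
     *
     * <p>NOTE(review): the salt's unpredictability depends on
     * {@code KeycloakModelUtils.generateId()}, which is not visible here; confirm it is backed by
     * a cryptographically secure random source.
     */
    private static String generateSalt() {
        return KeycloakModelUtils.generateId();
    }

    /** Returns the display name of this mapper type. */
    public String getDisplayType() {
        return "Pairwise subject identifier";
    }

    /** Returns the id prefix of this mapper, which is {@link #PROVIDER_ID}. */
    @Override
    public String getIdPrefix() {
        return PROVIDER_ID;
    }
}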
