package org.keycloak.services.clientregistration;

import org.keycloak.TokenCategory;
import org.keycloak.TokenVerifier;
import org.keycloak.common.VerificationException;
import org.keycloak.crypto.SignatureProvider;
import org.keycloak.crypto.SignatureSignerContext;
import org.keycloak.crypto.SignatureVerifierContext;
import org.keycloak.jose.jws.JWSBuilder;
import org.keycloak.models.ClientInitialAccessModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.protocol.oidc.TokenManager;
import org.keycloak.representations.AccessToken;
import org.keycloak.representations.JsonWebToken;
import org.keycloak.services.Urls;
import org.keycloak.services.clientregistration.policy.RegistrationAuth;

/* loaded from: input_file:org/keycloak/services/clientregistration/ClientRegistrationTokenUtils.class */
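/**
 * Issues and verifies the JWTs used by the dynamic client registration endpoints:
 * <ul>
 *   <li>initial access tokens ({@value #TYPE_INITIAL_ACCESS_TOKEN}) – credentials for
 *       registering a new client, bound to a {@link ClientInitialAccessModel};</li>
 *   <li>registration access tokens ({@value #TYPE_REGISTRATION_ACCESS_TOKEN}) – per-client
 *       credentials whose {@code jti} is stored on the client as its registration token.</li>
 * </ul>
 * Both are signed with the realm's own keys and carry the realm issuer URL as {@code iss}
 * and {@code aud}. {@link AccessToken} is only the parsed representation; these are not
 * OAuth access tokens, although {@link #verifyToken} also accepts a {@code Bearer} token
 * and leaves it to the caller to decide what each {@code typ} is allowed to do.
 */
public class ClientRegistrationTokenUtils {
    /** {@code typ} claim of an initial access token. */
    public static final String TYPE_INITIAL_ACCESS_TOKEN = "InitialAccessToken";
    /** {@code typ} claim of a registration access token. */
    public static final String TYPE_REGISTRATION_ACCESS_TOKEN = "RegistrationAccessToken";

    /**
     * Outcome of {@link #verifyToken}: either the verified token together with the id of
     * the realm key whose signature was validated, or the error to report. Exactly one of
     * {@link #getJwt()} and {@link #getError()} is non-null.
     */
    public static class TokenVerification {
        private final String kid;
        private final AccessToken jwt;
        private final RuntimeException error;

        private TokenVerification(String kid, AccessToken jwt, RuntimeException error) {
            this.kid = kid;
            this.jwt = jwt;
            this.error = error;
        }

        /**
         * Successful verification.
         *
         * @param kid id of the realm key that verified the signature (from the verifier
         *            context, not the raw header)
         * @param jwt the parsed, signature-checked token
         */
        public static TokenVerification success(String kid, AccessToken jwt) {
            return new TokenVerification(kid, jwt, null);
        }

        /**
         * Failed verification.
         *
         * @param error the reason; its message may be surfaced to the caller, so it must
         *              not contain the token itself
         */
        public static TokenVerification error(RuntimeException error) {
            return new TokenVerification(null, null, error);
        }

        /** Id of the key that verified the signature, or null on error. */
        public String getKid() {
            return this.kid;
        }

        /** The verified token, or null on error. */
        public AccessToken getJwt() {
            return this.jwt;
        }

        /** The failure, or null on success. */
        public RuntimeException getError() {
            return this.error;
        }
    }

    /**
     * Re-signs an already verified registration access token with the realm's currently
     * active INTERNAL signing key so the client keeps a token that verifies after key
     * rotation. Returns the original token string untouched when it was already signed
     * by the active key.
     *
     * <p>The replacement carries the same {@code typ}, {@code jti}, {@code iss},
     * {@code aud} and {@code exp} as the verified token and a fresh {@code iat}, so it
     * identifies the same client registration and does not outlive the original. The
     * client's stored registration token id is not rotated here; see
     * {@link #updateRegistrationAccessToken} for that.
     *
     * @param session current session, used to look up the active INTERNAL signer
     * @param auth    the verified registration authentication: raw token, kid that
     *                verified it, parsed JWT and registration auth kind
     * @return a token string signed by the active key
     */
    public static String updateTokenSignature(KeycloakSession session, ClientRegistrationAuth auth) {
        String algorithm = session.tokens().signatureAlgorithm(TokenCategory.INTERNAL);
        SignatureSignerContext signer = session.getProvider(SignatureProvider.class, algorithm).signer();

        // Already signed by the active key: hand back the verified token as-is.
        if (signer.getKid().equals(auth.getKid())) {
            return auth.getToken();
        }

        AccessToken verified = auth.getJwt();
        RegistrationAccessToken regToken = new RegistrationAccessToken();
        regToken.setRegistrationAuth(auth.getRegistrationAuth().toString().toLowerCase());
        regToken.type(verified.getType());
        regToken.id(verified.getId());
        regToken.issuedNow();
        // Keep the original lifetime: a re-signed token must never outlive the one it replaces
        // (registration access tokens are normally issued with exp 0, i.e. no expiry).
        regToken.exp(verified.getExp());
        regToken.issuer(verified.getIssuer());
        regToken.audience(verified.getIssuer());

        return new JWSBuilder().jsonContent(regToken).sign(signer);
    }

    /**
     * Same as {@link #updateRegistrationAccessToken(KeycloakSession, RealmModel, ClientModel, RegistrationAuth)}
     * for the realm of the current session context.
     */
    public static String updateRegistrationAccessToken(KeycloakSession session, ClientModel client, RegistrationAuth registrationAuth) {
        RealmModel realm = session.getContext().getRealm();
        return updateRegistrationAccessToken(session, realm, client, registrationAuth);
    }

    /**
     * Rotates the client's registration token: generates a new random id, stores it on the
     * client as its registration token and issues a {@link RegistrationAccessToken} whose
     * {@code jti} is that id. Tokens issued earlier carry a different {@code jti}; they are
     * expected to be rejected by the caller's comparison against the stored id (that
     * comparison is not part of {@link #verifyToken}).
     *
     * <p>The token is issued with {@code exp} 0, i.e. it does not expire on its own; its
     * validity ends only when this method is called again for the client.
     *
     * @param session          current session
     * @param realm            realm that owns the client; determines {@code iss}/{@code aud}
     * @param client           client whose registration token is replaced (mutated)
     * @param registrationAuth how the caller was authenticated; recorded in the token
     * @return the signed registration access token
     */
    public static String updateRegistrationAccessToken(KeycloakSession session, RealmModel realm, ClientModel client, RegistrationAuth registrationAuth) {
        String registrationTokenId = KeycloakModelUtils.generateId();
        client.setRegistrationToken(registrationTokenId);

        RegistrationAccessToken token = new RegistrationAccessToken();
        token.setRegistrationAuth(registrationAuth.toString().toLowerCase());
        return setupToken(token, session, realm, registrationTokenId, TYPE_REGISTRATION_ACCESS_TOKEN, 0L);
    }

    /**
     * Issues an initial access token for the given model. The token's {@code jti} is the
     * model id; {@code exp} is the model's timestamp plus its expiration when an expiration
     * is configured, otherwise 0 (no expiry).
     *
     * @param session current session
     * @param realm   realm the token is issued for
     * @param model   the initial access grant the token represents
     * @return the signed initial access token
     */
    public static String createInitialAccessToken(KeycloakSession session, RealmModel realm, ClientInitialAccessModel model) {
        long expiration = initialAccessExpiry(model);
        return setupToken(new InitialAccessToken(), session, realm, model.getId(), TYPE_INITIAL_ACCESS_TOKEN, expiration);
    }

    /** Absolute expiry for an initial access token, or 0 when the model has no expiration. */
    private static long initialAccessExpiry(ClientInitialAccessModel model) {
        if (model.getExpiration() > 0) {
            return model.getTimestamp() + model.getExpiration();
        }
        return 0L;
    }

    /**
     * Parses and verifies a registration-endpoint token against this realm.
     *
     * <p>Checks performed: the JWS signature, verified with the realm key selected by the
     * token's {@code kid} through the provider for its {@code alg}; the issuer matches this
     * realm's issuer URL ({@code RealmUrlCheck}); the token is active ({@code IS_ACTIVE});
     * the token has not been revoked ({@code TokenRevocationCheck}); and {@code typ} is one
     * of {@code Bearer}, {@value #TYPE_INITIAL_ACCESS_TOKEN} or
     * {@value #TYPE_REGISTRATION_ACCESS_TOKEN}.
     *
     * <p>Not checked here: the audience, and whether a registration token's {@code jti}
     * still equals the client's stored registration token id — callers must do that before
     * granting access. {@code alg} and {@code kid} are taken from the not-yet-verified
     * header; they only select which provider and realm key verify the signature. A header
     * naming an algorithm the realm has no provider for is rejected as an error rather than
     * dereferencing a null provider (which would surface as an unhandled exception).
     *
     * @param session current session (signature providers, revocation check)
     * @param realm   realm the token must have been issued by
     * @param token   compact JWS string; may be null
     * @return the verification outcome; never throws for a missing, malformed or invalid token
     */
    public static TokenVerification verifyToken(KeycloakSession session, RealmModel realm, String token) {
        if (token == null) {
            return TokenVerification.error(new RuntimeException("Missing token"));
        }

        String kid;
        AccessToken jwt;
        try {
            TokenVerifier<AccessToken> verifier = TokenVerifier.create(token, AccessToken.class)
                    .withChecks(new TokenVerifier.RealmUrlCheck(getIssuer(session, realm)),
                            TokenVerifier.IS_ACTIVE,
                            new TokenManager.TokenRevocationCheck(session));

            // Header values are untrusted until the signature has been checked; they are used
            // only to pick the verifying provider and key.
            if (verifier.getHeader().getAlgorithm() == null) {
                return TokenVerification.error(new RuntimeException("Missing signature algorithm"));
            }
            String algorithm = verifier.getHeader().getAlgorithm().name();
            SignatureProvider signatureProvider = session.getProvider(SignatureProvider.class, algorithm);
            if (signatureProvider == null) {
                // No provider registered for this alg: reject instead of a NullPointerException.
                return TokenVerification.error(new RuntimeException("Unsupported signature algorithm: " + algorithm));
            }
            SignatureVerifierContext verifierContext = signatureProvider.verifier(verifier.getHeader().getKeyId());
            if (verifierContext == null) {
                return TokenVerification.error(new RuntimeException("Unknown signing key"));
            }
            verifier.verifierContext(verifierContext);
            // Report the kid of the key actually used, as resolved by the provider.
            kid = verifierContext.getKid();

            verifier.verify();
            jwt = verifier.getToken();
        } catch (VerificationException e) {
            return TokenVerification.error(new RuntimeException("Failed decode token", e));
        }

        if (!isAcceptedTokenType(jwt.getType())) {
            return TokenVerification.error(new RuntimeException("Invalid type of token"));
        }
        return TokenVerification.success(kid, jwt);
    }

    /** The {@code typ} values {@link #verifyToken} accepts. */
    private static boolean isAcceptedTokenType(String type) {
        return "Bearer".equals(type)
                || TYPE_INITIAL_ACCESS_TOKEN.equals(type)
                || TYPE_REGISTRATION_ACCESS_TOKEN.equals(type);
    }

    /**
     * Fills the claims shared by all registration tokens and signs the result via the
     * session's token manager.
     *
     * @param token      the token to fill
     * @param session    current session
     * @param realm      realm whose issuer URL becomes {@code iss} and {@code aud}
     * @param id         value for {@code jti}
     * @param type       value for {@code typ}
     * @param expiration value for {@code exp}; callers pass 0 for "does not expire"
     * @return the encoded, signed token
     */
    private static String setupToken(JsonWebToken token, KeycloakSession session, RealmModel realm,
                                     String id, String type, long expiration) {
        String issuer = getIssuer(session, realm);
        token.type(type);
        token.id(id);
        token.issuedNow();
        token.exp(Long.valueOf(expiration));
        token.issuer(issuer);
        token.audience(issuer);
        return session.tokens().encode(token);
    }

    /**
     * The realm issuer URL, derived from the base URI of the current request. Consequently a
     * token issued through one public hostname will fail the issuer check when presented
     * through another; front the server with a single canonical URL.
     */
    private static String getIssuer(KeycloakSession session, RealmModel realm) {
        return Urls.realmIssuer(session.getContext().getUri().getBaseUri(), realm.getName());
    }
}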
