package org.keycloak.protocol.oidc.client.authentication;

import java.nio.charset.StandardCharsets;
import java.util.Map;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import org.jboss.logging.Logger;
import org.keycloak.OAuth2Constants;
import org.keycloak.common.util.SecretGenerator;
import org.keycloak.common.util.Time;
import org.keycloak.crypto.Algorithm;
import org.keycloak.crypto.JavaAlgorithm;
import org.keycloak.jose.jws.JWSBuilder;
import org.keycloak.representations.JsonWebToken;
import org.keycloak.representations.adapters.config.AdapterConfig;

/* loaded from: input_file:org/keycloak/protocol/oidc/client/authentication/JWTClientSecretCredentialsProvider.class */
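/**
 * Client credentials provider that authenticates the client with a JWT signed by an HMAC
 * keyed with the shared client secret (provider id {@code secret-jwt}).
 *
 * <p>The HMAC key is the UTF-8 encoding of the configured secret string. RFC 7518 section 3.2
 * requires an HMAC key at least as long as the hash output (32 bytes for HS256, 48 for HS384,
 * 64 for HS512); this class does not enforce that, so secret length should be checked where
 * the secret is provisioned.
 *
 * <p>The secret is never included in exception messages raised by this class. No
 * synchronization is visible here: the key and algorithm are two separate fields written one
 * after the other, so reconfiguring an instance while another thread signs is not safe.
 */
public class JWTClientSecretCredentialsProvider implements ClientCredentialsProvider {
    private static final Logger logger = Logger.getLogger(JWTClientSecretCredentialsProvider.class);
    public static final String PROVIDER_ID = "secret-jwt";

    // Offset added to the issue time to obtain "exp". Presumably seconds, since JWT NumericDate
    // claims are expressed in seconds - confirm against Time.currentTime().
    private static final long TOKEN_LIFESPAN_SECONDS = 10;

    private SecretKey clientSecret;
    private String clientSecretJwtAlg = Algorithm.HS256;

    /**
     * Returns the identifier under which this provider is registered.
     *
     * @return {@link #PROVIDER_ID}
     */
    @Override
    public String getId() {
        return PROVIDER_ID;
    }

    /**
     * Reads the {@code secret} and optional {@code algorithm} entries from the provider
     * configuration and installs the signing key.
     *
     * @param adapterConfig adapter configuration; only its resource name is read, for messages
     * @param config provider configuration, expected to be a {@link Map}
     * @throws RuntimeException if the configuration is not a map, the secret is missing or not a
     *     string, or the algorithm is present but not one of HS256, HS384, HS512
     */
    @Override
    public void init(AdapterConfig adapterConfig, Object config) {
        if (!(config instanceof Map)) {
            throw new RuntimeException("Configuration of jwt credentials by client secret is missing or incorrect for client '" + adapterConfig.getResource() + "'. Check your adapter configuration");
        }
        Map<?, ?> settings = (Map<?, ?>) config;

        Object secret = settings.get("secret");
        if (secret == null) {
            throw new RuntimeException("Missing parameter 'secret' in secret-jwt configuration for client " + adapterConfig.getResource());
        }
        // Type-check instead of blind-casting so a malformed config yields a configuration
        // error rather than a bare ClassCastException. The value itself is never echoed.
        if (!(secret instanceof String)) {
            throw new RuntimeException("Parameter 'secret' in secret-jwt configuration must be a string for client " + adapterConfig.getResource());
        }

        Object algorithm = settings.get("algorithm");
        if (algorithm == null) {
            // No algorithm configured: the single-argument setter applies HS256.
            setClientSecret((String) secret);
            return;
        }
        if (!(algorithm instanceof String) || !isValidClientSecretJwtAlg((String) algorithm)) {
            throw new RuntimeException("Invalid parameter 'algorithm' in secret-jwt configuration for client " + adapterConfig.getResource()
                    + ". Supported values: " + Algorithm.HS256 + ", " + Algorithm.HS384 + ", " + Algorithm.HS512);
        }
        setClientSecret((String) secret, (String) algorithm);
    }

    /**
     * Tells whether the given name is one of the HMAC algorithms this provider can sign with.
     *
     * @param algorithm algorithm name, may be {@code null}
     * @return {@code true} for HS256, HS384 or HS512
     */
    private boolean isValidClientSecretJwtAlg(String algorithm) {
        return Algorithm.HS256.equals(algorithm)
                || Algorithm.HS384.equals(algorithm)
                || Algorithm.HS512.equals(algorithm);
    }

    /**
     * Adds the client assertion type and a freshly signed client assertion to the form
     * parameters of the outgoing request.
     *
     * @param adapterConfig supplies the client id (resource) and the realm info URL
     * @param requestHeaders not read or modified here (name assumed from the interface - confirm)
     * @param formParams receives the {@code CLIENT_ASSERTION_TYPE} and {@code CLIENT_ASSERTION} entries
     */
    @Override
    public void setClientCredentials(AdapterConfig adapterConfig, Map<String, String> requestHeaders, Map<String, String> formParams) {
        String signedToken = createSignedRequestToken(adapterConfig.getResource(), adapterConfig.getRealmInfoUrl());
        formParams.put(OAuth2Constants.CLIENT_ASSERTION_TYPE, OAuth2Constants.CLIENT_ASSERTION_TYPE_JWT);
        formParams.put(OAuth2Constants.CLIENT_ASSERTION, signedToken);
    }

    /**
     * Installs the client secret as an HS256 signing key.
     *
     * @param secret shared client secret
     */
    public void setClientSecret(String secret) {
        setClientSecret(secret, Algorithm.HS256);
    }

    /**
     * Installs the client secret as the signing key for the given HMAC algorithm.
     *
     * <p>The algorithm is validated here as well as in {@link #init}, because this setter is
     * public: without the check, a non-HMAC name would be stored and signing would silently
     * fall back to HS256 with a key labelled for a different algorithm.
     *
     * @param secret shared client secret; its UTF-8 bytes become the HMAC key
     * @param algorithm HS256, HS384 or HS512
     * @throws NullPointerException if {@code secret} is {@code null}
     * @throws IllegalArgumentException if {@code algorithm} is not supported, or if the secret
     *     is empty (rejected by {@link SecretKeySpec})
     */
    public void setClientSecret(String secret, String algorithm) {
        if (secret == null) {
            throw new NullPointerException("Client secret must not be null");
        }
        if (!isValidClientSecretJwtAlg(algorithm)) {
            throw new IllegalArgumentException("Unsupported client secret JWT algorithm: " + algorithm);
        }
        // Build the key first so that a failure leaves both fields untouched.
        this.clientSecret = new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), JavaAlgorithm.getJavaAlgorithm(algorithm));
        this.clientSecretJwtAlg = algorithm;
    }

    /**
     * Creates a signed client assertion using the currently configured algorithm.
     *
     * @param clientId used as both issuer and subject of the token
     * @param realmInfoUrl used as the token audience
     * @return the serialized, signed token
     */
    public String createSignedRequestToken(String clientId, String realmInfoUrl) {
        return createSignedRequestToken(clientId, realmInfoUrl, this.clientSecretJwtAlg);
    }

    /**
     * Creates a signed client assertion using the given HMAC algorithm.
     *
     * <p>Any algorithm other than HS512 or HS384, including {@code null}, is signed with
     * HMAC-SHA256; that fallback is kept for compatibility with existing callers.
     *
     * @param clientId used as both issuer and subject of the token
     * @param realmInfoUrl used as the token audience
     * @param algorithm HS256, HS384 or HS512
     * @return the serialized, signed token
     * @throws IllegalStateException if no client secret has been configured yet
     */
    public String createSignedRequestToken(String clientId, String realmInfoUrl, String algorithm) {
        // Fail with a clear message instead of passing a null key down to the HMAC code.
        if (this.clientSecret == null) {
            throw new IllegalStateException("Client secret is not configured; call init or setClientSecret first");
        }
        JsonWebToken requestToken = createRequestToken(clientId, realmInfoUrl);
        if (Algorithm.HS512.equals(algorithm)) {
            return new JWSBuilder().jsonContent(requestToken).hmac512(this.clientSecret);
        }
        if (Algorithm.HS384.equals(algorithm)) {
            return new JWSBuilder().jsonContent(requestToken).hmac384(this.clientSecret);
        }
        return new JWSBuilder().jsonContent(requestToken).hmac256(this.clientSecret);
    }

    /**
     * Builds the unsigned assertion: a generated token id, issuer and subject set to the
     * client id, audience set to the realm info URL, and a validity window that starts at the
     * current time and ends {@code TOKEN_LIFESPAN_SECONDS} later.
     *
     * <p>The short window and the per-token id limit how long a captured assertion stays
     * usable; whether token ids are checked for reuse is up to the receiving server.
     *
     * @param clientId used as both issuer and subject
     * @param realmInfoUrl used as the audience
     * @return the populated, unsigned token
     */
    protected JsonWebToken createRequestToken(String clientId, String realmInfoUrl) {
        JsonWebToken token = new JsonWebToken();
        token.id(SecretGenerator.getInstance().generateSecureID());
        token.issuer(clientId);
        token.subject(clientId);
        token.audience(realmInfoUrl);
        long issuedAt = Time.currentTime();
        token.iat(Long.valueOf(issuedAt));
        token.exp(Long.valueOf(issuedAt + TOKEN_LIFESPAN_SECONDS));
        token.nbf(Long.valueOf(issuedAt));
        return token;
    }
}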
