package org.apache.cxf.rs.security.oidc.utils;

import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.ws.rs.core.MultivaluedMap;
import org.apache.cxf.common.util.Base64UrlUtility;
import org.apache.cxf.common.util.StringUtils;
import org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm;
import org.apache.cxf.rs.security.jose.jws.JwsException;
import org.apache.cxf.rs.security.jose.jwt.JwtToken;
import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken;
import org.apache.cxf.rs.security.oauth2.common.OAuthRedirectionState;
import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
import org.apache.cxf.rs.security.oidc.common.AbstractUserInfo;
import org.apache.cxf.rs.security.oidc.common.IdToken;
import org.apache.cxf.rt.security.crypto.MessageDigestUtils;

/* loaded from: input_file:org/apache/cxf/rs/security/oidc/utils/OidcUtils.class */
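/**
 * Static helpers for OpenID Connect: well-known parameter/scope names, the
 * scope-to-claims mapping, and validation of the {@code at_hash} / {@code c_hash}
 * ID token claims against an access token or authorization code.
 *
 * <p>Security notes for callers:
 * <ul>
 *   <li>The hash checks take the digest algorithm from the token's own JWS header.
 *       They bind a token/code to an ID token but do not authenticate the ID token;
 *       NOTE(review): callers are presumably expected to verify the JWS signature
 *       first - confirm at the call sites.</li>
 *   <li>The three-argument {@code validate*Hash} overloads perform no check at all
 *       when their boolean flag is {@code false}.</li>
 * </ul>
 */
public final class OidcUtils {
    public static final String ID_TOKEN_RESPONSE_TYPE = "id_token";
    public static final String ID_TOKEN_AT_RESPONSE_TYPE = "id_token token";
    public static final String CODE_AT_RESPONSE_TYPE = "code token";
    public static final String CODE_ID_TOKEN_RESPONSE_TYPE = "code id_token";
    public static final String CODE_ID_TOKEN_AT_RESPONSE_TYPE = "code id_token token";
    public static final String ID_TOKEN = "id_token";
    public static final String OPENID_SCOPE = "openid";
    public static final String PROFILE_SCOPE = "profile";
    public static final String EMAIL_SCOPE = "email";
    public static final String ADDRESS_SCOPE = "address";
    public static final String PHONE_SCOPE = "phone";
    public static final String CLAIMS_PARAM = "claims";
    public static final String CLAIM_NAMES_PROPERTY = "_claim_names";
    public static final String CLAIM_SOURCES_PROPERTY = "_claim_sources";
    public static final String JWT_CLAIM_SOURCE_PROPERTY = "JWT";
    public static final String ENDPOINT_CLAIM_SOURCE_PROPERTY = "endpoint";
    public static final String TOKEN_CLAIM_SOURCE_PROPERTY = "access_token";
    public static final String PROMPT_PARAMETER = "prompt";
    public static final String PROMPT_NONE_VALUE = "none";
    public static final String PROMPT_CONSENT_VALUE = "consent";
    public static final String CONSENT_REQUIRED_ERROR = "consent_required";

    // The claim lists below are fixed-size views from Arrays.asList: elements can still be
    // replaced via set(), and the same instances back SCOPES_MAP. Treat them as read-only,
    // otherwise the claims released for a scope change process-wide.
    public static final List<String> PROFILE_CLAIMS = Arrays.asList(AbstractUserInfo.NAME_CLAIM, AbstractUserInfo.FAMILY_NAME_CLAIM, AbstractUserInfo.GIVEN_NAME_CLAIM, AbstractUserInfo.MIDDLE_NAME_CLAIM, AbstractUserInfo.NICKNAME_CLAIM, AbstractUserInfo.PREFERRED_USERNAME_CLAIM, "profile", AbstractUserInfo.PICTURE_CLAIM, AbstractUserInfo.WEBSITE_CLAIM, AbstractUserInfo.GENDER_CLAIM, AbstractUserInfo.BIRTHDATE_CLAIM, AbstractUserInfo.ZONEINFO_CLAIM, AbstractUserInfo.LOCALE_CLAIM, AbstractUserInfo.UPDATED_AT_CLAIM);
    public static final List<String> EMAIL_CLAIMS = Arrays.asList("email", AbstractUserInfo.EMAIL_VERIFIED_CLAIM);
    public static final List<String> ADDRESS_CLAIMS = Arrays.asList("address");
    public static final List<String> PHONE_CLAIMS = Arrays.asList(AbstractUserInfo.PHONE_CLAIM);

    /** Scope name to the claims that scope grants; populated once in the static initializer. */
    private static final Map<String, List<String>> SCOPES_MAP = new HashMap<String, List<String>>();

    static {
        SCOPES_MAP.put(PHONE_SCOPE, PHONE_CLAIMS);
        SCOPES_MAP.put("email", EMAIL_CLAIMS);
        SCOPES_MAP.put("address", ADDRESS_CLAIMS);
        SCOPES_MAP.put("profile", PROFILE_CLAIMS);
    }

    private OidcUtils() {
    }

    /**
     * Splits the space-delimited {@code prompt} request parameter into its values.
     *
     * @param multivaluedMap request parameters
     * @return the prompt values, or an empty list when the parameter is absent or blank
     */
    public static List<String> getPromptValues(MultivaluedMap<String, String> multivaluedMap) {
        String prompt = multivaluedMap.getFirst(PROMPT_PARAMETER);
        if (prompt == null) {
            return Collections.emptyList();
        }
        String trimmed = prompt.trim();
        if (trimmed.isEmpty()) {
            // A blank parameter carries no prompt values; do not report a single "" entry.
            return Collections.emptyList();
        }
        // Split on runs of spaces so that repeated separators do not yield empty values.
        return Arrays.asList(trimmed.split(" +"));
    }

    /** @return the {@code openid} scope */
    public static String getOpenIdScope() {
        return OPENID_SCOPE;
    }

    /** @return {@code "openid profile"} */
    public static String getProfileScope() {
        return getScope(OPENID_SCOPE, "profile");
    }

    /** @return {@code "openid email"} */
    public static String getEmailScope() {
        return getScope(OPENID_SCOPE, "email");
    }

    /** @return {@code "openid address"} */
    public static String getAddressScope() {
        return getScope(OPENID_SCOPE, "address");
    }

    /** @return {@code "openid phone"} */
    public static String getPhoneScope() {
        return getScope(OPENID_SCOPE, PHONE_SCOPE);
    }

    /** @return {@code "openid profile email address phone"} */
    public static String getAllScopes() {
        return getScope(OPENID_SCOPE, "profile", "email", "address", PHONE_SCOPE);
    }

    /**
     * Collects the claims granted by the given scopes. Scopes without a mapping
     * (including {@code openid} itself) contribute nothing.
     *
     * @param strArr scope names; may be {@code null}
     * @return a new mutable list of claim names, in scope order; never {@code null}
     */
    public static List<String> getScopeClaims(String... strArr) {
        List<String> claims = new ArrayList<String>();
        if (strArr != null) {
            for (String scope : strArr) {
                List<String> scopeClaims = SCOPES_MAP.get(scope);
                if (scopeClaims != null) {
                    claims.addAll(scopeClaims);
                }
            }
        }
        return claims;
    }

    /** Joins the given scope names with single spaces. */
    private static String getScope(String... strArr) {
        StringBuilder sb = new StringBuilder();
        for (String scope : strArr) {
            if (sb.length() > 0) {
                sb.append(" ");
            }
            sb.append(scope);
        }
        return sb.toString();
    }

    /**
     * Validates the ID token's access token hash claim against the given access token.
     * Validation is always enforced by this overload.
     *
     * @param clientAccessToken the access token received with the ID token
     * @param jwtToken the ID token
     * @throws OAuthServiceException if the hash claim is missing or does not match
     */
    public static void validateAccessTokenHash(ClientAccessToken clientAccessToken, JwtToken jwtToken) {
        validateAccessTokenHash(clientAccessToken, jwtToken, true);
    }

    /**
     * Validates the ID token's access token hash claim against the given access token.
     *
     * @param clientAccessToken the access token received with the ID token
     * @param jwtToken the ID token
     * @param z when {@code false}, no validation is performed
     * @throws OAuthServiceException if validation is enabled and the hash does not match
     */
    public static void validateAccessTokenHash(ClientAccessToken clientAccessToken, JwtToken jwtToken, boolean z) {
        validateAccessTokenHash(clientAccessToken.getTokenKey(), jwtToken, z);
    }

    /**
     * Validates the ID token's access token hash claim against the given access token value.
     *
     * @param str the access token value
     * @param jwtToken the ID token
     * @param z when {@code false}, no validation is performed
     * @throws OAuthServiceException if validation is enabled and the hash does not match
     */
    public static void validateAccessTokenHash(String str, JwtToken jwtToken, boolean z) {
        if (z) {
            validateHash(str, getStringClaim(jwtToken, IdToken.ACCESS_TOKEN_HASH_CLAIM), jwtToken.getJwsHeaders().getSignatureAlgorithm());
        }
    }

    /**
     * Validates the ID token's authorization code hash claim against the given code.
     * Validation is always enforced by this overload.
     *
     * @param str the authorization code
     * @param jwtToken the ID token
     * @throws OAuthServiceException if the hash claim is missing or does not match
     */
    public static void validateCodeHash(String str, JwtToken jwtToken) {
        validateCodeHash(str, jwtToken, true);
    }

    /**
     * Validates the ID token's authorization code hash claim against the given code.
     *
     * @param str the authorization code
     * @param jwtToken the ID token
     * @param z when {@code false}, no validation is performed
     * @throws OAuthServiceException if validation is enabled and the hash does not match
     */
    public static void validateCodeHash(String str, JwtToken jwtToken, boolean z) {
        if (z) {
            validateHash(str, getStringClaim(jwtToken, IdToken.AUTH_CODE_HASH_CLAIM), jwtToken.getJwsHeaders().getSignatureAlgorithm());
        }
    }

    /**
     * Reads a claim as a string. A claim that is absent or not a string yields {@code null},
     * so a malformed token is rejected by the hash comparison rather than surfacing as a
     * {@link ClassCastException}.
     */
    private static String getStringClaim(JwtToken jwtToken, String claimName) {
        Object claim = jwtToken.getClaims().getClaim(claimName);
        return claim instanceof String ? (String) claim : null;
    }

    /**
     * Recomputes the hash of {@code str} and compares it with the claimed value.
     *
     * @param str the access token or authorization code
     * @param str2 the hash taken from the ID token; {@code null} never matches
     * @param signatureAlgorithm the ID token's signature algorithm
     * @throws OAuthServiceException if the values differ
     */
    private static void validateHash(String str, String str2, SignatureAlgorithm signatureAlgorithm) {
        if (!calculateHash(str, signatureAlgorithm).equals(str2)) {
            throw new OAuthServiceException("Invalid hash");
        }
    }

    /**
     * Calculates the hash value for an access token.
     *
     * @param str the access token value
     * @param signatureAlgorithm the ID token's signature algorithm
     * @return the base64url-encoded left half of the digest
     */
    public static String calculateAccessTokenHash(String str, SignatureAlgorithm signatureAlgorithm) {
        return calculateHash(str, signatureAlgorithm);
    }

    /**
     * Calculates the hash value for an authorization code.
     *
     * @param str the authorization code
     * @param signatureAlgorithm the ID token's signature algorithm
     * @return the base64url-encoded left half of the digest
     */
    public static String calculateAuthorizationCodeHash(String str, SignatureAlgorithm signatureAlgorithm) {
        return calculateHash(str, signatureAlgorithm);
    }

    /**
     * Hashes the ASCII bytes of {@code str} with the SHA variant whose size is the numeric
     * suffix of the JWA algorithm name (the name minus its first two characters), then
     * base64url-encodes the left-most half of the digest.
     *
     * @throws JwsException if the algorithm is missing or is {@code none}
     * @throws OAuthServiceException if the derived digest algorithm is not available
     */
    private static String calculateHash(String str, SignatureAlgorithm signatureAlgorithm) {
        // An unsigned token, or one whose header yields no algorithm, gives nothing to derive
        // the digest from; reject both explicitly instead of failing with a NullPointerException.
        if (signatureAlgorithm == null || signatureAlgorithm == SignatureAlgorithm.NONE) {
            throw new JwsException(JwsException.Error.INVALID_ALGORITHM);
        }
        String shaBits = signatureAlgorithm.getJwaName().substring(2);
        try {
            // Digest first: a name without a numeric suffix fails here as NoSuchAlgorithmException,
            // before the suffix is parsed as a number.
            byte[] digest = MessageDigestUtils.createDigest(StringUtils.toBytesASCII(str), "SHA-" + shaBits);
            int leftHalfLength = Integer.parseInt(shaBits) / 8 / 2;
            return Base64UrlUtility.encodeChunk(digest, 0, leftHalfLength);
        } catch (NoSuchAlgorithmException e) {
            throw new OAuthServiceException(e);
        }
    }

    /**
     * Copies the {@code claims} request parameter, when present, into the redirection
     * state's extra properties. The value is stored as received, without validation.
     *
     * @param oAuthRedirectionState the state to update
     * @param multivaluedMap request parameters
     */
    public static void setStateClaimsProperty(OAuthRedirectionState oAuthRedirectionState, MultivaluedMap<String, String> multivaluedMap) {
        String claims = multivaluedMap.getFirst(CLAIMS_PARAM);
        if (claims != null) {
            oAuthRedirectionState.getExtraProperties().put(CLAIMS_PARAM, claims);
        }
    }
}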
