package org.apache.cxf.rs.security.oauth2.client;

import javax.ws.rs.core.MultivaluedMap;
import org.apache.cxf.common.util.StringUtils;
import org.apache.cxf.helpers.CastUtils;
import org.apache.cxf.jaxrs.ext.MessageContext;
import org.apache.cxf.jaxrs.impl.MetadataMap;
import org.apache.cxf.jaxrs.json.basic.JsonMapObjectReaderWriter;
import org.apache.cxf.rs.security.jose.jwe.JweDecryptionProvider;
import org.apache.cxf.rs.security.jose.jwe.JweEncryptionProvider;
import org.apache.cxf.rs.security.jose.jwe.JweUtils;
import org.apache.cxf.rs.security.jose.jws.JwsCompactConsumer;
import org.apache.cxf.rs.security.jose.jws.JwsCompactProducer;
import org.apache.cxf.rs.security.jose.jws.JwsSignatureProvider;
import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
import org.apache.cxf.rs.security.jose.jws.JwsUtils;
import org.apache.cxf.rs.security.jose.jws.NoneJwsSignatureProvider;
import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;

/* loaded from: input_file:lib/cxf-rt-rs-security-oauth2-3.1.15.jar:org/apache/cxf/rs/security/oauth2/client/JoseClientCodeStateManager.class */
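/**
 * {@link ClientCodeStateManager} that protects the client-side OAuth2 redirect state with JOSE.
 *
 * <p>On the way out the state map is serialized to JSON, wrapped in a compact JWS and, when an
 * encryption provider is available, JWE-encrypted. On the way back the token is decrypted when a
 * decryption provider is available, its JWS signature is verified, and the map is restored.
 * With {@code storeInSession} enabled the protected token is kept via
 * {@link OAuthUtils#setSessionToken} and only a random key travels in the {@code state} parameter.
 *
 * <p>Security notes for deployers:
 * <ul>
 *   <li>When no signature provider is configured but an encryption provider is, the inner JWS is
 *       produced with {@link NoneJwsSignatureProvider}. Integrity of the state then rests
 *       entirely on the JWE layer, so the configured content encryption should be authenticated.</li>
 *   <li>{@link #fromRedirectState} decrypts only when a decryption provider is available and has
 *       no counterpart of the "at least one protection" check made in {@link #toRedirectState}.
 *       NOTE(review): make sure the configured verifier cannot accept unsigned tokens on a
 *       deployment where decryption is not enforced.</li>
 * </ul>
 *
 * <p>Instances are configured through setters; no synchronization is performed here.
 */
public class JoseClientCodeStateManager implements ClientCodeStateManager {
    private JwsSignatureProvider sigProvider;
    private JweEncryptionProvider encryptionProvider;
    private JweDecryptionProvider decryptionProvider;
    private JwsSignatureVerifier signatureVerifier;
    private final JsonMapObjectReaderWriter jsonp = new JsonMapObjectReaderWriter();
    private boolean generateNonce;
    private boolean storeInSession;

    /**
     * Builds the protected {@code state} value to send with the authorization redirect.
     *
     * <p>Side effect: when nonce generation is enabled, a {@code nonce} entry is added to the
     * caller's {@code multivaluedMap} so that it is covered by the protected state.
     *
     * @param messageContext current message context, used only when the state is kept in the session
     * @param multivaluedMap the state to protect; modified when a nonce is generated
     * @return a new map holding {@code state} and, when generated, {@code nonce}
     * @throws OAuthServiceException if neither a signature nor an encryption provider is available
     */
    @Override
    public MultivaluedMap<String, String> toRedirectState(MessageContext messageContext, MultivaluedMap<String, String> multivaluedMap) {
        JweEncryptionProvider encryptor = getInitializedEncryptionProvider();
        JwsSignatureProvider signer = getInitializedSigProvider(encryptor);
        // Refuse to emit state that would travel through the browser unprotected.
        if (encryptor == null && signer == null) {
            throw new OAuthServiceException("The state can not be protected");
        }
        MetadataMap<String, String> redirectState = new MetadataMap<String, String>();
        if (this.generateNonce && signer != null) {
            // The nonce is a random token key wrapped as a JWS. In encryption-only mode the
            // signer is the "none" provider, so the nonce itself carries no signature.
            String nonce = new JwsCompactProducer(OAuthUtils.generateRandomTokenKey()).signWith(signer);
            multivaluedMap.putSingle("nonce", nonce);
            redirectState.putSingle("nonce", nonce);
        }
        String stateJson = this.jsonp.toJson(CastUtils.cast(multivaluedMap));
        String protectedState = null;
        if (signer != null) {
            protectedState = new JwsCompactProducer(stateJson).signWith(signer);
        }
        if (encryptor != null) {
            // getInitializedSigProvider() substitutes a "none" signer whenever an encryptor is
            // present, so protectedState is already a compact JWS here unless a subclass
            // overrides that method.
            protectedState = encryptor.encrypt(StringUtils.toBytesUTF8(protectedState), null);
        }
        if (this.storeInSession) {
            // Keep the real token server-side and expose only an opaque random key.
            // NOTE(review): the trailing 0 is passed through as in the original call;
            // presumably a lifetime value - confirm against OAuthUtils.setSessionToken.
            String sessionKey = OAuthUtils.generateRandomTokenKey();
            OAuthUtils.setSessionToken(messageContext, protectedState, sessionKey, 0);
            protectedState = sessionKey;
        }
        redirectState.putSingle(OAuthConstants.STATE, protectedState);
        return redirectState;
    }

    /**
     * Restores the state map from the {@code state} parameter returned with the redirect.
     *
     * <p>Fails closed: a missing {@code state} parameter, a session lookup that finds nothing,
     * a missing verifier, or a signature that does not verify all end in
     * {@link SecurityException} instead of a {@code NullPointerException} further down.
     *
     * @param messageContext current message context, used only when the state is kept in the session
     * @param multivaluedMap parameters received with the redirect; must contain {@code state}
     * @return the restored state map
     * @throws SecurityException if the state is absent, cannot be resolved, or fails verification
     */
    @Override
    public MultivaluedMap<String, String> fromRedirectState(MessageContext messageContext, MultivaluedMap<String, String> multivaluedMap) {
        String stateToken = multivaluedMap.getFirst(OAuthConstants.STATE);
        if (stateToken == null) {
            throw new SecurityException("No state parameter was supplied");
        }
        if (this.storeInSession) {
            // The parameter is only a lookup key; the protected token lives in the session.
            stateToken = OAuthUtils.getSessionToken(messageContext, stateToken);
            if (stateToken == null) {
                throw new SecurityException("No stored state matches the supplied state parameter");
            }
        }
        JweDecryptionProvider decryptor = getInitializedDecryptionProvider();
        if (decryptor != null) {
            stateToken = decryptor.decrypt(stateToken).getContentText();
        }
        JwsCompactConsumer jwsConsumer = new JwsCompactConsumer(stateToken);
        JwsSignatureVerifier verifier = getInitializedSigVerifier();
        // Without a verifier nothing can vouch for the state; reject rather than pass null on.
        if (verifier == null) {
            throw new SecurityException("No signature verifier is available for the state");
        }
        if (!jwsConsumer.verifySignatureWith(verifier)) {
            throw new SecurityException("State signature verification failed");
        }
        // NOTE(review): the JSON reader is handed getUnsignedEncodedSequence(), and the result is
        // cast to MultivaluedMap. Confirm that this sequence is the decoded JSON payload (not the
        // still-encoded header.payload text) and that fromJson returns a MultivaluedMap at runtime.
        @SuppressWarnings({"rawtypes", "unchecked"})
        MultivaluedMap<String, String> restored =
            (MultivaluedMap) CastUtils.cast(this.jsonp.fromJson(jwsConsumer.getUnsignedEncodedSequence()));
        return restored;
    }

    /**
     * Sets the provider used to sign the state and the optional nonce.
     *
     * @param jwsSignatureProvider signature provider, or {@code null} to fall back to the loaded one
     */
    public void setSignatureProvider(JwsSignatureProvider jwsSignatureProvider) {
        this.sigProvider = jwsSignatureProvider;
    }

    /**
     * Resolves the signature provider: the explicitly set one, else the one returned by
     * {@code JwsUtils.loadSignatureProvider(false)}, else - only when an encryption provider is
     * present - a {@link NoneJwsSignatureProvider}, which leaves the JWS unsigned.
     *
     * @param jweEncryptionProvider the encryption provider in use, or {@code null}
     * @return the provider to sign with, or {@code null} when none is available and nothing encrypts
     */
    protected JwsSignatureProvider getInitializedSigProvider(JweEncryptionProvider jweEncryptionProvider) {
        if (this.sigProvider != null) {
            return this.sigProvider;
        }
        // NOTE(review): the false argument presumably means "not required" - confirm in JwsUtils.
        JwsSignatureProvider loaded = JwsUtils.loadSignatureProvider(false);
        if (loaded == null && jweEncryptionProvider != null) {
            loaded = new NoneJwsSignatureProvider();
        }
        return loaded;
    }

    /**
     * Sets the provider used to decrypt the returned state.
     *
     * @param jweDecryptionProvider decryption provider, or {@code null} to fall back to the loaded one
     */
    public void setDecryptionProvider(JweDecryptionProvider jweDecryptionProvider) {
        this.decryptionProvider = jweDecryptionProvider;
    }

    /**
     * Returns the explicitly set decryption provider, else the result of
     * {@code JweUtils.loadDecryptionProvider(false)}, which may be {@code null}.
     */
    protected JweDecryptionProvider getInitializedDecryptionProvider() {
        if (this.decryptionProvider != null) {
            return this.decryptionProvider;
        }
        return JweUtils.loadDecryptionProvider(false);
    }

    /**
     * Sets the verifier used to check the signature of the returned state.
     *
     * @param jwsSignatureVerifier signature verifier, or {@code null} to fall back to the loaded one
     */
    public void setSignatureVerifier(JwsSignatureVerifier jwsSignatureVerifier) {
        this.signatureVerifier = jwsSignatureVerifier;
    }

    /**
     * Returns the explicitly set signature verifier, else the result of
     * {@code JwsUtils.loadSignatureVerifier(false)}, which may be {@code null}.
     */
    protected JwsSignatureVerifier getInitializedSigVerifier() {
        if (this.signatureVerifier != null) {
            return this.signatureVerifier;
        }
        return JwsUtils.loadSignatureVerifier(false);
    }

    /**
     * Sets the provider used to encrypt the outgoing state.
     *
     * @param jweEncryptionProvider encryption provider, or {@code null} to fall back to the loaded one
     */
    public void setEncryptionProvider(JweEncryptionProvider jweEncryptionProvider) {
        this.encryptionProvider = jweEncryptionProvider;
    }

    /**
     * Returns the explicitly set encryption provider, else the result of
     * {@code JweUtils.loadEncryptionProvider(false)}, which may be {@code null}.
     */
    protected JweEncryptionProvider getInitializedEncryptionProvider() {
        if (this.encryptionProvider != null) {
            return this.encryptionProvider;
        }
        return JweUtils.loadEncryptionProvider(false);
    }

    /**
     * Enables or disables adding a nonce to the state; it is only generated when a signature
     * provider is available.
     *
     * @param z {@code true} to generate a nonce
     */
    public void setGenerateNonce(boolean z) {
        this.generateNonce = z;
    }

    /**
     * Enables or disables keeping the protected state in the session, in which case the
     * {@code state} parameter carries only a random lookup key.
     *
     * @param z {@code true} to store the protected state in the session
     */
    public void setStoreInSession(boolean z) {
        this.storeInSession = z;
    }
}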
