package org.glassfish.soteria.mechanisms.openid.controller;

import jakarta.enterprise.context.ApplicationScoped;
import jakarta.enterprise.context.RequestScoped;
import jakarta.enterprise.inject.Produces;
import jakarta.inject.Inject;
import jakarta.json.JsonObject;
import jakarta.json.JsonString;
import jakarta.security.enterprise.authentication.mechanism.http.OpenIdAuthenticationMechanismDefinition;
import jakarta.security.enterprise.authentication.mechanism.http.openid.OpenIdConstant;
import jakarta.security.enterprise.authentication.mechanism.http.openid.OpenIdProviderMetadata;
import java.io.Serializable;
import java.net.MalformedURLException;
import java.net.URL;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;
import org.glassfish.soteria.Utils;
import org.glassfish.soteria.cdi.AnnotationELPProcessor;
import org.glassfish.soteria.mechanisms.openid.domain.ClaimsConfiguration;
import org.glassfish.soteria.mechanisms.openid.domain.LogoutConfiguration;
import org.glassfish.soteria.mechanisms.openid.domain.OpenIdConfiguration;
import org.glassfish.soteria.mechanisms.openid.domain.OpenIdProviderData;

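/**
 * Builds, validates and caches the {@link OpenIdConfiguration} derived from an
 * {@link OpenIdAuthenticationMechanismDefinition} and the provider's discovery document.
 *
 * <p>The bean is application scoped and keeps only the most recently built configuration.
 * The cache field is {@code transient}, so it is rebuilt on first use after deserialization.
 */
@ApplicationScoped
public class ConfigurationController implements Serializable {
    private static final long serialVersionUID = 1;

    @Inject
    private ProviderMetadataController providerMetadataController;
    private static final String SPACE_SEPARATOR = " ";
    private volatile transient LastBuiltConfig lastBuiltConfig;

    /**
     * Immutable pair of a mechanism definition and the configuration that was built from it.
     */
    static class LastBuiltConfig {
        private final OpenIdAuthenticationMechanismDefinition definition;
        private final OpenIdConfiguration configuration;

        public LastBuiltConfig(OpenIdAuthenticationMechanismDefinition definition, OpenIdConfiguration configuration) {
            this.definition = definition;
            this.configuration = configuration;
        }

        /**
         * Returns the stored configuration when it was built from an equal definition.
         *
         * @param candidate the definition the caller wants a configuration for
         * @return the cached configuration, or {@code null} when nothing is stored or the
         *         stored definition does not {@code equals} the candidate
         */
        OpenIdConfiguration cachedConfiguration(OpenIdAuthenticationMechanismDefinition candidate) {
            if (this.definition == null || !this.definition.equals(candidate)) {
                return null;
            }
            return this.configuration;
        }
    }

    /**
     * CDI producer for the request-scoped {@link OpenIdConfiguration}.
     *
     * <p>Returns the cached configuration when the definition equals the one used for the last
     * build; otherwise builds a new configuration and replaces the cache entry. No lock is
     * taken, so concurrent callers may each build a configuration and the last write wins.
     *
     * @param definition the mechanism definition to produce a configuration for
     * @return the cached or freshly built configuration
     * @throws IllegalStateException if {@link #buildConfig} rejects the definition
     */
    @RequestScoped
    @Produces
    public OpenIdConfiguration produceConfiguration(OpenIdAuthenticationMechanismDefinition definition) {
        // Read the volatile field once so the null check and the lookup see the same object.
        LastBuiltConfig lastBuilt = this.lastBuiltConfig;
        if (lastBuilt != null) {
            OpenIdConfiguration cached = lastBuilt.cachedConfiguration(definition);
            if (cached != null) {
                return cached;
            }
        }
        OpenIdConfiguration built = buildConfig(definition);
        this.lastBuiltConfig = new LastBuiltConfig(definition, built);
        return built;
    }

    /**
     * Builds and validates an {@link OpenIdConfiguration} from the definition and the discovery
     * document obtained from {@code providerMetadataController} for the definition's provider URI.
     *
     * <p>For endpoints, {@code jwks_uri} and issuer, a non-empty value in the definition's
     * provider metadata takes precedence over the discovery document. For the three
     * "supported" lists the discovery document takes precedence and the definition is the
     * fallback.
     *
     * @param definition the mechanism definition to read
     * @return the validated configuration
     * @throws IllegalStateException if the JWKS URI is not a well-formed URL, an
     *         {@code extraParameters} entry has no {@code =}, or validation reports errors
     */
    public OpenIdConfiguration buildConfig(OpenIdAuthenticationMechanismDefinition definition) {
        String providerUri = AnnotationELPProcessor.evalImmediate(definition.providerURI());
        OpenIdProviderMetadata providerMetadata = definition.providerMetadata();
        JsonObject document = this.providerMetadataController.getDocument(providerUri);

        String authorizationEndpoint = metadataValue(providerMetadata.authorizationEndpoint(), document, OpenIdConstant.AUTHORIZATION_ENDPOINT);
        String tokenEndpoint = metadataValue(providerMetadata.tokenEndpoint(), document, OpenIdConstant.TOKEN_ENDPOINT);
        String userinfoEndpoint = metadataValue(providerMetadata.userinfoEndpoint(), document, OpenIdConstant.USERINFO_ENDPOINT);
        String endSessionEndpoint = metadataValue(providerMetadata.endSessionEndpoint(), document, OpenIdConstant.END_SESSION_ENDPOINT);

        // NOTE(review): only URL syntax is checked here, and the validators in this class check
        // presence only. Nothing visible requires https for the JWKS or endpoint URLs; confirm
        // that is enforced elsewhere, since signing keys fetched over plain http can be replaced
        // in transit.
        URL jwksUrl;
        try {
            jwksUrl = new URL(metadataValue(providerMetadata.jwksURI(), document, OpenIdConstant.JWKS_URI));
        } catch (MalformedURLException e) {
            throw new IllegalStateException("jwksURI is invalid", e);
        }
        String issuer = metadataValue(providerMetadata.issuer(), document, OpenIdConstant.ISSUER);

        List<String> responseTypesSupported = supportedValues(document, OpenIdConstant.RESPONSE_TYPES_SUPPORTED, providerMetadata.responseTypeSupported());
        List<String> signingAlgorithmsSupported = supportedValues(document, OpenIdConstant.ID_TOKEN_SIGNING_ALG_VALUES_SUPPORTED, providerMetadata.idTokenSigningAlgorithmsSupported());
        List<String> subjectTypesSupported = supportedValues(document, OpenIdConstant.SUBJECT_TYPES_SUPPORTED, providerMetadata.subjectTypeSupported());

        String clientId = AnnotationELPProcessor.evalImmediate(definition.clientId());
        char[] clientSecret = AnnotationELPProcessor.evalImmediate(definition.clientSecret()).toCharArray();
        String redirectUri = AnnotationELPProcessor.evalImmediate(definition.redirectURI());

        String scopes = (String) AnnotationELPProcessor.evalImmediate(definition.scopeExpression(), String.join(SPACE_SEPARATOR, definition.scope()));
        if (Utils.isEmpty(scopes)) {
            scopes = OpenIdConstant.OPENID_SCOPE;
        } else if (!Arrays.asList(scopes.trim().split("\\s+")).contains(OpenIdConstant.OPENID_SCOPE)) {
            // Compare whole scope tokens: a substring test would treat a scope that merely
            // contains the text of the mandatory scope as if that scope had been requested.
            scopes = "openid " + scopes;
        }

        // Locale.ROOT keeps protocol values stable under locales with special case rules.
        String responseType = Arrays.stream(AnnotationELPProcessor.evalImmediate(definition.responseType()).trim().split(SPACE_SEPARATOR))
                .map(value -> value.toLowerCase(Locale.ROOT))
                .sorted()
                .collect(Collectors.joining(SPACE_SEPARATOR));
        String responseMode = AnnotationELPProcessor.evalImmediate(definition.responseMode());
        String display = AnnotationELPProcessor.evalImmediate(definition.display().toString().toLowerCase(Locale.ROOT));
        String configuredPrompt = Arrays.stream(definition.prompt())
                .map(type -> type.toString().toLowerCase(Locale.ROOT))
                .collect(Collectors.joining(SPACE_SEPARATOR));
        String prompt = (String) AnnotationELPProcessor.evalImmediate(definition.promptExpression(), configuredPrompt);

        Map<String, String> extraParameters = new HashMap<>();
        for (String extraParameter : definition.extraParameters()) {
            // Limit 2 keeps '=' characters that belong to the value and keeps an empty value.
            String[] parts = extraParameter.split("=", 2);
            if (parts.length != 2) {
                throw new IllegalStateException("extraParameters entry must have the form key=value: " + extraParameter);
            }
            extraParameters.put(parts[0], parts[1]);
        }

        boolean useNonce = AnnotationELPProcessor.evalImmediate(definition.useNonceExpression(), definition.useNonce());
        boolean useSession = AnnotationELPProcessor.evalImmediate(definition.useSessionExpression(), definition.useSession());
        boolean redirectToOriginalResource = AnnotationELPProcessor.evalImmediate(definition.redirectToOriginalResourceExpression(), definition.redirectToOriginalResource());
        int jwksConnectTimeout = AnnotationELPProcessor.evalImmediate(definition.jwksConnectTimeoutExpression(), definition.jwksConnectTimeout());

        OpenIdConfiguration configuration = new OpenIdConfiguration()
                .setProviderMetadata(new OpenIdProviderData(document)
                        .setAuthorizationEndpoint(authorizationEndpoint)
                        .setTokenEndpoint(tokenEndpoint)
                        .setUserinfoEndpoint(userinfoEndpoint)
                        .setEndSessionEndpoint(endSessionEndpoint)
                        .setJwksURL(jwksUrl)
                        .setIssuer(issuer)
                        .setResponseTypeSupported(new HashSet<>(responseTypesSupported))
                        .setIdTokenSigningAlgorithmsSupported(new HashSet<>(signingAlgorithmsSupported))
                        .setSubjectTypesSupported(new HashSet<>(subjectTypesSupported)))
                .setClaimsConfiguration(new ClaimsConfiguration()
                        .setCallerNameClaim(AnnotationELPProcessor.evalImmediate(definition.claimsDefinition().callerNameClaim()))
                        .setCallerGroupsClaim(AnnotationELPProcessor.evalImmediate(definition.claimsDefinition().callerGroupsClaim())))
                .setLogoutConfiguration(new LogoutConfiguration()
                        .setNotifyProvider(AnnotationELPProcessor.evalImmediate(definition.logout().notifyProviderExpression(), definition.logout().notifyProvider()))
                        .setRedirectURI(AnnotationELPProcessor.evalImmediate(definition.logout().redirectURI()))
                        .setAccessTokenExpiry(AnnotationELPProcessor.evalImmediate(definition.logout().accessTokenExpiryExpression(), definition.logout().accessTokenExpiry()))
                        .setIdentityTokenExpiry(AnnotationELPProcessor.evalImmediate(definition.logout().identityTokenExpiryExpression(), definition.logout().identityTokenExpiry())))
                .setClientId(clientId)
                .setClientSecret(clientSecret)
                .setRedirectURI(redirectUri)
                .setRedirectToOriginalResource(redirectToOriginalResource)
                .setScopes(scopes)
                .setResponseType(responseType)
                .setResponseMode(responseMode)
                .setExtraParameters(extraParameters)
                .setPrompt(prompt)
                .setDisplay(display)
                .setUseNonce(useNonce)
                .setUseSession(useSession)
                .setJwksConnectTimeout(jwksConnectTimeout)
                .setJwksReadTimeout(AnnotationELPProcessor.evalImmediate(definition.jwksReadTimeoutExpression(), definition.jwksReadTimeout()))
                .setTokenAutoRefresh(AnnotationELPProcessor.evalImmediate(definition.tokenAutoRefreshExpression(), definition.tokenAutoRefresh()))
                .setTokenMinValidity(AnnotationELPProcessor.evalImmediate(definition.tokenMinValidityExpression(), definition.tokenMinValidity()));
        validateConfiguration(configuration);
        return configuration;
    }

    /**
     * Resolves one provider metadata value.
     *
     * <p>The discovery document is consulted only when the configured value is empty and the
     * document has the key; otherwise the configured value is used, even when it is empty.
     *
     * @param configured the value from the definition's provider metadata
     * @param document the provider's discovery document
     * @param key the discovery document key for this value
     * @return the resolved value after {@code evalImmediate}
     */
    private static String metadataValue(String configured, JsonObject document, String key) {
        if (Utils.isEmpty(configured) && document.containsKey(key)) {
            // NOTE(review): the document value goes through evalImmediate exactly like an
            // annotation attribute. If that helper evaluates expression syntax found in its
            // argument, text supplied by the remote provider would be interpreted as an
            // expression; confirm, and prefer using the document string verbatim.
            return AnnotationELPProcessor.evalImmediate(document.getString(key));
        }
        return AnnotationELPProcessor.evalImmediate(configured);
    }

    /**
     * Resolves one of the provider's "supported values" lists.
     *
     * @param document the provider's discovery document
     * @param key the discovery document key holding a JSON array of strings
     * @param configured comma-separated fallback from the definition, used when the document
     *        has no usable list for the key
     * @return the document's values, or the trimmed entries of the configured fallback
     */
    private static List<String> supportedValues(JsonObject document, String key, String configured) {
        List<String> fromDocument = document.containsKey(key)
                ? document.getJsonArray(key).getValuesAs(JsonString::getString)
                : null;
        if (!Utils.isEmpty(fromDocument)) {
            return fromDocument;
        }
        return Arrays.stream(AnnotationELPProcessor.evalImmediate(configured).split(","))
                .map(String::trim)
                .collect(Collectors.toList());
    }

    /**
     * Runs the provider and client checks and reports all findings at once.
     *
     * @param configuration the configuration to check
     * @throws IllegalStateException if any check reported a problem; the message is the
     *         string form of the list of problems
     */
    private void validateConfiguration(OpenIdConfiguration configuration) {
        List<String> errors = new ArrayList<>();
        errors.addAll(validateProviderMetadata(configuration));
        errors.addAll(validateClientConfiguration(configuration));
        if (!errors.isEmpty()) {
            throw new IllegalStateException(errors.toString());
        }
    }

    /**
     * Checks that the mandatory provider metadata is present.
     *
     * @param configuration the configuration to check
     * @return one message per missing item; empty when everything is present
     */
    private List<String> validateProviderMetadata(OpenIdConfiguration configuration) {
        List<String> errors = new ArrayList<>();
        if (Utils.isEmpty(configuration.getProviderMetadata().getIssuerURI())) {
            errors.add("issuer metadata is mandatory");
        }
        if (Utils.isEmpty(configuration.getProviderMetadata().getAuthorizationEndpoint())) {
            errors.add("authorization_endpoint metadata is mandatory");
        }
        if (Utils.isEmpty(configuration.getProviderMetadata().getTokenEndpoint())) {
            errors.add("token_endpoint metadata is mandatory");
        }
        if (configuration.getProviderMetadata().getJwksURL() == null) {
            errors.add("jwks_uri metadata is mandatory");
        }
        if (configuration.getProviderMetadata().getResponseTypeSupported().isEmpty()) {
            errors.add("response_types_supported metadata is mandatory");
        }
        if (configuration.getProviderMetadata().getSubjectTypesSupported().isEmpty()) {
            errors.add("subject_types_supported metadata is mandatory");
        }
        if (configuration.getProviderMetadata().getIdTokenSigningAlgorithmsSupported().isEmpty()) {
            errors.add("id_token_signing_alg_values_supported metadata is mandatory");
        }
        return errors;
    }

    /**
     * Checks the client-side settings: client id, redirect URI, JWKS timeouts, response type
     * and requested scopes.
     *
     * @param configuration the configuration to check
     * @return one message per problem found; empty when the settings are acceptable
     */
    private List<String> validateClientConfiguration(OpenIdConfiguration configuration) {
        List<String> errors = new ArrayList<>();
        if (Utils.isEmpty(configuration.getClientId())) {
            errors.add("client_id request parameter is mandatory");
        }
        if (Utils.isEmpty(configuration.getRedirectURI())) {
            errors.add("redirect_uri request parameter is mandatory");
        }
        if (configuration.getJwksConnectTimeout() <= 0) {
            errors.add("jwksConnectTimeout value is not valid");
        }
        if (configuration.getJwksReadTimeout() <= 0) {
            errors.add("jwksReadTimeout value is not valid");
        }
        // NOTE(review): the response type is rejected only when it is in none of the four sets,
        // so a value from one of the standard flow sets passes even when the provider does not
        // list it in response_types_supported. Confirm that is intended.
        if (Utils.isEmpty(configuration.getResponseType())) {
            errors.add("The response type must contain at least one value");
        } else if (!configuration.getProviderMetadata().getResponseTypeSupported().contains(configuration.getResponseType()) && !OpenIdConstant.AUTHORIZATION_CODE_FLOW_TYPES.contains(configuration.getResponseType()) && !OpenIdConstant.IMPLICIT_FLOW_TYPES.contains(configuration.getResponseType()) && !OpenIdConstant.HYBRID_FLOW_TYPES.contains(configuration.getResponseType())) {
            errors.add("Unsupported OpenID Connect response type value : " + configuration.getResponseType());
        }
        // Requested scopes are checked only when the provider advertises a scope list.
        Set<String> scopesSupported = configuration.getProviderMetadata().getScopesSupported();
        if (!scopesSupported.isEmpty()) {
            for (String scope : configuration.getScopes().split(" ")) {
                if (!scopesSupported.contains(scope)) {
                    errors.add(String.format("%s scope is not supported by %s OpenId Connect provider", scope, configuration.getProviderMetadata().getIssuerURI()));
                }
            }
        }
        return errors;
    }
}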
