package org.apache.cxf.rs.security.oidc.idp;

import java.util.LinkedList;
import java.util.List;
import java.util.Properties;
import org.apache.cxf.jaxrs.client.WebClient;
import org.apache.cxf.jaxrs.utils.JAXRSUtils;
import org.apache.cxf.message.Message;
import org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm;
import org.apache.cxf.rs.security.jose.jws.JwsUtils;
import org.apache.cxf.rs.security.jose.jwt.JwtToken;
import org.apache.cxf.rs.security.oauth2.common.Client;
import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken;
import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
import org.apache.cxf.rs.security.oauth2.provider.AccessTokenResponseFilter;
import org.apache.cxf.rs.security.oauth2.provider.OAuthServerJoseJwtProducer;
import org.apache.cxf.rs.security.oauth2.utils.OAuthUtils;
import org.apache.cxf.rs.security.oidc.common.IdToken;
import org.apache.cxf.rs.security.oidc.utils.OidcUtils;

/* loaded from: input_file:org/apache/cxf/rs/security/oidc/idp/IdTokenResponseFilter.class */
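/**
 * Access-token response filter that attaches an OpenID Connect {@code id_token}
 * parameter to the client response when the approved scope contains {@code openid}.
 *
 * <p>The ID token is taken, in order of precedence, from a configured
 * {@link IdTokenProvider}, from a pre-built {@code id_token} property on the user
 * subject, or from the {@link IdToken} carried by an {@link OidcUserSubject}. It is
 * then signed/encrypted either locally (superclass behaviour) or by posting it to a
 * remote key service when one is configured via {@link #setKeyServiceClient(WebClient)}.
 */
public class IdTokenResponseFilter extends OAuthServerJoseJwtProducer implements AccessTokenResponseFilter {
    /** Response parameter name and subject-property key for the serialized ID token. */
    private static final String ID_TOKEN = "id_token";
    /** Grant type value under which a "code token" response carries no ID token. */
    private static final String IMPLICIT_GRANT = "implicit";
    /** Exchange key under which the current authorization code may be stored. */
    private static final String EXCHANGE_CODE = "code";
    /** Query parameter naming the key operations requested from the key service. */
    private static final String KEY_OPS_PARAM = "key_ops";

    /** Optional source of freshly built ID tokens; when null the subject is consulted instead. */
    private IdTokenProvider idTokenProvider;
    /** Optional remote key service used to sign/encrypt the token instead of the superclass. */
    private WebClient keyServiceClient;

    /**
     * Adds the {@code id_token} parameter to {@code clientAccessToken} when applicable.
     *
     * @param clientAccessToken the response token returned to the client; receives the parameter
     * @param serverAccessToken the server-side token describing the grant, client and subject
     */
    public void process(ClientAccessToken clientAccessToken, ServerAccessToken serverAccessToken) {
        // A "code token" response issued under the implicit grant carries no ID token.
        String responseType = serverAccessToken.getResponseType();
        if (responseType != null
            && OidcUtils.CODE_AT_RESPONSE_TYPE.equals(responseType)
            && IMPLICIT_GRANT.equals(serverAccessToken.getGrantType())) {
            return;
        }
        // Only issue an ID token when the client was granted the "openid" scope.
        // NOTE(review): this is a substring test on the approved-scope string, so any scope
        // value that merely contains "openid" would satisfy it — confirm the scope vocabulary.
        String approvedScope = clientAccessToken.getApprovedScope();
        if (approvedScope == null || !approvedScope.contains(OidcUtils.OPENID_SCOPE)) {
            return;
        }
        String processedIdToken = getProcessedIdToken(serverAccessToken);
        if (processedIdToken != null) {
            clientAccessToken.getParameters().put(ID_TOKEN, processedIdToken);
        }
    }

    /**
     * Builds and serializes the ID token for {@code serverAccessToken}.
     *
     * <p>Sources, in order of precedence:
     * <ol>
     *   <li>the configured {@link IdTokenProvider}: a new token is built for the requesting
     *       client and subject, then at_hash/c_hash/nonce are filled in;</li>
     *   <li>an {@code id_token} string stored in the subject's properties: returned as-is,
     *       so it is neither re-processed nor re-targeted to this client here;</li>
     *   <li>the {@link IdToken} carried by an {@link OidcUserSubject}: wrapped in a new
     *       {@link IdToken} whose audience and authorized party are set to this client.</li>
     * </ol>
     *
     * @return the processed (signed/encrypted) ID token, or {@code null} when none is available
     */
    private String getProcessedIdToken(ServerAccessToken serverAccessToken) {
        String clientId = serverAccessToken.getClient().getClientId();
        if (this.idTokenProvider != null) {
            IdToken idToken = this.idTokenProvider.getIdToken(
                clientId,
                serverAccessToken.getSubject(),
                OAuthUtils.convertPermissionsToScopeList(serverAccessToken.getScopes()));
            setAtHashAndNonce(idToken, serverAccessToken);
            return processJwt(new JwtToken(idToken), serverAccessToken.getClient());
        }
        if (serverAccessToken.getSubject().getProperties().containsKey(ID_TOKEN)) {
            // Pre-built token: passed through untouched (no hashes, nonce or client re-targeting).
            return (String) serverAccessToken.getSubject().getProperties().get(ID_TOKEN);
        }
        if (!(serverAccessToken.getSubject() instanceof OidcUserSubject)) {
            return null;
        }
        OidcUserSubject oidcUserSubject = (OidcUserSubject) serverAccessToken.getSubject();
        if (oidcUserSubject.getIdToken() == null) {
            return null;
        }
        IdToken idToken = new IdToken(oidcUserSubject.getIdToken());
        // Re-target the subject's token to the client that is receiving this response.
        idToken.setAudience(clientId);
        idToken.setAuthorizedParty(clientId);
        setAtHashAndNonce(idToken, serverAccessToken);
        return processJwt(new JwtToken(idToken), serverAccessToken.getClient());
    }

    /**
     * Fills in the {@code at_hash}, {@code c_hash} and {@code nonce} claims where required
     * and not already present.
     *
     * <p>at_hash is required unless the response type is a bare {@code id_token}; c_hash is
     * required for the response types that return a code alongside the ID token. Both are
     * sized by the signature algorithm, so nothing is set when that algorithm is {@code none}.
     *
     * @param idToken the token to update in place
     * @param serverAccessToken the token whose key, grant code, response type and nonce are used
     */
    private void setAtHashAndNonce(IdToken idToken, ServerAccessToken serverAccessToken) {
        String responseType = serverAccessToken.getResponseType();
        boolean needsAtHash = idToken.getAccessTokenHash() == null
            && (responseType == null || !responseType.equals(ID_TOKEN));
        boolean needsCodeHash = idToken.getAuthorizationCodeHash() == null
            && responseType != null
            && (responseType.equals(OidcUtils.CODE_ID_TOKEN_AT_RESPONSE_TYPE)
                || responseType.equals(OidcUtils.CODE_ID_TOKEN_RESPONSE_TYPE));
        Message currentMessage = JAXRSUtils.getCurrentMessage();

        if (needsAtHash || needsCodeHash) {
            Properties signatureProps = JwsUtils.loadSignatureOutProperties(false);
            SignatureAlgorithm signatureAlgorithm = super.isSignWithClientSecret()
                ? OAuthUtils.getClientSecretSignatureAlgorithm(signatureProps)
                : JwsUtils.getSignatureAlgorithm(signatureProps, SignatureAlgorithm.RS256);
            if (signatureAlgorithm != SignatureAlgorithm.NONE) {
                if (needsAtHash) {
                    // NOTE(review): the hash is computed over getTokenKey(); if the value actually
                    // handed to the client differs from it, at_hash will not validate — confirm.
                    idToken.setAccessTokenHash(
                        OidcUtils.calculateAccessTokenHash(serverAccessToken.getTokenKey(), signatureAlgorithm));
                }
                if (needsCodeHash) {
                    String grantCode = resolveGrantCode(serverAccessToken, currentMessage);
                    if (grantCode != null) {
                        idToken.setAuthorizationCodeHash(
                            OidcUtils.calculateAuthorizationCodeHash(grantCode, signatureAlgorithm));
                    }
                }
            }
        }

        // A nonce present on the current exchange wins over the one stored with the token.
        if (currentMessage != null && currentMessage.getExchange().containsKey(IdToken.NONCE_CLAIM)) {
            idToken.setNonce((String) currentMessage.getExchange().get(IdToken.NONCE_CLAIM));
        } else if (serverAccessToken.getNonce() != null) {
            idToken.setNonce(serverAccessToken.getNonce());
        }
    }

    /**
     * Returns the authorization code to hash: the one recorded on the token, else the one
     * stored on the current exchange, else {@code null}.
     *
     * <p>The exchange lookup tolerates a missing current message; the previous code
     * dereferenced it unconditionally here while the nonce lookup already guarded against
     * null, which could raise a NullPointerException outside a request context.
     */
    private static String resolveGrantCode(ServerAccessToken serverAccessToken, Message currentMessage) {
        if (serverAccessToken.getGrantCode() != null) {
            return serverAccessToken.getGrantCode();
        }
        if (currentMessage == null) {
            return null;
        }
        return (String) currentMessage.getExchange().get(EXCHANGE_CODE);
    }

    /**
     * Sets the provider used to build fresh ID tokens.
     *
     * @param idTokenProvider the provider, or {@code null} to derive the token from the subject
     */
    public void setIdTokenProvider(IdTokenProvider idTokenProvider) {
        this.idTokenProvider = idTokenProvider;
    }

    /**
     * Signs and/or encrypts the token, delegating to the remote key service when one is
     * configured and to the superclass otherwise.
     *
     * @param jwtToken the token to process
     * @param client the client the token is issued to (used by the local path only)
     * @return the serialized token as returned by the key service or the superclass
     */
    public String processJwt(JwtToken jwtToken, Client client) {
        if (this.keyServiceClient == null) {
            return super.processJwt(jwtToken, client);
        }
        // Advertise which operations the key service must perform; sent as a multi-valued query parameter.
        List<String> keyOperations = new LinkedList<>();
        if (super.isJwsRequired()) {
            keyOperations.add("sign");
        }
        if (super.isJweRequired()) {
            keyOperations.add("encrypt");
        }
        // NOTE(review): resetQuery()/query() mutate the shared WebClient; concurrent responses
        // could interleave unless the client is configured for thread-safe use — confirm.
        this.keyServiceClient.resetQuery();
        this.keyServiceClient.query(KEY_OPS_PARAM, keyOperations);
        return this.keyServiceClient.post(jwtToken, String.class);
    }

    /**
     * Sets the client for a remote key service that signs/encrypts the token.
     *
     * @param webClient the key service client, or {@code null} to process tokens locally
     */
    public void setKeyServiceClient(WebClient webClient) {
        this.keyServiceClient = webClient;
    }
}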
