package org.keycloak.protocol.oid4vc.issuance;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.google.zxing.BarcodeFormat;
import com.google.zxing.WriterException;
import com.google.zxing.client.j2se.MatrixToImageWriter;
import com.google.zxing.common.BitMatrix;
import com.google.zxing.qrcode.QRCodeWriter;
import jakarta.ws.rs.BadRequestException;
import jakarta.ws.rs.Consumes;
import jakarta.ws.rs.DefaultValue;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.POST;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.PathParam;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.QueryParam;
import jakarta.ws.rs.WebApplicationException;
import jakarta.ws.rs.core.Response;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.net.URI;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import org.jboss.logging.Logger;
import org.keycloak.common.util.SecretGenerator;
import org.keycloak.models.AuthenticatedClientSessionModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.ProtocolMapper;
import org.keycloak.protocol.oid4vc.OID4VCClientRegistrationProvider;
import org.keycloak.protocol.oid4vc.OID4VCLoginProtocolFactory;
import org.keycloak.protocol.oid4vc.issuance.mappers.OID4VCMapper;
import org.keycloak.protocol.oid4vc.issuance.signing.VerifiableCredentialsSigningService;
import org.keycloak.protocol.oid4vc.model.CredentialOfferURI;
import org.keycloak.protocol.oid4vc.model.CredentialRequest;
import org.keycloak.protocol.oid4vc.model.CredentialResponse;
import org.keycloak.protocol.oid4vc.model.CredentialsOffer;
import org.keycloak.protocol.oid4vc.model.ErrorResponse;
import org.keycloak.protocol.oid4vc.model.ErrorType;
import org.keycloak.protocol.oid4vc.model.Format;
import org.keycloak.protocol.oid4vc.model.OID4VCClient;
import org.keycloak.protocol.oid4vc.model.OfferUriType;
import org.keycloak.protocol.oid4vc.model.PreAuthorizedCode;
import org.keycloak.protocol.oid4vc.model.PreAuthorizedGrant;
import org.keycloak.protocol.oid4vc.model.SupportedCredentialConfiguration;
import org.keycloak.protocol.oid4vc.model.VerifiableCredential;
import org.keycloak.protocol.oidc.grants.PreAuthorizedCodeGrantType;
import org.keycloak.services.managers.AppAuthManager;
import org.keycloak.services.managers.AuthenticationManager;
import org.keycloak.services.util.DPoPUtil;
import org.keycloak.userprofile.DeclarativeUserProfileProviderFactory;
import org.keycloak.utils.MediaType;

/* loaded from: input_file:org/keycloak/protocol/oid4vc/issuance/OID4VCIssuerEndpoint.class */
public class OID4VCIssuerEndpoint {
    private static final Logger LOGGER = Logger.getLogger(OID4VCIssuerEndpoint.class);
    public static final String CREDENTIAL_PATH = "credential";
    public static final String CREDENTIAL_OFFER_PATH = "credential-offer/";
    public static final String RESPONSE_TYPE_IMG_PNG = "image/png";
    private final KeycloakSession session;
    private final AppAuthManager.BearerTokenAuthenticator bearerTokenAuthenticator;
    private final ObjectMapper objectMapper;
    private final TimeProvider timeProvider;
    private final String issuerDid;
    private final int preAuthorizedCodeLifeSpan;
    private final Map<Format, VerifiableCredentialsSigningService> signingServices;

    /* renamed from: org.keycloak.protocol.oid4vc.issuance.OID4VCIssuerEndpoint$1, reason: invalid class name */
    /* loaded from: input_file:org/keycloak/protocol/oid4vc/issuance/OID4VCIssuerEndpoint$1.class */
    static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$org$keycloak$protocol$oid4vc$model$OfferUriType;
        static final /* synthetic */ int[] $SwitchMap$org$keycloak$protocol$oid4vc$model$Format = new int[Format.values().length];

        static {
            try {
                $SwitchMap$org$keycloak$protocol$oid4vc$model$Format[Format.LDP_VC.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$org$keycloak$protocol$oid4vc$model$Format[Format.JWT_VC.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$org$keycloak$protocol$oid4vc$model$Format[Format.SD_JWT_VC.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
            }
            $SwitchMap$org$keycloak$protocol$oid4vc$model$OfferUriType = new int[OfferUriType.values().length];
            try {
                $SwitchMap$org$keycloak$protocol$oid4vc$model$OfferUriType[OfferUriType.URI.ordinal()] = 1;
            } catch (NoSuchFieldError e4) {
            }
            try {
                $SwitchMap$org$keycloak$protocol$oid4vc$model$OfferUriType[OfferUriType.QR_CODE.ordinal()] = 2;
            } catch (NoSuchFieldError e5) {
            }
        }
    }

    public OID4VCIssuerEndpoint(KeycloakSession keycloakSession, String str, Map<Format, VerifiableCredentialsSigningService> map, AppAuthManager.BearerTokenAuthenticator bearerTokenAuthenticator, ObjectMapper objectMapper, TimeProvider timeProvider, int i) {
        this.session = keycloakSession;
        this.bearerTokenAuthenticator = bearerTokenAuthenticator;
        this.objectMapper = objectMapper;
        this.timeProvider = timeProvider;
        this.issuerDid = str;
        this.signingServices = map;
        this.preAuthorizedCodeLifeSpan = i;
    }

    @Produces({MediaType.APPLICATION_JSON, RESPONSE_TYPE_IMG_PNG})
    @GET
    @Path("credential-offer-uri")
    public Response getCredentialOfferURI(@QueryParam("credential_configuration_id") String str, @QueryParam("type") @DefaultValue("uri") OfferUriType offerUriType, @QueryParam("width") @DefaultValue("200") int i, @QueryParam("height") @DefaultValue("200") int i2) {
        AuthenticatedClientSessionModel authenticatedClientSession = getAuthenticatedClientSession();
        Map<String, SupportedCredentialConfiguration> supportedCredentials = OID4VCIssuerWellKnownProvider.getSupportedCredentials(this.session);
        LOGGER.debugf("Get an offer for %s", str);
        if (!supportedCredentials.containsKey(str)) {
            LOGGER.debugf("No credential with id %s exists.", str);
            LOGGER.debugf("Supported credentials are %s.", supportedCredentials);
            throw new BadRequestException(getErrorResponse(ErrorType.INVALID_CREDENTIAL_REQUEST));
        }
        SupportedCredentialConfiguration supportedCredentialConfiguration = supportedCredentials.get(str);
        if (getClientsOfType(supportedCredentialConfiguration.getScope(), supportedCredentialConfiguration.getFormat()).isEmpty()) {
            LOGGER.debugf("No OID4VP-Client supporting type %s registered.", supportedCredentialConfiguration.getScope());
            throw new BadRequestException(getErrorResponse(ErrorType.UNSUPPORTED_CREDENTIAL_TYPE));
        }
        String generateNonce = generateNonce();
        try {
            authenticatedClientSession.setNote(generateNonce, this.objectMapper.writeValueAsString(supportedCredentialConfiguration));
            switch (AnonymousClass1.$SwitchMap$org$keycloak$protocol$oid4vc$model$OfferUriType[offerUriType.ordinal()]) {
                case DeclarativeUserProfileProviderFactory.PROVIDER_PRIORITY /* 1 */:
                    return getOfferUriAsUri(generateNonce);
                case DPoPUtil.DEFAULT_ALLOWED_CLOCK_SKEW /* 2 */:
                    return getOfferUriAsQr(generateNonce, i, i2);
                default:
                    throw new IncompatibleClassChangeError();
            }
        } catch (JsonProcessingException e) {
            LOGGER.errorf("Could not convert Supported Credential POJO to JSON: %s", e.getMessage());
            throw new BadRequestException(getErrorResponse(ErrorType.INVALID_CREDENTIAL_REQUEST));
        }
    }

    private Response getOfferUriAsUri(String str) {
        return Response.ok().type(MediaType.APPLICATION_JSON).entity(new CredentialOfferURI().setIssuer(OID4VCIssuerWellKnownProvider.getIssuer(this.session.getContext()) + "/protocol/oid4vc/credential-offer/").setNonce(str)).build();
    }

    private Response getOfferUriAsQr(String str, int i, int i2) {
        try {
            BitMatrix encode = new QRCodeWriter().encode("openid-credential-offer://?credential_offer_uri=" + URLEncoder.encode(OID4VCIssuerWellKnownProvider.getIssuer(this.session.getContext()) + "/protocol/oid4vc/credential-offer/" + str, StandardCharsets.UTF_8), BarcodeFormat.QR_CODE, i, i2);
            ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
            MatrixToImageWriter.writeToStream(encode, "png", byteArrayOutputStream);
            return Response.ok().type(RESPONSE_TYPE_IMG_PNG).entity(byteArrayOutputStream.toByteArray()).build();
        } catch (WriterException | IOException e) {
            LOGGER.warnf("Was not able to create a qr code of dimension %s:%s.", Integer.valueOf(i), Integer.valueOf(i2), e);
            return Response.status(Response.Status.INTERNAL_SERVER_ERROR).entity("Was not able to generate qr.").build();
        }
    }

    @Produces({MediaType.APPLICATION_JSON})
    @GET
    @Path("credential-offer/{nonce}")
    public Response getCredentialOffer(@PathParam("nonce") String str) {
        if (str == null) {
            throw new BadRequestException(getErrorResponse(ErrorType.INVALID_CREDENTIAL_REQUEST));
        }
        AuthenticatedClientSessionModel authenticatedClientSession = getAuthenticatedClientSession();
        String note = authenticatedClientSession.getNote(str);
        if (note == null) {
            throw new BadRequestException(getErrorResponse(ErrorType.INVALID_CREDENTIAL_REQUEST));
        }
        try {
            SupportedCredentialConfiguration supportedCredentialConfiguration = (SupportedCredentialConfiguration) this.objectMapper.readValue(note, SupportedCredentialConfiguration.class);
            LOGGER.debugf("Creating an offer for %s - %s", supportedCredentialConfiguration.getScope(), supportedCredentialConfiguration.getFormat());
            authenticatedClientSession.removeNote(str);
            CredentialsOffer grants = new CredentialsOffer().setCredentialIssuer(OID4VCIssuerWellKnownProvider.getIssuer(this.session.getContext())).setCredentialConfigurationIds(List.of(supportedCredentialConfiguration.getId())).setGrants(new PreAuthorizedGrant().setPreAuthorizedCode(new PreAuthorizedCode().setPreAuthorizedCode(generateAuthorizationCodeForClientSession(authenticatedClientSession))));
            LOGGER.debugf("Responding with offer: %s", grants);
            return Response.ok().entity(grants).build();
        } catch (JsonProcessingException e) {
            LOGGER.errorf("Could not convert SupportedCredential JSON to POJO: %s", e);
            throw new BadRequestException(getErrorResponse(ErrorType.INVALID_CREDENTIAL_REQUEST));
        }
    }

    @Produces({MediaType.APPLICATION_JSON})
    @POST
    @Path(CREDENTIAL_PATH)
    @Consumes({MediaType.APPLICATION_JSON})
    public Response requestCredential(CredentialRequest credentialRequest) {
        LOGGER.debugf("Received credentials request %s.", credentialRequest);
        UserSessionModel userSessionModel = getUserSessionModel();
        Format format = credentialRequest.getFormat();
        String credentialIdentifier = credentialRequest.getCredentialIdentifier();
        SupportedCredentialConfiguration supportedCredentialConfiguration = (SupportedCredentialConfiguration) Optional.ofNullable(OID4VCIssuerWellKnownProvider.getSupportedCredentials(this.session).get(credentialIdentifier)).orElseThrow(() -> {
            LOGGER.debugf("Unsupported credential %s was requested.", credentialIdentifier);
            return new BadRequestException(getErrorResponse(ErrorType.UNSUPPORTED_CREDENTIAL_TYPE));
        });
        if (!supportedCredentialConfiguration.getFormat().equals(format)) {
            LOGGER.debugf("Format %s is not supported for credential %s.", format, credentialIdentifier);
            throw new BadRequestException(getErrorResponse(ErrorType.UNSUPPORTED_CREDENTIAL_FORMAT));
        }
        CredentialResponse credentialResponse = new CredentialResponse();
        Object credential = getCredential(userSessionModel, supportedCredentialConfiguration.getScope(), credentialRequest.getFormat());
        switch (AnonymousClass1.$SwitchMap$org$keycloak$protocol$oid4vc$model$Format[format.ordinal()]) {
            case DeclarativeUserProfileProviderFactory.PROVIDER_PRIORITY /* 1 */:
            case DPoPUtil.DEFAULT_ALLOWED_CLOCK_SKEW /* 2 */:
            case 3:
                credentialResponse.setCredential(credential);
                return Response.ok().entity(credentialResponse).build();
            default:
                throw new BadRequestException(getErrorResponse(ErrorType.UNSUPPORTED_CREDENTIAL_TYPE));
        }
    }

    private AuthenticatedClientSessionModel getAuthenticatedClientSession() {
        AuthenticationManager.AuthResult authResult = getAuthResult();
        AuthenticatedClientSessionModel authenticatedClientSessionByClient = authResult.getSession().getAuthenticatedClientSessionByClient(authResult.getClient().getId());
        if (authenticatedClientSessionByClient == null) {
            throw new BadRequestException(getErrorResponse(ErrorType.INVALID_TOKEN));
        }
        return authenticatedClientSessionByClient;
    }

    private UserSessionModel getUserSessionModel() {
        return getAuthResult(new BadRequestException(getErrorResponse(ErrorType.INVALID_TOKEN))).getSession();
    }

    private AuthenticationManager.AuthResult getAuthResult() {
        return getAuthResult(new BadRequestException(getErrorResponse(ErrorType.INVALID_TOKEN)));
    }

    private AuthenticationManager.AuthResult getAuthResult(WebApplicationException webApplicationException) {
        AuthenticationManager.AuthResult authenticate = this.bearerTokenAuthenticator.authenticate();
        if (authenticate == null) {
            throw webApplicationException;
        }
        return authenticate;
    }

    private Object getCredential(UserSessionModel userSessionModel, String str, Format format) {
        VerifiableCredential vCToSign = getVCToSign(getProtocolMappers(getClientsOfType(str, format)).stream().map(protocolMapperModel -> {
            OID4VCMapper provider = this.session.getProvider(ProtocolMapper.class, protocolMapperModel.getProtocolMapper());
            if (provider instanceof OID4VCMapper) {
                ProtocolMapper create = provider.create(this.session);
                if (create instanceof OID4VCMapper) {
                    OID4VCMapper oID4VCMapper = (OID4VCMapper) create;
                    oID4VCMapper.setMapperModel(protocolMapperModel);
                    return oID4VCMapper;
                }
            }
            LOGGER.warnf("The protocol mapper %s is not an instance of OID4VCMapper.", protocolMapperModel.getId());
            return null;
        }).filter((v0) -> {
            return Objects.nonNull(v0);
        }).toList(), str, userSessionModel);
        return Optional.ofNullable(this.signingServices.get(format)).map(verifiableCredentialsSigningService -> {
            return verifiableCredentialsSigningService.signCredential(vCToSign);
        }).orElseThrow(() -> {
            return new IllegalArgumentException(String.format("Requested format %s is not supported.", format));
        });
    }

    private List<ProtocolMapperModel> getProtocolMappers(List<OID4VCClient> list) {
        return list.stream().map((v0) -> {
            return v0.getClientDid();
        }).map(this::getClient).flatMap((v0) -> {
            return v0.getProtocolMappersStream();
        }).toList();
    }

    private String generateNonce() {
        return SecretGenerator.getInstance().randomString();
    }

    private String generateAuthorizationCodeForClientSession(AuthenticatedClientSessionModel authenticatedClientSessionModel) {
        return PreAuthorizedCodeGrantType.getPreAuthorizedCode(this.session, authenticatedClientSessionModel, this.timeProvider.currentTimeSeconds() + this.preAuthorizedCodeLifeSpan);
    }

    private Response getErrorResponse(ErrorType errorType) {
        ErrorResponse errorResponse = new ErrorResponse();
        errorResponse.setError(errorType);
        return Response.status(Response.Status.BAD_REQUEST).entity(errorResponse).build();
    }

    private List<OID4VCClient> getClientsOfType(String str, Format format) {
        LOGGER.debugf("Retrieve all clients of type %s, supporting format %s", str, format.toString());
        if (Optional.ofNullable(str).filter(str2 -> {
            return !str2.isEmpty();
        }).isEmpty()) {
            throw new BadRequestException("No VerifiableCredential-Type was provided in the request.");
        }
        return getOID4VCClientsFromSession().stream().filter(oID4VCClient -> {
            return oID4VCClient.getSupportedVCTypes().stream().anyMatch(supportedCredentialConfiguration -> {
                return supportedCredentialConfiguration.getScope().equals(str);
            });
        }).toList();
    }

    private ClientModel getClient(String str) {
        return this.session.clients().getClientByClientId(this.session.getContext().getRealm(), str);
    }

    private List<OID4VCClient> getOID4VCClientsFromSession() {
        return this.session.clients().getClientsStream(this.session.getContext().getRealm()).filter(clientModel -> {
            return clientModel.getProtocol() != null;
        }).filter(clientModel2 -> {
            return clientModel2.getProtocol().equals(OID4VCLoginProtocolFactory.PROTOCOL_ID);
        }).map(clientModel3 -> {
            return OID4VCClientRegistrationProvider.fromClientAttributes(clientModel3.getClientId(), clientModel3.getAttributes());
        }).toList();
    }

    private VerifiableCredential getVCToSign(List<OID4VCMapper> list, String str, UserSessionModel userSessionModel) {
        VerifiableCredential type = new VerifiableCredential().setIssuer(URI.create(this.issuerDid)).setIssuanceDate(Date.from(Instant.ofEpochMilli(this.timeProvider.currentTimeMillis()))).setType(List.of(str));
        HashMap hashMap = new HashMap();
        list.stream().filter(oID4VCMapper -> {
            return oID4VCMapper.isTypeSupported(str);
        }).forEach(oID4VCMapper2 -> {
            oID4VCMapper2.setClaimsForSubject(hashMap, userSessionModel);
        });
        hashMap.forEach((str2, obj) -> {
            type.getCredentialSubject().setClaims(str2, obj);
        });
        list.stream().filter(oID4VCMapper3 -> {
            return oID4VCMapper3.isTypeSupported(str);
        }).forEach(oID4VCMapper4 -> {
            oID4VCMapper4.setClaimsForCredential(type, userSessionModel);
        });
        LOGGER.debugf("The credential to sign is: %s", type);
        return type;
    }
}
