package io.quarkus.elytron.security.oauth2.runtime;

import io.quarkus.elytron.security.oauth2.runtime.auth.ElytronOAuth2CallerPrincipal;
import io.quarkus.elytron.security.oauth2.runtime.auth.OAuth2Augmentor;
import io.quarkus.runtime.RuntimeValue;
import io.quarkus.runtime.annotations.Recorder;
import io.quarkus.runtime.configuration.ConfigurationException;
import java.io.FileInputStream;
import java.io.IOException;
import java.net.URI;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Map;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import org.wildfly.security.auth.realm.token.TokenSecurityRealm;
import org.wildfly.security.auth.realm.token.validator.OAuth2IntrospectValidator;
import org.wildfly.security.auth.server.SecurityRealm;
import org.wildfly.security.authz.Attributes;

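/* loaded from: input_file:io/quarkus/elytron/security/oauth2/runtime/OAuth2Recorder.class */
/**
 * Runtime recorder for the Elytron OAuth2 extension.
 *
 * <p>Builds the {@link SecurityRealm} that validates bearer tokens by calling the
 * configured OAuth2 token-introspection endpoint, and the {@link OAuth2Augmentor}
 * that maps a token claim to application roles.
 */
@Recorder
public class OAuth2Recorder {

    /** Alias under which the configured CA certificate is stored in the in-memory trust store. */
    private static final String CA_CERT_ALIAS = "caCert";

    /**
     * Creates the token security realm backed by an {@link OAuth2IntrospectValidator}.
     *
     * @param oAuth2RuntimeConfig runtime configuration; {@code client-id}, {@code client-secret}
     *                            and {@code introspection-url} are mandatory
     * @return the realm wrapped as a {@link RuntimeValue}
     * @throws ConfigurationException if a mandatory property is missing, or a configured timeout
     *                                does not fit in an {@code int} number of milliseconds
     * @throws IOException              if the CA certificate file cannot be read
     * @throws CertificateException     if the CA certificate file is not a parsable X.509 certificate
     * @throws NoSuchAlgorithmException if the platform has no TLS / trust-manager support
     * @throws KeyStoreException        if the in-memory trust store cannot be populated
     * @throws KeyManagementException   if the SSL context cannot be initialised
     */
    public RuntimeValue<SecurityRealm> createRealm(OAuth2RuntimeConfig oAuth2RuntimeConfig)
            throws IOException, NoSuchAlgorithmException, CertificateException, KeyStoreException, KeyManagementException {
        if (!oAuth2RuntimeConfig.clientId().isPresent()
                || !oAuth2RuntimeConfig.clientSecret().isPresent()
                || !oAuth2RuntimeConfig.introspectionUrl().isPresent()) {
            throw new ConfigurationException(
                    "client-id, client-secret and introspection-url must be configured when the oauth2 extension is enabled");
        }

        OAuth2IntrospectValidator.Builder validator = OAuth2IntrospectValidator.builder()
                .clientId(oAuth2RuntimeConfig.clientId().get())
                .clientSecret(oAuth2RuntimeConfig.clientSecret().get())
                .tokenIntrospectionUrl(URI.create(oAuth2RuntimeConfig.introspectionUrl().get()).toURL());

        // A configured CA file replaces the JVM default trust store for the introspection call;
        // without one the platform default SSLContext (and its trust anchors) is used.
        if (oAuth2RuntimeConfig.caCertFile().isPresent()) {
            validator.useSslContext(createSSLContext(oAuth2RuntimeConfig));
        } else {
            validator.useSslContext(SSLContext.getDefault());
        }

        // The validator takes timeouts as int milliseconds; reject values that would overflow
        // instead of silently narrowing them to an arbitrary (possibly negative) timeout.
        if (oAuth2RuntimeConfig.connectionTimeout().isPresent()) {
            validator.connectionTimeout(
                    toTimeoutMillis(oAuth2RuntimeConfig.connectionTimeout().get().toMillis(), "connection-timeout"));
        }
        if (oAuth2RuntimeConfig.readTimeout().isPresent()) {
            validator.readTimeout(
                    toTimeoutMillis(oAuth2RuntimeConfig.readTimeout().get().toMillis(), "read-timeout"));
        }

        TokenSecurityRealm realm = TokenSecurityRealm.builder()
                .validator(validator.build())
                .claimToPrincipal(attributes -> new ElytronOAuth2CallerPrincipal(attributesToMap(attributes)))
                .build();
        return new RuntimeValue<>(realm);
    }

    /**
     * Narrows a millisecond timeout to {@code int}, as required by the validator builder.
     *
     * @param millis   timeout in milliseconds
     * @param property configuration property name, used in the error message
     * @return {@code millis} as an {@code int}
     * @throws ConfigurationException if {@code millis} does not fit in an {@code int}
     */
    private static int toTimeoutMillis(long millis, String property) {
        if (millis < Integer.MIN_VALUE || millis > Integer.MAX_VALUE) {
            throw new ConfigurationException(
                    property + " of " + millis + " ms does not fit in an int number of milliseconds");
        }
        return (int) millis;
    }

    /**
     * Flattens the introspection-response attributes into a claims map.
     *
     * <p>Multi-valued attributes are exposed as a {@link java.util.List} of their values;
     * single-valued ones as the bare value. Entries are assumed to be non-empty: an empty
     * entry would make {@code entry.get(0)} fail (NOTE(review): confirm against
     * {@link Attributes.Entry} whether empty entries can occur).
     *
     * @param attributes attributes produced by the token validator
     * @return mutable map keyed by attribute name
     */
    private Map<String, Object> attributesToMap(Attributes attributes) {
        Map<String, Object> claims = new HashMap<>();
        for (Attributes.Entry entry : attributes.entries()) {
            if (entry.size() > 1) {
                claims.put(entry.getKey(), entry.subList(0, entry.size()));
            } else {
                claims.put(entry.getKey(), entry.get(0));
            }
        }
        return claims;
    }

    /**
     * Builds an {@link SSLContext} that trusts only the CA certificate read from
     * {@code ca-cert-file}.
     *
     * <p>Only the first X.509 certificate in the file is used (a file holding a chain or
     * several CAs will have the remaining certificates ignored). No client key material is
     * supplied, so the context is suitable for server authentication only.
     *
     * @param oAuth2RuntimeConfig runtime configuration; {@code caCertFile()} must be present
     * @return an initialised TLS context trusting exactly the configured CA
     * @throws IOException              if the certificate file cannot be read
     * @throws CertificateException     if the file does not contain a parsable X.509 certificate
     * @throws NoSuchAlgorithmException if the platform lacks the default trust-manager algorithm or TLS
     * @throws KeyStoreException        if the in-memory trust store cannot be populated
     * @throws KeyManagementException   if the context cannot be initialised
     */
    private SSLContext createSSLContext(OAuth2RuntimeConfig oAuth2RuntimeConfig)
            throws IOException, CertificateException, NoSuchAlgorithmException, KeyStoreException, KeyManagementException {
        // try-with-resources closes the stream on every path and preserves suppressed exceptions.
        try (FileInputStream caCertStream = new FileInputStream(oAuth2RuntimeConfig.caCertFile().get())) {
            X509Certificate caCert = (X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(caCertStream);

            // An empty in-memory trust store holding only the configured CA; the JVM default
            // trust anchors are deliberately NOT included.
            KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
            trustStore.load(null);
            trustStore.setCertificateEntry(CA_CERT_ALIAS, caCert);

            TrustManagerFactory trustManagerFactory =
                    TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            trustManagerFactory.init(trustStore);

            // "TLS" lets the provider negotiate its enabled protocol versions; null key managers
            // (no client certificate) and null SecureRandom (provider default).
            SSLContext sslContext = SSLContext.getInstance("TLS");
            sslContext.init(null, trustManagerFactory.getTrustManagers(), null);
            return sslContext;
        }
    }

    /**
     * Creates the security-identity augmentor that derives roles from the configured claim.
     *
     * @param oAuth2BuildTimeConfig build-time configuration supplying {@code roleClaim()}
     * @return the augmentor wrapped as a {@link RuntimeValue}
     */
    public RuntimeValue<OAuth2Augmentor> augmentor(OAuth2BuildTimeConfig oAuth2BuildTimeConfig) {
        return new RuntimeValue<>(new OAuth2Augmentor(oAuth2BuildTimeConfig.roleClaim()));
    }
}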
