package net.optionfactory.keycloak.apple;

import java.io.IOException;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
import java.util.concurrent.atomic.AtomicReference;
import javax.ws.rs.FormParam;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.Response;
import org.keycloak.broker.oidc.OIDCIdentityProvider;
import org.keycloak.broker.oidc.OIDCIdentityProviderConfig;
import org.keycloak.broker.provider.BrokeredIdentityContext;
import org.keycloak.broker.provider.IdentityProvider;
import org.keycloak.broker.provider.util.SimpleHttp;
import org.keycloak.broker.social.SocialIdentityProvider;
import org.keycloak.common.util.Time;
import org.keycloak.crypto.KeyWrapper;
import org.keycloak.crypto.ServerECDSASignatureSignerContext;
import org.keycloak.events.EventBuilder;
import org.keycloak.jose.jws.JWSBuilder;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.representations.JsonWebToken;
import org.keycloak.util.JsonSerialization;

/* loaded from: input_file:net/optionfactory/keycloak/apple/AppleIdentityProvider.class */
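/**
 * "Sign in with Apple" identity provider for Keycloak, built on the generic OIDC provider.
 *
 * <p>Differences from plain OIDC that this class handles:
 * <ul>
 *   <li>Apple delivers the authorization response as a {@code form_post}; {@link AppleOidcEndpoint}
 *       accepts the POST and captures the extra {@code user} form field.</li>
 *   <li>Apple requires the token-endpoint {@code client_secret} to be a short-lived ES256 JWT signed
 *       with the configured private key rather than a static string; see
 *       {@link #authenticateTokenRequest(SimpleHttp)}.</li>
 * </ul>
 */
public class AppleIdentityProvider extends OIDCIdentityProvider implements SocialIdentityProvider<OIDCIdentityProviderConfig> {

    /** Lifetime, in seconds, of the self-signed client-secret JWT sent to Apple's token endpoint. */
    private static final long CLIENT_SECRET_LIFETIME_SECONDS = 900L;

    /** Audience Apple expects on the client-secret JWT. */
    private static final String APPLE_AUDIENCE = "https://appleid.apple.com";

    /**
     * Raw {@code user} form field from the most recent form_post callback, handed from
     * {@link AppleOidcEndpoint#authResponse(String, String, String, String)} to
     * {@link #getFederatedIdentity(String)}.
     *
     * <p>NOTE(review): this is one reference per provider instance, not per request. If the same
     * provider instance serves overlapping callbacks (verify against how Keycloak instantiates it),
     * one login could read another's value; request-scoped state would be the robust fix.
     * {@link #getFederatedIdentity(String)} consumes the value so at least a stale blob is never
     * re-applied to a later login on the same instance.
     */
    private final AtomicReference<String> userJsonRef;

    /**
     * JAX-RS endpoint for Apple's callback. Apple posts the authorization response
     * ({@code response_mode=form_post}), so the POST variant of {@code authResponse} is added here;
     * the remaining overrides only re-expose the base endpoint's routes on this public class.
     */
    public class AppleOidcEndpoint extends OIDCIdentityProvider.OIDCEndpoint {
        private final AtomicReference<String> userJson;

        /**
         * @param authenticationCallback Keycloak's broker callback
         * @param realmModel             realm the login belongs to
         * @param eventBuilder           event sink for the login
         * @param atomicReference        shared holder that receives the raw {@code user} form field
         * @param appleIdentityProvider  kept for signature compatibility; the enclosing instance is
         *                               what the base endpoint is bound to, so this argument is unused
         */
        public AppleOidcEndpoint(IdentityProvider.AuthenticationCallback authenticationCallback, RealmModel realmModel, EventBuilder eventBuilder, AtomicReference<String> atomicReference, AppleIdentityProvider appleIdentityProvider) {
            super(authenticationCallback, realmModel, eventBuilder);
            this.userJson = atomicReference;
        }

        /**
         * Handles Apple's form_post authorization response.
         *
         * @param state OAuth state parameter
         * @param code  authorization code
         * @param user  optional JSON blob with the user's name and e-mail; browser-submitted form data,
         *              not part of the signed id_token, so it is stored raw and only interpreted (with
         *              null checks) by {@link AppleIdentityProvider#getFederatedIdentity(String)}
         * @param error error code, if Apple reported one
         * @return the response produced by the base OIDC endpoint
         */
        @POST
        public Response authResponse(@FormParam("state") String state, @FormParam("code") String code, @FormParam("user") String user, @FormParam("error") String error) {
            // Overwrite unconditionally (null included) so nothing from a previous callback survives.
            this.userJson.set(user);
            return super.authResponse(state, code, error);
        }

        @GET
        @Path("logout_response")
        @Override
        public Response logoutResponse(@QueryParam("state") String state) {
            return super.logoutResponse(state);
        }

        @Override
        public SimpleHttp generateTokenRequest(String authorizationCode) {
            return super.generateTokenRequest(authorizationCode);
        }

        /** Query-string variant of the callback; it carries no {@code user} field. */
        @GET
        @Override
        public Response authResponse(@QueryParam("state") String state, @QueryParam("code") String code, @QueryParam("error") String error) {
            // Clear any blob left by an earlier form_post so it cannot be attached to this login.
            this.userJson.set(null);
            return super.authResponse(state, code, error);
        }
    }

    /**
     * Creates the provider and pins Apple's authorization and token endpoints on the config.
     *
     * @param keycloakSession             current session
     * @param appleIdentityProviderConfig provider configuration (client id, team id, key id, private key)
     */
    public AppleIdentityProvider(KeycloakSession keycloakSession, AppleIdentityProviderConfig appleIdentityProviderConfig) {
        super(keycloakSession, appleIdentityProviderConfig);
        this.userJsonRef = new AtomicReference<>();
        // form_post is required by Apple whenever name/email scopes are requested.
        appleIdentityProviderConfig.setAuthorizationUrl("https://appleid.apple.com/auth/authorize?response_mode=form_post");
        appleIdentityProviderConfig.setTokenUrl("https://appleid.apple.com/auth/token");
    }

    /** Returns the Apple-specific callback endpoint in place of the generic OIDC one. */
    @Override
    public Object callback(RealmModel realmModel, IdentityProvider.AuthenticationCallback authenticationCallback, EventBuilder eventBuilder) {
        return new AppleOidcEndpoint(authenticationCallback, realmModel, eventBuilder, this.userJsonRef, this);
    }

    /**
     * Builds the brokered identity from the token response, then enriches it with the name and
     * e-mail from the {@code user} form field when one was posted.
     *
     * @param response raw token-endpoint response, handled by the base provider
     * @return the identity context, possibly enriched with profile fields
     */
    @Override
    public BrokeredIdentityContext getFederatedIdentity(String response) {
        BrokeredIdentityContext identity = super.getFederatedIdentity(response);
        // Consume the blob so it cannot be re-applied to a later login on this instance.
        String rawUserJson = this.userJsonRef.getAndSet(null);
        if (rawUserJson == null || rawUserJson.isEmpty()) {
            return identity;
        }
        try {
            AppleUser appleUser = JsonSerialization.readValue(rawUserJson, AppleUser.class);
            applyUserProfile(identity, appleUser);
        } catch (IOException e) {
            // The raw payload carries the user's name and e-mail; log the failure without it.
            logger.error("Failed to parse Apple user JSON from form_post", e);
        }
        return identity;
    }

    /**
     * Copies profile fields from the form_post blob onto the identity.
     *
     * <p>The e-mail already on the identity (presumably taken from the id_token by
     * {@code super.getFederatedIdentity}) is the one asserted by Apple; the form field is
     * browser-submitted and unverified, so it only fills a gap and never overrides.
     * The {@code name} object is optional in Apple's payload, hence the null check.
     */
    private static void applyUserProfile(BrokeredIdentityContext identity, AppleUser appleUser) {
        if (appleUser == null) {
            return;
        }
        if (identity.getEmail() == null && appleUser.email != null) {
            identity.setEmail(appleUser.email);
        }
        if (appleUser.name != null) {
            identity.setFirstName(appleUser.name.firstName);
            identity.setLastName(appleUser.name.lastName);
        }
    }

    /**
     * Adds {@code client_id} and a freshly signed {@code client_secret} JWT to the token request.
     *
     * <p>The configured "client secret" is the base64-encoded PKCS#8 EC private key Apple issued;
     * it signs an ES256 JWT (iss = team id, sub = client id, aud = Apple, kid = key id) that is
     * valid for {@link #CLIENT_SECRET_LIFETIME_SECONDS}. Failures are logged and the request is
     * returned without a secret, so the token endpoint rejects it rather than the login crashing.
     *
     * @param tokenRequest the outgoing token request
     * @return the same request, with authentication parameters added when signing succeeded
     */
    @Override
    public SimpleHttp authenticateTokenRequest(SimpleHttp tokenRequest) {
        AppleIdentityProviderConfig config = getConfig();
        tokenRequest.param("client_id", config.getClientId());
        String encodedKey = config.getClientSecret();
        if (encodedKey == null || encodedKey.isEmpty()) {
            logger.error("Failed to generate client secret: no private key configured");
            return tokenRequest;
        }
        try {
            PrivateKey privateKey = KeyFactory.getInstance("EC")
                    .generatePrivate(new PKCS8EncodedKeySpec(Base64.getDecoder().decode(encodedKey)));
            tokenRequest.param("client_secret", buildClientSecret(config, privateKey));
        } catch (NoSuchAlgorithmException | InvalidKeySpecException | IllegalArgumentException e) {
            // IllegalArgumentException covers a malformed base64 key; the key material is never logged.
            logger.error("Failed to generate client secret", e);
        }
        return tokenRequest;
    }

    /** Signs the short-lived client-secret JWT Apple requires at its token endpoint. */
    private static String buildClientSecret(AppleIdentityProviderConfig config, PrivateKey privateKey) {
        KeyWrapper keyWrapper = new KeyWrapper();
        keyWrapper.setAlgorithm("ES256");
        keyWrapper.setKid(config.getKeyId());
        keyWrapper.setPrivateKey(privateKey);
        ServerECDSASignatureSignerContext signer = new ServerECDSASignatureSignerContext(keyWrapper);

        long now = Time.currentTime();
        JsonWebToken jwt = new JsonWebToken();
        jwt.issuer(config.getTeamId());
        jwt.iat(now);
        jwt.exp(now + CLIENT_SECRET_LIFETIME_SECONDS);
        jwt.audience(new String[]{APPLE_AUDIENCE});
        jwt.subject(config.getClientId());
        return new JWSBuilder().jsonContent(jwt).sign(signer);
    }

    /** Scopes requested from Apple when the config does not set any. */
    @Override
    protected String getDefaultScopes() {
        return "email name";
    }
}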
