package org.forgerock.openam.sts.config.user;

import com.google.common.base.Objects;
import com.google.common.collect.Sets;
import java.io.UnsupportedEncodingException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.StringTokenizer;
import org.forgerock.json.JsonValue;
import org.forgerock.json.jose.jws.JwsAlgorithm;
import org.forgerock.json.jose.jws.JwsAlgorithmType;
import org.forgerock.openam.sts.AMSTSConstants;
import org.forgerock.openam.sts.MapMarshallUtils;
import org.forgerock.openam.utils.CollectionUtils;

/* loaded from: input_file:org/forgerock/openam/sts/config/user/OpenIdConnectTokenConfig.class */
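/**
 * Immutable configuration for issuing OpenID Connect ID tokens: issuer, audience, token lifetime,
 * claim mapping, signature algorithm and the key material that algorithm needs.
 *
 * <p>Instances are created through {@link #builder()} and validated in the private constructor.
 *
 * <p>Security notes:
 * <ul>
 *   <li>The keystore password, signature key password and client secret are held as {@code byte[]}.
 *       They are copied on the way in and on the way out, so neither the builder's caller nor a
 *       getter's caller can alter the secrets held by a built instance.</li>
 *   <li>{@link #toJson()} and {@link #marshalToAttributeMap()} emit those secrets as clear-text
 *       strings; their output must be treated as sensitive and must not be logged.</li>
 *   <li>{@link #toString()} does not include any of the three secrets.</li>
 *   <li>A signature algorithm of {@code NONE} is accepted and produces unsigned tokens, whose
 *       integrity and origin a relying party cannot verify.</li>
 * </ul>
 */
public class OpenIdConnectTokenConfig {
    /** Separator between claim name and value in the SMS attribute form of the claim map. */
    private static final String EQUALS = "=";

    // Keys used in both the JSON and the SMS attribute-map representations.
    static final String ISSUER = "oidc-issuer";
    static final String CLAIM_MAP = "oidc-claim-map";
    static final String TOKEN_LIFETIME = "oidc-token-lifetime-seconds";
    static final String KEYSTORE_LOCATION = "oidc-keystore-location";
    static final String KEYSTORE_PASSWORD = "oidc-keystore-password";
    static final String SIGNATURE_KEY_ALIAS = "oidc-signature-key-alias";
    static final String SIGNATURE_KEY_PASSWORD = "oidc-signature-key-password";
    static final String SIGNATURE_ALGORITHM = "oidc-signature-algorithm";
    static final String AUDIENCE = "oidc-audience";
    static final String AUTHORIZED_PARTY = "oidc-authorized-party";
    static final String CLIENT_SECRET = "oidc-client-secret";
    static final String PUBLIC_KEY_REFERENCE_TYPE = "oidc-public-key-reference-type";
    static final String CUSTOM_CLAIM_MAPPER_CLASS = "oidc-custom-claim-mapper-class";
    static final String CUSTOM_AUTHN_CONTEXT_MAPPER_CLASS = "oidc-custom-authn-context-mapper-class";
    static final String CUSTOM_AUTHN_METHOD_REFERENCES_MAPPER_CLASS = "oidc-custom-authn-method-references-mapper-class";

    private final String issuer;
    private final Map<String, String> claimMap;
    private final JwsAlgorithm signatureAlgorithm;
    private final List<String> audience;
    private final String authorizedParty;
    private final long tokenLifetimeInSeconds;
    private final String keystoreLocation;
    private final byte[] keystorePassword;
    private final String signatureKeyAlias;
    private final byte[] signatureKeyPassword;
    private final byte[] clientSecret;
    private final OpenIdConnectTokenPublicKeyReferenceType publicKeyReferenceType;
    // NOTE(review): the three values below are class names; presumably they are loaded by name
    // elsewhere, so they should only ever come from trusted administrative configuration - confirm.
    private final String customClaimMapperClass;
    private final String customAuthenticationContextMapper;
    private final String customAuthenticationMethodReferencesMapper;

    /**
     * Fluent builder for {@link OpenIdConnectTokenConfig}. Defaults: a token lifetime of 600
     * seconds, a public key reference type of {@code NONE} and an empty audience list.
     * Validation happens in {@link #build()}.
     */
    public static class OIDCIdTokenConfigBuilder {
        private String issuer;
        private long tokenLifetimeInSeconds;
        private Map<String, String> claimMap;
        private JwsAlgorithm signatureAlgorithm;
        private List<String> audience;
        private String authorizedParty;
        private String keystoreLocation;
        private byte[] keystorePassword;
        private String signatureKeyAlias;
        private byte[] signatureKeyPassword;
        private byte[] clientSecret;
        private String customClaimMapperClass;
        private String customAuthenticationContextMapper;
        private String customAuthenticationMethodReferencesMapper;
        private OpenIdConnectTokenPublicKeyReferenceType publicKeyReferenceType;

        private OIDCIdTokenConfigBuilder() {
            this.tokenLifetimeInSeconds = 600L;
            this.publicKeyReferenceType = OpenIdConnectTokenPublicKeyReferenceType.NONE;
            this.audience = new ArrayList<String>();
        }

        /** Sets the issuer; required. */
        public OIDCIdTokenConfigBuilder issuer(String str) {
            this.issuer = str;
            return this;
        }

        /**
         * Sets the public key reference type from its enum constant name.
         *
         * @throws IllegalArgumentException if {@code str} names no constant
         */
        public OIDCIdTokenConfigBuilder publicKeyReferenceType(String str) {
            this.publicKeyReferenceType = OpenIdConnectTokenPublicKeyReferenceType.valueOf(str);
            return this;
        }

        /** Sets the public key reference type; must not be null at {@link #build()} time. */
        public OIDCIdTokenConfigBuilder publicKeyReferenceType(OpenIdConnectTokenPublicKeyReferenceType openIdConnectTokenPublicKeyReferenceType) {
            this.publicKeyReferenceType = openIdConnectTokenPublicKeyReferenceType;
            return this;
        }

        /** Sets the optional authorized party. */
        public OIDCIdTokenConfigBuilder authorizedParty(String str) {
            this.authorizedParty = str;
            return this;
        }

        /** Appends one audience value. */
        public OIDCIdTokenConfigBuilder addAudience(String str) {
            this.audience.add(str);
            return this;
        }

        /**
         * Appends every value of {@code list} to the audience. Despite its name this method adds
         * to, rather than replaces, values added earlier. A null list is ignored, so a missing
         * audience is reported by {@link #build()} instead of failing here with a
         * {@link NullPointerException}.
         */
        public OIDCIdTokenConfigBuilder setAudience(List<String> list) {
            if (list != null) {
                this.audience.addAll(list);
            }
            return this;
        }

        /** Sets the signature algorithm from its constant name (delegates to {@code JwsAlgorithm.valueOf}). */
        public OIDCIdTokenConfigBuilder signatureAlgorithm(String str) {
            this.signatureAlgorithm = JwsAlgorithm.valueOf(str);
            return this;
        }

        /** Sets the signature algorithm; required. */
        public OIDCIdTokenConfigBuilder signatureAlgorithm(JwsAlgorithm jwsAlgorithm) {
            this.signatureAlgorithm = jwsAlgorithm;
            return this;
        }

        /**
         * Sets the claim map. The map is snapshotted, so later changes to {@code map} do not
         * reach the builder. A null map is accepted and yields an empty claim map on build.
         */
        public OIDCIdTokenConfigBuilder claimMap(Map<String, String> map) {
            // Collections.unmodifiableMap(null) throws, which made a config without a claim map
            // impossible to load even though the constructor explicitly allows it.
            this.claimMap = map == null
                    ? null
                    : Collections.unmodifiableMap(new LinkedHashMap<String, String>(map));
            return this;
        }

        /** Sets the token lifetime in seconds. The value is not range-checked here. */
        public OIDCIdTokenConfigBuilder tokenLifetimeInSeconds(long j) {
            this.tokenLifetimeInSeconds = j;
            return this;
        }

        /** Sets the alias of the signing key in the keystore; required for RSA algorithms. */
        public OIDCIdTokenConfigBuilder signatureKeyAlias(String str) {
            this.signatureKeyAlias = str;
            return this;
        }

        /** Sets the signing key password; required for RSA algorithms. Copied by {@link #build()}. */
        public OIDCIdTokenConfigBuilder signatureKeyPassword(byte[] bArr) {
            this.signatureKeyPassword = bArr;
            return this;
        }

        /** Sets the keystore location; required for RSA algorithms. */
        public OIDCIdTokenConfigBuilder keystoreLocation(String str) {
            this.keystoreLocation = str;
            return this;
        }

        /** Sets the keystore password; required for RSA algorithms. Copied by {@link #build()}. */
        public OIDCIdTokenConfigBuilder keystorePassword(byte[] bArr) {
            this.keystorePassword = bArr;
            return this;
        }

        /** Sets the client secret; required for HMAC algorithms. Copied by {@link #build()}. */
        public OIDCIdTokenConfigBuilder clientSecret(byte[] bArr) {
            this.clientSecret = bArr;
            return this;
        }

        /** Sets the optional custom claim mapper class name. */
        public OIDCIdTokenConfigBuilder customClaimMapperClass(String str) {
            this.customClaimMapperClass = str;
            return this;
        }

        /** Sets the optional custom authentication context mapper class name. */
        public OIDCIdTokenConfigBuilder customAuthenticationContextMapperClass(String str) {
            this.customAuthenticationContextMapper = str;
            return this;
        }

        /** Sets the optional custom authentication method references mapper class name. */
        public OIDCIdTokenConfigBuilder customAuthenticationMethodReferencesMapperClass(String str) {
            this.customAuthenticationMethodReferencesMapper = str;
            return this;
        }

        /**
         * Builds and validates the configuration.
         *
         * @throws IllegalArgumentException if a required value is missing for the chosen algorithm
         */
        public OpenIdConnectTokenConfig build() {
            return new OpenIdConnectTokenConfig(this);
        }
    }

    /**
     * Copies the builder state and enforces the invariants: issuer, signature algorithm, audience
     * and public key reference type are mandatory; RSA algorithms need keystore location and
     * password plus signature key alias and password; HMAC algorithms need the client secret.
     * No key-material check is made for any other algorithm type, including {@code NONE}.
     */
    private OpenIdConnectTokenConfig(OIDCIdTokenConfigBuilder builder) {
        this.issuer = builder.issuer;
        if (this.issuer == null) {
            throw new IllegalArgumentException("An OIDC issuer must be specified.");
        }
        if (builder.claimMap != null) {
            this.claimMap = Collections.unmodifiableMap(builder.claimMap);
        } else {
            this.claimMap = Collections.emptyMap();
        }
        this.tokenLifetimeInSeconds = builder.tokenLifetimeInSeconds;
        this.keystoreLocation = builder.keystoreLocation;
        // Secrets are copied so that the builder's caller cannot change them after build().
        this.keystorePassword = copyOf(builder.keystorePassword);
        this.signatureKeyAlias = builder.signatureKeyAlias;
        this.signatureKeyPassword = copyOf(builder.signatureKeyPassword);
        // Snapshot the list: the builder stays usable and must not alter an already built config.
        this.audience = Collections.unmodifiableList(new ArrayList<String>(builder.audience));
        this.signatureAlgorithm = builder.signatureAlgorithm;
        this.clientSecret = copyOf(builder.clientSecret);
        this.authorizedParty = builder.authorizedParty;
        this.publicKeyReferenceType = builder.publicKeyReferenceType;
        this.customClaimMapperClass = builder.customClaimMapperClass;
        this.customAuthenticationContextMapper = builder.customAuthenticationContextMapper;
        this.customAuthenticationMethodReferencesMapper = builder.customAuthenticationMethodReferencesMapper;
        if (this.signatureAlgorithm == null) {
            throw new IllegalArgumentException("Signature algorithm must be set, or set to NONE if jwt should not be signed");
        }
        if (CollectionUtils.isEmpty(this.audience)) {
            throw new IllegalArgumentException("An audience must be specified.");
        }
        boolean rsaKeyMaterialMissing = this.keystoreLocation == null
                || this.keystorePassword == null
                || this.signatureKeyAlias == null
                || this.signatureKeyPassword == null;
        if (JwsAlgorithmType.RSA.equals(this.signatureAlgorithm.getAlgorithmType()) && rsaKeyMaterialMissing) {
            throw new IllegalArgumentException("For a signing algorithm of " + this.signatureAlgorithm + " the keystore location, password, and signature key alias and password values must be specified.");
        }
        if (JwsAlgorithmType.HMAC.equals(this.signatureAlgorithm.getAlgorithmType()) && this.clientSecret == null) {
            throw new IllegalArgumentException("The client secret must be set for HMAC family of signing algorithms.");
        }
        if (this.publicKeyReferenceType == null) {
            throw new IllegalArgumentException("A OpenIdConnectTokenPublicKeyReferenceType must be specified.");
        }
    }

    /** Returns a copy of {@code bytes}, or null when {@code bytes} is null. */
    private static byte[] copyOf(byte[] bytes) {
        return bytes == null ? null : bytes.clone();
    }

    /** Decodes {@code bytes} as UTF-8 text, or returns null when {@code bytes} is null. */
    private static String utf8String(byte[] bytes) throws UnsupportedEncodingException {
        return bytes != null ? new String(bytes, AMSTSConstants.UTF_8_CHARSET_ID) : null;
    }

    /** Returns the UTF-8 bytes of {@code field} when it holds a string, otherwise null. */
    private static byte[] utf8Bytes(JsonValue field) throws UnsupportedEncodingException {
        return field.isString() ? field.asString().getBytes(AMSTSConstants.UTF_8_CHARSET_ID) : null;
    }

    /** Returns the string held by {@code field}, or null when it does not hold a string. */
    private static String stringOrNull(JsonValue field) {
        return field.isString() ? field.asString() : null;
    }

    /** Returns a new builder with the documented defaults. */
    public static OIDCIdTokenConfigBuilder builder() {
        return new OIDCIdTokenConfigBuilder();
    }

    public String getIssuer() {
        return this.issuer;
    }

    public long getTokenLifetimeInSeconds() {
        return this.tokenLifetimeInSeconds;
    }

    /** Returns the unmodifiable claim map; never null. */
    public Map<String, String> getClaimMap() {
        return this.claimMap;
    }

    public String getKeystoreLocation() {
        return this.keystoreLocation;
    }

    /** Returns a copy of the keystore password, or null if none was set. */
    public byte[] getKeystorePassword() {
        return copyOf(this.keystorePassword);
    }

    public String getSignatureKeyAlias() {
        return this.signatureKeyAlias;
    }

    /** Returns a copy of the signature key password, or null if none was set. */
    public byte[] getSignatureKeyPassword() {
        return copyOf(this.signatureKeyPassword);
    }

    public JwsAlgorithm getSignatureAlgorithm() {
        return this.signatureAlgorithm;
    }

    /** Returns the unmodifiable, non-empty audience list. */
    public List<String> getAudience() {
        return this.audience;
    }

    public String getAuthorizedParty() {
        return this.authorizedParty;
    }

    public OpenIdConnectTokenPublicKeyReferenceType getPublicKeyReferenceType() {
        return this.publicKeyReferenceType;
    }

    /** Returns a copy of the client secret, or null if none was set. */
    public byte[] getClientSecret() {
        return copyOf(this.clientSecret);
    }

    public String getCustomClaimMapperClass() {
        return this.customClaimMapperClass;
    }

    public String getCustomAuthnContextMapperClass() {
        return this.customAuthenticationContextMapper;
    }

    public String getCustomAuthnMethodReferencesMapperClass() {
        return this.customAuthenticationMethodReferencesMapper;
    }

    /**
     * Returns a multi-line description for diagnostics. The keystore password, signature key
     * password and client secret are left out, so the result carries no secret material.
     * Labels are emitted exactly as before, including those without a trailing separator.
     */
    @Override
    public String toString() {
        StringBuilder sb = new StringBuilder();
        sb.append("OpenIdConnectTokenConfig instance:").append('\n');
        appendLine(sb, "issuer: ", this.issuer);
        appendLine(sb, "audience: ", this.audience);
        appendLine(sb, "authorizedParty: ", this.authorizedParty);
        appendLine(sb, "signature algorithm: ", this.signatureAlgorithm);
        appendLine(sb, "claimMap: ", this.claimMap);
        appendLine(sb, "tokenLifetimeInSeconds: ", this.tokenLifetimeInSeconds);
        appendLine(sb, "Keystore File ", this.keystoreLocation);
        appendLine(sb, "Public key reference type ", this.publicKeyReferenceType);
        appendLine(sb, "Signature key alias", this.signatureKeyAlias);
        appendLine(sb, "Custom claim mapper class", this.customClaimMapperClass);
        appendLine(sb, "Custom authn context mapper class", this.customAuthenticationContextMapper);
        appendLine(sb, "Custom authn method references mapper class", this.customAuthenticationMethodReferencesMapper);
        return sb.toString();
    }

    /** Appends one tab-indented, newline-terminated {@code label + value} line to {@code sb}. */
    private static void appendLine(StringBuilder sb, String label, Object value) {
        sb.append('\t').append(label).append(value).append('\n');
    }

    /** Compares every field, including the three secrets, by value. */
    @Override
    public boolean equals(Object obj) {
        if (this == obj) {
            return true;
        }
        if (!(obj instanceof OpenIdConnectTokenConfig)) {
            return false;
        }
        OpenIdConnectTokenConfig other = (OpenIdConnectTokenConfig) obj;
        return this.issuer.equals(other.issuer)
                && this.signatureAlgorithm.equals(other.signatureAlgorithm)
                && Objects.equal(this.authorizedParty, other.authorizedParty)
                && this.audience.equals(other.audience)
                && this.tokenLifetimeInSeconds == other.tokenLifetimeInSeconds
                && this.claimMap.equals(other.claimMap)
                && Objects.equal(this.keystoreLocation, other.keystoreLocation)
                && Arrays.equals(this.keystorePassword, other.keystorePassword)
                && Objects.equal(this.signatureKeyAlias, other.signatureKeyAlias)
                && Objects.equal(this.customClaimMapperClass, other.customClaimMapperClass)
                && Objects.equal(this.customAuthenticationContextMapper, other.customAuthenticationContextMapper)
                && Objects.equal(this.customAuthenticationMethodReferencesMapper, other.customAuthenticationMethodReferencesMapper)
                && Objects.equal(this.publicKeyReferenceType, other.publicKeyReferenceType)
                && Arrays.equals(this.signatureKeyPassword, other.signatureKeyPassword)
                && Arrays.equals(this.clientSecret, other.clientSecret);
    }

    /** Hashes the claim map, lifetime and issuer only; this is a subset of what {@code equals} compares. */
    @Override
    public int hashCode() {
        return (this.claimMap + Long.toString(this.tokenLifetimeInSeconds) + this.issuer).hashCode();
    }

    /**
     * Marshals this configuration to JSON.
     *
     * <p>The result contains the keystore password, signature key password and client secret as
     * clear-text strings. Treat it as sensitive: do not log it, and store it only where the
     * secrets themselves may be stored.
     *
     * @throws IllegalStateException if the UTF-8 charset is reported as unsupported
     */
    public JsonValue toJson() {
        try {
            return JsonValue.json(JsonValue.object(
                    JsonValue.field(ISSUER, this.issuer),
                    JsonValue.field(PUBLIC_KEY_REFERENCE_TYPE, this.publicKeyReferenceType.name()),
                    JsonValue.field(TOKEN_LIFETIME, String.valueOf(this.tokenLifetimeInSeconds)),
                    JsonValue.field(AUTHORIZED_PARTY, this.authorizedParty),
                    JsonValue.field(AUDIENCE, CollectionUtils.newList(this.audience)),
                    JsonValue.field(SIGNATURE_ALGORITHM, this.signatureAlgorithm.name()),
                    JsonValue.field(CLAIM_MAP, this.claimMap),
                    JsonValue.field(CUSTOM_CLAIM_MAPPER_CLASS, this.customClaimMapperClass),
                    JsonValue.field(CUSTOM_AUTHN_CONTEXT_MAPPER_CLASS, this.customAuthenticationContextMapper),
                    JsonValue.field(CUSTOM_AUTHN_METHOD_REFERENCES_MAPPER_CLASS, this.customAuthenticationMethodReferencesMapper),
                    JsonValue.field(KEYSTORE_LOCATION, this.keystoreLocation),
                    JsonValue.field(KEYSTORE_PASSWORD, utf8String(this.keystorePassword)),
                    JsonValue.field(CLIENT_SECRET, utf8String(this.clientSecret)),
                    JsonValue.field(SIGNATURE_KEY_ALIAS, this.signatureKeyAlias),
                    JsonValue.field(SIGNATURE_KEY_PASSWORD, utf8String(this.signatureKeyPassword))));
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException("Unsupported encoding when marshalling from String to to byte[]: " + e, e);
        }
    }

    /**
     * Rebuilds a configuration from the JSON produced by {@link #toJson()}. A missing public key
     * reference type defaults to {@code NONE}; a missing claim map yields an empty map; a missing
     * audience is reported by the constructor's validation.
     *
     * @throws IllegalStateException if the UTF-8 charset is reported as unsupported
     * @throws IllegalArgumentException if the resulting configuration fails validation
     * @throws NumberFormatException if the token lifetime is absent or not a number
     */
    public static OpenIdConnectTokenConfig fromJson(JsonValue jsonValue) throws IllegalStateException {
        try {
            JsonValue referenceType = jsonValue.get(PUBLIC_KEY_REFERENCE_TYPE);
            return builder()
                    .tokenLifetimeInSeconds(Long.parseLong(jsonValue.get(TOKEN_LIFETIME).asString()))
                    .issuer(jsonValue.get(ISSUER).asString())
                    .publicKeyReferenceType(referenceType.isString()
                            ? OpenIdConnectTokenPublicKeyReferenceType.valueOf(referenceType.asString())
                            : OpenIdConnectTokenPublicKeyReferenceType.NONE)
                    .claimMap(jsonValue.get(CLAIM_MAP).asMap(String.class))
                    .keystoreLocation(jsonValue.get(KEYSTORE_LOCATION).asString())
                    .keystorePassword(utf8Bytes(jsonValue.get(KEYSTORE_PASSWORD)))
                    .signatureKeyPassword(utf8Bytes(jsonValue.get(SIGNATURE_KEY_PASSWORD)))
                    .clientSecret(utf8Bytes(jsonValue.get(CLIENT_SECRET)))
                    .signatureKeyAlias(stringOrNull(jsonValue.get(SIGNATURE_KEY_ALIAS)))
                    .customClaimMapperClass(stringOrNull(jsonValue.get(CUSTOM_CLAIM_MAPPER_CLASS)))
                    .customAuthenticationContextMapperClass(stringOrNull(jsonValue.get(CUSTOM_AUTHN_CONTEXT_MAPPER_CLASS)))
                    .customAuthenticationMethodReferencesMapperClass(stringOrNull(jsonValue.get(CUSTOM_AUTHN_METHOD_REFERENCES_MAPPER_CLASS)))
                    .authorizedParty(stringOrNull(jsonValue.get(AUTHORIZED_PARTY)))
                    .setAudience(jsonValue.get(AUDIENCE).asList(String.class))
                    .signatureAlgorithm(jsonValue.get(SIGNATURE_ALGORITHM).asString())
                    .build();
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException("Unsupported encoding when marshalling from String to to byte[]: " + e, e);
        }
    }

    /**
     * Marshals this configuration to the SMS attribute form: one set of strings per key. The claim
     * map becomes a set of {@code claim=value} entries and the audience a set of its values.
     *
     * <p>Like {@link #toJson()}, the result carries the secrets in clear text. A claim name that
     * itself contains {@code =} cannot be round-tripped, because
     * {@link #marshalFromAttributeMap(Map)} splits each entry at its first {@code =}.
     *
     * @throws IllegalStateException if the JSON form holds an unexpected type for either key
     */
    public Map<String, Set<String>> marshalToAttributeMap() {
        Map<String, Object> jsonMap = toJson().asMap();
        Map<String, Set<String>> smsMap = MapMarshallUtils.toSmsMap(jsonMap);

        Object claimMapObject = jsonMap.get(CLAIM_MAP);
        if (!(claimMapObject instanceof Map)) {
            throw new IllegalStateException("Type corresponding to oidc-claim-map key unexpected. Type: " + (claimMapObject != null ? claimMapObject.getClass().getName() : " null"));
        }
        // Replace whatever the generic conversion produced with the claim=value encoding.
        smsMap.remove(CLAIM_MAP);
        Set<String> claimEntries = new LinkedHashSet<String>();
        smsMap.put(CLAIM_MAP, claimEntries);
        for (Map.Entry<?, ?> entry : ((Map<?, ?>) claimMapObject).entrySet()) {
            claimEntries.add(((String) entry.getKey()) + EQUALS + ((String) entry.getValue()));
        }

        Object audienceObject = jsonMap.get(AUDIENCE);
        if (!(audienceObject instanceof List)) {
            throw new IllegalStateException("Type corresponding to oidc-audience claim type unexpected: " + (audienceObject != null ? audienceObject.getClass().getCanonicalName() : null));
        }
        smsMap.remove(AUDIENCE);
        @SuppressWarnings("unchecked") // toJson() stores the audience as a list of strings
        List<String> audienceValues = (List<String>) audienceObject;
        smsMap.put(AUDIENCE, Sets.newHashSet(audienceValues));
        return smsMap;
    }

    /**
     * Rebuilds a configuration from its SMS attribute form.
     *
     * <p>Each claim-map entry is split at its first {@code =} only, so a value that contains
     * {@code =} is kept whole instead of being silently truncated. An entry without a separator,
     * or with an empty name or value, is rejected with a descriptive exception. A missing
     * claim-map attribute is treated as an empty claim map.
     *
     * @return the configuration, or null when the attribute map holds no issuer
     * @throws IllegalStateException if a claim-map entry is malformed
     * @throws IllegalArgumentException if the resulting configuration fails validation
     */
    public static OpenIdConnectTokenConfig marshalFromAttributeMap(Map<String, Set<String>> map) {
        if (CollectionUtils.isEmpty(map.get(ISSUER))) {
            return null;
        }
        Set<String> claimEntries = map.get(CLAIM_MAP);
        Map<String, Object> jsonValueMap = MapMarshallUtils.toJsonValueMap(map);
        jsonValueMap.remove(CLAIM_MAP);
        Map<String, String> claims = new LinkedHashMap<String, String>();
        if (claimEntries != null) {
            for (String entry : claimEntries) {
                int separator = entry == null ? -1 : entry.indexOf(EQUALS);
                if (separator <= 0 || separator == entry.length() - 1) {
                    throw new IllegalStateException("Entry in " + CLAIM_MAP + " is not of the form claim=value: " + entry);
                }
                claims.put(entry.substring(0, separator), entry.substring(separator + 1));
            }
        }
        jsonValueMap.put(CLAIM_MAP, new JsonValue(claims));
        jsonValueMap.put(AUDIENCE, new JsonValue(CollectionUtils.newList(map.get(AUDIENCE))));
        return fromJson(new JsonValue(jsonValueMap));
    }

    /** Returns a mutable map holding an empty set for every attribute key this class defines. */
    public static Map<String, Set<String>> getEmptySMSAttributeState() {
        String[] attributeKeys = {
            ISSUER, CLAIM_MAP, TOKEN_LIFETIME, KEYSTORE_LOCATION, KEYSTORE_PASSWORD,
            SIGNATURE_KEY_ALIAS, SIGNATURE_KEY_PASSWORD, SIGNATURE_ALGORITHM, AUDIENCE,
            AUTHORIZED_PARTY, CLIENT_SECRET, PUBLIC_KEY_REFERENCE_TYPE, CUSTOM_CLAIM_MAPPER_CLASS,
            CUSTOM_AUTHN_CONTEXT_MAPPER_CLASS, CUSTOM_AUTHN_METHOD_REFERENCES_MAPPER_CLASS
        };
        Map<String, Set<String>> emptyState = new HashMap<String, Set<String>>();
        for (String key : attributeKeys) {
            emptyState.put(key, Collections.<String>emptySet());
        }
        return emptyState;
    }
}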
