package io.helidon.security.providers.oidc.common;

import io.helidon.common.Errors;
import io.helidon.security.Security;
import io.helidon.security.SecurityException;
import io.helidon.security.jwt.jwk.JwkKeys;
import io.helidon.security.providers.common.OutboundTarget;
import io.helidon.security.providers.httpauth.HttpBasicAuthProvider;
import io.helidon.security.providers.httpauth.HttpBasicOutboundConfig;
import io.helidon.security.providers.oidc.common.OidcConfig;
import io.helidon.webclient.api.WebClient;
import io.helidon.webclient.api.WebClientConfig;
import io.helidon.webclient.security.WebClientSecurity;
import jakarta.json.JsonObject;
import java.net.URI;

/* loaded from: input_file:io/helidon/security/providers/oidc/common/Tenant.class */
/**
 * One OIDC tenant: the provider endpoints resolved for it, its issuer, the signing
 * keys used to validate JWTs and the web client used to call the provider on behalf
 * of this application.
 *
 * <p>Instances are built by {@link #create(OidcConfig, TenantConfig)} and are immutable
 * afterwards; every field is assigned once in the private constructor.
 */
public class Tenant {
    private final TenantConfig tenantConfig;
    private final URI tokenEndpointUri;
    // Stored as a String because that is the form authorizationEndpointUri() exposes.
    private final String authorizationEndpointUri;
    private final URI logoutEndpointUri;
    private final String issuer;
    private final WebClient appWebClient;
    private final JwkKeys signJwk;
    // Left null when JWTs are validated locally with JWK; see introspectUri().
    private final URI introspectUri;

    /**
     * Stores the resolved tenant state.
     *
     * @param config                the tenant configuration this instance was built from
     * @param tokenEndpoint         resolved token endpoint
     * @param authorizationEndpoint resolved authorization endpoint; converted to its String form
     *                              here, so it must not be {@code null}
     * @param logoutEndpoint        resolved end-session endpoint
     * @param issuer                issuer string, may be {@code null} when neither config nor
     *                              metadata provided one
     * @param appClient             web client used for calls to the provider
     * @param signJwk               signing keys for JWT validation
     * @param introspectEndpoint    resolved introspection endpoint, or {@code null}
     */
    private Tenant(TenantConfig config,
                   URI tokenEndpoint,
                   URI authorizationEndpoint,
                   URI logoutEndpoint,
                   String issuer,
                   WebClient appClient,
                   JwkKeys signJwk,
                   URI introspectEndpoint) {
        this.tenantConfig = config;
        this.tokenEndpointUri = tokenEndpoint;
        this.authorizationEndpointUri = authorizationEndpoint.toString();
        this.logoutEndpointUri = logoutEndpoint;
        this.issuer = issuer;
        this.appWebClient = appClient;
        this.signJwk = signJwk;
        this.introspectUri = introspectEndpoint;
    }

    /**
     * Resolves all provider endpoints, the issuer and the signing keys for a tenant.
     *
     * <p>Endpoints come from explicit tenant configuration first, then from the OIDC
     * metadata (optionally fetched from the well-known endpoint), then from a built-in
     * default path. Resolution errors for the token, authorization, end-session and
     * issuer lookups are gathered in an {@code Errors.Collector} and surfaced once via
     * {@code checkValid()}; the JWK and introspection lookups below happen after that
     * check, so anything they record in the collector is not surfaced by this method.
     *
     * @param oidcConfig   provider-wide configuration (general web client, client builder supplier)
     * @param tenantConfig configuration of the tenant being created
     * @return the fully resolved tenant
     * @throws io.helidon.common.Errors.ErrorMessagesException if endpoint or issuer resolution
     *                                                         recorded a fatal error before the
     *                                                         validity check
     */
    public static Tenant create(OidcConfig oidcConfig, TenantConfig tenantConfig) {
        WebClient generalClient = oidcConfig.generalWebClient();
        Errors.Collector collector = Errors.collector();
        URI identityUri = tenantConfig.identityUri();

        // m11build() is the builder's build method as named in this (decompiled) listing.
        OidcMetadata metadata = OidcMetadata.builder()
                .remoteEnabled(tenantConfig.useWellKnown())
                .json(tenantConfig.oidcMetadata())
                .webClient(generalClient)
                .identityUri(identityUri)
                .collector(collector)
                .m11build();
        String serverType = tenantConfig.serverType();

        URI tokenEndpoint = metadata.getOidcEndpoint(collector,
                                                     tenantConfig.tenantTokenEndpointUri().orElse(null),
                                                     resolveMetaKey("token_endpoint", serverType, identityUri),
                                                     "/oauth2/v1/token");
        URI authorizationEndpoint = metadata.getOidcEndpoint(collector,
                                                             tenantConfig.authorizationEndpoint().orElse(null),
                                                             "authorization_endpoint",
                                                             "/oauth2/v1/authorize");
        // Note: this default path has no leading slash, unlike the other defaults; whether that
        // matters depends on how getOidcEndpoint resolves it against the identity URI.
        URI logoutEndpoint = metadata.getOidcEndpoint(collector,
                                                      tenantConfig.tenantLogoutEndpointUri().orElse(null),
                                                      resolveMetaKey("end_session_endpoint", serverType, identityUri),
                                                      "oauth2/v1/userlogout");
        String issuer = tenantConfig.tenantIssuer()
                .or(() -> metadata.getString("issuer"))
                .orElse(null);
        // Fail fast on anything recorded so far; later lookups are not re-checked.
        collector.collect().checkValid();

        WebClientConfig.Builder clientBuilder = oidcConfig.webClientBuilderSupplier().get();
        if (tenantConfig.tokenEndpointAuthentication() == OidcConfig.ClientAuthentication.CLIENT_SECRET_BASIC) {
            // Client credentials are sent as HTTP Basic. NOTE(review): the outbound target
            // matches every host ("*"), so this client presents the client secret to any host
            // it is used against; keep its use limited to the identity provider.
            HttpBasicOutboundConfig basicConfig =
                    HttpBasicOutboundConfig.create(tenantConfig.clientId(), tenantConfig.clientSecret());
            OutboundTarget target = OutboundTarget.builder("oidc")
                    .addHost("*")
                    .customObject(HttpBasicOutboundConfig.class, basicConfig)
                    .build();
            Security outboundSecurity = Security.builder()
                    .addOutboundSecurityProvider(HttpBasicAuthProvider.builder()
                                                         .addOutboundTarget(target)
                                                         .build())
                    .build();
            clientBuilder.addService(WebClientSecurity.create(outboundSecurity));
        }
        WebClient appClient = clientBuilder.build();

        // orElseGet runs immediately when no keys are configured, i.e. the JWKS fetch is
        // done here at creation time, not lazily.
        JwkKeys signJwk = tenantConfig.tenantSignJwk().orElseGet(() -> {
            if (!tenantConfig.validateJwtWithJwk()) {
                // Tokens are introspected instead; no local keys needed.
                return JwkKeys.builder().build();
            }
            URI jwksUri = metadata.getOidcEndpoint(collector,
                                                   null,
                                                   resolveMetaKey("jwks_uri", serverType, identityUri),
                                                   null);
            if (jwksUri == null) {
                // No jwks_uri available: an empty key set, so no JWT can be validated locally.
                return JwkKeys.builder().build();
            }
            if ("idcs".equals(serverType)) {
                return IdcsSupport.signJwk(appClient,
                                           generalClient,
                                           tokenEndpoint,
                                           jwksUri,
                                           tenantConfig.clientTimeout(),
                                           tenantConfig);
            }
            // Trust in the fetched keys rests on the general client's TLS setup and on the
            // metadata that supplied jwksUri.
            JsonObject jwks = (JsonObject) generalClient.get().uri(jwksUri).requestEntity(JsonObject.class);
            return JwkKeys.builder().json(jwks).build();
        });

        URI introspectEndpoint = tenantConfig.tenantIntrospectUri().orElse(null);
        if (!tenantConfig.validateJwtWithJwk()) {
            // Only resolved when introspection is actually the validation path.
            introspectEndpoint = metadata.getOidcEndpoint(collector,
                                                          introspectEndpoint,
                                                          resolveMetaKey("introspection_endpoint", serverType, identityUri),
                                                          "/oauth2/v1/introspect");
        }

        return new Tenant(tenantConfig,
                          tokenEndpoint,
                          authorizationEndpoint,
                          logoutEndpoint,
                          issuer,
                          appClient,
                          signJwk,
                          introspectEndpoint);
    }

    /**
     * Picks the metadata key to look up for an endpoint.
     *
     * <p>For an IDCS server whose identity URI contains {@code ".secure."} the key is
     * prefixed with {@code "secure_"}; otherwise it is returned unchanged.
     *
     * @param key         base metadata key, e.g. {@code "token_endpoint"}
     * @param serverType  configured server type
     * @param identityUri identity URI of the tenant
     * @return the metadata key to use
     */
    private static String resolveMetaKey(String key, String serverType, URI identityUri) {
        boolean secureIdcs = "idcs".equals(serverType) && identityUri.toString().contains(".secure.");
        if (secureIdcs) {
            return "secure_" + key;
        }
        return key;
    }

    /**
     * Configuration this tenant was created from.
     *
     * @return tenant configuration
     */
    public TenantConfig tenantConfig() {
        return tenantConfig;
    }

    /**
     * Resolved token endpoint.
     *
     * @return token endpoint URI
     */
    public URI tokenEndpointUri() {
        return tokenEndpointUri;
    }

    /**
     * Resolved authorization endpoint.
     *
     * @return authorization endpoint as a String
     */
    public String authorizationEndpointUri() {
        return authorizationEndpointUri;
    }

    /**
     * Resolved end-session (logout) endpoint.
     *
     * @return logout endpoint URI
     */
    public URI logoutEndpointUri() {
        return logoutEndpointUri;
    }

    /**
     * Issuer of this tenant.
     *
     * @return issuer, or {@code null} when none was configured or found in metadata
     */
    public String issuer() {
        return issuer;
    }

    /**
     * Web client used for calls to the provider (carries client credentials when
     * {@code CLIENT_SECRET_BASIC} is configured).
     *
     * @return application web client
     */
    public WebClient appWebClient() {
        return appWebClient;
    }

    /**
     * Keys used to validate JWT signatures; empty when local validation is disabled or
     * no JWKS could be located.
     *
     * @return signing keys
     */
    public JwkKeys signJwk() {
        return signJwk;
    }

    /**
     * Resolved introspection endpoint.
     *
     * @return introspection endpoint URI
     * @throws SecurityException if no introspection endpoint was resolved, which is the
     *                           case when JWTs are validated with JWK
     */
    public URI introspectUri() {
        if (introspectUri != null) {
            return introspectUri;
        }
        throw new SecurityException("Introspect URI is not configured when using validate with JWK.");
    }
}
