package io.micronaut.security.oauth2.endpoint.token.response.validation;

import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jwt.JWT;
import io.micronaut.core.annotation.NonNull;
import io.micronaut.core.annotation.Nullable;
import io.micronaut.security.oauth2.client.OpenIdProviderMetadata;
import io.micronaut.security.oauth2.configuration.OauthClientConfiguration;
import io.micronaut.security.oauth2.endpoint.token.response.JWTOpenIdClaims;
import io.micronaut.security.oauth2.endpoint.token.response.OpenIdTokenResponse;
import io.micronaut.security.token.jwt.signature.SignatureConfiguration;
import io.micronaut.security.token.jwt.signature.jwks.JwkSetFetcher;
import io.micronaut.security.token.jwt.signature.jwks.JwkValidator;
import io.micronaut.security.token.jwt.signature.jwks.JwksSignature;
import io.micronaut.security.token.jwt.signature.jwks.JwksSignatureConfigurationProperties;
import io.micronaut.security.token.jwt.validator.GenericJwtClaimsValidator;
import io.micronaut.security.token.jwt.validator.JwtValidator;
import java.text.ParseException;
import java.util.Collection;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;
import java.util.stream.Collectors;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

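/**
 * Default {@link OpenIdTokenResponseValidator}.
 *
 * <p>Validation runs in two stages: first the ID token's signature is verified against the
 * provider's JWKS (the JWKS URI taken from {@link OpenIdProviderMetadata#getJwksUri()}); only a
 * token with a valid signature has its claims checked by the configured
 * {@link GenericJwtClaimsValidator}s, then the {@link OpenIdClaimsValidator}s, then the
 * {@link NonceClaimValidator}.
 *
 * <p>Security caveat: when no {@link NonceClaimValidator} bean is present the nonce check is
 * skipped entirely and a token whose other claims validate is accepted. On a nonce mismatch the
 * token's claim names and values are written to the error log.
 *
 * <p>A {@link JwksSignature} is built once per JWKS URI and cached for the lifetime of this
 * instance in a concurrent map, so the same {@link JwkValidator} and {@link JwkSetFetcher} are
 * reused across calls.
 */
@Deprecated(since = "4.8.0", forRemoval = true)
/* loaded from: input_file:io/micronaut/security/oauth2/endpoint/token/response/validation/DefaultOpenIdTokenResponseValidator.class */
public class DefaultOpenIdTokenResponseValidator implements OpenIdTokenResponseValidator {
    private static final Logger LOG = LoggerFactory.getLogger(DefaultOpenIdTokenResponseValidator.class);
    private final Collection<OpenIdClaimsValidator> openIdClaimsValidators;
    private final Collection<GenericJwtClaimsValidator> genericJwtClaimsValidators;
    // May be null; see validateClaims, which skips nonce validation in that case.
    private final NonceClaimValidator nonceClaimValidator;
    private final JwkValidator jwkValidator;
    // JWKS URI -> signature verifier; populated lazily by jwksSignatureForOpenIdProviderMetadata.
    private final Map<String, JwksSignature> jwksSignatures = new ConcurrentHashMap<>();
    private final JwkSetFetcher<JWKSet> jwkSetFetcher;

    /**
     * @param collection          validators applied to the OpenID-specific claims
     * @param collection2         validators applied to the generic JWT claims (exp, nbf, ...)
     * @param nonceClaimValidator nonce validator, or {@code null} to skip nonce validation
     * @param jwkValidator        verifies a JWT signature against a JWK
     * @param jwkSetFetcher       fetches the provider's JWKS
     */
    public DefaultOpenIdTokenResponseValidator(Collection<OpenIdClaimsValidator> collection, Collection<GenericJwtClaimsValidator> collection2, @Nullable NonceClaimValidator nonceClaimValidator, JwkValidator jwkValidator, JwkSetFetcher<JWKSet> jwkSetFetcher) {
        this.openIdClaimsValidators = collection;
        this.genericJwtClaimsValidators = collection2;
        this.nonceClaimValidator = nonceClaimValidator;
        this.jwkValidator = jwkValidator;
        this.jwkSetFetcher = jwkSetFetcher;
    }

    /**
     * Verifies the ID token's signature and, if it is valid, its claims.
     *
     * @param oauthClientConfiguration the client configuration (used for log context and passed to the claim validators)
     * @param openIdProviderMetadata   provider metadata supplying the JWKS URI
     * @param openIdTokenResponse      the token response whose ID token is validated
     * @param str                      the nonce sent in the authorization request, or {@code null}
     * @return the parsed JWT when signature and claims validate, otherwise {@link Optional#empty()}
     */
    @Override // io.micronaut.security.oauth2.endpoint.token.response.validation.OpenIdTokenResponseValidator
    public Optional<JWT> validate(OauthClientConfiguration oauthClientConfiguration, OpenIdProviderMetadata openIdProviderMetadata, OpenIdTokenResponse openIdTokenResponse, @Nullable String str) {
        if (LOG.isTraceEnabled()) {
            LOG.trace("Validating the JWT signature using the JWKS uri [{}]", openIdProviderMetadata.getJwksUri());
        }
        Optional<JWT> signedJwt = parseJwtWithValidSignature(openIdProviderMetadata, openIdTokenResponse);
        if (signedJwt.isEmpty()) {
            if (LOG.isErrorEnabled()) {
                LOG.error("JWT signature validation failed for provider [{}]", oauthClientConfiguration.getName());
            }
            return Optional.empty();
        }
        if (LOG.isTraceEnabled()) {
            LOG.trace("JWT signature validation succeeded. Validating claims...");
        }
        return validateClaims(oauthClientConfiguration, openIdProviderMetadata, signedJwt.get(), str);
    }

    /**
     * Runs the generic, OpenID-specific and nonce claim validators against an already
     * signature-verified JWT. The first failing stage short-circuits and is logged at error level.
     *
     * @param oauthClientConfiguration the client configuration passed to the validators
     * @param openIdProviderMetadata   the provider metadata passed to the validators
     * @param jwt                      a JWT whose signature has already been verified
     * @param str                      the expected nonce, or {@code null}
     * @return the same JWT when every validator accepts it, otherwise {@link Optional#empty()}
     *         (also when the claims set cannot be parsed)
     */
    @NonNull
    protected Optional<JWT> validateClaims(@NonNull OauthClientConfiguration oauthClientConfiguration, @NonNull OpenIdProviderMetadata openIdProviderMetadata, @NonNull JWT jwt, @Nullable String str) {
        try {
            JWTOpenIdClaims claims = new JWTOpenIdClaims(jwt.getJWTClaimsSet());

            // Generic validators receive no request object.
            boolean genericOk = this.genericJwtClaimsValidators.stream()
                .allMatch(validator -> validator.validate(claims, (Object) null));
            if (!genericOk) {
                if (LOG.isErrorEnabled()) {
                    LOG.error("JWT generic claims validation failed for provider [{}]", oauthClientConfiguration.getName());
                }
                return Optional.empty();
            }

            boolean openIdOk = this.openIdClaimsValidators.stream()
                .allMatch(validator -> validator.validate(claims, oauthClientConfiguration, openIdProviderMetadata));
            if (!openIdOk) {
                if (LOG.isErrorEnabled()) {
                    LOG.error("JWT OpenID specific claims validation failed for provider [{}]", oauthClientConfiguration.getName());
                }
                return Optional.empty();
            }

            // Without a NonceClaimValidator bean the nonce is not checked at all.
            if (this.nonceClaimValidator == null) {
                if (LOG.isTraceEnabled()) {
                    LOG.trace("Skipping nonce validation because no bean of type {} present. ", NonceClaimValidator.class.getSimpleName());
                }
                return Optional.of(jwt);
            }
            if (this.nonceClaimValidator.validate(claims, oauthClientConfiguration, openIdProviderMetadata, str)) {
                return Optional.of(jwt);
            }
            if (LOG.isErrorEnabled()) {
                // NOTE: this writes every claim value of the rejected token to the log.
                String renderedClaims = claims.getClaims().keySet().stream()
                    .map(name -> name + "=" + String.valueOf(claims.getClaims().get(name)))
                    .collect(Collectors.joining(", ", "{", "}"));
                LOG.error("Nonce {} validation failed for claims {}", str, renderedClaims);
            }
        } catch (ParseException e) {
            if (LOG.isErrorEnabled()) {
                LOG.error("Failed to parse the JWT returned from provider [{}]", oauthClientConfiguration.getName(), e);
            }
        }
        return Optional.empty();
    }

    /**
     * Parses the ID token and verifies its signature against the provider's JWKS.
     *
     * @param openIdProviderMetadata provider metadata supplying the JWKS URI
     * @param openIdTokenResponse    the token response holding the ID token
     * @return the parsed JWT when its signature verifies, otherwise {@link Optional#empty()}
     */
    @NonNull
    protected Optional<JWT> parseJwtWithValidSignature(@NonNull OpenIdProviderMetadata openIdProviderMetadata, @NonNull OpenIdTokenResponse openIdTokenResponse) {
        SignatureConfiguration[] signatures = {jwksSignatureForOpenIdProviderMetadata(openIdProviderMetadata)};
        return JwtValidator.builder()
            .withSignatures(signatures)
            .build()
            .validate(openIdTokenResponse.getIdToken(), (Object) null);
    }

    /**
     * Returns the cached {@link JwksSignature} for the provider's JWKS URI, creating it on first use.
     *
     * @param openIdProviderMetadata provider metadata supplying the name and JWKS URI
     * @return the signature verifier for that JWKS URI
     */
    protected JwksSignature jwksSignatureForOpenIdProviderMetadata(@NonNull OpenIdProviderMetadata openIdProviderMetadata) {
        String jwksUri = openIdProviderMetadata.getJwksUri();
        // computeIfAbsent already yields the stored value, so a second lookup is unnecessary.
        return this.jwksSignatures.computeIfAbsent(jwksUri, uri -> {
            JwksSignatureConfigurationProperties config = new JwksSignatureConfigurationProperties(openIdProviderMetadata.getName());
            config.setUrl(uri);
            return new JwksSignature(config, this.jwkValidator, this.jwkSetFetcher);
        });
    }
}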
