package org.forgerock.openam.authentication.modules.oidc;

import com.sun.identity.authentication.spi.AMLoginModule;
import com.sun.identity.authentication.spi.AuthLoginException;
import com.sun.identity.shared.debug.Debug;
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.login.LoginException;
import org.forgerock.json.jose.jwt.JwtClaimsSet;
import org.forgerock.openam.authentication.modules.common.mapping.AccountProvider;
import org.forgerock.openam.authentication.modules.common.mapping.AttributeMapper;

/* loaded from: input_file:org/forgerock/openam/authentication/modules/oidc/OpenIdConnect.class */
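/**
 * OpenID Connect authentication module that authenticates a user from an ID Token
 * carried in a configured HTTP request header.
 *
 * <p>{@link #process} reads the token from the header named by the module
 * configuration, hands it to {@link JwtHandler#validateJwt} (whose checks are not
 * visible in this class), then verifies the audience and, when present, the
 * authorized-party ({@code azp}) claim before mapping the claims to a local
 * account. The name of that account becomes the authenticated principal.
 *
 * <p>Only the header <em>name</em> is ever logged; the token value is a credential
 * and is kept out of the log. The account-provider and principal-mapper classes
 * are loaded reflectively from names held in the module configuration, i.e. from
 * administrator-controlled settings rather than from the request.
 */
public class OpenIdConnect extends AMLoginModule {
    /** Resource-bundle name used for every {@link AuthLoginException} thrown by this module. */
    private static final String BUNDLE_NAME = "amAuthOpenIdConnect";
    /** Value returned by {@link #process} to signal a successful login (same value as the framework's LOGIN_SUCCEED). */
    private static final int LOGIN_SUCCEED = -1;
    private static final Debug logger = Debug.getInstance("amAuth");

    private OpenIdConnectConfig config;
    private String principalName;
    private JwtHandler jwtHandler;

    /**
     * Builds the module configuration and the JWT handler from the module options.
     *
     * @param subject the login subject (not used by this module)
     * @param sharedState state shared between login modules (not used by this module)
     * @param options the module's configuration options as supplied by the framework
     */
    public void init(Subject subject, Map sharedState, Map options) {
        config = new OpenIdConnectConfig(options);
        jwtHandler = new JwtHandler(config);
    }

    /**
     * Performs the login: extracts the ID Token from the configured header, validates
     * it, checks audience and authorized party, and resolves the local principal.
     *
     * @param callbacks callbacks supplied by the framework (not used; the token comes from the header)
     * @param state the current login state (not used)
     * @return {@link #LOGIN_SUCCEED} when the token is accepted and a principal was resolved
     * @throws LoginException with one of the error codes {@code missing_header},
     *     {@code id_token_bad_audience}, {@code invalid_authorized_party},
     *     {@code no_attributes_mapped} or {@code principal_mapper_instantiation_error};
     *     {@code validateJwt} may throw its own exceptions for an invalid token
     */
    public int process(Callback[] callbacks, int state) throws LoginException {
        String headerName = config.getHeaderName();
        String idToken = getHttpServletRequest().getHeader(headerName);
        if (idToken == null || idToken.isEmpty()) {
            // Log the header name only; the token value itself must never reach the log.
            logger.error("No OpenIdConnect ID Token referenced by header value: " + headerName);
            throw failure("missing_header");
        }

        JwtClaimsSet claims = jwtHandler.validateJwt(idToken);

        if (!JwtHandler.isIntendedForAudience(config.getAudienceName(), claims)) {
            logger.error("ID token is not for this audience.");
            throw failure("id_token_bad_audience");
        }

        // azp is optional; when it is present it must name one of the accepted parties.
        if (JwtHandler.jwtHasAuthorizedPartyClaim(claims)
                && !JwtHandler.isFromValidAuthorizedParty(config.getAcceptedAuthorizedParties(), claims)) {
            logger.error("ID token was received from invalid authorized party.");
            throw failure("invalid_authorized_party");
        }

        principalName = mapPrincipal(claims);
        return LOGIN_SUCCEED;
    }

    /**
     * Maps the token claims to a local account and returns that account's name.
     *
     * @param claims the validated ID Token claims
     * @return the name of the account found by the configured account provider
     * @throws AuthLoginException when no configured claim mapping matches the token
     *     ({@code no_attributes_mapped}) or when a mapper/provider cannot be instantiated
     */
    private String mapPrincipal(JwtClaimsSet claims) throws AuthLoginException {
        // Keep the original instantiation order (mapper first) in case either class has static side effects.
        AttributeMapper<JwtClaimsSet> principalMapper = instantiatePrincipalMapper();
        AccountProvider accountProvider = instantiateAccountProvider();
        Map attributes = principalMapper.getAttributes(config.getJwkToLocalAttributeMappings(), claims);
        if (attributes.isEmpty()) {
            logger.error("None of the attributes specified in the mappings could be found in the Id Token.");
            throw failure("no_attributes_mapped");
        }
        // NOTE(review): searchUser's behaviour when no account matches is not visible here;
        // a null return would surface as a NullPointerException from getName() — confirm it throws instead.
        return accountProvider.searchUser(getAMIdentityRepository(getRequestOrg()), attributes).getName();
    }

    /**
     * Instantiates the configured {@link AccountProvider}.
     *
     * @throws AuthLoginException ({@code principal_mapper_instantiation_error}) when the class
     *     cannot be loaded, is not an {@code AccountProvider}, or has no usable no-arg constructor
     */
    private AccountProvider instantiateAccountProvider() throws AuthLoginException {
        return instantiate(config.getAccountProviderClass(), AccountProvider.class, "account provider");
    }

    /**
     * Instantiates the configured {@link AttributeMapper} for {@link JwtClaimsSet} sources.
     *
     * @throws AuthLoginException ({@code principal_mapper_instantiation_error}) when the class
     *     cannot be loaded, is not an {@code AttributeMapper}, or has no usable no-arg constructor
     */
    private AttributeMapper<JwtClaimsSet> instantiatePrincipalMapper() throws AuthLoginException {
        // The type argument is erased at runtime; the original code performed the same raw cast.
        @SuppressWarnings("unchecked")
        AttributeMapper<JwtClaimsSet> mapper =
                instantiate(config.getPrincipalMapperClass(), AttributeMapper.class, "principal mapper");
        return mapper;
    }

    /**
     * Loads {@code className} and creates an instance via its no-arg constructor, checking
     * that it is assignable to {@code type}.
     *
     * <p>{@code className} comes from the module configuration (administrator-controlled);
     * this method does not itself restrict which classes may be named.
     *
     * @param className fully qualified name of the class to load
     * @param type the interface the class must implement
     * @param role human-readable description used in the failure log line
     * @return a new instance of the class, typed as {@code T}
     * @throws AuthLoginException ({@code principal_mapper_instantiation_error}) on any failure;
     *     the same error code is used for both roles because that is the key the resource bundle provides
     */
    private static <T> T instantiate(String className, Class<T> type, String role) throws AuthLoginException {
        try {
            return Class.forName(className).asSubclass(type).getDeclaredConstructor().newInstance();
        } catch (Exception e) {
            // Broad catch is deliberate: this is the boundary between reflection and the login flow;
            // every failure here is reported under one error code. Errors (e.g. linkage) still propagate.
            logger.error("Exception caught instantiating " + role + " class: " + e, e);
            throw failure("principal_mapper_instantiation_error");
        }
    }

    /**
     * Builds the module's standard failure exception for {@code errorCode}; no message
     * arguments are passed, matching the framework's bundle lookup used throughout this class.
     */
    private static AuthLoginException failure(String errorCode) {
        return new AuthLoginException(BUNDLE_NAME, errorCode, (Object[]) null);
    }

    /**
     * Returns a principal whose name is the account resolved by the most recent successful
     * {@link #process}. The name is read lazily, so the principal reflects the module's
     * current state each time {@code getName()} is called.
     */
    public Principal getPrincipal() {
        return new Principal() {
            @Override
            public String getName() {
                return principalName;
            }
        };
    }
}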
