package org.forgerock.openam.authentication.modules.oidc;

import com.sun.identity.authentication.spi.AuthLoginException;
import com.sun.identity.shared.debug.Debug;
import java.util.List;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.forgerock.guice.core.InjectorHolder;
import org.forgerock.jaspi.modules.openid.exceptions.FailedToLoadJWKException;
import org.forgerock.jaspi.modules.openid.exceptions.OpenIdConnectVerificationException;
import org.forgerock.jaspi.modules.openid.resolvers.OpenIdResolver;
import org.forgerock.json.jose.common.JwtReconstruction;
import org.forgerock.json.jose.exceptions.InvalidJwtException;
import org.forgerock.json.jose.exceptions.JwsSigningException;
import org.forgerock.json.jose.exceptions.JwtReconstructionException;
import org.forgerock.json.jose.jws.SignedJwt;
import org.forgerock.json.jose.jwt.JwtClaimsSet;
import org.forgerock.openam.utils.StringUtils;
import org.forgerock.util.Reject;

/* loaded from: input_file:org/forgerock/openam/authentication/modules/oidc/JwtHandler.class */
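/**
 * Parses and validates an OpenID Connect ID token for the OIDC authentication module.
 *
 * <p>{@link #validateJwt(String)} reconstructs the token as a {@link SignedJwt}, checks that its
 * issuer matches the module configuration (literally or via a {@code {claim}} template), obtains an
 * {@link OpenIdResolver} for that issuer (from the cache or freshly created), verifies the token with
 * the resolver and finally applies the audience / authorized-party ({@code azp}) checks. Every failure
 * is reported to the caller as an {@link AuthLoginException} carrying a key from the
 * {@code amAuthOpenIdConnect} bundle.
 *
 * <p>Note that the issuer check runs on the claims <em>before</em> the signature has been verified, so
 * anything read from the claims set at that point must be treated as untrusted input.
 */
public class JwtHandler {
    private static Debug logger = Debug.getInstance("amAuth");
    private static final String AUTHORIZED_PARTY_CLAIM_KEY = "azp";
    /** Matches one {@code {claimName}} placeholder in a templated issuer; compiled once rather than per token. */
    private static final Pattern ISSUER_PLACEHOLDER_PATTERN = Pattern.compile("\\{[^\\}]+\\}");
    private OpenIdResolverCache openIdResolverCache = (OpenIdResolverCache) InjectorHolder.getInstance(OpenIdResolverCache.class);
    private final JwtReconstruction jwtReconstruction;
    private final JwtHandlerConfig config;

    /**
     * Creates a handler bound to the given module configuration.
     *
     * @param jwtHandlerConfig the OIDC module configuration (issuer, crypto context, client secret)
     * @throws NullPointerException if the {@link OpenIdResolverCache} could not be obtained from Guice
     */
    public JwtHandler(JwtHandlerConfig jwtHandlerConfig) {
        Reject.ifNull(this.openIdResolverCache, "OpenIdResolverCache could not be obtained from the InjectorHolder!");
        this.jwtReconstruction = new JwtReconstruction();
        this.config = jwtHandlerConfig;
    }

    /**
     * Validates a serialized ID token and returns its claims.
     *
     * @param str the compact-serialized signed JWT
     * @return the validated claims set
     * @throws AuthLoginException if the token cannot be parsed, its issuer does not match the
     *     configuration, no resolver can be built, signature/identity verification fails, the
     *     audience claim is missing, or the {@code azp} value is not listed in the audience
     */
    public JwtClaimsSet validateJwt(String str) throws AuthLoginException {
        SignedJwt signedJwt = getSignedJwt(str);
        JwtClaimsSet claimsSet = signedJwt.getClaimsSet();
        String issuer = claimsSet.getIssuer();
        // The signature is not verified yet: this check only decides which module/resolver the token
        // belongs to. validateIdentity(...) below is what establishes that the token is genuine.
        if (!this.config.getConfiguredIssuer().equals(issuer) && !isJwtFromIssuerFormat(claimsSet)) {
            logger.error("The issuer configured for the module, " + this.config.getConfiguredIssuer() + ", and the issuer found in the token, " + issuer + ", do not match. This means that the token authentication was directed at the wrong module, or the targeted module is mis-configured.");
            throw new AuthLoginException("amAuthOpenIdConnect", "token_issuer_mismatch", (Object[]) null);
        }
        OpenIdResolver openIdResolver = lookupCachedResolver();
        if (openIdResolver == null) {
            openIdResolver = createResolver(issuer);
        }
        try {
            openIdResolver.validateIdentity(signedJwt);
            if (!jwtHasAudienceClaim(claimsSet)) {
                logger.error("No audience claim present in ID token.");
                throw new AuthLoginException("amAuthOpenIdConnect", "no_audience_claim", (Object[]) null);
            }
            // When azp is present it must be one of the audiences (OIDC Core ID-token validation).
            List<String> audience = claimsSet.getAudience();
            if (jwtHasAuthorizedPartyClaim(claimsSet) && !audience.contains(authorizedPartyClaim(claimsSet))) {
                logger.error("Authorized party was present in ID token, but its value was not found in the audience claim.");
                throw new AuthLoginException("amAuthOpenIdConnect", "authorized_party_not_in_audience", (Object[]) null);
            }
            return claimsSet;
        } catch (OpenIdConnectVerificationException e3) {
            logger.warning("Verification of ID Token failed: " + e3);
            throw new AuthLoginException("amAuthOpenIdConnect", "verification_failed", (Object[]) null);
        } catch (JwsSigningException e4) {
            logger.error("JwsSigningException", e4);
            throw new AuthLoginException("amAuthOpenIdConnect", "jws_signing_exception", (Object[]) null);
        }
    }

    /**
     * Looks up an already-created resolver in the cache.
     *
     * <p>The cache is queried by the configured crypto context value (not by the token's issuer),
     * as in the original implementation; presumably the cache is keyed on the JWK/discovery location.
     *
     * @return the cached resolver, or {@code null} if the crypto context value is empty or nothing is cached
     */
    private OpenIdResolver lookupCachedResolver() {
        String cryptoContextValue = this.config.getCryptoContextValue();
        if (StringUtils.isNotEmpty(cryptoContextValue)) {
            return this.openIdResolverCache.getResolverForIssuer(cryptoContextValue);
        }
        return null;
    }

    /**
     * Creates (and caches) a resolver for the given issuer from the module's crypto context.
     *
     * @param issuer the issuer taken from the token
     * @return a resolver able to verify tokens from {@code issuer}
     * @throws AuthLoginException with key {@code jwk_not_loaded} if the key material could not be
     *     loaded, or {@code issuer_mismatch} if the cache rejected the issuer
     */
    private OpenIdResolver createResolver(String issuer) throws AuthLoginException {
        String cryptoContextType = this.config.getCryptoContextType();
        String cryptoContextValue;
        if ("client_secret".equals(cryptoContextType)) {
            if (logger.messageEnabled()) {
                logger.message("Creating OpenIdResolver for issuer " + issuer + " using client secret");
            }
            cryptoContextValue = this.config.getClientSecret();
        } else {
            if (logger.messageEnabled()) {
                logger.message("Creating OpenIdResolver for issuer " + issuer + " using config url " + this.config.getCryptoContextValue());
            }
            cryptoContextValue = this.config.getCryptoContextValue();
        }
        try {
            return this.openIdResolverCache.createResolver(issuer, cryptoContextType, cryptoContextValue, this.config.getCryptoContextUrlValue());
        } catch (FailedToLoadJWKException e) {
            // Log the configured context value only, never the client secret that may be in cryptoContextValue.
            logger.error("Could not create OpenIdResolver for issuer " + issuer + " using crypto context value " + this.config.getCryptoContextValue() + " :" + e, e);
            throw new AuthLoginException("amAuthOpenIdConnect", "jwk_not_loaded", (Object[]) null);
        } catch (IllegalStateException e2) {
            logger.error("Could not create OpenIdResolver for issuer " + issuer + " using crypto context value " + this.config.getCryptoContextValue() + " :" + e2);
            throw new AuthLoginException("amAuthOpenIdConnect", "issuer_mismatch", (Object[]) null);
        }
    }

    /**
     * Expands {@code {claimName}} placeholders in the configured issuer with values from the token
     * and compares the result with the token's issuer. Placeholders whose claim is absent are left
     * as literal text.
     *
     * @param jwtClaimsSet the (not yet signature-verified) claims of the token
     * @return {@code true} if the expanded template equals the token's {@code iss} claim
     */
    private boolean isJwtFromIssuerFormat(JwtClaimsSet jwtClaimsSet) {
        Matcher matcher = ISSUER_PLACEHOLDER_PATTERN.matcher(this.config.getConfiguredIssuer());
        StringBuffer expanded = new StringBuffer();
        while (matcher.find()) {
            String placeholder = matcher.group();
            Object claim = jwtClaimsSet.getClaim(placeholder.substring(1, placeholder.length() - 1));
            if (claim != null) {
                // Claim values are attacker-controlled at this point: quote them so a '$' or '\' in the
                // value is not interpreted as a group reference by appendReplacement (which would throw
                // an unchecked exception instead of a clean issuer-mismatch result).
                matcher.appendReplacement(expanded, Matcher.quoteReplacement(claim.toString()));
            }
        }
        matcher.appendTail(expanded);
        return expanded.toString().equals(jwtClaimsSet.getIssuer());
    }

    /**
     * Parses the compact serialization into a {@link SignedJwt} (no verification is performed here).
     *
     * @param str the compact-serialized JWT
     * @return the reconstructed signed JWT
     * @throws AuthLoginException with key {@code jwt_parse_error} if the value cannot be parsed
     */
    private SignedJwt getSignedJwt(String str) throws AuthLoginException {
        try {
            return this.jwtReconstruction.reconstructJwt(str, SignedJwt.class);
        } catch (JwtReconstructionException e) {
            logger.error("Could not reconstruct jwt from header value: " + e);
            throw new AuthLoginException("amAuthOpenIdConnect", "jwt_parse_error", (Object[]) null);
        } catch (InvalidJwtException e2) {
            logger.error("Could not reconstruct jwt from header value: " + e2);
            throw new AuthLoginException("amAuthOpenIdConnect", "jwt_parse_error", (Object[]) null);
        }
    }

    /**
     * Tells whether {@code str} is listed in the token's audience.
     *
     * @param str the expected audience (typically the client id)
     * @param jwtClaimsSet the token claims
     * @return {@code true} if the audience claim is present and contains {@code str}
     * @throws AuthLoginException declared for API compatibility; not thrown by this implementation
     */
    public static boolean isIntendedForAudience(String str, JwtClaimsSet jwtClaimsSet) throws AuthLoginException {
        List<String> audience = jwtClaimsSet.getAudience();
        // A token without an audience claim is not intended for anyone (previously an NPE).
        return audience != null && audience.contains(str);
    }

    /**
     * Tells whether the token's {@code azp} claim is one of the accepted authorized parties.
     *
     * @param set the accepted authorized parties
     * @param jwtClaimsSet the token claims
     * @return {@code true} if an {@code azp} claim is present and contained in {@code set};
     *     {@code false} (with an error logged) when the claim is missing
     * @throws AuthLoginException declared for API compatibility; not thrown by this implementation
     */
    public static boolean isFromValidAuthorizedParty(Set<String> set, JwtClaimsSet jwtClaimsSet) throws AuthLoginException {
        if (!jwtHasAuthorizedPartyClaim(jwtClaimsSet)) {
            logger.error("No authorized party found in JWT claims set.");
            return false;
        }
        return set.contains(authorizedPartyClaim(jwtClaimsSet));
    }

    /**
     * @param jwtClaimsSet the token claims
     * @return {@code true} if the audience claim is present and non-empty
     * @throws AuthLoginException declared for API compatibility; not thrown by this implementation
     */
    private static boolean jwtHasAudienceClaim(JwtClaimsSet jwtClaimsSet) throws AuthLoginException {
        List<String> audience = jwtClaimsSet.getAudience();
        return audience != null && !audience.isEmpty();
    }

    /**
     * @param jwtClaimsSet the token claims
     * @return {@code true} if the {@code azp} claim is present and non-empty
     * @throws AuthLoginException declared for API compatibility; not thrown by this implementation
     */
    public static boolean jwtHasAuthorizedPartyClaim(JwtClaimsSet jwtClaimsSet) throws AuthLoginException {
        String authorizedParty = authorizedPartyClaim(jwtClaimsSet);
        return authorizedParty != null && !authorizedParty.isEmpty();
    }

    /**
     * Reads the {@code azp} claim as a string.
     *
     * <p>{@code azp} is specified as a string; a token carrying a different JSON type is coerced via
     * {@code toString()} rather than failing with a {@link ClassCastException} from an unchecked cast.
     *
     * @param jwtClaimsSet the token claims
     * @return the claim value, or {@code null} if absent
     */
    private static String authorizedPartyClaim(JwtClaimsSet jwtClaimsSet) {
        Object authorizedParty = jwtClaimsSet.getClaim(AUTHORIZED_PARTY_CLAIM_KEY);
        return authorizedParty == null ? null : authorizedParty.toString();
    }

    /**
     * Parses the token and returns its claims without any verification.
     *
     * @param str the compact-serialized JWT
     * @return the unverified claims set
     * @throws AuthLoginException with key {@code jwt_parse_error} if the value cannot be parsed
     */
    public JwtClaimsSet getJwtClaims(String str) throws AuthLoginException {
        return getSignedJwt(str).getClaimsSet();
    }
}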
