package org.forgerock.openam.sts.rest.token.validator;

import com.iplanet.services.util.Crypt;
import org.forgerock.json.jose.common.JwtReconstruction;
import org.forgerock.json.jose.jws.SignedJwt;
import org.forgerock.json.jose.jwt.JwtClaimsSet;
import org.forgerock.openam.sts.TokenType;
import org.forgerock.openam.sts.TokenValidationException;
import org.forgerock.openam.sts.rest.operation.validate.IssuedTokenValidatorFactory;
import org.forgerock.openam.sts.token.ThreadLocalAMTokenCache;
import org.forgerock.openam.sts.token.model.OpenIdConnectIdToken;
import org.forgerock.openam.sts.token.validator.AuthenticationHandler;
import org.forgerock.openam.sts.token.validator.PrincipalFromSession;
import org.forgerock.openam.sts.token.validator.ValidationInvocationContext;

/* loaded from: input_file:org/forgerock/openam/sts/rest/token/validator/OpenIdConnectIdTokenTransformValidator.class */
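public class OpenIdConnectIdTokenTransformValidator implements RestTokenTransformValidator<OpenIdConnectIdToken> {
    /**
     * Claim read from an STS-issued OIDC id token; its value is decrypted with {@link Crypt#decryptLocal} and then
     * used as an OpenAM session id, so the claim is only honoured after the issued-token validator accepted the token.
     */
    private static final String ENCRYPTED_SESSION_ID_CLAIM = "auth:token:encrypt";

    private final AuthenticationHandler<OpenIdConnectIdToken> authenticationHandler;
    private final ThreadLocalAMTokenCache threadLocalAMTokenCache;
    private final PrincipalFromSession principalFromSession;
    private final ValidationInvocationContext validationInvocationContext;
    private final IssuedTokenValidatorFactory issuedTokenValidatorFactory;
    private final boolean invalidateAMSession;

    /**
     * @param authenticationHandler authenticates an id token against OpenAM and returns a session id
     * @param threadLocalAMTokenCache per-thread cache the resulting session id is written to
     * @param principalFromSession resolves the principal behind a session id
     * @param validationInvocationContext key under which the session id is cached
     * @param issuedTokenValidatorFactory supplies the validator that decides whether a token was issued by this STS
     * @param invalidateAMSession passed through unchanged to {@code cacheSessionIdForContext}; by its name it
     *        controls whether the AM session is invalidated afterwards — confirm against the cache implementation
     */
    public OpenIdConnectIdTokenTransformValidator(AuthenticationHandler<OpenIdConnectIdToken> authenticationHandler, ThreadLocalAMTokenCache threadLocalAMTokenCache, PrincipalFromSession principalFromSession, ValidationInvocationContext validationInvocationContext, IssuedTokenValidatorFactory issuedTokenValidatorFactory, boolean invalidateAMSession) {
        this.authenticationHandler = authenticationHandler;
        this.threadLocalAMTokenCache = threadLocalAMTokenCache;
        this.principalFromSession = principalFromSession;
        this.validationInvocationContext = validationInvocationContext;
        this.issuedTokenValidatorFactory = issuedTokenValidatorFactory;
        this.invalidateAMSession = invalidateAMSession;
    }

    /**
     * Validates an OIDC id token and maps it to an OpenAM principal and session id.
     *
     * <p>Two paths exist. If {@link #validateInternal} recognises the token as one this STS issued with an embedded
     * encrypted session id, that session is restored directly. Otherwise the token is authenticated against OpenAM
     * through the configured {@link AuthenticationHandler}. On either path the session id is cached for the current
     * invocation context before the result is returned.
     *
     * @param restTokenTransformValidatorParameters carries the id token to validate
     * @return the principal and session id the token resolves to
     * @throws TokenValidationException if authentication or the session-to-principal lookup fails
     */
    @Override
    public RestTokenTransformValidatorResult validateToken(RestTokenTransformValidatorParameters<OpenIdConnectIdToken> restTokenTransformValidatorParameters) throws TokenValidationException {
        RestTokenTransformValidatorResult restored = validateInternal(restTokenTransformValidatorParameters);
        if (restored != null) {
            return restored;
        }
        // Not an STS-issued token with a restorable session: authenticate it the ordinary way.
        String sessionId = this.authenticationHandler.authenticate(restTokenTransformValidatorParameters.getInputToken(), TokenType.OPENIDCONNECT);
        this.threadLocalAMTokenCache.cacheSessionIdForContext(this.validationInvocationContext, sessionId, this.invalidateAMSession);
        return new RestTokenTransformValidatorResult(this.principalFromSession.getPrincipalFromSession(sessionId), sessionId);
    }

    /**
     * Fast path for tokens issued by this STS: restores the OpenAM session embedded in the token instead of
     * re-authenticating.
     *
     * <p>The encrypted session id claim is read only after the issued-token validator has accepted the token, so the
     * claim is never acted on for a token that failed that check; keep that ordering. Any failure on this path (not an
     * STS-issued token, JWT not reconstructible, claim absent, decryption yielding nothing, session lookup failing)
     * returns {@code null}, which the caller treats as "fall back to full authentication".
     *
     * @param parameters carries the id token to inspect
     * @return the result built from the embedded session, or {@code null} to request the fallback path
     */
    private RestTokenTransformValidatorResult validateInternal(RestTokenTransformValidatorParameters<OpenIdConnectIdToken> parameters) {
        try {
            boolean issuedByThisSts = this.issuedTokenValidatorFactory
                    .getTokenValidator(TokenType.OPENIDCONNECT)
                    .validateToken(() -> (OpenIdConnectIdToken) parameters.getInputToken());
            if (!issuedByThisSts) {
                return null;
            }
            // Reconstruction only parses the compact serialization; the signature check is presumably done by the
            // issued-token validator above — confirm before trusting the claims for anything beyond this lookup.
            JwtClaimsSet claimsSet = new JwtReconstruction()
                    .reconstructJwt(parameters.getInputToken().getTokenValue(), SignedJwt.class)
                    .getClaimsSet();
            if (!claimsSet.isDefined(ENCRYPTED_SESSION_ID_CLAIM)) {
                return null;
            }
            String sessionId = Crypt.decryptLocal((String) claimsSet.getClaim(ENCRYPTED_SESSION_ID_CLAIM, String.class));
            // A decryption that yields nothing usable must not be cached or looked up as a session id; treat it like
            // a missing claim so the caller authenticates the token normally.
            if (sessionId == null || sessionId.isEmpty()) {
                return null;
            }
            this.threadLocalAMTokenCache.cacheSessionIdForContext(this.validationInvocationContext, sessionId, this.invalidateAMSession);
            return new RestTokenTransformValidatorResult(this.principalFromSession.getPrincipalFromSession(sessionId), sessionId);
        } catch (Exception ignored) {
            // Deliberate best-effort: a failure here means the session is not restorable, and the caller falls
            // back to full authentication rather than rejecting the token at this point.
            return null;
        }
    }
}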
