package org.apache.cxf.rs.security.oauth2.grants.jwt;

import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.core.Form;
import javax.ws.rs.core.MultivaluedMap;
import org.apache.cxf.jaxrs.provider.FormEncodingProvider;
import org.apache.cxf.jaxrs.utils.ExceptionUtils;
import org.apache.cxf.jaxrs.utils.FormUtils;
import org.apache.cxf.jaxrs.utils.HttpUtils;
import org.apache.cxf.jaxrs.utils.JAXRSUtils;
import org.apache.cxf.message.Message;
import org.apache.cxf.rs.security.jose.jaxrs.JwtTokenSecurityContext;
import org.apache.cxf.rs.security.jose.jwt.JwtConstants;
import org.apache.cxf.rs.security.jose.jwt.JwtToken;
import org.apache.cxf.rs.security.jose.jwt.JwtUtils;
import org.apache.cxf.rs.security.oauth2.common.Client;
import org.apache.cxf.rs.security.oauth2.provider.ClientRegistrationProvider;
import org.apache.cxf.rs.security.oauth2.provider.OAuthServerJoseJwtConsumer;
import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
import org.apache.cxf.rs.security.oauth2.utils.OAuthConstants;
import org.apache.cxf.security.SecurityContext;

/* loaded from: input_file:org/apache/cxf/rs/security/oauth2/grants/jwt/JwtBearerAuthHandler.class */
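/**
 * JAX-RS request filter that authenticates an OAuth2 client from a JWT bearer
 * client assertion carried in the form-encoded request body.
 *
 * <p>The filter reads the {@code client_assertion_type}, {@code client_assertion}
 * and optional {@code client_id} form parameters, has the superclass turn the
 * assertion into a {@link JwtToken}, checks that a supplied {@code client_id}
 * equals the token subject, and then publishes the client id and a
 * {@link SecurityContext} on the current message. Every rejection is reported as
 * a bare 401 so the response does not reveal which check failed.
 *
 * <p>Points a reviewer should keep in mind:
 * <ul>
 *   <li>When no {@code client_id} parameter is sent, or no
 *       {@link ClientRegistrationProvider} is configured, no registered
 *       {@link Client} is looked up and {@code null} is passed to
 *       {@code getJwtToken}; which key material is then used to verify the
 *       assertion is decided by the superclass and is not visible here.</li>
 *   <li>The issuer claim is only checked for presence in
 *       {@link #validateToken(JwtToken)}; this class does not compare it with the
 *       client id or the subject.</li>
 *   <li>This class does not track the {@code jti} claim; replay protection for
 *       assertions, if required, has to be provided elsewhere.</li>
 * </ul>
 */
public class JwtBearerAuthHandler extends OAuthServerJoseJwtConsumer implements ContainerRequestFilter {
    private static final String CLIENT_ASSERTION_TYPE_PARAM = "client_assertion_type";
    private static final String CLIENT_ASSERTION_PARAM = "client_assertion";
    private static final String CLIENT_ID_PARAM = "client_id";

    private ClientRegistrationProvider clientProvider;
    private final FormEncodingProvider<Form> provider = new FormEncodingProvider<>(true);
    private boolean validateAudience = true;

    /**
     * Authenticates the client for the current request.
     *
     * @param containerRequestContext the JAX-RS request context (not read directly;
     *        the CXF message is obtained from {@link JAXRSUtils#getCurrentMessage()})
     * @throws javax.ws.rs.NotAuthorizedException if the assertion type is missing or
     *         is not the JWT bearer type, the assertion is missing, the supplied
     *         client id is unknown to the configured provider, the token subject is
     *         not a string or differs from the supplied client id, or the form
     *         cannot be read or restored
     */
    @Override
    public void filter(ContainerRequestContext containerRequestContext) {
        Message currentMessage = JAXRSUtils.getCurrentMessage();
        Form form = readFormData(currentMessage);
        MultivaluedMap<String, String> formData = form.asMap();

        String rawAssertionType = formData.getFirst(CLIENT_ASSERTION_TYPE_PARAM);
        String assertionType = rawAssertionType != null ? HttpUtils.urlDecode(rawAssertionType) : null;
        // equals() on the constant also rejects a missing (null) assertion type.
        if (!Constants.CLIENT_AUTH_JWT_BEARER.equals(assertionType)) {
            throw ExceptionUtils.toNotAuthorizedException(null, null);
        }

        String assertion = formData.getFirst(CLIENT_ASSERTION_PARAM);
        if (assertion == null) {
            throw ExceptionUtils.toNotAuthorizedException(null, null);
        }

        String clientId = formData.getFirst(CLIENT_ID_PARAM);
        Client client = null;
        if (clientId != null && this.clientProvider != null) {
            client = this.clientProvider.getClient(clientId);
            if (client == null) {
                throw ExceptionUtils.toNotAuthorizedException(null, null);
            }
            currentMessage.put(Client.class, client);
        }

        // Parsing and verification of the assertion happen in the superclass.
        JwtToken jwtToken = super.getJwtToken(assertion, client);

        // Fail closed on a missing or non-string subject instead of letting a
        // ClassCastException escape the filter.
        Object subjectClaim = jwtToken.getClaim(JwtConstants.CLAIM_SUBJECT);
        if (!(subjectClaim instanceof String)) {
            throw ExceptionUtils.toNotAuthorizedException(null, null);
        }
        String subject = (String) subjectClaim;
        if (clientId != null && !clientId.equals(subject)) {
            throw ExceptionUtils.toNotAuthorizedException(null, null);
        }

        // From here on the token subject is the client identity for this request;
        // when client_id was omitted it is the only source of that identity.
        currentMessage.put(CLIENT_ID_PARAM, subject);

        // Strip the client credentials from the form before it is restored onto
        // the message, so the assertion is not carried further down the chain.
        formData.remove(CLIENT_ID_PARAM);
        formData.remove(CLIENT_ASSERTION_PARAM);
        formData.remove(CLIENT_ASSERTION_TYPE_PARAM);

        SecurityContext securityContext = configureSecurityContext(jwtToken);
        if (securityContext != null) {
            JAXRSUtils.getCurrentMessage().put(SecurityContext.class, securityContext);
        }
        try {
            FormUtils.restoreForm(this.provider, form, currentMessage);
        } catch (Exception e) {
            // Keep the cause for server-side diagnosis; the client still sees a bare 401.
            throw ExceptionUtils.toNotAuthorizedException(e, null);
        }
    }

    /**
     * Builds the security context published for an authenticated request.
     * Subclasses may override this; returning {@code null} leaves the message's
     * security context untouched.
     *
     * @param jwtToken the client assertion token returned by the superclass
     * @return a {@link JwtTokenSecurityContext} wrapping the token, created with a
     *         {@code null} second argument
     */
    protected SecurityContext configureSecurityContext(JwtToken jwtToken) {
        return new JwtTokenSecurityContext(jwtToken, null);
    }

    /**
     * Reads the form body of the current message.
     *
     * @param message the current CXF message
     * @return the parsed form
     * @throws javax.ws.rs.NotAuthorizedException if the form cannot be read
     */
    private Form readFormData(Message message) {
        try {
            return FormUtils.readForm(this.provider, message);
        } catch (Exception e) {
            // Keep the cause for server-side diagnosis; the client still sees a bare 401.
            throw ExceptionUtils.toNotAuthorizedException(e, null);
        }
    }

    /**
     * Validates the claims of a client assertion: after the superclass checks, the
     * issuer, subject and expiry claims must all be present, and the claims are then
     * passed to {@link JwtUtils#validateTokenClaims} with the configured TTL, clock
     * offset and audience-validation flag.
     *
     * <p>The decompiler reports that the access modifier of this method was changed
     * from {@code protected}; it is left {@code public} here so the signature matches
     * the listing.
     *
     * @param jwtToken the token to validate
     * @throws OAuthServiceException with {@code invalid_grant} if the issuer, subject
     *         or expiry claim is missing
     */
    @Override
    public void validateToken(JwtToken jwtToken) {
        super.validateToken(jwtToken);
        // Presence checks only: the issuer value itself is not compared with anything here.
        if (jwtToken.getClaim(JwtConstants.CLAIM_ISSUER) == null
            || jwtToken.getClaim(JwtConstants.CLAIM_SUBJECT) == null
            || jwtToken.getClaim(JwtConstants.CLAIM_EXPIRY) == null) {
            throw new OAuthServiceException(OAuthConstants.INVALID_GRANT);
        }
        JwtUtils.validateTokenClaims(jwtToken.getClaims(), getTtl(), getClockOffset(), isValidateAudience());
    }

    /**
     * Sets the provider used to resolve a supplied {@code client_id} to a registered
     * client. When it is unset, a supplied client id is only compared with the token
     * subject and is not checked against any registry by this class.
     *
     * @param clientRegistrationProvider the client registry, or {@code null}
     */
    public void setClientProvider(ClientRegistrationProvider clientRegistrationProvider) {
        this.clientProvider = clientRegistrationProvider;
    }

    /**
     * @return whether the audience-validation flag is passed as {@code true} to
     *         {@link JwtUtils#validateTokenClaims}; defaults to {@code true}
     */
    public boolean isValidateAudience() {
        return this.validateAudience;
    }

    /**
     * Enables or disables audience validation. With the flag off, the
     * {@link JwtUtils#validateTokenClaims} call in {@link #validateToken(JwtToken)}
     * no longer checks the audience claim, so an assertion addressed to a different
     * recipient is not rejected by that call; keep it enabled unless the audience is
     * enforced elsewhere.
     *
     * @param z {@code true} to validate the audience claim
     */
    public void setValidateAudience(boolean z) {
        this.validateAudience = z;
    }
}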
