package org.clazzes.login.oauth.impl;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Signature;
import java.security.SignatureException;
import java.util.Arrays;
import java.util.Map;
import org.clazzes.login.oauth.ConfigOptions;
import org.clazzes.login.oauth.DomainConfig;
import org.clazzes.login.oauth.OAuthTokenErrorResponse;
import org.clazzes.login.oauth.OAuthTokenResponse;
import org.clazzes.login.oauth.TokenValidator;
import org.clazzes.login.oauth.jwt.Helpers;
import org.clazzes.login.oauth.jwt.JWKPubKey;
import org.clazzes.login.oauth.jwt.JWToken;
import org.clazzes.login.oauth.jwt.JWTokenClaims;
import org.clazzes.login.oauth.jwt.JWTokenParser;
import org.clazzes.util.aop.i18n.Messages;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/clazzes/login/oauth/impl/JWTokenValidator.class */
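public class JWTokenValidator implements TokenValidator {
    private static final Logger log = LoggerFactory.getLogger(JWTokenValidator.class);

    /**
     * Validates the OpenID Connect ID token carried by a token response against the
     * domain's OpenID configuration and its published signing keys.
     *
     * <p>Checks are performed in this order, each failing with its own error code:
     * configuration loaded, issuer, audience (the domain's client id), key id known,
     * signature algorithm advertised by the provider, signature, {@code at_hash}
     * against the access token (when an access token is present), and the
     * {@code nbf}/{@code exp} validity window.
     *
     * <p>NOTE(review): no {@code nonce} check is performed here. If the authorization
     * request carried a nonce, the caller must compare it with the token's nonce claim
     * itself; this method has no access to the expected value.
     *
     * @param domainConfig        domain holding the OpenID configuration, key set, client credentials and options.
     * @param oAuthTokenResponse  token endpoint response; its ID token (and optional access token) are validated.
     * @param messages            i18n messages passed into every {@link OAuthTokenErrorResponse}.
     * @return the parsed and verified token, or {@code null} when the response carries no ID token.
     * @throws OAuthTokenErrorResponse with a check-specific code on any failed check; parse, crypto
     *         and runtime failures are mapped to {@code openid-token-validation-failed}.
     */
    @Override // org.clazzes.login.oauth.TokenValidator
    public JWToken validateToken(DomainConfig domainConfig, OAuthTokenResponse oAuthTokenResponse, Messages messages) throws OAuthTokenErrorResponse {
        try {
            String idToken = oAuthTokenResponse.getIdToken();
            if (idToken == null) {
                return null;
            }
            // Deliberately not logging the token itself: an ID token carries user claims (PII)
            // and may be accepted as a bearer credential by downstream services.
            if (log.isDebugEnabled()) {
                log.debug("Validating ID token ({} characters).", idToken.length());
            }
            JWToken token = JWTokenParser.parseJWToken(idToken);
            JWTokenClaims claims = token.getClaimSet();
            if (log.isDebugEnabled()) {
                log.debug("Checking signature on ID Token with issuer [{}] and key ID [{}]...", claims.getIssuer(), token.getKeyId());
            }
            Map<String, Object> openIdConfiguration = domainConfig.getOpenIdConfiguration();
            if (openIdConfiguration == null) {
                log.error("OpenID configuration of domain [" + domainConfig.getDomain() + "] not loaded while validation Open ID token.");
                throw new OAuthTokenErrorResponse("openid-configuration-not-loaded", messages);
            }
            checkIssuer(domainConfig, openIdConfiguration, claims, messages);
            checkAudience(domainConfig, claims, messages);

            JWKPubKey pubKey = domainConfig.getOpenIdKeys().get(token.getKeyId());
            if (pubKey == null) {
                throw new OAuthTokenErrorResponse("openid-token-unknown-key", messages);
            }
            // The algorithm actually used for verification is the provider-advertised one that
            // matches the token header, so a token cannot pick an algorithm the provider does not publish.
            String jceAlgorithm = selectSigningAlgorithm(domainConfig, openIdConfiguration, token, messages);
            verifySignature(token, pubKey, jceAlgorithm, messages);

            checkAccessTokenHash(domainConfig, oAuthTokenResponse.getAccessToken(), claims, jceAlgorithm, messages);
            checkValidityWindow(claims, messages);
            return token;
        } catch (IOException | RuntimeException | InvalidKeyException | NoSuchAlgorithmException | SignatureException e) {
            // Boundary catch: anything not already mapped to a specific code becomes a generic failure.
            log.error("Error validating OpenID token", e);
            throw new OAuthTokenErrorResponse("openid-token-validation-failed", messages);
        }
    }

    /**
     * Compares the token's {@code iss} claim with the configured issuer.
     * A {@code {tenantid}} placeholder in the configured issuer is filled from the token's {@code tid} claim.
     */
    private static void checkIssuer(DomainConfig domainConfig, Map<String, Object> openIdConfiguration,
            JWTokenClaims claims, Messages messages) throws OAuthTokenErrorResponse {
        String expectedIssuer = (String) openIdConfiguration.get("issuer");
        if (expectedIssuer == null) {
            log.error("OpenID configuration of domain [" + domainConfig.getDomain() + "] does not contain an [issuer] entry while validation Open ID token.");
            throw new OAuthTokenErrorResponse("openid-configuration-invalid", messages);
        }
        if (expectedIssuer.contains("{tenantid}")) {
            String tenantId = claims.getAdditionalClaim("tid");
            if (tenantId != null) {
                // NOTE(review): the tenant part of the expected issuer is taken from the token itself
                // (whose signature has not been checked yet), so any tenant of a multi-tenant provider
                // passes this comparison; the later signature check against the configured key set is
                // what actually binds the token to the provider.
                if (log.isDebugEnabled()) {
                    log.debug("Replacing {tenantid} in domain issuer [{}] with tid [{}]", expectedIssuer, tenantId);
                }
                expectedIssuer = expectedIssuer.replace("{tenantid}", tenantId);
            }
        }
        String tokenIssuer = claims.getIssuer();
        if (log.isDebugEnabled()) {
            log.debug("Checking domain issuer [{}] against token issuer [{}].", expectedIssuer, tokenIssuer);
        }
        if (!expectedIssuer.equals(tokenIssuer)) {
            log.error("Domain issuer [{}] differs from token issuer [{}] while validation Open ID token.", expectedIssuer, tokenIssuer);
            throw new OAuthTokenErrorResponse("openid-token-invalid-issuer", messages);
        }
    }

    /**
     * Requires the domain's client id to be one of the token's audiences.
     * NOTE(review): for tokens with several audiences OIDC Core 3.1.3.7 additionally expects an
     * {@code azp} check; that is not done here.
     */
    private static void checkAudience(DomainConfig domainConfig, JWTokenClaims claims, Messages messages) throws OAuthTokenErrorResponse {
        String clientId = domainConfig.getClientCredentials().getUserName();
        String audience = claims.getAudience();
        // Linear membership test: the previous Arrays.binarySearch is only defined on a sorted array,
        // and nothing here guarantees the ordering of Helpers.parseScope's result.
        boolean clientIsAudience = Arrays.asList(Helpers.parseScope(audience)).contains(clientId);
        if (!clientIsAudience) {
            log.error("Domain clientId [{}] is not contained in the token audience [{}] while validation Open ID token.", clientId, audience);
            throw new OAuthTokenErrorResponse("openid-token-invalid-audience", messages);
        }
    }

    /**
     * Returns the JCE signature algorithm name to verify with: the first entry of the provider's
     * {@code id_token_signing_alg_values_supported} whose JCE name equals the token header's algorithm.
     */
    private static String selectSigningAlgorithm(DomainConfig domainConfig, Map<String, Object> openIdConfiguration,
            JWToken token, Messages messages) throws OAuthTokenErrorResponse {
        Object supported = openIdConfiguration.get("id_token_signing_alg_values_supported");
        if (!(supported instanceof String[])) {
            log.error("OpenID configuration of domain [" + domainConfig.getDomain() + "] does not contain an [id_token_signing_alg_values_supported] entry of type array while validation Open ID token.");
            throw new OAuthTokenErrorResponse("openid-configuration-invalid", messages);
        }
        String tokenAlgorithm = token.getAlgorithm();
        for (String candidate : (String[]) supported) {
            String jceName = Helpers.getJceAlgorithmName(candidate);
            if (tokenAlgorithm.equals(jceName)) {
                return jceName;
            }
        }
        log.error("OpenID token algorithm [{}] not contained in [id_token_signing_alg_values_supported] entry of the OpenID configuration of domain [{}].", tokenAlgorithm, domainConfig.getDomain());
        throw new OAuthTokenErrorResponse("openid-token-validation-failed", messages);
    }

    /** Verifies the token signature over its signing payload with the given public key and JCE algorithm. */
    private static void verifySignature(JWToken token, JWKPubKey pubKey, String jceAlgorithm, Messages messages)
            throws OAuthTokenErrorResponse, NoSuchAlgorithmException, InvalidKeyException, SignatureException {
        if (log.isDebugEnabled()) {
            log.debug("Checking token signature using algorithm [{}].", jceAlgorithm);
        }
        Signature signature = Signature.getInstance(jceAlgorithm);
        signature.initVerify(pubKey.getPubKey());
        signature.update(token.getSignaturePayload());
        if (!signature.verify(token.getSignature())) {
            log.error("OpenID token signature validation failed.");
            throw new OAuthTokenErrorResponse("openid-token-validation-failed", messages);
        }
        if (log.isDebugEnabled()) {
            log.debug("Successfully checked signature on ID Token with key ID [{}], claims are [{}].", token.getKeyId(), token.getClaimSet());
        }
    }

    /**
     * Binds the access token to the ID token via the {@code at_hash} claim: the left-most half of the
     * hash (using the hash of the ID token's signature algorithm) of the ASCII access token.
     * A missing claim is only tolerated with {@link ConfigOptions#lenientAccessTokenCheck}.
     */
    private static void checkAccessTokenHash(DomainConfig domainConfig, String accessToken, JWTokenClaims claims,
            String jceAlgorithm, Messages messages) throws OAuthTokenErrorResponse, IOException, NoSuchAlgorithmException {
        if (accessToken == null) {
            return;
        }
        String atHash = claims.getAdditionalClaim("at_hash");
        if (atHash == null) {
            if (!domainConfig.getOptions().contains(ConfigOptions.lenientAccessTokenCheck)) {
                log.error("OpenID access token validation failed, no [at_hash] given in claims.");
                throw new OAuthTokenErrorResponse("access-token-validation-failed", messages);
            }
            if (log.isDebugEnabled()) {
                log.debug("Ignoring missing [at_hash] claim during open ID access token validation, because option [lenientAccessTokenCheck] is given.");
            }
            return;
        }
        byte[] digest = MessageDigest.getInstance(Helpers.getJceHashName(jceAlgorithm))
                .digest(accessToken.getBytes(StandardCharsets.US_ASCII));
        byte[] leftHalf = Arrays.copyOf(digest, digest.length / 2);
        // Constant-time comparison of hash material, as is conventional for MAC/hash checks.
        if (!MessageDigest.isEqual(leftHalf, Helpers.parseBase64(atHash))) {
            log.error("OpenID access token validation failed, because [at_hash] value differs from actual acces token hash.");
            throw new OAuthTokenErrorResponse("access-token-validation-failed", messages);
        }
        if (log.isDebugEnabled()) {
            log.debug("Correctly validated access token against [at_hash] open ID access token.");
        }
    }

    /** Rejects tokens outside their {@code nbf}..{@code exp} window (both claims optional). */
    private static void checkValidityWindow(JWTokenClaims claims, Messages messages) throws OAuthTokenErrorResponse {
        Long notBefore = claims.getNotBefore();
        Long expiration = claims.getExpiration();
        long now = System.currentTimeMillis();
        // NOTE(review): nbf/exp are compared directly with currentTimeMillis(), so the parser is assumed
        // to have converted the JWT seconds values to milliseconds — confirm in JWTokenParser. No clock-skew
        // leeway is applied.
        if (notBefore != null && now < notBefore.longValue()) {
            log.error("OpenID access token is not yet valid, nbf claim was [{}].", Helpers.formatTimeStamp(notBefore));
            throw new OAuthTokenErrorResponse("openid-token-not-yet-valid", messages);
        }
        if (expiration != null && now > expiration.longValue()) {
            log.error("OpenID access token has expired, exp claim was [{}].", Helpers.formatTimeStamp(expiration));
            throw new OAuthTokenErrorResponse("openid-token-expired", messages);
        }
        log.info("Correctly validated openID token valid from [{}] to [{}]", Helpers.formatTimeStamp(notBefore), Helpers.formatTimeStamp(expiration));
    }
}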
