package io.asgardeo.java.oidc.sdk.validators;

import com.nimbusds.jose.Algorithm;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jose.util.DefaultResourceRetriever;
import com.nimbusds.jwt.JWT;
import com.nimbusds.oauth2.sdk.auth.Secret;
import com.nimbusds.oauth2.sdk.id.Audience;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.id.Issuer;
import com.nimbusds.openid.connect.sdk.Nonce;
import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet;
import io.asgardeo.java.oidc.sdk.SSOAgentConstants;
import io.asgardeo.java.oidc.sdk.config.model.OIDCAgentConfig;
import io.asgardeo.java.oidc.sdk.exception.SSOAgentServerException;
import java.net.MalformedURLException;
import java.net.URI;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

/* loaded from: input_file:io/asgardeo/java/oidc/sdk/validators/IDTokenValidator.class */
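/**
 * Validates an OIDC ID token against the agent configuration.
 *
 * <p>Order of checks performed by {@link #validate(Nonce)}:
 * <ol>
 *   <li>The JWS algorithm named in the token header must equal the configured signature algorithm
 *       (or RS256 when none is configured). This is decided from configuration alone, before any key
 *       material is consulted, so the token cannot choose which algorithm family it is verified with.</li>
 *   <li>Signature, issuer, client-ID audience, nonce and time claims are verified by the Nimbus
 *       {@code IDTokenValidator}: asymmetric algorithms (RSA, EC, EdDSA) use keys fetched from the
 *       configured JWKS endpoint, HMAC algorithms use the client secret.</li>
 *   <li>For tokens with more than one audience, the {@code azp} claim must be present and every
 *       audience must appear in the configured trusted-audience allow-list.</li>
 * </ol>
 *
 * <p>An instance is bound to one token and holds no mutable state; thread-safety is otherwise not documented.
 */
public class IDTokenValidator {

    private static final Logger logger = LogManager.getLogger(IDTokenValidator.class);

    private final OIDCAgentConfig oidcAgentConfig;
    private final JWT idToken;

    /**
     * Creates a validator for a single ID token.
     *
     * @param oIDCAgentConfig agent configuration supplying issuer, client credentials, JWKS endpoint,
     *                        HTTP limits, expected signature algorithm and trusted audiences
     * @param jwt             the ID token to validate
     * @throws NullPointerException if either argument is {@code null}
     */
    public IDTokenValidator(OIDCAgentConfig oIDCAgentConfig, JWT jwt) {
        this.oidcAgentConfig = Objects.requireNonNull(oIDCAgentConfig, "oIDCAgentConfig");
        this.idToken = Objects.requireNonNull(jwt, "jwt");
    }

    /**
     * Validates the ID token and returns its claims.
     *
     * @param nonce the nonce expected in the token; passed through to the Nimbus validator
     * @return the verified ID token claims
     * @throws SSOAgentServerException if the header algorithm is not the configured one, the validator
     *                                 cannot be built, signature/claim verification fails, or the
     *                                 audience policy is violated
     */
    public IDTokenClaimsSet validate(Nonce nonce) throws SSOAgentServerException {
        JWSAlgorithm algorithm = validateJWSAlgorithm(this.idToken);
        IDTokenClaimsSet claims;
        try {
            claims = getIDTokenValidator(algorithm).validate(this.idToken, nonce);
        } catch (JOSEException | BadJOSEException e) {
            // Chain the exception itself: e.getCause() is typically null for these types and would
            // lose the verification failure reason from the stack trace.
            throw new SSOAgentServerException(e.getMessage(), e);
        }
        validateAudience(claims);
        return claims;
    }

    /**
     * Builds the Nimbus validator appropriate for the (already approved) JWS algorithm.
     *
     * <p>Asymmetric families are verified with keys retrieved from the configured JWKS endpoint;
     * HMAC-SHA is verified with the client secret. Any other family is rejected.
     *
     * @param jwsAlgorithm the algorithm accepted by {@link #validateJWSAlgorithm(JWT)}
     * @return a configured Nimbus ID token validator
     * @throws SSOAgentServerException if the algorithm family is unsupported, or the material the
     *                                 family needs (JWKS endpoint / client secret) is missing or malformed
     */
    private com.nimbusds.openid.connect.sdk.validators.IDTokenValidator getIDTokenValidator(JWSAlgorithm jwsAlgorithm)
            throws SSOAgentServerException {
        Issuer issuer = this.oidcAgentConfig.getIssuer();
        ClientID consumerKey = this.oidcAgentConfig.getConsumerKey();

        boolean asymmetric = JWSAlgorithm.Family.RSA.contains(jwsAlgorithm)
                || JWSAlgorithm.Family.EC.contains(jwsAlgorithm)
                || JWSAlgorithm.Family.ED.contains(jwsAlgorithm);
        if (asymmetric) {
            URI jwksEndpoint = this.oidcAgentConfig.getJwksEndpoint();
            if (jwksEndpoint == null) {
                // Fail with a clear message instead of an NPE (whose message is null) from toURL().
                throw new SSOAgentServerException(String.format(
                        "JWKS endpoint is not configured; cannot verify %s signed ID tokens.", jwsAlgorithm.getName()));
            }
            // Retriever bounded by the configured connect/read timeouts and response size limit,
            // so a slow or oversized JWKS response cannot stall or exhaust the agent.
            DefaultResourceRetriever resourceRetriever = new DefaultResourceRetriever(
                    this.oidcAgentConfig.getHttpConnectTimeout(),
                    this.oidcAgentConfig.getHttpReadTimeout(),
                    this.oidcAgentConfig.getHttpSizeLimit());
            try {
                return new com.nimbusds.openid.connect.sdk.validators.IDTokenValidator(
                        issuer, consumerKey, jwsAlgorithm, jwksEndpoint.toURL(), resourceRetriever);
            } catch (MalformedURLException e) {
                throw new SSOAgentServerException(e.getMessage(), e);
            }
        }

        if (JWSAlgorithm.Family.HMAC_SHA.contains(jwsAlgorithm)) {
            Secret consumerSecret = this.oidcAgentConfig.getConsumerSecret();
            if (consumerSecret == null) {
                throw new SSOAgentServerException(String.format(
                        "Client secret is not configured; cannot verify %s signed ID tokens.", jwsAlgorithm.getName()));
            }
            return new com.nimbusds.openid.connect.sdk.validators.IDTokenValidator(
                    issuer, consumerKey, jwsAlgorithm, consumerSecret);
        }

        throw new SSOAgentServerException(String.format("Unsupported algorithm: %s.", jwsAlgorithm.getName()));
    }

    /**
     * Checks that the token's header algorithm is exactly the one the agent is configured to accept.
     *
     * <p>When no signature algorithm is configured, only RS256 is accepted. Unsecured ({@code none})
     * and JWE tokens carry a non-JWS algorithm and are rejected with a clear error rather than a
     * {@code ClassCastException}.
     *
     * @param jwt the token whose header is inspected
     * @return the accepted JWS algorithm
     * @throws SSOAgentServerException if the header algorithm is not a JWS algorithm or does not
     *                                 match the configured (or default RS256) algorithm
     */
    private JWSAlgorithm validateJWSAlgorithm(JWT jwt) throws SSOAgentServerException {
        Algorithm headerAlgorithm = jwt.getHeader().getAlgorithm();
        if (!(headerAlgorithm instanceof JWSAlgorithm)) {
            String name = headerAlgorithm == null ? "null" : headerAlgorithm.getName();
            throw new SSOAgentServerException(String.format(
                    "Signed JWT rejected. Token is not a JWS (algorithm: %s).", name));
        }
        JWSAlgorithm algorithm = (JWSAlgorithm) headerAlgorithm;
        JWSAlgorithm expectedAlgorithm = this.oidcAgentConfig.getSignatureAlgorithm();

        if (expectedAlgorithm == null) {
            if (JWSAlgorithm.RS256.equals(algorithm)) {
                return algorithm;
            }
            throw new SSOAgentServerException(String.format(
                    "Signed JWT rejected. Provided signature algorithm: %s is not the default of RS256.",
                    algorithm.getName()));
        }
        if (expectedAlgorithm.equals(algorithm)) {
            return algorithm;
        }
        throw new SSOAgentServerException(String.format(
                "Signed JWT rejected: Another algorithm expected. Provided signature algorithm: %s.",
                algorithm.getName()));
    }

    /**
     * Applies the agent's audience policy for multi-audience tokens.
     *
     * <p>Tokens with exactly one audience are left to the upstream validator. For more than one
     * audience the {@code azp} claim must be present and every audience value must be in the
     * configured trusted-audience set; a missing trusted-audience configuration fails closed.
     * NOTE(review): only the presence of {@code azp} is checked here; confirm that the upstream
     * validator compares its value with the client ID.
     *
     * @param claimsSet the verified claims
     * @throws SSOAgentServerException if the audience is missing, {@code azp} is absent for a
     *                                 multi-audience token, or an audience is not trusted
     */
    private void validateAudience(IDTokenClaimsSet claimsSet) throws SSOAgentServerException {
        List<Audience> audience = claimsSet.getAudience();
        if (audience == null || audience.isEmpty()) {
            throw new SSOAgentServerException("ID token validation failed. Missing JWT audience.");
        }
        if (audience.size() == 1) {
            return;
        }
        if (claimsSet.getClaim(SSOAgentConstants.AZP) == null) {
            throw new SSOAgentServerException("ID token validation failed. AZP claim cannot be null for multiple audiences.");
        }
        Set<String> trustedAudience = this.oidcAgentConfig.getTrustedAudience();
        if (trustedAudience == null) {
            // No allow-list configured: reject rather than NPE. (An empty set rejects below anyway.)
            throw new SSOAgentServerException(
                    "ID token validation failed. No trusted audiences configured for a multi-audience ID token.");
        }
        for (Audience aud : audience) {
            if (!trustedAudience.contains(aud.getValue())) {
                throw new SSOAgentServerException("ID token validation failed. Untrusted JWT audience.");
            }
        }
    }
}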
