package org.apache.cxf.rs.security.oidc.rp;

import java.util.List;
import java.util.concurrent.ConcurrentHashMap;
import org.apache.cxf.common.util.StringUtils;
import org.apache.cxf.jaxrs.client.WebClient;
import org.apache.cxf.rs.security.jose.jwk.JsonWebKey;
import org.apache.cxf.rs.security.jose.jwk.JsonWebKeys;
import org.apache.cxf.rs.security.jose.jwk.JwkUtils;
import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
import org.apache.cxf.rs.security.jose.jws.JwsUtils;
import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
import org.apache.cxf.rs.security.jose.jwt.JwtException;
import org.apache.cxf.rs.security.jose.jwt.JwtToken;
import org.apache.cxf.rs.security.jose.jwt.JwtUtils;
import org.apache.cxf.rs.security.oauth2.provider.OAuthJoseJwtConsumer;
import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
import org.apache.cxf.rs.security.oidc.common.IdToken;

/* loaded from: input_file:org/apache/cxf/rs/security/oidc/rp/OidcClaimsValidator.class */
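public class OidcClaimsValidator extends OAuthJoseJwtConsumer {
    /** Issuer value reserved by OpenID Connect for self-issued ID Tokens. */
    private static final String SELF_ISSUED_ISSUER = "https://self-issued.me";

    /** Expected {@code iss} value of provider-issued tokens; {@code null} when not configured. */
    private String issuerId;
    /** Client used to fetch the provider's JWK Set; {@code null} disables fetching. */
    private WebClient jwkSetClient;
    /** Whether tokens issued by {@link #SELF_ISSUED_ISSUER} are accepted at all (opt-in). */
    private boolean supportSelfIssuedProvider;
    /** Whether at least one of exp/iat must be present and nbf is enforced. */
    private boolean strictTimeValidation;
    /** Cache of JWK Set keys by key id, replaced wholesale whenever a key id is not found in it. */
    private final ConcurrentHashMap<String, JsonWebKey> keyMap = new ConcurrentHashMap<>();

    /**
     * Validates the claims of an (already signature-verified) ID Token for this client.
     *
     * @param jwtClaims the token claims
     * @param str the client id the token must be addressed to (audience / authorized party)
     * @param z when {@code true}, issuer, audience, expiry and issuedAt claims must be present
     * @throws OAuthServiceException when any claim fails validation
     */
    public void validateJwtClaims(JwtClaims jwtClaims, String str, boolean z) {
        String issuer = jwtClaims.getIssuer();
        if (issuer == null && z) {
            throw new OAuthServiceException("Invalid issuer");
        }
        // Self-issued tokens are only considered when no provider issuer is configured.
        if (supportSelfIssuedProvider && issuerId == null && SELF_ISSUED_ISSUER.equals(issuer)) {
            validateSelfIssuedProvider(jwtClaims, str, z);
            return;
        }
        // A missing issuer is tolerated here when claims are not required (z == false).
        if (issuer != null && !issuer.equals(issuerId)) {
            throw new OAuthServiceException("Invalid issuer");
        }
        validateSubjectAndAudience(jwtClaims, str, z);
        validateTimeClaims(jwtClaims, z);
    }

    /**
     * Claim checks for a self-issued ID Token (issuer is {@link #SELF_ISSUED_ISSUER}).
     * The key binding (sub equals the thumbprint of sub_jwk) is enforced by
     * {@link #getInitializedSignatureVerifier(JwtToken)}; the subject, audience and time
     * claims are checked exactly as for a provider-issued token. This used to be a no-op,
     * which let a self-issued token through with no subject, no audience or an expired lifetime.
     *
     * @param jwtClaims the token claims
     * @param str the client id the token must be addressed to
     * @param z when {@code true}, audience, expiry and issuedAt claims must be present
     * @throws OAuthServiceException when any claim fails validation
     */
    private void validateSelfIssuedProvider(JwtClaims jwtClaims, String str, boolean z) {
        validateSubjectAndAudience(jwtClaims, str, z);
        validateTimeClaims(jwtClaims, z);
    }

    /**
     * Checks sub, azp and aud against the client id.
     * azp is only compared when present; aud may be absent unless {@code required}.
     */
    private void validateSubjectAndAudience(JwtClaims jwtClaims, String clientId, boolean required) {
        if (jwtClaims.getSubject() == null) {
            throw new OAuthServiceException("Invalid subject");
        }
        String authorizedParty = (String) jwtClaims.getClaim(IdToken.AZP_CLAIM);
        if (authorizedParty != null && !authorizedParty.equals(clientId)) {
            throw new OAuthServiceException("Invalid authorized party");
        }
        List<String> audiences = jwtClaims.getAudiences();
        boolean noAudience = StringUtils.isEmpty(audiences);
        if ((noAudience && required) || (!noAudience && !audiences.contains(clientId))) {
            throw new OAuthServiceException("Invalid audience");
        }
    }

    /**
     * Validates exp, iat and (under strict time validation) nbf.
     * Under strict validation a token may omit exp or iat, but not both; otherwise each is
     * validated only when present, unless {@code required}.
     */
    private void validateTimeClaims(JwtClaims jwtClaims, boolean required) {
        boolean expiryRequired = required || (strictTimeValidation && jwtClaims.getIssuedAt() == null);
        try {
            JwtUtils.validateJwtExpiry(jwtClaims, getClockOffset(), expiryRequired);
        } catch (JwtException e) {
            throw new OAuthServiceException("ID Token has expired", e);
        }
        boolean issuedAtRequired = required || (strictTimeValidation && jwtClaims.getExpiryTime() == null);
        try {
            JwtUtils.validateJwtIssuedAt(jwtClaims, getTtl(), getClockOffset(), issuedAtRequired);
        } catch (JwtException e) {
            throw new OAuthServiceException("Invalid issuedAt claim", e);
        }
        if (strictTimeValidation) {
            try {
                JwtUtils.validateJwtNotBefore(jwtClaims, getClockOffset(), strictTimeValidation);
            } catch (JwtException e) {
                throw new OAuthServiceException("ID Token can not be used yet", e);
            }
        }
    }

    /**
     * Sets the expected {@code iss} value of provider-issued tokens.
     *
     * @param str the issuer identifier
     */
    public void setIssuerId(String str) {
        this.issuerId = str;
    }

    /**
     * Sets the client used to fetch the provider's JWK Set.
     *
     * @param webClient the JWK Set client, or {@code null} to rely on the superclass verifier only
     */
    public void setJwkSetClient(WebClient webClient) {
        this.jwkSetClient = webClient;
    }

    /**
     * Resolves the verifier for the token's signature.
     * A self-issued token is verified with the key embedded in its {@code sub_jwk} claim,
     * accepted only when the key's thumbprint equals {@code sub}. Any other token uses the
     * JWK Set key matching the JWS {@code kid} header (fetched through {@link #jwkSetClient}
     * when not cached), falling back to the superclass configuration.
     *
     * @param jwtToken the token whose signature is about to be verified
     * @return the verifier to use, never {@code null}
     * @throws SecurityException when no usable key or verifier can be found
     */
    protected JwsSignatureVerifier getInitializedSignatureVerifier(JwtToken jwtToken) {
        JsonWebKey jsonWebKey;
        // Read the issuer through getIssuer() (the standard "iss" claim), as validateJwtClaims does;
        // the previous lookup of a claim literally named "issuer" never matched a real token.
        if (supportSelfIssuedProvider && SELF_ISSUED_ISSUER.equals(jwtToken.getClaims().getIssuer())) {
            jsonWebKey = readSelfIssuedKey(jwtToken);
        } else {
            jsonWebKey = lookupJwkSetKey(jwtToken.getJwsHeaders().getKeyId());
        }
        JwsSignatureVerifier signatureVerifier = jsonWebKey != null
            ? JwsUtils.getSignatureVerifier(jsonWebKey)
            : super.getInitializedSignatureVerifier(jwtToken.getJwsHeaders());
        if (signatureVerifier == null) {
            throw new SecurityException("JWS Verifier is not available");
        }
        return signatureVerifier;
    }

    /**
     * Extracts the key of a self-issued token from {@code sub_jwk}.
     * The key is trusted only because {@code sub} must equal its thumbprint; that binding is
     * the sole anchor of a self-issued token, so a mismatch is rejected here.
     *
     * @throws SecurityException when the claim is missing or its thumbprint does not match sub
     */
    private static JsonWebKey readSelfIssuedKey(JwtToken jwtToken) {
        // NOTE(review): assumes sub_jwk is carried as a JSON string; a nested JSON object
        // would fail this cast — confirm against the claims parser in use.
        String subJwk = (String) jwtToken.getClaim("sub_jwk");
        JsonWebKey key = null;
        if (subJwk != null) {
            JsonWebKey candidate = JwkUtils.readJwkKey(subJwk);
            if (JwkUtils.getThumbprint(candidate).equals(jwtToken.getClaim("sub"))) {
                key = candidate;
            }
        }
        if (key == null) {
            throw new SecurityException("Self-issued JWK key is invalid or not available");
        }
        return key;
    }

    /**
     * Finds the JWK Set key for {@code keyId}: first in the cache, then by fetching the JWK Set.
     * Without a {@code kid} the set is fetched and its key used only when it holds exactly one.
     *
     * @param keyId the JWS {@code kid} header, possibly {@code null}
     * @return the key, or {@code null} when none is found (the caller falls back to the superclass)
     */
    private JsonWebKey lookupJwkSetKey(String keyId) {
        JsonWebKey key = keyId != null ? keyMap.get(keyId) : null;
        if (key != null || jwkSetClient == null) {
            return key;
        }
        // Every token whose kid is not cached (or that carries none) costs one JWK Set fetch;
        // bounding that cost (timeouts, retries) is left to the configured client.
        JsonWebKeys jsonWebKeys = jwkSetClient.get(JsonWebKeys.class);
        if (keyId != null) {
            key = jsonWebKeys.getKey(keyId);
        } else if (jsonWebKeys.getKeys().size() == 1) {
            key = jsonWebKeys.getKeys().get(0);
        }
        // Replace the cache with the fetched set so rotated-out keys stop verifying.
        // clear()+putAll() is not atomic: a concurrent caller may briefly miss and refetch.
        keyMap.clear();
        keyMap.putAll(jsonWebKeys.getKeyIdMap());
        return key;
    }

    /**
     * Enables acceptance of self-issued ID Tokens (issuer {@link #SELF_ISSUED_ISSUER}).
     *
     * @param z {@code true} to accept them
     */
    public void setSupportSelfIssuedProvider(boolean z) {
        this.supportSelfIssuedProvider = z;
    }

    /**
     * Requires at least one of exp/iat and enforces nbf.
     *
     * @param z {@code true} to enable strict time validation
     */
    public void setStrictTimeValidation(boolean z) {
        this.strictTimeValidation = z;
    }
}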
