package net.shibboleth.idp.plugin.oidc.op.profile.flow;

import com.nimbusds.jose.Algorithm;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JOSEObjectType;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSSigner;
import com.nimbusds.jose.crypto.ECDSASigner;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jwt.PlainJWT;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
import com.nimbusds.oauth2.sdk.token.RefreshToken;
import com.nimbusds.openid.connect.sdk.claims.ClaimsSet;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.interfaces.ECPrivateKey;
import java.time.Instant;
import java.util.Collection;
import java.util.Date;
import net.shibboleth.idp.plugin.oidc.op.token.support.AccessTokenClaimsSet;
import net.shibboleth.idp.plugin.oidc.op.token.support.RefreshTokenClaimsSet;
import net.shibboleth.utilities.java.support.component.ComponentInitializationException;
import net.shibboleth.utilities.java.support.security.DataSealerException;

/* loaded from: input_file:net/shibboleth/idp/plugin/oidc/op/profile/flow/AbstractOidcApiFlowTest.class */
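/**
 * Base class for OIDC API flow tests that mints token fixtures: sealed legacy access tokens,
 * sealed refresh tokens, and JWT access tokens (signed or unsecured).
 *
 * <p>All tokens carry hard-coded test values (issuer {@code https://op.example.org}, short
 * lifetimes). {@code idGenerator} and {@code getDataSealer()} are not declared in this class and
 * are presumably inherited from {@link AbstractOidcFlowTest}.
 *
 * <p>Security note: {@link #buildJWTToken(AccessTokenClaimsSet, PrivateKey, String)} returns an
 * unsecured JWT when no key is supplied. That output is only suitable as a fixture for checking
 * that a consumer refuses unsigned access tokens; it must never be treated as a valid credential.
 */
public class AbstractOidcApiFlowTest extends AbstractOidcFlowTest {
    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Creates the test base.
     *
     * @param str passed unchanged to the superclass constructor
     */
    public AbstractOidcApiFlowTest(String str) {
        super(str);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Builds a sealed legacy access token without a claims set.
     *
     * <p>Delegates to the five-argument overload with a {@code null} claims set.
     *
     * @param str first identifying value forwarded to the overload
     * @param str2 second identifying value forwarded to the overload
     * @param scope scope to embed in the token
     * @param strArr additional values forwarded to the overload
     * @return the sealed bearer access token
     */
    public BearerAccessToken buildLegacyToken(String str, String str2, Scope scope, String... strArr) throws URISyntaxException, NoSuchAlgorithmException, DataSealerException, ComponentInitializationException {
        return buildLegacyToken(str, str2, scope, null, strArr);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Builds a sealed refresh token authenticated "now" and without a {@code c_exp} claim.
     *
     * @param str client identifier
     * @param str2 subject
     * @param scope scope to embed in the token
     * @param claimsSet claims passed to {@code setDlClaimsUI}
     * @param str3 JWT ID, or {@code null} to have one generated
     * @param str4 root token identifier
     * @return the sealed refresh token
     */
    public RefreshToken buildRefreshToken(String str, String str2, Scope scope, ClaimsSet claimsSet, String str3, String str4) throws URISyntaxException, NoSuchAlgorithmException, DataSealerException, ComponentInitializationException {
        return buildRefreshToken(str, str2, scope, claimsSet, str3, str4, Instant.now(), null);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Builds a refresh token that expires 30 seconds after creation and seals it with the data
     * sealer.
     *
     * @param str client identifier
     * @param str2 subject
     * @param scope scope to embed in the token
     * @param claimsSet claims passed to {@code setDlClaimsUI}
     * @param str3 JWT ID, or {@code null} to have one generated by {@code idGenerator}
     * @param str4 root token identifier
     * @param instant authentication time
     * @param instant2 value for the custom {@code c_exp} claim, or {@code null} to omit it
     * @return the sealed refresh token
     */
    public RefreshToken buildRefreshToken(String str, String str2, Scope scope, ClaimsSet claimsSet, String str3, String str4, Instant instant, Instant instant2) throws URISyntaxException, NoSuchAlgorithmException, DataSealerException, ComponentInitializationException {
        String tokenId = str3;
        if (tokenId == null) {
            tokenId = this.idGenerator.generateIdentifier();
        }
        RefreshTokenClaimsSet.Builder builder = new RefreshTokenClaimsSet.Builder();
        // Fixed issuer, principal and redirect URI: these are fixture values, not configuration.
        builder.setJWTID(tokenId)
                .setClientID(new ClientID(str))
                .setIssuer("https://op.example.org")
                .setPrincipal("jdoe")
                .setSubject(str2)
                .setIssuedAt(Instant.now())
                .setExpiresAt(Instant.now().plusSeconds(30L))
                .setAuthenticationTime(instant)
                .setRedirectURI(new URI("https://example.org/cb"))
                .setScope(scope)
                .setDlClaimsUI(claimsSet)
                .setRootTokenIdentifier(str4);
        if (instant2 != null) {
            // NOTE(review): "c_exp" looks like a chain-expiration claim; confirm against the
            // token claims definitions.
            builder.addCustomClaim("c_exp", Date.from(instant2));
        }
        String sealed = builder.build().serialize(getDataSealer());
        return new RefreshToken(sealed);
    }

    /**
     * Builds a legacy access token by wrapping a JSON payload with the data sealer, valid for
     * 30 seconds.
     *
     * <p>NOTE(review): {@code claimsSet} is accepted but never used here, so callers that pass
     * claims get a token without them. {@code str2} and {@code str} are handed to
     * {@code buildJsonForLegacyToken} in swapped order; presumably that matches the helper's
     * parameter order, which is not visible in this file.
     *
     * @param str first identifying value (second argument of the JSON helper)
     * @param str2 second identifying value (first argument of the JSON helper)
     * @param scope scope to embed in the token
     * @param claimsSet currently ignored
     * @param strArr additional values forwarded to the JSON helper
     * @return the sealed bearer access token
     */
    protected BearerAccessToken buildLegacyToken(String str, String str2, Scope scope, ClaimsSet claimsSet, String... strArr) throws URISyntaxException, NoSuchAlgorithmException, DataSealerException, ComponentInitializationException {
        String payload = buildJsonForLegacyToken(str2, str, scope, "at", strArr);
        return new BearerAccessToken(getDataSealer().wrap(payload, Instant.now().plusSeconds(30L)));
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Builds a JWT access token from individual values.
     *
     * <p>The claims use a not-before 300 seconds in the past and an expiry 1800 seconds in the
     * future. Signing follows the three-argument overload, including its unsecured-JWT behaviour
     * for a {@code null} key.
     *
     * @param str client identifier
     * @param str2 subject
     * @param scope scope to embed in the token
     * @param collection audience values
     * @param privateKey signing key, or {@code null} for an unsecured JWT
     * @param str3 JWS algorithm name (only read when {@code privateKey} is non-null)
     * @return the bearer access token
     * @throws JOSEException if signing fails or the algorithm/key combination is unsupported
     */
    public BearerAccessToken buildJWTToken(String str, String str2, Scope scope, Collection<String> collection, PrivateKey privateKey, String str3) throws JOSEException {
        AccessTokenClaimsSet claims = (AccessTokenClaimsSet) new AccessTokenClaimsSet.Builder()
                .setJWTID(this.idGenerator)
                .setClientID(new ClientID(str))
                .setIssuer("https://op.example.org")
                .setSubject(str2)
                .setIssuedAt(Instant.now())
                .setNotBefore(Instant.now().minusSeconds(300L))
                .setExpiresAt(Instant.now().plusSeconds(1800L))
                .setAuthenticationTime(Instant.now())
                .setScope(scope)
                .setAudience(collection)
                .build();
        return buildJWTToken(claims, privateKey, str3);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Serializes the given claims as a JWT access token.
     *
     * <p>With a key, the token is a JWS whose header carries the given algorithm and type
     * {@code at+jwt}. Without a key, the claims are serialized as an unsecured (unsigned)
     * {@link PlainJWT}: anyone can alter such a token, so it is only meaningful as a fixture
     * that a validator is expected to reject — presumably that is how callers use it; confirm.
     *
     * @param accessTokenClaimsSet claims to serialize
     * @param privateKey signing key, or {@code null} for an unsecured JWT
     * @param str JWS algorithm name (only read when {@code privateKey} is non-null)
     * @return the bearer access token
     * @throws JOSEException if signing fails or the algorithm/key combination is unsupported
     */
    public BearerAccessToken buildJWTToken(AccessTokenClaimsSet accessTokenClaimsSet, PrivateKey privateKey, String str) throws JOSEException {
        if (privateKey == null) {
            // No key: emit an unsigned token and skip algorithm handling entirely.
            PlainJWT unsecured = new PlainJWT(accessTokenClaimsSet.getClaimsSet());
            return new BearerAccessToken(unsecured.serialize());
        }
        JWSAlgorithm jwsAlgorithm = new JWSAlgorithm(str);
        JWSSigner signer = getSigner(privateKey, jwsAlgorithm);
        JWSHeader header = new JWSHeader.Builder(jwsAlgorithm).type(new JOSEObjectType("at+jwt")).build();
        SignedJWT signedJwt = new SignedJWT(header, accessTokenClaimsSet.getClaimsSet());
        signedJwt.sign(signer);
        return new BearerAccessToken(signedJwt.serialize());
    }

    /**
     * Selects a signer for the algorithm family. Only the EC and RSA families are supported, so
     * any other algorithm name (HMAC, "none", unknown) is refused.
     *
     * @param privateKey signing key
     * @param algorithm requested JWS algorithm
     * @return a signer matching the algorithm family
     * @throws JOSEException if the family is unsupported, or an EC algorithm is requested with a
     *     key that is not an {@link ECPrivateKey}
     */
    private JWSSigner getSigner(PrivateKey privateKey, Algorithm algorithm) throws JOSEException {
        if (JWSAlgorithm.Family.EC.contains(algorithm)) {
            // Check the key type before casting so an algorithm/key mismatch is reported as a
            // JOSEException instead of surfacing as a ClassCastException.
            if (!(privateKey instanceof ECPrivateKey)) {
                throw new JOSEException("EC algorithm " + algorithm.getName() + " requires an ECPrivateKey");
            }
            return new ECDSASigner((ECPrivateKey) privateKey);
        }
        if (JWSAlgorithm.Family.RSA.contains(algorithm)) {
            return new RSASSASigner(privateKey);
        }
        throw new JOSEException("Unsupported algorithm " + algorithm.getName());
    }
}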
