package org.wildfly.security.http.oidc;

import java.nio.charset.StandardCharsets;
import java.security.AccessController;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PrivilegedAction;
import java.util.Arrays;
import javax.crypto.SecretKey;
import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.MalformedClaimException;
import org.jose4j.jwt.consumer.ErrorCodeValidator;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.jwt.consumer.JwtContext;
import org.jose4j.jwx.JsonWebStructure;
import org.wildfly.common.Assert;
import org.wildfly.common.iteration.ByteIterator;
import org.wildfly.security.jose.jwk.JWKUtil;

/* loaded from: input_file:org/wildfly/security/http/oidc/TokenValidator.class */
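/**
 * Verifies OIDC ID tokens and bearer access tokens against the settings of an
 * {@link OidcClientConfiguration}: expected issuer, permitted JWS algorithm, required expiry,
 * audience / {@code azp} binding, {@code at_hash} binding and (optionally) the {@code typ} header claim.
 * <p>
 * Both {@code parseAndVerifyToken} methods register additional validators on the single
 * {@link JwtConsumerBuilder} held by this instance and mutate its audience/verification-key settings,
 * so an instance is effectively single-use: build a fresh one via {@link #builder(OidcClientConfiguration)}
 * for each verification. The class is not thread-safe.
 */
public class TokenValidator {

    /**
     * {@code true} when the system property named by {@link Oidc#DISABLE_TYP_CLAIM_VALIDATION_PROPERTY_NAME}
     * is set to {@code true}; in that case bearer tokens are not required to carry {@code typ=Bearer}.
     * Read under {@code doPrivileged} so a restrictive security manager does not prevent class initialisation.
     */
    static final boolean DISABLE_TYP_CLAIM_VALIDATION_PROPERTY = AccessController.doPrivileged(new PrivilegedAction<Boolean>() {
        @Override
        public Boolean run() {
            return Boolean.parseBoolean(System.getProperty(Oidc.DISABLE_TYP_CLAIM_VALIDATION_PROPERTY_NAME, "false"));
        }
    });

    /** Index of the outermost JOSE object (the one whose header carries {@code kid}) in a parsed context. */
    private static final int HEADER_INDEX = 0;

    private final JwtConsumerBuilder jwtConsumerBuilder;
    private final OidcClientConfiguration clientConfiguration;

    /**
     * Checks that the {@code at_hash} claim of an ID token, when present, matches the hash of the
     * access token that was issued alongside it. A missing {@code at_hash} claim is accepted.
     */
    public static class AtHashValidator implements ErrorCodeValidator {
        private final String accessTokenString;
        private final String jwsAlgorithm;

        /**
         * @param accessTokenString the raw access token whose hash must match {@code at_hash}
         * @param jwsAlgorithm the JWS algorithm of the ID token; selects the digest via
         *        {@link Oidc#getJavaAlgorithmForHash(String)}
         */
        public AtHashValidator(String accessTokenString, String jwsAlgorithm) {
            this.accessTokenString = accessTokenString;
            this.jwsAlgorithm = jwsAlgorithm;
        }

        /**
         * @return {@code null} when {@code at_hash} is absent or matches; otherwise an error with code {@code -2}
         */
        @Override
        public ErrorCodeValidator.Error validate(JwtContext jwtContext) throws MalformedClaimException {
            JwtClaims claims = jwtContext.getJwtClaims();
            boolean matches = true;
            if (claims.hasClaim(IDToken.AT_HASH)) {
                try {
                    String expected = TokenValidator.getAccessTokenHash(accessTokenString, jwsAlgorithm);
                    String presented = claims.getStringClaimValue(IDToken.AT_HASH);
                    // Constant-time comparison; both values are base64url text so a byte compare is exact.
                    matches = presented != null && MessageDigest.isEqual(
                            presented.getBytes(StandardCharsets.UTF_8), expected.getBytes(StandardCharsets.UTF_8));
                } catch (Exception e) {
                    // Fail closed: an unsupported digest or a malformed claim rejects the token rather than
                    // letting an unverifiable at_hash through.
                    ElytronMessages.log.tracef("Unable to compare at_hash claim", e);
                    matches = false;
                }
            }
            return matches ? null : new ErrorCodeValidator.Error(-2, ElytronMessages.log.unexpectedValueForAtHashClaim());
        }
    }

    /**
     * Enforces the OIDC rule for the {@code azp} (authorized party) claim: with a single audience the claim
     * is not required, but with several audiences it must be present and equal to this client's id.
     */
    public static class AzpValidator implements ErrorCodeValidator {
        public static final String AZP = "azp";
        private final String issuedFor;

        /** @param issuedFor the client id that {@code azp} must equal when the token has several audiences */
        public AzpValidator(String issuedFor) {
            this.issuedFor = issuedFor;
        }

        /**
         * @return {@code null} when the claim is acceptable; otherwise an error with code {@code -1}
         */
        @Override
        public ErrorCodeValidator.Error validate(JwtContext jwtContext) throws MalformedClaimException {
            JwtClaims claims = jwtContext.getJwtClaims();
            boolean acceptable;
            if (claims.getAudience().size() <= 1) {
                acceptable = true;
            } else if (claims.hasClaim(AZP)) {
                acceptable = claims.getStringClaimValue(AZP) != null
                        && claims.getClaimValueAsString(AZP).equals(issuedFor);
            } else {
                // Multiple audiences without azp: the token cannot be attributed to this client.
                acceptable = false;
            }
            return acceptable ? null : new ErrorCodeValidator.Error(-1, ElytronMessages.log.unexpectedValueForIssuedForClaim());
        }
    }

    /**
     * Collects the settings needed for verification from an {@link OidcClientConfiguration} and fails fast
     * on anything missing. Obtain one via {@link TokenValidator#builder(OidcClientConfiguration)}.
     */
    public static class Builder {
        private final OidcClientConfiguration clientConfiguration;
        private String expectedIssuer;
        private String clientId;
        private String expectedJwsAlgorithm;
        private PublicKeyLocator publicKeyLocator;
        private SecretKey clientSecretKey;
        private JwtConsumerBuilder jwtConsumerBuilder;

        /** @throws IllegalArgumentException if {@code oidcClientConfiguration} is {@code null} */
        Builder(OidcClientConfiguration oidcClientConfiguration) {
            Assert.checkNotNullParam("clientConfiguration", oidcClientConfiguration);
            this.clientConfiguration = oidcClientConfiguration;
        }

        /**
         * Creates the validator.
         *
         * @return a validator whose consumer builder already pins the expected issuer, permits only the
         *         configured JWS algorithm and requires an {@code exp} claim
         * @throws IllegalArgumentException if the issuer URL, client id or token signature algorithm is
         *         missing, or if neither a public key locator nor a client secret is available
         */
        public TokenValidator build() throws IllegalArgumentException {
            expectedIssuer = clientConfiguration.getIssuerUrl();
            if (expectedIssuer == null || expectedIssuer.isEmpty()) {
                throw ElytronMessages.log.noExpectedIssuerGiven();
            }
            clientId = clientConfiguration.getResourceName();
            if (clientId == null || clientId.isEmpty()) {
                throw ElytronMessages.log.noClientIDGiven();
            }
            expectedJwsAlgorithm = clientConfiguration.getTokenSignatureAlgorithm();
            if (expectedJwsAlgorithm == null || expectedJwsAlgorithm.isEmpty()) {
                throw ElytronMessages.log.noExpectedJwsAlgorithmGiven();
            }
            publicKeyLocator = clientConfiguration.getPublicKeyLocator();
            Object authenticator = clientConfiguration.getClientAuthenticator();
            if (authenticator instanceof ClientSecretCredentialsProvider) {
                clientSecretKey = ((ClientSecretCredentialsProvider) authenticator).getClientSecret();
            }
            if (publicKeyLocator == null && clientSecretKey == null) {
                throw ElytronMessages.log.noJwksPublicKeyOrClientSecretKeyGiven();
            }
            // PERMIT-only constraint: a token presenting any other alg (including "none") is rejected,
            // whichever verification key is later selected for it.
            jwtConsumerBuilder = new JwtConsumerBuilder()
                    .setExpectedIssuer(expectedIssuer)
                    .setJwsAlgorithmConstraints(new AlgorithmConstraints(
                            AlgorithmConstraints.ConstraintType.PERMIT, expectedJwsAlgorithm))
                    .setRequireExpirationTime();
            return new TokenValidator(this);
        }
    }

    /**
     * Requires the {@code typ} claim, when present in the claim set, to equal an expected value
     * (bearer tokens are checked against {@code "Bearer"}). A missing claim is rejected.
     */
    private static class TypeValidator implements ErrorCodeValidator {
        public static final String TYPE = "typ";
        private final String expectedType;

        /** @param expectedType the value the {@code typ} claim must equal */
        public TypeValidator(String expectedType) {
            this.expectedType = expectedType;
        }

        /**
         * @return {@code null} when {@code typ} equals the expected value; otherwise an error with code {@code -3}
         */
        @Override
        public ErrorCodeValidator.Error validate(JwtContext jwtContext) throws MalformedClaimException {
            JwtClaims claims = jwtContext.getJwtClaims();
            boolean acceptable = claims.hasClaim(TYPE) && expectedType.equals(claims.getStringClaimValue(TYPE));
            return acceptable ? null : new ErrorCodeValidator.Error(-3, ElytronMessages.log.unexpectedValueForTypeClaim());
        }
    }

    /** The pair of tokens produced by a successful {@link #parseAndVerifyToken(String, String)} call. */
    public static class VerifiedTokens {
        private final AccessToken accessToken;
        private final IDToken idToken;

        public VerifiedTokens(IDToken idToken, AccessToken accessToken) {
            this.idToken = idToken;
            this.accessToken = accessToken;
        }

        /** @return the access token; see {@link #parseAndVerifyToken(String, String)} for what was checked on it */
        public AccessToken getAccessToken() {
            return accessToken;
        }

        /** @return the fully verified ID token */
        public IDToken getIdToken() {
            return idToken;
        }
    }

    private TokenValidator(Builder builder) {
        this.jwtConsumerBuilder = builder.jwtConsumerBuilder;
        this.clientConfiguration = builder.clientConfiguration;
    }

    /**
     * Verifies an ID token and returns it together with the accompanying access token.
     * <p>
     * The ID token's signature, issuer, algorithm, expiry, audience, {@code azp} and {@code at_hash} are
     * checked. The access token itself is only parsed here (signature verification and validators are
     * skipped); it is bound to the ID token solely through {@code at_hash}, and only when that claim is
     * present. Callers needing an independently verified access token should use
     * {@link #parseAndVerifyToken(String)}.
     *
     * @param idToken the raw ID token
     * @param accessToken the raw access token issued with it
     * @return both tokens
     * @throws OidcException if the ID token fails parsing or any verification step
     */
    public VerifiedTokens parseAndVerifyToken(String idToken, String accessToken) throws OidcException {
        try {
            JwtContext idTokenContext = setVerificationKey(idToken, jwtConsumerBuilder);
            String clientId = clientConfiguration.getResourceName();
            jwtConsumerBuilder.setExpectedAudience(clientId);
            jwtConsumerBuilder.registerValidator(new AzpValidator(clientId));
            jwtConsumerBuilder.registerValidator(
                    new AtHashValidator(accessToken, clientConfiguration.getTokenSignatureAlgorithm()));
            jwtConsumerBuilder.build().processContext(idTokenContext);
            JwtClaims idTokenClaims = idTokenContext.getJwtClaims();
            if (idTokenClaims == null) {
                throw ElytronMessages.log.invalidIDTokenClaims();
            }
            JwtClaims accessTokenClaims = new JwtConsumerBuilder()
                    .setSkipSignatureVerification()
                    .setSkipAllValidators()
                    .build()
                    .processToClaims(accessToken);
            return new VerifiedTokens(new IDToken(idTokenClaims), new AccessToken(accessTokenClaims));
        } catch (InvalidJwtException e) {
            // Raw token is logged at TRACE only.
            ElytronMessages.log.tracef("Problem parsing ID token: " + idToken, e);
            throw ElytronMessages.log.invalidIDToken(e);
        }
    }

    /**
     * Verifies a bearer access token: signature, issuer, algorithm, expiry, a required {@code sub},
     * {@code typ=Bearer} unless {@link #DISABLE_TYP_CLAIM_VALIDATION_PROPERTY} is set, and the audience
     * when {@link OidcClientConfiguration#isVerifyTokenAudience()} is enabled.
     *
     * @param bearerToken the raw bearer token
     * @return the verified access token
     * @throws OidcException if the token fails parsing or any verification step
     */
    public AccessToken parseAndVerifyToken(String bearerToken) throws OidcException {
        try {
            JwtContext context = setVerificationKey(bearerToken, jwtConsumerBuilder);
            jwtConsumerBuilder.setRequireSubject();
            if (!DISABLE_TYP_CLAIM_VALIDATION_PROPERTY) {
                jwtConsumerBuilder.registerValidator(new TypeValidator("Bearer"));
            }
            if (clientConfiguration.isVerifyTokenAudience()) {
                jwtConsumerBuilder.setExpectedAudience(clientConfiguration.getResourceName());
            } else {
                jwtConsumerBuilder.setSkipDefaultAudienceValidation();
            }
            jwtConsumerBuilder.build().processContext(context);
            JwtClaims claims = context.getJwtClaims();
            if (claims == null) {
                throw ElytronMessages.log.invalidBearerTokenClaims();
            }
            return new AccessToken(claims);
        } catch (InvalidJwtException e) {
            // Raw token is logged at TRACE only.
            ElytronMessages.log.tracef("Problem parsing bearer token: " + bearerToken, e);
            throw ElytronMessages.log.invalidBearerToken(e);
        }
    }

    /**
     * Parses the token without any validation to read its {@code kid} header, then installs the matching
     * verification key on {@code builder}: the public key resolved through the configured
     * {@link PublicKeyLocator} when a {@code kid} is present and a locator is configured, otherwise the
     * client secret. The JWS algorithm remains pinned by the constraint set in {@link Builder#build()}.
     *
     * @param token the raw token
     * @param builder the consumer builder to receive the verification key
     * @return the parsed (still unverified) context, to be passed to {@code processContext}
     * @throws InvalidJwtException if the token cannot be parsed
     * @throws IllegalArgumentException if the client-secret path is taken but the client authenticator
     *         does not provide a secret (previously surfaced as a {@code ClassCastException})
     */
    private JwtContext setVerificationKey(String token, JwtConsumerBuilder builder) throws InvalidJwtException {
        JwtContext context = new JwtConsumerBuilder()
                .setSkipAllValidators()
                .setDisableRequireSignature()
                .setSkipSignatureVerification()
                .build()
                .process(token);
        String kid = ((JsonWebStructure) context.getJoseObjects().get(HEADER_INDEX)).getKeyIdHeaderValue();
        PublicKeyLocator locator = clientConfiguration.getPublicKeyLocator();
        if (kid == null || locator == null) {
            Object authenticator = clientConfiguration.getClientAuthenticator();
            if (!(authenticator instanceof ClientSecretCredentialsProvider)) {
                throw ElytronMessages.log.noJwksPublicKeyOrClientSecretKeyGiven();
            }
            builder.setVerificationKey(((ClientSecretCredentialsProvider) authenticator).getClientSecret());
        } else {
            builder.setVerificationKey(locator.getPublicKey(kid, clientConfiguration));
        }
        return context;
    }

    /**
     * @param oidcClientConfiguration the client configuration to validate against (must not be {@code null})
     * @return a builder for a {@link TokenValidator}
     */
    public static Builder builder(OidcClientConfiguration oidcClientConfiguration) {
        return new Builder(oidcClientConfiguration);
    }

    /**
     * Computes the OIDC {@code at_hash} value for an access token: the left-most half of the digest of the
     * token's UTF-8 bytes, base64url-encoded (the {@code false} flag to {@code base64Encode} presumably
     * disables padding, as the spec requires — confirm against {@link ByteIterator#base64Encode}).
     *
     * @param accessToken the raw access token
     * @param jwsAlgorithm the ID token's JWS algorithm, mapped to a digest by {@link Oidc#getJavaAlgorithmForHash(String)}
     * @return the {@code at_hash} string
     * @throws NoSuchAlgorithmException if the mapped digest is not available
     */
    public static String getAccessTokenHash(String accessToken, String jwsAlgorithm) throws NoSuchAlgorithmException {
        MessageDigest digest = MessageDigest.getInstance(Oidc.getJavaAlgorithmForHash(jwsAlgorithm));
        byte[] hash = digest.digest(accessToken.getBytes(StandardCharsets.UTF_8));
        byte[] leftHalf = Arrays.copyOf(hash, hash.length / 2);
        return ByteIterator.ofBytes(leftHalf).base64Encode(JWKUtil.BASE64_URL, false).drainToString();
    }
}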
