package org.geant.idpextension.oidc.token.support;

import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.openid.connect.sdk.ClaimsRequest;
import com.nimbusds.openid.connect.sdk.Nonce;
import com.nimbusds.openid.connect.sdk.claims.ACR;
import com.nimbusds.openid.connect.sdk.claims.ClaimsSet;
import java.net.URI;
import java.text.ParseException;
import java.time.Instant;
import java.util.Date;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import net.minidev.json.JSONArray;
import net.minidev.json.JSONObject;
import net.shibboleth.utilities.java.support.security.DataSealer;
import net.shibboleth.utilities.java.support.security.DataSealerException;
import net.shibboleth.utilities.java.support.security.IdentifierGenerationStrategy;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/geant/idpextension/oidc/token/support/TokenClaimsSet.class */
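/**
 * Holds the claims of a token as a Nimbus {@link JWTClaimsSet} and exposes typed getters for them.
 *
 * <p>Review notes for callers:</p>
 * <ul>
 * <li>{@link #verifyParsedClaims(String, JWTClaimsSet)} checks only that claims are present and of the
 * expected JSON type. It does not compare {@code exp} with the clock and does not compare issuer,
 * client id or redirect URI with any expected value; callers have to do that themselves, for example
 * with {@link #isExpired()}, {@link #getClientID()} and {@link #getRedirectURI()}.</li>
 * <li>{@link #serialize()} returns plain JSON; no protection is applied in this class. The sealed form
 * comes from {@link #serialize(DataSealer)}.</li>
 * <li>Several getters write the stored claim value to the error log when it cannot be parsed.
 * NOTE(review): delivery claims presumably carry user attribute values, so confirm that the error
 * log is handled accordingly.</li>
 * </ul>
 */
public class TokenClaimsSet {
    /** Claim name under which the token identifier is stored (written with {@code jwtID}). */
    public static final String KEY_AC_ID = "jti";
    /** Claim name for the token type value checked by {@link #verifyParsedClaims}. */
    public static final String KEY_TYPE = "type";
    public static final String KEY_ISSUER = "iss";
    public static final String KEY_USER_PRINCIPAL = "prncpl";
    public static final String KEY_SUBJECT = "sub";
    public static final String KEY_CLIENTID = "clid";
    public static final String KEY_EXPIRATION_TIME = "exp";
    public static final String KEY_ISSUED_AT = "iat";
    public static final String KEY_ACR = "acr";
    public static final String KEY_NONCE = "nonce";
    public static final String KEY_AUTH_TIME = "auth_time";
    public static final String KEY_REDIRECT_URI = "redirect_uri";
    public static final String KEY_SCOPE = "scope";
    public static final String KEY_CLAIMS = "claims";
    public static final String KEY_DELIVERY_CLAIMS = "dl_claims";
    public static final String KEY_DELIVERY_CLAIMS_IDTOKEN = "dl_claims_id";
    public static final String KEY_DELIVERY_CLAIMS_USERINFO = "dl_claims_ui";
    public static final String KEY_CONSENTABLE_CLAIMS = "cnsntbl_claims";
    public static final String KEY_CONSENTED_CLAIMS = "cnsntd_claims";
    public static final String KEY_CODE_CHALLENGE = "cc";

    /** The underlying claims. Left unset by the no-argument constructor. */
    protected JWTClaimsSet tokenClaimsSet;

    /** Class logger; one shared instance is enough because it carries no per-object state. */
    @Nonnull
    private static final Logger log = LoggerFactory.getLogger(TokenClaimsSet.class);

    /* loaded from: input_file:org/geant/idpextension/oidc/token/support/TokenClaimsSet$Builder.class */
    /**
     * Collects the values for a {@link TokenClaimsSet} subtype. The constructor takes the mandatory
     * values, the setters take the optional ones, and {@link #build()} is left to the subtype.
     *
     * @param <T> the claims set type produced by {@link #build()}
     */
    public static abstract class Builder<T extends TokenClaimsSet> {

        @Nonnull
        protected IdentifierGenerationStrategy idGen;

        @Nonnull
        protected ClientID rpId;

        @Nonnull
        protected String iss;

        @Nonnull
        protected String usrPrincipal;

        @Nonnull
        protected String sub;

        // Not set by the constructor and the setter accepts null, so this can be null.
        @Nullable
        protected ACR acr;

        @Nonnull
        protected Instant iat;

        @Nonnull
        protected Instant exp;

        @Nonnull
        protected Instant authTime;

        @Nonnull
        protected URI redirect;

        @Nonnull
        protected Scope reqScope;

        @Nullable
        protected Nonce nonce;

        @Nullable
        protected ClaimsRequest claims;

        @Nullable
        protected ClaimsSet dlClaims;

        @Nullable
        protected ClaimsSet dlClaimsID;

        @Nullable
        protected ClaimsSet dlClaimsUI;

        @Nullable
        protected JSONArray cnsntlClaims;

        @Nullable
        protected JSONArray cnsntdClaims;

        @Nullable
        protected String codeChallenge;

        /**
         * Stores the mandatory values. No null checks are made here; the
         * {@link TokenClaimsSet} constructor rejects null mandatory values.
         *
         * <p>The decompiler notes that this constructor was declared {@code protected} in the
         * original class.</p>
         *
         * @param idGenerator strategy stored in {@link #idGen}
         * @param clientID client id stored in {@link #rpId}
         * @param issuer value stored in {@link #iss}
         * @param userPrincipal value stored in {@link #usrPrincipal}
         * @param subject value stored in {@link #sub}
         * @param issuedAt value stored in {@link #iat}
         * @param expiresAt value stored in {@link #exp}
         * @param authenticationTime value stored in {@link #authTime}
         * @param redirectURI value stored in {@link #redirect}
         * @param scope value stored in {@link #reqScope}
         */
        /* JADX INFO: Access modifiers changed from: protected */
        public Builder(@Nonnull IdentifierGenerationStrategy idGenerator, @Nonnull ClientID clientID,
                @Nonnull String issuer, @Nonnull String userPrincipal, @Nonnull String subject,
                @Nonnull Instant issuedAt, @Nonnull Instant expiresAt, @Nonnull Instant authenticationTime,
                @Nonnull URI redirectURI, @Nonnull Scope scope) {
            this.idGen = idGenerator;
            this.rpId = clientID;
            this.iss = issuer;
            this.usrPrincipal = userPrincipal;
            this.sub = subject;
            this.iat = issuedAt;
            this.exp = expiresAt;
            this.authTime = authenticationTime;
            this.redirect = redirectURI;
            this.reqScope = scope;
        }

        /** Sets the optional ACR value. @return this builder */
        public Builder<T> setACR(@Nullable ACR acr) {
            this.acr = acr;
            return this;
        }

        /** Sets the optional nonce. @return this builder */
        public Builder<T> setNonce(@Nullable Nonce nonce) {
            this.nonce = nonce;
            return this;
        }

        /** Sets the optional claims request. @return this builder */
        public Builder<T> setClaims(@Nullable ClaimsRequest claimsRequest) {
            this.claims = claimsRequest;
            return this;
        }

        /** Sets the optional delivery claims. @return this builder */
        public Builder<T> setDlClaims(@Nullable ClaimsSet claimsSet) {
            this.dlClaims = claimsSet;
            return this;
        }

        /** Sets the optional id token delivery claims. @return this builder */
        public Builder<T> setDlClaimsID(@Nullable ClaimsSet claimsSet) {
            this.dlClaimsID = claimsSet;
            return this;
        }

        /** Sets the optional userinfo delivery claims. @return this builder */
        public Builder<T> setDlClaimsUI(@Nullable ClaimsSet claimsSet) {
            this.dlClaimsUI = claimsSet;
            return this;
        }

        /** Sets the optional consentable claims. @return this builder */
        public Builder<T> setConsentableClaims(@Nullable JSONArray consentableClaims) {
            this.cnsntlClaims = consentableClaims;
            return this;
        }

        /** Sets the optional consented claims. @return this builder */
        public Builder<T> setConsentedClaims(@Nullable JSONArray consentedClaims) {
            this.cnsntdClaims = consentedClaims;
            return this;
        }

        /** Sets the optional code challenge. @return this builder */
        public Builder<T> setCodeChallenge(@Nullable String challenge) {
            this.codeChallenge = challenge;
            return this;
        }

        /** Builds the claims set from the collected values. */
        public abstract T build();
    }

    /**
     * Creates an instance without claims; {@link #tokenClaimsSet} stays null until a subclass sets it.
     * The decompiler notes that this constructor was declared {@code protected} in the original class.
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public TokenClaimsSet() {
    }

    /**
     * Builds the underlying claims set from the given values.
     *
     * <p>The decompiler notes that this constructor was declared {@code protected} in the original
     * class.</p>
     *
     * @param tokenType value of the {@code type} claim
     * @param tokenID value of the {@code jti} claim
     * @param clientID client id, stored as {@code clid}
     * @param issuer value of the {@code iss} claim
     * @param userPrincipal value of the {@code prncpl} claim
     * @param subject value of the {@code sub} claim
     * @param acr optional ACR, stored as {@code acr}
     * @param iat issue time
     * @param exp expiration time
     * @param nonce optional nonce
     * @param authTime authentication time, stored as {@code auth_time}
     * @param redirectURI redirect URI, stored as its string form
     * @param scope scope, stored as its string form
     * @param claims optional claims request
     * @param dlClaims optional delivery claims
     * @param dlClaimsID optional id token delivery claims
     * @param dlClaimsUI optional userinfo delivery claims
     * @param consentableClaims optional consentable claims
     * @param consentedClaims optional consented claims
     * @param codeChallenge optional code challenge, stored as {@code cc}
     * @throws RuntimeException if any mandatory value is null
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public TokenClaimsSet(@Nonnull String tokenType, @Nonnull String tokenID, @Nonnull ClientID clientID,
            @Nonnull String issuer, @Nonnull String userPrincipal, @Nonnull String subject, @Nullable ACR acr,
            @Nonnull Instant iat, @Nonnull Instant exp, @Nullable Nonce nonce, @Nonnull Instant authTime,
            @Nonnull URI redirectURI, @Nonnull Scope scope, @Nullable ClaimsRequest claims,
            @Nullable ClaimsSet dlClaims, @Nullable ClaimsSet dlClaimsID, @Nullable ClaimsSet dlClaimsUI,
            @Nullable JSONArray consentableClaims, @Nullable JSONArray consentedClaims,
            @Nullable String codeChallenge) {
        if (tokenType == null || tokenID == null || clientID == null || issuer == null || userPrincipal == null
                || iat == null || exp == null || authTime == null || redirectURI == null || scope == null
                || subject == null) {
            throw new RuntimeException("Invalid parameters, programming error");
        }
        this.tokenClaimsSet = new JWTClaimsSet.Builder()
                .claim(KEY_TYPE, tokenType)
                .jwtID(tokenID)
                .claim(KEY_CLIENTID, clientID.getValue())
                .issuer(issuer)
                .subject(subject)
                .claim(KEY_USER_PRINCIPAL, userPrincipal)
                .claim(KEY_ACR, acr == null ? null : acr.getValue())
                .issueTime(Date.from(iat))
                .expirationTime(Date.from(exp))
                .claim(KEY_NONCE, nonce == null ? null : nonce.getValue())
                .claim(KEY_AUTH_TIME, Date.from(authTime))
                .claim(KEY_REDIRECT_URI, redirectURI.toString())
                .claim(KEY_SCOPE, scope.toString())
                .claim(KEY_CLAIMS, claims == null ? null : claims.toJSONObject())
                .claim(KEY_DELIVERY_CLAIMS, dlClaims == null ? null : dlClaims.toJSONObject())
                .claim(KEY_DELIVERY_CLAIMS_IDTOKEN, dlClaimsID == null ? null : dlClaimsID.toJSONObject())
                .claim(KEY_DELIVERY_CLAIMS_USERINFO, dlClaimsUI == null ? null : dlClaimsUI.toJSONObject())
                .claim(KEY_CONSENTABLE_CLAIMS, consentableClaims)
                .claim(KEY_CONSENTED_CLAIMS, consentedClaims)
                .claim(KEY_CODE_CHALLENGE, codeChallenge)
                .build();
    }

    /**
     * Checks that a parsed claims set has the expected type value, carries every mandatory claim and
     * that each optional claim, when present, has the expected JSON type.
     *
     * <p>This is a structural check only. Nothing here compares {@code exp} with the current time or
     * compares issuer, client id or redirect URI with an expected value.</p>
     *
     * <p>The decompiler notes that this method was declared {@code protected} in the original class.</p>
     *
     * @param tokenType the {@code type} value the claims set must carry
     * @param parsed the claims set to check
     * @throws ParseException if the type differs, a mandatory claim is missing or null, or a claim has
     *         the wrong JSON type
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public static void verifyParsedClaims(@Nonnull String tokenType, @Nonnull JWTClaimsSet parsed)
            throws ParseException {
        if (!tokenType.equals(parsed.getClaims().get(KEY_TYPE))) {
            throw new ParseException("claim type value not matching", 0);
        }
        // Mandatory claims, checked in a fixed order so the first failure reported stays the same.
        requireStringClaim(parsed, KEY_ISSUER);
        requireStringClaim(parsed, KEY_USER_PRINCIPAL);
        requireStringClaim(parsed, KEY_SUBJECT);
        requireStringClaim(parsed, KEY_CLIENTID);
        requireDateClaim(parsed, KEY_EXPIRATION_TIME);
        requireDateClaim(parsed, KEY_ISSUED_AT);
        requireStringClaim(parsed, KEY_AC_ID);
        requireDateClaim(parsed, KEY_AUTH_TIME);
        requireStringClaim(parsed, KEY_REDIRECT_URI);
        requireStringClaim(parsed, KEY_SCOPE);
        // Optional claims: only the JSON type is checked, and only when the key is present.
        checkOptionalStringClaim(parsed, KEY_ACR);
        checkOptionalArrayClaim(parsed, KEY_CONSENTABLE_CLAIMS, "consentable claims is of wrong type");
        checkOptionalArrayClaim(parsed, KEY_CONSENTED_CLAIMS, "consented claims is of wrong type");
        checkOptionalObjectClaim(parsed, KEY_CLAIMS);
        checkOptionalObjectClaim(parsed, KEY_DELIVERY_CLAIMS);
        checkOptionalObjectClaim(parsed, KEY_DELIVERY_CLAIMS_IDTOKEN);
        checkOptionalObjectClaim(parsed, KEY_DELIVERY_CLAIMS_USERINFO);
        checkOptionalStringClaim(parsed, KEY_NONCE);
        checkOptionalStringClaim(parsed, KEY_CODE_CHALLENGE);
    }

    /** Fails unless the named claim is present, non-null and a string. */
    private static void requireStringClaim(JWTClaimsSet parsed, String name) throws ParseException {
        if (parsed.getStringClaim(name) == null) {
            throw new ParseException("claim " + name + " must exist and not be null", 0);
        }
    }

    /** Fails unless the named claim is present, non-null and readable as a date. */
    private static void requireDateClaim(JWTClaimsSet parsed, String name) throws ParseException {
        if (parsed.getDateClaim(name) == null) {
            throw new ParseException("claim " + name + " must exist and not be null", 0);
        }
    }

    /** Reads the named claim as a string when the key is present, so a wrong type raises ParseException. */
    private static void checkOptionalStringClaim(JWTClaimsSet parsed, String name) throws ParseException {
        if (parsed.getClaims().containsKey(name)) {
            parsed.getStringClaim(name);
        }
    }

    /** Reads the named claim as a JSON object when the key is present, so a wrong type raises ParseException. */
    private static void checkOptionalObjectClaim(JWTClaimsSet parsed, String name) throws ParseException {
        if (parsed.getClaims().containsKey(name)) {
            parsed.getJSONObjectClaim(name);
        }
    }

    /** Fails with the given message when the key is present and its value is not a JSONArray. */
    private static void checkOptionalArrayClaim(JWTClaimsSet parsed, String name, String message)
            throws ParseException {
        if (parsed.getClaims().containsKey(name) && !(parsed.getClaim(name) instanceof JSONArray)) {
            throw new ParseException(message, 0);
        }
    }

    /**
     * Returns the claims as a JSON string. No sealing, signing or encryption is applied here.
     *
     * @return JSON form of the claims
     */
    public String serialize() {
        return this.tokenClaimsSet.toJSONObject().toJSONString();
    }

    /**
     * Returns the JSON form wrapped by the given sealer, passing the token's own expiration time as
     * the expiration of the wrapped value.
     *
     * @param dataSealer sealer used to wrap the JSON
     * @return the wrapped value
     * @throws DataSealerException if wrapping fails
     */
    public String serialize(@Nonnull DataSealer dataSealer) throws DataSealerException {
        Instant expiresAt = Instant.ofEpochMilli(this.tokenClaimsSet.getExpirationTime().getTime());
        return dataSealer.wrap(serialize(), expiresAt);
    }

    /** Returns the underlying claims set. */
    @Nonnull
    public JWTClaimsSet getClaimsSet() {
        return this.tokenClaimsSet;
    }

    /**
     * Tells whether the expiration time lies before the current system time.
     *
     * @return true if the token has expired
     */
    public boolean isExpired() {
        return this.tokenClaimsSet.getExpirationTime().before(new Date());
    }

    /** Returns the expiration time. */
    @Nonnull
    public Instant getExp() {
        return this.tokenClaimsSet.getExpirationTime().toInstant();
    }

    /**
     * Returns the redirect URI stored in the token.
     *
     * @return the redirect URI, or null if the stored claim is not a string
     */
    @Nullable
    public URI getRedirectURI() {
        try {
            return URI.create(this.tokenClaimsSet.getStringClaim(KEY_REDIRECT_URI));
        } catch (ParseException e) {
            // The placeholder was missing before, so the exception message never reached the log.
            log.error("error parsing redirect uri from token: {}", e.getMessage());
            return null;
        }
    }

    /** Returns the ACR value, or null when none was stored. */
    @Nullable
    public String getACR() {
        return (String) this.tokenClaimsSet.getClaim(KEY_ACR);
    }

    /** Returns the token type value. */
    @Nonnull
    public String getType() {
        return (String) this.tokenClaimsSet.getClaim(KEY_TYPE);
    }

    /** Returns the user principal. */
    @Nonnull
    public String getPrincipal() {
        return (String) this.tokenClaimsSet.getClaim(KEY_USER_PRINCIPAL);
    }

    /**
     * Returns the authentication time.
     *
     * @return the authentication time, or null if the stored claim cannot be read as a date
     */
    @Nullable
    public Instant getAuthenticationTime() {
        try {
            return this.tokenClaimsSet.getDateClaim(KEY_AUTH_TIME).toInstant();
        } catch (ParseException e) {
            log.error("Error parsing auth time {}", this.tokenClaimsSet.getClaim(KEY_AUTH_TIME));
            return null;
        }
    }

    /** Returns the nonce, or null when none was stored. */
    @Nullable
    public Nonce getNonce() {
        Object stored = this.tokenClaimsSet.getClaim(KEY_NONCE);
        return stored == null ? null : new Nonce((String) stored);
    }

    /**
     * Returns the claims request.
     *
     * @return the claims request, or null when none was stored or it cannot be parsed
     */
    @Nullable
    public ClaimsRequest getClaimsRequest() {
        if (this.tokenClaimsSet.getClaim(KEY_CLAIMS) == null) {
            return null;
        }
        try {
            return ClaimsRequest.parse(this.tokenClaimsSet.getJSONObjectClaim(KEY_CLAIMS));
        } catch (ParseException e) {
            log.error("Error parsing claims request {}", this.tokenClaimsSet.getClaim(KEY_CLAIMS));
            return null;
        }
    }

    /** Returns the delivery claims, or null when none were stored or they cannot be parsed. */
    @Nullable
    public ClaimsSet getDeliveryClaims() {
        return readDeliveryClaims(KEY_DELIVERY_CLAIMS, "Error parsing delivery claims {}");
    }

    /** Returns the id token delivery claims, or null when none were stored or they cannot be parsed. */
    @Nullable
    public ClaimsSet getIDTokenDeliveryClaims() {
        return readDeliveryClaims(KEY_DELIVERY_CLAIMS_IDTOKEN, "Error parsing id token delivery claims {}");
    }

    /** Returns the userinfo delivery claims, or null when none were stored or they cannot be parsed. */
    @Nullable
    public ClaimsSet getUserinfoDeliveryClaims() {
        // The message used to say "id token", which pointed log readers at the wrong claim.
        return readDeliveryClaims(KEY_DELIVERY_CLAIMS_USERINFO, "Error parsing userinfo delivery claims {}");
    }

    /**
     * Copies the JSON object stored under the given claim name into a new claims set.
     *
     * @param claimName name of the claim to read
     * @param errorFormat log format used when the claim is not a JSON object
     * @return the copied claims, or null when the claim is absent or not a JSON object
     */
    @Nullable
    private ClaimsSet readDeliveryClaims(@Nonnull String claimName, @Nonnull String errorFormat) {
        try {
            JSONObject stored = this.tokenClaimsSet.getJSONObjectClaim(claimName);
            if (stored == null) {
                return null;
            }
            TokenDeliveryClaimsClaimsSet result = new TokenDeliveryClaimsClaimsSet();
            result.putAll(stored);
            return result;
        } catch (ParseException e) {
            // NOTE(review): this logs the stored claim value itself; confirm that is acceptable.
            log.error(errorFormat, this.tokenClaimsSet.getClaim(claimName));
            return null;
        }
    }

    /** Returns the consentable claims, or null when none were stored. */
    @Nullable
    public JSONArray getConsentableClaims() {
        return (JSONArray) this.tokenClaimsSet.getClaim(KEY_CONSENTABLE_CLAIMS);
    }

    /** Returns the consented claims, or null when none were stored. */
    @Nullable
    public JSONArray getConsentedClaims() {
        return (JSONArray) this.tokenClaimsSet.getClaim(KEY_CONSENTED_CLAIMS);
    }

    /**
     * Returns the scope.
     *
     * @return the scope, or null if the stored claim is not a string
     */
    @Nullable
    public Scope getScope() {
        try {
            return Scope.parse(this.tokenClaimsSet.getStringClaim(KEY_SCOPE));
        } catch (ParseException e) {
            log.error("Error parsing scope in request {}", this.tokenClaimsSet.getClaim(KEY_SCOPE));
            return null;
        }
    }

    /** Returns the code challenge, or null when none was stored. */
    @Nullable
    public String getCodeChallenge() {
        return (String) this.tokenClaimsSet.getClaim(KEY_CODE_CHALLENGE);
    }

    /** Returns the token identifier. */
    @Nonnull
    public String getID() {
        return this.tokenClaimsSet.getJWTID();
    }

    /** Returns the client id the token was stored with. */
    @Nonnull
    public ClientID getClientID() {
        return new ClientID((String) this.tokenClaimsSet.getClaim(KEY_CLIENTID));
    }
}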
