package org.eclipse.jetty.security.openid;

import java.io.Serializable;
import java.net.URI;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import org.eclipse.jetty.client.api.Request;
import org.eclipse.jetty.client.util.BasicAuthentication;
import org.eclipse.jetty.client.util.FormRequestContent;
import org.eclipse.jetty.util.Fields;
import org.eclipse.jetty.util.ajax.JSON;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/eclipse/jetty/security/openid/OpenIdCredentials.class */
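/**
 * Credentials produced by the OpenID Connect authorization-code flow.
 *
 * <p>An instance is created either from an authorization code plus the redirect URI that was
 * used to obtain it (the code is exchanged for tokens on the first call to
 * {@link #redeemAuthCode(OpenIdConfiguration)}), or directly from an already decoded set of
 * ID token claims. In both cases {@link #redeemAuthCode(OpenIdConfiguration)} validates the
 * claims once and then remembers the result in {@code verified}; later calls do not re-run
 * the checks, so callers that need the expiry re-evaluated must do that themselves.
 *
 * <p>Not thread-safe: the fields are mutated by {@code redeemAuthCode}.
 */
public class OpenIdCredentials implements Serializable {
    private static final Logger LOG = LoggerFactory.getLogger(OpenIdCredentials.class);
    private static final long serialVersionUID = 4766053233370044796L;

    /** Client authentication methods supported for the token endpoint request. */
    private static final String AUTH_METHOD_BASIC = "client_secret_basic";
    private static final String AUTH_METHOD_POST = "client_secret_post";
    /** Upper bound on the back-channel token request, in seconds. */
    private static final long TOKEN_REQUEST_TIMEOUT_SECONDS = 10L;

    // redirect_uri used in the authorization request; must be echoed in the token request
    private final String redirectUri;
    // single-use: cleared by redeemAuthCode whether or not the exchange succeeds
    private String authCode;
    // raw (parsed) token endpoint response; null until a code has been redeemed
    private Map<String, Object> response;
    // decoded ID token claims; null until redeemed unless supplied by the constructor
    private Map<String, Object> claims;
    // true once validateClaims has passed; validation is not repeated afterwards
    private boolean verified;

    /** Thrown when the token response or the ID token claims fail validation. */
    public static class AuthenticationException extends Exception {
        public AuthenticationException(String str) {
            super(str);
        }
    }

    /**
     * Creates credentials from already decoded ID token claims.
     *
     * @param map the ID token claims; validated on the first {@code redeemAuthCode} call
     */
    public OpenIdCredentials(Map<String, Object> map) {
        this.verified = false;
        this.redirectUri = null;
        this.authCode = null;
        this.claims = map;
    }

    /**
     * Creates credentials from an authorization code that still has to be exchanged.
     *
     * @param str the authorization code returned by the provider
     * @param str2 the redirect URI that was sent in the authorization request
     */
    public OpenIdCredentials(String str, String str2) {
        this.verified = false;
        this.authCode = str;
        this.redirectUri = str2;
    }

    /**
     * @return the {@code sub} claim, or {@code null} when there are no claims yet or the
     *         claim is absent
     */
    public String getUserId() {
        return this.claims == null ? null : (String) this.claims.get("sub");
    }

    /** @return the decoded ID token claims (the live map, not a copy); may be {@code null} */
    public Map<String, Object> getClaims() {
        return this.claims;
    }

    /** @return the parsed token endpoint response (the live map, not a copy); may be {@code null} */
    public Map<String, Object> getResponse() {
        return this.response;
    }

    /**
     * Exchanges the authorization code (if one is pending) for tokens and validates the ID
     * token claims.
     *
     * <p>The authorization code is cleared even when the exchange fails, so a failed redeem
     * cannot be retried with the same code.
     *
     * @param openIdConfiguration provider configuration (endpoints, client id/secret, auth method)
     * @throws AuthenticationException when the token response or the claims are not acceptable
     * @throws Exception when the back-channel request itself fails
     */
    public void redeemAuthCode(OpenIdConfiguration openIdConfiguration) throws Exception {
        if (LOG.isDebugEnabled()) {
            LOG.debug("redeemAuthCode() {}", this);
        }
        if (this.authCode != null) {
            try {
                this.response = claimAuthCode(openIdConfiguration);
                if (LOG.isDebugEnabled()) {
                    // NOTE: the response map carries the raw access_token and id_token
                    LOG.debug("response: {}", this.response);
                }
                String idToken = extractIdToken(this.response);
                // NOTE(review): JwtDecoder is opaque here; whether it verifies the token
                // signature is not visible in this file — confirm before relying on it.
                this.claims = JwtDecoder.decode(idToken);
                if (LOG.isDebugEnabled()) {
                    LOG.debug("claims {}", this.claims);
                }
            } finally {
                // authorization codes are single use
                this.authCode = null;
            }
        }
        if (this.verified) {
            return;
        }
        if (this.claims == null) {
            throw new AuthenticationException("no claims to validate");
        }
        validateClaims(openIdConfiguration);
        this.verified = true;
    }

    /**
     * Checks the shape of the token endpoint response and returns the ID token string.
     *
     * @param tokenResponse parsed token endpoint response
     * @return the {@code id_token} value
     * @throws AuthenticationException when the provider reported an error or a required
     *         member is missing or of the wrong type
     */
    private static String extractIdToken(Map<String, Object> tokenResponse) throws AuthenticationException {
        // OAuth 2.0 error responses carry "error" (and optionally "error_description")
        // instead of tokens; surface that rather than a generic "no id_token".
        Object error = tokenResponse.get("error");
        if (error != null) {
            Object description = tokenResponse.get("error_description");
            String detail = description == null ? "" : " (" + description + ")";
            throw new AuthenticationException("OpenID Provider returned error: " + error + detail);
        }
        Object idToken = tokenResponse.get("id_token");
        if (!(idToken instanceof String)) {
            throw new AuthenticationException("no id_token");
        }
        if (!(tokenResponse.get("access_token") instanceof String)) {
            throw new AuthenticationException("no access_token");
        }
        Object tokenType = tokenResponse.get("token_type");
        if (!(tokenType instanceof String) || !"Bearer".equalsIgnoreCase((String) tokenType)) {
            throw new AuthenticationException("invalid token_type");
        }
        return (String) idToken;
    }

    /**
     * Validates issuer, audience, authorized party and expiry of the ID token claims.
     *
     * @param openIdConfiguration provider configuration supplying issuer and client id
     * @throws AuthenticationException when any check fails
     */
    private void validateClaims(OpenIdConfiguration openIdConfiguration) throws AuthenticationException {
        if (!openIdConfiguration.getIssuer().equals(this.claims.get("iss"))) {
            throw new AuthenticationException("Issuer Identifier MUST exactly match the iss Claim");
        }
        validateAudience(openIdConfiguration);
        Object authorizedParty = this.claims.get("azp");
        if (authorizedParty != null && !openIdConfiguration.getClientId().equals(authorizedParty)) {
            throw new AuthenticationException("Authorized party claim value should be the client_id");
        }
        validateExpiry();
    }

    /**
     * Rejects an ID token whose {@code exp} claim (seconds since the epoch) is in the past.
     *
     * <p>Uses integer seconds: the previous float division lost precision at current epoch
     * values (a float ulp around 1.7e12 ms is about two minutes). No clock-skew allowance is
     * applied.
     *
     * @throws AuthenticationException when {@code exp} is missing, not numeric, or in the past
     */
    private void validateExpiry() throws AuthenticationException {
        Object exp = this.claims.get("exp");
        if (!(exp instanceof Number)) {
            throw new AuthenticationException("ID Token has no valid exp claim");
        }
        long nowSeconds = System.currentTimeMillis() / 1000L;
        if (nowSeconds > ((Number) exp).longValue()) {
            throw new AuthenticationException("ID Token has expired");
        }
    }

    /**
     * Checks that the {@code aud} claim names this client, and that a multi-audience token
     * carries an {@code azp} claim.
     *
     * @param openIdConfiguration provider configuration supplying the client id
     * @throws AuthenticationException when the audience is missing, malformed, or does not
     *         include the client id
     */
    private void validateAudience(OpenIdConfiguration openIdConfiguration) throws AuthenticationException {
        Object audience = this.claims.get("aud");
        String clientId = openIdConfiguration.getClientId();
        if (audience instanceof String) {
            if (!clientId.equals(audience)) {
                throw new AuthenticationException("Audience Claim MUST contain the client_id value");
            }
            return;
        }
        // JSON arrays arrive as Object[] from the parser used here; a List is accepted too
        // in case a differently configured parser produces one.
        List<?> audiences;
        if (audience instanceof Object[]) {
            audiences = Arrays.asList((Object[]) audience);
        } else if (audience instanceof List) {
            audiences = (List<?>) audience;
        } else {
            throw new AuthenticationException("Audience claim was not valid");
        }
        if (!audiences.contains(clientId)) {
            throw new AuthenticationException("Audience Claim MUST contain the client_id value");
        }
        if (audiences.size() > 1 && this.claims.get("azp") == null) {
            throw new AuthenticationException("A multi-audience ID token needs to contain an azp claim");
        }
    }

    /**
     * Performs the back-channel authorization-code grant against the token endpoint.
     *
     * @param openIdConfiguration provider configuration (HTTP client, endpoint, credentials)
     * @return the parsed JSON object returned by the token endpoint
     * @throws AuthenticationException when the body is not a JSON object
     * @throws IllegalStateException when the configured auth method is not supported
     * @throws Exception when the request fails or times out
     */
    private Map<String, Object> claimAuthCode(OpenIdConfiguration openIdConfiguration) throws Exception {
        Fields fields = new Fields();
        fields.add("code", this.authCode);
        fields.add("redirect_uri", this.redirectUri);
        fields.add("grant_type", "authorization_code");
        Request request = openIdConfiguration.getHttpClient().POST(openIdConfiguration.getTokenEndpoint());
        String authMethod = openIdConfiguration.getAuthMethod();
        switch (authMethod) {
            case AUTH_METHOD_BASIC:
                // client credentials go in the Authorization header
                new BasicAuthentication.BasicResult(
                    URI.create(openIdConfiguration.getTokenEndpoint()),
                    openIdConfiguration.getClientId(),
                    openIdConfiguration.getClientSecret()).apply(request);
                break;
            case AUTH_METHOD_POST:
                // client credentials go in the form body
                fields.add("client_id", openIdConfiguration.getClientId());
                fields.add("client_secret", openIdConfiguration.getClientSecret());
                break;
            default:
                throw new IllegalStateException(authMethod);
        }
        String body = request.body(new FormRequestContent(fields))
            .timeout(TOKEN_REQUEST_TIMEOUT_SECONDS, TimeUnit.SECONDS)
            .send()
            .getContentAsString();
        if (LOG.isDebugEnabled()) {
            // NOTE: the raw body contains bearer tokens; keep this logger above DEBUG in production
            LOG.debug("Authentication response: {}", body);
        }
        Object parsed = new JSON().fromJSON(body);
        if (!(parsed instanceof Map)) {
            throw new AuthenticationException("Malformed response from OpenID Provider");
        }
        @SuppressWarnings("unchecked") // JSON object keys are strings
        Map<String, Object> result = (Map<String, Object>) parsed;
        return result;
    }
}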
