package org.modelio.vbasic.oidc.flows;

import com.nimbusds.jose.Header;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.jwk.source.RemoteJWKSet;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import com.nimbusds.oauth2.sdk.ErrorObject;
import com.nimbusds.oauth2.sdk.SerializeException;
import com.nimbusds.oauth2.sdk.TokenErrorResponse;
import com.nimbusds.oauth2.sdk.TokenRequest;
import com.nimbusds.oauth2.sdk.TokenResponse;
import com.nimbusds.oauth2.sdk.http.HTTPRequest;
import com.nimbusds.oauth2.sdk.http.HTTPResponse;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.token.AccessToken;
import com.nimbusds.openid.connect.sdk.Nonce;
import com.nimbusds.openid.connect.sdk.OIDCTokenResponse;
import com.nimbusds.openid.connect.sdk.OIDCTokenResponseParser;
import com.nimbusds.openid.connect.sdk.op.ReadOnlyOIDCProviderMetadata;
import com.nimbusds.openid.connect.sdk.token.OIDCTokens;
import com.nimbusds.openid.connect.sdk.validators.IDTokenClaimsVerifier;
import java.io.IOException;
import java.net.MalformedURLException;
import java.text.MessageFormat;
import java.text.ParseException;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalUnit;
import java.util.Date;
import java.util.HashSet;
import java.util.concurrent.TimeUnit;
import org.modelio.vbasic.files.FileUtils;
import org.modelio.vbasic.log.Log;
import org.modelio.vbasic.net.HttpErrorMapper;
import org.modelio.vbasic.net.HttpUriAuthenticationException;
import org.modelio.vbasic.oidc.IOidcAuthenticationFlow;

/* loaded from: input_file:org/modelio/vbasic/oidc/flows/NimbusHelper.class */
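/**
 * Static helpers around the Nimbus OAuth 2.0 / OpenID Connect SDK: sends a token request,
 * checks the signature of the returned JWTs against the provider's published key set and
 * derives an expiration instant for the resulting authentication response.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>{@link #requestOidcTokens} verifies JWT signatures, but no issuer, audience or nonce
 *       verifier is installed on that path. Those checks exist only in
 *       {@code validateIdToken}, which nothing in this class calls.</li>
 *   <li>{@link #getSubject} and {@link #getJWT} only <em>parse</em> tokens. They must be fed
 *       tokens that already went through signature validation.</li>
 * </ul>
 */
public class NimbusHelper {
    /** Connect timeout applied to the token endpoint request, in milliseconds. */
    private static final int CONNECT_TIMEOUT_MS = 10_000;

    /**
     * Read timeout applied to the token endpoint request, in milliseconds.
     * The decompiled source spelled this as {@code Header.MAX_HEADER_STRING_LENGTH}, an unrelated
     * JOSE header parsing limit that happens to equal 20000. A literal keeps the timeout from
     * silently following a library constant.
     */
    private static final int READ_TIMEOUT_MS = 20_000;

    /** Clock skew tolerated when verifying ID token time claims, in minutes. */
    private static final long MAX_CLOCK_SKEW_MINUTES = 5L;

    /** Validity assumed when neither token carries expiration information, in minutes. */
    private static final long DEFAULT_VALIDITY_MINUTES = 5L;

    private NimbusHelper() {
        // Utility class, not instantiable.
    }

    /**
     * Sends the token request to the provider's token endpoint and turns a successful
     * response into an {@link IOidcAuthenticationFlow.AuthResponse}.
     *
     * @param readOnlyOIDCProviderMetadata provider metadata, used to locate the JWK set and
     *        the accepted signature algorithms.
     * @param tokenRequest the token request to send.
     * @return the received tokens together with their computed expiration instant.
     * @throws IOException if the request cannot be sent, the endpoint answers with an OAuth
     *         error, the response cannot be parsed, or token validation fails.
     */
    public static IOidcAuthenticationFlow.AuthResponse requestOidcTokens(ReadOnlyOIDCProviderMetadata readOnlyOIDCProviderMetadata, TokenRequest tokenRequest) throws IOException {
        // NOTE(review): serialization happens here, outside the try block, so the
        // SerializeException handler below may never see a failure from this call. Confirm.
        HTTPRequest httpRequest = tokenRequest.toHTTPRequest();
        try {
            httpRequest.setConnectTimeout(CONNECT_TIMEOUT_MS);
            httpRequest.setReadTimeout(READ_TIMEOUT_MS);
            HTTPResponse httpResponse = httpRequest.send();
            Log.trace("NimbusHelper: Received OIDC HTTP %d response.", Integer.valueOf(httpResponse.getStatusCode()));
            try {
                TokenResponse tokenResponse = OIDCTokenResponseParser.parse(httpResponse);
                if (tokenResponse instanceof TokenErrorResponse) {
                    ErrorObject errorObject = tokenResponse.toErrorResponse().getErrorObject();
                    throw HttpErrorMapper.create(httpResponse.getStatusCode(), tokenRequest.getEndpointURI().toString(), MessageFormat.format("HTTP {0}: {1}", Integer.valueOf(errorObject.getHTTPStatusCode()), NimbusDumper.prettyPrint(errorObject.toJSONObject())), null);
                }
                try {
                    return createAuthResponse(readOnlyOIDCProviderMetadata, ((OIDCTokenResponse) tokenResponse).getOIDCTokens());
                } catch (JOSEException | BadJOSEException | ParseException validationFailure) {
                    throw new HttpUriAuthenticationException(0, validationFailure, tokenRequest.getEndpointURI().toString(), validationFailure.getLocalizedMessage());
                }
            } catch (com.nimbusds.oauth2.sdk.ParseException parseFailure) {
                // NOTE(review): the raw response body is embedded in the exception message. If a
                // caller logs it, whatever the endpoint returned (possibly token material in a
                // malformed success response) reaches the logs. Consider truncating or omitting it.
                throw HttpErrorMapper.create(httpResponse.getStatusCode(), tokenRequest.getEndpointURI().toString(), MessageFormat.format("HTTP {0} {1}: non parseable: {2}", Integer.valueOf(httpResponse.getStatusCode()), httpResponse.getStatusMessage(), httpResponse.getContent()), parseFailure);
            }
        } catch (SerializeException serializeFailure) {
            throw new IOException("Failed serializing token request: " + serializeFailure.getLocalizedMessage(), serializeFailure);
        } catch (IOException ioFailure) {
            // NOTE(review): this handler also encloses the throw statements above. If the mapped
            // HTTP / authentication exceptions are IOException subclasses they get re-wrapped here
            // as a plain IOException and callers lose the specific type. Verify against the
            // original sources, since the try range may be a decompilation artefact.
            throw new IOException("Failed sending token request: " + FileUtils.getLocalizedMessage(ioFailure), ioFailure);
        }
    }

    /**
     * Builds a JWT processor that verifies JWS signatures with keys fetched from the
     * provider's JWK set URI and rejects encrypted (JWE) tokens.
     *
     * @param readOnlyOIDCProviderMetadata provider metadata supplying the algorithm list and JWK set URI.
     * @return a processor with only the JWS key selector configured.
     * @throws MalformedURLException if the JWK set URI cannot be converted to a URL.
     */
    private static DefaultJWTProcessor<SecurityContext> createJwtProcessor(ReadOnlyOIDCProviderMetadata readOnlyOIDCProviderMetadata) throws MalformedURLException {
        DefaultJWTProcessor<SecurityContext> jwtProcessor = new DefaultJWTProcessor<>();
        // NOTE(review): the accepted-algorithm list comes from getAuthorizationJWSAlgs(), i.e. the
        // algorithms advertised for signed authorization responses. ID token algorithms are
        // published separately (getIDTokenJWSAlgs()). Confirm which list is intended.
        // If the provider omits this field or the JWK set URI, the calls below fail with a
        // NullPointerException instead of a validation error.
        jwtProcessor.setJWSKeySelector(new JWSVerificationKeySelector<>(new HashSet<>(readOnlyOIDCProviderMetadata.getAuthorizationJWSAlgs()), new RemoteJWKSet<>(readOnlyOIDCProviderMetadata.getJWKSetURI().toURL())));
        // No JWE key selector: encrypted tokens cannot be processed.
        jwtProcessor.setJWEKeySelector(null);
        return jwtProcessor;
    }

    /**
     * Verifies the ID token signature and its claims (issuer, client ID as audience, nonce,
     * time claims with a five minute clock skew). Does nothing when there is no ID token.
     *
     * <p>NOTE(review): no method of this class calls this one, so the issuer / audience / nonce
     * checks are not part of the {@link #requestOidcTokens} path as decompiled.
     *
     * @param oIDCTokens tokens returned by the provider.
     * @param readOnlyOIDCProviderMetadata provider metadata supplying the expected issuer and keys.
     * @param clientID the client ID the token must be issued for.
     * @param nonce the nonce sent in the authentication request; passed through to the verifier.
     * @throws IOException if signature or claims verification fails.
     */
    private static void validateIdToken(OIDCTokens oIDCTokens, ReadOnlyOIDCProviderMetadata readOnlyOIDCProviderMetadata, ClientID clientID, Nonce nonce) throws IOException {
        JWT idToken = oIDCTokens.getIDToken();
        if (idToken == null) {
            return;
        }
        try {
            IDTokenClaimsVerifier claimsVerifier = new IDTokenClaimsVerifier(readOnlyOIDCProviderMetadata.getIssuer(), clientID, nonce, (int) TimeUnit.MINUTES.toSeconds(MAX_CLOCK_SKEW_MINUTES));
            DefaultJWTProcessor<SecurityContext> jwtProcessor = createJwtProcessor(readOnlyOIDCProviderMetadata);
            jwtProcessor.setJWTClaimsSetVerifier(claimsVerifier);
            // The security context is unused; the decompiler had typed this null as a JWT.
            jwtProcessor.process(idToken, null);
        } catch (JOSEException | BadJOSEException e) {
            throw new IOException(e.getLocalizedMessage(), e);
        }
    }

    /**
     * Runs the received tokens through the JWT processor and computes when the
     * authentication expires.
     *
     * <p>Expiration precedence: the access token's {@code exp} claim, else the access token
     * lifetime from the token response, else the ID token's {@code exp} claim, else five
     * minutes from now.
     *
     * @param readOnlyOIDCProviderMetadata provider metadata used to build the JWT processor.
     * @param oIDCTokens tokens returned by the provider.
     * @return the tokens paired with the computed expiration instant.
     * @throws ParseException if a token is not a parseable JWT.
     * @throws MalformedURLException if the JWK set URI cannot be converted to a URL.
     * @throws BadJOSEException if a token is rejected by the processor.
     * @throws JOSEException if an internal JOSE processing error occurs.
     */
    private static IOidcAuthenticationFlow.AuthResponse createAuthResponse(ReadOnlyOIDCProviderMetadata readOnlyOIDCProviderMetadata, OIDCTokens oIDCTokens) throws ParseException, MalformedURLException, BadJOSEException, JOSEException {
        Log.trace("NimbusHelper: Validating OIDC tokens...");
        Instant expiration = null;
        DefaultJWTProcessor<SecurityContext> jwtProcessor = createJwtProcessor(readOnlyOIDCProviderMetadata);

        // NOTE(review): this processor has no IDTokenClaimsVerifier installed, so issuer,
        // audience and nonce of the ID token are not checked on this path.
        if (oIDCTokens.getIDToken() != null) {
            Date idTokenExpiration = jwtProcessor.process(oIDCTokens.getIDToken(), null).getExpirationTime();
            if (idTokenExpiration != null) {
                Log.trace("NimbusHelper: Expiration found in ID token: %s", idTokenExpiration);
                expiration = idTokenExpiration.toInstant();
            }
        }

        AccessToken accessToken = oIDCTokens.getAccessToken();
        if (accessToken != null) {
            // NOTE(review): the access token is required to be a JWT signed by the provider.
            // An opaque access token makes this call throw and fails the whole flow before
            // the lifetime fallback below is reached. Confirm that this is intended.
            Date accessTokenExpiration = jwtProcessor.process(accessToken.getValue(), null).getExpirationTime();
            if (accessTokenExpiration != null) {
                Log.trace("NimbusHelper: Expiration found in Access token JWT claims: %s", accessTokenExpiration);
                expiration = accessTokenExpiration.toInstant();
            } else {
                long lifetime = accessToken.getLifetime();
                if (lifetime > 0) {
                    // Log the lifetime itself; the expiration date is always null in this branch.
                    Log.trace("NimbusHelper: Lifetime found in Access token: %s", Long.valueOf(lifetime));
                    expiration = Instant.now().plusSeconds(lifetime);
                }
            }
        }

        if (expiration == null) {
            Log.warning("NimbusHelper: No expiration information found either in Id token, access token claims or access token response, default to 5 minutes");
            expiration = Instant.now().plus(DEFAULT_VALIDITY_MINUTES, ChronoUnit.MINUTES);
        }
        return new IOidcAuthenticationFlow.AuthResponse(oIDCTokens, expiration);
    }

    /**
     * Returns the {@code sub} claim of the ID token, or of the access token when there is
     * no ID token.
     *
     * <p>The token is only parsed here, not verified. See {@link #getJWT(OIDCTokens)}.
     *
     * @param oIDCTokens tokens to read the subject from.
     * @return the subject claim, as returned by the claims set.
     * @throws IOException if neither token is present or the token is not a parseable JWT.
     */
    public static String getSubject(OIDCTokens oIDCTokens) throws IOException {
        // Same token selection and error messages as getJWT, so delegate instead of duplicating.
        return getJWT(oIDCTokens).getSubject();
    }

    /**
     * Returns the claims of the ID token, or of the access token parsed as a JWT when
     * there is no ID token.
     *
     * <p>No signature or claims verification happens in this method. Only pass tokens that
     * were already validated, and do not base authorization decisions on claims of tokens
     * obtained any other way.
     *
     * @param oIDCTokens tokens to read the claims from.
     * @return the JWT claims set of the selected token.
     * @throws IOException if neither token is present or the token is not a parseable JWT.
     */
    public static JWTClaimsSet getJWT(OIDCTokens oIDCTokens) throws IOException {
        JWT idToken = oIDCTokens.getIDToken();
        if (idToken != null) {
            try {
                return idToken.getJWTClaimsSet();
            } catch (ParseException e) {
                throw new IOException("ID token is not valid JWT: " + e.getLocalizedMessage(), e);
            }
        }
        AccessToken accessToken = oIDCTokens.getAccessToken();
        if (accessToken == null) {
            throw new IOException("No ID token nor access token");
        }
        try {
            return JWTParser.parse(accessToken.getValue()).getJWTClaimsSet();
        } catch (ParseException e) {
            throw new IOException("Access token is not a valid JWT: " + e.getLocalizedMessage(), e);
        }
    }
}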
