package be.atbash.ee.security.octopus.sso.client.requestor;

import be.atbash.ee.security.octopus.config.Debug;
import be.atbash.ee.security.octopus.config.OctopusCoreConfiguration;
import be.atbash.ee.security.octopus.sso.client.OpenIdVariableClientData;
import be.atbash.ee.security.octopus.sso.client.config.OctopusSSOServerClientConfiguration;
import be.atbash.ee.security.octopus.sso.client.debug.CorrelationCounter;
import be.atbash.ee.security.octopus.sso.core.OctopusRetrievalException;
import be.atbash.ee.security.octopus.sso.core.rest.PrincipalUserInfoJSONProvider;
import be.atbash.ee.security.octopus.sso.core.token.OctopusSSOToken;
import be.atbash.ee.security.octopus.sso.core.token.OctopusSSOTokenConverter;
import be.atbash.util.exception.AtbashUnexpectedException;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.crypto.MACVerifier;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.oauth2.sdk.ErrorObject;
import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.http.HTTPRequest;
import com.nimbusds.oauth2.sdk.http.HTTPResponse;
import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
import com.nimbusds.openid.connect.sdk.Nonce;
import com.nimbusds.openid.connect.sdk.UserInfoErrorResponse;
import com.nimbusds.openid.connect.sdk.UserInfoRequest;
import com.nimbusds.openid.connect.sdk.UserInfoResponse;
import com.nimbusds.openid.connect.sdk.UserInfoSuccessResponse;
import com.nimbusds.openid.connect.sdk.claims.UserInfo;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;

/* loaded from: input_file:be/atbash/ee/security/octopus/sso/client/requestor/OctopusUserRequestor.class */
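public class OctopusUserRequestor extends AbstractRequestor {

    private final OctopusSSOTokenConverter octopusSSOTokenConverter;
    private final PrincipalUserInfoJSONProvider userInfoJSONProvider;
    private final CustomUserInfoValidator customUserInfoValidator;

    /**
     * Creates a requestor for the SSO server's UserInfo endpoint.
     *
     * @param octopusCoreConfiguration            core configuration, consulted for the {@link Debug#SSO_REST} flag
     * @param octopusSSOServerClientConfiguration client configuration supplying the UserInfo endpoint, the expected
     *                                            issuer, the client id and the shared HMAC secret
     * @param octopusSSOTokenConverter            converts validated claims into an {@link OctopusSSOToken}
     * @param principalUserInfoJSONProvider       JSON provider handed to the converter
     * @param customUserInfoValidator             optional additional claim validation hook; may be {@code null}
     */
    public OctopusUserRequestor(OctopusCoreConfiguration octopusCoreConfiguration, OctopusSSOServerClientConfiguration octopusSSOServerClientConfiguration, OctopusSSOTokenConverter octopusSSOTokenConverter, PrincipalUserInfoJSONProvider principalUserInfoJSONProvider, CustomUserInfoValidator customUserInfoValidator) {
        // Defined on AbstractRequestor; presumably populates 'configuration' and 'coreConfiguration' read below.
        setConfiguration(octopusCoreConfiguration, octopusSSOServerClientConfiguration);
        this.octopusSSOTokenConverter = octopusSSOTokenConverter;
        this.userInfoJSONProvider = principalUserInfoJSONProvider;
        this.customUserInfoValidator = customUserInfoValidator;
    }

    /**
     * Calls the UserInfo endpoint with the given access token and converts the returned claims into an
     * {@link OctopusSSOToken}.
     * <p>
     * A signed-JWT response is verified with an HMAC verifier built from the configured SSO id-token secret before
     * any claim is read. A plain JSON response carries no signature; its claims are taken as delivered, so the
     * integrity of that path rests on the transport to the configured endpoint. The claims are then checked by
     * {@link #validateUserInfo} and, when one is configured, by the custom validator; all failing claim names are
     * reported together in a single error.
     *
     * @param openIdVariableClientData per-request client data (root URL and nonce) used for claim validation
     * @param bearerAccessToken        access token sent to the endpoint and attached to the resulting SSO token
     * @return the SSO token built from the validated claims
     * @throws URISyntaxException        when the configured UserInfo endpoint is not a valid URI
     * @throws ParseException            when the HTTP response is not a valid UserInfo response
     * @throws JOSEException             when the JWT signature cannot be checked
     * @throws java.text.ParseException  when the JWT claims cannot be parsed
     * @throws OctopusRetrievalException when the endpoint answers with an error, the JWT signature does not verify
     *                                   (OCT-SSO-CLIENT-015) or claim validation fails (OCT-SSO-CLIENT-016)
     * @throws AtbashUnexpectedException wrapping the {@link IOException} of a failed HTTP exchange
     */
    public OctopusSSOToken getOctopusSSOToken(OpenIdVariableClientData openIdVariableClientData, BearerAccessToken bearerAccessToken) throws URISyntaxException, ParseException, JOSEException, java.text.ParseException, OctopusRetrievalException {
        HTTPRequest request = new UserInfoRequest(new URI(this.configuration.getUserInfoEndpoint()), bearerAccessToken).toHTTPRequest();

        boolean traceRest = this.coreConfiguration.showDebugFor().contains(Debug.SSO_REST);
        // -1 marks "no correlation id"; a real one is only drawn when the exchange is being traced.
        int correlationId = -1;
        if (traceRest) {
            correlationId = CorrelationCounter.VALUE.getAndIncrement();
            showRequest(correlationId, request);
        }

        try {
            HTTPResponse response = request.send();
            if (traceRest) {
                showResponse(correlationId, response);
            }

            UserInfo userInfo = extractUserInfo(UserInfoResponse.parse(response));

            List<String> failedClaims = validateUserInfo(userInfo, openIdVariableClientData);
            if (this.customUserInfoValidator != null) {
                // The hook receives the built-in findings and returns the final list (it may add to or replace them).
                failedClaims = this.customUserInfoValidator.validateUserInfo(userInfo, openIdVariableClientData, failedClaims);
            }
            if (!failedClaims.isEmpty()) {
                throw new OctopusRetrievalException(new ErrorObject("OCT-SSO-CLIENT-016", "JWT claim Validation failed : " + String.join(", ", failedClaims)));
            }

            OctopusSSOToken token = this.octopusSSOTokenConverter.fromUserInfo(userInfo, this.userInfoJSONProvider);
            token.setBearerAccessToken(bearerAccessToken);
            return token;
        } catch (IOException e) {
            throw new AtbashUnexpectedException(e);
        }
    }

    /**
     * Turns a parsed UserInfo response into its claims, rejecting error responses and JWTs whose HMAC does not verify.
     *
     * @param response the parsed response, either a success or an error response
     * @return the claims carried by a successful response
     * @throws JOSEException             when the signature check itself cannot be performed
     * @throws java.text.ParseException  when the JWT claims cannot be parsed
     * @throws OctopusRetrievalException for an error response, or when the JWT signature does not verify
     */
    private UserInfo extractUserInfo(UserInfoResponse response) throws JOSEException, java.text.ParseException, OctopusRetrievalException {
        if (!response.indicatesSuccess()) {
            throw new OctopusRetrievalException(((UserInfoErrorResponse) response).getErrorObject());
        }
        UserInfoSuccessResponse success = (UserInfoSuccessResponse) response;

        SignedJWT userInfoJWT = success.getUserInfoJWT();
        if (userInfoJWT == null) {
            // Plain JSON body: there is no signature to check, the claims are used as delivered.
            return success.getUserInfo();
        }
        // MACVerifier only accepts the HMAC (HS*) algorithm family, so the shared secret cannot be paired with an
        // asymmetric 'alg' header; the check below fails for any other algorithm rather than silently passing.
        if (!userInfoJWT.verify(new MACVerifier(this.configuration.getSSOIdTokenSecret()))) {
            throw new OctopusRetrievalException(new ErrorObject("OCT-SSO-CLIENT-015", "JWT Signature Validation failed"));
        }
        return new UserInfo(userInfoJWT.getJWTClaimsSet());
    }

    /**
     * Checks the standard claims against what this client expects and names every claim that fails.
     * <p>
     * The {@code nonce} and {@code aud} checks run only when the client data carries a root URL; without one those
     * two claims are not validated at all, so callers relying on replay and audience protection must supply it.
     * The {@code exp} check compares against the current time with no clock-skew allowance; {@code iat} and
     * {@code nbf} are not checked here.
     *
     * @param userInfo                 the claims to validate
     * @param openIdVariableClientData the expected nonce and the root URL that enables the nonce/aud checks
     * @return the names of the failing claims, empty when everything matches
     */
    private List<String> validateUserInfo(UserInfo userInfo, OpenIdVariableClientData openIdVariableClientData) {
        List<String> failedClaims = new ArrayList<>();
        boolean hasRootURL = openIdVariableClientData.getRootURL() != null;

        // A missing 'nonce' claim presumably parses to null and therefore fails the equality check — verify against Nonce.parse.
        if (hasRootURL && !openIdVariableClientData.getNonce().equals(Nonce.parse(userInfo.getStringClaim("nonce")))) {
            failedClaims.add("nonce");
        }
        if (!this.configuration.getOctopusSSOServer().equals(userInfo.getStringClaim("iss"))) {
            failedClaims.add("iss");
        }
        Date expiration = userInfo.getDateClaim("exp");
        if (expiration == null || expiration.before(new Date())) {
            failedClaims.add("exp");
        }
        // Compares 'aud' as a single string; an audience delivered as an array presumably does not match — confirm.
        if (hasRootURL && !this.configuration.getSSOClientId().equals(userInfo.getStringClaim("aud"))) {
            failedClaims.add("aud");
        }
        return failedClaims;
    }
}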
