package no.nav.brukerdialog.security.oidc;

import java.security.Key;
import java.util.Optional;
import no.nav.brukerdialog.security.jwks.CacheMissAction;
import no.nav.brukerdialog.security.jwks.JwtHeader;
import no.nav.brukerdialog.security.oidc.provider.OidcProvider;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.MalformedClaimException;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.jwx.JsonWebStructure;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:no/nav/brukerdialog/security/oidc/OidcTokenValidator.class */
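/**
 * Validates an OIDC token (JWS compact serialization) against the keys and
 * expectations supplied by an {@link OidcProvider}.
 *
 * <p>Order of checks: the <em>unverified</em> header is parsed to obtain
 * {@code kid}/{@code alg}, the matching verification key is looked up in the
 * provider's JWKS, and only then is the token fully processed by a jose4j
 * consumer that requires {@code exp} and {@code sub}, checks issuer, audience
 * and signature, and tolerates {@value #ALLOWED_CLOCK_SKEW_IN_SECONDS} seconds
 * of clock skew. Every failure is reported as an invalid
 * {@link OidcTokenValidatorResult}; no exception escapes {@code validate}.
 *
 * <p>Instances hold no mutable state.
 */
public class OidcTokenValidator {
    private static final Logger logger = LoggerFactory.getLogger(OidcTokenValidator.class);
    /** Tolerance applied by jose4j to the time-based claim checks, in seconds. */
    private static final int ALLOWED_CLOCK_SKEW_IN_SECONDS = 30;

    /**
     * Validates {@code str}, refreshing the provider's key cache when the header's
     * {@code kid} is unknown (see {@link CacheMissAction#REFRESH}).
     *
     * @param str the token, may be {@code null}
     * @param oidcProvider source of verification keys and expected issuer/audience
     * @return the validation result, never {@code null}
     */
    public OidcTokenValidatorResult validate(String str, OidcProvider oidcProvider) {
        return validate(str, oidcProvider, CacheMissAction.REFRESH);
    }

    /**
     * Validates {@code str} against {@code oidcProvider}.
     *
     * @param str the token; {@code null} yields an invalid result rather than an exception
     * @param oidcProvider source of verification keys, expected issuer and expected audience
     * @param cacheMissAction what the provider should do when the header's {@code kid} is not cached
     * @return a valid result carrying the parsed claims, or an invalid result with a reason
     */
    public OidcTokenValidatorResult validate(String str, OidcProvider oidcProvider, CacheMissAction cacheMissAction) {
        if (str == null) {
            return OidcTokenValidatorResult.invalid("Missing token (token was null)");
        }
        try {
            // kid and alg come from the unverified header and are attacker-controlled until the
            // signature check below succeeds; they must only be used to select a candidate key.
            // With CacheMissAction.REFRESH an unknown kid presumably triggers a JWKS fetch, so the
            // provider is expected to bound how often that can happen — confirm against OidcProvider.
            JwtHeader header = getHeader(str);
            Key verificationKey = oidcProvider.getVerificationKey(header, cacheMissAction).orElse(null);
            if (verificationKey == null) {
                return OidcTokenValidatorResult.invalid(String.format("Jwt (%s) is not in jwks", header));
            }
            String expectedIssuer = oidcProvider.getExpectedIssuer();
            if (expectedIssuer == null) {
                return OidcTokenValidatorResult.invalid("Expected issuer must be configured.");
            }
            String expectedAudience = oidcProvider.getExpectedAudience(str);
            // NOTE(review): when the provider supplies no expected audience, the token's own aud
            // claim becomes the expectation and the claim is not required, i.e. the audience is
            // effectively unchecked for that provider. Confirm this is intended.
            boolean requireAudienceClaim = expectedAudience != null;
            String audience = requireAudienceClaim ? expectedAudience : OidcTokenUtils.getTokenAud(str);
            try {
                JwtClaims claims = new JwtConsumerBuilder()
                        .setRequireExpirationTime()
                        .setAllowedClockSkewInSeconds(ALLOWED_CLOCK_SKEW_IN_SECONDS)
                        .setRequireSubject()
                        .setExpectedIssuer(expectedIssuer)
                        .setExpectedAudience(requireAudienceClaim, new String[]{audience})
                        // No JWS algorithm constraint is set here, so jose4j's defaults apply.
                        // NOTE(review): consider pinning the permitted algorithms (e.g. via
                        // setJwsAlgorithmConstraints) to those the provider's keys are issued for.
                        .setVerificationKey(verificationKey)
                        .build()
                        .processToClaims(str);
                // Parameterized logging: the message is only assembled when debug is enabled.
                logger.debug("OIDC validation OK:{}", claims.getSubject());
                return OidcTokenValidatorResult.valid(claims);
            } catch (InvalidJwtException e) {
                logger.info("Feil ved validering av token.", e);
                return OidcTokenValidatorResult.invalid(e.toString());
            } catch (MalformedClaimException e) {
                return OidcTokenValidatorResult.invalid("Malformed claim: " + e.toString());
            }
        } catch (InvalidJwtException e) {
            // Thrown by getHeader: the token could not even be parsed as a JOSE structure.
            return OidcTokenValidatorResult.invalid("Invalid OIDC " + e.getMessage());
        }
    }

    /**
     * Extracts {@code kid} and {@code alg} from the token's JOSE header without verifying anything.
     *
     * <p>All validators, key validation and the signature check are skipped, so the returned
     * values are untrusted and are only suitable for choosing which verification key to try.
     *
     * @param str the token to parse
     * @return the header's key id ({@code ""} when absent) and algorithm
     * @throws InvalidJwtException if {@code str} cannot be parsed as a JOSE structure
     */
    private JwtHeader getHeader(String str) throws InvalidJwtException {
        JsonWebStructure joseObject = (JsonWebStructure) new JwtConsumerBuilder()
                .setSkipAllValidators()
                .setSkipAllDefaultValidators()
                .setRelaxVerificationKeyValidation()
                .setRelaxDecryptionKeyValidation()
                .setDisableRequireSignature()
                .setSkipSignatureVerification()
                .build()
                .process(str)
                .getJoseObjects()
                .iterator()
                .next();
        // A missing kid is normalised to "" so JwtHeader never carries a null key id.
        String keyId = joseObject.getKeyIdHeaderValue();
        return new JwtHeader(keyId == null ? "" : keyId, joseObject.getAlgorithmHeaderValue());
    }
}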
