package com.nimbusds.oauth2.sdk.jarm;

import com.nimbusds.jwt.EncryptedJWT;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.jwt.PlainJWT;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.oauth2.sdk.AuthorizationResponse;
import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.ResponseMode;
import com.nimbusds.oauth2.sdk.as.AuthorizationServerMetadata;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.id.Issuer;
import com.nimbusds.oauth2.sdk.util.CollectionUtils;
import com.nimbusds.oauth2.sdk.util.MultivaluedMapUtils;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;

/* loaded from: input_file:applicationinsights-agent-3.4.0-BETA.jar:inst/com/nimbusds/oauth2/sdk/jarm/JARMUtils.classdata */
public final class JARMUtils {
    public static final Set<ResponseMode> RESPONSE_MODES = new HashSet(Arrays.asList(ResponseMode.JWT, ResponseMode.QUERY_JWT, ResponseMode.FRAGMENT_JWT, ResponseMode.FORM_POST_JWT));

    public static boolean supportsJARM(AuthorizationServerMetadata authorizationServerMetadata) {
        if (CollectionUtils.isEmpty(authorizationServerMetadata.getAuthorizationJWSAlgs()) || CollectionUtils.isEmpty(authorizationServerMetadata.getResponseModes())) {
            return false;
        }
        Iterator<ResponseMode> it = RESPONSE_MODES.iterator();
        while (it.hasNext()) {
            if (authorizationServerMetadata.getResponseModes().contains(it.next())) {
                return true;
            }
        }
        return false;
    }

    public static JWTClaimsSet toJWTClaimsSet(Issuer issuer, ClientID clientID, Date date, AuthorizationResponse authorizationResponse) {
        if (date == null) {
            throw new IllegalArgumentException("The expiration time must not be null");
        }
        JWTClaimsSet.Builder expirationTime = new JWTClaimsSet.Builder().issuer(issuer.getValue()).audience(clientID.getValue()).expirationTime(date);
        for (Map.Entry entry : MultivaluedMapUtils.toSingleValuedMap(authorizationResponse.toParameters()).entrySet()) {
            if (!"response".equals(entry.getKey())) {
                if ("iss".equals(entry.getKey()) && !issuer.getValue().equals(entry.getValue())) {
                    throw new IllegalArgumentException("Authorization response iss doesn't match JWT iss claim: " + entry.getValue());
                }
                expirationTime = expirationTime.claim((String) entry.getKey(), entry.getValue() + "");
            }
        }
        return expirationTime.build();
    }

    public static Map<String, List<String>> toMultiValuedStringParameters(JWTClaimsSet jWTClaimsSet) {
        HashMap hashMap = new HashMap();
        for (Map.Entry<String, Object> entry : jWTClaimsSet.getClaims().entrySet()) {
            hashMap.put(entry.getKey(), Collections.singletonList(entry.getValue() + ""));
        }
        return hashMap;
    }

    public static boolean impliesAuthorizationErrorResponse(String str) throws ParseException {
        try {
            return impliesAuthorizationErrorResponse(JWTParser.parse(str));
        } catch (java.text.ParseException e) {
            throw new ParseException("Invalid JWT-secured authorization response: " + e.getMessage(), e);
        }
    }

    public static boolean impliesAuthorizationErrorResponse(JWT jwt) throws ParseException {
        if (jwt instanceof PlainJWT) {
            throw new ParseException("Invalid JWT-secured authorization response: The JWT must not be plain (unsecured)");
        }
        if (jwt instanceof EncryptedJWT) {
            return false;
        }
        if (!(jwt instanceof SignedJWT)) {
            throw new ParseException("Unexpected JWT type");
        }
        try {
            return ((SignedJWT) jwt).getJWTClaimsSet().getStringClaim("error") != null;
        } catch (java.text.ParseException e) {
            throw new ParseException("Invalid JWT claims set: " + e.getMessage());
        }
    }

    private JARMUtils() {
    }
}
