package com.microsoft.azure.spring.autoconfigure.aad;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSObject;
import com.nimbusds.jose.jwk.source.RemoteJWKSet;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jose.util.ResourceRetriever;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.proc.BadJWTException;
import com.nimbusds.jwt.proc.ConfigurableJWTProcessor;
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import java.net.MalformedURLException;
import java.net.URL;
import java.text.ParseException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/microsoft/azure/spring/autoconfigure/aad/UserPrincipalManager.class */
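/**
 * Validates AAD-issued JWTs and wraps them as {@link UserPrincipal}s.
 *
 * <p>Signatures are verified with RS256 keys fetched (and cached by
 * {@link RemoteJWKSet}) from the key discovery URI supplied by
 * {@link ServiceEndpoints#getAadKeyDiscoveryUri()}. The claims verifier then
 * applies the Nimbus default checks plus an issuer check: the {@code iss}
 * claim must <em>start with</em> one of the trusted AAD STS URLs. A plain
 * substring match was used before, which would also have accepted an issuer
 * such as {@code https://evil.example/https://sts.windows.net/}.
 *
 * <p>NOTE(review): no audience ({@code aud}) check is performed here, so any
 * token signed by the configured AAD keys is accepted regardless of which
 * application it was issued for; confirm that callers enforce the audience.
 */
public class UserPrincipalManager {
    private static final Logger LOG = LoggerFactory.getLogger(UserPrincipalManager.class);

    /** Trusted issuer URL prefixes: global AAD and the China cloud STS. */
    private static final String[] TRUSTED_ISSUER_PREFIXES = {
        "https://sts.windows.net/",
        "https://sts.chinacloudapi.cn/"
    };

    private final ServiceEndpoints serviceEndpoints;
    private final ResourceRetriever resourceRetriever;
    private final ConfigurableJWTProcessor<SecurityContext> validator;

    /**
     * @param serviceEndpoints  source of the AAD key discovery URI
     * @param resourceRetriever retriever handed to {@link RemoteJWKSet} for fetching the JWK set
     * @throws IllegalStateException if the key discovery URI is not a well-formed URL
     */
    public UserPrincipalManager(ServiceEndpoints serviceEndpoints, ResourceRetriever resourceRetriever) {
        this.serviceEndpoints = serviceEndpoints;
        this.resourceRetriever = resourceRetriever;
        // Must be built here, after the two fields above are assigned. As a
        // field initializer it would run before the constructor body and
        // dereference a still-null serviceEndpoints.
        this.validator = getAadJwtTokenValidator();
    }

    /**
     * Verifies the signature and claims of a compact-serialised JWT and
     * returns the corresponding principal.
     *
     * @param str the raw JWT as received from the client
     * @return a principal wrapping the parsed JWS object and its verified claims
     * @throws ParseException   if {@code str} is not a well-formed JWS
     * @throws JOSEException    on a signature-processing failure
     * @throws BadJOSEException if the signature, key selection, or a claim
     *                          (expiry, not-before, issuer) check fails
     */
    public UserPrincipal buildUserPrincipal(String str) throws ParseException, JOSEException, BadJOSEException {
        JWTClaimsSet claims = this.validator.process(str, (SecurityContext) null);
        // Belt-and-braces: run the claims verifier explicitly as well, so the
        // issuer check cannot be skipped by a processor configuration change.
        this.validator.getJWTClaimsSetVerifier().verify(claims, (SecurityContext) null);
        return new UserPrincipal(JWSObject.parse(str), claims);
    }

    /**
     * Builds the JWT processor: RS256-only key selection against the AAD JWK
     * set, plus a claims verifier that adds the trusted-issuer check.
     *
     * @throws IllegalStateException if the key discovery URI cannot be parsed
     */
    private ConfigurableJWTProcessor<SecurityContext> getAadJwtTokenValidator() {
        final URL keyDiscoveryUrl;
        try {
            keyDiscoveryUrl = new URL(this.serviceEndpoints.getAadKeyDiscoveryUri());
        } catch (MalformedURLException e) {
            LOG.error("Failed to parse active directory key discovery uri.", e);
            throw new IllegalStateException("Failed to parse active directory key discovery uri.", e);
        }

        DefaultJWTProcessor<SecurityContext> processor = new DefaultJWTProcessor<SecurityContext>();
        // Pin the algorithm to RS256: tokens carrying any other "alg" are rejected
        // before a key is even looked up.
        processor.setJWSKeySelector(new JWSVerificationKeySelector<SecurityContext>(
                JWSAlgorithm.RS256,
                new RemoteJWKSet<SecurityContext>(keyDiscoveryUrl, this.resourceRetriever)));
        processor.setJWTClaimsSetVerifier(new DefaultJWTClaimsVerifier<SecurityContext>() {
            @Override
            public void verify(JWTClaimsSet claimsSet, SecurityContext context) throws BadJWTException {
                super.verify(claimsSet, context);
                if (!isTrustedIssuer(claimsSet.getIssuer())) {
                    throw new BadJWTException("Invalid token issuer");
                }
            }
        });
        return processor;
    }

    /**
     * Returns whether {@code issuer} begins with one of the trusted AAD STS
     * prefixes. Uses a prefix match rather than {@code contains} so a hostile
     * issuer cannot satisfy the check by embedding a trusted URL mid-string.
     *
     * @param issuer the {@code iss} claim, possibly {@code null}
     */
    private static boolean isTrustedIssuer(String issuer) {
        if (issuer == null) {
            return false;
        }
        for (String prefix : TRUSTED_ISSUER_PREFIXES) {
            if (issuer.startsWith(prefix)) {
                return true;
            }
        }
        return false;
    }
}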
