package org.apache.cxf.rs.security.oidc.rp;

import java.util.concurrent.ConcurrentHashMap;
import org.apache.cxf.jaxrs.client.WebClient;
import org.apache.cxf.rs.security.jose.jwe.JweDecryptionProvider;
import org.apache.cxf.rs.security.jose.jwe.JweJwtCompactConsumer;
import org.apache.cxf.rs.security.jose.jwe.JweUtils;
import org.apache.cxf.rs.security.jose.jwk.JsonWebKey;
import org.apache.cxf.rs.security.jose.jwk.JsonWebKeys;
import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer;
import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
import org.apache.cxf.rs.security.jose.jws.JwsUtils;
import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
import org.apache.cxf.rs.security.jose.jwt.JwtToken;
import org.apache.cxf.rs.security.jose.jwt.JwtUtils;

/* loaded from: input_file:org/apache/cxf/rs/security/oidc/rp/AbstractTokenValidator.class */
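public abstract class AbstractTokenValidator {
    private static final String SELF_ISSUED_ISSUER = "https://self-issued.me";
    private JweDecryptionProvider jweDecryptor;
    private JwsSignatureVerifier jwsVerifier;
    private String issuerId;
    private int issuedAtRange;
    private int clockOffset;
    private WebClient jwkSetClient;
    private boolean supportSelfIssuedProvider;
    // Provider keys by key id; only ever populated from a JWK set fetched through jwkSetClient.
    private final ConcurrentHashMap<String, JsonWebKey> keyMap = new ConcurrentHashMap<>();

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Parses a compact token, decrypting it first when a decryption provider is
     * available, and verifies its JWS signature.
     * <p>
     * Claims (issuer, audience, subject, time) are NOT checked here; callers are
     * expected to pass the returned token's claims to {@link #validateJwtClaims}.
     *
     * @param str the serialized token (a JWE when a decryption provider is available, otherwise a JWS)
     * @param z   when {@code true} the token is JWE-only and its decrypted payload is returned
     *            without any signature check; when {@code false} the decrypted payload is
     *            parsed and verified as a JWS
     * @return the parsed token, signature-verified unless {@code z} is {@code true}
     * @throws SecurityException if {@code str} is {@code null}, no signature verifier can be
     *                           resolved, or the signature does not verify
     */
    public JwtToken getJwtToken(String str, boolean z) {
        if (str == null) {
            throw new SecurityException("ID Token is missing");
        }
        // Use the provider resolved here rather than the field: the field is null when the
        // provider is loaded by JweUtils instead of being set through setJweDecryptor, and
        // using the field in that case would throw a NullPointerException.
        JweDecryptionProvider decryptor = getInitializedDecryptionProvider(z);
        if (decryptor != null) {
            if (z) {
                // JWE-only: decryption is the whole check, there is no inner JWS to verify.
                return new JweJwtCompactConsumer(str).decryptWith(decryptor);
            }
            str = decryptor.decrypt(str).getContentText();
        }
        JwsJwtCompactConsumer jwsConsumer = new JwsJwtCompactConsumer(str);
        JwtToken jwtToken = jwsConsumer.getJwtToken();
        return validateToken(jwsConsumer, jwtToken, getInitializedSigVerifier(jwtToken));
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Validates the issuer, subject, audience and time claims of a token.
     *
     * @param jwtClaims the claims to validate
     * @param str       the expected audience value
     * @param z         whether the issuer and audience claims are mandatory; when {@code false}
     *                  a token that omits either claim passes that particular check, and the
     *                  same flag is handed to {@link JwtUtils#validateJwtTimeClaims}
     * @throws SecurityException if the issuer does not match the configured issuer id, the
     *                           subject is missing, the audience does not match {@code str},
     *                           or a mandatory claim is absent
     */
    public void validateJwtClaims(JwtClaims jwtClaims, String str, boolean z) {
        String issuer = jwtClaims.getIssuer();
        if (issuer == null && z) {
            throw new SecurityException("Invalid provider");
        }
        // Self-issued OP is accepted only when explicitly enabled and no issuer id is configured.
        // This returns early: the subject, audience and time claims are not checked for such tokens.
        if (this.supportSelfIssuedProvider && this.issuerId == null && SELF_ISSUED_ISSUER.equals(issuer)) {
            return;
        }
        if (issuer != null && !issuer.equals(this.issuerId)) {
            throw new SecurityException("Invalid provider");
        }
        if (jwtClaims.getSubject() == null) {
            throw new SecurityException("Invalid subject");
        }
        String audience = jwtClaims.getAudience();
        if (audience == null) {
            if (z) {
                throw new SecurityException("Invalid audience");
            }
        } else if (!audience.equals(str)) {
            // Compared from the claim side so a null expected audience is rejected
            // as "Invalid audience" rather than surfacing as a NullPointerException.
            throw new SecurityException("Invalid audience");
        }
        JwtUtils.validateJwtTimeClaims(jwtClaims, this.clockOffset, this.issuedAtRange, z);
    }

    /**
     * Verifies the token's JWS signature with the given verifier.
     *
     * @param jwsJwtCompactConsumer the consumer holding the compact JWS
     * @param jwtToken              the token parsed from that JWS
     * @param jwsSignatureVerifier  the verifier to use
     * @return {@code jwtToken} when the signature verifies
     * @throws SecurityException when the signature does not verify
     */
    protected JwtToken validateToken(JwsJwtCompactConsumer jwsJwtCompactConsumer, JwtToken jwtToken, JwsSignatureVerifier jwsSignatureVerifier) {
        if (!jwsJwtCompactConsumer.verifySignatureWith(jwsSignatureVerifier)) {
            throw new SecurityException("Invalid Signature");
        }
        return jwtToken;
    }

    /** Sets the decryption provider used for encrypted tokens; takes precedence over one loaded by JweUtils. */
    public void setJweDecryptor(JweDecryptionProvider jweDecryptionProvider) {
        this.jweDecryptor = jweDecryptionProvider;
    }

    /**
     * Sets the JWS signature verifier; it takes precedence over verifiers loaded by JwsUtils
     * and over the JWK set client. The method name is kept as-is for compatibility even
     * though it configures the JWS (not JWE) verifier.
     */
    public void setJweVerifier(JwsSignatureVerifier jwsSignatureVerifier) {
        this.jwsVerifier = jwsSignatureVerifier;
    }

    /** Sets the issuer id every non-self-issued token must carry in its {@code iss} claim. */
    public void setIssuerId(String str) {
        this.issuerId = str;
    }

    /** Sets the client used to fetch the provider's JWK set when no verifier is configured. */
    public void setJwkSetClient(WebClient webClient) {
        this.jwkSetClient = webClient;
    }

    /** Sets the accepted range for the {@code iat} claim, passed on to {@link JwtUtils#validateJwtTimeClaims}. */
    public void setIssuedAtRange(int i) {
        this.issuedAtRange = i;
    }

    /**
     * Returns the configured decryption provider, or one loaded by JweUtils when none is set.
     *
     * @param z passed through to {@link JweUtils#loadDecryptionProvider}
     * @return the provider, or {@code null} if neither source yields one
     */
    protected JweDecryptionProvider getInitializedDecryptionProvider(boolean z) {
        if (this.jweDecryptor != null) {
            return this.jweDecryptor;
        }
        return JweUtils.loadDecryptionProvider(z);
    }

    /**
     * Resolves the signature verifier for a token, in this order: the configured verifier,
     * a verifier loaded by JwsUtils, and finally a key from the provider's JWK set selected by
     * the token's {@code kid} header (or the set's single key when the header is absent).
     * <p>
     * Only the JWK-set path honours the token's key id; the first two sources are used as-is.
     * Any key id not already cached triggers a fetch of the whole JWK set through jwkSetClient.
     *
     * @param jwtToken the token whose header supplies the key id
     * @return a non-null verifier
     * @throws SecurityException if no JWK set client is configured, no matching key is found,
     *                           or no verifier can be built for the key
     */
    protected JwsSignatureVerifier getInitializedSigVerifier(JwtToken jwtToken) {
        if (this.jwsVerifier != null) {
            return this.jwsVerifier;
        }
        JwsSignatureVerifier loaded = JwsUtils.loadSignatureVerifier(false);
        if (loaded != null) {
            return loaded;
        }
        String keyId = jwtToken.getHeaders().getKeyId();
        JsonWebKey key = keyId == null ? null : this.keyMap.get(keyId);
        if (key == null) {
            key = fetchProviderKey(keyId);
        }
        if (key == null) {
            throw new SecurityException("JWK key with the key id: \"" + keyId + "\" is not available");
        }
        JwsSignatureVerifier verifier = JwsUtils.getSignatureVerifier(key);
        if (verifier == null) {
            throw new SecurityException("JWS Verifier is not available");
        }
        return verifier;
    }

    /**
     * Fetches the provider's JWK set, caches every key it carries, and returns the key for
     * {@code keyId} — or, when {@code keyId} is {@code null}, the set's only key.
     *
     * @return the selected key, or {@code null} if the set has no such key (or several keys and no key id)
     * @throws SecurityException if no JWK set client is configured
     */
    private JsonWebKey fetchProviderKey(String keyId) {
        if (this.jwkSetClient == null) {
            throw new SecurityException("Provider Jwk Set Client is not available");
        }
        JsonWebKeys jwks = this.jwkSetClient.get(JsonWebKeys.class);
        JsonWebKey key = null;
        if (keyId != null) {
            key = jwks.getKey(keyId);
        } else if (jwks.getKeys().size() == 1) {
            key = jwks.getKeys().get(0);
        }
        this.keyMap.putAll(jwks.getKeyIdMap());
        return key;
    }

    /** Sets the allowed clock skew, passed on to {@link JwtUtils#validateJwtTimeClaims}. */
    public void setClockOffset(int i) {
        this.clockOffset = i;
    }

    /** Enables acceptance of tokens from the self-issued provider {@value #SELF_ISSUED_ISSUER}. */
    public void setSupportSelfIssuedProvider(boolean z) {
        this.supportSelfIssuedProvider = z;
    }
}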
