package org.apache.cxf.rs.security.oidc.rp;

import java.util.Arrays;
import java.util.List;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.core.MultivaluedMap;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.SecurityContext;
import javax.ws.rs.core.UriBuilder;
import javax.ws.rs.core.UriInfo;
import org.apache.cxf.common.util.StringUtils;
import org.apache.cxf.jaxrs.utils.ExceptionUtils;
import org.apache.cxf.rs.security.oauth2.client.ClientCodeRequestFilter;
import org.apache.cxf.rs.security.oauth2.client.ClientTokenContext;
import org.apache.cxf.rs.security.oauth2.common.ClientAccessToken;
import org.apache.cxf.rs.security.oidc.common.IdToken;

/* loaded from: input_file:org/apache/cxf/rs/security/oidc/rp/OidcClientCodeRequestFilter.class */
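/**
 * OpenID Connect relying-party flavour of {@link ClientCodeRequestFilter}.
 *
 * <p>On top of the inherited authorization-code handling this filter:
 * <ul>
 *   <li>adds the OIDC request parameters ({@code claims}, {@code claims_locales},
 *       {@code nonce}, {@code max_age}, {@code acr_values}, {@code prompt}) to the
 *       authorization redirect;</li>
 *   <li>reads the ID token that accompanies the access token and validates it against
 *       the saved request state (nonce, max_age bound, accepted ACR values);</li>
 *   <li>installs an {@link OidcSecurityContext} on the request once validation passes.</li>
 * </ul>
 *
 * <p>Every validation failure is reported through
 * {@code ExceptionUtils.toNotAuthorizedException}.
 */
public class OidcClientCodeRequestFilter extends ClientCodeRequestFilter {
    private static final String ACR_PARAMETER = "acr_values";
    private static final String PROMPT_PARAMETER = "prompt";
    private static final String MAX_AGE_PARAMETER = "max_age";
    // The only values setPromptLogin accepts.
    private static final List<String> PROMPTS = Arrays.asList("none", "consent", "login", "select_account");
    private IdTokenReader idTokenReader;
    // ACR values accepted in the ID token and requested through acr_values.
    private List<String> authenticationContextRef;
    private String promptLogin;
    // Offset added to System.currentTimeMillis() when the code request state is created.
    private Long maxAgeOffset;
    private String claims;
    private String claimsLocales;

    /**
     * Sets the accepted Authentication Context Class Reference values.
     *
     * @param str the accepted values, separated by single spaces
     */
    public void setAuthenticationContextRef(String str) {
        this.authenticationContextRef = Arrays.asList(StringUtils.split(str, " "));
    }

    /**
     * Builds the token context for the current request.
     *
     * <p>If the request already carries an {@link OidcSecurityContext}, its context is
     * returned unchanged. Otherwise, when an access token is available, the ID token is
     * read and validated, user info is fetched if the reader is a {@link UserInfoClient},
     * and a new {@link OidcSecurityContext} is installed on the request.
     *
     * @param containerRequestContext the current request
     * @param clientAccessToken the access token, or {@code null} if none was obtained
     * @param multivaluedMap the saved code request state used to validate the ID token
     * @return the existing or newly created token context
     */
    protected ClientTokenContext createTokenContext(ContainerRequestContext containerRequestContext, ClientAccessToken clientAccessToken, MultivaluedMap<String, String> multivaluedMap) {
        if (containerRequestContext.getSecurityContext() instanceof OidcSecurityContext) {
            return ((OidcSecurityContext) containerRequestContext.getSecurityContext()).getOidcContext();
        }
        OidcClientTokenContextImpl oidcClientTokenContextImpl = new OidcClientTokenContextImpl();
        if (clientAccessToken != null) {
            IdToken idToken = this.idTokenReader.getIdToken(clientAccessToken, getConsumer().getKey());
            // Validate before anything derived from the token is stored or published.
            validateIdToken(idToken, multivaluedMap);
            oidcClientTokenContextImpl.setIdToken(idToken);
            if (this.idTokenReader instanceof UserInfoClient) {
                oidcClientTokenContextImpl.setUserInfo(((UserInfoClient) this.idTokenReader).getUserInfo(clientAccessToken, oidcClientTokenContextImpl.getIdToken()));
            }
            containerRequestContext.setSecurityContext(new OidcSecurityContext(oidcClientTokenContextImpl));
        }
        return oidcClientTokenContextImpl;
    }

    /**
     * Extends the inherited code request state with a {@code max_age} entry when a
     * max-age offset is configured.
     *
     * <p>The stored value is {@code System.currentTimeMillis() + maxAgeOffset}, i.e. an
     * absolute millisecond timestamp. The same value is later forwarded to the provider
     * by {@link #setAdditionalCodeRequestParams} and compared with the ID token
     * authentication time in {@code validateIdToken}.
     *
     * @param containerRequestContext the current request
     * @param uriInfo the request URI information
     * @return the state to be saved for this code request
     */
    protected MultivaluedMap<String, String> toCodeRequestState(ContainerRequestContext containerRequestContext, UriInfo uriInfo) {
        MultivaluedMap<String, String> codeRequestState = super.toCodeRequestState(containerRequestContext, uriInfo);
        if (this.maxAgeOffset != null) {
            // NOTE(review): OIDC Core defines max_age as an elapsed time in seconds, whereas
            // this is an absolute timestamp in milliseconds - confirm this is what the
            // provider and validateIdToken are expected to work with.
            codeRequestState.putSingle(MAX_AGE_PARAMETER, Long.toString(System.currentTimeMillis() + this.maxAgeOffset.longValue()));
        }
        return codeRequestState;
    }

    /**
     * Validates the ID token against the saved code request state and the configured
     * ACR values. Any failure is reported as a not-authorized exception.
     *
     * @param idToken the ID token returned by the reader
     * @param multivaluedMap the saved code request state
     */
    private void validateIdToken(IdToken idToken, MultivaluedMap<String, String> multivaluedMap) {
        // The reader's behaviour for a missing ID token is not visible here; reject a
        // null token explicitly instead of failing later with a NullPointerException.
        if (idToken == null) {
            throw ExceptionUtils.toNotAuthorizedException((Throwable) null, (Response) null);
        }

        // The nonce binds the ID token to the code request that was saved in the state.
        // The check only runs when the state carries a nonce.
        String expectedNonce = multivaluedMap.getFirst(IdToken.NONCE_CLAIM);
        if (expectedNonce != null && !expectedNonce.equals(idToken.getNonce())) {
            throw ExceptionUtils.toNotAuthorizedException((Throwable) null, (Response) null);
        }

        if (this.maxAgeOffset != null) {
            String savedLimit = multivaluedMap.getFirst(MAX_AGE_PARAMETER);
            Long authenticationTime = idToken.getAuthenticationTime();
            // A missing bound or a token without an authentication time cannot satisfy
            // the configured max_age policy: reject with 401 rather than an NPE.
            if (savedLimit == null || authenticationTime == null) {
                throw ExceptionUtils.toNotAuthorizedException((Throwable) null, (Response) null);
            }
            long limit;
            try {
                limit = Long.parseLong(savedLimit);
            } catch (NumberFormatException ex) {
                // The state value is not a number; treat it as a failed validation.
                throw ExceptionUtils.toNotAuthorizedException((Throwable) ex, (Response) null);
            }
            // NOTE(review): the bound is a millisecond timestamp (see toCodeRequestState).
            // If getAuthenticationTime() returns the auth_time claim in seconds, as OIDC
            // Core defines it, this comparison can never reject a token - confirm the
            // units and the intended direction of the check.
            if (authenticationTime.longValue() > limit) {
                throw ExceptionUtils.toNotAuthorizedException((Throwable) null, (Response) null);
            }
        }

        // A token without an acr claim is accepted even when ACR values are configured;
        // only a present but unlisted acr is rejected.
        String tokenAcr = idToken.getAuthenticationContextRef();
        if (tokenAcr != null && this.authenticationContextRef != null && !this.authenticationContextRef.contains(tokenAcr)) {
            throw ExceptionUtils.toNotAuthorizedException((Throwable) null, (Response) null);
        }
    }

    /**
     * Sets the reader used to obtain the ID token (and, if it is a
     * {@link UserInfoClient}, the user info) for an access token.
     *
     * @param idTokenReader the reader to use
     */
    public void setIdTokenReader(IdTokenReader idTokenReader) {
        this.idTokenReader = idTokenReader;
    }

    /**
     * Rejects requests that are already authenticated by something other than this
     * filter: a non-OIDC security context with a user principal is not authorized.
     *
     * @param containerRequestContext the current request
     */
    protected void checkSecurityContextStart(ContainerRequestContext containerRequestContext) {
        SecurityContext securityContext = containerRequestContext.getSecurityContext();
        if (!(securityContext instanceof OidcSecurityContext) && securityContext.getUserPrincipal() != null) {
            throw ExceptionUtils.toNotAuthorizedException((Throwable) null, (Response) null);
        }
    }

    /**
     * Adds the OIDC-specific query parameters to the authorization redirect.
     *
     * @param uriBuilder builder of the authorization request URI
     * @param multivaluedMap the code request state, may be {@code null}
     */
    protected void setAdditionalCodeRequestParams(UriBuilder uriBuilder, MultivaluedMap<String, String> multivaluedMap) {
        if (this.claims != null) {
            uriBuilder.queryParam("claims", new Object[]{this.claims});
        }
        if (this.claimsLocales != null) {
            uriBuilder.queryParam("claims_locales", new Object[]{this.claimsLocales});
        }
        if (multivaluedMap != null) {
            String nonce = multivaluedMap.getFirst(IdToken.NONCE_CLAIM);
            if (nonce != null) {
                uriBuilder.queryParam(IdToken.NONCE_CLAIM, new Object[]{nonce});
            }
            String maxAge = multivaluedMap.getFirst(MAX_AGE_PARAMETER);
            if (maxAge != null) {
                uriBuilder.queryParam(MAX_AGE_PARAMETER, new Object[]{maxAge});
            }
        }
        if (this.authenticationContextRef != null) {
            // acr_values is a space-separated string. Passing the List itself would send
            // its toString() form ("[a, b]"), which no provider can match against an ACR.
            StringBuilder acrValues = new StringBuilder();
            for (String acr : this.authenticationContextRef) {
                if (acrValues.length() > 0) {
                    acrValues.append(' ');
                }
                acrValues.append(acr);
            }
            if (acrValues.length() > 0) {
                uriBuilder.queryParam(ACR_PARAMETER, new Object[]{acrValues.toString()});
            }
        }
        if (this.promptLogin != null) {
            uriBuilder.queryParam(PROMPT_PARAMETER, new Object[]{this.promptLogin});
        }
    }

    /**
     * Sets the {@code prompt} value sent with the authorization request.
     *
     * @param str one of {@code none}, {@code consent}, {@code login}, {@code select_account}
     * @throws IllegalArgumentException if the value is not one of the accepted prompts
     */
    public void setPromptLogin(String str) {
        if (!PROMPTS.contains(str)) {
            throw new IllegalArgumentException("Illegal prompt value");
        }
        this.promptLogin = str;
    }

    /**
     * Sets the offset that is added to the current time in milliseconds to produce the
     * {@code max_age} state value; {@code null} disables the max_age handling.
     *
     * @param l the offset, or {@code null}
     */
    public void setMaxAgeOffset(Long l) {
        this.maxAgeOffset = l;
    }

    /**
     * Sets the value sent as the {@code claims} request parameter.
     *
     * @param str the parameter value, or {@code null} to omit the parameter
     */
    public void setClaims(String str) {
        this.claims = str;
    }

    /**
     * Sets the value sent as the {@code claims_locales} request parameter.
     *
     * @param str the parameter value, or {@code null} to omit the parameter
     */
    public void setClaimsLocales(String str) {
        this.claimsLocales = str;
    }
}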
