package com.nimbusds.openid.connect.provider.spi.reg.statement;

import com.nimbusds.common.contenttype.ContentType;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.RemoteKeySourceException;
import com.nimbusds.jose.jwk.source.RemoteJWKSet;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jose.util.DefaultResourceRetriever;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import com.nimbusds.oauth2.sdk.OAuth2Error;
import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.oauth2.sdk.client.RegistrationError;
import com.nimbusds.oauth2.sdk.http.HTTPRequest;
import com.nimbusds.oauth2.sdk.util.StringUtils;
import com.nimbusds.openid.connect.provider.spi.InitContext;
import com.nimbusds.openid.connect.provider.spi.reg.InterceptorContext;
import com.nimbusds.openid.connect.provider.spi.reg.RegistrationInterceptor;
import com.nimbusds.openid.connect.provider.spi.reg.WrappedHTTPResponseException;
import com.nimbusds.openid.connect.sdk.rp.OIDCClientMetadata;
import com.nimbusds.openid.connect.sdk.rp.statement.InvalidSoftwareStatementException;
import com.nimbusds.openid.connect.sdk.rp.statement.SoftwareStatementProcessor;
import java.io.IOException;
import java.io.InputStream;
import java.net.MalformedURLException;
import java.net.URL;
import java.util.Iterator;
import java.util.Map;
import java.util.Objects;
import java.util.Properties;
import net.jcip.annotations.ThreadSafe;
import net.minidev.json.JSONObject;
import org.apache.logging.log4j.Logger;
import org.apache.logging.log4j.util.Supplier;

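/**
 * Registration interceptor that verifies the software statement carried in a
 * client registration request and, when it is valid, rebuilds the request so
 * that it carries the verified client metadata and the configured registration
 * access token.
 *
 * <p>The request is either plain JSON client metadata or, when
 * {@code Configuration.requestType} is {@code RequestType.JWT}, a signed JWT
 * whose claims set is the client metadata. In JWT mode the request JWT is
 * verified either against a static JWK set URL or against a JWK set URL taken
 * from a claim of the software statement; in the latter case the statement is
 * verified first, so the URL is only ever read from an authenticated statement.
 *
 * <p>Requests the interceptor cannot act on (interceptor disabled, required
 * client certificate missing or with an unexpected root DN, no request JWT, no
 * software statement in a plain JSON request) are passed through unchanged.
 * Malformed requests and failed verifications are rejected with a
 * {@link WrappedHTTPResponseException}.
 *
 * <p>All fields are assigned in {@link #init} and only read afterwards.
 */
@ThreadSafe
/* loaded from: input_file:com/nimbusds/openid/connect/provider/spi/reg/statement/SoftwareStatementVerifier.class */
public class SoftwareStatementVerifier implements RegistrationInterceptor {

    /**
     * Placeholder URL for the rebuilt POST request. Only the headers and body of
     * that request carry meaning; NOTE(review): presumably the caller supplies the
     * real registration endpoint — confirm against the framework.
     */
    private static final URL DUMMY_URL;

    static {
        try {
            DUMMY_URL = new URL("http:///");
        } catch (MalformedURLException e) {
            throw new RuntimeException(e);
        }
    }

    /** Loaded in {@link #init}; not null after a successful init. */
    private Configuration config;

    /** Verifies and applies the software statement; null while the interceptor is disabled. */
    private SoftwareStatementProcessor<?> statementProcessor;

    /** Verifies request JWTs against the configured static JWK set URL; null unless so configured. */
    private DefaultJWTProcessor<SecurityContext> requestJWTProcessorWithStaticJWKSetURL;

    /** Verifies request JWTs against a JWK set URL named by a software statement claim; null unless so configured. */
    private DefaultJWTProcessor<SoftwareStatementContext> requestJWTProcessorWithStatementReferencedJWKSetURL;

    /**
     * Loads the interceptor configuration from {@code Configuration.FILE_PATH}.
     * A missing resource yields a configuration built from empty properties.
     *
     * @param initContext provides the configuration resource stream.
     * @return the parsed configuration.
     * @throws IOException if the properties resource cannot be read.
     */
    private static Configuration loadConfiguration(InitContext initContext) throws IOException {
        Properties properties = new Properties();
        // Properties.load() leaves the stream open, so close it here instead of leaking it.
        try (InputStream in = initContext.getResourceAsStream(Configuration.FILE_PATH)) {
            if (in != null) {
                properties.load(in);
            }
        }
        return new Configuration(properties);
    }

    /**
     * Loads the configuration and, when the interceptor is enabled, builds the
     * software statement processor and the request JWT processor selected by
     * the configured JWK set source.
     *
     * @param initContext the provider init context.
     * @throws IllegalStateException if JWT requests are enabled but the JWK set
     *         source has neither a static URL nor a URL claim name.
     * @throws Exception if the configuration cannot be loaded or a processor
     *         cannot be constructed.
     */
    public void init(InitContext initContext) throws Exception {
        this.config = loadConfiguration(initContext);
        this.config.log();
        if (!this.config.enable) {
            return;
        }
        this.statementProcessor = new SoftwareStatementProcessor<>(
            this.config.issuer,
            false,
            this.config.jwsAlgorithms,
            this.config.issuerJWKSetURL,
            this.config.httpConnectTimeout,
            this.config.httpReadTimeout,
            100000);
        if (!this.config.requestType.equals(RequestType.JWT)) {
            return;
        }
        DefaultResourceRetriever retriever = new DefaultResourceRetriever(this.config.httpConnectTimeout, this.config.httpReadTimeout);
        URL staticJWKSetURL = this.config.requestJWT_jwkSetSource.getStaticURL();
        if (staticJWKSetURL != null) {
            RemoteJWKSet<SecurityContext> jwkSet = new RemoteJWKSet<>(staticJWKSetURL, retriever);
            this.requestJWTProcessorWithStaticJWKSetURL = new DefaultJWTProcessor<>();
            this.requestJWTProcessorWithStaticJWKSetURL.setJWSKeySelector(new JWSVerificationKeySelector<>(this.config.requestJWT_jwsAlgorithms, jwkSet));
            this.requestJWTProcessorWithStaticJWKSetURL.setJWTClaimsSetVerifier(new DefaultJWTClaimsVerifier<>((JWTClaimsSet) null, this.config.requestJWT_requiredClaims));
            return;
        }
        if (this.config.requestJWT_jwkSetSource.getURLClaimName() == null) {
            throw new IllegalStateException("Request JWT JWK set source has neither a static URL nor a URL claim name");
        }
        this.requestJWTProcessorWithStatementReferencedJWKSetURL = new DefaultJWTProcessor<>();
        this.requestJWTProcessorWithStatementReferencedJWKSetURL.setJWSKeySelector(new SoftwareStatementBasedKeySelector(this.config.requestJWT_jwkSetSource.getURLClaimName(), retriever));
        this.requestJWTProcessorWithStatementReferencedJWKSetURL.setJWTClaimsSetVerifier(new DefaultJWTClaimsVerifier<>((JWTClaimsSet) null, this.config.requestJWT_requiredClaims));
    }

    /**
     * Returns the configuration loaded by {@link #init}.
     *
     * @return the configuration, null before init.
     */
    public Configuration getConfiguration() {
        return this.config;
    }

    /**
     * Returns whether the interceptor is enabled by configuration.
     *
     * @return true if enabled.
     */
    public boolean isEnabled() {
        return this.config.enable;
    }

    /**
     * Returns the original request unchanged, logging why the interceptor did
     * not act on it.
     *
     * @param request the original request.
     * @param reason the pass-through reason, written to the log.
     * @return {@code request}.
     */
    HTTPRequest passThrough(HTTPRequest request, String reason) {
        Loggers.REGISTRATION.info("[SSV0109] Original HTTP request passed through: {}", reason);
        return request;
    }

    /**
     * Applies the configured JSON transforms (remove, rename, move-into-data),
     * in that order, to the client metadata and re-parses the result.
     *
     * @param metadata the client metadata to transform.
     * @return the transformed client metadata.
     * @throws RuntimeException if the transformed JSON no longer parses as client metadata.
     */
    OIDCClientMetadata applyTransforms(OIDCClientMetadata metadata) {
        JSONObject json = metadata.toJSONObject();
        for (String member : this.config.transforms_remove) {
            JSONObjectTransforms.remove(json, member);
        }
        for (Map.Entry<String, String> rename : this.config.transforms_rename.entrySet()) {
            JSONObjectTransforms.rename(json, rename.getKey(), rename.getValue());
        }
        for (String member : this.config.transforms_moveIntoData) {
            JSONObjectTransforms.moveIntoData(json, member);
        }
        try {
            return OIDCClientMetadata.parse(json);
        } catch (ParseException e) {
            String msg = "Error reconstructing client metadata after applying JSON transforms: " + e.getMessage();
            Loggers.REGISTRATION.error("[SSV0122] {}", msg);
            throw new RuntimeException(msg, e);
        }
    }

    /**
     * Checks the client X.509 certificate requirements of the configuration.
     * A failed check does not reject the request; the caller passes it through
     * for the registration endpoint to handle.
     *
     * @param request the registration request.
     * @return null if a client certificate is present and, when a root DN is
     *         configured, its root DN matches; otherwise the pass-through reason.
     */
    private String clientCertificateRejectionReason(HTTPRequest request) {
        if (request.getClientX509Certificate() == null) {
            return "Client X.509 certificate missing";
        }
        Loggers.REGISTRATION.info("[SSV0113] Received client X.509 certificate: iss={} sub={}",
            request.getClientX509Certificate().getIssuerDN(),
            request.getClientX509Certificate().getSubjectDN());
        if (this.config.clientX509Certificate_rootDN != null) {
            // Case-insensitive comparison of the DN string as rendered by the SDK.
            // NOTE(review): no canonicalisation of attribute order or escaping — confirm this is sufficient.
            String rootDN = request.getClientX509CertificateRootDN();
            if (!this.config.clientX509Certificate_rootDN.equalsIgnoreCase(rootDN)) {
                return "Client X.509 certificate doesn't have required root DN: " + rootDN;
            }
        }
        return null;
    }

    /**
     * Verifies the signature and claims of a registration request JWT with the
     * given processor, mapping failures to an invalid_request response.
     *
     * @param processor the request JWT processor built in {@link #init}.
     * @param requestJWT the parsed registration request JWT.
     * @param context the security context for the processor's key selector; may be null.
     * @throws WrappedHTTPResponseException (HTTP 400, invalid_request) if the JWT
     *         is rejected or its verification keys cannot be retrieved.
     * @throws RuntimeException on an internal JOSE error.
     */
    private static <C extends SecurityContext> void verifyRequestJWT(DefaultJWTProcessor<C> processor, SignedJWT requestJWT, C context) throws WrappedHTTPResponseException {
        try {
            processor.process(requestJWT, context);
        } catch (RemoteKeySourceException e) {
            // Must be caught before JOSEException, of which it is a subclass.
            String msg = "Registration JWT validation failed: " + e.getMessage();
            Loggers.REGISTRATION.info("[SSV0121] {}", msg);
            throw new WrappedHTTPResponseException(msg, OAuth2Error.INVALID_REQUEST.setHTTPStatusCode(400).setDescription(msg).toHTTPResponse());
        } catch (BadJOSEException e) {
            String msg = "Invalid registration JWT: " + e.getMessage();
            Loggers.REGISTRATION.info("[SSV0116] {}", msg);
            throw new WrappedHTTPResponseException(e.getMessage(), OAuth2Error.INVALID_REQUEST.setHTTPStatusCode(400).setDescription(msg).toHTTPResponse());
        } catch (JOSEException e) {
            Loggers.REGISTRATION.error("[SSV0117] {}", e.getMessage(), e);
            throw new RuntimeException(e);
        }
    }

    /**
     * Intercepts a client registration POST request.
     *
     * <p>Order of checks: enabled flag; optional client certificate; request
     * parsing (plain JSON or signed JWT, with the JWT audience check and, for a
     * static JWK set URL, signature verification); client metadata parsing;
     * presence of the software statement and its additionally required claims;
     * software statement verification; for a statement-referenced JWK set URL,
     * request JWT verification; configured JSON transforms.
     *
     * @param request the incoming registration request.
     * @param interceptorContext supplies the OP issuer used as the expected
     *        request JWT audience.
     * @return the original request when it is passed through, otherwise a new
     *         POST request carrying the verified client metadata as JSON and the
     *         configured registration access token.
     * @throws WrappedHTTPResponseException if the request is malformed, the
     *         request JWT or software statement fails verification, or a
     *         required claim is missing.
     * @throws RuntimeException on internal JOSE errors or when the transformed
     *         metadata cannot be re-parsed.
     */
    public HTTPRequest interceptPostRequest(HTTPRequest request, InterceptorContext interceptorContext) throws WrappedHTTPResponseException {
        if (!isEnabled()) {
            return request;
        }
        if (this.config.clientX509Certificate_require) {
            String reason = clientCertificateRejectionReason(request);
            if (reason != null) {
                return passThrough(request, reason);
            }
        }
        SignedJWT requestJWT = null;
        JSONObject metadataJSON;
        if (this.config.requestType.equals(RequestType.JWT)) {
            if (ContentType.APPLICATION_JSON.equals(request.getEntityContentType()) || StringUtils.isBlank(request.getQuery()) || request.getQuery().startsWith("{")) {
                return passThrough(request, "No registration request JWT found");
            }
            try {
                requestJWT = SignedJWT.parse(request.getQuery());
                metadataJSON = requestJWT.getJWTClaimsSet().toJSONObject();
            } catch (java.text.ParseException e) {
                Loggers.REGISTRATION.info("[SSV0112] Invalid registration JWT: {}", e.getMessage());
                throw new WrappedHTTPResponseException(e.getMessage(), OAuth2Error.INVALID_REQUEST.setHTTPStatusCode(400).setDescription("The request must be a signed JWT").toHTTPResponse());
            }
            // The claims are read before the signature is checked; they are only used to
            // reject the request early, nothing is trusted until a processor accepts the JWT.
            if (this.config.requestJWT_requiredClaims.contains("aud")) {
                Object aud = metadataJSON.get("aud");
                // Exact match against the OP issuer; a multi-valued "aud" does not match.
                if (!interceptorContext.getIssuer().getValue().equals(aud)) {
                    String msg = "Invalid registration JWT: Audience not accepted: " + (aud != null ? aud : "Missing claim");
                    Loggers.REGISTRATION.info("[SSV0119] {}", msg);
                    throw new WrappedHTTPResponseException(msg, OAuth2Error.INVALID_REQUEST.setHTTPStatusCode(400).setDescription(msg).toHTTPResponse());
                }
            }
            if (this.requestJWTProcessorWithStaticJWKSetURL != null) {
                verifyRequestJWT(this.requestJWTProcessorWithStaticJWKSetURL, requestJWT, null);
            }
            // Otherwise the request JWT is verified below, after the software statement
            // that names its JWK set URL has itself been verified.
        } else {
            try {
                metadataJSON = request.getQueryAsJSONObject();
            } catch (ParseException e) {
                Loggers.REGISTRATION.info("[SSV0114] Invalid registration request: {}", e.getMessage());
                throw new WrappedHTTPResponseException(e.getMessage(), OAuth2Error.INVALID_REQUEST.setHTTPStatusCode(400).setDescription("Invalid JSON: " + e.getMessage()).toHTTPResponse());
            }
        }
        try {
            // OIDCClientMetadata.parse() is the source of the ParseException handled at the end.
            OIDCClientMetadata metadata = OIDCClientMetadata.parse(metadataJSON);
            Loggers.REGISTRATION.debug("[SSV0106] Received client metadata: {}", (Supplier<String>) metadata::toString);
            SignedJWT softwareStatement = metadata.getSoftwareStatement();
            if (softwareStatement == null) {
                if (requestJWT == null) {
                    return passThrough(request, "No software statement found");
                }
                // A request JWT without a software statement cannot be verified: reject rather than pass through.
                Loggers.REGISTRATION.info("[SSV0115] {}", "Missing required software statement in JWT");
                throw new WrappedHTTPResponseException("Missing required software statement in JWT", OAuth2Error.INVALID_REQUEST.setDescription("Missing required software statement in JWT").toHTTPResponse());
            }
            JWTClaimsSet statementClaims;
            try {
                statementClaims = softwareStatement.getJWTClaimsSet();
            } catch (java.text.ParseException e) {
                Loggers.REGISTRATION.info("[SSV0107] Invalid software statement JWT claims set: {}", e.getMessage());
                throw new WrappedHTTPResponseException("Invalid software statement JWT claims set", RegistrationError.INVALID_SOFTWARE_STATEMENT.setDescription("Invalid software statement JWT claims set").toHTTPResponse());
            }
            for (String claimName : this.config.additionalRequiredClaims) {
                if (!statementClaims.getClaims().containsKey(claimName)) {
                    String msg = "Missing required software statement JWT claim: " + claimName;
                    Loggers.REGISTRATION.info("[SSV0108] {}", msg);
                    throw new WrappedHTTPResponseException(msg, RegistrationError.INVALID_SOFTWARE_STATEMENT.setDescription(msg).toHTTPResponse());
                }
            }
            // Client-supplied scope and custom fields are discarded before the statement is applied.
            metadata.setScope((Scope) null);
            metadata.setCustomFields(new JSONObject());
            OIDCClientMetadata verifiedMetadata;
            try {
                verifiedMetadata = this.statementProcessor.process(metadata);
            } catch (InvalidSoftwareStatementException e) {
                Loggers.REGISTRATION.info("[SSV0102] Invalid software statement: {}", e.getMessage());
                throw new WrappedHTTPResponseException(e.getMessage(), e.getErrorObject().toHTTPResponse());
            } catch (RemoteKeySourceException e) {
                String msg = "Software statement JWT validation failed: " + e.getMessage();
                Loggers.REGISTRATION.info("[SSV0120] {}", msg);
                throw new WrappedHTTPResponseException(msg, RegistrationError.INVALID_SOFTWARE_STATEMENT.setDescription(msg).toHTTPResponse());
            } catch (JOSEException e) {
                Loggers.REGISTRATION.info("[SSV0103] Internal JOSE error: {}", e.getMessage());
                throw new RuntimeException(e.getMessage(), e);
            }
            if (this.requestJWTProcessorWithStatementReferencedJWKSetURL != null) {
                // The statement is authentic at this point, so the JWK set URL named by its
                // claim may be used to verify the request JWT. requestJWT is non-null here:
                // this processor only exists in JWT mode, where the JWT was parsed above.
                verifyRequestJWT(this.requestJWTProcessorWithStatementReferencedJWKSetURL, requestJWT, new SoftwareStatementContext(statementClaims));
            }
            OIDCClientMetadata finalMetadata = applyTransforms(verifiedMetadata);
            String finalMetadataJSON = finalMetadata.toString();
            // The rebuilt request carries the configured registration access token instead of
            // anything the client sent; reaching this point grants registration on the
            // strength of the verified software statement.
            HTTPRequest rebuilt = new HTTPRequest(HTTPRequest.Method.POST, DUMMY_URL);
            rebuilt.setAuthorization(this.config.registrationAccessToken.toAuthorizationHeader());
            rebuilt.setEntityContentType(ContentType.APPLICATION_JSON);
            rebuilt.setQuery(finalMetadataJSON);
            Loggers.REGISTRATION.info("[SSV0100] Applied verified software statement to client metadata:{}", createSoftwareStatementClaimsLogString(statementClaims));
            Loggers.REGISTRATION.debug("[SSV0105] Final client metadata: {}", finalMetadataJSON);
            return rebuilt;
        } catch (ParseException e) {
            Loggers.REGISTRATION.info("[SSV0104] Invalid client metadata: {}", e.getMessage());
            throw new WrappedHTTPResponseException(e.getMessage(), e.getErrorObject().toHTTPResponse());
        }
    }

    /**
     * Renders the configured log claims of a software statement as
     * {@code " name=value"} pairs, one leading space per claim. Claim values
     * are written to the log verbatim, so {@code Configuration.logClaims}
     * should not name claims holding secrets.
     *
     * @param statementClaims the verified software statement claims.
     * @return the log fragment, empty if no log claims are configured.
     */
    private String createSoftwareStatementClaimsLogString(JWTClaimsSet statementClaims) {
        StringBuilder sb = new StringBuilder();
        for (String claimName : this.config.logClaims) {
            sb.append(' ').append(claimName).append('=').append(statementClaims.getClaim(claimName));
        }
        return sb.toString();
    }

    /** Logs the shutdown; there are no resources to release. */
    public void shutdown() {
        Loggers.MAIN.info("[SSV0199] Shutting down ...");
    }
}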
