package org.forgerock.openidconnect.restlet;

import java.util.Locale;
import java.util.Set;
import java.util.concurrent.ConcurrentMap;
import javax.inject.Inject;
import org.forgerock.http.protocol.Status;
import org.forgerock.json.JsonValue;
import org.forgerock.json.jose.exceptions.InvalidJwtException;
import org.forgerock.json.jose.jws.JwsAlgorithm;
import org.forgerock.json.jose.jws.JwsAlgorithmType;
import org.forgerock.json.jose.jws.SigningManager;
import org.forgerock.json.jose.jwt.JwtClaimsSet;
import org.forgerock.oauth2.core.ClientAuthenticator;
import org.forgerock.oauth2.core.OAuth2Jwt;
import org.forgerock.oauth2.core.OAuth2ProviderSettingsFactory;
import org.forgerock.oauth2.core.OAuth2Request;
import org.forgerock.oauth2.core.OAuth2RequestFactory;
import org.forgerock.oauth2.core.exceptions.BadRequestException;
import org.forgerock.oauth2.core.exceptions.InvalidClientException;
import org.forgerock.oauth2.core.exceptions.OAuth2Exception;
import org.forgerock.oauth2.restlet.ExceptionHandler;
import org.forgerock.oauth2.restlet.OAuth2RestletException;
import org.forgerock.openam.core.realms.Realm;
import org.forgerock.openam.core.realms.RealmLookupException;
import org.forgerock.openam.oauth2.OAuth2UrisFactory;
import org.forgerock.openam.utils.CollectionUtils;
import org.forgerock.openam.utils.StringUtils;
import org.forgerock.openidconnect.OpenIdConnectClientRegistration;
import org.forgerock.openidconnect.OpenIdConnectClientRegistrationStore;
import org.forgerock.openidconnect.OpenIdConnectToken;
import org.forgerock.util.annotations.VisibleForTesting;
import org.restlet.Request;
import org.restlet.ext.json.JsonRepresentation;
import org.restlet.ext.servlet.ServletUtils;
import org.restlet.representation.Representation;
import org.restlet.resource.Post;
import org.restlet.resource.ServerResource;

/* loaded from: input_file:org/forgerock/openidconnect/restlet/IdTokenInfo.class */
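/**
 * Restlet resource behind the OpenID Connect {@code idtokeninfo} endpoint.
 * <p>
 * A POST carrying an {@code id_token} parameter is parsed, checked against the
 * client registration named by the token's audience, and the token's claims
 * (optionally narrowed by a {@code claims} parameter) are returned as JSON.
 * <p>
 * Ordering worth knowing when reviewing this class: the {@code aud} and
 * {@code realm} claims are read from the <em>unverified</em> token and used to
 * locate the client registration; the signature is only checked afterwards, in
 * {@link #validateIdToken(OAuth2Request)}, via
 * {@code OpenIdConnectClientRegistration#verifyJwtIdentity}. The request is
 * also mutated (token and realm attributes) before verification succeeds.
 */
public class IdTokenInfo extends ServerResource {
    private final OpenIdConnectClientRegistrationStore clientRegistrationStore;
    private final OAuth2RequestFactory requestFactory;
    private final ExceptionHandler exceptionHandler;
    private final SigningManager signingManager = new SigningManager();
    private final OAuth2UrisFactory urisFactory;
    private final ClientAuthenticator clientAuthenticator;
    private final OAuth2ProviderSettingsFactory providerSettingsFactory;

    /**
     * Wraps an {@link OAuth2Request} so that the {@code realm} parameter is
     * answered from the realm claim of the id_token rather than from the
     * incoming HTTP request; every other accessor delegates unchanged.
     * <p>
     * The base constructor receives no request or realm; all state lives in
     * the delegate and the overridden realm string.
     */
    public static class ValidateIdTokenRequest extends OAuth2Request {
        private final OAuth2Request delegate;
        private final String realm;

        /**
         * @param oAuth2Request the request to delegate to
         * @param str the realm value to report for the {@code realm} parameter
         */
        ValidateIdTokenRequest(OAuth2Request oAuth2Request, String str) {
            super(null, null);
            this.delegate = oAuth2Request;
            this.realm = str;
        }

        @Override // org.forgerock.oauth2.core.OAuth2Request
        public Request getRequest() {
            return this.delegate.getRequest();
        }

        /**
         * Returns the overridden realm for {@code "realm"}, otherwise the
         * delegate's parameter value.
         */
        @Override // org.forgerock.oauth2.core.OAuth2Request
        @SuppressWarnings("unchecked") // caller-chosen T, as in the base contract
        public <T> T getParameter(String str) {
            if ("realm".equals(str)) {
                return (T) this.realm;
            }
            return (T) this.delegate.getParameter(str);
        }

        @Override // org.forgerock.oauth2.core.OAuth2Request
        public int getParameterCount(String str) {
            return this.delegate.getParameterCount(str);
        }

        @Override // org.forgerock.oauth2.core.OAuth2Request
        public Set<String> getParameterNames() {
            return this.delegate.getParameterNames();
        }

        @Override // org.forgerock.oauth2.core.OAuth2Request
        public JsonValue getBody() {
            return this.delegate.getBody();
        }

        @Override // org.forgerock.oauth2.core.OAuth2Request
        public Locale getLocale() {
            return this.delegate.getLocale();
        }
    }

    /**
     * Creates the resource; all collaborators are injected.
     *
     * @param openIdConnectClientRegistrationStore lookup of client registrations by client id and request
     * @param oAuth2RequestFactory builds an {@link OAuth2Request} from the Restlet request
     * @param exceptionHandler renders uncaught throwables onto the response (see {@link #doCatch})
     * @param clientAuthenticator authenticates the calling client when required
     * @param oAuth2UrisFactory supplies provider endpoint URIs for the request
     * @param oAuth2ProviderSettingsFactory supplies provider settings for the request
     */
    @Inject
    public IdTokenInfo(OpenIdConnectClientRegistrationStore openIdConnectClientRegistrationStore, OAuth2RequestFactory oAuth2RequestFactory, ExceptionHandler exceptionHandler, ClientAuthenticator clientAuthenticator, OAuth2UrisFactory oAuth2UrisFactory, OAuth2ProviderSettingsFactory oAuth2ProviderSettingsFactory) {
        this.clientRegistrationStore = openIdConnectClientRegistrationStore;
        this.requestFactory = oAuth2RequestFactory;
        this.exceptionHandler = exceptionHandler;
        this.clientAuthenticator = clientAuthenticator;
        this.urisFactory = oAuth2UrisFactory;
        this.providerSettingsFactory = oAuth2ProviderSettingsFactory;
    }

    /**
     * Handles the POST: validates the id_token and returns its (filtered) claims.
     * <p>
     * The entity argument is not read; parameters come from the
     * {@link OAuth2Request} built from the Restlet request.
     *
     * @param representation the request entity (ignored)
     * @return a JSON representation of the claims selected by {@link #filterClaims}
     * @throws OAuth2RestletException with 400 when no registered client matches the
     *         token's audience (the audience value itself is not echoed), with the
     *         exception's own status for any other {@link OAuth2Exception}, and with
     *         400 when the realm named in the token cannot be resolved
     */
    @Post
    public Representation validateIdToken(Representation representation) throws OAuth2RestletException {
        try {
            OAuth2Request create = this.requestFactory.create(getRequest());
            return new JsonRepresentation(filterClaims(validateIdToken(create), create).build());
        } catch (InvalidClientException e) {
            throw new OAuth2RestletException(Status.BAD_REQUEST.getCode(), e.getError(), "no registered client matches audience of id_token", null);
        } catch (OAuth2Exception e2) {
            throw new OAuth2RestletException(e2.getStatusCode(), e2.getError(), e2.getMessage(), null);
        } catch (RealmLookupException e3) {
            throw new OAuth2RestletException(Status.BAD_REQUEST.getCode(), "Invalid realm", "Invalid realm: " + e3.getRealm(), null);
        }
    }

    /**
     * Parses and verifies the {@code id_token} request parameter.
     * <p>
     * Steps, in order:
     * <ol>
     * <li>reject a blank parameter;</li>
     * <li>parse the JWT and attach it to the request as an {@link OpenIdConnectToken}
     *     (this happens before any verification);</li>
     * <li>read the first audience entry and the {@code realm} claim (default
     *     {@code "/"}) from the still-unverified claims, store the realm on the
     *     request and look up the client registration for that audience in that
     *     realm;</li>
     * <li>if the provider enables client authentication for this endpoint and the
     *     registration's id_token algorithm is of the HMAC type, require the
     *     caller to authenticate as the client;</li>
     * <li>reject an expired token;</li>
     * <li>verify the token against the registration and reject it on failure.</li>
     * </ol>
     *
     * @param oAuth2Request the request carrying the {@code id_token} parameter
     * @return the verified token
     * @throws BadRequestException when the parameter is blank, the JWT cannot be
     *         parsed, the token has expired, or verification fails
     * @throws OAuth2Exception from the registration lookup or client authentication
     * @throws RealmLookupException when the realm named in the token does not resolve
     */
    @VisibleForTesting
    OAuth2Jwt validateIdToken(OAuth2Request oAuth2Request) throws OAuth2Exception, RealmLookupException {
        String rawIdToken = (String) oAuth2Request.getParameter("id_token");
        if (StringUtils.isBlank(rawIdToken)) {
            throw new BadRequestException("no id_token in request");
        }
        try {
            OAuth2Jwt idToken = OAuth2Jwt.create(rawIdToken);
            JwtClaimsSet claims = idToken.getSignedJwt().getClaimsSet();
            // Attached before verification: callers of getToken() must not treat it as trusted yet.
            oAuth2Request.setToken(OpenIdConnectToken.class, new OpenIdConnectToken(claims));
            // Unverified claims; they only choose which registration's key is tried below.
            // If the audience list is empty the lookup receives null (behaviour of the store not visible here).
            String audience = (String) CollectionUtils.getFirstItem(claims.getAudience());
            String realm = claims.get("realm").defaultTo("/").asString();
            setRealmOnRequest(oAuth2Request, realm);
            OpenIdConnectClientRegistration registration = this.clientRegistrationStore.get(audience,
                    (OAuth2Request) new ValidateIdTokenRequest(oAuth2Request, realm));
            // Enum valueOf: an unrecognised algorithm name in the registration surfaces as IllegalArgumentException.
            JwsAlgorithm algorithm = JwsAlgorithm.valueOf(registration.getIDTokenSignedResponseAlgorithm());
            // HMAC tokens are verified with a shared secret, so the caller must prove it is the client.
            if (this.providerSettingsFactory.get(oAuth2Request).isIdTokenInfoClientAuthenticationEnabled()
                    && algorithm.getAlgorithmType().equals(JwsAlgorithmType.HMAC)) {
                this.clientAuthenticator.authenticate(oAuth2Request, this.urisFactory.get(oAuth2Request).getTokenEndpoint());
            }
            if (idToken.isExpired()) {
                throw new BadRequestException("id_token has expired");
            }
            if (!registration.verifyJwtIdentity(idToken)) {
                throw new BadRequestException("invalid id_token");
            }
            return idToken;
        } catch (InvalidJwtException e) {
            throw new BadRequestException("invalid id_token: " + e.getMessage());
        }
    }

    /**
     * Stores the realm taken from the token on both the Restlet request
     * attributes ({@code realm} and a resolved {@code realmObject}) and the
     * underlying servlet request attribute {@code realm}.
     *
     * @param oAuth2Request the request to annotate
     * @param str the realm string from the token's {@code realm} claim
     * @throws RealmLookupException when {@link Realm#of} cannot resolve the realm
     */
    private void setRealmOnRequest(OAuth2Request oAuth2Request, String str) throws RealmLookupException {
        ConcurrentMap<String, Object> attributes = oAuth2Request.getRequest().getAttributes();
        attributes.put("realm", str);
        attributes.put("realmObject", Realm.of(str));
        ServletUtils.getRequest(oAuth2Request.getRequest()).setAttribute("realm", str);
    }

    /**
     * Narrows the token's claims to those named in the comma-separated
     * {@code claims} request parameter.
     * <p>
     * Names are matched exactly (no trimming); names not defined in the token
     * are ignored. When the parameter is absent the full claims set is returned
     * unchanged; an empty parameter value yields an empty claims set.
     *
     * @param oAuth2Jwt the verified token whose claims are filtered
     * @param oAuth2Request the request carrying the optional {@code claims} parameter
     * @return the selected claims
     */
    @VisibleForTesting
    JwtClaimsSet filterClaims(OAuth2Jwt oAuth2Jwt, OAuth2Request oAuth2Request) {
        String requestedClaims = (String) oAuth2Request.getParameter("claims");
        JwtClaimsSet allClaims = oAuth2Jwt.getSignedJwt().getClaimsSet();
        if (requestedClaims == null) {
            return allClaims;
        }
        JwtClaimsSet selected = new JwtClaimsSet();
        for (String name : requestedClaims.split(",")) {
            if (allClaims.isDefined(name)) {
                selected.setClaim(name, allClaims.getClaim(name));
            }
        }
        return selected;
    }

    /**
     * Routes any throwable escaping the handler methods to the injected
     * {@link ExceptionHandler}, which writes the error onto the response.
     *
     * @param th the throwable to render
     */
    @Override
    protected void doCatch(Throwable th) {
        this.exceptionHandler.handle(th, getResponse());
    }
}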
