package org.glassfish.soteria.mechanisms.openid.controller;

import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.proc.BadJWTException;
import com.nimbusds.jwt.proc.JWTClaimsSetVerifier;
import jakarta.security.enterprise.authentication.mechanism.http.openid.OpenIdConstant;
import java.util.Date;
import java.util.List;
import java.util.Objects;
import java.util.concurrent.TimeUnit;
import org.glassfish.soteria.mechanisms.openid.domain.OpenIdConfiguration;

/* loaded from: input_file:org/glassfish/soteria/mechanisms/openid/controller/TokenClaimsSetVerifier.class */
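/**
 * Base verifier for the standard OpenID Connect claims of a token.
 *
 * <p>{@link #verify(JWTClaimsSet, SecurityContext)} runs the issuer, subject, audience,
 * authorized-party and timestamp checks of {@link StandardVerifications} in that order and then
 * delegates to the subclass hook {@link #verify(JWTClaimsSet)} for token-specific checks. Only
 * claim values are checked here; anything about the token's signature is outside this class.
 *
 * <p>Note that every standard check signals failure with {@link IllegalStateException} rather than
 * the declared {@link BadJWTException}, so a caller that catches only {@code BadJWTException}
 * will see the runtime exception propagate.
 */
public abstract class TokenClaimsSetVerifier implements JWTClaimsSetVerifier {
    protected final OpenIdConfiguration configuration;

    /**
     * Per-token helper holding the checks OpenID Connect Core requires for an ID token's claims.
     * Each method throws {@link IllegalStateException} naming the failed check; none returns a
     * value.
     */
    protected static class StandardVerifications {
        /** Clock skew tolerated between the provider's clock and this host's for exp, iat and nbf. */
        private static final long ALLOWED_CLOCK_SKEW_MILLIS = TimeUnit.MINUTES.toMillis(1L);

        private final OpenIdConfiguration configuration;
        private final JWTClaimsSet claims;

        /**
         * @param openIdConfiguration client configuration providing the expected issuer and client id
         * @param jWTClaimsSet        the claims to verify
         */
        public StandardVerifications(OpenIdConfiguration openIdConfiguration, JWTClaimsSet jWTClaimsSet) {
            this.configuration = openIdConfiguration;
            this.claims = jWTClaimsSet;
        }

        /**
         * Requires the {@code iss} claim to be present and to equal the issuer URI from the provider
         * metadata (plain string comparison, no normalisation).
         *
         * @throws IllegalStateException if the claim is missing or differs from the configured issuer
         */
        public void requireSameIssuer() {
            String issuer = this.claims.getIssuer();
            if (issuer == null) {
                throw new IllegalStateException("Missing issuer (iss) claim");
            }
            String expectedIssuer = this.configuration.getProviderMetadata().getIssuerURI();
            if (!issuer.equals(expectedIssuer)) {
                // The message reports the expected issuer, not the value found in the token.
                throw new IllegalStateException("Invalid issuer : " + expectedIssuer);
            }
        }

        /**
         * Requires the {@code sub} claim to be present.
         *
         * @throws IllegalStateException if the claim is missing
         */
        public void requireSubject() {
            if (this.claims.getSubject() == null) {
                throw new IllegalStateException("Missing subject (sub) claim");
            }
        }

        /**
         * Requires a non-empty {@code aud} claim that contains {@code str}.
         *
         * @param str the expected audience (normally the client id); when {@code null} only the
         *            presence of the claim is checked, so a missing client id weakens this check
         * @throws IllegalStateException if the claim is absent/empty or does not contain {@code str}
         */
        public void requireAudience(String str) {
            List<String> audience = this.claims.getAudience();
            if (audience == null || audience.isEmpty()) {
                throw new IllegalStateException("Missing audience (aud) claim");
            }
            if (str != null && !audience.contains(str)) {
                throw new IllegalStateException("Invalid audience (aud) claim " + audience);
            }
        }

        /**
         * Checks the {@code azp} claim when the token carries more than one audience, as required
         * by OpenID Connect Core section 3.1.3.7. A token with zero or one audience is accepted
         * without looking at {@code azp}, so an azp value on a single-audience token is not
         * validated here.
         *
         * @param str the value {@code azp} must equal (normally the client id)
         * @throws IllegalStateException if there are several audiences and {@code azp} is missing
         *                               or differs from {@code str}
         */
        public void assureAuthorizedParty(String str) {
            Object claim = this.claims.getClaim(OpenIdConstant.AUTHORIZED_PARTY);
            List<String> audience = this.claims.getAudience();
            // Guarding null here makes the method safe to call before requireAudience().
            if (audience == null || audience.size() <= 1) {
                return;
            }
            if (claim == null) {
                throw new IllegalStateException("Missing authorized party (azp) claim");
            }
            if (!claim.equals(str)) {
                throw new IllegalStateException("Invalid authorized party (azp) claim " + claim);
            }
        }

        /**
         * Requires {@code exp} and {@code iat} to be present and, together with an optional
         * {@code nbf}, to be consistent with the current time within
         * {@link #ALLOWED_CLOCK_SKEW_MILLIS}.
         *
         * @throws IllegalStateException if exp or iat is missing, the token is expired, or iat/nbf
         *                               lie further in the future than the skew allowance
         */
        public void requireValidTimestamp() {
            long now = System.currentTimeMillis();
            Date expirationTime = this.claims.getExpirationTime();
            if (expirationTime == null) {
                throw new IllegalStateException("Missing expiration time (exp) claim");
            }
            // Expired only once exp is more than the skew allowance in the past.
            if (expirationTime.getTime() + ALLOWED_CLOCK_SKEW_MILLIS < now) {
                throw new IllegalStateException("Token is expired " + expirationTime);
            }
            Date issueTime = this.claims.getIssueTime();
            if (issueTime == null) {
                throw new IllegalStateException("Missing issue time (iat) claim");
            }
            // Rejects an iat further in the future than the skew allowance; the message text is
            // the historical one and reads inverted relative to the condition.
            if (issueTime.getTime() - ALLOWED_CLOCK_SKEW_MILLIS > now) {
                throw new IllegalStateException("Issue time must be after current time " + issueTime);
            }
            Date notBeforeTime = this.claims.getNotBeforeTime();
            // nbf is optional; when present it may be at most the skew allowance in the future.
            if (notBeforeTime != null && notBeforeTime.getTime() - ALLOWED_CLOCK_SKEW_MILLIS > now) {
                throw new IllegalStateException("Token is not valid before " + notBeforeTime);
            }
        }
    }

    /**
     * @param openIdConfiguration client configuration supplying the expected issuer and client id
     */
    public TokenClaimsSetVerifier(OpenIdConfiguration openIdConfiguration) {
        this.configuration = openIdConfiguration;
    }

    /**
     * Runs the standard claim checks against the configured client id and then the subclass hook.
     *
     * @param jWTClaimsSet    the claims to verify
     * @param securityContext unused by the standard checks
     * @throws BadJWTException       if the subclass hook rejects the claims
     * @throws IllegalStateException if any standard check fails (see {@link StandardVerifications})
     */
    @Override
    public void verify(JWTClaimsSet jWTClaimsSet, SecurityContext securityContext) throws BadJWTException {
        StandardVerifications standardVerifications = new StandardVerifications(this.configuration, jWTClaimsSet);
        standardVerifications.requireSameIssuer();
        standardVerifications.requireSubject();
        String clientId = this.configuration.getClientId();
        standardVerifications.requireAudience(clientId);
        standardVerifications.assureAuthorizedParty(clientId);
        standardVerifications.requireValidTimestamp();
        verify(jWTClaimsSet);
    }

    /**
     * Token-specific checks run after the standard ones have passed.
     *
     * @param jWTClaimsSet the claims to verify
     * @throws BadJWTException if the claims are rejected
     */
    public abstract void verify(JWTClaimsSet jWTClaimsSet) throws BadJWTException;
}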
