package com.sap.cloud.security.token.validation.validators;

import com.sap.cloud.security.config.OAuth2ServiceConfiguration;
import com.sap.cloud.security.token.Token;
import com.sap.cloud.security.xsuaa.client.DefaultOidcConfigurationService;
import com.sap.cloud.security.xsuaa.client.OAuth2ServiceEndpointsProvider;
import com.sap.cloud.security.xsuaa.client.OAuth2ServiceException;
import java.net.URI;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.spec.InvalidKeySpecException;
import java.util.HashMap;
import java.util.Map;
import javax.annotation.Nonnull;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:com/sap/cloud/security/token/validation/validators/SapIdJwtSignatureValidator.class */
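/**
 * JWT signature validator that, judging by its name, targets tokens from the SAP identity
 * service.
 * <p>
 * Unlike a validator with a fixed key endpoint, this one locates the JWKS through OIDC
 * discovery of the issuer named in the token's <em>own</em> {@code iss} claim (see
 * {@link #getJwksUri(Token)}). Nothing in this class verifies that the issuer is a trusted
 * one, so the host that is contacted for the discovery document is chosen by the token under
 * validation. NOTE(review): this presumes an issuer/domain check runs before signature
 * validation in the chain that builds this validator — confirm that ordering.
 * <p>
 * Thread-safety: {@link #disableTenantIdCheck()} flips a plain, non-volatile flag; it looks
 * like a setup-time switch and should not be called once the instance is shared.
 */
public class SapIdJwtSignatureValidator extends JwtSignatureValidator {
    /** JOSE header that names the signing key ({@code kid}). */
    private static final String KEY_ID_HEADER = "kid";
    /** Claim identifying the authorized party, forwarded to the key service. */
    private static final String AZP_CLAIM = "azp";

    /** Forwarded-parameter names handed to the key service together with the key lookup. */
    private static final String PARAM_APP_TID = "x-app_tid";
    private static final String PARAM_CLIENT_ID = "x-client_id";
    private static final String PARAM_AZP = "x-azp";

    /**
     * When {@code true} (the default) a token whose issuer differs from the configured service
     * URL must carry {@code app_tid}; see {@link #getJwksUri(Token)}.
     */
    private boolean isTenantIdCheckEnabled = true;

    /*
     * JADX INFO: the decompiler reports this constructor was package-private in the original
     * class file; it is kept public here so existing callers of this listing keep compiling.
     */
    public SapIdJwtSignatureValidator(OAuth2ServiceConfiguration oAuth2ServiceConfiguration,
            OAuth2TokenKeyServiceWithCache oAuth2TokenKeyServiceWithCache,
            OidcConfigurationServiceWithCache oidcConfigurationServiceWithCache) {
        super(oAuth2ServiceConfiguration, oAuth2TokenKeyServiceWithCache, oidcConfigurationServiceWithCache);
    }

    /*
     * JADX INFO: the decompiler reports this method was protected in the original class file.
     */
    /**
     * Switches off the requirement that tokens from a foreign issuer carry an {@code app_tid}
     * claim. Relaxes tenant validation; intended for setup, not for use on a shared instance.
     */
    public void disableTenantIdCheck() {
        this.isTenantIdCheckEnabled = false;
    }

    /**
     * Resolves the public key that should verify {@code token}.
     * <p>
     * The key id is taken from the {@code kid} header when present and otherwise falls back to
     * {@link JsonWebKey#DEFAULT_KEY_ID}. The JWKS location is discovered from the token's issuer
     * ({@link #getJwksUri(Token)}). Three values travel with the key lookup —
     * {@code x-app_tid}, {@code x-client_id} and {@code x-azp}; a claim that is absent is
     * forwarded as a {@code null} value rather than being left out of the map.
     *
     * @param token the token whose signing key is wanted; its {@code iss}, {@code app_tid} and
     *        {@code azp} claims and {@code kid} header are read
     * @param jwtSignatureAlgorithm algorithm the key must match
     * @return the resolved public key
     * @throws OAuth2ServiceException if the OIDC discovery document cannot be retrieved (and,
     *         presumably, if the key service itself fails to fetch the key)
     * @throws IllegalArgumentException if the token has no issuer, the tenant precondition of
     *         {@link #getJwksUri(Token)} fails, the discovery document lists no JWKS URI, or the
     *         key material is unusable ({@link NoSuchAlgorithmException} /
     *         {@link InvalidKeySpecException}, wrapped as the cause)
     */
    @Override // com.sap.cloud.security.token.validation.validators.JwtSignatureValidator
    protected PublicKey getPublicKey(Token token, JwtSignatureAlgorithm jwtSignatureAlgorithm)
            throws OAuth2ServiceException {
        String keyId = token.hasHeaderParameter(KEY_ID_HEADER)
                ? token.getHeaderParameterAsString(KEY_ID_HEADER)
                : JsonWebKey.DEFAULT_KEY_ID;
        URI jwksUri = getJwksUri(token);

        // Exactly three entries; load factor 1.0 keeps the map at its initial capacity.
        Map<String, String> params = new HashMap<>(3, 1.0f);
        params.put(PARAM_APP_TID, token.getAppTid());
        params.put(PARAM_CLIENT_ID, this.configuration.getClientId());
        params.put(PARAM_AZP, token.getClaimAsString(AZP_CLAIM));
        try {
            return this.tokenKeyService.getPublicKey(jwtSignatureAlgorithm, keyId, jwksUri, params);
        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
            // Unusable key material is a caller-visible argument problem; keep the cause.
            throw new IllegalArgumentException(e);
        }
    }

    /**
     * Derives the JWKS URI for {@code token} from its issuer.
     * <p>
     * The issuer is compared with the configured service URL by plain string equality (a
     * trailing-slash or scheme difference counts as "different issuer", i.e. the strict
     * direction). When the tenant check is enabled and the issuer is not the configured URL,
     * the token must provide {@code app_tid} so the tenant can be validated downstream.
     *
     * @param token token whose {@code iss} and {@code app_tid} claims are read
     * @return the JWKS URI published in the issuer's OIDC discovery document
     * @throws IllegalArgumentException if {@code iss} is missing, or {@code app_tid} is required
     *         but absent
     * @throws OAuth2ServiceException if the discovery document cannot be retrieved
     */
    private URI getJwksUri(Token token) throws OAuth2ServiceException {
        String issuer = token.getIssuer();
        if (issuer == null) {
            throw new IllegalArgumentException("Token does not contain mandatory iss header.");
        }
        // String.valueOf mirrors the original "" + url: a null URL compares as "null".
        boolean foreignIssuer = !issuer.equals(String.valueOf(this.configuration.getUrl()));
        if (this.isTenantIdCheckEnabled && foreignIssuer && token.getAppTid() == null) {
            throw new IllegalArgumentException("OIDC token must provide the app_tid claim for tenant validation when issuer is not the same as the url from the service credentials.");
        }
        return getOidcJwksUri(issuer);
    }

    /**
     * Looks up the JWKS URI in the OIDC discovery document of {@code issuer}.
     * <p>
     * The discovery endpoint is built from the issuer string, which at this point comes straight
     * from the token; whether the configuration service restricts which hosts it will contact
     * is not visible here — NOTE(review): verify in {@code OidcConfigurationServiceWithCache}.
     *
     * @param issuer issuer URL from the token's {@code iss} claim
     * @return the non-null JWKS URI
     * @throws OAuth2ServiceException if no endpoints could be retrieved
     * @throws IllegalArgumentException if the retrieved endpoints carry no JWKS URI
     */
    @Nonnull
    private URI getOidcJwksUri(String issuer) throws OAuth2ServiceException {
        URI discoveryUri = DefaultOidcConfigurationService.getDiscoveryEndpointUri(issuer);
        OAuth2ServiceEndpointsProvider endpoints = this.oidcConfigurationService.getOrRetrieveEndpoints(discoveryUri);
        if (endpoints == null) {
            throw new OAuth2ServiceException("OIDC .well-known configuration could not be retrieved.");
        }
        URI jwksUri = endpoints.getJwksUri();
        if (jwksUri == null) {
            throw new IllegalArgumentException("OIDC .well-known response did not contain JWKS URI.");
        }
        return jwksUri;
    }
}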
