package io.micronaut.security.oauth2.client;

import edu.umd.cs.findbugs.annotations.NonNull;
import edu.umd.cs.findbugs.annotations.Nullable;
import io.micronaut.context.annotation.Requirements;
import io.micronaut.context.annotation.Requires;
import io.micronaut.http.HttpRequest;
import io.micronaut.security.oauth2.configuration.OauthClientConfiguration;
import io.micronaut.security.oauth2.configuration.OpenIdClientConfiguration;
import io.micronaut.security.token.jwt.generator.claims.JwtClaims;
import io.micronaut.security.token.jwt.validator.GenericJwtClaimsValidator;
import java.net.URL;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.Optional;
import javax.inject.Singleton;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

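/**
 * Validates the {@code iss}, {@code aud} and {@code azp} claims of an OpenID Connect ID token
 * against the configured OAuth 2.0 clients that declare an OpenID issuer.
 *
 * <p>A token is accepted only when some configured client matches on <em>both</em> issuer and
 * audience: the {@code iss} claim must exactly equal that client's configured issuer URL and the
 * {@code aud} claim must contain that client's client id. If the token carries an {@code azp}
 * claim it must equal the client id; if it carries several audiences the {@code azp} claim is
 * mandatory. Accepting a token on issuer match alone would let an ID token minted for a
 * different client of the same provider authenticate here; accepting it on audience match alone
 * would let any issuer the application trusts mint tokens for this client. Both are rejected.
 *
 * <p>Signature, expiry and the remaining claims are checked by other validators; this class
 * covers only the issuer/audience/authorized-party steps of ID token validation.
 */
@Requirements({@Requires(property = "micronaut.security.authentication", value = "idtoken"), @Requires(property = "micronaut.security.token.jwt.claims-validators.openid-idtoken", notEquals = "false")})
@Singleton
public class IdTokenClaimsValidator implements GenericJwtClaimsValidator {
    private static final Logger LOG = LoggerFactory.getLogger(IdTokenClaimsValidator.class);
    private static final String ISSUER = "iss";
    private static final String AUDIENCE = "aud";
    private static final String AUTHORIZED_PARTY = "azp";
    private final Collection<OauthClientConfiguration> oauthClientConfigurations;

    /**
     * @param oauthClientConfigurations every configured OAuth 2.0 client; only those with an
     *                                  OpenID issuer take part in validation.
     */
    public IdTokenClaimsValidator(Collection<OauthClientConfiguration> oauthClientConfigurations) {
        this.oauthClientConfigurations = oauthClientConfigurations;
    }

    /**
     * Request-less variant of {@link #validate(JwtClaims, HttpRequest)}.
     *
     * @param claims the parsed JWT claims
     * @return {@code true} if the claims pass issuer/audience validation for some configured client
     */
    public boolean validate(JwtClaims claims) {
        return validate(claims, null);
    }

    /**
     * Checks that {@code iss} and {@code aud} (and {@code azp} where applicable) identify one of
     * the configured OpenID clients.
     *
     * @param claims  the parsed JWT claims
     * @param request the current request; unused, validation depends on the claims only
     * @return {@code true} only if a configured client matches on both issuer and audience and
     *         the authorized-party rules hold; {@code false} when {@code iss} or {@code aud} is
     *         absent or no client matches
     */
    public boolean validate(@NonNull JwtClaims claims, @Nullable HttpRequest<?> request) {
        Object issClaim = claims.get(ISSUER);
        if (issClaim == null) {
            LOG.trace("{} claim not present", ISSUER);
            return false;
        }
        String iss = issClaim.toString();

        List<String> audiences = parseAudiences(claims);
        if (audiences == null) {
            LOG.trace("{} claim not present", AUDIENCE);
            return false;
        }

        for (OauthClientConfiguration clientConfiguration : this.oauthClientConfigurations) {
            Optional<OpenIdClientConfiguration> openid = clientConfiguration.getOpenid();
            if (!openid.isPresent()) {
                continue;
            }
            Optional<URL> configuredIssuer = openid.get().getIssuer();
            if (!configuredIssuer.isPresent()) {
                continue;
            }
            String clientId = clientConfiguration.getClientId();

            // OIDC Core 3.1.3.7 step 2: the configured issuer MUST exactly match "iss".
            // Exact (case-sensitive) comparison; a case-only difference is a misconfiguration.
            if (!configuredIssuer.get().toString().equals(iss)) {
                LOG.trace("{} claim {} does not match configured issuer {}", ISSUER, iss, configuredIssuer.get());
                continue;
            }
            // OIDC Core 3.1.3.7 step 3: "aud" MUST contain this client's client_id.
            if (!audiences.contains(clientId)) {
                LOG.trace("{} claim {} does not contain client id {}", AUDIENCE, audiences, clientId);
                continue;
            }
            // Steps 4 and 5: azp rules. Issuer and audience already match this client.
            if (validateAzp(clientId, claims, audiences)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Reads the {@code aud} claim as a list of strings.
     *
     * @param claims the parsed JWT claims
     * @return the audiences (a single-element list for a scalar {@code aud}), or {@code null}
     *         when the claim is absent; {@code null} elements inside an {@code aud} array are skipped
     */
    @Nullable
    private List<String> parseAudiences(@NonNull JwtClaims claims) {
        Object audClaim = claims.get(AUDIENCE);
        if (audClaim == null) {
            return null;
        }
        List<String> audiences = new ArrayList<>();
        if (audClaim instanceof List) {
            for (Object audience : (List<?>) audClaim) {
                if (audience != null) {
                    audiences.add(audience.toString());
                }
            }
        } else {
            audiences.add(audClaim.toString());
        }
        return audiences;
    }

    /**
     * Applies the authorized-party rules of OIDC Core 3.1.3.7 steps 4 and 5.
     *
     * <p>If {@code azp} is present it must equal {@code clientId}, whatever the number of
     * audiences. If it is absent, that is acceptable only for a single audience; a token with
     * several audiences and no {@code azp} is rejected.
     *
     * @param clientId  the client id of the configuration whose issuer and audience matched
     * @param claims    the parsed JWT claims
     * @param audiences the audiences parsed from the {@code aud} claim
     * @return {@code true} if the azp rules hold for this client
     */
    private boolean validateAzp(@NonNull String clientId, @NonNull JwtClaims claims, @NonNull List<String> audiences) {
        Object azp = claims.get(AUTHORIZED_PARTY);
        if (azp == null) {
            if (audiences.size() < 2) {
                LOG.trace("{} claim is not required for single audiences", AUTHORIZED_PARTY);
                return true;
            }
            LOG.trace("{} claim not present", AUTHORIZED_PARTY);
            return false;
        }
        // Client ids are opaque identifiers; compare exactly, consistent with the "aud" check.
        boolean matches = azp.toString().equals(clientId);
        if (!matches) {
            LOG.trace("{} claim does not match client id {}", AUTHORIZED_PARTY, clientId);
        }
        return matches;
    }
}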
