package io.micronaut.security.oauth2.client;

import io.micronaut.context.annotation.Requirements;
import io.micronaut.context.annotation.Requires;
import io.micronaut.core.annotation.NonNull;
import io.micronaut.core.annotation.Nullable;
import io.micronaut.security.oauth2.client.clientcredentials.propagation.ClientCredentialsHeaderTokenPropagator;
import io.micronaut.security.oauth2.configuration.OauthClientConfiguration;
import io.micronaut.security.oauth2.configuration.OpenIdClientConfiguration;
import io.micronaut.security.token.Claims;
import io.micronaut.security.token.jwt.validator.GenericJwtClaimsValidator;
import jakarta.inject.Singleton;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.Optional;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

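/**
 * Validates the {@code iss}, {@code aud} and {@code azp} claims of an OpenID Connect ID Token
 * against the configured OAuth 2.0 clients, following the ID Token validation rules of
 * OpenID Connect Core 1.0 section 3.1.3.7 (steps 2-5).
 *
 * <p>A token is accepted when at least one configured client that has an {@code openid}
 * section satisfies all of:
 * <ul>
 *   <li>the client's configured issuer exactly matches the {@code iss} claim;</li>
 *   <li>the {@code aud} claim (a single string or an array of strings) contains the client id;</li>
 *   <li>when the token lists two or more audiences, an {@code azp} claim is present and
 *       exactly matches the client id.</li>
 * </ul>
 *
 * <p>Security notes:
 * <ul>
 *   <li>Issuer, audience and {@code azp} comparisons are exact (case-sensitive). The spec requires
 *       the issuer to "exactly match" the {@code iss} claim, and client ids are opaque identifiers.</li>
 *   <li>A client whose configuration has no issuer can never match, so a missing issuer in
 *       configuration fails closed rather than silently disabling the check.</li>
 *   <li>With a single audience the {@code azp} claim is not examined even if present (the spec only
 *       requires it for multiple audiences); a mismatched {@code azp} on a single-audience token is
 *       therefore accepted. Override {@link #validateAzp} to tighten this if your provider never
 *       legitimately does that.</li>
 *   <li>This class does not verify the token signature, {@code exp}/{@code nbf}/{@code iat} or the
 *       nonce; those must be enforced elsewhere in the validation chain.</li>
 * </ul>
 *
 * @param <T> type of the extra context (e.g. the request) handed to the validator; unused here
 */
@Requirements({
    @Requires(property = "micronaut.security.authentication", value = "idtoken"),
    @Requires(property = "micronaut.security.token.jwt.claims-validators.openid-idtoken", notEquals = "false")
})
@Singleton
public class IdTokenClaimsValidator<T> implements GenericJwtClaimsValidator<T> {
    protected static final Logger LOG = LoggerFactory.getLogger(IdTokenClaimsValidator.class);
    protected static final String AUTHORIZED_PARTY = "azp";
    protected static final String ISSUER = "iss";
    protected static final String AUDIENCE = "aud";
    protected final Collection<OauthClientConfiguration> oauthClientConfigurations;

    /**
     * @param oauthClientConfigurations every configured OAuth 2.0 client; only those with an
     *                                  {@code openid} section take part in validation
     */
    public IdTokenClaimsValidator(Collection<OauthClientConfiguration> oauthClientConfigurations) {
        this.oauthClientConfigurations = oauthClientConfigurations;
    }

    /**
     * Runs the issuer/audience/azp checks against every configured client.
     *
     * @param claims  the (already parsed) token claims
     * @param context extra context supplied by the caller; not consulted by this validator
     * @return {@code true} if at least one configured client accepts the token; {@code false} when
     *         {@code iss} or {@code aud} is missing or no client matches
     */
    public boolean validate(@NonNull Claims claims, @Nullable T context) {
        Optional<String> issuer = parseIssuerClaim(claims);
        if (!issuer.isPresent()) {
            LOG.debug("issuer claim not present");
            return false;
        }
        Optional<List<String>> audiences = parseAudiences(claims);
        if (!audiences.isPresent()) {
            LOG.debug("audiences claim not present");
            return false;
        }
        return validateIssuerAudienceAndAzp(claims, issuer.get(), audiences.get());
    }

    /**
     * @param claims the token claims
     * @return the {@code iss} claim rendered as a string, or empty if absent
     */
    protected Optional<String> parseIssuerClaim(Claims claims) {
        return parseClaimString(claims, ISSUER);
    }

    /**
     * Looks up a raw claim value.
     *
     * @param claims    the token claims
     * @param claimName name of the claim to read
     * @return the raw claim object, or empty if the claim is absent or null
     */
    protected Optional<Object> parseClaim(Claims claims, String claimName) {
        Object value = claims.get(claimName);
        if (value == null) {
            LOG.trace("{} claim not present", claimName);
            return Optional.empty();
        }
        return Optional.of(value);
    }

    /**
     * @param claims    the token claims
     * @param claimName name of the claim to read
     * @return the claim's {@code toString()} value, or empty if the claim is absent
     */
    protected Optional<String> parseClaimString(Claims claims, String claimName) {
        return parseClaim(claims, claimName).map(Object::toString);
    }

    /**
     * Reads a claim that may be either a single value or a JSON array of values.
     *
     * @param claims    the token claims
     * @param claimName name of the claim to read
     * @return the claim's elements as strings (a scalar becomes a one-element list); empty if the
     *         claim is absent or the array contains a null element (treated as malformed, so the
     *         token is rejected instead of an exception escaping the validator)
     */
    protected Optional<List<String>> parseClaimList(Claims claims, String claimName) {
        Optional<Object> raw = parseClaim(claims, claimName);
        if (!raw.isPresent()) {
            return Optional.empty();
        }
        Object value = raw.get();
        List<String> values = new ArrayList<>();
        if (value instanceof List) {
            for (Object element : (List<?>) value) {
                if (element == null) {
                    // element.toString() would throw NPE here and surface as an error rather than a
                    // rejection; a JSON null inside aud is malformed, so fail closed.
                    LOG.debug("{} claim contains a null element; treating the claim as malformed", claimName);
                    return Optional.empty();
                }
                values.add(element.toString());
            }
        } else {
            values.add(value.toString());
        }
        return Optional.of(values);
    }

    /**
     * @param claims the token claims
     * @return the {@code aud} claim as a list of strings, or empty if absent or malformed
     */
    protected Optional<List<String>> parseAudiences(Claims claims) {
        return parseClaimList(claims, AUDIENCE);
    }

    /**
     * Accepts the token if any configured client accepts it.
     *
     * @param claims    the token claims
     * @param issuer    value of the {@code iss} claim
     * @param audiences values of the {@code aud} claim
     * @return {@code true} if at least one client passes {@link #validateIssuerAudienceAndAzp(Claims, String, List, OauthClientConfiguration)}
     */
    protected boolean validateIssuerAudienceAndAzp(@NonNull Claims claims, @NonNull String issuer, @NonNull List<String> audiences) {
        return this.oauthClientConfigurations.stream()
                .anyMatch(client -> validateIssuerAudienceAndAzp(claims, issuer, audiences, client));
    }

    /**
     * Validates against one client; clients without an {@code openid} section never match.
     *
     * @param claims                   the token claims
     * @param issuer                   value of the {@code iss} claim
     * @param audiences                values of the {@code aud} claim
     * @param oauthClientConfiguration the client to validate against
     * @return {@code true} if the client has OpenID configuration and the token passes its checks
     */
    protected boolean validateIssuerAudienceAndAzp(@NonNull Claims claims, @NonNull String issuer, @NonNull List<String> audiences, @NonNull OauthClientConfiguration oauthClientConfiguration) {
        Optional<OpenIdClientConfiguration> openid = oauthClientConfiguration.getOpenid();
        if (!openid.isPresent()) {
            return false;
        }
        return validateIssuerAudienceAndAzp(claims, issuer, audiences, oauthClientConfiguration.getClientId(), openid.get());
    }

    /**
     * Applies the three checks for one client, in the order the spec lists them:
     * issuer (step 2), audience (step 3), authorized party (steps 4-5).
     *
     * @param claims                    the token claims
     * @param issuer                    value of the {@code iss} claim
     * @param audiences                 values of the {@code aud} claim
     * @param clientId                  the client id registered at the issuer
     * @param openIdClientConfiguration the client's OpenID configuration (supplies the expected issuer)
     * @return {@code true} only if all three checks pass
     */
    protected boolean validateIssuerAudienceAndAzp(@NonNull Claims claims, @NonNull String issuer, @NonNull List<String> audiences, @NonNull String clientId, @NonNull OpenIdClientConfiguration openIdClientConfiguration) {
        // orElse(false): a client with no configured issuer can never match (fail closed).
        if (!matchesIssuer(openIdClientConfiguration, issuer).orElse(false)) {
            LOG.debug("configuration issuer '{}' does not match claim issuer '{}'",
                    openIdClientConfiguration.getIssuer().map(Object::toString).orElse(""), issuer);
            return false;
        }
        // Step 3: the audience list must name this client. Exact match on the opaque client id.
        if (!audiences.contains(clientId)) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("audiences '{}' does not contain client id '{}'",
                        String.join(ClientCredentialsHeaderTokenPropagator.SPACE, audiences), clientId);
            }
            return false;
        }
        if (!validateAzp(claims, clientId, audiences)) {
            LOG.debug("azp not valid");
            return false;
        }
        return true;
    }

    /**
     * OIDC Core 3.1.3.7 step 2: the configured issuer MUST exactly match the {@code iss} claim.
     * The comparison is case-sensitive on purpose: the path part of an issuer URL is
     * case-sensitive, and tolerating case differences is a deviation the spec does not allow.
     *
     * @param openIdClientConfiguration client configuration holding the expected issuer
     * @param issuer                    value of the {@code iss} claim
     * @return whether the issuers match, or empty if the configuration has no issuer
     */
    @NonNull
    protected Optional<Boolean> matchesIssuer(@NonNull OpenIdClientConfiguration openIdClientConfiguration, @NonNull String issuer) {
        return openIdClientConfiguration.getIssuer()
                .map(Object::toString)
                .map(configured -> configured.equals(issuer));
    }

    /**
     * @param claims the token claims
     * @return the {@code azp} claim rendered as a string, or empty if absent
     */
    protected Optional<String> parseAzpClaim(Claims claims) {
        return parseClaimString(claims, AUTHORIZED_PARTY);
    }

    /**
     * OIDC Core 3.1.3.7 steps 4-5: with multiple audiences an {@code azp} claim must be present
     * and must equal this client's id.
     *
     * <p>With fewer than two audiences the claim is not examined at all, even if present. This is
     * the lenient reading kept from the original behaviour; whether your provider ever sets
     * {@code azp} on a single-audience token to a different client id should be confirmed before
     * tightening it in a subclass.
     *
     * @param claims    the token claims
     * @param clientId  the client id registered at the issuer
     * @param audiences values of the {@code aud} claim
     * @return {@code true} if the azp requirement is satisfied for this audience list
     */
    protected boolean validateAzp(@NonNull Claims claims, @NonNull String clientId, @NonNull List<String> audiences) {
        if (audiences.size() < 2) {
            LOG.trace("{} claim is not required for single audiences", AUTHORIZED_PARTY);
            return true;
        }
        Optional<String> azp = parseAzpClaim(claims);
        if (!azp.isPresent()) {
            LOG.debug("azp claim not present");
            return false;
        }
        // Exact match: client ids are opaque identifiers, and the aud check above is exact too.
        boolean matches = azp.get().equals(clientId);
        if (!matches) {
            LOG.debug("{} claim does not match client id {}", AUTHORIZED_PARTY, clientId);
        }
        return matches;
    }
}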
