package io.micronaut.security.oauth2.endpoint.token.response.validation;

import com.nimbusds.jwt.JWT;
import io.micronaut.context.annotation.Requires;
import io.micronaut.core.annotation.Internal;
import io.micronaut.core.annotation.NonNull;
import io.micronaut.core.annotation.Nullable;
import io.micronaut.core.async.annotation.SingleResult;
import io.micronaut.http.HttpRequest;
import io.micronaut.http.context.ServerRequestContext;
import io.micronaut.security.oauth2.client.OpenIdProviderMetadata;
import io.micronaut.security.oauth2.configuration.OauthClientConfiguration;
import io.micronaut.security.oauth2.endpoint.token.response.JWTOpenIdClaims;
import io.micronaut.security.oauth2.endpoint.token.response.OpenIdTokenResponse;
import io.micronaut.security.token.jwt.validator.GenericJwtClaimsValidator;
import io.micronaut.security.token.jwt.validator.ReactiveJsonWebTokenValidator;
import jakarta.inject.Singleton;
import java.text.ParseException;
import java.util.Collection;
import java.util.stream.Collectors;
import org.reactivestreams.Publisher;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import reactor.core.publisher.Mono;

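/**
 * Default {@link ReactiveOpenIdTokenResponseValidator} for OpenID token responses.
 * <p>
 * The ID token is first handed to the configured {@link ReactiveJsonWebTokenValidator}
 * (signature / JWT-level validation); every token that passes is then checked against
 * the generic JWT claims validators, the OpenID-specific claims validators and, when a
 * {@link NonceClaimValidator} bean is present, the nonce validator. The token is only
 * emitted when every step succeeds; failures are logged and the publisher completes empty.
 */
@Singleton
@Requires(classes = {HttpRequest.class})
@Internal
/* loaded from: input_file:io/micronaut/security/oauth2/endpoint/token/response/validation/DefaultReactiveOpenIdTokenResponseValidator.class */
class DefaultReactiveOpenIdTokenResponseValidator implements ReactiveOpenIdTokenResponseValidator<JWT> {
    private static final Logger LOG = LoggerFactory.getLogger(DefaultReactiveOpenIdTokenResponseValidator.class);
    private final Collection<OpenIdClaimsValidator> openIdClaimsValidators;
    private final Collection<GenericJwtClaimsValidator<HttpRequest<?>>> genericJwtClaimsValidators;
    /** May be {@code null}: in that case nonce validation is skipped entirely. */
    private final NonceClaimValidator nonceClaimValidator;
    private final ReactiveJsonWebTokenValidator<JWT, HttpRequest<?>> jwtTokenValidator;

    /**
     * @param openIdClaimsValidators     OpenID-specific claims validators, all of which must accept the claims
     * @param genericJwtClaimsValidators generic JWT claims validators, all of which must accept the claims
     * @param nonceClaimValidator        nonce validator, or {@code null} when no such bean exists
     * @param jwtTokenValidator          validator that checks the raw ID token (e.g. its signature) before claims are inspected
     */
    public DefaultReactiveOpenIdTokenResponseValidator(@NonNull Collection<OpenIdClaimsValidator> openIdClaimsValidators,
                                                       @NonNull Collection<GenericJwtClaimsValidator<HttpRequest<?>>> genericJwtClaimsValidators,
                                                       @Nullable NonceClaimValidator nonceClaimValidator,
                                                       @NonNull ReactiveJsonWebTokenValidator<JWT, HttpRequest<?>> jwtTokenValidator) {
        this.openIdClaimsValidators = openIdClaimsValidators;
        this.genericJwtClaimsValidators = genericJwtClaimsValidators;
        this.nonceClaimValidator = nonceClaimValidator;
        this.jwtTokenValidator = jwtTokenValidator;
    }

    /**
     * Validates the ID token contained in {@code openIdTokenResponse}.
     *
     * @param oauthClientConfiguration the OAuth 2.0 client configuration the token was obtained for
     * @param openIdProviderMetadata   metadata of the OpenID provider that issued the token
     * @param openIdTokenResponse      token response whose ID token is validated
     * @param nonce                    value forwarded to the {@link NonceClaimValidator}; presumably the nonce sent
     *                                 in the authorization request, may be {@code null}
     * @return a publisher that emits the parsed {@link JWT} when token and claims validation succeed,
     *         and completes empty otherwise
     */
    @Override
    @SingleResult
    @NonNull
    public Publisher<JWT> validate(@NonNull OauthClientConfiguration oauthClientConfiguration,
                                   @NonNull OpenIdProviderMetadata openIdProviderMetadata,
                                   @NonNull OpenIdTokenResponse openIdTokenResponse,
                                   @Nullable String nonce) {
        if (LOG.isTraceEnabled()) {
            LOG.trace("Validating the JWT signature using the JWKS uri [{}]", openIdProviderMetadata.getJwksUri());
        }
        // The current server request (if any) is handed to the token validator; it is null when
        // this runs outside of a request context.
        HttpRequest<?> currentRequest = ServerRequestContext.currentRequest().orElse(null);
        return Mono.from(jwtTokenValidator.validate(openIdTokenResponse.getIdToken(), currentRequest))
                .filter(jwt -> validateClaims(oauthClientConfiguration, openIdProviderMetadata, jwt, nonce));
    }

    /**
     * Runs all claims-level checks on an already token-validated JWT.
     * Order matters for the log output only: the first failing stage is the one reported.
     *
     * @return {@code true} only if the claims could be parsed and every stage accepted them
     */
    private boolean validateClaims(@NonNull OauthClientConfiguration oauthClientConfiguration,
                                   @NonNull OpenIdProviderMetadata openIdProviderMetadata,
                                   @NonNull JWT jwt,
                                   @Nullable String nonce) {
        JWTOpenIdClaims claims;
        try {
            claims = new JWTOpenIdClaims(jwt.getJWTClaimsSet());
        } catch (ParseException e) {
            LOG.error("Failed to parse the JWT returned from provider [{}]", oauthClientConfiguration.getName(), e);
            return false;
        }
        if (!genericClaimsValid(claims)) {
            LOG.error("JWT generic claims validation failed for provider [{}]", oauthClientConfiguration.getName());
            return false;
        }
        if (!openIdClaimsValid(claims, oauthClientConfiguration, openIdProviderMetadata)) {
            LOG.error("JWT OpenID specific claims validation failed for provider [{}]", oauthClientConfiguration.getName());
            return false;
        }
        return nonceValid(claims, oauthClientConfiguration, openIdProviderMetadata, nonce);
    }

    /** All generic JWT claims validators must accept the claims. */
    private boolean genericClaimsValid(@NonNull JWTOpenIdClaims claims) {
        // NOTE(review): unlike the token validator in validate(), these validators receive no
        // HTTP request (null) even when one is available — confirm this is intended.
        return genericJwtClaimsValidators.stream()
                .allMatch(validator -> validator.validate(claims, null));
    }

    /** All OpenID-specific claims validators must accept the claims. */
    private boolean openIdClaimsValid(@NonNull JWTOpenIdClaims claims,
                                      @NonNull OauthClientConfiguration oauthClientConfiguration,
                                      @NonNull OpenIdProviderMetadata openIdProviderMetadata) {
        return openIdClaimsValidators.stream()
                .allMatch(validator -> validator.validate(claims, oauthClientConfiguration, openIdProviderMetadata));
    }

    /**
     * Nonce check; passes trivially when no {@link NonceClaimValidator} bean is present.
     * A failed check is logged together with the token's claims.
     */
    private boolean nonceValid(@NonNull JWTOpenIdClaims claims,
                               @NonNull OauthClientConfiguration oauthClientConfiguration,
                               @NonNull OpenIdProviderMetadata openIdProviderMetadata,
                               @Nullable String nonce) {
        if (nonceClaimValidator == null) {
            if (LOG.isTraceEnabled()) {
                LOG.trace("Skipping nonce validation because no bean of type {} present. ", NonceClaimValidator.class.getSimpleName());
            }
            return true;
        }
        if (nonceClaimValidator.validate(claims, oauthClientConfiguration, openIdProviderMetadata, nonce)) {
            return true;
        }
        // Guarded because rendering the claims is comparatively expensive.
        // NOTE(review): this writes every claim value of the ID token (which may carry user
        // attributes such as email) to the error log — consider logging only the claim names.
        if (LOG.isErrorEnabled()) {
            LOG.error("Nonce {} validation failed for claims {}", nonce, formatClaims(claims));
        }
        return false;
    }

    /** Renders the claims as {@code {name=value, ...}} for log output. */
    private static String formatClaims(@NonNull JWTOpenIdClaims claims) {
        return claims.getClaims().keySet().stream()
                .map(name -> name + "=" + claims.getClaims().get(name))
                .collect(Collectors.joining(", ", "{", "}"));
    }
}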
