package fish.payara.security.openid.controller;

import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.proc.BadJWTException;
import com.nimbusds.jwt.proc.JWTClaimsSetVerifier;
import fish.payara.security.openid.api.OpenIdConstant;
import fish.payara.security.openid.domain.OpenIdConfiguration;
import java.util.Date;
import java.util.List;
import java.util.Objects;

/* loaded from: input_file:MICRO-INF/runtime/openid-client-integration.jar:fish/payara/security/openid/controller/TokenClaimsSetVerifier.class */
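/**
 * Base {@link JWTClaimsSetVerifier} for tokens the OpenID provider issues to this client.
 *
 * <p>Validates the claims common to every token type — {@code iss}, {@code sub}, {@code aud},
 * {@code azp}, {@code exp} and {@code iat} — against the client's {@link OpenIdConfiguration},
 * then hands the claims to {@link #verify(JWTClaimsSet)} for token-type-specific checks.
 *
 * <p>Note that a failed common check is reported as an {@link IllegalStateException}, not as the
 * {@link BadJWTException} declared by the Nimbus interface; callers that only catch the checked
 * exception will see these failures propagate as runtime exceptions.
 */
public abstract class TokenClaimsSetVerifier implements JWTClaimsSetVerifier {

    /**
     * Tolerance applied to the {@code exp} and {@code iat} checks to absorb clock skew between
     * this client and the provider (one minute).
     */
    protected static final long CLOCK_SKEW_MILLIS = 60L * 1000L;

    protected final OpenIdConfiguration configuration;

    /**
     * @param openIdConfiguration client configuration supplying the expected issuer and client id
     */
    public TokenClaimsSetVerifier(OpenIdConfiguration openIdConfiguration) {
        this.configuration = openIdConfiguration;
    }

    /**
     * Runs the common claim checks and then the subclass-specific {@link #verify(JWTClaimsSet)}.
     *
     * @param jWTClaimsSet    the parsed claims of the token under verification
     * @param securityContext unused by the common checks
     * @throws IllegalStateException if a required claim is missing or does not match the
     *                               configured provider/client, or the token is outside its
     *                               validity window (beyond {@link #CLOCK_SKEW_MILLIS})
     * @throws BadJWTException       propagated from {@link #verify(JWTClaimsSet)}
     */
    @Override // com.nimbusds.jwt.proc.JWTClaimsSetVerifier
    public void verify(JWTClaimsSet jWTClaimsSet, SecurityContext securityContext) throws BadJWTException {
        verifyIssuer(jWTClaimsSet);
        verifySubject(jWTClaimsSet);
        verifyAudience(jWTClaimsSet);
        // The clock is read once so exp and iat are judged against the same instant.
        verifyTimestamps(jWTClaimsSet, System.currentTimeMillis());
        verify(jWTClaimsSet);
    }

    /** Rejects a missing {@code iss} claim or one that differs from the configured provider issuer. */
    private void verifyIssuer(JWTClaimsSet claims) {
        String issuer = claims.getIssuer();
        if (Objects.isNull(issuer)) {
            throw new IllegalStateException("Missing issuer (iss) claim");
        }
        String expectedIssuer = this.configuration.getProviderMetadata().getIssuerURI();
        if (!issuer.equals(expectedIssuer)) {
            // NOTE: the message reports the configured issuer, not the value found in the token.
            throw new IllegalStateException("Invalid issuer : " + expectedIssuer);
        }
    }

    /** Rejects a token without a {@code sub} claim. */
    private void verifySubject(JWTClaimsSet claims) {
        if (Objects.isNull(claims.getSubject())) {
            throw new IllegalStateException("Missing subject (sub) claim");
        }
    }

    /**
     * Rejects a missing or empty {@code aud}, an {@code aud} that does not name this client and,
     * for tokens with more than one audience, a missing or foreign {@code azp}.
     */
    private void verifyAudience(JWTClaimsSet claims) {
        List<String> audience = claims.getAudience();
        if (Objects.isNull(audience) || audience.isEmpty()) {
            throw new IllegalStateException("Missing audience (aud) claim");
        }
        String clientId = this.configuration.getClientId();
        if (!audience.contains(clientId)) {
            throw new IllegalStateException("Invalid audience (aud) claim " + audience);
        }
        // azp is only required when the token carries several audiences (OIDC Core 3.1.3.7);
        // a single-audience token is accepted whether or not azp is present.
        if (audience.size() > 1) {
            Object authorizedParty = claims.getClaim(OpenIdConstant.AUTHORIZED_PARTY);
            if (Objects.isNull(authorizedParty)) {
                throw new IllegalStateException("Missing authorized party (azp) claim");
            }
            if (!authorizedParty.equals(clientId)) {
                // NOTE: the message reports the configured client id, not the azp value in the token.
                throw new IllegalStateException("Invalid authorized party (azp) claim " + clientId);
            }
        }
    }

    /**
     * Rejects a missing {@code exp} or {@code iat}, a token expired by more than the skew
     * allowance, or one issued more than the skew allowance in the future.
     *
     * @param nowMillis the instant, in epoch milliseconds, to judge both claims against
     */
    private void verifyTimestamps(JWTClaimsSet claims, long nowMillis) {
        Date expirationTime = claims.getExpirationTime();
        if (Objects.isNull(expirationTime)) {
            throw new IllegalStateException("Missing expiration time (exp) claim");
        }
        if (expirationTime.getTime() + CLOCK_SKEW_MILLIS < nowMillis) {
            throw new IllegalStateException("ID token is expired " + expirationTime);
        }
        Date issueTime = claims.getIssueTime();
        if (Objects.isNull(issueTime)) {
            throw new IllegalStateException("Missing issue time (iat) claim");
        }
        if (issueTime.getTime() - CLOCK_SKEW_MILLIS > nowMillis) {
            throw new IllegalStateException("Issue time must be after current time " + issueTime);
        }
    }

    /**
     * Token-type-specific checks, run after the common claim checks have passed.
     *
     * @param jWTClaimsSet the parsed claims of the token under verification
     * @throws BadJWTException if the token-specific validation fails
     */
    public abstract void verify(JWTClaimsSet jWTClaimsSet) throws BadJWTException;
}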
