package org.pac4j.oidc.profile.creator;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jwt.JWT;
import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.auth.Secret;
import com.nimbusds.oauth2.sdk.http.HTTPRequest;
import com.nimbusds.oauth2.sdk.http.HTTPResponse;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.token.AccessToken;
import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
import com.nimbusds.oauth2.sdk.token.RefreshToken;
import com.nimbusds.openid.connect.sdk.Nonce;
import com.nimbusds.openid.connect.sdk.UserInfoErrorResponse;
import com.nimbusds.openid.connect.sdk.UserInfoRequest;
import com.nimbusds.openid.connect.sdk.UserInfoResponse;
import com.nimbusds.openid.connect.sdk.UserInfoSuccessResponse;
import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet;
import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URI;
import java.util.List;
import java.util.Map;
import org.pac4j.core.context.WebContext;
import org.pac4j.core.exception.TechnicalException;
import org.pac4j.core.profile.AttributeLocation;
import org.pac4j.core.profile.ProfileHelper;
import org.pac4j.core.profile.creator.ProfileCreator;
import org.pac4j.core.profile.definition.ProfileDefinitionAware;
import org.pac4j.core.util.CommonHelper;
import org.pac4j.oidc.config.OidcConfiguration;
import org.pac4j.oidc.credentials.OidcCredentials;
import org.pac4j.oidc.profile.OidcProfile;
import org.pac4j.oidc.profile.OidcProfileDefinition;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:BOOT-INF/lib/pac4j-oidc-3.0.0-RC2.jar:org/pac4j/oidc/profile/creator/OidcProfileCreator.class */
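/**
 * Builds an {@link OidcProfile} from OpenID Connect credentials.
 *
 * <p>The ID token is validated by the {@link IDTokenValidator} built in {@link #internalInit()}
 * (issuer, client id, signature according to the selected JWS algorithm, optional nonce and clock
 * skew). When the provider exposes a UserInfo endpoint and an access token is present, the
 * UserInfo claims are added first; ID token claims are then added only where no attribute of
 * that name exists yet.
 *
 * <p>Security note: a JWS algorithm of {@code "none"} produces a validator that performs no
 * signature verification. It is used only when it is the configured preferred algorithm or the
 * provider offers no signing algorithm at all, and it is always logged at WARN.
 *
 * @param <U> the concrete profile type produced by this creator
 */
public class OidcProfileCreator<U extends OidcProfile> extends ProfileDefinitionAware<U> implements ProfileCreator<OidcCredentials, U> {
    private static final Logger logger = LoggerFactory.getLogger(OidcProfileCreator.class);

    /** Name of the unsecured JWS algorithm ({@code alg: none}). */
    private static final String NONE_ALGORITHM_NAME = "none";

    protected OidcConfiguration configuration;
    protected IDTokenValidator idTokenValidator;

    /**
     * @param oidcConfiguration the client configuration; asserted non-null at {@link #internalInit()} time
     */
    public OidcProfileCreator(OidcConfiguration oidcConfiguration) {
        this.configuration = oidcConfiguration;
    }

    /**
     * Builds the ID token validator and installs the default profile definition.
     *
     * <p>The JWS algorithm is the configured preferred one when the provider supports it; otherwise
     * the first signing algorithm the provider lists (see {@link #selectJwsAlgorithm}). HMAC
     * algorithms are used with the client secret when one is configured; every other algorithm is
     * checked against the provider's JWK set.
     *
     * @throws TechnicalException if the configuration is missing or the provider lists no JWS algorithm
     */
    @Override
    public void internalInit() {
        CommonHelper.assertNotNull("configuration", this.configuration);
        final List<JWSAlgorithm> supportedAlgorithms = this.configuration.findProviderMetadata().getIDTokenJWSAlgs();
        CommonHelper.assertTrue(CommonHelper.isNotEmpty(supportedAlgorithms), "There must at least one JWS algorithm supported on the OpenID Connect provider side");

        JWSAlgorithm algorithm = selectJwsAlgorithm(this.configuration.getPreferredJwsAlgorithm(), supportedAlgorithms);
        if (isNoneAlgorithm(algorithm)) {
            // A null algorithm selects the two-argument (unsecured, plain ID token) validator below:
            // the token signature is not checked at all, so make that visible in the logs.
            logger.warn("JWS algorithm 'none' selected: ID token signatures will NOT be verified");
            algorithm = null;
        }

        final ClientID clientId = new ClientID(this.configuration.getClientId());
        if (algorithm == null) {
            this.idTokenValidator = new IDTokenValidator(this.configuration.findProviderMetadata().getIssuer(), clientId);
        } else if (CommonHelper.isNotBlank(this.configuration.getSecret()) && isHmacAlgorithm(algorithm)) {
            // The Secret is only built when it is actually used, so clients without a secret do not fail here.
            this.idTokenValidator = createHMACTokenValidator(algorithm, clientId, new Secret(this.configuration.getSecret()));
        } else {
            this.idTokenValidator = createRSATokenValidator(algorithm, clientId);
        }
        this.idTokenValidator.setMaxClockSkew(this.configuration.getMaxClockSkew());
        defaultProfileDefinition(new OidcProfileDefinition());
    }

    /**
     * Chooses the JWS algorithm used to validate ID tokens.
     *
     * <p>The preferred algorithm wins when the provider supports it. Otherwise the first algorithm the
     * provider lists that actually signs the token is taken; {@code "none"} is only used as a last resort
     * when the provider offers nothing else, so a mismatch between configuration and provider cannot
     * silently downgrade to unverified tokens. The fallback is logged at WARN.
     *
     * @param preferred the configured preferred algorithm (may be null)
     * @param supported the non-empty list of algorithms advertised by the provider
     * @return the algorithm to use (never null)
     */
    private JWSAlgorithm selectJwsAlgorithm(final JWSAlgorithm preferred, final List<JWSAlgorithm> supported) {
        if (supported.contains(preferred)) {
            return preferred;
        }
        JWSAlgorithm fallback = supported.get(0);
        for (final JWSAlgorithm candidate : supported) {
            if (!isNoneAlgorithm(candidate)) {
                fallback = candidate;
                break;
            }
        }
        logger.warn("Preferred JWS algorithm: {} not available. Defaulting to: {}", preferred, fallback);
        return fallback;
    }

    /** @return whether {@code algorithm} is the unsecured {@code "none"} algorithm (null-safe). */
    private static boolean isNoneAlgorithm(final JWSAlgorithm algorithm) {
        return algorithm != null && NONE_ALGORITHM_NAME.equals(algorithm.getName());
    }

    /** @return whether {@code algorithm} is one of the HMAC-SHA algorithms validated with the client secret. */
    private static boolean isHmacAlgorithm(final JWSAlgorithm algorithm) {
        return JWSAlgorithm.HS256.equals(algorithm)
            || JWSAlgorithm.HS384.equals(algorithm)
            || JWSAlgorithm.HS512.equals(algorithm);
    }

    /**
     * Creates a validator that checks ID token signatures against the provider's JWK set.
     *
     * @param jWSAlgorithm the expected (asymmetric) JWS algorithm
     * @param clientID     the expected audience
     * @return the validator
     * @throws TechnicalException if the provider metadata has no JWK set URI or it is not a valid URL
     */
    public IDTokenValidator createRSATokenValidator(JWSAlgorithm jWSAlgorithm, ClientID clientID) {
        final URI jwkSetUri = this.configuration.findProviderMetadata().getJWKSetURI();
        // Without a JWK set there is no key to verify the signature with; fail with a clear message.
        CommonHelper.assertNotNull("jwkSetUri", jwkSetUri);
        try {
            return new IDTokenValidator(this.configuration.findProviderMetadata().getIssuer(), clientID, jWSAlgorithm,
                jwkSetUri.toURL(), this.configuration.findResourceRetriever());
        } catch (MalformedURLException e) {
            throw new TechnicalException(e);
        }
    }

    /**
     * Creates a validator that checks ID token signatures with the shared client secret.
     *
     * @param jWSAlgorithm the expected HMAC JWS algorithm
     * @param clientID     the expected audience
     * @param secret       the client secret used as HMAC key
     * @return the validator
     */
    protected IDTokenValidator createHMACTokenValidator(JWSAlgorithm jWSAlgorithm, ClientID clientID, Secret secret) {
        return new IDTokenValidator(this.configuration.findProviderMetadata().getIssuer(), clientID, jWSAlgorithm, secret);
    }

    /**
     * Creates the profile: validates the ID token, sets the tokens and the subject as id, then adds the
     * UserInfo claims (when available) and the remaining ID token claims.
     *
     * @param oidcCredentials the credentials holding the access, refresh and ID tokens
     * @param webContext      the web context; the session store provides the expected nonce when nonces are enabled
     * @return the populated profile
     * @throws TechnicalException if the ID token fails validation, or the UserInfo call or parsing fails
     */
    @Override
    public U create(OidcCredentials oidcCredentials, WebContext webContext) {
        init();
        final AccessToken accessToken = oidcCredentials.getAccessToken();
        final U profile = (U) getProfileDefinition().newProfile(new Object[0]);
        profile.setAccessToken(accessToken);
        final JWT idToken = oidcCredentials.getIdToken();
        profile.setIdTokenString(idToken.getParsedString());
        final RefreshToken refreshToken = oidcCredentials.getRefreshToken();
        if (refreshToken != null && !refreshToken.getValue().isEmpty()) {
            profile.setRefreshToken(refreshToken);
            logger.debug("Refresh Token successful retrieved");
        }
        try {
            final IDTokenClaimsSet claimsSet = this.idTokenValidator.validate(idToken, expectedNonce(webContext));
            CommonHelper.assertNotNull("claimsSet", claimsSet);
            profile.setId(ProfileHelper.sanitizeIdentifier(profile, claimsSet.getSubject()));
            if (this.configuration.findProviderMetadata().getUserInfoEndpointURI() != null && accessToken != null) {
                addUserInfoClaims(profile, accessToken);
            }
            addIdTokenClaims(profile, idToken);
            profile.setTokenExpirationAdvance(this.configuration.getTokenExpirationAdvance());
            return profile;
        } catch (JOSEException | BadJOSEException | ParseException | IOException | java.text.ParseException e) {
            throw new TechnicalException(e);
        }
    }

    /**
     * Returns the nonce the ID token must carry, read from the session, or null when nonces are disabled.
     * The nonce ties the ID token to the authentication request started in this session (replay
     * protection); a missing session value is rejected by the {@link Nonce} constructor.
     */
    private Nonce expectedNonce(final WebContext webContext) {
        if (!this.configuration.isUseNonce()) {
            return null;
        }
        return new Nonce((String) webContext.getSessionStore().get(webContext, OidcConfiguration.NONCE_SESSION_ATTRIBUTE));
    }

    /**
     * Calls the UserInfo endpoint with the access token and adds the returned claims to the profile.
     * An error response is logged and otherwise ignored: the profile is still built from the ID token.
     */
    private void addUserInfoClaims(final U profile, final AccessToken accessToken) throws IOException, ParseException, java.text.ParseException {
        final HTTPRequest request = new UserInfoRequest(this.configuration.findProviderMetadata().getUserInfoEndpointURI(), (BearerAccessToken) accessToken).toHTTPRequest();
        request.setConnectTimeout(this.configuration.getConnectTimeout());
        request.setReadTimeout(this.configuration.getReadTimeout());
        final HTTPResponse response = request.send();
        // DEBUG only: the body carries the user's claims (personal data); keep this level off in production logs.
        logger.debug("UserInfo response: status={}, content={}", response.getStatusCode(), response.getContent());
        final UserInfoResponse userInfoResponse = UserInfoResponse.parse(response);
        if (userInfoResponse instanceof UserInfoErrorResponse) {
            logger.error("Bad User Info response, error={}", ((UserInfoErrorResponse) userInfoResponse).getErrorObject());
            return;
        }
        final UserInfoSuccessResponse success = (UserInfoSuccessResponse) userInfoResponse;
        // The endpoint answers either with plain JSON claims or with a signed/encrypted JWT.
        final Map<String, Object> claims = success.getUserInfo() != null
            ? success.getUserInfo().toJWTClaimsSet().getClaims()
            : success.getUserInfoJWT().getJWTClaimsSet().getClaims();
        getProfileDefinition().convertAndAdd(profile, claims, null);
    }

    /**
     * Adds the ID token claims as profile attributes. {@code sub} is skipped (it is already the profile id)
     * and an attribute already present, e.g. from the UserInfo response, is not overwritten.
     */
    private void addIdTokenClaims(final U profile, final JWT idToken) throws java.text.ParseException {
        for (final Map.Entry<String, Object> claim : idToken.getJWTClaimsSet().getClaims().entrySet()) {
            final String name = claim.getKey();
            if (!"sub".equals(name) && profile.getAttribute(name) == null) {
                getProfileDefinition().convertAndAdd(profile, AttributeLocation.PROFILE_ATTRIBUTE, name, claim.getValue());
            }
        }
    }
}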
