package org.mitre.openid.connect.assertion;

import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jwt.ReadOnlyJWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.text.ParseException;
import java.util.Date;
import java.util.HashSet;
import java.util.Set;
import org.mitre.jwt.signer.service.JwtSigningAndValidationService;
import org.mitre.jwt.signer.service.impl.JWKSetCacheService;
import org.mitre.jwt.signer.service.impl.SymmetricCacheService;
import org.mitre.oauth2.model.ClientDetailsEntity;
import org.mitre.oauth2.service.ClientDetailsEntityService;
import org.mitre.openid.connect.config.ConfigurationPropertiesBean;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.oauth2.common.exceptions.InvalidClientException;

/* loaded from: input_file:org/mitre/openid/connect/assertion/JwtBearerAuthenticationProvider.class */
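/**
 * Authenticates a client that proves its identity with a signed JWT assertion
 * (the {@code private_key_jwt} / {@code client_secret_jwt} token endpoint methods).
 *
 * <p>The assertion is accepted only when its signature verifies against the key
 * material implied by the client's registered token endpoint authentication method
 * and its claims (issuer, audience, exp/nbf/iat) are consistent with this server.
 * Any combination of method and algorithm that cannot be verified is rejected; the
 * assertion is never accepted without a signature check.
 */
public class JwtBearerAuthenticationProvider implements AuthenticationProvider {
    private static final Logger logger = LoggerFactory.getLogger(JwtBearerAuthenticationProvider.class);
    private static final GrantedAuthority ROLE_CLIENT = new SimpleGrantedAuthority("ROLE_CLIENT");

    /** Supplies signature validators built from a client's registered JWKS URI (private_key_jwt). */
    @Autowired
    private JWKSetCacheService validators;

    /** Supplies HMAC validators derived from a client's registered secret (client_secret_jwt). */
    @Autowired
    private SymmetricCacheService symmetricCacheService;

    /** Clock skew tolerated when evaluating exp / nbf / iat, in seconds. */
    private int timeSkewAllowance = 300;

    @Autowired
    private ClientDetailsEntityService clientService;

    /** Provides this server's issuer URL, used for the audience check. */
    @Autowired
    private ConfigurationPropertiesBean config;

    /**
     * Authenticates a {@link JwtBearerAssertionAuthenticationToken}.
     *
     * @param authentication the unauthenticated token carrying the client id and the signed JWT
     * @return an authenticated token holding the client's authorities plus {@code ROLE_CLIENT}
     * @throws UsernameNotFoundException if the client id is not registered
     * @throws AuthenticationServiceException if the JWT is malformed, its signature cannot be
     *         verified, or any required claim is missing or inconsistent
     */
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        JwtBearerAssertionAuthenticationToken jwtAuth = (JwtBearerAssertionAuthenticationToken) authentication;
        try {
            ClientDetailsEntity client = this.clientService.loadClientByClientId(jwtAuth.getClientId());
            if (client == null) {
                // The service is expected to throw InvalidClientException for unknown ids (handled
                // below); guard a null return so it cannot surface as a NullPointerException.
                throw new UsernameNotFoundException("Could not find client: " + jwtAuth.getClientId());
            }

            SignedJWT jwt = jwtAuth.getJwt();
            if (jwt == null) {
                throw new AuthenticationServiceException("No JWT assertion was presented");
            }
            ReadOnlyJWTClaimsSet claims = jwt.getJWTClaimsSet();

            verifySignature(client, jwt);
            verifyClaims(client, claims);

            Set<GrantedAuthority> authorities = new HashSet<GrantedAuthority>(client.getAuthorities());
            authorities.add(ROLE_CLIENT);
            return new JwtBearerAssertionAuthenticationToken(client.getClientId(), jwt, authorities);
        } catch (InvalidClientException e) {
            // Keep the cause so the original failure is visible to whoever handles this.
            throw new UsernameNotFoundException("Could not find client: " + jwtAuth.getClientId(), e);
        } catch (ParseException e) {
            logger.error("Failure during authentication, error was: ", e);
            throw new AuthenticationServiceException("Invalid JWT format", e);
        }
    }

    /**
     * Verifies the assertion's signature using the key material that the client's registered
     * token endpoint authentication method implies.
     *
     * <p>Rejects the assertion when the client has pinned a signing algorithm that differs from
     * the JWS header, when the client is not registered for a JWT-based method, when the method
     * and the JWS algorithm do not belong together (e.g. {@code PRIVATE_KEY} with an HMAC
     * algorithm), when no validator can be built, or when the signature does not verify.
     *
     * @param client the registered client presenting the assertion
     * @param jwt the signed assertion
     * @throws AuthenticationServiceException on any verification failure
     */
    private void verifySignature(ClientDetailsEntity client, SignedJWT jwt) {
        JWSAlgorithm alg = jwt.getHeader().getAlgorithm();
        ClientDetailsEntity.AuthMethod method = client.getTokenEndpointAuthMethod();

        // A signing algorithm pinned on the registration must match the presented header.
        if (client.getTokenEndpointAuthSigningAlg() != null
                && !client.getTokenEndpointAuthSigningAlg().equals(alg)) {
            throw new AuthenticationServiceException("Client's registered token endpoint signing algorithm ("
                    + client.getTokenEndpointAuthSigningAlg()
                    + ") does not match assertion's actual algorithm (" + alg.getName() + ")");
        }

        if (method == null
                || method == ClientDetailsEntity.AuthMethod.NONE
                || method == ClientDetailsEntity.AuthMethod.SECRET_BASIC
                || method == ClientDetailsEntity.AuthMethod.SECRET_POST) {
            throw new AuthenticationServiceException("Client does not support this authentication method.");
        }

        JwtSigningAndValidationService validator;
        if (method == ClientDetailsEntity.AuthMethod.PRIVATE_KEY && isRsaAlgorithm(alg)) {
            validator = this.validators.getValidator(client.getJwksUri());
            if (validator == null) {
                throw new AuthenticationServiceException(
                        "Unable to create signature validator for client's JWKS URI: " + client.getJwksUri());
            }
        } else if (method == ClientDetailsEntity.AuthMethod.SECRET_JWT && isHmacAlgorithm(alg)) {
            validator = this.symmetricCacheService.getSymmetricValidtor(client);
            if (validator == null) {
                // Identify the client, not its secret: this message may end up in logs.
                throw new AuthenticationServiceException(
                        "Unable to create signature validator for client's secret; client: " + client.getClientId());
            }
        } else {
            // Method/algorithm combinations that cannot be verified are an error, never a pass-through.
            throw new AuthenticationServiceException("Unable to verify signature for authentication method "
                    + method + " and algorithm " + alg.getName());
        }

        if (!validator.validateSignature(jwt)) {
            throw new AuthenticationServiceException("Signature did not validate for presented JWT authentication.");
        }
    }

    /**
     * Checks the assertion's claims against the client and this server: the issuer must equal
     * the client id; {@code exp} must be present and not in the past; {@code nbf} and
     * {@code iat}, when present, must not be in the future; the audience must contain this
     * server's issuer or issuer + "token". Time checks allow {@link #timeSkewAllowance} seconds
     * of clock skew.
     *
     * @param client the registered client presenting the assertion
     * @param claims the parsed claims of the assertion
     * @throws AuthenticationServiceException if any claim is missing or inconsistent
     */
    private void verifyClaims(ClientDetailsEntity client, ReadOnlyJWTClaimsSet claims) {
        if (claims.getIssuer() == null) {
            throw new AuthenticationServiceException("Assertion Token Issuer is null");
        }
        if (!claims.getIssuer().equals(client.getClientId())) {
            throw new AuthenticationServiceException("Issuers do not match, expected "
                    + client.getClientId() + " got " + claims.getIssuer());
        }

        if (claims.getExpirationTime() == null) {
            throw new AuthenticationServiceException("Assertion Token does not have required expiration claim");
        }

        // Evaluate all time claims against a single reading of the clock; widen with long
        // arithmetic so a large skew allowance cannot overflow the millisecond conversion.
        long now = System.currentTimeMillis();
        long skewMillis = this.timeSkewAllowance * 1000L;
        Date earliestAccepted = new Date(now - skewMillis);
        Date latestAccepted = new Date(now + skewMillis);

        if (earliestAccepted.after(claims.getExpirationTime())) {
            throw new AuthenticationServiceException("Assertion Token is expired: " + claims.getExpirationTime());
        }
        if (claims.getNotBeforeTime() != null && latestAccepted.before(claims.getNotBeforeTime())) {
            throw new AuthenticationServiceException("Assertion Token not valid untill: " + claims.getNotBeforeTime());
        }
        if (claims.getIssueTime() != null && latestAccepted.before(claims.getIssueTime())) {
            throw new AuthenticationServiceException("Assertion Token was issued in the future: " + claims.getIssueTime());
        }

        if (claims.getAudience() == null) {
            throw new AuthenticationServiceException("Assertion token audience is null");
        }
        String issuer = this.config.getIssuer();
        if (!claims.getAudience().contains(issuer) && !claims.getAudience().contains(issuer + "token")) {
            throw new AuthenticationServiceException("Audience does not match, expected " + issuer + " or "
                    + issuer + "token got " + claims.getAudience());
        }
    }

    /** Returns whether {@code alg} is one of the RSA algorithms accepted for private_key_jwt. */
    private static boolean isRsaAlgorithm(JWSAlgorithm alg) {
        return alg.equals(JWSAlgorithm.RS256) || alg.equals(JWSAlgorithm.RS384) || alg.equals(JWSAlgorithm.RS512);
    }

    /** Returns whether {@code alg} is one of the HMAC algorithms accepted for client_secret_jwt. */
    private static boolean isHmacAlgorithm(JWSAlgorithm alg) {
        return alg.equals(JWSAlgorithm.HS256) || alg.equals(JWSAlgorithm.HS384) || alg.equals(JWSAlgorithm.HS512);
    }

    /**
     * Reports whether this provider can authenticate tokens of the given type.
     *
     * @param cls the authentication class offered by the caller
     * @return {@code true} only for {@link JwtBearerAssertionAuthenticationToken} and its subclasses
     */
    public boolean supports(Class<?> cls) {
        return JwtBearerAssertionAuthenticationToken.class.isAssignableFrom(cls);
    }
}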
