package org.apereo.cas.oidc.authn;

import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.oauth2.sdk.dpop.JWKThumbprintConfirmation;
import com.nimbusds.oauth2.sdk.dpop.verifiers.DPoPIssuer;
import com.nimbusds.oauth2.sdk.dpop.verifiers.DPoPTokenRequestVerifier;
import com.nimbusds.oauth2.sdk.id.ClientID;
import java.net.URI;
import java.util.Set;
import java.util.stream.Collectors;
import lombok.Generated;
import org.apereo.cas.audit.AuditableContext;
import org.apereo.cas.audit.AuditableExecution;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.configuration.support.Beans;
import org.apereo.cas.oidc.discovery.OidcServerDiscoverySettings;
import org.apereo.cas.services.OidcRegisteredService;
import org.apereo.cas.services.ServicesManager;
import org.apereo.cas.support.oauth.OAuth20Constants;
import org.apereo.cas.support.oauth.util.OAuth20Utils;
import org.apereo.cas.util.function.FunctionUtils;
import org.pac4j.core.context.WebContext;
import org.pac4j.core.context.session.SessionStore;
import org.pac4j.core.credentials.Credentials;
import org.pac4j.core.credentials.authenticator.Authenticator;
import org.pac4j.core.profile.CommonProfile;

/* loaded from: input_file:WEB-INF/lib/cas-server-support-oidc-core-api-6.6.15.jar:org/apereo/cas/oidc/authn/OidcDPoPAuthenticator.class */
/**
 * pac4j {@link Authenticator} that validates an OAuth 2.0 DPoP proof (RFC 9449)
 * presented in the {@code DPoP} request header and, on success, attaches a profile
 * carrying the proof's claims and the JWK thumbprint confirmation to the credentials.
 * <p>
 * Security notes for reviewers:
 * <ul>
 *   <li>The proof is only processed when the {@code DPoP} header is present; requests
 *       without the header pass through this authenticator untouched.</li>
 *   <li>The Nimbus verifier is constructed without a single-use (jti) checker, so a
 *       captured proof can be replayed while its {@code iat} stays inside the configured
 *       clock skew. Deploying a {@code jti} cache is left to a subclass or future change.</li>
 *   <li>The {@code htu} claim is compared against {@link WebContext#getRequestURL()};
 *       behind a reverse proxy that value must reflect the externally visible URL or
 *       every valid proof will be rejected.</li>
 * </ul>
 */
public class OidcDPoPAuthenticator implements Authenticator {
    protected final OidcServerDiscoverySettings oidcServerDiscoverySettings;
    protected final ServicesManager servicesManager;
    protected final AuditableExecution registeredServiceAccessStrategyEnforcer;
    protected final CasConfigurationProperties casProperties;

    /**
     * Looks for a {@code DPoP} header and, if present, runs the full proof validation.
     * Any failure raised by {@link #validateAccessToken} is routed through
     * {@link FunctionUtils#doAndHandle}; NOTE(review): confirm that helper rethrows rather
     * than only logging, otherwise an invalid proof leaves the credentials without a
     * profile and the caller must treat that as a rejection.
     *
     * @param credentials  the credentials to decorate with a DPoP-bound profile
     * @param webContext   the current web request
     * @param sessionStore the pac4j session store (unused here)
     */
    @Override // org.pac4j.core.credentials.authenticator.Authenticator
    public void validate(final Credentials credentials, final WebContext webContext, final SessionStore sessionStore) {
        final var dpopHeader = webContext.getRequestHeader("DPoP");
        if (dpopHeader.isEmpty()) {
            return;
        }
        final String dpopProof = dpopHeader.get();
        FunctionUtils.doAndHandle(ignored -> validateAccessToken(credentials, webContext, dpopProof));
    }

    /**
     * Resolves the registered service for the {@code client_id} request parameter, enforces
     * its access strategy, verifies the DPoP proof and finally builds the user profile.
     *
     * @param credentials the credentials to decorate
     * @param webContext  the current web request
     * @param dpopProof   the raw {@code DPoP} header value (a compact-serialized JWT)
     * @throws Exception if {@code client_id} is absent, the service is not an OIDC service
     *                   (the cast fails closed), the access strategy denies access, or the
     *                   proof fails verification
     */
    protected void validateAccessToken(final Credentials credentials, final WebContext webContext,
                                       final String dpopProof) throws Exception {
        final String clientId = webContext.getRequestParameter("client_id").orElseThrow();

        // The cast intentionally rejects non-OIDC registrations: DPoP is only meaningful here
        // for OIDC clients, and an unexpected service type should fail rather than proceed.
        final var registeredService = (OidcRegisteredService) OAuth20Utils
            .getRegisteredOAuthServiceByClientId(this.servicesManager, clientId);
        final var auditContext = AuditableContext.builder()
            .registeredService(registeredService)
            .build();
        this.registeredServiceAccessStrategyEnforcer.execute(auditContext).throwExceptionIfNeeded();

        // Verify first; only a proof that passes yields a confirmation to bind to the profile.
        final JWKThumbprintConfirmation confirmation = verifyProofOfPossession(webContext, dpopProof, clientId);
        buildUserProfile(credentials, dpopProof, clientId, confirmation);
    }

    /**
     * Verifies the DPoP proof against the advertised signing algorithms, the current request
     * URL and the configured clock skew, returning the JWK thumbprint confirmation.
     * <p>
     * The fourth verifier argument (the {@code jti} single-use checker) is {@code null},
     * which per the Nimbus API disables replay detection for this proof.
     *
     * @param webContext the current web request, whose URL must match the proof's {@code htu}
     * @param dpopProof  the raw {@code DPoP} header value
     * @param clientId   the OAuth client identifier used as the DPoP issuer
     * @return the thumbprint confirmation ({@code jkt}) of the key that signed the proof
     * @throws Exception if the proof cannot be parsed or fails any verifier check
     */
    protected JWKThumbprintConfirmation verifyProofOfPossession(final WebContext webContext,
                                                                final String dpopProof,
                                                                final String clientId) throws Exception {
        final Set<JWSAlgorithm> acceptedAlgorithms = this.oidcServerDiscoverySettings
            .getDPopSigningAlgValuesSupported()
            .stream()
            .map(JWSAlgorithm::parse)
            .collect(Collectors.toSet());
        final URI endpoint = new URI(webContext.getRequestURL());
        final long skewSeconds = Beans
            .newDuration(this.casProperties.getAuthn().getOidc().getCore().getSkew())
            .toSeconds();

        final var verifier = new DPoPTokenRequestVerifier(acceptedAlgorithms, endpoint, skewSeconds, null);
        return verifier.verify(new DPoPIssuer(new ClientID(clientId)), getSignedProofOfPosessionJwt(dpopProof));
    }

    /**
     * Builds a profile identified by the client id that carries every claim of the DPoP proof,
     * the raw proof itself under {@code DPoP}, and the thumbprint confirmation under
     * {@link OAuth20Constants#DPOP_CONFIRMATION}, then attaches it to the credentials.
     *
     * @param credentials  the credentials to decorate
     * @param dpopProof    the raw {@code DPoP} header value (re-parsed here)
     * @param clientId     the OAuth client identifier, used as the profile id
     * @param confirmation the verified JWK thumbprint confirmation
     * @throws Exception if the proof cannot be parsed
     */
    protected void buildUserProfile(final Credentials credentials, final String dpopProof, final String clientId,
                                    final JWKThumbprintConfirmation confirmation) throws Exception {
        final SignedJWT proofJwt = getSignedProofOfPosessionJwt(dpopProof);

        final var profile = new CommonProfile(true);
        profile.setId(clientId);
        // Proof claims are copied as attributes only after verifyProofOfPossession has accepted them.
        profile.addAttributes(proofJwt.getJWTClaimsSet().getClaims());
        profile.addAttribute("DPoP", dpopProof);
        profile.addAttribute(OAuth20Constants.DPOP_CONFIRMATION, confirmation.getValue().toString());

        credentials.setUserProfile(profile);
    }

    /**
     * Parses the compact-serialized DPoP proof into a {@link SignedJWT}. Parsing performs no
     * signature or claim validation; that is done by {@link #verifyProofOfPossession}.
     *
     * @param dpopProof the raw {@code DPoP} header value
     * @return the parsed, not yet verified, signed JWT
     * @throws Exception if the value is not a well-formed signed JWT
     */
    protected SignedJWT getSignedProofOfPosessionJwt(final String dpopProof) throws Exception {
        return SignedJWT.parse(dpopProof);
    }

    /**
     * Creates the authenticator with its collaborators.
     *
     * @param oidcServerDiscoverySettings source of the supported DPoP signing algorithms
     * @param servicesManager             registry used to resolve the client's registered service
     * @param auditableExecution          access-strategy enforcer applied to the resolved service
     * @param casConfigurationProperties  CAS settings, read for the OIDC clock skew
     */
    @Generated
    public OidcDPoPAuthenticator(final OidcServerDiscoverySettings oidcServerDiscoverySettings,
                                 final ServicesManager servicesManager,
                                 final AuditableExecution auditableExecution,
                                 final CasConfigurationProperties casConfigurationProperties) {
        this.oidcServerDiscoverySettings = oidcServerDiscoverySettings;
        this.servicesManager = servicesManager;
        this.registeredServiceAccessStrategyEnforcer = auditableExecution;
        this.casProperties = casConfigurationProperties;
    }
}
