package org.apereo.cas.oidc.web.controllers.profile;

import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.util.Base64URL;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.oauth2.sdk.dpop.JWKThumbprintConfirmation;
import com.nimbusds.oauth2.sdk.dpop.verifiers.DPoPIssuer;
import com.nimbusds.oauth2.sdk.dpop.verifiers.DPoPProtectedResourceRequestVerifier;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.token.DPoPAccessToken;
import java.net.URI;
import java.util.Set;
import java.util.stream.Collectors;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apereo.cas.configuration.support.Beans;
import org.apereo.cas.oidc.OidcConfigurationContext;
import org.apereo.cas.oidc.OidcConstants;
import org.apereo.cas.support.oauth.OAuth20Constants;
import org.apereo.cas.support.oauth.util.OAuth20Utils;
import org.apereo.cas.support.oauth.web.endpoints.OAuth20UserProfileEndpointController;
import org.apereo.cas.ticket.accesstoken.OAuth20AccessToken;
import org.apereo.cas.util.CollectionUtils;
import org.jooq.lambda.Unchecked;
import org.pac4j.jee.context.JEEContext;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.util.Assert;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;

/* loaded from: input_file:WEB-INF/lib/cas-server-support-oidc-core-api-6.6.15.jar:org/apereo/cas/oidc/web/controllers/profile/OidcUserProfileEndpointController.class */
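/**
 * OIDC user-profile (userinfo) endpoint.
 *
 * <p>On top of the generic OAuth 2.0 profile controller this class
 * (1) rejects requests whose issuer does not validate for
 * {@link OidcConstants#PROFILE_URL} with a {@code 400 invalid_request} body, and
 * (2) when the access token's authentication carries a
 * {@link OAuth20Constants#DPOP_CONFIRMATION} attribute, requires and verifies a
 * {@code DPoP} proof header before the profile is released.
 */
public class OidcUserProfileEndpointController extends OAuth20UserProfileEndpointController<OidcConfigurationContext> {

    /** Request header that carries the DPoP proof JWT. */
    private static final String DPOP_HEADER = "DPoP";

    /**
     * @param oidcConfigurationContext the OIDC configuration context handed to the base controller
     */
    public OidcUserProfileEndpointController(final OidcConfigurationContext oidcConfigurationContext) {
        super(oidcConfigurationContext);
    }

    /**
     * Serves the profile for a GET request.
     *
     * <p>The issuer is validated first so that a request addressed to the wrong issuer
     * never reaches access-token handling in the base controller.
     *
     * @param httpServletRequest  the request
     * @param httpServletResponse the response
     * @return {@code 400} with an {@code invalid_request} error body when the issuer does not
     * validate for the profile URL, otherwise the base controller's response
     * @throws Exception propagated from the base controller
     */
    @Override
    @GetMapping(value = {"/oidc/profile", "/**/oidcProfile"}, produces = {"application/json", OidcConstants.CONTENT_TYPE_JWT})
    public ResponseEntity<String> handleGetRequest(final HttpServletRequest httpServletRequest,
                                                   final HttpServletResponse httpServletResponse) throws Exception {
        final JEEContext webContext = new JEEContext(httpServletRequest, httpServletResponse);
        final OidcConfigurationContext context = (OidcConfigurationContext) getConfigurationContext();
        if (!context.getIssuerService().validateIssuer(webContext, OidcConstants.PROFILE_URL)) {
            final String body = OAuth20Utils.toJson(OAuth20Utils.getErrorResponseBody("invalid_request", "Invalid issuer"));
            return new ResponseEntity<>(body, HttpStatus.BAD_REQUEST);
        }
        return super.handleGetRequest(httpServletRequest, httpServletResponse);
    }

    /**
     * Serves the profile for a POST request; identical to {@link #handleGetRequest}.
     *
     * @param httpServletRequest  the request
     * @param httpServletResponse the response
     * @return the same response a GET would produce
     * @throws Exception propagated from {@link #handleGetRequest}
     */
    @Override
    @PostMapping(value = {"/oidc/profile", "/**/oidcProfile"}, produces = {"application/json", OidcConstants.CONTENT_TYPE_JWT})
    public ResponseEntity<String> handlePostRequest(final HttpServletRequest httpServletRequest,
                                                    final HttpServletResponse httpServletResponse) throws Exception {
        return handleGetRequest(httpServletRequest, httpServletResponse);
    }

    /**
     * Enforces sender-constraining for DPoP-bound access tokens.
     *
     * <p>If the token's authentication carries a {@code DPOP_CONFIRMATION} attribute, its first
     * value is taken as the expected JWK thumbprint and the request must present a {@code DPoP}
     * header whose proof verifies against the request method and URL, the token's client id and
     * the access token itself. Tokens without that attribute are not DPoP-bound and pass through
     * untouched.
     *
     * @param str                 the access token id presented by the client; must be a (signed) JWT
     * @param oAuth20AccessToken  the resolved access token ticket
     * @param httpServletRequest  the request; read for the {@code DPoP} header, method and URL
     * @param httpServletResponse the response (not used here)
     * @throws IllegalArgumentException if the token is DPoP-bound and the request has no non-blank
     *                                  {@code DPoP} header (previously this surfaced as an opaque
     *                                  NullPointerException from parsing a {@code null} proof)
     * @throws RuntimeException         any parse or verification failure, rethrown unchecked by
     *                                  {@code Unchecked.consumer}; presumably the caller maps this to
     *                                  an error response — confirm in the base controller
     */
    @Override
    protected void validateAccessToken(final String str, final OAuth20AccessToken oAuth20AccessToken,
                                       final HttpServletRequest httpServletRequest,
                                       final HttpServletResponse httpServletResponse) {
        if (!oAuth20AccessToken.getAuthentication().containsAttribute(OAuth20Constants.DPOP_CONFIRMATION)) {
            // Not a DPoP-bound token: plain bearer semantics, nothing more to check here.
            return;
        }
        final String dpopProof = httpServletRequest.getHeader(DPOP_HEADER);
        CollectionUtils.firstElement(oAuth20AccessToken.getAuthentication().getAttributes().get(OAuth20Constants.DPOP_CONFIRMATION))
            .ifPresent(Unchecked.consumer(confirmation ->
                verifyDPoPProof(str, oAuth20AccessToken, httpServletRequest, dpopProof, confirmation.toString())));
    }

    /**
     * Verifies the DPoP proof presented for a DPoP-bound access token.
     *
     * @param accessTokenId      the access token id the client presented; bound into the proof check
     * @param accessToken        the access token ticket; its client id is the expected proof issuer
     * @param request            the request whose method and URL the proof must match
     * @param dpopProof          raw value of the {@code DPoP} header, {@code null} when absent
     * @param expectedThumbprint base64url JWK thumbprint stored in the token's confirmation attribute
     * @throws IllegalArgumentException if {@code dpopProof} is {@code null} or blank
     * @throws Exception                on any parse or verification failure
     */
    private void verifyDPoPProof(final String accessTokenId, final OAuth20AccessToken accessToken,
                                 final HttpServletRequest request, final String dpopProof,
                                 final String expectedThumbprint) throws Exception {
        // Fail closed with a clear message: a DPoP-bound token presented without a proof must not
        // be accepted as a bearer token, and SignedJWT.parse(null) would only fail with an NPE.
        Assert.hasText(dpopProof, "Access token is DPoP-bound but the request carries no DPoP proof header");

        final OidcConfigurationContext context = (OidcConfigurationContext) getConfigurationContext();
        final Set<JWSAlgorithm> acceptedAlgorithms = context.getDiscoverySettings()
            .getDPopSigningAlgValuesSupported()
            .stream()
            .map(JWSAlgorithm::parse)
            .collect(Collectors.toSet());
        final long maxClockSkewSeconds = Beans.newDuration(
            context.getCasProperties().getAuthn().getOidc().getCore().getSkew()).toSeconds();
        // The third constructor argument is the single-use (jti) checker; null means this verifier
        // does not detect replay of a proof within the clock-skew window.
        // NOTE(review): confirm whether replay protection is provided elsewhere.
        final DPoPProtectedResourceRequestVerifier verifier =
            new DPoPProtectedResourceRequestVerifier(acceptedAlgorithms, maxClockSkewSeconds, null);

        final SignedJWT proof = SignedJWT.parse(dpopProof);
        final DPoPIssuer issuer = new DPoPIssuer(new ClientID(accessToken.getClientId()));
        final JWKThumbprintConfirmation confirmation = new JWKThumbprintConfirmation(new Base64URL(expectedThumbprint));
        // The presented token id must itself be a (signed) JWT; parse() throws on anything else.
        Assert.notNull(JWTParser.parse(accessTokenId), "Provided access token id must be a (signed) JWT");
        // The proof's target URL is compared against the URL as the container reconstructed it;
        // behind a reverse proxy this presumably relies on forwarded scheme/host being honoured — confirm.
        final URI requestUri = new URI(request.getRequestURL().toString());
        verifier.verify(request.getMethod(), requestUri, issuer, proof, new DPoPAccessToken(accessTokenId), confirmation);
    }
}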
