package com.nimbusds.openid.connect.provider.spi.grants.handlers.web.tokenexchange;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.oauth2.sdk.GeneralException;
import com.nimbusds.oauth2.sdk.GrantType;
import com.nimbusds.oauth2.sdk.OAuth2Error;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.token.TokenTypeURI;
import com.nimbusds.oauth2.sdk.tokenexchange.TokenExchangeGrant;
import com.nimbusds.openid.connect.provider.spi.InitContext;
import com.nimbusds.openid.connect.provider.spi.InvocationContext;
import com.nimbusds.openid.connect.provider.spi.grants.TokenExchangeAuthorization;
import com.nimbusds.openid.connect.provider.spi.grants.TokenExchangeGrantHandler;
import com.nimbusds.openid.connect.provider.spi.grants.TokenIntrospection;
import com.nimbusds.openid.connect.provider.spi.grants.TokenIssueHelpers;
import com.nimbusds.openid.connect.provider.spi.grants.TokenRequestParameters;
import com.nimbusds.openid.connect.provider.spi.grants.handlers.web.BaseGrantDelegator;
import com.nimbusds.openid.connect.provider.spi.grants.handlers.web.Utils;
import com.nimbusds.openid.connect.provider.spi.tokens.AccessTokenAuthorization;
import com.nimbusds.openid.connect.provider.spi.tokens.introspection.DefaultTokenIntrospectionResponseComposer;
import com.nimbusds.openid.connect.provider.spi.tokens.introspection.TokenIntrospectionContext;
import com.nimbusds.openid.connect.sdk.rp.OIDCClientMetadata;
import java.text.ParseException;
import java.util.Properties;

/* loaded from: input_file:com/nimbusds/openid/connect/provider/spi/grants/handlers/web/tokenexchange/TokenExchangeGrantDelegator.class */
/**
 * Token exchange (RFC 8693) grant handler that validates the subject token
 * locally and then delegates the final authorisation decision to a remote
 * web API via {@link BaseGrantDelegator#send}.
 *
 * <p>Validation order for the subject token, as implemented in
 * {@link #processGrant}: local access token introspection, remote access
 * token introspection, JWT verification. Each step is skipped once an
 * earlier step has produced a result, and each step is optional depending
 * on the configuration. When neither {@code mustPass} flag is set the
 * subject token can reach the web API with no validation result attached,
 * so the web API must not assume the token has been verified.
 *
 * <p>NOTE(review): this listing is decompiled (see the "loaded from"
 * comment above the class); annotations such as {@code @Override} on the
 * interface methods may have been lost in decompilation.
 */
public class TokenExchangeGrantDelegator extends BaseGrantDelegator implements TokenExchangeGrantHandler {
    /** Servlet-relative path of the handler's properties file, passed to the base delegator. */
    public static final String CONFIG_FILE_PATH = "/WEB-INF/tokenExchangeGrantHandlerWebAPI.properties";
    // Both fields are assigned in init() only when the handler is enabled;
    // they remain null otherwise (see processGrant, which calls ensureEnabled() first).
    private RemoteAccessTokenIntrospectionClient introspectionClient;
    private JWTVerifier jwtVerifier;

    /** Creates the delegator, pointing the base class at {@link #CONFIG_FILE_PATH}. */
    public TokenExchangeGrantDelegator() {
        super(CONFIG_FILE_PATH);
    }

    /**
     * Parses the handler configuration from the loaded properties.
     *
     * @param properties The properties read from {@link #CONFIG_FILE_PATH}.
     *
     * @return The typed token exchange configuration.
     */
    @Override // com.nimbusds.openid.connect.provider.spi.grants.handlers.web.BaseGrantDelegator
    public TokenExchangeGrantHandlerConfiguration loadConfiguration(Properties properties) {
        return new TokenExchangeGrantHandlerConfiguration(properties);
    }

    /**
     * Initialises the base delegator and, if the handler is enabled, the
     * subject token JWT verifier and remote introspection client.
     *
     * @param initContext The SPI init context.
     *
     * @throws Exception If the base init or construction of the helpers fails.
     */
    @Override // com.nimbusds.openid.connect.provider.spi.grants.handlers.web.BaseGrantDelegator
    public void init(InitContext initContext) throws Exception {
        super.init(initContext);
        if (getConfiguration().enable) {
            // Only constructed when enabled; a disabled handler never reaches
            // the isConfigured() calls in processGrant because ensureEnabled()
            // runs first (presumably rejecting the grant — confirm in BaseGrantDelegator).
            this.jwtVerifier = new JWTVerifier(getConfiguration().subjectToken_jwtVerification);
            this.introspectionClient = new RemoteAccessTokenIntrospectionClient(getConfiguration().subjectToken_accessTokenIntrospection_remote);
        }
    }

    /**
     * Returns the configuration loaded by the base delegator, narrowed to the
     * token exchange type produced by {@link #loadConfiguration}.
     *
     * @return The token exchange configuration.
     */
    @Override // com.nimbusds.openid.connect.provider.spi.grants.handlers.web.BaseGrantDelegator
    public TokenExchangeGrantHandlerConfiguration getConfiguration() {
        return (TokenExchangeGrantHandlerConfiguration) this.config;
    }

    /**
     * Returns the grant type handled by this delegator.
     *
     * @return {@link GrantType#TOKEN_EXCHANGE}.
     */
    public GrantType getGrantType() {
        return GrantType.TOKEN_EXCHANGE;
    }

    /**
     * Rejects the grant when one of its token type URIs is not in the
     * configured allow list. A {@code null} allow list means any type is
     * accepted for that parameter. The subject token type is always checked;
     * the actor and requested token types are checked only when present in
     * the grant.
     *
     * @param tokenExchangeGrant The token exchange grant.
     *
     * @throws GeneralException With {@code invalid_request} if a type is not accepted.
     */
    protected void ensureAcceptedTokenTypes(TokenExchangeGrant tokenExchangeGrant) throws GeneralException {
        if (getConfiguration().subjectToken_types != null && !getConfiguration().subjectToken_types.contains(tokenExchangeGrant.getSubjectTokenType())) {
            throw new GeneralException(OAuth2Error.INVALID_REQUEST.setDescription("subject_token_type value not accepted"));
        }
        if (tokenExchangeGrant.getActorTokenType() != null && getConfiguration().actorToken_types != null && !getConfiguration().actorToken_types.contains(tokenExchangeGrant.getActorTokenType())) {
            throw new GeneralException(OAuth2Error.INVALID_REQUEST.setDescription("actor_token_type value not accepted"));
        }
        if (tokenExchangeGrant.getRequestedTokenType() != null && getConfiguration().requestedToken_types != null && !getConfiguration().requestedToken_types.contains(tokenExchangeGrant.getRequestedTokenType())) {
            throw new GeneralException(OAuth2Error.INVALID_REQUEST.setDescription("requested_token_type value not accepted"));
        }
    }

    /**
     * Returns {@code true} if the token type URI is {@code access_token},
     * i.e. the token is a candidate for (local or remote) introspection.
     *
     * @param tokenTypeURI The token type URI, may be {@code null}.
     *
     * @return {@code true} for {@link TokenTypeURI#ACCESS_TOKEN}, else {@code false}.
     */
    static boolean infersAccessToken(TokenTypeURI tokenTypeURI) {
        return TokenTypeURI.ACCESS_TOKEN.equals(tokenTypeURI);
    }

    /**
     * Returns {@code true} if the token type URI may denote a JWT and the
     * token is therefore a candidate for JWT verification: {@code jwt},
     * {@code access_token} (treated as possibly JWT-encoded) or {@code id_token}.
     *
     * @param tokenTypeURI The token type URI, may be {@code null}.
     *
     * @return {@code true} for JWT, ACCESS_TOKEN or ID_TOKEN, else {@code false}.
     */
    static boolean infersJWT(TokenTypeURI tokenTypeURI) {
        return TokenTypeURI.JWT.equals(tokenTypeURI) || TokenTypeURI.ACCESS_TOKEN.equals(tokenTypeURI) || TokenTypeURI.ID_TOKEN.equals(tokenTypeURI);
    }

    /**
     * Validates the subject token as far as the configuration requires and
     * forwards the grant, together with any validation result, to the web API.
     *
     * <p>Steps:
     * <ol>
     *   <li>Reject the grant if the handler is disabled or a token type is not accepted.</li>
     *   <li>Local introspection (if enabled and the subject token type is
     *       {@code access_token}) via the SPI-provided {@code tokenIntrospection}.</li>
     *   <li>Remote introspection (if no local result, type is {@code access_token}
     *       and the remote client is configured). A {@link GeneralException} from the
     *       remote endpoint counts as "token not valid"; a {@link ClientException}
     *       (transport / client failure) becomes {@code server_error}.</li>
     *   <li>If there is still no introspection result and
     *       {@code subjectToken_accessTokenIntrospection_mustPass} is set, reject
     *       the grant. Note this check is type-independent: with that flag set,
     *       subject tokens of any non-{@code access_token} type are always rejected,
     *       because only the introspection steps can populate the result.</li>
     *   <li>JWT verification (if no introspection result, the type infers a JWT and
     *       the verifier is configured). Parse / signature failures are rejected
     *       only when {@code subjectToken_jwtVerification_mustPass} is set; a
     *       {@link JOSEException} becomes {@code server_error}.</li>
     *   <li>Send the request to the web API and parse its response; any failure
     *       there is logged and surfaced as {@code server_error}.</li>
     * </ol>
     *
     * <p>Security note: when both {@code mustPass} flags are false the request
     * can reach the web API with both {@code accessTokenIntrospection} and
     * {@code jWTVerification} set to {@code null}; the web API then receives an
     * unvalidated subject token and is responsible for its own checks.
     *
     * @param tokenExchangeGrant      The token exchange grant.
     * @param tokenRequestParameters  The token request parameters; filtered by
     *                                {@code keepAllowedCustomParams} before forwarding.
     * @param clientID                The requesting client.
     * @param z                       Decompiled boolean flag forwarded unchanged to
     *                                the web API request (its meaning is not visible
     *                                here — presumably "confidential client"; confirm
     *                                against the SPI interface).
     * @param oIDCClientMetadata      The client metadata; only the configured
     *                                fields are forwarded.
     * @param tokenIntrospection      SPI helper used for local access token introspection.
     * @param tokenIssueHelpers       Unused in this implementation.
     * @param invocationContext       Supplies the issuer URL for the web API request.
     *
     * @return The authorisation returned by the web API.
     *
     * @throws GeneralException {@code invalid_request} if the subject token fails a
     *                          mandatory check, {@code server_error} on remote
     *                          introspection, JOSE or web API failures.
     */
    public TokenExchangeAuthorization processGrant(TokenExchangeGrant tokenExchangeGrant, TokenRequestParameters tokenRequestParameters, ClientID clientID, boolean z, OIDCClientMetadata oIDCClientMetadata, TokenIntrospection tokenIntrospection, TokenIssueHelpers tokenIssueHelpers, InvocationContext invocationContext) throws GeneralException {
        ensureEnabled();
        ensureAcceptedTokenTypes(tokenExchangeGrant);
        AccessTokenIntrospection accessTokenIntrospection = null;
        if (getConfiguration().subjectToken_accessTokenIntrospection_local_enable && infersAccessToken(tokenExchangeGrant.getSubjectTokenType())) {
            // The SPI has already looked the subject token up locally; a null
            // authorisation means it is not a known / valid local access token.
            AccessTokenAuthorization accessTokenAuthorization = tokenIntrospection.getAccessTokenAuthorization();
            if (accessTokenAuthorization != null) {
                // First constructor argument is null for local results — its
                // meaning is not visible here (presumably the raw remote response).
                accessTokenIntrospection = new AccessTokenIntrospection(null, new DefaultTokenIntrospectionResponseComposer().compose(accessTokenAuthorization, (TokenIntrospectionContext) null));
                tokenEndpointLog.debug("[{}0205] {} grant handler: Validated subject_token as local access token", this.config.logPrefix, this.config.grantShortName);
            } else {
                tokenEndpointLog.debug("[{}0204] {} grant handler: subject_token not a valid local access token", this.config.logPrefix, this.config.grantShortName);
            }
        }
        if (accessTokenIntrospection == null && infersAccessToken(tokenExchangeGrant.getSubjectTokenType()) && this.introspectionClient.isConfigured()) {
            try {
                accessTokenIntrospection = this.introspectionClient.introspect(tokenExchangeGrant.getSubjectToken());
                tokenEndpointLog.debug("[{}0207] {} grant handler: Validated subject_token as 3rd party access token", this.config.logPrefix, this.config.grantShortName);
            } catch (GeneralException e) {
                // Remote endpoint rejected the token: treated as "not valid", not as an error.
                tokenEndpointLog.debug("[{}0203] {} grant handler: subject_token not a valid 3rd party access token: {}", this.config.logPrefix, this.config.grantShortName, e.getMessage());
            } catch (ClientException e2) {
                // Could not reach / talk to the remote endpoint: fail closed with server_error.
                tokenEndpointLog.error("[{}0206] {} grant handler: subject_token remote introspection error: {}", this.config.logPrefix, this.config.grantShortName, e2.getMessage());
                throw new GeneralException(OAuth2Error.SERVER_ERROR);
            }
        }
        // Applies regardless of subject token type; see the method Javadoc.
        if (accessTokenIntrospection == null && getConfiguration().subjectToken_accessTokenIntrospection_mustPass) {
            throw new GeneralException(OAuth2Error.INVALID_REQUEST.setDescription("Invalid subject_token"));
        }
        JWTVerification jWTVerification = null;
        // A token that introspected successfully is not additionally JWT-verified.
        if (accessTokenIntrospection == null && infersJWT(tokenExchangeGrant.getSubjectTokenType()) && this.jwtVerifier.isConfigured()) {
            try {
                jWTVerification = this.jwtVerifier.verify(tokenExchangeGrant.getSubjectToken());
                tokenEndpointLog.debug("[{}0208] {} grant handler: Validated subject_token as JWT", this.config.logPrefix, this.config.grantShortName);
            } catch (ParseException | BadJOSEException e3) {
                // Malformed or failed-verification JWT: only fatal when mustPass is set.
                tokenEndpointLog.debug("[{}0201] {} grant handler: Invalid subject_token JWT: {}", this.config.logPrefix, this.config.grantShortName, e3.getMessage());
                if (getConfiguration().subjectToken_jwtVerification_mustPass) {
                    throw new GeneralException(OAuth2Error.INVALID_REQUEST.setDescription("Invalid subject_token"));
                }
            } catch (JOSEException e4) {
                // Internal JOSE failure (e.g. key handling), not a bad token: server_error.
                tokenEndpointLog.error("[{}0202] {} grant handler: subject_token JWT verification error: {}", this.config.logPrefix, this.config.grantShortName, e4.getMessage());
                throw new GeneralException(OAuth2Error.SERVER_ERROR);
            }
        }
        try {
            // accessTokenIntrospection and/or jWTVerification may both be null here.
            return TokenExchangeAuthorization.parse(send(new TokenExchangeGrantHandlerRequest(invocationContext.getIssuer(), getConfiguration().url, getConfiguration().apiAccessToken, tokenExchangeGrant, keepAllowedCustomParams(tokenRequestParameters), accessTokenIntrospection, jWTVerification, clientID, z, Utils.extractSelectedParameters(oIDCClientMetadata, getConfiguration().clientMetadata))));
        } catch (Exception e5) {
            // Any failure sending to or parsing from the web API is a server-side problem.
            tokenEndpointLog.error("[{}0200] {} grant handler: Invalid response: {}", this.config.logPrefix, this.config.grantShortName, e5.getMessage(), e5);
            throw new GeneralException(OAuth2Error.SERVER_ERROR);
        }
    }
}
