package com.nimbusds.openid.connect.provider.spi.impl.nativesso.handlers;

import com.nimbusds.oauth2.sdk.GeneralException;
import com.nimbusds.oauth2.sdk.OAuth2Error;
import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.id.Subject;
import com.nimbusds.openid.connect.provider.spi.InitContext;
import com.nimbusds.openid.connect.provider.spi.grants.AccessTokenSpec;
import com.nimbusds.openid.connect.provider.spi.grants.ClaimsSpec;
import com.nimbusds.openid.connect.provider.spi.grants.IDTokenSpec;
import com.nimbusds.openid.connect.provider.spi.grants.RefreshTokenSpec;
import com.nimbusds.openid.connect.provider.spi.grants.TokenRequestParameters;
import com.nimbusds.openid.connect.provider.spi.impl.common.ClientMetadataFilter;
import com.nimbusds.openid.connect.provider.spi.impl.common.Loggers;
import com.nimbusds.openid.connect.provider.spi.impl.common.ScopeUtils;
import com.nimbusds.openid.connect.provider.spi.internal.sessionstore.SubjectSession;
import com.nimbusds.openid.connect.provider.spi.nativesso.DeviceSSOBackChannelAuthorization;
import com.nimbusds.openid.connect.provider.spi.nativesso.DeviceSSOHandler;
import com.nimbusds.openid.connect.provider.spi.nativesso.DeviceSSOHandlerContext;
import com.nimbusds.openid.connect.sdk.OIDCError;
import com.nimbusds.openid.connect.sdk.OIDCScopeValue;
import com.nimbusds.openid.connect.sdk.claims.ClaimsTransport;
import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet;
import com.nimbusds.openid.connect.sdk.rp.OIDCClientMetadata;
import java.io.InputStream;
import java.time.Instant;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.Properties;
import net.jcip.annotations.ThreadSafe;
import net.minidev.json.JSONObject;

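/**
 * Device SSO handler that decides back-channel requests locally, using the
 * settings loaded from {@link #CONFIG_FILE_PATH}.
 *
 * <p>A request is refused with {@code interaction_required} when the authorised
 * scope contains a value configured as requiring interaction, or when the
 * client's default max age is set and the subject's authentication is missing a
 * timestamp or is older than that age. Otherwise the handler returns token,
 * ID token and claims specs built from the configuration.
 *
 * <p>NOTE(review): {@code config} is a plain field assigned in
 * {@link #init(InitContext)}. The {@code @ThreadSafe} claim presumably relies on
 * the container completing {@code init} before any request is served. Confirm.
 */
@ThreadSafe
/* loaded from: input_file:com/nimbusds/openid/connect/provider/spi/impl/nativesso/handlers/LocalDeviceSSOHandler.class */
public class LocalDeviceSSOHandler implements DeviceSSOHandler {
    /** Location of the handler's properties file, resolved through the {@link InitContext}. */
    public static final String CONFIG_FILE_PATH = "/WEB-INF/deviceSSOHandler.properties";

    /** Effective configuration; {@code null} until {@link #init(InitContext)} has run. */
    private Configuration config;

    /**
     * Loads the handler configuration.
     *
     * <p>If the properties file is absent the configuration is built from an empty
     * {@link Properties} object, so whatever defaults {@code Configuration} applies
     * take effect.
     *
     * @param initContext context used to open {@link #CONFIG_FILE_PATH}
     * @throws Exception if the file cannot be read or the configuration is rejected
     */
    public void init(InitContext initContext) throws Exception {
        Properties properties = new Properties();
        // Properties.load does not close its stream, so close it here. A null
        // resource is permitted in try-with-resources and is simply skipped.
        try (InputStream configStream = initContext.getResourceAsStream(CONFIG_FILE_PATH)) {
            Loggers.MAIN.debug("[DS1000] Loading {}: File {}found", CONFIG_FILE_PATH, configStream != null ? "" : "not ");
            if (configStream != null) {
                properties.load(configStream);
                // NOTE(review): this writes every loaded property value to the debug
                // log. Confirm the file never carries sensitive values.
                Loggers.MAIN.debug("[DS1001] Loaded {} properties: {}", CONFIG_FILE_PATH, properties);
            }
        }
        this.config = new Configuration(properties);
        this.config.log();
    }

    /**
     * Reports whether the handler is enabled in the loaded configuration.
     *
     * @return the configured {@code enable} flag
     */
    public boolean isEnabled() {
        return this.config.enable;
    }

    /**
     * Returns the loaded configuration (package-private accessor).
     *
     * @return the configuration, or {@code null} before {@link #init(InitContext)}
     */
    Configuration getConfiguration() {
        return this.config;
    }

    /**
     * Authorises a device SSO back-channel request against the subject's session.
     *
     * <p>{@code subject}, {@code iDTokenClaimsSet}, {@code clientID} and {@code z}
     * are not read by this implementation. The decision rests on the requested
     * scope, the client metadata and the session's authentication record.
     * NOTE(review): the binding between the presented ID token, the subject and
     * the session is presumably verified by the caller. Confirm.
     *
     * @param subject                 not used here
     * @param iDTokenClaimsSet        not used here
     * @param subjectSession          session whose authentication time, ACR and AMR are read
     * @param tokenRequestParameters  source of the requested scope
     * @param clientID                not used here
     * @param z                       not used here (name lost in decompilation)
     * @param oIDCClientMetadata      client's registered scope, default max age and
     *                                auth_time requirement
     * @param deviceSSOHandlerContext resolves claim names for the authorised scope
     * @return the authorisation holding the scope and the token, ID token and claims specs
     * @throws GeneralException {@code unsupported_grant_type} when the handler is
     *                          disabled; {@code interaction_required} (HTTP 400) when
     *                          a scope value requires interaction or the max-age
     *                          check fails
     */
    public DeviceSSOBackChannelAuthorization processBackChannelRequest(Subject subject, IDTokenClaimsSet iDTokenClaimsSet, SubjectSession subjectSession, TokenRequestParameters tokenRequestParameters, ClientID clientID, boolean z, OIDCClientMetadata oIDCClientMetadata, DeviceSSOHandlerContext deviceSSOHandlerContext) throws GeneralException {
        if (!this.config.enable) {
            throw new GeneralException("Device SSO handler disabled", OAuth2Error.UNSUPPORTED_GRANT_TYPE);
        }

        // The requested scope is bounded by the client's registered scope.
        Scope authorizedScope = ScopeUtils.resolveAuthorizedScope(tokenRequestParameters.getScope(), oIDCClientMetadata.getScope());

        assert this.config.scopeRequiringInteraction != null;
        // Scope values flagged in the configuration may not be granted without user interaction.
        for (Object interactiveValue : this.config.scopeRequiringInteraction) {
            if (authorizedScope.contains((Scope.Value) interactiveValue)) {
                throw new GeneralException(OIDCError.INTERACTION_REQUIRED.setHTTPStatusCode(400));
            }
        }

        int defaultMaxAge = oIDCClientMetadata.getDefaultMaxAge();
        if (defaultMaxAge > -1) {
            // A max age of zero can never be satisfied without a fresh login.
            if (defaultMaxAge == 0) {
                throw new GeneralException(OIDCError.INTERACTION_REQUIRED.setHTTPStatusCode(400).setDescription("Login required"));
            }
            // A session with no recorded authentication time cannot prove freshness.
            // It is refused the same way as a stale one, rather than failing with a
            // NullPointerException.
            Instant authenticatedAt = subjectSession.getSubjectAuthentication().getTime();
            if (authenticatedAt == null || authenticatedAt.plusSeconds(defaultMaxAge).isBefore(Instant.now())) {
                throw new GeneralException(OIDCError.INTERACTION_REQUIRED.setHTTPStatusCode(400).setDescription("Login required"));
            }
        }

        assert this.config.accessToken != null;
        assert this.config.refreshToken != null;

        // ID token issue and the configured claims transport apply only when "openid" was authorised.
        boolean openidAuthorized = authorizedScope.contains(OIDCScopeValue.OPENID);

        AccessTokenSpec accessTokenSpec = new AccessTokenSpec(
                this.config.accessToken.lifetime,
                this.config.accessToken.audienceList,
                this.config.accessToken.encoding,
                this.config.accessToken.encrypt);

        RefreshTokenSpec refreshTokenSpec = new RefreshTokenSpec(
                this.config.refreshToken.issue,
                this.config.refreshToken.lifetime,
                this.config.refreshToken.maxIdleTime,
                this.config.refreshToken.rotate);

        // auth_time is passed on only when the client metadata requires it.
        Date authTimeClaim = oIDCClientMetadata.requiresAuthTime() ? resolveSubjectAuthTime(subjectSession) : null;
        IDTokenSpec idTokenSpec = new IDTokenSpec(
                openidAuthorized,
                0L,
                authTimeClaim,
                subjectSession.getSubjectAuthentication().getACR(),
                subjectSession.getSubjectAuthentication().getAMRList(),
                (Subject) null);

        // Without "openid" the claims fall back to UserInfo transport.
        ClaimsSpec claimsSpec = new ClaimsSpec(
                deviceSSOHandlerContext.resolveClaimNames(authorizedScope),
                (List) null,
                (JSONObject) null,
                (JSONObject) null,
                openidAuthorized ? this.config.claimsTransport : ClaimsTransport.USERINFO);

        return new DeviceSSOBackChannelAuthorization(
                authorizedScope,
                accessTokenSpec,
                refreshTokenSpec,
                idTokenSpec,
                claimsSpec,
                new ClientMetadataFilter(this.config.accessToken.includeClientMetadataFields).filter(oIDCClientMetadata));
    }

    /**
     * Converts the session's authentication time to a {@link Date}.
     *
     * @param subjectSession session to read the authentication time from
     * @return the authentication time, or {@code null} if the session records none
     */
    private static Date resolveSubjectAuthTime(SubjectSession subjectSession) {
        Instant authenticatedAt = subjectSession.getSubjectAuthentication().getTime();
        return authenticatedAt == null ? null : Date.from(authenticatedAt);
    }
}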
