package io.micronaut.security.oauth2.endpoint.authorization.response;

import com.nimbusds.jwt.JWT;
import io.micronaut.context.annotation.Requires;
import io.micronaut.security.authentication.AuthenticationFailed;
import io.micronaut.security.authentication.AuthenticationResponse;
import io.micronaut.security.oauth2.client.OpenIdProviderMetadata;
import io.micronaut.security.oauth2.configuration.OauthClientConfiguration;
import io.micronaut.security.oauth2.endpoint.SecureEndpoint;
import io.micronaut.security.oauth2.endpoint.authorization.state.InvalidStateException;
import io.micronaut.security.oauth2.endpoint.authorization.state.validation.StateValidator;
import io.micronaut.security.oauth2.endpoint.token.request.TokenEndpointClient;
import io.micronaut.security.oauth2.endpoint.token.request.context.OpenIdCodeTokenRequestContext;
import io.micronaut.security.oauth2.endpoint.token.response.DefaultOpenIdUserDetailsMapper;
import io.micronaut.security.oauth2.endpoint.token.response.JWTOpenIdClaims;
import io.micronaut.security.oauth2.endpoint.token.response.OpenIdUserDetailsMapper;
import io.micronaut.security.oauth2.endpoint.token.response.validation.OpenIdTokenResponseValidator;
import io.micronaut.security.oauth2.url.OauthRouteUrlBuilder;
import io.reactivex.BackpressureStrategy;
import io.reactivex.Flowable;
import java.text.ParseException;
import java.util.Optional;
import javax.annotation.Nullable;
import javax.inject.Singleton;
import org.reactivestreams.Publisher;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Default {@link OpenIdAuthorizationResponseHandler}: turns the authorization-code
 * callback from an OpenID provider into an {@link AuthenticationResponse}.
 *
 * <p>Processing order:
 * <ol>
 *   <li>Validate the {@code state} parameter with the configured {@link StateValidator}.
 *       This step runs only when such a bean is present; without one the state is
 *       accepted unchecked, so deployments that rely on {@code state} to bind the
 *       callback to the original request should make sure a validator is configured.</li>
 *   <li>Exchange the code at the token endpoint via {@link TokenEndpointClient}.</li>
 *   <li>Validate the token response (including the nonce carried in the authorization
 *       response) with {@link OpenIdTokenResponseValidator}; a rejected token yields
 *       an {@link AuthenticationFailed} rather than an error signal.</li>
 *   <li>Map the validated ID token claims to user details with the supplied
 *       {@link OpenIdUserDetailsMapper}, falling back to the default mapper.</li>
 * </ol>
 *
 * <p>Only a {@link ParseException} raised while reading the JWT claim set is propagated
 * as an {@code onError}; every other failure is reported as an authentication failure item.
 */
@Singleton
@Requires(configuration = "io.micronaut.security.token.jwt")
public class DefaultOpenIdAuthorizationResponseHandler implements OpenIdAuthorizationResponseHandler {
    private static final Logger LOG = LoggerFactory.getLogger(DefaultOpenIdAuthorizationResponseHandler.class);
    private final OpenIdTokenResponseValidator tokenResponseValidator;
    private final OpenIdUserDetailsMapper defaultUserDetailsMapper;
    private final TokenEndpointClient tokenEndpointClient;
    private final OauthRouteUrlBuilder oauthRouteUrlBuilder;

    // Optional: when absent, the callback's state parameter is not validated at all.
    @Nullable
    private final StateValidator stateValidator;

    /**
     * @param openIdTokenResponseValidator Validates the token endpoint response and the ID token.
     * @param defaultOpenIdUserDetailsMapper Mapper used when the caller passes no mapper to {@link #handle}.
     * @param tokenEndpointClient Client used for the code-for-token exchange.
     * @param oauthRouteUrlBuilder Builds the callback URL placed in the token request context.
     * @param stateValidator Validator for the {@code state} parameter, or {@code null} to skip state validation.
     */
    public DefaultOpenIdAuthorizationResponseHandler(OpenIdTokenResponseValidator openIdTokenResponseValidator, DefaultOpenIdUserDetailsMapper defaultOpenIdUserDetailsMapper, TokenEndpointClient tokenEndpointClient, OauthRouteUrlBuilder oauthRouteUrlBuilder, @Nullable StateValidator stateValidator) {
        this.tokenResponseValidator = openIdTokenResponseValidator;
        this.defaultUserDetailsMapper = defaultOpenIdUserDetailsMapper;
        this.tokenEndpointClient = tokenEndpointClient;
        this.oauthRouteUrlBuilder = oauthRouteUrlBuilder;
        this.stateValidator = stateValidator;
    }

    /**
     * Handles the authorization response: state check first, then the token exchange.
     *
     * @param openIdAuthorizationResponse The callback parameters sent by the provider.
     * @param oauthClientConfiguration Configuration of the OAuth client the callback belongs to.
     * @param openIdProviderMetadata Discovery metadata of the provider.
     * @param openIdUserDetailsMapper Mapper for this client, or {@code null} to use the default one.
     * @param secureEndpoint The token endpoint description used to build the token request.
     * @return A publisher emitting exactly one {@link AuthenticationResponse}, or an error when the
     *         ID token claim set cannot be parsed.
     */
    @Override
    public Publisher<AuthenticationResponse> handle(OpenIdAuthorizationResponse openIdAuthorizationResponse, OauthClientConfiguration oauthClientConfiguration, OpenIdProviderMetadata openIdProviderMetadata, @Nullable OpenIdUserDetailsMapper openIdUserDetailsMapper, SecureEndpoint secureEndpoint) {
        OpenIdUserDetailsMapper mapper = openIdUserDetailsMapper == null ? this.defaultUserDetailsMapper : openIdUserDetailsMapper;
        return rejectInvalidState(openIdAuthorizationResponse, oauthClientConfiguration)
                .<Publisher<AuthenticationResponse>>map(failure -> Flowable.just(failure))
                .orElseGet(() -> exchangeCodeForAuthentication(openIdAuthorizationResponse, oauthClientConfiguration, openIdProviderMetadata, mapper, secureEndpoint));
    }

    /**
     * Runs the {@code state} check when a validator is configured.
     *
     * @return An {@link AuthenticationFailed} when the state is rejected, empty otherwise
     *         (including the no-validator case, which is only trace-logged).
     */
    private Optional<AuthenticationResponse> rejectInvalidState(OpenIdAuthorizationResponse authorizationResponse, OauthClientConfiguration clientConfiguration) {
        if (this.stateValidator == null) {
            if (LOG.isTraceEnabled()) {
                LOG.trace("Skipping state validation, no state validator found");
            }
            return Optional.empty();
        }
        if (LOG.isTraceEnabled()) {
            LOG.trace("Validating state found in the authorization response from provider [{}]", clientConfiguration.getName());
        }
        try {
            this.stateValidator.validate(authorizationResponse.getCallbackRequest(), authorizationResponse.getState());
            return Optional.empty();
        } catch (InvalidStateException e) {
            // The validator's message is surfaced in the failure response; keep validator messages free of sensitive detail.
            return Optional.of(new AuthenticationFailed("State validation failed: " + e.getMessage()));
        }
    }

    /**
     * Exchanges the authorization code for tokens, validates the result and maps it to user details.
     *
     * @param userDetailsMapper The mapper to apply to the validated claims (never {@code null} here).
     * @return A single-item publisher; a validation failure is emitted as {@link AuthenticationFailed},
     *         a claim-set {@link ParseException} as an error.
     */
    private Publisher<AuthenticationResponse> exchangeCodeForAuthentication(OpenIdAuthorizationResponse authorizationResponse, OauthClientConfiguration clientConfiguration, OpenIdProviderMetadata providerMetadata, OpenIdUserDetailsMapper userDetailsMapper, SecureEndpoint secureEndpoint) {
        // Nonce from the authorization response; handed to the token response validator
        // (presumably to be compared with the ID token's nonce claim — confirm in the validator).
        String nonce = authorizationResponse.getNonce();
        OpenIdCodeTokenRequestContext requestContext = new OpenIdCodeTokenRequestContext(authorizationResponse, this.oauthRouteUrlBuilder, secureEndpoint, clientConfiguration);
        return Flowable.fromPublisher(this.tokenEndpointClient.sendRequest(requestContext))
                .switchMap(tokenResponse -> {
                    if (LOG.isTraceEnabled()) {
                        LOG.trace("Token endpoint returned a success response. Validating the JWT");
                    }
                    // One item is emitted, so the ERROR backpressure strategy never triggers in practice.
                    return Flowable.<AuthenticationResponse>create(emitter -> {
                        Optional<JWT> idToken = this.tokenResponseValidator.validate(clientConfiguration, providerMetadata, tokenResponse, nonce);
                        if (idToken.isPresent()) {
                            try {
                                if (LOG.isTraceEnabled()) {
                                    LOG.trace("Token validation succeeded. Creating a user details");
                                }
                                String providerName = clientConfiguration.getName();
                                JWTOpenIdClaims claims = new JWTOpenIdClaims(idToken.get().getJWTClaimsSet());
                                emitter.onNext(userDetailsMapper.createUserDetails(providerName, tokenResponse, claims));
                                emitter.onComplete();
                            } catch (ParseException e) {
                                emitter.onError(e);
                            }
                        } else {
                            if (LOG.isTraceEnabled()) {
                                LOG.trace("Token validation failed. Failing authentication");
                            }
                            emitter.onNext(new AuthenticationFailed("JWT validation failed"));
                            emitter.onComplete();
                        }
                    }, BackpressureStrategy.ERROR);
                });
    }
}
