package io.personium.plugin.auth.oidc;

import com.fasterxml.jackson.core.JsonFactory;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;
import io.personium.plugin.base.auth.AuthPluginException;
import io.personium.plugin.base.auth.AuthPluginUtils;
import io.personium.plugin.base.utils.PluginUtils;
import java.io.IOException;
import java.security.Key;
import org.apache.commons.lang.StringUtils;
import org.apache.http.client.ClientProtocolException;
import org.json.simple.JSONObject;
import org.json.simple.parser.ParseException;

/* loaded from: input_file:io/personium/plugin/auth/oidc/OIDCTokenHandler.class */
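/**
 * Verifies OpenID Connect ID tokens (compact JWS) against the signing keys an identity
 * provider publishes at its {@code jwks_uri}.
 *
 * <p>Keys are looked up through a {@link JwkResolver}. The resolver is created from a freshly
 * constructed {@link JwkSet} and is rebuilt from {@code jwksURI} whenever a token names a key
 * that the current resolver cannot resolve.
 *
 * <p>NOTE(review): {@code jwkResolver} is replaced without synchronization; confirm whether
 * one handler instance is shared between request threads.
 */
public class OIDCTokenHandler {
    /** Number of dot-separated parts in a compact JWS (header.payload.signature). */
    private static final int PART_COUNT_JWS = 3;
    /** Number of dot-separated parts in a compact JWE; such tokens are rejected. */
    private static final int PART_COUNT_JWE = 5;

    private final String issuer;
    private final String jwksURI;
    // Not final: swapped for a resolver over freshly fetched keys on a key-lookup miss.
    private JwkResolver jwkResolver;

    /**
     * Creates a handler for one identity provider.
     *
     * @param str issuer identifier reported by {@link #getIssuer()}; stored as given
     * @param str2 URL of the provider's JWK Set; must not be null or empty
     * @throws IllegalArgumentException if {@code str2} is null or empty
     */
    public OIDCTokenHandler(String str, String str2) {
        if (StringUtils.isEmpty(str2)) {
            throw new IllegalArgumentException("jwksURI must not be empty");
        }
        this.issuer = str;
        this.jwksURI = str2;
        this.jwkResolver = new JwkResolver(new JwkSet());
    }

    /**
     * Checks the signature of a compact-JWS ID token and returns its claims.
     *
     * <p>This method only selects a key and lets the JJWT parser verify the token with it.
     * It does not compare the {@code iss} claim with {@link #getIssuer()} and does not look
     * at {@code aud} or {@code nonce}; callers have to perform those checks on the returned
     * claims.
     *
     * @param str the ID token in compact serialization
     * @return the claims of the verified token
     * @throws IllegalArgumentException if the token is null, is not a three-part JWS, or its
     *     header cannot be parsed or carries a non-string {@code kid}/{@code alg}
     * @throws AuthPluginException if the JWK Set cannot be fetched or parsed, or does not
     *     contain the key named by the token
     */
    public Claims parseIdToken(String str) throws AuthPluginException {
        if (str == null) {
            // Previously surfaced as a NullPointerException from split().
            throw new IllegalArgumentException("Unknown IdToken");
        }
        String[] parts = str.split("\\.");
        if (parts.length == PART_COUNT_JWE) {
            throw new IllegalArgumentException("JWE styled IdToken is not supported");
        }
        if (parts.length != PART_COUNT_JWS) {
            throw new IllegalArgumentException("Unknown IdToken");
        }
        try {
            // The header is read before any signature check, so kid and alg are still
            // attacker-controlled here. They are only handed to the resolver to pick a key.
            JSONObject header = AuthPluginUtils.tokenToJSON(parts[0]);
            String kid = headerString(header, "kid");
            String alg = headerString(header, "alg");
            Key signingKey = this.jwkResolver.resolveSigningKey(kid, alg);
            if (signingKey == null) {
                // Unknown key: the provider may have rotated keys, so fetch the set again.
                // NOTE(review): every token with an unresolvable kid causes an outbound
                // request to jwksURI and no throttling is visible in this class; confirm
                // that JwkSet or the caller bounds the refetch rate.
                try {
                    this.jwkResolver = new JwkResolver(JwkSet.fetchJwks(this.jwksURI));
                    signingKey = this.jwkResolver.resolveSigningKey(kid, alg);
                    if (signingKey == null) {
                        // kid is caller-supplied text echoed into the message; whatever
                        // logs or returns this message should treat it as untrusted.
                        throw OidcPluginException.INVALID_KEY.create("The key [" + kid + "] is not contained in IdP JwkSet.");
                    }
                } catch (IOException e) {
                    throw OidcPluginException.UNEXPECTED_RESPONSE.create("GET", this.jwksURI, "");
                } catch (ParseException e) {
                    throw OidcPluginException.UNEXPECTED_RESPONSE.create(this.jwksURI, JsonFactory.FORMAT_NAME_JSON);
                }
            }
            return Jwts.parserBuilder()
                    .setSigningKey(signingKey)
                    .build()
                    .parseClaimsJws(str)
                    .getBody();
        } catch (ParseException e) {
            throw new IllegalArgumentException("JWS Header is broken", e);
        }
    }

    /**
     * Returns the issuer identifier this handler was created with.
     *
     * @return the issuer, exactly as passed to the constructor
     */
    public String getIssuer() {
        return this.issuer;
    }

    /**
     * Builds a handler from an OpenID Connect discovery document.
     *
     * <p>NOTE(review): {@code jwks_uri} and {@code issuer} are taken from the response as they
     * are. No scheme check on {@code jwks_uri} and no comparison of {@code issuer} with the
     * configuration URL is visible here; confirm where those are enforced.
     *
     * @param str URL of the provider's OpenID configuration document
     * @return a handler using the {@code issuer} and {@code jwks_uri} from that document
     * @throws AuthPluginException if the document cannot be fetched or parsed, or lacks
     *     {@code jwks_uri} or {@code issuer}
     * @throws IllegalArgumentException if {@code jwks_uri} is an empty string
     */
    public static OIDCTokenHandler createFromOIDCConfigurationURL(String str) throws AuthPluginException {
        try {
            JSONObject configuration = PluginUtils.getHttpJSON(str);
            String jwksUri = (String) configuration.get("jwks_uri");
            String issuerValue = (String) configuration.get("issuer");
            // Report the document URL in these errors: the original passed the missing
            // value itself, which is always null at this point.
            if (jwksUri == null) {
                throw OidcPluginException.UNEXPECTED_RESPONSE.create(str, "non-null `jwks_uri`");
            }
            if (issuerValue == null) {
                throw OidcPluginException.UNEXPECTED_RESPONSE.create(str, "non-null `issuer`");
            }
            return new OIDCTokenHandler(issuerValue, jwksUri);
        } catch (ClientProtocolException e) {
            throw OidcPluginException.UNEXPECTED_RESPONSE.create(str, "proper HTTP response");
        } catch (IOException e) {
            throw OidcPluginException.UNEXPECTED_RESPONSE.create("GET", str, "");
        } catch (ParseException e) {
            throw OidcPluginException.UNEXPECTED_RESPONSE.create(str, JsonFactory.FORMAT_NAME_JSON);
        }
    }

    /**
     * Reads an optional string member from the unverified JWS header.
     *
     * @return the value, or null when the member is absent
     * @throws IllegalArgumentException if the member is present but not a JSON string, so a
     *     malformed header is rejected instead of failing with a ClassCastException
     */
    private static String headerString(JSONObject header, String name) {
        Object value = header.get(name);
        if (value != null && !(value instanceof String)) {
            throw new IllegalArgumentException("JWS Header is broken");
        }
        return (String) value;
    }
}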
