package com.nimbusds.openid.connect.sdk.federation.trust;

import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.util.CollectionUtils;
import com.nimbusds.openid.connect.sdk.federation.entities.EntityID;
import com.nimbusds.openid.connect.sdk.federation.entities.EntityStatement;
import com.nimbusds.openid.connect.sdk.federation.entities.EntityType;
import com.nimbusds.openid.connect.sdk.federation.entities.FederationEntityMetadata;
import com.nimbusds.openid.connect.sdk.federation.trust.constraints.TrustChainConstraints;
import java.net.URI;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Set;

/* loaded from: input_file:META-INF/bundled-dependencies/oauth2-oidc-sdk-10.7.1.jar:com/nimbusds/openid/connect/sdk/federation/trust/DefaultTrustChainRetriever.class */
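/**
 * Retrieves candidate trust chains for a federation entity by following the
 * {@code authority_hints} published in fetched entity configurations until a
 * statement issued by one of the supplied trust anchors is found.
 *
 * <p>Failures are not thrown: they are collected and exposed through
 * {@link #getAccumulatedExceptions()}, and the affected branch simply yields
 * no chain. An empty {@link TrustChainSet} therefore means "nothing resolved";
 * inspect the accumulated exceptions to learn why.
 *
 * <p>Security notes for callers:
 * <ul>
 *   <li>No signature, expiry or policy check is performed in this class. The
 *       chains it returns are candidates assembled from remote data; whether
 *       the injected {@link EntityStatementRetriever} verifies anything is
 *       not visible here, so treat the result as unverified until the caller
 *       has validated it.</li>
 *   <li>The JWK sets in {@link #getAccumulatedTrustAnchorJWKSets()} are copied
 *       from the entity configuration fetched for an ID that matches a trust
 *       anchor. They are what the remote side published, not an independent
 *       root of trust.</li>
 *   <li>Authority IDs and the federation fetch endpoint URI come from fetched
 *       statements and are handed to the retriever unchanged. Outbound request
 *       restrictions (scheme, destination, timeouts, response size) have to be
 *       enforced by the retriever implementation.</li>
 *   <li>Recursion depth is limited by {@link TrustChainConstraints}. An
 *       authority that already issued a statement in the chain being built is
 *       skipped, which stops simple {@code authority_hints} cycles; this is
 *       not a substitute for a maximum path length constraint.</li>
 *   <li>The accumulated state is held in plain collections that every
 *       {@code retrieve} call clears, with no synchronisation. Do not share an
 *       instance between concurrent resolutions.</li>
 * </ul>
 */
class DefaultTrustChainRetriever implements TrustChainRetriever {
    private final EntityStatementRetriever retriever;
    private final TrustChainConstraints constraints;
    private final List<Throwable> accumulatedExceptions;
    private final Map<EntityID, JWKSet> accumulatedTrustAnchorJWKSets;

    /**
     * Creates a retriever that applies {@link TrustChainConstraints#NO_CONSTRAINTS}.
     *
     * @param entityStatementRetriever the retriever used for all fetches, must not be {@code null}
     */
    DefaultTrustChainRetriever(EntityStatementRetriever entityStatementRetriever) {
        this(entityStatementRetriever, TrustChainConstraints.NO_CONSTRAINTS);
    }

    /**
     * Creates a retriever with explicit chain constraints.
     *
     * @param entityStatementRetriever the retriever used for all fetches, must not be {@code null}
     * @param trustChainConstraints the constraints consulted for path length and permitted authorities,
     *        must not be {@code null}
     * @throws IllegalArgumentException if either argument is {@code null}
     */
    public DefaultTrustChainRetriever(EntityStatementRetriever entityStatementRetriever, TrustChainConstraints trustChainConstraints) {
        this.accumulatedExceptions = new LinkedList<>();
        this.accumulatedTrustAnchorJWKSets = new HashMap<>();
        if (entityStatementRetriever == null) {
            throw new IllegalArgumentException("The entity statement retriever must not be null");
        }
        this.retriever = entityStatementRetriever;
        if (trustChainConstraints == null) {
            throw new IllegalArgumentException("The trust chain constraints must not be null");
        }
        this.constraints = trustChainConstraints;
    }

    /**
     * Returns the constraints this retriever was configured with.
     *
     * @return the trust chain constraints, never {@code null}
     */
    public TrustChainConstraints getConstraints() {
        return this.constraints;
    }

    /**
     * Fetches the entity configuration of {@code entityID}, optionally validates the metadata of
     * one entity type in it, and then resolves candidate chains to the given trust anchors.
     *
     * @param entityID the subject whose entity configuration is fetched first
     * @param entityMetadataValidator optional validator; when non-null its type selects the metadata
     *        that is validated before any authority is contacted
     * @param set the trust anchor entity IDs, must not be {@code null} or empty
     * @return the candidate chains; empty when the entity configuration could not be fetched
     *         (the cause is then in {@link #getAccumulatedExceptions()})
     * @throws InvalidEntityMetadataException propagated from the validator
     * @throws IllegalArgumentException if {@code set} is empty or the validator reports no entity type
     */
    @Override
    public TrustChainSet retrieve(EntityID entityID, EntityMetadataValidator entityMetadataValidator, Set<EntityID> set) throws InvalidEntityMetadataException {
        if (CollectionUtils.isEmpty(set)) {
            throw new IllegalArgumentException("The trust anchors must not be empty");
        }
        this.accumulatedExceptions.clear();
        this.accumulatedTrustAnchorJWKSets.clear();
        try {
            EntityStatement entityConfiguration = this.retriever.fetchEntityConfiguration(entityID);
            if (entityMetadataValidator != null) {
                EntityType type = entityMetadataValidator.getType();
                if (type == null) {
                    throw new IllegalArgumentException("The target metadata validation doesn't specify a federation entity type");
                }
                // Validation runs before any authority is contacted, so a rejected subject causes no further fetches.
                entityMetadataValidator.validate(entityID, entityConfiguration.getClaimsSet().getMetadata(type));
            }
            return retrieve(entityConfiguration, set);
        } catch (ResolveException e) {
            this.accumulatedExceptions.add(e);
            return new TrustChainSet();
        }
    }

    /**
     * Resolves candidate chains for an already obtained entity configuration.
     *
     * @param entityStatement the subject's entity configuration; its {@code authority_hints} seed the search
     * @param set the trust anchor entity IDs, must not be {@code null} or empty
     * @return the candidate chains; empty when the statement lists no authorities or its subject
     *         cannot be parsed as an entity ID
     * @throws IllegalArgumentException if {@code set} is empty
     */
    @Override
    public TrustChainSet retrieve(EntityStatement entityStatement, Set<EntityID> set) {
        if (CollectionUtils.isEmpty(set)) {
            throw new IllegalArgumentException("The trust anchors must not be empty");
        }
        this.accumulatedExceptions.clear();
        this.accumulatedTrustAnchorJWKSets.clear();
        List<EntityID> authorityHints = entityStatement.getClaimsSet().getAuthorityHints();
        if (CollectionUtils.isEmpty(authorityHints)) {
            this.accumulatedExceptions.add(new ResolveException("Entity " + entityStatement.getEntityID() + " has no authorities listed (authority_hints)"));
            return new TrustChainSet();
        }
        try {
            EntityID subject = EntityID.parse(entityStatement.getClaimsSet().getSubject());
            Set<List<EntityStatement>> superiorStatementLists = fetchStatementsFromAuthorities(subject, authorityHints, set, Collections.<EntityStatement>emptyList());
            TrustChainSet trustChainSet = new TrustChainSet();
            for (List<EntityStatement> superiorStatements : superiorStatementLists) {
                trustChainSet.add(new TrustChain(entityStatement, superiorStatements));
            }
            return trustChainSet;
        } catch (ParseException e) {
            this.accumulatedExceptions.add(new ResolveException("Entity " + entityStatement.getEntityID() + " subject is illegal: " + e.getMessage(), e));
            return new TrustChainSet();
        }
    }

    /**
     * Extends {@code partialChain} by one statement per usable authority and recurses on the
     * extensions that have not reached a trust anchor yet.
     *
     * @param subject the entity the authorities are asked about
     * @param authorityHints the authorities to try; {@code null} elements are ignored
     * @param trustAnchors the trust anchor entity IDs
     * @param partialChain the statements collected so far, subject side first
     * @return the statement lists whose last statement was issued by a trust anchor
     */
    private Set<List<EntityStatement>> fetchStatementsFromAuthorities(EntityID subject, List<EntityID> authorityHints, Set<EntityID> trustAnchors, List<EntityStatement> partialChain) {
        Set<List<EntityStatement>> extendedChains = new HashSet<>();
        // authority_hints of every authority whose configuration was fetched in this round,
        // looked up again below when a chain has to continue upwards
        Map<EntityID, List<EntityID>> hintsByAuthority = new HashMap<>();
        for (EntityID authority : authorityHints) {
            if (authority == null) {
                continue;
            }
            if (!this.constraints.isPermitted(partialChain.size())) {
                this.accumulatedExceptions.add(new ResolveException("Reached max number of intermediates in chain at " + subject));
                continue;
            }
            if (!this.constraints.isPermitted(authority)) {
                this.accumulatedExceptions.add(new ResolveException("Reached authority which isn't permitted according to constraints: " + authority));
                continue;
            }
            if (hasIssuer(partialChain, authority)) {
                // Hints are remote-supplied; a repeated issuer means the hints loop back on themselves.
                this.accumulatedExceptions.add(new ResolveException("Detected loop in authority hints at " + authority));
                continue;
            }
            try {
                EntityStatement authorityConfiguration = this.retriever.fetchEntityConfiguration(authority);
                hintsByAuthority.put(authority, authorityConfiguration.getClaimsSet().getAuthorityHints());
                if (trustAnchors.contains(authorityConfiguration.getEntityID())) {
                    // Keys as published by the fetched configuration; not verified in this class.
                    this.accumulatedTrustAnchorJWKSets.put(authorityConfiguration.getEntityID(), authorityConfiguration.getClaimsSet().getJWKSet());
                }
                FederationEntityMetadata federationEntityMetadata = authorityConfiguration.getClaimsSet().getFederationEntityMetadata();
                if (federationEntityMetadata == null) {
                    this.accumulatedExceptions.add(new ResolveException("No federation entity metadata for " + authority));
                    continue;
                }
                URI federationFetchEndpointURI = federationEntityMetadata.getFederationFetchEndpointURI();
                if (federationFetchEndpointURI == null) {
                    this.accumulatedExceptions.add(new ResolveException("No federation fetch URI in metadata for " + authority));
                    continue;
                }
                try {
                    // The endpoint URI comes straight from the fetched metadata; no scheme or host check is applied here.
                    EntityStatement statement = this.retriever.fetchEntityStatement(federationFetchEndpointURI, authority, subject);
                    List<EntityStatement> extendedChain = new LinkedList<>(partialChain);
                    extendedChain.add(statement);
                    extendedChains.add(Collections.unmodifiableList(extendedChain));
                } catch (ResolveException statementFailure) {
                    this.accumulatedExceptions.add(new ResolveException("Couldn't fetch entity statement from " + federationFetchEndpointURI + ": " + statementFailure.getMessage(), statementFailure));
                }
            } catch (ResolveException configurationFailure) {
                this.accumulatedExceptions.add(new ResolveException("Couldn't fetch entity configuration from " + authority + ": " + configurationFailure.getMessage(), configurationFailure));
            }
        }

        Set<List<EntityStatement>> completeChains = new LinkedHashSet<>();
        Set<List<EntityStatement>> pendingChains = new LinkedHashSet<>();
        for (List<EntityStatement> chain : extendedChains) {
            EntityStatement last = chain.get(chain.size() - 1);
            if (trustAnchors.contains(last.getClaimsSet().getIssuerEntityID())) {
                completeChains.add(chain);
            } else if (!CollectionUtils.isEmpty(last.getClaimsSet().getAuthorityHints())) {
                pendingChains.add(chain);
            }
            // Anything else is a dead end and is dropped without an accumulated exception.
        }
        for (List<EntityStatement> chain : pendingChains) {
            EntityID issuer = chain.get(chain.size() - 1).getClaimsSet().getIssuerEntityID();
            List<EntityID> issuerHints = hintsByAuthority.get(issuer);
            if (!CollectionUtils.isEmpty(issuerHints)) {
                completeChains.addAll(fetchStatementsFromAuthorities(issuer, issuerHints, trustAnchors, chain));
            }
        }
        return completeChains;
    }

    /**
     * Checks whether {@code authority} is the issuer of a statement already in {@code chain}.
     *
     * @param chain the statements collected so far
     * @param authority the authority about to be contacted
     * @return {@code true} if some statement in {@code chain} names {@code authority} as its issuer
     */
    private static boolean hasIssuer(List<EntityStatement> chain, EntityID authority) {
        for (EntityStatement statement : chain) {
            if (authority.equals(statement.getClaimsSet().getIssuerEntityID())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Returns the JWK sets recorded for trust anchors during the last {@code retrieve} call.
     *
     * <p>The returned map is the live internal map: it is cleared by the next {@code retrieve}
     * call and is not a defensive copy.
     *
     * @return the recorded JWK sets keyed by trust anchor entity ID
     */
    @Override
    public Map<EntityID, JWKSet> getAccumulatedTrustAnchorJWKSets() {
        return this.accumulatedTrustAnchorJWKSets;
    }

    /**
     * Returns the failures recorded during the last {@code retrieve} call.
     *
     * <p>The returned list is the live internal list: it is cleared by the next {@code retrieve}
     * call and is not a defensive copy.
     *
     * @return the recorded exceptions, in the order they were added
     */
    @Override
    public List<Throwable> getAccumulatedExceptions() {
        return this.accumulatedExceptions;
    }
}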
