package no.nav.security.mock.oauth2.grant;

import com.nimbusds.jose.JOSEObjectType;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
import com.nimbusds.jose.proc.DefaultJOSEObjectTypeVerifier;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.jwt.proc.ConfigurableJWTProcessor;
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import com.nimbusds.oauth2.sdk.AuthorizationGrant;
import com.nimbusds.oauth2.sdk.JWTBearerGrant;
import com.nimbusds.oauth2.sdk.OAuth2Error;
import com.nimbusds.oauth2.sdk.TokenRequest;
import java.util.HashSet;
import java.util.UUID;
import kotlin.Metadata;
import kotlin.collections.CollectionsKt;
import kotlin.jvm.internal.Intrinsics;
import no.nav.security.mock.oauth2.OAuth2Exception;
import no.nav.security.mock.oauth2.extensions.NimbusExtensionsKt;
import no.nav.security.mock.oauth2.http.OAuth2TokenResponse;
import no.nav.security.mock.oauth2.token.OAuth2TokenCallback;
import no.nav.security.mock.oauth2.token.OAuth2TokenProvider;
import okhttp3.HttpUrl;
import org.jetbrains.annotations.NotNull;

/* compiled from: JwtBearerGrantHandler.kt */
/**
 * Grant handler (package {@code no.nav.security.mock.oauth2.grant}) that answers a token request
 * carrying a JWT bearer grant with an on-behalf-of access token from the {@link OAuth2TokenProvider}.
 *
 * <p><b>Security note for readers:</b> on the only public path, {@link #tokenResponse}, the
 * assertion is parsed and its claims are handed to the token provider as-is. Nothing in this file
 * checks the assertion's signature, {@code typ}, issuer or required claims before that happens:
 * the private {@code verifyAssertion} method configures such checks but has no call site here.
 * Presumably this is deliberate for a mock/test server; confirm with the maintainers, and do not
 * copy this flow into a component that issues tokens anyone trusts.
 *
 * <p>This listing is decompiler output of a Kotlin class. The {@code @Metadata} annotation and the
 * {@code Intrinsics} null checks are compiler-generated and are reproduced verbatim.
 */
@Metadata(mv = {1, 4, 0}, bv = {1, 0, 3}, k = 1, d1 = {"��6\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n��\n\u0002\u0010\u000e\n��\u0018��2\u00020\u0001B\r\u0012\u0006\u0010\u0002\u001a\u00020\u0003¢\u0006\u0002\u0010\u0004J\u0010\u0010\u0005\u001a\u00020\u00062\u0006\u0010\u0007\u001a\u00020\bH\u0002J \u0010\t\u001a\u00020\n2\u0006\u0010\u000b\u001a\u00020\f2\u0006\u0010\r\u001a\u00020\u000eH\u0016J\u0018\u0010\u000f\u001a\u00020\u00062\u0006\u0010\u0005\u001a\u00020\u0010H\u0002R\u000e\u0010\u0002\u001a\u00020\u0003X\u0082\u0004¢\u0006\u0002\n��¨\u0006\u0011"}, d2 = {"Lno/nav/security/mock/oauth2/grant/JwtBearerGrantHandler;", "Lno/nav/security/mock/oauth2/grant/GrantHandler;", "tokenProvider", "Lno/nav/security/mock/oauth2/token/OAuth2TokenProvider;", "(Lno/nav/security/mock/oauth2/token/OAuth2TokenProvider;)V", "assertion", "Lcom/nimbusds/jwt/JWTClaimsSet;", "tokenRequest", "Lcom/nimbusds/oauth2/sdk/TokenRequest;", "tokenResponse", "Lno/nav/security/mock/oauth2/http/OAuth2TokenResponse;", "issuerUrl", "Lokhttp3/HttpUrl;", "oAuth2TokenCallback", "Lno/nav/security/mock/oauth2/token/OAuth2TokenCallback;", "verifyAssertion", "", "mock-oauth2-server"})
/* loaded from: input_file:no/nav/security/mock/oauth2/grant/JwtBearerGrantHandler.class */
public final class JwtBearerGrantHandler implements GrantHandler {
    /** Source of the issued access token and of the public JWK set used by {@code verifyAssertion}. */
    private final OAuth2TokenProvider tokenProvider;

    /**
     * Creates a handler backed by the given token provider.
     *
     * @param oAuth2TokenProvider provider used to mint the on-behalf-of access token; must not be null
     */
    public JwtBearerGrantHandler(@NotNull OAuth2TokenProvider oAuth2TokenProvider) {
        Intrinsics.checkNotNullParameter(oAuth2TokenProvider, "tokenProvider");
        tokenProvider = oAuth2TokenProvider;
    }

    /**
     * Builds the token response for a JWT bearer grant request.
     *
     * @param tokenRequest the parsed token request; its authorization grant must be a
     *     {@link JWTBearerGrant} carrying an assertion
     * @param httpUrl the issuer URL (named {@code issuerUrl} in the Kotlin source); only null-checked
     *     on this path
     * @param oAuth2TokenCallback callback forwarded unchanged to the token provider
     * @return a {@code "Bearer"} response whose third argument is the serialized access token
     * @throws OAuth2Exception with {@code invalid_request} when no assertion claims can be read
     */
    @Override // no.nav.security.mock.oauth2.grant.GrantHandler
    @NotNull
    public OAuth2TokenResponse tokenResponse(@NotNull TokenRequest tokenRequest, @NotNull HttpUrl httpUrl, @NotNull OAuth2TokenCallback oAuth2TokenCallback) {
        Intrinsics.checkNotNullParameter(tokenRequest, "tokenRequest");
        Intrinsics.checkNotNullParameter(httpUrl, "issuerUrl");
        Intrinsics.checkNotNullParameter(oAuth2TokenCallback, "oAuth2TokenCallback");

        // NOTE(review): these claims are only parsed, never verified. verifyAssertion() below is
        // not invoked, so an assertion signed by anyone (or with altered claims) reaches the token
        // provider. Presumably acceptable for a mock; confirm it is intentional.
        JWTClaimsSet assertionClaims = assertion(tokenRequest);
        SignedJWT accessToken = tokenProvider.onBehalfOfAccessToken(assertionClaims, tokenRequest, oAuth2TokenCallback);
        String serializedAccessToken = accessToken.serialize();

        // Second argument is null and fourth is a fresh random UUID string. Presumably these are
        // the id-token and refresh-token slots; confirm against OAuth2TokenResponse.
        // NOTE(review): getScope() is dereferenced without a null check. Presumably a request
        // without a scope parameter fails here with a NullPointerException rather than an OAuth2
        // error; verify against TokenRequest's contract.
        return new OAuth2TokenResponse(
            "Bearer",
            null,
            serializedAccessToken,
            UUID.randomUUID().toString(),
            NimbusExtensionsKt.expiresIn(accessToken),
            tokenRequest.getScope().toString());
    }

    /**
     * Reads the claims of the assertion JWT from the request without verifying it.
     *
     * @param tokenRequest the token request to inspect
     * @return the claims set of the assertion
     * @throws OAuth2Exception with {@code invalid_request} when the grant is not a
     *     {@link JWTBearerGrant}, or when the assertion or its claims set is null
     */
    private JWTClaimsSet assertion(TokenRequest tokenRequest) {
        AuthorizationGrant grant = tokenRequest.getAuthorizationGrant();
        JWT assertionJwt = grant instanceof JWTBearerGrant ? ((JWTBearerGrant) grant).getJWTAssertion() : null;
        // NOTE(review): a failure inside getJWTClaimsSet() is not mapped to an OAuth2Exception
        // here, so it would presumably surface as a generic error; confirm how callers handle it.
        JWTClaimsSet claims = assertionJwt == null ? null : assertionJwt.getJWTClaimsSet();
        if (claims == null) {
            throw new OAuth2Exception(OAuth2Error.INVALID_REQUEST, "missing required parameter assertion");
        }
        return claims;
    }

    /**
     * Verifies a serialized assertion and returns its claims. <b>Has no caller in this file.</b>
     *
     * <p>The processor is configured to accept JWS type {@code at+jwt}, to select RS256 verification
     * keys from {@code tokenProvider.publicJwkSet()}, and to check claims against a claims set whose
     * issuer is {@code issuerUrl.toString()} plus the name set {@code sub, iat, exp, aud}
     * (presumably "exact match" and "required" claims respectively; confirm against
     * {@link DefaultJWTClaimsVerifier}).
     *
     * @param issuerUrl issuer the assertion is checked against
     * @param serializedAssertion the assertion in serialized JWT form
     * @return the verified claims set
     * @throws OAuth2Exception with {@code invalid_request} wrapping any exception raised while
     *     processing, including the generated null check on the result
     */
    private JWTClaimsSet verifyAssertion(HttpUrl issuerUrl, String serializedAssertion) {
        ConfigurableJWTProcessor<SecurityContext> jwtProcessor = new DefaultJWTProcessor<>();

        DefaultJOSEObjectTypeVerifier<SecurityContext> typeVerifier =
            new DefaultJOSEObjectTypeVerifier<>(new JOSEObjectType[]{new JOSEObjectType("at+jwt")});
        jwtProcessor.setJWSTypeVerifier(typeVerifier);

        JWSVerificationKeySelector<SecurityContext> keySelector =
            new JWSVerificationKeySelector<>(JWSAlgorithm.RS256, new ImmutableJWKSet<>(tokenProvider.publicJwkSet()));
        jwtProcessor.setJWSKeySelector(keySelector);

        JWTClaimsSet expectedClaims = new JWTClaimsSet.Builder().issuer(issuerUrl.toString()).build();
        HashSet<String> claimNames = new HashSet<>(CollectionsKt.listOf("sub", "iat", "exp", "aud"));
        jwtProcessor.setJWTClaimsSetVerifier(new DefaultJWTClaimsVerifier<>(expectedClaims, claimNames));

        try {
            JWTClaimsSet verifiedClaims = jwtProcessor.process(serializedAssertion, null);
            // Kept inside the try on purpose: a null result is wrapped like any other failure.
            Intrinsics.checkNotNullExpressionValue(verifiedClaims, "jwtProcessor.process(assertion, null)");
            return verifiedClaims;
        } catch (Exception e) {
            // The broad catch is the original behaviour: every failure becomes invalid_request,
            // with the cause preserved.
            throw new OAuth2Exception(OAuth2Error.INVALID_REQUEST, "invalid assertion.", e);
        }
    }
}
