package no.nav.security.mock.oauth2.token;

import com.nimbusds.jose.JOSEObjectType;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.ECDSASigner;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.KeyType;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.oauth2.sdk.TokenRequest;
import java.time.Duration;
import java.time.Instant;
import java.util.Date;
import java.util.List;
import java.util.Map;
import java.util.UUID;
import kotlin.Metadata;
import kotlin.collections.CollectionsKt;
import kotlin.collections.MapsKt;
import kotlin.jvm.JvmOverloads;
import kotlin.jvm.internal.DefaultConstructorMarker;
import kotlin.jvm.internal.Intrinsics;
import no.nav.security.mock.oauth2.OAuth2Exception;
import no.nav.security.mock.oauth2.extensions.HttpUrlExtensionsKt;
import no.nav.security.mock.oauth2.extensions.NimbusExtensionsKt;
import okhttp3.HttpUrl;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;

/* compiled from: OAuth2TokenProvider.kt */
@Metadata(mv = {1, 7, 1}, k = 1, xi = 48, d1 = {"��r\n\u0002\u0018\u0002\n\u0002\u0010��\n��\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n��\n\u0002\u0010\u000e\n��\n\u0002\u0018\u0002\n\u0002\b\u0003\n\u0002\u0010 \n��\n\u0002\u0010$\n��\n\u0002\u0010\t\n\u0002\b\u0004\n\u0002\u0018\u0002\n\u0002\b\u0003\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n\u0002\b\u0002\u0018��2\u00020\u0001B\u0011\b\u0007\u0012\b\b\u0002\u0010\u0002\u001a\u00020\u0003¢\u0006\u0002\u0010\u0004J*\u0010\u0005\u001a\u00020\u00062\u0006\u0010\u0007\u001a\u00020\b2\u0006\u0010\t\u001a\u00020\n2\u0006\u0010\u000b\u001a\u00020\f2\n\b\u0002\u0010\r\u001a\u0004\u0018\u00010\u000eJV\u0010\u000f\u001a\n \u0011*\u0004\u0018\u00010\u00100\u00102\u0006\u0010\t\u001a\u00020\n2\b\u0010\u0012\u001a\u0004\u0018\u00010\u000e2\f\u0010\u0013\u001a\b\u0012\u0004\u0012\u00020\u000e0\u00142\b\u0010\r\u001a\u0004\u0018\u00010\u000e2\u0012\u0010\u0015\u001a\u000e\u0012\u0004\u0012\u00020\u000e\u0012\u0004\u0012\u00020\u00010\u00162\u0006\u0010\u0017\u001a\u00020\u0018H\u0002J&\u0010\u0019\u001a\u00020\u00062\u0006\u0010\u0007\u001a\u00020\b2\u0006\u0010\t\u001a\u00020\n2\u0006\u0010\u001a\u001a\u00020\u00102\u0006\u0010\u000b\u001a\u00020\fJ*\u0010\u001b\u001a\u00020\u00062\u0006\u0010\u0007\u001a\u00020\b2\u0006\u0010\t\u001a\u00020\n2\u0006\u0010\u000b\u001a\u00020\f2\n\b\u0002\u0010\r\u001a\u0004\u0018\u00010\u000eJ \u0010\u001c\u001a\u00020\u001d2\u0006\u0010\u001e\u001a\u00020\u000e2\u0006\u0010\u001f\u001a\u00020\u000e2\u0006\u0010 
\u001a\u00020!H\u0002J0\u0010\"\u001a\u00020\u00062\u0012\u0010#\u001a\u000e\u0012\u0004\u0012\u00020\u000e\u0012\u0004\u0012\u00020\u00010\u00162\b\b\u0002\u0010\u0017\u001a\u00020$2\b\b\u0002\u0010%\u001a\u00020\u000eH\u0007J\u0012\u0010&\u001a\u00020'2\b\b\u0002\u0010%\u001a\u00020\u000eH\u0007J\"\u0010(\u001a\u00020)*\u00020)2\u0014\b\u0002\u0010#\u001a\u000e\u0012\u0004\u0012\u00020\u000e\u0012\u0004\u0012\u00020\u00010\u0016H\u0002J\u001c\u0010*\u001a\u00020\u0006*\u00020\u00102\u0006\u0010%\u001a\u00020\u000e2\u0006\u0010\u001f\u001a\u00020\u000eH\u0002R\u000e\u0010\u0002\u001a\u00020\u0003X\u0082\u0004¢\u0006\u0002\n��¨\u0006+"}, d2 = {"Lno/nav/security/mock/oauth2/token/OAuth2TokenProvider;", "", "keyProvider", "Lno/nav/security/mock/oauth2/token/KeyProvider;", "(Lno/nav/security/mock/oauth2/token/KeyProvider;)V", "accessToken", "Lcom/nimbusds/jwt/SignedJWT;", "tokenRequest", "Lcom/nimbusds/oauth2/sdk/TokenRequest;", "issuerUrl", "Lokhttp3/HttpUrl;", "oAuth2TokenCallback", "Lno/nav/security/mock/oauth2/token/OAuth2TokenCallback;", "nonce", "", "defaultClaims", "Lcom/nimbusds/jwt/JWTClaimsSet;", "kotlin.jvm.PlatformType", "subject", "audience", "", "additionalClaims", "", "expiry", "", "exchangeAccessToken", "claimsSet", "idToken", "jwsHeader", "Lcom/nimbusds/jose/JWSHeader;", "keyId", "type", "algorithm", "Lcom/nimbusds/jose/JWSAlgorithm;", "jwt", "claims", "Ljava/time/Duration;", "issuerId", "publicJwkSet", "Lcom/nimbusds/jose/jwk/JWKSet;", "addClaims", "Lcom/nimbusds/jwt/JWTClaimsSet$Builder;", "sign", "mock-oauth2-server"})
/* loaded from: input_file:no/nav/security/mock/oauth2/token/OAuth2TokenProvider.class */
/*
 * Builds and signs the JWTs handed out by mock-oauth2-server: ID tokens, access tokens,
 * token-exchange access tokens and free-form JWTs.
 *
 * Every token is signed with the key that KeyProvider returns for the issuer id, using the
 * algorithm and key type reported by that same KeyProvider (see sign()).
 *
 * Reviewer notes for anyone relying on the claims this class emits:
 *  - Caller- or callback-supplied claim maps are applied AFTER the standard claims are set.
 *    JWTClaimsSet.Builder.claim() stores a claim by name, so a map entry named "iss", "sub",
 *    "aud", "exp", "nbf", "iat" or "jti" replaces the value computed here.
 *  - The "typ" header is whatever string the callback returns; it is not checked against a list.
 *  - Members whose names end in "$default", and the constructor taking DefaultConstructorMarker,
 *    are Kotlin default-argument bridges. Their int argument is a bit mask in which a set bit
 *    means "this argument was omitted, substitute the default".
 */
public final class OAuth2TokenProvider {

    /** Supplies the per-issuer signing key plus the JWS algorithm and key type used when signing. */
    @NotNull
    private final KeyProvider keyProvider;

    /**
     * Creates a provider that signs with keys obtained from the given {@code keyProvider}.
     *
     * @param keyProvider source of signing keys; must not be null
     */
    @JvmOverloads
    public OAuth2TokenProvider(@NotNull KeyProvider keyProvider) {
        Intrinsics.checkNotNullParameter(keyProvider, "keyProvider");
        this.keyProvider = keyProvider;
    }

    /**
     * Default-argument bridge for the primary constructor. When bit 0 of {@code i} is set, a
     * {@code KeyProvider} built through its own default-argument bridge (mask 3) is used in place
     * of {@code keyProvider}.
     */
    public /* synthetic */ OAuth2TokenProvider(KeyProvider keyProvider, int i, DefaultConstructorMarker defaultConstructorMarker) {
        this((i & 1) != 0 ? new KeyProvider(null, null, 3, null) : keyProvider);
    }

    /**
     * Returns the JWK set published for an issuer.
     *
     * <p>The issuer's signing key is wrapped in a {@link JWKSet} and converted with
     * {@code toPublicJWKSet()}, so the returned set is the public view of that key.
     *
     * @param str the issuer id whose key is looked up
     * @return the public JWK set for that issuer
     */
    @JvmOverloads
    @NotNull
    public final JWKSet publicJwkSet(@NotNull String str) {
        Intrinsics.checkNotNullParameter(str, "issuerId");
        JWK issuerKey = this.keyProvider.signingKey(str);
        JWKSet publicOnly = new JWKSet(issuerKey).toPublicJWKSet();
        Intrinsics.checkNotNullExpressionValue(publicOnly, "JWKSet(keyProvider.signi…suerId)).toPublicJWKSet()");
        return publicOnly;
    }

    /** Default-argument bridge: bit 0 of {@code i} set means the issuer id falls back to {@code "default"}. */
    public static /* synthetic */ JWKSet publicJwkSet$default(OAuth2TokenProvider oAuth2TokenProvider, String str, int i, Object obj) {
        boolean issuerIdOmitted = (i & 1) != 0;
        return oAuth2TokenProvider.publicJwkSet(issuerIdOmitted ? "default" : str);
    }

    /**
     * Issues a signed ID token for a token request.
     *
     * <p>The subject, additional claims, lifetime and {@code typ} header all come from the
     * callback. The audience is a single-element list holding the request's client id. A
     * {@code nonce} claim is added only when {@code str} is non-null.
     *
     * @param tokenRequest the incoming token request
     * @param httpUrl the issuer URL; used as the {@code iss} claim and to derive the issuer id
     * @param oAuth2TokenCallback supplies subject, extra claims, expiry and type header
     * @param str the nonce to embed, or {@code null} for none
     * @return the signed ID token
     */
    @NotNull
    public final SignedJWT idToken(@NotNull TokenRequest tokenRequest, @NotNull HttpUrl httpUrl, @NotNull OAuth2TokenCallback oAuth2TokenCallback, @Nullable String str) {
        Intrinsics.checkNotNullParameter(tokenRequest, "tokenRequest");
        Intrinsics.checkNotNullParameter(httpUrl, "issuerUrl");
        Intrinsics.checkNotNullParameter(oAuth2TokenCallback, "oAuth2TokenCallback");
        // Callback values are read in the same order as the original argument list.
        String subject = oAuth2TokenCallback.subject(tokenRequest);
        List<String> clientAudience = CollectionsKt.listOf(NimbusExtensionsKt.clientIdAsString(tokenRequest));
        Map<String, ? extends Object> extraClaims = oAuth2TokenCallback.addClaims(tokenRequest);
        long lifetimeSeconds = oAuth2TokenCallback.tokenExpiry();
        JWTClaimsSet claims = defaultClaims(httpUrl, subject, clientAudience, str, extraClaims, lifetimeSeconds);
        Intrinsics.checkNotNullExpressionValue(claims, "defaultClaims(\n        i…lback.tokenExpiry()\n    )");
        String issuerId = HttpUrlExtensionsKt.issuerId(httpUrl);
        String typeHeader = oAuth2TokenCallback.typeHeader(tokenRequest);
        return sign(claims, issuerId, typeHeader);
    }

    /** Default-argument bridge: bit 3 of {@code i} set means the nonce is omitted ({@code null}). */
    public static /* synthetic */ SignedJWT idToken$default(OAuth2TokenProvider oAuth2TokenProvider, TokenRequest tokenRequest, HttpUrl httpUrl, OAuth2TokenCallback oAuth2TokenCallback, String str, int i, Object obj) {
        boolean nonceOmitted = (i & 8) != 0;
        return oAuth2TokenProvider.idToken(tokenRequest, httpUrl, oAuth2TokenCallback, nonceOmitted ? null : str);
    }

    /**
     * Issues a signed access token for a token request.
     *
     * <p>Identical to {@link #idToken} except that the audience is taken from
     * {@code oAuth2TokenCallback.audience(tokenRequest)} rather than from the client id.
     *
     * @param tokenRequest the incoming token request
     * @param httpUrl the issuer URL; used as the {@code iss} claim and to derive the issuer id
     * @param oAuth2TokenCallback supplies subject, audience, extra claims, expiry and type header
     * @param str the nonce to embed, or {@code null} for none
     * @return the signed access token
     */
    @NotNull
    public final SignedJWT accessToken(@NotNull TokenRequest tokenRequest, @NotNull HttpUrl httpUrl, @NotNull OAuth2TokenCallback oAuth2TokenCallback, @Nullable String str) {
        Intrinsics.checkNotNullParameter(tokenRequest, "tokenRequest");
        Intrinsics.checkNotNullParameter(httpUrl, "issuerUrl");
        Intrinsics.checkNotNullParameter(oAuth2TokenCallback, "oAuth2TokenCallback");
        // Callback values are read in the same order as the original argument list.
        String subject = oAuth2TokenCallback.subject(tokenRequest);
        List<String> callbackAudience = oAuth2TokenCallback.audience(tokenRequest);
        Map<String, ? extends Object> extraClaims = oAuth2TokenCallback.addClaims(tokenRequest);
        long lifetimeSeconds = oAuth2TokenCallback.tokenExpiry();
        JWTClaimsSet claims = defaultClaims(httpUrl, subject, callbackAudience, str, extraClaims, lifetimeSeconds);
        Intrinsics.checkNotNullExpressionValue(claims, "defaultClaims(\n        i…lback.tokenExpiry()\n    )");
        String issuerId = HttpUrlExtensionsKt.issuerId(httpUrl);
        String typeHeader = oAuth2TokenCallback.typeHeader(tokenRequest);
        return sign(claims, issuerId, typeHeader);
    }

    /** Default-argument bridge: bit 3 of {@code i} set means the nonce is omitted ({@code null}). */
    public static /* synthetic */ SignedJWT accessToken$default(OAuth2TokenProvider oAuth2TokenProvider, TokenRequest tokenRequest, HttpUrl httpUrl, OAuth2TokenCallback oAuth2TokenCallback, String str, int i, Object obj) {
        boolean nonceOmitted = (i & 8) != 0;
        return oAuth2TokenProvider.accessToken(tokenRequest, httpUrl, oAuth2TokenCallback, nonceOmitted ? null : str);
    }

    /**
     * Issues a new access token derived from an existing claims set (token exchange).
     *
     * <p>The builder is seeded with {@code jWTClaimsSet}, then {@code iss}, {@code exp},
     * {@code nbf}, {@code iat}, {@code jti} and {@code aud} are overwritten and the callback's
     * additional claims are applied. Every other claim of the input, the subject included, is
     * carried into the new token unchanged. This method does not inspect or validate the input
     * claims; any checking of the token they came from has to happen before this call.
     *
     * @param tokenRequest the incoming token request
     * @param httpUrl the issuer URL; used as the {@code iss} claim and to derive the issuer id
     * @param jWTClaimsSet the claims to start from
     * @param oAuth2TokenCallback supplies audience, extra claims, expiry and type header
     * @return the signed exchanged token
     */
    @NotNull
    public final SignedJWT exchangeAccessToken(@NotNull TokenRequest tokenRequest, @NotNull HttpUrl httpUrl, @NotNull JWTClaimsSet jWTClaimsSet, @NotNull OAuth2TokenCallback oAuth2TokenCallback) {
        Intrinsics.checkNotNullParameter(tokenRequest, "tokenRequest");
        Intrinsics.checkNotNullParameter(httpUrl, "issuerUrl");
        Intrinsics.checkNotNullParameter(jWTClaimsSet, "claimsSet");
        Intrinsics.checkNotNullParameter(oAuth2TokenCallback, "oAuth2TokenCallback");
        Instant issuedAt = Instant.now();
        JWTClaimsSet.Builder exchanged = new JWTClaimsSet.Builder(jWTClaimsSet)
                .issuer(httpUrl.toString())
                .expirationTime(Date.from(issuedAt.plusSeconds(oAuth2TokenCallback.tokenExpiry())))
                .notBeforeTime(Date.from(issuedAt))
                .issueTime(Date.from(issuedAt))
                .jwtID(UUID.randomUUID().toString())
                .audience(oAuth2TokenCallback.audience(tokenRequest));
        Intrinsics.checkNotNullExpressionValue(exchanged, "Builder(claimsSet)\n     …k.audience(tokenRequest))");
        // Callback claims go in last, so they win over both the inherited and the freshly set claims.
        JWTClaimsSet finalClaims = addClaims(exchanged, oAuth2TokenCallback.addClaims(tokenRequest)).build();
        Intrinsics.checkNotNullExpressionValue(finalClaims, "Builder(claimsSet)\n     …st))\n            .build()");
        String issuerId = HttpUrlExtensionsKt.issuerId(httpUrl);
        String typeHeader = oAuth2TokenCallback.typeHeader(tokenRequest);
        return sign(finalClaims, issuerId, typeHeader);
    }

    /**
     * Signs an arbitrary set of claims as a JWT with {@code typ} set to {@code JWT}.
     *
     * <p>Only {@code iat}, {@code nbf} and {@code exp} are set here. Issuer, subject, audience
     * and token id appear in the result only if {@code map} contains them.
     *
     * @param map the claims to include; applied after the time claims
     * @param duration the token lifetime, truncated to whole seconds
     * @param str the issuer id that selects the signing key
     * @return the signed JWT
     */
    @JvmOverloads
    @NotNull
    public final SignedJWT jwt(@NotNull Map<String, ? extends Object> map, @NotNull Duration duration, @NotNull String str) {
        Intrinsics.checkNotNullParameter(map, "claims");
        Intrinsics.checkNotNullParameter(duration, "expiry");
        Intrinsics.checkNotNullParameter(str, "issuerId");
        JWTClaimsSet.Builder claimsBuilder = new JWTClaimsSet.Builder();
        Instant issuedAt = Instant.now();
        claimsBuilder
                .issueTime(Date.from(issuedAt))
                .notBeforeTime(Date.from(issuedAt))
                .expirationTime(Date.from(issuedAt.plusSeconds(duration.toSeconds())));
        addClaims(claimsBuilder, map);
        JWTClaimsSet claims = claimsBuilder.build();
        Intrinsics.checkNotNullExpressionValue(claims, "Builder().let { builder …builder.build()\n        }");
        String jwtType = JOSEObjectType.JWT.getType();
        Intrinsics.checkNotNullExpressionValue(jwtType, "JWT.type");
        return sign(claims, str, jwtType);
    }

    /**
     * Default-argument bridge for {@link #jwt(Map, Duration, String)}: bit 1 of {@code i} set
     * means the expiry defaults to one hour, bit 2 set means the issuer id defaults to
     * {@code "default"}.
     */
    public static /* synthetic */ SignedJWT jwt$default(OAuth2TokenProvider oAuth2TokenProvider, Map map, Duration duration, String str, int i, Object obj) {
        if ((i & 2) != 0) {
            Duration oneHour = Duration.ofHours(1L);
            Intrinsics.checkNotNullExpressionValue(oneHour, "ofHours(1)");
            duration = oneHour;
        }
        String issuerId = (i & 4) != 0 ? "default" : str;
        return oAuth2TokenProvider.jwt(map, duration, issuerId);
    }

    /**
     * Signs a claims set with the issuer's key.
     *
     * <p>The algorithm and key type come from the {@code KeyProvider}. RSA keys are signed with
     * {@link RSASSASigner}, EC keys with {@link ECDSASigner}; in both cases the private key is
     * extracted from the JWK returned by {@code signingKey}.
     *
     * <p>Note: the exception message names only the algorithm, including the case where the
     * algorithm is supported and the key type is neither RSA nor EC.
     *
     * @param jWTClaimsSet the claims to sign
     * @param str the issuer id that selects the signing key
     * @param str2 the value of the {@code typ} header
     * @return the signed JWT
     * @throws OAuth2Exception if the algorithm is not supported or the key type is neither RSA nor EC
     */
    private final SignedJWT sign(JWTClaimsSet jWTClaimsSet, String str, String str2) {
        JWK key = this.keyProvider.signingKey(str);
        JWSAlgorithm alg = this.keyProvider.algorithm();
        String configuredKeyType = this.keyProvider.keyType();
        if (KeyGenerator.Companion.isSupported(alg)) {
            if (Intrinsics.areEqual(configuredKeyType, KeyType.RSA.getValue())) {
                SignedJWT rsaToken = unsignedJwt(key, str2, alg, jWTClaimsSet);
                rsaToken.sign(new RSASSASigner(key.toRSAKey().toPrivateKey()));
                return rsaToken;
            }
            if (Intrinsics.areEqual(configuredKeyType, KeyType.EC.getValue())) {
                SignedJWT ecToken = unsignedJwt(key, str2, alg, jWTClaimsSet);
                ecToken.sign(new ECDSASigner(key.toECKey().toECPrivateKey()));
                return ecToken;
            }
        }
        throw new OAuth2Exception("Unsupported algorithm: " + alg.getName());
    }

    /** Assembles the not-yet-signed JWT: a header carrying the key's id, the type and the algorithm, plus the claims. */
    private SignedJWT unsignedJwt(JWK key, String type, JWSAlgorithm alg, JWTClaimsSet claims) {
        String kid = key.getKeyID();
        Intrinsics.checkNotNullExpressionValue(kid, "key.keyID");
        return new SignedJWT(jwsHeader(kid, type, alg), claims);
    }

    /**
     * Builds the JWS header.
     *
     * @param str the key id for the {@code kid} header
     * @param str2 the value of the {@code typ} header
     * @param jWSAlgorithm the signing algorithm
     * @return the header
     */
    private final JWSHeader jwsHeader(String str, String str2, JWSAlgorithm jWSAlgorithm) {
        JWSHeader header = new JWSHeader.Builder(jWSAlgorithm)
                .keyID(str)
                .type(new JOSEObjectType(str2))
                .build();
        Intrinsics.checkNotNullExpressionValue(header, "Builder(algorithm)\n     …ObjectType(type)).build()");
        return header;
    }

    /**
     * Copies every entry of {@code map} into the builder as a claim and returns the same builder.
     * Entries are set by name, so an entry named like an already-set claim replaces it.
     */
    private final JWTClaimsSet.Builder addClaims(JWTClaimsSet.Builder builder, Map<String, ? extends Object> map) {
        map.forEach((claimName, claimValue) -> builder.claim(claimName, claimValue));
        return builder;
    }

    /** Default-argument bridge: bit 0 of {@code i} set means the claims map defaults to an empty map. */
    static /* synthetic */ JWTClaimsSet.Builder addClaims$default(OAuth2TokenProvider oAuth2TokenProvider, JWTClaimsSet.Builder builder, Map map, int i, Object obj) {
        Map claims = (i & 1) != 0 ? MapsKt.emptyMap() : map;
        return oAuth2TokenProvider.addClaims(builder, claims);
    }

    /**
     * Builds the standard claims shared by ID tokens and access tokens.
     *
     * <p>Sets {@code sub}, {@code aud}, {@code iss}, {@code iat}, {@code nbf}, {@code exp} and a
     * random-UUID {@code jti}, then {@code nonce} when one is given, then the additional claims.
     *
     * @param httpUrl the issuer URL; its string form becomes {@code iss}
     * @param str the subject
     * @param list the audience
     * @param str2 the nonce, or {@code null} to leave the claim out
     * @param map additional claims, applied last
     * @param j the lifetime in seconds, added to the current time to form {@code exp}
     * @return the assembled claims set
     */
    private final JWTClaimsSet defaultClaims(HttpUrl httpUrl, String str, List<String> list, String str2, Map<String, ? extends Object> map, long j) {
        JWTClaimsSet.Builder claimsBuilder = new JWTClaimsSet.Builder();
        Instant issuedAt = Instant.now();
        claimsBuilder
                .subject(str)
                .audience(list)
                .issuer(httpUrl.toString())
                .issueTime(Date.from(issuedAt))
                .notBeforeTime(Date.from(issuedAt))
                .expirationTime(Date.from(issuedAt.plusSeconds(j)))
                .jwtID(UUID.randomUUID().toString());
        if (str2 != null) {
            claimsBuilder.claim("nonce", str2);
        }
        addClaims(claimsBuilder, map);
        return claimsBuilder.build();
    }

    /** Creates a provider backed by a default-constructed {@code KeyProvider}. */
    @JvmOverloads
    public OAuth2TokenProvider() {
        this(null, 1, null);
    }

    /** Returns the public JWK set for the {@code "default"} issuer id. */
    @JvmOverloads
    @NotNull
    public final JWKSet publicJwkSet() {
        return publicJwkSet$default(this, null, 1, null);
    }

    /**
     * Signs {@code map} as a JWT with the given lifetime, using the {@code "default"} issuer id.
     *
     * @param map the claims to include
     * @param duration the token lifetime
     * @return the signed JWT
     */
    @JvmOverloads
    @NotNull
    public final SignedJWT jwt(@NotNull Map<String, ? extends Object> map, @NotNull Duration duration) {
        Intrinsics.checkNotNullParameter(map, "claims");
        Intrinsics.checkNotNullParameter(duration, "expiry");
        return jwt$default(this, map, duration, null, 4, null);
    }

    /**
     * Signs {@code map} as a JWT with a one-hour lifetime, using the {@code "default"} issuer id.
     *
     * @param map the claims to include
     * @return the signed JWT
     */
    @JvmOverloads
    @NotNull
    public final SignedJWT jwt(@NotNull Map<String, ? extends Object> map) {
        Intrinsics.checkNotNullParameter(map, "claims");
        return jwt$default(this, map, null, null, 6, null);
    }
}
