package no.nav.security.mock.oauth2.extensions;

import com.nimbusds.jose.JOSEObjectType;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
import com.nimbusds.jose.proc.DefaultJOSEObjectTypeVerifier;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.jwt.proc.ConfigurableJWTProcessor;
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import com.nimbusds.oauth2.sdk.AuthorizationCode;
import com.nimbusds.oauth2.sdk.AuthorizationCodeGrant;
import com.nimbusds.oauth2.sdk.AuthorizationGrant;
import com.nimbusds.oauth2.sdk.GrantType;
import com.nimbusds.oauth2.sdk.OAuth2Error;
import com.nimbusds.oauth2.sdk.Scope;
import com.nimbusds.oauth2.sdk.TokenRequest;
import com.nimbusds.oauth2.sdk.auth.ClientAuthentication;
import com.nimbusds.oauth2.sdk.auth.PrivateKeyJWT;
import com.nimbusds.oauth2.sdk.http.HTTPRequest;
import com.nimbusds.oauth2.sdk.id.Issuer;
import com.nimbusds.oauth2.sdk.pkce.CodeChallenge;
import com.nimbusds.oauth2.sdk.pkce.CodeVerifier;
import com.nimbusds.openid.connect.sdk.AuthenticationRequest;
import com.nimbusds.openid.connect.sdk.OIDCScopeValue;
import com.nimbusds.openid.connect.sdk.Prompt;
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import kotlin.KotlinNothingValueException;
import kotlin.Metadata;
import kotlin.Unit;
import kotlin.collections.CollectionsKt;
import kotlin.jvm.internal.Intrinsics;
import kotlin.jvm.internal.SourceDebugExtension;
import mu.KLogger;
import mu.KotlinLogging;
import no.nav.security.mock.oauth2.OAuth2Exception;
import no.nav.security.mock.oauth2.OAuth2ExceptionKt;
import no.nav.security.mock.oauth2.grant.TokenExchangeGrant;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;

/* compiled from: NimbusExtensions.kt */
@Metadata(mv = {2, 0, 0}, k = 2, xi = 48, d1 = {"��\u0086\u0001\n��\n\u0002\u0018\u0002\n��\n\u0002\u0010\u000b\n\u0002\u0018\u0002\n��\n\u0002\u0010\u0002\n��\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n��\n\u0002\u0010 \n\u0002\u0010\u000e\n\u0002\b\u0002\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n\u0002\b\u0003\n\u0002\u0010\b\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0010\t\n��\u001a\n\u0010\u0002\u001a\u00020\u0003*\u00020\u0004\u001a\u0012\u0010\u0005\u001a\u00020\u0006*\u00020\u00042\u0006\u0010\u0007\u001a\u00020\b\u001a\n\u0010\t\u001a\u00020\n*\u00020\b\u001a\u0018\u0010\u000b\u001a\u0010\u0012\f\u0012\n \u000e*\u0004\u0018\u00010\r0\r0\f*\u00020\b\u001a\f\u0010\u000f\u001a\u0004\u0018\u00010\u0010*\u00020\b\u001a\n\u0010\u0011\u001a\u00020\u0012*\u00020\b\u001a,\u0010\u0013\u001a\u0002H\u0014\"\n\b��\u0010\u0014\u0018\u0001*\u00020\u0015*\u00020\b2\f\u0010\u0016\u001a\b\u0012\u0004\u0012\u0002H\u00140\u0017H\u0086\b¢\u0006\u0002\u0010\u0018\u001a\n\u0010\u0019\u001a\u00020\r*\u00020\b\u001a\n\u0010\u001a\u001a\u00020\u001b*\u00020\u001c\u001a$\u0010\u001d\u001a\u00020\u001e*\u00020\u001c2\u0006\u0010\u001f\u001a\u00020 2\u0006\u0010!\u001a\u00020\"2\b\b\u0002\u0010#\u001a\u00020$\u001a\n\u0010%\u001a\u00020&*\u00020'\u001a\u001a\u0010(\u001a\u00020)*\u00020&2\u0006\u0010*\u001a\u00020\r2\u0006\u0010+\u001a\u00020,\"\u000e\u0010��\u001a\u00020\u0001X\u0082\u0004¢\u0006\u0002\n��¨\u0006-"}, d2 = {"log", "Lmu/KLogger;", "isPrompt", "", "Lcom/nimbusds/openid/connect/sdk/AuthenticationRequest;", "verifyPkce", "", "tokenRequest", "Lcom/nimbusds/oauth2/sdk/TokenRequest;", "grantType", "Lcom/nimbusds/oauth2/sdk/GrantType;", "scopesWithoutOidcScopes", "", "", "kotlin.jvm.PlatformType", "tokenExchangeGrantOrNull", 
"Lno/nav/security/mock/oauth2/grant/TokenExchangeGrant;", "authorizationCode", "Lcom/nimbusds/oauth2/sdk/AuthorizationCode;", "grant", "T", "Lcom/nimbusds/oauth2/sdk/AuthorizationGrant;", "type", "Ljava/lang/Class;", "(Lcom/nimbusds/oauth2/sdk/TokenRequest;Ljava/lang/Class;)Lcom/nimbusds/oauth2/sdk/AuthorizationGrant;", "clientIdAsString", "expiresIn", "", "Lcom/nimbusds/jwt/SignedJWT;", "verifySignatureAndIssuer", "Lcom/nimbusds/jwt/JWTClaimsSet;", "issuer", "Lcom/nimbusds/oauth2/sdk/id/Issuer;", "jwkSet", "Lcom/nimbusds/jose/jwk/JWKSet;", "jwsAlgorithm", "Lcom/nimbusds/jose/JWSAlgorithm;", "clientAuthentication", "Lcom/nimbusds/oauth2/sdk/auth/ClientAuthentication;", "Lcom/nimbusds/oauth2/sdk/http/HTTPRequest;", "requirePrivateKeyJwt", "Lcom/nimbusds/oauth2/sdk/auth/PrivateKeyJWT;", "requiredAudience", "maxLifetimeSeconds", "", "mock-oauth2-server"})
@SourceDebugExtension({"SMAP\nNimbusExtensions.kt\nKotlin\n*S Kotlin\n*F\n+ 1 NimbusExtensions.kt\nno/nav/security/mock/oauth2/extensions/NimbusExtensionsKt\n+ 2 _Collections.kt\nkotlin/collections/CollectionsKt___CollectionsKt\n+ 3 _Arrays.kt\nkotlin/collections/ArraysKt___ArraysKt\n+ 4 fake.kt\nkotlin/jvm/internal/FakeKt\n*L\n1#1,126:1\n75#1,2:130\n1755#2,3:127\n827#2:132\n855#2:133\n856#2:138\n11102#3:134\n11437#3,3:135\n1#4:139\n*S KotlinDebug\n*F\n+ 1 NimbusExtensions.kt\nno/nav/security/mock/oauth2/extensions/NimbusExtensionsKt\n*L\n46#1:130,2\n41#1:127,3\n62#1:132\n62#1:133\n62#1:138\n63#1:134\n63#1:135,3\n*E\n"})
/* loaded from: input_file:no/nav/security/mock/oauth2/extensions/NimbusExtensionsKt.class */
public final class NimbusExtensionsKt {

    // Logger shared by the functions in this file; the only use visible here is the debug message in verifyPkce.
    // log$lambda$0 is the compiler-generated lambda handed to the KotlinLogging factory.
    @NotNull
    private static final KLogger log = KotlinLogging.INSTANCE.logger(NimbusExtensionsKt::log$lambda$0);

    /**
     * Reports whether the authentication request carries a {@code prompt} value that asks for
     * user interaction.
     *
     * @param authenticationRequest the OIDC authentication request (Kotlin receiver, must not be null)
     * @return {@code true} if the prompt contains {@code LOGIN}, {@code CONSENT} or {@code SELECT_ACCOUNT};
     *         {@code false} if the prompt is absent, empty, or holds only other values
     */
    public static final boolean isPrompt(@NotNull AuthenticationRequest authenticationRequest) {
        Intrinsics.checkNotNullParameter(authenticationRequest, "<this>");
        Iterable<Prompt.Type> requestedPrompts = authenticationRequest.getPrompt();
        if (requestedPrompts == null) {
            return false;
        }
        // An empty prompt simply falls through the loop and yields false.
        for (Prompt.Type candidate : requestedPrompts) {
            boolean interactive = candidate == Prompt.Type.LOGIN
                    || candidate == Prompt.Type.CONSENT
                    || candidate == Prompt.Type.SELECT_ACCOUNT;
            if (interactive) {
                return true;
            }
        }
        return false;
    }

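    /**
     * Checks the PKCE {@code code_verifier} of a token request against the {@code code_challenge}
     * stored with the original authentication request.
     *
     * <p>The verification is lenient: when the token request carries no {@code code_verifier} the
     * check is skipped and only a debug message is logged, even if the authentication request
     * contained a {@code code_challenge}. This class lives in a mock server package; an
     * authorization server that must enforce PKCE cannot copy this behaviour, because it lets a
     * client that omits the verifier redeem a code that was bound to a challenge.
     *
     * @param authenticationRequest the request that started the authorization code flow (Kotlin receiver)
     * @param tokenRequest the token request redeeming the authorization code
     * @throws OAuth2Exception with {@code invalid_grant} if the grant is not an authorization code
     *         grant, or if the verifier does not compute to the stored challenge
     */
    public static final void verifyPkce(@NotNull AuthenticationRequest authenticationRequest, @NotNull TokenRequest tokenRequest) {
        Intrinsics.checkNotNullParameter(authenticationRequest, "<this>");
        Intrinsics.checkNotNullParameter(tokenRequest, "tokenRequest");
        AuthorizationGrant authorizationGrant = tokenRequest.getAuthorizationGrant();
        // The decompiler emitted an uncompilable double cast here; a plain instanceof guard
        // rejects both a missing grant and a grant of any other type.
        if (!(authorizationGrant instanceof AuthorizationCodeGrant)) {
            throw new OAuth2Exception(OAuth2Error.INVALID_GRANT, "expected grant of type " + AuthorizationCodeGrant.class);
        }
        CodeVerifier codeVerifier = ((AuthorizationCodeGrant) authorizationGrant).getCodeVerifier();
        if (codeVerifier == null) {
            // Deliberately permissive: no verifier means no comparison at all.
            log.debug("no code_verifier found in token request, nothing to compare");
            return;
        }
        // NOTE(review): if the authentication request had no code_challenge_method, the method passed
        // to compute() is null; how compute() reacts is not visible in this file - confirm.
        CodeChallenge expectedChallenge = authenticationRequest.getCodeChallenge();
        CodeChallenge computedChallenge = CodeChallenge.compute(authenticationRequest.getCodeChallengeMethod(), codeVerifier);
        if (!Intrinsics.areEqual(computedChallenge, expectedChallenge)) {
            throw new OAuth2Exception(OAuth2Error.INVALID_GRANT.setDescription("invalid_pkce: code_verifier does not compute to code_challenge from request"), "invalid_pkce: code_verifier does not compute to code_challenge from request");
        }
    }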

    /**
     * Returns the grant type of the token request.
     *
     * @param tokenRequest the token request (Kotlin receiver, must not be null)
     * @return the type reported by the request's authorization grant
     * @throws OAuth2Exception with {@code invalid_request} if the request has no grant or the
     *         grant reports no type
     */
    @NotNull
    public static final GrantType grantType(@NotNull TokenRequest tokenRequest) {
        Intrinsics.checkNotNullParameter(tokenRequest, "<this>");
        AuthorizationGrant grant = tokenRequest.getAuthorizationGrant();
        GrantType resolvedType = grant == null ? null : grant.getType();
        if (resolvedType == null) {
            throw new OAuth2Exception(OAuth2Error.INVALID_REQUEST, "missing required parameter grant_type");
        }
        return resolvedType;
    }

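    /**
     * Returns the scopes of the token request with the standard OIDC scope values removed.
     *
     * <p>Filtering is an exact string comparison against {@code OIDCScopeValue.values()}; the order
     * of the remaining scopes is preserved.
     *
     * @param tokenRequest the token request (Kotlin receiver, must not be null)
     * @return the non-OIDC scopes, or an empty list when the request has no scope
     */
    @NotNull
    public static final List<String> scopesWithoutOidcScopes(@NotNull TokenRequest tokenRequest) {
        Intrinsics.checkNotNullParameter(tokenRequest, "<this>");
        Scope scope = tokenRequest.getScope();
        List<String> requestedScopes = scope == null ? null : scope.toStringList();
        if (requestedScopes == null) {
            return CollectionsKt.emptyList();
        }
        // Build the OIDC scope names once; the decompiled original rebuilt this list for every
        // requested scope.
        Collection<String> oidcScopeNames = new HashSet<>();
        for (OIDCScopeValue oidcScope : OIDCScopeValue.values()) {
            oidcScopeNames.add(oidcScope.toString());
        }
        List<String> remaining = new ArrayList<>();
        for (String requested : requestedScopes) {
            if (!oidcScopeNames.contains(requested)) {
                remaining.add(requested);
            }
        }
        return remaining;
    }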

    /**
     * Returns the request's grant as a {@link TokenExchangeGrant}, or {@code null} when the grant
     * is missing or of another type.
     *
     * @param tokenRequest the token request (Kotlin receiver, must not be null)
     * @return the token exchange grant, or {@code null}
     */
    @Nullable
    public static final TokenExchangeGrant tokenExchangeGrantOrNull(@NotNull TokenRequest tokenRequest) {
        Intrinsics.checkNotNullParameter(tokenRequest, "<this>");
        AuthorizationGrant candidate = tokenRequest.getAuthorizationGrant();
        return candidate instanceof TokenExchangeGrant ? (TokenExchangeGrant) candidate : null;
    }

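    /**
     * Extracts the authorization code from a token request.
     *
     * @param tokenRequest the token request (Kotlin receiver, must not be null)
     * @return the authorization code carried by the request's authorization code grant
     * @throws OAuth2Exception with {@code invalid_grant} if the grant is missing, is not an
     *         authorization code grant, or carries no code
     */
    @NotNull
    public static final AuthorizationCode authorizationCode(@NotNull TokenRequest tokenRequest) {
        Intrinsics.checkNotNullParameter(tokenRequest, "<this>");
        // The decompiler typed this local as AuthorizationCodeGrant, which does not compile;
        // keep the declared type and narrow it with an explicit check.
        AuthorizationGrant authorizationGrant = tokenRequest.getAuthorizationGrant();
        if (authorizationGrant instanceof AuthorizationCodeGrant) {
            AuthorizationCode authorizationCode = ((AuthorizationCodeGrant) authorizationGrant).getAuthorizationCode();
            if (authorizationCode != null) {
                return authorizationCode;
            }
        }
        throw new OAuth2Exception(OAuth2Error.INVALID_GRANT, "code cannot be null");
    }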

    /**
     * Decompiled stub of a Kotlin function with a reified type parameter: returns the request's
     * authorization grant as {@code T}, or throws {@code invalid_grant} naming the expected type.
     *
     * <p>As rendered here the body rejects only a {@code null} grant; no {@code instanceof} check
     * against {@code cls} remains, so the cast is unchecked.
     * NOTE(review): verifyPkce in this file holds what looks like the inlined form of this
     * function, and that copy does test the grant's type - do not rely on this stub for type
     * validation when calling it from Java; confirm against the Kotlin source.
     *
     * @param tokenRequest the token request (Kotlin receiver)
     * @param cls the expected grant class, used in the error message
     * @return the authorization grant, cast to {@code T}
     * @throws OAuth2Exception with {@code invalid_grant} if the request has no grant
     */
    public static final /* synthetic */ <T extends AuthorizationGrant> T grant(TokenRequest tokenRequest, Class<T> cls) {
        Intrinsics.checkNotNullParameter(tokenRequest, "<this>");
        Intrinsics.checkNotNullParameter(cls, "type");
        AuthorizationGrant authorizationGrant = tokenRequest.getAuthorizationGrant();
        // Marker call left by the Kotlin compiler for the reified type parameter T;
        // presumably replaced by a real type test at each inlined call site - confirm.
        Intrinsics.reifiedOperationMarker(2, "T");
        AuthorizationGrant authorizationGrant2 = authorizationGrant;
        if (authorizationGrant2 != null) {
            // Unchecked cast: nothing above compares the grant with cls.
            return (T) authorizationGrant2;
        }
        throw new OAuth2Exception(OAuth2Error.INVALID_GRANT, "expected grant of type " + cls);
    }

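    /**
     * Returns the client id of a token request as a string.
     *
     * <p>Reconstructed from the decompiler's instruction dump, which the tool could not turn back
     * into Java. The id taken from the request's client authentication wins; the plain
     * {@code client_id} of the request is used only when the authentication, its client id or that
     * id's value is absent.
     *
     * @param tokenRequest the token request (Kotlin receiver, must not be null)
     * @return the client id value
     * @throws OAuth2Exception with {@code invalid_client} if neither source yields a client id
     */
    @NotNull
    public static final String clientIdAsString(@NotNull TokenRequest tokenRequest) {
        Intrinsics.checkNotNullParameter(tokenRequest, "<this>");
        // First choice: the id bound to the credentials the client presented.
        ClientAuthentication authentication = tokenRequest.getClientAuthentication();
        if (authentication != null) {
            com.nimbusds.oauth2.sdk.id.ClientID authenticatedId = authentication.getClientID();
            if (authenticatedId != null) {
                String authenticatedValue = authenticatedId.getValue();
                if (authenticatedValue != null) {
                    return authenticatedValue;
                }
            }
        }
        // Fallback: the client id stated on the request itself.
        com.nimbusds.oauth2.sdk.id.ClientID requestId = tokenRequest.getClientID();
        String requestValue = requestId != null ? requestId.getValue() : null;
        if (requestValue != null) {
            return requestValue;
        }
        throw new OAuth2Exception(OAuth2Error.INVALID_CLIENT, "client_id cannot be null");
    }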

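    /**
     * Returns the number of seconds from now until the token's {@code exp} claim; negative when
     * the token has already expired.
     *
     * <p>The value is saturated to the {@code int} range. The decompiled original narrowed the
     * {@code long} with a plain cast, so an expiry far enough in the future wrapped around to a
     * negative number and slipped under the maximum-lifetime comparison in requirePrivateKeyJwt.
     *
     * <p>NOTE(review): a token without an {@code exp} claim presumably makes
     * {@code getExpirationTime()} return null and this method fail with a NullPointerException -
     * confirm, and decide whether callers should see an OAuth2 error instead.
     *
     * @param signedJWT the token to inspect (Kotlin receiver, must not be null)
     * @return seconds until expiry, clamped to {@code Integer.MIN_VALUE..Integer.MAX_VALUE}
     */
    public static final int expiresIn(@NotNull SignedJWT signedJWT) {
        Intrinsics.checkNotNullParameter(signedJWT, "<this>");
        long secondsUntilExpiry = Duration.between(Instant.now(), signedJWT.getJWTClaimsSet().getExpirationTime().toInstant()).getSeconds();
        // Clamp instead of truncating so out-of-range lifetimes keep their sign.
        return (int) Math.max(Integer.MIN_VALUE, Math.min(Integer.MAX_VALUE, secondsUntilExpiry));
    }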

    /**
     * Verifies a signed JWT against a key set and an expected issuer and returns its claims.
     *
     * <p>What the processor is configured to enforce:
     * <ul>
     *   <li>the {@code typ} header must be in the allowed set, which holds only {@code JWT};</li>
     *   <li>verification keys come only from {@code jWKSet}, selected for {@code jWSAlgorithm};</li>
     *   <li>{@code iss} must match {@code issuer} exactly, and {@code sub}, {@code iat} and
     *       {@code exp} must be present.</li>
     * </ul>
     * No audience is configured, so {@code aud} is not restricted here; callers that need an
     * audience check must perform it themselves.
     *
     * @param signedJWT the token to verify (Kotlin receiver)
     * @param issuer the issuer the token must name
     * @param jWKSet the keys trusted for signature verification
     * @param jWSAlgorithm the signature algorithm accepted for key selection
     * @return the verified claims set
     */
    @NotNull
    public static final JWTClaimsSet verifySignatureAndIssuer(@NotNull SignedJWT signedJWT, @NotNull Issuer issuer, @NotNull JWKSet jWKSet, @NotNull JWSAlgorithm jWSAlgorithm) {
        Intrinsics.checkNotNullParameter(signedJWT, "<this>");
        Intrinsics.checkNotNullParameter(issuer, "issuer");
        Intrinsics.checkNotNullParameter(jWKSet, "jwkSet");
        Intrinsics.checkNotNullParameter(jWSAlgorithm, "jwsAlgorithm");

        ConfigurableJWTProcessor<SecurityContext> processor = new DefaultJWTProcessor<>();

        // Header check: accepted object types.
        JOSEObjectType[] allowedTypes = new JOSEObjectType[]{new JOSEObjectType("JWT")};
        processor.setJWSTypeVerifier(new DefaultJOSEObjectTypeVerifier<>(allowedTypes));

        // Signature check: keys limited to the supplied set and the expected algorithm.
        processor.setJWSKeySelector(new JWSVerificationKeySelector<>(jWSAlgorithm, new ImmutableJWKSet<>(jWKSet)));

        // Claims check: exact issuer match plus the claims that must be present.
        JWTClaimsSet exactMatchClaims = new JWTClaimsSet.Builder().issuer(issuer.toString()).build();
        HashSet<String> requiredClaims = new HashSet<>(CollectionsKt.listOf(new String[]{"sub", "iat", "exp"}));
        processor.setJWTClaimsSetVerifier(new DefaultJWTClaimsVerifier<>(exactMatchClaims, requiredClaims));

        JWTClaimsSet verifiedClaims = processor.process(signedJWT, (SecurityContext) null);
        Intrinsics.checkNotNullExpressionValue(verifiedClaims, "process(...)");
        return verifiedClaims;
    }

    /**
     * Compiler-generated bridge for the Kotlin default argument of verifySignatureAndIssuer:
     * when bit 4 of the mask {@code i} is set, the algorithm argument was omitted by the caller
     * and {@code RS256} is used in its place.
     *
     * @param i bit mask of omitted arguments
     * @param obj unused marker parameter
     * @return the verified claims set
     */
    public static /* synthetic */ JWTClaimsSet verifySignatureAndIssuer$default(SignedJWT signedJWT, Issuer issuer, JWKSet jWKSet, JWSAlgorithm jWSAlgorithm, int i, Object obj) {
        boolean algorithmOmitted = (i & 4) != 0;
        JWSAlgorithm effectiveAlgorithm = algorithmOmitted ? JWSAlgorithm.RS256 : jWSAlgorithm;
        return verifySignatureAndIssuer(signedJWT, issuer, jWKSet, effectiveAlgorithm);
    }

    /**
     * Parses the client authentication from an HTTP request and insists that one is present.
     *
     * @param hTTPRequest the incoming request (Kotlin receiver, must not be null)
     * @return the parsed client authentication
     * @throws OAuth2Exception with {@code invalid_request} if parsing yields no client authentication
     */
    @NotNull
    public static final ClientAuthentication clientAuthentication(@NotNull HTTPRequest hTTPRequest) {
        Intrinsics.checkNotNullParameter(hTTPRequest, "<this>");
        ClientAuthentication parsed = ClientAuthentication.parse(hTTPRequest);
        if (parsed != null) {
            return parsed;
        }
        throw new OAuth2Exception(OAuth2Error.INVALID_REQUEST, "request must contain some form of ClientAuthentication.");
    }

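    /**
     * Requires the client authentication to be a {@code private_key_jwt} whose assertion expires
     * within the allowed lifetime and names the required audience.
     *
     * <p>Only those two properties are checked here. Nothing in this function verifies the
     * assertion's signature, issuer or subject, and an assertion that has already expired yields
     * a negative remaining lifetime and passes the lifetime comparison; those checks have to be
     * made elsewhere (this file offers verifySignatureAndIssuer for signature and issuer).
     *
     * @param clientAuthentication the parsed client authentication (Kotlin receiver)
     * @param str the audience value the assertion must contain ({@code requiredAudience})
     * @param j the maximum remaining lifetime in seconds ({@code maxLifetimeSeconds})
     * @return the client authentication as a {@link PrivateKeyJWT}
     * @throws OAuth2Exception with {@code invalid_request} if the authentication is not a
     *         {@code private_key_jwt}; the lifetime and audience failures are raised through
     *         {@code OAuth2ExceptionKt.invalidRequest}
     */
    @NotNull
    public static final PrivateKeyJWT requirePrivateKeyJwt(@NotNull ClientAuthentication clientAuthentication, @NotNull String str, long j) {
        Intrinsics.checkNotNullParameter(clientAuthentication, "<this>");
        Intrinsics.checkNotNullParameter(str, "requiredAudience");
        if (!(clientAuthentication instanceof PrivateKeyJWT)) {
            throw new OAuth2Exception(OAuth2Error.INVALID_REQUEST, "request must contain a valid client_assertion.");
        }
        PrivateKeyJWT privateKeyJWT = (PrivateKeyJWT) clientAuthentication;
        // The decompiler lost this local and left a dangling register name in the expiresIn call.
        SignedJWT clientAssertion = privateKeyJWT.getClientAssertion();
        Intrinsics.checkNotNullExpressionValue(clientAssertion, "getClientAssertion(...)");
        if (expiresIn(clientAssertion) > j) {
            OAuth2ExceptionKt.invalidRequest("invalid client_assertion: client_assertion expiry is too long( should be < " + j + ")");
            // invalidRequest always throws; this line only satisfies the compiler.
            throw new KotlinNothingValueException();
        }
        if (clientAssertion.getJWTClaimsSet().getAudience().contains(str)) {
            return privateKeyJWT;
        }
        OAuth2ExceptionKt.invalidRequest("invalid client_assertion: client_assertion must contain required audience '" + str + "'");
        throw new KotlinNothingValueException();
    }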

    // Compiler-generated body of the lambda passed to KotlinLogging when the log field is
    // initialised; it does nothing and returns Unit.
    private static final Unit log$lambda$0() {
        return Unit.INSTANCE;
    }
}
