package no.nav.security.token.support.core.validation;

import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.util.ResourceRetriever;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.id.Issuer;
import com.nimbusds.openid.connect.sdk.Nonce;
import com.nimbusds.openid.connect.sdk.validators.IDTokenValidator;
import java.net.URL;
import java.text.ParseException;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import no.nav.security.token.support.core.exceptions.JwtTokenValidatorException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:no/nav/security/token/support/core/validation/DefaultJwtTokenValidator.class */
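/**
 * {@link JwtTokenValidator} that checks a JWT against one issuer and a configured list of accepted
 * audiences.
 *
 * <p>At construction time one Nimbus {@link IDTokenValidator} is created per accepted audience, each
 * built with the same issuer, JWK set URL, resource retriever and the expected JWS algorithm
 * {@code RS256}. A token is handed to the validator registered for the first of its {@code aud}
 * values that is configured here; a token whose audiences match none of them is rejected.
 */
public class DefaultJwtTokenValidator implements JwtTokenValidator {
    private static final Logger LOG = LoggerFactory.getLogger(DefaultJwtTokenValidator.class);
    // Expected signature algorithm, fixed here and passed to every validator rather than being
    // taken from the token under validation.
    private static final JWSAlgorithm JWSALG = JWSAlgorithm.RS256;
    // Accepted audience -> validator configured with that audience as its client id.
    private final Map<String, IDTokenValidator> audienceValidatorMap;

    /**
     * Creates the validator and eagerly builds one {@link IDTokenValidator} per accepted audience.
     *
     * <p>NOTE(review): construction calls the overridable {@link #createValidator}, so a subclass
     * override runs before the subclass's own fields are initialised.
     *
     * @param str expected issuer of the tokens
     * @param list accepted audiences; must contain at least one entry
     * @param url JWK set URL handed to each {@link IDTokenValidator}
     * @param resourceRetriever retriever handed to each {@link IDTokenValidator}
     * @throws IllegalArgumentException if {@code list} is {@code null} or empty
     */
    public DefaultJwtTokenValidator(String str, List<String> list, URL url, ResourceRetriever resourceRetriever) {
        this.audienceValidatorMap = initializeMap(str, list, url, resourceRetriever);
    }

    /**
     * Validates the token without a nonce check.
     *
     * @param str serialized JWT
     * @throws JwtTokenValidatorException if the token cannot be parsed or does not validate
     */
    @Override
    public void assertValidToken(String str) throws JwtTokenValidatorException {
        assertValidToken(str, null);
    }

    /**
     * Parses the token, selects the validator for its audience and validates it.
     *
     * <p>Parsing, validator lookup and validation failures are all reported as
     * {@link JwtTokenValidatorException}; {@code Throwable} is caught, so runtime exceptions and JVM
     * errors raised on the way are wrapped as the cause as well.
     *
     * <p>The expiry date attached to the exception is read from the token as it was received. When
     * validation failed that value has not been authenticated, so it is suitable for diagnostics
     * only.
     *
     * @param str serialized JWT
     * @param str2 expected nonce, or {@code null} to validate without a nonce
     * @throws JwtTokenValidatorException if the token cannot be parsed or does not validate
     */
    public void assertValidToken(String str, String str2) throws JwtTokenValidatorException {
        JWT jwt = null;
        try {
            jwt = JWTParser.parse(str);
            Nonce expectedNonce = str2 != null ? new Nonce(str2) : null;
            get(jwt).validate(jwt, expectedNonce);
        } catch (Throwable th) {
            throw new JwtTokenValidatorException("Token validation failed", expiryDate(jwt), th);
        }
    }

    /**
     * Returns the validator registered for the first audience of the token that is configured.
     *
     * <p>This lookup runs before the token has been validated, so the audience values are still
     * unauthenticated input: they only choose which validator is applied, and on a miss they are
     * written to the log as received. The log output format should neutralise control characters
     * in them.
     *
     * <p>A token whose claims set is unavailable makes this method fail with a
     * {@code NullPointerException}; {@link #assertValidToken(String, String)} converts that into a
     * {@link JwtTokenValidatorException}.
     *
     * @param jwt parsed token
     * @return the validator for the first matching audience
     * @throws ParseException if the claims of the token cannot be parsed
     * @throws JwtTokenValidatorException if none of the token's audiences is configured
     */
    protected IDTokenValidator get(JWT jwt) throws ParseException, JwtTokenValidatorException {
        List<String> audience = jwt.getJWTClaimsSet().getAudience();
        for (String candidate : audience) {
            if (this.audienceValidatorMap.containsKey(candidate)) {
                return this.audienceValidatorMap.get(candidate);
            }
        }
        LOG.warn("Could not find validator for token audience {}", audience);
        throw new JwtTokenValidatorException("Could not find appropriate validator to validate token. check your config.");
    }

    /**
     * Builds the validator for one accepted audience.
     *
     * @param str expected issuer
     * @param str2 accepted audience, used as the validator's client id
     * @param url JWK set URL
     * @param resourceRetriever retriever passed through to the validator
     * @return a validator expecting {@code RS256}-signed tokens
     */
    protected IDTokenValidator createValidator(String str, String str2, URL url, ResourceRetriever resourceRetriever) {
        return new IDTokenValidator(new Issuer(str), new ClientID(str2), JWSALG, url, resourceRetriever);
    }

    /**
     * Best-effort read of the {@code exp} claim for error reporting; never throws.
     *
     * <p>This runs inside the catch handler of {@link #assertValidToken(String, String)}, so an
     * exception escaping from here would replace the {@link JwtTokenValidatorException} callers
     * expect. {@code getJWTClaimsSet()} can return {@code null} when the claims are unavailable
     * (for example an encrypted JWT that has not been decrypted), hence the explicit check.
     *
     * @param jwt parsed token, or {@code null} if parsing failed
     * @return the expiration time, or {@code null} if it cannot be determined
     */
    private static Date expiryDate(JWT jwt) {
        if (jwt == null) {
            return null;
        }
        try {
            if (jwt.getJWTClaimsSet() == null) {
                return null;
            }
            return jwt.getJWTClaimsSet().getExpirationTime();
        } catch (ParseException e) {
            return null;
        }
    }

    /**
     * Builds the audience-to-validator map used by {@link #get(JWT)}.
     *
     * @throws IllegalArgumentException if no accepted audience is configured
     */
    private Map<String, IDTokenValidator> initializeMap(String issuer, List<String> acceptedAudience, URL url, ResourceRetriever resourceRetriever) {
        // Refuse to start without an audience restriction instead of ending up with an empty map.
        if (acceptedAudience == null || acceptedAudience.isEmpty()) {
            throw new IllegalArgumentException("Accepted audience cannot be null or empty in validator config.");
        }
        Map<String, IDTokenValidator> validators = new HashMap<>();
        for (String audience : acceptedAudience) {
            validators.put(audience, createValidator(issuer, audience, url, resourceRetriever));
        }
        return validators;
    }
}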
