package org.forgerock.openam.sso.providers.stateless;

import com.iplanet.dpro.session.share.SessionInfo;
import java.security.Key;
import java.util.Map;
import java.util.TreeMap;
import javax.annotation.Nonnull;
import javax.annotation.concurrent.Immutable;
import org.forgerock.openam.sdk.com.fasterxml.jackson.annotation.JsonInclude;
import org.forgerock.openam.sdk.com.fasterxml.jackson.core.type.TypeReference;
import org.forgerock.openam.sdk.com.fasterxml.jackson.databind.ObjectMapper;
import org.forgerock.openam.sdk.com.fasterxml.jackson.databind.SerializationFeature;
import org.forgerock.openam.sdk.org.forgerock.json.jose.builders.EncryptedJwtBuilder;
import org.forgerock.openam.sdk.org.forgerock.json.jose.builders.JwtBuilderFactory;
import org.forgerock.openam.sdk.org.forgerock.json.jose.exceptions.JwtRuntimeException;
import org.forgerock.openam.sdk.org.forgerock.json.jose.jwe.CompressionAlgorithm;
import org.forgerock.openam.sdk.org.forgerock.json.jose.jwe.EncryptedJwt;
import org.forgerock.openam.sdk.org.forgerock.json.jose.jwe.EncryptionMethod;
import org.forgerock.openam.sdk.org.forgerock.json.jose.jwe.JweAlgorithm;
import org.forgerock.openam.sdk.org.forgerock.json.jose.jws.EncryptedThenSignedJwt;
import org.forgerock.openam.sdk.org.forgerock.json.jose.jws.JwsAlgorithm;
import org.forgerock.openam.sdk.org.forgerock.json.jose.jws.SignedJwt;
import org.forgerock.openam.sdk.org.forgerock.json.jose.jws.handlers.SigningHandler;
import org.forgerock.openam.sdk.org.forgerock.json.jose.jwt.JwtClaimsSet;
import org.forgerock.openam.sdk.org.forgerock.util.Reject;
import org.forgerock.openam.sdk.org.forgerock.util.annotations.VisibleForTesting;

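/**
 * Converts between {@link SessionInfo} objects and their JWT string form, using the signing,
 * encryption and compression settings copied from a {@link JwtSessionMapperBuilder}.
 *
 * <p>Three token shapes are produced and consumed, selected by configuration:
 * <ul>
 *   <li>{@code jweAlgorithm == null}: a signed JWT (JWS) only;</li>
 *   <li>{@code jweAlgorithm != null} and {@code jwsAlgorithm == JwsAlgorithm.NONE}: an encrypted
 *       JWT (JWE) only, with no signature step;</li>
 *   <li>{@code jweAlgorithm != null} and any other {@code jwsAlgorithm}: an encrypted-then-signed
 *       JWT.</li>
 * </ul>
 *
 * <p>All instance fields are final and assigned once in the constructor.
 */
@Immutable
/* loaded from: input_file:WEB-INF/lib/openam-clientsdk-15.0.2.jar:org/forgerock/openam/sso/providers/stateless/JwtSessionMapper.class */
public final class JwtSessionMapper {
    // Shared JSON mapper: omits default-valued properties and emits compact (non-indented) output.
    private static final ObjectMapper MAPPER = new ObjectMapper()
            .setSerializationInclusion(JsonInclude.Include.NON_DEFAULT)
            .configure(SerializationFeature.INDENT_OUTPUT, false);
    private static final JwtBuilderFactory jwtBuilderFactory = new JwtBuilderFactory();
    // Type token for converting a SessionInfo into a generic claims map.
    private static final TypeReference<Map<String, Object>> MAP_TYPE = new TypeReference<Map<String, Object>>() { // from class: org.forgerock.openam.sso.providers.stateless.JwtSessionMapper.1
    };

    // Signature algorithm this mapper writes and the only one it accepts on incoming tokens.
    @VisibleForTesting
    final JwsAlgorithm jwsAlgorithm;

    // Handler used to sign outgoing tokens.
    @VisibleForTesting
    final SigningHandler signingHandler;

    // Handler used to verify the signature of incoming tokens.
    @VisibleForTesting
    final SigningHandler verificationHandler;

    // Key-management algorithm for JWE; null means encryption is not used at all.
    @VisibleForTesting
    final JweAlgorithm jweAlgorithm;
    // Content-encryption method written into the JWE header.
    private final EncryptionMethod encryptionMethod;

    // Key passed to the JWE builder when encrypting.
    @VisibleForTesting
    final Key encryptionKey;

    // Key passed to decrypt() on incoming encrypted tokens.
    @VisibleForTesting
    final Key decryptionKey;

    // Compression algorithm written into the token header via zip().
    @VisibleForTesting
    final CompressionAlgorithm compressionAlgorithm;

    /**
     * Copies every setting from the supplied builder.
     *
     * <p>Decompiler note: this constructor is package-private in the original class; the decompiler
     * widened it to {@code public}.
     *
     * @param jwtSessionMapperBuilder source of the algorithm, handler and key settings
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public JwtSessionMapper(@Nonnull JwtSessionMapperBuilder jwtSessionMapperBuilder) {
        this.jwsAlgorithm = jwtSessionMapperBuilder.jwsAlgorithm;
        this.signingHandler = jwtSessionMapperBuilder.signingHandler;
        this.verificationHandler = jwtSessionMapperBuilder.verificationHandler;
        this.encryptionKey = jwtSessionMapperBuilder.encryptionKey;
        this.decryptionKey = jwtSessionMapperBuilder.decryptionKey;
        this.jweAlgorithm = jwtSessionMapperBuilder.jweAlgorithm;
        this.encryptionMethod = jwtSessionMapperBuilder.encryptionMethod;
        this.compressionAlgorithm = jwtSessionMapperBuilder.compressionAlgorithm;
    }

    /**
     * Serialises a session into a JWT string using the configured protection.
     *
     * <p>Decompiler note: package-private in the original class.
     *
     * @param sessionInfo the session to encode; must not be null
     * @return the compact JWT string (JWS, JWE, or encrypted-then-signed, depending on configuration)
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public String asJwt(@Nonnull SessionInfo sessionInfo) {
        Reject.ifNull(sessionInfo, "sessionInfo must not be null.");
        Map<String, Object> claimsMap = MAPPER.convertValue(sessionInfo, MAP_TYPE);
        JwtClaimsSet jwtClaimsSet = new JwtClaimsSet(claimsMap);
        if (this.jweAlgorithm == null) {
            // No encryption configured: emit a JWS carrying the configured signature algorithm.
            // NOTE(review): if jwsAlgorithm is NONE here the token carries neither a signature nor
            // encryption; confirm the builder rejects that combination or that it is intended.
            return jwtBuilderFactory.jws(this.signingHandler)
                    .headers().alg(this.jwsAlgorithm).zip(this.compressionAlgorithm).done()
                    .claims(jwtClaimsSet)
                    .build();
        }
        EncryptedJwtBuilder encrypted = jwtBuilderFactory.jwe(this.encryptionKey)
                .headers().alg(this.jweAlgorithm).enc(this.encryptionMethod).zip(this.compressionAlgorithm).done()
                .claims(jwtClaimsSet);
        if (this.jwsAlgorithm != JwsAlgorithm.NONE) {
            // Encrypt first, then sign the resulting JWE.
            return encrypted.signedWith(this.signingHandler, this.jwsAlgorithm).build();
        }
        return encrypted.build();
    }

    /**
     * Parses a JWT string back into a session, applying the checks that match the configuration.
     *
     * <p>For signed tokens the header algorithm must equal the configured {@code jwsAlgorithm} and
     * the signature must verify before any claims are read. For encrypted-then-signed tokens the
     * signature is checked before {@code decrypt} is called.
     *
     * <p>Decompiler note: package-private in the original class.
     *
     * @param str the compact JWT string; must not be null
     * @return the session decoded from the token's claims
     * @throws JwtRuntimeException with message {@code "Invalid JWT!"} when the algorithm does not
     *         match or the signature does not verify; the JWT library calls made here may presumably
     *         also throw it for malformed input (not visible in this file)
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public SessionInfo fromJwt(@Nonnull String str) throws JwtRuntimeException {
        Reject.ifNull(str, "jwtString must not be null.");
        if (this.jweAlgorithm == null) {
            SignedJwt signedJwt = jwtBuilderFactory.reconstruct(str, SignedJwt.class);
            requireValidSignature(signedJwt);
            return fromJson(signedJwt.getClaimsSet());
        }
        if (this.jwsAlgorithm == JwsAlgorithm.NONE) {
            // Encryption-only mode: no signature is checked in this branch, and the token's JWE
            // header alg/enc values are not compared with the configured jweAlgorithm and
            // encryptionMethod here. Any integrity guarantee comes from the JWE handling itself.
            // NOTE(review): confirm the configured encryption method is an authenticated one.
            EncryptedJwt encryptedJwt = jwtBuilderFactory.reconstruct(str, EncryptedJwt.class);
            encryptedJwt.decrypt(this.decryptionKey);
            return fromJson(encryptedJwt.getClaimsSet());
        }
        // Typed as EncryptedThenSignedJwt (the decompiler had narrowed it to SignedJwt) because
        // decrypt() is invoked on it below.
        EncryptedThenSignedJwt nestedJwt = jwtBuilderFactory.reconstruct(str, EncryptedThenSignedJwt.class);
        // Verify the outer signature first so unauthenticated ciphertext never reaches decrypt().
        requireValidSignature(nestedJwt);
        nestedJwt.decrypt(this.decryptionKey);
        return fromJson(nestedJwt.getClaimsSet());
    }

    /**
     * Rejects a token whose header algorithm differs from the configured one or whose signature
     * does not verify. The algorithm comparison runs first and short-circuits verification.
     */
    private void requireValidSignature(SignedJwt signedJwt) {
        if (!doesJwtAlgorithmMatch(signedJwt) || !signedJwt.verify(this.verificationHandler)) {
            throw new JwtRuntimeException("Invalid JWT!");
        }
    }

    /** Converts a claims set into a {@link SessionInfo} through the shared JSON mapper. */
    private SessionInfo fromJson(JwtClaimsSet jwtClaimsSet) {
        return MAPPER.convertValue(toMap(jwtClaimsSet), SessionInfo.class);
    }

    /**
     * Reports whether the token's header algorithm equals the configured {@code jwsAlgorithm}, so
     * that the token cannot choose the algorithm it is verified under.
     */
    private boolean doesJwtAlgorithmMatch(SignedJwt signedJwt) {
        try {
            return this.jwsAlgorithm.equals(signedJwt.getHeader().getAlgorithm());
        } catch (IllegalArgumentException e) {
            // Presumably raised for an unrecognised "alg" header value (confirm against the JWT
            // library); treated as a mismatch so the token is rejected.
            return false;
        }
    }

    /** Copies every claim into a key-sorted map of plain objects. */
    private static Map<String, Object> toMap(JwtClaimsSet jwtClaimsSet) {
        Map<String, Object> claims = new TreeMap<>();
        for (String key : jwtClaimsSet.keys()) {
            claims.put(key, jwtClaimsSet.get(key).getObject());
        }
        return claims;
    }
}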
