package fr.paris.lutece.plugins.franceconnect.oidc.jwt;

import com.nimbusds.jose.Algorithm;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.PlainJWT;
import com.nimbusds.jwt.ReadOnlyJWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import fr.paris.lutece.plugins.franceconnect.oidc.AuthClientConf;
import fr.paris.lutece.plugins.franceconnect.oidc.AuthServerConf;
import fr.paris.lutece.plugins.franceconnect.oidc.IDToken;
import fr.paris.lutece.plugins.franceconnect.oidc.Token;
import fr.paris.lutece.plugins.franceconnect.web.Constants;
import java.text.ParseException;
import java.util.Date;
import org.apache.log4j.Logger;

/* loaded from: input_file:fr/paris/lutece/plugins/franceconnect/oidc/jwt/MitreJWTParser.class */
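/**
 * Validates a FranceConnect ID token (a JWT) and fills the {@link IDToken} of the {@link Token}.
 * <p>
 * The checks follow the MITRE OpenID Connect client validation order: header algorithm against the
 * client configuration, issuer, {@code exp} / {@code nbf} / {@code iat} with a clock-skew allowance,
 * audience, and the {@code nonce} against the value kept in the session. Every failure is reported as a
 * {@link TokenValidationException}.
 * <p>
 * NOTE(review): for a {@link SignedJWT} this class only logs that the token is signed; no signature
 * verification happens here. Unless the caller verifies the signature before trusting the result, the
 * claims copied into the {@link IDToken} come from an unauthenticated token — confirm where verification
 * is done.
 */
public class MitreJWTParser implements JWTParser {
    /** Clock skew tolerated when checking exp, nbf and iat, in seconds. Defaults to 5 minutes. */
    private int _nTimeSkewAllowance = 300;

    /**
     * Returns the clock skew allowance, in seconds, applied to the exp, nbf and iat checks.
     *
     * @return the allowance in seconds
     */
    public int getTimeSkewAllowance() {
        return _nTimeSkewAllowance;
    }

    /**
     * Sets the clock skew allowance, in seconds, applied to the exp, nbf and iat checks.
     *
     * @param nSeconds the allowance in seconds
     */
    public void setTimeSkewAllowance(int nSeconds) {
        _nTimeSkewAllowance = nSeconds;
    }

    /**
     * Parses and validates the ID token string held by {@code token} and stores the resulting
     * {@link IDToken} in it.
     *
     * @param token the token whose ID token string is parsed; receives the validated {@link IDToken}
     * @param authClientConf client configuration (expected signing algorithm and client id)
     * @param authServerConf server configuration (expected issuer)
     * @param str the nonce kept in the session; the token's {@code nonce} claim must equal it
     * @param logger logger used for debug traces and nonce errors
     * @throws TokenValidationException if the token cannot be parsed or any validation check fails
     */
    @Override
    public void parseJWT(Token token, AuthClientConf authClientConf, AuthServerConf authServerConf, String str, Logger logger) throws TokenValidationException {
        JWT jwt;
        try {
            jwt = com.nimbusds.jwt.JWTParser.parse(token.getIdTokenString());
        } catch (ParseException e) {
            throw new TokenValidationException("Unable to parse JWT : " + e.getMessage(), e);
        }

        ReadOnlyJWTClaimsSet claims;
        try {
            claims = jwt.getJWTClaimsSet();
        } catch (ParseException e) {
            throw new TokenValidationException("Unable to get Claims set from JWT : " + e.getMessage(), e);
        }

        // Order matters only for which error is reported first; it mirrors the MITRE client.
        checkAlgorithm(jwt, authClientConf, logger);
        checkIssuer(claims, authServerConf);
        checkTimes(claims);
        checkAudience(claims, authClientConf);
        String strNonce = checkNonce(claims, str, logger);

        String strIdProvider = readStringClaim(claims, Constants.CLAIM_IDP, "ID token did not contain an idp claim.");
        String strAcr = readStringClaim(claims, Constants.CLAIM_ACR, "ID token did not contain an acr claim.");

        IDToken idToken = new IDToken();
        idToken.setNonce(strNonce);
        idToken.setSubject(claims.getSubject());
        idToken.setIdProvider(strIdProvider);
        // exp and iat are exposed as epoch seconds, as in the JWT claims themselves
        idToken.setExpiration(String.valueOf(claims.getExpirationTime().getTime() / 1000));
        idToken.setIssueAt(String.valueOf(claims.getIssueTime().getTime() / 1000));
        idToken.setIssuer(claims.getIssuer());
        // the audience list is non-empty here: checkAudience() verified it contains the client id
        idToken.setAudience((String) claims.getAudience().get(0));
        idToken.setAcr(strAcr);
        logger.debug("ID Token retrieved : " + idToken);
        token.setIdToken(idToken);
    }

    /**
     * Checks the header algorithm against the client configuration and rejects unsigned tokens
     * unless the client is explicitly configured for them.
     */
    private static void checkAlgorithm(JWT jwt, AuthClientConf authClientConf, Logger logger) throws TokenValidationException {
        Algorithm tokenAlg = jwt.getHeader().getAlgorithm();
        Algorithm expectedAlg = authClientConf.getIdTokenSignedResponseAlg();
        if (expectedAlg != null && !expectedAlg.equals(tokenAlg)) {
            throw new TokenValidationException("Token algorithm " + tokenAlg + " does not match expected algorithm " + expectedAlg);
        }
        if (jwt instanceof PlainJWT) {
            logger.debug("ID token is a Plain JWT");
            // an unsigned token is only acceptable when the client was configured to expect one
            if (expectedAlg == null) {
                throw new TokenValidationException("Unsigned ID tokens can only be used if explicitly configured in client.");
            }
            if (tokenAlg != null && !tokenAlg.equals(JWSAlgorithm.NONE)) {
                throw new TokenValidationException("Unsigned token received, expected signature with " + tokenAlg);
            }
        } else if (jwt instanceof SignedJWT) {
            // NOTE(review): the signature is not verified in this class — see the class Javadoc
            logger.debug("ID token is a signed JWT");
        }
    }

    /** Requires a non-null issuer equal to the configured server issuer. */
    private static void checkIssuer(ReadOnlyJWTClaimsSet claims, AuthServerConf authServerConf) throws TokenValidationException {
        String strIssuer = claims.getIssuer();
        if (strIssuer == null) {
            throw new TokenValidationException("Id Token Issuer is null");
        }
        if (!strIssuer.equals(authServerConf.getIssuer())) {
            throw new TokenValidationException("Issuers do not match, expected " + authServerConf.getIssuer() + " got " + strIssuer);
        }
    }

    /**
     * Checks exp (required), nbf (optional) and iat (required) against the current time, each
     * relaxed by the skew allowance. A single time snapshot is used for all three comparisons.
     */
    private void checkTimes(ReadOnlyJWTClaimsSet claims) throws TokenValidationException {
        long lNow = System.currentTimeMillis();
        long lSkewMillis = _nTimeSkewAllowance * 1000L;
        Date earliestAccepted = new Date(lNow - lSkewMillis);
        Date latestAccepted = new Date(lNow + lSkewMillis);

        Date expiration = claims.getExpirationTime();
        if (expiration == null) {
            throw new TokenValidationException("Id Token does not have required expiration claim");
        }
        if (earliestAccepted.after(expiration)) {
            throw new TokenValidationException("Id Token is expired: " + expiration);
        }

        Date notBefore = claims.getNotBeforeTime();
        if (notBefore != null && latestAccepted.before(notBefore)) {
            throw new TokenValidationException("Id Token not valid untill: " + notBefore);
        }

        Date issuedAt = claims.getIssueTime();
        if (issuedAt == null) {
            throw new TokenValidationException("Id Token does not have required issued-at claim");
        }
        if (latestAccepted.before(issuedAt)) {
            throw new TokenValidationException("Id Token was issued in the future: " + issuedAt);
        }
    }

    /** Requires a non-null audience list containing the configured client id. */
    private static void checkAudience(ReadOnlyJWTClaimsSet claims, AuthClientConf authClientConf) throws TokenValidationException {
        if (claims.getAudience() == null) {
            throw new TokenValidationException("Id token audience is null");
        }
        if (!claims.getAudience().contains(authClientConf.getClientId())) {
            throw new TokenValidationException("Audience does not match, expected " + authClientConf.getClientId() + " got " + claims.getAudience());
        }
    }

    /**
     * Reads the nonce claim and requires it to be present, non-empty and equal to the session nonce,
     * which ties the ID token to the authentication request that started the flow.
     *
     * @return the validated nonce
     */
    private static String checkNonce(ReadOnlyJWTClaimsSet claims, String strSessionNonce, Logger logger) throws TokenValidationException {
        String strNonce = readStringClaim(claims, "nonce", "ID token did not contain a nonce claim.");
        if (strNonce == null || strNonce.equals("")) {
            logger.error("ID token did not contain a nonce claim.");
            throw new TokenValidationException("ID token did not contain a nonce claim.");
        }
        if (!strNonce.equals(strSessionNonce)) {
            logger.error("Possible replay attack detected! The comparison of the nonce in the returned ID Token to the session nonce failed. Expected " + strSessionNonce + " got " + strNonce + ".");
            throw new TokenValidationException("Possible replay attack detected! The comparison of the nonce in the returned ID Token to the session nonce failed. Expected " + strSessionNonce + " got " + strNonce + ".");
        }
        logger.debug("Nonce has been validated");
        return strNonce;
    }

    /**
     * Reads a string claim, converting a {@link ParseException} into a
     * {@link TokenValidationException} with the given message (the parse error is kept as cause).
     */
    private static String readStringClaim(ReadOnlyJWTClaimsSet claims, String strClaimName, String strErrorMessage) throws TokenValidationException {
        try {
            return claims.getStringClaim(strClaimName);
        } catch (ParseException e) {
            throw new TokenValidationException(strErrorMessage, e);
        }
    }
}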
