package org.pac4j.oidc.metadata;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.util.IOUtils;
import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.auth.ClientAuthentication;
import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic;
import com.nimbusds.oauth2.sdk.auth.ClientSecretPost;
import com.nimbusds.oauth2.sdk.auth.PrivateKeyJWT;
import com.nimbusds.oauth2.sdk.auth.Secret;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import java.io.IOException;
import java.io.InputStream;
import java.net.Proxy;
import java.security.PrivateKey;
import java.security.Provider;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.stream.Stream;
import lombok.Generated;
import org.pac4j.core.resource.SpringResourceHelper;
import org.pac4j.core.resource.SpringResourceLoader;
import org.pac4j.core.util.CommonHelper;
import org.pac4j.oidc.config.OidcConfiguration;
import org.pac4j.oidc.config.PrivateKeyJWTClientAuthnMethodConfig;
import org.pac4j.oidc.exceptions.OidcException;
import org.pac4j.oidc.exceptions.OidcUnsupportedClientAuthMethodException;
import org.pac4j.oidc.profile.creator.TokenValidator;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.core.io.Resource;

/* loaded from: input_file:org/pac4j/oidc/metadata/OidcOpMetadataResolver.class */
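/**
 * Loads the OpenID Provider discovery document (OP metadata) and derives from it, together with
 * the {@link OidcConfiguration}, the token endpoint {@link ClientAuthentication} and the
 * {@link TokenValidator} used by the client.
 *
 * <p>Trust boundary: the discovery document is fetched from {@code configuration.getDiscoveryURI()}
 * and everything read from it (token endpoint URI, supported auth methods, ...) is provider
 * controlled. TLS behaviour of that fetch is whatever {@code configuration.getSslSocketFactory()}
 * and {@code configuration.getHostnameVerifier()} provide; no validation of the document beyond
 * {@link OIDCProviderMetadata#parse(String)} is done here.
 */
public class OidcOpMetadataResolver extends SpringResourceLoader<OIDCProviderMetadata> {

    @SuppressFBWarnings(justification = "generated code")
    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(OidcOpMetadataResolver.class);

    /**
     * Token endpoint authentication methods accepted by {@link #getPreferredAuthenticationMethod}.
     * NOTE: {@code none} is accepted here but {@link #computeClientAuthentication()} has no branch
     * for it and rejects it; a public client (no credentials) is obtained by configuring neither a
     * secret nor a private-key JWT config, which short-circuits to {@code null}.
     */
    private static final Collection<ClientAuthenticationMethod> SUPPORTED_METHODS = Arrays.asList(
        ClientAuthenticationMethod.CLIENT_SECRET_POST,
        ClientAuthenticationMethod.CLIENT_SECRET_BASIC,
        ClientAuthenticationMethod.PRIVATE_KEY_JWT,
        ClientAuthenticationMethod.NONE);

    protected final OidcConfiguration configuration;
    protected ClientAuthentication clientAuthentication;
    protected TokenValidator tokenValidator;

    /**
     * @param oidcConfiguration client configuration; its discovery URI (if any) becomes the
     *                          resource this loader reads
     */
    public OidcOpMetadataResolver(OidcConfiguration oidcConfiguration) {
        super(buildResource(oidcConfiguration));
        this.configuration = oidcConfiguration;
    }

    /** Maps the configured discovery URI to a Spring {@link Resource}; {@code null} when unset. */
    private static Resource buildResource(OidcConfiguration oidcConfiguration) {
        if (oidcConfiguration == null || oidcConfiguration.getDiscoveryURI() == null) {
            return null;
        }
        return SpringResourceHelper.buildResourceFromPath(oidcConfiguration.getDiscoveryURI());
    }

    /**
     * Fetches the metadata and derives client authentication and token validator from it.
     * The three fields are assigned one after another; no synchronisation is visible here, so
     * any visibility guarantee comes from the superclass (not shown) — TODO confirm.
     */
    protected void internalLoad() {
        this.loaded = retrieveMetadata();
        this.clientAuthentication = computeClientAuthentication();
        this.tokenValidator = createTokenValidator();
    }

    /**
     * Downloads and parses the provider discovery document.
     *
     * <p>Uses no proxy and the configured socket factory, hostname verifier and timeouts.
     * The whole response body is read into memory ({@code readInputStreamToString}) before
     * parsing; there is no size cap, so a hostile or broken endpoint can make this allocate
     * as much as the read timeout allows — acceptable for a trusted OP, worth knowing otherwise.
     *
     * @return the parsed metadata
     * @throws OidcException wrapping any I/O or parse failure (cause preserved)
     */
    protected OIDCProviderMetadata retrieveMetadata() {
        try (InputStream in = SpringResourceHelper.getResourceInputStream(
                this.resource, (Proxy) null,
                this.configuration.getSslSocketFactory(), this.configuration.getHostnameVerifier(),
                this.configuration.getConnectTimeout(), this.configuration.getReadTimeout())) {
            return OIDCProviderMetadata.parse(IOUtils.readInputStreamToString(in));
        } catch (IOException | ParseException e) {
            throw new OidcException("Error getting OP metadata", e);
        }
    }

    /**
     * Builds the token endpoint client authentication from configuration and loaded metadata.
     *
     * <p>Selection order: the explicitly configured method wins (and must be advertised by the
     * provider when the provider advertises anything); otherwise the first method in the
     * provider's list that the client supports; when the provider lists nothing, the configured
     * method or the Nimbus default. Because the provider list is remote input, a provider that
     * lists an unusable method first only causes a failure, never a silent downgrade.
     *
     * @return the client authentication, or {@code null} when neither a client secret nor a
     *         private-key JWT configuration is present (public client)
     * @throws OidcUnsupportedClientAuthMethodException when no mutually supported method exists
     *                                                  or the chosen one cannot be built here
     * @throws OidcException when the private-key JWT assertion cannot be created
     */
    public ClientAuthentication computeClientAuthentication() {
        // Built first so a null/empty client id fails here regardless of the credential setup.
        ClientID clientID = new ClientID(this.configuration.getClientId());
        if (this.configuration.getSecret() == null && this.configuration.getPrivateKeyJWTClientAuthnMethodConfig() == null) {
            return null;
        }
        List<ClientAuthenticationMethod> metadataMethods =
            ((OIDCProviderMetadata) this.loaded).getTokenEndpointAuthMethods();
        ClientAuthenticationMethod preferred = getPreferredAuthenticationMethod(this.configuration);
        ClientAuthenticationMethod chosen = selectMethod(metadataMethods, preferred);

        if (ClientAuthenticationMethod.CLIENT_SECRET_POST.equals(chosen)
            || ClientAuthenticationMethod.CLIENT_SECRET_BASIC.equals(chosen)) {
            // A secret-based method can be selected from provider metadata even when only a
            // private-key JWT config was given; fail with a clear message instead of the NPE the
            // Secret constructor would raise. The secret value itself must never reach a message.
            String secret = this.configuration.getSecret();
            CommonHelper.assertNotNull("secret (required for " + chosen + ")", secret);
            Secret clientSecret = new Secret(secret);
            return ClientAuthenticationMethod.CLIENT_SECRET_POST.equals(chosen)
                ? new ClientSecretPost(clientID, clientSecret)
                : new ClientSecretBasic(clientID, clientSecret);
        }
        if (!ClientAuthenticationMethod.PRIVATE_KEY_JWT.equals(chosen)) {
            // Reached for NONE (accepted by SUPPORTED_METHODS) and anything else; see SUPPORTED_METHODS.
            throw new OidcUnsupportedClientAuthMethodException("Unsupported client authentication method: " + String.valueOf(chosen));
        }
        return buildPrivateKeyJwt(clientID);
    }

    /**
     * Picks the token endpoint authentication method from the provider's advertised list and the
     * configured preference (both may be absent).
     */
    private ClientAuthenticationMethod selectMethod(List<ClientAuthenticationMethod> metadataMethods,
                                                    ClientAuthenticationMethod preferred) {
        if (!CommonHelper.isNotEmpty(metadataMethods)) {
            ClientAuthenticationMethod fallback =
                preferred != null ? preferred : ClientAuthenticationMethod.getDefault();
            LOGGER.info("Provider metadata does not provide Token endpoint authentication methods. Using: {}", fallback);
            return fallback;
        }
        if (preferred == null) {
            return firstSupportedMethod(metadataMethods, this.configuration.getSupportedClientAuthenticationMethods());
        }
        if (!metadataMethods.contains(preferred)) {
            throw new OidcUnsupportedClientAuthMethodException("Preferred authentication method (" + String.valueOf(preferred) + ") not supported by provider according to provider metadata (" + String.valueOf(metadataMethods) + ").");
        }
        return preferred;
    }

    /**
     * Builds a {@code private_key_jwt} client assertion. The assertion audience is the token
     * endpoint URI taken from the loaded (provider-supplied) metadata; the signing key, algorithm
     * and optional key id come from configuration and are required.
     */
    private ClientAuthentication buildPrivateKeyJwt(ClientID clientID) {
        PrivateKeyJWTClientAuthnMethodConfig jwtConfig = this.configuration.getPrivateKeyJWTClientAuthnMethodConfig();
        CommonHelper.assertNotNull("privateKeyJwtConfig", jwtConfig);
        JWSAlgorithm jwsAlgorithm = jwtConfig.getJwsAlgorithm();
        CommonHelper.assertNotNull("privateKeyJwtConfig.getJwsAlgorithm()", jwsAlgorithm);
        PrivateKey privateKey = jwtConfig.getPrivateKey();
        CommonHelper.assertNotNull("privateKeyJwtConfig.getPrivateKey()", privateKey);
        try {
            return new PrivateKeyJWT(clientID, ((OIDCProviderMetadata) this.loaded).getTokenEndpointURI(),
                jwsAlgorithm, privateKey, jwtConfig.getKeyID(), (Provider) null);
        } catch (JOSEException e) {
            throw new OidcException("Cannot instantiate private key JWT client authentication method", e);
        }
    }

    /**
     * @return the explicitly configured method, or {@code null} when none is configured
     * @throws OidcUnsupportedClientAuthMethodException when the configured method is not one this
     *                                                  resolver knows how to build
     */
    private static ClientAuthenticationMethod getPreferredAuthenticationMethod(OidcConfiguration oidcConfiguration) {
        ClientAuthenticationMethod configured = oidcConfiguration.getClientAuthenticationMethod();
        if (configured == null) {
            return null;
        }
        if (!SUPPORTED_METHODS.contains(configured)) {
            throw new OidcUnsupportedClientAuthMethodException("Configured authentication method (" + String.valueOf(configured) + ") is not supported.");
        }
        return configured;
    }

    /**
     * Returns the first method of {@code advertised} (provider order) contained in
     * {@code accepted}, falling back to {@link #SUPPORTED_METHODS} when {@code accepted} is null.
     *
     * @throws OidcUnsupportedClientAuthMethodException when there is no overlap
     */
    private static ClientAuthenticationMethod firstSupportedMethod(Collection<ClientAuthenticationMethod> advertised,
                                                                   Collection<ClientAuthenticationMethod> accepted) {
        Collection<ClientAuthenticationMethod> acceptable = accepted != null ? accepted : SUPPORTED_METHODS;
        Objects.requireNonNull(acceptable);
        return advertised.stream()
            .filter(acceptable::contains)
            .findFirst()
            .orElseThrow(() -> new OidcUnsupportedClientAuthMethodException(
                "None of the Token endpoint provider metadata authentication methods are supported: " + String.valueOf(advertised)));
    }

    /** Creates the validator for tokens issued by the provider described by the loaded metadata. */
    public TokenValidator createTokenValidator() {
        return new TokenValidator(this.configuration, (OIDCProviderMetadata) this.loaded);
    }

    @SuppressFBWarnings(justification = "generated code")
    @Generated
    public ClientAuthentication getClientAuthentication() {
        return this.clientAuthentication;
    }

    @SuppressFBWarnings(justification = "generated code")
    @Generated
    public TokenValidator getTokenValidator() {
        return this.tokenValidator;
    }
}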
