package com.microsoft.azure.spring.autoconfigure.aad;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSObject;
import com.nimbusds.jose.jwk.source.JWKSetCache;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.jwk.source.RemoteJWKSet;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jose.util.ResourceRetriever;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.jwt.proc.BadJWTException;
import com.nimbusds.jwt.proc.ConfigurableJWTProcessor;
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import java.net.MalformedURLException;
import java.net.URL;
import java.text.ParseException;
import java.util.HashSet;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Stream;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/microsoft/azure/spring/autoconfigure/aad/UserPrincipalManager.class */
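/**
 * Validates Azure AD issued JWTs and turns them into {@link UserPrincipal}s.
 *
 * <p>Validation performed by {@link #buildUserPrincipal(String)}: signature against the configured
 * {@link JWKSource}, the standard claim checks of {@link DefaultJWTClaimsVerifier}, an issuer
 * prefix check ({@link #isAADIssuer(String)}) and, when enabled at construction, an audience check
 * against the configured client id / App ID URI.
 *
 * <p>All fields are {@code final}; the instance holds no mutable state after construction.
 */
public class UserPrincipalManager {
    private static final Logger log = LoggerFactory.getLogger(UserPrincipalManager.class);

    // Accepted issuer prefixes. isAADIssuer() is a prefix test only: the tenant id that follows the
    // prefix is not compared against the configured tenant.
    private static final String LOGIN_MICROSOFT_ONLINE_ISSUER = "https://login.microsoftonline.com/";
    private static final String STS_WINDOWS_ISSUER = "https://sts.windows.net/";
    private static final String STS_CHINA_CLOUD_API_ISSUER = "https://sts.chinacloudapi.cn/";

    /** Source of the public keys used to verify token signatures. */
    private final JWKSource<SecurityContext> keySource;
    /** Configuration; {@code null} when built via {@link #UserPrincipalManager(JWKSource)}. */
    private final AADAuthenticationProperties aadAuthProps;
    /** When true, the token's {@code aud} claim must contain one of {@link #validAudiences}. */
    private final boolean explicitAudienceCheck;
    /** Client id and App ID URI from configuration; populated only when the audience check is on. */
    private final Set<String> validAudiences;

    /**
     * Creates a manager backed by an explicit key source. Only signature, standard-claim and issuer
     * checks are performed; the audience check is disabled and no AAD properties are held.
     *
     * @param jWKSource source of JWKs used to verify token signatures
     */
    public UserPrincipalManager(JWKSource<SecurityContext> jWKSource) {
        this.keySource = jWKSource;
        this.aadAuthProps = null;
        this.explicitAudienceCheck = false;
        this.validAudiences = new HashSet<>();
    }

    /**
     * Creates a manager that fetches signing keys from the AAD key-discovery endpoint of the
     * configured environment, using the library's default JWK set cache.
     *
     * @param serviceEndpointsProperties per-environment AAD endpoints
     * @param aADAuthenticationProperties AAD configuration (environment, client id, App ID URI)
     * @param resourceRetriever retriever used to download the JWK set
     * @param z whether to enforce the audience check
     * @throws IllegalStateException if the key discovery URI is not a valid URL
     */
    public UserPrincipalManager(ServiceEndpointsProperties serviceEndpointsProperties,
                                AADAuthenticationProperties aADAuthenticationProperties,
                                ResourceRetriever resourceRetriever,
                                boolean z) {
        // A null cache makes remoteKeySource() use the two-argument RemoteJWKSet constructor,
        // exactly as this constructor did before the common path was factored out.
        this(serviceEndpointsProperties, aADAuthenticationProperties, resourceRetriever, z, null);
    }

    /**
     * Creates a manager that fetches signing keys from the AAD key-discovery endpoint of the
     * configured environment, using the supplied JWK set cache.
     *
     * @param serviceEndpointsProperties per-environment AAD endpoints
     * @param aADAuthenticationProperties AAD configuration (environment, client id, App ID URI)
     * @param resourceRetriever retriever used to download the JWK set
     * @param z whether to enforce the audience check
     * @param jWKSetCache cache for the downloaded JWK set; {@code null} selects the library default
     * @throws IllegalStateException if the key discovery URI is not a valid URL
     */
    public UserPrincipalManager(ServiceEndpointsProperties serviceEndpointsProperties,
                                AADAuthenticationProperties aADAuthenticationProperties,
                                ResourceRetriever resourceRetriever,
                                boolean z,
                                JWKSetCache jWKSetCache) {
        this.aadAuthProps = aADAuthenticationProperties;
        this.explicitAudienceCheck = z;
        // HashSet rather than Set.of: tolerates a null value should one of the two settings be
        // unconfigured (presumably possible for the App ID URI — confirm against the properties).
        this.validAudiences = new HashSet<>();
        if (z) {
            this.validAudiences.add(this.aadAuthProps.getClientId());
            this.validAudiences.add(this.aadAuthProps.getAppIdUri());
        }
        this.keySource = remoteKeySource(serviceEndpointsProperties, aADAuthenticationProperties,
                resourceRetriever, jWKSetCache);
    }

    /**
     * Builds a remote JWK set source from the AAD key-discovery URI of the configured environment.
     *
     * @param endpoints per-environment AAD endpoints
     * @param props AAD configuration supplying the environment
     * @param retriever retriever used to download the JWK set
     * @param cache JWK set cache; when {@code null} the two-argument RemoteJWKSet constructor is used
     * @return a remote key source for signature verification
     * @throws IllegalStateException if the discovery URI is not a valid URL
     */
    private static JWKSource<SecurityContext> remoteKeySource(ServiceEndpointsProperties endpoints,
                                                              AADAuthenticationProperties props,
                                                              ResourceRetriever retriever,
                                                              JWKSetCache cache) {
        try {
            URL discoveryUrl = new URL(
                    endpoints.getServiceEndpoints(props.getEnvironment()).getAadKeyDiscoveryUri());
            if (cache == null) {
                return new RemoteJWKSet<>(discoveryUrl, retriever);
            }
            return new RemoteJWKSet<>(discoveryUrl, retriever, cache);
        } catch (MalformedURLException e) {
            log.error("Failed to parse active directory key discovery uri.", e);
            throw new IllegalStateException("Failed to parse active directory key discovery uri.", e);
        }
    }

    /**
     * Parses and fully validates a serialized JWT and returns the authenticated principal.
     *
     * @param str compact-serialized JWS/JWT as received from the client (untrusted input)
     * @return principal wrapping the parsed JWS and its verified claims
     * @throws ParseException if the string is not a parseable JWS
     * @throws JOSEException on key selection / signature verification errors
     * @throws BadJOSEException if the token is rejected (signature, standard claims, issuer or audience)
     */
    public UserPrincipal buildUserPrincipal(String str) throws ParseException, JOSEException, BadJOSEException {
        JWSObject jws = JWSObject.parse(str);
        // NOTE(review): the algorithm handed to the key selector is read from the not-yet-verified
        // token header. Presumably selection is bounded by the key types published at the discovery
        // endpoint, but pinning an expected algorithm set here would be stricter — confirm.
        ConfigurableJWTProcessor<SecurityContext> validator =
                getAadJwtTokenValidator(jws.getHeader().getAlgorithm());
        JWTClaimsSet claims = validator.process(str, (SecurityContext) null);
        // Second, explicit pass over the claims, kept from the original so the custom verifier is
        // guaranteed to run regardless of whether process() already invoked it.
        validator.getJWTClaimsSetVerifier().verify(claims, (SecurityContext) null);
        return new UserPrincipal(jws, claims);
    }

    /**
     * Reports whether the token's {@code iss} claim starts with a known AAD issuer prefix.
     *
     * <p>No signature verification is performed here, so the result is only a routing hint for
     * deciding whether to run {@link #buildUserPrincipal(String)}; it is not an authentication
     * decision.
     *
     * @param str compact-serialized JWT (untrusted input)
     * @return true if the token parses and its issuer matches an AAD prefix, false otherwise
     */
    public boolean isTokenIssuedByAAD(String str) {
        try {
            return isAADIssuer(JWTParser.parse(str).getJWTClaimsSet().getIssuer());
        } catch (ParseException e) {
            // The raw token is a bearer credential; log only the parse failure, never the token.
            log.info("Failed to parse JWT: {}", e.getMessage());
            return false;
        }
    }

    /**
     * Prefix check of an issuer string against the three accepted AAD issuer hosts.
     *
     * <p>Only the prefix is compared; the tenant segment after it is not validated. Left public
     * because the decompiled class exposes it that way (it was originally private).
     *
     * @param str issuer claim value, may be {@code null}
     * @return true if non-null and prefixed by an accepted AAD issuer, false otherwise
     */
    public static boolean isAADIssuer(String str) {
        if (str == null) {
            return false;
        }
        return str.startsWith(LOGIN_MICROSOFT_ONLINE_ISSUER)
                || str.startsWith(STS_WINDOWS_ISSUER)
                || str.startsWith(STS_CHINA_CLOUD_API_ISSUER);
    }

    /**
     * Builds a JWT processor that verifies the signature with a key from {@link #keySource} for the
     * given algorithm and then runs the standard claim checks plus the issuer and (optional)
     * audience checks.
     *
     * @param jWSAlgorithm algorithm used to select a verification key
     * @return a configured processor; a fresh instance per call
     */
    private ConfigurableJWTProcessor<SecurityContext> getAadJwtTokenValidator(JWSAlgorithm jWSAlgorithm) {
        DefaultJWTProcessor<SecurityContext> processor = new DefaultJWTProcessor<>();
        processor.setJWSKeySelector(new JWSVerificationKeySelector<>(jWSAlgorithm, this.keySource));
        processor.setJWTClaimsSetVerifier(new DefaultJWTClaimsVerifier<SecurityContext>() {
            @Override
            public void verify(JWTClaimsSet claims, SecurityContext context) throws BadJWTException {
                // Library checks (time-based claims etc.) run first; failures surface as BadJWTException.
                super.verify(claims, context);
                if (!isAADIssuer(claims.getIssuer())) {
                    throw new BadJWTException("Invalid token issuer");
                }
                if (explicitAudienceCheck) {
                    // Any single matching audience is sufficient.
                    String matched = claims.getAudience().stream()
                            .filter(validAudiences::contains)
                            .findFirst()
                            .orElseThrow(() -> new BadJWTException(
                                    "Invalid token audience. Provided value " + claims.getAudience()
                                            + " does not match either client-id or AppIdUri."));
                    log.debug("Matched audience [{}]", matched);
                }
            }
        });
        return processor;
    }
}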
