package com.ubirch.auth.oidcutil;

import com.nimbusds.jose.Algorithm;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.source.RemoteJWKSet;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SimpleSecurityContext;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import com.nimbusds.oauth2.sdk.AuthorizationCode;
import com.nimbusds.oauth2.sdk.AuthorizationCodeGrant;
import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.SerializeException;
import com.nimbusds.oauth2.sdk.TokenErrorResponse;
import com.nimbusds.oauth2.sdk.TokenRequest;
import com.nimbusds.oauth2.sdk.auth.ClientSecretPost;
import com.nimbusds.oauth2.sdk.auth.Secret;
import com.nimbusds.oauth2.sdk.http.HTTPResponse;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.token.AccessToken;
import com.nimbusds.openid.connect.sdk.OIDCTokenResponse;
import com.nimbusds.openid.connect.sdk.OIDCTokenResponseParser;
import com.typesafe.scalalogging.slf4j.Logger;
import com.typesafe.scalalogging.slf4j.StrictLogging;
import com.ubirch.auth.model.db.ContextProviderConfig;
import com.ubirch.auth.model.db.OidcProviderConfig;
import java.io.IOException;
import java.net.URI;
import java.net.URL;
import scala.MatchError;
import scala.None$;
import scala.Option;
import scala.Predef$;
import scala.Some;
import scala.StringContext;
import scala.collection.immutable.Nil$;
import scala.runtime.BoxedUnit;
import scala.runtime.BoxesRunTime;

/* compiled from: TokenUtil.scala */
/* loaded from: input_file:com/ubirch/auth/oidcutil/TokenUtil$.class */
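/**
 * Singleton holder for the OIDC helper routines compiled from {@code TokenUtil.scala}.
 *
 * <p>The class exchanges an authorization code for tokens at a third-party OpenID Connect
 * provider (client authentication via {@code client_secret_post}) and then checks the returned
 * ID token with a Nimbus {@link DefaultJWTProcessor} whose keys come from the provider's JWKS
 * endpoint.
 *
 * <p>This is decompiler output, not hand-written Java. Several constructs are decompiler
 * artifacts and would not compile as-is: assignments to {@code final} fields, {@code try}
 * statements whose body was emitted empty, and {@code StrictLogging.class.$init$(this)}.
 * They are kept as found and marked where they occur.
 *
 * <p>Security notes for readers of this listing:
 * <ul>
 *   <li>Access tokens and raw ID tokens are bearer credentials and are not written to the log.</li>
 *   <li>The signing algorithm is read from the (still unverified) token header and is accepted
 *       only if the provider configuration lists it; that allowlist is the sole algorithm
 *       gate visible here.</li>
 *   <li>No issuer, audience or nonce comparison is visible in this class; only the checks that
 *       {@code DefaultJWTProcessor.process} performs with its default configuration apply.</li>
 * </ul>
 */
public final class TokenUtil$ implements StrictLogging {
    // Decompiler artifact: the Scala module instance is assigned in the constructor below,
    // which plain Java would reject for a final field initialised to null.
    public static final TokenUtil$ MODULE$ = null;
    private final Logger logger;

    static {
        new TokenUtil$();
    }

    /**
     * Returns the logger installed by the {@code StrictLogging} trait initialiser.
     *
     * @return the logger held by this module
     */
    /* renamed from: logger, reason: merged with bridge method [inline-methods] */
    public Logger m3logger() {
        return this.logger;
    }

    /**
     * Trait setter that stores the logger for this module.
     *
     * @param logger the logger to store
     */
    public void com$typesafe$scalalogging$slf4j$StrictLogging$_setter_$logger_$eq(Logger logger) {
        this.logger = logger;
    }

    /**
     * Exchanges an authorization code at the provider's token endpoint and verifies the ID token
     * contained in the response.
     *
     * @param contextProviderConfig supplies context, provider, callback URL, client id and
     *     client secret
     * @param oidcProviderConfig supplies the provider id, endpoints and allowed signing algorithms
     * @param str the authorization code received from the provider
     * @return {@code Some(TokenUserId)} built from the access token value, the {@code sub} claim,
     *     a user name and a language when verification succeeds; {@code None} when the request
     *     could not be sent, the provider answered with an error, or the ID token was rejected
     */
    public Option<TokenUserId> verifyCodeWith3rdParty(ContextProviderConfig contextProviderConfig, OidcProviderConfig oidcProviderConfig, String str) {
        None$ none$;
        None$ none$2;
        None$ some;
        None$ none$3;
        Some sendTokenRequest = sendTokenRequest(contextProviderConfig, oidcProviderConfig, str);
        if (None$.MODULE$.equals(sendTokenRequest)) {
            none$2 = None$.MODULE$;
        } else {
            // Decompiler artifact: the try body was emitted empty. The ParseException handler
            // presumably guards the OIDCTokenResponseParser.parse call further down; confirm
            // against the original Scala source before relying on this layout.
            try {
            } catch (ParseException e) {
                if (m3logger().underlying().isErrorEnabled()) {
                    m3logger().underlying().error(new StringContext(Predef$.MODULE$.wrapRefArray(new String[]{"oidc code verification failed (failed to parse response from provider)"})).s(Nil$.MODULE$), e);
                    BoxedUnit boxedUnit = BoxedUnit.UNIT;
                } else {
                    BoxedUnit boxedUnit2 = BoxedUnit.UNIT;
                }
                none$ = None$.MODULE$;
            }
            if (!(sendTokenRequest instanceof Some)) {
                throw new MatchError(sendTokenRequest);
            }
            HTTPResponse hTTPResponse = (HTTPResponse) sendTokenRequest.x();
            TokenErrorResponse parse = OIDCTokenResponseParser.parse(hTTPResponse);
            if (parse instanceof TokenErrorResponse) {
                TokenErrorResponse tokenErrorResponse = parse;
                if (m3logger().underlying().isErrorEnabled()) {
                    // Status code, raw body and error JSON are all provider-controlled text that
                    // ends up in the log unmodified.
                    m3logger().underlying().error(new StringContext(Predef$.MODULE$.wrapRefArray(new String[]{"oidc code verification failed (provider replied with an error): ", " - ", " - ", ""})).s(Predef$.MODULE$.genericWrapArray(new Object[]{BoxesRunTime.boxToInteger(hTTPResponse.getStatusCode()), hTTPResponse.getContent(), tokenErrorResponse.toJSONObject().toJSONString()})));
                    BoxedUnit boxedUnit3 = BoxedUnit.UNIT;
                } else {
                    BoxedUnit boxedUnit4 = BoxedUnit.UNIT;
                }
                none$3 = None$.MODULE$;
            } else {
                if (!(parse instanceof OIDCTokenResponse)) {
                    throw new MatchError(parse);
                }
                OIDCTokenResponse oIDCTokenResponse = (OIDCTokenResponse) parse;
                AccessToken accessToken = oIDCTokenResponse.getOIDCTokens().getAccessToken();
                JWT iDToken = oIDCTokenResponse.getOIDCTokens().getIDToken();
                String context = contextProviderConfig.context();
                String provider = contextProviderConfig.provider();
                Some verifyIdToken = verifyIdToken(oidcProviderConfig, iDToken);
                if (None$.MODULE$.equals(verifyIdToken)) {
                    if (m3logger().underlying().isErrorEnabled()) {
                        m3logger().underlying().error(new StringContext(Predef$.MODULE$.wrapRefArray(new String[]{"failed to get verified token: context=", ", provider=", ""})).s(Predef$.MODULE$.genericWrapArray(new Object[]{context, provider})));
                        BoxedUnit boxedUnit5 = BoxedUnit.UNIT;
                    } else {
                        BoxedUnit boxedUnit6 = BoxedUnit.UNIT;
                    }
                    // The debug statement that printed the access token and the serialized ID
                    // token was dropped: the access token is a live bearer credential even when
                    // the ID token is rejected, and the error entry above already records
                    // context and provider.
                    some = None$.MODULE$;
                } else {
                    if (!(verifyIdToken instanceof Some)) {
                        throw new MatchError(verifyIdToken);
                    }
                    JWTClaimsSet jWTClaimsSet = (JWTClaimsSet) verifyIdToken.x();
                    // NOTE(review): nothing here compares the audience with
                    // contextProviderConfig.clientId(), the issuer with the configured provider,
                    // or a nonce with the one sent in the authorization request. The token
                    // arrives on the back channel from the token endpoint, which limits the
                    // exposure, but OIDC still asks for these checks; confirm whether a caller
                    // performs them.
                    if (m3logger().underlying().isDebugEnabled()) {
                        // The claims set may carry personal data (name, e-mail); debug level only.
                        m3logger().underlying().debug(new StringContext(Predef$.MODULE$.wrapRefArray(new String[]{"claims=", ""})).s(Predef$.MODULE$.genericWrapArray(new Object[]{jWTClaimsSet})));
                        BoxedUnit boxedUnit9 = BoxedUnit.UNIT;
                    } else {
                        BoxedUnit boxedUnit10 = BoxedUnit.UNIT;
                    }
                    String subject = jWTClaimsSet.getSubject();
                    String extractUserName = extractUserName(jWTClaimsSet);
                    String extractLanguage = extractLanguage(jWTClaimsSet);
                    if (m3logger().underlying().isDebugEnabled()) {
                        // Token values are left out on purpose; context, provider and subject
                        // are enough to correlate the login.
                        m3logger().underlying().debug(new StringContext(Predef$.MODULE$.wrapRefArray(new String[]{"got verified token: context=", ", provider=", ", userId=", ""})).s(Predef$.MODULE$.genericWrapArray(new Object[]{context, provider, subject})));
                        BoxedUnit boxedUnit11 = BoxedUnit.UNIT;
                    } else {
                        BoxedUnit boxedUnit12 = BoxedUnit.UNIT;
                    }
                    if (m3logger().underlying().isInfoEnabled()) {
                        m3logger().underlying().info(new StringContext(Predef$.MODULE$.wrapRefArray(new String[]{"got verified token from provider=", " (context=", ")"})).s(Predef$.MODULE$.genericWrapArray(new Object[]{provider, context})));
                        BoxedUnit boxedUnit13 = BoxedUnit.UNIT;
                    } else {
                        BoxedUnit boxedUnit14 = BoxedUnit.UNIT;
                    }
                    some = new Some(new TokenUserId(accessToken.getValue(), subject, extractUserName, extractLanguage));
                }
                none$3 = some;
            }
            none$ = none$3;
            none$2 = none$;
        }
        return none$2;
    }

    /**
     * Builds the token request and sends it to the provider.
     *
     * <p>Only {@code SerializeException} and {@code IOException} are handled; a
     * {@code URISyntaxException} raised while building the request is not caught here.
     *
     * @param contextProviderConfig client-side settings used to build the request
     * @param oidcProviderConfig provider settings used to build the request
     * @param str the authorization code
     * @return {@code Some(HTTPResponse)} on success, {@code None} when sending failed
     */
    private Option<HTTPResponse> sendTokenRequest(ContextProviderConfig contextProviderConfig, OidcProviderConfig oidcProviderConfig, String str) {
        try {
            return new Some(tokenRequest(contextProviderConfig, oidcProviderConfig, str).toHTTPRequest().send());
        } catch (SerializeException e) {
            if (m3logger().underlying().isErrorEnabled()) {
                m3logger().underlying().error(new StringContext(Predef$.MODULE$.wrapRefArray(new String[]{"failed to send oidc code verification request (SerializeException)"})).s(Nil$.MODULE$), e);
                BoxedUnit boxedUnit = BoxedUnit.UNIT;
            } else {
                BoxedUnit boxedUnit2 = BoxedUnit.UNIT;
            }
            return None$.MODULE$;
        } catch (IOException e2) {
            if (m3logger().underlying().isErrorEnabled()) {
                // The message used to repeat "(SerializeException)" here, which made network
                // failures look like serialization failures during triage.
                m3logger().underlying().error(new StringContext(Predef$.MODULE$.wrapRefArray(new String[]{"failed to send oidc code verification request (IOException)"})).s(Nil$.MODULE$), e2);
                BoxedUnit boxedUnit3 = BoxedUnit.UNIT;
            } else {
                BoxedUnit boxedUnit4 = BoxedUnit.UNIT;
            }
            return None$.MODULE$;
        }
    }

    /**
     * Assembles an authorization-code token request for the provider's token endpoint.
     *
     * <p>The client authenticates with {@code ClientSecretPost}, so the client secret travels in
     * the request body. NOTE(review): the scheme of the configured token endpoint is not checked
     * here; confirm that configuration only ever supplies an {@code https} URL.
     *
     * @param contextProviderConfig supplies callback URL, client id and client secret
     * @param oidcProviderConfig supplies the provider id and the token endpoint
     * @param str the authorization code
     * @return the token request, not yet sent
     */
    private TokenRequest tokenRequest(ContextProviderConfig contextProviderConfig, OidcProviderConfig oidcProviderConfig, String str) {
        AuthorizationCodeGrant authorizationCodeGrant = new AuthorizationCodeGrant(new AuthorizationCode(str), contextProviderConfig.callbackUrl());
        URI uri = new URI(oidcProviderConfig.endpoints().token());
        if (m3logger().underlying().isDebugEnabled()) {
            m3logger().underlying().debug(new StringContext(Predef$.MODULE$.wrapRefArray(new String[]{"token endpoint: provider=", ", url=", ""})).s(Predef$.MODULE$.genericWrapArray(new Object[]{oidcProviderConfig.id(), uri})));
            BoxedUnit boxedUnit = BoxedUnit.UNIT;
        } else {
            BoxedUnit boxedUnit2 = BoxedUnit.UNIT;
        }
        return new TokenRequest(uri, new ClientSecretPost(new ClientID(contextProviderConfig.clientId()), new Secret(contextProviderConfig.clientSecret())), authorizationCodeGrant);
    }

    /**
     * Runs the ID token through a {@link DefaultJWTProcessor} configured for the provider.
     *
     * <p>The processor is configured with a JWS key selector only, so whatever claim checks it
     * applies are its defaults; this method adds none of its own.
     *
     * @param oidcProviderConfig provider settings used to build the processor
     * @param jwt the ID token taken from the token response
     * @return {@code Some(JWTClaimsSet)} when processing succeeds, {@code None} when no processor
     *     could be built or the token was rejected
     */
    private Option<JWTClaimsSet> verifyIdToken(OidcProviderConfig oidcProviderConfig, JWT jwt) {
        None$ none$;
        None$ none$2;
        Some jwtProcessor = jwtProcessor(oidcProviderConfig, jwt);
        if (None$.MODULE$.equals(jwtProcessor)) {
            if (m3logger().underlying().isErrorEnabled()) {
                m3logger().underlying().error(new StringContext(Predef$.MODULE$.wrapRefArray(new String[]{"failed to load jwtProcessor: provider=", ""})).s(Predef$.MODULE$.genericWrapArray(new Object[]{oidcProviderConfig.id()})));
                BoxedUnit boxedUnit = BoxedUnit.UNIT;
            } else {
                BoxedUnit boxedUnit2 = BoxedUnit.UNIT;
            }
            none$2 = None$.MODULE$;
        } else {
            // Decompiler artifact: the try body was emitted empty. Both handlers presumably
            // guard the process(...) call below; confirm against the original Scala source.
            try {
            } catch (BadJOSEException e) {
                if (m3logger().underlying().isErrorEnabled()) {
                    m3logger().underlying().error("verifyIdToken() failed with a BadJOSEException", e);
                    BoxedUnit boxedUnit3 = BoxedUnit.UNIT;
                } else {
                    BoxedUnit boxedUnit4 = BoxedUnit.UNIT;
                }
                none$ = None$.MODULE$;
            } catch (JOSEException e2) {
                if (m3logger().underlying().isErrorEnabled()) {
                    m3logger().underlying().error("verifyIdToken() failed with a JOSEException", e2);
                    BoxedUnit boxedUnit5 = BoxedUnit.UNIT;
                } else {
                    BoxedUnit boxedUnit6 = BoxedUnit.UNIT;
                }
                none$ = None$.MODULE$;
            }
            if (!(jwtProcessor instanceof Some)) {
                throw new MatchError(jwtProcessor);
            }
            none$ = new Some(((DefaultJWTProcessor) jwtProcessor.x()).process(jwt, new SimpleSecurityContext()));
            none$2 = none$;
        }
        return none$2;
    }

    /**
     * Builds a JWT processor whose verification keys come from the provider's JWKS endpoint.
     *
     * <p>The algorithm is read from the header of the token being verified, i.e. from data that
     * is not yet trusted. It is used only if {@code tokenSigningAlgorithms()} contains its name,
     * so that configured list decides which algorithms are acceptable and should name only the
     * algorithms the provider really signs with. A new {@link RemoteJWKSet} is created on every
     * call. A {@code MalformedURLException} from the JWKS URL is not caught here.
     *
     * @param oidcProviderConfig supplies the provider id, JWKS endpoint and allowed algorithms
     * @param jwt the token whose header names the signing algorithm
     * @return {@code Some(processor)}, or {@code None} when the algorithm is not allowed or the
     *     key selector rejects its arguments
     */
    private Option<DefaultJWTProcessor<SimpleSecurityContext>> jwtProcessor(OidcProviderConfig oidcProviderConfig, JWT jwt) {
        DefaultJWTProcessor defaultJWTProcessor = new DefaultJWTProcessor();
        RemoteJWKSet remoteJWKSet = new RemoteJWKSet(new URL(oidcProviderConfig.endpoints().jwks()));
        Algorithm algorithm = jwt.getHeader().getAlgorithm();
        if (!oidcProviderConfig.tokenSigningAlgorithms().contains(algorithm.getName())) {
            if (m3logger().underlying().isErrorEnabled()) {
                m3logger().underlying().error(new StringContext(Predef$.MODULE$.wrapRefArray(new String[]{"signing algorithm does not match those allowed by our configuration: provider=", ", algorithm=", ""})).s(Predef$.MODULE$.genericWrapArray(new Object[]{oidcProviderConfig.id(), algorithm})));
                BoxedUnit boxedUnit = BoxedUnit.UNIT;
            } else {
                BoxedUnit boxedUnit2 = BoxedUnit.UNIT;
            }
            return None$.MODULE$;
        }
        try {
            defaultJWTProcessor.setJWSKeySelector(new JWSVerificationKeySelector(new JWSAlgorithm(algorithm.getName(), algorithm.getRequirement()), remoteJWKSet));
            return new Some(defaultJWTProcessor);
        } catch (IllegalArgumentException e) {
            if (m3logger().underlying().isErrorEnabled()) {
                m3logger().underlying().error("jwtProcessor() failed with an IllegalArgumentException", e);
                BoxedUnit boxedUnit3 = BoxedUnit.UNIT;
            } else {
                BoxedUnit boxedUnit4 = BoxedUnit.UNIT;
            }
            return None$.MODULE$;
        }
    }

    /**
     * Picks a user name from the claims: {@code preferred_username} first, then {@code name}.
     *
     * <p>When neither claim is present the four-character string {@code "null"} is returned, not
     * a null reference; callers cannot tell that apart from a user actually named "null". The
     * value is provider-asserted display text; the {@code sub} claim is passed to
     * {@code TokenUserId} separately.
     *
     * @param jWTClaimsSet the verified claims
     * @return the chosen claim rendered with {@code toString()}, or {@code "null"}
     */
    private String extractUserName(JWTClaimsSet jWTClaimsSet) {
        return jWTClaimsSet.getClaim("preferred_username") == null ? jWTClaimsSet.getClaim("name") == null ? "null" : jWTClaimsSet.getClaim("name").toString() : jWTClaimsSet.getClaim("preferred_username").toString();
    }

    /**
     * Reads the {@code locale} claim, falling back to {@code "en"} when it is absent.
     *
     * @param jWTClaimsSet the verified claims
     * @return the locale claim rendered with {@code toString()}, or {@code "en"}
     */
    private String extractLanguage(JWTClaimsSet jWTClaimsSet) {
        return jWTClaimsSet.getClaim("locale") == null ? "en" : jWTClaimsSet.getClaim("locale").toString();
    }

    /**
     * Module constructor: publishes the singleton and runs the {@code StrictLogging} trait
     * initialiser. Both statements are decompiler renderings of Scala bytecode and are not
     * valid Java source.
     */
    private TokenUtil$() {
        MODULE$ = this;
        StrictLogging.class.$init$(this);
    }
}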
