package org.pac4j.oidc.profile.creator;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.oauth2.sdk.ErrorObject;
import com.nimbusds.oauth2.sdk.ParseException;
import com.nimbusds.oauth2.sdk.http.HTTPRequest;
import com.nimbusds.oauth2.sdk.http.HTTPResponse;
import com.nimbusds.oauth2.sdk.token.AccessToken;
import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
import com.nimbusds.oauth2.sdk.token.RefreshToken;
import com.nimbusds.openid.connect.sdk.Nonce;
import com.nimbusds.openid.connect.sdk.UserInfoErrorResponse;
import com.nimbusds.openid.connect.sdk.UserInfoRequest;
import com.nimbusds.openid.connect.sdk.UserInfoResponse;
import com.nimbusds.openid.connect.sdk.UserInfoSuccessResponse;
import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet;
import java.io.IOException;
import java.net.URI;
import java.util.Map;
import java.util.Optional;
import org.pac4j.core.context.WebContext;
import org.pac4j.core.context.session.SessionStore;
import org.pac4j.core.credentials.Credentials;
import org.pac4j.core.credentials.TokenCredentials;
import org.pac4j.core.exception.TechnicalException;
import org.pac4j.core.profile.AttributeLocation;
import org.pac4j.core.profile.ProfileHelper;
import org.pac4j.core.profile.UserProfile;
import org.pac4j.core.profile.creator.ProfileCreator;
import org.pac4j.core.profile.definition.ProfileDefinitionAware;
import org.pac4j.core.util.CommonHelper;
import org.pac4j.oidc.client.OidcClient;
import org.pac4j.oidc.config.OidcConfiguration;
import org.pac4j.oidc.credentials.OidcCredentials;
import org.pac4j.oidc.exceptions.UserInfoErrorResponseException;
import org.pac4j.oidc.profile.OidcProfile;
import org.pac4j.oidc.profile.OidcProfileDefinition;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:pac4j-oidc-5.7.2.jar:org/pac4j/oidc/profile/creator/OidcProfileCreator.class */
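/**
 * Builds an {@link OidcProfile} from OIDC credentials (ID token, access token, refresh token)
 * or from a bare bearer token carried in {@link TokenCredentials}.
 *
 * <p>Claim sources are merged in this order, and a claim already present on the profile is never
 * overwritten by a later source: UserInfo response, then ID token claims, then (optionally)
 * access-token claims. The profile identifier is taken from the validated ID token only.
 */
public class OidcProfileCreator extends ProfileDefinitionAware implements ProfileCreator {
    private static final Logger logger = LoggerFactory.getLogger(OidcProfileCreator.class);
    protected OidcConfiguration configuration;
    protected OidcClient client;

    /**
     * @param oidcConfiguration the OIDC configuration; checked for null in {@link #internalInit(boolean)}
     * @param oidcClient the client whose nonce session attribute name is used during ID token validation
     */
    public OidcProfileCreator(OidcConfiguration oidcConfiguration, OidcClient oidcClient) {
        this.configuration = oidcConfiguration;
        this.client = oidcClient;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Checks that a configuration is present and installs {@link OidcProfileDefinition} as the
     * default profile definition.
     */
    @Override // org.pac4j.core.util.InitializableObject
    public void internalInit(boolean z) {
        CommonHelper.assertNotNull("configuration", this.configuration);
        defaultProfileDefinition(new OidcProfileDefinition());
    }

    /**
     * Creates the user profile for the given credentials.
     *
     * @param credentials either {@link OidcCredentials} or {@link TokenCredentials}; any other type
     *     fails on the cast to {@code TokenCredentials}
     * @param webContext the current web context
     * @param sessionStore the session store holding the nonce recorded for this login
     * @return the profile, or empty when the UserInfo endpoint returns an error (or a mismatching
     *     subject) for non-OIDC credentials
     * @throws TechnicalException when token validation, parsing or the UserInfo call fails
     */
    @Override // org.pac4j.core.profile.creator.ProfileCreator
    public Optional<UserProfile> create(Credentials credentials, WebContext webContext, SessionStore sessionStore) {
        init();

        final boolean hasOidcCredentials = credentials instanceof OidcCredentials;
        final OidcCredentials oidcCredentials = hasOidcCredentials ? (OidcCredentials) credentials : null;
        final AccessToken accessToken = hasOidcCredentials
                ? oidcCredentials.getAccessToken()
                : new BearerAccessToken(((TokenCredentials) credentials).getToken());

        final OidcProfile profile = (OidcProfile) getProfileDefinition().newProfile(new Object[0]);
        profile.setAccessToken(accessToken);

        if (oidcCredentials != null) {
            // The raw ID token is stored on the profile before it has been validated below.
            if (oidcCredentials.getIdToken() != null) {
                profile.setIdTokenString(oidcCredentials.getIdToken().getParsedString());
            }
            final RefreshToken refreshToken = oidcCredentials.getRefreshToken();
            if (refreshToken != null && !refreshToken.getValue().isEmpty()) {
                profile.setRefreshToken(refreshToken);
                logger.debug("Refresh Token successful retrieved");
            }
        }

        try {
            // NOTE(review): when nonce checking is enabled and the session holds no nonce, null is
            // passed to the Nonce constructor -- confirm this fails closed rather than skipping the check.
            final Nonce nonce = this.configuration.isUseNonce()
                    ? new Nonce((String) sessionStore.get(webContext, this.client.getNonceSessionAttributeName()).orElse(null))
                    : null;

            final boolean hasIdToken = oidcCredentials != null && oidcCredentials.getIdToken() != null;
            if (hasIdToken) {
                // The profile id comes only from the validated ID token.
                final IDTokenClaimsSet idTokenClaims =
                        this.configuration.findTokenValidator().validate(oidcCredentials.getIdToken(), nonce);
                CommonHelper.assertNotNull("claimsSet", idTokenClaims);
                profile.setId(ProfileHelper.sanitizeIdentifier(idTokenClaims.getSubject()));

                // Record the provider session id so a later logout request can be matched to this session.
                final String sessionId = (String) idTokenClaims.getClaim("sid");
                if (CommonHelper.isNotBlank(sessionId)) {
                    this.configuration.findLogoutHandler().recordSession(webContext, sessionStore, sessionId);
                }
            }

            if (this.configuration.isCallUserInfoEndpoint()) {
                try {
                    callUserInfoEndpoint(this.configuration.findProviderMetadata().getUserInfoEndpointURI(), accessToken, profile);
                } catch (UserInfoErrorResponseException e) {
                    // With OIDC credentials the profile is still built from the ID token alone;
                    // with a bare bearer token there is nothing else to authenticate the caller.
                    if (!hasOidcCredentials) {
                        return Optional.empty();
                    }
                }
            }

            if (hasIdToken) {
                addMissingClaims(profile, oidcCredentials.getIdToken().getJWTClaimsSet().getClaims());
            }
            if (oidcCredentials != null && this.configuration.isIncludeAccessTokenClaimsInProfile()) {
                collectClaimsFromAccessTokenIfAny(oidcCredentials, nonce, profile);
            }

            profile.setTokenExpirationAdvance(this.configuration.getTokenExpirationAdvance());
            return Optional.of(profile);
        } catch (JOSEException | BadJOSEException | ParseException | IOException | java.text.ParseException e) {
            throw new TechnicalException(e);
        }
    }

    /**
     * Calls the UserInfo endpoint with the access token and adds the returned claims to the profile.
     *
     * <p>When the profile already has an identifier (in {@link #create} it is the subject of the
     * validated ID token), the {@code sub} claim of the UserInfo response must match it. OpenID
     * Connect Core section 5.3.2 requires this check and forbids using the UserInfo values on a
     * mismatch; without it an access token issued for another user could contribute claims to
     * this profile.
     *
     * @param uri the UserInfo endpoint; the call is skipped when null
     * @param accessToken the access token to present; the call is skipped when null
     * @param userProfile the profile receiving the claims
     * @throws UserInfoErrorResponseException when the endpoint returns an error response or the
     *     returned subject does not match the profile identifier
     */
    public void callUserInfoEndpoint(URI uri, AccessToken accessToken, UserProfile userProfile) throws IOException, ParseException, java.text.ParseException, UserInfoErrorResponseException {
        if (uri == null || accessToken == null) {
            return;
        }

        final HTTPRequest userInfoHttpRequest = new UserInfoRequest(uri, accessToken).toHTTPRequest();
        this.configuration.configureHttpRequest(userInfoHttpRequest);
        final HTTPResponse httpResponse = userInfoHttpRequest.send();
        // NOTE(review): the response body holds the user's claims (personal data); it is written
        // to the log whenever debug logging is enabled for this class.
        logger.debug("User info response: status={}, content={}", httpResponse.getStatusCode(), httpResponse.getContent());

        final UserInfoResponse userInfoResponse = UserInfoResponse.parse(httpResponse);
        if (userInfoResponse instanceof UserInfoErrorResponse) {
            final ErrorObject error = ((UserInfoErrorResponse) userInfoResponse).getErrorObject();
            logger.error("Bad User Info response, error={}", error);
            throw new UserInfoErrorResponseException(error.toString());
        }

        final UserInfoSuccessResponse success = (UserInfoSuccessResponse) userInfoResponse;
        // NOTE(review): for a JWT-encoded response the claims are read without any signature
        // check in this method; trust rests on the connection to the endpoint.
        final JWTClaimsSet userInfoClaims = success.getUserInfo() != null
                ? success.getUserInfo().toJWTClaimsSet()
                : success.getUserInfoJWT().getJWTClaimsSet();
        if (userInfoClaims == null) {
            logger.warn("Cannot retrieve claims from user info");
            return;
        }

        final String expectedSubject = userProfile.getId();
        if (expectedSubject != null
                && !expectedSubject.equals(ProfileHelper.sanitizeIdentifier(userInfoClaims.getSubject()))) {
            logger.warn("Ignoring User Info response: its 'sub' claim does not match the profile identifier");
            throw new UserInfoErrorResponseException("User Info 'sub' claim does not match the profile identifier");
        }

        getProfileDefinition().convertAndAdd(userProfile, userInfoClaims.getClaims(), null);
    }

    /**
     * Validates the access token as a JWT and copies its claims onto the profile.
     *
     * <p>JOSE and parse failures are logged at debug level and otherwise ignored, so a failed
     * validation contributes no claims; any other exception is rethrown as a
     * {@link TechnicalException}.
     */
    private void collectClaimsFromAccessTokenIfAny(OidcCredentials oidcCredentials, Nonce nonce, OidcProfile oidcProfile) {
        try {
            final AccessToken accessToken = oidcCredentials.getAccessToken();
            if (accessToken == null) {
                return;
            }
            // The access token goes through the same validator (and nonce) as the ID token.
            final Map<String, Object> accessTokenClaims = this.configuration.findTokenValidator()
                    .validate(JWTParser.parse(accessToken.getValue()), nonce)
                    .toJWTClaimsSet()
                    .getClaims();
            addMissingClaims(oidcProfile, accessTokenClaims);
        } catch (JOSEException | BadJOSEException | ParseException | java.text.ParseException e) {
            logger.debug(e.getMessage(), (Throwable) e);
        } catch (Exception e) {
            throw new TechnicalException(e);
        }
    }

    /**
     * Adds each claim to the profile unless it is {@code sub} or the profile already has an
     * attribute of that name, so claims set by an earlier source are kept.
     */
    private void addMissingClaims(OidcProfile oidcProfile, Map<String, Object> claims) {
        for (Map.Entry<String, Object> claim : claims.entrySet()) {
            final String name = claim.getKey();
            if ("sub".equals(name) || oidcProfile.getAttribute(name) != null) {
                continue;
            }
            getProfileDefinition().convertAndAdd(oidcProfile, AttributeLocation.PROFILE_ATTRIBUTE, name, claim.getValue());
        }
    }
}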
