package com.vaadin.sso.starter;

import java.net.URL;
import java.time.Clock;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.util.Assert;
import org.springframework.util.CollectionUtils;

/* loaded from: input_file:BOOT-INF/lib/sso-kit-starter-1.0.auth-keycloak-theme-SNAPSHOT.jar:com/vaadin/sso/starter/OidcLogoutTokenValidator.class */
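/**
 * Validates an OpenID Connect Back-Channel Logout Token (RFC-style checks
 * from the OIDC Back-Channel Logout spec, "Validation" section).
 *
 * <p>Checks performed here, in order:
 * <ol>
 *   <li>{@code iss}, {@code iat} and {@code aud} must be present;</li>
 *   <li>the {@code alg} header must equal the provider's
 *       {@code id_token_signed_response_alg} metadata (default {@code RS256});</li>
 *   <li>{@code iss} must equal the registration's issuer URI and {@code aud}
 *       must contain the client id;</li>
 *   <li>{@code iat} must not lie in the future beyond the configured clock skew
 *       (no maximum token age is enforced by this class);</li>
 *   <li>at least one of {@code sub} / {@code sid} must be present;</li>
 *   <li>{@code events} must contain the back-channel-logout event member;</li>
 *   <li>a {@code nonce} claim must be absent.</li>
 * </ol>
 *
 * <p>NOTE(review): signature verification, {@code exp} handling and {@code jti}
 * replay detection are not performed here; presumably the surrounding
 * {@code JwtDecoder} / validator chain covers signature and expiry — confirm.
 *
 * <p>Instances are not thread-safe with respect to the setters; configure the
 * validator before sharing it.
 */
public final class OidcLogoutTokenValidator implements OAuth2TokenValidator<Jwt> {
    private static final Logger LOGGER = LoggerFactory.getLogger(OidcLogoutTokenValidator.class);
    private static final Duration DEFAULT_CLOCK_SKEW = Duration.ofSeconds(60);
    private static final String ID_TOKEN_SIGNED_RESPONSE_ALG = "id_token_signed_response_alg";
    private static final String ALG_HEADER = "alg";
    private static final String ALG_RS256 = "RS256";
    private static final String BC_LOGOUT_EVENT = "http://schemas.openid.net/event/backchannel-logout";
    // Error URI attached to every OAuth2Error produced by this validator.
    private static final String VALIDATION_ERROR_URI = "https://openid.net/specs/openid-connect-backchannel-1_0.html#Validation";
    private final ClientRegistration clientRegistration;
    // Tolerance applied to the "iat must not be in the future" check.
    private Duration clockSkew = DEFAULT_CLOCK_SKEW;
    // Injectable clock so the iat check is testable.
    private Clock clock = Clock.systemUTC();

    /**
     * Creates a validator bound to one client registration.
     *
     * @param clientRegistration the registration whose issuer URI, client id and
     *        provider metadata the logout token is validated against
     * @throws IllegalArgumentException if {@code clientRegistration} is null
     */
    public OidcLogoutTokenValidator(ClientRegistration clientRegistration) {
        Assert.notNull(clientRegistration, "clientRegistration cannot be null");
        this.clientRegistration = clientRegistration;
    }

    /**
     * Validates the given logout token.
     *
     * @param jwt the decoded logout token
     * @return a successful result, or a failure carrying an {@link OAuth2Error}
     *         of type {@code invalid_request} that lists the offending claims
     */
    @Override // org.springframework.security.oauth2.core.OAuth2TokenValidator
    public OAuth2TokenValidatorResult validate(Jwt jwt) {
        Map<String, Object> invalidClaims = validateRequiredClaims(jwt);
        if (!invalidClaims.isEmpty()) {
            LOGGER.warn("Logout token validation failed because of missing claims: {}", invalidClaims);
            return OAuth2TokenValidatorResult.failure(invalidLogoutTokenClaims(invalidClaims));
        }
        ClientRegistration.ProviderDetails providerDetails = this.clientRegistration.getProviderDetails();
        Map<String, Object> configurationMetadata = providerDetails.getConfigurationMetadata();
        // The expected algorithm comes from provider metadata, falling back to RS256
        // as for ID Tokens; a mismatch is reported on its own, before claim checks.
        String alg = (String) jwt.getHeaders().get(ALG_HEADER);
        Object expectedAlg = configurationMetadata.getOrDefault(ID_TOKEN_SIGNED_RESPONSE_ALG, ALG_RS256);
        if (!Objects.equals(alg, expectedAlg)) {
            return OAuth2TokenValidatorResult.failure(invalidLogoutTokenAlgorithm(alg));
        }
        collectInvalidClaimValues(jwt, providerDetails, invalidClaims);
        if (invalidClaims.isEmpty()) {
            LOGGER.debug("Logout token validation succeeded");
            return OAuth2TokenValidatorResult.success();
        }
        LOGGER.warn("Logout token validation failed because of invalid claims: {}", invalidClaims);
        return OAuth2TokenValidatorResult.failure(invalidLogoutTokenClaims(invalidClaims));
    }

    /**
     * Sets the tolerance used when checking that {@code iat} is not in the future.
     *
     * @param duration the clock skew, must be non-negative
     * @throws IllegalArgumentException if {@code duration} is null or negative
     */
    public void setClockSkew(Duration duration) {
        Assert.notNull(duration, "clockSkew cannot be null");
        Assert.isTrue(duration.getSeconds() >= 0, "clockSkew must be >= 0");
        this.clockSkew = duration;
    }

    /**
     * Sets the clock used for the {@code iat} check.
     *
     * @param clock the clock, typically a fixed clock in tests
     * @throws IllegalArgumentException if {@code clock} is null
     */
    public void setClock(Clock clock) {
        Assert.notNull(clock, "clock cannot be null");
        this.clock = clock;
    }

    /**
     * Applies the value checks that only make sense once the required claims are
     * known to be present (caller guarantees {@code iss}, {@code iat}, {@code aud}
     * are non-null/non-empty). Every failing claim is recorded in
     * {@code invalidClaims} under its claim name.
     */
    private void collectInvalidClaimValues(Jwt jwt, ClientRegistration.ProviderDetails providerDetails,
            Map<String, Object> invalidClaims) {
        URL issuer = jwt.getIssuer();
        if (!Objects.equals(providerDetails.getIssuerUri(), issuer.toExternalForm())) {
            invalidClaims.put("iss", issuer);
        }
        List<String> audience = jwt.getAudience();
        if (!audience.contains(this.clientRegistration.getClientId())) {
            invalidClaims.put("aud", audience);
        }
        // Only a future-dated token (beyond the skew) is rejected; tokens issued
        // arbitrarily long ago are accepted by this check.
        Instant issuedAt = jwt.getIssuedAt();
        if (Instant.now(this.clock).plus(this.clockSkew).isBefore(issuedAt)) {
            invalidClaims.put("iat", issuedAt);
        }
        // The spec requires sub, sid, or both.
        String subject = jwt.getSubject();
        String sessionId = jwt.getClaimAsString("sid");
        if (subject == null && sessionId == null) {
            invalidClaims.put("sub", subject);
            invalidClaims.put("sid", sessionId);
        }
        Map<String, Object> events = jwt.getClaimAsMap("events");
        if (events == null || !events.containsKey(BC_LOGOUT_EVENT)) {
            invalidClaims.put("events", events);
        }
        // A logout token must never carry a nonce (distinguishes it from an ID Token).
        Object nonce = jwt.getClaim("nonce");
        if (nonce != null) {
            invalidClaims.put("nonce", nonce);
        }
    }

    /** Builds the error returned when the {@code alg} header is not the expected one. */
    private static OAuth2Error invalidLogoutTokenAlgorithm(String alg) {
        return new OAuth2Error("invalid_request", "The Logout Token algorithm is invalid: " + alg, VALIDATION_ERROR_URI);
    }

    /** Builds the error returned when one or more claims are missing or invalid. */
    private static OAuth2Error invalidLogoutTokenClaims(Map<String, Object> invalidClaims) {
        return new OAuth2Error("invalid_request", "The Logout Token contains invalid claims: " + invalidClaims, VALIDATION_ERROR_URI);
    }

    /**
     * Checks presence of the claims every logout token must carry.
     *
     * @return a mutable map of missing claim names to their (null/empty) value;
     *         empty when {@code iss}, {@code iat} and {@code aud} are all present
     */
    private static Map<String, Object> validateRequiredClaims(Jwt jwt) {
        Map<String, Object> missing = new HashMap<>();
        URL issuer = jwt.getIssuer();
        if (issuer == null) {
            missing.put("iss", issuer);
        }
        Instant issuedAt = jwt.getIssuedAt();
        if (issuedAt == null) {
            missing.put("iat", issuedAt);
        }
        List<String> audience = jwt.getAudience();
        if (CollectionUtils.isEmpty(audience)) {
            missing.put("aud", audience);
        }
        return missing;
    }
}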
