package fish.payara.security.openid;

import fish.payara.security.openid.api.AccessTokenCallerPrincipal;
import fish.payara.security.openid.api.AccessTokenCredential;
import fish.payara.security.openid.controller.JWTValidator;
import fish.payara.security.openid.controller.TokenClaimsSetVerifier;
import fish.payara.security.openid.domain.AccessTokenImpl;
import fish.payara.security.openid.domain.OpenIdConfiguration;
import fish.payara.security.openid.domain.OpenIdContextImpl;
import fish.payara.security.shaded.nimbusds.jose.proc.SecurityContext;
import fish.payara.security.shaded.nimbusds.jwt.JWTClaimsSet;
import fish.payara.security.shaded.nimbusds.jwt.proc.BadJWTException;
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.enterprise.context.ContextNotActiveException;
import jakarta.enterprise.context.SessionScoped;
import jakarta.enterprise.inject.Typed;
import jakarta.enterprise.inject.spi.BeanManager;
import jakarta.inject.Inject;
import jakarta.security.enterprise.identitystore.CredentialValidationResult;
import jakarta.security.enterprise.identitystore.IdentityStore;
import java.text.ParseException;
import java.util.Collections;
import java.util.Objects;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;

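@ApplicationScoped
@Typed({AccessTokenIdentityStore.class})
/**
 * Identity store that validates an {@link AccessTokenCredential} (a bearer access token)
 * against the configured OpenID provider and turns it into an
 * {@link AccessTokenCallerPrincipal}.
 *
 * <p>The token is parsed and checked by {@link AccessTokenImpl#forBearerToken} using a
 * {@link BearerVerifier} for the claim checks and the injected {@link JWTValidator}.
 * Any failure yields {@link CredentialValidationResult#INVALID_RESULT}, so the store
 * fails closed.
 */
public class AccessTokenIdentityStore implements IdentityStore {
    private static final Logger LOGGER = Logger.getLogger(AccessTokenIdentityStore.class.getName());

    // Request/session OpenID context; populated with the token and caller name only when a
    // session scope is active (see validate()).
    @Inject
    OpenIdContextImpl context;

    @Inject
    OpenIdConfiguration configuration;

    // Signature/format validation of the JWT; handed to AccessTokenImpl.forBearerToken.
    @Inject
    JWTValidator validator;

    // Used only to probe whether the session scope is active.
    @Inject
    BeanManager beanManager;

    /**
     * Claim checks applied to a bearer access token: the issuer must match the provider's
     * access-token issuer URI, a subject must be present and the time-based claims must be
     * valid.
     */
    static class BearerVerifier extends TokenClaimsSetVerifier {
        public BearerVerifier(OpenIdConfiguration openIdConfiguration) {
            super(openIdConfiguration);
        }

        /**
         * Verifies the claims of a bearer access token.
         *
         * @param claims          the parsed JWT claims set
         * @param securityContext the nimbus security context (not used by these checks)
         * @throws BadJWTException if the issuer, subject or timestamp requirements fail
         */
        @Override
        public void verify(JWTClaimsSet claims, SecurityContext securityContext) throws BadJWTException {
            TokenClaimsSetVerifier.StandardVerifications checks =
                    new TokenClaimsSetVerifier.StandardVerifications(this.configuration, claims);
            checks.requireIssuer(this.configuration.getProviderMetadata().getAccessTokenIssuerURI());
            checks.requireSubject();
            checks.requireValidTimestamp();
        }

        /**
         * Intentionally a no-op: all checks live in the two-argument overload above.
         * NOTE(review): assumes the base class routes verification through that overload —
         * confirm against TokenClaimsSetVerifier, otherwise this path performs no checks.
         */
        @Override
        public void verify(JWTClaimsSet claims) throws BadJWTException {
        }
    }

    /**
     * This store only validates credentials; it does not provide groups.
     */
    @Override
    public Set<IdentityStore.ValidationType> validationTypes() {
        return Collections.singleton(IdentityStore.ValidationType.VALIDATE);
    }

    /**
     * Validates a bearer access token.
     *
     * <p>On success, if a session scope is active, the token and the caller name (the
     * configured caller-name claim, falling back to the {@code sub} claim) are stored in the
     * {@link OpenIdContextImpl}. The returned principal resolves its claims lazily from that
     * context.
     *
     * @param accessTokenCredential the credential carrying the raw bearer token
     * @return a valid result wrapping an {@link AccessTokenCallerPrincipal}, or
     *         {@link CredentialValidationResult#INVALID_RESULT} if the token cannot be
     *         parsed or verified
     */
    public CredentialValidationResult validate(AccessTokenCredential accessTokenCredential) {
        try {
            AccessTokenImpl accessToken = AccessTokenImpl.forBearerToken(
                    this.configuration,
                    accessTokenCredential.getAccessToken(),
                    new BearerVerifier(this.configuration),
                    this.validator);
            if (isSessionActive()) {
                this.context.setAccessToken(accessToken);
                String callerNameClaim = this.configuration.getClaimsConfiguration().getCallerNameClaim();
                String callerName = accessToken.getJwtClaims()
                        .getStringClaim(callerNameClaim)
                        .orElse(accessToken.getJwtClaims().getSubject().orElse(null));
                this.context.setCallerName(callerName);
            }
            // Bound method reference: throws NullPointerException here if context is null,
            // rather than later when the principal's claims are first read.
            return new CredentialValidationResult(
                    new AccessTokenCallerPrincipal(accessToken, this.context::getClaims));
        } catch (RuntimeException | ParseException e) {
            // Do not echo the token itself: it is a bearer credential and a log line is a
            // persistent, often widely readable sink. The exception carries the diagnostic.
            // NOTE(review): the parser's exception message may still quote token fragments —
            // confirm before shipping these logs off-host.
            LOGGER.log(Level.WARNING, "Cannot parse access token", e);
            return CredentialValidationResult.INVALID_RESULT;
        }
    }

    /**
     * Whether the CDI session scope is currently active.
     *
     * @return {@code true} if the session context is active; {@code false} if it is not
     *         active or is not registered at all
     */
    private boolean isSessionActive() {
        try {
            return this.beanManager.getContext(SessionScoped.class).isActive();
        } catch (ContextNotActiveException e) {
            // No session context in this invocation (e.g. outside a servlet request).
            return false;
        }
    }
}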
