package edu.uiuc.ncsa.security.oauth_2_0.client;

import au.com.bytecode.opencsv.CSVWriter;
import edu.uiuc.ncsa.security.core.exceptions.GeneralException;
import edu.uiuc.ncsa.security.core.exceptions.NFWException;
import edu.uiuc.ncsa.security.delegation.client.request.BasicRequest;
import edu.uiuc.ncsa.security.oauth_2_0.JWTUtil;
import edu.uiuc.ncsa.security.oauth_2_0.OA2Constants;
import edu.uiuc.ncsa.security.oauth_2_0.server.claims.OA2Claims;
import edu.uiuc.ncsa.security.servlet.ServiceClient;
import edu.uiuc.ncsa.security.util.jwk.JSONWebKeys;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URL;
import net.sf.json.JSONObject;
import net.sf.json.util.JSONUtils;

/* loaded from: input_file:WEB-INF/lib/ncsa-security-oauth-2.0-4.1.jar:edu/uiuc/ncsa/security/oauth_2_0/client/TokenAwareServer.class */
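/**
 * Base class for OAuth 2 client-side server stubs that receive token responses and
 * must validate the ID token they contain.
 *
 * <p>Holds the {@link ServiceClient} used to talk to the server and the well-known
 * URI from which the server's JSON web keys are fetched.
 */
public abstract class TokenAwareServer extends ASImpl {
    ServiceClient serviceClient;
    String wellKnown;

    /**
     * @return the service client this instance was constructed with
     */
    public ServiceClient getServiceClient() {
        return this.serviceClient;
    }

    /**
     * @param serviceClient client used for requests; its host is passed to the superclass
     * @param str           the well-known URI used to look up signing keys, may be {@code null}
     */
    public TokenAwareServer(ServiceClient serviceClient, String str) {
        super(serviceClient.host(new URI[0]));
        this.serviceClient = serviceClient;
        this.wellKnown = str;
    }

    /**
     * Fetches the server's JSON web keys via {@link JWTUtil#getJsonWebKeys}.
     *
     * @return the keys retrieved from the configured well-known URI
     * @throws NFWException if no well-known URI was configured
     */
    public JSONWebKeys getJsonWebKeys() {
        if (this.wellKnown == null) {
            throw new NFWException("Error: no well-known URI has been configured. Please add this to the configuration file.");
        }
        // NOTE(review): the keys fetched here are the trust anchor for ID token signature
        // checks, so the well-known URI should be an https endpoint -- confirm how
        // JWTUtil/ServiceClient enforce transport security.
        return JWTUtil.getJsonWebKeys(getServiceClient(), this.wellKnown);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Parses a raw token-endpoint response and checks that it carries a bearer token.
     *
     * @param str the raw response body
     * @return the parsed response
     * @throws GeneralException if the body is missing, looks like HTML (starts with
     *                          {@code <} or a newline), or the token type is not bearer
     */
    public JSONObject getAndCheckResponse(String str) {
        if (str == null) {
            // Fail with the same exception type as every other rejection path instead
            // of a bare NullPointerException.
            throw new GeneralException("Error: no response from server");
        }
        // The decompiler rendered the newline literal as an unrelated library constant;
        // the plain literal is used here.
        if (str.startsWith("<") || str.startsWith("\n")) {
            // NOTE(review): the whole response body is embedded in the exception message.
            // If this message reaches logs or an error page, treat it as untrusted content
            // and consider truncating/encoding it at that sink.
            throw new GeneralException("Error: Response from server was html: " + str);
        }
        JSONObject response = JSONObject.fromObject(str);
        if (!response.getString(OA2Constants.TOKEN_TYPE).equals(OA2Constants.BEARER_TOKEN_TYPE)) {
            throw new GeneralException("Error: incorrect token type");
        }
        return response;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Extracts the ID token from a token response, verifies it against the server's
     * keys and validates the audience, issuer and expiration claims.
     *
     * <p>This method does not check a nonce or an issued-at claim.
     *
     * @param jSONObject   the parsed token response, expected to contain the ID token
     * @param basicRequest the request whose client identifier must equal the audience
     * @return the verified claims, or an empty object when verification yields a null object
     * @throws GeneralException if the ID token is missing, the audience or issuer does not
     *                          match, the issuer or server address is not a valid URL, or
     *                          the expiration is absent or in the past
     */
    public JSONObject getAndCheckIDToken(JSONObject jSONObject, BasicRequest basicRequest) {
        JSONWebKeys keys = getJsonWebKeys();
        if (!jSONObject.containsKey(OA2Constants.ID_TOKEN)) {
            throw new GeneralException("Error: Missing id token.");
        }
        JSONObject claims = JWTUtil.verifyAndReadJWT(jSONObject.getString(OA2Constants.ID_TOKEN), keys);
        if (claims.isNullObject()) {
            // NOTE(review): a null result is turned into empty claims rather than an error,
            // so callers must not treat a normal return as proof that a token was verified.
            // Confirm when JWTUtil.verifyAndReadJWT returns a null object.
            return new JSONObject();
        }
        if (!claims.getString(OA2Claims.AUDIENCE).equals(basicRequest.getClient().getIdentifierString())) {
            throw new GeneralException("Error: Audience is incorrect");
        }

        URL expected;
        URL issuer;
        try {
            expected = getAddress().toURL();
            issuer = new URL(claims.getString(OA2Claims.ISSUER));
        } catch (MalformedURLException e) {
            // Previously this was only printed and execution continued into the issuer
            // comparison with nothing to compare. An unparseable issuer must reject the token.
            throw new GeneralException("Error: Issuer or server address is not a valid URL", e);
        }
        // NOTE(review): only scheme, host and port are compared; the path is ignored, so
        // two issuers hosted under different paths of the same origin are indistinguishable
        // here. Tightening this needs the expected issuer string, which is not available
        // in this class.
        boolean sameOrigin = expected.getProtocol().equals(issuer.getProtocol())
                && expected.getHost().equals(issuer.getHost())
                && expected.getPort() == issuer.getPort();
        if (!sameOrigin) {
            throw new GeneralException("Error: Issuer is incorrect. Got \"" + issuer + "\", expected \"" + expected + "\"");
        }

        if (!claims.containsKey("exp")) {
            throw new GeneralException("Error: Claims failed to have required expiration");
        }
        // Compare in seconds: multiplying the claim by 1000 can overflow a long for very
        // large values, while dividing the clock cannot. For in-range values the result
        // is the same as exp * 1000 <= now.
        long expSeconds = Long.parseLong(claims.getString("exp"));
        if (expSeconds <= System.currentTimeMillis() / 1000) {
            throw new GeneralException("Error: expired claim.");
        }
        return claims;
    }
}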
