package io.smallrye.jwt.auth.principal;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import org.eclipse.microprofile.jwt.Claims;
import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwe.JsonWebEncryption;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.NumericDate;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.jwt.consumer.JwtContext;
import org.jose4j.keys.resolvers.DecryptionKeyResolver;
import org.jose4j.keys.resolvers.VerificationKeyResolver;
import org.jose4j.lang.JoseException;
import org.jose4j.lang.UnresolvableKeyException;

/* loaded from: input_file:io/smallrye/jwt/auth/principal/DefaultJWTTokenParser.class */
/**
 * Parses and verifies a compact JWT (JWS, JWE, or a JWS nested inside a JWE) according to a
 * {@code JWTAuthContextInfo}, then normalises the {@code sub} and {@code groups} claims and
 * applies the optional {@code roleMappings} claim.
 *
 * <p>Decompiled source: the odd local names and the convoluted boolean in
 * {@link #checkNameClaims} are decompiler artefacts, not author intent.
 *
 * <p>Thread-safety: the two key resolvers are created lazily under double-checked locking on
 * {@code this}; everything else is stateless per call.
 */
public class DefaultJWTTokenParser {
    /** Optional claim mapping an existing group name to an additional group/role name (see mapRoles). */
    private static final String ROLE_MAPPINGS = "roleMappings";
    /**
     * Splits a claim path on '/' characters that are not inside double quotes, so a quoted
     * segment may itself contain '/'. The quotes are stripped again in findClaimValue.
     */
    private static final Pattern CLAIM_PATH_PATTERN = Pattern.compile("\\/(?=(?:(?:[^\"]*\"){2})*[^\"]*$)");
    // Lazily initialised in getVerificationKeyResolver / getDecryptionKeyResolver;
    // volatile is what makes the double-checked locking there correct.
    private volatile VerificationKeyResolver keyResolver;
    private volatile DecryptionKeyResolver decryptionKeyResolver;

    /* JADX INFO: Access modifiers changed from: protected */
    /* loaded from: input_file:io/smallrye/jwt/auth/principal/DefaultJWTTokenParser$ProtectionLevel.class */
    /**
     * How the token is expected to be protected, derived from the configured keys
     * (see getProtectionLevel): signature only, encryption only, or a signed token
     * nested inside an encrypted one.
     */
    public enum ProtectionLevel {
        SIGN,
        ENCRYPT,
        SIGN_ENCRYPT
    }

    /**
     * Parses and verifies {@code str}.
     *
     * <p>For {@code SIGN_ENCRYPT} the outer JWE is decrypted first and the resulting plaintext is
     * then processed as a plain signed token, so the inner JWS is still signature-verified.
     *
     * @param str the compact token as received
     * @param jWTAuthContextInfo verification configuration (keys, issuer, audience, TTL, ...)
     * @return the verified jose4j context; its claims have been normalised by parseClaims
     * @throws ParseException if decryption or verification fails
     */
    public JwtContext parse(String str, JWTAuthContextInfo jWTAuthContextInfo) throws ParseException {
        String str2 = str;
        ProtectionLevel protectionLevel = getProtectionLevel(jWTAuthContextInfo);
        if (protectionLevel == ProtectionLevel.SIGN_ENCRYPT) {
            // Note: parseClaims will record the decrypted inner JWS, not the original JWE,
            // as the raw_token claim.
            str2 = decryptSignedToken(str2, jWTAuthContextInfo);
            protectionLevel = ProtectionLevel.SIGN;
        }
        return parseClaims(str2, jWTAuthContextInfo, protectionLevel);
    }

    /**
     * Decrypts the outer JWE of a nested token and returns its plaintext (expected to be a JWS).
     *
     * <p>Only the configured key-encryption ("alg") algorithm is permitted; no constraint on the
     * content-encryption ("enc") algorithm is set here, so jose4j's default applies for it.
     *
     * @throws ParseException if no decryption key can be resolved or the JWE is malformed or
     *         fails to decrypt
     */
    private String decryptSignedToken(String str, JWTAuthContextInfo jWTAuthContextInfo) throws ParseException {
        try {
            JsonWebEncryption jsonWebEncryption = new JsonWebEncryption();
            jsonWebEncryption.setAlgorithmConstraints(new AlgorithmConstraints(AlgorithmConstraints.ConstraintType.PERMIT, jWTAuthContextInfo.getKeyEncryptionAlgorithm().getAlgorithm()));
            if (jWTAuthContextInfo.getPrivateDecryptionKey() != null) {
                jsonWebEncryption.setKey(jWTAuthContextInfo.getPrivateDecryptionKey());
            } else if (jWTAuthContextInfo.getSecretDecryptionKey() != null) {
                jsonWebEncryption.setKey(jWTAuthContextInfo.getSecretDecryptionKey());
            } else {
                // NOTE(review): the resolver is consulted before setCompactSerialization below, so it
                // sees a JWE with no headers yet (no "kid"); header-based key selection cannot work
                // on this path. Confirm against DecryptionKeyLocationResolver whether that is intended.
                jsonWebEncryption.setKey(getDecryptionKeyResolver(jWTAuthContextInfo).resolveKey(jsonWebEncryption, null));
            }
            jsonWebEncryption.setCompactSerialization(str);
            return jsonWebEncryption.getPlaintextString();
        } catch (UnresolvableKeyException e) {
            PrincipalLogging.log.decryptionKeyUnresolvable();
            throw PrincipalMessages.msg.decryptionKeyUnresolvable();
        } catch (JoseException e2) {
            // Covers both a malformed serialization and a failed decryption/authentication tag;
            // the original cause is logged, not propagated.
            PrincipalLogging.log.encryptedTokenSequenceInvalid();
            throw PrincipalMessages.msg.encryptedTokenSequenceInvalid();
        }
    }

    /**
     * Builds a jose4j consumer for the given protection level, processes the token and then
     * post-processes the claims: records the raw token, fills in {@code sub} and {@code groups}
     * from the configured paths/defaults, and applies {@code roleMappings}.
     *
     * @param str the compact JWS (SIGN) or JWE (ENCRYPT) to process
     * @param protectionLevel SIGN or ENCRYPT; SIGN_ENCRYPT has already been reduced to SIGN by parse
     * @return the processed context, with its claims mutated in place
     * @throws ParseException wrapping any InvalidJwtException or UnresolvableKeyException,
     *         including the ones raised by checkNameClaims and verifyRequiredClaims
     */
    private JwtContext parseClaims(String str, JWTAuthContextInfo jWTAuthContextInfo, ProtectionLevel protectionLevel) throws ParseException {
        try {
            JwtConsumerBuilder jwtConsumerBuilder = new JwtConsumerBuilder();
            if (protectionLevel == ProtectionLevel.SIGN) {
                if (jWTAuthContextInfo.getPublicVerificationKey() != null) {
                    jwtConsumerBuilder.setVerificationKey(jWTAuthContextInfo.getPublicVerificationKey());
                } else if (jWTAuthContextInfo.getSecretVerificationKey() != null) {
                    jwtConsumerBuilder.setVerificationKey(jWTAuthContextInfo.getSecretVerificationKey());
                } else {
                    jwtConsumerBuilder.setVerificationKeyResolver(getVerificationKeyResolver(jWTAuthContextInfo));
                }
                // Pin the signature algorithm to the single configured one (rejects "none" and
                // algorithm substitution, since only the PERMIT-listed value is accepted).
                jwtConsumerBuilder.setJwsAlgorithmConstraints(new AlgorithmConstraints(AlgorithmConstraints.ConstraintType.PERMIT, jWTAuthContextInfo.getSignatureAlgorithm().getAlgorithm()));
            } else {
                // ENCRYPT-only: no verification key is configured (see getProtectionLevel), so an
                // unsigned JWE is accepted. Integrity then rests solely on the JWE's authenticated
                // encryption and on whoever holds the encryption key.
                jwtConsumerBuilder.setEnableRequireEncryption();
                jwtConsumerBuilder.setDisableRequireSignature();
                if (jWTAuthContextInfo.getPrivateDecryptionKey() != null) {
                    jwtConsumerBuilder.setDecryptionKey(jWTAuthContextInfo.getPrivateDecryptionKey());
                } else if (jWTAuthContextInfo.getSecretDecryptionKey() != null) {
                    jwtConsumerBuilder.setDecryptionKey(jWTAuthContextInfo.getSecretDecryptionKey());
                } else {
                    jwtConsumerBuilder.setDecryptionKeyResolver(getDecryptionKeyResolver(jWTAuthContextInfo));
                }
                jwtConsumerBuilder.setJweAlgorithmConstraints(new AlgorithmConstraints(AlgorithmConstraints.ConstraintType.PERMIT, jWTAuthContextInfo.getKeyEncryptionAlgorithm().getAlgorithm()));
            }
            jwtConsumerBuilder.setRequireExpirationTime();
            if (jWTAuthContextInfo.getMaxTimeToLiveSecs() != null) {
                // iat is needed by verifyTimeToLive below.
                jwtConsumerBuilder.setRequireIssuedAt();
            }
            if (jWTAuthContextInfo.getIssuedBy() != null) {
                jwtConsumerBuilder.setExpectedIssuer(jWTAuthContextInfo.getIssuedBy());
            }
            if (jWTAuthContextInfo.getExpGracePeriodSecs() > 0) {
                jwtConsumerBuilder.setAllowedClockSkewInSeconds(jWTAuthContextInfo.getExpGracePeriodSecs());
            } else {
                // NOTE(review): jose4j evaluates exp/nbf against this time. Pinned to epoch 0, the
                // built-in expiration check cannot fail for any positive exp (and any nbf > 0 would
                // fail). Nothing in this class compares exp with the current time — verifyTimeToLive
                // only bounds exp - iat — so confirm that expiry is enforced elsewhere when the grace
                // period is 0, or drop this branch so jose4j's default (now) is used.
                jwtConsumerBuilder.setEvaluationTime(NumericDate.fromSeconds(0L));
            }
            setExpectedAudience(jwtConsumerBuilder, jWTAuthContextInfo);
            if (jWTAuthContextInfo.isRelaxVerificationKeyValidation()) {
                jwtConsumerBuilder.setRelaxVerificationKeyValidation();
            }
            JwtContext process = jwtConsumerBuilder.build().process(str);
            JwtClaims jwtClaims = process.getJwtClaims();
            verifyTimeToLive(jWTAuthContextInfo, jwtClaims);
            verifyRequiredClaims(jWTAuthContextInfo, process);
            // For a nested token this is the decrypted inner JWS handed over by parse, not the
            // original JWE the caller received.
            jwtClaims.setClaim(Claims.raw_token.name(), str);
            if (!jwtClaims.hasClaim(Claims.sub.name())) {
                jwtClaims.setClaim(Claims.sub.name(), findSubject(jWTAuthContextInfo, jwtClaims));
            }
            if (jWTAuthContextInfo.isRequireNamedPrincipal()) {
                checkNameClaims(process);
            }
            // groups: absent or a JSON object -> resolve via the configured path / default;
            // a single string -> split on the configured separator; a list is left as-is.
            Object claimValue = jwtClaims.getClaimValue(Claims.groups.name());
            if (claimValue == null || (claimValue instanceof Map)) {
                jwtClaims.setClaim(Claims.groups.name(), findGroups(jWTAuthContextInfo, jwtClaims));
            } else if (claimValue instanceof String) {
                jwtClaims.setClaim(Claims.groups.name(), splitStringClaimValue(claimValue.toString(), jWTAuthContextInfo));
            }
            if (jwtClaims.hasClaim(ROLE_MAPPINGS)) {
                mapRoles(jwtClaims);
            }
            return process;
        } catch (InvalidJwtException e) {
            PrincipalLogging.log.tokenInvalid();
            throw PrincipalMessages.msg.failedToVerifyToken(e);
        } catch (UnresolvableKeyException e2) {
            PrincipalLogging.log.verificationKeyUnresolvable();
            throw PrincipalMessages.msg.failedToVerifyToken(e2);
        }
    }

    /**
     * Configures audience validation: the token's {@code aud} must contain one of the configured
     * values; when no audience is configured, jose4j's default audience validation is skipped
     * entirely, i.e. a token is not rejected for carrying an {@code aud} meant for another service.
     */
    void setExpectedAudience(JwtConsumerBuilder jwtConsumerBuilder, JWTAuthContextInfo jWTAuthContextInfo) {
        Set<String> expectedAudience = jWTAuthContextInfo.getExpectedAudience();
        if (expectedAudience != null) {
            jwtConsumerBuilder.setExpectedAudience((String[]) expectedAudience.toArray(new String[0]));
        } else {
            jwtConsumerBuilder.setSkipDefaultAudienceValidation();
        }
    }

    /**
     * Requires at least one of {@code sub}, {@code upn} or {@code preferred_username} to be present.
     *
     * @throws InvalidJwtException if all three are absent (the decompiled condition below is
     *         equivalent to "all three are null")
     */
    private void checkNameClaims(JwtContext jwtContext) throws InvalidJwtException {
        JwtClaims jwtClaims = jwtContext.getJwtClaims();
        if (!((jwtClaims.getClaimValue(Claims.sub.name()) == null && jwtClaims.getClaimValue(Claims.upn.name()) == null && jwtClaims.getClaimValue(Claims.preferred_username.name()) == null) ? false : true)) {
            throw PrincipalMessages.msg.claimNotFound(str -> {
                return new InvalidJwtException(str, Collections.emptyList(), jwtContext);
            });
        }
    }

    /**
     * Resolves the subject when the token has no {@code sub}: first the value at the configured
     * subject path (only if it is a string; anything else is logged and ignored), then the
     * configured default subject.
     *
     * @return the subject, or {@code null} if neither source yields one
     */
    private String findSubject(JWTAuthContextInfo jWTAuthContextInfo, JwtClaims jwtClaims) {
        if (jWTAuthContextInfo.getSubjectPath() != null) {
            Object findClaimValue = findClaimValue(jWTAuthContextInfo.getSubjectPath(), jwtClaims.getClaimsMap(), splitClaimPath(jWTAuthContextInfo.getSubjectPath()), 0);
            if (findClaimValue instanceof String) {
                return (String) findClaimValue;
            }
            PrincipalLogging.log.claimAtPathIsNotAString(jWTAuthContextInfo.getSubjectPath());
        }
        if (jWTAuthContextInfo.getDefaultSubjectClaim() != null) {
            return jWTAuthContextInfo.getDefaultSubjectClaim();
        }
        return null;
    }

    /**
     * Resolves the groups when the token's {@code groups} claim is absent or not a list/string:
     * the value at the configured groups path (a list of strings, or a string to split), else
     * the configured default group.
     *
     * @return the groups, or {@code null} if neither source yields any
     */
    private List<String> findGroups(JWTAuthContextInfo jWTAuthContextInfo, JwtClaims jwtClaims) {
        if (jWTAuthContextInfo.getGroupsPath() != null) {
            Object findClaimValue = findClaimValue(jWTAuthContextInfo.getGroupsPath(), jwtClaims.getClaimsMap(), splitClaimPath(jWTAuthContextInfo.getGroupsPath()), 0);
            if (findClaimValue instanceof List) {
                try {
                    // toArray(new String[0]) is the element-type check: a non-String element
                    // raises ArrayStoreException, which falls through to the default below.
                    return Arrays.asList(((List) List.class.cast(findClaimValue)).toArray(new String[0]));
                } catch (ArrayStoreException e) {
                    PrincipalLogging.log.claimAtPathIsNotAnArrayOfStrings(jWTAuthContextInfo.getGroupsPath());
                }
            } else {
                if (findClaimValue instanceof String) {
                    return splitStringClaimValue(findClaimValue.toString(), jWTAuthContextInfo);
                }
                PrincipalLogging.log.claimAtPathIsNeitherAnArrayOfStringsNorString(jWTAuthContextInfo.getGroupsPath());
            }
        }
        if (jWTAuthContextInfo.getDefaultGroupsClaim() != null) {
            return Collections.singletonList(jWTAuthContextInfo.getDefaultGroupsClaim());
        }
        return null;
    }

    /**
     * Splits a string-valued groups claim on the configured separator.
     * String.split treats the separator as a regular expression, so a separator such as
     * "|" or "." must be escaped by whoever configures it — TODO confirm how getGroupsSeparator
     * is documented.
     */
    private List<String> splitStringClaimValue(String str, JWTAuthContextInfo jWTAuthContextInfo) {
        return Arrays.asList(str.split(jWTAuthContextInfo.getGroupsSeparator()));
    }

    /**
     * Splits a claim path into segments on unquoted '/' (47 is '/'). A path whose only '/' is
     * at index 0 is deliberately(?) treated as a single claim name — NOTE(review): confirm whether
     * a leading '/' is meant to be supported.
     */
    private static String[] splitClaimPath(String str) {
        return str.indexOf(47) > 0 ? CLAIM_PATH_PATTERN.split(str) : new String[]{str};
    }

    /**
     * Applies the {@code roleMappings} claim: for every entry whose key is one of the current
     * groups, the entry's value is appended to the groups (existing groups are kept).
     *
     * <p>Best-effort: any failure (claim not a JSON object, groups not a string list, ...) is
     * logged and the groups are left unchanged. The mapped value is added without a type check
     * (raw list), so a non-string mapping value would only surface when the groups are read back.
     * The mappings come from the token itself, i.e. they are trusted exactly as far as its issuer.
     */
    private void mapRoles(JwtClaims jwtClaims) {
        try {
            Map map = (Map) jwtClaims.getClaimValue(ROLE_MAPPINGS, Map.class);
            List<String> stringListClaimValue = jwtClaims.getStringListClaimValue(Claims.groups.name());
            ArrayList arrayList = new ArrayList(stringListClaimValue);
            for (Map.Entry entry : map.entrySet()) {
                if (stringListClaimValue.contains(entry.getKey())) {
                    arrayList.add(entry.getValue());
                }
            }
            jwtClaims.setStringListClaim(Claims.groups.name(), arrayList);
            PrincipalLogging.log.updatedGroups(arrayList);
        } catch (Exception e) {
            // Deliberate swallow: role mapping is optional and must not fail the whole parse.
            PrincipalLogging.log.failedToAccessRolesMappingClaim(e);
        }
    }

    /**
     * Walks {@code strArr} (the split path) through nested claim maps starting at segment {@code i}.
     * Quotes are stripped from each segment before lookup.
     *
     * @param str the full path, used only for log messages
     * @return the value at the path; {@code null} if a segment is missing or an intermediate
     *         value is not a JSON object
     */
    private Object findClaimValue(String str, Map<String, Object> map, String[] strArr, int i) {
        Object obj = map.get(strArr[i].replace("\"", ""));
        if (obj == null) {
            PrincipalLogging.log.claimNotFoundAtPathAtSegment(str, strArr[i]);
        } else if (i + 1 < strArr.length) {
            if (obj instanceof Map) {
                return findClaimValue(str, (Map) obj, strArr, i + 1);
            }
            PrincipalLogging.log.claimValueIsNotAJson(str);
            return null;
        }
        return obj;
    }

    /**
     * Enforces the configured maximum token lifetime as {@code exp - iat <= maxTimeToLiveSecs}.
     * This bounds the token's declared lifetime only; it does not compare {@code exp} with now.
     *
     * @throws ParseException if the lifetime is exceeded, or if either claim is missing/malformed
     *         (any exception, including the expExceeded one, is wrapped by failedToVerifyMaxTTL)
     */
    private void verifyTimeToLive(JWTAuthContextInfo jWTAuthContextInfo, JwtClaims jwtClaims) throws ParseException {
        Long maxTimeToLiveSecs = jWTAuthContextInfo.getMaxTimeToLiveSecs();
        if (maxTimeToLiveSecs == null) {
            PrincipalLogging.log.noMaxTTLSpecified();
            return;
        }
        try {
            NumericDate issuedAt = jwtClaims.getIssuedAt();
            NumericDate expirationTime = jwtClaims.getExpirationTime();
            if (expirationTime.getValue() - issuedAt.getValue() > maxTimeToLiveSecs.longValue()) {
                throw PrincipalMessages.msg.expExceeded(expirationTime, maxTimeToLiveSecs.longValue(), issuedAt);
            }
        } catch (Exception e) {
            throw PrincipalMessages.msg.failedToVerifyMaxTTL(e);
        }
    }

    /**
     * Checks that every configured required claim name is present in the token.
     * The missing names are only computed (and logged) when debug logging is on.
     *
     * @throws InvalidJwtException if at least one required claim is absent
     */
    private void verifyRequiredClaims(JWTAuthContextInfo jWTAuthContextInfo, JwtContext jwtContext) throws InvalidJwtException {
        Set<String> requiredClaims = jWTAuthContextInfo.getRequiredClaims();
        if (requiredClaims == null || jwtContext.getJwtClaims().getClaimsMap().keySet().containsAll(requiredClaims)) {
            return;
        }
        if (PrincipalLogging.log.isDebugEnabled()) {
            PrincipalLogging.log.missingClaims((String) requiredClaims.stream().filter(str -> {
                return !jwtContext.getJwtClaims().getClaimsMap().containsKey(str);
            }).collect(Collectors.joining(",")));
        }
        throw PrincipalMessages.msg.missingClaims(str2 -> {
            return new InvalidJwtException(str2, Collections.emptyList(), jwtContext);
        });
    }

    /**
     * Lazily creates the verification key resolver (double-checked locking on {@code this}).
     * Picks the X.509-thumbprint-aware resolver when thumbprint verification is enabled.
     * The first caller's {@code jWTAuthContextInfo} is the one baked into the resolver.
     */
    protected VerificationKeyResolver getVerificationKeyResolver(JWTAuthContextInfo jWTAuthContextInfo) throws UnresolvableKeyException {
        if (this.keyResolver == null) {
            synchronized (this) {
                if (this.keyResolver == null) {
                    this.keyResolver = jWTAuthContextInfo.isVerifyCertificateThumbprint() ? new X509KeyLocationResolver(jWTAuthContextInfo) : new KeyLocationResolver(jWTAuthContextInfo);
                }
            }
        }
        return this.keyResolver;
    }

    /**
     * Lazily creates the decryption key resolver (double-checked locking on {@code this}).
     * As above, the configuration of the first caller is the one retained.
     */
    protected DecryptionKeyResolver getDecryptionKeyResolver(JWTAuthContextInfo jWTAuthContextInfo) throws UnresolvableKeyException {
        if (this.decryptionKeyResolver == null) {
            synchronized (this) {
                if (this.decryptionKeyResolver == null) {
                    this.decryptionKeyResolver = new DecryptionKeyLocationResolver(jWTAuthContextInfo);
                }
            }
        }
        return this.decryptionKeyResolver;
    }

    /**
     * Derives the protection level from the configured keys: no decryption key of any kind means
     * SIGN; a decryption key plus any verification key (or key content/location) means
     * SIGN_ENCRYPT; a decryption key alone means ENCRYPT, i.e. signatures are not required.
     */
    protected ProtectionLevel getProtectionLevel(JWTAuthContextInfo jWTAuthContextInfo) {
        if (jWTAuthContextInfo.getDecryptionKeyLocation() == null && jWTAuthContextInfo.getDecryptionKeyContent() == null && jWTAuthContextInfo.getPrivateDecryptionKey() == null && jWTAuthContextInfo.getSecretDecryptionKey() == null) {
            return ProtectionLevel.SIGN;
        }
        return jWTAuthContextInfo.getPublicVerificationKey() != null || jWTAuthContextInfo.getSecretVerificationKey() != null || jWTAuthContextInfo.getPublicKeyContent() != null || jWTAuthContextInfo.getPublicKeyLocation() != null ? ProtectionLevel.SIGN_ENCRYPT : ProtectionLevel.ENCRYPT;
    }
}
