package org.keycloak;

import java.nio.charset.StandardCharsets;
import java.security.PublicKey;
import java.util.Arrays;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.crypto.SecretKey;
import org.keycloak.common.VerificationException;
import org.keycloak.crypto.SignatureVerifierContext;
import org.keycloak.exceptions.TokenNotActiveException;
import org.keycloak.exceptions.TokenSignatureInvalidException;
import org.keycloak.jose.jws.AlgorithmType;
import org.keycloak.jose.jws.JWSHeader;
import org.keycloak.jose.jws.JWSInput;
import org.keycloak.jose.jws.JWSInputException;
import org.keycloak.jose.jws.crypto.HMACProvider;
import org.keycloak.jose.jws.crypto.RSAProvider;
import org.keycloak.representations.JsonWebToken;
import org.keycloak.util.TokenUtil;

/* loaded from: input_file:BOOT-INF/lib/keycloak-core-20.0.2.jar:org/keycloak/TokenVerifier.class */
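/**
 * Fluent verifier for a JSON Web Token.
 *
 * <p>{@link #verify()} runs three stages in a fixed order: the compact JWS is parsed and its
 * claims deserialized ({@link #parse()}), the signature is checked ({@link #verifySignature()}),
 * and finally every registered {@link Predicate} is evaluated against the claims. Because the
 * claims are deserialized before the signature is checked, nothing returned by
 * {@link #getToken()} should be trusted until {@link #verify()} has completed without throwing.
 *
 * <p>A verifier built with {@link #createWithoutSignature(JsonWebToken)} holds no JWS at all,
 * so {@link #verify()} skips the signature stage for it and only evaluates the claim checks.
 *
 * <p>Instances are not thread-safe; build and use a verifier on a single thread.
 *
 * @param <T> concrete token type the claims are deserialized into
 */
public class TokenVerifier<T extends JsonWebToken> {
    private static final Logger LOG = Logger.getLogger(TokenVerifier.class.getName());

    /** Rejects a token whose {@code sub} claim is absent. */
    public static final Predicate<JsonWebToken> SUBJECT_EXISTS_CHECK = new Predicate<JsonWebToken>() {
        @Override
        public boolean test(JsonWebToken jsonWebToken) throws VerificationException {
            if (jsonWebToken.getSubject() == null) {
                throw new VerificationException("Subject missing in token");
            }
            return true;
        }
    };

    /**
     * Rejects a token that {@link JsonWebToken#isActive()} reports as not active, throwing the
     * more specific {@link TokenNotActiveException} so callers can distinguish expiry from other
     * failures.
     */
    public static final Predicate<JsonWebToken> IS_ACTIVE = new Predicate<JsonWebToken>() {
        @Override
        public boolean test(JsonWebToken jsonWebToken) throws VerificationException {
            if (jsonWebToken.isActive()) {
                return true;
            }
            throw new TokenNotActiveException(jsonWebToken, "Token is not active");
        }
    };

    private String tokenString;
    private Class<? extends T> clazz;
    // Key material for the header-driven path of verifySignature(): RSA uses publicKey only,
    // HMAC uses secretKey only, so one key can never be used under the other algorithm family.
    private PublicKey publicKey;
    private SecretKey secretKey;
    private String realmUrl;
    private JWSInput jws;
    private T token;
    private String expectedTokenType = TokenUtil.TOKEN_TYPE_BEARER;
    private boolean checkTokenType = true;
    private boolean checkRealmUrl = true;
    // Claim checks, evaluated in insertion order after the signature has been verified.
    private final LinkedList<Predicate<? super T>> checks = new LinkedList<>();
    // When set, this context decides how the signature is verified and the JWS "alg" header
    // is not consulted.
    private SignatureVerifierContext verifier = null;

    /** Passes only when the token's {@code aud} claim contains the expected audience. */
    public static class AudienceCheck implements Predicate<JsonWebToken> {
        private final String expectedAudience;

        /**
         * @param str audience that must be present in the token; {@code null} yields a check
         *            that can never pass
         */
        public AudienceCheck(String str) {
            this.expectedAudience = str;
        }

        @Override
        public boolean test(JsonWebToken jsonWebToken) throws VerificationException {
            if (this.expectedAudience == null) {
                throw new VerificationException("Missing expectedAudience");
            }
            if (jsonWebToken.getAudience() == null) {
                throw new VerificationException("No audience in the token");
            }
            if (jsonWebToken.hasAudience(this.expectedAudience)) {
                return true;
            }
            throw new VerificationException("Expected audience not available in the token");
        }
    }

    /** Passes only when the token's {@code azp} claim equals the expected client id. */
    public static class IssuedForCheck implements Predicate<JsonWebToken> {
        private final String expectedIssuedFor;

        /**
         * @param str value the {@code azp} claim must equal; {@code null} yields a check that
         *            can never pass
         */
        public IssuedForCheck(String str) {
            this.expectedIssuedFor = str;
        }

        @Override
        public boolean test(JsonWebToken jsonWebToken) throws VerificationException {
            if (this.expectedIssuedFor == null) {
                throw new VerificationException("Missing expectedIssuedFor");
            }
            if (this.expectedIssuedFor.equals(jsonWebToken.getIssuedFor())) {
                return true;
            }
            throw new VerificationException("Expected issuedFor doesn't match");
        }
    }

    /**
     * A single claim check.
     *
     * <p>A check may signal failure either by returning {@code false} (reported by
     * {@link TokenVerifier#verify()} as a generic failure) or by throwing a
     * {@link VerificationException} carrying a specific reason.
     *
     * @param <T> token type the check accepts
     */
    public interface Predicate<T extends JsonWebToken> {
        /**
         * @param t token to inspect
         * @return {@code true} when the check passes
         * @throws VerificationException when the check fails with a specific reason
         */
        boolean test(T t) throws VerificationException;
    }

    /** Passes only when the token's {@code iss} claim equals the configured realm URL. */
    public static class RealmUrlCheck implements Predicate<JsonWebToken> {
        // Placeholder installed by withDefaultChecks(); it fails until realmUrl(String) replaces it.
        private static final RealmUrlCheck NULL_INSTANCE = new RealmUrlCheck(null);
        private final String realmUrl;

        /**
         * @param str issuer the token must carry; {@code null} yields a check that can never pass
         */
        public RealmUrlCheck(String str) {
            this.realmUrl = str;
        }

        @Override
        public boolean test(JsonWebToken jsonWebToken) throws VerificationException {
            if (this.realmUrl == null) {
                throw new VerificationException("Realm URL not set");
            }
            if (this.realmUrl.equals(jsonWebToken.getIssuer())) {
                return true;
            }
            throw new VerificationException("Invalid token issuer. Expected '" + this.realmUrl + "', but was '" + jsonWebToken.getIssuer() + "'");
        }
    }

    /** Passes only when the token's {@code typ} claim equals the expected type (case-insensitive). */
    public static class TokenTypeCheck implements Predicate<JsonWebToken> {
        private static final TokenTypeCheck INSTANCE_BEARER = new TokenTypeCheck(TokenUtil.TOKEN_TYPE_BEARER);
        private final String tokenType;

        /**
         * @param str expected token type; {@code null} yields a check that can never pass
         */
        public TokenTypeCheck(String str) {
            this.tokenType = str;
        }

        @Override
        public boolean test(JsonWebToken jsonWebToken) throws VerificationException {
            // Guard the null case explicitly instead of letting equalsIgnoreCase throw an NPE,
            // so a misconfigured verifier still fails with a VerificationException.
            if (this.tokenType == null) {
                throw new VerificationException("Expected token type not set");
            }
            if (this.tokenType.equalsIgnoreCase(jsonWebToken.getType())) {
                return true;
            }
            throw new VerificationException("Token type is incorrect. Expected '" + this.tokenType + "' but was '" + jsonWebToken.getType() + "'");
        }
    }

    /**
     * Installs an explicit signature verifier. When set, {@link #verifySignature()} delegates
     * to it instead of selecting an algorithm from the JWS header.
     *
     * @param signatureVerifierContext verifier to use, or {@code null} to fall back to the
     *                                 header-driven path
     * @return this verifier
     */
    public TokenVerifier<T> verifierContext(SignatureVerifierContext signatureVerifierContext) {
        this.verifier = signatureVerifierContext;
        return this;
    }

    /**
     * @param str compact-serialized JWS to verify
     * @param cls class the claims are deserialized into
     */
    protected TokenVerifier(String str, Class<T> cls) {
        this.tokenString = str;
        this.clazz = cls;
    }

    /**
     * Wraps an already-deserialized token. No JWS is kept, so no signature can be verified.
     *
     * @param t token whose claims will be checked
     */
    protected TokenVerifier(T t) {
        this.token = t;
    }

    /**
     * Creates a verifier for a compact-serialized JWS.
     *
     * @param str compact JWS string
     * @param cls class the claims are deserialized into
     * @param <T> token type
     * @return a new verifier with no checks registered yet
     */
    public static <T extends JsonWebToken> TokenVerifier<T> create(String str, Class<T> cls) {
        return new TokenVerifier<>(str, cls);
    }

    /**
     * Creates a verifier over an already-deserialized token. {@link #verify()} on the result
     * evaluates claim checks only; the signature is never verified because none is available.
     *
     * @param t token to check
     * @param <T> token type
     * @return a new verifier with no checks registered yet
     */
    public static <T extends JsonWebToken> TokenVerifier<T> createWithoutSignature(T t) {
        return new TokenVerifier<>(t);
    }

    /**
     * Registers the standard checks: issuer equals the realm URL, subject present, type is
     * {@code Bearer}, and the token is active. The realm-URL check starts as a placeholder that
     * fails until {@link #realmUrl(String)} is called.
     *
     * @return this verifier
     */
    public TokenVerifier<T> withDefaultChecks() {
        return withChecks(RealmUrlCheck.NULL_INSTANCE, SUBJECT_EXISTS_CHECK, TokenTypeCheck.INSTANCE_BEARER, IS_ACTIVE);
    }

    /** Removes every registered check whose runtime class is exactly {@code cls}. */
    private void removeCheck(Class<? extends Predicate<?>> cls) {
        Iterator<Predicate<? super T>> it = this.checks.iterator();
        while (it.hasNext()) {
            if (it.next().getClass() == cls) {
                it.remove();
            }
        }
    }

    /** Removes the given check instance (by {@code equals}) if registered. */
    private void removeCheck(Predicate<? super T> predicate) {
        this.checks.remove(predicate);
    }

    /**
     * Drops all checks of class {@code cls} and, when {@code z} is true, appends {@code pArr}.
     *
     * @return this verifier
     */
    private <P extends Predicate<? super T>> TokenVerifier<T> replaceCheck(Class<? extends Predicate<?>> cls, boolean z, P... pArr) {
        removeCheck(cls);
        if (z) {
            this.checks.addAll(Arrays.asList(pArr));
        }
        return this;
    }

    /**
     * Drops the given check instance and, when {@code z} is true, appends {@code pArr}.
     *
     * @return this verifier
     */
    private <P extends Predicate<? super T>> TokenVerifier<T> replaceCheck(Predicate<? super T> predicate, boolean z, P... pArr) {
        removeCheck(predicate);
        if (z) {
            this.checks.addAll(Arrays.asList(pArr));
        }
        return this;
    }

    /**
     * Appends checks to be evaluated by {@link #verify()}, in the given order.
     *
     * @param predicateArr checks to add; {@code null} is ignored
     * @return this verifier
     */
    @SafeVarargs
    public final TokenVerifier<T> withChecks(Predicate<? super T>... predicateArr) {
        if (predicateArr != null) {
            this.checks.addAll(Arrays.asList(predicateArr));
        }
        return this;
    }

    /**
     * Sets the key used when the JWS header selects an RSA algorithm.
     *
     * @return this verifier
     */
    public TokenVerifier<T> publicKey(PublicKey publicKey) {
        this.publicKey = publicKey;
        return this;
    }

    /**
     * Sets the key used when the JWS header selects an HMAC algorithm.
     *
     * @return this verifier
     */
    public TokenVerifier<T> secretKey(SecretKey secretKey) {
        this.secretKey = secretKey;
        return this;
    }

    /**
     * Sets the issuer the token must carry and (re)installs the realm-URL check, unless the
     * check was disabled with {@link #checkRealmUrl(boolean)}.
     *
     * @return this verifier
     */
    public TokenVerifier<T> realmUrl(String str) {
        this.realmUrl = str;
        return replaceCheck(RealmUrlCheck.class, this.checkRealmUrl, new RealmUrlCheck(str));
    }

    /**
     * Enables or disables the token-type check.
     *
     * @return this verifier
     */
    public TokenVerifier<T> checkTokenType(boolean z) {
        this.checkTokenType = z;
        return replaceCheck(TokenTypeCheck.class, this.checkTokenType, new TokenTypeCheck(this.expectedTokenType));
    }

    /**
     * Sets the expected {@code typ} claim and (re)installs the token-type check, unless it was
     * disabled with {@link #checkTokenType(boolean)}.
     *
     * @return this verifier
     */
    public TokenVerifier<T> tokenType(String str) {
        this.expectedTokenType = str;
        return replaceCheck(TokenTypeCheck.class, this.checkTokenType, new TokenTypeCheck(this.expectedTokenType));
    }

    /**
     * Enables or disables the {@link #IS_ACTIVE} check.
     *
     * @return this verifier
     */
    public TokenVerifier<T> checkActive(boolean z) {
        return replaceCheck(IS_ACTIVE, z, IS_ACTIVE);
    }

    /**
     * Enables or disables the realm-URL (issuer) check.
     *
     * @return this verifier
     */
    public TokenVerifier<T> checkRealmUrl(boolean z) {
        this.checkRealmUrl = z;
        return replaceCheck(RealmUrlCheck.class, this.checkRealmUrl, new RealmUrlCheck(this.realmUrl));
    }

    /**
     * Requires every given audience to be present in the token, replacing any earlier audience
     * checks. Passing nothing installs a check that can never pass, so an empty configuration
     * fails closed instead of silently skipping the audience check.
     *
     * @param strArr audiences that must all be present
     * @return this verifier
     */
    public TokenVerifier<T> audience(String... strArr) {
        AudienceCheck[] audienceChecks;
        if (strArr == null || strArr.length == 0) {
            audienceChecks = new AudienceCheck[] { new AudienceCheck(null) };
        } else {
            audienceChecks = new AudienceCheck[strArr.length];
            for (int i = 0; i < strArr.length; i++) {
                audienceChecks[i] = new AudienceCheck(strArr[i]);
            }
        }
        return replaceCheck(AudienceCheck.class, true, audienceChecks);
    }

    /**
     * Requires the {@code azp} claim to equal {@code str}, replacing any earlier check of that kind.
     *
     * @return this verifier
     */
    public TokenVerifier<T> issuedFor(String str) {
        return replaceCheck(IssuedForCheck.class, true, new IssuedForCheck(str));
    }

    /**
     * Parses the compact JWS and deserializes its claims, once. The claims are read before any
     * signature check, so the resulting token is untrusted until {@link #verify()} succeeds.
     *
     * @return this verifier
     * @throws VerificationException if no token string was supplied or it cannot be parsed
     */
    public TokenVerifier<T> parse() throws VerificationException {
        if (this.jws == null) {
            if (this.tokenString == null) {
                throw new VerificationException("Token not set");
            }
            try {
                this.jws = new JWSInput(this.tokenString);
            } catch (JWSInputException e) {
                throw new VerificationException("Failed to parse JWT", e);
            }
            try {
                this.token = (T) this.jws.readJsonContent(this.clazz);
            } catch (JWSInputException e) {
                throw new VerificationException("Failed to read access token from JWT", e);
            }
        }
        return this;
    }

    /**
     * Returns the deserialized token, parsing it first if necessary. The value is unverified
     * unless {@link #verify()} has already returned normally.
     *
     * @throws VerificationException if parsing fails
     */
    public T getToken() throws VerificationException {
        if (this.token == null) {
            parse();
        }
        return this.token;
    }

    /**
     * Returns the JWS header, parsing the token first if necessary.
     *
     * @throws VerificationException if parsing fails
     */
    public JWSHeader getHeader() throws VerificationException {
        parse();
        return this.jws.getHeader();
    }

    /**
     * Verifies the JWS signature.
     *
     * <p>With a {@link #verifierContext(SignatureVerifierContext)} installed, that context decides
     * the algorithm and key. Otherwise the JWS {@code alg} header selects between RSA (needs
     * {@link #publicKey(PublicKey)}) and HMAC (needs {@link #secretKey(SecretKey)}); any other
     * or missing algorithm is rejected.
     *
     * @throws TokenSignatureInvalidException if the signature does not match
     * @throws VerificationException if no suitable key or algorithm is available, or the
     *                               verifier context fails
     */
    public void verifySignature() throws VerificationException {
        if (this.verifier != null) {
            boolean valid;
            try {
                valid = this.verifier.verify(
                        this.jws.getEncodedSignatureInput().getBytes(StandardCharsets.UTF_8),
                        this.jws.getSignature());
            } catch (Exception e) {
                throw new VerificationException(e);
            }
            // Thrown outside the try so it is not re-wrapped into a generic VerificationException;
            // callers then see the same exception type as on the header-driven path below.
            if (!valid) {
                throw new TokenSignatureInvalidException(this.token, "Invalid token signature");
            }
            return;
        }
        JWSHeader header = getHeader();
        // A missing "alg" header is treated like an unsupported one rather than an NPE.
        AlgorithmType type = header.getAlgorithm() == null ? null : header.getAlgorithm().getType();
        if (null == type) {
            throw new VerificationException("Unknown or unsupported token algorithm");
        }
        switch (type) {
            case RSA:
                if (this.publicKey == null) {
                    throw new VerificationException("Public key not set");
                }
                if (!RSAProvider.verify(this.jws, this.publicKey)) {
                    throw new TokenSignatureInvalidException(this.token, "Invalid token signature");
                }
                return;
            case HMAC:
                if (this.secretKey == null) {
                    throw new VerificationException("Secret key not set");
                }
                if (!HMACProvider.verify(this.jws, this.secretKey)) {
                    throw new TokenSignatureInvalidException(this.token, "Invalid token signature");
                }
                return;
            default:
                throw new VerificationException("Unknown or unsupported token algorithm");
        }
    }

    /**
     * Runs the full verification: parse, verify the signature (only when a JWS is present),
     * then evaluate every registered check in order.
     *
     * @return this verifier
     * @throws VerificationException on the first failing stage or check
     */
    public TokenVerifier<T> verify() throws VerificationException {
        if (getToken() == null) {
            parse();
        }
        // A token supplied via createWithoutSignature(T) has no JWS; its signature cannot be
        // checked here and the caller is responsible for having established trust in it.
        if (this.jws != null) {
            verifySignature();
        }
        for (Predicate<? super T> check : this.checks) {
            if (!check.test(getToken())) {
                throw new VerificationException("JWT check failed for check " + check);
            }
        }
        return this;
    }

    /**
     * Wraps a check so that its failure never rejects the token: a {@code false} result or a
     * {@link VerificationException} is logged at {@link Level#FINER} and reported as a pass.
     * Only wrap checks that are genuinely advisory; a required check wrapped here is silently
     * disabled.
     *
     * @param predicate check to make non-fatal
     * @param <T> token type
     * @return a check that always passes
     */
    public static <T extends JsonWebToken> Predicate<T> optional(final Predicate<T> predicate) {
        return new Predicate<T>() {
            @Override
            public boolean test(T t) {
                try {
                    if (!predicate.test(t)) {
                        LOG.finer("[optional] predicate failed: " + predicate);
                    }
                } catch (VerificationException e) {
                    LOG.log(Level.FINER, "[optional] predicate " + predicate + " failed.", e);
                }
                return true;
            }
        };
    }

    /**
     * Combines checks so that the result passes when at least one of them passes. Failures of
     * individual alternatives (a {@code false} result or a {@link VerificationException}) are
     * logged at {@link Level#FINER}; if none passes the combined check returns {@code false}.
     *
     * @param predicateArr alternatives, tried in order until one passes
     * @param <T> token type
     * @return a check that passes when any alternative passes
     */
    @SafeVarargs
    public static <T extends JsonWebToken> Predicate<T> alternative(final Predicate<? super T>... predicateArr) {
        return new Predicate<T>() {
            @Override
            public boolean test(T t) {
                for (Predicate<? super T> predicate : predicateArr) {
                    // The call itself must sit inside the try so a throwing alternative is
                    // skipped rather than aborting the whole combined check.
                    try {
                        if (predicate.test(t)) {
                            return true;
                        }
                        LOG.finer("[alternative] predicate failed: " + predicate);
                    } catch (VerificationException e) {
                        LOG.log(Level.FINER, "[alternative] predicate " + predicate + " failed.", e);
                    }
                }
                return false;
            }
        };
    }
}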
