package org.apache.cxf.sts.token.validator.jwt;

import java.util.Properties;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.common.security.SimplePrincipal;
import org.apache.cxf.rs.security.jose.common.JoseConstants;
import org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm;
import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer;
import org.apache.cxf.rs.security.jose.jws.JwsUtils;
import org.apache.cxf.rs.security.jose.jwt.JwtToken;
import org.apache.cxf.rs.security.jose.jwt.JwtUtils;
import org.apache.cxf.sts.STSPropertiesMBean;
import org.apache.cxf.sts.request.ReceivedToken;
import org.apache.cxf.sts.token.realm.JWTRealmCodec;
import org.apache.cxf.sts.token.validator.TokenValidator;
import org.apache.cxf.sts.token.validator.TokenValidatorParameters;
import org.apache.cxf.sts.token.validator.TokenValidatorResponse;
import org.apache.cxf.ws.security.sts.provider.STSException;
import org.apache.wss4j.common.crypto.Crypto;
import org.apache.wss4j.common.crypto.Merlin;
import org.dozer.util.DozerConstants;
import org.w3c.dom.Element;
import org.w3c.dom.Node;

/* loaded from: input_file:META-INF/repository/fuse-eap-distro-6.3.0.redhat-516-01.zip:modules/system/layers/fuse/org/apache/cxf/3.1/cxf-services-sts-core-3.1.5.redhat-630516-01.jar:org/apache/cxf/sts/token/validator/jwt/JWTTokenValidator.class */
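/**
 * Validates a JSON Web Token presented to the STS as the text content of a DOM {@link Element},
 * in JWS compact serialization ({@code header.payload.signature}).
 *
 * <p>Checks, in order: the token has exactly three segments (i.e. it carries a signature), the
 * signature verifies against the STS signature keystore (which must be a {@link Merlin}
 * instance, optionally narrowed to the configured signature alias), and the claims pass
 * {@link JwtUtils#validateTokenClaims} with the configured {@code ttl} and {@code clockOffset}.
 * A principal (plus roles, when a {@link JWTRoleParser} is configured) is attached to the
 * response only when the token was verified with a public-key signature algorithm.
 *
 * <p>Every failure path leaves the received token in state {@link ReceivedToken.STATE#INVALID};
 * only a missing or unusable keystore is reported to the caller as an {@link STSException}.
 * Instances are plain beans with no synchronization: configure them before sharing.
 */
public class JWTTokenValidator implements TokenValidator {
    private static final Logger LOG = LogUtils.getL7dLogger(JWTTokenValidator.class);

    /** Segment count of a signed JWS compact serialization: header, payload, signature. */
    private static final int JWS_COMPACT_SEGMENTS = 3;

    // Clock skew tolerance handed to JwtUtils.validateTokenClaims
    // (NOTE(review): CXF treats this as seconds — confirm against the JwtUtils version in use).
    private int clockOffset;
    // Maximum accepted token age handed to JwtUtils.validateTokenClaims (same unit caveat).
    private int ttl;
    // Optional: derives roles from a validated token; roles are not set when null.
    private JWTRoleParser roleParser;
    // Optional: derives the token realm from a validated token; realm is not set when null.
    private JWTRealmCodec realmCodec;

    /**
     * Realm-agnostic form of {@link #canHandleToken(ReceivedToken, String)}.
     *
     * @param receivedToken the token to inspect
     * @return {@code true} if the token parses as a JWS compact serialization
     */
    @Override
    public boolean canHandleToken(ReceivedToken receivedToken) {
        return canHandleToken(receivedToken, null);
    }

    /**
     * Reports whether the received token is a DOM element whose (text) content parses as a JWS
     * compact serialization. The realm is not consulted.
     *
     * @param receivedToken the token to inspect
     * @param realm ignored
     * @return {@code true} if the token can be handled by {@link #validateToken}
     */
    @Override
    public boolean canHandleToken(ReceivedToken receivedToken, String realm) {
        Object token = receivedToken.getToken();
        if (!(token instanceof Element)) {
            return false;
        }
        Element tokenElement = (Element) token;
        // An empty element has no first child; dereferencing it unconditionally threw NPE.
        Node firstChild = tokenElement.getFirstChild();
        if (firstChild == null || firstChild.getNodeType() != Node.TEXT_NODE) {
            return false;
        }
        try {
            return new JwsJwtCompactConsumer(tokenElement.getTextContent()).getJwtToken() != null;
        } catch (RuntimeException e) {
            // Not parseable as JWS: this validator simply does not apply to it.
            LOG.log(Level.FINE, "Token content is not a parseable JWS compact serialization", e);
            return false;
        }
    }

    /**
     * Validates the JWT carried in the request parameters.
     *
     * @param tokenValidatorParameters STS properties and the received token; the token is
     *        expected to be an {@link Element} (see {@link #canHandleToken})
     * @return a response whose token state is VALID only if signature and claim checks passed;
     *         realm, principal and roles are populated as described on the class
     * @throws STSException if the STS signature {@link Crypto} is not a {@link Merlin} keystore
     */
    @Override
    public TokenValidatorResponse validateToken(TokenValidatorParameters tokenValidatorParameters) {
        LOG.fine("Validating JWT Token");
        STSPropertiesMBean stsProperties = tokenValidatorParameters.getStsProperties();
        TokenValidatorResponse response = new TokenValidatorResponse();
        ReceivedToken validateTarget = tokenValidatorParameters.getToken();
        // Fail closed: every early return below leaves the token INVALID.
        validateTarget.setState(ReceivedToken.STATE.INVALID);
        response.setToken(validateTarget);

        String jwt = ((Element) validateTarget.getToken()).getTextContent();
        if (jwt == null || jwt.isEmpty()) {
            return response;
        }
        // String.split discards trailing empty segments, so "header.payload." (an unsigned
        // token) yields two segments and is rejected here before anything is parsed.
        if (jwt.split("\\.").length != JWS_COMPACT_SEGMENTS) {
            LOG.log(Level.WARNING, "JWT Token appears not to be signed. Validation has failed");
            return response;
        }

        JwsJwtCompactConsumer jwtConsumer = new JwsJwtCompactConsumer(jwt);
        JwtToken jwtToken = jwtConsumer.getJwtToken();

        // Verification material comes from the STS's own signature keystore, never from the token.
        Properties verificationProperties = new Properties();
        Crypto signatureCrypto = stsProperties.getSignatureCrypto();
        String signatureUsername = stsProperties.getSignatureUsername();
        if (signatureUsername != null) {
            verificationProperties.put(JoseConstants.RSSEC_KEY_STORE_ALIAS, signatureUsername);
        }
        if (!(signatureCrypto instanceof Merlin)) {
            throw new STSException("Can't get the keystore", STSException.REQUEST_FAILED);
        }
        verificationProperties.put(JoseConstants.RSSEC_KEY_STORE, ((Merlin) signatureCrypto).getKeyStore());

        // The token's JWS headers are passed to the verifier loader (presumably to pick the
        // algorithm/key id), but the key itself must resolve against the configured keystore.
        if (!jwtConsumer.verifySignatureWith(
                JwsUtils.loadSignatureVerifier(verificationProperties, jwtToken.getJwsHeaders()))) {
            LOG.log(Level.WARNING, "JWT Token signature verification failed");
            return response;
        }

        try {
            // Claim checks (expiry etc.); a failure surfaces as a RuntimeException caught below.
            validateToken(jwtToken);
            if (realmCodec != null) {
                response.setTokenRealm(realmCodec.getRealmFromToken(jwtToken));
            }
            // A principal is asserted only for public-key-verified tokens; presumably because a
            // symmetric verification key does not authenticate the issuer — confirm.
            if (isVerifiedWithAPublicKey(jwtToken)) {
                SimplePrincipal principal = new SimplePrincipal(jwtToken.getClaims().getSubject());
                response.setPrincipal(principal);
                if (roleParser != null) {
                    response.setRoles(roleParser.parseRolesFromToken(principal, null, jwtToken));
                }
            }
            validateTarget.setState(ReceivedToken.STATE.VALID);
            LOG.fine("JWT Token successfully validated");
        } catch (RuntimeException e) {
            LOG.log(Level.WARNING, "JWT token validation failed", e);
        }
        return response;
    }

    /**
     * Reports whether the token's {@code alg} header names a public-key signature algorithm.
     *
     * @param jwtToken the (already signature-verified) token
     * @return {@code true} for public-key algorithms as classified by {@link SignatureAlgorithm}
     */
    private boolean isVerifiedWithAPublicKey(JwtToken jwtToken) {
        String algorithm = (String) jwtToken.getJwsHeader("alg");
        return SignatureAlgorithm.isPublicKeyAlgorithm(SignatureAlgorithm.getAlgorithm(algorithm));
    }

    /**
     * Validates the token claims against the configured {@code ttl} and {@code clockOffset}.
     * Subclasses may override to add checks; failures are expected to be signalled by throwing.
     *
     * @param jwtToken the token whose claims are checked
     */
    protected void validateToken(JwtToken jwtToken) {
        // NOTE(review): the trailing boolean is passed through unchanged; its meaning depends on
        // the JwtUtils version on the classpath — confirm before relying on it.
        JwtUtils.validateTokenClaims(jwtToken.getClaims(), ttl, clockOffset, false);
    }

    /** @return the clock skew tolerance used for claim validation */
    public int getClockOffset() {
        return clockOffset;
    }

    /** @param clockOffset the clock skew tolerance used for claim validation */
    public void setClockOffset(int clockOffset) {
        this.clockOffset = clockOffset;
    }

    /** @return the maximum accepted token age used for claim validation */
    public int getTtl() {
        return ttl;
    }

    /** @param ttl the maximum accepted token age used for claim validation */
    public void setTtl(int ttl) {
        this.ttl = ttl;
    }

    /** @return the role parser, or {@code null} if roles are not derived from tokens */
    public JWTRoleParser getRoleParser() {
        return roleParser;
    }

    /** @param roleParser the role parser; {@code null} disables role extraction */
    public void setRoleParser(JWTRoleParser roleParser) {
        this.roleParser = roleParser;
    }

    /** @return the realm codec, or {@code null} if the realm is not derived from tokens */
    public JWTRealmCodec getRealmCodec() {
        return realmCodec;
    }

    /** @param realmCodec the realm codec; {@code null} disables realm extraction */
    public void setRealmCodec(JWTRealmCodec realmCodec) {
        this.realmCodec = realmCodec;
    }
}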
