package io.smallrye.jwt.auth.principal;

import org.eclipse.microprofile.jwt.Claims;
import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.MalformedClaimException;
import org.jose4j.jwt.NumericDate;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.jwt.consumer.JwtContext;
import org.jose4j.jwx.JsonWebStructure;
import org.jose4j.keys.resolvers.JwksVerificationKeyResolver;

/* loaded from: input_file:io/smallrye/jwt/auth/principal/DefaultJWTCallerPrincipalFactory.class */
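/**
 * Default {@link JWTCallerPrincipalFactory} that verifies a compact JWT with jose4j and
 * turns its claims into a {@link DefaultJWTCallerPrincipal}.
 *
 * <p>Checks applied by {@link #parse}: RS256 is the only accepted signature algorithm, the
 * {@code exp} and {@code sub} claims must be present, and the issuer is compared with the
 * configured value when the context requires it. Audience validation is skipped here, so a
 * caller that needs {@code aud} enforced has to check it on the returned principal.
 */
public class DefaultJWTCallerPrincipalFactory extends JWTCallerPrincipalFactory {

    /**
     * Verifies the token and builds the caller principal from its claims.
     *
     * @param str the compact serialized JWT as received from the client
     * @param jWTAuthContextInfo verification settings: issuer, signer key or key location,
     *     and the expiration grace period in seconds
     * @return a principal named after {@code upn}, else {@code preferred_username}, else
     *     {@code sub}
     * @throws ParseException if signature or claim validation fails, or a claim has an
     *     unexpected type
     */
    @Override
    public JWTCallerPrincipal parse(String str, JWTAuthContextInfo jWTAuthContextInfo) throws ParseException {
        try {
            // Pinning the algorithm to RS256 rejects "none" and HMAC-signed tokens regardless of
            // what the token header asks for.
            JwtConsumerBuilder builder = new JwtConsumerBuilder()
                    .setRequireExpirationTime()
                    .setRequireSubject()
                    .setSkipDefaultAudienceValidation()
                    .setJwsAlgorithmConstraints(
                            new AlgorithmConstraints(AlgorithmConstraints.ConstraintType.WHITELIST, "RS256"));

            if (jWTAuthContextInfo.isRequireIssuer()) {
                builder.setExpectedIssuer(true, jWTAuthContextInfo.getIssuedBy());
            } else {
                // Issuer is neither required nor compared.
                builder.setExpectedIssuer(false, (String) null);
            }

            // Key source precedence: explicit signer key, then the KeyLocationResolver for the
            // configured JWKS URI, then the key set loaded by the context.
            if (jWTAuthContextInfo.getSignerKey() != null) {
                builder.setVerificationKey(jWTAuthContextInfo.getSignerKey());
            } else if (jWTAuthContextInfo.isFollowMpJwt11Rules()) {
                builder.setVerificationKeyResolver(new KeyLocationResolver(jWTAuthContextInfo.getJwksUri()));
            } else {
                builder.setVerificationKeyResolver(
                        new JwksVerificationKeyResolver(jWTAuthContextInfo.loadJsonWebKeys()));
            }

            // Time-based claims are always evaluated against the current clock. A positive grace
            // period widens the window; otherwise jose4j's default (now, no skew) applies. The
            // evaluation time must not be pinned to the epoch: with a fixed time of 0 every
            // positive exp lies in the future, so an expired token would pass this check.
            int graceSeconds = jWTAuthContextInfo.getExpGracePeriodSecs();
            if (graceSeconds > 0) {
                builder.setAllowedClockSkewInSeconds(graceSeconds);
            }

            JwtConsumer consumer = builder.build();
            JwtContext context = consumer.process(str);

            // The "typ" header is passed through to the principal; its value is not checked here.
            JsonWebStructure outermost = context.getJoseObjects().get(0);
            String type = outermost.getHeader("typ");

            // NOTE(review): process() appears to validate the context already, which would make
            // this a second pass; kept as in the original, confirm before removing.
            consumer.processContext(context);

            JwtClaims claims = context.getJwtClaims();
            String principalName = claims.getClaimValue("upn", String.class);
            if (principalName == null) {
                principalName = claims.getClaimValue("preferred_username", String.class);
            }
            if (principalName == null) {
                // sub is guaranteed present by setRequireSubject() above.
                principalName = claims.getSubject();
            }

            // The bearer token itself is stored as a claim, so anything that serializes or logs
            // the claim set also exposes the credential.
            claims.setClaim(Claims.raw_token.name(), str);
            return new DefaultJWTCallerPrincipal(str, type, claims, principalName);
        } catch (InvalidJwtException e) {
            throw new ParseException("Failed to verify token", e);
        } catch (MalformedClaimException e2) {
            throw new ParseException("Failed to verify token claims", e2);
        }
    }
}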
