package org.wildfly.security.auth.realm.token.validator;

import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.util.Arrays;
import java.util.Base64;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.json.Json;
import javax.json.JsonArray;
import javax.json.JsonObject;
import javax.json.JsonString;
import javax.json.JsonValue;
import org.wildfly.common.Assert;
import org.wildfly.security._private.ElytronMessages;
import org.wildfly.security.auth.realm.token.TokenValidator;
import org.wildfly.security.auth.server.RealmUnavailableException;
import org.wildfly.security.authz.Attributes;
import org.wildfly.security.evidence.BearerTokenEvidence;
import org.wildfly.security.pem.Pem;
import org.wildfly.security.util.ByteIterator;
import org.wildfly.security.util.CodePointIterator;
import org.wildfly.security.util.JsonUtil;

/* loaded from: input_file:org/wildfly/security/auth/realm/token/validator/JwtValidator.class */
public class JwtValidator implements TokenValidator {
    private final Set<String> issuers;
    private final Set<String> audiences;
    private final PublicKey publicKey;

    /* loaded from: input_file:org/wildfly/security/auth/realm/token/validator/JwtValidator$Builder.class */
    public static class Builder {
        private Set<String> issuers;
        private Set<String> audience;
        private PublicKey publicKey;

        private Builder() {
            this.issuers = new LinkedHashSet();
            this.audience = new LinkedHashSet();
        }

        public Builder issuer(String... strArr) {
            this.issuers.addAll(Arrays.asList(strArr));
            return this;
        }

        public Builder audience(String... strArr) {
            this.audience.addAll(Arrays.asList(strArr));
            return this;
        }

        public Builder publicKey(byte[] bArr) {
            PublicKey publicKey = (PublicKey) Pem.parsePemContent(CodePointIterator.ofUtf8Bytes(bArr)).next().tryCast(PublicKey.class);
            if (publicKey == null) {
                throw ElytronMessages.log.tokenRealmJwtInvalidPublicKeyPem();
            }
            this.publicKey = publicKey;
            return this;
        }

        public Builder publicKey(PublicKey publicKey) {
            this.publicKey = publicKey;
            return this;
        }

        public JwtValidator build() {
            return new JwtValidator(this);
        }
    }

    public static Builder builder() {
        return new Builder();
    }

    JwtValidator(Builder builder) {
        this.issuers = (Set) Assert.checkNotNullParam("issuers", builder.issuers);
        this.audiences = (Set) Assert.checkNotNullParam("audience", builder.audience);
        this.publicKey = builder.publicKey;
        if (this.issuers.isEmpty()) {
            ElytronMessages.log.tokenRealmJwtWarnNoIssuerIgnoringIssuerCheck();
        }
        if (this.audiences.isEmpty()) {
            ElytronMessages.log.tokenRealmJwtWarnNoAudienceIgnoringAudienceCheck();
        }
        if (this.publicKey == null) {
            ElytronMessages.log.tokenRealmJwtWarnNoPublicKeyIgnoringSignatureCheck();
        }
    }

    @Override // org.wildfly.security.auth.realm.token.TokenValidator
    public Attributes validate(BearerTokenEvidence bearerTokenEvidence) throws RealmUnavailableException {
        Assert.checkNotNullParam("evidence", bearerTokenEvidence);
        String[] split = bearerTokenEvidence.getToken().split("\\.", -1);
        if (split.length < 3) {
            throw ElytronMessages.log.tokenRealmJwtInvalidFormat();
        }
        String str = split[0];
        String str2 = split[1];
        String str3 = split[2];
        JsonObject extractClaims = extractClaims(str2);
        if (verifySignature(str, str2, str3) && hasValidIssuer(extractClaims) && hasValidAudience(extractClaims) && verifyTimeConstraints(extractClaims)) {
            return JsonUtil.toAttributes(extractClaims);
        }
        return null;
    }

    private boolean verifyTimeConstraints(JsonObject jsonObject) {
        int currentTimeInSeconds = currentTimeInSeconds();
        if (currentTimeInSeconds > jsonObject.getInt("exp", -1)) {
            ElytronMessages.log.debug("Token expired");
            return false;
        }
        if (!jsonObject.containsKey("nbf")) {
            return true;
        }
        boolean z = currentTimeInSeconds >= jsonObject.getInt("nbf");
        if (z) {
            return true;
        }
        ElytronMessages.log.debugf("Token is before [%s]", Boolean.valueOf(z));
        return false;
    }

    private JsonObject extractClaims(String str) throws RealmUnavailableException {
        try {
            return Json.createReader(CodePointIterator.ofUtf8Bytes(Base64.getUrlDecoder().decode(str)).asUtf8().asInputStream()).readObject();
        } catch (Exception e) {
            throw ElytronMessages.log.tokenRealmJwtParseFailed(e);
        }
    }

    private boolean verifySignature(String str, String str2, String str3) throws RealmUnavailableException {
        if (this.publicKey == null) {
            return true;
        }
        try {
            boolean verify = ByteIterator.ofBytes(Base64.getUrlDecoder().decode(str3)).verify(createSignature(str, str2));
            if (!verify) {
                ElytronMessages.log.debug("Signature verification failed");
            }
            return verify;
        } catch (Exception e) {
            throw ElytronMessages.log.tokenRealmJwtSignatureCheckFailed(e);
        }
    }

    private boolean hasValidAudience(JsonObject jsonObject) throws RealmUnavailableException {
        if (this.audiences.isEmpty()) {
            return true;
        }
        JsonArray jsonArray = (JsonValue) jsonObject.get("aud");
        if (jsonArray == null) {
            ElytronMessages.log.debug("Token does not contain an audience claim");
            return false;
        }
        JsonArray build = JsonValue.ValueType.STRING.equals(jsonArray.getValueType()) ? Json.createArrayBuilder().add(jsonArray).build() : jsonArray;
        boolean anyMatch = build.stream().map(jsonValue -> {
            return (JsonString) jsonValue;
        }).anyMatch(jsonString -> {
            return this.audiences.contains(jsonString.getString());
        });
        if (!anyMatch) {
            ElytronMessages.log.debugf("Audience check failed. Provided [%s] but was expected [%s].", build.toArray(), this.audiences);
        }
        return anyMatch;
    }

    private boolean hasValidIssuer(JsonObject jsonObject) throws RealmUnavailableException {
        if (this.issuers.isEmpty()) {
            return true;
        }
        String string = jsonObject.getString("iss", (String) null);
        if (string == null) {
            ElytronMessages.log.debug("Token does not contain an issuer claim");
            return false;
        }
        boolean contains = this.issuers.contains(string);
        if (!contains) {
            ElytronMessages.log.debugf("Issuer check failed. Provided [%s] but was expected [%s].", string, this.issuers);
        }
        return contains;
    }

    private Signature createSignature(String str, String str2) throws NoSuchAlgorithmException, InvalidKeyException, SignatureException, RealmUnavailableException {
        Signature signature = Signature.getInstance(resolveAlgorithm(str));
        signature.initVerify(this.publicKey);
        signature.update((str + "." + str2).getBytes());
        return signature;
    }

    private String resolveAlgorithm(String str) throws RealmUnavailableException {
        JsonString jsonString = (JsonString) Json.createReader(ByteIterator.ofBytes(Base64.getUrlDecoder().decode(str)).asInputStream()).readObject().get("alg");
        if (jsonString == null) {
            throw ElytronMessages.log.tokenRealmJwtSignatureInvalidAlgorithm("not_provided");
        }
        String string = jsonString.getString();
        ElytronMessages.log.debugf("Token is using algorithm [%s]", string);
        boolean z = -1;
        switch (string.hashCode()) {
            case 78251122:
                if (string.equals("RS256")) {
                    z = false;
                    break;
                }
                break;
            case 78252174:
                if (string.equals("RS384")) {
                    z = true;
                    break;
                }
                break;
            case 78253877:
                if (string.equals("RS512")) {
                    z = 2;
                    break;
                }
                break;
        }
        switch (z) {
            case false:
                return "SHA256withRSA";
            case true:
                return "SHA384withRSA";
            case true:
                return "SHA512withRSA";
            default:
                throw ElytronMessages.log.tokenRealmJwtSignatureInvalidAlgorithm(string);
        }
    }

    private int currentTimeInSeconds() {
        return (int) (System.currentTimeMillis() / 1000);
    }
}
