package fish.payara.microprofile.jwtauth.jwt;

import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.SignedJWT;
import java.io.StringReader;
import java.security.PublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import javax.json.Json;
import javax.json.JsonNumber;
import javax.json.JsonReader;
import javax.json.JsonString;
import javax.json.JsonValue;
import org.eclipse.microprofile.jwt.Claims;

/* loaded from: input_file:MICRO-INF/runtime/microprofile-jwt-auth.jar:fish/payara/microprofile/jwtauth/jwt/JwtTokenParser.class */
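/**
 * Parses a compact-serialised signed JWT and validates it for MicroProfile JWT use: RS256
 * signature, required claims, issuer and expiry.
 *
 * <p>Usage is two-step: {@link #parse(String)} decodes the token and stores it on this instance,
 * then {@link #verify(String, PublicKey)} authenticates it and builds the caller's token object.
 * Because the parsed token is held in instance fields, an instance handles one token at a time.
 */
public class JwtTokenParser {
    private static final String DEFAULT_NAMESPACE = "https://payara.fish/mp-jwt/";
    private final List<Claims> requiredClaims;
    private final boolean enableNamespacedClaims;
    private final Optional<String> customNamespace;
    private String rawToken;
    private SignedJWT signedJWT;

    /**
     * @param optional whether claim names carrying a namespace prefix are mapped to their short
     *     names; absent means disabled
     * @param optional2 the namespace prefix to strip; absent means {@value #DEFAULT_NAMESPACE}
     */
    public JwtTokenParser(Optional<Boolean> optional, Optional<String> optional2) {
        this.requiredClaims = Arrays.asList(Claims.iss, Claims.sub, Claims.exp, Claims.iat, Claims.jti, Claims.groups);
        this.enableNamespacedClaims = optional.orElse(false).booleanValue();
        this.customNamespace = optional2;
    }

    /** Creates a parser with namespaced-claim handling disabled. */
    public JwtTokenParser() {
        this(Optional.empty(), Optional.empty());
    }

    /**
     * Decodes the compact token and keeps it for a later {@link #verify(String, PublicKey)} call.
     *
     * <p>Nothing is authenticated here; the header and payload are still untrusted input after
     * this method returns.
     *
     * @param str the compact-serialised token
     * @throws IllegalStateException if the {@code typ} header is missing or is not {@code JWT}
     * @throws Exception if the token cannot be decoded as a signed JWT
     */
    public void parse(String str) throws Exception {
        // Drop any previously parsed token first, so a failed parse can never leave an older
        // (or a rejected) token behind for verify() to pick up.
        this.rawToken = null;
        this.signedJWT = null;

        SignedJWT candidate = SignedJWT.parse(str);
        if (!checkIsJWT(candidate.getHeader())) {
            throw new IllegalStateException("Not JWT");
        }
        this.rawToken = str;
        this.signedJWT = candidate;
    }

    /**
     * Authenticates the previously parsed token and returns it as a {@link JsonWebTokenImpl}.
     *
     * <p>The signature is checked before any claim is read, so claim values are only interpreted
     * once the token is known to come from the holder of the matching private key. The checks
     * performed are: algorithm is exactly RS256, RSA signature is valid, all required claims are
     * present, a caller principal name can be derived, {@code iss} equals the expected issuer,
     * and {@code exp} lies in the future. This method does not evaluate {@code nbf} or
     * {@code aud} and applies no clock-skew tolerance.
     *
     * @param str the issuer the token's {@code iss} claim must equal
     * @param publicKey the RSA public key used to check the signature
     * @return the validated token, with the raw compact token added under the {@code raw_token}
     *     claim
     * @throws IllegalStateException if no token was parsed or any check fails
     * @throws Exception if signature verification or payload parsing itself fails
     */
    public JsonWebTokenImpl verify(String str, PublicKey publicKey) throws Exception {
        if (this.signedJWT == null) {
            throw new IllegalStateException("No parsed SignedJWT.");
        }
        // The accepted algorithm is pinned here rather than taken from the token header, which
        // is attacker-controlled until the signature has been checked.
        if (!JWSAlgorithm.RS256.equals(this.signedJWT.getHeader().getAlgorithm())) {
            throw new IllegalStateException("Not RS256");
        }
        // Reject a null or non-RSA key explicitly instead of failing on the cast below.
        if (!(publicKey instanceof RSAPublicKey)) {
            throw new IllegalStateException("Not an RSA public key");
        }
        if (!this.signedJWT.verify(new RSASSAVerifier((RSAPublicKey) publicKey))) {
            throw new IllegalStateException("Signature invalid");
        }

        try (JsonReader reader = Json.createReader(new StringReader(this.signedJWT.getPayload().toString()))) {
            Map<String, JsonValue> claims = handleNamespacedClaims(new HashMap<>(reader.readObject()));
            if (!checkRequiredClaimsPresent(claims)) {
                throw new IllegalStateException("Not all required claims present");
            }
            String callerPrincipalName = getCallerPrincipalName(claims);
            if (callerPrincipalName == null) {
                throw new IllegalStateException("One of upn, preferred_username or sub is required to be non null");
            }
            if (!checkIssuer(claims, str)) {
                throw new IllegalStateException("Bad issuer");
            }
            if (!checkNotExpired(claims)) {
                throw new IllegalStateException("Expired");
            }
            // Wrap the raw token as a JSON string value by round-tripping it through a builder.
            claims.put(Claims.raw_token.name(), Json.createObjectBuilder().add("token", this.rawToken).build().get("token"));
            return new JsonWebTokenImpl(callerPrincipalName, claims);
        }
    }

    /**
     * Returns the {@code kid} header of the parsed token.
     *
     * <p>The value is available as soon as {@link #parse(String)} has run, i.e. before the
     * signature is checked, so it is unauthenticated input: use it only to select a candidate
     * key, never as evidence of who issued the token.
     *
     * @throws IllegalStateException if no token was parsed
     */
    public String getKeyID() {
        if (this.signedJWT == null) {
            throw new IllegalStateException("No parsed SignedJWT.");
        }
        return this.signedJWT.getHeader().getKeyID();
    }

    /**
     * Strips the configured namespace prefix from claim names when namespaced claims are enabled;
     * otherwise returns the map unchanged.
     *
     * <p>If the payload holds both the prefixed and the short form of a claim, the two collapse
     * onto one key and the one iterated last wins.
     */
    private Map<String, JsonValue> handleNamespacedClaims(Map<String, JsonValue> map) {
        if (!this.enableNamespacedClaims) {
            return map;
        }
        String namespace = this.customNamespace.orElse(DEFAULT_NAMESPACE);
        Map<String, JsonValue> stripped = new HashMap<>(map.size());
        for (Map.Entry<String, JsonValue> entry : map.entrySet()) {
            String key = entry.getKey();
            if (key.startsWith(namespace)) {
                key = key.substring(namespace.length());
            }
            stripped.put(key, entry.getValue());
        }
        return stripped;
    }

    /** Returns true only if every required claim is present with a value other than JSON null. */
    private boolean checkRequiredClaimsPresent(Map<String, JsonValue> map) {
        for (Claims claim : this.requiredClaims) {
            JsonValue value = map.get(claim.name());
            // A claim written as `"sub": null` is stored as a JSON null value, not as a Java
            // null, so it has to be rejected explicitly.
            if (value == null || value.getValueType() == JsonValue.ValueType.NULL) {
                return false;
            }
        }
        return true;
    }

    /**
     * Returns true if {@code exp} is a JSON number strictly later than the current time.
     * A missing or non-numeric {@code exp} counts as expired.
     */
    private boolean checkNotExpired(Map<String, JsonValue> map) {
        JsonValue exp = map.get(Claims.exp.name());
        if (!(exp instanceof JsonNumber)) {
            return false;
        }
        // Compare as long: narrowing either side to int wraps for large values.
        long nowSeconds = System.currentTimeMillis() / 1000L;
        return nowSeconds < ((JsonNumber) exp).longValue();
    }

    /**
     * Returns true if {@code iss} is a JSON string equal to the expected issuer. A null expected
     * issuer never matches.
     */
    private boolean checkIssuer(Map<String, JsonValue> map, String str) {
        JsonValue issuer = map.get(Claims.iss.name());
        return issuer instanceof JsonString && ((JsonString) issuer).getString().equals(str);
    }

    /** Returns true if the header carries a {@code typ} whose string form is exactly "JWT". */
    private boolean checkIsJWT(JWSHeader jWSHeader) {
        // typ is optional in the header; a token without it is rejected rather than dereferenced.
        Object type = jWSHeader.getType();
        return type != null && "JWT".equals(type.toString());
    }

    /**
     * Derives the caller principal name from the first present claim among {@code upn},
     * {@code preferred_username} and {@code sub}.
     *
     * @return the name, or null if none of the three claims is present
     * @throws IllegalStateException if the first present claim is not a JSON string
     */
    private String getCallerPrincipalName(Map<String, JsonValue> map) {
        Claims[] candidates = {Claims.upn, Claims.preferred_username, Claims.sub};
        for (Claims candidate : candidates) {
            JsonValue value = map.get(candidate.name());
            if (value == null) {
                continue;
            }
            // Stay strict: a present but non-string value rejects the token instead of silently
            // falling through to the next claim.
            if (!(value instanceof JsonString)) {
                throw new IllegalStateException("Claim " + candidate.name() + " is not a string");
            }
            return ((JsonString) value).getString();
        }
        return null;
    }
}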
