package org.pac4j.jwt.credentials.authenticator;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWEObject;
import com.nimbusds.jose.crypto.DirectDecrypter;
import com.nimbusds.jose.crypto.factories.DefaultJWSVerifierFactory;
import com.nimbusds.jose.proc.JWSVerifierFactory;
import com.nimbusds.jose.util.X509CertUtils;
import com.nimbusds.jwt.EncryptedJWT;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.jwt.PlainJWT;
import com.nimbusds.jwt.SignedJWT;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.cert.X509Certificate;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.X509EncodedKeySpec;
import java.text.ParseException;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.crypto.spec.SecretKeySpec;
import javax.xml.bind.DatatypeConverter;
import org.pac4j.core.context.WebContext;
import org.pac4j.core.credentials.TokenCredentials;
import org.pac4j.core.credentials.authenticator.TokenAuthenticator;
import org.pac4j.core.exception.CredentialsException;
import org.pac4j.core.exception.HttpAction;
import org.pac4j.core.exception.TechnicalException;
import org.pac4j.core.profile.CommonProfile;
import org.pac4j.core.profile.ProfileHelper;
import org.pac4j.core.util.CommonHelper;
import org.pac4j.core.util.InitializableWebObject;
import org.pac4j.jwt.JwtConstants;
import org.pac4j.jwt.profile.JwtGenerator;
import org.pac4j.jwt.profile.JwtProfile;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/pac4j/jwt/credentials/authenticator/JwtAuthenticator.class */
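/**
 * Authenticator for JWT tokens: parses the token, decrypts it when it is an encrypted JWT (direct
 * encryption with {@link #encryptionSecret}), verifies the signature against {@link #key} and turns
 * the claims into a {@link JwtProfile} stored on the credentials.
 *
 * <p>The signing key is either a symmetric secret (wrapped in a {@link SecretKeySpec}) or the public
 * key of a certificate / PEM block; the verifier actually used is chosen by the
 * {@link JWSVerifierFactory} from the token header and the configured key.
 *
 * <p>Unsigned (plain) tokens are accepted only when no signing key has been configured at all. Once a
 * key is set, an unsigned token is rejected: accepting it would let a caller bypass the signature
 * check by presenting the claims without any signature.
 *
 * <p>The setters are not synchronized: configure the authenticator once, then share it.
 */
public class JwtAuthenticator extends InitializableWebObject implements TokenAuthenticator {

    protected final Logger logger = LoggerFactory.getLogger(getClass());

    // shared secret for the direct JWE decryption of encrypted tokens; unused for plain / signed tokens
    private String encryptionSecret;

    // picks the JWS verifier matching the token header's algorithm and the configured key
    private final JWSVerifierFactory factory = new DefaultJWSVerifierFactory();

    // signature verification key: a SecretKeySpec for a shared secret, or the public key of a certificate / PEM
    private Key key;

    /** Creates an authenticator without any key or secret; configure it through the setters before use. */
    public JwtAuthenticator() {
    }

    /**
     * Creates an authenticator using the same secret for signature verification and decryption.
     *
     * @param secret the shared secret (or a PEM certificate, see {@link #setSigningSecret(String)})
     */
    public JwtAuthenticator(final String secret) {
        this(secret, secret);
        warning();
    }

    private void warning() {
        this.logger.warn("Using the same key for signing and encryption may lead to security vulnerabilities. Consider using different keys");
    }

    /**
     * Creates an authenticator with distinct signing and encryption secrets.
     *
     * @param signingSecret the shared secret or PEM certificate used to verify signatures
     * @param encryptionSecret the shared secret used to decrypt encrypted tokens
     */
    public JwtAuthenticator(final String signingSecret, final String encryptionSecret) {
        setSigningSecret(signingSecret);
        this.encryptionSecret = encryptionSecret;
    }

    /**
     * Creates an authenticator verifying signatures with a public key given as a PEM block.
     *
     * @param signingPem the PEM-encoded public key ({@code -----BEGIN PUBLIC KEY-----} block)
     * @param signingPemAlgorithm the {@link KeyFactory} algorithm of the key (for example {@code RSA})
     * @param encryptionSecret the shared secret used to decrypt encrypted tokens
     * @throws NoSuchAlgorithmException if the algorithm is unknown
     * @throws InvalidKeySpecException if the PEM body is not a valid X.509 public key
     */
    public JwtAuthenticator(final String signingPem, final String signingPemAlgorithm, final String encryptionSecret)
            throws NoSuchAlgorithmException, InvalidKeySpecException {
        setSigningPem(signingPem, signingPemAlgorithm);
        this.encryptionSecret = encryptionSecret;
    }

    @Override
    protected void internalInit(final WebContext context) {
        // nothing to initialize lazily: the key and secret are supplied by the constructors / setters
    }

    /**
     * Validates a raw token outside of a web request and returns the resulting profile.
     *
     * @param token the serialized JWT
     * @return the profile built from the token claims
     * @throws CredentialsException if the token is rejected
     * @throws TechnicalException if the token cannot be processed, or if validation raised an HTTP action
     */
    public CommonProfile validateToken(final String token) {
        final TokenCredentials credentials = new TokenCredentials(token, "(validateToken)Method");
        try {
            validate(credentials, (WebContext) null);
        } catch (final HttpAction e) {
            throw new TechnicalException(e);
        }
        return credentials.getUserProfile();
    }

    /**
     * Parses, decrypts and verifies the token, then attaches the {@link JwtProfile} built from its
     * claims to the credentials.
     *
     * @param credentials the token credentials
     * @param context the web context (unused, may be {@code null})
     * @throws HttpAction never thrown here; kept for the {@link TokenAuthenticator} contract
     * @throws CredentialsException if the signature does not verify, if an unsigned token is presented
     *         while a signing key is configured, or if the claims are unusable
     * @throws TechnicalException if the token cannot be parsed or decrypted, or if the key / secret
     *         needed for it is not configured
     */
    @Override
    public void validate(final TokenCredentials credentials, final WebContext context) throws HttpAction {
        final JWT jwt;
        try {
            jwt = decryptAndVerify(JWTParser.parse(credentials.getToken()));
        } catch (final CredentialsException e) {
            // a rejected token is a credentials failure and must surface as such, not wrapped as technical
            throw e;
        } catch (final Exception e) {
            throw new TechnicalException("Cannot decrypt / verify JWT", e);
        }
        try {
            createJwtProfile(credentials, jwt);
        } catch (final CredentialsException e) {
            throw e;
        } catch (final Exception e) {
            throw new TechnicalException("Cannot get claimSet", e);
        }
    }

    /**
     * Unwraps and verifies a parsed token.
     *
     * @param parsed the parsed token (plain, signed or encrypted)
     * @return the token whose claims are trusted: the plain token itself when no key is configured, or
     *         the verified signed token (possibly extracted from an encrypted envelope)
     * @throws JOSEException if decryption or verification cannot be performed
     * @throws CredentialsException if the token is rejected
     * @throws TechnicalException if the token type is unsupported or the needed key / secret is missing
     */
    private JWT decryptAndVerify(final JWT parsed) throws JOSEException {
        if (parsed instanceof PlainJWT) {
            if (this.key != null) {
                // with a key configured, an unsigned token can only be a downgrade of a signed one
                throw new CredentialsException("Unsigned JWT rejected: a signing key is configured");
            }
            this.logger.debug("JWT is not signed and no signing key is configured -> accepted as is");
            return parsed;
        }

        final SignedJWT signedJWT;
        if (parsed instanceof SignedJWT) {
            this.logger.debug("JWT is signed");
            signedJWT = (SignedJWT) parsed;
        } else if (parsed instanceof EncryptedJWT) {
            CommonHelper.assertNotBlank("encryptionSecret", this.encryptionSecret);
            final JWEObject jwe = (EncryptedJWT) parsed;
            jwe.decrypt(new DirectDecrypter(this.encryptionSecret.getBytes(StandardCharsets.UTF_8)));
            // the encrypted envelope must carry a signed token: encryption alone does not authenticate claims
            signedJWT = jwe.getPayload().toSignedJWT();
            if (signedJWT == null) {
                throw new CredentialsException("Encrypted JWT does not wrap a signed JWT");
            }
        } else {
            throw new TechnicalException("unsupported unsecured jwt");
        }

        CommonHelper.assertNotNull("key", this.key);
        // the verifier is derived from the header algorithm and the configured key by the factory
        if (!signedJWT.verify(this.factory.createJWSVerifier(signedJWT.getHeader(), this.key))) {
            // the token itself is deliberately not echoed into the message (it would end up in logs)
            throw new CredentialsException("JWT verification failed");
        }
        return signedJWT;
    }

    /**
     * Builds the profile from the token claims and stores it on the credentials.
     *
     * <p>The subject becomes the profile identifier (prefixed with the {@link JwtProfile} class name
     * when it carries no type prefix); the subject, roles and permissions claims are removed from the
     * attributes and applied separately.
     *
     * @param credentials the credentials receiving the profile
     * @param jwt the trusted token
     * @throws ParseException if the claims cannot be read
     * @throws CredentialsException if the token has no subject claim
     */
    private static void createJwtProfile(final TokenCredentials credentials, final JWT jwt) throws ParseException {
        final JWTClaimsSet claimSet = jwt.getJWTClaimsSet();
        String subject = claimSet.getSubject();
        if (subject == null) {
            throw new CredentialsException("JWT has no subject claim");
        }
        if (!subject.contains("#")) {
            subject = JwtProfile.class.getName() + "#" + subject;
        }

        final Map<String, Object> attributes = new HashMap<String, Object>(claimSet.getClaims());
        attributes.remove(JwtConstants.SUBJECT);
        final List<String> roles = stringList(attributes.remove(JwtGenerator.INTERNAL_ROLES));
        final List<String> permissions = stringList(attributes.remove(JwtGenerator.INTERNAL_PERMISSIONS));

        final CommonProfile profile = ProfileHelper.buildProfile(subject, attributes);
        if (roles != null) {
            profile.addRoles(roles);
        }
        if (permissions != null) {
            profile.addPermissions(permissions);
        }
        credentials.setUserProfile(profile);
    }

    /**
     * Views a roles / permissions claim as a list of strings.
     *
     * @param claim the claim value, or {@code null} when absent
     * @return the claim as a list, or {@code null} when absent
     * @throws ClassCastException if the claim is not a list (surfaces as a technical failure in the caller)
     */
    @SuppressWarnings("unchecked")
    private static List<String> stringList(final Object claim) {
        // assumes the generator stored a list of strings — element types are not checked here
        return (List<String>) claim;
    }

    /**
     * Returns the configured signing key as a UTF-8 string.
     *
     * <p>Only meaningful when the key was set from a shared secret; for a certificate or PEM public
     * key this returns the encoded key bytes decoded as UTF-8, which is not the original input.
     *
     * @return the key bytes as a string, or {@code null} when no key is configured
     */
    public String getSigningSecret() {
        if (this.key == null) {
            return null;
        }
        return new String(this.key.getEncoded(), StandardCharsets.UTF_8);
    }

    /**
     * Sets the signing key from either a PEM-encoded X.509 certificate (its public key is used) or a
     * shared secret (used as-is for HMAC verification).
     *
     * @param signingSecret the certificate or shared secret
     * @throws TechnicalException if the value is blank
     */
    public void setSigningSecret(final String signingSecret) {
        CommonHelper.assertNotBlank("signingSecret", signingSecret);
        final X509Certificate certificate = X509CertUtils.parse(signingSecret);
        if (certificate != null) {
            this.key = certificate.getPublicKey();
        } else {
            this.key = new SecretKeySpec(signingSecret.getBytes(StandardCharsets.UTF_8), "AES");
        }
    }

    /**
     * Sets the signing key from a PEM-encoded public key.
     *
     * @param signingPem the PEM block ({@code -----BEGIN PUBLIC KEY-----} ... {@code -----END PUBLIC KEY-----})
     * @param signingPemAlgorithm the {@link KeyFactory} algorithm of the key
     * @throws NoSuchAlgorithmException if the algorithm is unknown
     * @throws InvalidKeySpecException if the decoded body is not a valid X.509 public key
     */
    public void setSigningPem(final String signingPem, final String signingPemAlgorithm)
            throws NoSuchAlgorithmException, InvalidKeySpecException {
        // strip the PEM armour, leaving the base64 body; line breaks left inside it are skipped by the decoder
        final String base64 = signingPem
                .replaceAll("-----BEGIN PUBLIC KEY-----[\\r\\n]+", "")
                .replace("-----END PUBLIC KEY-----", "");
        final byte[] der = DatatypeConverter.parseBase64Binary(base64);
        this.key = KeyFactory.getInstance(signingPemAlgorithm).generatePublic(new X509EncodedKeySpec(der));
    }

    /** @return the shared secret used to decrypt encrypted tokens, or {@code null} if none is configured */
    public String getEncryptionSecret() {
        return this.encryptionSecret;
    }

    /** @param encryptionSecret the shared secret used to decrypt encrypted tokens */
    public void setEncryptionSecret(final String encryptionSecret) {
        this.encryptionSecret = encryptionSecret;
    }

    /** @return the signature verification key, or {@code null} if none is configured */
    public Key getKey() {
        return this.key;
    }

    /** @param key the signature verification key (a secret key or a public key) */
    public void setKey(final Key key) {
        this.key = key;
    }
}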
