package io.micronaut.security.token.jwt.signature.jwks;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.JWKMatcher;
import com.nimbusds.jose.jwk.JWKSelector;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.KeyType;
import com.nimbusds.jwt.SignedJWT;
import io.micronaut.context.annotation.EachBean;
import io.micronaut.core.annotation.NonNull;
import io.micronaut.core.annotation.Nullable;
import io.micronaut.security.token.jwt.signature.SignatureConfiguration;
import jakarta.inject.Inject;
import java.io.IOException;
import java.net.URL;
import java.text.ParseException;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalUnit;
import java.util.Collections;
import java.util.List;
import java.util.Optional;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

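/**
 * Signature configuration that verifies signed JWTs against a remote JSON Web Key Set.
 *
 * <p>The key set is fetched from the configured URL on first use and kept in a volatile field
 * together with an expiry instant. This class only reports expiry through {@link #isExpired()};
 * nothing in it evicts the cached set, so the caller must invoke {@link #clear()}.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>Trust in every token accepted here reduces to trust in the JWKS URL and the transport used
 *       to fetch it. See {@link #loadJwkSet(String)}.</li>
 *   <li>The {@code kid} used for key selection is read from the token header before the signature
 *       is checked, so it is attacker-controlled input.</li>
 * </ul>
 */
@EachBean(JwksSignatureConfiguration.class)
public class JwksSignature implements JwksCache, SignatureConfiguration {

    @Deprecated
    public static final int DEFAULT_REFRESH_JWKS_ATTEMPTS = 1;
    private static final Logger LOG = LoggerFactory.getLogger(JwksSignature.class);
    private final JwkValidator jwkValidator;
    private final JwksSignatureConfiguration jwksSignatureConfiguration;
    // Instant after which the cached set is considered expired (not the instant it was fetched).
    private volatile Instant jwkSetCachedAt;
    private volatile JWKSet jwkSet;

    /**
     * @param jwksSignatureConfiguration source of the JWKS URL, optional key type and cache expiration
     * @param jwkValidator validator that checks a signed JWT against a single JWK
     */
    @Inject
    public JwksSignature(JwksSignatureConfiguration jwksSignatureConfiguration, JwkValidator jwkValidator) {
        this.jwksSignatureConfiguration = jwksSignatureConfiguration;
        this.jwkValidator = jwkValidator;
    }

    /**
     * Builds an instance from a bare URL and key type, with a fixed cache expiration of 60 seconds.
     *
     * @param str the JWKS URL
     * @param keyType key type used to filter the set, or {@code null} for no filter
     * @param jwkValidator validator that checks a signed JWT against a single JWK
     */
    @Deprecated
    public JwksSignature(final String str, @Nullable final KeyType keyType, JwkValidator jwkValidator) {
        LOG.debug("JWT validation URL: {}", str);
        this.jwksSignatureConfiguration = new JwksSignatureConfiguration() {
            @Override
            @NonNull
            public String getUrl() {
                return str;
            }

            @Override
            public KeyType getKeyType() {
                return keyType;
            }

            @Override
            @NonNull
            public Integer getCacheExpiration() {
                return 60;
            }
        };
        this.jwkValidator = jwkValidator;
    }

    /**
     * Returns the cached key set, loading it from the configured URL when none is cached.
     *
     * <p>A failed load leaves {@code jwkSet} null, so the next call fetches again while holding the
     * monitor. While the endpoint is unreachable, every call therefore performs a blocking remote
     * fetch. The expiry instant is stamped even when the load failed.
     */
    private Optional<JWKSet> computeJWKSet() {
        JWKSet cached = this.jwkSet;
        if (cached == null) {
            synchronized (this) {
                // Re-read under the lock: another thread may have loaded the set meanwhile.
                cached = this.jwkSet;
                if (cached == null) {
                    cached = loadJwkSet(this.jwksSignatureConfiguration.getUrl());
                    this.jwkSet = cached;
                    this.jwkSetCachedAt = Instant.now().plusSeconds(this.jwksSignatureConfiguration.getCacheExpiration());
                }
            }
        }
        return Optional.ofNullable(cached);
    }

    /** Returns the keys of the current set, or an empty list when no set could be loaded. */
    private List<JWK> getJsonWebKeys() {
        return computeJWKSet().map(JWKSet::getKeys).orElse(Collections.emptyList());
    }

    /** Returns {@code true} when an expiry instant is recorded and it lies in the past. */
    @Override
    public boolean isExpired() {
        Instant expiresAt = this.jwkSetCachedAt;
        return expiresAt != null && Instant.now().isAfter(expiresAt);
    }

    /**
     * Drops the cached key set and its expiry instant; the next use fetches the set again.
     *
     * <p>The two writes are not performed under the monitor used by the loader.
     */
    @Override
    public void clear() {
        this.jwkSet = null;
        this.jwkSetCachedAt = null;
    }

    /** Returns {@code true} when a key set is currently cached. Does not trigger a load. */
    @Override
    public boolean isPresent() {
        return this.jwkSet != null;
    }

    /**
     * Returns the key IDs of the current set, loading the set if necessary.
     *
     * @return the key IDs (entries may be {@code null} for keys without a {@code kid}), or empty
     *     when no set could be loaded
     */
    @Override
    @NonNull
    public Optional<List<String>> getKeyIds() {
        return computeJWKSet()
            .map(JWKSet::getKeys)
            .map(keys -> keys.stream().map(JWK::getKeyID).collect(Collectors.toList()));
    }

    /**
     * Describes the algorithms declared by the keys in the current set.
     *
     * <p>Keys that declare no algorithm are skipped; dereferencing their null algorithm would
     * otherwise throw a {@link NullPointerException}.
     */
    @Override
    public String supportedAlgorithmsMessage() {
        String prefix = getJsonWebKeys().stream()
            .map(JWK::getAlgorithm)
            .filter(algorithm -> algorithm != null)
            .map(algorithm -> algorithm.getName())
            .reduce((left, right) -> left + ", " + right)
            .map(names -> "Only the " + names)
            .orElse("No");
        return prefix + " algorithms are supported";
    }

    /**
     * Reports whether any key in the current set declares the given algorithm. May trigger a load
     * of the key set.
     *
     * @throws NullPointerException if {@code jWSAlgorithm} is null
     */
    @Override
    public boolean supports(JWSAlgorithm jWSAlgorithm) {
        return getJsonWebKeys().stream()
            .map(JWK::getAlgorithm)
            .anyMatch(jWSAlgorithm::equals);
    }

    /**
     * Verifies the token against the keys selected from the current set.
     *
     * @return {@code true} if at least one selected key validates the token; {@code false} when no
     *     key set is available, no key matches, or none validates
     */
    @Override
    public boolean verify(SignedJWT signedJWT) throws JOSEException {
        List<JWK> matches = matches(signedJWT, computeJWKSet().orElse(null));
        // matches() is overridable, so guard against null before touching the list.
        if (LOG.isDebugEnabled()) {
            LOG.debug("Found {} matching JWKs", matches == null ? 0 : matches.size());
        }
        if (matches == null || matches.isEmpty()) {
            return false;
        }
        return verify(matches, signedJWT);
    }

    /**
     * Fetches and parses the key set at the given URL.
     *
     * <p>NOTE(review): {@code new URL(str)} accepts any scheme the JVM has a handler for, and
     * nothing here requires {@code https}. Keys fetched over an unauthenticated transport cannot
     * be trusted, so confirm that the scheme is constrained where the URL is configured.
     *
     * <p>NOTE(review): this uses the single-argument {@code JWKSet.load(URL)}. Nimbus also provides
     * an overload that takes connect and read timeouts and a size limit. Without those bounds, a
     * slow or oversized response stalls the caller, which holds this instance's monitor.
     *
     * @param str the JWKS URL, may be null
     * @return the parsed set, or {@code null} when the URL is null or loading or parsing failed
     */
    @Nullable
    protected JWKSet loadJwkSet(String str) {
        if (str == null) {
            return null;
        }
        try {
            return JWKSet.load(new URL(str));
        } catch (IOException | ParseException e) {
            // Fail closed: with no key set, verify() returns false rather than accepting tokens.
            LOG.error("Exception loading JWK from {}. The JwksSignature will not be used to verify a JWT if further refresh attempts fail", str, e);
            return null;
        }
    }

    /**
     * @deprecated the attempt count {@code i} is ignored; delegates to
     *     {@link #matches(SignedJWT, JWKSet)}.
     */
    @Deprecated
    protected List<JWK> matches(SignedJWT signedJWT, @Nullable JWKSet jWKSet, int i) {
        return matches(signedJWT, jWKSet);
    }

    /**
     * Selects the keys from the set that match the configured key type and the token's key ID.
     *
     * <p>When the token header carries no {@code kid}, no key-ID filter is applied, and every key
     * of the configured type (or every key, if no type is configured) is returned as a candidate.
     *
     * @param signedJWT the token whose header supplies the key ID
     * @param jWKSet the key set to select from, may be null
     * @return the matching keys; empty when {@code jWKSet} is null
     */
    protected List<JWK> matches(SignedJWT signedJWT, @Nullable JWKSet jWKSet) {
        if (jWKSet == null) {
            return Collections.emptyList();
        }
        JWKMatcher.Builder builder = new JWKMatcher.Builder();
        KeyType keyType = this.jwksSignatureConfiguration.getKeyType();
        if (keyType != null) {
            LOG.debug("Key Type: {}", keyType);
            builder = builder.keyType(keyType);
        }
        // The kid is taken from the not-yet-verified header, so it is untrusted input.
        // It is logged as-is at debug level.
        String keyID = signedJWT.getHeader().getKeyID();
        LOG.debug("JWT Key ID: {}", keyID);
        if (LOG.isDebugEnabled()) {
            LOG.debug("JWK Set Key IDs: {}", String.join(",", getKeyIds().orElse(Collections.emptyList())));
        }
        if (keyID != null) {
            builder = builder.keyID(keyID);
        }
        return new JWKSelector(builder.build()).select(jWKSet);
    }

    /**
     * Returns {@code true} as soon as the validator accepts the token for any candidate key.
     *
     * @param list candidate keys
     * @param signedJWT the token to validate
     */
    protected boolean verify(List<JWK> list, SignedJWT signedJWT) {
        return list.stream().anyMatch(jwk -> this.jwkValidator.validate(signedJWT, jwk));
    }

    /** @deprecated always returns {@link #DEFAULT_REFRESH_JWKS_ATTEMPTS}. */
    @Deprecated
    public int getRefreshJwksAttempts() {
        return DEFAULT_REFRESH_JWKS_ATTEMPTS;
    }

    @Deprecated
    public JwkValidator getJwkValidator() {
        return this.jwkValidator;
    }

    /** @deprecated returns the cached set without loading it; may be {@code null}. */
    @Deprecated
    public JWKSet getJwkSet() {
        return this.jwkSet;
    }

    @Deprecated
    public KeyType getKeyType() {
        return this.jwksSignatureConfiguration.getKeyType();
    }

    @Deprecated
    public String getUrl() {
        return this.jwksSignatureConfiguration.getUrl();
    }
}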
