package io.micronaut.security.token.jwt.nimbus;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jwt.SignedJWT;
import io.micronaut.context.annotation.EachBean;
import io.micronaut.core.async.annotation.SingleResult;
import io.micronaut.security.token.jwt.signature.ReactiveSignatureConfiguration;
import io.micronaut.security.token.jwt.signature.jwks.JwkSetFetcher;
import io.micronaut.security.token.jwt.signature.jwks.JwkValidator;
import io.micronaut.security.token.jwt.signature.jwks.JwksSignatureConfiguration;
import io.micronaut.security.token.jwt.signature.jwks.JwksSignatureUtils;
import org.reactivestreams.Publisher;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import reactor.core.publisher.Mono;

@EachBean(JwksSignatureConfiguration.class)
/* loaded from: input_file:io/micronaut/security/token/jwt/nimbus/ReactiveJwksSignature.class */
public class ReactiveJwksSignature implements ReactiveSignatureConfiguration<SignedJWT> {
    private static final Logger LOG = LoggerFactory.getLogger(ReactiveJwksSignature.class);
    private final JwkValidator jwkValidator;
    private final JwksSignatureConfiguration jwksSignatureConfiguration;
    private final JwkSetFetcher<JWKSet> jwkSetFetcher;

    public ReactiveJwksSignature(JwksSignatureConfiguration jwksSignatureConfiguration, JwkValidator jwkValidator, JwkSetFetcher<JWKSet> jwkSetFetcher) {
        this.jwksSignatureConfiguration = jwksSignatureConfiguration;
        this.jwkValidator = jwkValidator;
        this.jwkSetFetcher = jwkSetFetcher;
    }

    @Override // io.micronaut.security.token.jwt.signature.ReactiveSignatureConfiguration
    @SingleResult
    public Publisher<Boolean> verify(SignedJWT signedJWT) {
        return Mono.from(this.jwkSetFetcher.fetch(this.jwksSignatureConfiguration.getName(), this.jwksSignatureConfiguration.getUrl())).map(jWKSet -> {
            try {
                boolean verify = JwksSignatureUtils.verify(signedJWT, jWKSet, this.jwkValidator);
                if (LOG.isDebugEnabled()) {
                    if (verify) {
                        LOG.debug("JWT Signature verified: {}", signedJWT.getParsedString());
                    } else {
                        LOG.debug("JWT Signature not verified: {}", signedJWT.getParsedString());
                        if (!JwksSignatureUtils.supports(signedJWT.getHeader().getAlgorithm(), jWKSet)) {
                            LOG.debug("JWT Signature algorithm {} not supported by JWK Set. {} ", signedJWT.getHeader().getAlgorithm(), JwksSignatureUtils.supportedAlgorithmsMessage(jWKSet));
                        }
                    }
                }
                return Boolean.valueOf(verify);
            } catch (JOSEException e) {
                if (LOG.isErrorEnabled()) {
                    LOG.error("Error verifying JWT signature", e);
                }
                return false;
            }
        });
    }
}
