package io.smallrye.jwt.auth.principal;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;
import org.eclipse.microprofile.jwt.Claims;
import org.jboss.logging.Logger;
import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.NumericDate;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.jwt.consumer.JwtContext;
import org.jose4j.keys.resolvers.VerificationKeyResolver;
import org.jose4j.lang.UnresolvableKeyException;

/* loaded from: input_file:io/smallrye/jwt/auth/principal/DefaultJWTTokenParser.class */
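public class DefaultJWTTokenParser {
    /**
     * Optional token claim holding a JSON object of {@code group -> extraGroup} pairs; every key that is
     * already present in "groups" causes its value to be appended to "groups". The claim is read from the
     * signature-verified token, so only the issuer can influence it.
     */
    private static final String ROLE_MAPPINGS = "roleMappings";
    /** Lazily created and then reused for every later parse() call; see getKeyResolver(). */
    private volatile VerificationKeyResolver keyResolver;
    private static final Logger LOGGER = Logger.getLogger(DefaultJWTTokenParser.class);
    /** Splits a claim path on '/' characters that are not inside a double-quoted segment. */
    private static final Pattern CLAIM_PATH_PATTERN = Pattern.compile("\\/(?=(?:(?:[^\"]*\"){2})*[^\"]*$)");

    /**
     * Verifies a compact JWS token with jose4j and post-processes its claims.
     * <p>
     * Verification is driven by {@code jWTAuthContextInfo}: the single allowed signature algorithm,
     * issuer, audience, verification key (or key resolver), clock skew and optional maximum
     * token lifetime. On success the raw token is stored under the {@code raw_token} claim and
     * missing {@code sub} / {@code groups} claims are derived from the configured paths or defaults.
     *
     * @param str                 the compact serialized token
     * @param jWTAuthContextInfo  verification configuration
     * @return the jose4j context holding the verified and augmented claims
     * @throws ParseException if the token fails signature, time or claim validation, if the
     *                        verification key cannot be resolved, or if it exceeds the configured max TTL
     */
    public JwtContext parse(String str, JWTAuthContextInfo jWTAuthContextInfo) throws ParseException {
        try {
            JwtContext context = newConsumerBuilder(jWTAuthContextInfo).build().process(str);
            JwtClaims claims = context.getJwtClaims();
            verifyTimeToLive(jWTAuthContextInfo, claims);
            claims.setClaim(Claims.raw_token.name(), str);
            if (!claims.hasClaim(Claims.sub.name())) {
                claims.setClaim(Claims.sub.name(), findSubject(jWTAuthContextInfo, claims));
            }
            if (jWTAuthContextInfo.isRequireNamedPrincipal()) {
                // sub may have been derived above; upn/preferred_username come straight from the token
                checkNameClaims(context);
            }
            if (!claims.hasClaim(Claims.groups.name())) {
                claims.setClaim(Claims.groups.name(), findGroups(jWTAuthContextInfo, claims));
            }
            if (claims.hasClaim(ROLE_MAPPINGS)) {
                mapRoles(claims);
            }
            return context;
        } catch (UnresolvableKeyException e) {
            // Deliberately terse: the cause is attached, but the client only sees a generic failure
            LOGGER.debug("Verification key is unresolvable");
            throw new ParseException("Failed to verify a token", e);
        } catch (InvalidJwtException e) {
            LOGGER.debug("Token is invalid");
            throw new ParseException("Failed to verify a token", e);
        }
    }

    /**
     * Translates the auth context into a jose4j consumer builder.
     * <p>
     * FIX: previously a non-positive expiration grace period pinned the jose4j evaluation time to
     * the epoch ({@code NumericDate.fromSeconds(0)}). jose4j then compared {@code exp} against 1970,
     * so every expired token was accepted and any token carrying {@code nbf} was rejected. A
     * non-positive grace period now simply means "no clock skew allowed".
     *
     * @throws UnresolvableKeyException if no static signer key is configured and the key resolver
     *                                  cannot be created
     */
    private JwtConsumerBuilder newConsumerBuilder(JWTAuthContextInfo info) throws UnresolvableKeyException {
        JwtConsumerBuilder builder = new JwtConsumerBuilder().setRequireExpirationTime();
        if (info.getMaxTimeToLiveSecs() != null) {
            // verifyTimeToLive() needs iat, so let jose4j reject tokens that omit it
            builder.setRequireIssuedAt();
        }
        // Whitelist exactly one algorithm: anything else, including the unsigned "none" algorithm,
        // is rejected by jose4j before the key is even looked at.
        builder.setJwsAlgorithmConstraints(new AlgorithmConstraints(AlgorithmConstraints.ConstraintType.WHITELIST,
                new String[] { info.getSignatureAlgorithm().getAlgorithm() }));
        if (info.isRequireIssuer()) {
            builder.setExpectedIssuer(true, info.getIssuedBy());
        } else {
            // iss is neither required nor compared
            builder.setExpectedIssuer(false, (String) null);
        }
        if (info.getSignerKey() != null) {
            builder.setVerificationKey(info.getSignerKey());
        } else {
            builder.setVerificationKeyResolver(getKeyResolver(info));
        }
        int clockSkewSecs = info.getExpGracePeriodSecs() > 0 ? info.getExpGracePeriodSecs() : 0;
        builder.setAllowedClockSkewInSeconds(clockSkewSecs);
        setExpectedAudience(builder, info);
        return builder;
    }

    /**
     * Enforces the configured audience set, or disables jose4j's audience check entirely when
     * no audience is configured (a token with an {@code aud} claim is then accepted regardless
     * of its value).
     */
    void setExpectedAudience(JwtConsumerBuilder jwtConsumerBuilder, JWTAuthContextInfo jWTAuthContextInfo) {
        Set<String> expectedAudience = jWTAuthContextInfo.getExpectedAudience();
        if (expectedAudience == null) {
            jwtConsumerBuilder.setSkipDefaultAudienceValidation();
            return;
        }
        jwtConsumerBuilder.setExpectedAudience(expectedAudience.toArray(new String[0]));
    }

    /**
     * Requires at least one of {@code sub}, {@code upn} or {@code preferred_username} to be present.
     *
     * @throws InvalidJwtException if none of the three claims has a value
     */
    private void checkNameClaims(JwtContext jwtContext) throws InvalidJwtException {
        JwtClaims claims = jwtContext.getJwtClaims();
        boolean hasName = claims.getClaimValue(Claims.sub.name()) != null
                || claims.getClaimValue(Claims.upn.name()) != null
                || claims.getClaimValue(Claims.preferred_username.name()) != null;
        if (!hasName) {
            throw new InvalidJwtException("No claim exists in sub, upn or preferred_username", Collections.emptyList(), jwtContext);
        }
    }

    /**
     * Resolves a subject for a token that has no {@code sub} claim: first the configured subject
     * path (only if it holds a String), then the configured default subject.
     *
     * @return the subject, or {@code null} when neither source yields one
     */
    private String findSubject(JWTAuthContextInfo jWTAuthContextInfo, JwtClaims jwtClaims) {
        String path = jWTAuthContextInfo.getSubjectPath();
        if (path != null) {
            Object value = findClaimValue(path, jwtClaims.getClaimsMap(), splitClaimPath(path), 0);
            if (value instanceof String) {
                return (String) value;
            }
            LOGGER.debugf("Claim value at the path %s is not a String", path);
        }
        return jWTAuthContextInfo.getDefaultSubjectClaim();
    }

    /**
     * Resolves groups for a token that has no {@code groups} claim: the configured groups path may
     * hold a JSON array of strings or a single delimited string; otherwise the default group is used.
     *
     * @return the group list, or {@code null} when neither source yields one
     */
    private List<String> findGroups(JWTAuthContextInfo jWTAuthContextInfo, JwtClaims jwtClaims) {
        String path = jWTAuthContextInfo.getGroupsPath();
        if (path != null) {
            Object value = findClaimValue(path, jwtClaims.getClaimsMap(), splitClaimPath(path), 0);
            if (value instanceof List) {
                List<String> groups = asStringList((List<?>) value);
                if (groups != null) {
                    return groups;
                }
                LOGGER.debugf("Claim value at the path %s is not an array of strings", path);
            } else if (value instanceof String) {
                // NOTE: String.split interprets the configured separator as a regular expression
                return Arrays.asList(((String) value).split(jWTAuthContextInfo.getGroupsSeparator()));
            } else {
                LOGGER.debugf("Claim value at the path %s is neither an array of strings nor string", path);
            }
        }
        String defaultGroup = jWTAuthContextInfo.getDefaultGroupsClaim();
        return defaultGroup != null ? Collections.singletonList(defaultGroup) : null;
    }

    /**
     * Copies {@code values} into a {@code List<String>}.
     *
     * @return the copy, or {@code null} if any element is neither a String nor {@code null}
     */
    private static List<String> asStringList(List<?> values) {
        List<String> result = new ArrayList<>(values.size());
        for (Object element : values) {
            if (element != null && !(element instanceof String)) {
                return null;
            }
            result.add((String) element);
        }
        return result;
    }

    /**
     * Splits a "a/b/c" claim path into its segments. A path with no '/' after the first character
     * is a single segment; quoted segments may contain '/'.
     */
    private static String[] splitClaimPath(String str) {
        if (str.indexOf('/') <= 0) {
            return new String[] { str };
        }
        return CLAIM_PATH_PATTERN.split(str);
    }

    /**
     * Appends mapped groups from the {@link #ROLE_MAPPINGS} claim to the {@code groups} claim.
     * Only String-valued mappings whose key is an existing group are applied; any failure to read
     * the claims is logged and leaves the groups claim untouched (best effort, as before).
     */
    private void mapRoles(JwtClaims jwtClaims) {
        try {
            Map<?, ?> mappings = jwtClaims.getClaimValue(ROLE_MAPPINGS, Map.class);
            List<String> groups = jwtClaims.getStringListClaimValue(Claims.groups.name());
            List<String> merged = new ArrayList<>(groups);
            for (Map.Entry<?, ?> mapping : mappings.entrySet()) {
                if (!groups.contains(mapping.getKey())) {
                    continue;
                }
                Object mapped = mapping.getValue();
                if (mapped instanceof String) {
                    merged.add((String) mapped);
                } else {
                    // A non-String entry would corrupt the groups claim for later readers; skip it
                    LOGGER.debugf("Ignoring non-String roleMappings value for group %s", mapping.getKey());
                }
            }
            jwtClaims.setStringListClaim(Claims.groups.name(), merged);
            LOGGER.tracef("Updated groups to: %s", merged);
        } catch (Exception e) {
            LOGGER.debug("Failed to access roleMappings claim", e);
        }
    }

    /**
     * Walks {@code strArr[i..]} through nested JSON objects starting at {@code map}.
     * Surrounding double quotes are stripped from each segment before lookup.
     *
     * @param str    the full path, for logging only
     * @return the value at the end of the path, or {@code null} if a segment is missing or an
     *         intermediate value is not a JSON object
     */
    private Object findClaimValue(String str, Map<String, Object> map, String[] strArr, int i) {
        Object current = map.get(strArr[i].replace("\"", ""));
        if (current == null) {
            LOGGER.debugf("No claim exists at the path %s at segment %s", str, strArr[i]);
            return null;
        }
        boolean isLastSegment = i + 1 >= strArr.length;
        if (isLastSegment) {
            return current;
        }
        if (current instanceof Map) {
            @SuppressWarnings("unchecked")
            Map<String, Object> nested = (Map<String, Object>) current;
            return findClaimValue(str, nested, strArr, i + 1);
        }
        LOGGER.debugf("Claim value at the path %s is not a json object", str);
        return null;
    }

    /**
     * Rejects tokens whose lifetime ({@code exp - iat}, in seconds) exceeds the configured maximum.
     * No-op when no maximum is configured.
     *
     * @throws ParseException if the claims cannot be read, either is missing, or the lifetime is too long
     */
    private void verifyTimeToLive(JWTAuthContextInfo jWTAuthContextInfo, JwtClaims jwtClaims) throws ParseException {
        Long maxTimeToLiveSecs = jWTAuthContextInfo.getMaxTimeToLiveSecs();
        if (maxTimeToLiveSecs == null) {
            LOGGER.debug("No max TTL has been specified in configuration");
            return;
        }
        NumericDate issuedAt;
        NumericDate expirationTime;
        try {
            issuedAt = jwtClaims.getIssuedAt();
            expirationTime = jwtClaims.getExpirationTime();
        } catch (Exception e) {
            throw new ParseException("Failed to verify max TTL", e);
        }
        if (issuedAt == null || expirationTime == null) {
            throw new ParseException("Failed to verify max TTL: iat and exp claims are both required");
        }
        if (expirationTime.getValue() - issuedAt.getValue() > maxTimeToLiveSecs.longValue()) {
            // FIX: the limit is in seconds, the old message said "minutes"
            throw new ParseException("The Expiration Time (exp=" + expirationTime + ") claim value cannot be more than "
                    + maxTimeToLiveSecs + " seconds in the future relative to Issued At (iat=" + issuedAt + ")");
        }
    }

    /**
     * Returns the shared key resolver, creating it on first use (volatile + synchronized
     * double-checked initialization).
     * <p>
     * NOTE(review): the resolver is built from whichever {@code jWTAuthContextInfo} arrives first
     * and reused for all later calls, even ones passing a different context — confirm callers never
     * rely on per-call key configuration when no static signer key is set.
     */
    protected VerificationKeyResolver getKeyResolver(JWTAuthContextInfo jWTAuthContextInfo) throws UnresolvableKeyException {
        VerificationKeyResolver resolver = this.keyResolver;
        if (resolver == null) {
            synchronized (this) {
                resolver = this.keyResolver;
                if (resolver == null) {
                    resolver = new KeyLocationResolver(jWTAuthContextInfo);
                    this.keyResolver = resolver;
                }
            }
        }
        return resolver;
    }
}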
