package org.pac4j.jwt.credentials.authenticator;

import com.nimbusds.jose.EncryptionMethod;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.JWEHeader;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jwt.EncryptedJWT;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.jwt.PlainJWT;
import com.nimbusds.jwt.SignedJWT;
import java.text.ParseException;
import java.util.ArrayList;
import java.util.Date;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import org.pac4j.core.context.Pac4jConstants;
import org.pac4j.core.context.WebContext;
import org.pac4j.core.credentials.TokenCredentials;
import org.pac4j.core.credentials.authenticator.Authenticator;
import org.pac4j.core.exception.CredentialsException;
import org.pac4j.core.exception.HttpAction;
import org.pac4j.core.exception.TechnicalException;
import org.pac4j.core.profile.CommonProfile;
import org.pac4j.core.profile.ProfileHelper;
import org.pac4j.core.profile.definition.CommonProfileDefinition;
import org.pac4j.core.profile.definition.ProfileDefinitionAware;
import org.pac4j.core.util.CommonHelper;
import org.pac4j.jwt.config.encryption.EncryptionConfiguration;
import org.pac4j.jwt.config.signature.SignatureConfiguration;
import org.pac4j.jwt.profile.JwtGenerator;
import org.pac4j.jwt.profile.JwtProfile;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/pac4j-jwt-3.4.0.jar:org/pac4j/jwt/credentials/authenticator/JwtAuthenticator.class */
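/**
 * Authenticator for bearer JWTs: parses the token, decrypts it with one of the configured
 * {@link EncryptionConfiguration}s if it is a JWE, verifies it with one of the configured
 * {@link SignatureConfiguration}s if it is a JWS, checks the time claims and finally builds
 * a {@link JwtProfile} from the claims.
 *
 * Security notes:
 * <ul>
 *   <li>Unsigned tokens (plain JWTs, and JWEs whose decrypted payload is not a JWS) are only
 *       accepted when NO signature configuration is defined. With public-key encryption
 *       anybody holding the public key can mint a JWE, so a JWE on its own proves nothing
 *       about the issuer.</li>
 *   <li>The signature / encryption configuration is chosen from the untrusted
 *       {@code alg} / {@code enc} header: each configuration must only accept its own key
 *       family so that an attacker cannot pick a weaker algorithm for a given key.</li>
 *   <li>Raw tokens are never embedded in exception messages, since
 *       {@link #validateToken(String)} logs those messages.</li>
 * </ul>
 */
public class JwtAuthenticator extends ProfileDefinitionAware<JwtProfile> implements Authenticator<TokenCredentials> {

    protected final Logger logger = LoggerFactory.getLogger(getClass());

    private List<EncryptionConfiguration> encryptionConfigurations = new ArrayList<>();

    private List<SignatureConfiguration> signatureConfigurations = new ArrayList<>();

    private String realmName = Pac4jConstants.DEFAULT_REALM_NAME;

    /** Optional upper bound for the token's {@code exp} claim; {@code null} means no bound. */
    private Date expirationTime;

    /** Creates an authenticator with no signature and no encryption configuration (unsigned tokens accepted). */
    public JwtAuthenticator() {
    }

    /**
     * @param signatureConfigurations the signature configurations to verify tokens with (must not be null)
     */
    public JwtAuthenticator(final List<SignatureConfiguration> signatureConfigurations) {
        setSignatureConfigurations(signatureConfigurations);
    }

    /**
     * @param signatureConfigurations the signature configurations to verify tokens with (must not be null)
     * @param encryptionConfigurations the encryption configurations to decrypt tokens with (must not be null)
     */
    public JwtAuthenticator(final List<SignatureConfiguration> signatureConfigurations,
                            final List<EncryptionConfiguration> encryptionConfigurations) {
        setSignatureConfigurations(signatureConfigurations);
        setEncryptionConfigurations(encryptionConfigurations);
    }

    /**
     * @param signatureConfiguration the single signature configuration to verify tokens with (must not be null)
     */
    public JwtAuthenticator(final SignatureConfiguration signatureConfiguration) {
        setSignatureConfiguration(signatureConfiguration);
    }

    /**
     * @param signatureConfiguration the single signature configuration to verify tokens with (must not be null)
     * @param encryptionConfiguration the single encryption configuration to decrypt tokens with (must not be null)
     */
    public JwtAuthenticator(final SignatureConfiguration signatureConfiguration,
                            final EncryptionConfiguration encryptionConfiguration) {
        setSignatureConfiguration(signatureConfiguration);
        setEncryptionConfiguration(encryptionConfiguration);
    }

    @Override // org.pac4j.core.util.InitializableObject
    protected void internalInit() {
        CommonHelper.assertNotBlank("realmName", this.realmName);
        defaultProfileDefinition(new CommonProfileDefinition<>(parameters -> new JwtProfile()));
        if (this.signatureConfigurations.isEmpty()) {
            // Deliberately loud: without a signature configuration 'alg: none' tokens are trusted.
            this.logger.warn("No signature configurations have been defined: non-signed JWT will be accepted!");
        }
    }

    /**
     * Validates a token and returns its claims, with the profile identifier exposed under {@code sub}.
     *
     * @param token the raw JWT
     * @return the claims, or {@code null} when the token is rejected (see {@link #validateToken(String)})
     */
    public Map<String, Object> validateTokenAndGetClaims(final String token) {
        final CommonProfile profile = validateToken(token);
        if (profile == null) {
            // An invalid token yields no profile; surface that as "no claims" rather than a NullPointerException.
            return null;
        }
        final Map<String, Object> claims = new HashMap<>(profile.getAttributes());
        claims.put("sub", profile.getId());
        return claims;
    }

    /**
     * Validates a token outside of a web request.
     *
     * @param token the raw JWT
     * @return the profile built from the token, or {@code null} when the token is rejected
     * @throws TechnicalException if validation raises an {@link HttpAction}, which cannot be applied without a web context
     */
    public CommonProfile validateToken(final String token) {
        final TokenCredentials credentials = new TokenCredentials(token);
        try {
            validate(credentials, (WebContext) null);
            return credentials.getUserProfile();
        } catch (final CredentialsException e) {
            // The message is logged at INFO: it must never carry the token itself.
            this.logger.info("Failed to retrieve or validate credentials: {}", e.getMessage());
            this.logger.debug("Failed to retrieve or validate credentials", (Throwable) e);
            return null;
        } catch (final HttpAction e) {
            throw new TechnicalException(e);
        }
    }

    /**
     * Validates the credentials' token and, on success, attaches the resulting profile to them.
     *
     * @param credentials the credentials carrying the raw JWT
     * @param context the web context; may be {@code null} (then no {@code WWW-Authenticate} header is set)
     * @throws CredentialsException when the token cannot be parsed, decrypted or verified, or its claims are rejected
     */
    @Override // org.pac4j.core.credentials.authenticator.Authenticator
    public void validate(final TokenCredentials credentials, final WebContext context) {
        init();
        final String token = credentials.getToken();

        if (context != null) {
            // Advertise the bearer challenge up front so a rejected token gets a proper 401 hint.
            context.setResponseHeader("WWW-Authenticate", "Bearer realm=\"" + this.realmName + "\"");
        }

        try {
            JWT jwt = JWTParser.parse(token);

            if (jwt instanceof PlainJWT) {
                rejectUnsignedIfSignaturesConfigured();
                this.logger.debug("JWT is not signed and no signature configurations -> verified");
            } else {
                SignedJWT signedJWT = jwt instanceof SignedJWT ? (SignedJWT) jwt : null;

                if (jwt instanceof EncryptedJWT) {
                    this.logger.debug("JWT is encrypted");
                    final EncryptedJWT encryptedJWT = (EncryptedJWT) jwt;
                    decrypt(encryptedJWT);
                    // A nested JWT (JWS inside JWE) is verified below; any other payload is unsigned.
                    signedJWT = encryptedJWT.getPayload().toSignedJWT();
                    if (signedJWT != null) {
                        jwt = signedJWT;
                    }
                }

                if (signedJWT != null) {
                    this.logger.debug("JWT is signed");
                    verifySignature(signedJWT);
                } else {
                    // Decrypted but unsigned payload: apply the same policy as for a plain JWT.
                    // Encryption alone does not authenticate the issuer (the encryption key may be public).
                    rejectUnsignedIfSignaturesConfigured();
                    this.logger.debug("JWT is encrypted but not signed and no signature configurations -> verified");
                }
            }

            createJwtProfile(credentials, jwt);
        } catch (final ParseException e) {
            throw new CredentialsException("Cannot decrypt / verify JWT", e);
        }
    }

    /**
     * Enforces that unsigned tokens are only accepted when no signature configuration is defined.
     *
     * @throws CredentialsException when at least one signature configuration exists
     */
    private void rejectUnsignedIfSignaturesConfigured() {
        if (!this.signatureConfigurations.isEmpty()) {
            throw new CredentialsException("A non-signed JWT cannot be accepted as signature configurations have been defined");
        }
    }

    /**
     * Decrypts the JWE in place with the first configuration that supports its {@code alg}/{@code enc} and succeeds.
     *
     * @param encryptedJWT the encrypted token (mutated: decrypted on success)
     * @throws CredentialsException when no configuration supports the header or all of them fail
     */
    private void decrypt(final EncryptedJWT encryptedJWT) {
        final JWEHeader header = encryptedJWT.getHeader();
        final JWEAlgorithm algorithm = header.getAlgorithm();
        final EncryptionMethod method = header.getEncryptionMethod();

        for (final EncryptionConfiguration config : this.encryptionConfigurations) {
            if (!config.supports(algorithm, method)) {
                continue;
            }
            this.logger.debug("Using encryption configuration: {}", config);
            try {
                config.decrypt(encryptedJWT);
                // Stop at the first successful key: a JWE object can only be decrypted once.
                return;
            } catch (final JOSEException e) {
                this.logger.debug("Decryption fails with encryption configuration: {}, passing to the next one", config);
            }
        }
        // The token is deliberately not included in the message (it ends up in log lines).
        throw new CredentialsException("No encryption algorithm found for JWT");
    }

    /**
     * Verifies the JWS with the configurations that support its {@code alg} header.
     * The header is untrusted: each {@link SignatureConfiguration} must only accept its own key family.
     *
     * @param signedJWT the signed token
     * @throws CredentialsException when no configuration supports the algorithm or none verifies the signature
     */
    private void verifySignature(final SignedJWT signedJWT) {
        final JWSAlgorithm algorithm = signedJWT.getHeader().getAlgorithm();
        boolean algorithmSupported = false;

        for (final SignatureConfiguration config : this.signatureConfigurations) {
            if (!config.supports(algorithm)) {
                continue;
            }
            algorithmSupported = true;
            this.logger.debug("Using signature configuration: {}", config);
            try {
                if (config.verify(signedJWT)) {
                    return;
                }
            } catch (final JOSEException e) {
                this.logger.debug("Verification fails with signature configuration: {}, passing to the next one", config);
            }
        }

        // The token is deliberately not included in the messages (they end up in log lines).
        if (!algorithmSupported) {
            throw new CredentialsException("No signature algorithm found for JWT");
        }
        throw new CredentialsException("JWT verification failed");
    }

    /**
     * Builds the profile from an already decrypted / verified token and attaches it to the credentials.
     *
     * @param credentials the credentials to attach the profile to
     * @param jwt the validated token
     * @throws ParseException when the claims set cannot be parsed
     * @throws CredentialsException when the {@code sub} claim is missing, the token is expired, not yet valid,
     *         expires after the configured maximum, or its roles / permissions claims are malformed
     */
    protected void createJwtProfile(final TokenCredentials credentials, final JWT jwt) throws ParseException {
        final JWTClaimsSet claimSet = jwt.getJWTClaimsSet();

        final String subject = claimSet.getSubject();
        if (subject == null) {
            // A missing claim is a rejected credential, not a technical failure of the authenticator.
            throw new CredentialsException("JWT must contain a subject ('sub' claim)");
        }

        final Date now = new Date();
        final Date expiration = claimSet.getExpirationTime();
        if (expiration != null) {
            // No clock skew tolerance is applied here.
            if (expiration.before(now)) {
                throw new CredentialsException("The JWT is expired");
            }
            if (this.expirationTime != null && expiration.after(this.expirationTime)) {
                throw new CredentialsException("The JWT expiration time is later than the maximum allowed");
            }
        }
        final Date notBefore = claimSet.getNotBeforeTime();
        if (notBefore != null && notBefore.after(now)) {
            throw new CredentialsException("The JWT is not yet valid ('nbf' claim is in the future)");
        }

        final Map<String, Object> attributes = new HashMap<>(claimSet.getClaims());
        attributes.remove("sub");
        final List<String> roles = removeStringList(attributes, JwtGenerator.INTERNAL_ROLES);
        final List<String> permissions = removeStringList(attributes, JwtGenerator.INTERNAL_PERMISSIONS);

        final CommonProfile profile =
            ProfileHelper.restoreOrBuildProfile(getProfileDefinition(), subject, attributes, null, new Object[0]);
        if (roles != null) {
            profile.addRoles(roles);
        }
        if (permissions != null) {
            profile.addPermissions(permissions);
        }
        credentials.setUserProfile(profile);
    }

    /**
     * Removes a claim expected to hold a list of strings and returns it type-checked.
     *
     * @param attributes the mutable claims map
     * @param key the claim name
     * @return the list, or {@code null} when the claim is absent
     * @throws CredentialsException when the claim is present but not a list of strings
     */
    private static List<String> removeStringList(final Map<String, Object> attributes, final String key) {
        final Object value = attributes.remove(key);
        if (value == null) {
            return null;
        }
        if (!(value instanceof List)) {
            throw new CredentialsException("JWT claim '" + key + "' must be a list of strings");
        }
        final List<String> result = new ArrayList<>();
        for (final Object item : (List<?>) value) {
            if (!(item instanceof String)) {
                throw new CredentialsException("JWT claim '" + key + "' must be a list of strings");
            }
            result.add((String) item);
        }
        return result;
    }

    /** @return the live list of signature configurations (not a copy) */
    public List<SignatureConfiguration> getSignatureConfigurations() {
        return this.signatureConfigurations;
    }

    /** Adds a signature configuration (alias of {@link #addSignatureConfiguration}). */
    public void setSignatureConfiguration(final SignatureConfiguration signatureConfiguration) {
        addSignatureConfiguration(signatureConfiguration);
    }

    public void addSignatureConfiguration(final SignatureConfiguration signatureConfiguration) {
        CommonHelper.assertNotNull("signatureConfiguration", signatureConfiguration);
        this.signatureConfigurations.add(signatureConfiguration);
    }

    /** Replaces the signature configurations with the given list (kept by reference). */
    public void setSignatureConfigurations(final List<SignatureConfiguration> signatureConfigurations) {
        CommonHelper.assertNotNull("signatureConfigurations", signatureConfigurations);
        this.signatureConfigurations = signatureConfigurations;
    }

    /** @return the live list of encryption configurations (not a copy) */
    public List<EncryptionConfiguration> getEncryptionConfigurations() {
        return this.encryptionConfigurations;
    }

    /** Adds an encryption configuration (alias of {@link #addEncryptionConfiguration}). */
    public void setEncryptionConfiguration(final EncryptionConfiguration encryptionConfiguration) {
        addEncryptionConfiguration(encryptionConfiguration);
    }

    public void addEncryptionConfiguration(final EncryptionConfiguration encryptionConfiguration) {
        CommonHelper.assertNotNull("encryptionConfiguration", encryptionConfiguration);
        this.encryptionConfigurations.add(encryptionConfiguration);
    }

    /** Replaces the encryption configurations with the given list (kept by reference). */
    public void setEncryptionConfigurations(final List<EncryptionConfiguration> encryptionConfigurations) {
        CommonHelper.assertNotNull("encryptionConfigurations", encryptionConfigurations);
        this.encryptionConfigurations = encryptionConfigurations;
    }

    public String getRealmName() {
        return this.realmName;
    }

    /** Sets the realm advertised in the {@code WWW-Authenticate} header; checked non-blank at init. */
    public void setRealmName(final String realmName) {
        this.realmName = realmName;
    }

    /**
     * Sets the maximum accepted {@code exp} claim; tokens expiring later are rejected.
     *
     * @param expirationTime the bound, or {@code null} to remove it (the value is defensively copied)
     */
    public void setExpirationTime(final Date expirationTime) {
        this.expirationTime = expirationTime == null ? null : new Date(expirationTime.getTime());
    }

    /** @return a copy of the maximum accepted {@code exp} claim, or {@code null} when unset */
    public Date getExpirationTime() {
        return this.expirationTime == null ? null : new Date(this.expirationTime.getTime());
    }

    @Override
    public String toString() {
        return CommonHelper.toNiceString(getClass(),
            "signatureConfigurations", this.signatureConfigurations,
            "encryptionConfigurations", this.encryptionConfigurations,
            "realmName", this.realmName);
    }
}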
