package fish.payara.microprofile.jwtauth.jwt;

import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.SignedJWT;
import java.io.StringReader;
import java.security.PublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.json.Json;
import javax.json.JsonNumber;
import javax.json.JsonString;
import javax.json.JsonValue;
import org.eclipse.microprofile.jwt.Claims;

/* loaded from: input_file:fish/payara/microprofile/jwtauth/jwt/JwtTokenParser.class */
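/**
 * Parses a compact-serialised signed JWT and validates it before exposing its claims.
 *
 * <p>A token is accepted only if its header type is {@code JWT}, its algorithm is exactly
 * {@code RS256}, its signature verifies against the supplied RSA public key, all
 * {@link #requiredClaims} are present, a caller principal name can be derived, the
 * issuer matches the expected one, and the {@code exp} claim lies in the future.
 * Every rejection is reported as an {@link IllegalStateException}.
 */
public class JwtTokenParser {
    // Claims that must be present (and not JSON null) for a token to be accepted.
    private final List<Claims> requiredClaims = Arrays.asList(Claims.iss, Claims.sub, Claims.exp, Claims.iat, Claims.jti, Claims.groups);

    /**
     * Validates the given token and converts it into a {@link JsonWebTokenImpl}.
     *
     * @param str       the compact-serialised JWT as received from the caller
     * @param str2      the issuer the token's {@code iss} claim must equal
     * @param publicKey the RSA public key used to verify the signature
     * @return the validated token, with the raw token string stored under the {@code raw_token} claim
     * @throws IllegalStateException if any validation step rejects the token
     * @throws Exception             if the token cannot be parsed or the verifier fails
     */
    public JsonWebTokenImpl parse(String str, String str2, PublicKey publicKey) throws Exception {
        SignedJWT signedJwt = SignedJWT.parse(str);
        JWSHeader header = signedJwt.getHeader();
        if (!checkIsJWT(header)) {
            throw new IllegalStateException("Not JWT");
        }
        // Pin the algorithm: the header is attacker-controlled, so only the one
        // algorithm this parser is prepared to verify is allowed through.
        if (!JWSAlgorithm.RS256.equals(header.getAlgorithm())) {
            throw new IllegalStateException("Not RS256");
        }
        // Fail closed on a missing or non-RSA key instead of surfacing a ClassCastException.
        if (!(publicKey instanceof RSAPublicKey)) {
            throw new IllegalStateException("Not an RSA public key");
        }
        // Verify the signature before reading any claim, so that the checks below
        // only ever operate on a payload that has been authenticated.
        if (!signedJwt.verify(new RSASSAVerifier((RSAPublicKey) publicKey))) {
            throw new IllegalStateException("Signature invalid");
        }

        Map<String, JsonValue> claims;
        try (javax.json.JsonReader reader = Json.createReader(new StringReader(signedJwt.getPayload().toString()))) {
            claims = new HashMap<>(reader.readObject());
        }
        if (!checkRequiredClaimsPresent(claims)) {
            throw new IllegalStateException("Not all required claims present");
        }
        String callerPrincipalName = getCallerPrincipalName(claims);
        if (callerPrincipalName == null) {
            throw new IllegalStateException("One of upn, preferred_username or sub is required to be non null");
        }
        if (!checkIssuer(claims, str2)) {
            throw new IllegalStateException("Bad issuer");
        }
        if (!checkNotExpired(claims)) {
            throw new IllegalStateException("Expired");
        }
        // Round-trip through an object builder to obtain a JsonString holding the raw token.
        claims.put(Claims.raw_token.name(), Json.createObjectBuilder().add("token", str).build().get("token"));
        return new JsonWebTokenImpl(callerPrincipalName, claims);
    }

    /**
     * Returns {@code true} only if every required claim is present with a non-null value.
     * A claim explicitly set to JSON {@code null} is treated the same as a missing claim.
     */
    private boolean checkRequiredClaimsPresent(Map<String, JsonValue> map) {
        for (Claims required : this.requiredClaims) {
            JsonValue value = map.get(required.name());
            if (value == null || value == JsonValue.NULL) {
                return false;
            }
        }
        return true;
    }

    /**
     * Returns {@code true} if the {@code exp} claim is a number strictly greater than the
     * current time in seconds since the epoch. A missing or non-numeric {@code exp} is
     * treated as expired. The comparison is done on {@code long} values so that expiry
     * times beyond the {@code int} range are not truncated.
     */
    private boolean checkNotExpired(Map<String, JsonValue> map) {
        JsonValue expiry = map.get(Claims.exp.name());
        if (!(expiry instanceof JsonNumber)) {
            return false;
        }
        long nowSeconds = System.currentTimeMillis() / 1000;
        return nowSeconds < ((JsonNumber) expiry).longValue();
    }

    /**
     * Returns {@code true} if the {@code iss} claim is a string equal to the expected issuer.
     * A {@code null} expected issuer never matches.
     */
    private boolean checkIssuer(Map<String, JsonValue> map, String str) {
        JsonValue issuer = map.get(Claims.iss.name());
        if (str == null || !(issuer instanceof JsonString)) {
            return false;
        }
        return str.equals(((JsonString) issuer).getString());
    }

    /**
     * Returns {@code true} if the header carries a {@code typ} value of exactly {@code JWT}.
     * The {@code typ} header may be absent, in which case the token is rejected.
     */
    private boolean checkIsJWT(JWSHeader jWSHeader) {
        return jWSHeader.getType() != null && "JWT".equals(jWSHeader.getType().toString());
    }

    /**
     * Derives the caller principal name from the first usable claim among {@code upn},
     * {@code preferred_username} and {@code sub}, in that order.
     *
     * @return the principal name, or {@code null} if none of the three claims is set
     * @throws IllegalStateException if one of the claims is present but is not a string
     */
    private String getCallerPrincipalName(Map<String, JsonValue> map) {
        String name = getStringClaim(map, Claims.upn);
        if (name == null) {
            name = getStringClaim(map, Claims.preferred_username);
        }
        if (name == null) {
            name = getStringClaim(map, Claims.sub);
        }
        return name;
    }

    /**
     * Reads a claim that is expected to be a string. Absent and JSON-null claims yield
     * {@code null}; any other non-string value is rejected rather than blindly cast.
     */
    private String getStringClaim(Map<String, JsonValue> map, Claims claim) {
        JsonValue value = map.get(claim.name());
        if (value == null || value == JsonValue.NULL) {
            return null;
        }
        if (!(value instanceof JsonString)) {
            throw new IllegalStateException("Claim " + claim.name() + " is not a string");
        }
        return ((JsonString) value).getString();
    }
}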
