package fish.payara.microprofile.jwtauth.eesecurity;

import fish.payara.microprofile.jwtauth.jwt.JsonWebTokenImpl;
import fish.payara.microprofile.jwtauth.jwt.JwtTokenParser;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.StringReader;
import java.math.BigInteger;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.KeyFactory;
import java.security.PublicKey;
import java.security.spec.RSAPublicKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Objects;
import java.util.Optional;
import java.util.Properties;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.enterprise.inject.spi.DeploymentException;
import javax.json.Json;
import javax.json.JsonArray;
import javax.json.JsonObject;
import javax.json.JsonReader;
import javax.json.JsonValue;
import javax.security.enterprise.identitystore.CredentialValidationResult;
import javax.security.enterprise.identitystore.IdentityStore;
import org.eclipse.microprofile.config.Config;
import org.eclipse.microprofile.config.ConfigProvider;
import org.eclipse.microprofile.jwt.config.Names;
import org.glassfish.grizzly.http.server.Constants;
import org.snmp4j.util.SnmpConfigurator;

/* loaded from: input_file:fish/payara/microprofile/jwtauth/eesecurity/SignedJWTIdentityStore.class */
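/**
 * Identity store that authenticates callers from a signed MicroProfile JWT.
 *
 * <p>The accepted issuer and the namespace options come from the optional
 * {@code payara-mp-jwt.properties} resource, with the MicroProfile Config issuer
 * property as the fallback for the issuer. The RSA verification key is looked up
 * on every call to {@link #validate(SignedJWTCredential)}, in this order:
 * {@code /publicKey.pem}, the embedded key from MicroProfile Config, and finally
 * the configured key location.
 *
 * <p>Every failure while parsing or verifying a token ends in
 * {@link CredentialValidationResult#INVALID_RESULT}; the store never reports a
 * token as valid on an error path.
 */
public class SignedJWTIdentityStore implements IdentityStore {
    private static final Logger LOGGER = Logger.getLogger(SignedJWTIdentityStore.class.getName());
    private static final String RSA_ALGORITHM = "RSA";

    /** Most bytes of key material read from a key location; anything beyond this is ignored. */
    private static final int MAX_KEY_BYTES = 16384;

    // JWK member names of an RSA public key (RFC 7518, section 6.3.1). They are spelled out here
    // so that token verification does not depend on same-valued constants of unrelated libraries.
    private static final String JWK_MODULUS = "n";
    private static final String JWK_EXPONENT = "e";

    private final String acceptedIssuer;
    private final Optional<Boolean> enabledNamespace;
    private final Optional<String> customNamespace;
    private final Config config = ConfigProvider.getConfig();

    /**
     * Reads the vendor properties and resolves the issuer this store accepts.
     *
     * @throws IllegalStateException if neither the vendor properties nor MicroProfile Config
     *         define an issuer, or if the vendor properties cannot be read
     */
    public SignedJWTIdentityStore() {
        Optional<Properties> vendorProperties = readVendorProperties();
        this.acceptedIssuer = readVendorIssuer(vendorProperties).orElseGet(
                () -> this.config.getOptionalValue(Names.ISSUER, String.class)
                        .orElseThrow(() -> new IllegalStateException("No issuer found")));
        this.enabledNamespace = readEnabledNamespace(vendorProperties);
        this.customNamespace = readCustomNamespace(vendorProperties);
    }

    /**
     * Parses the token, resolves the verification key and verifies the token against the
     * accepted issuer.
     *
     * @param signedJWTCredential credential carrying the serialized signed JWT
     * @return a result holding the verified token and its {@code groups} claim, or
     *         {@link CredentialValidationResult#INVALID_RESULT} on any failure
     */
    @SuppressWarnings("unchecked") // the "groups" claim is handed over as an untyped collection
    public CredentialValidationResult validate(SignedJWTCredential signedJWTCredential) {
        JwtTokenParser parser = new JwtTokenParser(this.enabledNamespace, this.customNamespace);
        try {
            parser.parse(signedJWTCredential.getSignedJWT());
            // The key id is taken from the token before verify() runs, so it is caller-controlled.
            // It is only used to pick one of the keys this deployment already configured.
            String keyId = parser.getKeyID();

            Optional<PublicKey> publicKey = readDefaultPublicKey();
            if (!publicKey.isPresent()) {
                publicKey = readMPEmbeddedPublicKey(keyId);
            }
            if (!publicKey.isPresent()) {
                publicKey = readMPPublicKeyFromLocation(keyId);
            }
            if (!publicKey.isPresent()) {
                throw new IllegalStateException("No PublicKey found");
            }

            JsonWebTokenImpl token = parser.verify(this.acceptedIssuer, publicKey.get());
            // A token without a "groups" claim fails here (null collection) and is rejected by
            // the catch below, exactly like any other verification failure.
            Collection<String> groups = (Collection<String>) token.getClaim("groups");
            return new CredentialValidationResult(token, new HashSet<>(groups));
        } catch (Exception e) {
            // Fail closed. The cause is only visible at FINEST, so raise this logger's level when
            // rejected tokens have to be investigated.
            LOGGER.log(Level.FINEST, "Exception trying to parse JWT token.", (Throwable) e);
            return CredentialValidationResult.INVALID_RESULT;
        }
    }

    /**
     * Loads {@code /payara-mp-jwt.properties} through the context class loader.
     *
     * @return the loaded properties, or empty if the resource does not exist
     * @throws IllegalStateException if the resource exists but cannot be read
     */
    private Optional<Properties> readVendorProperties() {
        URL resource = Thread.currentThread().getContextClassLoader().getResource("/payara-mp-jwt.properties");
        if (resource == null) {
            return Optional.empty();
        }
        Properties properties = new Properties();
        // try-with-resources: the stream was previously left open after loading.
        try (InputStream in = resource.openStream()) {
            properties.load(in);
        } catch (IOException e) {
            throw new IllegalStateException("Failed to load Vendor properties from resource file", e);
        }
        return Optional.of(properties);
    }

    /** Returns the {@code accepted.issuer} vendor property, or empty if it is not set. */
    private Optional<String> readVendorIssuer(Optional<Properties> optional) {
        return optional.map(properties -> properties.getProperty("accepted.issuer"));
    }

    /**
     * Returns the {@code enable.namespace} vendor property, defaulting to {@code false} when
     * the properties exist without that key, or empty when there are no vendor properties.
     */
    private Optional<Boolean> readEnabledNamespace(Optional<Properties> optional) {
        return optional.map(properties -> Boolean.valueOf(properties.getProperty("enable.namespace", "false")));
    }

    /** Returns the {@code custom.namespace} vendor property, or empty if it is not set. */
    private Optional<String> readCustomNamespace(Optional<Properties> optional) {
        return optional.map(properties -> properties.getProperty("custom.namespace"));
    }

    /** Reads the key from the conventional {@code /publicKey.pem} resource, if it exists. */
    private Optional<PublicKey> readDefaultPublicKey() throws Exception {
        return readPublicKeyFromLocation("/publicKey.pem", null);
    }

    /**
     * Builds the key from the key text embedded in MicroProfile Config, if configured.
     *
     * @param str key id from the token, used to select an entry when the text is a JWK set
     */
    private Optional<PublicKey> readMPEmbeddedPublicKey(String str) throws Exception {
        Optional<String> embeddedKey = this.config.getOptionalValue(Names.VERIFIER_PUBLIC_KEY, String.class);
        return embeddedKey.isPresent() ? createPublicKey(embeddedKey.get(), str) : Optional.empty();
    }

    /**
     * Reads the key from the location named in MicroProfile Config, if configured.
     *
     * @param str key id from the token, used to select an entry when the content is a JWK set
     */
    private Optional<PublicKey> readMPPublicKeyFromLocation(String str) throws Exception {
        Optional<String> location = this.config.getOptionalValue(Names.VERIFIER_PUBLIC_KEY_LOCATION, String.class);
        return location.isPresent() ? readPublicKeyFromLocation(location.get(), str) : Optional.empty();
    }

    /**
     * Reads key material from a class path resource or, failing that, from a URL.
     *
     * <p>A location that is not found on the class path is opened as a URL with whatever
     * scheme the JVM supports. The store trusts the bytes it receives, so the integrity of
     * the verification key is only as good as that transport; a class path resource or an
     * authenticated scheme keeps the key out of reach of a network attacker.
     *
     * @param str  resource name or URL of the key material
     * @param str2 key id used to select an entry when the content is a JWK set; may be null
     * @return the key, or empty if the location is neither a resource nor a well-formed URL
     */
    private Optional<PublicKey> readPublicKeyFromLocation(String str, String str2) throws Exception {
        URL resource = Thread.currentThread().getContextClassLoader().getResource(str);
        if (resource == null) {
            try {
                resource = new URL(str);
            } catch (MalformedURLException e) {
                return Optional.empty();
            }
        }

        byte[] buffer = new byte[MAX_KEY_BYTES];
        int length = 0;
        try (InputStream in = resource.openStream()) {
            // A single read() may return only part of the content (typical for network streams)
            // or -1 for an empty one, so keep reading until the buffer is full or the stream ends.
            int read;
            while (length < buffer.length && (read = in.read(buffer, length, buffer.length - length)) != -1) {
                length += read;
            }
        }
        // PEM is ASCII and JWKS is JSON; decode explicitly instead of using the platform charset.
        String keyText = new String(buffer, 0, length, java.nio.charset.StandardCharsets.UTF_8);
        return createPublicKey(keyText, str2);
    }

    /**
     * Interprets the key text as PEM first and as a JWK or JWK set second.
     *
     * @param str  key text
     * @param str2 key id used to select an entry of a JWK set; may be null
     * @throws DeploymentException if the text is neither a usable PEM key nor a usable JWK
     */
    private Optional<PublicKey> createPublicKey(String str, String str2) throws Exception {
        try {
            return Optional.of(createPublicKeyFromPem(str));
        } catch (Exception pemFailure) {
            try {
                return Optional.of(createPublicKeyFromJWKS(str, str2));
            } catch (Exception jwksFailure) {
                // Keep the PEM failure visible too; it used to be dropped silently.
                jwksFailure.addSuppressed(pemFailure);
                throw new DeploymentException(jwksFailure);
            }
        }
    }

    /** Strips the PEM armor and line breaks, then decodes the X.509 encoded RSA public key. */
    private PublicKey createPublicKeyFromPem(String str) throws Exception {
        String base64Body = str
                .replaceAll("-----BEGIN (.*)-----", "")
                .replaceAll("-----END (.*)----", "")
                .replaceAll("\r\n", "")
                .replaceAll("\n", "")
                .trim();
        byte[] encodedKey = Base64.getDecoder().decode(base64Body);
        return KeyFactory.getInstance(RSA_ALGORITHM).generatePublic(new X509EncodedKeySpec(encodedKey));
    }

    /**
     * Builds an RSA public key from a single JWK or from the matching entry of a JWK set.
     *
     * @param str  JWK or JWK set, as JSON or as Base64 encoded JSON
     * @param str2 key id used to select an entry of a JWK set; may be null
     */
    private PublicKey createPublicKeyFromJWKS(String str, String str2) throws Exception {
        JsonObject document = parseJwks(str);
        JsonArray keys = document.getJsonArray("keys");
        // Without a "keys" array the document itself is treated as the JWK.
        JsonObject jwk = keys != null ? findJwk(keys, str2) : document;

        Base64.Decoder urlDecoder = Base64.getUrlDecoder();
        // Signum 1: both values are unsigned big-endian integers.
        BigInteger modulus = new BigInteger(1, urlDecoder.decode(jwk.getString(JWK_MODULUS)));
        BigInteger exponent = new BigInteger(1, urlDecoder.decode(jwk.getString(JWK_EXPONENT)));
        return KeyFactory.getInstance(RSA_ALGORITHM).generatePublic(new RSAPublicKeySpec(modulus, exponent));
    }

    /**
     * Parses the text as JSON and, if that fails, as Base64 encoded JSON.
     *
     * @param str JWK or JWK set text
     * @return the parsed JSON object
     */
    private JsonObject parseJwks(String str) throws Exception {
        try (JsonReader reader = Json.createReader(new StringReader(str))) {
            return reader.readObject();
        } catch (Exception notPlainJson) {
            try (InputStream decoded = new ByteArrayInputStream(Base64.getDecoder().decode(str));
                    JsonReader reader = Json.createReader(decoded)) {
                return reader.readObject();
            }
        }
    }

    /**
     * Selects the JWK for the given key id.
     *
     * @param jsonArray content of the {@code keys} member of a JWK set
     * @param str       key id from the token; when null, the first key of the set is used
     * @return the matching JWK
     * @throws IllegalStateException if no entry matches the key id
     */
    private JsonObject findJwk(JsonArray jsonArray, String str) {
        if (Objects.isNull(str) && jsonArray.size() > 0) {
            return jsonArray.getJsonObject(0);
        }
        for (JsonValue value : jsonArray) {
            JsonObject jwk = value.asJsonObject();
            // Entries without a "kid" are skipped instead of aborting the search with an
            // exception, so a later entry that does match is still found.
            if (Objects.equals(str, jwk.getString("kid", null))) {
                return jwk;
            }
        }
        throw new IllegalStateException("No matching JWK for KeyID.");
    }
}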
