package org.intermine.webservice.server;

import java.nio.charset.Charset;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Properties;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.lang.StringUtils;
import org.apache.log4j.Logger;
import org.intermine.web.logic.config.HeaderConfigTitle;
import org.intermine.web.security.KeySourceException;
import org.intermine.web.security.PublicKeySource;
import org.json.JSONException;
import org.json.JSONObject;

/* loaded from: input_file:org/intermine/webservice/server/JWTVerifier.class */
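/**
 * Verifies RSA-signed JWT tokens ({@code header.claims.signature}, each segment base64
 * encoded) and, on success, reports the issuer, principal and e-mail address carried in
 * the claims.
 *
 * <p>Behaviour is driven entirely by the {@link Properties} supplied at construction:
 * <ul>
 *   <li>{@code jwt.verifyaudience} - "true" (default) to compare the token's {@code aud}
 *       claim with {@code jwt.publicidentity}; tokens that carry no {@code aud} are not
 *       checked against it.</li>
 *   <li>{@code jwt.verification.strategy} - which public keys may verify the signature:
 *       {@code NAMED_ALIAS} (default; the alias in
 *       {@code security.keystore.alias.<issuer>}), {@code ANY} (every key the source
 *       knows) or {@code WHITELIST} (the aliases listed in {@code jwt.alias.whitelist}).</li>
 *   <li>{@code jwt.key.sub.<issuer>} / {@code jwt.key.email.<issuer>} - names of the claims
 *       holding the principal and e-mail for that issuer.</li>
 * </ul>
 *
 * <p>Only the {@code exp} claim is checked for time validity; there is no clock-skew
 * allowance and {@code nbf}/{@code iat} are not consulted. The verifier holds no mutable
 * state of its own and creates a fresh {@link Signature} for every verification.
 */
public class JWTVerifier {
    /** Property switching audience verification on or off (defaults to "true"). */
    public static final String VERIFYAUDIENCE = "jwt.verifyaudience";
    /** Property naming the key-selection strategy: NAMED_ALIAS (default), ANY or WHITELIST. */
    public static final String VERIFICATION_STRATEGY = "jwt.verification.strategy";
    /** Property holding the comma-separated key aliases used by the WHITELIST strategy. */
    public static final String WHITELIST = "jwt.alias.whitelist";

    private static final String EMAIL_CLAIM = "http://wso2.org/claims/emailaddress";
    private static final String NOT_FOR_US = "This token was issued for %s. We are %s";
    private static final String NO_PUBLIC_IDENTITY = "Could not verify audience - no public identity";
    private static final String PUBLIC_IDENTITY = "jwt.publicidentity";
    private static final String KEY_ALIAS_PREFIX = "security.keystore.alias.";
    private static final String SUBJECT_KEY_PREFIX = "jwt.key.sub.";
    private static final String EMAIL_KEY_PREFIX = "jwt.key.email.";
    private static final String STRATEGY_NAMED_ALIAS = "NAMED_ALIAS";
    private static final String STRATEGY_ANY = "ANY";
    private static final String STRATEGY_WHITELIST = "WHITELIST";
    // Token segments are JSON text and base64url characters; decode/encode them with an
    // explicit charset rather than the platform default.
    private static final Charset UTF8 = Charset.forName("UTF-8");
    private static final Logger LOG = Logger.getLogger(JWTVerifier.class);

    private final Properties options;
    private final PublicKeySource publicKeys;
    private final String strategy;

    /**
     * The result of a successful verification: the issuer, the principal (identity) and the
     * e-mail address (possibly {@code null}) read from the token's claims.
     */
    public static final class Verification {
        private final String identity;
        private final String issuer;
        private final String email;

        private Verification(String issuer, String identity, String email) {
            this.issuer = issuer;
            this.identity = identity;
            this.email = email;
        }

        /** @return the token's {@code iss} claim */
        public String getIssuer() {
            return this.issuer;
        }

        /** @return the principal named by the token (the configured subject claim, or {@code sub}) */
        public String getIdentity() {
            return this.identity;
        }

        /** @return the e-mail claim, or {@code null} when the token carries none */
        public String getEmail() {
            return this.email;
        }
    }

    /** Thrown when a token cannot be parsed, is expired, is not for us, or does not verify. */
    public static final class VerificationError extends Exception {
        private static final long serialVersionUID = 1215260310118002737L;

        public VerificationError(String message) {
            super(message);
        }

        /**
         * @param message description of the failure
         * @param cause the underlying exception, kept so that diagnostics are not lost
         */
        public VerificationError(String message, Throwable cause) {
            super(message, cause);
        }
    }

    /**
     * @param publicKeySource the source of public keys used to verify signatures
     * @param properties configuration, see the class documentation for the keys read
     * @throws NullPointerException if either argument is {@code null}
     */
    public JWTVerifier(PublicKeySource publicKeySource, Properties properties) {
        if (publicKeySource == null) {
            throw new NullPointerException("publicKeys must not be null");
        }
        if (properties == null) {
            throw new NullPointerException("options must not be null");
        }
        this.publicKeys = publicKeySource;
        this.options = properties;
        this.strategy = properties.getProperty(VERIFICATION_STRATEGY, STRATEGY_NAMED_ALIAS);
    }

    /**
     * Parses and verifies a JWT token.
     *
     * <p>Checks, in order: the token has three segments; the claims contain {@code exp} and
     * {@code iss}; the audience (if present) matches our public identity; the token has not
     * expired; and the signature verifies under the configured strategy.
     *
     * @param token the compact-serialised JWT
     * @return the issuer, principal and e-mail read from the claims
     * @throws VerificationError if any of the checks above fails
     */
    public Verification verify(String token) throws VerificationError {
        if (StringUtils.isBlank(token)) {
            throw new VerificationError("token is blank");
        }
        String[] segments = token.split("\\.");
        if (segments.length != 3) {
            throw new VerificationError("Illegal JWT token.");
        }
        // NOTE(review): commons-codec's decoder is expected to accept both the standard and the
        // URL-safe alphabet, which is what makes base64url JWT segments decode here - confirm
        // against the codec version in use.
        Base64 base64 = new Base64();
        try {
            JSONObject header = new JSONObject(new String(base64.decode(segments[0]), UTF8));
            JSONObject claims = new JSONObject(new String(base64.decode(segments[1]), UTF8));
            long expiry = claims.getLong("exp");
            String issuer = claims.getString("iss");
            verifyAudience(claims.optString("aud"));
            // exp is in seconds since the epoch; a token expiring exactly now is rejected.
            long expiredFor = (System.currentTimeMillis() / 1000) - expiry;
            if (expiredFor >= 0) {
                throw new VerificationError(
                    String.format("This token expired %d seconds ago", Long.valueOf(expiredFor)));
            }
            // The signature covers the two encoded segments joined by '.', not the decoded JSON.
            String signedInput = segments[0] + "." + segments[1];
            byte[] signature = base64.decode(segments[2]);
            if (!canVerify(header, claims, signedInput, signature)) {
                throw new VerificationError("Could not verify signature.");
            }
            return new Verification(issuer, getPrincipal(claims), getEmail(claims));
        } catch (JSONException e) {
            throw new VerificationError("Could not parse token: " + e.getMessage(), e);
        }
    }

    /**
     * Compares the token's audience with our configured public identity.
     *
     * <p>Nothing is checked when {@code jwt.verifyaudience} is not "true" or when the token
     * names no audience at all.
     *
     * @param audience the {@code aud} claim, possibly blank
     * @throws VerificationError if checking is enabled and no public identity is configured,
     *         or the audience names someone else
     */
    private void verifyAudience(String audience) throws VerificationError {
        boolean enabled = "true".equalsIgnoreCase(options.getProperty(VERIFYAUDIENCE, "true"));
        if (!enabled || StringUtils.isBlank(audience)) {
            return;
        }
        String ourIdentity = options.getProperty(PUBLIC_IDENTITY);
        if (ourIdentity == null) {
            throw new VerificationError(NO_PUBLIC_IDENTITY);
        }
        if (!ourIdentity.equals(audience)) {
            throw new VerificationError(String.format(NOT_FOR_US, audience, ourIdentity));
        }
    }

    /**
     * @param issuer the token's {@code iss} claim
     * @return the configured keystore alias for that issuer, or {@code null} if none
     */
    private String getKeyAlias(String issuer) {
        return options.getProperty(KEY_ALIAS_PREFIX + issuer);
    }

    /**
     * Reads the principal from the claims. The claim name comes from
     * {@code jwt.key.sub.<issuer>} when configured, otherwise {@code HeaderConfigTitle.SUB}.
     *
     * @throws VerificationError if {@code iss} or the chosen claim is missing
     */
    private String getPrincipal(JSONObject claims) throws VerificationError {
        try {
            String subjectKey = SUBJECT_KEY_PREFIX + claims.getString("iss");
            if (options.containsKey(subjectKey)) {
                return claims.getString(options.getProperty(subjectKey));
            }
            return claims.getString(HeaderConfigTitle.SUB);
        } catch (JSONException e) {
            throw new VerificationError("Could not read principal: " + e.getMessage(), e);
        }
    }

    /**
     * Reads the e-mail address from the claims. The claim name comes from
     * {@code jwt.key.email.<issuer>} when configured, otherwise the WSO2 e-mail claim.
     *
     * @return the e-mail, or {@code null} if the token has no such claim
     * @throws VerificationError if {@code iss} is missing
     */
    private String getEmail(JSONObject claims) throws VerificationError {
        try {
            String emailKey = options.getProperty(EMAIL_KEY_PREFIX + claims.getString("iss"), EMAIL_CLAIM);
            return claims.has(emailKey) ? claims.getString(emailKey) : null;
        } catch (JSONException e) {
            throw new VerificationError("Could not read email: " + e.getMessage(), e);
        }
    }

    /**
     * Checks the signature using the keys permitted by the configured strategy.
     *
     * @param header the decoded JWT header (supplies {@code alg})
     * @param claims the decoded claims (supplies {@code iss})
     * @param signedInput the text the signature was computed over
     * @param signature the decoded signature bytes
     * @return {@code true} if some permitted key verifies the signature
     * @throws VerificationError if the token is unsigned, names a non-RSA or missing
     *         algorithm, lacks {@code iss}, uses an unknown strategy, or keys cannot be loaded
     */
    private boolean canVerify(JSONObject header, JSONObject claims, String signedInput, byte[] signature)
        throws VerificationError {
        if (signature == null || signature.length == 0) {
            throw new VerificationError("Cannot verify an unsigned token");
        }
        String issuer;
        String algorithm;
        try {
            issuer = claims.getString("iss");
            algorithm = header.getString("alg");
        } catch (JSONException e) {
            throw new VerificationError("Missing required property: " + e.getMessage(), e);
        }
        // The algorithm name comes from the unauthenticated header. Restricting it to *withRSA
        // stops a token from selecting "none" or an HMAC algorithm, but any RSA digest variant
        // the JCA provider knows (including legacy ones such as MD5withRSA) is still accepted;
        // pinning an explicit allow-list (e.g. SHA256withRSA) would be stricter.
        if (!algorithm.endsWith("withRSA")) {
            throw new VerificationError("Unsupported signing algorithm: " + algorithm);
        }
        LOG.debug("Verifying using " + strategy + " strategy");
        try {
            if (STRATEGY_NAMED_ALIAS.equals(strategy)) {
                return verifyNamedAlias(signedInput, signature, issuer, algorithm);
            }
            if (STRATEGY_ANY.equals(strategy)) {
                return verifyAnyAlias(signedInput, signature, algorithm);
            }
            if (STRATEGY_WHITELIST.equals(strategy)) {
                return verifyWhitelistedAliases(signedInput, signature, algorithm);
            }
            throw new VerificationError("Unknown verification strategy: " + strategy);
        } catch (KeySourceException e) {
            throw new VerificationError("Could not retrieve public key", e);
        }
    }

    /**
     * WHITELIST strategy: try each alias listed in {@code jwt.alias.whitelist}. Entries are
     * trimmed and blank ones skipped, so {@code "a, b"} matches the aliases {@code a} and
     * {@code b}.
     */
    private boolean verifyWhitelistedAliases(String signedInput, byte[] signature, String algorithm)
        throws VerificationError, KeySourceException {
        List<String> aliasList = new ArrayList<String>();
        for (String entry : options.getProperty(WHITELIST, "").split(",")) {
            if (StringUtils.isNotBlank(entry)) {
                aliasList.add(entry.trim());
            }
        }
        String[] aliases = aliasList.toArray(new String[aliasList.size()]);
        LOG.debug("Using any of " + StringUtils.join(aliases, ", ") + " to verify JWT");
        return verifyWithAny(publicKeys.getSome(aliases), algorithm, signedInput, signature);
    }

    /** ANY strategy: accept the token if any key known to the source verifies it. */
    private boolean verifyAnyAlias(String signedInput, byte[] signature, String algorithm)
        throws VerificationError, KeySourceException {
        return verifyWithAny(publicKeys.getAll(), algorithm, signedInput, signature);
    }

    /**
     * NAMED_ALIAS strategy: use only the key whose alias is configured for the issuer.
     *
     * @throws VerificationError if no alias is configured for {@code issuer}
     */
    private boolean verifyNamedAlias(String signedInput, byte[] signature, String issuer, String algorithm)
        throws VerificationError, KeySourceException {
        String keyAlias = getKeyAlias(issuer);
        if (StringUtils.isBlank(keyAlias)) {
            throw new VerificationError("Unknown identity issuer: " + issuer);
        }
        LOG.debug("Using key aliased as " + keyAlias + " to verify JWT");
        return verifySignature(publicKeys.get(keyAlias), algorithm, signedInput, signature);
    }

    /** @return {@code true} as soon as one of {@code keys} verifies the signature */
    private boolean verifyWithAny(Iterable<PublicKey> keys, String algorithm, String signedInput,
        byte[] signature) throws VerificationError {
        for (PublicKey key : keys) {
            if (verifySignature(key, algorithm, signedInput, signature)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Verifies {@code signature} over {@code signedInput} with a single key.
     *
     * @param key the public key to verify with
     * @param algorithm a JCA signature algorithm name, e.g. {@code SHA256withRSA}
     * @param signedInput the text that was signed
     * @param signature the raw signature bytes
     * @return whether the signature is valid for this key
     * @throws VerificationError if the algorithm is unavailable, the key is rejected, or the
     *         JCA engine fails; the underlying exception is kept as the cause
     */
    private boolean verifySignature(PublicKey key, String algorithm, String signedInput, byte[] signature)
        throws VerificationError {
        Signature verifier;
        try {
            verifier = Signature.getInstance(algorithm);
        } catch (NoSuchAlgorithmException e) {
            throw new VerificationError("Unsupported signing algorithm: " + algorithm, e);
        }
        try {
            verifier.initVerify(key);
        } catch (InvalidKeyException e) {
            throw new VerificationError("Key is invalid. " + e.getMessage(), e);
        }
        try {
            verifier.update(signedInput.getBytes(UTF8));
        } catch (SignatureException e) {
            throw new VerificationError("Error creating signature: " + e.getMessage(), e);
        }
        try {
            return verifier.verify(signature);
        } catch (SignatureException e) {
            throw new VerificationError("Error during verification: " + e.getMessage(), e);
        }
    }
}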
