package com.atlassian.stride.auth;

import com.atlassian.stride.auth.config.IssuerContextConfigSupplier;
import com.atlassian.stride.auth.exception.InvalidTokenException;
import com.atlassian.stride.auth.model.StrideJwtToken;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.crypto.MACVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.text.ParseException;
import java.util.Objects;
import net.minidev.json.JSONObject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/atlassian/stride/auth/TokenVerifierHelper.class */
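public class TokenVerifierHelper {
    private static final Logger log = LoggerFactory.getLogger(TokenVerifierHelper.class);

    /**
     * Parses a serialized JWT, looks up the shared secret for its issuer and verifies the signature.
     *
     * <p>The claims are read before the signature is checked, solely to select the issuer's secret
     * from the {@code iss} claim. The token is returned only after {@link #verifySignedJwt} succeeds.
     *
     * <p>NOTE(review): nothing in this class compares {@code exp} with the current time. Confirm that
     * the caller rejects expired tokens.
     *
     * @param str the serialized token as received from the client
     * @param issuerContextConfigSupplier lookup of per-issuer configuration, including the secret
     * @return the token's claims, after the signature has been verified
     * @throws InvalidTokenException if the token is missing, cannot be parsed, names an unknown
     *     issuer, or fails signature verification
     */
    public static StrideJwtToken verifyAuthorizationToken(String str, IssuerContextConfigSupplier issuerContextConfigSupplier) throws InvalidTokenException {
        if (str == null) {
            // A missing token is an authentication failure, not an internal error.
            throw new InvalidTokenException("Failed to parse token");
        }
        try {
            SignedJWT parse = SignedJWT.parse(str);
            // The serialized token is a bearer credential and is deliberately not logged.
            log.debug("Parsed token");
            StrideJwtToken strideJwt = toStrideJwt(parse);
            verifySignedJwt(parse, issuerContextConfigSupplier.forIssuer(strideJwt.getIss()).orElseThrow(() -> {
                log.error("Cannot find credentials for issuer {}", strideJwt.getIss());
                return new InvalidTokenException("Token 'iss' does not match any known issuer: " + strideJwt.getIss());
            }).secret());
            return strideJwt;
        } catch (ParseException e) {
            throw new InvalidTokenException("Failed to parse token", e);
        }
    }

    /**
     * Copies the claims of a parsed JWT into a {@link StrideJwtToken}.
     *
     * <p>This method does not verify the signature, so the result must not be trusted until
     * {@link #verifySignedJwt} has accepted the same token.
     *
     * @param signedJWT the parsed token
     * @return a token model holding {@code iss}, {@code exp}, {@code iat}, the JWT ID, {@code sub}
     *     and, when present, the {@code context} claim
     * @throws InvalidTokenException if the claim set or the {@code context} claim cannot be parsed,
     *     or if {@code exp} or {@code iat} is absent
     */
    public static StrideJwtToken toStrideJwt(SignedJWT signedJWT) throws InvalidTokenException {
        try {
            JWTClaimsSet jWTClaimsSet = signedJWT.getJWTClaimsSet();
            // Log identifying claims only, never the serialized token.
            log.debug("Token claims: iss={}, sub={}, jti={}", jWTClaimsSet.getIssuer(), jWTClaimsSet.getSubject(), jWTClaimsSet.getJWTID());
            // Without this check a token lacking exp or iat would fail with a NullPointerException
            // instead of being rejected as invalid.
            if (jWTClaimsSet.getExpirationTime() == null || jWTClaimsSet.getIssueTime() == null) {
                throw new InvalidTokenException("Token is missing the 'exp' or 'iat' claim");
            }
            StrideJwtToken.StrideJwtTokenBuilder sub = StrideJwtToken.builder()
                    .iss(jWTClaimsSet.getIssuer())
                    .exp(Long.valueOf(jWTClaimsSet.getExpirationTime().getTime()))
                    .iat(Long.valueOf(jWTClaimsSet.getIssueTime().getTime()))
                    .jtw(jWTClaimsSet.getJWTID())
                    .sub(jWTClaimsSet.getSubject());
            try {
                JSONObject jSONObjectClaim = jWTClaimsSet.getJSONObjectClaim("context");
                if (jSONObjectClaim != null) {
                    // Absent context fields stay null rather than becoming the string "null".
                    sub.context(new StrideJwtToken.Context(
                            Objects.toString(jSONObjectClaim.get("cloudId"), null),
                            Objects.toString(jSONObjectClaim.get("resourceType"), null),
                            Objects.toString(jSONObjectClaim.get("resourceId"), null)));
                }
                return sub.build();
            } catch (ParseException e) {
                throw new InvalidTokenException("Failed to parse claim context", e);
            }
        } catch (ParseException e2) {
            throw new InvalidTokenException("Failed to parse claim set", e2);
        }
    }

    /**
     * Verifies the token's MAC signature with the given shared secret.
     *
     * @param signedJWT the parsed token
     * @param str the issuer's shared secret
     * @throws InvalidTokenException if the signature does not match, or if verification itself
     *     fails with a {@link JOSEException} or {@link ParseException}
     */
    public static void verifySignedJwt(SignedJWT signedJWT, String str) throws InvalidTokenException {
        try {
            if (!signedJWT.verify(new MACVerifier(str))) {
                // The rejected token is not logged: it may be a near-valid credential.
                log.debug("Token signature verification failed");
                throw new InvalidTokenException("Token is invalid");
            }
            // The original message had two placeholders but one argument. The token is left out.
            log.debug("Authorized to {}", signedJWT.getJWTClaimsSet().getIssuer());
        } catch (ParseException | JOSEException e) {
            throw new InvalidTokenException("Could not verify token", e);
        }
    }
}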
