package com.solutionappliance.support.jwt;

import com.solutionappliance.core.data.int8.ByteArray;
import com.solutionappliance.core.data.int8.codec.TextCodec;
import com.solutionappliance.core.lang.Level;
import com.solutionappliance.core.lang.MultiPartName;
import com.solutionappliance.core.system.ActorContext;
import com.solutionappliance.core.system.credential.Identity;
import com.solutionappliance.core.text.entity.TextEntity;
import com.solutionappliance.core.text.json.JsonWriter;
import com.solutionappliance.core.text.writer.TextPrinter;
import com.solutionappliance.core.text.writer.format.Indent;
import com.solutionappliance.core.text.writer.spi.TextPrintable;
import com.solutionappliance.core.type.JavaType;
import com.solutionappliance.core.util.CommonUtil;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.PublicKey;
import java.security.Signature;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;
import java.util.StringJoiner;
import org.checkerframework.dataflow.qual.SideEffectFree;

/* loaded from: input_file:com/solutionappliance/support/jwt/Jwt.class */
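/**
 * A parsed JSON Web Token in compact serialization ({@code header.payload[.signature]}).
 *
 * <p>Construction only decodes and parses the segments; it does not verify the signature.
 * Nothing read from {@link #header()}, {@link #payload()} or {@link #identityName()} should
 * be treated as authenticated until {@link #assertValid(Instant)} has returned normally.
 */
public class Jwt implements Identity, TextPrintable {
    public static final JavaType<Jwt> type = JavaType.forClass(Jwt.class);
    private final JwtHeader header;
    // Original base64url-decoded header bytes, kept so the signing input can be rebuilt exactly.
    private final ByteArray encodedHeader;
    private final JwtPayload payload;
    // Original base64url-decoded payload bytes, kept for the same reason as encodedHeader.
    private final ByteArray encodedPayload;
    // Decoded signature segment, or null when the token string had only two segments.
    private final ByteArray signature;

    /**
     * Parses a compact JWT string into header, payload and (optional) signature.
     *
     * <p>A two-segment string (no signature) is accepted here so the token can still be
     * inspected and printed; such a token is rejected by {@link #assertValid(Instant)}.
     * {@link String#split(String)} drops trailing empty strings, so {@code "h.p."} is
     * parsed the same way as {@code "h.p"}.
     *
     * @param actorContext context passed through to the header and payload parsers
     * @param str the compact token string
     * @throws IllegalArgumentException if the string does not have two or three segments
     */
    public Jwt(ActorContext actorContext, String str) {
        String[] segments = str.split("\\.");
        if (segments.length < 2 || segments.length > 3) {
            throw new IllegalArgumentException("Invalid JWT token string");
        }
        this.encodedHeader = ByteArray.valueOf(TextCodec.base64url, segments[0]);
        this.encodedPayload = ByteArray.valueOf(TextCodec.base64url, segments[1]);
        this.header = new JwtHeader(actorContext, this.encodedHeader);
        this.payload = new JwtPayload(actorContext, this.encodedPayload);
        this.signature = segments.length == 3 ? ByteArray.valueOf(TextCodec.base64url, segments[2]) : null;
    }

    /** Returns the parsed header. Its values are unauthenticated until {@link #assertValid(Instant)} succeeds. */
    public JwtHeader header() {
        return this.header;
    }

    /** Returns the parsed payload. Its claims are unauthenticated until {@link #assertValid(Instant)} succeeds. */
    public JwtPayload payload() {
        return this.payload;
    }

    /**
     * Re-serializes this token from the stored header and payload bytes.
     *
     * @param z when {@code true} and a signature is present, the signature segment is appended;
     *     when {@code false} the result is the {@code header.payload} signing input
     * @return the base64url segments joined with {@code '.'}
     */
    public String toJwtString(boolean z) {
        StringJoiner segments = new StringJoiner(".");
        segments.add((CharSequence) this.encodedHeader.read(TextCodec.base64url));
        segments.add((CharSequence) this.encodedPayload.read(TextCodec.base64url));
        if (z && this.signature != null) {
            segments.add((CharSequence) this.signature.read(TextCodec.base64url));
        }
        return segments.toString();
    }

    /** Renders the header and payload through {@link TextPrinter}; the signature is not included. */
    @Override
    @SideEffectFree
    public String toString() {
        return TextPrinter.forClass(getClass()).printValueLine(this.header).printValueLine(this.payload).done().toString();
    }

    /**
     * Prints this token. At {@link Level#INFO} or above only the {@link #toString()} summary is
     * written; otherwise the header, payload, their {@code extra} fields and the signature are
     * written as an indented block.
     */
    @Override // com.solutionappliance.core.system.credential.Identity, com.solutionappliance.core.text.writer.spi.TextPrintable
    public void print(ActorContext actorContext, TextPrinter textPrinter, Level level) {
        if (level.greaterThanOrEqualTo(Level.INFO)) {
            textPrinter.print(toString());
            return;
        }
        // NOTE(review): the detailed form writes every claim plus the raw signature; treat any
        // sink that receives it as holding credential material.
        textPrinter.println(toString());
        textPrinter.startFormat(Indent.format)
                .println(level, this.header)
                .println("Extra: " + this.header.extra)
                .println(level, this.payload)
                .println("Extra: " + this.payload.extra)
                .endFormat();
        ByteArray sig = this.signature;
        if (sig != null) {
            textPrinter.println("Signature").startFormat(Indent.format).println((String) sig.read(TextCodec.base64url)).endFormat();
        }
    }

    /**
     * Selects the key used to verify the signature from the payload's provider metadata.
     *
     * <p>The key named by the header's key id is preferred. If that id is absent or unknown,
     * the first key that has no {@code use} or whose {@code use} is {@code "sig"} is returned.
     *
     * @throws JwtVerificationException if no candidate key exists
     */
    private JsonWebKey signatureVerificationKey() throws JwtVerificationException {
        // NOTE(review): the key set is reached through the (still unverified) payload; confirm
        // that providerMetadata() only resolves issuers from trusted configuration.
        Map<String, JsonWebKey> keyMap = this.payload.providerMetadata().keyMap();
        if (this.header.hasKeyId()) {
            JsonWebKey byKeyId = keyMap.get(this.header.getKeyId());
            if (byKeyId != null) {
                return byKeyId;
            }
        }
        // NOTE(review): falling back to another key when the kid is unknown is lenient; the
        // signature must still verify under that key, but a strict kid match may be preferable.
        return keyMap.values().stream()
                .filter(jwk -> !jwk.hasUse() || "sig".equals(jwk.getUse()))
                .findFirst()
                .orElseThrow(() -> new JwtVerificationException(new MultiPartName("safeature", "jwt", "signature", "key", "notfound"), "Could not find a verification key"));
    }

    /**
     * Builds the identity name from the payload's issuer and subject, substituting
     * {@code "unknown"} for whichever {@code CommonUtil.firstNonNull} finds missing.
     *
     * <p>The claims are read as parsed; this method does not check that the token was verified.
     */
    @Override // com.solutionappliance.core.system.credential.Identity
    public MultiPartName identityName() {
        // NOTE(review): "safeatue" differs from the "safeature" prefix used by the error names in
        // this class and looks like a typo; left unchanged because consumers may match on it.
        String issuer = (String) CommonUtil.firstNonNull(this.payload.tryGetIssuer(), "unknown");
        String subject = (String) CommonUtil.firstNonNull(this.payload.tryGetSubject(), "unknown");
        return new MultiPartName("safeatue", issuer, subject);
    }

    /**
     * Removes whitespace that lies outside double-quoted JSON strings.
     *
     * <p>A backslash escapes exactly the one character that follows it, so an escaped quote
     * ({@code \"}) does not end the string and an ordinary escape such as {@code \n} does not
     * affect how later quotes are interpreted.
     */
    private static String removeNonQuotedSpaces(String str) {
        StringBuilder compact = new StringBuilder(str.length());
        boolean inQuotes = false;
        boolean escaped = false;
        for (char c : str.toCharArray()) {
            if (escaped) {
                // This character is consumed by the preceding backslash, whatever it is.
                escaped = false;
            } else if (c == '\\') {
                escaped = true;
            } else if (c == '\"') {
                inQuotes = !inQuotes;
            }
            if (inQuotes || !Character.isWhitespace(c)) {
                compact.append(c);
            }
        }
        return compact.toString();
    }

    /** Writes {@code textEntity} as a JSON object and strips whitespace outside string values. */
    private static String toJsonString(ActorContext actorContext, TextEntity textEntity) {
        try (JsonWriter jsonWriter = (JsonWriter) TextPrinter.forString(actorContext).open(JsonWriter.jsonObject())) {
            textEntity.writeValue(actorContext, jsonWriter);
            return removeNonQuotedSpaces(jsonWriter.done().toString());
        }
    }

    /**
     * Encodes an entity as one JWT segment: compact JSON, UTF-8, base64url without padding.
     *
     * @return the unpadded base64url text of the entity's JSON form
     */
    public static String toJwtString(ActorContext actorContext, TextEntity textEntity) {
        byte[] json = toJsonString(actorContext, textEntity).getBytes(StandardCharsets.UTF_8);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(json);
    }

    /**
     * Validates the payload at the given instant and verifies the token's signature.
     *
     * <p>The method fails closed: a token without a signature segment is rejected rather than
     * being accepted unverified.
     *
     * @param instant the time passed to the payload's own validity check
     * @throws JwtVerificationException if the payload check fails, the header lacks a key id or
     *     algorithm, the {@code typ} is not {@code JWT}, the signature is missing, no usable
     *     verification key is found, or the signature does not verify
     */
    public void assertValid(Instant instant) throws JwtVerificationException {
        this.payload.assertValid(instant);
        if (!this.header.hasKeyId()) {
            throw new JwtVerificationException(new MultiPartName("safeature", "jwt", "kid", "notfound"), "No JWT keyId found in header");
        }
        if (!this.header.hasAlgorithm()) {
            throw new JwtVerificationException(new MultiPartName("safeature", "jwt", "alg", "notfound"), "No JWT algorithm found in header");
        }
        if (this.header.hasJwtType() && !"JWT".equalsIgnoreCase(this.header.getJwtType())) {
            throw new JwtVerificationException(new MultiPartName("safeature", "jwt", "typ", "invalid"), "Expecting a JWT token, not $[jwtType]").add("jwtType", (Object) this.header.getJwtType());
        }
        // An unsigned token carries no proof of origin, so it must never pass validation.
        ByteArray sig = this.signature;
        if (sig == null) {
            throw new JwtVerificationException(new MultiPartName("safeature", "jwt", "signature", "notfound"), "No JWT signature found");
        }
        JsonWebKey verificationKey = signatureVerificationKey();
        // The header is guaranteed to carry an algorithm by the check above.
        // NOTE(review): this value comes from the token itself; confirm that it is constrained
        // to the algorithm the selected key is meant for (the key's own algorithm is not compared here).
        JwsSignatureAlgorithm algorithm = this.header.getAlgorithm();
        Object key = verificationKey.toKey();
        if (!(key instanceof PublicKey)) {
            // Only asymmetric verification is supported; reject instead of failing on a cast.
            throw new JwtVerificationException(new MultiPartName("safeature", "jwt", "signature", "key", "invalid"), "Verification key is not a public key");
        }
        byte[] signingInput = toJwtString(false).getBytes(StandardCharsets.UTF_8);
        try {
            Signature verifier = algorithm.jceSignature();
            verifier.initVerify((PublicKey) key);
            verifier.update(signingInput);
            if (!verifier.verify(sig.toArray())) {
                throw new JwtVerificationException(new MultiPartName("safeature", "jwt", "signature", "invalid"), "Invalid signature");
            }
        } catch (GeneralSecurityException e) {
            throw new JwtVerificationException(new MultiPartName("safeature", "jwt", "signature", "invalid"), "Unable to verify signature", e);
        }
    }
}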
