package com.solutionappliance.support.google.jwt;

import com.solutionappliance.core.data.int8.ByteArray;
import com.solutionappliance.core.data.int8.codec.TextCodec;
import com.solutionappliance.core.lang.Level;
import com.solutionappliance.core.lang.MultiPartName;
import com.solutionappliance.core.system.ActorContext;
import com.solutionappliance.core.system.credential.Identity;
import com.solutionappliance.core.text.entity.TextEntity;
import com.solutionappliance.core.text.writer.TextPrinter;
import com.solutionappliance.core.text.writer.format.Indent;
import com.solutionappliance.core.text.writer.spi.TextPrintable;
import com.solutionappliance.core.type.JavaType;
import com.solutionappliance.core.util.CommonUtil;
import com.solutionappliance.support.jwt.JsonWebKey;
import com.solutionappliance.support.jwt.JwsSignatureAlgorithm;
import com.solutionappliance.support.jwt.Jwt;
import com.solutionappliance.support.jwt.JwtHeader;
import com.solutionappliance.support.jwt.JwtVerificationException;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.PublicKey;
import java.security.Signature;
import java.time.Instant;
import java.util.Map;
import java.util.Optional;
import java.util.StringJoiner;
import org.checkerframework.dataflow.qual.SideEffectFree;

/* loaded from: input_file:com/solutionappliance/support/google/jwt/GoogleJwt.class */
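/**
 * A JSON Web Token in compact form ({@code header.payload[.signature]}) whose payload is
 * parsed as a {@link GoogleJwtPayload}.
 *
 * <p>Constructing an instance only decodes and parses the token; nothing is verified.
 * {@link #header()}, {@link #payload()} and {@link #identityName()} therefore expose
 * token-supplied, unauthenticated data until {@link #assertValid(Instant)} has returned
 * normally. Callers must not make trust decisions on those values before that point.
 */
public class GoogleJwt implements Identity, TextPrintable {
    public static final JavaType<GoogleJwt> type = JavaType.forClass(GoogleJwt.class);
    private final JwtHeader header;
    private final ByteArray encodedHeader;
    private final GoogleJwtPayload payload;
    private final ByteArray encodedPayload;
    // null when the token string carried only two segments (no signature part).
    private final ByteArray signature;

    /**
     * Parses a compact JWT string.
     *
     * <p>Two-segment (unsigned) and three-segment strings are both accepted here so that
     * such tokens can still be inspected and printed; {@link #assertValid(Instant)} is what
     * rejects a token without a signature.
     *
     * @param actorContext context handed to the header and payload parsers
     * @param str the compact token, segments separated by {@code '.'}
     * @throws IllegalArgumentException if the string does not split into 2 or 3 segments
     */
    public GoogleJwt(ActorContext actorContext, String str) {
        String[] split = str.split("\\.");
        if (split.length < 2 || split.length > 3) {
            throw new IllegalArgumentException("Invalid JWT token string");
        }
        this.encodedHeader = ByteArray.valueOf(TextCodec.base64url, split[0]);
        this.encodedPayload = ByteArray.valueOf(TextCodec.base64url, split[1]);
        this.header = new JwtHeader(actorContext, this.encodedHeader);
        this.payload = new GoogleJwtPayload(actorContext, this.encodedPayload);
        this.signature = split.length == 3 ? ByteArray.valueOf(TextCodec.base64url, split[2]) : null;
    }

    /** Returns the parsed header. Unauthenticated until {@link #assertValid(Instant)} succeeds. */
    public JwtHeader header() {
        return this.header;
    }

    /** Returns the parsed payload. Unauthenticated until {@link #assertValid(Instant)} succeeds. */
    public GoogleJwtPayload payload() {
        return this.payload;
    }

    /**
     * Re-encodes the token in compact form from the segments as they were received.
     *
     * @param z when {@code true}, the signature segment is appended if the token has one;
     *     when {@code false}, only {@code header.payload} is returned (the signing input)
     * @return the base64url segments joined with {@code '.'}
     */
    public String toJwtString(boolean z) {
        StringJoiner add = new StringJoiner(".").add((CharSequence) this.encodedHeader.read(TextCodec.base64url)).add((CharSequence) this.encodedPayload.read(TextCodec.base64url));
        if (z && this.signature != null) {
            add.add((CharSequence) this.signature.read(TextCodec.base64url));
        }
        return add.toString();
    }

    /**
     * Renders header, payload and signature through {@link TextPrinter}.
     *
     * <p>NOTE(review): the signature is part of this output. How {@code printValueLine}
     * renders each value is not visible here; if the result is enough to rebuild the
     * token, anything that logs this string is logging a bearer credential. Confirm.
     */
    @Override
    @SideEffectFree
    public String toString() {
        return TextPrinter.forClass(getClass()).printValueLine(this.header).printValueLine(this.payload).printValueLine(this.signature).done().toString();
    }

    /**
     * Prints the token. At {@link Level#INFO} or above only the {@link #toString()} line is
     * written; below that, header, payload and the base64url signature follow, indented.
     *
     * <p>The detailed form writes the signature segment verbatim, so its output should be
     * handled like the token itself.
     */
    @Override // com.solutionappliance.core.system.credential.Identity, com.solutionappliance.core.text.writer.spi.TextPrintable
    public void print(ActorContext actorContext, TextPrinter textPrinter, Level level) {
        boolean summaryOnly = level.greaterThanOrEqualTo(Level.INFO);
        textPrinter.println(toString());
        if (summaryOnly) {
            return;
        }
        // NOTE(review): "Paylod" is a typo for "Payload"; kept byte-for-byte because
        // consumers of this output are not visible from here.
        textPrinter.println("Header").startFormat(Indent.format).println(Level.DETAIL, this.header).endFormat().println("Paylod").startFormat(Indent.format).println(Level.DETAIL, this.payload).endFormat();
        if (this.signature != null) {
            textPrinter.println("Signature").startFormat(Indent.format).println((String) this.signature.read(TextCodec.base64url)).endFormat();
        }
    }

    /**
     * Selects the key used to check the signature.
     *
     * <p>Lookup order: (1) a key compiled into this class, when the header's key id matches
     * it; (2) the provider-metadata key with the header's key id; (3) the first
     * provider-metadata key that either declares no use or declares use {@code "sig"}.
     *
     * <p>NOTE(review): the compiled-in key is trusted whenever its key id is presented,
     * independently of the provider metadata, so it stays accepted even after the provider
     * rotates or retires it. Confirm that this pin is intentional and has an owner.
     *
     * <p>NOTE(review): the key map is reached through the payload, which is still
     * unauthenticated at this point. How {@code providerMetadata()} resolves the provider
     * is not visible here; it must come from a fixed, trusted issuer configuration and not
     * from a location the token itself names. Confirm.
     *
     * <p>NOTE(review): step (3) means a token whose key id matches nothing is still checked
     * against some key instead of being rejected. The signature must still verify, but
     * failing closed on an unknown key id would be the stricter behaviour.
     *
     * @return the verification key
     * @throws JwtVerificationException if no candidate key exists
     */
    private JsonWebKey signatureVerificationKey() throws JwtVerificationException {
        if (this.header.hasKeyId() && "d25f8dbcf97dc7ec401f0171fb6e6bda9ed9e792".equals(this.header.getKeyId())) {
            return new GoogleWebKey(ActorContext.staticContext(), "d25f8dbcf97dc7ec401f0171fb6e6bda9ed9e792", "RSA", JwsSignatureAlgorithm.StandardAlgorithm.RS256, "sig", new BigInteger("24870100232935884166003601397517657223586180353826206880482360905394714965691130149893196445571551971965667671072883922323959846035717111697376676439202019270202545407851304782772652364285635135823780092214897082334237407070937066795005814631108768284841013514591302083520781932036943404267751180454731137904311706922102990362728369637123637241108684852171215752463867307619321167718478879182374251524967054448715924417781269992296643252830146949379063628657045686063829166115815804908252315841900606282279439822562120642645396417002750186609071991546725000464582835870303742670331631919995671606266789246670985902233"), new BigInteger("65537"));
        }
        Map<String, JsonWebKey> keyMap = this.payload.providerMetadata().keyMap();
        if (this.header.hasKeyId()) {
            JsonWebKey byKeyId = keyMap.get(this.header.getKeyId());
            if (byKeyId != null) {
                return byKeyId;
            }
        }
        Optional<JsonWebKey> firstSigningKey = keyMap.values().stream()
                .filter(candidate -> !candidate.hasUse() || "sig".equals(candidate.getUse()))
                .findFirst();
        if (firstSigningKey.isPresent()) {
            return firstSigningKey.get();
        }
        throw new JwtVerificationException(new MultiPartName("safeature", "google", "signature", "key", "notfound"), "Could not find a verification key");
    }

    /**
     * Builds the identity name from the payload's issuer and subject, substituting
     * {@code "unknown"} for either one that is absent.
     *
     * <p>The values come straight from the payload, so the name is only meaningful after
     * {@link #assertValid(Instant)} has succeeded.
     *
     * <p>NOTE(review): the first part is spelled {@code "safeatue"} while every error name
     * in this class uses {@code "safeature"}. Left unchanged because stored or compared
     * identity names may depend on the current spelling; confirm which one is intended.
     */
    @Override // com.solutionappliance.core.system.credential.Identity
    public MultiPartName identityName() {
        return new MultiPartName("safeatue", (String) CommonUtil.firstNonNull(this.payload.tryGetIssuer(), "unknown"), (String) CommonUtil.firstNonNull(this.payload.tryGetSubject(), "unknown"));
    }

    /** Delegates to {@link Jwt#toJwtString(ActorContext, TextEntity)}. */
    static String toJwtString(ActorContext actorContext, TextEntity textEntity) {
        return Jwt.toJwtString(actorContext, textEntity);
    }

    /**
     * Validates the payload and header and verifies the signature over
     * {@code header.payload}.
     *
     * <p>A token without a signature segment is rejected. Previously the signature check
     * was skipped when the segment was absent, so a two-segment token with acceptable
     * claims passed validation without any cryptographic proof of origin.
     *
     * @param instant passed through to the payload's own validation
     * @throws JwtVerificationException if payload validation fails, the header lacks a key
     *     id or algorithm, the declared type is not JWT, the signature is missing, no
     *     verification key is found, or the signature does not verify
     */
    public void assertValid(Instant instant) throws JwtVerificationException {
        this.payload.assertValid(instant);
        if (!this.header.hasKeyId()) {
            throw new JwtVerificationException(new MultiPartName("safeature", "google", "kid", "notfound"), "No JWT keyId found in header");
        }
        if (!this.header.hasAlgorithm()) {
            throw new JwtVerificationException(new MultiPartName("safeature", "google", "alg", "notfound"), "No JWT algorithm found in header");
        }
        if (this.header.hasJwtType() && !"JWT".equalsIgnoreCase(this.header.getJwtType())) {
            throw new JwtVerificationException(new MultiPartName("safeature", "google", "typ", "invalid"), "Expecting a JWT token, not $[jwtType]").add("jwtType", (Object) this.header.getJwtType());
        }
        // Fail closed: an absent signature must never be treated as a valid one.
        if (this.signature == null) {
            throw new JwtVerificationException(new MultiPartName("safeature", "google", "signature", "notfound"), "No JWT signature found");
        }
        JsonWebKey verificationKey = signatureVerificationKey();
        // The header is guaranteed to carry an algorithm by the check above, so the former
        // fallback to the key's algorithm could never be taken.
        // NOTE(review): the algorithm is therefore chosen by the token, not by the key.
        // Confirm that a mismatch with the key's declared algorithm or key type cannot be
        // accepted (ideally compare against the key's algorithm before verifying).
        JwsSignatureAlgorithm algorithm = this.header.getAlgorithm();
        PublicKey publicKey = (PublicKey) verificationKey.toKey();
        String signingInput = toJwtString(false);
        try {
            Signature verifier = algorithm.jceSignature();
            verifier.initVerify(publicKey);
            verifier.update(signingInput.getBytes(StandardCharsets.UTF_8));
            if (!verifier.verify(this.signature.toArray())) {
                throw new JwtVerificationException(new MultiPartName("safeature", "google", "signature", "invalid"), "Invalid signature");
            }
        } catch (GeneralSecurityException e) {
            throw new JwtVerificationException(new MultiPartName("safeature", "google", "signature", "invalid"), "Unable to verify signature", e);
        }
    }
}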
