package de.cidaas.interceptor.config;

import de.cidaas.interceptor.authentication.JwtAuthentication;
import de.cidaas.jwk.InvalidPublicKeyException;
import de.cidaas.jwk.JwkException;
import de.cidaas.jwk.JwkProvider;
import de.cidaas.jwk.SigningKeyNotFoundException;
import de.cidaas.jwt.JWT;
import de.cidaas.jwt.JWTVerifier;
import de.cidaas.jwt.algorithms.Algorithm;
import de.cidaas.jwt.exceptions.JWTVerificationException;
import java.security.interfaces.RSAPublicKey;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;

/* loaded from: input_file:de/cidaas/interceptor/config/JwtAuthenticationProvider.class */
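/**
 * Spring Security {@link AuthenticationProvider} that validates {@link JwtAuthentication} tokens.
 *
 * <p>The verification algorithm is fixed by how the provider was constructed, not by anything the
 * token declares: an instance built with a shared secret verifies with HMAC-SHA256, an instance
 * built with a {@link JwkProvider} verifies with RSA-SHA256 using the key named by the token's
 * {@code kid}.
 *
 * <p>Both paths check the signature and the issuer. The audience is checked on the HS256 path
 * and, when an audience was configured, on the RS256 path as well.
 */
public class JwtAuthenticationProvider implements AuthenticationProvider {
    private static final Logger logger = LoggerFactory.getLogger(JwtAuthenticationProvider.class);
    // Shared HMAC secret; null when the provider was built for RS256.
    private final byte[] secret;
    // Expected issuer claim, passed to the verifier as-is.
    private final String issuer;
    // Expected audience claim, passed to the verifier as-is.
    private final String audience;
    // Source of RSA signing keys; null when the provider was built for HS256.
    private final JwkProvider jwkProvider;
    // Leeway handed to the verifier's acceptLeeway(); 0 unless withJwtVerifierLeeway() is called.
    private long leeway;

    /**
     * Creates a provider that verifies tokens with HMAC-SHA256.
     *
     * @param bArr shared secret used to verify the token signature
     * @param str expected issuer
     * @param str2 expected audience
     */
    public JwtAuthenticationProvider(byte[] bArr, String str, String str2) {
        this.leeway = 0L;
        this.secret = bArr;
        this.issuer = str;
        this.audience = str2;
        this.jwkProvider = null;
    }

    /**
     * Creates a provider that verifies tokens with RSA-SHA256.
     *
     * @param jwkProvider source of the public keys, looked up by the token's {@code kid}
     * @param str expected issuer
     * @param str2 expected audience; when {@code null} the RS256 verifier does not check the
     *     audience claim
     */
    public JwtAuthenticationProvider(JwkProvider jwkProvider, String str, String str2) {
        this.leeway = 0L;
        this.jwkProvider = jwkProvider;
        this.secret = null;
        this.issuer = str;
        this.audience = str2;
    }

    /**
     * Reports whether this provider handles the given authentication type.
     *
     * @param cls authentication class to test
     * @return {@code true} if {@code cls} is {@link JwtAuthentication} or a subtype of it
     */
    @Override
    public boolean supports(Class<?> cls) {
        return JwtAuthentication.class.isAssignableFrom(cls);
    }

    /**
     * Verifies the token carried by the given authentication.
     *
     * @param authentication the authentication request
     * @return the verified authentication, or {@code null} if the request is not a
     *     {@link JwtAuthentication}
     * @throws BadCredentialsException if the token fails verification or has no {@code kid} on
     *     the RS256 path
     * @throws AuthenticationServiceException if the signing key cannot be obtained
     */
    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        if (!supports(authentication.getClass())) {
            return null;
        }
        JwtAuthentication jwtAuthentication = (JwtAuthentication) authentication;
        try {
            Authentication verify = jwtAuthentication.verify(jwtVerifier(jwtAuthentication));
            logger.info("Authenticated with jwt with scopes {}", verify.getAuthorities());
            return verify;
        } catch (JWTVerificationException e) {
            // The cause is kept for server-side diagnosis; the message stays generic.
            throw new BadCredentialsException("Not a valid token", e);
        }
    }

    /**
     * Sets the leeway passed to the verifier.
     *
     * @param j leeway value handed to {@code acceptLeeway}
     * @return this provider, for chaining
     */
    public JwtAuthenticationProvider withJwtVerifierLeeway(long j) {
        this.leeway = j;
        return this;
    }

    /**
     * Builds the verifier for one token, choosing HS256 or RS256 from the provider's own
     * configuration.
     *
     * @param jwtAuthentication the token being verified; only its {@code kid} is read here
     * @return a verifier bound to the configured secret or to the key named by the {@code kid}
     * @throws BadCredentialsException if the RS256 path is used and the token has no {@code kid}
     * @throws AuthenticationServiceException if no JWK provider is configured, the key lookup
     *     fails, or the key found is not an RSA public key
     */
    private JWTVerifier jwtVerifier(JwtAuthentication jwtAuthentication) throws AuthenticationException {
        if (this.secret != null) {
            return providerForHS256(this.secret, this.issuer, this.audience, this.leeway);
        }
        String keyId = jwtAuthentication.getKeyId();
        if (keyId == null) {
            throw new BadCredentialsException("No kid found in jwt");
        }
        if (this.jwkProvider == null) {
            throw new AuthenticationServiceException("Missing jwk provider");
        }
        try {
            Object publicKey = this.jwkProvider.get(keyId).getPublicKey();
            // Reject a non-RSA (or missing) key with an authentication error instead of letting
            // the cast below fail with a ClassCastException.
            if (!(publicKey instanceof RSAPublicKey)) {
                throw new AuthenticationServiceException("Signing key is not an RSA public key");
            }
            return providerForRS256((RSAPublicKey) publicKey, this.issuer, this.audience, this.leeway);
        } catch (InvalidPublicKeyException e) {
            throw new AuthenticationServiceException("Could not retrieve public key from issuer", e);
        } catch (SigningKeyNotFoundException e2) {
            throw new AuthenticationServiceException("Could not retrieve jwks from issuer", e2);
        } catch (JwkException e3) {
            throw new AuthenticationServiceException("Cannot authenticate with jwt", e3);
        }
    }

    /**
     * Builds an RSA-SHA256 verifier that checks issuer and, when configured, audience.
     *
     * @param publicKey RSA public key used to verify the signature
     * @param expectedIssuer issuer the token must carry
     * @param expectedAudience audience the token must carry; {@code null} skips the audience check
     * @param leewayValue leeway handed to {@code acceptLeeway}
     * @return the configured verifier
     */
    private static JWTVerifier providerForRS256(
            RSAPublicKey publicKey, String expectedIssuer, String expectedAudience, long leewayValue) {
        if (expectedAudience == null) {
            // No audience configured: keep verifying signature and issuer only, as before.
            return JWT.require(Algorithm.RSA256(publicKey, null))
                    .withIssuer(expectedIssuer)
                    .acceptLeeway(leewayValue)
                    .build();
        }
        // Without the audience check, a token the same issuer signed for a different client
        // would be accepted here.
        return JWT.require(Algorithm.RSA256(publicKey, null))
                .withIssuer(expectedIssuer)
                .withAudience(expectedAudience)
                .acceptLeeway(leewayValue)
                .build();
    }

    /**
     * Builds an HMAC-SHA256 verifier that checks issuer and audience.
     *
     * @param sharedSecret secret used to verify the signature
     * @param expectedIssuer issuer the token must carry
     * @param expectedAudience audience the token must carry
     * @param leewayValue leeway handed to {@code acceptLeeway}
     * @return the configured verifier
     */
    private static JWTVerifier providerForHS256(
            byte[] sharedSecret, String expectedIssuer, String expectedAudience, long leewayValue) {
        return JWT.require(Algorithm.HMAC256(sharedSecret))
                .withIssuer(expectedIssuer)
                .withAudience(expectedAudience)
                .acceptLeeway(leewayValue)
                .build();
    }
}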
