package de.cidaas.interceptor.authentication.provider;

import de.cidaas.jwk.InvalidPublicKeyException;
import de.cidaas.jwk.JwkException;
import de.cidaas.jwk.JwkProvider;
import de.cidaas.jwk.SigningKeyNotFoundException;
import de.cidaas.jwt.JWT;
import de.cidaas.jwt.JWTVerifier;
import de.cidaas.jwt.algorithms.Algorithm;
import de.cidaas.jwt.exceptions.JWTVerificationException;
import de.cidaas.model.JwtAuthentication;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;

/* loaded from: input_file:de/cidaas/interceptor/authentication/provider/OfflineAuthenticationProvider.class */
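/**
 * Spring Security {@link AuthenticationProvider} that validates a {@link JwtAuthentication}
 * inside this class: it looks up the signing key named by the token's {@code kid}, then checks
 * the RS256 signature, the issuer and the audience.
 *
 * <p>No call to the identity provider is made here apart from whatever the injected
 * {@link JwkProvider} does to resolve keys (not visible in this file).
 */
public class OfflineAuthenticationProvider implements AuthenticationProvider {
    /** Issuer value the token must carry; handed to {@code withIssuer}. */
    private final String issuer;
    /** Client id of this application; handed to {@code withAudience}. */
    private final String clientId;
    /** Source of signing keys, queried by key id. */
    private final JwkProvider jwkProvider;

    /**
     * Creates the provider.
     *
     * <p>Note the argument order: client id first, issuer second. Swapping them would make the
     * issuer and audience checks compare against the wrong values.
     *
     * @param str the client id, used as the expected audience
     * @param str2 the expected issuer
     * @param jwkProvider source of signing keys; a {@code null} value is only rejected later,
     *     when {@link #getPublicKeyForKID(String)} is called
     */
    public OfflineAuthenticationProvider(String str, String str2, JwkProvider jwkProvider) {
        this.clientId = str;
        this.issuer = str2;
        this.jwkProvider = jwkProvider;
    }

    /**
     * Reports whether this provider handles the given authentication type.
     *
     * @param cls the authentication class offered by the caller
     * @return {@code true} only for exactly {@link JwtAuthentication} (subclasses do not match)
     */
    public boolean supports(Class<?> cls) {
        return JwtAuthentication.class.equals(cls);
    }

    /**
     * Verifies the token carried by the given authentication and marks it authenticated.
     *
     * <p>{@code setAuthenticated(true)} is reached only after {@code verify} returned without
     * throwing. The argument is cast without a type check, so callers are expected to consult
     * {@link #supports(Class)} first.
     *
     * @param authentication the {@link JwtAuthentication} to validate
     * @return the same instance, flagged as authenticated
     * @throws BadCredentialsException if the token has no {@code kid} or fails verification
     * @throws AuthenticationServiceException if no usable signing key could be obtained
     */
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        try {
            JwtAuthentication jwtAuthentication = (JwtAuthentication) authentication;
            // The kid is read from the still-unverified token; it only selects which key the
            // JwkProvider returns and grants nothing by itself.
            // NOTE(review): the provider should resolve keys solely from the trusted issuer's
            // key set - confirm against the JwkProvider implementation.
            jwtVerifier(getPublicKeyForKID(jwtAuthentication.m2getCredentials().getKeyId())).verify(jwtAuthentication.m2getCredentials().getTokenAsString());
            jwtAuthentication.setAuthenticated(true);
            return jwtAuthentication;
        } catch (JWTVerificationException e) {
            throw new BadCredentialsException("Not a valid token", e);
        }
    }

    /**
     * Resolves the RSA public key registered under the given key id.
     *
     * @param str the {@code kid} taken from the token header
     * @return the RSA public key for that key id
     * @throws BadCredentialsException if {@code str} is {@code null}
     * @throws AuthenticationServiceException if no provider is configured, the key cannot be
     *     retrieved, or the retrieved key is not an RSA public key
     */
    public RSAPublicKey getPublicKeyForKID(String str) {
        if (str == null) {
            throw new BadCredentialsException("No kid found in jwt");
        }
        if (this.jwkProvider == null) {
            throw new AuthenticationServiceException("Missing jwk provider");
        }
        try {
            Object publicKey = this.jwkProvider.get(str).getPublicKey();
            // A non-RSA key (or none) would otherwise surface as a ClassCastException or a
            // failure deep inside the verifier instead of an authentication error.
            if (!(publicKey instanceof RSAPublicKey)) {
                throw new AuthenticationServiceException("Signing key is not an RSA public key");
            }
            return (RSAPublicKey) publicKey;
        // Most specific handlers first: if the two exceptions below derive from JwkException
        // (presumably, given the shared package - confirm), a leading JwkException handler
        // would shadow them and their messages would never be used.
        } catch (SigningKeyNotFoundException e) {
            throw new AuthenticationServiceException("Could not retrieve jwks from issuer", e);
        } catch (InvalidPublicKeyException e2) {
            throw new AuthenticationServiceException("Could not retrieve public key from issuer", e2);
        } catch (JwkException e3) {
            throw new AuthenticationServiceException("Cannot authenticate with jwt", e3);
        }
    }

    /**
     * Builds a verifier bound to the given key, the configured issuer and the configured
     * client id as audience.
     *
     * <p>The algorithm is fixed to RS256 here rather than taken from the token. The private-key
     * argument is {@code null} because this class only verifies signatures.
     *
     * @param rSAPublicKey the key used to check the signature
     * @return a verifier requiring RS256, the issuer and the audience
     */
    private JWTVerifier jwtVerifier(RSAPublicKey rSAPublicKey) throws AuthenticationException {
        return JWT.require(Algorithm.RSA256(rSAPublicKey, (RSAPrivateKey) null)).withIssuer(new String[]{this.issuer}).withAudience(new String[]{this.clientId}).build();
    }
}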
