package net.tokensmith.otter.security.csrf;

import java.io.ByteArrayOutputStream;
import java.time.OffsetDateTime;
import java.util.Map;
import java.util.Optional;
import net.tokensmith.jwt.builder.compact.SecureCompactBuilder;
import net.tokensmith.jwt.builder.exception.CompactException;
import net.tokensmith.jwt.config.JwtAppFactory;
import net.tokensmith.jwt.entity.jwk.SymmetricKey;
import net.tokensmith.jwt.entity.jwt.JsonWebToken;
import net.tokensmith.jwt.entity.jwt.header.Algorithm;
import net.tokensmith.jwt.exception.InvalidJWT;
import net.tokensmith.jwt.exception.SignatureException;
import net.tokensmith.jwt.serialization.exception.JsonToJwtException;
import net.tokensmith.otter.controller.entity.Cookie;
import net.tokensmith.otter.security.RandomString;
import net.tokensmith.otter.security.csrf.exception.CsrfException;
import net.tokensmith.otter.security.entity.ChallengeToken;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:net/tokensmith/otter/security/csrf/DoubleSubmitCSRF.class */
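/**
 * Issues and validates CSRF tokens for the double-submit pattern. Every token is a compact JWT
 * signed with HS256 that carries a challenge token, a noise value and an issued-at time.
 *
 * <p>Validation ({@link #doTokensMatch}) treats both encoded values as untrusted request data:
 * each one must parse, name a known signing key in its header, use the algorithm this class
 * issues with, and carry a valid signature before any claim is compared.
 *
 * <p>NOTE(review): the issued-at claim is written by {@link #toJwt} but is never checked during
 * validation in this class, so nothing here rejects an old token. Confirm whether an age check
 * is enforced elsewhere.
 */
public class DoubleSubmitCSRF {
    public static final String SIGNATURE_INVALID = "Signature Invalid";
    public static final String CSRF_FAILED = "CSRF failed validation. challengeTokensMatch: {}, noiseMatch: {}";
    private static final String VERIFY_MSG = "Could not verify signature";
    private static final String SERIALIZE_JWT = "Could not serialize to compact jwt";
    private static final String DE_SERIALIZE_JWT = "Could not deserialize CSRF JWT to pojo";
    private static final String TOKEN_MISSING = "CSRF token is missing";
    private static final String CLAIM_MISSING = "CSRF JWT is missing the challenge token or noise claim";
    private static final String KEY_ID_MISSING = "CSRF JWT header has no key id";
    private static final String SIGN_KEY_UNKNOWN = "No sign key found for the CSRF JWT key id";
    private static final String SIGN_KEY_NOT_SET = "No preferred sign key is configured";
    private static final String ALG_NOT_ALLOWED = "CSRF JWT algorithm is not HS256";
    protected static Logger LOGGER = LoggerFactory.getLogger(DoubleSubmitCSRF.class);
    private final JwtAppFactory jwtAppFactory;
    private final RandomString randomString;
    // Key used to sign new tokens; also tried first when verifying.
    private SymmetricKey preferredSignKey;
    // Older keys, looked up by key id, that are still accepted for verification.
    private Map<String, SymmetricKey> rotationSignKeys;

    /**
     * Creates an instance without signing keys. The keys must be supplied through
     * {@link #setPreferredSignKey} and {@link #setRotationSignKeys} before tokens can be issued
     * or verified.
     */
    public DoubleSubmitCSRF(JwtAppFactory jwtAppFactory, RandomString randomString) {
        this.jwtAppFactory = jwtAppFactory;
        this.randomString = randomString;
    }

    /**
     * Creates a fully configured instance.
     *
     * @param symmetricKey the key new tokens are signed with
     * @param map keys, by key id, that are still accepted when verifying
     */
    public DoubleSubmitCSRF(JwtAppFactory jwtAppFactory, RandomString randomString, SymmetricKey symmetricKey, Map<String, SymmetricKey> map) {
        this.jwtAppFactory = jwtAppFactory;
        this.randomString = randomString;
        this.preferredSignKey = symmetricKey;
        this.rotationSignKeys = map;
    }

    /**
     * Decides whether two encoded CSRF JWTs belong together.
     *
     * <p>Both values are verified first. They match only when their challenge tokens are equal
     * and their noise values differ; two tokens with identical noise are rejected.
     *
     * @param str one encoded CSRF JWT taken from the request
     * @param str2 the other encoded CSRF JWT taken from the request
     * @return {@code true} when the pair is valid; {@code false} when a value is missing,
     *     cannot be parsed or verified, or the claims do not satisfy the rule above
     */
    public Boolean doTokensMatch(String str, String str2) {
        // A request that omits either value fails closed instead of reaching the JWT parser.
        if (str == null || str.isEmpty() || str2 == null || str2.isEmpty()) {
            LOGGER.debug(TOKEN_MISSING);
            return Boolean.FALSE;
        }
        try {
            CsrfClaims first = toClaims(str);
            CsrfClaims second = toClaims(str2);
            // Without these claims equals() below would throw and the failure would escape
            // as an unchecked exception rather than a rejected request.
            if (first.getChallengeToken() == null || first.getNoise() == null) {
                LOGGER.debug(CLAIM_MISSING);
                return Boolean.FALSE;
            }
            boolean challengeTokensMatch = first.getChallengeToken().equals(second.getChallengeToken());
            boolean noiseMatch = first.getNoise().equals(second.getNoise());
            if (challengeTokensMatch && !noiseMatch) {
                return Boolean.TRUE;
            }
            LOGGER.debug(CSRF_FAILED, challengeTokensMatch, noiseMatch);
            return Boolean.FALSE;
        } catch (CsrfException e) {
            LOGGER.debug(e.getMessage(), e);
            return Boolean.FALSE;
        }
    }

    /**
     * Parses an encoded CSRF JWT, verifies its signature and returns its claims.
     *
     * @param str the encoded CSRF JWT
     * @return the claims of the verified token
     * @throws CsrfException when the value cannot be parsed, its header has no key id, or the
     *     signature does not verify
     */
    protected CsrfClaims toClaims(String str) throws CsrfException {
        try {
            JsonWebToken jwt = csrfToJwt(str);
            // The header is attacker-controlled until the signature is checked, so a missing
            // key id has to be a normal validation failure, not an unchecked exception.
            if (!jwt.getHeader().getKeyId().isPresent()) {
                throw new CsrfException(KEY_ID_MISSING);
            }
            SymmetricKey signKey = getSignKey((String) jwt.getHeader().getKeyId().get());
            if (!verifyCsrfCookieSignature(jwt, signKey).booleanValue()) {
                throw new CsrfException(SIGNATURE_INVALID);
            }
            return (CsrfClaims) jwt.getClaims();
        } catch (CsrfException e) {
            LOGGER.debug(e.getMessage(), e);
            throw e;
        }
    }

    /**
     * Deserializes an encoded CSRF JWT. The signature is NOT verified here; callers must not
     * trust the header or claims of the result until it has been verified.
     *
     * @param str the encoded CSRF JWT
     * @return the parsed token with {@link CsrfClaims} claims
     * @throws CsrfException when the value is not a well-formed JWT
     */
    public JsonWebToken csrfToJwt(String str) throws CsrfException {
        try {
            return this.jwtAppFactory.jwtSerde().stringToJwt(str, CsrfClaims.class);
        } catch (JsonToJwtException | InvalidJWT e) {
            throw new CsrfException(DE_SERIALIZE_JWT, e);
        }
    }

    /**
     * Looks up the signing key for a key id, trying the preferred key before the rotation keys.
     *
     * @param str the key id taken from a token header
     * @return the matching key, or {@code null} when the id is unknown or no keys are configured
     */
    protected SymmetricKey getSignKey(String str) {
        if (str == null) {
            return null;
        }
        if (this.preferredSignKey != null && str.equals(this.preferredSignKey.getKeyId().orElse(null))) {
            return this.preferredSignKey;
        }
        return this.rotationSignKeys == null ? null : this.rotationSignKeys.get(str);
    }

    /**
     * Verifies the signature of a CSRF JWT with the given key.
     *
     * <p>Verification is pinned to HS256, the only algorithm {@link #toJwt} signs with, so the
     * algorithm named in the untrusted header cannot select how the token is checked.
     *
     * @param jsonWebToken the parsed, not yet trusted token
     * @param symmetricKey the key to verify with; {@code null} is treated as a failed
     *     verification
     * @return {@code true} only when the signature verifies
     * @throws CsrfException when the verifier itself cannot be built or run
     */
    protected Boolean verifyCsrfCookieSignature(JsonWebToken jsonWebToken, SymmetricKey symmetricKey) throws CsrfException {
        if (symmetricKey == null) {
            LOGGER.debug(SIGN_KEY_UNKNOWN);
            return Boolean.FALSE;
        }
        if (jsonWebToken.getHeader().getAlgorithm() != Algorithm.HS256) {
            LOGGER.debug(ALG_NOT_ALLOWED);
            return Boolean.FALSE;
        }
        try {
            return Boolean.valueOf(this.jwtAppFactory.verifySignature(Algorithm.HS256, symmetricKey).run(jsonWebToken));
        } catch (SignatureException e) {
            throw new CsrfException(VERIFY_MSG, e);
        }
    }

    /**
     * Generates a new challenge token from the configured {@link RandomString}.
     *
     * <p>NOTE(review): the token's unpredictability depends entirely on the RandomString
     * implementation, which is not visible here; confirm it is backed by a secure random source.
     */
    public String makeChallengeToken() {
        return this.randomString.run();
    }

    /**
     * Builds the cookie that carries a signed CSRF JWT.
     *
     * <p>NOTE(review): no SameSite attribute is set here; confirm whether one is applied where
     * the cookie is written to the response.
     *
     * @param str the cookie name
     * @param challengeToken the challenge token and noise to embed
     * @param bool whether the cookie is marked Secure
     * @param i the cookie max age
     * @param bool2 whether the cookie is marked HttpOnly
     * @return the populated cookie
     * @throws CsrfException when the JWT cannot be built
     */
    public Cookie makeCsrfCookie(String str, ChallengeToken challengeToken, Boolean bool, int i, Boolean bool2) throws CsrfException {
        ByteArrayOutputStream jwt = toJwt(challengeToken);
        Cookie cookie = new Cookie();
        cookie.setSecure(bool.booleanValue());
        cookie.setName(str);
        cookie.setMaxAge(i);
        // Decode with an explicit charset so the cookie value does not depend on the
        // platform default encoding.
        cookie.setValue(new String(jwt.toByteArray(), java.nio.charset.StandardCharsets.UTF_8));
        cookie.setHttpOnly(bool2.booleanValue());
        return cookie;
    }

    /**
     * Serializes a challenge token into a compact JWT signed with HS256 and the preferred key.
     * The issued-at claim is set to the current epoch second.
     *
     * @param challengeToken the challenge token and noise to embed
     * @return the compact JWT bytes
     * @throws CsrfException when no preferred sign key is configured or the JWT cannot be built
     */
    public ByteArrayOutputStream toJwt(ChallengeToken challengeToken) throws CsrfException {
        // The two-argument constructor leaves the key unset; fail with the declared exception
        // rather than handing a null key to the builder.
        if (this.preferredSignKey == null) {
            throw new CsrfException(SIGN_KEY_NOT_SET);
        }
        CsrfClaims csrfClaims = new CsrfClaims();
        csrfClaims.setChallengeToken(challengeToken.getToken());
        csrfClaims.setNoise(challengeToken.getNoise());
        csrfClaims.setIssuedAt(Optional.of(OffsetDateTime.now().toEpochSecond()));
        try {
            return new SecureCompactBuilder().alg(Algorithm.HS256).key(this.preferredSignKey).claims(csrfClaims).build();
        } catch (CompactException e) {
            throw new CsrfException(SERIALIZE_JWT, e);
        }
    }

    /** Replaces the key used to sign new tokens. */
    public void setPreferredSignKey(SymmetricKey symmetricKey) {
        this.preferredSignKey = symmetricKey;
    }

    /** Replaces the keys, by key id, that are still accepted when verifying. */
    public void setRotationSignKeys(Map<String, SymmetricKey> map) {
        this.rotationSignKeys = map;
    }
}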
