package org.wildfly.security.soteria.original;

import com.nimbusds.jose.Algorithm;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.source.ImmutableSecret;
import com.nimbusds.jose.jwk.source.RemoteJWKSet;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jose.proc.JWEKeySelector;
import com.nimbusds.jose.proc.JWSKeySelector;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jose.util.DefaultResourceRetriever;
import com.nimbusds.jwt.EncryptedJWT;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.PlainJWT;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import com.nimbusds.jwt.proc.JWTClaimsSetVerifier;
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.inject.Inject;
import java.nio.charset.StandardCharsets;
import java.text.ParseException;
import java.util.Objects;
import java.util.concurrent.ConcurrentHashMap;
import org.glassfish.soteria.mechanisms.openid.domain.OpenIdConfiguration;

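/**
 * Validates JWT bearer tokens against the injected OpenID Connect configuration.
 *
 * <p>Signed tokens are verified with a key selector chosen from the algorithm
 * named in the token header: RSA and EC algorithms use the provider's JWKS
 * endpoint, HMAC algorithms use the configured client secret. Selectors are
 * cached per algorithm and configuration.
 *
 * <p>NOTE(review): the token header is attacker-controlled input, and it alone
 * decides which branch and which key source are used. Consider restricting the
 * accepted algorithms to an allow-list taken from configuration or provider
 * metadata rather than accepting whatever the token declares.
 */
@ApplicationScoped
/* loaded from: input_file:org/wildfly/security/soteria/original/JWTValidator.class */
public class JWTValidator {

    /** Algorithm name used when a signed token's header yields no algorithm name. */
    private static final String DEFAULT_JWS_ALGORITHM = "RS256";

    /** Size limit, in bytes, passed to the retriever that downloads the JWKS document. */
    private static final int JWKS_SIZE_LIMIT_BYTES = 51200;

    @Inject
    private OpenIdConfiguration configuration;

    // Verification key selectors, keyed by algorithm name plus the configuration
    // values they were built from (see createCacheKey).
    private ConcurrentHashMap<CacheKey, JWSKeySelector> jwsCache = new ConcurrentHashMap<>();

    // Not read or written anywhere in this class as shown.
    private ConcurrentHashMap<CacheKey, JWEKeySelector> jweCache = new ConcurrentHashMap<>();

    /**
     * Validates a parsed JWT and returns its claims.
     *
     * @param jwt the parsed token (plain, signed or encrypted)
     * @param jWTClaimsSetVerifier verifier applied to the claims set
     * @return the claims set of the token
     * @throws IllegalStateException if the token type or algorithm is not supported,
     *     or if parsing, signature verification or claims verification fails
     *     (the underlying exception is kept as the cause)
     */
    public JWTClaimsSet validateBearerToken(JWT jwt, JWTClaimsSetVerifier jWTClaimsSetVerifier) {
        JWTClaimsSet process;
        try {
            if (jwt instanceof PlainJWT) {
                // NOTE(review): an unsecured JWT carries no signature, so only the
                // claims are checked here and nothing authenticates the issuer.
                // Whether this is acceptable depends on the callers, which are not
                // visible from this class; rejecting PlainJWT for bearer tokens is
                // the safer default.
                process = ((PlainJWT) jwt).getJWTClaimsSet();
                jWTClaimsSetVerifier.verify(process, (SecurityContext) null);
            } else if (jwt instanceof SignedJWT) {
                SignedJWT signedJWT = (SignedJWT) jwt;
                // The algorithm is taken from the token header, i.e. from untrusted input.
                String name = signedJWT.getHeader().getAlgorithm().getName();
                if (Objects.isNull(name)) {
                    name = DEFAULT_JWS_ALGORITHM;
                }
                DefaultJWTProcessor defaultJWTProcessor = new DefaultJWTProcessor();
                defaultJWTProcessor.setJWSKeySelector(getJWSKeySelector(name));
                defaultJWTProcessor.setJWTClaimsSetVerifier(jWTClaimsSetVerifier);
                process = defaultJWTProcessor.process(signedJWT, (SecurityContext) null);
            } else {
                if (!(jwt instanceof EncryptedJWT)) {
                    throw new IllegalStateException("Unexpected JWT type : " + jwt.getClass());
                }
                EncryptedJWT encryptedJWT = (EncryptedJWT) jwt;
                // NOTE(review): the JWE algorithm name is handed to the JWS selector
                // lookup and no JWE key selector is set on the processor, so this
                // branch looks like it can only fail (closed) - confirm whether
                // encrypted tokens are meant to be supported.
                String name2 = encryptedJWT.getHeader().getAlgorithm().getName();
                DefaultJWTProcessor defaultJWTProcessor2 = new DefaultJWTProcessor();
                defaultJWTProcessor2.setJWSKeySelector(getJWSKeySelector(name2));
                defaultJWTProcessor2.setJWTClaimsSetVerifier(jWTClaimsSetVerifier);
                process = defaultJWTProcessor2.process(encryptedJWT, (SecurityContext) null);
            }
            return process;
        } catch (ParseException | BadJOSEException | JOSEException e) {
            throw new IllegalStateException(e);
        }
    }

    /**
     * Returns the cached verification key selector for the algorithm, creating it
     * on first use. A selector whose creation throws is not cached.
     */
    private JWSKeySelector<?> getJWSKeySelector(String str) {
        return this.jwsCache.computeIfAbsent(createCacheKey(str), cacheKey -> {
            return createJWSKeySelector(str);
        });
    }

    /**
     * Builds the cache key from the algorithm name and the configuration values
     * a selector depends on: JWKS timeouts, JWKS URL and client secret.
     */
    private CacheKey createCacheKey(String str) {
        // NOTE(review): the client secret becomes part of a key that stays in
        // jwsCache; nothing in this class removes entries.
        return new CacheKey(
                str,
                Integer.valueOf(this.configuration.getJwksConnectTimeout()),
                Integer.valueOf(this.configuration.getJwksReadTimeout()),
                this.configuration.getProviderMetadata().getJwksURL(),
                this.configuration.getClientSecret());
    }

    /**
     * Creates the verification key selector for a JWS algorithm name.
     *
     * @param str JWS algorithm name taken from the token header
     * @return a selector backed by the provider's JWKS endpoint (RSA, EC) or by
     *     the client secret (HMAC)
     * @throws IllegalStateException if the algorithm is {@code none}, is outside
     *     the RSA, EC and HMAC families, or is HMAC while no client secret is configured
     */
    private JWSKeySelector<?> createJWSKeySelector(String str) {
        JWSAlgorithm jWSAlgorithm = new JWSAlgorithm(str);
        if (Algorithm.NONE.equals(jWSAlgorithm)) {
            throw new IllegalStateException("Unsupported JWS algorithm : " + jWSAlgorithm);
        }
        if (JWSAlgorithm.Family.RSA.contains(jWSAlgorithm) || JWSAlgorithm.Family.EC.contains(jWSAlgorithm)) {
            // Asymmetric algorithms: keys are fetched from the provider's JWKS URL
            // with the configured timeouts and a bounded response size.
            return new JWSVerificationKeySelector(
                    jWSAlgorithm,
                    new RemoteJWKSet(
                            this.configuration.getProviderMetadata().getJwksURL(),
                            new DefaultResourceRetriever(
                                    this.configuration.getJwksConnectTimeout(),
                                    this.configuration.getJwksReadTimeout(),
                                    JWKS_SIZE_LIMIT_BYTES)));
        }
        if (!JWSAlgorithm.Family.HMAC_SHA.contains(jWSAlgorithm)) {
            throw new IllegalStateException("Unsupported JWS algorithm : " + jWSAlgorithm);
        }
        // Check the secret before converting it: the previous null test ran on the
        // result of getBytes(), which is never null, so a missing secret surfaced
        // as a NullPointerException instead of this message.
        if (Objects.isNull(this.configuration.getClientSecret())) {
            throw new IllegalStateException("Missing client secret");
        }
        // The String copy of the secret is immutable and cannot be wiped afterwards.
        byte[] bytes = new String(this.configuration.getClientSecret()).getBytes(StandardCharsets.UTF_8);
        return new JWSVerificationKeySelector(jWSAlgorithm, new ImmutableSecret(bytes));
    }
}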
