package uk.co.spudsoft.jwtvalidatorvertx.impl;

import com.google.common.base.Strings;
import io.vertx.core.Future;
import java.nio.charset.StandardCharsets;
import java.time.LocalDateTime;
import java.time.ZoneOffset;
import java.util.Base64;
import java.util.EnumSet;
import java.util.Iterator;
import java.util.List;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import uk.co.spudsoft.jwtvalidatorvertx.JWK;
import uk.co.spudsoft.jwtvalidatorvertx.JWT;
import uk.co.spudsoft.jwtvalidatorvertx.JsonWebAlgorithm;
import uk.co.spudsoft.jwtvalidatorvertx.JsonWebKeySetHandler;
import uk.co.spudsoft.jwtvalidatorvertx.JwtValidatorVertx;

/* loaded from: input_file:uk/co/spudsoft/jwtvalidatorvertx/impl/JwtValidatorVertxImpl.class */
public class JwtValidatorVertxImpl implements JwtValidatorVertx {
    private static final Logger logger = LoggerFactory.getLogger(JwtValidatorVertxImpl.class);
    private static final Base64.Decoder B64DECODER = Base64.getUrlDecoder();
    private static final EnumSet<JsonWebAlgorithm> DEFAULT_PERMITTED_ALGS = EnumSet.of(JsonWebAlgorithm.RS256, JsonWebAlgorithm.RS384, JsonWebAlgorithm.RS512);
    private final JsonWebKeySetHandler openIdDiscoveryHandler;
    private boolean requireExp = true;
    private boolean requireNbf = true;
    private long timeLeewaySeconds = 0;
    private EnumSet<JsonWebAlgorithm> permittedAlgs = EnumSet.copyOf((EnumSet) DEFAULT_PERMITTED_ALGS);

    public JwtValidatorVertxImpl(JsonWebKeySetHandler jsonWebKeySetHandler) {
        this.openIdDiscoveryHandler = jsonWebKeySetHandler;
    }

    @Override // uk.co.spudsoft.jwtvalidatorvertx.JwtValidatorVertx
    public EnumSet<JsonWebAlgorithm> getPermittedAlgorithms() {
        return EnumSet.copyOf((EnumSet) this.permittedAlgs);
    }

    @Override // uk.co.spudsoft.jwtvalidatorvertx.JwtValidatorVertx
    public JwtValidatorVertx setPermittedAlgorithms(EnumSet<JsonWebAlgorithm> enumSet) {
        this.permittedAlgs = EnumSet.copyOf((EnumSet) enumSet);
        return this;
    }

    @Override // uk.co.spudsoft.jwtvalidatorvertx.JwtValidatorVertx
    public JwtValidatorVertx addPermittedAlgorithm(JsonWebAlgorithm jsonWebAlgorithm) {
        this.permittedAlgs.add(jsonWebAlgorithm);
        return this;
    }

    @Override // uk.co.spudsoft.jwtvalidatorvertx.JwtValidatorVertx
    public JwtValidatorVertx setTimeLeewaySeconds(long j) {
        this.timeLeewaySeconds = j;
        return this;
    }

    @Override // uk.co.spudsoft.jwtvalidatorvertx.JwtValidatorVertx
    public JwtValidatorVertx setRequireExp(boolean z) {
        this.requireExp = z;
        return this;
    }

    @Override // uk.co.spudsoft.jwtvalidatorvertx.JwtValidatorVertx
    public JwtValidatorVertx setRequireNbf(boolean z) {
        this.requireNbf = z;
        return this;
    }

    @Override // uk.co.spudsoft.jwtvalidatorvertx.JwtValidatorVertx
    public Future<JWT> validateToken(String str, List<String> list, boolean z) {
        try {
            JWT parseJws = JWT.parseJws(str);
            try {
                JsonWebAlgorithm validateAlgorithm = validateAlgorithm(parseJws.getAlgorithm());
                parseJws.getKid();
                if (parseJws.getPayloadSize() == 0) {
                    logger.error("No payload claims found in JWT");
                    return Future.failedFuture(new IllegalArgumentException("Parse of signed JWT failed"));
                }
                this.openIdDiscoveryHandler.validateIssuer(parseJws.getIssuer());
                return parseJws.getJwk(this.openIdDiscoveryHandler).compose(jwk -> {
                    try {
                        verify(validateAlgorithm, jwk, parseJws);
                        long currentTimeMillis = System.currentTimeMillis() / 1000;
                        validateNbf(parseJws, currentTimeMillis);
                        validateExp(parseJws, currentTimeMillis);
                        validateAud(parseJws, list, z);
                        validateSub(parseJws);
                        return Future.succeededFuture(parseJws);
                    } catch (Throwable th) {
                        logger.info("Validation of {} token failed: ", parseJws.getAlgorithm(), th);
                        return Future.failedFuture(new IllegalArgumentException("Validation of " + parseJws.getAlgorithm() + " signed JWT failed", th));
                    }
                });
            } catch (Throwable th) {
                logger.error("Failed to process token: ", th);
                return Future.failedFuture(th);
            }
        } catch (Throwable th2) {
            logger.error("Parse of JWT failed: ", th2);
            return Future.failedFuture(new IllegalArgumentException("Parse of signed JWT failed", th2));
        }
    }

    private void verify(JsonWebAlgorithm jsonWebAlgorithm, JWK<?> jwk, JWT jwt) throws IllegalArgumentException {
        if (Strings.isNullOrEmpty(jwt.getSignature())) {
            throw new IllegalStateException("No signature in token.");
        }
        if (JsonWebAlgorithm.none == jsonWebAlgorithm) {
            throw new IllegalStateException("Algorithm \"none\" not allowed");
        }
        try {
            if (jwk.verify(jsonWebAlgorithm, B64DECODER.decode(jwt.getSignature()), jwt.getSignatureBase().getBytes(StandardCharsets.UTF_8))) {
            } else {
                throw new IllegalArgumentException("Signature verification failed");
            }
        } catch (Throwable th) {
            logger.warn("Signature verification failed: ", th);
            throw new IllegalArgumentException("Signature verification failed", th);
        }
    }

    private void validateSub(JWT jwt) throws IllegalArgumentException {
        if (Strings.isNullOrEmpty(jwt.getSubject())) {
            throw new IllegalArgumentException("No subject specified in token");
        }
    }

    private void validateAud(JWT jwt, List<String> list, boolean z) throws IllegalArgumentException {
        if (list == null || (!z && list.isEmpty())) {
            throw new IllegalStateException("Required audience not set");
        }
        if (jwt.getAudience() == null) {
            throw new IllegalArgumentException("Token does not include aud claim");
        }
        for (String str : jwt.getAudience()) {
            Iterator<String> it = list.iterator();
            while (it.hasNext()) {
                if (it.next().equals(str)) {
                    return;
                }
            }
        }
        if (z) {
            return;
        }
        if (list.size() == 1) {
            logger.warn("Required audience ({}) not found in token aud claim: {}", list.get(0), jwt.getAudience());
        } else {
            logger.warn("None of the required audiences ({}) found in token aud claim: {}", list, jwt.getAudience());
        }
        throw new IllegalArgumentException("Required audience not found in token");
    }

    private void validateExp(JWT jwt, long j) throws IllegalArgumentException {
        if (jwt.getExpiration() == null) {
            if (this.requireExp) {
                throw new IllegalArgumentException("Token does not specify exp");
            }
        } else {
            long j2 = j - this.timeLeewaySeconds;
            if (jwt.getExpiration().longValue() < j2) {
                logger.warn("Token exp = {} ({}), now = {} ({}), target = {} ({})", new Object[]{jwt.getExpiration(), jwt.getExpirationLocalDateTime(), Long.valueOf(j), LocalDateTime.ofEpochSecond(j, 0, ZoneOffset.UTC), Long.valueOf(j2), LocalDateTime.ofEpochSecond(j2, 0, ZoneOffset.UTC)});
                throw new IllegalArgumentException("Token is not valid after " + String.valueOf(jwt.getExpirationLocalDateTime()));
            }
        }
    }

    private void validateNbf(JWT jwt, long j) throws IllegalArgumentException {
        if (jwt.getNotBefore() == null) {
            if (this.requireNbf) {
                throw new IllegalArgumentException("Token does not specify exp");
            }
        } else {
            if (jwt.getNotBefore().longValue() > j + this.timeLeewaySeconds) {
                throw new IllegalArgumentException("Token is not valid until " + String.valueOf(jwt.getNotBeforeLocalDateTime()));
            }
        }
    }

    private JsonWebAlgorithm validateAlgorithm(String str) {
        if (str == null) {
            logger.warn("No signature algorithm in token.");
            throw new IllegalArgumentException("Parse of signed JWT failed");
        }
        try {
            JsonWebAlgorithm valueOf = JsonWebAlgorithm.valueOf(str);
            if (this.permittedAlgs.contains(valueOf)) {
                return valueOf;
            }
            logger.warn("Failed to find algorithm \"{}\" in {}", str, this.permittedAlgs);
            throw new IllegalArgumentException("Parse of signed JWT failed");
        } catch (Throwable th) {
            logger.warn("Failed to parse algorithm \"{}\"", str);
            throw new IllegalArgumentException("Parse of signed JWT failed");
        }
    }
}
