package io.micronaut.security.token.jwt.validator;

import com.nimbusds.jose.EncryptionMethod;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.JWEHeader;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jwt.EncryptedJWT;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.jwt.PlainJWT;
import com.nimbusds.jwt.SignedJWT;
import io.micronaut.core.annotation.NonNull;
import io.micronaut.core.annotation.Nullable;
import io.micronaut.security.token.jwt.encryption.EncryptionConfiguration;
import io.micronaut.security.token.jwt.generator.claims.JwtClaimsSetAdapter;
import io.micronaut.security.token.jwt.signature.SignatureConfiguration;
import io.micronaut.security.token.jwt.signature.jwks.JwksCache;
import java.text.ParseException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Comparator;
import java.util.Iterator;
import java.util.List;
import java.util.Optional;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

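/**
 * Validates a JWT against the configured signature configurations, encryption
 * configurations and claims validators.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>An unsecured ({@link PlainJWT}) token is accepted when no signature
 *       configuration is registered; see {@link #validate(PlainJWT)}.</li>
 *   <li>An encrypted token is only accepted when its payload is itself a signed
 *       JWT that passes signature verification.</li>
 *   <li>Claims are checked only by the registered {@link JwtClaimsValidator}s;
 *       with none registered, this class applies no claim checks at all.</li>
 *   <li>Raw token values are never written to the log, since a token is a
 *       bearer credential.</li>
 * </ul>
 *
 * @param <T> type of the context object handed to the claims validators
 */
@Deprecated(since = "4.8.0", forRemoval = true)
public final class JwtValidator<T> {
    private static final Logger LOG = LoggerFactory.getLogger(JwtValidator.class);
    private static final String DOT = ".";
    private final List<SignatureConfiguration> signatures;
    private final List<EncryptionConfiguration> encryptions;
    private final List<JwtClaimsValidator> claimsValidators;

    /**
     * Collects the configurations for a {@link JwtValidator}. Every setter
     * replaces the previously stored list with a private copy of its argument.
     *
     * <p>The fluent methods keep their raw {@code Builder} return type so that
     * existing call chains continue to compile unchanged.
     *
     * @param <T> type of the context object handed to the claims validators
     */
    public static final class Builder<T> {
        private List<SignatureConfiguration> signatures = new ArrayList<>();
        private List<EncryptionConfiguration> encryptions = new ArrayList<>();
        private List<JwtClaimsValidator> claimsValidators = new ArrayList<>();

        private Builder() {
        }

        /**
         * @param signatureConfigurationArr signature configurations to verify with
         * @return this builder
         */
        public Builder withSignatures(SignatureConfiguration... signatureConfigurationArr) {
            // Copy: Arrays.asList alone is a view, so a caller that later edits its
            // array would silently change which keys this validator trusts.
            this.signatures = new ArrayList<>(Arrays.asList(signatureConfigurationArr));
            return this;
        }

        /**
         * @param collection signature configurations to verify with
         * @return this builder
         */
        public Builder withSignatures(Collection<? extends SignatureConfiguration> collection) {
            this.signatures = new ArrayList<>(collection);
            return this;
        }

        /**
         * @param encryptionConfigurationArr encryption configurations to decrypt with
         * @return this builder
         */
        public Builder withEncryptions(EncryptionConfiguration... encryptionConfigurationArr) {
            // Copied for the same reason as in withSignatures(SignatureConfiguration...).
            this.encryptions = new ArrayList<>(Arrays.asList(encryptionConfigurationArr));
            return this;
        }

        /**
         * @param collection encryption configurations to decrypt with
         * @return this builder
         */
        public Builder withEncryptions(Collection<? extends EncryptionConfiguration> collection) {
            this.encryptions = new ArrayList<>(collection);
            return this;
        }

        /**
         * @param jwtClaimsValidatorArr validators applied to the claims of a verified token
         * @return this builder
         */
        public Builder withClaimValidators(JwtClaimsValidator... jwtClaimsValidatorArr) {
            // Copied for the same reason as in withSignatures(SignatureConfiguration...).
            this.claimsValidators = new ArrayList<>(Arrays.asList(jwtClaimsValidatorArr));
            return this;
        }

        /**
         * @param collection validators applied to the claims of a verified token
         * @return this builder
         */
        public Builder withClaimValidators(Collection<? extends JwtClaimsValidator> collection) {
            this.claimsValidators = new ArrayList<>(collection);
            return this;
        }

        /**
         * @return a validator using the lists currently held by this builder
         */
        public JwtValidator<T> build() {
            return new JwtValidator<>(this.signatures, this.encryptions, this.claimsValidators);
        }
    }

    private JwtValidator(List<SignatureConfiguration> list, List<EncryptionConfiguration> list2, List<JwtClaimsValidator> list3) {
        this.signatures = list;
        this.encryptions = list2;
        this.claimsValidators = list3;
    }

    /**
     * Parses and validates a serialized token.
     *
     * @param str the serialized JWT
     * @param t   context object passed to the claims validators, may be {@code null}
     * @return the validated JWT, or empty when the token is {@code null}, malformed,
     *         cannot be verified or fails a claims validator
     */
    public Optional<JWT> validate(String str, @Nullable T t) {
        if (str == null) {
            LOG.trace("token is null");
            return Optional.empty();
        }
        if (!hasAtLeastTwoDots(str)) {
            // The rejected value is deliberately not logged: whatever was sent as a
            // token may still be a credential for this or another system.
            LOG.trace("token does not contain two dots");
            return Optional.empty();
        }
        try {
            return validate(JWTParser.parse(str), t);
        } catch (ParseException e) {
            if (LOG.isTraceEnabled()) {
                LOG.trace("Failed to parse JWT: {}", e.getMessage());
            }
            return Optional.empty();
        }
    }

    /** Cheap shape check run before parsing: at least two '.' separators. */
    private boolean hasAtLeastTwoDots(String str) {
        int firstDot = str.indexOf(DOT);
        return firstDot != -1 && str.indexOf(DOT, firstDot + 1) != -1;
    }

    /**
     * Validates an already parsed token: first by its kind (plain, encrypted or
     * signed), then against every registered claims validator.
     *
     * @param jwt the parsed JWT
     * @param t   context object passed to the claims validators, may be {@code null}
     * @return the validated JWT (for an encrypted token, the nested signed JWT), or
     *         empty when any step rejects it
     */
    public Optional<JWT> validate(@NonNull JWT jwt, @Nullable T t) {
        final Optional<JWT> verified;
        if (jwt instanceof PlainJWT) {
            verified = validate((PlainJWT) jwt);
        } else if (jwt instanceof EncryptedJWT) {
            verified = validate((EncryptedJWT) jwt);
        } else if (jwt instanceof SignedJWT) {
            verified = validate((SignedJWT) jwt);
        } else {
            verified = Optional.empty();
        }
        if (this.claimsValidators.isEmpty()) {
            return verified;
        }
        return verified.filter(candidate -> claimsAreValid(candidate, t));
    }

    /** Returns true only when the claims can be read and every claims validator accepts them. */
    private boolean claimsAreValid(JWT jwt, @Nullable T t) {
        try {
            JwtClaimsSetAdapter claims = new JwtClaimsSetAdapter(jwt.getJWTClaimsSet());
            return this.claimsValidators.stream().allMatch(validator -> validator.validate(claims, t));
        } catch (ParseException e) {
            // Unreadable claims fail closed.
            LOG.error("Failed to retrieve the claims set", e);
            return false;
        }
    }

    /**
     * Handles an unsecured JWT.
     *
     * <p>With no signature configuration registered the token is returned as
     * verified, so its claims carry no integrity protection. Deployments that
     * must reject unsecured tokens need at least one signature configuration.
     */
    private Optional<JWT> validate(PlainJWT plainJWT) {
        LOG.debug("Validating plain JWT");
        if (this.signatures.isEmpty()) {
            LOG.debug("JWT is not signed and no signature configurations -> verified");
            return Optional.of(plainJWT);
        }
        LOG.debug("A non-signed JWT cannot be accepted as signature configurations have been defined");
        return Optional.empty();
    }

    /**
     * Decrypts an encrypted JWT with the first encryption configuration that
     * succeeds, then verifies the nested signed JWT. Configurations that support
     * the header's algorithm and method are tried first.
     */
    private Optional<JWT> validate(EncryptedJWT encryptedJWT) {
        LOG.debug("Validating encrypted JWT");
        JWEHeader header = encryptedJWT.getHeader();
        List<EncryptionConfiguration> sorted = new ArrayList<>(this.encryptions);
        sorted.sort(comparator(header));
        for (EncryptionConfiguration encryptionConfiguration : sorted) {
            LOG.trace("Using encryption configuration: {}", encryptionConfiguration);
            try {
                encryptionConfiguration.decrypt(encryptedJWT);
            } catch (JOSEException e) {
                // Move on to the next configuration, as the message says, instead of
                // rejecting the token after the first failed attempt.
                LOG.debug("Decryption fails with encryption configuration: {}, passing to the next one", encryptionConfiguration);
                continue;
            }
            SignedJWT signedJWT = encryptedJWT.getPayload().toSignedJWT();
            if (signedJWT == null) {
                // An encrypted payload that is not a signed JWT is never accepted.
                LOG.debug("Encrypted JWT couldn't be converted to a signed JWT.");
                return Optional.empty();
            }
            return validate(signedJWT);
        }
        if (this.encryptions.isEmpty()) {
            LOG.debug("JWT is encrypted and no encryption configurations -> not verified");
        }
        return Optional.empty();
    }

    /**
     * Verifies a signed JWT against every signature configuration, best match
     * first. When none verifies, each expired {@link JwksCache} is cleared and
     * tried once more.
     */
    private Optional<JWT> validate(SignedJWT signedJWT) {
        LOG.debug("Validating signed JWT");
        JWSAlgorithm algorithm = signedJWT.getHeader().getAlgorithm();
        List<SignatureConfiguration> sorted = new ArrayList<>(this.signatures);
        sorted.sort(comparator(algorithm, signedJWT.getHeader().getKeyID()));
        Optional<JWT> verified = validate(signedJWT, sorted);
        if (verified.isPresent()) {
            return verified;
        }
        for (SignatureConfiguration signatureConfiguration : sorted) {
            if (!(signatureConfiguration instanceof JwksCache)) {
                continue;
            }
            JwksCache cache = (JwksCache) signatureConfiguration;
            if (cache.isExpired()) {
                cache.clear();
                Optional<JWT> retried = validate(signedJWT, signatureConfiguration);
                if (retried.isPresent()) {
                    return retried;
                }
            }
        }
        if (this.signatures.isEmpty()) {
            LOG.debug("JWT is signed and no signature configurations -> not verified");
        }
        return Optional.empty();
    }

    /** Verifies the token with one signature configuration; any failure yields empty. */
    private Optional<JWT> validate(SignedJWT signedJWT, SignatureConfiguration signatureConfiguration) {
        try {
            if (signatureConfiguration.verify(signedJWT)) {
                return Optional.of(signedJWT);
            }
            // The serialized token is not logged: a token this configuration rejects
            // can still be a valid bearer credential elsewhere.
            LOG.debug("JWT Signature verification failed");
        } catch (JOSEException e) {
            LOG.debug("Verification failed with signature configuration: {}, passing to the next one", signatureConfiguration);
        }
        return Optional.empty();
    }

    /** Tries the configurations in list order and returns the first successful verification. */
    private Optional<JWT> validate(SignedJWT signedJWT, List<SignatureConfiguration> list) {
        for (SignatureConfiguration signatureConfiguration : list) {
            Optional<JWT> verified = validate(signedJWT, signatureConfiguration);
            if (verified.isPresent()) {
                return verified;
            }
        }
        return Optional.empty();
    }

    /**
     * Orders two signature configurations by how they relate to the token's key
     * id: known match, then unknown, then known mismatch. This affects only the
     * order in which configurations are tried, not which ones are tried.
     *
     * @return negative when the first configuration should be tried first,
     *         positive when the second should, 0 when the key id does not decide
     */
    private static int compareKeyIds(SignatureConfiguration signatureConfiguration, SignatureConfiguration signatureConfiguration2, @Nullable String str) {
        if (str == null) {
            return 0;
        }
        Optional<Boolean> firstMatches = signatureConfigurationMatchesKeyId(signatureConfiguration, str);
        Optional<Boolean> secondMatches = signatureConfigurationMatchesKeyId(signatureConfiguration2, str);
        if (firstMatches.isPresent() && secondMatches.isPresent()) {
            return secondMatches.get().compareTo(firstMatches.get());
        }
        if (firstMatches.isPresent()) {
            // Mirror image of the branch below. Returning the same sign in both
            // branches would give compare(a, b) and compare(b, a) the same sign,
            // which breaks the Comparator contract.
            return Boolean.TRUE.equals(firstMatches.get()) ? -1 : 1;
        }
        if (secondMatches.isPresent()) {
            return Boolean.TRUE.equals(secondMatches.get()) ? 1 : -1;
        }
        return 0;
    }

    /** Orders signature configurations by key id match first, then by support for the algorithm. */
    private static Comparator<SignatureConfiguration> comparator(JWSAlgorithm jWSAlgorithm, @Nullable String str) {
        return (first, second) -> {
            int byKeyId = compareKeyIds(first, second, str);
            if (byKeyId != 0) {
                return byKeyId;
            }
            boolean firstSupports = signatureConfigurationSupportsAlgorithm(first, jWSAlgorithm);
            boolean secondSupports = signatureConfigurationSupportsAlgorithm(second, jWSAlgorithm);
            if (firstSupports == secondSupports) {
                return 0;
            }
            return firstSupports ? -1 : 1;
        };
    }

    /**
     * @return whether the configuration's key ids contain {@code str}; empty when the
     *         configuration is not a {@link JwksCache} or reports no key ids
     */
    private static Optional<Boolean> signatureConfigurationMatchesKeyId(@NonNull SignatureConfiguration signatureConfiguration, @NonNull String str) {
        if (!(signatureConfiguration instanceof JwksCache)) {
            return Optional.empty();
        }
        return ((JwksCache) signatureConfiguration).getKeyIds().map(keyIds -> keyIds.contains(str));
    }

    /**
     * A {@link JwksCache} whose {@code isPresent()} is false counts as not supporting
     * the algorithm, without asking it; every other configuration is asked through
     * {@code supports}.
     */
    private static boolean signatureConfigurationSupportsAlgorithm(@NonNull SignatureConfiguration signatureConfiguration, @NonNull JWSAlgorithm jWSAlgorithm) {
        if (signatureConfiguration instanceof JwksCache && !((JwksCache) signatureConfiguration).isPresent()) {
            return false;
        }
        return signatureConfiguration.supports(jWSAlgorithm);
    }

    /** Orders encryption configurations so those supporting the header's algorithm and method come first. */
    private static Comparator<EncryptionConfiguration> comparator(JWEHeader jWEHeader) {
        JWEAlgorithm algorithm = jWEHeader.getAlgorithm();
        EncryptionMethod encryptionMethod = jWEHeader.getEncryptionMethod();
        return (first, second) -> {
            boolean firstSupports = first.supports(algorithm, encryptionMethod);
            boolean secondSupports = second.supports(algorithm, encryptionMethod);
            if (firstSupports == secondSupports) {
                return 0;
            }
            return firstSupports ? -1 : 1;
        };
    }

    /**
     * @return a new, empty builder (raw return type kept for existing callers)
     */
    public static Builder builder() {
        return new Builder();
    }
}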
