package io.jans.configapi.auth.util;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.datatype.jsonorg.JsonOrgModule;
import io.jans.as.model.crypto.PublicKey;
import io.jans.as.model.crypto.signature.AlgorithmFamily;
import io.jans.as.model.crypto.signature.ECDSAPublicKey;
import io.jans.as.model.crypto.signature.RSAPublicKey;
import io.jans.as.model.crypto.signature.SignatureAlgorithm;
import io.jans.as.model.exception.InvalidJwtException;
import io.jans.as.model.jwk.JSONWebKey;
import io.jans.as.model.jwk.JSONWebKeySet;
import io.jans.as.model.jwk.KeyType;
import io.jans.as.model.jws.ECDSASigner;
import io.jans.as.model.jws.RSASigner;
import io.jans.as.model.jwt.Jwt;
import io.jans.configapi.auth.client.AuthClientFactory;
import io.jans.configapi.service.ConfigurationService;
import io.jans.configapi.util.ApiConstants;
import io.jans.util.StringHelper;
import java.io.IOException;
import java.util.Date;
import java.util.List;
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.Response;
import org.json.JSONObject;
import org.slf4j.Logger;

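/**
 * Parses and validates JWT bearer tokens presented to the config API.
 *
 * <p>{@link #validateToken(String, List)} accepts a token only when it has an
 * {@code exp} claim that lies in the future, an issuer accepted by
 * {@link AuthUtil#isValidIssuer}, a signature that verifies against a key from
 * the issuer's JWKS, and scopes accepted by {@link AuthUtil#validateScope}.
 * Every rejection surfaces as a 401 {@link WebApplicationException}.
 *
 * <p>Several trace-level statements write the raw token (or its signing input
 * and signature) to the log; keep them at trace so credentials do not reach
 * production logs.
 */
@ApplicationScoped
public class JwtUtil {

    /**
     * Jackson mapper that materialises {@code org.json} objects. An
     * {@code ObjectMapper} is thread-safe once configured, so one shared
     * instance replaces the per-call construction.
     */
    private static final ObjectMapper JSON_ORG_MAPPER = new ObjectMapper().registerModule(new JsonOrgModule());

    @Inject
    Logger log;

    @Inject
    ConfigurationService configurationService;

    @Inject
    AuthUtil authUtil;

    /**
     * Reports whether {@code str} is a parseable JWT.
     *
     * @param str the compact-serialized token; may be {@code null}
     * @return {@code true} only when {@link #parse(String)} yields a token;
     *         {@code null} or empty input is not a JWT and yields {@code false}
     */
    public boolean isJwt(String str) throws Exception {
        // Trace-level only: this line writes the raw token to the log.
        this.log.trace("\n\n JwtUtil::isJwt()  token = " + str);
        try {
            // parse() returns null for null/empty input, which is not a JWT either.
            return parse(str) != null;
        } catch (Exception e) {
            // The credential is deliberately not echoed at error level.
            this.log.error("Not jwt token");
            return false;
        }
    }

    /**
     * Parses a compact-serialized JWT.
     *
     * @param str the encoded token; may be {@code null} or empty
     * @return the parsed token, or {@code null} when {@code str} is {@code null} or empty
     * @throws InvalidJwtException if {@code str} is not a well-formed JWT
     */
    public Jwt parse(String str) throws InvalidJwtException {
        // Trace-level only: this line writes the raw token to the log.
        this.log.trace("\n\n JwtUtil::parse()  encodedJwt = " + str);
        return StringHelper.isNotEmpty(str) ? Jwt.parse(str) : null;
    }

    /**
     * Validates a token end to end: expiry, issuer, signature and scopes, in that order.
     *
     * @param str  the compact-serialized token
     * @param list the scopes the caller requires; handed to {@link AuthUtil#validateScope}
     * @throws WebApplicationException with status 401 when the token is missing, has no
     *         {@code exp} claim or is expired, has an unaccepted issuer, fails signature
     *         verification, or lacks the required scopes
     * @throws InvalidJwtException if the token cannot be parsed
     * @throws Exception propagated from JWKS discovery or retrieval
     */
    public void validateToken(String str, List<String> list) throws InvalidJwtException, Exception {
        try {
            Jwt jwt = parse(str);
            if (jwt == null) {
                // parse() yields null for an empty token; without this guard the claim
                // lookups below would fail with a NullPointerException instead of a 401.
                this.log.error("ID Token is missing.");
                throw new WebApplicationException("ID Token is missing", Response.status(Response.Status.UNAUTHORIZED).build());
            }
            // Trace-level only: signing input plus signature reconstitute the full token.
            this.log.trace("JwtUtil::validateToken() -JWT details :  jwt.getSigningInput() = " + jwt.getSigningInput() + " ,jwt.getEncodedSignature() = " + jwt.getEncodedSignature() + " ,jwt.getHeader().getKeyId() = " + jwt.getHeader().getKeyId() + " ,jwt.getHeader().getSignatureAlgorithm() = " + jwt.getHeader().getSignatureAlgorithm() + " ,jwt.getClaims().getClaimAsString(JwtHeaderName.ALGORITHM) = " + jwt.getClaims().getClaimAsString("alg") + " ,jwt.getClaims().getClaimAsString(JwtHeaderName.ENCRYPTION_METHOD) = " + jwt.getClaims().getClaimAsString("enc") + ".");
            Date expiresAt = jwt.getClaims().getClaimAsDate("exp");
            String issuer = jwt.getClaims().getClaimAsString("iss");
            List<String> tokenScopes = jwt.getClaims().getClaimAsStringList("scope");
            this.log.debug("\n\n JwtUtil::validateToken() - expiresAt = " + expiresAt + " , issuer =" + issuer + " , scopes = " + tokenScopes + "\n");

            this.log.info("Validate JWT");
            Date now = new Date();
            if (expiresAt == null) {
                // A token without "exp" must not be accepted indefinitely.
                this.log.error("ID Token has no exp claim.");
                throw new WebApplicationException("ID Token is expired", Response.status(Response.Status.UNAUTHORIZED).build());
            }
            if (now.after(expiresAt)) {
                this.log.error("ID Token is expired. (It is after " + now + ").");
                throw new WebApplicationException("ID Token is expired", Response.status(Response.Status.UNAUTHORIZED).build());
            }

            this.log.info("Validate JWT Issuer");
            if (!this.authUtil.isValidIssuer(issuer)) {
                throw new WebApplicationException("Jwt Issuer is Invalid.", Response.status(Response.Status.UNAUTHORIZED).build());
            }

            // The issuer is only trusted for JWKS lookup after isValidIssuer() accepted it.
            this.log.info("Retrieve JSON Web Key Set URI");
            String jwksUri = getJwksUri(issuer);
            this.log.trace("\n\n JwtUtil::validateToken() - jwksUri = " + jwksUri);

            this.log.info("Retrieve JSON Web Key Set");
            JSONWebKeySet jsonWebKeySet = getJSONWebKeys(jwksUri);
            this.log.trace("\n\n JwtUtil::validateToken() - jsonWebKeySet = " + jsonWebKeySet);

            this.log.info("Verify JWT signature");
            boolean signatureValid = validateSignature(jwt, jsonWebKeySet);
            this.log.debug("\n\n JwtUtil::validateToken() - isJwtSignatureValid = " + signatureValid + "\n\n");
            if (!signatureValid) {
                throw new WebApplicationException("Jwt Signature is Invalid.", Response.status(Response.Status.UNAUTHORIZED).build());
            }

            this.log.info("Validate token scopes");
            if (!this.authUtil.validateScope(tokenScopes, list)) {
                this.log.error("Insufficient scopes. Required scope: " + list + ", token scopes: " + tokenScopes);
                throw new WebApplicationException("Insufficient scopes. Required scope", Response.status(Response.Status.UNAUTHORIZED).build());
            }
        } catch (InvalidJwtException e) {
            this.log.error("Not a valid Jwt token = " + e);
            throw e;
        }
    }

    /**
     * Verifies the token's signature against the key named by its {@code kid} header.
     *
     * <p>The signer is chosen from the header's {@code alg} family, and the JWKS key is
     * required to be of the matching type (RSA key for the RSA family, EC key for the EC
     * family); a mismatch or any other family is rejected. Any exception during
     * verification is logged and reported as an invalid signature.
     *
     * @param jwt            the parsed token
     * @param jSONWebKeySet  the issuer's key set
     * @return {@code true} only when the signature verifies
     */
    public boolean validateSignature(Jwt jwt, JSONWebKeySet jSONWebKeySet) {
        this.log.trace("\n\n JwtUtil::validateSignature() - jwt = " + jwt + " , jsonWebKeySet =" + jSONWebKeySet + "\n");
        try {
            String kid = jwt.getHeader().getClaimAsString(ApiConstants.KID);
            String algorithm = jwt.getHeader().getClaimAsString("alg");
            SignatureAlgorithm signatureAlgorithm = jwt.getHeader().getSignatureAlgorithm();
            this.log.trace("\n\n JwtUtil::validateSignature() - kid = " + kid + " , algorithm =" + algorithm + " signatureAlgorithm = " + signatureAlgorithm + "\n");
            if (signatureAlgorithm == null) {
                this.log.error("Unsupported or missing alg header: " + algorithm);
                return false;
            }

            PublicKey publicKey = getPublicKey(kid, jSONWebKeySet, signatureAlgorithm);
            this.log.trace("\n\n JwtUtil::validateSignature() - publicKey = " + publicKey + "\n");
            if (publicKey == null) {
                this.log.error("Failed to get RSA public key.");
                return false;
            }

            // The parsed header algorithm drives both the family check and the signer,
            // so the two cannot disagree. The key type must match the family; this is
            // checked explicitly instead of relying on a ClassCastException.
            AlgorithmFamily family = signatureAlgorithm.getFamily();
            boolean verified;
            if (AlgorithmFamily.RSA.equals(family)) {
                if (!(publicKey instanceof RSAPublicKey)) {
                    this.log.error("Key type does not match alg header " + algorithm + ": RSA key expected.");
                    return false;
                }
                verified = new RSASigner(signatureAlgorithm, (RSAPublicKey) publicKey).validate(jwt);
            } else if (AlgorithmFamily.EC.equals(family)) {
                if (!(publicKey instanceof ECDSAPublicKey)) {
                    this.log.error("Key type does not match alg header " + algorithm + ": EC key expected.");
                    return false;
                }
                verified = new ECDSASigner(signatureAlgorithm, (ECDSAPublicKey) publicKey).validate(jwt);
            } else {
                // Anything other than RSA or EC cannot be verified with a public key here.
                this.log.error("ID Token signer is not found!");
                return false;
            }

            if (verified) {
                this.log.debug("ID Token is successfully validated.");
                return true;
            }
            this.log.error("ID Token signature invalid.");
            return false;
        } catch (Exception e) {
            this.log.error("Failed to validate id_token. Message: " + e.getMessage(), e);
            return false;
        }
    }

    /**
     * Builds the public key for the JWKS entry named {@code str}.
     *
     * @param str                the {@code kid} to look up
     * @param jSONWebKeySet      the key set; {@code null} yields {@code null}
     * @param signatureAlgorithm the token's algorithm; kept for the public signature but
     *                           not consulted, the key's own type and {@code alg} decide
     * @return an {@link RSAPublicKey} or {@link ECDSAPublicKey}, or {@code null} when the
     *         key is absent, has no key type, is an EC key without {@code alg}, or is of
     *         an unsupported type
     */
    public PublicKey getPublicKey(String str, JSONWebKeySet jSONWebKeySet, SignatureAlgorithm signatureAlgorithm) {
        this.log.trace("\n\n JwtUtil::getPublicKey() - kid = " + str + " , jsonWebKeySet =" + jSONWebKeySet + " , signatureAlgorithm =  " + signatureAlgorithm + "\n");
        if (jSONWebKeySet == null) {
            return null;
        }
        JSONWebKey key = jSONWebKeySet.getKey(str);
        if (key == null || key.getKty() == null) {
            return null;
        }
        switch (key.getKty()) {
            case RSA:
                return new RSAPublicKey(key.getN(), key.getE());
            case EC:
                if (key.getAlg() == null) {
                    // The curve is derived from the key's alg; without it no key can be built.
                    return null;
                }
                return new ECDSAPublicKey(SignatureAlgorithm.fromString(key.getAlg().getParamName()), key.getX(), key.getY());
            default:
                return null;
        }
    }

    /**
     * Deserialises a JSON document into an {@code org.json} object.
     *
     * @param str the JSON text
     * @return the parsed object
     * @throws IOException if {@code str} is not valid JSON
     */
    public JSONObject fromJson(String str) throws IOException {
        this.log.trace("\n\n JwtUtil::fromJson() - json = " + str + " \n");
        return JSON_ORG_MAPPER.readValue(str, JSONObject.class);
    }

    /**
     * Resolves the JWKS URI for an issuer.
     *
     * @param str the issuer
     * @return the locally configured JWKS URI when {@code str} equals the configured
     *         issuer, otherwise the URI discovered through {@link AuthClientFactory}
     * @throws Exception propagated from discovery
     */
    public String getJwksUri(String str) throws Exception {
        this.log.debug("JwtUtil::getJwksUri() - issuer = " + str);
        if (StringHelper.isNotEmpty(str) && str.equals(this.configurationService.find().getIssuer())) {
            return this.configurationService.find().getJwksUri();
        }
        return AuthClientFactory.getJwksUri(str);
    }

    /**
     * Fetches the key set published at {@code str}.
     *
     * @param str the JWKS URI
     * @return the retrieved key set
     * @throws Exception propagated from the HTTP retrieval
     */
    public JSONWebKeySet getJSONWebKeys(String str) throws Exception {
        this.log.debug("\n\n JwtUtil::getJSONWebKeys() - jwksUri = " + str + " \n");
        JSONWebKeySet jsonWebKeySet = AuthClientFactory.getJSONWebKeys(str);
        this.log.trace("\n\n JwtUtil::getJSONWebKeys() - jsonWebKeySet = " + jsonWebKeySet + " \n");
        return jsonWebKeySet;
    }
}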
