package com.networknt.security;

import com.github.benmanes.caffeine.cache.Cache;
import com.github.benmanes.caffeine.cache.Caffeine;
import com.networknt.client.ClientConfig;
import com.networknt.client.oauth.OauthHelper;
import com.networknt.client.oauth.SignKeyRequest;
import com.networknt.client.oauth.TokenKeyRequest;
import com.networknt.config.Config;
import com.networknt.config.ConfigException;
import com.networknt.config.JsonMapper;
import com.networknt.exception.ClientException;
import com.networknt.exception.ExpiredTokenException;
import com.networknt.status.Status;
import com.networknt.utility.FingerPrintUtil;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import java.util.function.BiFunction;
import org.jose4j.jwk.JsonWebKey;
import org.jose4j.jwk.JsonWebKeySet;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.MalformedClaimException;
import org.jose4j.jwt.NumericDate;
import org.jose4j.jwt.consumer.ErrorCodeValidator;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.jwt.consumer.JwtContext;
import org.jose4j.jwx.JsonWebStructure;
import org.jose4j.keys.resolvers.JwksVerificationKeyResolver;
import org.jose4j.keys.resolvers.VerificationKeyResolver;
import org.jose4j.keys.resolvers.X509VerificationKeyResolver;
import org.jose4j.lang.JoseException;
import org.owasp.encoder.Encode;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/networknt/security/JwtVerifier.class */
public class JwtVerifier extends TokenVerifier {
    static final Logger logger = LoggerFactory.getLogger(JwtVerifier.class);
    static final String GET_KEY_ERROR = "ERR10066";
    public static final String KID = "kid";
    public static final String SECURITY_CONFIG = "security";
    private static final int CACHE_EXPIRED_IN_MINUTES = 15;
    public static final String JWT_KEY_RESOLVER_X509CERT = "X509Certificate";
    public static final String JWT_KEY_RESOLVER_JWKS = "JsonWebKeySet";
    static SecurityConfig config;
    int secondsOfAllowedClockSkew;
    Boolean enableJwtCache;
    Boolean enableRelaxedKeyValidation;
    Boolean bootstrapFromKeyService;
    static Cache<String, JwtClaims> cache;
    static Map<String, X509Certificate> certMap;
    static Map<String, List<JsonWebKey>> jwksMap;
    static String audience;
    static Map<String, String> audienceMap;
    static List<String> fingerPrints;

    public JwtVerifier(SecurityConfig securityConfig) {
        config = securityConfig;
        this.secondsOfAllowedClockSkew = securityConfig.getClockSkewInSeconds();
        this.bootstrapFromKeyService = Boolean.valueOf(securityConfig.isBootstrapFromKeyService());
        this.enableRelaxedKeyValidation = Boolean.valueOf(securityConfig.isEnableRelaxedKeyValidation());
        this.enableJwtCache = Boolean.valueOf(securityConfig.isEnableJwtCache());
        if (Boolean.TRUE.equals(this.enableJwtCache)) {
            cache = Caffeine.newBuilder().maximumSize(securityConfig.getJwtCacheFullSize()).expireAfterWrite(15L, TimeUnit.MINUTES).build();
        }
        String keyResolver = securityConfig.getKeyResolver();
        cacheCertificates();
        if (JWT_KEY_RESOLVER_JWKS.equals(keyResolver) && this.bootstrapFromKeyService.booleanValue()) {
            jwksMap = getJsonWebKeyMap();
        } else {
            jwksMap = new HashMap();
        }
    }

    private void cacheCertificates() {
        certMap = new HashMap();
        fingerPrints = new ArrayList();
        if (config.getCertificate() != null) {
            Map<String, Object> certificate = config.getCertificate();
            for (String str : certificate.keySet()) {
                X509Certificate x509Certificate = null;
                try {
                    x509Certificate = readCertificate((String) certificate.get(str));
                } catch (Exception e) {
                    logger.error("Exception:", e);
                }
                certMap.put(str, x509Certificate);
                fingerPrints.add(FingerPrintUtil.getCertFingerPrint(x509Certificate));
            }
        }
        logger.debug("Successfully cached Certificate");
    }

    public X509Certificate readCertificate(String str) throws Exception {
        InputStream inputStream = null;
        X509Certificate x509Certificate = null;
        try {
            try {
                InputStream inputStreamFromFile = Config.getInstance().getInputStreamFromFile(str);
                if (inputStreamFromFile != null) {
                    x509Certificate = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(inputStreamFromFile);
                } else {
                    logger.info("Certificate " + Encode.forJava(str) + " not found.");
                }
                if (inputStreamFromFile != null) {
                    try {
                        inputStreamFromFile.close();
                    } catch (IOException e) {
                        logger.error("Exception: ", e);
                    }
                }
            } catch (Exception e2) {
                logger.error("Exception: ", e2);
                if (0 != 0) {
                    try {
                        inputStream.close();
                    } catch (IOException e3) {
                        logger.error("Exception: ", e3);
                    }
                }
            }
            return x509Certificate;
        } catch (Throwable th) {
            if (0 != 0) {
                try {
                    inputStream.close();
                } catch (IOException e4) {
                    logger.error("Exception: ", e4);
                }
            }
            throw th;
        }
    }

    public JwtClaims verifyJwt(String str, boolean z, boolean z2, String str2, String str3, List<String> list) throws InvalidJwtException, ExpiredTokenException {
        return verifyJwt(str, z, z2, str2, str3, list, this::getKeyResolver);
    }

    public JwtClaims verifyJwt(String str, boolean z, boolean z2) throws InvalidJwtException, ExpiredTokenException {
        return verifyJwt(str, z, z2, null, null, null, this::getKeyResolver);
    }

    public JwtClaims verifyJwt(String str, boolean z, boolean z2, String str2, String str3, List<String> list, BiFunction<String, Object, VerificationKeyResolver> biFunction) throws InvalidJwtException, ExpiredTokenException {
        if (Boolean.TRUE.equals(this.enableJwtCache)) {
            JwtClaims jwtClaims = str2 != null ? (JwtClaims) cache.getIfPresent(str2 + ":" + str) : (JwtClaims) cache.getIfPresent(str);
            if (jwtClaims != null) {
                checkExpiry(z, jwtClaims, this.secondsOfAllowedClockSkew, null);
                return jwtClaims;
            }
        }
        JwtConsumerBuilder skipSignatureVerification = new JwtConsumerBuilder().setSkipAllValidators().setDisableRequireSignature().setSkipSignatureVerification();
        if (this.enableRelaxedKeyValidation.booleanValue()) {
            skipSignatureVerification.setRelaxVerificationKeyValidation();
        }
        JwtContext process = skipSignatureVerification.build().process(str);
        JwtClaims jwtClaims2 = process.getJwtClaims();
        String keyIdHeaderValue = ((JsonWebStructure) process.getJoseObjects().get(0)).getKeyIdHeaderValue();
        checkExpiry(z, jwtClaims2, this.secondsOfAllowedClockSkew, process);
        validateAudience(jwtClaims2, str3, list, process);
        JwtConsumerBuilder verificationKeyResolver = new JwtConsumerBuilder().setRequireExpirationTime().setAllowedClockSkewInSeconds(315360000).setSkipDefaultAudienceValidation().setVerificationKeyResolver(biFunction.apply(keyIdHeaderValue, list != null ? list : str3));
        if (this.enableRelaxedKeyValidation.booleanValue()) {
            verificationKeyResolver.setRelaxVerificationKeyValidation();
        }
        JwtClaims jwtClaims3 = verificationKeyResolver.build().process(str).getJwtClaims();
        if (Boolean.TRUE.equals(this.enableJwtCache)) {
            if (str2 != null) {
                cache.put(str2 + ":" + str, jwtClaims3);
            } else {
                cache.put(str, jwtClaims3);
            }
            if (cache.estimatedSize() > config.getJwtCacheFullSize()) {
                logger.warn("JWT cache exceeds the size limit " + config.getJwtCacheFullSize());
            }
        }
        return jwtClaims3;
    }

    private void validateAudience(JwtClaims jwtClaims, String str, List<String> list, JwtContext jwtContext) throws InvalidJwtException {
        ClientConfig clientConfig = ClientConfig.get();
        String str2 = null;
        try {
            if (str == null && list == null) {
                String str3 = audience;
                if (str3 != null && !isJwtAudienceValid(jwtClaims, str3)) {
                    throw new InvalidJwtException("Invalid Audience", Collections.singletonList(new ErrorCodeValidator.Error(8, "Invalid Audience")), jwtContext);
                }
            } else if (list != null && list.size() > 0) {
                for (String str4 : list) {
                    if (audienceMap != null && audienceMap.size() > 0 && !isJwtAudienceValid(jwtClaims, audienceMap.get(str4))) {
                        throw new InvalidJwtException("Invalid Audience", Collections.singletonList(new ErrorCodeValidator.Error(8, "Invalid Audience")), jwtContext);
                    }
                }
            } else if (str != null) {
                String serviceIdByRequestPath = getServiceIdByRequestPath(clientConfig, str);
                if (serviceIdByRequestPath == null) {
                    str2 = audience;
                } else if (audienceMap != null && audienceMap.size() > 0) {
                    str2 = audienceMap.get(serviceIdByRequestPath);
                }
                if (str2 != null && !isJwtAudienceValid(jwtClaims, str2)) {
                    throw new InvalidJwtException("Invalid Audience", Collections.singletonList(new ErrorCodeValidator.Error(8, "Invalid Audience")), jwtContext);
                }
            }
        } catch (MalformedClaimException e) {
            logger.error("MalformedClaimException:", e);
            throw new InvalidJwtException("MalformedClaimException", new ErrorCodeValidator.Error(18, "Invalid Audience"), e, jwtContext);
        }
    }

    private boolean isJwtAudienceValid(JwtClaims jwtClaims, String str) throws MalformedClaimException {
        if (jwtClaims.getAudience() == null) {
            return false;
        }
        return jwtClaims.getAudience().size() == 1 ? ((String) jwtClaims.getAudience().get(0)).equals(str) : jwtClaims.getAudience().contains(str);
    }

    private static void checkExpiry(boolean z, JwtClaims jwtClaims, int i, JwtContext jwtContext) throws ExpiredTokenException, InvalidJwtException {
        if (z) {
            return;
        }
        try {
            if (NumericDate.now().getValue() - i >= jwtClaims.getExpirationTime().getValue()) {
                logger.info("Cached jwt token is expired!");
                throw new ExpiredTokenException("Token is expired");
            }
        } catch (MalformedClaimException e) {
            logger.error("MalformedClaimException:", e);
            throw new InvalidJwtException("MalformedClaimException", new ErrorCodeValidator.Error(18, "Invalid ExpirationTime Format"), e, jwtContext);
        }
    }

    private VerificationKeyResolver getKeyResolver(String str, Object obj) {
        List list;
        String keyResolver = config.getKeyResolver();
        X509Certificate x509Certificate = certMap == null ? null : certMap.get(str);
        if (x509Certificate != null) {
            X509VerificationKeyResolver x509VerificationKeyResolver = new X509VerificationKeyResolver(new X509Certificate[]{x509Certificate});
            x509VerificationKeyResolver.setTryAllOnNoThumbHeader(true);
            return x509VerificationKeyResolver;
        }
        if (!JWT_KEY_RESOLVER_JWKS.equals(keyResolver)) {
            logger.error("Both X509Certificate and JWK are not configured.");
            return null;
        }
        ClientConfig clientConfig = ClientConfig.get();
        List<JsonWebKey> list2 = null;
        if (obj == null) {
            list2 = jwksMap.get(str);
        } else if (obj instanceof String) {
            String serviceIdByRequestPath = getServiceIdByRequestPath(clientConfig, (String) obj);
            list2 = serviceIdByRequestPath == null ? jwksMap.get(str) : jwksMap.get(serviceIdByRequestPath + ":" + str);
        } else if ((obj instanceof List) && (list = (List) obj) != null && list.size() > 0) {
            Iterator it = list.iterator();
            while (it.hasNext()) {
                list2 = jwksMap.get(((String) it.next()) + ":" + str);
                if (list2 != null && list2.size() > 0) {
                    break;
                }
            }
        }
        if (list2 == null) {
            list2 = getJsonWebKeySetForToken(str, obj);
            if (list2 == null || list2.isEmpty()) {
                throw new RuntimeException("no JWK for kid: " + str);
            }
            if (obj == null) {
                cacheJwkList(list2, null);
            } else if (obj instanceof String) {
                cacheJwkList(list2, getServiceIdByRequestPath(clientConfig, (String) obj));
            } else if (obj instanceof List) {
                Iterator it2 = ((List) obj).iterator();
                while (it2.hasNext()) {
                    cacheJwkList(list2, (String) it2.next());
                }
            }
        }
        logger.debug("Got Json web key set from local cache");
        return new JwksVerificationKeyResolver(list2);
    }

    private void cacheJwkList(List<JsonWebKey> list, String str) {
        for (JsonWebKey jsonWebKey : list) {
            if (str != null) {
                if (logger.isTraceEnabled()) {
                    logger.trace("cache the jwkList with serviceId {} kid {} and key {}", new Object[]{str, jsonWebKey.getKeyId(), str + ":" + jsonWebKey.getKeyId()});
                }
                jwksMap.put(str + ":" + jsonWebKey.getKeyId(), list);
            } else {
                if (logger.isTraceEnabled()) {
                    logger.trace("cache the jwkList with kid and only kid as key", jsonWebKey.getKeyId());
                }
                jwksMap.put(jsonWebKey.getKeyId(), list);
            }
        }
    }

    private String getServiceIdByRequestPath(ClientConfig clientConfig, String str) {
        Map pathPrefixServices = clientConfig.getPathPrefixServices();
        if (!clientConfig.isMultipleAuthServers()) {
            return null;
        }
        if (pathPrefixServices == null || pathPrefixServices.size() == 0) {
            throw new ConfigException("pathPrefixServices property is missing or has an empty value in client.yml");
        }
        String str2 = null;
        for (Map.Entry entry : pathPrefixServices.entrySet()) {
            if (str.startsWith((String) entry.getKey())) {
                str2 = (String) entry.getValue();
            }
        }
        if (str2 == null) {
            throw new ConfigException("serviceId cannot be identified in client.yml with the requestPath = " + str);
        }
        return str2;
    }

    private Map<String, List<JsonWebKey>> getJsonWebKeyMap() {
        jwksMap = new HashMap();
        ClientConfig clientConfig = ClientConfig.get();
        Map map = (Map) clientConfig.getTokenConfig().get("key");
        if (clientConfig.isMultipleAuthServers()) {
            Map map2 = (Map) map.get("serviceIdAuthServers");
            if (map2 == null || map2.size() <= 0) {
                logger.error("serviceIdAuthServers property is missing or empty in the token key configuration");
            } else {
                audienceMap = new HashMap();
                for (Map.Entry entry : map2.entrySet()) {
                    String str = (String) entry.getKey();
                    Map map3 = (Map) entry.getValue();
                    if (map3.get("client_id") == null || map3.get("client_secret") == null) {
                        String str2 = (String) map3.get("audience");
                        if (str2 != null) {
                            if (logger.isTraceEnabled()) {
                                logger.trace("audience {} is mapped to serviceId {}", str2, str);
                            }
                            audienceMap.put(str, str2);
                        }
                        TokenKeyRequest tokenKeyRequest = new TokenKeyRequest((String) null, true, map3);
                        try {
                            if (logger.isDebugEnabled()) {
                                logger.debug("Getting Json Web Key list from {} for serviceId {}", tokenKeyRequest.getServerUrl(), entry.getKey());
                            }
                            String key = OauthHelper.getKey(tokenKeyRequest);
                            if (logger.isDebugEnabled()) {
                                logger.debug("Got Json Web Key = " + key);
                            }
                            List<JsonWebKey> jsonWebKeys = new JsonWebKeySet(key).getJsonWebKeys();
                            if (jsonWebKeys != null && !jsonWebKeys.isEmpty()) {
                                for (JsonWebKey jsonWebKey : jsonWebKeys) {
                                    jwksMap.put(str + ":" + jsonWebKey.getKeyId(), jsonWebKeys);
                                    if (logger.isDebugEnabled()) {
                                        logger.debug("Successfully cached JWK for serviceId {} kid {} with key {}", new Object[]{str, jsonWebKey.getKeyId(), str + ":" + jsonWebKey.getKeyId()});
                                    }
                                }
                            } else if (logger.isErrorEnabled()) {
                                logger.error("Cannot get JWK from OAuth server.");
                            }
                        } catch (JoseException e) {
                            if (logger.isErrorEnabled()) {
                                logger.error("Failed to get JWK set. - {} - {}", new Object[]{new Status(GET_KEY_ERROR, new Object[0]), e.getMessage(), e});
                            }
                        } catch (ClientException e2) {
                            if (logger.isErrorEnabled()) {
                                logger.error("Failed to get key. - {} - {} ", new Object[]{new Status(GET_KEY_ERROR, new Object[0]), e2.getMessage(), e2});
                            }
                        }
                    }
                }
            }
        } else {
            audience = (String) map.get("audience");
            if (logger.isTraceEnabled()) {
                logger.trace("A single audience {} is configured in client.yml", audience);
            }
            TokenKeyRequest tokenKeyRequest2 = new TokenKeyRequest((String) null, true, (Map) null);
            try {
                if (logger.isDebugEnabled()) {
                    logger.debug("Getting Json Web Key list from {}", tokenKeyRequest2.getServerUrl());
                }
                String key2 = OauthHelper.getKey(tokenKeyRequest2);
                if (logger.isDebugEnabled()) {
                    logger.debug("Got Json Web Key = " + key2);
                }
                List<JsonWebKey> jsonWebKeys2 = new JsonWebKeySet(key2).getJsonWebKeys();
                if (jsonWebKeys2 == null || jsonWebKeys2.isEmpty()) {
                    throw new RuntimeException("cannot get JWK from OAuth server");
                }
                for (JsonWebKey jsonWebKey2 : jsonWebKeys2) {
                    jwksMap.put(jsonWebKey2.getKeyId(), jsonWebKeys2);
                    if (logger.isDebugEnabled()) {
                        logger.debug("Successfully cached JWK for kid {}", jsonWebKey2.getKeyId());
                    }
                }
            } catch (ClientException e3) {
                if (logger.isErrorEnabled()) {
                    logger.error("Failed to get Key. - {} - {}", new Object[]{new Status(GET_KEY_ERROR, new Object[0]), e3.getMessage(), e3});
                }
            } catch (JoseException e4) {
                if (logger.isErrorEnabled()) {
                    logger.error("Failed to get JWK. - {} - {}", new Object[]{new Status(GET_KEY_ERROR, new Object[0]), e4.getMessage(), e4});
                }
            }
        }
        return jwksMap;
    }

    private List<JsonWebKey> getJsonWebKeySetForToken(String str, Object obj) {
        List<JsonWebKey> retrieveJwk;
        if (logger.isTraceEnabled()) {
            logger.trace(("kid = " + str + obj) instanceof String ? " requestPath = " + obj : " jwkServiceIds = " + obj);
        }
        ClientConfig clientConfig = ClientConfig.get();
        if (obj == null || !clientConfig.isMultipleAuthServers()) {
            retrieveJwk = retrieveJwk(str, null);
        } else if (obj instanceof String) {
            String str2 = (String) obj;
            Map pathPrefixServices = clientConfig.getPathPrefixServices();
            if (pathPrefixServices == null || pathPrefixServices.size() == 0) {
                throw new ConfigException("pathPrefixServices property is missing or has an empty value in client.yml");
            }
            String str3 = null;
            for (Map.Entry entry : pathPrefixServices.entrySet()) {
                if (str2.startsWith((String) entry.getKey())) {
                    str3 = (String) entry.getValue();
                }
            }
            if (str3 == null) {
                throw new ConfigException("serviceId cannot be identified in client.yml with the requestPath = " + str2);
            }
            retrieveJwk = retrieveJwk(str, getJwkConfig(clientConfig, str3));
        } else {
            if (!(obj instanceof List)) {
                throw new ConfigException("requestPathOrJwkServiceIds must be a string or a list of strings");
            }
            retrieveJwk = new ArrayList();
            Iterator it = ((List) obj).iterator();
            while (it.hasNext()) {
                retrieveJwk.addAll(retrieveJwk(str, getJwkConfig(clientConfig, (String) it.next())));
            }
        }
        return retrieveJwk;
    }

    private List<JsonWebKey> retrieveJwk(String str, Map<String, Object> map) {
        if (logger.isTraceEnabled() && map != null) {
            logger.trace("multiple oauth config based on path = " + JsonMapper.toJson(map));
        }
        TokenKeyRequest tokenKeyRequest = new TokenKeyRequest(str, true, map);
        try {
            if (logger.isDebugEnabled()) {
                logger.debug("Getting Json Web Key list from {}", tokenKeyRequest.getServerUrl());
            }
            String key = OauthHelper.getKey(tokenKeyRequest);
            if (logger.isDebugEnabled()) {
                logger.debug("Got Json Web Key {} from {} with path {}", new Object[]{key, tokenKeyRequest.getServerUrl(), tokenKeyRequest.getUri()});
            }
            return new JsonWebKeySet(key).getJsonWebKeys();
        } catch (JoseException e) {
            if (!logger.isErrorEnabled()) {
                return null;
            }
            logger.error("Failed to get JWK. - {} - {}", new Object[]{new Status(GET_KEY_ERROR, new Object[0]), e.getMessage(), e});
            return null;
        } catch (ClientException e2) {
            if (!logger.isErrorEnabled()) {
                return null;
            }
            logger.error("Failed to get key - {} - {}", new Object[]{new Status(GET_KEY_ERROR, new Object[0]), e2.getMessage(), e2});
            return null;
        }
    }

    public X509Certificate getCertForToken(String str) {
        X509Certificate x509Certificate = null;
        TokenKeyRequest tokenKeyRequest = new TokenKeyRequest(str);
        try {
            if (logger.isWarnEnabled()) {
                logger.warn("<Deprecated: use JsonWebKeySet instead> Getting raw certificate for kid: {} from {}", str, tokenKeyRequest.getServerUrl());
            }
            String key = OauthHelper.getKey(tokenKeyRequest);
            if (logger.isWarnEnabled()) {
                logger.warn("<Deprecated: use JsonWebKeySet instead> Got raw certificate {} for kid: {}", key, str);
            }
            x509Certificate = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(key.getBytes(StandardCharsets.UTF_8)));
        } catch (ClientException e) {
            if (logger.isErrorEnabled()) {
                logger.error("Failed to get key: {}", e.getMessage(), e);
            }
        } catch (CertificateException e2) {
            if (logger.isErrorEnabled()) {
                logger.error("Failed to generate certificate: {}", e2.getMessage(), e2);
            }
        }
        return x509Certificate;
    }

    public X509Certificate getCertForSign(String str) {
        X509Certificate x509Certificate = null;
        try {
            x509Certificate = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(OauthHelper.getKey(new SignKeyRequest(str)).getBytes(StandardCharsets.UTF_8)));
        } catch (ClientException e) {
            if (logger.isErrorEnabled()) {
                logger.error("Failed to get key: {}", e.getMessage(), e);
            }
        } catch (CertificateException e2) {
            if (logger.isErrorEnabled()) {
                logger.error("Failed to generate certificate: {}", e2.getMessage(), e2);
            }
        }
        return x509Certificate;
    }

    public List<String> getFingerPrints() {
        return fingerPrints;
    }
}
