package io.micronaut.security.token.jwt.signature.jwks;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.crypto.ECDSAVerifier;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jose.jwk.ECKey;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.JWKMatcher;
import com.nimbusds.jose.jwk.JWKSelector;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.KeyType;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jwt.SignedJWT;
import io.micronaut.context.annotation.EachBean;
import io.micronaut.core.util.functional.ThrowingFunction;
import io.micronaut.core.util.functional.ThrowingSupplier;
import io.micronaut.security.token.jwt.signature.SignatureConfiguration;
import java.io.IOException;
import java.net.URL;
import java.text.ParseException;
import java.util.Collections;
import java.util.List;
import java.util.Optional;
import java.util.stream.Stream;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

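/**
 * {@link SignatureConfiguration} that verifies signed JWTs against the public keys published in a
 * remote JSON Web Key Set (JWKS).
 *
 * <p>The key set is fetched once when the bean is constructed and fetched again whenever a token
 * arrives for which no cached key matches (see {@link #matches(SignedJWT, JWKSet, int)}).
 * Only RSA and EC keys are turned into verifiers; any other key type is ignored.
 */
@EachBean(JwksSignatureConfiguration.class)
public class JwksSignature implements SignatureConfiguration {
    public static final int DEFAULT_REFRESH_JWKS_ATTEMPTS = 1;
    private static final Logger LOG = LoggerFactory.getLogger(JwksSignature.class);

    // Written on the verification path when a refresh happens and read by every verification,
    // so it is volatile to make a refreshed key set visible to other threads.
    @Nullable
    private volatile JWKSet jwkSet;

    @Nonnull
    private final KeyType keyType;

    @Nonnull
    private final String url;

    /**
     * Reads the JWKS URL and key type from the configuration and performs the initial key-set load.
     *
     * @param jwksSignatureConfiguration configuration supplying the JWKS URL and the expected key type
     */
    public JwksSignature(JwksSignatureConfiguration jwksSignatureConfiguration) {
        this.url = jwksSignatureConfiguration.getUrl();
        // Assign every final field before calling the overridable loadJwkSet(), so an overriding
        // subclass never observes a partially initialised instance.
        this.keyType = jwksSignatureConfiguration.getKeyType();
        LOG.debug("JWT validation URL: {}", this.url);
        this.jwkSet = loadJwkSet(this.url);
    }

    /** Returns the cached key set, or empty when no load has succeeded yet. */
    private Optional<JWKSet> getJWKSet() {
        return Optional.ofNullable(this.jwkSet);
    }

    /** Returns the keys of the cached key set, or an empty list when there is none. */
    private List<JWK> getJsonWebKeys() {
        return getJWKSet().map(JWKSet::getKeys).orElse(Collections.<JWK>emptyList());
    }

    /**
     * Builds a human-readable message listing the algorithms declared by the cached keys.
     *
     * @return {@code "Only the A, B algorithms are supported"}, or
     *     {@code "No algorithms are supported"} when no key declares an algorithm
     */
    @Override // io.micronaut.security.token.jwt.signature.SignatureConfiguration
    public String supportedAlgorithmsMessage() {
        String prefix = getJsonWebKeys().stream()
                .map(JWK::getAlgorithm)
                // "alg" is optional on a JWK; skip keys that do not declare it instead of
                // failing with a NullPointerException on getName().
                .filter(algorithm -> algorithm != null)
                .map(algorithm -> algorithm.getName())
                .reduce((left, right) -> left + ", " + right)
                .map(names -> "Only the " + names)
                .orElse("No");
        return prefix + " algorithms are supported";
    }

    /**
     * Tells whether any cached key declares the given algorithm.
     *
     * @param jWSAlgorithm the algorithm taken from the token under verification
     * @return {@code true} when at least one cached key's algorithm equals {@code jWSAlgorithm}
     */
    @Override // io.micronaut.security.token.jwt.signature.SignatureConfiguration
    public boolean supports(JWSAlgorithm jWSAlgorithm) {
        // Keys without a declared algorithm map to null here and therefore never match.
        return getJsonWebKeys().stream()
                .map(JWK::getAlgorithm)
                .anyMatch(jWSAlgorithm::equals);
    }

    /**
     * Verifies the token's signature against the keys selected for it.
     *
     * @param signedJWT the token to verify
     * @return {@code true} when one of the matching keys verifies the signature; {@code false}
     *     when no key matches or none verifies
     * @throws JOSEException declared by the interface; verification failures in this class are
     *     logged and reported as {@code false}
     */
    @Override // io.micronaut.security.token.jwt.signature.SignatureConfiguration
    public boolean verify(SignedJWT signedJWT) throws JOSEException {
        List<JWK> matches = matches(signedJWT, getJWKSet().orElse(null), getRefreshJwksAttempts());
        // matches() is overridable, so guard against null before touching the list (the original
        // logged matches.size() ahead of its own null check).
        int matchCount = matches == null ? 0 : matches.size();
        LOG.debug("Found {} matching JWKs", matchCount);
        if (matchCount == 0) {
            // Fail closed: no candidate key means the token is not verified.
            return false;
        }
        return verify(matches, signedJWT);
    }

    /**
     * Fetches and parses the key set at the given URL.
     *
     * <p>NOTE(review): the URL is taken as-is from configuration, and this {@code JWKSet.load}
     * overload is called without explicit connect/read timeouts or a response-size limit. Since
     * this also runs on the request path when a token matches no cached key, confirm that the
     * library defaults and the configured URL scheme are acceptable for the deployment.
     *
     * @param str the JWKS URL
     * @return the loaded key set, or {@code null} when the URL cannot be read or parsed
     */
    protected JWKSet loadJwkSet(String str) {
        try {
            return JWKSet.load(new URL(str));
        } catch (IOException | ParseException e) {
            LOG.error("Exception loading JWK. The JwksSignature will not be used to verify a JWT if further refresh attempts fail", e);
            return null;
        }
    }

    /**
     * Selects the keys that match the configured key type and the token's {@code kid} header,
     * reloading the key set when nothing matches and refresh attempts remain.
     *
     * <p>A token that matches no cached key triggers a remote fetch. No rate limiting of those
     * fetches is visible in this class, so unauthenticated callers can cause repeated JWKS
     * requests; throttle upstream if that matters for the deployment.
     *
     * @param signedJWT the token whose header supplies the key ID
     * @param jWKSet the key set to search, may be {@code null}
     * @param i the number of refresh attempts still allowed
     * @return the matching keys, possibly empty
     */
    protected List<JWK> matches(SignedJWT signedJWT, @Nullable JWKSet jWKSet, int i) {
        JWKMatcher matcher = new JWKMatcher.Builder()
                .keyType(this.keyType)
                .keyID(signedJWT.getHeader().getKeyID())
                .build();
        List<JWK> selected = new JWKSelector(matcher).select(jWKSet);
        if (i <= 0 || !selected.isEmpty()) {
            return selected;
        }
        JWKSet refreshed = loadJwkSet(this.url);
        if (refreshed != null) {
            // Replace the cache only on a successful load: a failed refresh (for example one
            // provoked by a token with an unknown kid while the endpoint is unreachable) must not
            // discard the keys that still verify legitimate tokens.
            this.jwkSet = refreshed;
        }
        // Search the refreshed set; the original recursed with the stale set it was given, so a
        // newly published key was never found within the same verification.
        return matches(signedJWT, refreshed != null ? refreshed : jWKSet, i - 1);
    }

    /**
     * Creates a signature verifier for an RSA or EC key.
     *
     * @param jwk the key to build a verifier for
     * @return the verifier, or empty for any other key type or when the verifier cannot be built
     */
    protected Optional<JWSVerifier> getVerifier(JWK jwk) {
        if (jwk instanceof RSAKey) {
            RSAKey rsaKey = (RSAKey) jwk;
            return getVerifier(rsaKey::toRSAPublicKey, RSASSAVerifier::new);
        }
        if (jwk instanceof ECKey) {
            ECKey ecKey = (ECKey) jwk;
            return getVerifier(ecKey::toECPublicKey, ECDSAVerifier::new);
        }
        // Other key types get no verifier and so can never verify a token here.
        return Optional.empty();
    }

    /**
     * Obtains a public key from the supplier and wraps it in a verifier, logging and swallowing
     * any {@link JOSEException} raised along the way.
     *
     * @param throwingSupplier supplies the public key
     * @param throwingFunction builds the verifier from the public key
     * @return the verifier, or empty when either step fails or the supplier yields {@code null}
     */
    private <T, R extends JWSVerifier> Optional<R> getVerifier(ThrowingSupplier<T, JOSEException> throwingSupplier, ThrowingFunction<T, R, JOSEException> throwingFunction) {
        T publicKey;
        try {
            publicKey = throwingSupplier.get();
        } catch (JOSEException e) {
            LOG.error("JOSEException when retrieving public key", e);
            return Optional.empty();
        }
        if (publicKey == null) {
            return Optional.empty();
        }
        try {
            return Optional.of(throwingFunction.apply(publicKey));
        } catch (JOSEException e) {
            LOG.error("JOSEException when instantiating the verifier", e);
            return Optional.empty();
        }
    }

    /**
     * Tries each candidate key in turn until one verifies the token's signature.
     *
     * @param list the candidate keys
     * @param signedJWT the token to verify
     * @return {@code true} as soon as one key verifies the signature, otherwise {@code false}
     */
    protected boolean verify(List<JWK> list, SignedJWT signedJWT) {
        return list.stream()
                .map(this::getVerifier)
                .filter(Optional::isPresent)
                .map(Optional::get)
                .anyMatch(verifier -> {
                    try {
                        return signedJWT.verify(verifier);
                    } catch (JOSEException e) {
                        // A verifier that cannot process this token counts as a failed
                        // verification; the remaining candidates are still tried.
                        LOG.error("JOSEException when verifying jwt", e);
                        return false;
                    }
                });
    }

    /**
     * Returns how many times the key set may be reloaded while looking for a matching key.
     *
     * @return {@link #DEFAULT_REFRESH_JWKS_ATTEMPTS}
     */
    public int getRefreshJwksAttempts() {
        return DEFAULT_REFRESH_JWKS_ATTEMPTS;
    }
}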
