package io.vertx.ext.auth.impl.jose;

import io.vertx.core.impl.logging.Logger;
import io.vertx.core.impl.logging.LoggerFactory;
import io.vertx.core.json.JsonArray;
import io.vertx.core.json.JsonObject;
import io.vertx.ext.auth.JWTOptions;
import io.vertx.ext.auth.NoSuchKeyIdException;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Random;
import java.util.concurrent.ConcurrentHashMap;
import java.util.stream.Collectors;
import java.util.stream.Stream;

/* loaded from: input_file:io/vertx/ext/auth/impl/jose/JWT.class */
public final class JWT {
    private final Logger logger;
    private static final Random RND = new Random();
    private static final Charset UTF8 = StandardCharsets.UTF_8;
    private static final Base64.Encoder encoder = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder decoder = Base64.getUrlDecoder();
    private final Map<String, List<Crypto>> SIGN;
    private final Map<String, List<Crypto>> VERIFY;

    public JWT() {
        this.logger = LoggerFactory.getLogger(JWT.class);
        this.SIGN = new ConcurrentHashMap();
        this.VERIFY = new ConcurrentHashMap();
        this.SIGN.put("none", Collections.singletonList(new CryptoNone()));
        this.VERIFY.put("none", Collections.singletonList(new CryptoNone()));
    }

    @Deprecated
    public JWT(KeyStore keyStore, char[] cArr) {
        this();
        Iterator<JWK> it = JWK.load(keyStore, new String(cArr), null).iterator();
        while (it.hasNext()) {
            addJWK(it.next());
        }
    }

    public JWT addJWK(JWK jwk) {
        List<Crypto> list = null;
        if (jwk.isFor(2)) {
            list = this.VERIFY.computeIfAbsent(jwk.getAlgorithm(), str -> {
                return new ArrayList();
            });
            addJWK(list, jwk);
        }
        if (jwk.isFor(1)) {
            list = this.SIGN.computeIfAbsent(jwk.getAlgorithm(), str2 -> {
                return new ArrayList();
            });
            addJWK(list, jwk);
        }
        if (list == null) {
            throw new IllegalStateException("unknown JWK use: " + jwk.getUse());
        }
        return this;
    }

    private void addJWK(List<Crypto> list, JWK jwk) {
        boolean z = false;
        int i = 0;
        while (true) {
            if (i >= list.size()) {
                break;
            }
            if (list.get(i).getLabel().equals(jwk.getLabel())) {
                list.set(i, jwk);
                z = true;
                break;
            }
            i++;
        }
        if (z) {
            return;
        }
        list.add(jwk);
    }

    public static JsonObject parse(byte[] bArr) {
        return parse(new String(bArr, UTF8));
    }

    public static JsonObject parse(String str) {
        String[] split = str.split("\\.");
        if (split.length < 2 || split.length > 3) {
            throw new RuntimeException("Not enough or too many segments");
        }
        String str2 = split[0];
        String str3 = split[1];
        return new JsonObject().put("header", new JsonObject(new String(base64urlDecode(str2), UTF8))).put("payload", new JsonObject(new String(base64urlDecode(str3), UTF8))).put("signatureBase", str2 + "." + str3).put("signature", split.length == 2 ? null : split[2]);
    }

    public JsonObject decode(String str) {
        boolean isUnsecure = isUnsecure();
        String[] split = str.split("\\.");
        if (isUnsecure) {
            if (split.length != 2) {
                throw new IllegalStateException("JWT is in unsecured mode but token is signed.");
            }
        } else if (split.length != 3) {
            throw new IllegalStateException("JWT is in secure mode but token is not signed.");
        }
        String str2 = split[0];
        String str3 = split[1];
        String str4 = isUnsecure ? null : split[2];
        if ("".equals(str4)) {
            throw new IllegalStateException("Signature is required");
        }
        JsonObject jsonObject = new JsonObject(new String(base64urlDecode(str2), UTF8));
        JsonObject jsonObject2 = new JsonObject(new String(base64urlDecode(str3), UTF8));
        String string = jsonObject.getString("alg");
        List<Crypto> list = this.VERIFY.get(string);
        if (list == null || list.size() == 0) {
            throw new NoSuchKeyIdException(string);
        }
        if (!isUnsecure && "none".equals(string)) {
            throw new IllegalStateException("Algorithm \"none\" not allowed");
        }
        if (isUnsecure) {
            return jsonObject2;
        }
        byte[] base64urlDecode = base64urlDecode(str4);
        byte[] bytes = (str2 + "." + str3).getBytes(UTF8);
        String string2 = jsonObject.getString("kid");
        boolean z = false;
        for (Crypto crypto : list) {
            if (string2 == null || crypto.getId() == null || string2.equals(crypto.getId())) {
                z = true;
                if (crypto.verify(base64urlDecode, bytes)) {
                    return jsonObject2;
                }
            }
        }
        if (z) {
            throw new RuntimeException("Signature verification failed");
        }
        throw new NoSuchKeyIdException(string, string2);
    }

    public boolean isExpired(JsonObject jsonObject, JWTOptions jWTOptions) {
        if (jsonObject == null) {
            return false;
        }
        long currentTimeMillis = System.currentTimeMillis() / 1000;
        if (jsonObject.containsKey("exp") && !jWTOptions.isIgnoreExpiration() && currentTimeMillis - jWTOptions.getLeeway() >= jsonObject.getLong("exp").longValue()) {
            if (!this.logger.isTraceEnabled()) {
                return true;
            }
            this.logger.trace(String.format("Expired JWT token: exp[%d] <= (now[%d] - leeway[%d])", jsonObject.getLong("exp"), Long.valueOf(currentTimeMillis), Integer.valueOf(jWTOptions.getLeeway())));
            return true;
        }
        if (jsonObject.containsKey("iat")) {
            Long l = jsonObject.getLong("iat");
            if (l.longValue() > currentTimeMillis + jWTOptions.getLeeway()) {
                if (!this.logger.isTraceEnabled()) {
                    return true;
                }
                this.logger.trace(String.format("Invalid JWT token: iat[%d] > now[%d] + leeway[%d]", l, Long.valueOf(currentTimeMillis), Integer.valueOf(jWTOptions.getLeeway())));
                return true;
            }
        }
        if (!jsonObject.containsKey("nbf")) {
            return false;
        }
        Long l2 = jsonObject.getLong("nbf");
        if (l2.longValue() <= currentTimeMillis + jWTOptions.getLeeway()) {
            return false;
        }
        if (!this.logger.isTraceEnabled()) {
            return true;
        }
        this.logger.trace(String.format("Invalid JWT token: nbf[%d] > now[%d] + leeway[%d]", l2, Long.valueOf(currentTimeMillis), Integer.valueOf(jWTOptions.getLeeway())));
        return true;
    }

    public boolean isScopeGranted(JsonObject jsonObject, JWTOptions jWTOptions) {
        if (jsonObject == null) {
            return false;
        }
        if (jWTOptions.getScopes() == null || jWTOptions.getScopes().isEmpty()) {
            return true;
        }
        if (jsonObject.getValue("scope") == null) {
            if (!this.logger.isDebugEnabled()) {
                return false;
            }
            this.logger.debug("Invalid JWT: scope claim is required");
            return false;
        }
        JsonArray jsonArray = jsonObject.getValue("scope") instanceof String ? new JsonArray((List) Stream.of((Object[]) jsonObject.getString("scope").split(jWTOptions.getScopeDelimiter())).collect(Collectors.toList())) : jsonObject.getJsonArray("scope");
        if (jsonArray.getList().containsAll(jWTOptions.getScopes())) {
            return true;
        }
        if (!this.logger.isDebugEnabled()) {
            return false;
        }
        this.logger.debug(String.format("Invalid JWT scopes expected[%s] actual[%s]", jWTOptions.getScopes(), jsonArray.getList()));
        return false;
    }

    public String sign(JsonObject jsonObject, JWTOptions jWTOptions) {
        String algorithm = jWTOptions.getAlgorithm();
        List<Crypto> list = this.SIGN.get(algorithm);
        if (list == null || list.size() == 0) {
            throw new RuntimeException("Algorithm not supported: " + algorithm);
        }
        Crypto crypto = list.get(RND.nextInt(list.size()));
        JsonObject put = new JsonObject().mergeIn(jWTOptions.getHeader()).put("typ", "JWT").put("alg", algorithm);
        if (crypto.getId() != null) {
            put.put("kid", crypto.getId());
        }
        long currentTimeMillis = System.currentTimeMillis() / 1000;
        if (!jWTOptions.isNoTimestamp()) {
            jsonObject.put("iat", jsonObject.getValue("iat", Long.valueOf(currentTimeMillis)));
        }
        if (jWTOptions.getExpiresInSeconds() > 0) {
            jsonObject.put("exp", Long.valueOf(currentTimeMillis + jWTOptions.getExpiresInSeconds()));
        }
        if (jWTOptions.getAudience() != null && jWTOptions.getAudience().size() >= 1) {
            if (jWTOptions.getAudience().size() > 1) {
                jsonObject.put("aud", new JsonArray(jWTOptions.getAudience()));
            } else {
                jsonObject.put("aud", jWTOptions.getAudience().get(0));
            }
        }
        if (jWTOptions.getScopes() != null && jWTOptions.getScopes().size() >= 1) {
            if (jWTOptions.hasScopeDelimiter()) {
                jsonObject.put("scope", String.join(jWTOptions.getScopeDelimiter(), jWTOptions.getScopes()));
            } else {
                jsonObject.put("scope", new JsonArray(jWTOptions.getScopes()));
            }
        }
        if (jWTOptions.getIssuer() != null) {
            jsonObject.put("iss", jWTOptions.getIssuer());
        }
        if (jWTOptions.getSubject() != null) {
            jsonObject.put("sub", jWTOptions.getSubject());
        }
        String base64urlEncode = base64urlEncode(put.encode());
        String base64urlEncode2 = base64urlEncode(jsonObject.encode());
        return base64urlEncode + "." + base64urlEncode2 + "." + base64urlEncode(crypto.sign((base64urlEncode + "." + base64urlEncode2).getBytes(UTF8)));
    }

    private static byte[] base64urlDecode(String str) {
        return decoder.decode(str.getBytes(UTF8));
    }

    private static String base64urlEncode(String str) {
        return base64urlEncode(str.getBytes(UTF8));
    }

    private static String base64urlEncode(byte[] bArr) {
        return encoder.encodeToString(bArr);
    }

    public boolean isUnsecure() {
        return this.VERIFY.size() == 1 && this.SIGN.size() == 1;
    }

    public Collection<String> availableAlgorithms() {
        HashSet hashSet = new HashSet();
        hashSet.addAll(this.VERIFY.keySet());
        hashSet.addAll(this.SIGN.keySet());
        return hashSet;
    }
}
