package org.eclipse.hono.service.auth;

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jws;
import io.jsonwebtoken.JwsHeader;
import io.jsonwebtoken.JwtParserBuilder;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SigningKeyResolverAdapter;
import io.jsonwebtoken.impl.DefaultJwtParserBuilder;
import io.jsonwebtoken.impl.compression.DeflateCompressionCodec;
import io.jsonwebtoken.jackson.io.JacksonDeserializer;
import io.jsonwebtoken.security.InvalidKeyException;
import io.jsonwebtoken.security.Keys;
import io.jsonwebtoken.security.SecurityException;
import io.jsonwebtoken.security.SignatureException;
import io.quarkus.runtime.annotations.RegisterForReflection;
import io.vertx.core.Vertx;
import io.vertx.core.http.HttpClient;
import io.vertx.core.http.HttpClientOptions;
import io.vertx.core.http.HttpHeaders;
import io.vertx.core.http.HttpMethod;
import io.vertx.core.http.RequestOptions;
import io.vertx.core.json.JsonArray;
import io.vertx.core.json.JsonObject;
import io.vertx.ext.auth.impl.jose.JWK;
import java.security.Key;
import java.util.HashMap;
import java.util.Objects;
import java.util.Optional;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.concurrent.atomic.AtomicLong;
import java.util.stream.Stream;
import org.eclipse.hono.service.auth.JwtSupport;
import org.eclipse.hono.service.auth.delegating.AuthenticationServerClientConfigProperties;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@RegisterForReflection(targets = {DefaultJwtParserBuilder.class, JacksonDeserializer.class, DeflateCompressionCodec.class})
/* loaded from: input_file:org/eclipse/hono/service/auth/JjwtBasedAuthTokenValidator.class */
public final class JjwtBasedAuthTokenValidator extends JwtSupport implements AuthTokenValidator {
    private static final Logger LOG = LoggerFactory.getLogger(JjwtBasedAuthTokenValidator.class);
    private final SignatureSupportingConfigProperties config;
    private final AtomicLong nextJwksPollingTask;
    private final AtomicBoolean jwksPollingInProgress;
    private HttpClient httpClient;
    private RequestOptions requestOptions;
    private long pollingIntervalMillis;
    private boolean isJwksSignatureAlgorithmRequired;

    public JjwtBasedAuthTokenValidator(Vertx vertx, SignatureSupportingConfigProperties signatureSupportingConfigProperties) {
        super(vertx);
        this.nextJwksPollingTask = new AtomicLong(-1L);
        this.jwksPollingInProgress = new AtomicBoolean(false);
        this.pollingIntervalMillis = 300000L;
        this.isJwksSignatureAlgorithmRequired = true;
        Objects.requireNonNull(signatureSupportingConfigProperties);
        useConfiguredKeys(signatureSupportingConfigProperties);
        this.config = signatureSupportingConfigProperties;
    }

    public JjwtBasedAuthTokenValidator(Vertx vertx, AuthenticationServerClientConfigProperties authenticationServerClientConfigProperties) {
        super(vertx);
        this.nextJwksPollingTask = new AtomicLong(-1L);
        this.jwksPollingInProgress = new AtomicBoolean(false);
        this.pollingIntervalMillis = 300000L;
        this.isJwksSignatureAlgorithmRequired = true;
        Objects.requireNonNull(authenticationServerClientConfigProperties);
        try {
            useConfiguredKeys(authenticationServerClientConfigProperties.getValidation());
        } catch (IllegalArgumentException e) {
            LOG.info("using JWK set retrieved from Authentication service vor validating tokens");
            this.isJwksSignatureAlgorithmRequired = authenticationServerClientConfigProperties.isJwksSignatureAlgorithmRequired();
            this.pollingIntervalMillis = authenticationServerClientConfigProperties.getJwksPollingInterval().toMillis();
            this.httpClient = vertx.createHttpClient(new HttpClientOptions().setTrustOptions(authenticationServerClientConfigProperties.getTrustOptions()));
            this.requestOptions = new RequestOptions().setHost(authenticationServerClientConfigProperties.getHost()).setPort(Integer.valueOf(authenticationServerClientConfigProperties.getJwksEndpointPort())).setSsl(Boolean.valueOf(authenticationServerClientConfigProperties.isJwksEndpointTlsEnabled())).setURI(authenticationServerClientConfigProperties.getJwksEndpointUri()).setMethod(HttpMethod.GET).addHeader(HttpHeaders.ACCEPT, "application/jwk-set+json").setTimeout(2000L);
            requestJwkSet();
        }
        this.config = authenticationServerClientConfigProperties.getValidation();
    }

    private void useConfiguredKeys(SignatureSupportingConfigProperties signatureSupportingConfigProperties) {
        try {
            if (signatureSupportingConfigProperties.getSharedSecret() != null) {
                byte[] bytes = getBytes(signatureSupportingConfigProperties.getSharedSecret());
                addSecretKey(Keys.hmacShaKeyFor(bytes));
                LOG.info("using shared secret [{} bytes] for validating tokens", Integer.valueOf(bytes.length));
            } else {
                if (signatureSupportingConfigProperties.getCertPath() == null) {
                    throw new IllegalArgumentException("configuration does not specify any key material for validating tokens");
                }
                setPublicKey(signatureSupportingConfigProperties.getCertPath());
                LOG.info("using public key from certificate [{}] for validating tokens", signatureSupportingConfigProperties.getCertPath());
            }
        } catch (SecurityException e) {
            throw new IllegalArgumentException("failed to create validator for configured key material", e);
        }
    }

    private void requestJwkSet() {
        if (this.jwksPollingInProgress.compareAndSet(false, true)) {
            this.vertx.cancelTimer(this.nextJwksPollingTask.get());
            Logger logger = LOG;
            Object[] objArr = new Object[4];
            objArr[0] = this.requestOptions.isSsl().booleanValue() ? "s" : "";
            objArr[1] = this.requestOptions.getHost();
            objArr[2] = this.requestOptions.getPort();
            objArr[3] = this.requestOptions.getURI();
            logger.debug("requesting JWK set from http{}://{}:{}{}", objArr);
            this.httpClient.request(this.requestOptions).compose((v0) -> {
                return v0.send();
            }).compose((v0) -> {
                return v0.body();
            }).map((v0) -> {
                return v0.toJsonObject();
            }).map(jsonObject -> {
                if (LOG.isDebugEnabled()) {
                    LOG.debug("server returned JWK set:{}{}", System.lineSeparator(), jsonObject.encodePrettily());
                }
                JsonArray jsonArray = jsonObject.getJsonArray("keys", new JsonArray());
                if (jsonArray.isEmpty()) {
                    LOG.warn("server returned empty key set, won't be able to validate tokens");
                }
                return jsonArray;
            }).onSuccess(jsonArray -> {
                HashMap hashMap = new HashMap();
                Stream stream = jsonArray.stream();
                Class<JsonObject> cls = JsonObject.class;
                Objects.requireNonNull(JsonObject.class);
                Stream filter = stream.filter(cls::isInstance);
                Class<JsonObject> cls2 = JsonObject.class;
                Objects.requireNonNull(JsonObject.class);
                filter.map(cls2::cast).forEach(jsonObject2 -> {
                    if (this.isJwksSignatureAlgorithmRequired && !jsonObject2.containsKey("alg")) {
                        LOG.warn("JSON Web Key does not contain required alg property, skipping key ...");
                        return;
                    }
                    try {
                        JWK jwk = new JWK(jsonObject2);
                        hashMap.put(jwk.getId(), new JwtSupport.KeySpec(jwk.publicKey(), jwk.getAlgorithm()));
                    } catch (Exception e) {
                        LOG.warn("failed to deserialize JSON Web Key retrieved from server", e.getCause());
                    }
                });
                setValidatingKeys(hashMap);
                LOG.debug("successfully retrieved JWK set of {} key(s)", Integer.valueOf(hashMap.size()));
                this.nextJwksPollingTask.set(this.vertx.setTimer(this.pollingIntervalMillis, l -> {
                    requestJwkSet();
                }));
            }).onFailure(th -> {
                LOG.warn("failed to retrieve JWK set from server, will try again in 3s ...", th);
                this.nextJwksPollingTask.set(this.vertx.setTimer(3000L, l -> {
                    requestJwkSet();
                }));
            }).onComplete(asyncResult -> {
                this.jwksPollingInProgress.set(false);
            });
        }
    }

    private Key getValidatingKey(String str, String str2) {
        if (str == null) {
            LOG.debug("token has no kid header, will try to use default key for validating signature");
            JwtSupport.KeySpec validatingKey = getValidatingKey();
            if (validatingKey.supportsSignatureAlgorithm(str2)) {
                return validatingKey.key;
            }
            throw new InvalidKeyException("validating key on record does not support signature algorithm [%s] used in token".formatted(str2));
        }
        JwtSupport.KeySpec validatingKey2 = getValidatingKey(str);
        if (validatingKey2 == null) {
            LOG.debug("unknown validating key [id: {}]", str);
            requestJwkSet();
            throw new InvalidKeyException("unknown validating key");
        }
        if (!validatingKey2.supportsSignatureAlgorithm(str2)) {
            throw new InvalidKeyException("validating key on record [id: %s] does not support signature\nalgorithm [%s] used in token".formatted(str, str2));
        }
        LOG.debug("using key [id: {}] to validate signature (alg: {}]", str, str2);
        return validatingKey2.key;
    }

    @Override // org.eclipse.hono.service.auth.AuthTokenValidator
    public Jws<Claims> expand(String str) {
        Objects.requireNonNull(str);
        JwtParserBuilder signingKeyResolver = Jwts.parserBuilder().requireIssuer(this.config.getIssuer()).setSigningKeyResolver(new SigningKeyResolverAdapter() { // from class: org.eclipse.hono.service.auth.JjwtBasedAuthTokenValidator.1
            public Key resolveSigningKey(JwsHeader jwsHeader, Claims claims) {
                String str2 = (String) Optional.ofNullable(jwsHeader.getAlgorithm()).orElseThrow(() -> {
                    return new SignatureException("token does not contain required alg header");
                });
                return JjwtBasedAuthTokenValidator.this.getValidatingKey(jwsHeader.getKeyId(), str2);
            }
        });
        Optional ofNullable = Optional.ofNullable(this.config.getAudience());
        Objects.requireNonNull(signingKeyResolver);
        ofNullable.ifPresent(signingKeyResolver::requireAudience);
        return signingKeyResolver.build().parseClaimsJws(str);
    }
}
