package org.reaktivity.nukleus.auth.jwt.internal.util;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.HashMap;
import java.util.Map;
import java.util.function.Consumer;
import java.util.function.LongSupplier;
import org.agrona.LangUtil;
import org.jose4j.jwk.JsonWebKey;
import org.jose4j.jwk.JsonWebKeySet;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.MalformedClaimException;
import org.jose4j.jwt.NumericDate;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.lang.JoseException;

/* loaded from: input_file:org/reaktivity/nukleus/auth/jwt/internal/util/JwtValidator.class */
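/**
 * Validates compact-serialized JWS tokens against a fixed JSON Web Key Set and maps each
 * accepted token to a realm, where the realm name is the {@code kid} of the verifying key.
 *
 * <p>Every key in the set must carry a {@code kid} and an {@code alg}, and {@code kid} values
 * must be unique; construction fails otherwise. A token is accepted only when its {@code kid}
 * header names a configured key, its {@code alg} header equals that key's {@code alg}, its
 * signature verifies under that key, and the current time lies within its {@code nbf}/{@code exp}
 * window.
 *
 * <p>Security notes for operators: a token that omits {@code exp} is treated as never expiring,
 * and one that omits {@code nbf} as immediately valid. Issuer and audience claims are not
 * examined by this class.
 */
public class JwtValidator {
    private final Map<String, JsonWebKey> keysByKid;
    private final LongSupplier supplyCurrentTimeMillis;

    /**
     * Creates a validator from a JWK Set stored in a UTF-8 encoded file.
     *
     * @param path location of the JWK Set document
     * @param longSupplier source of the current time in milliseconds, compared with {@code exp}/{@code nbf}
     * @throws IllegalArgumentException if a key lacks {@code kid} or {@code alg}, or a {@code kid} repeats
     */
    public JwtValidator(Path path, LongSupplier longSupplier) {
        Map<String, JsonWebKey> keys = null;
        try {
            keys = toKeyMap(new String(Files.readAllBytes(path), StandardCharsets.UTF_8));
        } catch (IOException e) {
            // Surfaces the IOException to the caller without declaring it.
            LangUtil.rethrowUnchecked(e);
        }
        this.keysByKid = keys;
        this.supplyCurrentTimeMillis = longSupplier;
    }

    /**
     * Creates a validator from a JWK Set given as JSON text.
     *
     * @param str the JWK Set document
     * @param longSupplier source of the current time in milliseconds, compared with {@code exp}/{@code nbf}
     * @throws IllegalArgumentException if a key lacks {@code kid} or {@code alg}, or a {@code kid} repeats
     */
    public JwtValidator(String str, LongSupplier longSupplier) {
        this.keysByKid = toKeyMap(str);
        this.supplyCurrentTimeMillis = longSupplier;
    }

    /**
     * Parses a JWK Set and indexes its keys by {@code kid}.
     *
     * <p>Keys without an {@code alg} are refused so that validation can always pin the
     * algorithm a token is allowed to use for a given key.
     */
    private Map<String, JsonWebKey> toKeyMap(String str) {
        JsonWebKeySet keySet = null;
        try {
            keySet = new JsonWebKeySet(str);
        } catch (JoseException e) {
            LangUtil.rethrowUnchecked(e);
        }
        // Typed map (the original used a raw HashMap, which made the return an unchecked conversion).
        Map<String, JsonWebKey> keys = new HashMap<>();
        for (JsonWebKey key : keySet.getJsonWebKeys()) {
            String keyId = key.getKeyId();
            if (keyId == null) {
                throw new IllegalArgumentException("Key without kid");
            }
            if (key.getAlgorithm() == null) {
                throw new IllegalArgumentException("Key without alg");
            }
            if (keys.put(keyId, key) != null) {
                throw new IllegalArgumentException("Key with duplicate kid");
            }
        }
        return keys;
    }

    /**
     * Passes the name of every configured realm (one per key {@code kid}) to the consumer.
     *
     * @param consumer receives each realm name
     */
    public void forEachRealm(Consumer<String> consumer) {
        this.keysByKid.keySet().forEach(consumer);
    }

    /**
     * Validates a compact-serialized token and returns the realm it belongs to.
     *
     * @param str the token in JWS compact serialization
     * @return the {@code kid} of the key that verified the token, or {@code null} if the token is
     *         absent, malformed, names an unknown key, uses a different {@code alg} than the key
     *         declares, fails signature verification, or is outside its validity window
     */
    public String validateAndGetRealm(String str) {
        if (str == null) {
            // No token presented: nothing to validate.
            return null;
        }
        try {
            // NOTE(review): the original kept one JsonWebSignature per thread and re-populated it
            // for every token. That is only safe if setCompactSerialization()/setKey() clear all
            // per-token state, including any cached verifySignature() outcome when the same key is
            // set again - confirm against the jose4j version in use. A fresh instance per token
            // removes the dependency on that behaviour.
            JsonWebSignature jws = new JsonWebSignature();
            jws.setCompactSerialization(str);

            String kid = jws.getKeyIdHeaderValue();
            if (kid == null) {
                return null;
            }
            JsonWebKey key = this.keysByKid.get(kid);
            // The token's alg header must equal the alg pinned on the key, so a token cannot
            // select a different algorithm for the same key material.
            if (key == null || !key.getAlgorithm().equals(jws.getAlgorithmHeaderValue())) {
                return null;
            }
            jws.setKey(key.getKey());

            // Authenticate first, then interpret: the claims are parsed only after the signature
            // has been verified, so unauthenticated payloads never reach the claims parser.
            if (jws.verifySignature() && withinDuration(jws)) {
                return kid;
            }
        } catch (JoseException | MalformedClaimException | InvalidJwtException e) {
            // Deliberately not rethrown: any parsing or cryptographic failure means the token is
            // rejected, which callers observe as a null realm.
        }
        return null;
    }

    /**
     * Checks the token's {@code exp} and {@code nbf} claims against the current time.
     *
     * <p>Both bounds are inclusive and no clock-skew allowance is applied. A missing claim
     * imposes no restriction, so a token without {@code exp} does not expire here.
     */
    private boolean withinDuration(JsonWebSignature jsonWebSignature) throws MalformedClaimException, InvalidJwtException, JoseException {
        JwtClaims claims = JwtClaims.parse(jsonWebSignature.getPayload());
        long now = this.supplyCurrentTimeMillis.getAsLong();
        NumericDate expirationTime = claims.getExpirationTime();
        NumericDate notBefore = claims.getNotBefore();
        boolean notExpired = expirationTime == null || now <= expirationTime.getValueInMillis();
        boolean alreadyValid = notBefore == null || now >= notBefore.getValueInMillis();
        return notExpired && alreadyValid;
    }
}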
