package org.sdase.commons.server.auth.service;

import com.auth0.jwt.JWT;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.exceptions.TokenExpiredException;
import com.auth0.jwt.interfaces.Claim;
import com.auth0.jwt.interfaces.DecodedJWT;
import com.auth0.jwt.interfaces.Verification;
import java.security.interfaces.ECPrivateKey;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.Validate;
import org.sdase.commons.server.auth.error.JwtAuthException;
import org.sdase.commons.server.auth.key.LoadedPublicKey;
import org.sdase.commons.server.auth.key.PublicKeyLoader;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/sdase/commons/server/auth/service/AuthService.class */
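/**
 * Verifies JWTs against public keys supplied by a {@link PublicKeyLoader} and returns the claims
 * of a successfully verified token.
 *
 * <p>The header of the incoming token ({@code kid}, {@code x5t}) is only used to select a
 * candidate key. The signature algorithm is taken from the configuration of the selected key,
 * never from the token, and the returned claims always come from the verified token.
 *
 * <p>Verification covers the signature, the time-based claims (with the configured leeway) and,
 * if the key defines one, the issuer. No audience ({@code aud}) check is configured here, so
 * callers that need one must inspect the returned claims themselves.
 */
public class AuthService implements TokenAuthorizer {
    private static final Logger LOG = LoggerFactory.getLogger(AuthService.class);

    private final PublicKeyLoader publicKeyLoader;

    /** Clock skew tolerated for time-based claims, passed to java-jwt's {@code acceptLeeway} (seconds). */
    private final long leeway;

    /**
     * Creates the service.
     *
     * @param publicKeyLoader source of the trusted public keys, must not be {@code null}
     * @param j leeway for time-based claims, must not be negative
     */
    public AuthService(PublicKeyLoader publicKeyLoader, long j) {
        Validate.notNull(publicKeyLoader);
        // Only negative values are rejected. There is no upper bound, so a very large leeway
        // effectively disables expiry checking; keep the configured value small.
        Validate.inclusiveBetween(0L, Long.MAX_VALUE, j);
        this.publicKeyLoader = publicKeyLoader;
        this.leeway = j;
    }

    /**
     * Verifies the given token and returns its claims.
     *
     * @param str the serialized JWT as received from the client
     * @return the claims of the verified token
     * @throws JwtAuthException if the token cannot be decoded, no matching key is available or
     *     verification fails
     */
    @Override
    public Map<String, Claim> auth(String str) {
        try {
            // decode() performs no verification; nothing read from this object may be trusted.
            DecodedJWT unverified = JWT.decode(str);
            String keyId = unverified.getKeyId();
            String x5t = unverified.getHeaderClaim("x5t").asString();
            if (StringUtils.isBlank(keyId) && StringUtils.isBlank(x5t)) {
                return verifyWithUnidentifiedKeys(str);
            }
            LoadedPublicKey key = this.publicKeyLoader.getLoadedPublicKey(keyId, x5t);
            if (key == null) {
                // NOTE(review): keyId comes from the unverified header and is attacker-controlled;
                // the logging layout should neutralise control characters to prevent forged log
                // lines. When only x5t was sent, the kid logged here is blank.
                LOG.error("No key found for verification, matching the requested kid {}", keyId);
                throw new JwtAuthException("Could not verify JWT with the requested kid.");
            }
            return verifyJwtSignature(str, key)
                    .orElseThrow(() -> new JwtAuthException("Verifying token failed"))
                    .getClaims();
        } catch (JWTVerificationException e) {
            throw new JwtAuthException((Throwable) e);
        }
    }

    /**
     * Verifies a token that names no key by trying every key that has neither kid nor x5t.
     *
     * <p>Keys are tried from the last to the first entry of the loader's list and the first
     * successful verification wins. The list is walked backwards by index instead of being
     * reversed in place, so the list returned by the loader is never modified (whether the loader
     * hands out a shared instance is not visible from this class).
     */
    private Map<String, Claim> verifyWithUnidentifiedKeys(String token) {
        List<LoadedPublicKey> candidates = this.publicKeyLoader.getKeysWithoutAnyId();
        if (candidates.size() > 1) {
            LOG.warn("Verifying token without kid and x5t trying {} public keys", candidates.size());
        }
        for (int i = candidates.size() - 1; i >= 0; i--) {
            Optional<DecodedJWT> verified = verifyJwtSignature(token, candidates.get(i));
            if (verified.isPresent()) {
                return verified.get().getClaims();
            }
        }
        throw new JwtAuthException("Could not verify JWT without kid nor x5t.");
    }

    /**
     * Maps the signature algorithm configured for a key to a verify-only java-jwt algorithm.
     *
     * <p>Only the asymmetric RS* and ES* families are accepted; anything else, including a
     * missing algorithm name, is rejected. The private key argument is always {@code null}
     * because this service only verifies. A key whose type does not match its configured
     * algorithm fails the cast with a {@link ClassCastException}.
     *
     * @throws JwtAuthException if the configured algorithm is missing or not supported
     */
    private static Algorithm resolveAlgorithm(LoadedPublicKey loadedPublicKey) {
        String sigAlgorithm = loadedPublicKey.getSigAlgorithm();
        if (sigAlgorithm == null) {
            // switch on a null String would throw a NullPointerException; fail closed instead.
            throw new JwtAuthException("Unsupported algorithm :'" + sigAlgorithm + "'");
        }
        switch (sigAlgorithm) {
            case "RS256":
                return Algorithm.RSA256((RSAPublicKey) loadedPublicKey.getPublicKey(), (RSAPrivateKey) null);
            case "RS384":
                return Algorithm.RSA384((RSAPublicKey) loadedPublicKey.getPublicKey(), (RSAPrivateKey) null);
            case "RS512":
                return Algorithm.RSA512((RSAPublicKey) loadedPublicKey.getPublicKey(), (RSAPrivateKey) null);
            case "ES256":
                return Algorithm.ECDSA256((ECPublicKey) loadedPublicKey.getPublicKey(), (ECPrivateKey) null);
            case "ES384":
                return Algorithm.ECDSA384((ECPublicKey) loadedPublicKey.getPublicKey(), (ECPrivateKey) null);
            case "ES512":
                return Algorithm.ECDSA512((ECPublicKey) loadedPublicKey.getPublicKey(), (ECPrivateKey) null);
            default:
                throw new JwtAuthException("Unsupported algorithm :'" + sigAlgorithm + "'");
        }
    }

    /**
     * Verifies the token against a single key.
     *
     * <p>The issuer is only enforced when the key defines a required issuer; keys without one
     * accept tokens from any issuer that can produce a valid signature for that key.
     *
     * @return the verified token, or empty if verification failed for this key
     */
    private Optional<DecodedJWT> verifyJwtSignature(String token, LoadedPublicKey loadedPublicKey) {
        try {
            Verification verification =
                    JWT.require(resolveAlgorithm(loadedPublicKey)).acceptLeeway(this.leeway);
            String requiredIssuer = loadedPublicKey.getRequiredIssuer();
            if (StringUtils.isNotBlank(requiredIssuer)) {
                verification = verification.withIssuer(requiredIssuer);
            }
            return Optional.of(verification.build().verify(token));
        } catch (TokenExpiredException e) {
            // Expired tokens are expected in normal operation, hence only a warning.
            LOG.warn("Verifying token failed.", e);
            return Optional.empty();
        } catch (JWTVerificationException e) {
            LOG.error("Verifying token failed.", e);
            return Optional.empty();
        }
    }
}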
