package be.atbash.runtime.security.jwt.principal;

import be.atbash.ee.security.octopus.jwt.decoder.JWTVerifier;
import be.atbash.ee.security.octopus.nimbus.jwt.CommonJWTHeader;
import be.atbash.ee.security.octopus.nimbus.jwt.JWTClaimsSet;
import be.atbash.ee.security.octopus.nimbus.jwt.util.DateUtils;
import be.atbash.runtime.core.data.util.SystemPropertyUtil;
import java.text.ParseException;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import org.slf4j.MDC;

/* loaded from: input_file:be/atbash/runtime/security/jwt/principal/MPBearerTokenVerifier.class */
/**
 * Checks the claims of a bearer JWT against the configured {@link JWTAuthContextInfo}.
 *
 * <p>Only claims are examined here. The header passed to {@link #verify} is never read and no
 * signature or algorithm check is performed in this class.
 * NOTE(review): presumably the caller verifies the signature and algorithm before invoking this
 * verifier; confirm, because every check below trusts the claim values as given.
 *
 * <p>Rejection reasons are published through the SLF4J {@link MDC} under the key
 * {@code jwt.verification.fail}. A later failing check overwrites the reason written by an earlier
 * one. The issuer, expiration, not-before and claim-parsing failures write no reason at all, so a
 * rejection without a reason in the MDC points to one of those four.
 */
public class MPBearerTokenVerifier implements JWTVerifier {
    /** MDC key that carries the most recently recorded rejection reason. */
    private static final String FAIL_REASON_KEY = "jwt.verification.fail";

    private final JWTAuthContextInfo authContextInfo;

    /**
     * Creates a verifier bound to the given configuration.
     *
     * @param jWTAuthContextInfo expected issuers, audiences, grace period and required claims
     */
    public MPBearerTokenVerifier(JWTAuthContextInfo jWTAuthContextInfo) {
        this.authContextInfo = jWTAuthContextInfo;
    }

    /**
     * Validates the claim set of a token. Every check runs even after an earlier one has failed,
     * so the MDC reason reflects the last check that recorded one.
     *
     * <p>Checks, in order: issuer is present and configured; audience overlaps the expected
     * audience (only when one is configured); {@code exp} is present and still valid; {@code nbf},
     * when present, has been reached; {@code iat} and {@code jti} (TCK mode only); at least one of
     * {@code upn} / {@code sub} is present; every configured required claim is present.
     *
     * @param commonJWTHeader header of the token; not used by this implementation
     * @param jWTClaimsSet claims of the token under verification
     * @return {@code true} only when none of the checks failed
     */
    public boolean verify(CommonJWTHeader commonJWTHeader, JWTClaimsSet jWTClaimsSet) {
        // Issuer: must be present and one of the configured issuers. No MDC reason on failure.
        String issuer = jWTClaimsSet.getIssuer();
        boolean valid = issuer != null && this.authContextInfo.getIssuedBy().contains(issuer);

        // Audience: enforced only when an expected audience is configured. With an empty
        // configuration, a token minted for any audience passes this step.
        Set<String> expectedAudience = this.authContextInfo.getExpectedAudience();
        if (!expectedAudience.isEmpty()) {
            List<String> tokenAudience = jWTClaimsSet.getAudience();
            if (!checkAudience(expectedAudience, tokenAudience)) {
                // NOTE(review): the token's own aud values are copied into the MDC text. If this
                // value reaches a log layout that does not escape control characters, the token
                // can shape the log line; confirm the appender encodes MDC values.
                recordFailure(String.format(
                        "The token did not contain the expected audience. Expected = %s, token = %s",
                        String.join(",", expectedAudience),
                        String.join(",", tokenAudience)));
                valid = false;
            }
        }

        // Time window: exp is mandatory, nbf is optional and only looked at when exp passed.
        // Both use the same configured value as third argument (presumably the tolerated clock
        // skew in seconds; see DateUtils). Neither failure records an MDC reason.
        Date now = new Date();
        Date expirationTime = jWTClaimsSet.getExpirationTime();
        if (expirationTime != null
                && DateUtils.isAfter(expirationTime, now, this.authContextInfo.getExpGracePeriodSecs())) {
            Date notBeforeTime = jWTClaimsSet.getNotBeforeTime();
            if (notBeforeTime != null
                    && !DateUtils.isBefore(notBeforeTime, now, this.authContextInfo.getExpGracePeriodSecs())) {
                valid = false;
            }
        } else {
            valid = false;
        }

        // iat and jti are enforced only in TCK mode. Outside it, a token with a missing or future
        // iat, or without a jti, is accepted by this verifier.
        if (SystemPropertyUtil.getInstance().isTck("jwt")) {
            Date issueTime = jWTClaimsSet.getIssueTime();
            if (issueTime == null
                    || !DateUtils.isBefore(issueTime, now, this.authContextInfo.getExpGracePeriodSecs())) {
                recordFailure(String.format("The token is used before it is issued (iat = %s)", issueTime));
                valid = false;
            }
            String tokenId = jWTClaimsSet.getJWTID();
            if (tokenId == null || tokenId.isBlank()) {
                recordFailure("The token has no token id (jti)");
                valid = false;
            }
        }

        // Principal name: at least one of upn / sub must be non-null. Only null is rejected, so an
        // empty or blank value still satisfies this check.
        try {
            String upn = jWTClaimsSet.getStringClaim("upn");
            String subject = jWTClaimsSet.getSubject();
            if (upn == null && subject == null) {
                recordFailure("The token has no subject and 'upn' claim");
                valid = false;
            }
        } catch (ParseException e) {
            // A claim that cannot be read as a string rejects the token; no reason is recorded.
            valid = false;
        }

        // Required claims: presence only, the values are not inspected. Stops at the first
        // missing claim, so only that one is named in the MDC reason.
        for (String requiredClaim : this.authContextInfo.getRequiredClaims()) {
            if (!jWTClaimsSet.getClaims().containsKey(requiredClaim)) {
                recordFailure(String.format(
                        "The token does not contain the custom defined required claim '%s'", requiredClaim));
                valid = false;
                break;
            }
        }
        return valid;
    }

    /**
     * Tells whether the token names at least one of the expected audiences.
     *
     * @param expected audiences accepted by the configuration
     * @param presented audiences listed in the token
     * @return {@code true} when the two collections share at least one entry
     */
    private boolean checkAudience(Set<String> expected, List<String> presented) {
        for (String candidate : expected) {
            if (presented.contains(candidate)) {
                return true;
            }
        }
        return false;
    }

    /** Stores the rejection reason in the MDC, replacing any reason recorded earlier. */
    private static void recordFailure(String reason) {
        MDC.put(FAIL_REASON_KEY, reason);
    }
}
