package com.google.cloud.spring.security.firebase;

import com.nimbusds.jose.util.X509CertUtils;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.jwt.SignedJWT;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.locks.ReentrantLock;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.core.ParameterizedTypeReference;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.ResponseEntity;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtException;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.util.Assert;
import org.springframework.web.client.RestOperations;

/* loaded from: input_file:com/google/cloud/spring/security/firebase/FirebaseJwtTokenDecoder.class */
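/**
 * {@link JwtDecoder} that verifies signed JWTs against public keys published as X.509
 * certificates at a remote endpoint.
 *
 * <p>The endpoint is expected to return a JSON object mapping key ids to certificate strings.
 * One RS256 {@link NimbusJwtDecoder} is built per certificate and selected by the {@code kid}
 * header of the incoming token. The key set is cached for the {@code max-age} announced in the
 * response's {@code Cache-Control} header; without that directive it is fetched on every call.
 *
 * <p>Thread-safety: the key set is refreshed under {@link #keysLock} and published without ever
 * exposing an empty map, so concurrent {@link #decode(String)} calls are safe.
 *
 * <p>NOTE(review): trust in the fetched keys rests entirely on the transport to
 * {@code googlePublicKeysEndpoint} (certificate validity periods are not checked here), so the
 * configured endpoint should be an https URL — confirm at the call site.
 */
public class FirebaseJwtTokenDecoder implements JwtDecoder {
    private static final String DECODING_ERROR_MESSAGE_TEMPLATE = "An error occurred while attempting to decode the Jwt: %s";

    // "\\d+" rather than "\\d*": an empty "max-age=" must not match, otherwise the numeric
    // conversion below throws and the whole key refresh fails.
    private static final Pattern MAX_AGE_PATTERN = Pattern.compile("max-age=(\\d+)");

    private final RestOperations restClient;
    private final String googlePublicKeysEndpoint;
    private final OAuth2TokenValidator<Jwt> tokenValidator;
    private final Logger logger = LoggerFactory.getLogger(FirebaseJwtTokenDecoder.class);
    private final ReentrantLock keysLock = new ReentrantLock();

    // Epoch millis after which the cached keys must be re-fetched; 0 means "fetch now".
    private volatile long expires = 0L;

    // kid -> decoder bound to that key. Concurrent map: read by decode() without the lock.
    private final Map<String, JwtDecoder> delegates = new ConcurrentHashMap<>();

    /**
     * Creates the decoder.
     *
     * @param restOperations client used to fetch the public certificates
     * @param str URL of the endpoint that publishes the certificates
     * @param oAuth2TokenValidator validator installed on every per-key delegate decoder
     */
    public FirebaseJwtTokenDecoder(RestOperations restOperations, String str, OAuth2TokenValidator<Jwt> oAuth2TokenValidator) {
        this.restClient = restOperations;
        this.googlePublicKeysEndpoint = str;
        this.tokenValidator = oAuth2TokenValidator;
    }

    /**
     * Parses the token, refreshes the cached keys if they have expired, and delegates
     * signature verification and claim validation to the decoder registered for the token's
     * key id.
     *
     * @param str the compact-serialized JWT (untrusted input)
     * @return the verified {@link Jwt}
     * @throws JwtException if the token cannot be parsed, carries no key id, names a key id
     *     that is not in the current key set, the key refresh fails, or the delegate rejects it
     */
    @Override
    public Jwt decode(String str) throws JwtException {
        SignedJWT signedJwt = parse(str);
        String keyId = signedJwt.getHeader().getKeyID();
        // A token without "kid" can never match a key. Reject it here: a null key would make
        // ConcurrentHashMap.get throw NullPointerException instead of a JwtException, and
        // rejecting before the refresh avoids a remote fetch on behalf of a hopeless token.
        if (keyId == null) {
            throw new JwtException("No certificate found for key: " + keyId);
        }
        if (isExpired()) {
            // lock() rather than an unchecked tryLock(): if tryLock() failed, the refresh ran
            // unsynchronized and unlock() threw IllegalMonitorStateException out of decode().
            // refresh() re-checks the expiry, so threads that waited here do not fetch again.
            this.keysLock.lock();
            try {
                refresh();
            } finally {
                this.keysLock.unlock();
            }
        }
        JwtDecoder jwtDecoder = this.delegates.get(keyId);
        if (jwtDecoder == null) {
            // NOTE(review): keyId comes from the unverified token header and is echoed in the
            // message; make sure it is escaped wherever this exception is logged or returned.
            throw new JwtException("No certificate found for key: " + keyId);
        }
        return jwtDecoder.decode(str);
    }

    /**
     * Re-fetches the certificates and rebuilds the per-key decoders if the cache has expired.
     * Must be called with {@link #keysLock} held.
     *
     * @throws JwtException if the endpoint cannot be reached, answers with a non-2xx status,
     *     or returns no body
     */
    private void refresh() {
        if (!isExpired()) {
            return;
        }
        try {
            ResponseEntity<Map<String, String>> response = this.restClient.exchange(
                    this.googlePublicKeysEndpoint, HttpMethod.GET, (HttpEntity<?>) null,
                    new ParameterizedTypeReference<Map<String, String>>() {
                    }, new Object[0]);
            if (!response.getStatusCode().is2xxSuccessful()) {
                throw new JwtException("Error retrieving public certificates from remote endpoint");
            }
            Map<String, String> certificates = response.getBody();
            if (certificates == null) {
                throw new JwtException("Error retrieving public certificates from remote endpoint");
            }

            Map<String, JwtDecoder> fresh = new ConcurrentHashMap<>();
            for (Map.Entry<String, String> entry : certificates.entrySet()) {
                String keyId = entry.getKey();
                try {
                    RSAPublicKey publicKey = (RSAPublicKey) convertToX509Cert(entry.getValue()).getPublicKey();
                    NimbusJwtDecoder decoder = NimbusJwtDecoder.withPublicKey(publicKey)
                            .signatureAlgorithm(SignatureAlgorithm.from("RS256"))
                            .build();
                    decoder.setJwtValidator(this.tokenValidator);
                    fresh.put(keyId, decoder);
                } catch (Exception e) {
                    // One unreadable certificate must not discard the others; keep the cause
                    // so the failure can be diagnosed.
                    this.logger.error("Could not read certificate for key {}", keyId, e);
                }
            }

            // Publish without a window in which readers see an empty map: add or replace the
            // new keys first, then drop the ids that are no longer published, so rotated-out
            // keys stop being trusted as soon as the refresh completes.
            this.delegates.putAll(fresh);
            this.delegates.keySet().retainAll(fresh.keySet());

            // Move the expiry only after the keys are in place. Updating it first (and before
            // the status check) let a failed refresh extend the lifetime of stale keys.
            this.expires = expiryFor(parseCacheControlHeaders(response.getHeaders()));
        } catch (Exception e2) {
            // NOTE(review): after a failure the expiry is unchanged, so every following
            // decode() retries the fetch; consider a back-off if the endpoint can be slow.
            throw new JwtException("Error fetching public keys", e2);
        }
    }

    /**
     * Converts a max-age in seconds into an absolute expiry in epoch millis.
     *
     * @param maxAgeSeconds max-age from the response, or -1 if none was announced
     * @return the expiry instant, or 0 (expire immediately) when there is no max-age or the
     *     value is too large to represent
     */
    private static long expiryFor(long maxAgeSeconds) {
        if (maxAgeSeconds <= -1) {
            return 0L;
        }
        try {
            return Math.addExact(System.currentTimeMillis(), Math.multiplyExact(maxAgeSeconds, 1000L));
        } catch (ArithmeticException ignored) {
            // An overflowing max-age would wrap to an arbitrary instant; do not cache instead.
            return 0L;
        }
    }

    /**
     * Parses the compact serialization and requires the result to be a signed JWT.
     *
     * @param str the compact-serialized token
     * @return the parsed, not yet verified, token
     * @throws JwtException if the token is malformed or is not a signed JWT
     */
    private SignedJWT parse(String str) {
        try {
            SignedJWT parse = JWTParser.parse(str);
            if (parse instanceof SignedJWT) {
                return parse;
            }
            // Thrown inside the try on purpose: it is re-wrapped by the handler below, so the
            // caller sees the decoding-error template with this text as the detail.
            throw new JwtException("Unsupported algorithm of " + parse.getHeader().getAlgorithm());
        } catch (Exception e) {
            throw new JwtException(String.format(DECODING_ERROR_MESSAGE_TEMPLATE, e.getMessage()), e);
        }
    }

    /** Returns whether the cached key set has reached its expiry instant. */
    private boolean isExpired() {
        return System.currentTimeMillis() >= this.expires;
    }

    /**
     * Parses a certificate string.
     *
     * @param str the certificate as published by the endpoint
     * @return the parsed certificate, never {@code null}
     * @throws IllegalArgumentException if the string cannot be parsed as a certificate
     */
    private X509Certificate convertToX509Cert(String str) {
        X509Certificate parse = X509CertUtils.parse(str);
        Assert.notNull(parse, "Could not parse certificate String");
        return parse;
    }

    /**
     * Extracts the {@code max-age} directive from the first {@code Cache-Control} header value.
     *
     * @param httpHeaders headers of the certificate response
     * @return max-age in seconds, or -1 if the header or directive is missing or not a valid
     *     number
     */
    private long parseCacheControlHeaders(HttpHeaders httpHeaders) {
        List<String> values = httpHeaders.get("Cache-Control");
        if (values == null || values.isEmpty()) {
            return -1L;
        }
        for (String directive : values.get(0).split(",")) {
            Matcher matcher = MAX_AGE_PATTERN.matcher(directive.trim());
            if (matcher.matches()) {
                try {
                    return Long.parseLong(matcher.group(1));
                } catch (NumberFormatException ignored) {
                    // More digits than fit in a long: treat as "no usable max-age".
                    return -1L;
                }
            }
        }
        return -1L;
    }
}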
