package com.google.api.server.spi.auth;

import com.google.api.server.spi.Client;
import com.google.api.server.spi.auth.common.User;
import com.google.api.server.spi.config.Authenticator;
import com.google.api.server.spi.config.Singleton;
import com.google.api.server.spi.config.model.ApiMethodConfig;
import com.google.api.server.spi.request.Attribute;
import endpoints.repackaged.com.google.api.client.googleapis.auth.oauth2.GoogleIdToken;
import endpoints.repackaged.com.google.api.client.googleapis.auth.oauth2.GoogleIdTokenVerifier;
import endpoints.repackaged.com.google.common.annotations.VisibleForTesting;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.servlet.http.HttpServletRequest;

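/**
 * Authenticator that accepts a Google-issued ID token (JWT) taken from the request and maps it
 * to an endpoints {@link User}.
 *
 * <p>Signature and standard-claim verification is delegated to the injected
 * {@link GoogleIdTokenVerifier}. The default constructor builds that verifier without
 * configuring an audience on it, so the client-id and audience checks in
 * {@link #authenticate(HttpServletRequest)} are what bind a token to this API's configuration.
 *
 * <p>Every failure path returns {@code null} (unauthenticated) rather than throwing.
 */
@Singleton
public class GoogleJwtAuthenticator implements Authenticator {
    private static final Logger logger = Logger.getLogger(GoogleJwtAuthenticator.class.getName());
    private final GoogleIdTokenVerifier verifier;

    /** Creates an authenticator backed by a verifier built from the shared {@link Client} transport and JSON factory. */
    public GoogleJwtAuthenticator() {
        this(new GoogleIdTokenVerifier.Builder(Client.getInstance().getHttpTransport(), Client.getInstance().getJsonFactory()).build());
    }

    /**
     * Creates an authenticator backed by the given verifier.
     *
     * @param googleIdTokenVerifier verifier used for every token; stored as-is
     */
    public GoogleJwtAuthenticator(GoogleIdTokenVerifier googleIdTokenVerifier) {
        this.verifier = googleIdTokenVerifier;
    }

    /**
     * Verifies a raw token string with the configured verifier.
     *
     * <p>The decompiler reports that this method was package-private in the original source; it
     * is kept public here so existing callers of this listing are unaffected.
     *
     * @param str the raw token string, may be {@code null}
     * @return the result of {@code verifier.verify(str)}, or {@code null} when {@code str} is
     *     {@code null} or verification threw
     */
    @VisibleForTesting
    public GoogleIdToken verifyToken(String str) {
        if (str == null) {
            return null;
        }
        try {
            return this.verifier.verify(str);
        } catch (IllegalArgumentException e) {
            // The token text is caller-controlled, so a bad token is an expected event: record
            // the reason but no stack trace, which would let any client inflate the logs.
            logger.log(Level.WARNING, "Rejected malformed JWT: {0}", e.getMessage());
            return null;
        } catch (IOException | GeneralSecurityException e) {
            // These are not the caller's fault (presumably key retrieval or crypto setup), and
            // they fail authentication for everyone; keep the exception so operators can tell
            // an outage from a bad token.
            logger.log(Level.WARNING, "JWT verification could not be completed", e);
            return null;
        }
    }

    /**
     * Authenticates the request from its JWT, if any.
     *
     * @param httpServletRequest the incoming request
     * @return the authenticated user, or {@code null} when token auth is skipped for this
     *     request, the auth token is not a JWT, verification fails, the client id or audience
     *     is not allowed by the method configuration, or the token carries neither a subject
     *     nor an email
     */
    @Override
    public User authenticate(HttpServletRequest httpServletRequest) {
        Attribute attr = Attribute.from(httpServletRequest);
        if (attr.isEnabled(Attribute.SKIP_TOKEN_AUTH)) {
            return null;
        }

        String authToken = GoogleAuth.getAuthToken(httpServletRequest);
        if (!GoogleAuth.isJwt(authToken)) {
            return null;
        }
        GoogleIdToken token = verifyToken(authToken);
        if (token == null) {
            return null;
        }

        String authorizedParty = token.getPayload().getAuthorizedParty();

        // getAudience() is typed Object; a blind cast would turn any non-string value into an
        // uncaught ClassCastException. Fail closed like every other rejection path instead.
        Object rawAudience = token.getPayload().getAudience();
        if (rawAudience != null && !(rawAudience instanceof String)) {
            logger.warning("Audience claim is not a single string; rejecting token");
            return null;
        }
        String audience = (String) rawAudience;

        // Assumes the framework has stored the method config on the request; it is
        // dereferenced below without a null check -- TODO confirm against the caller.
        ApiMethodConfig apiMethodConfig = (ApiMethodConfig) attr.get(Attribute.API_METHOD_CONFIG);

        // The client-id (azp) check is only enforced when the whitelist attribute is enabled.
        if (attr.isEnabled(Attribute.ENABLE_CLIENT_ID_WHITELIST)
                && !GoogleAuth.checkClientId(authorizedParty, apiMethodConfig.getClientIds(), false)) {
            logger.warning("ClientId is not allowed: " + authorizedParty);
            return null;
        }
        // The audience check is unconditional.
        if (!GoogleAuth.checkAudience(audience, apiMethodConfig.getAudiences(), authorizedParty)) {
            logger.warning("Audience is not allowed: " + audience);
            return null;
        }

        String subject = token.getPayload().getSubject();
        // NOTE(review): the email claim is used as-is; nothing here inspects the token's
        // email_verified claim. Confirm whether downstream code treats the email as a verified
        // identity, and prefer the subject as the stable identifier where possible.
        String email = token.getPayload().getEmail();
        User user = (subject == null && email == null) ? null : new User(subject, email);

        // NOTE(review): both branches below log the resolved identity at INFO on every
        // successful authentication; confirm that log access and retention are acceptable for
        // email addresses.
        if (attr.isEnabled(Attribute.REQUIRE_APPENGINE_USER)) {
            com.google.appengine.api.users.User appEngineUser =
                    email == null ? null : new com.google.appengine.api.users.User(email, "");
            attr.set(Attribute.AUTHENTICATED_APPENGINE_USER, appEngineUser);
            logger.log(Level.INFO, "appEngineUser = {0}", appEngineUser);
        } else {
            logger.log(Level.INFO, "user = {0}", user);
        }
        return user;
    }
}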
