package io.micronaut.security.token.jwt.validator;

import com.nimbusds.jose.EncryptionMethod;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.JWEHeader;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jwt.EncryptedJWT;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.jwt.PlainJWT;
import com.nimbusds.jwt.SignedJWT;
import io.micronaut.security.authentication.Authentication;
import io.micronaut.security.token.jwt.encryption.EncryptionConfiguration;
import io.micronaut.security.token.jwt.signature.SignatureConfiguration;
import io.micronaut.security.token.validator.TokenValidator;
import io.reactivex.Flowable;
import java.text.ParseException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Date;
import java.util.List;
import javax.inject.Singleton;
import org.reactivestreams.Publisher;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

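/**
 * Validates a serialized JWT and, on success, exposes its claims as an {@link Authentication}.
 *
 * <p>The token is parsed and dispatched on its concrete type (plain, signed or encrypted). Every
 * rejection path returns an empty {@link Publisher}; a single {@link Authentication} is emitted
 * only when the token passes the checks for its type, carries a {@code sub} claim and is not
 * expired.
 *
 * <p>Raw token strings are deliberately never written to the log: a bearer token that fails
 * against one configuration may still be valid for another, so logging it would leak a usable
 * credential to anyone with access to debug logs.
 */
@Singleton
/* loaded from: input_file:io/micronaut/security/token/jwt/validator/JwtTokenValidator.class */
public class JwtTokenValidator implements TokenValidator {
    private static final Logger LOG = LoggerFactory.getLogger(JwtTokenValidator.class);

    /** Signature configurations tried, in order, against a signed JWT. */
    protected final List<SignatureConfiguration> signatureConfigurations = new ArrayList<>();

    /** Encryption configurations tried, in order, against an encrypted JWT. */
    protected final List<EncryptionConfiguration> encryptionConfigurations = new ArrayList<>();

    /**
     * Copies the supplied configurations into this validator's own lists.
     *
     * @param collection signature configurations used to verify signed JWTs
     * @param collection2 encryption configurations used to decrypt encrypted JWTs
     */
    public JwtTokenValidator(Collection<SignatureConfiguration> collection, Collection<EncryptionConfiguration> collection2) {
        this.signatureConfigurations.addAll(collection);
        this.encryptionConfigurations.addAll(collection2);
    }

    /**
     * Checks the {@code exp} claim against the current time.
     *
     * <p>NOTE(review): a token without an {@code exp} claim is treated as valid, i.e. it never
     * expires, and no not-before ({@code nbf}) check is made here. Confirm that the token issuer
     * always sets {@code exp} if unbounded token lifetimes are not acceptable.
     *
     * @param jWTClaimsSet claims of the token being validated
     * @return {@code true} if there is no expiration time or it is not before now
     */
    private boolean validateExpirationTime(JWTClaimsSet jWTClaimsSet) {
        Date expirationTime = jWTClaimsSet.getExpirationTime();
        return expirationTime == null || !expirationTime.before(new Date());
    }

    /**
     * Handles an unsigned (plain) JWT.
     *
     * <p>NOTE(review): when no signature configuration is registered, an unsigned token is
     * accepted and its claims are taken at face value, so nothing authenticates the subject.
     * Deployments that must never accept unsigned tokens need at least one
     * {@link SignatureConfiguration}; consider whether this path should fail closed instead.
     *
     * @param jwt the parsed plain JWT
     * @return the authentication, or an empty publisher if signature configurations exist
     * @throws ParseException if the claims cannot be parsed
     */
    private Publisher<Authentication> validatePlainJWT(JWT jwt) throws ParseException {
        if (this.signatureConfigurations.isEmpty()) {
            LOG.debug("JWT is not signed and no signature configurations -> verified");
            return createAuthentication(jwt);
        }
        LOG.debug("A non-signed JWT cannot be accepted as signature configurations have been defined");
        return Flowable.empty();
    }

    /**
     * Verifies a signed JWT against each signature configuration that supports its algorithm.
     *
     * @param signedJWT the parsed signed JWT
     * @return the authentication from the first configuration that verifies the signature, or an
     *     empty publisher if none does
     * @throws ParseException if the claims cannot be parsed
     */
    private Publisher<Authentication> validateSignedJWT(SignedJWT signedJWT) throws ParseException {
        LOG.debug("JWT is signed");
        JWSAlgorithm algorithm = signedJWT.getHeader().getAlgorithm();
        for (SignatureConfiguration signatureConfiguration : this.signatureConfigurations) {
            if (!signatureConfiguration.supports(algorithm)) {
                // Guarded because building the message is only worthwhile when it is logged.
                if (LOG.isDebugEnabled()) {
                    LOG.debug("{}", signatureConfiguration.supportedAlgorithmsMessage());
                }
                continue;
            }
            LOG.debug("Using signature configuration: {}", signatureConfiguration);
            try {
                if (signatureConfiguration.verify(signedJWT)) {
                    return createAuthentication(signedJWT);
                }
                // The token itself is not logged: it may still verify against a later
                // configuration, in which case the log would hold a valid credential.
                LOG.debug("JWT verification failed with signature configuration: {}", signatureConfiguration);
            } catch (JOSEException e) {
                // Best effort: a failure with one configuration falls through to the next.
                LOG.debug("Verification fails with signature configuration: {}, passing to the next one", signatureConfiguration);
            }
        }
        LOG.debug("No signature configuration could verify the JWT");
        return Flowable.empty();
    }

    /**
     * Decrypts an encrypted JWT and validates the signed JWT nested in its payload.
     *
     * <p>The first configuration that supports the header's algorithm and encryption method and
     * decrypts without error decides the outcome: the payload must convert to a signed JWT, which
     * is then verified; otherwise the token is rejected.
     *
     * @param encryptedJWT the parsed encrypted JWT
     * @return the authentication, or an empty publisher if decryption or verification fails
     * @throws ParseException if the claims cannot be parsed
     */
    private Publisher<Authentication> validateEncryptedJWT(EncryptedJWT encryptedJWT) throws ParseException {
        LOG.debug("JWT is encrypted");
        JWEHeader header = encryptedJWT.getHeader();
        JWEAlgorithm algorithm = header.getAlgorithm();
        EncryptionMethod encryptionMethod = header.getEncryptionMethod();
        for (EncryptionConfiguration encryptionConfiguration : this.encryptionConfigurations) {
            if (!encryptionConfiguration.supports(algorithm, encryptionMethod)) {
                continue;
            }
            LOG.debug("Using encryption configuration: {}", encryptionConfiguration);
            try {
                encryptionConfiguration.decrypt(encryptedJWT);
                SignedJWT signedJWT = encryptedJWT.getPayload().toSignedJWT();
                if (signedJWT != null) {
                    return validateSignedJWT(signedJWT);
                }
                LOG.debug("encrypted JWT could couldn't be converted to a signed JWT.");
                return Flowable.empty();
            } catch (JOSEException e) {
                // Best effort: a failure with one configuration falls through to the next.
                LOG.debug("Decryption fails with encryption configuration: {}, passing to the next one", encryptionConfiguration);
            }
        }
        // The raw token is intentionally left out of the log message.
        LOG.debug("No encryption configuration could decrypt the JWT");
        return Flowable.empty();
    }

    /**
     * Parses the token and validates it according to its type.
     *
     * @param str the serialized JWT
     * @return a publisher emitting the {@link Authentication} if the token is accepted, otherwise
     *     an empty publisher (including when the token is {@code null} or cannot be parsed)
     */
    public Publisher<Authentication> validateToken(String str) {
        if (str == null) {
            // A missing token is rejected like an unparseable one instead of raising.
            return Flowable.empty();
        }
        try {
            JWT parse = JWTParser.parse(str);
            if (parse instanceof PlainJWT) {
                return validatePlainJWT(parse);
            }
            if (parse instanceof EncryptedJWT) {
                return validateEncryptedJWT((EncryptedJWT) parse);
            }
            if (parse instanceof SignedJWT) {
                return validateSignedJWT((SignedJWT) parse);
            }
            return Flowable.empty();
        } catch (ParseException e) {
            LOG.debug("Cannot decrypt / verify JWT: {}", e.getMessage());
            return Flowable.empty();
        }
    }

    /**
     * Builds the authentication from the token's claims once the token has been accepted.
     *
     * @param jwt a JWT that already passed the checks for its type
     * @return the authentication, or an empty publisher if the {@code sub} claim is missing or
     *     the token is expired
     * @throws ParseException if the claims cannot be parsed
     */
    private Publisher<Authentication> createAuthentication(JWT jwt) throws ParseException {
        JWTClaimsSet jWTClaimsSet = jwt.getJWTClaimsSet();
        if (jWTClaimsSet.getSubject() == null) {
            LOG.debug("JWT must contain a subject ('sub' claim)");
            return Flowable.empty();
        }
        if (!validateExpirationTime(jWTClaimsSet)) {
            LOG.debug("JWT expired");
            return Flowable.empty();
        }
        return Flowable.just(new AuthenticationJWTClaimsSetAdapter(jWTClaimsSet));
    }
}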
