package io.pravega.segmentstore.server.host.delegationtoken;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Strings;
import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import io.pravega.auth.AuthHandler;
import io.pravega.auth.InvalidClaimException;
import io.pravega.auth.InvalidTokenException;
import io.pravega.auth.TokenException;
import io.pravega.auth.TokenExpiredException;
import io.pravega.common.Exceptions;
import io.pravega.shared.security.token.JsonWebToken;
import io.pravega.shared.security.token.JwtParser;
import lombok.Generated;
import lombok.NonNull;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/pravega/segmentstore/server/host/delegationtoken/TokenVerifierImpl.class */
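/**
 * Verifies delegation tokens (JWTs) presented to the segment store.
 *
 * <p>A token is accepted only if {@link JwtParser#parse} accepts it with this instance's signing
 * key and at least one of its resource/permission claims covers the requested resource at the
 * requested permission level.
 */
public class TokenVerifierImpl implements DelegationTokenVerifier {

    @SuppressFBWarnings(justification = "generated code")
    @Generated
    private static final Logger log = LoggerFactory.getLogger(TokenVerifierImpl.class);

    // Key material handed to JwtParser.parse(...) on every verification. Must never be logged.
    private final byte[] tokenSigningKey;

    /**
     * Creates a verifier whose signing key is the byte encoding of the given string.
     *
     * @param tokenSigningKeyBasis the string the signing key is derived from; must not be null or
     *     empty (enforced by {@code Exceptions.checkNotNullOrEmpty})
     */
    @VisibleForTesting
    public TokenVerifierImpl(String tokenSigningKeyBasis) {
        Exceptions.checkNotNullOrEmpty(tokenSigningKeyBasis, "tokenSigningKeyBasis");
        // NOTE(review): getBytes() without a charset uses the platform default encoding, so a key
        // basis containing non-ASCII characters yields different key bytes on hosts with different
        // default charsets. Switching to an explicit charset (e.g. UTF-8) is only safe if the
        // token issuer derives its key the same way - confirm against the signing side first.
        this.tokenSigningKey = tokenSigningKeyBasis.getBytes();
    }

    /**
     * Parses the delegation token and checks that it grants {@code expectedLevel} on
     * {@code resource}.
     *
     * @param resource the resource being accessed; must not be null
     * @param token the serialized delegation token; null or empty is rejected
     * @param expectedLevel the minimum permission the caller needs; must not be null
     * @return the parsed token when a matching claim is found
     * @throws InvalidTokenException if {@code token} is null or empty (other causes come from
     *     {@code JwtParser.parse}, which is not visible here)
     * @throws InvalidClaimException if no claim covers {@code resource} at {@code expectedLevel}
     * @throws TokenExpiredException declared; presumably raised by {@code JwtParser.parse} - confirm
     * @throws TokenException declared; presumably raised by {@code JwtParser.parse} - confirm
     * @throws NullPointerException if {@code resource} or {@code expectedLevel} is null
     */
    @Override // io.pravega.segmentstore.server.host.delegationtoken.DelegationTokenVerifier
    public JsonWebToken verifyToken(@NonNull String resource, String token, @NonNull AuthHandler.Permissions expectedLevel) throws TokenExpiredException, InvalidTokenException, InvalidClaimException, TokenException {
        if (resource == null) {
            throw new NullPointerException("resource is marked non-null but is null");
        }
        if (expectedLevel == null) {
            throw new NullPointerException("expectedLevel is marked non-null but is null");
        }
        if (Strings.isNullOrEmpty(token)) {
            throw new InvalidTokenException("Token is null or empty");
        }
        JsonWebToken parsedToken = JwtParser.parse(token, this.tokenSigningKey);

        // A claim matches when its key covers the resource and its permission is not lower than
        // expectedLevel in Permissions' natural ordering.
        // NOTE(review): Permissions.valueOf throws an unchecked IllegalArgumentException for a
        // claim value that is not a known permission name; that propagates to the caller as-is.
        boolean authorized = parsedToken.getPermissionsByResource().entrySet().stream()
                .anyMatch(entry -> resourceMatchesClaimKey((String) entry.getKey(), resource)
                        && expectedLevel.compareTo(AuthHandler.Permissions.valueOf(entry.getValue().toString())) <= 0);
        if (authorized) {
            return parsedToken;
        }

        // The serialized token is a bearer credential: anyone who can read the log could replay it
        // until it expires, so only the resource and the requested permission are logged.
        log.debug("No matching claim found for resource [{}] and permission [{}].", resource, expectedLevel);
        throw new InvalidClaimException(String.format("No matching claim found for resource: [%s] and permission: [%s] in the delegation token.", resource, expectedLevel));
    }

    /**
     * Decides whether a claim key from the token covers the requested resource.
     *
     * <p>The key covers the resource when it equals the resource, when it ends with "/" and is a
     * prefix of the resource, when the key followed by "/" is a prefix of the resource, or when
     * the key is the wildcard "*".
     *
     * @param claimKey the resource pattern taken from the token's claims
     * @param resource the resource being accessed
     * @return true if the claim key covers the resource
     */
    private boolean resourceMatchesClaimKey(String claimKey, String resource) {
        if (resource.equals(claimKey)) {
            return true;
        }
        if (claimKey.endsWith("/") && resource.startsWith(claimKey)) {
            return true;
        }
        if (resource.startsWith(claimKey + "/")) {
            return true;
        }
        return claimKey.equals("*");
    }
}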
