package io.quarkus.smallrye.jwt.runtime.auth;

import io.smallrye.jwt.auth.principal.JWTAuthContextInfo;
import io.smallrye.jwt.auth.principal.KeyLocationResolver;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import javax.enterprise.context.ApplicationScoped;
import javax.inject.Inject;
import org.eclipse.microprofile.jwt.Claims;
import org.jboss.logging.Logger;
import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.NumericDate;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.jwt.consumer.JwtContext;
import org.jose4j.jwx.JsonWebStructure;
import org.jose4j.keys.resolvers.JwksVerificationKeyResolver;
import org.wildfly.security.auth.realm.token.TokenValidator;
import org.wildfly.security.auth.server.RealmUnavailableException;
import org.wildfly.security.authz.Attributes;
import org.wildfly.security.evidence.BearerTokenEvidence;

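/**
 * Validates MicroProfile JWT bearer tokens with jose4j and exposes the verified claims as
 * Elytron {@link Attributes}.
 *
 * <p>What is enforced: an RS256 signature, presence of {@code exp} and {@code sub}, the
 * expected issuer when {@code authContextInfo.isRequireIssuer()} is set, and token expiry
 * against the current time.
 *
 * <p>What is not enforced here: the audience ({@code aud}) check is explicitly skipped and the
 * {@code typ} header is read but never compared to anything.
 */
@ApplicationScoped
public class MpJwtValidator implements TokenValidator {
    private static final String ROLE_MAPPINGS = "roleMappings";
    private static final Logger log = Logger.getLogger(MpJwtValidator.class);

    @Inject
    JWTAuthContextInfo authContextInfo;

    /** No-arg constructor; {@link #authContextInfo} is then supplied by field injection. */
    public MpJwtValidator() {
    }

    /**
     * Creates a validator with an explicit configuration.
     *
     * @param jWTAuthContextInfo verification settings (issuer, keys, grace period)
     */
    public MpJwtValidator(JWTAuthContextInfo jWTAuthContextInfo) {
        this.authContextInfo = jWTAuthContextInfo;
    }

    /**
     * Verifies the bearer token and returns its claims.
     *
     * <p>When the token carries a {@code roleMappings} claim, every mapping whose key is present
     * in {@code groups} contributes its value as an additional group. The raw token string is
     * stored under the {@code raw_token} claim.
     *
     * @param bearerTokenEvidence evidence wrapping the compact JWT taken from the request
     * @return the verified claims wrapped as {@link Attributes}
     * @throws RealmUnavailableException if jose4j rejects the token (bad signature, disallowed
     *         algorithm, missing or expired {@code exp}, missing {@code sub}, issuer mismatch)
     */
    @Override
    public Attributes validate(BearerTokenEvidence bearerTokenEvidence) throws RealmUnavailableException {
        String token = bearerTokenEvidence.getToken();
        try {
            // Only RS256 is accepted, so "none" and HMAC-signed tokens are rejected up front.
            // Audience validation is skipped: nothing in this class checks "aud".
            JwtConsumerBuilder builder = new JwtConsumerBuilder()
                    .setRequireExpirationTime()
                    .setRequireSubject()
                    .setSkipDefaultAudienceValidation()
                    .setJwsAlgorithmConstraints(
                            new AlgorithmConstraints(AlgorithmConstraints.ConstraintType.WHITELIST, "RS256"));

            if (this.authContextInfo.isRequireIssuer()) {
                builder.setExpectedIssuer(true, this.authContextInfo.getIssuedBy());
            } else {
                builder.setExpectedIssuer(false, (String) null);
            }

            // Key selection: a configured key wins, then a resolver built from the JWKS URI,
            // then a resolver over a pre-loaded JWK set.
            if (this.authContextInfo.getSignerKey() != null) {
                builder.setVerificationKey(this.authContextInfo.getSignerKey());
            } else if (this.authContextInfo.isFollowMpJwt11Rules()) {
                builder.setVerificationKeyResolver(new KeyLocationResolver(this.authContextInfo.getJwksUri()));
            } else {
                builder.setVerificationKeyResolver(
                        new JwksVerificationKeyResolver(this.authContextInfo.loadJsonWebKeys()));
            }

            // A positive grace period is applied as clock skew. With no grace period the
            // evaluation time is left unset so jose4j checks "exp" against the current time.
            // The previous code pinned the evaluation time to epoch 0 in that case, which made
            // every token with a positive "exp" look unexpired.
            int graceSecs = this.authContextInfo.getExpGracePeriodSecs();
            if (graceSecs > 0) {
                builder.setAllowedClockSkewInSeconds(graceSecs);
            }

            JwtConsumer consumer = builder.build();
            JwtContext context = consumer.process(token);
            // The "typ" header value is read and discarded; no token-type check is enforced.
            ((JsonWebStructure) context.getJoseObjects().get(0)).getHeader("typ");
            // NOTE(review): process() above normally already runs the configured validators, so
            // this second pass looks redundant - confirm against the jose4j version in use.
            consumer.processContext(context);

            JwtClaims jwtClaims = context.getJwtClaims();
            if (jwtClaims.hasClaim(ROLE_MAPPINGS)) {
                applyRoleMappings(jwtClaims);
            }
            jwtClaims.setClaim(Claims.raw_token.name(), token);
            return new ClaimAttributes(jwtClaims);
        } catch (InvalidJwtException e) {
            throw new RealmUnavailableException("Failed to verify token", e);
        }
    }

    /**
     * Extends the {@code groups} claim with the mapped value of every {@code roleMappings}
     * entry whose key is already a group. Best effort: a malformed claim is logged and the
     * groups are left as issued.
     */
    private static void applyRoleMappings(JwtClaims jwtClaims) {
        try {
            @SuppressWarnings("unchecked") // claim is a JSON object, so keys are strings
            Map<String, Object> mappings = jwtClaims.getClaimValue(ROLE_MAPPINGS, Map.class);
            List<String> issuedGroups = jwtClaims.getStringListClaimValue(Claims.groups.name());
            List<String> effectiveGroups = new ArrayList<>(issuedGroups);
            for (Map.Entry<String, Object> mapping : mappings.entrySet()) {
                if (issuedGroups.contains(mapping.getKey())) {
                    // A non-string mapping value fails the cast and aborts the whole update.
                    effectiveGroups.add((String) mapping.getValue());
                }
            }
            jwtClaims.setStringListClaim("groups", effectiveGroups);
            log.infof("Updated groups to: %s", effectiveGroups);
        } catch (Exception e) {
            log.warnf(e, "Failed to access rolesMapping claim");
        }
    }
}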
