package io.spiffe.svid.jwtsvid;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JOSEObjectType;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.crypto.ECDSAVerifier;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import io.spiffe.bundle.BundleSource;
import io.spiffe.bundle.jwtbundle.JwtBundle;
import io.spiffe.exception.AuthorityNotFoundException;
import io.spiffe.exception.BundleNotFoundException;
import io.spiffe.exception.InvalidSpiffeIdException;
import io.spiffe.exception.JwtSvidException;
import io.spiffe.internal.JwtSignatureAlgorithm;
import io.spiffe.spiffeid.SpiffeId;
import java.security.PublicKey;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.util.Collections;
import java.util.Date;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import lombok.Generated;
import lombok.NonNull;
import org.apache.commons.lang3.StringUtils;

/* loaded from: input_file:io/spiffe/svid/jwtsvid/JwtSvid.class */
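/**
 * A JWT-SVID: a SPIFFE ID carried as a signed JWT, together with the claims the
 * token was parsed from.
 *
 * <p>Instances are created only through the static factories.
 * {@link #parseAndValidate(String, BundleSource, Set, String)} checks the token's
 * {@code typ} and {@code alg} headers, audience, expiration and subject, then
 * verifies the signature against the JWT bundle of the subject's trust domain.
 * {@link #parseInsecure(String, Set, String)} runs the same structural checks but
 * performs <b>no</b> signature verification, so its result is not authenticated.
 *
 * <p>The class is immutable: {@code Date} accessors return defensive copies and
 * collection accessors return unmodifiable views. {@link #toString()} includes the
 * raw token (a bearer credential) and every claim; keep it out of logs.
 */
public final class JwtSvid {
    /** Accepted value of the JWS {@code typ} header. */
    public static final String HEADER_TYP_JWT = "JWT";
    /** Alternative accepted value of the JWS {@code typ} header. */
    public static final String HEADER_TYP_JOSE = "JOSE";

    private final SpiffeId spiffeId;
    private final Set<String> audience;
    private final Date expiry;
    private final Map<String, Object> claims;
    private final String token;
    private final Date issuedAt;
    private final String hint;

    /**
     * Builds a JWT-SVID from already-validated parts. The factories own all validation;
     * this constructor stores what it is given without copying.
     *
     * @param spiffeId SPIFFE ID parsed from the {@code sub} claim
     * @param audience audiences from the {@code aud} claim
     * @param issuedAt {@code iat} claim, may be {@code null}
     * @param expiry   {@code exp} claim, never {@code null} after validation
     * @param claims   the full claim set of the token
     * @param token    the serialized token string as received
     * @param hint     operator-supplied hint, may be {@code null}
     */
    private JwtSvid(SpiffeId spiffeId, Set<String> audience, Date issuedAt, Date expiry,
                    Map<String, Object> claims, String token, String hint) {
        this.spiffeId = spiffeId;
        this.audience = audience;
        this.expiry = expiry;
        this.claims = claims;
        this.token = token;
        this.issuedAt = issuedAt;
        this.hint = hint;
    }

    /**
     * Parses and validates a JWT-SVID with no hint; see
     * {@link #parseAndValidate(String, BundleSource, Set, String)} for the checks performed
     * and the exceptions thrown.
     *
     * @param token           serialized JWT
     * @param jwtBundleSource source of JWT bundles used to locate the signing authority
     * @param audience        audiences that must all appear in the token's {@code aud} claim
     * @return the validated JWT-SVID
     */
    public static JwtSvid parseAndValidate(@NonNull String token, @NonNull BundleSource<JwtBundle> jwtBundleSource,
                                           @NonNull Set<String> audience)
            throws JwtSvidException, BundleNotFoundException, AuthorityNotFoundException {
        // The four-argument overload performs the same null checks, in the same order.
        return parseAndValidate(token, jwtBundleSource, audience, null);
    }

    /**
     * Parses a JWT-SVID and verifies it end to end: structure, {@code typ} header,
     * {@code alg} header, audience, expiration, subject, and finally the signature using
     * the authority identified by the {@code kid} header in the bundle of the subject's
     * trust domain.
     *
     * @param token           serialized JWT
     * @param jwtBundleSource source of JWT bundles used to locate the signing authority
     * @param audience        audiences that must all appear in the token's {@code aud}
     *                        claim; an empty set imposes no audience restriction
     * @param hint            optional hint attached to the returned SVID, may be {@code null}
     * @return the validated JWT-SVID
     * @throws JwtSvidException           if the {@code typ}, {@code alg} or {@code kid} header,
     *                                    the audience, the expiration, the subject, or the
     *                                    signature is invalid or missing
     * @throws BundleNotFoundException    if the source has no bundle for the subject's trust domain
     * @throws AuthorityNotFoundException if the bundle has no authority for the token's {@code kid}
     * @throws IllegalArgumentException   if the token is blank or cannot be parsed as a signed JWT
     * @throws NullPointerException       if any {@code @NonNull} argument is {@code null}
     */
    public static JwtSvid parseAndValidate(@NonNull String token, @NonNull BundleSource<JwtBundle> jwtBundleSource,
                                           @NonNull Set<String> audience, String hint)
            throws JwtSvidException, BundleNotFoundException, AuthorityNotFoundException {
        Objects.requireNonNull(token, "token is marked non-null but is null");
        Objects.requireNonNull(jwtBundleSource, "jwtBundleSource is marked non-null but is null");
        Objects.requireNonNull(audience, "audience is marked non-null but is null");
        if (StringUtils.isBlank(token)) {
            throw new IllegalArgumentException("Token cannot be blank");
        }
        SignedJWT signedJwt = getSignedJWT(token);
        JWSHeader header = signedJwt.getHeader();
        validateTypeHeader(header);
        JwtSignatureAlgorithm algorithm = parseAlgorithm(header.getAlgorithm());
        JWTClaimsSet claimsSet = getJwtClaimsSet(signedJwt);
        validateAudience(claimsSet.getAudience(), audience);
        Date issuedAt = claimsSet.getIssueTime();
        Date expiry = claimsSet.getExpirationTime();
        validateExpiration(expiry);
        SpiffeId subject = getSpiffeIdOfSubject(claimsSet);
        // The signing key is looked up in the bundle of the trust domain the subject claims,
        // so only that domain's authorities can vouch for the token.
        JwtBundle bundle = jwtBundleSource.getBundleForTrustDomain(subject.getTrustDomain());
        String keyId = getKeyId(header);
        verifySignature(signedJwt, bundle.findJwtAuthority(keyId), algorithm, keyId);
        return new JwtSvid(subject, new HashSet<>(claimsSet.getAudience()), issuedAt, expiry,
                claimsSet.getClaims(), token, hint);
    }

    /**
     * Parses a JWT-SVID without verifying its signature and with no hint; see
     * {@link #parseInsecure(String, Set, String)}.
     *
     * @param token    serialized JWT
     * @param audience audiences that must all appear in the token's {@code aud} claim
     * @return the parsed, unauthenticated JWT-SVID
     */
    public static JwtSvid parseInsecure(@NonNull String token, @NonNull Set<String> audience) throws JwtSvidException {
        // The three-argument overload performs the same null checks, in the same order.
        return parseInsecure(token, audience, null);
    }

    /**
     * Parses a JWT-SVID and checks its {@code typ} and {@code alg} headers, audience,
     * expiration and subject, but does <b>not</b> verify the signature. The returned
     * SVID is therefore unauthenticated and must not be used to make authorization
     * decisions on its own.
     *
     * @param token    serialized JWT
     * @param audience audiences that must all appear in the token's {@code aud} claim;
     *                 an empty set imposes no audience restriction
     * @param hint     optional hint attached to the returned SVID, may be {@code null}
     * @return the parsed JWT-SVID
     * @throws JwtSvidException         if the {@code typ} or {@code alg} header, the audience,
     *                                  the expiration or the subject is invalid or missing
     * @throws IllegalArgumentException if the token is blank or cannot be parsed as a signed JWT
     * @throws NullPointerException     if any {@code @NonNull} argument is {@code null}
     */
    public static JwtSvid parseInsecure(@NonNull String token, @NonNull Set<String> audience, String hint)
            throws JwtSvidException {
        Objects.requireNonNull(token, "token is marked non-null but is null");
        Objects.requireNonNull(audience, "audience is marked non-null but is null");
        if (StringUtils.isBlank(token)) {
            throw new IllegalArgumentException("Token cannot be blank");
        }
        SignedJWT signedJwt = getSignedJWT(token);
        JWSHeader header = signedJwt.getHeader();
        validateTypeHeader(header);
        // Result is discarded: only rejecting an unsupported or missing 'alg' matters here.
        parseAlgorithm(header.getAlgorithm());
        JWTClaimsSet claimsSet = getJwtClaimsSet(signedJwt);
        validateAudience(claimsSet.getAudience(), audience);
        Date issuedAt = claimsSet.getIssueTime();
        Date expiry = claimsSet.getExpirationTime();
        validateExpiration(expiry);
        SpiffeId subject = getSpiffeIdOfSubject(claimsSet);
        return new JwtSvid(subject, new HashSet<>(claimsSet.getAudience()), issuedAt, expiry,
                claimsSet.getClaims(), token, hint);
    }

    /**
     * Returns the token exactly as it was passed to the factory (serialized form).
     *
     * @return the serialized token
     */
    public String marshal() {
        return this.token;
    }

    /**
     * Returns a copy of the {@code exp} claim; mutating it does not affect this SVID.
     *
     * @return the expiration time
     */
    public Date getExpiry() {
        return new Date(this.expiry.getTime());
    }

    /**
     * Returns the hint supplied when the SVID was created.
     *
     * @return the hint, or {@code null} if none was given
     */
    public String getHint() {
        return this.hint;
    }

    /**
     * Returns an unmodifiable view of all claims in the token.
     *
     * @return the claims
     */
    public Map<String, Object> getClaims() {
        return Collections.unmodifiableMap(this.claims);
    }

    /**
     * Returns an unmodifiable view of the token's {@code aud} claim.
     *
     * @return the audiences
     */
    public Set<String> getAudience() {
        return Collections.unmodifiableSet(this.audience);
    }

    /**
     * Returns the SPIFFE ID parsed from the token's {@code sub} claim.
     *
     * @return the SPIFFE ID
     */
    public SpiffeId getSpiffeId() {
        return this.spiffeId;
    }

    /**
     * Returns the token exactly as it was passed to the factory; same as {@link #marshal()}.
     *
     * @return the serialized token
     */
    public String getToken() {
        return this.token;
    }

    /**
     * Returns a copy of the {@code iat} claim; mutating it does not affect this SVID.
     * Copied defensively for the same reason as {@link #getExpiry()}.
     *
     * @return the issue time, or {@code null} if the token carried no {@code iat} claim
     */
    public Date getIssuedAt() {
        return this.issuedAt == null ? null : new Date(this.issuedAt.getTime());
    }

    /** Extracts the claim set, mapping a malformed payload to {@link IllegalArgumentException}. */
    private static JWTClaimsSet getJwtClaimsSet(SignedJWT signedJwt) {
        try {
            return signedJwt.getJWTClaimsSet();
        } catch (ParseException e) {
            throw new IllegalArgumentException("Unable to parse JWT token", e);
        }
    }

    /** Parses the compact serialization, mapping a malformed token to {@link IllegalArgumentException}. */
    private static SignedJWT getSignedJWT(String token) {
        try {
            return SignedJWT.parse(token);
        } catch (ParseException e) {
            throw new IllegalArgumentException("Unable to parse JWT token", e);
        }
    }

    /**
     * Verifies the token signature with the given authority key.
     *
     * <p>{@link #getJwsVerifier} casts the key to the type implied by the token's {@code alg};
     * when the authority's key type does not match (e.g. an RSA key for an EC algorithm) the
     * resulting {@link ClassCastException} is caught here and reported as a verification error,
     * so an attacker cannot pick the verification algorithm independently of the key.
     *
     * @throws JwtSvidException if the signature does not verify or cannot be checked
     */
    private static void verifySignature(SignedJWT signedJwt, PublicKey publicKey,
                                        JwtSignatureAlgorithm algorithm, String keyId) throws JwtSvidException {
        try {
            if (!signedJwt.verify(getJwsVerifier(publicKey, algorithm))) {
                throw new JwtSvidException(String.format(
                        "Signature invalid: cannot be verified with the authority with keyId=%s", keyId));
            }
        } catch (ClassCastException | JOSEException e) {
            throw new JwtSvidException(String.format(
                    "Error verifying signature with the authority with keyId=%s", keyId), e);
        }
    }

    /**
     * Chooses the verifier implementation for the token's algorithm family.
     *
     * @throws JwtSvidException   if the algorithm is in neither the EC nor the RSA family
     * @throws ClassCastException if the key's type does not match the algorithm family
     */
    private static JWSVerifier getJwsVerifier(PublicKey publicKey, JwtSignatureAlgorithm algorithm)
            throws JOSEException, JwtSvidException {
        if (JwtSignatureAlgorithm.Family.EC.contains(algorithm)) {
            return new ECDSAVerifier((ECPublicKey) publicKey);
        }
        if (JwtSignatureAlgorithm.Family.RSA.contains(algorithm)) {
            return new RSASSAVerifier((RSAPublicKey) publicKey);
        }
        throw new JwtSvidException(String.format("Unsupported token signature algorithm %s", algorithm));
    }

    /**
     * Returns the {@code kid} header, which is mandatory and must not be blank.
     *
     * @throws JwtSvidException if the header is absent or blank
     */
    private static String getKeyId(JWSHeader header) throws JwtSvidException {
        String keyId = header.getKeyID();
        if (keyId == null) {
            throw new JwtSvidException("Token header missing key id");
        }
        if (StringUtils.isBlank(keyId)) {
            throw new JwtSvidException("Token header key id contains an empty value");
        }
        return keyId;
    }

    /**
     * Rejects tokens without an {@code exp} claim or whose {@code exp} is strictly in the past.
     * Only {@code exp} is evaluated: there is no clock-skew leeway, and {@code nbf} and
     * {@code iat} are not checked anywhere in this class.
     *
     * @throws JwtSvidException if the claim is missing or already passed
     */
    private static void validateExpiration(Date expiry) throws JwtSvidException {
        if (expiry == null) {
            throw new JwtSvidException("Token missing expiration claim");
        }
        if (expiry.before(new Date())) {
            throw new JwtSvidException("Token has expired");
        }
    }

    /**
     * Parses the {@code sub} claim as a SPIFFE ID.
     *
     * @throws JwtSvidException if the claim is blank or is not a valid SPIFFE ID
     */
    private static SpiffeId getSpiffeIdOfSubject(JWTClaimsSet claimsSet) throws JwtSvidException {
        String subject = claimsSet.getSubject();
        if (StringUtils.isBlank(subject)) {
            throw new JwtSvidException("Token missing subject claim");
        }
        try {
            return SpiffeId.parse(subject);
        } catch (InvalidSpiffeIdException e) {
            throw new JwtSvidException(String.format("Subject %s cannot be parsed as a SPIFFE ID", subject), e);
        }
    }

    /**
     * Requires every expected audience to be present in the token's {@code aud} claim.
     * Extra audiences in the token are tolerated, and an empty expected set is trivially
     * satisfied, so callers wanting an audience check must pass at least one value.
     *
     * @throws JwtSvidException if any expected audience is missing from the token
     */
    private static void validateAudience(List<String> tokenAudience, Set<String> expectedAudience)
            throws JwtSvidException {
        if (!tokenAudience.containsAll(expectedAudience)) {
            throw new JwtSvidException(String.format("expected audience in %s (audience=%s)",
                    expectedAudience, tokenAudience));
        }
    }

    /**
     * Maps the JWS {@code alg} header to the set of algorithms this library accepts.
     *
     * @throws JwtSvidException if the header is absent or names an unsupported algorithm
     */
    private static JwtSignatureAlgorithm parseAlgorithm(JWSAlgorithm jwsAlgorithm) throws JwtSvidException {
        if (jwsAlgorithm == null) {
            throw new JwtSvidException("JWT header 'alg' is required");
        }
        try {
            return JwtSignatureAlgorithm.parse(jwsAlgorithm.getName());
        } catch (IllegalArgumentException e) {
            throw new JwtSvidException(e.getMessage(), e);
        }
    }

    /**
     * Accepts an absent or blank {@code typ} header; if present it must be exactly
     * {@value #HEADER_TYP_JWT} or {@value #HEADER_TYP_JOSE} (case-sensitive).
     *
     * @throws JwtSvidException if a non-blank {@code typ} has any other value
     */
    private static void validateTypeHeader(JWSHeader header) throws JwtSvidException {
        JOSEObjectType type = header.getType();
        if (type == null || StringUtils.isBlank(type.toString())) {
            return;
        }
        String typeName = type.toString();
        if (!HEADER_TYP_JWT.equals(typeName) && !HEADER_TYP_JOSE.equals(typeName)) {
            throw new JwtSvidException(String.format(
                    "If JWT header 'typ' is present, it must be either 'JWT' or 'JOSE'. Got: '%s'.", typeName));
        }
    }

    /** Two SVIDs are equal when every accessor-visible property, including the raw token, is equal. */
    @Override
    public boolean equals(Object obj) {
        if (obj == this) {
            return true;
        }
        if (!(obj instanceof JwtSvid)) {
            return false;
        }
        JwtSvid other = (JwtSvid) obj;
        return Objects.equals(getSpiffeId(), other.getSpiffeId())
                && Objects.equals(getAudience(), other.getAudience())
                && Objects.equals(getExpiry(), other.getExpiry())
                && Objects.equals(getClaims(), other.getClaims())
                && Objects.equals(getToken(), other.getToken())
                && Objects.equals(getIssuedAt(), other.getIssuedAt())
                && Objects.equals(getHint(), other.getHint());
    }

    /** Hash over the same properties as {@link #equals(Object)}, in the same order. */
    @Override
    public int hashCode() {
        int result = mix(1, getSpiffeId());
        result = mix(result, getAudience());
        result = mix(result, getExpiry());
        result = mix(result, getClaims());
        result = mix(result, getToken());
        result = mix(result, getIssuedAt());
        return mix(result, getHint());
    }

    /** One step of the hash: {@code acc * 59 + (value == null ? 43 : value.hashCode())}. */
    private static int mix(int acc, Object value) {
        return acc * 59 + (value == null ? 43 : value.hashCode());
    }

    /**
     * Renders every property, including the raw token (a bearer credential) and all
     * claims. The output is a secret; do not write it to logs or error messages.
     */
    @Override
    public String toString() {
        return "JwtSvid(spiffeId=" + getSpiffeId() + ", audience=" + getAudience() + ", expiry=" + getExpiry()
                + ", claims=" + getClaims() + ", token=" + getToken() + ", issuedAt=" + getIssuedAt()
                + ", hint=" + getHint() + ")";
    }
}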
