package io.vertx.ext.auth.jwt.impl;

import io.vertx.core.AsyncResult;
import io.vertx.core.Future;
import io.vertx.core.Handler;
import io.vertx.core.Vertx;
import io.vertx.core.file.FileSystemException;
import io.vertx.core.json.Json;
import io.vertx.core.json.JsonArray;
import io.vertx.core.json.JsonObject;
import io.vertx.ext.auth.KeyStoreOptions;
import io.vertx.ext.auth.PubSecKeyOptions;
import io.vertx.ext.auth.SecretOptions;
import io.vertx.ext.auth.User;
import io.vertx.ext.auth.jwt.JWTAuth;
import io.vertx.ext.auth.jwt.JWTAuthOptions;
import io.vertx.ext.auth.jwt.JWTOptions;
import io.vertx.ext.jwt.JWT;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.util.Collections;
import java.util.List;

/* loaded from: input_file:io/vertx/ext/auth/jwt/impl/JWTAuthProviderImpl.class */
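/**
 * {@link JWTAuth} implementation that validates incoming JWTs and signs new ones.
 *
 * <p>Key material comes either from a Java keystore or, when no keystore is
 * configured, from the public/secret key pairs and shared secrets listed in the
 * options. Claim checks ({@code exp}, {@code iat}, {@code nbf}, {@code aud},
 * {@code iss}) are done in {@link #authenticate}.
 *
 * <p>NOTE(review): presumably signature verification happens inside
 * {@code JWT.decode}, which is not visible in this file; confirm that, and
 * confirm which algorithms a {@code JWT} created with no keys and no secrets
 * will accept, before relying on a configuration that supplies neither.
 */
public class JWTAuthProviderImpl implements JWTAuth {
    // Shared fallback for a missing "aud" claim; it is only read, never modified.
    private static final JsonArray EMPTY_ARRAY = new JsonArray();
    private final JWT jwt;
    private final String permissionsClaimKey;
    // Expected "iss" value; null disables the issuer check.
    private final String issuer;
    // Accepted "aud" values; null disables the audience check.
    private final List<String> audience;
    // When true the "exp" check is skipped, so expired tokens are accepted.
    private final boolean ignoreExpiration;

    /**
     * Builds the provider and loads its key material.
     *
     * @param vertx used to read the keystore file through the blocking file system API
     * @param jWTAuthOptions claim expectations and key configuration
     * @throws RuntimeException wrapping any keystore, I/O, algorithm or certificate
     *     failure raised while the keystore is read and loaded
     */
    public JWTAuthProviderImpl(Vertx vertx, JWTAuthOptions jWTAuthOptions) {
        this.permissionsClaimKey = jWTAuthOptions.getPermissionsClaimKey();
        this.issuer = jWTAuthOptions.getIssuer();
        this.audience = jWTAuthOptions.getAudience();
        this.ignoreExpiration = jWTAuthOptions.isIgnoreExpiration();
        KeyStoreOptions keyStore = jWTAuthOptions.getKeyStore();
        try {
            if (keyStore != null) {
                KeyStore loadedKeyStore = KeyStore.getInstance(keyStore.getType());
                // Keystore loading is serialized across all provider instances.
                synchronized (JWTAuthProviderImpl.class) {
                    // try-with-resources closes the stream on success and on failure;
                    // a failure while closing is attached as a suppressed exception.
                    try (ByteArrayInputStream in = new ByteArrayInputStream(
                            vertx.fileSystem().readFileBlocking(keyStore.getPath()).getBytes())) {
                        loadedKeyStore.load(in, keyStore.getPassword().toCharArray());
                    }
                }
                this.jwt = new JWT(loadedKeyStore, keyStore.getPassword().toCharArray());
            } else {
                this.jwt = new JWT();
                List<PubSecKeyOptions> pubSecKeys = jWTAuthOptions.getPubSecKeys();
                if (pubSecKeys != null) {
                    for (PubSecKeyOptions pubSecKeyOptions : pubSecKeys) {
                        this.jwt.addKeyPair(pubSecKeyOptions.getType(), pubSecKeyOptions.getPublicKey(), pubSecKeyOptions.getSecretKey());
                    }
                }
                List<SecretOptions> secrets = jWTAuthOptions.getSecrets();
                if (secrets != null) {
                    for (SecretOptions secretOptions : secrets) {
                        this.jwt.addSecret(secretOptions.getType(), secretOptions.getSecret());
                    }
                }
                // NOTE(review): if both lists are null or empty, no key material is
                // registered here; what the JWT instance then accepts is decided
                // inside JWT and should be verified.
            }
        } catch (IOException | KeyStoreException | FileSystemException | NoSuchAlgorithmException | CertificateException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Decodes the token stored under the {@code "jwt"} key and checks its claims.
     *
     * <p>The checks run in this order and the first failure ends the call:
     * {@code exp} (skipped when expiration is ignored), {@code iat}, {@code nbf},
     * {@code aud} (only when an audience is configured) and {@code iss} (only when
     * an issuer is configured). Each time claim is checked only if the token
     * carries it, so a token without {@code exp} never expires here. Times are
     * compared in whole seconds with no clock-skew allowance.
     *
     * @param jsonObject authentication info holding the encoded token under {@code "jwt"}
     * @param handler receives a {@link JWTUser} on success, or a failed result carrying
     *     either a message or the {@link RuntimeException} raised while decoding or
     *     reading a claim
     */
    public void authenticate(JsonObject jsonObject, Handler<AsyncResult<User>> handler) {
        try {
            JsonObject decode = this.jwt.decode(jsonObject.getString("jwt"));
            long currentTimeMillis = System.currentTimeMillis() / 1000;
            if (decode.containsKey("exp") && !this.ignoreExpiration && currentTimeMillis >= decode.getLong("exp").longValue()) {
                handler.handle(Future.failedFuture("Expired JWT token: exp <= now"));
                return;
            }
            // ignoreExpiration does not affect the iat and nbf checks below.
            if (decode.containsKey("iat") && decode.getLong("iat").longValue() > currentTimeMillis) {
                handler.handle(Future.failedFuture("Invalid JWT token: iat > now"));
                return;
            }
            if (decode.containsKey("nbf") && decode.getLong("nbf").longValue() > currentTimeMillis) {
                handler.handle(Future.failedFuture("Invalid JWT token: nbf > now"));
                return;
            }
            if (this.audience != null) {
                // "aud" may be a single string or an array. A token with no "aud"
                // is compared as an empty list and is therefore rejected.
                JsonArray tokenAudience = decode.getValue("aud") instanceof String
                        ? new JsonArray().add(decode.getValue("aud", ""))
                        : decode.getJsonArray("aud", EMPTY_ARRAY);
                if (Collections.disjoint(this.audience, tokenAudience.getList())) {
                    // The message text (including its spelling) is kept as is, since
                    // callers may match on it. It contains the configured audience
                    // list; confirm it is not echoed verbatim to unauthenticated clients.
                    handler.handle(Future.failedFuture("Invalid JWT audient. expected: " + Json.encode(this.audience)));
                    return;
                }
            }
            if (this.issuer == null || this.issuer.equals(decode.getString("iss"))) {
                handler.handle(Future.succeededFuture(new JWTUser(decode, this.permissionsClaimKey)));
            } else {
                handler.handle(Future.failedFuture("Invalid JWT issuer"));
            }
        } catch (RuntimeException e) {
            // Decode failures and wrongly typed claims end up here, so a malformed
            // token produces a failed result instead of an uncaught exception.
            handler.handle(Future.failedFuture(e));
        }
    }

    /**
     * Signs a token built from a copy of the given claims.
     *
     * <p>If the options carry {@code "permissions"} and the claims do not already
     * define the configured permissions claim, the permissions are copied into the
     * claims under that key. The caller's claims object is not modified.
     *
     * @param jsonObject claims to place in the token
     * @param jWTOptions signing options, passed to the signer as JSON
     * @return the signed token as produced by {@code JWT.sign}
     */
    @Override // io.vertx.ext.auth.jwt.JWTAuth
    public String generateToken(JsonObject jsonObject, JWTOptions jWTOptions) {
        JsonObject json = jWTOptions.toJson();
        JsonObject copy = jsonObject.copy();
        if (json.containsKey("permissions") && !copy.containsKey(this.permissionsClaimKey)) {
            copy.put(this.permissionsClaimKey, json.getJsonArray("permissions"));
        }
        return this.jwt.sign(copy, json);
    }
}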
