package org.finos.tracdap.common.auth.internal;

import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.Claim;
import com.auth0.jwt.interfaces.DecodedJWT;
import java.security.KeyPair;
import java.security.PublicKey;
import java.security.interfaces.ECPrivateKey;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.time.DateTimeException;
import java.time.Instant;
import org.finos.tracdap.common.config.ConfigDefaults;
import org.finos.tracdap.common.exception.EStartup;
import org.finos.tracdap.common.exception.EUnexpected;
import org.finos.tracdap.config.AuthenticationConfig;
import org.finos.tracdap.config.PlatformInfo;

/* loaded from: input_file:org/finos/tracdap/common/auth/internal/JwtValidator.class */
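/**
 * Verifies platform session tokens (JWTs) and turns them into {@code SessionInfo}.
 *
 * <p>A validator is bound to one signing/verification {@link Algorithm} derived from the
 * platform's root authentication key (see {@link #chooseAlgorithm(KeyPair)}) and to one
 * expected issuer. Signature, issuer and the standard time-based claims are checked by the
 * java-jwt verifier; this class then extracts the claims the platform needs and reports any
 * problem as an invalid {@code SessionInfo} rather than by throwing.
 *
 * <p>Security notes:
 * <ul>
 *   <li>Unsigned tokens ({@code alg=none}) are only ever accepted when signing is explicitly
 *       disabled in configuration, and never in a production environment.</li>
 *   <li>The error message placed in {@code SessionInfo} includes the verifier's exception
 *       message. NOTE(review): confirm callers do not echo it verbatim to unauthenticated
 *       clients, since it can reveal why a forged token was rejected.</li>
 * </ul>
 */
public class JwtValidator {

    /** Optional claim holding a display name; the {@code sub} claim is used when it is absent. */
    protected static final String JWT_NAME_CLAIM = "name";

    /** Required custom claim (epoch seconds) surfaced as {@code SessionInfo.expiryLimit}. */
    protected static final String JWT_LIMIT_CLAIM = "limit";

    /** Algorithm used for verification (and, in subclasses that hold the private key, signing). */
    protected final Algorithm algorithm;

    /** Expected {@code iss} claim; tokens carrying any other issuer fail verification. */
    protected final String issuer;

    /** Configured token lifetime in seconds. Not read by this class; kept for subclasses. */
    protected final int expiry;

    private final JWTVerifier verifier;

    /**
     * Build a validator from platform configuration.
     *
     * @param authenticationConfig auth settings (issuer, expiry, whether signing is disabled)
     * @param platformInfo         environment metadata, used to refuse unsigned tokens in production
     * @param publicKey            root authentication public key; may be null only when signing is disabled
     * @return a validator for signed tokens, or a {@code JwtProcessor} using {@code alg=none} when
     *         signing is disabled
     * @throws EStartup if signing is disabled in production, if no public key is available, or if
     *                  the key type/size is not supported
     */
    public static JwtValidator configure(
            AuthenticationConfig authenticationConfig, PlatformInfo platformInfo, PublicKey publicKey) {

        if (authenticationConfig.getDisableSigning()) {

            // alg=none means any client can mint a token: never allowed in production
            if (platformInfo.getProduction()) {
                throw new EStartup(String.format(
                        "Token signing must be enabled in production environment [%s]",
                        platformInfo.getEnvironment()));
            }

            return new JwtProcessor(authenticationConfig, Algorithm.none());
        }

        if (publicKey == null) {
            throw new EStartup("Root authentication key is not available (do you need to run auth-tool)?");
        }

        return new JwtValidator(authenticationConfig, chooseAlgorithm(publicKey));
    }

    /**
     * Create a validator for a fixed algorithm.
     *
     * @param authenticationConfig supplies the expected issuer and the token expiry (with default)
     * @param algorithm            verification algorithm, already bound to the root key
     */
    public JwtValidator(AuthenticationConfig authenticationConfig, Algorithm algorithm) {

        this.algorithm = algorithm;
        this.issuer = authenticationConfig.getJwtIssuer();
        this.expiry = ConfigDefaults.readOrDefault(
                authenticationConfig.getJwtExpiry(), ConfigDefaults.DEFAULT_JWT_EXPIRY);

        // Issuer is pinned here; exp/nbf/iat are checked by the verifier when present
        // (java-jwt default, zero leeway). No audience check is configured.
        this.verifier = JWT.require(algorithm).withIssuer(this.issuer).build();
    }

    /**
     * Verify a token and extract the session it describes.
     *
     * <p>Never throws for a bad token: signature/issuer/expiry failures, missing or non-numeric
     * required claims, and out-of-range timestamps all produce a {@code SessionInfo} with
     * {@code valid == false} and an error message.
     *
     * @param token the compact-serialized JWT
     * @return a valid session populated from {@code sub}, {@code name}, {@code iat}, {@code exp}
     *         and {@code limit}, or an invalid session describing the failure
     */
    public SessionInfo decodeAndValidate(String token) {

        try {
            DecodedJWT jwt = verifier.verify(token);

            // java-jwt represents an absent claim as a non-null Claim whose asString()/asLong()
            // return null, so presence must be checked on the extracted value, not the Claim object
            String subject = stringClaim(jwt.getClaim("sub"));
            String displayName = stringClaim(jwt.getClaim(JWT_NAME_CLAIM));
            Long issuedAt = longClaim(jwt.getClaim("iat"));
            Long expiresAt = longClaim(jwt.getClaim("exp"));
            Long expiryLimit = longClaim(jwt.getClaim(JWT_LIMIT_CLAIM));

            if (subject == null || subject.isEmpty()
                    || issuedAt == null || expiresAt == null || expiryLimit == null) {
                return invalidSession("Authentication failed: Missing required details");
            }

            UserInfo userInfo = new UserInfo();
            userInfo.setUserId(subject);
            userInfo.setDisplayName(displayName != null ? displayName : subject);

            SessionInfo session = new SessionInfo();
            session.setUserInfo(userInfo);
            session.setIssueTime(Instant.ofEpochSecond(issuedAt));
            session.setExpiryTime(Instant.ofEpochSecond(expiresAt));
            session.setExpiryLimit(Instant.ofEpochSecond(expiryLimit));
            session.setValid(true);
            return session;
        }
        catch (JWTVerificationException | NumberFormatException | DateTimeException e) {
            // DateTimeException covers Instant.ofEpochSecond on an absurd (attacker-chosen) timestamp
            return invalidSession(String.format("Session is not valid: %s", e.getMessage()));
        }
    }

    /** String value of a claim, or null if the claim is absent or not a string. */
    private static String stringClaim(Claim claim) {
        return claim == null ? null : claim.asString();
    }

    /** Numeric value of a claim, or null if the claim is absent or not convertible to a long. */
    private static Long longClaim(Claim claim) {
        return claim == null ? null : claim.asLong();
    }

    /** Build the failure form of {@code SessionInfo} with the given message. */
    private static SessionInfo invalidSession(String errorMessage) {
        SessionInfo session = new SessionInfo();
        session.setValid(false);
        session.setErrorMessage(errorMessage);
        return session;
    }

    /**
     * Select a verification-only algorithm for a public key.
     *
     * @throws EUnexpected if the key is null (callers are expected to have checked this)
     */
    private static Algorithm chooseAlgorithm(PublicKey publicKey) {

        if (publicKey == null) {
            throw new EUnexpected();
        }

        // No private half: the resulting algorithm can verify but cannot sign
        return chooseAlgorithm(new KeyPair(publicKey, null));
    }

    /**
     * Select the JWS algorithm matching the root key's type and strength.
     *
     * <p>Strength is measured on the key itself - RSA modulus bits, or EC field size bits - not on
     * the length of the X.509 encoding. (Measuring the encoding made every EC key look like 700+
     * bits, so a P-256 key was paired with ES512, which RFC 7518 reserves for P-521 and which other
     * JWT implementations reject.) The mapping is:
     * <ul>
     *   <li>EC: field &ge; 512 bits &rarr; ES512, &ge; 384 &rarr; ES384, &ge; 256 &rarr; ES256</li>
     *   <li>RSA: modulus &ge; 3072 bits &rarr; RS512, &ge; 2048 &rarr; RS384, &ge; 1024 &rarr; RS256</li>
     * </ul>
     *
     * @param keyPair root key pair; the private key may be null for a verification-only algorithm
     * @return the algorithm bound to the given keys
     * @throws EUnexpected if the key pair or its public key is null
     * @throws EStartup    if the key type is unsupported or the key is too small
     */
    public static Algorithm chooseAlgorithm(KeyPair keyPair) {

        if (keyPair == null || keyPair.getPublic() == null) {
            throw new EUnexpected();
        }

        PublicKey publicKey = keyPair.getPublic();
        String keyType = publicKey.getAlgorithm();
        int keyBits = keyStrengthBits(publicKey);

        if (publicKey instanceof ECPublicKey) {

            ECPublicKey ecPublic = (ECPublicKey) publicKey;
            ECPrivateKey ecPrivate = (ECPrivateKey) keyPair.getPrivate();

            if (keyBits >= 512) {
                return Algorithm.ECDSA512(ecPublic, ecPrivate);
            }
            if (keyBits >= 384) {
                return Algorithm.ECDSA384(ecPublic, ecPrivate);
            }
            if (keyBits >= 256) {
                return Algorithm.ECDSA256(ecPublic, ecPrivate);
            }
        }
        else if (publicKey instanceof RSAPublicKey) {

            RSAPublicKey rsaPublic = (RSAPublicKey) publicKey;
            RSAPrivateKey rsaPrivate = (RSAPrivateKey) keyPair.getPrivate();

            if (keyBits >= 3072) {
                return Algorithm.RSA512(rsaPublic, rsaPrivate);
            }
            if (keyBits >= 2048) {
                return Algorithm.RSA384(rsaPublic, rsaPrivate);
            }
            // NOTE(review): 1024-bit RSA is below current guidance (>= 2048); kept for
            // compatibility with existing dev keys, consider raising this floor
            if (keyBits >= 1024) {
                return Algorithm.RSA256(rsaPublic, rsaPrivate);
            }
        }

        throw new EStartup(String.format(
                "Root authentication keys are not available, no JWT signing / validation algorithm for [algorithm: %s, key size: %s]",
                keyType, keyBits));
    }

    /**
     * Effective strength of a public key in bits: RSA modulus size or EC field size.
     * For unsupported key types falls back to the encoded length, which is only used in error text.
     */
    private static int keyStrengthBits(PublicKey publicKey) {

        if (publicKey instanceof RSAPublicKey) {
            return ((RSAPublicKey) publicKey).getModulus().bitLength();
        }

        if (publicKey instanceof ECPublicKey) {
            return ((ECPublicKey) publicKey).getParams().getCurve().getField().getFieldSize();
        }

        byte[] encoded = publicKey.getEncoded();
        return encoded == null ? 0 : encoded.length * 8;
    }
}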
