package leap.oauth2.webapp.token.jwt;

import java.util.Map;
import java.util.Objects;
import leap.core.AppConfigException;
import leap.core.annotation.Inject;
import leap.core.security.token.TokenVerifyException;
import leap.core.security.token.jwt.JwtVerifier;
import leap.core.security.token.jwt.RsaVerifier;
import leap.lang.Strings;
import leap.lang.http.client.HttpClient;
import leap.lang.http.client.HttpResponse;
import leap.lang.logging.Log;
import leap.lang.logging.LogFactory;
import leap.lang.security.RSA;
import leap.oauth2.webapp.OAuth2Config;
import leap.oauth2.webapp.OAuth2InternalServerException;
import leap.oauth2.webapp.OAuth2Params;
import leap.oauth2.webapp.token.SimpleTokenInfo;
import leap.oauth2.webapp.token.Token;
import leap.oauth2.webapp.token.TokenInfo;
import leap.oauth2.webapp.token.TokenVerifier;
import leap.web.security.SecurityConfig;

/* loaded from: input_file:leap/oauth2/webapp/token/jwt/JwtTokenVerifier.class */
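/**
 * {@link TokenVerifier} that validates JWT access tokens with an RSA public key downloaded from
 * the URL returned by {@link OAuth2Config#getPublicKeyUrl()}.
 *
 * <p>The key is fetched lazily on the first call to {@link #verifyToken(Token)} and fetched again
 * whenever a verification attempt throws {@link TokenVerifyException}.
 *
 * <p>NOTE(review): the key is trusted exactly as returned by the HTTP GET. Nothing in this class
 * checks the URL scheme or pins the key, so signature verification is only as trustworthy as the
 * channel to that URL; confirm the configured URL is HTTPS and points at the intended
 * authorization server.
 *
 * <p>NOTE(review): every token that fails verification (including ones presented by
 * unauthenticated callers) causes one outbound key fetch. Consider a minimum interval between
 * refreshes or a short-lived negative cache so that a stream of bad tokens cannot be turned into
 * load on the key endpoint.
 */
public class JwtTokenVerifier implements TokenVerifier {
    private static final Log log = LogFactory.get(JwtTokenVerifier.class);

    @Inject
    protected SecurityConfig sc;

    @Inject
    protected OAuth2Config config;

    @Inject
    protected HttpClient httpClient;

    // Written by refreshJwtVerifier(); volatile so the replaced verifier is visible to other threads.
    private volatile JwtVerifier verifier;

    /**
     * Verifies the given token, fetching the public key first if no verifier has been built yet.
     *
     * @param token the token wrapper whose {@code getToken()} value is the encoded JWT
     * @return the token details extracted from the verified claims
     * @throws TokenVerifyException if the token still fails verification after a key refresh
     * @throws AppConfigException if no public key URL is configured
     */
    @Override
    public TokenInfo verifyToken(Token token) throws TokenVerifyException {
        if (null == this.verifier) {
            if (Strings.isEmpty(this.config.getPublicKeyUrl())) {
                throw new AppConfigException("publicKeyUrl must be configured");
            }
            refreshJwtVerifier();
        }
        return verify(this.verifier, token.getToken());
    }

    /**
     * Downloads the public key from the configured URL and replaces the current verifier.
     *
     * @throws OAuth2InternalServerException if the key endpoint does not answer with an OK status
     */
    protected void refreshJwtVerifier() {
        String publicKeyUrl = this.config.getPublicKeyUrl();
        log.info("Fetching public key from server, url '{}' ...", new Object[]{publicKeyUrl});
        HttpResponse httpResponse = this.httpClient.request(publicKeyUrl).get();
        if (!httpResponse.isOk()) {
            throw new OAuth2InternalServerException("Error fetching public key from server, status " + httpResponse.getStatus());
        }
        // The response body is handed to the key decoder as-is; see the class-level review note
        // about the trust placed in this endpoint.
        this.verifier = new RsaVerifier(RSA.decodePublicKey(httpResponse.getString()));
    }

    /**
     * Verifies the encoded JWT and maps its claims onto a {@link TokenInfo}.
     *
     * <p>If the first attempt fails, the public key is fetched again and verification is retried
     * once with the refreshed verifier.
     *
     * @param jwtVerifier the verifier used for the first attempt
     * @param str the encoded JWT
     * @return token details built from the {@code user_id}, {@code scope}, client id and
     *     {@code expires_in} claims
     * @throws TokenVerifyException if the retry after the key refresh also fails
     * @throws IllegalStateException if {@code expires_in} is missing, not an integer, or too large
     *     to be multiplied by 1000 within an {@code int}
     */
    protected TokenInfo verify(JwtVerifier jwtVerifier, String str) throws TokenVerifyException {
        Map<?, ?> claims;
        try {
            claims = jwtVerifier.verify(str);
        } catch (TokenVerifyException e) {
            refreshJwtVerifier();
            // Retry with the verifier that the refresh just installed. Retrying with the
            // jwtVerifier argument would reuse the old key, so a rotated key would never be
            // picked up by this call. Fall back to the argument only if a subclass's refresh
            // left the field unset.
            JwtVerifier refreshed = this.verifier;
            claims = (refreshed != null ? refreshed : jwtVerifier).verify(str);
        }

        SimpleTokenInfo tokenInfo = new SimpleTokenInfo();
        String userId = (String) claims.remove("user_id");
        // The username claim is taken out of the claim map but not stored on the token info.
        claims.remove("username");
        tokenInfo.setUserId(userId);
        tokenInfo.setScope((String) claims.remove("scope"));
        tokenInfo.setClientId((String) claims.remove(OAuth2Params.CLIENT_ID));
        tokenInfo.setCreated(System.currentTimeMillis());

        Object expiresIn = claims.get("expires_in");
        if (expiresIn == null) {
            throw new IllegalStateException("'expires_in' not found in jwt token");
        }
        try {
            int seconds = expiresIn instanceof Integer
                    ? ((Integer) expiresIn).intValue()
                    : Integer.parseInt(expiresIn.toString());
            // multiplyExact: a plain int multiplication silently wraps for values above
            // Integer.MAX_VALUE / 1000 and would store a wrong (possibly negative) lifetime.
            tokenInfo.setExpiresIn(Math.multiplyExact(seconds, 1000));
            return tokenInfo;
        } catch (NumberFormatException e) {
            throw new IllegalStateException("Invalid expires_in : " + e.getMessage(), e);
        } catch (ArithmeticException e) {
            throw new IllegalStateException("Invalid expires_in : " + expiresIn + " is out of range", e);
        }
    }
}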
