package work.ready.core.security.cloud;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.TimeUnit;
import java.util.function.BiFunction;
import javax.cache.expiry.CreatedExpiryPolicy;
import javax.cache.expiry.Duration;
import org.apache.ignite.IgniteCache;
import org.apache.ignite.configuration.NearCacheConfiguration;
import org.jose4j.jwk.JsonWebKey;
import org.jose4j.jwk.JsonWebKeySet;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.MalformedClaimException;
import org.jose4j.jwt.NumericDate;
import org.jose4j.jwt.consumer.ErrorCodeValidator;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.jwt.consumer.JwtContext;
import org.jose4j.jwx.JsonWebStructure;
import org.jose4j.keys.resolvers.JwksVerificationKeyResolver;
import org.jose4j.keys.resolvers.VerificationKeyResolver;
import org.jose4j.keys.resolvers.X509VerificationKeyResolver;
import work.ready.cloud.ReadyCloud;
import work.ready.cloud.client.oauth.OauthHelper;
import work.ready.cloud.client.oauth.SignKeyRequest;
import work.ready.cloud.client.oauth.TokenKeyRequest;
import work.ready.cloud.cluster.Cloud;
import work.ready.core.exception.ExpiredTokenException;
import work.ready.core.log.Log;
import work.ready.core.log.LogFactory;
import work.ready.core.security.SecurityConfig;
import work.ready.core.server.Ready;
import work.ready.core.tools.HashUtil;
import work.ready.core.tools.HttpUtil;
import work.ready.core.tools.StrUtil;

/* loaded from: input_file:work/ready/core/security/cloud/JwtVerifier.class */
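/**
 * Verifies OAuth2 JWTs against either locally configured X.509 certificates or keys
 * fetched from the key service (raw certificate or JSON Web Key Set).
 *
 * <p>Verification runs in two passes. The first pass parses the token without checking
 * the signature, only to read the {@code kid} header and the {@code exp} claim. The
 * second pass verifies the signature with the key resolved for that {@code kid}.
 * Nothing read in the first pass is trusted beyond selecting a key and rejecting tokens
 * that are already expired.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>Audience validation is skipped and no expected issuer is configured on the
 *       second pass, so callers that depend on {@code aud} or {@code iss} must check
 *       the returned claims themselves.</li>
 *   <li>{@code kid} comes from the unverified header and is used as the key of the local
 *       key maps and as the argument of the key-service lookup. Entries in those maps
 *       are never evicted by this class.</li>
 *   <li>NOTE(review): {@code certMap} and {@code jwksMap} are plain {@link HashMap}s
 *       that are filled lazily; if the singleton is shared between request threads they
 *       need external synchronisation or a concurrent map. Confirm against the
 *       callers.</li>
 * </ul>
 */
public class JwtVerifier {
    private static final Log logger = LogFactory.getLog(JwtVerifier.class);
    private static final int CACHE_EXPIRED_IN_MINUTES = 15;
    /**
     * Clock skew (ten years, in seconds) handed to jose4j on the signature pass. Expiry
     * is enforced by this class beforehand, or deliberately skipped by the caller, so
     * jose4j's own expiry check is neutralised here. The same skew is presumably
     * applied by jose4j to the not-before check as well.
     */
    private static final int SIGNATURE_PASS_CLOCK_SKEW_SECONDS = 315360000;
    public static final String JWT_KEY_RESOLVER = "keyResolver";
    public static final String JWT_KEY_RESOLVER_X509CERT = "X509Certificate";
    public static final String JWT_KEY_RESOLVER_JWKS = "JsonWebKeySet";
    private final SecurityConfig config;
    // Distributed cache of verified claims keyed by the raw token; null when caching is
    // disabled or the cloud was not ready at construction time.
    private IgniteCache<String, JwtClaims> cache;
    // kid -> certificate; null until the X.509 resolver loads or fetches the first one.
    private Map<String, X509Certificate> certMap;
    // kid -> JSON web keys; null until the JWKS resolver is selected or first used.
    private Map<String, List<JsonWebKey>> jwksMap;
    // Fingerprints of the locally configured certificates; null unless they were loaded.
    private List<String> fingerPrints;

    /** Initialization-on-demand holder for the application-wide instance. */
    private static class LazyHolder {
        static final JwtVerifier instance = new JwtVerifier(Ready.getMainApplicationConfig().getSecurity());

        private LazyHolder() {
        }
    }

    /**
     * Returns the shared verifier built from the main application's security config.
     *
     * @return the lazily created singleton
     */
    public static JwtVerifier getInstance() {
        return LazyHolder.instance;
    }

    /**
     * Creates a verifier for the given security configuration.
     *
     * <p>A missing or unrecognised key resolver name no longer fails with a
     * {@link NullPointerException}; it is logged and the X.509 resolver is used when a
     * token is verified.
     *
     * @param securityConfig security section of the bootstrap configuration
     */
    public JwtVerifier(SecurityConfig securityConfig) {
        this.config = securityConfig;
        if (securityConfig.isEnableJwtCache() && ReadyCloud.isReady()) {
            this.cache = Cloud.getOrCreateCache(ReadyCloud.getInstance().newCacheConfig("ready.work:oauth2:jwt"), new NearCacheConfiguration());
        }
        String keyResolver = securityConfig.getKeyResolver();
        if (JWT_KEY_RESOLVER_JWKS.equals(keyResolver)) {
            this.jwksMap = new HashMap<>();
        } else if (JWT_KEY_RESOLVER_X509CERT.equals(keyResolver)) {
            // When bootstrapping from the key service the certificates are fetched on
            // first use instead of being read from local files.
            if (!securityConfig.isBootstrapFromKeyService()) {
                loadConfiguredCertificates(securityConfig);
            }
        } else {
            logger.info("%s not found or not recognized in SecurityConfig section of bootstrap config. Use %s as default %s", new Object[]{JWT_KEY_RESOLVER, JWT_KEY_RESOLVER_X509CERT, JWT_KEY_RESOLVER});
        }
    }

    /**
     * Loads every certificate listed in the configuration into {@code certMap} and
     * records its fingerprint. A certificate that cannot be read is logged and skipped,
     * so neither the map nor the fingerprint list ever holds a null entry.
     */
    private void loadConfiguredCertificates(SecurityConfig securityConfig) {
        this.certMap = new HashMap<>();
        this.fingerPrints = new ArrayList<>();
        Map<?, ?> configured = (Map<?, ?>) securityConfig.getCertificate();
        if (configured == null) {
            return;
        }
        for (Map.Entry<?, ?> entry : configured.entrySet()) {
            String kid = (String) entry.getKey();
            X509Certificate certificate = null;
            try {
                certificate = readCertificate((String) entry.getValue());
            } catch (Exception e) {
                logger.error(e, "Exception: ", new Object[0]);
            }
            if (certificate == null) {
                logger.warn("Certificate %s configured for kid %s could not be loaded and is skipped", new Object[]{entry.getValue(), kid});
                continue;
            }
            this.certMap.put(kid, certificate);
            this.fingerPrints.add(HashUtil.getCertFingerPrint(certificate));
        }
    }

    /**
     * Reads an X.509 certificate from a file resolved through the application config.
     *
     * @param filename name of the certificate file
     * @return the parsed certificate, or {@code null} when the file is missing or cannot
     *         be parsed (the failure is logged)
     */
    public X509Certificate readCertificate(String filename) {
        X509Certificate certificate = null;
        // try-with-resources tolerates a null stream and closes a non-null one on every path.
        try (InputStream in = Ready.config().getInputStreamFromFile(filename)) {
            if (in != null) {
                certificate = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
            } else {
                // The file name is passed as an argument so a '%' in it cannot break formatting.
                logger.info("Certificate %s not found.", new Object[]{filename});
            }
        } catch (Exception e) {
            logger.error(e, "Exception: ", new Object[0]);
        }
        return certificate;
    }

    /**
     * Extracts the token from an {@code Authorization} header value.
     *
     * @param authorization header value, may be {@code null}
     * @return the token, or {@code null} unless the value is longer than ten characters,
     *         starts with {@code "bearer "} in any letter case and splits on spaces into
     *         exactly two parts
     */
    public static String getJwtFromAuthorization(String authorization) {
        if (authorization == null || authorization.length() <= 10) {
            return null;
        }
        if (!authorization.regionMatches(true, 0, "bearer ", 0, 7)) {
            return null;
        }
        String[] parts = StrUtil.split(authorization, ' ');
        return parts.length == 2 ? parts[1] : null;
    }

    /**
     * Verifies a token with the key resolver selected by the security configuration.
     *
     * @param jwt          compact serialisation of the token
     * @param ignoreExpiry when {@code true} the expiry check is skipped
     * @param isToken      {@code true} to look the key up as a token key, {@code false}
     *                     to look it up as a signing key (X.509 resolver only)
     * @return the claims of the verified token
     * @throws InvalidJwtException   if the token is malformed or its signature is invalid
     * @throws ExpiredTokenException if the token is expired and expiry is not ignored
     */
    public JwtClaims verifyJwt(String jwt, boolean ignoreExpiry, boolean isToken) throws InvalidJwtException, ExpiredTokenException {
        return verifyJwt(jwt, ignoreExpiry, isToken, this::getKeyResolver);
    }

    /**
     * Verifies a token with a caller-supplied key resolver factory.
     *
     * <p>Claims of a previously verified token are served from the cache when it is
     * enabled. A cache hit is returned whatever {@code isToken} value or resolver
     * factory the current call passes, so the cache must only be shared between callers
     * that trust the same keys.
     *
     * @param jwt                compact serialisation of the token
     * @param ignoreExpiry       when {@code true} the expiry check is skipped
     * @param isToken            forwarded to {@code keyResolverFactory}
     * @param keyResolverFactory maps the token's {@code kid} and {@code isToken} to the
     *                           resolver used for signature verification
     * @return the claims of the verified token
     * @throws InvalidJwtException   if the token is malformed, has no usable {@code exp}
     *                               claim, or its signature is invalid
     * @throws ExpiredTokenException if the token is expired and expiry is not ignored
     */
    public JwtClaims verifyJwt(String jwt, boolean ignoreExpiry, boolean isToken, BiFunction<String, Boolean, VerificationKeyResolver> keyResolverFactory) throws InvalidJwtException, ExpiredTokenException {
        boolean cacheUsable = this.config.isEnableJwtCache() && this.cache != null;
        if (cacheUsable) {
            JwtClaims cached = this.cache.get(jwt);
            if (cached != null) {
                if (ignoreExpiry) {
                    return cached;
                }
                try {
                    if (isExpired(cached)) {
                        logger.info("Cached jwt token is expired!", new Object[0]);
                        throw new ExpiredTokenException("Token is expired");
                    }
                    return cached;
                } catch (MalformedClaimException e) {
                    // Fail closed: an entry whose expiry cannot be read is not returned;
                    // the token goes through full verification below instead.
                    logger.error(e, "MalformedClaimException: ", new Object[0]);
                }
            }
        }

        // First pass: no signature check. Only the kid header and the exp claim are read.
        JwtContext unverified = new JwtConsumerBuilder().setSkipAllValidators().setDisableRequireSignature().setSkipSignatureVerification().build().process(jwt);
        String kid = unverified.getJoseObjects().get(0).getKeyIdHeaderValue();
        if (!ignoreExpiry) {
            boolean expired;
            try {
                expired = isExpired(unverified.getJwtClaims());
            } catch (MalformedClaimException e) {
                logger.error(e, "MalformedClaimException: ", new Object[0]);
                throw new InvalidJwtException("MalformedClaimException", new ErrorCodeValidator.Error(18, "Invalid ExpirationTime Format"), e, unverified);
            }
            if (expired) {
                logger.info("jwt token is expired!", new Object[0]);
                throw new ExpiredTokenException("Token is expired");
            }
        }

        // Second pass: signature verification with the key resolved for the kid.
        JwtClaims verified = new JwtConsumerBuilder()
                .setRequireExpirationTime()
                .setAllowedClockSkewInSeconds(SIGNATURE_PASS_CLOCK_SKEW_SECONDS)
                .setSkipDefaultAudienceValidation()
                .setVerificationKeyResolver(keyResolverFactory.apply(kid, Boolean.valueOf(isToken)))
                .build()
                .process(jwt)
                .getJwtClaims();
        // The cache is null when caching is enabled but the cloud was not ready at
        // construction time; writing to it unconditionally would throw.
        if (cacheUsable) {
            this.cache.withExpiryPolicy(new CreatedExpiryPolicy(new Duration(TimeUnit.MINUTES, CACHE_EXPIRED_IN_MINUTES))).put(jwt, verified);
        }
        return verified;
    }

    /**
     * Tells whether the claims' expiry lies at or before the current time minus the
     * configured clock skew.
     *
     * @throws MalformedClaimException if the {@code exp} claim is absent or unreadable
     */
    private boolean isExpired(JwtClaims claims) throws MalformedClaimException {
        NumericDate expiry = claims.getExpirationTime();
        if (expiry == null) {
            // An unverified token may simply omit exp; report it as malformed rather
            // than failing with a NullPointerException.
            throw new MalformedClaimException("Missing exp claim");
        }
        long now = NumericDate.fromMilliseconds(Ready.currentTimeMillis()).getValue();
        return now - this.config.getClockSkewInSeconds() >= expiry.getValue();
    }

    /**
     * Builds the resolver for the configured key source. Any resolver name other than
     * {@link #JWT_KEY_RESOLVER_JWKS} selects the X.509 certificate resolver.
     *
     * @param kid     key id taken from the (not yet verified) token header
     * @param isToken selects the token key or the signing key lookup for X.509
     * @return the resolver, or {@code null} if no JSON web keys are available
     */
    private VerificationKeyResolver getKeyResolver(String kid, boolean isToken) {
        if (JWT_KEY_RESOLVER_JWKS.equals(this.config.getKeyResolver())) {
            List<JsonWebKey> keys = this.jwksMap == null ? null : this.jwksMap.get(kid);
            if (keys != null) {
                logger.debug("Got Json web key set for kid: %s from local cache", new Object[]{kid});
                return new JwksVerificationKeyResolver(keys);
            }
            keys = getJsonWebKeySetForToken(kid);
            if (keys == null) {
                return null;
            }
            if (this.jwksMap == null) {
                this.jwksMap = new HashMap<>();
            }
            this.jwksMap.put(kid, keys);
            return new JwksVerificationKeyResolver(keys);
        }

        X509Certificate certificate = this.certMap == null ? null : this.certMap.get(kid);
        if (certificate == null) {
            certificate = isToken ? getCertForToken(kid) : getCertForSign(kid);
            if (this.certMap == null) {
                this.certMap = new HashMap<>();
            }
            this.certMap.put(kid, certificate);
        } else {
            logger.debug("Got raw certificate for kid: %s from local cache", new Object[]{kid});
        }
        X509VerificationKeyResolver resolver = new X509VerificationKeyResolver(new X509Certificate[]{certificate});
        // Tokens without a thumbprint header are checked against the single certificate above.
        resolver.setTryAllOnNoThumbHeader(true);
        return resolver;
    }

    /**
     * Fetches the JSON Web Key Set for a key id from the key service.
     *
     * @throws RuntimeException wrapping any failure of the request or of the parsing
     */
    private List<JsonWebKey> getJsonWebKeySetForToken(String kid) {
        TokenKeyRequest request = new TokenKeyRequest(kid);
        try {
            logger.debug("Getting Json Web Key for kid: %s from %s", new Object[]{kid, request.getServerUrl()});
            String body = OauthHelper.getKey(request);
            // NOTE(review): the response body is logged verbatim; confirm the key
            // service only ever returns public key material.
            logger.debug("Got Json Web Key '%s' for kid: %s", new Object[]{body, kid});
            return new JsonWebKeySet(body).getJsonWebKeys();
        } catch (Exception e) {
            logger.error(e, "Exception: ", new Object[0]);
            throw new RuntimeException(e);
        }
    }

    /**
     * Fetches the raw certificate used to verify tokens for a key id. The log messages
     * mark this path as deprecated in favour of the JSON Web Key Set resolver.
     *
     * @param kid key id to request
     * @return the certificate decoded from the Base64 response
     * @throws RuntimeException wrapping any failure of the request or of the decoding
     */
    public X509Certificate getCertForToken(String kid) {
        TokenKeyRequest request = new TokenKeyRequest(kid);
        try {
            logger.warn("<Deprecated: use JsonWebKeySet instead> Getting raw certificate for key id: %s from %s", new Object[]{kid, request.getServerUrl()});
            String encoded = OauthHelper.getKey(request);
            logger.warn("<Deprecated: use JsonWebKeySet instead> Got %s bytes of raw certificate %s for key id: %s", new Object[]{Integer.valueOf(encoded.length()), encoded, kid});
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(HttpUtil.decodeBase64(encoded)));
        } catch (Exception e) {
            logger.error(e, "Exception: ", new Object[0]);
            throw new RuntimeException(e);
        }
    }

    /**
     * Fetches the raw certificate used to verify signatures for a key id.
     *
     * @param kid key id to request
     * @return the certificate decoded from the Base64 response
     * @throws RuntimeException wrapping any failure of the request or of the decoding
     */
    public X509Certificate getCertForSign(String kid) {
        SignKeyRequest request = new SignKeyRequest(kid);
        try {
            logger.warn("Getting raw certificate for key id: %s from %s", new Object[]{kid, request.getServerUrl()});
            String encoded = OauthHelper.getKey(request);
            logger.warn("Got %s bytes of raw certificate %s for key id: %s", new Object[]{Integer.valueOf(encoded.length()), encoded, kid});
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(HttpUtil.decodeBase64(encoded)));
        } catch (Exception e) {
            logger.error(e, "Exception: ", new Object[0]);
            throw new RuntimeException(e);
        }
    }

    /**
     * Returns the fingerprints of the locally configured certificates.
     *
     * @return the internal list, or {@code null} when no local certificates were loaded
     *         (JWKS resolver, bootstrap from the key service, or unrecognised resolver)
     */
    public List getFingerPrints() {
        return this.fingerPrints;
    }
}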
