package com.microsoft.bot.connector.authentication;

import com.auth0.jwt.JWT;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;
import com.microsoft.bot.connector.ExecutorFactory;
import java.io.ByteArrayInputStream;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Date;
import java.util.List;
import java.util.concurrent.CompletableFuture;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/microsoft/bot/connector/authentication/JwtTokenExtractor.class */
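/**
 * Extracts a {@link ClaimsIdentity} from a {@code Bearer} JWT.
 *
 * <p>The token is accepted only if all of the following hold, in this order: its {@code iss}
 * claim is in {@code validIssuers}, its signature verifies (RS256) against the key published
 * in the OpenID metadata for its {@code kid}, the signing certificate (when present and
 * {@code validateIssuerSigningKey} is set) is inside its validity window, the key's
 * endorsements cover the channel and every additional required endorsement, and the header
 * {@code alg} is in the allowed-algorithm list.
 *
 * <p>Not thread-safe by design claim: the object holds only immutable references after
 * construction, but {@link OpenIdMetadata} itself is shared and its thread-safety is not
 * established here.
 */
public class JwtTokenExtractor {
    // Logger named for this class; the original pointed at CachingOpenIdMetadata, which
    // misattributed verification warnings to the wrong component in log output.
    private static final Logger LOGGER = LoggerFactory.getLogger(JwtTokenExtractor.class);
    private static final String BEARER_SCHEME = "bearer";

    private final TokenValidationParameters tokenValidationParameters;
    private final List<String> allowedSigningAlgorithms;
    private final OpenIdMetadataResolver openIdMetadataResolver;
    private final OpenIdMetadata openIdMetadata;

    /**
     * Creates an extractor bound to one OpenID metadata document.
     *
     * @param tokenValidationParameters validation settings; a copy is taken and
     *     {@code requireSignedTokens} is forced to {@code true} on that copy.
     * @param metadataUrl OpenID metadata location handed to the resolver.
     * @param allowedSigningAlgorithms header {@code alg} values accepted once the signature
     *     has verified.
     */
    public JwtTokenExtractor(TokenValidationParameters tokenValidationParameters, String metadataUrl, List<String> allowedSigningAlgorithms) {
        this.tokenValidationParameters = new TokenValidationParameters(tokenValidationParameters);
        this.tokenValidationParameters.requireSignedTokens = true;
        this.allowedSigningAlgorithms = allowedSigningAlgorithms;
        // A caller-supplied resolver wins; otherwise fall back to the caching resolver.
        OpenIdMetadataResolver configured = this.tokenValidationParameters.issuerSigningKeyResolver;
        this.openIdMetadataResolver = configured != null ? configured : new CachingOpenIdMetadataResolver();
        this.openIdMetadata = this.openIdMetadataResolver.get(metadataUrl);
    }

    /**
     * Extracts the identity from a raw {@code Authorization} header with no additional
     * required endorsements.
     *
     * @param authorizationHeader the full header value, e.g. {@code "Bearer <token>"}.
     * @param channelId channel the endorsements are validated against.
     * @return the identity, or a future completing with {@code null} when the header is
     *     absent, malformed, not {@code Bearer}, from an unknown issuer or signed by an unknown key.
     */
    public CompletableFuture<ClaimsIdentity> getIdentity(String authorizationHeader, String channelId) {
        return getIdentity(authorizationHeader, channelId, new ArrayList<>());
    }

    /**
     * Extracts the identity from a raw {@code Authorization} header.
     *
     * @param authorizationHeader the full header value, e.g. {@code "Bearer <token>"}.
     * @param channelId channel the endorsements are validated against.
     * @param requiredEndorsements extra endorsements the signing key must carry.
     * @return see {@link #getIdentity(String, String)}.
     */
    public CompletableFuture<ClaimsIdentity> getIdentity(String authorizationHeader, String channelId, List<String> requiredEndorsements) {
        if (authorizationHeader == null) {
            return CompletableFuture.completedFuture(null);
        }
        // Exactly "<scheme> <token>"; any other shape (extra spaces, missing token) is rejected.
        String[] parts = authorizationHeader.split(" ");
        if (parts.length != 2) {
            return CompletableFuture.completedFuture(null);
        }
        return getIdentity(parts[0], parts[1], channelId, requiredEndorsements);
    }

    /**
     * Extracts the identity from an already split authorization scheme and parameter.
     *
     * @param scheme authorization scheme; only {@code Bearer} (case-insensitive) is accepted.
     * @param parameter the compact JWT.
     * @param channelId channel the endorsements are validated against.
     * @param requiredEndorsements extra endorsements the signing key must carry; {@code null}
     *     is treated as empty.
     * @return see {@link #getIdentity(String, String)}.
     * @throws com.auth0.jwt.exceptions.JWTDecodeException synchronously when {@code parameter}
     *     is not a parseable JWT (raised by the issuer pre-check, not inside the future).
     */
    public CompletableFuture<ClaimsIdentity> getIdentity(String scheme, String parameter, String channelId, List<String> requiredEndorsements) {
        // Constant on the left so a null scheme yields null instead of an NPE.
        if (!BEARER_SCHEME.equalsIgnoreCase(scheme) || parameter == null) {
            return CompletableFuture.completedFuture(null);
        }
        if (!hasAllowedIssuer(parameter)) {
            return CompletableFuture.completedFuture(null);
        }
        return validateToken(parameter, channelId, requiredEndorsements);
    }

    /**
     * Cheap pre-filter on the {@code iss} claim.
     *
     * <p>The claim is read from the still-unverified token. That is acceptable only because
     * {@link #validateToken} verifies the signature over the very same token string before any
     * identity is produced. A missing {@code validIssuers} list rejects every token.
     */
    private boolean hasAllowedIssuer(String token) {
        if (this.tokenValidationParameters.validIssuers == null) {
            return false;
        }
        return this.tokenValidationParameters.validIssuers.contains(JWT.decode(token).getIssuer());
    }

    /**
     * Runs signature, certificate, endorsement and algorithm checks on the executor from
     * {@link ExecutorFactory}.
     *
     * @return a future completing with the identity, {@code null} when the {@code kid} is not
     *     in the metadata, or failing with {@link AuthenticationException} on any other rejection.
     */
    private CompletableFuture<ClaimsIdentity> validateToken(String token, String channelId, List<String> requiredEndorsements) {
        // A missing list means "no extra endorsements" rather than an NPE inside the future.
        List<String> extraEndorsements = requiredEndorsements == null ? new ArrayList<>() : requiredEndorsements;
        return CompletableFuture.supplyAsync(() -> {
            DecodedJWT decoded = JWT.decode(token);
            OpenIdMetadataKey key = this.openIdMetadata.getKey(decoded.getKeyId());
            if (key == null) {
                // Unknown kid: no identity, but no exception either (caller treats null as anonymous).
                return null;
            }
            try {
                // Signature check with the published public key; leeway is applied by the
                // auth0 verifier to the time-based claims. Any JWTVerificationException thrown
                // here or by the helpers below is wrapped in the catch.
                JWT.require(Algorithm.RSA256(key.key, (RSAPrivateKey) null))
                    .acceptLeeway(this.tokenValidationParameters.clockSkew.getSeconds())
                    .build()
                    .verify(token);
                if (this.tokenValidationParameters.validateIssuerSigningKey) {
                    checkSigningCertificate(key);
                }
                if (key.endorsements != null) {
                    checkEndorsements(key, channelId, extraEndorsements);
                }
                // Algorithm allow-list is checked last, after the signature has already verified.
                if (!this.allowedSigningAlgorithms.contains(decoded.getAlgorithm())) {
                    throw new AuthenticationException(String.format("Could not validate algorithm for key: %s with algorithms: %s", decoded.getAlgorithm(), String.valueOf(this.allowedSigningAlgorithms)));
                }
                return new ClaimsIdentity(decoded);
            } catch (JWTVerificationException e) {
                // Message only: the token itself is never logged.
                LOGGER.warn(e.getMessage());
                throw new AuthenticationException((Throwable) e);
            }
        }, ExecutorFactory.getExecutor());
    }

    /**
     * Rejects the key when its first (leaf) certificate is outside its validity window.
     *
     * <p>Only the leaf's notBefore/notAfter are checked; there is no chain building or trust
     * anchor validation in this class, and a certificate that cannot be decoded is skipped
     * rather than rejected.
     *
     * @throws JWTVerificationException when the leaf certificate is decodable but not valid now.
     */
    private void checkSigningCertificate(OpenIdMetadataKey key) {
        if (key.certificateChain == null || key.certificateChain.isEmpty()) {
            return;
        }
        X509Certificate leaf = decodeCertificate(key.certificateChain.get(0));
        if (leaf != null && !isCertValid(leaf)) {
            throw new JWTVerificationException("Signing certificate is not valid");
        }
    }

    /**
     * Applies the key's endorsements to the channel and to every additional required endorsement.
     *
     * @throws AuthenticationException when the channel or any extra endorsement is not endorsed.
     */
    private static void checkEndorsements(OpenIdMetadataKey key, String channelId, List<String> extraEndorsements) {
        if (!EndorsementsValidator.validate(channelId, key.endorsements)) {
            throw new AuthenticationException(String.format("Could not validate endorsement for key: %s with endorsements: %s", key.key.toString(), String.valueOf(key.endorsements)));
        }
        boolean allEndorsed = extraEndorsements.stream()
            .allMatch(endorsement -> EndorsementsValidator.validate(endorsement, key.endorsements));
        if (!allEndorsed) {
            throw new AuthenticationException(String.format("Could not validate additional endorsement for key: %s with endorsements: %s", key.key.toString(), String.valueOf(extraEndorsements)));
        }
    }

    /**
     * Decodes one base64 DER certificate.
     *
     * @param base64Der base64 text of a DER-encoded X.509 certificate (an {@code x5c} entry).
     * @return the certificate, or {@code null} when the input is absent, not base64, or not
     *     parseable as X.509 — the caller treats that as "nothing to check".
     */
    private static X509Certificate decodeCertificate(String base64Der) {
        if (base64Der == null) {
            return null;
        }
        try {
            byte[] der = Base64.getDecoder().decode(base64Der);
            CertificateFactory factory = CertificateFactory.getInstance("X.509");
            return (X509Certificate) factory.generateCertificate(new ByteArrayInputStream(der));
        } catch (CertificateException | IllegalArgumentException e) {
            // Narrowed from Throwable: decode problems are expected and non-fatal, JVM errors are not.
            LOGGER.debug("Could not decode signing certificate: {}", e.getMessage());
            return null;
        }
    }

    /**
     * Checks the certificate's validity window against the current time, widened on both
     * ends by the configured clock skew.
     */
    private boolean isCertValid(X509Certificate certificate) {
        long now = System.currentTimeMillis();
        long skewMillis = this.tokenValidationParameters.clockSkew.toMillis();
        return now >= certificate.getNotBefore().getTime() - skewMillis
            && now <= certificate.getNotAfter().getTime() + skewMillis;
    }
}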
