package io.micronaut.security.token.jwt.validator;

import com.nimbusds.jose.EncryptionMethod;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.JWEHeader;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jwt.EncryptedJWT;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.jwt.PlainJWT;
import com.nimbusds.jwt.SignedJWT;
import io.micronaut.security.token.jwt.encryption.EncryptionConfiguration;
import io.micronaut.security.token.jwt.generator.claims.JwtClaimsSetAdapter;
import io.micronaut.security.token.jwt.signature.SignatureConfiguration;
import java.text.ParseException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Comparator;
import java.util.Iterator;
import java.util.List;
import java.util.Optional;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/micronaut/security/token/jwt/validator/JwtValidator.class */
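/**
 * Validates JSON Web Tokens against the configured signature configurations, encryption
 * configurations and claims validators.
 *
 * <p>A token is accepted only if its cryptographic check passes and, when claims validators are
 * configured, every one of them accepts the token's claims set.
 *
 * <p><strong>Security note:</strong> when no signature configuration is registered, an unsecured
 * ({@link PlainJWT}, i.e. {@code alg: none}) token passes the cryptographic step, so its claims
 * are unauthenticated. Register at least one signature configuration wherever the result is used
 * for authentication or authorization decisions.
 */
public final class JwtValidator {
    private static final Logger LOG = LoggerFactory.getLogger(JwtValidator.class);
    private final List<SignatureConfiguration> signatures;
    private final List<EncryptionConfiguration> encryptions;
    private final List<JwtClaimsValidator> claimsValidators;

    /**
     * Fluent builder for {@link JwtValidator}. Each {@code with...} call replaces the
     * corresponding list and stores a copy of its argument, so later changes to the caller's
     * array or collection do not alter the built validator.
     */
    public static final class Builder {
        private List<SignatureConfiguration> signatures;
        private List<EncryptionConfiguration> encryptions;
        private List<JwtClaimsValidator> claimsValidators;

        private Builder() {
            this.signatures = new ArrayList<>();
            this.encryptions = new ArrayList<>();
            this.claimsValidators = new ArrayList<>();
        }

        /**
         * @param signatureConfigurationArr the signature configurations used to verify signed JWTs
         * @return this builder
         */
        public Builder withSignatures(SignatureConfiguration... signatureConfigurationArr) {
            // Copy: Arrays.asList alone is a view over the caller's (mutable) varargs array.
            this.signatures = new ArrayList<>(Arrays.asList(signatureConfigurationArr));
            return this;
        }

        /**
         * @param collection the signature configurations used to verify signed JWTs
         * @return this builder
         */
        public Builder withSignatures(Collection<? extends SignatureConfiguration> collection) {
            this.signatures = new ArrayList<>(collection);
            return this;
        }

        /**
         * @param encryptionConfigurationArr the encryption configurations used to decrypt JWTs
         * @return this builder
         */
        public Builder withEncryptions(EncryptionConfiguration... encryptionConfigurationArr) {
            this.encryptions = new ArrayList<>(Arrays.asList(encryptionConfigurationArr));
            return this;
        }

        /**
         * @param collection the encryption configurations used to decrypt JWTs
         * @return this builder
         */
        public Builder withEncryptions(Collection<? extends EncryptionConfiguration> collection) {
            this.encryptions = new ArrayList<>(collection);
            return this;
        }

        /**
         * @param jwtClaimsValidatorArr the validators every accepted token's claims must satisfy
         * @return this builder
         */
        public Builder withClaimValidators(JwtClaimsValidator... jwtClaimsValidatorArr) {
            this.claimsValidators = new ArrayList<>(Arrays.asList(jwtClaimsValidatorArr));
            return this;
        }

        /**
         * @param collection the validators every accepted token's claims must satisfy
         * @return this builder
         */
        public Builder withClaimValidators(Collection<? extends JwtClaimsValidator> collection) {
            this.claimsValidators = new ArrayList<>(collection);
            return this;
        }

        /**
         * @return a validator using the lists currently held by this builder
         */
        public JwtValidator build() {
            return new JwtValidator(this.signatures, this.encryptions, this.claimsValidators);
        }
    }

    private JwtValidator(List<SignatureConfiguration> list, List<EncryptionConfiguration> list2, List<JwtClaimsValidator> list3) {
        this.signatures = list;
        this.encryptions = list2;
        this.claimsValidators = list3;
    }

    /**
     * Parses and validates a serialized JWT.
     *
     * @param str the compact serialization of the token
     * @return the validated JWT, or an empty optional if the string cannot be parsed or the token
     *     fails validation
     */
    public Optional<JWT> validate(String str) {
        try {
            return validate(JWTParser.parse(str));
        } catch (ParseException e) {
            if (LOG.isWarnEnabled()) {
                LOG.warn("Failed to parse JWT: {}", e.getMessage());
            }
            return Optional.empty();
        }
    }

    /**
     * Validates a parsed JWT: first the cryptographic check for its concrete type (plain,
     * encrypted or signed), then every configured claims validator.
     *
     * <p>For an encrypted token the returned value is the nested signed JWT, so the claims
     * validators run on the claims of that nested token.
     *
     * @param jwt the parsed token
     * @return the validated JWT, or an empty optional if any check fails or the token type is not
     *     one of the three handled types
     */
    public Optional<JWT> validate(JWT jwt) {
        final Optional<JWT> verified;
        if (jwt instanceof PlainJWT) {
            verified = validate((PlainJWT) jwt);
        } else if (jwt instanceof EncryptedJWT) {
            verified = validate((EncryptedJWT) jwt);
        } else if (jwt instanceof SignedJWT) {
            verified = validate((SignedJWT) jwt);
        } else {
            verified = Optional.empty();
        }
        if (this.claimsValidators.isEmpty()) {
            return verified;
        }
        return verified.filter(candidate -> {
            try {
                JwtClaimsSetAdapter claims = new JwtClaimsSetAdapter(candidate.getJWTClaimsSet());
                return this.claimsValidators.stream().allMatch(validator -> validator.validate(claims));
            } catch (ParseException e) {
                // Fail closed: a token whose claims cannot be read is rejected.
                if (LOG.isErrorEnabled()) {
                    LOG.error("Failed to retrieve the claims set", e);
                }
                return false;
            }
        });
    }

    /**
     * Handles an unsecured JWT. It is accepted only when no signature configuration exists.
     *
     * <p>Security note: in that case the token carries no integrity protection at all and its
     * claims are whatever the sender chose; see the class-level note.
     */
    private Optional<JWT> validate(PlainJWT plainJWT) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("Validating plain JWT");
        }
        if (this.signatures.isEmpty()) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("JWT is not signed and no signature configurations -> verified");
            }
            return Optional.of(plainJWT);
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("A non-signed JWT cannot be accepted as signature configurations have been defined");
        }
        return Optional.empty();
    }

    /**
     * Decrypts an encrypted JWT and validates the signed JWT nested inside it.
     *
     * <p>Encryption configurations are tried in order, those supporting the header's algorithm
     * and encryption method first. A configuration that fails to decrypt is skipped and the next
     * one is tried. Once decryption succeeds, a payload that is not a signed JWT is rejected
     * outright, so an encrypted token never bypasses signature verification.
     */
    private Optional<JWT> validate(EncryptedJWT encryptedJWT) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("Validating encrypted JWT");
        }
        JWEHeader header = encryptedJWT.getHeader();
        List<EncryptionConfiguration> ordered = new ArrayList<>(this.encryptions);
        ordered.sort(comparator(header));
        for (EncryptionConfiguration encryptionConfiguration : ordered) {
            if (LOG.isTraceEnabled()) {
                LOG.trace("Using encryption configuration: {}", encryptionConfiguration.toString());
            }
            try {
                encryptionConfiguration.decrypt(encryptedJWT);
                SignedJWT signedJWT = encryptedJWT.getPayload().toSignedJWT();
                if (signedJWT != null) {
                    return validate(signedJWT);
                }
                if (LOG.isDebugEnabled()) {
                    LOG.debug("Encrypted JWT couldn't be converted to a signed JWT.");
                }
                return Optional.empty();
            } catch (JOSEException e) {
                // Wrong key or unsupported algorithm for this configuration: try the next one.
                if (LOG.isDebugEnabled()) {
                    LOG.debug("Decryption fails with encryption configuration: {}, passing to the next one", encryptionConfiguration.toString());
                }
            }
        }
        return Optional.empty();
    }

    /**
     * Verifies a signed JWT against the signature configurations, those supporting the header's
     * algorithm first. The token is accepted as soon as one configuration verifies it.
     *
     * <p>The header algorithm only influences the order of attempts; every configuration is
     * still asked to verify. NOTE(review): rejecting an algorithm the configuration was not set
     * up for is therefore left to {@code SignatureConfiguration.verify} - confirm that each
     * implementation does so.
     */
    private Optional<JWT> validate(SignedJWT signedJWT) {
        if (LOG.isDebugEnabled()) {
            LOG.debug("Validating signed JWT");
        }
        JWSAlgorithm algorithm = signedJWT.getHeader().getAlgorithm();
        List<SignatureConfiguration> ordered = new ArrayList<>(this.signatures);
        ordered.sort(comparator(algorithm));
        for (SignatureConfiguration signatureConfiguration : ordered) {
            try {
                if (signatureConfiguration.verify(signedJWT)) {
                    return Optional.of(signedJWT);
                }
                // NOTE(review): this writes the complete serialized token to the debug log. A
                // token rejected here may still be accepted elsewhere, so debug logs need the
                // same protection as credentials (or log a digest of the token instead).
                if (LOG.isDebugEnabled()) {
                    LOG.debug("JWT Signature verification failed: {}", signedJWT.getParsedString());
                }
            } catch (JOSEException e) {
                // verify() could not process the token with this configuration: try the next.
                if (LOG.isDebugEnabled()) {
                    LOG.debug("Verification failed with signature configuration: {}, passing to the next one", signatureConfiguration);
                }
            }
        }
        return Optional.empty();
    }

    /**
     * Orders signature configurations so that those supporting {@code jWSAlgorithm} come first;
     * configurations that compare equal keep their relative order (List.sort is stable).
     */
    private static Comparator<SignatureConfiguration> comparator(JWSAlgorithm jWSAlgorithm) {
        return (first, second) -> {
            boolean firstSupports = first.supports(jWSAlgorithm);
            boolean secondSupports = second.supports(jWSAlgorithm);
            // Arguments swapped on purpose: "supports" must sort before "does not support".
            return Boolean.compare(secondSupports, firstSupports);
        };
    }

    /**
     * Orders encryption configurations so that those supporting the header's algorithm and
     * encryption method come first; configurations that compare equal keep their relative order.
     */
    private static Comparator<EncryptionConfiguration> comparator(JWEHeader jWEHeader) {
        JWEAlgorithm algorithm = jWEHeader.getAlgorithm();
        EncryptionMethod encryptionMethod = jWEHeader.getEncryptionMethod();
        return (first, second) -> {
            boolean firstSupports = first.supports(algorithm, encryptionMethod);
            boolean secondSupports = second.supports(algorithm, encryptionMethod);
            return Boolean.compare(secondSupports, firstSupports);
        };
    }

    /**
     * @return a new builder with empty signature, encryption and claims-validator lists
     */
    public static Builder builder() {
        return new Builder();
    }
}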
