package net.tokensmith.otter.security.cookie;

import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import net.tokensmith.jwt.builder.compact.SecureCompactBuilder;
import net.tokensmith.jwt.builder.exception.CompactException;
import net.tokensmith.jwt.config.JwtAppFactory;
import net.tokensmith.jwt.entity.jwk.SymmetricKey;
import net.tokensmith.jwt.entity.jwt.Claims;
import net.tokensmith.jwt.entity.jwt.JsonWebToken;
import net.tokensmith.jwt.entity.jwt.header.Algorithm;
import net.tokensmith.jwt.exception.InvalidJWT;
import net.tokensmith.jwt.exception.SignatureException;
import net.tokensmith.jwt.serialization.exception.JsonToJwtException;
import net.tokensmith.otter.config.CookieConfig;
import net.tokensmith.otter.controller.entity.Cookie;
import net.tokensmith.otter.security.cookie.either.CookieError;
import net.tokensmith.otter.security.cookie.either.ReadEither;
import net.tokensmith.otter.security.cookie.either.ReadError;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:net/tokensmith/otter/security/cookie/CookieSigner.class */
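/**
 * Signs cookie values as compact JWTs and verifies them again on the way in.
 *
 * <p>Cookies are always issued with {@link Algorithm#HS256} and a symmetric key. Verification
 * is pinned to that same algorithm: the {@code alg} value in an incoming token's header is
 * supplied by whoever sent the cookie, so it is never used to choose how the token is checked.
 *
 * <p>The key maps passed to the constructor are stored by reference, not copied.
 */
public class CookieSigner implements CookieSecurity {
    protected static Logger LOGGER = LoggerFactory.getLogger(CookieSigner.class);
    public static final String SIGNATURE_INVALID = "Signature Invalid";

    /** The only algorithm this class signs with and therefore the only one it accepts. */
    private static final Algorithm SIGNING_ALGORITHM = Algorithm.HS256;

    private final JwtAppFactory jwtAppFactory;
    // key id -> symmetric key, used for both signing and verification
    private final Map<String, SymmetricKey> keys;
    // cookie name -> id of the key that new cookies of that name are signed with
    private final Map<String, String> preferredKeys;

    /**
     * @param jwtAppFactory factory used to parse compact JWTs and to build signature verifiers
     * @param map key id to symmetric key
     * @param map2 cookie name to the id of the key preferred for signing that cookie
     */
    public CookieSigner(JwtAppFactory jwtAppFactory, Map<String, SymmetricKey> map, Map<String, String> map2) {
        this.jwtAppFactory = jwtAppFactory;
        this.keys = map;
        this.preferredKeys = map2;
    }

    /**
     * Builds a cookie whose value is the given claims serialized as an HS256-signed compact JWT.
     *
     * @param cookieConfig name, max age and the secure / httpOnly flags of the cookie
     * @param t the claims to sign
     * @return the cookie carrying the signed JWT
     * @throws CookieJwtException if no signing key is configured for the cookie name, or the
     *     claims cannot be serialized to a compact JWT
     */
    @Override
    public <T extends Claims> Cookie make(CookieConfig cookieConfig, T t) throws CookieJwtException {
        String cookieName = cookieConfig.getName();
        String keyId = this.preferredKeys.get(cookieName);
        SymmetricKey key = Objects.isNull(keyId) ? null : getKey(keyId);
        if (Objects.isNull(key)) {
            // Fail here with the declared exception instead of handing a null key to the
            // JWT builder, where a configuration gap would surface as an unrelated failure.
            String message = "No signing key configured for cookie: " + cookieName;
            throw new CookieJwtException(message, new IllegalStateException(message));
        }

        String compactJwt;
        try {
            compactJwt = new SecureCompactBuilder().alg(SIGNING_ALGORITHM).key(key).claims(t).build().toString();
        } catch (CompactException e) {
            throw new CookieJwtException("Could not serialize to compact jwt", e);
        }

        return new Cookie.Builder()
                .secure(cookieConfig.getSecure().booleanValue())
                .name(cookieName)
                .maxAge(cookieConfig.getAge().intValue())
                .value(compactJwt)
                .httpOnly(cookieConfig.getHttpOnly().booleanValue())
                .build();
    }

    /**
     * Parses a cookie value as a JWT and verifies its signature.
     *
     * <p>The right side of the result holds the claims only when the signature verified. Every
     * left side except {@link CookieError#JWT_INVALID} also carries the parsed claims; those
     * claims come from a token that was NOT verified and must be treated as untrusted input
     * (diagnostics only, never authorization decisions).
     *
     * @param str the compact JWT taken from the cookie value
     * @param cls the claims class to deserialize into
     * @return verified claims on the right, or a {@link ReadError} on the left
     */
    @Override
    public <T extends Claims> ReadEither<T> read(String str, Class<T> cls) {
        ReadEither.Builder builder = new ReadEither.Builder();
        try {
            JsonWebToken<T> jwt = toJwt(str, cls);
            if (!jwt.getHeader().getKeyId().isPresent()) {
                builder.left(new ReadError.Builder().claims(Optional.of(jwt.getClaims())).cookieError(CookieError.NO_KEY_ID).build());
                return builder.build();
            }
            SymmetricKey key = getKey((String) jwt.getHeader().getKeyId().get());
            if (Objects.isNull(key)) {
                // NOTE(review): the key id is taken from the unverified token header, so the
                // logged value is sender-controlled; confirm the log encoder neutralises
                // control characters.
                LOGGER.debug("do not have key id: {}", jwt.getHeader().getKeyId().get());
                builder.left(new ReadError.Builder().claims(Optional.of(jwt.getClaims())).cookieError(CookieError.SIGNATURE_ERROR).build());
                return builder.build();
            }
            try {
                if (verifySignature(jwt, key).booleanValue()) {
                    builder.right(jwt.getClaims());
                    return builder.build();
                }
                LOGGER.debug(SIGNATURE_INVALID);
                builder.left(new ReadError.Builder().claims(Optional.of(jwt.getClaims())).cookieError(CookieError.SIGNATURE_INVALID).build());
                return builder.build();
            } catch (CookieJwtException e) {
                // The verifier itself failed; reported separately from a signature mismatch.
                LOGGER.debug(e.getMessage(), e);
                builder.left(new ReadError.Builder().claims(Optional.of(jwt.getClaims())).cookieError(CookieError.SIGNATURE_ERROR).cause(e).build());
                return builder.build();
            }
        } catch (CookieJwtException e2) {
            // The value could not be parsed as a JWT at all, so there are no claims to attach.
            LOGGER.debug(e2.getMessage(), e2);
            builder.left(new ReadError.Builder().cause(e2).cookieError(CookieError.JWT_INVALID).build());
            return builder.build();
        }
    }

    /**
     * Looks up a symmetric key by its id.
     *
     * @param str the key id
     * @return the key, or {@code null} when the id is not in the configured key map
     */
    @Override
    public SymmetricKey getKey(String str) {
        return this.keys.get(str);
    }

    /**
     * Deserializes a compact JWT string without verifying it.
     *
     * @param str the compact JWT
     * @param cls the claims class to deserialize into
     * @return the parsed, still unverified, token
     * @throws CookieJwtException if the string cannot be parsed as a JWT
     */
    protected <T extends Claims> JsonWebToken<T> toJwt(String str, Class<T> cls) throws CookieJwtException {
        try {
            return this.jwtAppFactory.jwtSerde().stringToJwt(str, cls);
        } catch (JsonToJwtException | InvalidJWT e) {
            throw new CookieJwtException("Could not deserialize CSRF JWT to pojo", e);
        }
    }

    /**
     * Verifies a token's signature with the given key, accepting HS256 only.
     *
     * <p>A token whose header names any other algorithm is rejected before a verifier is built.
     * The header is sender-controlled, and how the JWT library would treat a different
     * algorithm paired with a symmetric key is not visible from this class.
     *
     * @param jsonWebToken the parsed token
     * @param symmetricKey the key selected by the token's key id
     * @return {@code true} only when the header algorithm is HS256 and the signature matches
     * @throws CookieJwtException if the verifier cannot be constructed
     */
    protected <T extends Claims> Boolean verifySignature(JsonWebToken<T> jsonWebToken, SymmetricKey symmetricKey) throws CookieJwtException {
        if (!SIGNING_ALGORITHM.equals(jsonWebToken.getHeader().getAlgorithm())) {
            LOGGER.debug("rejecting cookie jwt, unexpected algorithm: {}", jsonWebToken.getHeader().getAlgorithm());
            return Boolean.FALSE;
        }
        try {
            return Boolean.valueOf(this.jwtAppFactory.verifySignature(SIGNING_ALGORITHM, symmetricKey).run(jsonWebToken));
        } catch (SignatureException e) {
            throw new CookieJwtException("Could not verify signature", e);
        }
    }
}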
