package org.apache.hadoop.hive.metastore.auth.jwt;

import com.google.common.base.Preconditions;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSObject;
import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.crypto.factories.DefaultJWSVerifierFactory;
import com.nimbusds.jose.jwk.AsymmetricJWK;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.io.IOException;
import java.text.ParseException;
import java.util.Date;
import java.util.List;
import javax.security.sasl.AuthenticationException;
import org.apache.hadoop.conf.Configuration;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/hadoop/hive/metastore/auth/jwt/JWTValidator.class */
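/**
 * Validates signed JWTs against the JSON Web Keys supplied by a {@link URLBasedJWKSProvider}
 * and extracts the authenticated user name from the token's subject claim.
 *
 * <p>Only asymmetric keys are accepted for signature verification. The only claim checked
 * here is the expiration time; issuer, audience and not-before are not examined by this class.
 */
public class JWTValidator {
    private static final Logger LOG = LoggerFactory.getLogger(JWTValidator.class.getName());
    private static final DefaultJWSVerifierFactory JWS_VERIFIER_FACTORY = new DefaultJWSVerifierFactory();
    private final URLBasedJWKSProvider jwksProvider;

    /**
     * Creates a validator whose key set is built from the given configuration.
     *
     * @param configuration configuration handed to {@link URLBasedJWKSProvider}
     * @throws IOException if the provider's constructor reports an I/O failure
     * @throws ParseException if the provider's constructor reports a parse failure
     */
    public JWTValidator(Configuration configuration) throws IOException, ParseException {
        this.jwksProvider = new URLBasedJWKSProvider(configuration);
    }

    /**
     * Verifies the signature and expiry of a serialized JWT and returns its subject.
     *
     * @param str the compact-serialized signed JWT; must not be null
     * @return the {@code sub} claim of the verified token; this is whatever
     *     {@code JWTClaimsSet.getSubject()} yields, so callers should reject a null or
     *     empty value rather than treat it as an authenticated identity
     * @throws ParseException if the token cannot be parsed
     * @throws AuthenticationException if no JWK matches the header, no matching JWK verifies
     *     the signature, or the token has expired
     */
    public String validateJWTAndExtractUser(String str) throws ParseException, AuthenticationException {
        Preconditions.checkNotNull(this.jwksProvider);
        Preconditions.checkNotNull(str, "No token found");
        SignedJWT signedJwt = SignedJWT.parse(str);
        List<JWK> matchedKeys = this.jwksProvider.getJWKs(signedJwt.getHeader());
        if (matchedKeys.isEmpty()) {
            throw new AuthenticationException(
                    "Failed to find matched JWKs with the JWT header: " + signedJwt.getHeader());
        }

        // Try each candidate key in turn and stop at the first one that verifies the signature.
        Exception lastFailure = null;
        for (JWK jwk : matchedKeys) {
            String keyID = jwk.getKeyID() == null ? "null" : jwk.getKeyID();
            try {
                // Both building the verifier and verifying can throw; keeping them inside the
                // try means one unusable key is recorded and skipped instead of aborting the
                // loop (and JOSEException is not declared by this method).
                if (signedJwt.verify(getVerifier(signedJwt.getHeader(), jwk))) {
                    LOG.debug("Verified JWT {} by JWK {}", signedJwt.getPayload(), keyID);
                    break;
                }
            } catch (Exception e) {
                lastFailure = e;
                // NOTE(review): the payload logged here belongs to a token that has NOT been
                // verified, i.e. it is caller-supplied text and may carry personal data;
                // consider logging only the key id.
                LOG.warn("Failed to verify JWT {} by JWK {}", signedJwt.getPayload(), keyID, e);
            }
        }

        // Only the trailing characters of the token are put into error messages, so failures
        // for different tokens can be told apart without echoing the whole token.
        String tokenSuffix = str.substring(Math.max(0, str.length() - 7));
        if (signedJwt.getState() != JWSObject.State.VERIFIED) {
            throw new AuthenticationException(
                    "Failed to verify the JWT signature (ends with " + tokenSuffix + ")", lastFailure);
        }

        JWTClaimsSet claims = signedJwt.getJWTClaimsSet();
        Date expirationTime = claims.getExpirationTime();
        // NOTE(review): a token with no exp claim is accepted and never expires as far as this
        // method is concerned; confirm that is intended for the deployment's token issuer.
        if (expirationTime != null && new Date().after(expirationTime)) {
            LOG.warn("Rejecting an expired JWT: {}", signedJwt.getPayload());
            throw new AuthenticationException("JWT (ends with " + tokenSuffix + ") has been expired");
        }
        return claims.getSubject();
    }

    /**
     * Builds a signature verifier for the given header from the public half of an asymmetric JWK.
     *
     * @param jWSHeader header of the token being verified
     * @param jwk candidate key; must be an {@link AsymmetricJWK}
     * @return a verifier created by the shared {@link DefaultJWSVerifierFactory}
     * @throws JOSEException if the public key cannot be derived or no verifier can be created
     * @throws IllegalArgumentException if {@code jwk} is not an asymmetric key
     */
    private static JWSVerifier getVerifier(JWSHeader jWSHeader, JWK jwk) throws JOSEException {
        // Symmetric keys are refused outright: verification must rest on a public key only.
        Preconditions.checkArgument(jwk instanceof AsymmetricJWK, "JWT signature verification with symmetric key is not allowed.");
        return JWS_VERIFIER_FACTORY.createJWSVerifier(jWSHeader, ((AsymmetricJWK) jwk).toPublicKey());
    }
}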
