package org.apache.tomee.microprofile.jwt;

import java.security.Key;
import java.util.List;
import java.util.Map;
import java.util.function.Predicate;
import org.apache.openejb.util.Logger;
import org.apache.tomee.microprofile.jwt.config.JWTAuthConfiguration;
import org.apache.tomee.microprofile.jwt.config.PublicKeyResolver;
import org.apache.tomee.microprofile.jwt.principal.JWTCallerPrincipal;
import org.eclipse.microprofile.jwt.Claims;
import org.eclipse.microprofile.jwt.JsonWebToken;
import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwk.JsonWebKey;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.MalformedClaimException;
import org.jose4j.jwt.NumericDate;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.jwt.consumer.JwtContext;
import org.jose4j.keys.resolvers.JwksVerificationKeyResolver;

/* loaded from: input_file:lib/mp-jwt-8.0.15.jar:org/apache/tomee/microprofile/jwt/JsonWebTokenValidator.class */
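/**
 * Verifies a compact-serialized JWT with jose4j and wraps the verified claims in a
 * {@link JWTCallerPrincipal}.
 *
 * <p>Signature verification uses either a single {@link Key} or a map of keys, both
 * forwarded to {@link JWTAuthConfiguration}. Only RS256, RS384 and RS512 are accepted as
 * signature algorithms.
 *
 * <p>NOTE(review): the {@code validation} predicate is stored but {@link #validate(String)}
 * never evaluates it, so constraints registered through {@link Builder#add(Predicate)} do
 * not currently reject any token. Confirm whether a caller elsewhere applies it.
 */
public class JsonWebTokenValidator {
    private static final Logger VALIDATION = Logger.getInstance(JWTLogCategories.CONSTRAINT, JsonWebTokenValidator.class);
    private final Predicate<JsonWebToken> validation;
    private final Key verificationKey;
    private final Map<String, Key> verificationKeys;
    private final String issuer;
    private final boolean allowNoExpiryClaim;

    /* loaded from: input_file:lib/mp-jwt-8.0.15.jar:org/apache/tomee/microprofile/jwt/JsonWebTokenValidator$Builder.class */
    /**
     * Fluent builder for {@link JsonWebTokenValidator}.
     */
    public static class Builder {
        private Key verificationKey;
        // NOTE(review): populated by verificationKeys(List) but not consumed by build();
        // keys supplied only through that setter never reach the validator.
        private List<JsonWebKey> verificationKeys;
        // Keys supplied through verificationKey(Map); handed to the validator by build().
        private Map<String, Key> verificationKeyMap;
        private String issuer;
        private Predicate<JsonWebToken> validation = jsonWebToken -> true;
        private boolean allowNoExpiryClaim = false;

        /**
         * Adds a constraint that is AND-ed with the constraints registered so far.
         *
         * @param predicate additional check on the parsed token
         * @return this builder
         */
        public Builder add(Predicate<JsonWebToken> predicate) {
            // Chain onto the accumulated predicate; combining the argument with itself
            // would silently discard every constraint added earlier.
            this.validation = this.validation.and(predicate);
            return this;
        }

        /**
         * Parses {@code str} with {@link PublicKeyResolver} and uses the first key found as
         * the single verification key.
         *
         * @param str key material in a form {@code PublicKeyResolver.readPublicKeys} accepts
         * @return this builder
         * @throws java.util.NoSuchElementException if the resolver returns an empty map
         */
        public Builder publicKey(String str) {
            return verificationKey(new PublicKeyResolver().readPublicKeys(str).entrySet().iterator().next().getValue());
        }

        /**
         * Sets the single key used to verify token signatures.
         *
         * @param key verification key
         * @return this builder
         */
        public Builder verificationKey(Key key) {
            this.verificationKey = key;
            return this;
        }

        /**
         * Sets the verification keys used when no single key is configured.
         *
         * @param map verification keys by name (presumably the key id; verify against caller)
         * @return this builder
         */
        public Builder verificationKey(Map<String, Key> map) {
            // Keep the supplied map so build() can pass it on; a self-assignment here
            // would drop the caller's keys and leave the validator without any.
            this.verificationKeyMap = map;
            return this;
        }

        /**
         * Creates the validator from the values collected so far.
         *
         * @return a new validator
         */
        public JsonWebTokenValidator build() {
            return new JsonWebTokenValidator(this.validation, this.verificationKey, this.issuer, this.verificationKeyMap, this.allowNoExpiryClaim);
        }

        /**
         * Stores a list of JSON Web Keys.
         *
         * @param list JSON Web Keys
         * @return this builder
         */
        public Builder verificationKeys(List<JsonWebKey> list) {
            this.verificationKeys = list;
            return this;
        }

        /**
         * Sets the issuer that tokens must carry; {@code null} leaves the issuer unchecked.
         *
         * @param str expected {@code iss} value
         * @return this builder
         */
        public Builder issuer(String str) {
            this.issuer = str;
            return this;
        }

        /**
         * Sets the flag forwarded to {@link JWTAuthConfiguration} as {@code allowNoExpiryClaim}.
         *
         * @param z flag value
         * @return this builder
         */
        public Builder allowNoExpiryClaim(boolean z) {
            this.allowNoExpiryClaim = z;
            return this;
        }
    }

    /**
     * Creates a validator.
     *
     * @param predicate extra constraints on the parsed token (see the class-level note)
     * @param key single verification key, or {@code null} to use {@code map}
     * @param str expected issuer, or {@code null} to skip the issuer check
     * @param map verification keys used when {@code key} is {@code null}
     * @param z value forwarded to {@link JWTAuthConfiguration} as {@code allowNoExpiryClaim}
     */
    public JsonWebTokenValidator(Predicate<JsonWebToken> predicate, Key key, String str, Map<String, Key> map, boolean z) {
        this.validation = predicate;
        this.verificationKey = key;
        this.verificationKeys = map;
        this.issuer = str;
        this.allowNoExpiryClaim = z;
    }

    /**
     * Verifies the signature and claims of a compact JWT and returns it as a principal.
     *
     * <p>The principal name is the {@code upn} claim, else {@code preferred_username},
     * else the subject.
     *
     * @param str compact-serialized JWT
     * @return the verified token as a {@link JWTCallerPrincipal}
     * @throws ParseException if jose4j rejects the token or a claim is malformed
     */
    public JsonWebToken validate(String str) throws ParseException {
        final JWTAuthConfiguration authConfiguration;
        if (this.verificationKey != null) {
            // A single key takes precedence over the key map.
            authConfiguration = JWTAuthConfiguration.authConfiguration(this.verificationKey, this.issuer, this.allowNoExpiryClaim);
        } else {
            authConfiguration = JWTAuthConfiguration.authConfiguration(this.verificationKeys, this.issuer, this.allowNoExpiryClaim);
        }
        try {
            // - Relaxed key validation turns off jose4j's strictness checks on the
            //   verification key (such as the minimum RSA key size), so key strength has
            //   to be enforced wherever the keys are provisioned.
            // - The default audience check is skipped: "aud" is not validated here.
            // - Only RS256/RS384/RS512 are permitted, so a token announcing any other
            //   algorithm is rejected by the constraint.
            // NOTE(review): setRequireExpirationTime() is not called and allowNoExpiryClaim
            // is not read back from the configuration in this method, so a token without
            // "exp" looks to be accepted either way - confirm.
            JwtConsumerBuilder consumerBuilder = new JwtConsumerBuilder()
                    .setRelaxVerificationKeyValidation()
                    .setRequireSubject()
                    .setSkipDefaultAudienceValidation()
                    .setJwsAlgorithmConstraints(new AlgorithmConstraints(AlgorithmConstraints.ConstraintType.WHITELIST, "RS256", "RS384", "RS512"));
            if (authConfiguration.getIssuer() != null) {
                consumerBuilder.setExpectedIssuer(authConfiguration.getIssuer());
            }
            if (authConfiguration.getExpGracePeriodSecs() > 0) {
                consumerBuilder.setAllowedClockSkewInSeconds(authConfiguration.getExpGracePeriodSecs());
            } else {
                // NOTE(review): with no positive grace period the evaluation time is pinned
                // to epoch second 0, so date claims are compared with 1970 instead of the
                // current clock. An "exp" in the past would then still pass - confirm this
                // is intended outside of test setups.
                consumerBuilder.setEvaluationTime(NumericDate.fromSeconds(0L));
            }
            if (authConfiguration.isSingleKey()) {
                consumerBuilder.setVerificationKey(authConfiguration.getPublicKey());
            } else {
                consumerBuilder.setVerificationKeyResolver(new JwksVerificationKeyResolver(authConfiguration.getPublicKeys()));
            }
            JwtConsumer consumer = consumerBuilder.build();
            JwtContext context = consumer.process(str);
            String type = context.getJoseObjects().get(0).getHeader("typ");
            consumer.processContext(context);
            JwtClaims jwtClaims = context.getJwtClaims();
            String principalName = jwtClaims.getClaimValue("upn", String.class);
            if (principalName == null) {
                principalName = jwtClaims.getClaimValue("preferred_username", String.class);
            }
            if (principalName == null) {
                principalName = jwtClaims.getSubject();
            }
            // The raw bearer token is stored as a claim, so it travels with the claim set;
            // treat anything that serializes or logs the claims as handling a credential.
            jwtClaims.setClaim(Claims.raw_token.name(), str);
            return new JWTCallerPrincipal(str, type, jwtClaims, principalName);
        } catch (MalformedClaimException e) {
            // NOTE(review): jose4j messages can embed claim values or the token text;
            // confirm the sink of this log category is access-controlled.
            VALIDATION.warning(e.getMessage());
            throw new ParseException("Failed to verify token claims", e);
        } catch (InvalidJwtException e2) {
            VALIDATION.warning(e2.getMessage());
            throw new ParseException("Failed to verify token", e2);
        }
    }

    /**
     * Returns a new, empty {@link Builder}.
     *
     * @return a builder
     */
    public static Builder builder() {
        return new Builder();
    }
}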
