package io.continual.iam.credentials;

import io.continual.util.data.TypeConvertor;
import io.continual.util.data.json.JsonVisitor;
import io.continual.util.time.Clock;
import java.util.TreeSet;
import org.json.JSONArray;
import org.json.JSONException;
import org.json.JSONObject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/continual/iam/credentials/JwtCredential.class */
public class JwtCredential {
    private final String fOrigToken;
    private final String fSubject;
    private final String fIssuer;
    private final TreeSet<String> fAudience;
    private final String fSignedContent;
    private final String fSignature;
    private final String fAlgo;
    private static TreeSet<String> skSignatureAlgos = new TreeSet<>();
    private static final Logger log;

    /* loaded from: input_file:io/continual/iam/credentials/JwtCredential$InvalidJwtToken.class */
    public static class InvalidJwtToken extends Exception {
        private static final long serialVersionUID = 1;
    }

    public static JwtCredential fromHeader(String str) throws InvalidJwtToken {
        if (str != null && str.startsWith("Bearer ")) {
            String[] split = str.split(" ");
            if (split.length == 2) {
                return new JwtCredential(split[1]);
            }
        }
        throw new InvalidJwtToken();
    }

    public JwtCredential(String str) throws InvalidJwtToken {
        this(str, true);
    }

    public JwtCredential(String str, boolean z) throws InvalidJwtToken {
        this.fOrigToken = str;
        String[] split = str.split("\\.");
        if (split.length != 3) {
            throw new InvalidJwtToken();
        }
        this.fSignedContent = split[0] + "." + split[1];
        log.info("signed data: {}", this.fSignedContent);
        this.fSignature = split[2];
        try {
            JSONObject jSONObject = new JSONObject(new String(TypeConvertor.base64UrlDecode(split[0])));
            String string = jSONObject.getString("typ");
            this.fAlgo = jSONObject.getString("alg");
            if (!string.equals("JWT") || !skSignatureAlgos.contains(this.fAlgo)) {
                log.info("Unrecognized type or algo on JWT: " + string + " / " + this.fAlgo);
                throw new InvalidJwtToken();
            }
            String str2 = new String(TypeConvertor.base64UrlDecode(split[1]));
            JSONObject jSONObject2 = new JSONObject(str2);
            log.debug("Unpacking JWT: {}", str2);
            this.fIssuer = jSONObject2.getString("iss");
            this.fAudience = new TreeSet<>();
            JSONArray optJSONArray = jSONObject2.optJSONArray("aud");
            if (optJSONArray != null) {
                this.fAudience.addAll(JsonVisitor.arrayToList(optJSONArray));
            } else {
                this.fAudience.add(jSONObject2.getString("aud"));
            }
            long j = jSONObject2.getLong("exp");
            long now = Clock.now() / 1000;
            if (z && j < now) {
                log.info("Expired token. exp=" + j + "; currently " + now);
                throw new InvalidJwtToken();
            }
            this.fSubject = jSONObject2.getString("sub");
            if (this.fSubject.length() == 0) {
                log.info("No subject on token");
                throw new InvalidJwtToken();
            }
        } catch (JSONException e) {
            log.info("Couldn't parse token.");
            throw new InvalidJwtToken();
        }
    }

    public String toBearerString() {
        return this.fOrigToken;
    }

    public String getSignedContent() {
        return this.fSignedContent;
    }

    public String getSignature() {
        return this.fSignature;
    }

    public String toString() {
        return "JWT for " + this.fSubject;
    }

    public String getSubject() {
        return this.fSubject;
    }

    public String getIssuer() {
        return this.fIssuer;
    }

    public boolean isForAudience(String str) {
        return this.fAudience.contains(str);
    }

    public String getSigningAlgorithm() {
        return this.fAlgo;
    }

    static {
        skSignatureAlgos.add("HS256");
        skSignatureAlgos.add("RS256");
        log = LoggerFactory.getLogger(JwtCredential.class);
    }
}
