package io.continual.iam.impl.common.jwt;

import io.continual.builder.Builder;
import io.continual.iam.credentials.JwtCredential;
import io.continual.iam.exceptions.IamSvcException;
import io.continual.iam.identity.JwtValidator;
import io.continual.util.data.Sha256HmacSigner;
import io.continual.util.data.TypeConvertor;
import io.continual.util.data.json.CommentedJsonTokener;
import io.continual.util.data.json.JsonVisitor;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.math.BigInteger;
import java.net.URL;
import java.net.URLConnection;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.Signature;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.RSAPublicKeySpec;
import java.util.Base64;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.TreeSet;
import org.json.JSONException;
import org.json.JSONObject;
import org.json.JSONTokener;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/continual/iam/impl/common/jwt/SimpleJwtValidator.class */
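/**
 * Validates a {@link JwtCredential} against a fixed set of issuers, one audience and a
 * list of signature validators. RSA public keys are loaded at build time from a URL that
 * serves either a JWK set ({@code {"keys":[...]}}) or a flat object mapping key ids to
 * PEM X.509 certificates.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The token's {@code alg} header is not consulted here. Every registered
 *       {@link SigValidator} is tried in turn and the first success accepts the token.
 *       Each validator is pinned to one algorithm (HS256 or SHA256withRSA), so an
 *       {@code alg=none} or mismatched-algorithm token simply fails every verifier.</li>
 *   <li>JWK {@code kid} values are not recorded; key selection is by trial.</li>
 *   <li>Expiry / not-before are not checked in this class. NOTE(review): presumably
 *       {@link JwtCredential} or the caller enforces them — confirm.</li>
 * </ul>
 */
public class SimpleJwtValidator implements JwtValidator {
    private final String fName;
    private final String fAudience;
    private final TreeSet<String> fIssuers = new TreeSet<>();
    private final LinkedList<SigValidator> fSigValidators = new LinkedList<>();
    private static final Logger log = LoggerFactory.getLogger(SimpleJwtValidator.class);

    /** Upper bound on connect and per-read wait when fetching keys; an unbounded fetch would hang startup. */
    private static final int kKeyFetchTimeoutMs = 10_000;

    /**
     * Builder for {@link SimpleJwtValidator}. At least one issuer and a non-empty audience
     * are required; {@link #build()} fails otherwise.
     */
    public static class Builder {
        private String fName = "(anonymous)";
        private String fAudience = "";
        private final TreeSet<String> fIssuers = new TreeSet<>();
        private String fPublicKeyUrl = null;

        /**
         * Builds the validator, fetching public keys if a key URL was given.
         *
         * @throws Builder.BuildFailure if no issuer or audience was configured, or the key fetch fails
         */
        public SimpleJwtValidator build() throws Builder.BuildFailure {
            return new SimpleJwtValidator(this);
        }

        /** Sets a display name used only in log messages. */
        public Builder named(String str) {
            this.fName = str;
            return this;
        }

        /** Adds an accepted {@code iss} value. May be called repeatedly. */
        public Builder forIssuer(String str) {
            this.fIssuers.add(str);
            return this;
        }

        /** Sets the single {@code aud} value tokens must be issued for. */
        public Builder forAudience(String str) {
            this.fAudience = str;
            return this;
        }

        /** URL of a JWK set or of a key-id to PEM certificate map from which RSA keys are loaded. */
        public Builder getPublicKeysFrom(String str) {
            this.fPublicKeyUrl = str;
            return this;
        }
    }

    /**
     * HS256 verifier backed by a shared secret.
     *
     * <p>The comparison is constant-time so that the signature check does not leak
     * how many leading characters of a forged signature were correct.
     */
    protected static class Hs256SigValidator implements SigValidator {
        private final String fSecret;

        public Hs256SigValidator(String str) {
            this.fSecret = str;
        }

        @Override // io.continual.iam.impl.common.jwt.SimpleJwtValidator.SigValidator
        public boolean validate(JwtCredential jwtCredential) {
            final String presented = jwtCredential.getSignature();
            if (presented == null) {
                return false;
            }
            final String expected = TypeConvertor.base64UrlEncode(
                Sha256HmacSigner.signToBytes(jwtCredential.getSignedContent(), this.fSecret));
            // MessageDigest.isEqual is time-constant in the length of the expected value; String.equals is not
            return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                presented.getBytes(StandardCharsets.UTF_8));
        }
    }

    /**
     * SHA256withRSA verifier backed by a single RSA public key, built either from a JWK
     * ({@code n}/{@code e}) or from a PEM X.509 certificate.
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public static class RsaValidator implements SigValidator {
        private final PublicKey fPubKey;

        /**
         * @param jSONObject a JWK with base64url {@code n} (modulus) and {@code e} (exponent)
         * @throws NoSuchAlgorithmException if the JVM has no RSA key factory
         * @throws InvalidKeySpecException if n/e do not form a valid RSA public key
         */
        public RsaValidator(JSONObject jSONObject) throws NoSuchAlgorithmException, InvalidKeySpecException {
            final BigInteger modulus = SimpleJwtValidator.stringToInt(jSONObject.getString("n"));
            final BigInteger exponent = SimpleJwtValidator.stringToInt(jSONObject.getString("e"));
            this.fPubKey = KeyFactory.getInstance("RSA").generatePublic(new RSAPublicKeySpec(modulus, exponent));
            // public material, but large and of no operational interest; keep it out of INFO logs
            SimpleJwtValidator.log.debug("key is: {}", Base64.getEncoder().encodeToString(this.fPubKey.getEncoded()));
        }

        /**
         * @param str a PEM-encoded X.509 certificate; only its public key is retained, the
         *            certificate itself is not validated (chain, expiry) — it is trusted because
         *            it came from the configured key URL
         * @throws CertificateException if the PEM cannot be parsed
         */
        public RsaValidator(String str) throws CertificateException {
            final ByteArrayInputStream pem = new ByteArrayInputStream(str.getBytes(StandardCharsets.UTF_8));
            final X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(pem);
            this.fPubKey = cert.getPublicKey();
        }

        @Override // io.continual.iam.impl.common.jwt.SimpleJwtValidator.SigValidator
        public boolean validate(JwtCredential jwtCredential) {
            try {
                final byte[] sig = TypeConvertor.base64UrlDecode(jwtCredential.getSignature());
                final Signature verifier = Signature.getInstance("SHA256withRSA");
                verifier.initVerify(this.fPubKey);
                verifier.update(jwtCredential.getSignedContent().getBytes(StandardCharsets.UTF_8));
                return verifier.verify(sig);
            } catch (GeneralSecurityException | IllegalArgumentException e) {
                // Malformed signature bytes on an untrusted token must fail verification, not
                // propagate. NOTE(review): assumes base64UrlDecode reports bad input with
                // IllegalArgumentException — confirm against TypeConvertor.
                SimpleJwtValidator.log.warn("Unable to produce RSA with SHA-256 signature check.", e);
                return false;
            }
        }
    }

    /** One way of checking a token's signature; implementations are tried in registration order. */
    /* JADX INFO: Access modifiers changed from: protected */
    public interface SigValidator {
        boolean validate(JwtCredential jwtCredential);
    }

    /**
     * Accepts the token only if its issuer is one of the configured issuers, it is for the
     * configured audience, and at least one registered signature validator verifies it.
     *
     * @return true if the token is accepted
     * @throws IamSvcException propagated from the credential accessors
     */
    @Override // io.continual.iam.identity.JwtValidator
    public boolean validate(JwtCredential jwtCredential) throws IamSvcException {
        final String issuer = jwtCredential.getIssuer();
        // TreeSet.contains(null) throws NullPointerException; a token with no "iss" must be
        // rejected, not turned into an exception on the request path.
        if (issuer == null || !this.fIssuers.contains(issuer)) {
            // NOTE(review): assumes JwtCredential.toString() does not echo the raw token — confirm
            log.info("{} is not from an issuer the {} validator recognizes.", jwtCredential, this.fName);
            return false;
        }
        if (!jwtCredential.isForAudience(this.fAudience)) {
            log.info("{} is not for the {} validator's audience.", jwtCredential, this.fName);
            return false;
        }
        for (SigValidator sigValidator : getValidators()) {
            if (sigValidator.validate(jwtCredential)) {
                return true;
            }
        }
        log.info("{} did not verify against any key known to the {} validator.", jwtCredential, this.fName);
        return false;
    }

    /** Returns a snapshot of the registered signature validators; the list is a copy and may be modified freely. */
    public List<SigValidator> getValidators() {
        return new LinkedList<>(this.fSigValidators);
    }

    /**
     * Validates the builder's configuration before doing any network I/O, then loads keys.
     *
     * @throws Builder.BuildFailure if no issuer or no audience is set, or the key fetch fails
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public SimpleJwtValidator(Builder builder) throws Builder.BuildFailure {
        this.fName = builder.fName;
        this.fIssuers.addAll(builder.fIssuers);
        this.fAudience = builder.fAudience;
        // fail fast on bad configuration before reaching out to the key URL
        if (this.fIssuers.size() < 1) {
            throw new Builder.BuildFailure("No issuers specified for validator.");
        }
        if (this.fAudience == null || this.fAudience.length() == 0) {
            throw new Builder.BuildFailure("No audience specified for validator.");
        }
        if (builder.fPublicKeyUrl != null) {
            this.fSigValidators.addAll(readJwk(builder.fPublicKeyUrl));
        }
    }

    /**
     * Decodes a base64url JWK integer field as an unsigned big-endian value.
     *
     * @param str base64url text with no padding
     * @return the non-negative integer it encodes
     */
    /* JADX INFO: Access modifiers changed from: private */
    public static BigInteger stringToInt(String str) {
        return new BigInteger(1, TypeConvertor.base64UrlDecode(str));
    }

    /**
     * Fetches RSA public keys from {@code str}. If the document has a {@code keys} array it is
     * treated as a JWK set and only {@code kty=RSA} keys not marked {@code use=enc} are taken;
     * otherwise every value is treated as a PEM X.509 certificate.
     *
     * <p>The transport is the only thing protecting these keys from substitution: anyone who can
     * tamper with this fetch can mint tokens this validator accepts, so a non-HTTPS URL is logged
     * as a warning. The scheme is not rejected outright because file: URLs are a plausible
     * deployment choice.
     *
     * @throws Builder.BuildFailure on I/O, JSON or key-construction failure
     */
    private static List<SigValidator> readJwk(String str) throws Builder.BuildFailure {
        log.info("Reading keys from {}", str);
        final LinkedList<SigValidator> keys = new LinkedList<>();
        try {
            final URL url = new URL(str);
            if (!"https".equalsIgnoreCase(url.getProtocol())) {
                log.warn("Key source {} is not fetched over HTTPS; whoever controls that transport can inject signing keys.", str);
            }
            final URLConnection conn = url.openConnection();
            conn.setConnectTimeout(kKeyFetchTimeoutMs);
            conn.setReadTimeout(kKeyFetchTimeoutMs);
            conn.connect();
            // getInputStream() rather than a cast of getContent(): the content handler chosen
            // by the response's Content-Type is not guaranteed to return an InputStream.
            try (InputStream inputStream = conn.getInputStream()) {
                final JSONObject doc = new JSONObject((JSONTokener) new CommentedJsonTokener(inputStream));
                if (doc.has("keys")) {
                    JsonVisitor.forEachElement(doc.getJSONArray("keys"), new JsonVisitor.ArrayVisitor<JSONObject, GeneralSecurityException>() { // from class: io.continual.iam.impl.common.jwt.SimpleJwtValidator.1
                        public boolean visit(JSONObject jwk) throws JSONException, GeneralSecurityException {
                            if (!jwk.getString("kty").equals("RSA")) {
                                return true;
                            }
                            // RFC 7517 "use": a key published for encryption must not verify signatures
                            if (jwk.has("use") && !"sig".equals(jwk.getString("use"))) {
                                log.info("Skipping RSA key with use={}", jwk.getString("use"));
                                return true;
                            }
                            keys.add(new RsaValidator(jwk));
                            return true;
                        }
                    });
                } else {
                    JsonVisitor.forEachElement(doc, new JsonVisitor.ObjectVisitor<String, CertificateException>() { // from class: io.continual.iam.impl.common.jwt.SimpleJwtValidator.2
                        public boolean visit(String keyId, String pem) throws CertificateException {
                            keys.add(new RsaValidator(pem));
                            return true;
                        }
                    });
                }
            }
            return keys;
        } catch (IOException | JSONException | GeneralSecurityException e) {
            throw new Builder.BuildFailure(e);
        }
    }
}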
