package io.continual.iam.impl.auth0;

import com.auth0.jwk.JwkException;
import com.auth0.jwk.UrlJwkProvider;
import com.auth0.jwt.JWT;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.Claim;
import com.auth0.jwt.interfaces.DecodedJWT;
import io.continual.builder.Builder;
import io.continual.iam.credentials.JwtCredential;
import io.continual.iam.exceptions.IamSvcException;
import io.continual.iam.identity.JwtValidator;
import io.continual.util.data.exprEval.EnvDataSource;
import io.continual.util.data.exprEval.ExpressionEvaluator;
import io.continual.util.data.exprEval.SpecialFnsDataSource;
import io.continual.util.data.json.JsonVisitor;
import java.security.interfaces.RSAPublicKey;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import org.json.JSONArray;
import org.json.JSONException;
import org.json.JSONObject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/continual/iam/impl/auth0/Auth0JwtValidator.class */
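/**
 * {@link JwtValidator} backed by an Auth0 tenant.
 *
 * <p>A token is accepted when its RS256 signature verifies against the JWK that the
 * configured domain publishes for the token's {@code kid} header, and its issuer equals
 * {@code https://<domain>/}. The caller's identity (subject) is the value of the first
 * configured email claim present in the token.
 *
 * <p>JSON configuration keys:
 * <ul>
 *   <li>{@code domain} – the Auth0 tenant domain (required)</li>
 *   <li>{@code emailClaims} – array of claim names tried in order, or</li>
 *   <li>{@code emailClaim} – a single claim name, used when {@code emailClaims} is absent</li>
 * </ul>
 * Every value is passed through {@link ExpressionEvaluator} (env and special-function
 * data sources) before use.
 *
 * <p>Instances are immutable once built. No JWK caching happens here: each
 * {@link #validate(JwtCredential)} call fetches the key set from the domain.
 */
public class Auth0JwtValidator implements JwtValidator {
    /** Number of leading token characters echoed into failure log lines. */
    private static final int LOG_PREFIX_LEN = 10;

    private static final Logger log = LoggerFactory.getLogger(Auth0JwtValidator.class);

    private final String fDomain;
    private final List<String> fEmailClaimFields;

    /**
     * Builds a validator from its JSON configuration.
     *
     * @param jSONObject configuration object; see the class comment for the keys read
     * @throws Builder.BuildFailure if {@code domain} is missing, the JSON is malformed,
     *         or no non-blank email claim name is configured
     */
    public Auth0JwtValidator(JSONObject jSONObject) throws Builder.BuildFailure {
        try {
            ExpressionEvaluator expressionEvaluator =
                new ExpressionEvaluator(new EnvDataSource(), new SpecialFnsDataSource());
            this.fDomain = expressionEvaluator.evaluateText(jSONObject.getString("domain"));

            List<String> configured = new LinkedList<>();
            JSONArray claimArray = jSONObject.optJSONArray("emailClaims");
            if (claimArray != null) {
                configured.addAll(JsonVisitor.arrayToList(expressionEvaluator.evaluateJsonArray(claimArray)));
            } else {
                // optString() returns "" for a missing key, so a blank entry must not count
                // as a configured claim or the "at least one" check below never fires.
                configured.add(expressionEvaluator.evaluateText(jSONObject.optString("emailClaim")));
            }

            this.fEmailClaimFields = new LinkedList<>();
            for (String claimName : configured) {
                if (claimName != null && !claimName.trim().isEmpty()) {
                    this.fEmailClaimFields.add(claimName);
                }
            }
            if (this.fEmailClaimFields.isEmpty()) {
                throw new Builder.BuildFailure("No email claim fields registered.");
            }
        } catch (JSONException e) {
            throw new Builder.BuildFailure(e);
        }
    }

    /**
     * Verifies the credential's bearer token against the configured Auth0 domain.
     *
     * @param jwtCredential the credential carrying the bearer token
     * @return {@code true} if signature and issuer verify and one of the configured email
     *         claims is present; {@code false} if verification fails or no email claim is found
     * @throws IamSvcException if the signing key cannot be fetched from the domain
     */
    @Override // io.continual.iam.identity.JwtValidator
    public boolean validate(JwtCredential jwtCredential) throws IamSvcException {
        // NOTE(review): this logs the credential object; if its toString() includes the raw
        // token, that puts a bearer secret into the log at INFO — confirm and lower to debug.
        log.info("auth0: {}", jwtCredential);
        DecodedJWT verified = validate(jwtCredential.toBearerString());
        if (verified == null) {
            return false;
        }
        if (getEmailClaim(verified) != null) {
            return true;
        }
        // Second placeholder lists the claim names this validator accepts.
        log.warn("User {} was authenticated but doesn't have a recognized email claim {}.",
            verified.getSubject(), this.fEmailClaimFields);
        return false;
    }

    /**
     * Extracts the subject (email) from the credential's token.
     *
     * <p>The token is only decoded here, not verified: the claim is read from the payload
     * as-is. Callers must have accepted the token through {@link #validate(JwtCredential)}
     * first; the result is meaningless for a token that has not been validated.
     *
     * @param jwtCredential the credential carrying the bearer token
     * @return the value of the first configured email claim present in the token
     * @throws IamSvcException if the token cannot be decoded or none of the configured
     *         email claims is present
     */
    @Override // io.continual.iam.identity.JwtValidator
    public String getSubject(JwtCredential jwtCredential) throws IamSvcException {
        log.info("auth0: {}", jwtCredential);
        DecodedJWT decoded;
        try {
            decoded = JWT.decode(jwtCredential.toBearerString());
        } catch (JWTVerificationException e) {
            // JWTDecodeException is unchecked; surface it as the declared service exception.
            throw new IamSvcException(e);
        }
        String emailClaim = getEmailClaim(decoded);
        if (emailClaim == null) {
            throw new IamSvcException("Problem extracting email claim from token.");
        }
        return emailClaim;
    }

    /**
     * Returns the first configured email claim that has a string value in the token.
     *
     * @param decodedJWT a decoded (not necessarily verified) token
     * @return the claim value, or {@code null} if none of the configured claims carries a
     *         string value
     */
    private String getEmailClaim(DecodedJWT decodedJWT) {
        for (String claimName : this.fEmailClaimFields) {
            Claim claim = decodedJWT.getClaim(claimName);
            // asString() yields null for a missing claim (and, per java-jwt, for a non-string value).
            String value = claim == null ? null : claim.asString();
            if (value != null) {
                return value;
            }
        }
        return null;
    }

    /**
     * Decodes and verifies a raw bearer token.
     *
     * <p>The signing key is looked up by the token's {@code kid} header from the JWKS of the
     * configured domain; the algorithm is pinned to RS256 on this side rather than taken from
     * the token header. The issuer must be exactly {@code https://<domain>/}. No audience
     * check is configured here.
     *
     * @param str the raw token
     * @return the decoded token when verification succeeds, {@code null} when the token
     *         cannot be decoded or fails verification
     * @throws IamSvcException if the key set cannot be fetched or the key id is unknown
     */
    private DecodedJWT validate(String str) throws IamSvcException {
        try {
            DecodedJWT decoded = JWT.decode(str);
            // A fresh provider per call means no JWK caching; every validation hits the domain.
            // The cast assumes the tenant publishes RSA keys; a non-RSA JWK would surface as a
            // ClassCastException rather than a verification failure.
            RSAPublicKey publicKey =
                (RSAPublicKey) new UrlJwkProvider(this.fDomain).get(decoded.getKeyId()).getPublicKey();
            JWT.require(Algorithm.RSA256(publicKey, null))
                .withIssuer("https://" + this.fDomain + "/")
                .build()
                .verify(str);
            return decoded;
        } catch (JwkException e) {
            log.info("token [{}...] JwkException failure: {}", tokenPrefix(str), e.getMessage());
            throw new IamSvcException(e);
        } catch (JWTVerificationException e) {
            log.info("token [{}...] JWTVerificationException failure: {}", tokenPrefix(str), e.getMessage());
            return null;
        }
    }

    /**
     * Leading characters of a token for log lines, bounded so that a token shorter than
     * {@link #LOG_PREFIX_LEN} does not raise {@link StringIndexOutOfBoundsException}.
     *
     * @param token the raw token
     * @return at most {@link #LOG_PREFIX_LEN} leading characters of {@code token}
     */
    private static String tokenPrefix(String token) {
        return token.substring(0, Math.min(LOG_PREFIX_LEN, token.length()));
    }
}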
