package io.fusionauth.jwt;

import io.fusionauth.jwt.domain.Algorithm;
import io.fusionauth.jwt.domain.Header;
import io.fusionauth.jwt.domain.JWT;
import io.fusionauth.jwt.json.Mapper;
import java.nio.charset.StandardCharsets;
import java.time.ZoneOffset;
import java.time.ZonedDateTime;
import java.util.Arrays;
import java.util.Base64;
import java.util.Map;
import java.util.Objects;
import java.util.function.Function;

/* loaded from: input_file:io/fusionauth/jwt/JWTDecoder.class */
public class JWTDecoder {
    private int clockSkew = 0;

    public JWT decode(String str, Verifier... verifierArr) {
        Objects.requireNonNull(str);
        Objects.requireNonNull(verifierArr);
        String[] parts = getParts(str);
        Header header = (Header) Mapper.deserialize(base64Decode(parts[0]), Header.class);
        return validate(str, parts, header, (Verifier) Arrays.stream(verifierArr).filter(verifier -> {
            return verifier.canVerify(header.algorithm);
        }).findFirst().orElse(null), verifierArr.length == 0);
    }

    public JWTDecoder withClockSkew(int i) {
        this.clockSkew = i;
        return this;
    }

    public JWT decode(String str, Map<String, Verifier> map) {
        return decode(str, map, header -> {
            return header.getString("kid");
        });
    }

    public JWT decode(String str, Map<String, Verifier> map, Function<Header, String> function) {
        Objects.requireNonNull(str);
        Objects.requireNonNull(map);
        Objects.requireNonNull(function);
        String[] parts = getParts(str);
        Header header = (Header) Mapper.deserialize(base64Decode(parts[0]), Header.class);
        return validate(str, parts, header, map.get(function.apply(header)), map.isEmpty());
    }

    private byte[] base64Decode(String str) {
        try {
            return Base64.getUrlDecoder().decode(str);
        } catch (IllegalArgumentException e) {
            throw new InvalidJWTException("The encoded JWT is not properly Base64 encoded.", e);
        }
    }

    private String[] getParts(String str) {
        String[] split = str.split("\\.");
        if (split.length == 3 || (split.length == 2 && str.endsWith("."))) {
            return split;
        }
        throw new InvalidJWTException("The encoded JWT is not properly formatted. Expected a three part dot separated string.");
    }

    private JWT validate(String str, String[] strArr, Header header, Verifier verifier, boolean z) {
        if (strArr.length == 2) {
            if (!z) {
                throw new NoneNotAllowedException();
            }
            if (header.algorithm != Algorithm.none) {
                throw new MissingSignatureException("Your provided a JWT with the algorithm [" + header.algorithm.getName() + "] but it is missing a signature");
            }
        } else {
            if (header.algorithm == Algorithm.none) {
                throw new InvalidJWTException("You provided a JWT with a signature and an algorithm of none");
            }
            if (verifier == null) {
                throw new MissingVerifierException("No Verifier has been provided for verify a signature signed using [" + header.algorithm.getName() + "]");
            }
            if (!verifier.canVerify(header.algorithm)) {
                throw new MissingVerifierException("No Verifier has been provided for verify a signature signed using [" + header.algorithm.getName() + "]");
            }
            verifySignature(verifier, header, strArr[2], str);
        }
        JWT jwt = (JWT) Mapper.deserialize(base64Decode(strArr[1]), JWT.class);
        jwt.header = header;
        ZonedDateTime now = now();
        if (jwt.isExpired(now.minusSeconds(this.clockSkew))) {
            throw new JWTExpiredException();
        }
        if (jwt.isUnavailableForProcessing(now.plusSeconds(this.clockSkew))) {
            throw new JWTUnavailableForProcessingException();
        }
        return jwt;
    }

    protected ZonedDateTime now() {
        return ZonedDateTime.now(ZoneOffset.UTC);
    }

    private void verifySignature(Verifier verifier, Header header, String str, String str2) {
        verifier.verify(header.algorithm, str2.substring(0, str2.lastIndexOf(46)).getBytes(StandardCharsets.UTF_8), base64Decode(str));
    }
}
