package io.integon;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jwt.SignedJWT;
import java.io.IOException;
import java.net.URL;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.ConcurrentHashMap;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

/* loaded from: input_file:io/integon/JWTValidator.class */
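/**
 * Validates RSA-signed JWTs against a JWKS endpoint and checks a configurable set of
 * claims (issue-time max age, issuer, subject, audience, and one-time use of the JWT ID).
 *
 * <p>Caching: the JWKS of the last endpoint is kept for {@code ttl} ms (hard expiry) and a
 * best-effort reload is attempted once it is older than {@code refreshTimeout} ms. A
 * {@link JWSVerifier} is built per {@code kid} from the cached set and discarded whenever the
 * set is (re)loaded, so a token that references a freshly rotated key is verified against the
 * new key rather than a stale cached one.
 *
 * <p>NOTE(review): the instance carries cache state across calls, so it is presumably shared
 * between request threads. The JWKS cache is therefore guarded with {@code synchronized} and
 * the JTI replay set uses an atomic put-if-absent; confirm against the caller's lifecycle.
 *
 * <p>Not checked here: the JWK {@code use}/{@code alg} attributes and the token's
 * {@code alg} header beyond what {@link RSASSAVerifier} itself rejects.
 */
public class JWTValidator {
    private static final Log log = LogFactory.getLog(JWTValidator.class);
    // Replay set: jti -> TRUE. The whole set is discarded every jtiMapTimeout ms (see checkReplay).
    private ConcurrentHashMap<String, Boolean> jtiMap;
    private JWKSet jwkSet = null;
    private String cachedJwksEndpoint = null;
    private long cachedTimeJWKSet = 0;
    // One verifier per kid, built lazily from jwkSet; cleared whenever jwkSet changes.
    private final Map<String, JWSVerifier> verifierCache = new ConcurrentHashMap<>();
    private long ttl = 3600000;            // hard expiry of the cached JWKS: 1 hour
    private long refreshTimeout = 1800000; // best-effort refresh interval: 30 minutes
    private long jtiMapTimeout = 28800000; // lifetime of the replay set: 8 hours
    private long jtiMapLastCleaned = 0;

    /**
     * Verifies the signature of {@code str} with the key named by its {@code kid} header,
     * taken from the JWKS at {@code str2}.
     *
     * @param str the compact-serialised signed JWT
     * @param str2 the JWKS endpoint URL
     * @return {@code true} when the signature verifies (a failed verification throws instead)
     * @throws Exception if the token cannot be parsed, the JWKS cannot be loaded, the key is
     *     missing or not RSA, or the signature does not verify
     */
    public boolean validateToken(String str, String str2) throws Exception {
        SignedJWT parse;
        try {
            parse = SignedJWT.parse(str);
        } catch (ParseException e) {
            log.error("Failed to parse JWT token: " + e.getMessage());
            throw new Exception("Invalid JWT token", e);
        }
        log.debug("JWT token parsed successfully");
        loadAndCacheJWKSet(str2);
        JWSVerifier verifier = resolveVerifier(parse);
        boolean verified;
        try {
            verified = parse.verify(verifier);
        } catch (JOSEException e) {
            // e.g. a non-RSA "alg" header: treat as a failed verification, not an internal error
            log.debug("JWS verification failed: " + e.getMessage());
            throw new Exception("Failed to validate JWT using the provided JWKS", e);
        }
        if (verified) {
            log.debug("JWT token validated successfully");
            return true;
        }
        log.debug("Failed to validate JWT using the provided JWKS");
        throw new Exception("Failed to validate JWT using the provided JWKS");
    }

    /**
     * Reports whether the {@code exp} claim of {@code str} lies in the past. A token without an
     * {@code exp} claim is reported as expired (fail closed).
     *
     * @param str the compact-serialised signed JWT
     * @return {@code true} if the token is expired or carries no expiration time
     * @throws Exception if the token cannot be parsed
     */
    public boolean isTokenExpired(String str) throws Exception {
        Date expiration;
        try {
            expiration = SignedJWT.parse(str).getJWTClaimsSet().getExpirationTime();
        } catch (ParseException e) {
            log.error("Failed to parse JWT token: " + e.getMessage());
            throw new Exception("Invalid JWT token", e);
        }
        if (expiration == null) {
            log.debug("JWT token has no expiration time claim, treating it as expired");
            return true;
        }
        if (expiration.before(new Date())) {
            log.debug("JWT token is expired");
            return true;
        }
        log.debug("JWT token is not expired");
        return false;
    }

    /**
     * Checks the claims of {@code str} against the expectations in {@code hashMap}. Only keys
     * present in the map are checked: {@code iat} = maximum token age in seconds, {@code iss},
     * {@code sub} and {@code aud} = exact expected values, and {@code jti} = {@code "enabled"}
     * to reject a JWT ID that has already been seen.
     *
     * @param str the compact-serialised signed JWT
     * @param hashMap expected claim values keyed by claim name; {@code null} means no checks
     * @return {@code true} when every configured check passes (a failed check throws instead)
     * @throws Exception if the token cannot be parsed or a configured check fails
     */
    public boolean areClaimsValid(String str, HashMap<String, String> hashMap) throws Exception {
        try {
            SignedJWT parse = SignedJWT.parse(str);
            String maxAge = expected(hashMap, "iat");
            if (maxAge != null) {
                checkIssueTime(parse, maxAge);
            }
            String issuer = expected(hashMap, "iss");
            if (issuer != null) {
                checkStringClaim("issuer", issuer, parse.getJWTClaimsSet().getIssuer());
            }
            String subject = expected(hashMap, "sub");
            if (subject != null) {
                checkStringClaim("subject", subject, parse.getJWTClaimsSet().getSubject());
            }
            String audience = expected(hashMap, "aud");
            if (audience != null) {
                if (!parse.getJWTClaimsSet().getAudience().contains(audience)) {
                    log.debug("JWT token audience claim does not match the expected value: " + audience);
                    throw new Exception("JWT token audience claim does not match the expected value");
                }
                log.debug("JWT token audience claim matches the expected value");
            }
            // equals(), not ==: the configured value is generally not the interned literal
            if ("enabled".equals(expected(hashMap, "jti"))) {
                checkReplay(parse.getJWTClaimsSet().getJWTID());
                log.debug("JWT token JTI claim is valid");
            }
            log.debug("JWT token claims are valid");
            return true;
        } catch (ParseException e) {
            log.error("Failed to parse JWT token: " + e.getMessage());
            throw new Exception("Invalid JWT token", e);
        }
    }

    /** Null-safe lookup of a configured expectation. */
    private static String expected(HashMap<String, String> hashMap, String key) {
        return hashMap == null ? null : hashMap.get(key);
    }

    /**
     * Rejects the token if its {@code iat} is older than {@code maxAgeSeconds}, or missing.
     * A non-numeric {@code maxAgeSeconds} disables the check, as before.
     */
    private void checkIssueTime(SignedJWT jwt, String maxAgeSeconds) throws Exception {
        if (!isLongParseable(maxAgeSeconds)) {
            log.debug("JWT token issue time claim is not a valid long value, this claim will be ignored");
            return;
        }
        Date issueTime = jwt.getJWTClaimsSet().getIssueTime();
        if (issueTime == null) {
            log.debug("JWT token has no issue time claim");
            throw new Exception("JWT token issue time claim is missing");
        }
        Date oldestAccepted = new Date(System.currentTimeMillis() - Long.parseLong(maxAgeSeconds) * 1000);
        if (issueTime.before(oldestAccepted)) {
            log.debug("JWT token issue time claim is too old");
            throw new Exception("JWT token issue time claim is too old");
        }
        log.debug("JWT token issue time claim is not too old");
    }

    /**
     * Requires {@code actual} to equal {@code expectedValue}; a missing claim ({@code null})
     * is a mismatch. {@code label} names the claim in log and error messages.
     */
    private void checkStringClaim(String label, String expectedValue, String actual) throws Exception {
        if (!expectedValue.equals(actual)) {
            log.debug("JWT token " + label + " claim does not match the expected value: " + expectedValue);
            throw new Exception("JWT token " + label + " claim does not match the expected value");
        }
        log.debug("JWT token " + label + " claim matches the expected value");
    }

    /**
     * Records {@code jti} and rejects it if it was already seen. The replay set is recreated
     * every {@code jtiMapTimeout} ms; a token whose lifetime exceeds that window could be
     * replayed after the reset, so keep {@code jtiMapTimeout} above the longest token lifetime.
     */
    private void checkReplay(String jti) throws Exception {
        if (jti == null) {
            log.debug("JTI check is enabled but the JWT token has no JWT ID claim");
            throw new Exception("JWT token has no JWT ID claim");
        }
        ConcurrentHashMap<String, Boolean> seen;
        synchronized (this) {
            long now = System.currentTimeMillis();
            if (this.jtiMap == null || now - this.jtiMapLastCleaned > this.jtiMapTimeout) {
                this.jtiMap = new ConcurrentHashMap<>();
                this.jtiMapLastCleaned = now;
                log.debug("Created a new JTI map");
            }
            seen = this.jtiMap;
        }
        // putIfAbsent makes check-and-record atomic for two concurrent uses of the same jti
        if (seen.putIfAbsent(jti, Boolean.TRUE) != null) {
            log.debug("JWT with this JWT ID has already been used: " + jti);
            throw new Exception("JWT with this JWT ID has already been used");
        }
        log.debug("Added JWT ID to the JTI map");
    }

    /** Drops the cached JWKS, its endpoint/timestamp and every verifier built from it. */
    private synchronized void clearCache() {
        this.jwkSet = null;
        this.cachedJwksEndpoint = null;
        this.cachedTimeJWKSet = 0L;
        this.verifierCache.clear();
        log.debug("Cleared the cached values");
    }

    /** Replaces the cached JWKS and invalidates verifiers built from the previous one. */
    private synchronized void installJwkSet(JWKSet set, String endpoint) {
        this.jwkSet = set;
        this.cachedJwksEndpoint = endpoint;
        this.cachedTimeJWKSet = System.currentTimeMillis();
        this.verifierCache.clear();
    }

    /**
     * Returns the verifier for the key named by the token's {@code kid} header, building and
     * caching it on first use.
     *
     * @throws Exception if the header has no {@code kid}, the kid is not in the cached JWKS,
     *     or the key cannot be turned into an RSA verifier
     */
    private JWSVerifier resolveVerifier(SignedJWT signedJWT) throws Exception {
        JWSHeader header = signedJWT.getHeader();
        String keyID = header == null ? null : header.getKeyID();
        if (keyID == null) {
            log.debug("Invalid JWT token: JWT header or key id is null");
            throw new Exception("Invalid JWT token");
        }
        JWSVerifier cached = this.verifierCache.get(keyID);
        if (cached != null) {
            return cached;
        }
        JWK jwk;
        String endpoint;
        synchronized (this) {
            endpoint = this.cachedJwksEndpoint;
            jwk = this.jwkSet == null ? null : this.jwkSet.getKeyByKeyId(keyID);
        }
        if (jwk == null) {
            log.debug(keyID + " not found in JWKS Endpoint: " + endpoint);
            throw new Exception("Failed to validate JWT using the provided JWKS");
        }
        log.debug(keyID + " found in JWKS Endpoint: " + endpoint);
        JWSVerifier verifier = buildVerifier(jwk, keyID);
        this.verifierCache.put(keyID, verifier);
        return verifier;
    }

    /** Converts an RSA JWK into an {@link RSASSAVerifier}; any other key type is rejected. */
    private JWSVerifier buildVerifier(JWK jwk, String keyID) throws Exception {
        if (!(jwk instanceof RSAKey)) {
            log.debug(keyID + " is not an RSA key, only RSA keys are supported");
            throw new Exception("Failed to validate JWT using the provided JWKS");
        }
        try {
            RSAPublicKey publicKey = ((RSAKey) jwk).toRSAPublicKey();
            log.debug("Converted JWK to RSA public key");
            JWSVerifier verifier = new RSASSAVerifier(publicKey);
            log.debug("Verifier created successfully");
            return verifier;
        } catch (JOSEException e) {
            clearCache();
            log.error("Failed to convert JWK to RSA public key: " + e.getMessage());
            throw new Exception("Failed to convert JWK to RSA public key", e);
        }
    }

    /**
     * Ensures a usable JWKS for {@code str} is cached. Within {@code ttl} the cached set is
     * kept; once it is older than {@code refreshTimeout} a reload is attempted but a failure
     * keeps the cached set. Outside {@code ttl}, or for a different endpoint, the set must load.
     *
     * @throws Exception if no cached set is usable and the endpoint cannot be loaded
     */
    private synchronized void loadAndCacheJWKSet(String str) throws Exception {
        long now = System.currentTimeMillis();
        boolean cacheUsable = this.jwkSet != null
                && this.cachedTimeJWKSet + this.ttl >= now
                && Objects.equals(str, this.cachedJwksEndpoint);
        if (cacheUsable) {
            if (this.cachedTimeJWKSet + this.refreshTimeout < now) {
                try {
                    installJwkSet(JWKSet.load(new URL(str)), str);
                    log.debug("JWK set loaded from the provided endpoint (refresh): " + str);
                } catch (IOException | ParseException e) {
                    // best effort: keep serving the still-valid cached set
                    log.warn("Failed to refresh JWKS from the provided endpoint: " + str
                            + " because " + e.getMessage() + "; keeping the cached JWK set");
                }
            }
            return;
        }
        clearCache();
        try {
            installJwkSet(JWKSet.load(new URL(str)), str);
            log.debug("JWK set loaded from the provided endpoint: " + str);
        } catch (IOException | ParseException e2) {
            log.error("Failed to load JWKS from the provided endpoint: " + str + " because " + e2.getMessage());
            throw new Exception("Failed to load JWKS from the provided endpoint", e2);
        }
    }

    /**
     * Sets the JWKS cache timeouts, both given in seconds. A value that is not a long leaves
     * the corresponding default in place.
     *
     * @param str hard expiry of the cached JWKS (default 1 hour)
     * @param str2 best-effort refresh interval (default 30 minutes)
     */
    public synchronized void setCacheTimeouts(String str, String str2) {
        if (isLongParseable(str)) {
            this.ttl = Long.parseLong(str) * 1000;
            log.debug("Set the JWK timeout to " + str + " seconds");
        } else {
            log.debug(str + " is not a valid value for the JWK timeout. Defaulting to 1 hour.");
        }
        if (isLongParseable(str2)) {
            this.refreshTimeout = Long.parseLong(str2) * 1000;
            log.debug("Set the JWK refresh timeout to " + str2 + " seconds");
        } else {
            log.debug(str2 + " is not a valid value for the JWK refresh timeout. Defaulting to 30 minutes.");
        }
    }

    /** Whether {@code str} parses as a {@code long}; {@code null} does not. */
    private boolean isLongParseable(String str) {
        try {
            Long.parseLong(str);
            log.debug(str + " is a valid long value");
            return true;
        } catch (NumberFormatException e) {
            return false;
        }
    }
}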
