package software.sandc.springframework.security.jwt.impl.consumer;

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.ExpiredJwtException;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.JwtParser;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SigningKeyResolver;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.security.authentication.InsufficientAuthenticationException;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.util.Assert;
import software.sandc.springframework.security.jwt.JWTRequestResponseHandler;
import software.sandc.springframework.security.jwt.consumer.JWTAuthorityConnector;
import software.sandc.springframework.security.jwt.consumer.JWTConsumer;
import software.sandc.springframework.security.jwt.impl.DefaultJWTRequestResponseHandler;
import software.sandc.springframework.security.jwt.impl.DefaultSigningKeyResolver;
import software.sandc.springframework.security.jwt.model.JWTAuthentication;
import software.sandc.springframework.security.jwt.model.JWTContext;
import software.sandc.springframework.security.jwt.model.TokenContainer;
import software.sandc.springframework.security.jwt.model.exception.ExpiredTokenException;
import software.sandc.springframework.security.jwt.model.exception.InvalidTokenException;
import software.sandc.springframework.security.jwt.model.parameter.DisableXSRFParameter;
import software.sandc.springframework.security.jwt.model.parameter.IgnoreExpiryParameter;
import software.sandc.springframework.security.jwt.model.parameter.Parameters;
import software.sandc.springframework.security.jwt.util.BooleanUtils;

/* loaded from: input_file:software/sandc/springframework/security/jwt/impl/consumer/DefaultJWTConsumer.class */
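/**
 * Default {@link JWTConsumer}: takes the token from a request through the configured
 * {@link JWTRequestResponseHandler}, verifies it with keys supplied by the
 * {@link SigningKeyResolver}, checks the XSRF claim against the value sent with the
 * request, and publishes the resulting authentication to the {@link SecurityContextHolder}.
 *
 * <p>The claim names for authorities, session id and XSRF token are configurable through
 * the setters; the defaults are the {@code SPRING_SECURITY_JWT_*_PARAMETER_NAME} constants.
 */
public class DefaultJWTConsumer implements JWTConsumer, InitializingBean {
    // Clock skew applied when the caller asks for expiry to be ignored (see validate).
    protected static final Integer TEN_YEARS_IN_SECONDS = 315360000;
    public static final String SPRING_SECURITY_JWT_XSRF_PARAMETER_NAME = "xsrf-token";
    public static final String SPRING_SECURITY_JWT_SESSION_ID_PARAMETER_NAME = "jti";
    public static final String SPRING_SECURITY_JWT_AUTHORITIES_PARAMETER_NAME = "authorities";
    protected String authoritiesParameterName = SPRING_SECURITY_JWT_AUTHORITIES_PARAMETER_NAME;
    protected String sessionIdParameterName = SPRING_SECURITY_JWT_SESSION_ID_PARAMETER_NAME;
    protected String xsrfParameterName = SPRING_SECURITY_JWT_XSRF_PARAMETER_NAME;
    protected JWTAuthorityConnector jwtAuthorityConnector;
    protected SigningKeyResolver signingKeyResolver;
    protected JWTRequestResponseHandler jwtRequestResponseHandler;

    /** Creates a consumer whose collaborators are injected through the setters. */
    public DefaultJWTConsumer() {
    }

    /**
     * Creates a consumer bound to the given authority connector.
     *
     * @param jWTAuthorityConnector connector used for token renewal and, by default, key resolution
     */
    public DefaultJWTConsumer(JWTAuthorityConnector jWTAuthorityConnector) {
        this.jwtAuthorityConnector = jWTAuthorityConnector;
    }

    /**
     * Verifies the mandatory authority connector is set and installs the default request
     * handler and signing key resolver where none was configured.
     *
     * @throws Exception declared by {@link InitializingBean}; an unset connector fails the assertion
     */
    @Override
    public void afterPropertiesSet() throws Exception {
        Assert.notNull(this.jwtAuthorityConnector, "jwtAuthorityConnector must be specified");
        if (this.jwtRequestResponseHandler == null) {
            this.jwtRequestResponseHandler = new DefaultJWTRequestResponseHandler();
        }
        if (this.signingKeyResolver == null) {
            this.signingKeyResolver = new DefaultSigningKeyResolver(this.jwtAuthorityConnector);
        }
    }

    /**
     * Authenticates a request from the token it carries.
     *
     * <p>An expired token is handed to the authority connector for renewal; every other
     * validation failure propagates to the caller. An authenticated context is stored in
     * the security context and its token is written back to the response.
     *
     * @param httpServletRequest request that may carry a token
     * @param httpServletResponse response that receives the (possibly renewed) token
     * @return the resulting context, or {@code null} when the request carries no token
     */
    @Override // software.sandc.springframework.security.jwt.consumer.JWTConsumer
    public JWTContext authenticateJWTRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        TokenContainer tokenFromRequest = this.jwtRequestResponseHandler.getTokenFromRequest(httpServletRequest);
        if (tokenFromRequest == null) {
            return null;
        }
        JWTContext jWTContext;
        try {
            // NOTE(review): these parameters are derived from the request. Confirm the handler
            // cannot produce IgnoreExpiryParameter from client-controlled input, because
            // validate() then accepts tokens that expired long ago.
            jWTContext = validate(tokenFromRequest, this.jwtRequestResponseHandler.getParametersFromRequest(httpServletRequest));
        } catch (ExpiredTokenException e) {
            // Only expiry leads to renewal; the authority connector decides whether to renew.
            jWTContext = this.jwtAuthorityConnector.requestRenew(httpServletRequest);
        }
        handleJWTContext(httpServletRequest, httpServletResponse, jWTContext);
        return jWTContext;
    }

    /**
     * Verifies the token's signature and XSRF value and builds the context from its claims.
     *
     * @param tokenContainer JWT token and the XSRF value supplied alongside it
     * @param parameters optional flags; {@link IgnoreExpiryParameter} relaxes the expiry check and
     *        {@link DisableXSRFParameter} selects the mode recorded in the returned token container
     * @return context holding the authentication and the token container
     * @throws InvalidTokenException if the container or token is missing or the token cannot be verified
     * @throws ExpiredTokenException if the token is expired
     * @throws InsufficientAuthenticationException if the XSRF value does not match the claim
     */
    @Override // software.sandc.springframework.security.jwt.consumer.JWTConsumer
    public JWTContext validate(TokenContainer tokenContainer, Parameters parameters) throws InvalidTokenException, ExpiredTokenException {
        if (tokenContainer == null) {
            throw new InvalidTokenException("Token container is empty");
        }
        String jwtToken = tokenContainer.getJwtToken();
        if (jwtToken == null || jwtToken.trim().isEmpty()) {
            // Report a blank token as invalid here instead of leaving it to whatever the
            // parser raises for it, so callers see the exception type this method declares.
            throw new InvalidTokenException("Token container does not hold a JWT token");
        }
        JwtParser parser = Jwts.parser().setSigningKeyResolver(this.signingKeyResolver);
        if (parameters != null && BooleanUtils.isTrue((Boolean) parameters.getValueOf(IgnoreExpiryParameter.class)).booleanValue()) {
            // Expiry is "ignored" by widening the allowed clock skew to ten years.
            // NOTE(review): the skew is expected to relax not-before checks as well; confirm
            // against the jjwt version in use.
            parser = parser.setAllowedClockSkewSeconds(TEN_YEARS_IN_SECONDS.intValue());
        }
        String jWTModeFromParameters = getJWTModeFromParameters(parameters);
        try {
            // parseClaimsJws only accepts signed claims tokens, so unsigned input ends up in
            // the JwtException handler below.
            Claims claims = parser.parseClaimsJws(jwtToken).getBody();
            String xsrfToken = tokenContainer.getXsrfToken();
            // The XSRF check runs whatever the mode is; DisableXSRFParameter only changes the
            // mode string stored in the returned container.
            validateXSRF(claims, xsrfToken);
            return createJWTContext(extractPrincipal(claims), extractSessionId(claims), xsrfToken, getAuthorities(claims), jWTModeFromParameters, jwtToken);
        } catch (ExpiredJwtException e) {
            // Must come before JwtException: ExpiredJwtException is one of its subclasses, and
            // catching the parent first would report expired tokens as invalid and keep the
            // renewal path in authenticateJWTRequest from ever running.
            throw new ExpiredTokenException("JWT Token is expired.");
        } catch (JwtException e) {
            throw new InvalidTokenException("JWT Token is invalid.", e);
        }
    }

    /** @param signingKeyResolver resolver that supplies the key for signature verification */
    public void setSigningKeyResolver(SigningKeyResolver signingKeyResolver) {
        this.signingKeyResolver = signingKeyResolver;
    }

    /** @param jWTAuthorityConnector connector used for renewal and default key resolution */
    public void setJWTAuthorityConnector(JWTAuthorityConnector jWTAuthorityConnector) {
        this.jwtAuthorityConnector = jWTAuthorityConnector;
    }

    /** @param jWTRequestResponseHandler handler that reads tokens from requests and writes them to responses */
    public void setJwtRequestResponseHandler(JWTRequestResponseHandler jWTRequestResponseHandler) {
        this.jwtRequestResponseHandler = jWTRequestResponseHandler;
    }

    /** @return the handler that reads tokens from requests and writes them to responses */
    public JWTRequestResponseHandler getJwtRequestResponseHandler() {
        return this.jwtRequestResponseHandler;
    }

    /** @param str name of the claim holding the comma-separated authorities */
    public void setAuthoritiesParameterName(String str) {
        this.authoritiesParameterName = str;
    }

    /** @param str name of the claim holding the expected XSRF token */
    public void setXsrfParameterName(String str) {
        this.xsrfParameterName = str;
    }

    /** @param str name of the claim holding the session id */
    public void setSessionIdParameterName(String str) {
        this.sessionIdParameterName = str;
    }

    /**
     * Publishes an authenticated context: stores its authentication in the security context
     * and writes its token to the response. A {@code null} or unauthenticated context is ignored.
     *
     * @param httpServletRequest current request
     * @param httpServletResponse response that receives the token
     * @param jWTContext context to publish, may be {@code null}
     */
    protected void handleJWTContext(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, JWTContext jWTContext) {
        if (jWTContext == null || !jWTContext.isAuthenticated()) {
            return;
        }
        SecurityContextHolder.getContext().setAuthentication(jWTContext.getAuthentication());
        this.jwtRequestResponseHandler.putTokenToResponse(httpServletRequest, httpServletResponse, jWTContext.getTokenContainer());
    }

    /**
     * Checks the XSRF value supplied with the request against the token's XSRF claim.
     *
     * @param claims verified claims of the token
     * @param str XSRF value supplied alongside the token, may be {@code null}
     * @throws InsufficientAuthenticationException if the claim is present and the value differs
     */
    protected void validateXSRF(Claims claims, String str) {
        String expected = claims.get(this.xsrfParameterName, String.class);
        if (expected == null) {
            // NOTE(review): a token without the claim passes whatever value was supplied;
            // confirm that tokens issued for browser use always carry it.
            return;
        }
        // MessageDigest.isEqual does not stop at the first differing byte, so the time taken
        // does not reveal how much of a guessed value was correct.
        boolean matches = str != null
                && MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8), str.getBytes(StandardCharsets.UTF_8));
        if (!matches) {
            throw new InsufficientAuthenticationException("XSRF Token is not valid.");
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Returns the token subject as the principal.
     *
     * @param claims verified claims of the token
     * @return the non-empty subject
     * @throws InvalidTokenException if the subject is missing or empty
     */
    public String extractPrincipal(Claims claims) {
        String subject = claims.getSubject();
        if (subject == null || subject.isEmpty()) {
            throw new InvalidTokenException("A valid token must provide a non-empty principal value.");
        }
        return subject;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Reads the session id claim.
     *
     * @param claims verified claims of the token
     * @return the claim value, or {@code null} when the token has none
     */
    public String extractSessionId(Claims claims) {
        return claims.get(this.sessionIdParameterName, String.class);
    }

    /**
     * Builds granted authorities from the comma-separated authorities claim.
     *
     * @param claims verified claims of the token
     * @return one authority per comma-separated segment, or {@code null} when the claim is
     *         missing or empty
     */
    protected Collection<GrantedAuthority> getAuthorities(Claims claims) {
        String joined = claims.get(this.authoritiesParameterName, String.class);
        if (joined == null || joined.isEmpty()) {
            // Kept as null (not an empty list) because JWTAuthentication receives this value as is.
            return null;
        }
        // Segments are used verbatim: no trimming, no filtering.
        String[] names = joined.split(",");
        List<GrantedAuthority> authorities = new ArrayList<>(names.length);
        for (String name : names) {
            authorities.add(new SimpleGrantedAuthority(name));
        }
        return authorities;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Assembles the context from the values extracted during validation.
     *
     * @param str principal
     * @param str2 session id
     * @param str3 XSRF token
     * @param collection granted authorities, may be {@code null}
     * @param str4 JWT mode
     * @param str5 raw JWT token
     * @return context wrapping a new authentication and token container
     */
    public JWTContext createJWTContext(String str, String str2, String str3, Collection<? extends GrantedAuthority> collection, String str4, String str5) {
        JWTAuthentication authentication = new JWTAuthentication(str, str2, collection);
        TokenContainer container = new TokenContainer(str4, str5, str3);
        return new JWTContext(authentication, container);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Picks the JWT mode for the returned token container.
     *
     * @param parameters optional flags, may be {@code null}
     * @return the app mode value when {@link DisableXSRFParameter} is true, otherwise the web mode value
     */
    public String getJWTModeFromParameters(Parameters parameters) {
        if (parameters != null && BooleanUtils.isTrue((Boolean) parameters.getValueOf(DisableXSRFParameter.class)).booleanValue()) {
            return DefaultJWTRequestResponseHandler.SPRING_SECURITY_JWT_REQUEST_HEADER_JWT_MODE_VALUE_APP;
        }
        return DefaultJWTRequestResponseHandler.SPRING_SECURITY_JWT_REQUEST_HEADER_JWT_MODE_VALUE_WEB;
    }
}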
