package org.cloudfoundry.multiapps.controller.core.security.token.parsers;

import java.util.Map;
import javax.inject.Inject;
import javax.inject.Named;
import org.cloudfoundry.multiapps.controller.client.uaa.UAAClient;
import org.cloudfoundry.multiapps.controller.client.util.TokenFactory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.core.annotation.Order;
import org.springframework.security.authentication.InternalAuthenticationServiceException;
import org.springframework.security.jwt.JwtHelper;
import org.springframework.security.jwt.crypto.sign.InvalidSignatureException;
import org.springframework.security.jwt.crypto.sign.MacSigner;
import org.springframework.security.jwt.crypto.sign.RsaVerifier;
import org.springframework.security.jwt.crypto.sign.SignatureVerifier;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;

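/**
 * {@link TokenParser} that accepts a token string only after its JWT signature has been
 * verified with the token key obtained through the {@link UAAClient}, and then builds the
 * {@link OAuth2AccessToken} with the injected {@link TokenFactory}.
 *
 * <p>The verifier algorithm is taken from the key returned by the UAA client, never from the
 * token being checked, so the token cannot choose how it is verified.
 *
 * <p>NOTE(review): only the signature check is visible in this class. Claim validation such as
 * expiry or audience is presumably done by the token factory or a later filter; confirm.
 */
@Named
@Order(0)
public class JwtTokenParser implements TokenParser {
    private static final Logger LOGGER = LoggerFactory.getLogger(JwtTokenParser.class);
    protected final TokenFactory tokenFactory;
    // Cached verification key. Volatile because it is read outside the lock in
    // getCachedTokenKey() and rewritten without the lock in verifyToken()'s refresh path.
    private volatile TokenKey tokenKey;
    private final UAAClient uaaClient;

    /** Immutable pair of key material and the algorithm name reported together with it. */
    public static class TokenKey {
        private final String value;
        private final String algorithm;

        TokenKey(String value, String algorithm) {
            this.value = value;
            this.algorithm = algorithm;
        }

        String getValue() {
            return this.value;
        }

        String getAlgorithm() {
            return this.algorithm;
        }
    }

    /**
     * @param tokenFactory factory used to build the access token once the signature is verified
     * @param uAAClient client used to read the token verification key
     */
    @Inject
    public JwtTokenParser(TokenFactory tokenFactory, UAAClient uAAClient) {
        this.tokenFactory = tokenFactory;
        this.uaaClient = uAAClient;
    }

    /**
     * Verifies the signature of the given token string and converts it to an access token.
     *
     * <p>Only {@link IllegalStateException} is handled here; any other exception raised during
     * verification is not caught by this method.
     *
     * @param str the serialized token
     * @return the parsed token, or {@code null} if an {@link IllegalStateException} was raised
     *     while verifying or creating it; callers must not treat {@code null} as a valid token
     */
    @Override
    public OAuth2AccessToken parse(String str) {
        try {
            verifyToken(str);
            return this.tokenFactory.createToken(str);
        } catch (IllegalStateException e) {
            // The token itself is deliberately not logged.
            LOGGER.debug("Error parsing jwt token", e);
            return null;
        }
    }

    /**
     * Verifies the token signature with the cached key; if that fails, reloads the key once and
     * verifies again, so that a key rotated on the UAA side is picked up.
     *
     * <p>NOTE(review): every token that fails the first check causes one key read through the
     * UAA client. If this parser is reachable with unauthenticated input, consider throttling
     * the refresh (for example a minimum interval between reloads).
     *
     * @param str the serialized token
     * @throws InvalidTokenException if the signature is still invalid after the key reload
     */
    protected void verifyToken(String str) {
        try {
            decodeAndVerify(str);
        } catch (InvalidTokenException e) {
            refreshTokenKey();
            decodeAndVerify(str);
        }
    }

    /** Runs the signature check and maps a signature failure to {@link InvalidTokenException}. */
    private void decodeAndVerify(String token) {
        try {
            JwtHelper.decodeAndVerify(token, getSignatureVerifier(getCachedTokenKey()));
        } catch (InvalidSignatureException e) {
            throw new InvalidTokenException(e.getMessage(), e);
        }
    }

    /** Returns the cached key, loading it on first use (double-checked locking on a volatile). */
    private TokenKey getCachedTokenKey() {
        // Single volatile read on the fast path; the local also guarantees that the value that
        // was null-checked is the value returned.
        TokenKey key = this.tokenKey;
        if (key == null) {
            synchronized (this) {
                key = this.tokenKey;
                if (key == null) {
                    key = readTokenKey();
                    this.tokenKey = key;
                }
            }
        }
        return key;
    }

    /** Replaces the cached key with a freshly read one. */
    private void refreshTokenKey() {
        this.tokenKey = readTokenKey();
    }

    /**
     * Builds the verifier for the algorithm named by the key. Only the RSA/SHA-256 and
     * HMAC/SHA-256 names below are accepted; everything else is rejected instead of falling
     * back to a default.
     *
     * @throws InternalAuthenticationServiceException if the algorithm name is not supported
     */
    private static SignatureVerifier getSignatureVerifier(TokenKey tokenKey) {
        // Declared as the common interface: RsaVerifier and MacSigner are unrelated classes.
        final SignatureVerifier verifier;
        String algorithm = tokenKey.getAlgorithm();
        if (algorithm.equals("SHA256withRSA") || algorithm.equals("RS256")) {
            verifier = new RsaVerifier(tokenKey.getValue());
        } else if (algorithm.equals("HMACSHA256") || algorithm.equals("HS256")) {
            verifier = new MacSigner(tokenKey.getValue());
        } else {
            throw new InternalAuthenticationServiceException("Unsupported verifier algorithm " + algorithm);
        }
        return verifier;
    }

    /**
     * Reads the key through the UAA client and extracts its {@code value} and {@code alg}
     * entries.
     *
     * @throws InternalAuthenticationServiceException if either entry is missing
     */
    private TokenKey readTokenKey() {
        Map<?, ?> response = this.uaaClient.readTokenKey();
        Object value = response.get("value");
        Object algorithm = response.get("alg");
        if (value == null || algorithm == null) {
            throw new InternalAuthenticationServiceException("Response from /token_key does not contain a key value or an algorithm");
        }
        return new TokenKey(value.toString(), algorithm.toString());
    }
}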
