package de.gwdg.cdstar.ext.auth.jwt;

import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.AlgorithmMismatchException;
import com.auth0.jwt.exceptions.TokenExpiredException;
import com.auth0.jwt.impl.PublicClaims;
import com.auth0.jwt.interfaces.Claim;
import com.auth0.jwt.interfaces.DecodedJWT;
import de.gwdg.cdstar.Utils;
import de.gwdg.cdstar.auth.StringPermission;
import de.gwdg.cdstar.runtime.Config;
import de.gwdg.cdstar.runtime.ConfigException;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.nio.file.Paths;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.X509EncodedKeySpec;
import java.util.ArrayList;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;

/* loaded from: input_file:de/gwdg/cdstar/ext/auth/jwt/JWTIssuerConfig.class */
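/**
 * Per-issuer configuration of the JWT realm: the verification keys and the
 * algorithm whitelist used for tokens from one issuer, plus the static
 * permissions granted to every principal that issuer authenticates.
 *
 * Signature verification only consults the algorithms registered in
 * {@link #algos}, so an "alg" header that was not configured for this issuer
 * (including "none") is rejected before any signature check is attempted.
 *
 * NOTE(review): neither "iss" nor "aud" is checked in this class; presumably
 * the realm matches "iss" before dispatching here — confirm against JWTRealm.
 */
class JWTIssuerConfig {
    /** Name of the config section; also the default for "iss" and "domain". */
    private final String name;
    /** Expected "iss" claim value (defaults to {@link #name}). */
    private final String iss;
    /** Domain reported for principals of this issuer (defaults to {@link #name}). */
    private final String domain;
    /** Clock-skew tolerance in seconds applied to "nbf" and "exp". */
    private final int leeway;
    /** Only a trusted issuer may inject permissions through "cdstar:*" claims. */
    private final boolean trusted;
    private final JWTRealm realm;
    /** Verifiers keyed by JWT "alg" name (e.g. "RS256"); acts as the whitelist. */
    private final Map<String, Algorithm> algos = new HashMap<>();
    /** Permissions granted unconditionally to every token from this issuer. */
    private final List<StringPermission> permits = new ArrayList<>();

    /**
     * Builds the issuer configuration from its config section.
     *
     * Recognised keys: "iss", "domain", "leeway" (seconds, default 0),
     * "trusted", "permit" (array of permission strings), "hmac" (base64 secret),
     * "rsa" / "ecdsa" (public key, see {@link #loadKey}) and "alg" (whitelist
     * narrowing the algorithms derived from the loaded keys).
     *
     * @param jWTRealm realm this issuer belongs to
     * @param str      section name, used as default issuer and domain
     * @param config   the issuer's config section
     * @throws ConfigException if key material cannot be read or is of the
     *                         wrong type, or if "alg" lists an algorithm that
     *                         no loaded key supports
     */
    public JWTIssuerConfig(JWTRealm jWTRealm, String str, Config config) throws ConfigException {
        this.realm = jWTRealm;
        this.name = str;
        config.setDefault("leeway", "0");
        this.iss = config.get(PublicClaims.ISSUER, str);
        this.domain = config.get("domain", str);
        this.leeway = config.getInt("leeway");
        this.trusted = config.getBool("trusted");
        if (config.hasKey("permit")) {
            for (String permit : config.getArray("permit")) {
                this.permits.add(StringPermission.parse(permit));
            }
        }
        if (config.hasKey("hmac")) {
            setHmac(Utils.base64decode(config.get("hmac")));
        }
        try {
            if (config.hasKey("rsa")) {
                setRsaKey(loadKey("RSA", config.get("rsa"), RSAPublicKey.class));
            }
            if (config.hasKey("ecdsa")) {
                setEcdsaKey(loadKey("EC", config.get("ecdsa"), ECPublicKey.class));
            }
            if (config.hasKey(PublicClaims.ALGORITHM)) {
                restrictAlgorithms(config.getList(PublicClaims.ALGORITHM));
            }
        } catch (IOException | NoSuchAlgorithmException | CertificateException | InvalidKeySpecException e) {
            throw new ConfigException("Failed to load public keys", e);
        }
    }

    /**
     * Loads a public key. The form of {@code spec} is chosen by its suffix:
     * ".pem" / ".pub" is parsed as an X.509 certificate whose subject key is
     * used, ".der" as a DER-encoded SubjectPublicKeyInfo file, and anything
     * else as base64 SubjectPublicKeyInfo given inline in the configuration.
     *
     * NOTE(review): a certificate is only used as a key container here — its
     * validity period and chain are not checked. An OpenSSH-style ".pub" file
     * is not an X.509 certificate and will fail to parse.
     *
     * @param keyAlgorithm JCA key algorithm ("RSA" or "EC") for the DER/base64 forms
     * @param spec         file path or inline base64 key
     * @param expected     key interface the caller needs
     * @throws ConfigException if the loaded key is not of the expected type
     *                         (previously a bare ClassCastException)
     */
    private <T extends PublicKey> T loadKey(String keyAlgorithm, String spec, Class<T> expected)
            throws CertificateException, IOException, InvalidKeySpecException, NoSuchAlgorithmException, ConfigException {
        PublicKey key;
        if (spec.endsWith(".pem") || spec.endsWith(".pub")) {
            CertificateFactory factory = CertificateFactory.getInstance("X.509");
            // try-with-resources: the stream was previously never closed
            try (InputStream in = Files.newInputStream(Paths.get(spec))) {
                key = ((X509Certificate) factory.generateCertificate(in)).getPublicKey();
            }
        } else if (spec.endsWith(".der")) {
            byte[] der = Files.readAllBytes(Paths.get(spec));
            key = KeyFactory.getInstance(keyAlgorithm).generatePublic(new X509EncodedKeySpec(der));
        } else {
            byte[] der = Utils.base64decode(spec);
            key = KeyFactory.getInstance(keyAlgorithm).generatePublic(new X509EncodedKeySpec(der));
        }
        if (!expected.isInstance(key)) {
            throw new ConfigException("Configured " + keyAlgorithm + " key is not a "
                    + expected.getSimpleName() + " (got " + key.getAlgorithm() + ")");
        }
        return expected.cast(key);
    }

    /**
     * Narrows {@link #algos} to the configured "alg" whitelist. Every listed
     * name must already be backed by loaded key material, so "none" (or an
     * algorithm whose key was not configured) is rejected at startup.
     */
    private void restrictAlgorithms(List<String> allowed) throws ConfigException {
        this.algos.keySet().removeIf(alg -> !allowed.contains(alg));
        for (String alg : allowed) {
            if (!this.algos.containsKey(alg)) {
                throw new ConfigException("Algorithm " + alg + " not known or not supported with current configuration.");
            }
        }
    }

    /** Registers ES256/ES384/ES512 verifiers backed by the given public key. */
    private void setEcdsaKey(ECPublicKey eCPublicKey) {
        addAlgo(Algorithm.ECDSA256(eCPublicKey, null));
        addAlgo(Algorithm.ECDSA384(eCPublicKey, null));
        addAlgo(Algorithm.ECDSA512(eCPublicKey, null));
    }

    /** Registers RS256/RS384/RS512 verifiers backed by the given public key. */
    private void setRsaKey(RSAPublicKey rSAPublicKey) {
        addAlgo(Algorithm.RSA256(rSAPublicKey, null));
        addAlgo(Algorithm.RSA384(rSAPublicKey, null));
        addAlgo(Algorithm.RSA512(rSAPublicKey, null));
    }

    /** Registers HS256/HS384/HS512 verifiers using the given shared secret. */
    private void setHmac(byte[] bArr) {
        addAlgo(Algorithm.HMAC256(bArr));
        addAlgo(Algorithm.HMAC384(bArr));
        addAlgo(Algorithm.HMAC512(bArr));
    }

    /** Adds a verifier under its JWT "alg" name, replacing any earlier one. */
    private void addAlgo(Algorithm algorithm) {
        this.algos.put(algorithm.getName(), algorithm);
    }

    public String getIss() {
        return this.iss;
    }

    public String getName() {
        return this.name;
    }

    /**
     * Verifies the token and builds its principal.
     *
     * The principal's permissions are this issuer's static {@link #permits}
     * plus, for a trusted issuer only, what the token carries: "cdstar:grant"
     * entries (restricted to the "vault:" and "archive:" namespaces),
     * "cdstar:read" vault names (granting read) and "cdstar:create" vault names
     * (granting read and create). The same claims on a token from an untrusted
     * issuer are logged and ignored.
     *
     * Package-private in the original source (the decompiler widened it).
     *
     * @throws AlgorithmMismatchException if the "alg" header is not configured for this issuer
     * @throws TokenExpiredException      if "nbf" or "exp" reject the token
     */
    public JWTPrincipal fromToken(DecodedJWT decodedJWT) {
        verify(decodedJWT);
        HashSet<StringPermission> granted = new HashSet<>(this.permits);
        Claim grantClaim = decodedJWT.getClaim("cdstar:grant");
        Claim readClaim = decodedJWT.getClaim("cdstar:read");
        Claim createClaim = decodedJWT.getClaim("cdstar:create");
        boolean injectsPermissions = !grantClaim.isNull() || !readClaim.isNull() || !createClaim.isNull();
        if (!this.trusted) {
            if (injectsPermissions) {
                JWTRealm.log.warn("Issuer '{}' tried to inject permissions, but was not configured as trusted.", this.name);
            }
            return new JWTPrincipal(this.realm, decodedJWT, this, granted);
        }
        for (String grant : stringArray(grantClaim, "cdstar:grant")) {
            // Free-form grants are confined to the two data namespaces so a
            // token can never mint e.g. admin or realm-level permissions.
            if (grant.startsWith("vault:") || grant.startsWith("archive:")) {
                granted.add(StringPermission.parse(grant));
            } else {
                JWTRealm.log.warn("Issuer '{}' tried to inject permissions outside of the 'vault:*' and 'archive:*' namespaces: {}", this.name, grant);
            }
        }
        for (String vault : stringArray(readClaim, "cdstar:read")) {
            granted.add(StringPermission.ofParts(new String[]{"vault", vault, "read"}));
        }
        for (String vault : stringArray(createClaim, "cdstar:create")) {
            granted.add(StringPermission.ofParts(new String[]{"vault", vault, "read"}));
            granted.add(StringPermission.ofParts(new String[]{"vault", vault, "create"}));
        }
        return new JWTPrincipal(this.realm, decodedJWT, this, granted);
    }

    /**
     * Returns the claim's string elements, or an empty array when the claim is
     * absent. {@code Claim.asArray} yields null for a non-array value, which
     * previously surfaced as a NullPointerException on a malformed token; such
     * a claim, and any null element inside an array, is now logged and skipped.
     */
    private String[] stringArray(Claim claim, String claimName) {
        if (claim.isNull()) {
            return new String[0];
        }
        String[] values = claim.asArray(String.class);
        if (values == null) {
            JWTRealm.log.warn("Issuer '{}' sent a non-array '{}' claim; ignoring it.", this.name, claimName);
            return new String[0];
        }
        List<String> nonNull = new ArrayList<>(values.length);
        for (String value : values) {
            if (value != null) {
                nonNull.add(value);
            }
        }
        return nonNull.toArray(new String[0]);
    }

    /**
     * Checks the token's signature against the verifier registered for its
     * "alg" header, then its validity window.
     *
     * @throws AlgorithmMismatchException if "alg" is missing or not configured
     *                                    for this issuer ("none" is never configured)
     * @throws TokenExpiredException      see {@link #checkExpired}
     */
    public void verify(DecodedJWT decodedJWT) {
        // Only the configured whitelist is consulted; the header never selects
        // an algorithm that has no key material behind it.
        Algorithm algorithm = this.algos.get(decodedJWT.getAlgorithm());
        if (algorithm == null) {
            throw new AlgorithmMismatchException("Unexpected JWT algorithm: " + decodedJWT.getAlgorithm());
        }
        algorithm.verify(decodedJWT);
        checkExpired(decodedJWT);
    }

    /**
     * Rejects a token outside its validity window, allowing {@link #leeway}
     * seconds of clock skew in either direction: "nbf" may be up to leeway in
     * the future and "exp" up to leeway in the past. A missing claim imposes
     * no bound. Package-private in the original source.
     *
     * @throws TokenExpiredException if "nbf" or "exp" rejects the token
     */
    public void checkExpired(DecodedJWT decodedJWT) {
        long nowSeconds = System.currentTimeMillis() / 1000;
        Date notBefore = decodedJWT.getNotBefore();
        Date expiresAt = decodedJWT.getExpiresAt();
        if (notBefore != null && notBefore.getTime() / 1000 > nowSeconds + this.leeway) {
            throw new TokenExpiredException("Token rejected based on 'nbf' (Not BeFore) claim.");
        }
        if (expiresAt != null && expiresAt.getTime() / 1000 < nowSeconds - this.leeway) {
            throw new TokenExpiredException("Token rejected based on 'exp' (Expiration Time) claim.");
        }
    }

    public String getDomain() {
        return this.domain;
    }
}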
