package de.gwdg.cdstar.ext.auth.jwt;

import com.auth0.jwt.JWT;
import com.auth0.jwt.exceptions.JWTDecodeException;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.exceptions.TokenExpiredException;
import com.auth0.jwt.interfaces.DecodedJWT;
import de.gwdg.cdstar.LRUCache;
import de.gwdg.cdstar.Utils;
import de.gwdg.cdstar.auth.Credentials;
import de.gwdg.cdstar.auth.Permission;
import de.gwdg.cdstar.auth.Session;
import de.gwdg.cdstar.auth.StringPermission;
import de.gwdg.cdstar.auth.TokenCredentials;
import de.gwdg.cdstar.auth.realm.Authenticator;
import de.gwdg.cdstar.auth.realm.Authorizer;
import de.gwdg.cdstar.runtime.Config;
import de.gwdg.cdstar.runtime.ConfigException;
import de.gwdg.cdstar.runtime.Plugin;
import java.io.UnsupportedEncodingException;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

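/**
 * Authentication and authorization realm backed by JSON Web Tokens.
 *
 * <p>{@link #login(Credentials)} accepts {@link TokenCredentials} whose token has the
 * three-segment JWT shape and turns it into a {@link JWTPrincipal}.
 * {@link #isPermitted(Session, Permission)} answers permission checks from the
 * permissions carried by that principal.
 *
 * <p>Every configuration section except {@code class} is read as one issuer. The section
 * named {@code default} additionally handles tokens that carry no {@code iss} claim.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>Bearer tokens are credentials. This class never writes the signature segment of a
 *       token to the log, so a log reader cannot replay a token that was merely rejected
 *       here (for example one issued for a different service).</li>
 *   <li>The issuer is selected from the <em>unverified</em> {@code iss} claim. Signature and
 *       claim verification is delegated to {@code JWTIssuerConfig.fromToken}, which is not
 *       part of this file. NOTE(review): confirm it verifies the signature and pins the
 *       accepted algorithm.</li>
 * </ul>
 */
@Plugin(name = {"jwt"})
/* loaded from: input_file:de/gwdg/cdstar/ext/auth/jwt/JWTRealm.class */
public class JWTRealm implements Authenticator, Authorizer {
    static final Logger log = LoggerFactory.getLogger(JWTRealm.class);

    /** Placeholder written to the log in place of a token's signature segment. */
    private static final String REDACTED_SIGNATURE = "<signature redacted>";

    // Issuer configurations keyed by the value of JWTIssuerConfig.getIss().
    private final Map<String, JWTIssuerConfig> issuerConfigs = new HashMap<>();
    // Issuer used for tokens without an "iss" claim; stays null when no "default" section exists.
    private JWTIssuerConfig defaultIssuer;
    private final String realmName;
    // Principals keyed by the complete token string, so a hit means the identical token was seen before.
    LRUCache<String, JWTPrincipal> cache;

    /**
     * Builds the realm from its configuration table.
     *
     * @param config realm configuration; {@code _name} supplies the realm name and every
     *               table entry other than {@code class} is passed to {@code JWTIssuerConfig}
     * @throws ConfigException declared by the original signature; presumably raised by
     *                         {@code JWTIssuerConfig} for invalid issuer settings
     */
    public JWTRealm(Config config) throws ConfigException, IllegalArgumentException, UnsupportedEncodingException {
        this.realmName = config.get("_name");
        for (Map.Entry<?, ?> entry : config.getTable().entrySet()) {
            String section = (String) entry.getKey();
            if (section.equals("class")) {
                continue;
            }
            JWTIssuerConfig issuer = new JWTIssuerConfig(this, section, (Config) entry.getValue());
            JWTIssuerConfig replaced = this.issuerConfigs.put(issuer.getIss(), issuer);
            if (replaced != null) {
                // Two sections claiming the same issuer make it ambiguous which verification
                // settings apply to that issuer's tokens; surface it instead of silently
                // keeping whichever section happened to be read last.
                log.warn("Realm {}: issuer {} is configured more than once; section {} replaces the earlier one",
                        this.realmName, issuer.getIss(), section);
            }
            if (section.equals("default")) {
                this.defaultIssuer = issuer;
            }
        }
        this.cache = new LRUCache<>("jwt", 64);
    }

    /** Returns the realm name read from the {@code _name} configuration key. */
    public String getName() {
        return this.realmName;
    }

    /**
     * Attempts to authenticate the given credentials as a JWT.
     *
     * @param credentials credentials offered by the caller
     * @return the authenticated principal, or {@code null} when the credentials are not token
     *         credentials, the token is missing or does not consist of exactly three
     *         dot-separated segments, or decoding/verification fails for any reason
     */
    public Session login(Credentials credentials) {
        if (!(credentials instanceof TokenCredentials)) {
            return null;
        }
        String token = ((TokenCredentials) credentials).getToken();
        // A missing token is treated like any other non-JWT credential: not ours, fail closed.
        if (token == null || !hasThreeSegments(token)) {
            return null;
        }
        try {
            return fromToken(token);
        } catch (JWTDecodeException e) {
            if (log.isDebugEnabled()) {
                log.debug("Token failed to parse as JWT token: {}", Utils.repr(redactSignature(token)));
            }
            return null;
        } catch (Exception e) {
            // Broad catch on purpose: any failure while verifying must result in "not authenticated".
            log.warn("JWT token verification failed: {}", Utils.repr(redactSignature(token)), e);
            return null;
        }
    }

    /**
     * Resolves a token string to a principal, consulting the cache first.
     *
     * <p>A cache hit skips decoding and verification and only re-checks expiry. If
     * {@code checkExpired()} throws, the entry is left in the cache and the exception
     * propagates to the caller.
     *
     * @param str the complete serialized token
     * @return the principal for this token
     * @throws JWTVerificationException when the token names an issuer that is not configured,
     *                                  or has no {@code iss} claim and no default issuer exists
     */
    public JWTPrincipal fromToken(String str) {
        JWTPrincipal cached = (JWTPrincipal) this.cache.get(str);
        if (cached != null) {
            cached.checkExpired();
            if (log.isDebugEnabled()) {
                log.debug("Authenticated JWT principal (cached): {}", cached);
            }
            return cached;
        }
        // JWT.decode only parses the token; nothing read from it is trustworthy yet.
        DecodedJWT decoded = JWT.decode(str);
        String claimedIssuer = decoded.getIssuer();
        JWTIssuerConfig issuer = claimedIssuer == null ? this.defaultIssuer : this.issuerConfigs.get(claimedIssuer);
        if (issuer == null) {
            throw new JWTVerificationException("Unknown issuer.");
        }
        // Verification is expected to happen inside JWTIssuerConfig.fromToken (not visible here).
        JWTPrincipal principal = issuer.fromToken(decoded);
        if (log.isDebugEnabled()) {
            log.debug("Authenticated JWT principal: {}", principal);
        }
        this.cache.put(str, principal);
        return principal;
    }

    /** No-op: this realm keeps no per-session state to release on logout. */
    public void logout(Session session) {
    }

    /**
     * Checks whether a JWT session holds a permission that implies the requested one.
     *
     * @param session    session to check; anything other than a {@link JWTPrincipal} is denied
     * @param permission requested permission; anything other than a {@link StringPermission} is denied
     * @return {@code true} when one of the principal's permissions implies {@code permission};
     *         {@code false} otherwise, including when the token has expired
     */
    public boolean isPermitted(Session session, Permission permission) {
        if (!(session instanceof JWTPrincipal) || !(permission instanceof StringPermission)) {
            return false;
        }
        JWTPrincipal jWTPrincipal = (JWTPrincipal) session;
        try {
            // Expiry is re-checked on every authorization decision, not only at login.
            jWTPrincipal.checkExpired();
            Iterator<Permission> it = jWTPrincipal.getPermissions().iterator();
            while (it.hasNext()) {
                // NOTE(review): decompiler artifact - the declared type and the cast disagree and
                // the instanceof below repeats the guard at the top of the method. Left exactly as
                // found; reconcile with the original source before changing this check.
                StringPermission stringPermission = (Permission) it.next();
                if ((permission instanceof StringPermission) && stringPermission.implies(permission)) {
                    return true;
                }
            }
            return false;
        } catch (TokenExpiredException e) {
            log.warn("Use of an expired Token: {}", session, e);
            return false;
        }
    }

    /** Returns whether {@code token} contains exactly two dots, i.e. three JWT segments. */
    private static boolean hasThreeSegments(String token) {
        int firstDot = token.indexOf('.');
        if (firstDot < 0) {
            return false;
        }
        int secondDot = token.indexOf('.', firstDot + 1);
        return secondDot >= 0 && token.indexOf('.', secondDot + 1) < 0;
    }

    /**
     * Returns the token with everything after its last dot replaced by a placeholder, so the
     * header and claims remain available for diagnosis while the logged value cannot be
     * presented as a credential.
     */
    private static String redactSignature(String token) {
        int lastDot = token.lastIndexOf('.');
        if (lastDot < 0) {
            return REDACTED_SIGNATURE;
        }
        return token.substring(0, lastDot + 1) + REDACTED_SIGNATURE;
    }
}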
