package com.e2eq.framework.model.security.provider.cognito;

import io.smallrye.jwt.auth.principal.JWTParser;
import io.smallrye.jwt.auth.principal.ParseException;
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.inject.Inject;
import jakarta.json.Json;
import jakarta.json.JsonArray;
import jakarta.json.JsonObject;
import jakarta.json.JsonReader;
import jakarta.json.JsonString;
import java.io.StringReader;
import java.net.HttpURLConnection;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.PublicKey;
import java.util.Base64;
import java.util.Scanner;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import org.eclipse.microprofile.config.inject.ConfigProperty;
import org.eclipse.microprofile.jwt.JsonWebToken;
import org.jose4j.jwk.PublicJsonWebKey;

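@ApplicationScoped
/**
 * Validates JWTs issued by an AWS Cognito user pool.
 *
 * Flow: read {@code kid} (and {@code alg}) from the unverified header, resolve the matching
 * public key from the pool's JWKS endpoint (cached per kid), hand token and key to the injected
 * {@link JWTParser} for signature verification, then enforce Cognito-specific claims
 * (issuer, token_use, app client binding, expiry).
 *
 * The JWKS is fetched over HTTPS from a URL built from configuration only; no token-supplied
 * value is ever used to build that URL.
 */
public class CognitoTokenValidator {

    /** Cognito signs user-pool tokens with RS256; any other header alg is rejected before parsing. */
    private static final String EXPECTED_ALG = "RS256";

    /** Connect/read timeout for the JWKS fetch so a stalled endpoint cannot pin request threads. */
    private static final int JWKS_HTTP_TIMEOUT_MS = 5_000;

    /** Read from configuration; not consulted by this class. */
    @ConfigProperty(name = "auth.provider")
    String authProvider;

    @ConfigProperty(name = "aws.cognito.region")
    String awsRegion;

    @ConfigProperty(name = "aws.cognito.user-pool-id")
    String userPoolId;

    /** App client id that both access tokens (client_id) and id tokens (aud) must be bound to. */
    @ConfigProperty(name = "aws.cognito.client-id")
    String clientId;

    @Inject
    JWTParser jwtParser;

    /**
     * kid -> public key, populated from the JWKS on first use. Entries are never evicted; only
     * keys actually present in the pool's JWKS are stored, so its size is bounded by the JWKS.
     */
    private final ConcurrentHashMap<String, PublicKey> keyCache = new ConcurrentHashMap<>();

    /**
     * Verifies the signature of {@code str} against the Cognito user pool and validates its claims.
     *
     * @param str compact-serialised JWT (header.payload.signature)
     * @return the verified token
     * @throws ParseException when the token is malformed, unsigned by a known pool key, or fails
     *         a claim check
     * @throws Exception when the JWKS cannot be fetched or parsed
     */
    public JsonWebToken validateToken(String str) throws Exception {
        if (str == null || str.isEmpty()) {
            throw new ParseException("Missing token");
        }
        String kid = extractKidFromToken(str);
        PublicKey publicKey = getPublicKey(kid);
        if (publicKey == null) {
            throw new ParseException("Unable to find public key for kid: " + kid);
        }
        // The parser is what actually verifies the signature; everything before this is unverified input.
        JsonWebToken verified = this.jwtParser.verify(str, publicKey);
        validateClaims(verified);
        return verified;
    }

    /**
     * Resolves the public key for {@code kid}, consulting the cache first and the JWKS endpoint on
     * a miss.
     *
     * NOTE(review): an attacker-chosen kid that is not in the JWKS causes a network fetch on every
     * request (negative results are not cached). Consider throttling refreshes if this validator is
     * reachable by unauthenticated clients.
     *
     * @return the key, or {@code null} when no signing key with that kid exists in the JWKS
     */
    private PublicKey getPublicKey(String kid) throws Exception {
        PublicKey cached = this.keyCache.get(kid);
        if (cached != null) {
            return cached;
        }
        try (JsonReader reader = Json.createReader(new StringReader(fetchJwks()))) {
            JsonArray keys = reader.readObject().getJsonArray("keys");
            if (keys == null) {
                return null;
            }
            for (JsonObject jwk : keys.getValuesAs(JsonObject.class)) {
                if (!kid.equals(jwk.getString("kid", null))) {
                    continue;
                }
                // RFC 7517 "use": a key explicitly marked for something other than signing
                // must not be used to verify signatures. Absent "use" is treated as signing.
                if (!"sig".equals(jwk.getString("use", "sig"))) {
                    continue;
                }
                PublicKey key = PublicJsonWebKey.Factory.newPublicJwk(jwk.toString()).getPublicKey();
                this.keyCache.put(kid, key);
                return key;
            }
        }
        return null;
    }

    /**
     * Downloads the user pool's JWKS document as a UTF-8 string.
     *
     * @throws ParseException when the endpoint answers with a non-200 status
     * @throws Exception on network or URL errors
     */
    private String fetchJwks() throws Exception {
        URI jwksUri = new URI(String.format(
                "https://cognito-idp.%s.amazonaws.com/%s/.well-known/jwks.json", this.awsRegion, this.userPoolId));
        HttpURLConnection connection = (HttpURLConnection) jwksUri.toURL().openConnection();
        connection.setRequestMethod("GET");
        // Without timeouts a hung connection blocks the calling request thread indefinitely.
        connection.setConnectTimeout(JWKS_HTTP_TIMEOUT_MS);
        connection.setReadTimeout(JWKS_HTTP_TIMEOUT_MS);
        try {
            int status = connection.getResponseCode();
            if (status != HttpURLConnection.HTTP_OK) {
                throw new ParseException("JWKS fetch failed with HTTP status " + status);
            }
            try (Scanner scanner = new Scanner(connection.getInputStream(), StandardCharsets.UTF_8.name())) {
                scanner.useDelimiter("\\A"); // slurp the whole body in one token
                return scanner.hasNext() ? scanner.next() : "";
            }
        } finally {
            connection.disconnect();
        }
    }

    /**
     * Reads {@code kid} from the (still unverified) JOSE header, rejecting tokens whose header
     * {@code alg} is not RS256 as defence in depth against algorithm-confusion; the injected
     * parser remains responsible for actually verifying the signature.
     *
     * @throws ParseException on malformed input, unexpected alg, or a missing kid
     */
    private String extractKidFromToken(String token) throws ParseException {
        String[] parts = token.split("\\.");
        if (parts.length != 3) {
            throw new ParseException("Invalid JWT token format");
        }
        try (JsonReader reader = Json.createReader(new StringReader(
                new String(Base64.getUrlDecoder().decode(parts[0]), StandardCharsets.UTF_8)))) {
            JsonObject header = reader.readObject();
            String alg = header.getString("alg", null);
            if (!EXPECTED_ALG.equals(alg)) {
                throw new ParseException("Unsupported JWT alg: " + alg);
            }
            String kid = header.getString("kid", null);
            if (kid == null || kid.isEmpty()) {
                throw new ParseException("Token header missing 'kid' claim");
            }
            return kid;
        } catch (ParseException e) {
            throw e;
        } catch (Exception e) {
            // Bad base64, non-JSON header, wrong JSON types, etc.
            throw new ParseException("Failed to extract kid from token", e);
        }
    }

    /**
     * Enforces Cognito-specific claims on an already signature-verified token: issuer must be this
     * user pool, token_use must be "access" or "id", the token must be bound to the configured app
     * client (client_id for access tokens, aud for id tokens), and exp must not be in the past.
     */
    private void validateClaims(JsonWebToken token) throws ParseException {
        String expectedIssuer = String.format(
                "https://cognito-idp.%s.amazonaws.com/%s", this.awsRegion, this.userPoolId);
        if (!expectedIssuer.equals(token.getIssuer())) {
            throw new ParseException("Invalid token issuer");
        }
        String tokenUse = claimAsString(token, "token_use");
        if (tokenUse == null || (!tokenUse.equals("access") && !tokenUse.equals("id"))) {
            throw new ParseException("Invalid token_use claim");
        }
        if ("access".equals(tokenUse)) {
            // Cognito access tokens carry the app client id in client_id.
            if (!this.clientId.equals(claimAsString(token, "client_id"))) {
                throw new ParseException("Invalid client_id claim");
            }
        } else {
            // Cognito id tokens carry the app client id in aud. Without this check an id token
            // minted for any other app client of the same user pool would be accepted.
            Set<String> audience = token.getAudience();
            if (audience == null || !audience.contains(this.clientId)) {
                throw new ParseException("Invalid aud claim");
            }
        }
        // getExpirationTime() yields 0 when exp is absent, so such tokens are rejected here too.
        if (token.getExpirationTime() < System.currentTimeMillis() / 1000) {
            throw new ParseException("Token has expired");
        }
    }

    /**
     * Returns a claim as a plain String, unwrapping a {@link JsonString} if the parser returned
     * one; {@code null} when the claim is absent. Avoids an NPE/ClassCastException on a token
     * that omits or mistypes the claim.
     */
    private static String claimAsString(JsonWebToken token, String name) {
        Object value = token.getClaim(name);
        if (value == null) {
            return null;
        }
        if (value instanceof JsonString) {
            return ((JsonString) value).getString();
        }
        return value.toString();
    }
}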
