package com.uid2.shared.attest;

import com.google.api.client.json.webtoken.JsonWebToken;
import com.google.auth.oauth2.TokenVerifier;
import com.uid2.shared.Const;
import io.vertx.core.json.JsonObject;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.X509EncodedKeySpec;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Optional;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/uid2/shared/attest/JwtService.class */
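/**
 * Validates JWTs against the RSA public keys listed in the configuration property
 * {@link Const.Config#AwsKmsJwtSigningPublicKeysProp}.
 *
 * <p>The key list is read once, in the constructor. If no key can be loaded the service
 * still constructs, but every call to {@link #validateJwt(String, String, String)} throws
 * {@link ValidationException}; validation never succeeds without a key.
 */
public class JwtService {
    private static final Logger LOGGER = LoggerFactory.getLogger(JwtService.class);
    private static final String DEFAULT_VALIDATION_MESSAGE = "Validation Error";
    private final JsonObject config;
    private final HashSet<PublicKey> publicKeys = new HashSet<>();

    /**
     * Raised when a token cannot be validated or a configured key cannot be parsed.
     *
     * <p>Kept as a non-static inner class so existing code that references
     * {@code JwtService.ValidationException} keeps compiling unchanged.
     */
    public class ValidationException extends Exception {
        /**
         * @param optional the failure message; {@code null} or empty falls back to
         *     "Validation Error"
         */
        public ValidationException(Optional<String> optional) {
            super(messageOrDefault(optional));
        }

        /**
         * @param optional the failure message; {@code null} or empty falls back to
         *     "Validation Error"
         * @param exc the underlying cause
         */
        public ValidationException(Optional<String> optional, Exception exc) {
            super(messageOrDefault(optional), exc);
        }
    }

    /**
     * Loads the verification keys from the given configuration.
     *
     * @param jsonObject service configuration; the key property holds a comma-separated
     *     list of PEM or bare Base64 encoded X.509 RSA public keys
     */
    public JwtService(JsonObject jsonObject) {
        this.config = jsonObject;
        String keyList = jsonObject.getString(Const.Config.AwsKmsJwtSigningPublicKeysProp, "");
        // NOTE(review): guards against a property that is present but null - confirm
        // whether getString can return null in that case.
        String[] encodedKeys = keyList == null ? new String[0] : keyList.split(",");
        if (keyList == null || keyList.isBlank() || encodedKeys.length == 0) {
            LOGGER.info("Unable to read public keys from the configuration. JWTs can not be verified.");
        } else {
            parsePublicKeysFromConfig(encodedKeys);
        }
    }

    /**
     * Verifies a JWT against each configured public key and returns its claims.
     *
     * <p>The audience and issuer are handed to the verifier together with the key. Claims
     * are read only after the verifier has accepted the token for one of the keys.
     *
     * @param str the serialized JWT to validate
     * @param str2 the expected audience; must not be null or blank
     * @param str3 the expected issuer; must not be null or blank
     * @return a response marked valid and populated from the token's claims
     * @throws IllegalArgumentException if the audience or issuer is null or blank
     * @throws ValidationException if no keys are configured, if no configured key verifies
     *     the token, or if a verified token lacks a required claim or carries a malformed one
     */
    public JwtValidationResponse validateJwt(String str, String str2, String str3) throws ValidationException {
        if (str2 == null || str2.isBlank()) {
            throw new IllegalArgumentException("Audience can not be empty");
        }
        if (str3 == null || str3.isBlank()) {
            throw new IllegalArgumentException("Issuer can not be empty");
        }
        if (this.publicKeys.isEmpty()) {
            LOGGER.error("Unable to get public keys. Validation can not continue. Check the configuration for the service and ensure all valid public keys are specified in the property: {}", Const.Config.AwsKmsJwtSigningPublicKeysProp);
            throw new ValidationException(Optional.of("Unable to get public keys. Validation can not continue"));
        }

        Exception lastFailure = null;
        for (PublicKey publicKey : this.publicKeys) {
            JsonWebToken.Payload payload;
            try {
                payload = TokenVerifier.newBuilder()
                        .setPublicKey(publicKey)
                        .setAudience(str2)
                        .setIssuer(str3)
                        .build()
                        .verify(str)
                        .getPayload();
            } catch (Exception e) {
                // Any verifier failure (checked or unchecked) means this key did not accept
                // the token; remember it and try the next key.
                lastFailure = e;
                continue;
            }
            // The token verified under this key. A claim problem from here on is a defect
            // in the token itself, so report it directly instead of trying further keys
            // and surfacing an unrelated signature error.
            return toValidationResponse(payload);
        }
        // publicKeys is non-empty, so the loop ran and every key recorded a failure.
        throw new ValidationException(Optional.ofNullable(lastFailure.getMessage()), lastFailure);
    }

    /** Returns the supplied message, or the default when it is null or empty. */
    private static String messageOrDefault(Optional<String> message) {
        return message == null ? DEFAULT_VALIDATION_MESSAGE : message.orElse(DEFAULT_VALIDATION_MESSAGE);
    }

    /** Builds the successful response from the claims of an already verified token. */
    private JwtValidationResponse toValidationResponse(JsonWebToken.Payload payload) throws ValidationException {
        try {
            return new JwtValidationResponse(true)
                    .withSubject(requiredClaim(payload, "sub"))
                    .withRoles(requiredClaim(payload, "roles"))
                    .withEnclaveId(requiredClaim(payload, "enclaveId"))
                    .withEnclaveType(requiredClaim(payload, "enclaveType"))
                    .withSiteId(Integer.valueOf(requiredClaim(payload, "siteId")))
                    .withOperatorVersion(requiredClaim(payload, "operatorVersion"))
                    .withAudience(requiredClaim(payload, "aud"));
        } catch (RuntimeException e) {
            // Covers a non-numeric siteId and any unchecked failure while populating the
            // response, so callers still only have to handle ValidationException.
            throw new ValidationException(Optional.of("JWT claims are malformed"), e);
        }
    }

    /** Returns the named claim as a string, rejecting tokens that do not carry it. */
    private String requiredClaim(JsonWebToken.Payload payload, String claimName) throws ValidationException {
        Object value = payload.get(claimName);
        if (value == null) {
            throw new ValidationException(Optional.of("JWT is missing required claim: " + claimName));
        }
        return value.toString();
    }

    /**
     * Parses each non-blank entry into a public key and stores it. Entries that fail to
     * parse are logged (first 15 characters only) and skipped.
     */
    private void parsePublicKeysFromConfig(String[] encodedKeys) {
        for (String encodedKey : encodedKeys) {
            if (encodedKey == null || encodedKey.isBlank()) {
                continue;
            }
            try {
                PublicKey publicKey = getPublicKeyFromString(encodedKey);
                if (publicKey != null) {
                    this.publicKeys.add(publicKey);
                }
            } catch (ValidationException e) {
                LOGGER.error("Unable to parse Public Key string that starts with: {}", encodedKey.substring(0, Math.min(15, encodedKey.length())));
            }
        }
    }

    /**
     * Decodes one PEM or bare Base64 encoded X.509 RSA public key.
     *
     * <p>The PEM armor lines and all whitespace are removed before decoding, so keys with
     * CRLF line endings or padding around the comma separators are accepted.
     *
     * @throws ValidationException if the text is not valid Base64 or not a valid RSA key
     */
    private PublicKey getPublicKeyFromString(String encodedKey) throws ValidationException {
        try {
            String base64Body = encodedKey
                    .replace("-----BEGIN PUBLIC KEY-----", "")
                    .replace("-----END PUBLIC KEY-----", "")
                    .replaceAll("\\s", "");
            byte[] derBytes = Base64.getDecoder().decode(base64Body);
            return KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(derBytes));
        } catch (IllegalArgumentException | NoSuchAlgorithmException | InvalidKeySpecException e) {
            LOGGER.error("Error creating Public key from configuration:", e);
            throw new ValidationException(Optional.of("Error creating Public key from configuration"), e);
        }
    }
}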
