package com.uid2.shared.secure.gcpoidc;

import com.google.api.client.json.webtoken.JsonWebToken;
import com.google.api.client.util.Clock;
import com.google.auth.oauth2.TokenVerifier;
import com.google.common.base.Strings;
import com.uid2.shared.secure.AttestationClientException;
import com.uid2.shared.secure.AttestationFailure;
import com.uid2.shared.secure.JwtUtils;
import com.uid2.shared.secure.gcpoidc.TokenPayload;
import java.io.IOException;
import java.security.PublicKey;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

/* loaded from: input_file:com/uid2/shared/secure/gcpoidc/TokenSignatureValidator.class */
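/**
 * Verifies a GCP Confidential Space attestation token (an OIDC JWT) and extracts the
 * claims the attestation layer needs.
 *
 * <p>Security contract established by this class:
 * <ul>
 *   <li>The signing key must come from the JWK set published for the Confidential Space
 *       signer service account ({@link #PUBLIC_CERT_LOCATION}); a token signed by any
 *       other key is rejected by {@code TokenVerifier}.</li>
 *   <li>The {@code iss} and {@code aud} claims must match {@link #ISSUER} and
 *       {@link #AUDIENCE}.</li>
 *   <li>This class does not itself inspect {@code exp}, {@code nbf} or {@code iat}.
 *       google-auth-library's {@code TokenVerifier} is understood to enforce expiry against
 *       the configured {@code Clock}; confirm this for the pinned library version.</li>
 * </ul>
 *
 * <p>This class establishes authenticity only. It enforces no policy on the extracted
 * claims (debug status, software name/version, image reference/digest, command and
 * environment overrides, zone); callers must judge the returned {@link TokenPayload}.
 *
 * <p>{@link #BYPASS_SIGNATURE_CHECK} is a compile-time constant that nothing in this
 * class reads. Because it is {@code static final false}, any branch guarded by it in
 * the original source is folded away by javac, so changing the constant in a dependent
 * module has no effect on this compiled class; a bypass can only be reintroduced by
 * recompiling this class, which is the intended safety property.
 */
public class TokenSignatureValidator implements ITokenSignatureValidator {
    /** JWK set of the Confidential Space signer; pins acceptable signing keys to that identity. */
    private static final String PUBLIC_CERT_LOCATION = "https://www.googleapis.com/service_accounts/v1/metadata/jwk/signer@confidentialspace-sign.iam.gserviceaccount.com";
    /** Required {@code aud} claim. */
    private static final String AUDIENCE = "https://sts.googleapis.com";
    /** Required {@code iss} claim. */
    private static final String ISSUER = "https://confidentialcomputing.googleapis.com";
    private final TokenVerifier tokenVerifier;
    /** Compile-time constant; see the class comment. Must remain {@code false} in production builds. */
    public static final boolean BYPASS_SIGNATURE_CHECK = false;

    /**
     * Production constructor: signing keys are fetched from {@link #PUBLIC_CERT_LOCATION}
     * and the verifier uses its default clock.
     */
    public TokenSignatureValidator() {
        this(null, null);
    }

    /**
     * Test hook. A non-null {@code publicKey} is handed to the verifier as the signing
     * key (presumably taking precedence over the JWK fetch — verify against the library);
     * a non-null {@code clock} replaces the verifier's time source so expiry handling can
     * be exercised deterministically. Both are {@code null} in production.
     *
     * @param publicKey signing key to trust instead of the published JWK set, or {@code null}
     * @param clock     time source for the verifier, or {@code null} for the library default
     */
    protected TokenSignatureValidator(PublicKey publicKey, Clock clock) {
        TokenVerifier.Builder verifierBuilder = TokenVerifier.newBuilder();
        verifierBuilder.setCertificatesLocation(PUBLIC_CERT_LOCATION);
        if (publicKey != null) {
            verifierBuilder.setPublicKey(publicKey);
        }
        if (clock != null) {
            verifierBuilder.setClock(clock);
        }
        verifierBuilder.setAudience(AUDIENCE);
        verifierBuilder.setIssuer(ISSUER);
        this.tokenVerifier = verifierBuilder.build();
    }

    /**
     * Verifies {@code str} and maps its claims into a {@link TokenPayload}.
     *
     * <p>Authenticity is established solely by {@code tokenVerifier.verify}; everything after
     * that call is best-effort extraction. Absent or mistyped claims are passed to the
     * builder as {@code null} (whatever {@code JwtUtils.tryGetField} returns on a mismatch —
     * its implementation is not visible here), so the caller must treat missing fields as
     * "not attested", never as "allowed".
     *
     * @param str the compact-serialised JWT
     * @return the extracted claims
     * @throws IllegalArgumentException   if {@code str} is null or empty
     * @throws AttestationClientException {@code BAD_PAYLOAD} if the token cannot be parsed,
     *                                    {@code BAD_CERTIFICATE} if signature, issuer,
     *                                    audience or expiry verification fails
     */
    @Override // com.uid2.shared.secure.gcpoidc.ITokenSignatureValidator
    public TokenPayload validate(String str) throws AttestationClientException {
        if (Strings.isNullOrEmpty(str)) {
            throw new IllegalArgumentException("tokenString can not be null or empty");
        }
        try {
            // The only trust decision in this class: signature against the pinned JWK set,
            // issuer and audience (plus expiry, per the library contract).
            JsonWebToken.Payload payload = this.tokenVerifier.verify(str).getPayload();
            TokenPayload.TokenPayloadBuilder builder = TokenPayload.builder();

            builder.dbgStat((String) JwtUtils.tryGetField(payload, "dbgstat", String.class));
            builder.swName((String) JwtUtils.tryGetField(payload, "swname", String.class));

            // swversion is a JSON array; only its first element is surfaced.
            List<?> swVersions = (List<?>) JwtUtils.tryGetField(payload, "swversion", List.class);
            if (swVersions != null && !swVersions.isEmpty()) {
                builder.swVersion((String) JwtUtils.tryConvert(swVersions.get(0), String.class));
            }

            Map submods = (Map) JwtUtils.tryGetField(payload, "submods", Map.class);
            if (submods != null) {
                Map confidentialSpace = (Map) JwtUtils.tryGetField(submods, "confidential_space", Map.class);
                if (confidentialSpace != null) {
                    builder.csSupportedAttributes((List) JwtUtils.tryGetField(confidentialSpace, "support_attributes", List.class));
                }

                Map container = (Map) JwtUtils.tryGetField(submods, "container", Map.class);
                if (container != null) {
                    builder.workloadImageReference((String) JwtUtils.tryGetField(container, "image_reference", String.class));
                    builder.workloadImageDigest((String) JwtUtils.tryGetField(container, "image_digest", String.class));
                    builder.restartPolicy((String) JwtUtils.tryGetField(container, "restart_policy", String.class));
                    // Requested as List, consistent with every other array claim here. The
                    // original asked for ArrayList.class; if tryGetField yields null on a type
                    // mismatch, a List of any other implementation would have silently dropped
                    // cmd_override — a claim attestation policy is likely to inspect.
                    builder.cmdOverrides((List) JwtUtils.tryGetField(container, "cmd_override", List.class));
                    builder.envOverrides((Map) JwtUtils.tryGetField(container, "env_override", Map.class));
                }

                Map gce = (Map) JwtUtils.tryGetField(submods, "gce", Map.class);
                if (gce != null) {
                    builder.gceZone((String) JwtUtils.tryGetField(gce, "zone", String.class));
                }
            }
            return builder.build();
        } catch (IOException e) {
            // Only the message is propagated; if AttestationClientException accepts a cause,
            // chaining e would preserve the stack. Its constructors are not visible here.
            throw new AttestationClientException("Fail to parse token, error: " + e.getMessage(), AttestationFailure.BAD_PAYLOAD);
        } catch (TokenVerifier.VerificationException e2) {
            throw new AttestationClientException("Fail to validate the token signature, error: " + e2.getMessage(), AttestationFailure.BAD_CERTIFICATE);
        }
    }
}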
