package io.vertx.ext.auth.jwt.impl;

import io.vertx.core.AsyncResult;
import io.vertx.core.Future;
import io.vertx.core.Handler;
import io.vertx.core.Vertx;
import io.vertx.core.file.FileSystemException;
import io.vertx.core.impl.logging.Logger;
import io.vertx.core.impl.logging.LoggerFactory;
import io.vertx.core.json.Json;
import io.vertx.core.json.JsonArray;
import io.vertx.core.json.JsonObject;
import io.vertx.ext.auth.JWTOptions;
import io.vertx.ext.auth.KeyStoreOptions;
import io.vertx.ext.auth.PubSecKeyOptions;
import io.vertx.ext.auth.User;
import io.vertx.ext.auth.authentication.Credentials;
import io.vertx.ext.auth.authentication.TokenCredentials;
import io.vertx.ext.auth.authorization.PermissionBasedAuthorization;
import io.vertx.ext.auth.impl.jose.JWK;
import io.vertx.ext.auth.impl.jose.JWT;
import io.vertx.ext.auth.jwt.JWTAuth;
import io.vertx.ext.auth.jwt.JWTAuthOptions;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.cert.CertificateException;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;

/* loaded from: input_file:io/vertx/ext/auth/jwt/impl/JWTAuthProviderImpl.class */
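/**
 * {@link JWTAuth} implementation that authenticates bearer tokens and issues new ones through a
 * single {@link JWT} helper populated with the keys configured in {@link JWTAuthOptions}.
 *
 * <p>Token decoding (and whatever signature verification it performs) is delegated entirely to
 * {@code JWT.decode}; this class only layers claim checks on top of the decoded payload:
 * <ul>
 *   <li>audience: enforced only when {@code JWTOptions.getAudience()} is non-null;</li>
 *   <li>issuer: enforced only when {@code JWTOptions.getIssuer()} is non-null;</li>
 *   <li>expiry: enforced via {@code User.expired(leeway)} unless {@code isIgnoreExpiration()} is set.</li>
 * </ul>
 * With neither audience nor issuer configured, any token that {@code JWT.decode} accepts is
 * authenticated, so deployments sharing signing keys across services should configure both.
 */
public class JWTAuthProviderImpl implements JWTAuth {
    private final JWT jwt = new JWT();
    private final String permissionsClaimKey;
    private final JWTOptions jwtOptions;
    private static final Logger LOG = LoggerFactory.getLogger(JWTAuthProviderImpl.class);
    // Shared fallback for a missing "aud" claim; only ever read, never mutated.
    private static final JsonArray EMPTY_ARRAY = new JsonArray();
    // Claims that are not copied into the user's principal by createUser.
    private static final Collection<String> SPECIAL_KEYS = Arrays.asList("access_token", "exp", "iat", "nbf");

    /**
     * Builds the provider and registers every configured key with the JWT helper, in this order:
     * key store entries, PEM/secret keys ({@code getPubSecKeys}), then JSON Web Keys ({@code getJwks}).
     *
     * @param vertx used to read the key store file (blocking read)
     * @param jWTAuthOptions provider configuration
     * @throws RuntimeException wrapping any key store loading failure; a null key store password
     *     surfaces as a {@link NullPointerException}
     */
    public JWTAuthProviderImpl(Vertx vertx, JWTAuthOptions jWTAuthOptions) {
        this.permissionsClaimKey = jWTAuthOptions.getPermissionsClaimKey();
        this.jwtOptions = jWTAuthOptions.getJWTOptions();
        this.jwt.nonceAlgorithm(this.jwtOptions.getNonceAlgorithm());

        KeyStoreOptions keyStore = jWTAuthOptions.getKeyStore();
        if (keyStore != null) {
            try {
                KeyStore loaded = keyStore.getProvider() == null
                    ? KeyStore.getInstance(keyStore.getType())
                    : KeyStore.getInstance(keyStore.getType(), keyStore.getProvider());
                // Key store loading is serialised across all provider instances.
                // NOTE(review): the reason for the class-wide lock is not visible here; confirm before removing.
                synchronized (JWTAuthProviderImpl.class) {
                    if (keyStore.getPath() != null) {
                        // try-with-resources replaces the hand-written close/addSuppressed sequence.
                        try (ByteArrayInputStream in = new ByteArrayInputStream(
                                vertx.fileSystem().readFileBlocking(keyStore.getPath()).getBytes())) {
                            loaded.load(in, keyStore.getPassword().toCharArray());
                        }
                    } else {
                        // No path configured: initialise an empty key store.
                        loaded.load(null, keyStore.getPassword().toCharArray());
                    }
                }
                for (JWK key : JWK.load(loaded, keyStore.getPassword(), keyStore.getPasswordProtection())) {
                    this.jwt.addJWK(key);
                }
            } catch (IOException | KeyStoreException | FileSystemException | NoSuchAlgorithmException | NoSuchProviderException | CertificateException e) {
                // Key material that cannot be loaded is a configuration error: fail construction.
                throw new RuntimeException(e);
            }
        }

        List<PubSecKeyOptions> pubSecKeys = jWTAuthOptions.getPubSecKeys();
        if (pubSecKeys != null) {
            for (PubSecKeyOptions key : pubSecKeys) {
                this.jwt.addJWK(new JWK(key));
            }
        }

        List<JsonObject> jwks = jWTAuthOptions.getJwks();
        if (jwks != null) {
            for (JsonObject jwk : jwks) {
                try {
                    this.jwt.addJWK(new JWK(jwk));
                } catch (Exception e) {
                    // Best effort: one unusable key must not prevent the others from loading.
                    // NOTE(review): if every configured JWK is rejected here the JWT helper may end up
                    // with no verification keys at all; confirm how JWT.decode treats an empty key
                    // set and consider failing fast in that case rather than only logging.
                    LOG.warn("Unsupported JWK", e);
                }
            }
        }
    }

    /**
     * Callback variant of {@link #authenticate(JsonObject)}.
     *
     * @param jsonObject object carrying the encoded token under the {@code "token"} key
     * @param handler receives the authentication outcome
     */
    public void authenticate(JsonObject jsonObject, Handler<AsyncResult<User>> handler) {
        authenticate(jsonObject).onComplete(handler);
    }

    /**
     * Authenticates the token stored under the {@code "token"} key of the given object.
     *
     * @param jsonObject object carrying the encoded token
     * @return a future completed with the user, or failed when the token is rejected
     */
    public Future<User> authenticate(JsonObject jsonObject) {
        return authenticate((Credentials) new TokenCredentials(jsonObject.getString("token")));
    }

    /**
     * Decodes the token and applies the configured audience, issuer and expiry checks.
     *
     * <p>Every {@link RuntimeException} raised on the way (wrong credentials type, invalid
     * credentials, decode failure, malformed claims) is converted into a failed future, so a
     * rejected token never escapes as a thrown exception.
     *
     * @param credentials expected to be {@link TokenCredentials}
     * @return a future completed with the authenticated user, or failed with the rejection cause
     */
    public Future<User> authenticate(Credentials credentials) {
        // The original nested two identical catch (RuntimeException) handlers; one is sufficient.
        try {
            TokenCredentials tokenCredentials = (TokenCredentials) credentials;
            tokenCredentials.checkValid((Object) null);

            JsonObject payload = this.jwt.decode(tokenCredentials.getToken());

            // Audience is only enforced when configured. A token with no "aud" claim yields the
            // empty array, which is disjoint from any expectation and is therefore rejected.
            if (this.jwtOptions.getAudience() != null) {
                JsonArray tokenAudience = payload.getValue("aud") instanceof String
                    ? new JsonArray().add(payload.getValue("aud", ""))
                    : payload.getJsonArray("aud", EMPTY_ARRAY);
                if (Collections.disjoint(this.jwtOptions.getAudience(), tokenAudience.getList())) {
                    // NOTE(review): this message contains the configured audience list; avoid
                    // relaying the failure text verbatim to unauthenticated clients.
                    return Future.failedFuture("Invalid JWT audience. expected: " + Json.encode(this.jwtOptions.getAudience()));
                }
            }

            // Issuer is only enforced when configured; a missing "iss" claim fails the comparison.
            if (this.jwtOptions.getIssuer() != null && !this.jwtOptions.getIssuer().equals(payload.getString("iss"))) {
                return Future.failedFuture("Invalid JWT issuer");
            }

            User user = createUser(tokenCredentials.getToken(), payload, this.permissionsClaimKey);
            // ignoreExpiration disables every check that User.expired performs; keep it off in production.
            if (user.expired(this.jwtOptions.getLeeway()) && !this.jwtOptions.isIgnoreExpiration()) {
                return Future.failedFuture("Invalid JWT token: token expired.");
            }
            return Future.succeededFuture(user);
        } catch (RuntimeException e) {
            return Future.failedFuture(e);
        }
    }

    /**
     * Signs a copy of the claims with the given options. When the options carry permissions and
     * the claims do not already contain the permissions claim key, the permissions are added
     * under that key; the caller's object is never modified.
     *
     * @param jsonObject claims to sign
     * @param jWTOptions signing options
     * @return the encoded token produced by {@code JWT.sign}
     */
    @Override // io.vertx.ext.auth.jwt.JWTAuth
    public String generateToken(JsonObject jsonObject, JWTOptions jWTOptions) {
        JsonObject claims = jsonObject.copy();
        boolean hasPermissionsToAdd = jWTOptions.getPermissions() != null;
        if (hasPermissionsToAdd && !claims.containsKey(this.permissionsClaimKey)) {
            claims.put(this.permissionsClaimKey, new JsonArray(jWTOptions.getPermissions()));
        }
        return this.jwt.sign(claims, jWTOptions);
    }

    /**
     * Signs the claims using the provider-level {@link JWTOptions}.
     *
     * @param jsonObject claims to sign
     * @return the encoded token
     */
    @Override // io.vertx.ext.auth.jwt.JWTAuth
    public String generateToken(JsonObject jsonObject) {
        return generateToken(jsonObject, this.jwtOptions);
    }

    /**
     * Reads the permissions array from the payload. A key containing {@code '/'} is treated as a
     * path into nested objects; any other key is looked up directly.
     *
     * @return the permissions array, or {@code null} when absent
     */
    private static JsonArray getJsonPermissions(JsonObject jsonObject, String str) {
        if (str.contains("/")) {
            return getNestedJsonValue(jsonObject, str);
        }
        return jsonObject.getJsonArray(str, (JsonArray) null);
    }

    /**
     * Builds the {@link User} for a decoded token.
     *
     * <p>The full payload is stored in the attributes under {@code "accessToken"}; {@code exp},
     * {@code iat}, {@code nbf} and {@code sub} are copied into the attributes when not already
     * present; every claim outside {@code SPECIAL_KEYS} is copied into the principal. String
     * entries of the permissions claim become permission-based authorizations registered under
     * the provider id {@code "jwt-authentication"}; non-string entries are ignored.
     *
     * @param str the encoded token
     * @param jsonObject the decoded payload
     * @param str2 the permissions claim key (optionally a {@code '/'}-separated path)
     */
    @Deprecated
    private User createUser(String str, JsonObject jsonObject, String str2) {
        User user = User.fromToken(str);
        if (jsonObject.containsKey("amr")) {
            user.principal().put("amr", jsonObject.getValue("amr"));
        }
        user.attributes().put("accessToken", jsonObject);
        copyProperties(jsonObject, user.attributes(), "exp", "iat", "nbf", "sub");
        for (String claim : jsonObject.fieldNames()) {
            if (!SPECIAL_KEYS.contains(claim)) {
                user.principal().put(claim, jsonObject.getValue(claim));
            }
        }
        user.attributes().put("rootClaim", "accessToken");

        JsonArray permissions = getJsonPermissions(jsonObject, str2);
        if (permissions != null) {
            for (Object permission : permissions) {
                if (permission instanceof String) {
                    user.authorizations().add("jwt-authentication", PermissionBasedAuthorization.create((String) permission));
                }
            }
        }
        return user;
    }

    /**
     * Copies the named keys from the source into the target, never overwriting a key the target
     * already holds. Does nothing when either object is {@code null}.
     */
    private static void copyProperties(JsonObject jsonObject, JsonObject jsonObject2, String... strArr) {
        if (jsonObject == null || jsonObject2 == null) {
            return;
        }
        for (String key : strArr) {
            if (jsonObject.containsKey(key) && !jsonObject2.containsKey(key)) {
                jsonObject2.put(key, jsonObject.getValue(key));
            }
        }
    }

    /**
     * Walks a {@code '/'}-separated path through nested objects and returns the array found at
     * the final segment.
     *
     * @return the array at the end of the path, or {@code null} when an intermediate object is
     *     missing or when the split yields a single segment (the first segment is always read as
     *     an object, never as the array itself)
     */
    private static JsonArray getNestedJsonValue(JsonObject jsonObject, String str) {
        String[] segments = str.split("/");
        JsonObject current = null;
        for (int i = 0; i < segments.length; i++) {
            if (i == 0) {
                current = jsonObject.getJsonObject(segments[i]);
            } else if (i == segments.length - 1) {
                if (current != null) {
                    return current.getJsonArray(segments[i]);
                }
            } else if (current != null) {
                current = current.getJsonObject(segments[i]);
            }
        }
        return null;
    }
}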
