package it.cosenonjaviste.security.jwt.valves;

import com.auth0.jwk.InvalidPublicKeyException;
import com.auth0.jwk.Jwk;
import com.auth0.jwk.JwkException;
import com.auth0.jwk.JwkProvider;
import com.auth0.jwk.JwkProviderBuilder;
import com.auth0.jwt.JWT;
import com.auth0.jwt.exceptions.InvalidClaimException;
import com.auth0.jwt.exceptions.JWTDecodeException;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;
import com.auth0.jwt.interfaces.RSAKeyProvider;
import it.cosenonjaviste.security.jwt.exceptions.ValveInitializationException;
import it.cosenonjaviste.security.jwt.model.JwtAdapter;
import it.cosenonjaviste.security.jwt.utils.Preconditions;
import it.cosenonjaviste.security.jwt.utils.verifiers.JwtTokenVerifier;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.PublicKey;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Collections;
import java.util.List;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.servlet.ServletException;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;

/* loaded from: input_file:it/cosenonjaviste/security/jwt/valves/OidcJwtTokenValve.class */
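/**
 * Tomcat valve that authenticates requests carrying a JWT in the
 * {@code Authorization: Bearer <token>} header, using the RSA public keys published by an OIDC issuer.
 *
 * <p>The signing key is looked up through a {@link JwkProvider} by the token's {@code kid} header
 * and cached for {@code expiresIn} {@code timeUnit}s (at most 10 keys). Signature and standard claims
 * are checked by {@link JwtTokenVerifier}; on top of that, when {@code supportedAudiences} is
 * configured the token's {@code aud} claim must contain at least one configured value. With an
 * empty {@code supportedAudiences} no audience check is performed, so any token the issuer signed,
 * for whatever audience, is accepted — set it whenever the issuer serves more than this application.
 *
 * <p>Requests without a valid token are answered with 401 and never reach the next valve.
 * Attributes are configured through the bean-style setters, as for any valve; {@link #setIssuerUrl(String)}
 * is mandatory.
 */
public class OidcJwtTokenValve extends AbstractJwtTokenValve {
    private static final Log LOG = LogFactory.getLog(OidcJwtTokenValve.class);
    private static final String BEARER_PREFIX = "Bearer ";
    /** Maximum number of JWKs kept in the provider cache. */
    private static final long JWK_CACHE_SIZE = 10L;

    // URL handed to JwkProviderBuilder to locate the signing keys; whether it must be the bare
    // issuer or the JWKS document itself depends on the jwks-rsa version in use — check its docs.
    private URL issuerUrl;
    // Accepted `aud` values; empty means "do not check the audience" (see class Javadoc).
    private Set<String> supportedAudiences;
    // Lifetime of a cached JWK, expressed in timeUnit.
    private int expiresIn;
    private TimeUnit timeUnit;
    // Built in initInternal(); null until the valve is initialised.
    private JwkProvider urlJwkProvider;

    public OidcJwtTokenValve() {
        defaults();
    }

    /** Resets every configurable attribute to its default value. */
    void defaults() {
        this.supportedAudiences = Collections.emptySet();
        this.expiresIn = 60;
        this.timeUnit = TimeUnit.MINUTES;
        this.customUserIdClaim = "sub";
        this.customRolesClaim = "authorities";
    }

    /**
     * Builds the cached JWK provider once the valve is configured.
     *
     * @throws LifecycleException (as {@link ValveInitializationException}) when the issuer URL is
     *         missing or the provider cannot be built; the cause is preserved and logged
     */
    @Override
    protected void initInternal() throws LifecycleException {
        try {
            super.initInternal();
            // Fail early with a clear message rather than an NPE from the builder.
            Preconditions.checkArgument(this.issuerUrl != null, "issuerUrl must be configured");
            this.urlJwkProvider = new JwkProviderBuilder(this.issuerUrl)
                    .cached(JWK_CACHE_SIZE, this.expiresIn, this.timeUnit)
                    .build();
        } catch (Exception e) {
            LOG.error(e.getMessage(), e);
            throw new ValveInitializationException(e.getMessage(), e);
        }
    }

    /**
     * Authenticates the request from its bearer token and, on success, passes it down the pipeline.
     *
     * <p>Any failure — no token, malformed token (a {@link JWTDecodeException} is a
     * {@link JWTVerificationException}), bad signature, rejected claims, or an error resolving the
     * JWK — results in a 401 via {@code sendUnauthorizedError}; the request then never reaches the
     * next valve.
     */
    @Override
    protected void handleAuthentication(Request request, Response response) throws IOException, ServletException {
        try {
            Optional<DecodedJWT> token = getJwtFrom(request);
            if (!token.isPresent()) {
                sendUnauthorizedError(request, response, "Authorization token not provided");
                return;
            }
            authenticateRequest(request, verify(token.get()));
            getNext().invoke(request, response);
        } catch (JWTVerificationException e) {
            sendUnauthorizedError(request, response, e.getMessage());
        } catch (JwkException e) {
            LOG.error(e.getMessage(), e);
            sendUnauthorizedError(request, response, e.getMessage());
        }
    }

    /**
     * Verifies signature and claims of an already-decoded token and enforces the configured audiences.
     *
     * @return the verified token wrapped for the authentication step
     * @throws JwkException if the key identified by the token's {@code kid} cannot be resolved
     * @throws JWTVerificationException if signature or claims are invalid, including an audience
     *         that is not in {@link #supportedAudiences}
     */
    private JwtAdapter verify(DecodedJWT decodedJWT) throws JwkException {
        // Key selection is driven by the token's own kid; the provider decides how a missing kid is handled.
        Jwk jwk = this.urlJwkProvider.get(decodedJWT.getKeyId());
        JwtAdapter verified = JwtTokenVerifier
                .create(newRsaKeyProvider(jwk), this.customUserIdClaim, this.customRolesClaim)
                .verify(decodedJWT);
        if (!this.supportedAudiences.isEmpty()) {
            checkAudience(decodedJWT);
        }
        return verified;
    }

    /**
     * Enforces the audience restriction: the token is accepted when at least one {@code aud} value
     * is in {@link #supportedAudiences}. {@code aud} may be a single string or an array (both are
     * exposed by {@link DecodedJWT#getAudience()}); a missing claim is rejected.
     */
    private void checkAudience(DecodedJWT decodedJWT) {
        List<String> audiences = decodedJWT.getAudience();
        if (audiences == null || audiences.stream().noneMatch(this.supportedAudiences::contains)) {
            throw new InvalidClaimException("Audience claim value '" + audiences + "' not supported");
        }
    }

    /**
     * Adapts a single, already-selected JWK to the {@link RSAKeyProvider} contract.
     * Only public-key (verification) operations are supported; private-key accessors return null.
     */
    private RSAKeyProvider newRsaKeyProvider(final Jwk jwk) {
        return new RSAKeyProvider() {
            @Override
            public RSAPublicKey getPublicKeyById(String keyId) {
                // The JWK was already chosen by kid in verify(); keyId is intentionally not consulted.
                try {
                    PublicKey publicKey = jwk.getPublicKey();
                    if (!(publicKey instanceof RSAPublicKey)) {
                        // A non-RSA JWK would otherwise escape as a ClassCastException (HTTP 500 instead of 401).
                        throw new JWTDecodeException("Signing key '" + jwk.getId() + "' is not an RSA key");
                    }
                    return (RSAPublicKey) publicKey;
                } catch (InvalidPublicKeyException e) {
                    throw new JWTDecodeException(e.getMessage(), e);
                }
            }

            @Override
            public RSAPrivateKey getPrivateKey() {
                return null; // verification only; this valve never signs
            }

            @Override
            public String getPrivateKeyId() {
                return null;
            }
        };
    }

    /**
     * Extracts and decodes (without verifying) the bearer token from the {@code Authorization} header.
     *
     * @return the decoded token, or empty when the header is absent, not a bearer credential, or has
     *         no token after the scheme
     * @throws JWTDecodeException if the token is present but not a well-formed JWT
     */
    private Optional<DecodedJWT> getJwtFrom(Request request) {
        String header = request.getHeader("Authorization");
        // The scheme name is case-insensitive; regionMatches avoids locale-dependent lowercasing.
        if (header == null || !header.regionMatches(true, 0, BEARER_PREFIX, 0, BEARER_PREFIX.length())) {
            return Optional.empty();
        }
        String token = header.substring(BEARER_PREFIX.length());
        // JWT.decode only parses; signature and claims are checked later in verify().
        return token.isEmpty() ? Optional.empty() : Optional.of(JWT.decode(token));
    }

    /** @throws MalformedURLException if the value is not a valid URL */
    public void setIssuerUrl(String issuerUrl) throws MalformedURLException {
        this.issuerUrl = new URL(issuerUrl);
    }

    /**
     * Sets the accepted {@code aud} values as a comma-separated list; entries are trimmed.
     *
     * @throws IllegalArgumentException if the value is null (an empty string is allowed and yields the
     *         single audience {@code ""}, which keeps the audience check active)
     */
    public void setSupportedAudiences(String supportedAudiences) {
        Preconditions.checkArgument(supportedAudiences != null, "supportedAudiences cannot be null");
        // Empty entries are deliberately kept: dropping them could turn a misconfigured value into
        // an empty set, which would silently disable the audience check.
        this.supportedAudiences = Stream.of(supportedAudiences.split(","))
                .map(String::trim)
                .collect(Collectors.toSet());
    }

    /** JWK cache lifetime, in units of {@link #setTimeUnit(String)}. */
    public void setExpiresIn(int expiresIn) {
        this.expiresIn = expiresIn;
    }

    /** @param timeUnit a {@link TimeUnit} constant name, e.g. {@code MINUTES} */
    public void setTimeUnit(String timeUnit) {
        this.timeUnit = TimeUnit.valueOf(timeUnit);
    }
}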
