package com.floragunn.searchguard.enterprise.auth.oidc;

import com.floragunn.searchguard.authc.AuthenticatorUnavailableException;
import com.google.common.base.Strings;
import org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm;
import org.apache.cxf.rs.security.jose.jwk.JsonWebKey;
import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer;
import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
import org.apache.cxf.rs.security.jose.jws.JwsUtils;
import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
import org.apache.cxf.rs.security.jose.jwt.JwtException;
import org.apache.cxf.rs.security.jose.jwt.JwtToken;
import org.apache.cxf.rs.security.jose.jwt.JwtUtils;

/* loaded from: input_file:com/floragunn/searchguard/enterprise/auth/oidc/JwtVerifier.class */
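/**
 * Verifies JWTs presented in compact JWS serialization against the keys of a {@link KeyProvider}.
 *
 * <p>Check order in {@link #getVerifiedJwtToken(String)}: issuer claim, audience claim, signature
 * (with one key-refresh retry when the header carries no {@code kid}), then the time-based claims.
 * Every rejection surfaces as {@link BadCredentialsException}; trouble reaching the key source
 * surfaces as {@link AuthenticatorUnavailableException} from the provider.
 *
 * <p>Holds no mutable state, so an instance can be shared to the extent the {@link KeyProvider} can.
 */
public class JwtVerifier {
    private final KeyProvider keyProvider;
    // Value the "aud" claim must contain; null disables the audience check.
    private final String requiredAudience;
    // Value the "iss" claim must equal; null disables the issuer check.
    private final String requiredIssuer;

    /**
     * @param keyProvider      source of JWKs, looked up by the token's {@code kid} header
     * @param requiredAudience audience the token must be issued for, or {@code null} to skip the check
     * @param requiredIssuer   issuer the token must originate from, or {@code null} to skip the check
     */
    public JwtVerifier(KeyProvider keyProvider, String requiredAudience, String requiredIssuer) {
        this.keyProvider = keyProvider;
        this.requiredAudience = requiredAudience;
        this.requiredIssuer = requiredIssuer;
    }

    /**
     * Parses and fully verifies a compact JWS-encoded JWT.
     *
     * @param encodedJwt the compact serialization ({@code header.payload.signature})
     * @return the parsed token, returned only when issuer, audience, signature and time claims all pass
     * @throws BadCredentialsException if any check fails, no usable key is available, or the token
     *         cannot be decoded as a JWT
     * @throws AuthenticatorUnavailableException propagated from the key provider
     */
    public JwtToken getVerifiedJwtToken(String encodedJwt) throws BadCredentialsException, AuthenticatorUnavailableException {
        try {
            JwsJwtCompactConsumer consumer = new JwsJwtCompactConsumer(encodedJwt);
            JwtToken jwtToken = consumer.getJwtToken();
            // Claim checks run before the signature is verified, so at this point their
            // messages only describe what the (not yet authenticated) token asserts about itself.
            validateIssuer(jwtToken);
            validateAudienceRestriction(jwtToken);
            String keyId = jwtToken.getJwsHeaders().getKeyId();
            JsonWebKey key = this.keyProvider.getKey(keyId);
            boolean verified = verifySignature(consumer, key, jwtToken);
            // Without a kid the cached key set may simply be stale: refresh once and retry.
            // With a kid present, a non-matching key is a hard rejection.
            if (!verified && Strings.isNullOrEmpty(keyId)) {
                key = this.keyProvider.getKeyAfterRefresh(null);
                verified = verifySignature(consumer, key, jwtToken);
            }
            if (!verified) {
                throw new BadCredentialsException(key == null ? "Cannot verify JWT: no signing key available" : "Invalid JWT signature");
            }
            // Time-based claims are evaluated last, on a signature-verified token.
            validateClaims(jwtToken);
            return jwtToken;
        } catch (JwtException e) {
            // NOTE(review): only JwtException is mapped here. A malformed compact serialization
            // (wrong part count, bad base64) may be reported by CXF through a different JOSE
            // exception type and then escape as a RuntimeException instead of a credential
            // rejection -- confirm against the CXF version in use and widen the catch if so.
            throw new BadCredentialsException(e.getMessage(), e);
        }
    }

    /**
     * Verifies the token signature with {@code key}.
     *
     * @return {@code true} if the signature verifies; {@code false} if it does not or no key was supplied
     * @throws BadCredentialsException if the key's algorithm conflicts with the token header or no
     *         verifier can be built for the key
     */
    private boolean verifySignature(JwsJwtCompactConsumer consumer, JsonWebKey key, JwtToken jwtToken) throws BadCredentialsException, JwtException {
        if (key == null) {
            // Assumes the provider signals "no such key" with null -- confirm. Reporting it as
            // "not verified" lets the caller decide on a refresh retry instead of dereferencing
            // the key and failing with a NullPointerException.
            return false;
        }
        return consumer.verifySignatureWith(getInitializedSignatureVerifier(key, jwtToken));
    }

    /**
     * Rejects a token whose {@code alg} header differs from the {@code alg} declared on the JWK.
     *
     * <p>A JWK without an {@code alg} member is not constrained here; the token's own header then
     * decides the algorithm and is only limited by what {@code JwsUtils} accepts for that key type.
     *
     * @throws BadCredentialsException on a mismatch
     */
    private void validateSignatureAlgorithm(JsonWebKey jsonWebKey, JwtToken jwtToken) throws BadCredentialsException {
        if (Strings.isNullOrEmpty(jsonWebKey.getAlgorithm())) {
            return;
        }
        SignatureAlgorithm keyAlgorithm = SignatureAlgorithm.getAlgorithm(jsonWebKey.getAlgorithm());
        // NOTE(review): behaviour of SignatureAlgorithm.getAlgorithm() on an unrecognised name is
        // not visible here; a null result is handled by equals() below, an exception is not mapped.
        SignatureAlgorithm tokenAlgorithm = SignatureAlgorithm.getAlgorithm(jwtToken.getJwsHeaders().getAlgorithm());
        if (!keyAlgorithm.equals(tokenAlgorithm)) {
            throw new BadCredentialsException("Algorithm of JWT does not match algorithm of JWK (" + String.valueOf(keyAlgorithm) + " != " + String.valueOf(tokenAlgorithm) + ")");
        }
    }

    /**
     * Builds a signature verifier for {@code jsonWebKey} using the algorithm named in the token header.
     *
     * @throws BadCredentialsException if the key and header algorithms disagree or CXF yields no verifier
     */
    private JwsSignatureVerifier getInitializedSignatureVerifier(JsonWebKey jsonWebKey, JwtToken jwtToken) throws BadCredentialsException, JwtException {
        validateSignatureAlgorithm(jsonWebKey, jwtToken);
        JwsSignatureVerifier signatureVerifier = JwsUtils.getSignatureVerifier(jsonWebKey, jwtToken.getJwsHeaders().getSignatureAlgorithm());
        if (signatureVerifier == null) {
            throw new BadCredentialsException("Cannot verify JWT");
        }
        return signatureVerifier;
    }

    /**
     * Checks {@code exp} and {@code nbf} with no clock skew allowance.
     *
     * <p>The final {@code false} argument appears to mean "claim not required", i.e. a token that
     * carries no {@code exp} (and so never expires) is accepted -- confirm against the CXF version
     * in use and decide whether the deployment should require an expiry.
     *
     * @throws JwtException if the token is expired or not yet valid
     */
    private void validateClaims(JwtToken jwtToken) throws BadCredentialsException, JwtException {
        JwtClaims claims = jwtToken.getClaims();
        if (claims != null) {
            JwtUtils.validateJwtExpiry(claims, 0, false);
            JwtUtils.validateJwtNotBefore(claims, 0, false);
        }
    }

    /**
     * Requires the configured audience to appear in the {@code aud} claim; no-op when none is configured.
     *
     * @throws JwtException if the token has no claims or the audience is absent
     */
    private void validateAudienceRestriction(JwtToken jwtToken) {
        if (this.requiredAudience == null) {
            return;
        }
        JwtClaims claims = jwtToken.getClaims();
        if (claims == null) {
            throw new JwtException("No claims defined");
        }
        if (!claims.getAudiences().contains(this.requiredAudience)) {
            throw new JwtException("Invalid audience claim: " + String.valueOf(claims.getAudiences()));
        }
    }

    /**
     * Requires the {@code iss} claim to equal the configured issuer; no-op when none is configured.
     *
     * @throws JwtException if the token has no claims or the issuer differs
     */
    private void validateIssuer(JwtToken jwtToken) {
        if (this.requiredIssuer == null) {
            return;
        }
        JwtClaims claims = jwtToken.getClaims();
        if (claims == null) {
            throw new JwtException("No claims defined");
        }
        if (!this.requiredIssuer.equals(claims.getIssuer())) {
            throw new JwtException("Invalid issuer claim: " + claims.getIssuer());
        }
    }
}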
