package com.linecorp.armeria.server.saml;

import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.linecorp.armeria.internal.common.util.TemporaryThreadLocals;
import com.linecorp.armeria.internal.shaded.guava.base.MoreObjects;
import com.linecorp.armeria.internal.shaded.guava.base.Preconditions;
import io.netty.util.internal.MacAddressUtil;
import io.netty.util.internal.ThreadLocalRandom;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalUnit;
import java.util.Base64;
import java.util.Date;
import java.util.Objects;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/linecorp/armeria/server/saml/JwtBasedSamlRequestIdManager.class */
/**
 * A {@link SamlRequestIdManager} whose request IDs are signed JWTs.
 *
 * <p>Each ID carries the configured issuer, an issued-at and expiry timestamp, and two
 * "uniquifier" claims ({@code un1}, {@code un2}). Validation is stateless: an ID is accepted
 * when the verifier built from the same {@link Algorithm} and issuer accepts it.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>Unforgeability rests entirely on the supplied {@link Algorithm} and its key material.
 *       This class does not inspect which algorithm it is given (for example it does not reject
 *       the library's unsigned {@code none} algorithm), so callers must pass a keyed one.</li>
 *   <li>The uniquifier claims are drawn from {@code ThreadLocalRandom}, which is not a
 *       cryptographically strong generator. They only lower the chance of two IDs colliding
 *       and must not be treated as secrets.</li>
 *   <li>No issued ID is recorded anywhere in this class, so {@link #validateId(String)} cannot
 *       tell a first use from a repeated one; an ID stays acceptable until it expires
 *       (plus leeway). One-time-use enforcement, if required, has to live elsewhere.</li>
 *   <li>A signed JWT's payload is encoded, not encrypted: the {@code un1} claim, which embeds
 *       Netty's default machine ID, is readable by anyone who sees the request ID.</li>
 * </ul>
 *
 * <p>This listing is decompiler output; parameter names such as {@code str}, {@code i} and
 * {@code i2} are generated and kept as-is.
 */
final class JwtBasedSamlRequestIdManager implements SamlRequestIdManager {
    private static final Logger logger = LoggerFactory.getLogger(JwtBasedSamlRequestIdManager.class);

    /** Claim holding the per-instance prefix computed once in the constructor. */
    private static final String CLAIM_NAME_UNIQUIFIER1 = "un1";
    /** Claim holding a fresh non-negative random integer for every issued ID. */
    private static final String CLAIM_NAME_UNIQUIFIER2 = "un2";

    private final String issuer;
    private final Algorithm algorithm;
    private final int validSeconds;
    private final int leewaySeconds;
    private final String un1;
    private final JWTVerifier verifier;

    /**
     * Creates a manager that signs and verifies request IDs with the given algorithm.
     *
     * <p>The decompiler reports that this constructor's access modifier was changed from
     * package-private; the {@code public} modifier is kept to match the listing.
     *
     * @param str the JWT issuer, written into every ID and required on validation
     * @param algorithm the signing and verification algorithm
     * @param i the lifetime of an issued ID in seconds; must be greater than zero
     * @param i2 the clock-skew leeway in seconds accepted on validation; must not be negative
     * @throws NullPointerException if {@code str} or {@code algorithm} is {@code null}
     * @throws IllegalArgumentException if {@code i <= 0} or {@code i2 < 0}
     */
    public JwtBasedSamlRequestIdManager(String str, Algorithm algorithm, int i, int i2) {
        // Null checks run first, in the same order as the original, so the same exception wins.
        this.issuer = Objects.requireNonNull(str, "issuer");
        this.algorithm = Objects.requireNonNull(algorithm, "algorithm");
        this.validSeconds = i;
        this.leewaySeconds = i2;

        final String badValidity = "invalid valid duration: " + i + " (expected: > 0)";
        Preconditions.checkArgument(i > 0, badValidity);
        final String badLeeway = "invalid leeway duration:" + i2 + " (expected: >= 0)";
        Preconditions.checkArgument(i2 >= 0, badLeeway);

        this.un1 = getUniquifierPrefix();
        // The verifier pins both the algorithm and the issuer; leeway widens the time checks.
        this.verifier = JWT.require(algorithm)
                           .withIssuer(str)
                           .acceptLeeway(i2)
                           .build();
    }

    /**
     * Issues a new request ID: a JWT signed with the configured algorithm that expires
     * {@code validSeconds} after the moment of the call.
     *
     * @return the serialized, signed JWT
     */
    @Override
    public String newId() {
        final Instant issuedAt = Instant.now();
        final Instant expiresAt = issuedAt.plus(this.validSeconds, ChronoUnit.SECONDS);
        // A bounded nextInt() should already be non-negative; the mask is kept from the original.
        final int perIdValue =
                ThreadLocalRandom.current().nextInt(Integer.MAX_VALUE) & Integer.MAX_VALUE;

        return JWT.create()
                  .withIssuer(this.issuer)
                  .withIssuedAt(Date.from(issuedAt))
                  .withExpiresAt(Date.from(expiresAt))
                  .withClaim(CLAIM_NAME_UNIQUIFIER1, this.un1)
                  .withClaim(CLAIM_NAME_UNIQUIFIER2, Integer.valueOf(perIdValue))
                  .sign(this.algorithm);
    }

    /**
     * Checks a request ID against the verifier built in the constructor (algorithm, issuer,
     * and the library's time-claim checks with the configured leeway).
     *
     * <p>The uniquifier claims are not examined here, and nothing records that an ID has been
     * seen before, so a valid ID validates repeatedly until it expires.
     *
     * @param str the request ID to check
     * @return {@code true} if the verifier accepts the ID, {@code false} on any failure
     * @throws NullPointerException if {@code str} is {@code null}
     */
    @Override
    public boolean validateId(String str) {
        Objects.requireNonNull(str, "id");
        boolean accepted;
        try {
            this.verifier.verify(str);
            accepted = true;
        } catch (Throwable cause) {
            // Every failure, including JVM errors, is turned into a plain rejection.
            // NOTE(review): rejections are logged at TRACE only, so forged, expired or
            // malformed IDs leave no record unless trace logging is enabled for this class.
            logger.trace("JWT token validation failed", cause);
            accepted = false;
        }
        return accepted;
    }

    /**
     * Returns a description of the issuer, algorithm, validity and leeway. The uniquifier
     * prefix and the verifier are not included.
     */
    @Override
    public String toString() {
        final MoreObjects.ToStringHelper description = MoreObjects.toStringHelper(this);
        description.add("issuer", this.issuer);
        description.add("algorithm", this.algorithm);
        description.add("validSeconds", this.validSeconds);
        description.add("leewaySeconds", this.leewaySeconds);
        return description.toString();
    }

    /**
     * Builds the per-instance {@code un1} value: the Base64 form of Netty's default machine ID
     * followed by the Base64 form of six random bytes.
     *
     * <p>The random bytes come from a non-cryptographic generator and the machine ID is not
     * secret, so the result identifies the issuing instance but authenticates nothing.
     */
    private static String getUniquifierPrefix() {
        // Scratch buffer borrowed from the thread-local pool; it is encoded before returning.
        final byte[] randomPart = TemporaryThreadLocals.get().byteArray(6);
        ThreadLocalRandom.current().nextBytes(randomPart);

        final Base64.Encoder base64 = Base64.getEncoder();
        final String machinePart = base64.encodeToString(MacAddressUtil.defaultMachineId());
        return machinePart + base64.encodeToString(randomPart);
    }
}
