package com.sap.cloud.security.xsuaa.token.authentication;

import com.github.benmanes.caffeine.cache.Cache;
import com.github.benmanes.caffeine.cache.Caffeine;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTParser;
import com.sap.cloud.security.xsuaa.XsuaaServiceConfiguration;
import com.sap.cloud.security.xsuaa.token.TokenClaims;
import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.X509EncodedKeySpec;
import java.text.ParseException;
import java.time.Duration;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import javax.annotation.Nullable;
import org.json.JSONObject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.cache.concurrent.ConcurrentMapCache;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.BadJwtException;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtException;
import org.springframework.security.oauth2.jwt.JwtValidationException;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.util.Assert;
import org.springframework.util.StringUtils;
import org.springframework.web.client.RestOperations;

/* Decompiled (JADX) listing of com/sap/cloud/security/xsuaa/token/authentication/XsuaaJwtDecoder.class;
   local variable names are synthetic and the order of sibling catch clauses may not match the original source. */
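/**
 * {@link JwtDecoder} for access tokens issued by XSUAA.
 *
 * <p>Verification works in two stages:
 * <ol>
 *   <li><b>Online key.</b> The JWK set is fetched from
 *       {@code https://<uaadomain>/token_keys[?zid=<zid>]}. The host is always the
 *       {@code uaadomain} of the bound service configuration; the token's own {@code jku}
 *       header is exposed by {@link TokenInfoExtractor} but deliberately never used to locate
 *       the key set, so a token cannot choose the server whose keys verify it.</li>
 *   <li><b>Fallback key.</b> Only when the key set cannot be fetched, or no {@code uaadomain}
 *       is configured, the statically configured {@code verificationkey} (an RSA public key)
 *       is used. A bad signature, expiry or audience failure never triggers the fallback.</li>
 * </ol>
 *
 * <p>{@code kid} and {@code zid} are read from the token <em>before</em> its signature is
 * checked and are therefore untrusted input. They only select which key set is fetched from
 * the trusted host; {@code zid} is URL-encoded before it is placed in the query string so it
 * cannot inject further query parameters or a fragment.
 *
 * <p>Decoders are cached per (JWKS URL, kid) for {@code cacheValidityInSeconds}; each decoder
 * additionally caches the fetched JWK set for the same duration.
 *
 * <p>The setters are intended for configuration before the decoder is shared between threads.
 */
public class XsuaaJwtDecoder implements JwtDecoder {
    /** Message fragment seen when the remote JWK set could not be downloaded. */
    private static final String MSG_REMOTE_JWKS_UNAVAILABLE = "Couldn't retrieve remote JWK set";
    /** Message fragment produced by {@link #canVerifyWithKey} when no uaadomain is configured. */
    private static final String MSG_NO_UAADOMAIN = "Cannot verify with online token key, uaadomain is";
    /** Separator for the decoder cache key, so distinct (jku, kid) pairs cannot collide on concatenation. */
    private static final String CACHE_KEY_SEPARATOR = "|";

    private final Logger logger = LoggerFactory.getLogger(getClass());
    private final XsuaaServiceConfiguration xsuaaServiceConfiguration;
    private final Duration cacheValidityInSeconds;
    private final int cacheSize;
    /** One {@link JwtDecoder} per JWKS URL and kid; package-visible (presumably for tests). */
    final Cache<String, JwtDecoder> cache;
    private final OAuth2TokenValidator<Jwt> tokenValidators;
    private final Collection<PostValidationAction> postValidationActions;
    private TokenInfoExtractor tokenInfoExtractor;
    private RestOperations restOperations;

    /**
     * Creates a decoder.
     *
     * @param xsuaaServiceConfiguration bound service configuration (uaadomain, verificationkey)
     * @param cacheValiditySeconds      lifetime of cached decoders and JWK sets, in seconds
     * @param cacheSize                 maximum number of cached decoders / JWK-set entries
     * @param tokenValidators           claim validators applied after signature verification
     * @param postValidationActions     actions run on every successfully decoded token; may be null
     */
    public XsuaaJwtDecoder(final XsuaaServiceConfiguration xsuaaServiceConfiguration, int cacheValiditySeconds,
            int cacheSize, OAuth2TokenValidator<Jwt> tokenValidators,
            Collection<PostValidationAction> postValidationActions) {
        this.xsuaaServiceConfiguration = xsuaaServiceConfiguration;
        this.cacheValidityInSeconds = Duration.ofSeconds(cacheValiditySeconds);
        this.cacheSize = cacheSize;
        this.cache = Caffeine.newBuilder()
                .expireAfterWrite(this.cacheValidityInSeconds)
                .maximumSize(this.cacheSize)
                .build();
        this.tokenValidators = tokenValidators;
        this.postValidationActions = postValidationActions != null ? postValidationActions : Collections.emptyList();
        // Default extractor: kid/jku come from the (unverified) JOSE header, uaadomain from the
        // trusted configuration. getJku is provided for callers but not consulted by this class.
        this.tokenInfoExtractor = new TokenInfoExtractor() {
            @Override
            public String getJku(JWT jwt) {
                return headerAsJson(jwt).optString(TokenClaims.CLAIM_JKU, null);
            }

            @Override
            public String getKid(JWT jwt) {
                return headerAsJson(jwt).optString(TokenClaims.CLAIM_KID, null);
            }

            @Override
            public String getUaaDomain(JWT jwt) {
                return xsuaaServiceConfiguration.getUaaDomain();
            }

            private JSONObject headerAsJson(JWT jwt) {
                return new JSONObject(jwt.getHeader().toString());
            }
        };
    }

    /**
     * Parses, verifies and validates the given compact JWT, then runs all post-validation actions.
     *
     * @param token the serialized JWT
     * @return the verified and validated token
     * @throws BadJwtException if the token cannot be parsed, its signature cannot be verified or
     *                         a validator rejects it
     */
    @Override
    public Jwt decode(String token) throws BadJwtException {
        Assert.notNull(token, "token is required");
        JWT parsed;
        try {
            parsed = JWTParser.parse(token);
        } catch (ParseException e) {
            throw new BadJwtException("Error initializing JWT decoder: " + e.getMessage(), e);
        }
        Jwt verified = verifyToken(parsed);
        for (PostValidationAction action : postValidationActions) {
            action.perform(verified);
        }
        return verified;
    }

    /** Replaces the default extractor for kid / jku / uaadomain. */
    public void setTokenInfoExtractor(TokenInfoExtractor tokenInfoExtractor) {
        this.tokenInfoExtractor = tokenInfoExtractor;
    }

    /** Sets the HTTP client used to fetch JWK sets; when unset the Spring default is used. */
    public void setRestOperations(RestOperations restOperations) {
        this.restOperations = restOperations;
    }

    /**
     * Verifies with the online key set and, only when that key set is unreachable or not
     * configured, falls back to the static verification key.
     */
    private Jwt verifyToken(JWT jwt) {
        try {
            return verifyToken(jwt.getParsedString(),
                    tokenInfoExtractor.getKid(jwt),
                    tokenInfoExtractor.getUaaDomain(jwt),
                    getZid(jwt));
        } catch (BadJwtException e) {
            // Any other failure (bad signature, expired, wrong audience, ...) is final:
            // the fallback must never turn a rejected token into an accepted one.
            if (!isOnlineKeyUnavailable(e)) {
                throw e;
            }
            logger.debug(e.getMessage());
            return tryToVerifyWithVerificationKey(jwt.getParsedString(), e);
        }
    }

    /**
     * Decides whether a failure is "could not obtain the online key" (fallback allowed) rather
     * than a verification failure. This is a message-text match, so the two fragments must stay
     * in sync with {@link #canVerifyWithKey} and the wrapped Nimbus/Spring message.
     */
    private static boolean isOnlineKeyUnavailable(BadJwtException e) {
        String message = e.getMessage();
        return message != null
                && (message.contains(MSG_REMOTE_JWKS_UNAVAILABLE) || message.contains(MSG_NO_UAADOMAIN));
    }

    /** Returns the {@code zid} claim, or null when it is absent, blank or the claim set is unreadable. */
    @Nullable
    private static String getZid(JWT jwt) {
        String zid;
        try {
            zid = jwt.getJWTClaimsSet().getStringClaim(TokenClaims.CLAIM_ZONE_ID);
        } catch (ParseException e) {
            zid = null;
        }
        return zid == null || zid.trim().isEmpty() ? null : zid;
    }

    /**
     * Online verification. Validation failures ({@link JwtValidationException}) are propagated
     * unchanged so callers can inspect the individual errors; every other {@link JwtException}
     * (e.g. the key set could not be fetched) is wrapped into a {@link BadJwtException}.
     * The subclass catch must precede the superclass catch to compile.
     */
    private Jwt verifyToken(String token, String kid, String uaaDomain, @Nullable String zid) {
        try {
            canVerifyWithKey(kid, uaaDomain);
            return verifyWithKey(token, composeJku(uaaDomain, zid), kid);
        } catch (JwtValidationException e) {
            throw e;
        } catch (JwtException e) {
            throw new BadJwtException("JWT verification failed: " + e.getMessage(), e);
        }
    }

    /**
     * Ensures both inputs needed for an online key lookup are present.
     *
     * @throws BadJwtException naming the missing inputs; the "uaadomain is" wording is what
     *                         {@link #isOnlineKeyUnavailable} keys on to permit the fallback
     */
    private void canVerifyWithKey(String kid, String uaaDomain) {
        if (kid != null && uaaDomain != null) {
            return;
        }
        List<String> missing = new ArrayList<>();
        if (kid == null) {
            missing.add(TokenClaims.CLAIM_KID);
        }
        if (uaaDomain == null) {
            missing.add("uaadomain");
        }
        throw new BadJwtException(
                String.format("Cannot verify with online token key, %s is null", String.join(", ", missing)));
    }

    /**
     * Builds the JWKS URL from the configured uaadomain and the token's zone id.
     *
     * <p>A uaadomain that already carries a scheme is used as-is; otherwise {@code https://} is
     * prepended. NOTE: an explicit {@code http://} uaadomain is honored (presumably for local
     * setups) — a plaintext JWKS fetch lets a network attacker substitute signing keys, so
     * production bindings must not use it.
     */
    private String composeJku(String uaaDomain, @Nullable String zid) {
        boolean hasScheme = uaaDomain.startsWith("http://") || uaaDomain.startsWith("https://");
        String base = hasScheme ? uaaDomain : "https://" + uaaDomain;
        // zid is an unverified claim: encode it so it can only ever be the value of "zid".
        String query = zid != null ? "?zid=" + urlEncode(zid) : "";
        return base + "/token_keys" + query;
    }

    private static String urlEncode(String value) {
        try {
            return URLEncoder.encode(value, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException("UTF-8 must be supported by the JVM", e);
        }
    }

    /** Decodes with the cached decoder for this JWKS URL and kid, creating it on first use. */
    private Jwt verifyWithKey(String token, String jku, String kid) {
        String cacheKey = jku + CACHE_KEY_SEPARATOR + kid;
        JwtDecoder decoder = cache.get(cacheKey, ignoredKey -> getDecoder(jku));
        return decoder.decode(token);
    }

    /** Creates a JWKS-backed decoder with an in-memory JWK-set cache of the same lifetime as {@link #cache}. */
    private JwtDecoder getDecoder(String jku) {
        NimbusJwtDecoder.JwkSetUriJwtDecoderBuilder builder = NimbusJwtDecoder.withJwkSetUri(jku)
                .cache(new ConcurrentMapCache("jwkSetCache",
                        Caffeine.newBuilder()
                                .expireAfterWrite(cacheValidityInSeconds)
                                .maximumSize(cacheSize)
                                .build()
                                .asMap(),
                        false));
        if (restOperations != null) {
            builder.restOperations(restOperations);
        }
        NimbusJwtDecoder decoder = builder.build();
        decoder.setJwtValidator(tokenValidators);
        return decoder;
    }

    /**
     * Fallback path: uses the configured {@code verificationkey} if present, otherwise rethrows
     * the original online failure.
     */
    private Jwt tryToVerifyWithVerificationKey(String token, JwtException onlineFailure) {
        logger.debug("Falling back to token validation with verificationkey");
        String verificationKey = xsuaaServiceConfiguration.getVerificationKey();
        if (!StringUtils.hasText(verificationKey)) {
            throw onlineFailure;
        }
        return verifyWithVerificationKey(token, verificationKey);
    }

    /**
     * Verifies and validates with a single RSA public key. The same claim validators apply, but
     * their detailed errors are collapsed into one generic {@link BadJwtException}.
     */
    private Jwt verifyWithVerificationKey(String token, String verificationKey) {
        try {
            NimbusJwtDecoder decoder = NimbusJwtDecoder.withPublicKey(createPublicKey(verificationKey)).build();
            decoder.setJwtValidator(tokenValidators);
            return decoder.decode(token);
        } catch (IllegalArgumentException | NoSuchAlgorithmException | InvalidKeySpecException | BadJwtException e) {
            logger.debug("Jwt signature validation with fallback verificationkey failed: {}", e.getMessage());
            throw new BadJwtException("Jwt validation with fallback verificationkey failed", e);
        }
    }

    /** Strips PEM armor and (literal or escaped) line breaks, leaving the bare base64 body. */
    private static String extractKey(String pem) {
        return pem.replace("\n", "")
                .replace("\\n", "")
                .replace("\r", "")
                .replace("\\r", "")
                .replace("-----BEGIN PUBLIC KEY-----", "")
                .replace("-----END PUBLIC KEY-----", "");
    }

    /**
     * Parses an X.509/SPKI-encoded RSA public key from PEM text. Only public material is
     * logged, and only at debug level.
     */
    private RSAPublicKey createPublicKey(String pem) throws NoSuchAlgorithmException, InvalidKeySpecException {
        logger.debug("verificationkey={}", pem);
        String base64Body = extractKey(pem);
        logger.debug("RSA public key n+e={}", base64Body);
        byte[] der = Base64.getDecoder().decode(base64Body);
        RSAPublicKey publicKey = (RSAPublicKey) KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(der));
        logger.debug("parsed RSA e={}, n={}", publicKey.getPublicExponent(), publicKey.getModulus());
        return publicKey;
    }
}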
