package com.sap.cloud.security.xsuaa.token.authentication;

import com.github.benmanes.caffeine.cache.Cache;
import com.github.benmanes.caffeine.cache.Caffeine;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTParser;
import com.sap.cloud.security.xsuaa.XsuaaServiceConfiguration;
import com.sap.cloud.security.xsuaa.token.TokenClaims;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.X509EncodedKeySpec;
import java.text.ParseException;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Collection;
import java.util.Collections;
import java.util.concurrent.TimeUnit;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtException;
import org.springframework.security.oauth2.jwt.JwtValidationException;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.util.Assert;
import org.springframework.web.client.RestOperations;

/* loaded from: input_file:com/sap/cloud/security/xsuaa/token/authentication/XsuaaJwtDecoder.class */
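/**
 * {@link JwtDecoder} for XSUAA-issued JWTs.
 *
 * <p>Verification order (see {@link #decode(String)}):
 * <ol>
 *   <li>Online: the token's {@code jku} header must point at a host inside the configured UAA
 *       domain; the signing key is then fetched from that JWKS endpoint. One {@link NimbusJwtDecoder}
 *       is cached per {@code jku + kid}.</li>
 *   <li>Offline fallback: if the online path throws any {@link JwtException} (including a
 *       {@link JwtValidationException}) and a verification key is configured, the token is verified
 *       against that PEM-encoded RSA public key instead.</li>
 * </ol>
 * Every decoder built here applies the configured {@link OAuth2TokenValidator}; post-validation
 * actions run only after a successful verification.
 *
 * <p>The setters are plain, unsynchronized field writes: configure the instance fully before
 * sharing it between threads.
 */
public class XsuaaJwtDecoder implements JwtDecoder {
    private final Logger logger = LoggerFactory.getLogger(getClass());
    private final XsuaaServiceConfiguration xsuaaServiceConfiguration;
    /** Decoders keyed by {@code jku + kid}; package-private, as in the original. */
    Cache<String, JwtDecoder> cache;
    private final OAuth2TokenValidator<Jwt> tokenValidators;
    private final Collection<PostValidationAction> postValidationActions;
    private TokenInfoExtractor tokenInfoExtractor;
    private RestOperations restOperations;

    /**
     * Creates a decoder with a bounded, time-limited JWKS decoder cache.
     *
     * <p>(The decompiler note on the original indicates this constructor was package-private in
     * the compiled class; it is left {@code public} here to match the listing.)
     *
     * @param xsuaaServiceConfiguration binding that supplies the UAA domain and optional offline
     *                                  verification key
     * @param cacheValidityInSeconds    seconds after which a cached JWKS decoder expires
     * @param cacheSize                 maximum number of cached JWKS decoders
     * @param tokenValidators           validator applied by every decoder built by this class
     * @param postValidationActions     actions run after successful verification; {@code null}
     *                                  means none
     */
    public XsuaaJwtDecoder(final XsuaaServiceConfiguration xsuaaServiceConfiguration,
            int cacheValidityInSeconds, int cacheSize, OAuth2TokenValidator<Jwt> tokenValidators,
            Collection<PostValidationAction> postValidationActions) {
        this.cache = Caffeine.newBuilder()
                .expireAfterWrite(cacheValidityInSeconds, TimeUnit.SECONDS)
                .maximumSize(cacheSize)
                .build();
        this.tokenValidators = tokenValidators;
        this.xsuaaServiceConfiguration = xsuaaServiceConfiguration;
        // Default extractor: jku and kid come from the JOSE header of the token itself,
        // the trusted domain from the service configuration (never from the token).
        this.tokenInfoExtractor = new TokenInfoExtractor() {
            @Override
            public String getJku(JWT jwt) {
                return (String) jwt.getHeader().toJSONObject().get(TokenClaims.CLAIM_JKU);
            }

            @Override
            public String getKid(JWT jwt) {
                return (String) jwt.getHeader().toJSONObject().get(TokenClaims.CLAIM_KID);
            }

            @Override
            public String getUaaDomain(JWT jwt) {
                return xsuaaServiceConfiguration.getUaaDomain();
            }
        };
        this.postValidationActions = postValidationActions != null
                ? postValidationActions
                : Collections.emptyList();
    }

    /**
     * Parses, verifies and post-processes an encoded JWT.
     *
     * @param token the compact-serialized JWT
     * @return the verified token
     * @throws JwtException if the token cannot be parsed, or neither online nor offline
     *                      verification succeeds
     */
    @Override
    public Jwt decode(String token) throws JwtException {
        Assert.notNull(token, "token is required");
        JWT parsedToken;
        try {
            parsedToken = JWTParser.parse(token);
        } catch (ParseException e) {
            // Keep the cause so the parse error is not lost behind the message text.
            throw new JwtException("Error initializing JWT decoder: " + e.getMessage(), e);
        }
        Jwt verifiedToken = verifyToken(parsedToken);
        postValidationActions.forEach(action -> action.perform(verifiedToken));
        return verifiedToken;
    }

    /** Replaces the extractor used to read jku, kid and UAA domain for a token. */
    public void setTokenInfoExtractor(TokenInfoExtractor tokenInfoExtractor) {
        this.tokenInfoExtractor = tokenInfoExtractor;
    }

    /** Sets the HTTP client used to fetch JWKS documents; {@code null} keeps Nimbus' default. */
    public void setRestOperations(RestOperations restOperations) {
        this.restOperations = restOperations;
    }

    /**
     * Tries online verification first and falls back to the offline key on any
     * {@link JwtException}. Note that a {@link JwtValidationException} (claim validation failed
     * with the online key) also reaches the fallback, where the same validators are applied again.
     */
    private Jwt verifyToken(JWT jwt) {
        String encodedToken = jwt.getParsedString();
        try {
            return verifyTokenOnline(encodedToken,
                    tokenInfoExtractor.getJku(jwt),
                    tokenInfoExtractor.getKid(jwt),
                    tokenInfoExtractor.getUaaDomain(jwt));
        } catch (JwtException e) {
            return tryToVerifyWithOfflineKey(encodedToken, e);
        }
    }

    /**
     * Verifies the token with a key fetched from its jku endpoint, after checking that the jku
     * lies within the trusted UAA domain.
     *
     * @throws JwtValidationException unchanged, when claim validation fails
     * @throws JwtException           for every other failure, prefixed with
     *                                {@code "JWT verification failed: "}
     */
    private Jwt verifyTokenOnline(String token, String jku, String kid, String uaaDomain) {
        try {
            canVerifyWithOnlineKey(jku, kid, uaaDomain);
            validateJKU(jku, uaaDomain);
            return verifyWithOnlineKey(token, jku, kid);
        } catch (JwtValidationException e) {
            throw e;
        } catch (JwtException e) {
            throw new JwtException("JWT verification failed: " + e.getMessage(), e);
        }
    }

    /** Fails with a message naming every missing input required for online verification. */
    private void canVerifyWithOnlineKey(String jku, String kid, String uaaDomain) {
        if (jku != null && kid != null && uaaDomain != null) {
            return;
        }
        Collection<String> missing = new ArrayList<>();
        if (jku == null) {
            missing.add(TokenClaims.CLAIM_JKU);
        }
        if (kid == null) {
            missing.add(TokenClaims.CLAIM_KID);
        }
        if (uaaDomain == null) {
            missing.add("uaadomain");
        }
        throw new JwtException(String.format("Cannot verify with online token key, %s is null",
                String.join(", ", missing)));
    }

    /**
     * Rejects a jku whose host is not the configured UAA domain or a subdomain of it.
     *
     * <p>The jku decides where the signing key is fetched from, so a token-controlled jku outside
     * the trusted domain would let the token's issuer choose its own verification key. The check is
     * done on label boundaries: {@code evilexample.com} is not inside {@code example.com}.
     *
     * @throws JwtException if the jku is not a URI, has no host, or its host is not trusted
     */
    private void validateJKU(String jku, String uaaDomain) {
        URI jkuUri;
        try {
            jkuUri = new URI(jku);
        } catch (URISyntaxException e) {
            throw new JwtException("JKU of token header is not valid", e);
        }
        String host = jkuUri.getHost();
        if (host == null) {
            throw new JwtException("JKU of token is not valid");
        }
        if (!isTrustedHost(host, uaaDomain)) {
            logger.warn("Error: Do not trust jku '{}' because it does not match uaa domain '{}'",
                    jku, uaaDomain);
            throw new JwtException("JKU of token header is not trusted");
        }
        // NOTE(review): the scheme is not checked here; a non-https jku would fetch keys over an
        // unprotected channel. Whether plain http is needed for local setups cannot be told from
        // this class, so it is only flagged.
    }

    /**
     * {@code true} when {@code host} equals {@code uaaDomain} or ends with {@code "." + uaaDomain}.
     * A leading dot in the configured domain is honoured as-is; an empty domain trusts nothing
     * (a bare {@code endsWith("")} would have trusted every host).
     */
    private static boolean isTrustedHost(String host, String uaaDomain) {
        if (uaaDomain.isEmpty()) {
            return false;
        }
        if (host.equals(uaaDomain)) {
            return true;
        }
        String domainSuffix = uaaDomain.startsWith(".") ? uaaDomain : "." + uaaDomain;
        return host.endsWith(domainSuffix);
    }

    /** Decodes with the cached JWKS decoder for this jku/kid pair, building it on first use. */
    private Jwt verifyWithOnlineKey(String token, String jku, String kid) {
        JwtDecoder decoder = cache.get(jku + kid, cacheKey -> getDecoder(jku));
        return decoder.decode(token);
    }

    /** Builds a JWKS-backed decoder for {@code jku} with the configured validators and HTTP client. */
    private JwtDecoder getDecoder(String jku) {
        NimbusJwtDecoder.JwkSetUriJwtDecoderBuilder builder = NimbusJwtDecoder.withJwkSetUri(jku);
        if (restOperations != null) {
            builder.restOperations(restOperations);
        }
        NimbusJwtDecoder decoder = builder.build();
        decoder.setJwtValidator(tokenValidators);
        return decoder;
    }

    /**
     * Verifies offline with the configured verification key; rethrows the online failure when no
     * key is configured.
     */
    private Jwt tryToVerifyWithOfflineKey(String token, JwtException onlineFailure) {
        String verificationKey = xsuaaServiceConfiguration.getVerificationKey();
        if (verificationKey == null || verificationKey.isEmpty()) {
            throw onlineFailure;
        }
        return verifyWithOfflineKey(token, verificationKey);
    }

    /**
     * Verifies the token against a PEM-encoded RSA public key.
     *
     * @throws JwtException if the key cannot be turned into an RSA public key (including malformed
     *                      Base64, which {@link Base64.Decoder} reports as
     *                      {@link IllegalArgumentException}) or verification fails
     */
    private Jwt verifyWithOfflineKey(String token, String pemEncodedKey) {
        RSAPublicKey publicKey;
        try {
            publicKey = createPublicKey(pemEncodedKey);
        } catch (NoSuchAlgorithmException | InvalidKeySpecException | IllegalArgumentException e) {
            throw new JwtException(e.getMessage(), e);
        }
        NimbusJwtDecoder decoder = NimbusJwtDecoder.withPublicKey(publicKey).build();
        decoder.setJwtValidator(tokenValidators);
        return decoder.decode(token);
    }

    /**
     * Strips the PEM armour and all whitespace so the remainder is plain Base64.
     * Line breaks inside the PEM body would otherwise make {@link Base64#getDecoder()} fail;
     * literal {@code \n} sequences are dropped as well, since they are sometimes left behind by
     * configuration round-trips and can never be part of valid Base64.
     */
    private static String convertPEMKey(String pemEncodedKey) {
        return pemEncodedKey
                .replace("-----BEGIN PUBLIC KEY-----", "")
                .replace("-----END PUBLIC KEY-----", "")
                .replace("\\n", "")
                .replaceAll("\\s", "");
    }

    /**
     * Builds an RSA public key from a PEM/X.509 SubjectPublicKeyInfo string.
     *
     * @throws IllegalArgumentException if the Base64 body is malformed
     */
    private RSAPublicKey createPublicKey(String pemEncodedKey)
            throws NoSuchAlgorithmException, InvalidKeySpecException {
        byte[] derEncodedKey = Base64.getDecoder().decode(convertPEMKey(pemEncodedKey));
        return (RSAPublicKey) KeyFactory.getInstance("RSA")
                .generatePublic(new X509EncodedKeySpec(derEncodedKey));
    }
}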
