package org.apache.nifi.web.security.jwt.converter;

import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.jwt.PlainJWT;
import java.util.Objects;
import org.apache.nifi.web.security.oidc.client.web.OidcRegistrationProperty;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
import org.springframework.security.oauth2.jwt.BadJwtException;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtDecoderFactory;
import org.springframework.security.oauth2.jwt.JwtException;

/* loaded from: input_file:org/apache/nifi/web/security/jwt/converter/StandardIssuerJwtDecoder.class */
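/**
 * JWT Decoder that selects between the application decoder and the OIDC Client Registration decoder
 * using the issuer claim of the presented token.
 *
 * <p>The issuer claim is read from the parsed token before any signature verification has taken place,
 * so it is attacker-controlled at that point. It is used only to choose a decoder and must never be
 * treated as an authenticated value. This class relies on the selected decoder to verify the signature
 * and validate the claims; that behavior is not visible here and should be confirmed where the decoders
 * are configured.
 */
public class StandardIssuerJwtDecoder implements JwtDecoder {
    private static final Logger logger = LoggerFactory.getLogger(StandardIssuerJwtDecoder.class);
    private final JwtDecoder applicationJwtDecoder;
    private final ClientRegistration clientRegistration;
    private final JwtDecoder clientRegistrationJwtDecoder;

    /**
     * Creates the decoder and, when an OIDC Client Registration is configured, the decoder for its tokens.
     *
     * @param jwtDecoder Application JWT Decoder used for tokens not attributed to the registered issuer
     * @param jwtDecoderFactory Factory for the Client Registration decoder, required only when a registration is found
     * @param clientRegistrationRepository Repository searched for the OIDC Client Registration
     * @throws NullPointerException when a required argument is null
     */
    public StandardIssuerJwtDecoder(JwtDecoder jwtDecoder, JwtDecoderFactory<ClientRegistration> jwtDecoderFactory, ClientRegistrationRepository clientRegistrationRepository) {
        this.applicationJwtDecoder = Objects.requireNonNull(jwtDecoder, "Application JWT Decoder required");
        // Fail with a named message instead of an anonymous NullPointerException on the lookup below
        Objects.requireNonNull(clientRegistrationRepository, "Client Registration Repository required");
        this.clientRegistration = clientRegistrationRepository.findByRegistrationId(OidcRegistrationProperty.REGISTRATION_ID.getProperty());
        if (this.clientRegistration == null) {
            logger.debug("OIDC Client Registration not configured for JWT Decoder");
            this.clientRegistrationJwtDecoder = null;
        } else {
            Objects.requireNonNull(jwtDecoderFactory, "JWT Decoder Factory required");
            this.clientRegistrationJwtDecoder = jwtDecoderFactory.createDecoder(this.clientRegistration);
        }
    }

    /**
     * Decodes the serialized token with the decoder matching its issuer.
     *
     * <p>Without a Client Registration the token goes directly to the application decoder. Otherwise the
     * token is parsed without verification to read the issuer claim: an exact match with the registered
     * issuer selects the Client Registration decoder and every other issuer selects the application decoder.
     *
     * @param str Serialized JSON Web Token
     * @return Decoded token returned from the selected decoder
     * @throws JwtException when the token cannot be parsed, is unsigned, has no issuer, or is rejected by the selected decoder
     */
    @Override
    public Jwt decode(String str) throws JwtException {
        if (this.clientRegistration == null) {
            return this.applicationJwtDecoder.decode(str);
        }

        // Unverified issuer: used for routing only, never as proof of origin
        final String tokenIssuer = getTokenIssuer(parse(str));
        final JwtDecoder selectedDecoder = isIssuerRegistered(tokenIssuer) ? this.clientRegistrationJwtDecoder : this.applicationJwtDecoder;
        return selectedDecoder.decode(str);
    }

    /**
     * Determines whether the token issuer is the issuer of the configured Client Registration.
     * The comparison is an exact, case-sensitive string match with no URI normalization.
     *
     * @param tokenIssuer Issuer claim read from the token
     * @return true when a registration is configured, it declares an issuer, and that issuer equals the token issuer
     */
    private boolean isIssuerRegistered(String tokenIssuer) {
        if (this.clientRegistration == null) {
            return false;
        }
        final String registeredIssuer = this.clientRegistration.getProviderDetails().getIssuerUri();
        // A registration without an issuer URI matches no token and falls through to the application decoder
        return registeredIssuer != null && registeredIssuer.equals(tokenIssuer);
    }

    /**
     * Reads the issuer claim from the parsed token.
     *
     * @param jwt Parsed and unverified token
     * @return Issuer claim, never null or empty
     * @throws BadJwtException when the claims cannot be read or the issuer claim is missing or empty
     */
    private String getTokenIssuer(JWT jwt) {
        final String issuer;
        try {
            issuer = jwt.getJWTClaimsSet().getIssuer();
        } catch (Exception e) {
            throw new BadJwtException("Token Issuer parsing failed", e);
        }
        // Checked outside the try block so the specific failure is not wrapped in the generic parsing failure
        if (issuer == null || issuer.isEmpty()) {
            throw new BadJwtException("Token Issuer claim not found");
        }
        return issuer;
    }

    /**
     * Parses the serialized token without verifying it and rejects unsigned tokens.
     *
     * @param serialized Serialized JSON Web Token
     * @return Parsed token that is not a PlainJWT
     * @throws BadJwtException when the token is null, empty, malformed, or unsigned
     */
    private JWT parse(String serialized) {
        if (serialized == null || serialized.isEmpty()) {
            throw new BadJwtException("Token not found");
        }
        final JWT parsed;
        try {
            parsed = JWTParser.parse(serialized);
        } catch (Exception e) {
            throw new BadJwtException("Token parsing failed", e);
        }
        // Rejected outside the try block so callers and logs see the unsigned-token reason directly
        if (parsed instanceof PlainJWT) {
            throw new BadJwtException("Unsigned Token not supported");
        }
        return parsed;
    }
}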
