package org.jfrog.access.token;

import com.google.common.collect.Maps;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JOSEObjectType;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.util.Base64URL;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.text.ParseException;
import java.util.Collections;
import java.util.Date;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.concurrent.Callable;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import org.jfrog.access.migration.ConfigMigrationRunner;
import org.jfrog.access.token.migration.JwtAccessTokenVersion;
import org.jfrog.access.token.migration.JwtMigratableClaims;
import org.jfrog.access.util.SecurityUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/access-common-core-2.0.1.jar:org/jfrog/access/token/JwtAccessTokenImpl.class */
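/**
 * JWT-backed {@link JwtAccessToken}. An instance wraps a claims set and, when the token was
 * signed or parsed from its serialized form, the {@link SignedJWT} and the JWS header.
 *
 * <p>Security notes for callers:
 * <ul>
 *   <li>{@link #parseTokenValue(String)} and {@link #fromJsonString(String)} only parse. No
 *       signature check happens on construction, so every getter returns unverified,
 *       sender-controlled data until {@link #verify(PublicKey)} has returned {@code true}.</li>
 *   <li>{@link #verify(PublicKey)} checks the signature only. Expiry, audience, issuer and
 *       revocation are not checked in this class and remain the caller's responsibility.</li>
 *   <li>The claims set is passed through the version migration in the constructor, i.e. before
 *       any signature check can have been made.</li>
 * </ul>
 */
public class JwtAccessTokenImpl implements JwtAccessToken {
    private static final Logger log = LoggerFactory.getLogger(JwtAccessTokenImpl.class);
    private static final String SCOPE = "scp";
    private static final String PAYLOAD = "payload";
    /** Upper bound on how much of a token-supplied value is written to the log. */
    private static final int MAX_LOGGED_VALUE_LENGTH = 64;
    private final JWTClaimsSet claimsSet;
    private final SignedJWT signedJWT;
    private final String tokenValue;
    private final JwsAccessTokenHeader jwsHeader;

    /**
     * Fluent builder for access tokens. Obtain one through {@link JwtAccessTokenImpl#builder()}
     * or {@link JwtAccessTokenImpl#builder(JwtAccessToken)}.
     */
    public static class Builder {
        private final JWTClaimsSet.Builder claimsSetBuilder;
        private final Map<String, Object> customHeaderParams;

        /** Starts an empty token whose issue time is the moment of construction. */
        private Builder() {
            this.customHeaderParams = Maps.newHashMap();
            this.claimsSetBuilder = new JWTClaimsSet.Builder().issueTime(new Date());
        }

        /**
         * Starts from a copy of an existing token: all of its claims, plus the custom header
         * parameters when it carries a JWS header.
         */
        private Builder(JwtAccessTokenImpl source) {
            this.customHeaderParams = Maps.newHashMap();
            this.claimsSetBuilder = new JWTClaimsSet.Builder(source.claimsSet);
            JwsAccessTokenHeader sourceHeader = source.getJwsHeader();
            if (sourceHeader != null) {
                this.customHeaderParams.putAll(sourceHeader.getCustomHeaderParams());
            }
        }

        /** Sets the token id claim. */
        public Builder tokenId(String str) {
            this.claimsSetBuilder.jwtID(str);
            return this;
        }

        /** Sets the audience claim. */
        public Builder audience(List<String> list) {
            this.claimsSetBuilder.audience(list);
            return this;
        }

        /** Sets the issuer claim. */
        public Builder issuer(String str) {
            this.claimsSetBuilder.issuer(str);
            return this;
        }

        /** Sets the subject claim. */
        public Builder subject(String str) {
            this.claimsSetBuilder.subject(str);
            return this;
        }

        /**
         * Sets the scope claim ({@code "scp"}) to the space-joined scope tokens. A null or empty
         * list is stored as the empty string.
         */
        public Builder scope(List<String> list) {
            this.claimsSetBuilder.claim(SCOPE, scopeToStringClaim(list));
            return this;
        }

        /** Validates the scope tokens and joins them with single spaces. */
        private String scopeToStringClaim(List<String> list) {
            if (list == null || list.isEmpty()) {
                return "";
            }
            // Validation runs before joining; the separator used by the parser is the space.
            JwtAccessToken.requireValidScopeFormat(list);
            return String.join(" ", list);
        }

        /** Sets the free-form payload claim. */
        public Builder payload(String str) {
            this.claimsSetBuilder.claim(PAYLOAD, str);
            return this;
        }

        /** Sets the issue time from epoch milliseconds. */
        public Builder issuedAt(long j) {
            this.claimsSetBuilder.issueTime(new Date(j));
            return this;
        }

        /** Sets the expiration time from epoch milliseconds. */
        public Builder expiry(long j) {
            this.claimsSetBuilder.expirationTime(new Date(j));
            return this;
        }

        /**
         * Adds a custom JWS header parameter. It is only used by
         * {@link #buildAndSign(PrivateKey, Certificate)}; {@link #build()} has no header.
         *
         * @throws NullPointerException if the key is null
         */
        public Builder customHeaderParam(@Nonnull String str, @Nullable Object obj) {
            this.customHeaderParams.put(Objects.requireNonNull(str, "custom header key is required"), obj);
            return this;
        }

        /** Builds an unsigned token: no JWS header, no serialized value, not verifiable. */
        public JwtAccessToken build() {
            return new JwtAccessTokenImpl(this.claimsSetBuilder.build(), null, null);
        }

        /**
         * Builds the token and signs it with the algorithm of {@code getSigningTools()}.
         * The key id is the base64url SHA-256 thumbprint of {@code certificate}, and the
         * {@code "ver"} header is set to the current token version after the custom
         * parameters have been applied.
         *
         * @throws NullPointerException if either argument is null
         * @throws RuntimeException if signing fails
         */
        public JwtAccessToken buildAndSign(@Nonnull PrivateKey privateKey, @Nonnull Certificate certificate) {
            Objects.requireNonNull(privateKey, "privateKey");
            Objects.requireNonNull(certificate, "certificate");
            JWTClaimsSet claims = this.claimsSetBuilder.build();
            JWSSigningTools signingTools = getSigningTools();
            String keyId = Base64URL.encode(SecurityUtils.calcSha256ThumbprintBytes(certificate)).toString();
            // Hand over a copy so the header builder never shares this builder's map.
            JWSHeader header = new JWSHeader.Builder(signingTools.getAlgorithm())
                    .type(JOSEObjectType.JWT)
                    .keyID(keyId)
                    .customParams(Maps.newHashMap(this.customHeaderParams))
                    .customParam("ver", JwtAccessTokenVersion.current().getVersionString())
                    .build();
            SignedJWT signedJWT = new SignedJWT(header, claims);
            try {
                signedJWT.sign(signingTools.createSigner(privateKey));
                return new JwtAccessTokenImpl(claims, signedJWT, signedJWT.serialize());
            } catch (JOSEException e) {
                throw new RuntimeException("Failed to sign JWT token.", e);
            }
        }
    }

    /**
     * @param jWTClaimsSet claims as parsed or built; migrated to the current version here
     * @param signedJWT the signed form, or null for an unsigned token
     * @param str the serialized token value, or null for an unsigned token
     */
    private JwtAccessTokenImpl(JWTClaimsSet jWTClaimsSet, SignedJWT signedJWT, String str) {
        this.signedJWT = signedJWT;
        this.tokenValue = str;
        this.jwsHeader = signedJWT == null ? null : new JwsAccessTokenHeaderImpl(signedJWT.getHeader());
        // The header must be set first: the migration reads the token version from it.
        this.claimsSet = migrateClaimsSet(jWTClaimsSet, this.jwsHeader);
    }

    /**
     * Runs the claims through the version migration. The source version comes from the JWS
     * header; without a header, or when the version string is not recognised, the claims are
     * treated as being of the current version.
     */
    private JWTClaimsSet migrateClaimsSet(JWTClaimsSet jWTClaimsSet, JwsAccessTokenHeader jwsAccessTokenHeader) {
        JwtAccessTokenVersion version = JwtAccessTokenVersion.current();
        if (jwsAccessTokenHeader != null) {
            try {
                version = JwtAccessTokenVersion.fromVersionString(jwsAccessTokenHeader.getVersion());
            } catch (Exception e) {
                // The version comes from the header of a token that has not been verified yet,
                // so it is neutralised and length-capped before it reaches the log.
                String loggedVersion = sanitizeForLog(jwsAccessTokenHeader.getVersion());
                log.warn("Could not identify access token version '{}', handling as current version: '{}'", loggedVersion, version.getVersionString());
                log.debug("Could not identify access token version '{}'", loggedVersion, e);
            }
        }
        JwtMigratableClaims migratable = new JwtMigratableClaims(jWTClaimsSet, version);
        new ConfigMigrationRunner(false).migrateIfNeeded(migratable);
        return migratable.getClaimsSetBuilder().build();
    }

    /** Replaces control characters and line separators and caps the length of a logged value. */
    private static String sanitizeForLog(Object value) {
        String text = String.valueOf(value);
        if (text.length() > MAX_LOGGED_VALUE_LENGTH) {
            text = text.substring(0, MAX_LOGGED_VALUE_LENGTH) + "...";
        }
        return text.replaceAll("[\\p{Cntrl}\\u2028\\u2029]", "_");
    }

    // NOTE(review): the getters below are annotated @Nonnull but return the claim exactly as
    // stored; a parsed token that lacks the claim presumably yields null. Confirm against callers.

    @Override // org.jfrog.access.token.JwtAccessToken
    @Nonnull
    public String getTokenId() {
        return this.claimsSet.getJWTID();
    }

    /** Returns the audience as an unmodifiable list, empty when the claim is absent. */
    @Override // org.jfrog.access.token.JwtAccessToken
    @Nonnull
    public List<String> getAudience() {
        List<String> audience = this.claimsSet.getAudience();
        if (audience == null) {
            return Collections.emptyList();
        }
        return Collections.unmodifiableList(audience);
    }

    @Override // org.jfrog.access.token.JwtAccessToken
    @Nonnull
    public String getIssuer() {
        return this.claimsSet.getIssuer();
    }

    /** Returns the expiry in epoch milliseconds, or null when the token has no expiration time. */
    @Override // org.jfrog.access.token.JwtAccessToken
    public Long getExpiry() {
        Date expirationTime = this.claimsSet.getExpirationTime();
        return expirationTime == null ? null : Long.valueOf(expirationTime.getTime());
    }

    @Override // org.jfrog.access.token.JwtAccessToken
    @Nonnull
    public String getSubject() {
        return this.claimsSet.getSubject();
    }

    /**
     * Returns the scope tokens parsed from the {@code "scp"} claim.
     *
     * @throws RuntimeException if the claim is present but is not a string
     */
    @Override // org.jfrog.access.token.JwtAccessToken
    @Nonnull
    public List<String> getScope() {
        return wrapException(() -> parseScopeClaim(this.claimsSet.getStringClaim(SCOPE)));
    }

    /** Splits the scope claim on single spaces; a missing claim gives an empty list. */
    @Nonnull
    private List<String> parseScopeClaim(String str) {
        if (str == null) {
            return Collections.emptyList();
        }
        // NOTE(review): an empty claim (what Builder.scope stores for an empty list) splits to a
        // one-element list holding "", not to an empty list. Left as is because authorization
        // checks in callers may depend on it; confirm before normalising.
        return Stream.of(str.split(" ")).collect(Collectors.toList());
    }

    /**
     * Returns the payload claim, or null when absent.
     *
     * @throws RuntimeException if the claim is present but is not a string
     */
    @Override // org.jfrog.access.token.JwtAccessToken
    public String getPayload() {
        return wrapException(() -> this.claimsSet.getStringClaim(PAYLOAD));
    }

    /**
     * Returns the issue time in epoch milliseconds.
     *
     * @throws NullPointerException if the claims set has no issue time, which a parsed token
     *         can lack since parsing does not require it
     */
    @Override // org.jfrog.access.token.JwtAccessToken
    public long getIssuedAt() {
        return this.claimsSet.getIssueTime().getTime();
    }

    /** Returns the serialized signed token, or null for an unsigned token. This is a bearer secret. */
    @Override // org.jfrog.access.token.JwtAccessToken, org.jfrog.access.token.AccessToken
    public String getTokenValue() {
        return this.tokenValue;
    }

    /**
     * Checks the token signature against {@code publicKey}. Only the signature is checked:
     * expiry, audience and issuer are not looked at here.
     *
     * @return true when the signature is valid for the given key
     * @throws IllegalStateException if the token is unsigned
     * @throws RuntimeException if the verifier cannot process the token
     */
    @Override // org.jfrog.access.token.JwtAccessToken
    public boolean verify(PublicKey publicKey) {
        if (this.signedJWT == null) {
            throw new IllegalStateException("The token is not signed.");
        }
        try {
            // NOTE(review): which header algorithms are accepted is decided by the verifier that
            // getSigningTools() creates; confirm it is limited to the algorithm used for signing.
            return this.signedJWT.verify(getSigningTools().createVerifier(publicKey));
        } catch (JOSEException e) {
            throw new RuntimeException("Failed to verify signed access token.", e);
        }
    }

    /** Tells whether a signed form is attached; it does not say the signature was verified. */
    @Override // org.jfrog.access.token.JwtAccessToken
    public boolean isSigned() {
        return this.signedJWT != null;
    }

    @Override // org.jfrog.access.token.JwtAccessToken
    @Nullable
    public JwsAccessTokenHeader getJwsHeader() {
        return this.jwsHeader;
    }

    /** Returns the claims as JSON; the serialized token value is not part of it. */
    @Override
    public String toString() {
        return toJsonString();
    }

    /** Serializes the (migrated) claims set to a JSON string. */
    @Override // org.jfrog.access.token.JwtAccessToken
    public String toJsonString() {
        return this.claimsSet.toJSONObject().toJSONString();
    }

    /**
     * Builds an unsigned token from a claims JSON document.
     *
     * @throws IllegalArgumentException if the JSON cannot be parsed as a claims set
     */
    public static JwtAccessToken fromJsonString(String str) {
        try {
            return new JwtAccessTokenImpl(JWTClaimsSet.parse(str), null, null);
        } catch (ParseException e) {
            throw new IllegalArgumentException("Failed to parse json", e);
        }
    }

    /**
     * Parses a serialized signed token. The signature is NOT verified here; call
     * {@link #verify(PublicKey)} before trusting any claim of the returned token.
     *
     * @throws IllegalArgumentException if the value is not a parsable signed JWT
     */
    @Nonnull
    public static JwtAccessToken parseTokenValue(String str) {
        try {
            SignedJWT parsed = SignedJWT.parse(str);
            return new JwtAccessTokenImpl(parsed.getJWTClaimsSet(), parsed, str);
        } catch (ParseException e) {
            throw new IllegalArgumentException("Failed to parse token.", e);
        }
    }

    /** Returns a builder for a new token, issued now. */
    public static Builder builder() {
        return new Builder();
    }

    /**
     * Returns a builder pre-filled from {@code jwtAccessToken}. The listing this was taken from
     * ignored the argument and returned an empty builder, leaving the copy constructor unused.
     * Every claim is copied, token id and expiry included, so override the ones a derived token
     * must not inherit.
     *
     * @throws IllegalArgumentException if the token is null or not a {@code JwtAccessTokenImpl}
     */
    public static Builder builder(JwtAccessToken jwtAccessToken) {
        if (jwtAccessToken instanceof JwtAccessTokenImpl) {
            return new Builder((JwtAccessTokenImpl) jwtAccessToken);
        }
        throw new IllegalArgumentException("Unsupported access token implementation: "
                + (jwtAccessToken == null ? "null" : jwtAccessToken.getClass().getName()));
    }

    /** The single signing configuration used for both signing and verification. */
    @Nonnull
    private static JWSSigningTools getSigningTools() {
        return JWSSigningTools.RS256;
    }

    /** Runs {@code callable} and rethrows any failure as a RuntimeException that keeps the cause. */
    private static <V> V wrapException(Callable<V> callable) {
        try {
            return callable.call();
        } catch (Exception e) {
            throw new RuntimeException(e.getMessage(), e);
        }
    }
}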
