package org.springframework.boot.actuate.autoconfigure.cloudfoundry.servlet;

import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.springframework.boot.actuate.autoconfigure.cloudfoundry.CloudFoundryAuthorizationException;
import org.springframework.boot.actuate.autoconfigure.cloudfoundry.Token;

/* loaded from: input_file:BOOT-INF/lib/spring-boot-actuator-autoconfigure-3.3.0.jar:org/springframework/boot/actuate/autoconfigure/cloudfoundry/servlet/TokenValidator.class */
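/**
 * Validates a UAA-issued JWT presented to a Cloud Foundry-exposed actuator endpoint.
 *
 * <p>Checks run in a fixed order: signing algorithm, key id + RSA signature, expiry,
 * issuer, and finally the {@code actuator.read} scope. Every failure is reported as a
 * {@link CloudFoundryAuthorizationException} carrying the matching {@code Reason}.
 *
 * <p>Recovered from a decompiled (JADX) class; the constructor and {@link #validate(Token)}
 * were package-private in the original source and the decompiler widened them to public.
 */
class TokenValidator {
    private static final String BEGIN_PUBLIC_KEY = "-----BEGIN PUBLIC KEY-----";
    private static final String END_PUBLIC_KEY = "-----END PUBLIC KEY-----";

    private final CloudFoundrySecurityService securityService;

    /**
     * Lazily fetched cache of UAA verification keys (key id -> PEM-encoded public key).
     * Declared volatile because the cache is replaced wholesale on refetch and this
     * validator is presumably shared by concurrent requests (TODO confirm bean scope);
     * readers take a local snapshot instead of re-reading the field.
     */
    private volatile Map<String, String> tokenKeys;

    /* Package-private in the original source (JADX widened it to public). */
    public TokenValidator(CloudFoundrySecurityService cloudFoundrySecurityService) {
        this.securityService = cloudFoundrySecurityService;
    }

    /**
     * Runs all checks against {@code token}; returns normally only if every check passes.
     *
     * @param token the parsed bearer token
     * @throws CloudFoundryAuthorizationException on the first failing check
     */
    public void validate(Token token) {
        validateAlgorithm(token);
        validateKeyIdAndSignature(token);
        validateExpiry(token);
        validateIssuer(token);
        validateAudience(token);
    }

    /**
     * Only RS256 is accepted. Pinning the algorithm before looking at the key stops
     * "alg" confusion (e.g. {@code none} or an HMAC alg keyed with the public key).
     */
    private void validateAlgorithm(Token token) {
        String signatureAlgorithm = token.getSignatureAlgorithm();
        if (signatureAlgorithm == null) {
            throw new CloudFoundryAuthorizationException(CloudFoundryAuthorizationException.Reason.INVALID_SIGNATURE, "Signing algorithm cannot be null");
        }
        if (!signatureAlgorithm.equals(AlgorithmIdentifiers.RSA_USING_SHA256)) {
            throw new CloudFoundryAuthorizationException(CloudFoundryAuthorizationException.Reason.UNSUPPORTED_TOKEN_SIGNING_ALGORITHM, "Signing algorithm " + signatureAlgorithm + " not supported");
        }
    }

    /**
     * Resolves the token's {@code kid} against the cached UAA keys (refetching once if it
     * is unknown) and verifies the RSA signature with the matching key.
     */
    private void validateKeyIdAndSignature(Token token) {
        String keyId = token.getKeyId();
        // A token without a kid can never match a published key; reject it before
        // touching the cache so it cannot trigger a key refetch (and so a map
        // implementation that rejects null keys cannot throw from containsKey).
        if (keyId == null) {
            throw new CloudFoundryAuthorizationException(CloudFoundryAuthorizationException.Reason.INVALID_KEY_ID, "Key Id present in token header does not match");
        }
        // Work on a snapshot: re-reading this.tokenKeys between the containsKey check
        // and the get could observe a map swapped in by another thread, handing a
        // null key to getPublicKey and escaping as a NullPointerException.
        Map<String, String> keys = this.tokenKeys;
        if (keys == null || !hasValidKeyId(keys, keyId)) {
            // NOTE(review): any unauthenticated request carrying an unknown kid forces
            // an outbound fetch from the UAA, and nothing here throttles it — an
            // amplification/DoS vector to rate-limit in the security service.
            keys = this.securityService.fetchTokenKeys();
            this.tokenKeys = keys;
            if (!hasValidKeyId(keys, keyId)) {
                throw new CloudFoundryAuthorizationException(CloudFoundryAuthorizationException.Reason.INVALID_KEY_ID, "Key Id present in token header does not match");
            }
        }
        if (!hasValidSignature(token, keys.get(keyId))) {
            throw new CloudFoundryAuthorizationException(CloudFoundryAuthorizationException.Reason.INVALID_SIGNATURE, "RSA Signature did not match content");
        }
    }

    /** True if {@code keys} publishes a key under {@code keyId}. */
    private boolean hasValidKeyId(Map<String, String> keys, String keyId) {
        return keys.containsKey(keyId);
    }

    /**
     * Verifies {@code token}'s signature over its content with the PEM key {@code pem}.
     * Any {@link GeneralSecurityException} (bad key spec, verification error) is
     * treated as "signature invalid" rather than propagated.
     */
    private boolean hasValidSignature(Token token, String pem) {
        try {
            PublicKey publicKey = getPublicKey(pem);
            Signature signature = Signature.getInstance("SHA256withRSA");
            signature.initVerify(publicKey);
            signature.update(token.getContent());
            return signature.verify(token.getSignature());
        } catch (GeneralSecurityException ignored) {
            // Deliberate: verification problems must read as "invalid", never as success.
            return false;
        }
    }

    /**
     * Parses a PEM "PUBLIC KEY" (X.509 SubjectPublicKeyInfo) string into an RSA key.
     *
     * @throws NoSuchAlgorithmException if no RSA KeyFactory is available
     * @throws InvalidKeySpecException  if the DER body is not a valid RSA public key
     */
    private PublicKey getPublicKey(String pem) throws NoSuchAlgorithmException, InvalidKeySpecException {
        // Strip the PEM armour and all whitespace. The previous version removed only
        // "\n", so a CRLF-encoded key (header followed by "\r\n") left a stray '\r'
        // in the Base64 body and failed to decode.
        String body = pem.replace(BEGIN_PUBLIC_KEY, "")
                .replace(END_PUBLIC_KEY, "")
                .replaceAll("\\s+", "");
        // Base64 decoding throws IllegalArgumentException (not a GeneralSecurityException)
        // on a malformed body, so a corrupt key published by the UAA surfaces as a server
        // error rather than an authorization failure. The key string is not attacker
        // controlled: it is looked up by kid from the fetched key set.
        byte[] der = Base64.getDecoder().decode(body);
        return KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(der));
    }

    /**
     * Rejects a token whose {@code exp} (seconds since epoch) lies in the past.
     * Only {@code exp} is enforced here; nothing in this class checks {@code nbf}/{@code iat}
     * and no clock-skew allowance is applied.
     */
    private void validateExpiry(Token token) {
        long nowSeconds = TimeUnit.MILLISECONDS.toSeconds(System.currentTimeMillis());
        if (nowSeconds > token.getExpiry()) {
            throw new CloudFoundryAuthorizationException(CloudFoundryAuthorizationException.Reason.TOKEN_EXPIRED, "Token expired");
        }
    }

    /** The issuer must exactly equal {@code <uaaUrl>/oauth/token}. */
    private void validateIssuer(Token token) {
        String uaaUrl = this.securityService.getUaaUrl();
        String expectedIssuer = String.format("%s/oauth/token", uaaUrl);
        if (!expectedIssuer.equals(token.getIssuer())) {
            throw new CloudFoundryAuthorizationException(CloudFoundryAuthorizationException.Reason.INVALID_ISSUER, "Token issuer does not match " + uaaUrl + "/oauth/token");
        }
    }

    /**
     * Despite the name and the {@code INVALID_AUDIENCE} reason, this inspects the token's
     * scope list, not the {@code aud} claim: the token must carry {@code actuator.read}.
     */
    private void validateAudience(Token token) {
        if (!token.getScope().contains("actuator.read")) {
            throw new CloudFoundryAuthorizationException(CloudFoundryAuthorizationException.Reason.INVALID_AUDIENCE, "Token does not have audience actuator");
        }
    }
}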
