package de.taimos.dvalin.jaxrs.security.jwt.cognito;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import de.taimos.daemon.spring.conditional.OnSystemProperty;
import de.taimos.dvalin.jaxrs.JaxRsComponent;
import de.taimos.dvalin.jaxrs.security.jwt.IJWTAuth;
import de.taimos.httputils.HTTPResponse;
import de.taimos.httputils.WS;
import java.util.Date;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import javax.annotation.PostConstruct;
import net.minidev.json.JSONArray;
import net.minidev.json.JSONObject;
import net.minidev.json.parser.JSONParser;
import net.minidev.json.parser.ParseException;
import org.springframework.beans.factory.BeanInitializationException;
import org.springframework.beans.factory.annotation.Value;

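/**
 * Validates JWTs issued by an AWS Cognito user pool.
 *
 * <p>On startup the pool's public signing keys are fetched from the issuer's
 * {@code /.well-known/jwks.json} endpoint (over HTTPS). {@link #validateToken(String)}
 * then checks issuer, {@code token_use}, RSA signature (looked up by {@code kid})
 * and the {@code exp}/{@code nbf} time claims before mapping the claims to a
 * {@link CognitoUser}.
 *
 * <p>Activated only when the system property {@code jwtauth.cognito.poolid} is set.
 */
@JaxRsComponent
@OnSystemProperty(propertyName = "jwtauth.cognito.poolid")
/* loaded from: input_file:de/taimos/dvalin/jaxrs/security/jwt/cognito/CognitoJWTAuth.class */
public class CognitoJWTAuth implements IJWTAuth {

    /** Cognito user-pool id; forms the last path segment of the issuer URL. */
    @Value("${jwtauth.cognito.poolid}")
    private String cognitoPoolId;

    /** AWS region hosting the pool; forms part of the issuer host name. */
    @Value("${jwtauth.cognito.region}")
    private String cognitoPoolRegion;

    /** Name of the claim carrying the user's roles; defaults to Cognito's {@code cognito:groups}. */
    @Value("${jwtauth.cognito.roles:cognito:groups}")
    private String cognitoRoles;

    /** Expected value of the {@code iss} claim, derived in {@link #init()} from region and pool id. */
    private String issuer;

    /**
     * Pool signing keys keyed by {@code kid}. Populated once in {@link #init()} and only read
     * afterwards, so no synchronization is needed. Keys rotated by Cognito after startup are
     * not picked up: their {@code kid} is unknown and such tokens are rejected until restart.
     */
    private final Map<String, RSAKey> webKeys = new HashMap<>();

    /**
     * Builds the issuer URL and loads the pool's RSA public keys from its JWKS endpoint.
     *
     * @throws BeanInitializationException if the JWKS document cannot be fetched or parsed,
     *         is not shaped as {@code {"keys": [...]}}, or yields no usable RSA key
     *         (fail fast: with an empty key set every token would be rejected)
     */
    @PostConstruct
    public void init() {
        this.issuer = "https://cognito-idp." + this.cognitoPoolRegion + ".amazonaws.com/" + this.cognitoPoolId;
        String jwksUrl = this.issuer + "/.well-known/jwks.json";
        // HTTPResponse is closed by try-with-resources; close() declares no checked exception
        // (the original handler only catches the two ParseException types).
        try (HTTPResponse response = WS.url(jwksUrl).accept("application/json").get()) {
            // -1 is json-smart's permissive parsing mode, as in the original implementation.
            Object document = new JSONParser(-1).parse(response.getResponseAsBytes());
            if (!(document instanceof JSONObject)) {
                throw new BeanInitializationException("JWKS document from " + jwksUrl + " is not a JSON object");
            }
            Object keys = ((JSONObject) document).get("keys");
            if (!(keys instanceof JSONArray)) {
                throw new BeanInitializationException("JWKS document from " + jwksUrl + " has no \"keys\" array");
            }
            for (Object entry : (JSONArray) keys) {
                if (!(entry instanceof JSONObject)) {
                    throw new BeanInitializationException("JWKS document from " + jwksUrl + " contains a malformed key entry");
                }
                JSONObject jwk = (JSONObject) entry;
                // Only RSA keys can back an RSASSAVerifier; tolerate other key types instead of
                // failing startup on them (RSAKey.parse would throw for a non-RSA "kty").
                if (!"RSA".equals(jwk.get("kty"))) {
                    continue;
                }
                RSAKey key = RSAKey.parse(jwk);
                // A key without "kid" can never be selected by a token header, so it is useless here.
                if (key.getKeyID() != null) {
                    this.webKeys.put(key.getKeyID(), key);
                }
            }
        } catch (ParseException | java.text.ParseException e) {
            throw new BeanInitializationException("Cannot load secrets from WS Cognito User Pool", e);
        }
        if (this.webKeys.isEmpty()) {
            throw new BeanInitializationException("JWKS document from " + jwksUrl + " contains no RSA key with a kid");
        }
    }

    /**
     * Parses and validates a compact-serialized signed JWT from this pool.
     *
     * <p>Checks, in order: {@code iss} equals the configured issuer, {@code token_use} is
     * {@code access} or {@code id}, the header {@code kid} names a known pool key, the RSA
     * signature verifies with that key, and the token is within its {@code nbf}/{@code exp}
     * window. Claims are read before the signature is checked, so until
     * {@code verify} succeeds they may be forged; they are only ever used to reject, never to
     * grant anything.
     *
     * @param str compact serialization of the signed JWT
     * @return the user described by the verified claims, or {@code null} if the signature
     *         does not verify or the token is expired / not yet valid
     * @throws java.text.ParseException if {@code str} is not a parseable signed JWT
     * @throws IllegalArgumentException on wrong issuer, wrong {@code token_use}, unknown
     *         {@code kid}, or a verifier failure
     */
    @Override // de.taimos.dvalin.jaxrs.security.jwt.IJWTAuth
    public CognitoUser validateToken(String str) throws java.text.ParseException {
        SignedJWT jwt = SignedJWT.parse(str);
        JWTClaimsSet claims = jwt.getJWTClaimsSet();

        // Compare with the trusted value on the left: a missing "iss" must be rejected, not NPE.
        String claimedIssuer = claims.getIssuer();
        if (!this.issuer.equals(claimedIssuer)) {
            throw new IllegalArgumentException("Invalid issuer for JWT: " + claimedIssuer);
        }
        String tokenUse = claims.getStringClaim("token_use");
        if (!"access".equals(tokenUse) && !"id".equals(tokenUse)) {
            throw new IllegalArgumentException("Invalid token usage type: " + tokenUse);
        }
        // NOTE(review): neither "aud" (id tokens) nor "client_id" (access tokens) is checked,
        // so a token minted for any app client of this pool is accepted here — confirm intended.

        // The key is selected solely by the header "kid" from the JWKS fetched at startup;
        // RSASSAVerifier rejects any non-RSA "alg", so "none"/HMAC confusion is not possible.
        String keyId = jwt.getHeader().getKeyID();
        RSAKey key = keyId == null ? null : this.webKeys.get(keyId);
        if (key == null) {
            throw new IllegalArgumentException("No key for kid: " + keyId);
        }
        try {
            if (!jwt.verify(new RSASSAVerifier(key))) {
                return null;
            }
        } catch (JOSEException e) {
            throw new IllegalArgumentException("Cannot verify JWT", e);
        }

        // From here on the claims are authenticated. A token without "exp" is rejected instead
        // of being treated as never-expiring (and instead of NPE-ing); no clock skew allowance.
        Date now = new Date();
        Date expiresAt = claims.getExpirationTime();
        if (expiresAt == null || !expiresAt.after(now)) {
            return null;
        }
        Date notBefore = claims.getNotBeforeTime();
        if (notBefore != null && notBefore.after(now)) {
            return null;
        }
        return CognitoUser.parseClaims(claims, this.cognitoRoles);
    }
}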
