package pl.edu.icm.unity.rest.jwt.authn;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jwt.JWTClaimsSet;
import eu.unicore.util.configuration.ConfigurationException;
import java.io.CharArrayWriter;
import java.io.IOException;
import java.io.StringReader;
import java.text.ParseException;
import java.util.List;
import java.util.Properties;
import org.springframework.beans.factory.ObjectFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;
import pl.edu.icm.unity.engine.api.PKIManagement;
import pl.edu.icm.unity.engine.api.authn.AbstractCredentialVerificatorFactory;
import pl.edu.icm.unity.engine.api.authn.AbstractVerificator;
import pl.edu.icm.unity.engine.api.authn.AuthenticatedEntity;
import pl.edu.icm.unity.engine.api.authn.AuthenticationException;
import pl.edu.icm.unity.engine.api.authn.AuthenticationResult;
import pl.edu.icm.unity.engine.api.authn.CredentialVerificator;
import pl.edu.icm.unity.engine.api.authn.InvocationContext;
import pl.edu.icm.unity.engine.api.utils.PrototypeComponent;
import pl.edu.icm.unity.exceptions.EngineException;
import pl.edu.icm.unity.exceptions.InternalException;
import pl.edu.icm.unity.rest.jwt.JWTAuthenticationProperties;
import pl.edu.icm.unity.rest.jwt.JWTUtils;

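/**
 * Credential verificator that authenticates a caller presenting a JWT.
 * <p>
 * The token is parsed and validated by {@link JWTUtils#parseAndValidate} against the signing
 * credential named by the {@link JWTAuthenticationProperties#SIGNING_CREDENTIAL} setting
 * (which checks the library applies beyond that — signature, expiry — is not visible here and
 * should be confirmed in {@code JWTUtils}). On top of that this class requires the token to
 * carry exactly one audience whose suffix after the last {@code '#'} equals the realm of the
 * endpoint handling the request, and resolves the token subject to a persistent identity.
 * <p>
 * Configuration is supplied as serialized {@link Properties} via
 * {@link #setSerializedConfiguration(String)}; it must be set before
 * {@link #checkJWT(String)} or {@link #getSerializedConfiguration()} are called, otherwise
 * those methods fail with a {@link NullPointerException}.
 */
@PrototypeComponent
public class JWTVerificator extends AbstractVerificator implements JWTExchange {
    public static final String NAME = "jwt";
    public static final String DESC = "Verifies JWT";
    /** Identity types the token subject is resolved against. */
    private static final String[] IDENTITY_TYPES = {"persistent"};
    /** Separates the audience's base part from the realm name expected at its end. */
    private static final char REALM_SEPARATOR = '#';
    private final PKIManagement pkiManagement;
    private JWTAuthenticationProperties config;

    /** Spring factory registering this verificator under {@link #NAME}. */
    @Component
    public static class Factory extends AbstractCredentialVerificatorFactory {
        @Autowired
        public Factory(ObjectFactory<JWTVerificator> objectFactory) throws EngineException {
            super(JWTVerificator.NAME, JWTVerificator.DESC, objectFactory);
        }
    }

    /**
     * @param pKIManagement source of the signing credential used to validate tokens
     */
    @Autowired
    public JWTVerificator(PKIManagement pKIManagement) {
        super(NAME, DESC, JWTExchange.ID);
        this.pkiManagement = pKIManagement;
    }

    /**
     * Serializes the current configuration in {@link Properties} store format.
     *
     * @return the configuration as a properties string
     * @throws IllegalStateException if the properties cannot be written (not expected for an
     *     in-memory writer); note the declared {@link InternalException} is never thrown here
     */
    @Override
    public String getSerializedConfiguration() throws InternalException {
        CharArrayWriter writer = new CharArrayWriter();
        try {
            this.config.getProperties().store(writer, "");
            return writer.toString();
        } catch (IOException e) {
            throw new IllegalStateException("Can not serialize JWT verificator's configuration", e);
        }
    }

    /**
     * Loads the configuration from a {@link Properties} string.
     *
     * @param str configuration in properties format
     * @throws ConfigurationException if the text cannot be parsed or the resulting properties
     *     are rejected by {@link JWTAuthenticationProperties}; any failure is wrapped so the
     *     caller sees a single exception type
     */
    @Override
    public void setSerializedConfiguration(String str) throws InternalException {
        Properties properties = new Properties();
        try {
            properties.load(new StringReader(str));
            this.config = new JWTAuthenticationProperties(properties);
        } catch (Exception e) {
            throw new ConfigurationException("Can't initialize the JWT verificator's configuration", e);
        }
    }

    /**
     * Validates a JWT and resolves its subject to an authenticated entity.
     * <p>
     * Besides the signature validation delegated to {@link JWTUtils}, the token is accepted only
     * if it has exactly one audience and that audience ends with {@code '#'} followed by the
     * realm of the current endpoint, which binds the token to the endpoint it was issued for.
     *
     * @param str the serialized JWT
     * @return a successful result carrying the resolved entity
     * @throws AuthenticationException if the token cannot be parsed, fails validation, or its
     *     audience/realm does not match the endpoint
     * @throws EngineException if identity resolution fails
     */
    @Override // pl.edu.icm.unity.rest.jwt.authn.JWTExchange
    public AuthenticationResult checkJWT(String str) throws EngineException {
        try {
            JWTClaimsSet claims = JWTUtils.parseAndValidate(str,
                    this.pkiManagement.getCredential(
                            this.config.getValue(JWTAuthenticationProperties.SIGNING_CREDENTIAL)));
            String endpointRealm = InvocationContext.safeGetRealm();
            List<String> audience = claims.getAudience();
            // An absent claim may surface as an empty list or, depending on the library
            // version, null; both are an authentication failure, not a server error.
            if (audience == null || audience.size() != 1) {
                throw new AuthenticationException("Invalid audiences specification: must have exactly one audience");
            }
            String audienceValue = audience.get(0);
            int separatorAt = audienceValue.lastIndexOf(REALM_SEPARATOR);
            if (separatorAt < 0) {
                throw new AuthenticationException("Invalid audience specification: no realm specification");
            }
            String tokenRealm = audienceValue.substring(separatorAt + 1);
            // A null endpoint realm (no realm in the invocation context) never matches.
            if (!tokenRealm.equals(endpointRealm)) {
                throw new AuthenticationException("Token's realm '" + tokenRealm
                        + "' is different from the endpoint's realm: " + endpointRealm);
            }
            String subject = claims.getSubject();
            long entityId = this.identityResolver
                    .resolveIdentity(subject, IDENTITY_TYPES, (String) null)
                    .getEntityId();
            return new AuthenticationResult(AuthenticationResult.Status.success,
                    new AuthenticatedEntity(Long.valueOf(entityId), subject, (String) null));
        } catch (ParseException | JOSEException e) {
            throw new AuthenticationException("Token is invalid", e);
        }
    }

    /** @return {@code Remote}: the credential is verified against an externally issued token */
    @Override
    public CredentialVerificator.VerificatorType getType() {
        return CredentialVerificator.VerificatorType.Remote;
    }
}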
