package org.apache.cxf.rs.security.jose.jaxrs;

import java.io.IOException;
import java.util.logging.Logger;
import javax.annotation.Priority;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
import org.apache.cxf.common.logging.LogUtils;
import org.apache.cxf.jaxrs.utils.JAXRSUtils;
import org.apache.cxf.message.MessageUtils;
import org.apache.cxf.rs.security.jose.common.JoseConstants;
import org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm;
import org.apache.cxf.rs.security.jose.jwt.JoseJwtConsumer;
import org.apache.cxf.rs.security.jose.jwt.JwtToken;
import org.apache.cxf.rs.security.jose.jwt.JwtUtils;
import org.apache.cxf.security.SecurityContext;

@Priority(1000)
@PreMatching
/* loaded from: input_file:org/apache/cxf/rs/security/jose/jaxrs/AbstractJwtAuthenticationFilter.class */
public abstract class AbstractJwtAuthenticationFilter extends JoseJwtConsumer implements ContainerRequestFilter {
    protected static final Logger LOG = LogUtils.getL7dLogger(AbstractJwtAuthenticationFilter.class);
    private String roleClaim;
    private boolean validateAudience = true;

    @Override // javax.ws.rs.container.ContainerRequestFilter
    public void filter(ContainerRequestContext containerRequestContext) throws IOException {
        SecurityContext configureSecurityContext = configureSecurityContext(super.getJwtToken(getEncodedJwtToken(containerRequestContext)));
        if (configureSecurityContext != null) {
            JAXRSUtils.getCurrentMessage().put((Class<Class>) SecurityContext.class, (Class) configureSecurityContext);
        }
    }

    protected abstract String getEncodedJwtToken(ContainerRequestContext containerRequestContext);

    protected SecurityContext configureSecurityContext(JwtToken jwtToken) {
        boolean contextualBoolean = MessageUtils.getContextualBoolean(JAXRSUtils.getCurrentMessage(), JoseConstants.ENABLE_UNSIGNED_JWT_PRINCIPAL, false);
        if (jwtToken.getClaims().getSubject() == null) {
            return null;
        }
        if (isVerifiedWithAPublicKey(jwtToken) || contextualBoolean) {
            return new JwtTokenSecurityContext(jwtToken, this.roleClaim);
        }
        return null;
    }

    private boolean isVerifiedWithAPublicKey(JwtToken jwtToken) {
        if (isJwsRequired()) {
            return SignatureAlgorithm.isPublicKeyAlgorithm(SignatureAlgorithm.getAlgorithm((String) jwtToken.getJwsHeader("alg")));
        }
        return false;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.apache.cxf.rs.security.jose.jwt.JoseJwtConsumer
    public void validateToken(JwtToken jwtToken) {
        JwtUtils.validateTokenClaims(jwtToken.getClaims(), getTtl(), getClockOffset(), isValidateAudience());
    }

    public String getRoleClaim() {
        return this.roleClaim;
    }

    public void setRoleClaim(String str) {
        this.roleClaim = str;
    }

    public boolean isValidateAudience() {
        return this.validateAudience;
    }

    public void setValidateAudience(boolean z) {
        this.validateAudience = z;
    }
}
