package org.opencastproject.security.jwt;

import com.auth0.jwk.JwkException;
import com.auth0.jwt.JWT;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;
import java.util.List;
import org.apache.commons.lang3.StringUtils;
import org.springframework.expression.EvaluationException;
import org.springframework.expression.ParseException;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.util.Assert;

/* loaded from: input_file:org/opencastproject/security/jwt/JWTVerifier.class */
public final class JWTVerifier {
    private JWTVerifier() {
    }

    public static DecodedJWT verify(String str, GuavaCachedUrlJwkProvider guavaCachedUrlJwkProvider, List<String> list) throws JwkException {
        Assert.notNull(str, "A token must be set");
        Assert.notNull(guavaCachedUrlJwkProvider, "A JWKS provider must be set");
        DecodedJWT decode = JWT.decode(str);
        try {
            return verify(decode, list, guavaCachedUrlJwkProvider.getAlgorithms(decode, false));
        } catch (JwkException | JWTVerificationException e) {
            return verify(decode, list, guavaCachedUrlJwkProvider.getAlgorithms(decode, true));
        }
    }

    public static DecodedJWT verify(String str, String str2, List<String> list) throws JWTVerificationException {
        Assert.notNull(str, "A token must be set");
        Assert.isTrue(StringUtils.isNotBlank(str2), "A secret must be set");
        DecodedJWT decode = JWT.decode(str);
        return verify(decode, list, AlgorithmBuilder.buildAlgorithm(decode, str2));
    }

    public static DecodedJWT verify(DecodedJWT decodedJWT, List<String> list, List<Algorithm> list2) throws JWTVerificationException {
        return verify(decodedJWT, list, (Algorithm[]) list2.toArray(new Algorithm[0]));
    }

    public static DecodedJWT verify(DecodedJWT decodedJWT, List<String> list, Algorithm... algorithmArr) throws JWTVerificationException {
        Assert.notNull(decodedJWT, "A decoded JWT must be set");
        Assert.notEmpty(list, "Claim constraints must be set");
        Assert.notEmpty(algorithmArr, "Algorithms must be set");
        Assert.isTrue(algorithmsMatch(algorithmArr), "Algorithms must be of same class");
        boolean z = false;
        JWTVerificationException jWTVerificationException = new JWTVerificationException("JWT could not be verified");
        int length = algorithmArr.length;
        int i = 0;
        loop0: while (true) {
            if (i >= length) {
                break;
            }
            try {
                JWT.require(algorithmArr[i]).build().verify(decodedJWT);
                SpelExpressionParser spelExpressionParser = new SpelExpressionParser();
                for (String str : list) {
                    if (!((Boolean) spelExpressionParser.parseExpression(str).getValue(decodedJWT.getClaims(), Boolean.class)).booleanValue()) {
                        throw new JWTVerificationException("The claims did not fulfill constraint '" + str + "'");
                        break;
                    }
                }
                z = true;
                break loop0;
            } catch (JWTVerificationException | EvaluationException | ParseException e) {
                jWTVerificationException = e;
                i++;
            }
        }
        if (z) {
            return decodedJWT;
        }
        throw new JWTVerificationException(jWTVerificationException.getMessage());
    }

    private static boolean algorithmsMatch(Algorithm... algorithmArr) {
        for (int i = 1; i < algorithmArr.length; i++) {
            if (!algorithmArr[i].getClass().equals(algorithmArr[0].getClass())) {
                return false;
            }
        }
        return true;
    }
}
