package fish.payara.microprofile.jwtauth.eesecurity;

import fish.payara.microprofile.jwtauth.jwt.JsonWebTokenImpl;
import fish.payara.microprofile.jwtauth.jwt.JwtTokenParser;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.time.Duration;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Optional;
import java.util.Properties;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.faces.validator.BeanValidator;
import javax.security.enterprise.identitystore.CredentialValidationResult;
import javax.security.enterprise.identitystore.IdentityStore;
import org.eclipse.microprofile.config.Config;
import org.eclipse.microprofile.config.ConfigProvider;
import org.eclipse.microprofile.jwt.config.Names;

/* loaded from: input_file:fish/payara/microprofile/jwtauth/eesecurity/SignedJWTIdentityStore.class */
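/**
 * Jakarta Security {@link IdentityStore} that validates MicroProfile JWT credentials.
 * <p>
 * Configuration is resolved from two sources, in order: an optional vendor
 * properties file on the classpath, then MicroProfile Config. The accepted
 * issuer is mandatory (construction fails otherwise); the allowed audience
 * list is optional, and when absent the token's {@code aud} claim is not
 * checked at all. Configuring a decryptor key location switches the parser
 * into "encrypted token required" mode.
 */
public class SignedJWTIdentityStore implements IdentityStore {

    private static final Logger LOGGER = Logger.getLogger(SignedJWTIdentityStore.class.getName());

    /** Classpath resource holding optional vendor-specific overrides. */
    private static final String VENDOR_PROPERTIES_RESOURCE = "/payara-mp-jwt.properties";
    private static final String VENDOR_ISSUER = "accepted.issuer";
    private static final String VENDOR_ENABLE_NAMESPACE = "enable.namespace";
    private static final String VENDOR_CUSTOM_NAMESPACE = "custom.namespace";
    private static final String VENDOR_DISABLE_TYPE_VERIFICATION = "disable.type.verification";
    private static final String VENDOR_PUBLIC_KEY_CACHE_TTL = "publicKey.cache.ttl";
    /** Separator of the configured audiences list (same value the original took from JSF's BeanValidator). */
    private static final String AUDIENCE_DELIMITER = ",";
    /** Key cache lifetime used when the vendor file does not set one. */
    private static final Duration DEFAULT_KEY_CACHE_TTL = Duration.ofMinutes(5L);
    private static final String GROUPS_CLAIM = "groups";

    /** Issuer every accepted token must carry; mandatory. */
    private final String acceptedIssuer;
    /** Audiences of which at least one must appear in the token; empty Optional disables the check. */
    private final Optional<List<String>> allowedAudience;
    private final Optional<Boolean> enabledNamespace;
    private final Optional<String> customNamespace;
    private final Optional<Boolean> disableTypeVerification;
    private final Config config = ConfigProvider.getConfig();
    private final JwtPublicKeyStore publicKeyStore;
    private final JwtPrivateKeyStore privateKeyStore;
    /** True when a decryptor key location is configured; passed through to the parser. */
    private final boolean isEncryptionRequired;

    /**
     * Reads all settings from the vendor properties file and MicroProfile Config.
     *
     * @throws IllegalStateException if no issuer is configured in either source, or the
     *                               vendor properties file exists but cannot be read
     */
    public SignedJWTIdentityStore() {
        Optional<Properties> vendorProperties = readVendorProperties();

        // The issuer is mandatory: vendor file first, then MP Config, otherwise fail fast.
        this.acceptedIssuer = readVendorIssuer(vendorProperties)
                .orElseGet(() -> config.getOptionalValue(Names.ISSUER, String.class)
                        .orElseThrow(() -> new IllegalStateException("No issuer found")));

        // Audiences are optional; an absent list means the audience claim is not checked.
        Optional<String> audienceSource = readAudience(vendorProperties);
        if (!audienceSource.isPresent()) {
            audienceSource = config.getOptionalValue(Names.AUDIENCES, String.class);
        }
        this.allowedAudience = audienceSource.map(value -> Arrays.asList(value.split(AUDIENCE_DELIMITER)));

        this.enabledNamespace = readEnabledNamespace(vendorProperties);
        this.customNamespace = readCustomNamespace(vendorProperties);
        this.disableTypeVerification = readDisableTypeVerification(vendorProperties);

        Optional<String> publicKeyLocation = readConfigOptional(Names.VERIFIER_PUBLIC_KEY_LOCATION, vendorProperties, config);
        // NOTE(review): the inline verifier public key is read but its value is discarded (as in the
        // original); only the key *location* reaches JwtPublicKeyStore. Confirm whether
        // Names.VERIFIER_PUBLIC_KEY is meant to be honoured here.
        readConfigOptional(Names.VERIFIER_PUBLIC_KEY, vendorProperties, config);
        Optional<String> decryptorKeyLocation = readConfigOptional(Names.DECRYPTOR_KEY_LOCATION, vendorProperties, config);

        Duration keyCacheTtl = readPublicKeyCacheTTL(vendorProperties);
        this.publicKeyStore = new JwtPublicKeyStore(keyCacheTtl, publicKeyLocation);
        // The decryption key store reuses the public-key cache TTL setting.
        this.privateKeyStore = new JwtPrivateKeyStore(keyCacheTtl, decryptorKeyLocation);
        // Presence of a decryptor key is what requires incoming tokens to be encrypted.
        this.isEncryptionRequired = decryptorKeyLocation.isPresent();
    }

    /**
     * Parses and verifies the credential's JWT and, on success, maps its {@code groups}
     * claim to the caller's groups.
     *
     * @param signedJWTCredential credential wrapping the raw (signed, possibly encrypted) token
     * @return a valid result carrying the token as principal, or
     *         {@link CredentialValidationResult#INVALID_RESULT} when parsing, verification
     *         or the audience check fails (the reason is logged at INFO, never propagated)
     */
    public CredentialValidationResult validate(SignedJWTCredential signedJWTCredential) {
        try {
            JsonWebTokenImpl token = new JwtTokenParser(enabledNamespace, customNamespace, disableTypeVerification)
                    .parse(signedJWTCredential.getSignedJWT(), isEncryptionRequired, publicKeyStore,
                            acceptedIssuer, privateKeyStore);

            Set<String> audience = token.getAudience();
            if (!isAudienceAllowed(audience)) {
                LOGGER.log(Level.INFO, "The intended audience {0} is not a part of allowed audience.", audience);
                return CredentialValidationResult.INVALID_RESULT;
            }
            return new CredentialValidationResult(token, readGroups(token));
        } catch (Exception e) {
            // Any parse or verification failure is reported to the caller only as "invalid".
            LOGGER.log(Level.INFO, "Exception trying to parse JWT token.", e);
            return CredentialValidationResult.INVALID_RESULT;
        }
    }

    /**
     * Audience rule: when no audience list is configured every token passes; otherwise the
     * token must carry at least one of the configured audiences (a token with no audience fails).
     */
    private boolean isAudienceAllowed(Set<String> audience) {
        return allowedAudience
                .map(allowed -> audience != null && allowed.stream().anyMatch(audience::contains))
                .orElse(true);
    }

    /** Collects the {@code groups} claim into a mutable set; a missing claim yields an empty set. */
    private static Set<String> readGroups(JsonWebTokenImpl token) {
        Set<String> groups = new HashSet<>();
        @SuppressWarnings("unchecked") // the original relied on a raw cast here; groups is expected to hold strings
        Collection<String> claimGroups = (Collection<String>) token.getClaim(GROUPS_CLAIM);
        if (claimGroups != null) {
            groups.addAll(claimGroups);
        }
        return groups;
    }

    /**
     * Loads the vendor properties file from the context class loader, if present.
     *
     * @return the loaded properties, or empty when the resource does not exist
     * @throws IllegalStateException if the resource exists but cannot be read
     */
    public static Optional<Properties> readVendorProperties() {
        // NOTE(review): ClassLoader.getResource() does not resolve names with a leading '/';
        // confirm this resource is ever found (kept as-is to preserve the original lookup).
        URL resource = Thread.currentThread().getContextClassLoader().getResource(VENDOR_PROPERTIES_RESOURCE);
        if (resource == null) {
            return Optional.empty();
        }
        Properties properties = new Properties();
        try (InputStream in = resource.openStream()) {
            properties.load(in);
        } catch (IOException e) {
            throw new IllegalStateException("Failed to load Vendor properties from resource file", e);
        }
        return Optional.of(properties);
    }

    /** Looks up a single key in the vendor properties; empty when the file or the key is absent. */
    private static Optional<String> vendorProperty(Optional<Properties> vendorProperties, String key) {
        return vendorProperties.map(properties -> properties.getProperty(key));
    }

    private Optional<String> readVendorIssuer(Optional<Properties> vendorProperties) {
        return vendorProperty(vendorProperties, VENDOR_ISSUER);
    }

    /** Defaults to {@code false} when the file exists but the key is unset; empty when there is no file. */
    private Optional<Boolean> readEnabledNamespace(Optional<Properties> vendorProperties) {
        return vendorProperties.map(properties -> Boolean.valueOf(properties.getProperty(VENDOR_ENABLE_NAMESPACE, "false")));
    }

    private Optional<String> readCustomNamespace(Optional<Properties> vendorProperties) {
        return vendorProperty(vendorProperties, VENDOR_CUSTOM_NAMESPACE);
    }

    /** Defaults to {@code false} when the file exists but the key is unset; empty when there is no file. */
    private Optional<Boolean> readDisableTypeVerification(Optional<Properties> vendorProperties) {
        return vendorProperties.map(properties -> Boolean.valueOf(properties.getProperty(VENDOR_DISABLE_TYPE_VERIFICATION, "false")));
    }

    /**
     * Key cache lifetime from the vendor file (milliseconds), or five minutes when unset.
     *
     * @throws NumberFormatException if the configured value is not a valid long
     */
    private Duration readPublicKeyCacheTTL(Optional<Properties> vendorProperties) {
        return vendorProperty(vendorProperties, VENDOR_PUBLIC_KEY_CACHE_TTL)
                .map(Long::valueOf)
                .map(Duration::ofMillis)
                .orElse(DEFAULT_KEY_CACHE_TTL);
    }

    /** The vendor file uses the same key name as MP Config for the audiences list. */
    private Optional<String> readAudience(Optional<Properties> vendorProperties) {
        return vendorProperty(vendorProperties, Names.AUDIENCES);
    }

    /**
     * Resolves a setting with a fallback value.
     *
     * @param str      configuration key
     * @param optional vendor properties, consulted before {@code config}
     * @param config   MicroProfile Config instance
     * @param str2     value returned when neither source defines the key
     * @return the resolved value or {@code str2}
     */
    public static String readConfig(String str, Optional<Properties> optional, Config config, String str2) {
        return readConfigOptional(str, optional, config).orElse(str2);
    }

    /**
     * Resolves a setting: the vendor properties take precedence over MicroProfile Config.
     *
     * @param str      configuration key
     * @param optional vendor properties, consulted first
     * @param config   MicroProfile Config instance, consulted when the vendor file lacks the key
     * @return the first value found, or empty
     */
    public static Optional<String> readConfigOptional(String str, Optional<Properties> optional, Config config) {
        Optional<String> vendorValue = vendorProperty(optional, str);
        return vendorValue.isPresent() ? vendorValue : config.getOptionalValue(str, String.class);
    }
}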
