package io.smallrye.jwt.auth.principal;

import java.io.IOException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;
import org.eclipse.microprofile.jwt.Claims;
import org.jboss.logging.Logger;
import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwk.HttpsJwks;
import org.jose4j.jwk.JsonWebKey;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.NumericDate;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.jwt.consumer.JwtContext;
import org.jose4j.keys.resolvers.JwksVerificationKeyResolver;
import org.jose4j.lang.JoseException;

/* loaded from: input_file:io/smallrye/jwt/auth/principal/DefaultJWTTokenParser.class */
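/**
 * Verifies a compact-serialized JWT with jose4j and returns the processed {@link JwtContext}.
 *
 * <p>What the consumer built in {@link #parse(String, JWTAuthContextInfo)} enforces:
 * <ul>
 *   <li>the JWS algorithm must be RS256 (whitelist), so a token declaring any other
 *       algorithm is not accepted;</li>
 *   <li>the {@code exp} and {@code sub} claims must be present;</li>
 *   <li>the issuer is compared with the configured value only when
 *       {@code isRequireIssuer()} is true.</li>
 * </ul>
 *
 * <p>What it does not enforce, and callers therefore have to cover themselves:
 * <ul>
 *   <li>the audience: default audience validation is skipped and no expected audience is set;</li>
 *   <li>expiry, when the configured grace period is zero or negative (see the note in
 *       {@code parse}).</li>
 * </ul>
 *
 * <p>Thread-safety: the lazily created JWKS client is guarded by {@code synchronized (this)};
 * {@code parse} keeps no other instance state.
 */
public class DefaultJWTTokenParser {
    private static final Logger logger = Logger.getLogger(DefaultJWTTokenParser.class);
    /** Name of the optional claim that maps group names to additional role names. */
    private static final String ROLE_MAPPINGS = "roleMappings";
    /** JWKS client, created on first use by {@link #loadJsonWebKeys(JWTAuthContextInfo)}. */
    private HttpsJwks httpsJwks;

    /**
     * Verifies the token's signature and claims and returns the resulting context.
     *
     * <p>After successful validation the raw token string is stored in the claims under
     * {@code Claims.raw_token}, and, if a {@code roleMappings} claim is present, the
     * {@code groups} claim is extended with the mapped roles.
     *
     * @param str the compact-serialized JWT, as received from the caller (untrusted)
     * @param jWTAuthContextInfo verification settings: issuer, signer key or JWKS location,
     *     expiry grace period
     * @return the jose4j context holding the validated claims
     * @throws ParseException if jose4j rejects the token ({@link InvalidJwtException})
     * @throws IllegalStateException if the JWKS document cannot be fetched
     */
    public JwtContext parse(String str, JWTAuthContextInfo jWTAuthContextInfo) throws ParseException {
        try {
            // Only RS256 is whitelisted; audience validation is deliberately skipped here.
            JwtConsumerBuilder builder = new JwtConsumerBuilder()
                    .setRequireExpirationTime()
                    .setRequireSubject()
                    .setSkipDefaultAudienceValidation()
                    .setJwsAlgorithmConstraints(new AlgorithmConstraints(
                            AlgorithmConstraints.ConstraintType.WHITELIST, new String[]{"RS256"}));

            if (jWTAuthContextInfo.isRequireIssuer()) {
                builder.setExpectedIssuer(true, jWTAuthContextInfo.getIssuedBy());
            } else {
                // Issuer is neither required nor compared on this path.
                builder.setExpectedIssuer(false, (String) null);
            }

            // Key source, in order of precedence: configured key, MP-JWT 1.1 key location, JWKS.
            if (jWTAuthContextInfo.getSignerKey() != null) {
                builder.setVerificationKey(jWTAuthContextInfo.getSignerKey());
            } else if (jWTAuthContextInfo.isFollowMpJwt11Rules()) {
                builder.setVerificationKeyResolver(new KeyLocationResolver(jWTAuthContextInfo.getJwksUri()));
            } else {
                builder.setVerificationKeyResolver(
                        new JwksVerificationKeyResolver(loadJsonWebKeys(jWTAuthContextInfo)));
            }

            if (jWTAuthContextInfo.getExpGracePeriodSecs() > 0) {
                builder.setAllowedClockSkewInSeconds(jWTAuthContextInfo.getExpGracePeriodSecs());
            } else {
                // NOTE(review): with a grace period <= 0 the consumer evaluates time-based
                // claims as if "now" were epoch second 0 instead of the wall clock. An exp in
                // the past is still later than that instant, so expiry is effectively not
                // enforced on this path. Confirm that no deployment runs with
                // expGracePeriodSecs <= 0, or replace this branch with strict (zero-skew)
                // validation once callers relying on it are known.
                builder.setEvaluationTime(NumericDate.fromSeconds(0L));
            }

            JwtConsumer consumer = builder.build();
            JwtContext context = consumer.process(str);
            // NOTE(review): process() above already validates; this re-runs validation on the
            // same context. Presumably redundant - confirm before removing.
            consumer.processContext(context);

            JwtClaims jwtClaims = context.getJwtClaims();
            jwtClaims.setClaim(Claims.raw_token.name(), str);
            if (jwtClaims.hasClaim(ROLE_MAPPINGS)) {
                applyRoleMappings(jwtClaims);
            }
            return context;
        } catch (InvalidJwtException e) {
            throw new ParseException("Failed to verify token", e);
        }
    }

    /**
     * Adds to the {@code groups} claim every role that {@code roleMappings} assigns to a group
     * the token already carries.
     *
     * <p>The mapping is read from the token itself, so it is only as trustworthy as the issuer
     * whose signature was verified before this is called. Any failure (malformed claim,
     * non-string mapping value) is logged and leaves the claims unchanged.
     */
    private static void applyRoleMappings(JwtClaims jwtClaims) {
        try {
            // getClaimValue returns a raw Map; JSON object keys are strings, values are checked
            // by the explicit cast below.
            @SuppressWarnings("unchecked")
            Map<String, Object> roleMappings = jwtClaims.getClaimValue(ROLE_MAPPINGS, Map.class);
            List<String> tokenGroups = jwtClaims.getStringListClaimValue(Claims.groups.name());
            List<String> effectiveGroups = new ArrayList<>(tokenGroups);
            for (Map.Entry<String, Object> mapping : roleMappings.entrySet()) {
                if (tokenGroups.contains(mapping.getKey())) {
                    // A non-string value throws ClassCastException, handled below.
                    effectiveGroups.add((String) mapping.getValue());
                }
            }
            // Written only after the whole mapping was applied, so a failure above cannot
            // leave a partially updated groups claim.
            jwtClaims.setStringListClaim("groups", effectiveGroups);
            logger.infof("Updated groups to: %s", effectiveGroups);
        } catch (Exception e) {
            // Best effort by design: a bad mapping must not fail an otherwise valid token.
            logger.warnf(e, "Failed to access roleMappings claim");
        }
    }

    /**
     * Returns the RS256 signing keys published at the configured JWKS URI.
     *
     * <p>The JWKS client is created on the first call and reused afterwards.
     * NOTE(review): a later call with a different JWKS URI still uses the client built for the
     * first one, and nothing here restricts the URI scheme - confirm that the URI is fixed and
     * limited to https at configuration time.
     *
     * @param jWTAuthContextInfo supplies the JWKS URI and the refresh interval
     * @return keys whose {@code use} is {@code sig} and whose {@code alg} is {@code RS256};
     *     an empty list when no JWKS URI is configured
     * @throws IllegalStateException if the JWKS document cannot be fetched or parsed
     */
    protected List<JsonWebKey> loadJsonWebKeys(JWTAuthContextInfo jWTAuthContextInfo) {
        synchronized (this) {
            if (jWTAuthContextInfo.getJwksUri() == null) {
                return Collections.emptyList();
            }
            if (this.httpsJwks == null) {
                this.httpsJwks = new HttpsJwks(jWTAuthContextInfo.getJwksUri());
                // presumably the interval is in minutes and the cache duration in seconds - TODO confirm
                this.httpsJwks.setDefaultCacheDuration(
                        jWTAuthContextInfo.getJwksRefreshInterval().longValue() * 60);
            }
            try {
                // Keys lacking use=sig or alg=RS256 are dropped, not treated as wildcards.
                return this.httpsJwks.getJsonWebKeys().stream()
                        .filter(key -> "sig".equals(key.getUse()))
                        .filter(key -> "RS256".equals(key.getAlgorithm()))
                        .collect(Collectors.toList());
            } catch (IOException | JoseException e) {
                throw new IllegalStateException(
                        String.format("Unable to fetch JWKS from %s.", jWTAuthContextInfo.getJwksUri()), e);
            }
        }
    }
}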
