package be.atbash.ee.security.octopus.jwt.decoder;

import be.atbash.ee.security.octopus.jwt.InvalidJWTException;
import be.atbash.ee.security.octopus.jwt.JWTEncoding;
import be.atbash.ee.security.octopus.jwt.JWTValidationConstant;
import be.atbash.ee.security.octopus.keys.selector.KeySelector;
import be.atbash.ee.security.octopus.nimbus.jose.HeaderParameterNames;
import be.atbash.ee.security.octopus.nimbus.jwt.EncryptedJWT;
import be.atbash.ee.security.octopus.nimbus.jwt.JWTClaimsSet;
import be.atbash.ee.security.octopus.nimbus.jwt.PlainJWT;
import be.atbash.ee.security.octopus.nimbus.jwt.SignedJWT;
import be.atbash.ee.security.octopus.nimbus.jwt.proc.DefaultJWTProcessor;
import be.atbash.ee.security.octopus.nimbus.jwt.proc.JWTProcessor;
import be.atbash.ee.security.octopus.util.JsonbUtil;
import be.atbash.util.PublicAPI;
import be.atbash.util.StringUtils;
import be.atbash.util.exception.AtbashIllegalActionException;
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.json.JsonObject;
import java.text.ParseException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Iterator;
import java.util.ServiceLoader;
import java.util.Set;
import org.slf4j.MDC;

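/**
 * Decodes a token, supplied either as a string or as a {@link JsonObject}, into a
 * {@link JWTData} holding the payload mapped to the requested type plus header metadata.
 *
 * <p>The handling is selected from the shape of the input itself (see
 * {@link #determineEncoding(String)}). Only {@code JWS} and {@code JWE} input passes through
 * the {@link JWTProcessor} and the optional {@link JWTVerifier}. {@code NONE} (raw JSON) and
 * {@code PLAIN} (unsecured JWT) input is parsed and returned as-is: no key is required, and a
 * supplied {@link KeySelector} or {@link JWTVerifier} is not consulted for those encodings.
 * Because the input decides which branch runs, code that relies on the payload being
 * authenticated should confirm that the encoding is {@code JWS} or {@code JWE} before trusting
 * the result.
 *
 * <p>Thread-safety: one {@link JWTProcessor} is shared by all calls on this application-scoped
 * bean. Its per-call configuration and the {@code process} call run under the processor's
 * monitor so that concurrent decodes cannot observe each other's key selector.
 */
@PublicAPI
@ApplicationScoped
public class JWTDecoder {
    // Resolved lazily by getJwtProcessor() and then reused for every signed/encrypted token.
    private JWTProcessor jwtProcessor;

    /**
     * Decodes without key selector, verifier or deferred critical headers.
     * JWS/JWE input is rejected on this path because no key selector is available.
     */
    public <T> JWTData<T> decode(String str, Class<T> cls) {
        return decode(str, cls, (KeySelector) null, (JWTVerifier) null, new String[0]);
    }

    /** Decodes using {@code keySelector} for JWS/JWE input, without an additional verifier. */
    public <T> JWTData<T> decode(String str, Class<T> cls, KeySelector keySelector) {
        return decode(str, cls, keySelector, (JWTVerifier) null, new String[0]);
    }

    /**
     * Decodes with a verifier but no key selector.
     * JWS/JWE input is rejected on this path; for NONE/PLAIN input the verifier is not invoked.
     */
    public <T> JWTData<T> decode(String str, Class<T> cls, JWTVerifier jWTVerifier) {
        return decode(str, cls, (KeySelector) null, jWTVerifier, new String[0]);
    }

    /** Decodes using {@code keySelector} and the given deferred critical header names. */
    public <T> JWTData<T> decode(String str, Class<T> cls, KeySelector keySelector, String... strArr) {
        return decode(str, cls, keySelector, (JWTVerifier) null, strArr);
    }

    /**
     * Decodes a token in string form.
     *
     * @param str         the token: raw JSON, or a compact serialization
     * @param cls         target type for the payload; {@code JWTClaimsSet.class} returns the claims set itself
     * @param keySelector supplies keys for JWS/JWE input; must be non-null for those encodings
     * @param jWTVerifier optional extra check applied to JWS/JWE input after processing
     * @param strArr      critical header names handed to the processor as deferred; may be null
     * @return the decoded payload and its metadata
     * @throws IllegalArgumentException     if the encoding cannot be determined or is unsupported
     * @throws AtbashIllegalActionException if JWS/JWE input is given without a key selector
     * @throws InvalidJWTException          if the token structure cannot be parsed or the verifier rejects it
     */
    public <T> JWTData<T> decode(String str, Class<T> cls, KeySelector keySelector, JWTVerifier jWTVerifier, String... strArr) {
        JWTEncoding encoding = determineEncoding(str);
        if (encoding == null) {
            MDC.put(JWTValidationConstant.JWT_VERIFICATION_FAIL_REASON, "Unable to determine the encoding of the provided token");
            throw new IllegalArgumentException("Unable to determine the encoding of the data");
        }
        // Recorded before processing starts; this method does not clear the entry on success.
        MDC.put(JWTValidationConstant.JWT_VERIFICATION_FAIL_REASON, String.format("The encoding of the provided token : %s", encoding));
        try {
            switch (encoding) {
                case NONE:
                    // Raw JSON: mapped straight to cls, no signature or verifier involved.
                    return readJSONString(str, cls);
                case PLAIN:
                    // Unsecured JWT: parsed only, keySelector and jWTVerifier are not used.
                    return readPlainJWT(str, cls);
                case JWS:
                    if (keySelector == null) {
                        throw new AtbashIllegalActionException("(OCT-DEV-101) keySelector required for decoding a JWT encoded value");
                    }
                    return readSignedJWT(str, keySelector, cls, jWTVerifier, getDefCritHeaders(strArr));
                case JWE:
                    if (keySelector == null) {
                        throw new AtbashIllegalActionException("(OCT-DEV-101) keySelector required for decoding a JWE encoded value");
                    }
                    return readEncryptedJWT(str, keySelector, cls, jWTVerifier, getDefCritHeaders(strArr));
                default:
                    throw new IllegalArgumentException(String.format("JWTEncoding not supported %s", encoding));
            }
        } catch (ParseException e) {
            MDC.put(JWTValidationConstant.JWT_VERIFICATION_FAIL_REASON, "The structure of the provided token was not valid");
            throw new InvalidJWTException("Invalid JWT structure", e);
        }
    }

    /** Copies the deferred critical header names into a fresh mutable set (empty when null). */
    private HashSet<String> getDefCritHeaders(String[] strArr) {
        return strArr == null ? new HashSet<>() : new HashSet<>(Arrays.asList(strArr));
    }

    private <T> JWTData<T> readPlainJWT(String str, Class<T> cls) throws ParseException {
        return handlePlainJWT(PlainJWT.parse(str), cls);
    }

    private <T> JWTData<T> readEncryptedJWT(String str, KeySelector keySelector, Class<T> cls, JWTVerifier jWTVerifier, Set<String> defCritHeaders) throws ParseException {
        return handleEncryptedJWT(EncryptedJWT.parse(str), keySelector, cls, jWTVerifier, defCritHeaders);
    }

    private <T> JWTData<T> readSignedJWT(String str, KeySelector keySelector, Class<T> cls, JWTVerifier jWTVerifier, Set<String> defCritHeaders) throws ParseException {
        return handleSignedJWT(SignedJWT.parse(str), keySelector, cls, jWTVerifier, defCritHeaders);
    }

    private <T> JWTData<T> readJSONString(String str, Class<T> cls) {
        return readJSONString(str, cls, new MetaJWTData());
    }

    /** Maps a JSON document onto {@code cls} with JSON-B and pairs it with the given metadata. */
    private <T> JWTData<T> readJSONString(String str, Class<T> cls, MetaJWTData metaJWTData) {
        return new JWTData<>(JsonbUtil.getJsonb().fromJson(str, cls), metaJWTData);
    }

    /**
     * Classifies a token string by its shape alone; nothing is parsed or verified here.
     *
     * <ul>
     *   <li>starts with <code>{</code>: {@code NONE}</li>
     *   <li>starts with {@code ey} and has 1 dot, or 2 dots with the last one at the very end: {@code PLAIN}</li>
     *   <li>starts with {@code ey} and has 2 dots with content after the last one: {@code JWS}</li>
     *   <li>starts with {@code ey} and has 4 dots: {@code JWE}</li>
     * </ul>
     *
     * @param str the token, may be null
     * @return the detected encoding, or {@code null} when {@code str} is null or matches none of the shapes
     */
    public JWTEncoding determineEncoding(String str) {
        if (str == null) {
            return null;
        }
        JWTEncoding encoding = null;
        if (str.startsWith("{")) {
            encoding = JWTEncoding.NONE;
        }
        // "ey" is how the Base64URL encoding of a JSON object opening with {" begins.
        if (str.startsWith("ey")) {
            int dots = StringUtils.countOccurrences(str, '.');
            switch (dots) {
                case 1:
                    encoding = JWTEncoding.PLAIN;
                    break;
                case 2:
                    // A trailing dot means the signature part is empty, i.e. an unsecured JWT.
                    encoding = str.endsWith(".") ? JWTEncoding.PLAIN : JWTEncoding.JWS;
                    break;
                case 4:
                    encoding = JWTEncoding.JWE;
                    break;
                default:
                    break;
            }
        }
        return encoding;
    }

    /**
     * Decodes without key selector, verifier or deferred critical headers.
     * JWS/JWE input is rejected on this path because no key selector is available.
     */
    public <T> JWTData<T> decode(JsonObject jsonObject, Class<T> cls) {
        return decode(jsonObject, cls, (KeySelector) null, (JWTVerifier) null, new String[0]);
    }

    /** Decodes using {@code keySelector} for JWS/JWE input, without an additional verifier. */
    public <T> JWTData<T> decode(JsonObject jsonObject, Class<T> cls, KeySelector keySelector) {
        return decode(jsonObject, cls, keySelector, (JWTVerifier) null, new String[0]);
    }

    /**
     * Decodes with a verifier but no key selector.
     * JWS/JWE input is rejected on this path; for PLAIN input the verifier is not invoked.
     */
    public <T> JWTData<T> decode(JsonObject jsonObject, Class<T> cls, JWTVerifier jWTVerifier) {
        return decode(jsonObject, cls, (KeySelector) null, jWTVerifier, new String[0]);
    }

    /** Decodes using {@code keySelector} and the given deferred critical header names. */
    public <T> JWTData<T> decode(JsonObject jsonObject, Class<T> cls, KeySelector keySelector, String... strArr) {
        return decode(jsonObject, cls, keySelector, (JWTVerifier) null, strArr);
    }

    /**
     * Decodes a token given as a JSON object. Unlike the string variant, this path does not
     * record a failure reason in the MDC.
     *
     * @param jsonObject  the token in JSON form
     * @param cls         target type for the payload; {@code JWTClaimsSet.class} returns the claims set itself
     * @param keySelector supplies keys for JWS/JWE input; must be non-null for those encodings
     * @param jWTVerifier optional extra check applied to JWS/JWE input after processing
     * @param strArr      critical header names handed to the processor as deferred; may be null
     * @return the decoded payload and its metadata
     * @throws IllegalArgumentException     if the encoding cannot be determined or is unsupported
     * @throws AtbashIllegalActionException if JWS/JWE input is given without a key selector
     * @throws InvalidJWTException          if the token structure cannot be parsed or the verifier rejects it
     */
    public <T> JWTData<T> decode(JsonObject jsonObject, Class<T> cls, KeySelector keySelector, JWTVerifier jWTVerifier, String... strArr) {
        JWTEncoding encoding = determineEncoding(jsonObject);
        if (encoding == null) {
            throw new IllegalArgumentException("Unable to determine the encoding of the data");
        }
        try {
            switch (encoding) {
                case PLAIN:
                    // Unsecured JWT: parsed only, keySelector and jWTVerifier are not used.
                    return readPlainJWT(jsonObject, cls);
                case JWS:
                    if (keySelector == null) {
                        throw new AtbashIllegalActionException("(OCT-DEV-101) keySelector required for decoding a JWT encoded value");
                    }
                    return readSignedJWT(jsonObject, keySelector, cls, jWTVerifier, getDefCritHeaders(strArr));
                case JWE:
                    if (keySelector == null) {
                        throw new AtbashIllegalActionException("(OCT-DEV-101) keySelector required for decoding a JWE encoded value");
                    }
                    return readEncryptedJWT(jsonObject, keySelector, cls, jWTVerifier, getDefCritHeaders(strArr));
                default:
                    throw new IllegalArgumentException(String.format("JWTEncoding not supported %s", encoding));
            }
        } catch (ParseException e) {
            throw new InvalidJWTException("Invalid JWT structure", e);
        }
    }

    /**
     * Classifies a JSON-form token by the members it contains.
     *
     * @return {@code null} for a null object or one with none of {@code header},
     *         {@code protected}, {@code payload}; otherwise {@code JWE} when all four
     *         encryption members are present, else {@code JWS} when {@code signature} is
     *         present, else {@code PLAIN}
     */
    private JWTEncoding determineEncoding(JsonObject jsonObject) {
        if (jsonObject == null) {
            return null;
        }
        boolean looksLikeToken = jsonObject.containsKey("header")
                || jsonObject.containsKey("protected")
                || jsonObject.containsKey("payload");
        if (!looksLikeToken) {
            return null;
        }
        // PLAIN is the fallback, so the absence of a signature member is enough to land here.
        JWTEncoding encoding = JWTEncoding.PLAIN;
        if (jsonObject.containsKey("signature")) {
            encoding = JWTEncoding.JWS;
        }
        // Checked last, so a complete set of encryption members overrides the JWS classification.
        if (jsonObject.containsKey("encrypted_key")
                && jsonObject.containsKey(HeaderParameterNames.INITIALIZATION_VECTOR)
                && jsonObject.containsKey("ciphertext")
                && jsonObject.containsKey(HeaderParameterNames.AUTHENTICATION_TAG)) {
            encoding = JWTEncoding.JWE;
        }
        return encoding;
    }

    private <T> JWTData<T> readPlainJWT(JsonObject jsonObject, Class<T> cls) throws ParseException {
        return handlePlainJWT(PlainJWT.parse(jsonObject), cls);
    }

    /** Builds the result for an unsecured JWT; there is no key id, and no verification step. */
    private <T> JWTData<T> handlePlainJWT(PlainJWT plainJWT, Class<T> cls) throws ParseException {
        MetaJWTData metaJWTData = new MetaJWTData(null, plainJWT.getHeader().getCustomParameters());
        JWTClaimsSet claims = plainJWT.getJWTClaimsSet();
        if (cls.equals(JWTClaimsSet.class)) {
            // cls is JWTClaimsSet.class here, so cast() yields the claims typed as T without an unchecked cast.
            return new JWTData<>(cls.cast(claims), metaJWTData);
        }
        return readJSONString(claims.toJSONObject().toString(), cls, metaJWTData);
    }

    private <T> JWTData<T> readSignedJWT(JsonObject jsonObject, KeySelector keySelector, Class<T> cls, JWTVerifier jWTVerifier, Set<String> defCritHeaders) throws ParseException {
        return handleSignedJWT(SignedJWT.parse(jsonObject), keySelector, cls, jWTVerifier, defCritHeaders);
    }

    /**
     * Runs a signed JWT through the processor, then through the optional verifier.
     *
     * @throws InvalidJWTException if the verifier returns false
     */
    private <T> JWTData<T> handleSignedJWT(SignedJWT signedJWT, KeySelector keySelector, Class<T> cls, JWTVerifier jWTVerifier, Set<String> defCritHeaders) throws ParseException {
        JWTProcessor processor = getJwtProcessor();
        JWTClaimsSet claims;
        // The processor is shared and configured through setters, so configure + process must be
        // atomic; otherwise a concurrent decode could swap in a different key selector in between.
        synchronized (processor) {
            processor.setJWSKeySelector(keySelector);
            processor.setDeferredCritHeaders(assembleAllCritHeaders(jWTVerifier, defCritHeaders));
            claims = processor.process(signedJWT);
        }
        if (jWTVerifier != null && !jWTVerifier.verify(signedJWT.getHeader(), signedJWT.getJWTClaimsSet())) {
            throw new InvalidJWTException("JWT verification failed");
        }
        MetaJWTData metaJWTData = new MetaJWTData(signedJWT.getHeader().getKeyID(), signedJWT.getHeader().getCustomParameters());
        if (cls.equals(JWTClaimsSet.class)) {
            // cls is JWTClaimsSet.class here, so cast() yields the claims typed as T without an unchecked cast.
            return new JWTData<>(cls.cast(claims), metaJWTData);
        }
        return readJSONString(signedJWT.getPayload().toString(), cls, metaJWTData);
    }

    /**
     * Merges the caller's deferred critical headers with those the verifier declares it supports.
     * Works on a copy so the caller's set is never modified.
     */
    private Set<String> assembleAllCritHeaders(JWTVerifier jWTVerifier, Set<String> defCritHeaders) {
        Set<String> all = defCritHeaders == null ? new HashSet<>() : new HashSet<>(defCritHeaders);
        if (jWTVerifier != null) {
            all.addAll(jWTVerifier.getSupportedCritHeaderValues());
        }
        return all;
    }

    private <T> JWTData<T> readEncryptedJWT(JsonObject jsonObject, KeySelector keySelector, Class<T> cls, JWTVerifier jWTVerifier, Set<String> defCritHeaders) throws ParseException {
        return handleEncryptedJWT(EncryptedJWT.parse(jsonObject), keySelector, cls, jWTVerifier, defCritHeaders);
    }

    /**
     * Runs an encrypted JWT through the processor, then through the optional verifier.
     *
     * @throws InvalidJWTException if the verifier returns false
     */
    private <T> JWTData<T> handleEncryptedJWT(EncryptedJWT encryptedJWT, KeySelector keySelector, Class<T> cls, JWTVerifier jWTVerifier, Set<String> defCritHeaders) {
        String keyID = encryptedJWT.getHeader().getKeyID();
        JWTProcessor processor = getJwtProcessor();
        JWTClaimsSet claims;
        // Same reason as for signed tokens: the shared processor's per-call setup must not interleave.
        synchronized (processor) {
            // The JWS selector is set as well; presumably for a signed JWT nested in the JWE (confirm).
            processor.setJWSKeySelector(keySelector);
            processor.setJWEKeySelector(keySelector);
            // NOTE(review): unlike the signed path, the verifier's supported critical headers are
            // not merged in here. Confirm whether that difference is intended.
            processor.setDeferredCritHeaders(defCritHeaders);
            claims = processor.process(encryptedJWT);
        }
        if (jWTVerifier != null && !jWTVerifier.verify(encryptedJWT.getHeader(), claims)) {
            throw new InvalidJWTException("JWT verification failed");
        }
        MetaJWTData metaJWTData = new MetaJWTData(keyID, encryptedJWT.getHeader().getCustomParameters());
        if (cls.equals(JWTClaimsSet.class)) {
            // cls is JWTClaimsSet.class here, so cast() yields the claims typed as T without an unchecked cast.
            return new JWTData<>(cls.cast(claims), metaJWTData);
        }
        return readJSONString(claims.toJSONObject().toString(), cls, metaJWTData);
    }

    /**
     * Returns the shared processor, resolving it on first use.
     *
     * <p>The first {@link JWTProcessor} offered by {@link ServiceLoader} wins; only when none is
     * registered is {@link DefaultJWTProcessor} used. The service registrations visible on the
     * classpath therefore decide which implementation performs signature and decryption checks.
     */
    private synchronized JWTProcessor getJwtProcessor() {
        if (this.jwtProcessor == null) {
            Iterator<JWTProcessor> providers = ServiceLoader.load(JWTProcessor.class).iterator();
            this.jwtProcessor = providers.hasNext() ? providers.next() : new DefaultJWTProcessor();
        }
        return this.jwtProcessor;
    }
}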
