package com.vmware.l10n.conf;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
import com.nimbusds.jose.jwk.source.RemoteJWKSet;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jose.util.DefaultResourceRetriever;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.jwt.proc.BadJWTException;
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import com.vmware.vip.common.csp.Claim;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
import java.text.ParseException;
import java.time.Instant;
import java.util.Iterator;
import org.apache.http.cookie.ClientCookie;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Service;

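@Service
/* loaded from: input_file:BOOT-INF/classes/com/vmware/l10n/conf/CspValidateService.class */
/**
 * Validates CSP-issued JWTs (RS256, key identified by the {@code kid} header) against a JWK set that is
 * fetched from {@code csp.auth.url}, cached in memory and re-fetched at most once per
 * {@code csp.auth.refresh-interval-sec} when an unknown {@code kid} shows up.
 *
 * <p>Verification order: signature (cached key set) -> exp/nbf (nimbus defaults) -> issuer must equal
 * {@code csp.auth.issuer}. Any failure results in {@code null} from {@link #getTokenClaims(String)};
 * callers must treat {@code null} as "reject".
 *
 * <p>Thread-safety: this is a singleton bean used by concurrent requests. The cached fields are written only
 * under the synchronized refresh methods and read lock-free in {@link #validate(String)}, hence volatile.
 */
public class CspValidateService {
    private static final Logger LOGGER = LoggerFactory.getLogger(CspValidateService.class);

    /** Connect/read timeout (ms) for the JWKS fetch; {@code JWKSet.load(URL)} alone would wait forever. */
    private static final int JWKS_HTTP_TIMEOUT_MS = 2000;

    /** Expected {@code iss} claim. The "###" default can never match a real issuer, so an unconfigured issuer fails closed. */
    @Value("${csp.auth.issuer:###}")
    private String issuer;

    // NOTE(review): the fetch trusts whatever scheme is configured; in production this should be an https URL
    // that also hosts the signing keys of no one but CSP — confirm the deployment config.
    @Value("${csp.auth.url:###}")
    private String jwksUri;

    /** Minimum number of seconds between two JWKS re-fetches triggered by unknown key IDs. */
    @Value("${csp.auth.refresh-interval-sec:30}")
    private int refreshIntervalSec;

    /** Time of the last JWKS fetch attempt (success or failure); null until the first attempt. */
    private volatile Instant keyRotateEndpointLastAccess;
    private volatile URL url;
    private volatile JWKSet jwksInMem;

    /**
     * @param str the compact-serialized JWT, may be null
     * @return true only when the token's signature, expiry and issuer all check out
     */
    public boolean isTokenValid(String str) {
        return getTokenClaims(str) != null;
    }

    /**
     * Validates the token and extracts the CSP claims.
     *
     * @param str the compact-serialized JWT, may be null
     * @return the claims, or {@code null} when the token is absent, malformed, unsigned, expired, signed
     *         by an unknown key, or issued by someone other than {@code csp.auth.issuer}
     */
    public Claim getTokenClaims(String str) {
        if (this.jwksInMem == null || this.jwksInMem.getKeys() == null) {
            callCspJwksEndpoint();
        }
        try {
            return validate(str);
        } catch (JOSEException e) {
            LOGGER.error("Internal processing of token failed", e);
            return null;
        } catch (BadJWTException e2) {
            LOGGER.error("Token is not valid", e2);
            return null;
        } catch (BadJOSEException e3) {
            LOGGER.error("Bad JSON Object Signing and Encryption found", e3);
            return null;
        } catch (ParseException e4) {
            LOGGER.error("Error while parsing token string", e4);
            return null;
        }
    }

    /**
     * Full validation pipeline for one token.
     *
     * @throws ParseException   token is not a well-formed signed JWT (this also covers {@code "alg":"none"})
     * @throws BadJOSEException signature does not verify, key type unsupported, or header lacks a {@code kid}
     * @throws BadJWTException  expired / not yet valid / wrong issuer / required claim missing
     * @throws JOSEException    internal crypto failure
     */
    private Claim validate(String str) throws ParseException, BadJOSEException, JOSEException {
        if (str == null) {
            return null;
        }
        SignedJWT signedJwt = SignedJWT.parse(str);
        String keyID = signedJwt.getHeader().getKeyID();
        if (keyID == null) {
            // Without a kid no key can be selected; previously this NPE'd on keys that carry no kid.
            throw new BadJOSEException("Token header has no key ID (kid)");
        }

        // Work on a snapshot so a concurrent refresh cannot swap the set mid-validation.
        JWKSet keySet = this.jwksInMem;
        JWK jwk = findKey(keySet, keyID);
        if (jwk == null) {
            // Unknown kid, possibly a rotated signing key: re-fetch (rate limited) and look again.
            // The earlier code refreshed here but then still rejected the token, so a legitimate
            // rotation cost every caller one failed request.
            if (allowRefreshJwkset(getRefreshIntervalSec())) {
                keySet = this.jwksInMem;
                jwk = findKey(keySet, keyID);
            } else {
                LOGGER.info("Trying to hit public key endpoint within {} sec, possibly a DoS (Denial of Service) attack", Integer.valueOf(getRefreshIntervalSec()));
            }
        }
        if (jwk == null) {
            return null;
        }

        JWSAlgorithm keyAlg = getKeyAlg(jwk);
        DefaultJWTProcessor<SecurityContext> processor = new DefaultJWTProcessor<>();
        // Verify against the cached set. A per-call RemoteJWKSet re-fetched the JWKS over HTTP for every
        // token, which both defeated the refresh throttle above and turned each request into an outbound call.
        processor.setJWSKeySelector(new JWSVerificationKeySelector<>(keyAlg, new ImmutableJWKSet<>(keySet)));
        // Installed BEFORE process() so it runs inside it, and delegating to super.verify() so the
        // default exp/nbf checks are kept rather than silently replaced by the issuer check.
        processor.setJWTClaimsSetVerifier(new DefaultJWTClaimsVerifier<SecurityContext>() {
            @Override
            public void verify(JWTClaimsSet jwtClaimsSet, SecurityContext securityContext) throws BadJWTException {
                super.verify(jwtClaimsSet, securityContext);
                String expectedIssuer = CspValidateService.this.getIssuer();
                if (expectedIssuer == null || !expectedIssuer.equals(jwtClaimsSet.getIssuer())) {
                    throw new BadJWTException("Invalid token issuer");
                }
            }
        });
        JWTClaimsSet claims = processor.process(signedJwt, null);
        return toClaim(claims);
    }

    /** Returns the key with the given {@code kid} from {@code keySet}, or null when the set is empty/unloaded. */
    private static JWK findKey(JWKSet keySet, String keyID) {
        if (keySet == null || keySet.getKeys() == null) {
            return null;
        }
        for (JWK candidate : keySet.getKeys()) {
            if (keyID.equals(candidate.getKeyID())) {
                return candidate;
            }
        }
        return null;
    }

    /** Copies the verified claims into the service's {@link Claim}; the four CSP-mandatory claims must be present. */
    private static Claim toClaim(JWTClaimsSet claims) throws BadJWTException, ParseException {
        Claim claim = new Claim();
        claim.setSub(requireClaim(claims, "sub"));
        claim.setExp(requireClaim(claims, "exp"));
        claim.setIat(requireClaim(claims, "iat"));
        claim.setContextName(requireClaim(claims, "context_name"));
        Object acct = claims.getClaim("acct");
        if (acct != null) {
            claim.setAcct(acct.toString());
        }
        Object domain = claims.getClaim(ClientCookie.DOMAIN_ATTR);
        if (domain != null) {
            claim.setDomain(domain.toString());
        }
        Object context = claims.getClaim("context");
        if (context != null) {
            claim.setContext(context.toString());
        }
        String[] perms = claims.getStringArrayClaim("perms");
        if (perms != null) {
            claim.setPerms(perms);
        }
        return claim;
    }

    /**
     * Reads a claim that CSP tokens must carry. A missing claim is a validation failure (BadJWTException,
     * which getTokenClaims maps to null) instead of a NullPointerException escaping to the caller.
     */
    private static String requireClaim(JWTClaimsSet claims, String name) throws BadJWTException {
        Object value = claims.getClaim(name);
        if (value == null) {
            throw new BadJWTException("Missing required claim: " + name);
        }
        return value.toString();
    }

    /** Only RSA keys are accepted, and they are always verified as RS256 (tokens with any other alg are rejected). */
    private JWSAlgorithm getKeyAlg(JWK jwk) throws BadJOSEException {
        if ("RSA".equals(jwk.getKeyType().toString())) {
            return JWSAlgorithm.RS256;
        }
        throw new BadJOSEException("Unsupported algorithm by CSP");
    }

    /**
     * Fetches the JWK set from {@code csp.auth.url} and replaces the cached copy. Errors are logged and
     * leave the previous cache in place. The attempt time is recorded even on failure so that an
     * unreachable endpoint is not hammered by every token with an unknown kid.
     */
    private synchronized void callCspJwksEndpoint() {
        try {
            URL endpoint = new URL(getJwksUri());
            // Bounded timeouts: a stalled endpoint would otherwise pin the request thread and this lock forever.
            JWKSet loaded = JWKSet.load(endpoint, JWKS_HTTP_TIMEOUT_MS, JWKS_HTTP_TIMEOUT_MS, 0);
            this.url = endpoint;
            this.jwksInMem = loaded;
        } catch (MalformedURLException e) {
            LOGGER.error("End Point URL not proper", e);
        } catch (IOException e2) {
            LOGGER.error("IO issue", e2);
        } catch (ParseException e3) {
            LOGGER.error("JSON KeySet is not proper, could not parse", e3);
        } finally {
            this.keyRotateEndpointLastAccess = Instant.now();
        }
    }

    /**
     * Re-fetches the JWK set unless the last attempt was within {@code intervalSec} seconds.
     *
     * @return true when a fetch was attempted (not necessarily successful), false when throttled
     */
    private synchronized boolean allowRefreshJwkset(int intervalSec) {
        Instant lastAccess = this.keyRotateEndpointLastAccess;
        if (lastAccess != null && !Instant.now().isAfter(lastAccess.plusSeconds(intervalSec))) {
            return false;
        }
        callCspJwksEndpoint();
        return true;
    }

    public String getIssuer() {
        return this.issuer;
    }

    public String getJwksUri() {
        return this.jwksUri;
    }

    public int getRefreshIntervalSec() {
        return this.refreshIntervalSec;
    }
}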
