package org.pac4j.jwt.credentials.authenticator;

import com.nimbusds.jose.JWEObject;
import com.nimbusds.jose.crypto.DirectDecrypter;
import com.nimbusds.jose.crypto.MACVerifier;
import com.nimbusds.jwt.EncryptedJWT;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.jwt.SignedJWT;
import java.text.ParseException;
import org.pac4j.core.exception.CredentialsException;
import org.pac4j.core.exception.TechnicalException;
import org.pac4j.core.profile.ProfileHelper;
import org.pac4j.core.util.CommonHelper;
import org.pac4j.http.credentials.TokenCredentials;
import org.pac4j.http.credentials.authenticator.TokenAuthenticator;
import org.pac4j.jwt.profile.JwtProfile;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/pac4j/jwt/credentials/authenticator/JwtAuthenticator.class */
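/**
 * Validates a JWT carried in a {@link TokenCredentials} and, on success, attaches a user
 * profile built from the token's claims.
 *
 * <p>Two token shapes are accepted: a signed JWT, or an encrypted JWT whose payload is a
 * signed JWT. The signature is checked with an HMAC verifier keyed by the signing secret;
 * encrypted tokens are first decrypted with the encryption secret used directly as a shared
 * symmetric key. Unsecured (plain) JWTs are rejected.
 *
 * <p>NOTE(review): no code in this class evaluates the {@code exp} or {@code nbf} claims, so
 * a token with a valid signature is accepted regardless of its stated lifetime. Enforce
 * token lifetime here or in the caller.
 *
 * <p>The secrets are mutable through the setters and are read without synchronization, so
 * configure the instance before sharing it between threads.
 */
public class JwtAuthenticator implements TokenAuthenticator {
    protected final Logger logger = LoggerFactory.getLogger(getClass());
    private String signingSecret;
    private String encryptionSecret;

    /** Creates an unconfigured authenticator; the signing secret must be set before use. */
    public JwtAuthenticator() {
    }

    /**
     * Creates an authenticator that uses one secret for both signing and encryption, and logs
     * a warning because key reuse across the two operations is discouraged.
     *
     * @param secret the shared secret
     */
    public JwtAuthenticator(String secret) {
        this(secret, secret);
        warning();
    }

    /**
     * Creates an authenticator with separate signing and encryption secrets.
     *
     * @param signingSecret    the secret used to verify the HMAC signature
     * @param encryptionSecret the secret used to decrypt encrypted tokens
     */
    public JwtAuthenticator(String signingSecret, String encryptionSecret) {
        this.signingSecret = signingSecret;
        this.encryptionSecret = encryptionSecret;
    }

    private void warning() {
        this.logger.warn("Using the same key for signing and encryption may lead to security vulnerabilities. Consider using different keys");
    }

    /**
     * Parses, optionally decrypts, and verifies the token, then stores the resulting profile
     * on the credentials.
     *
     * @param tokenCredentials the credentials holding the raw JWT
     * @throws CredentialsException if the signature does not verify
     * @throws TechnicalException   if the token cannot be parsed, decrypted or verified, is an
     *                              unsecured JWT, or its claims cannot be turned into a profile
     */
    public void validate(TokenCredentials tokenCredentials) {
        CommonHelper.assertNotBlank("signingSecret", this.signingSecret);
        final String token = tokenCredentials.getToken();

        final SignedJWT signedJwt;
        final boolean verified;
        try {
            final JWT jwt = JWTParser.parse(token);
            if (jwt instanceof SignedJWT) {
                signedJwt = (SignedJWT) jwt;
            } else if (jwt instanceof EncryptedJWT) {
                CommonHelper.assertNotBlank("encryptionSecret", this.encryptionSecret);
                final JWEObject jwe = (JWEObject) jwt;
                jwe.decrypt(new DirectDecrypter(this.encryptionSecret.getBytes("UTF-8")));
                signedJwt = jwe.getPayload().toSignedJWT();
                if (signedJwt == null) {
                    // An encrypted token must wrap a signed one; otherwise nothing
                    // authenticates the claims.
                    throw new TechnicalException("encrypted jwt does not contain a signed jwt");
                }
            } else {
                throw new TechnicalException("unsupported unsecured jwt");
            }
            verified = signedJwt.verify(new MACVerifier(this.signingSecret));
        } catch (TechnicalException e) {
            // Already carries a specific message; do not bury it under the generic wrapper.
            throw e;
        } catch (Exception e) {
            throw new TechnicalException("Cannot decrypt / verify JWT", e);
        }

        if (!verified) {
            // Raised outside the catch-all so a bad signature surfaces as a credentials
            // failure rather than a wrapped technical error. The raw token is deliberately
            // kept out of the message: exception text ends up in logs, and a bearer token
            // (or its claims) should not.
            // NOTE(review): assumes CredentialsException is a subtype of TechnicalException
            // in this pac4j version, so existing catch sites keep working -- confirm.
            throw new CredentialsException("JWT verification failed");
        }

        try {
            createJwtProfile(tokenCredentials, signedJwt);
        } catch (TechnicalException e) {
            throw e;
        } catch (Exception e) {
            throw new TechnicalException("Cannot get claimSet", e);
        }
    }

    /**
     * Builds a profile from the verified token's claims and stores it on the credentials.
     * A subject without a {@code #} is prefixed with the simple name of {@link JwtProfile}.
     *
     * @throws ParseException     if the claims set cannot be parsed
     * @throws TechnicalException if the token has no subject claim
     */
    private static void createJwtProfile(TokenCredentials tokenCredentials, SignedJWT signedJWT) throws ParseException {
        final JWTClaimsSet claims = signedJWT.getJWTClaimsSet();
        String subject = claims.getSubject();
        if (subject == null) {
            // Fail with a clear message instead of a NullPointerException below.
            throw new TechnicalException("JWT must contain a subject ('sub' claim)");
        }
        if (!subject.contains("#")) {
            subject = JwtProfile.class.getSimpleName() + "#" + subject;
        }
        // NOTE(review): a subject that already contains '#' is passed through unchanged, so
        // the token issuer presumably controls which profile type is built -- confirm against
        // ProfileHelper.buildProfile.
        tokenCredentials.setUserProfile(ProfileHelper.buildProfile(subject, claims.getClaims()));
    }

    /** Returns the secret used to verify signatures. */
    public String getSigningSecret() {
        return this.signingSecret;
    }

    /** Sets the secret used to verify signatures. */
    public void setSigningSecret(String signingSecret) {
        this.signingSecret = signingSecret;
    }

    /** Returns the secret used to decrypt encrypted tokens. */
    public String getEncryptionSecret() {
        return this.encryptionSecret;
    }

    /** Sets the secret used to decrypt encrypted tokens. */
    public void setEncryptionSecret(String encryptionSecret) {
        this.encryptionSecret = encryptionSecret;
    }

    /**
     * Sets one secret for both signing and encryption and logs a key-reuse warning.
     *
     * @param secret the shared secret
     * @deprecated use {@link #setSigningSecret(String)} and
     *     {@link #setEncryptionSecret(String)} with distinct keys instead
     */
    @Deprecated
    public void setSecret(String secret) {
        this.encryptionSecret = secret;
        this.signingSecret = secret;
        warning();
    }
}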
