package io.jenkins.plugins.tuleap_oauth.checks;

import com.auth0.jwk.InvalidPublicKeyException;
import com.auth0.jwk.Jwk;
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.exceptions.InvalidClaimException;
import com.auth0.jwt.exceptions.SignatureVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;
import com.google.inject.Inject;
import io.jenkins.plugins.tuleap_api.client.authentication.OpenIDClientApi;
import io.jenkins.plugins.tuleap_oauth.TuleapSecurityRealm;
import io.jenkins.plugins.tuleap_oauth.helper.PluginHelper;
import java.util.List;
import org.apache.commons.lang.StringUtils;
import org.kohsuke.stapler.StaplerRequest;

/* loaded from: input_file:io/jenkins/plugins/tuleap_oauth/checks/IDTokenCheckerImpl.class */
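/**
 * Checks the claims and the signature of an OpenID Connect ID token.
 *
 * <p>The expected issuer comes from {@link OpenIDClientApi#getProviderIssuer()}, the expected
 * nonce from the HTTP session, and the signature is checked against each supplied JWK that
 * declares the {@value #ALGORITHM} algorithm.
 */
public class IDTokenCheckerImpl implements IDTokenChecker {
    /** JWK {@code alg} value a key must declare before it is tried for signature verification. */
    public static final String ALGORITHM = "RS256";
    /** Clock skew, in seconds, tolerated when the verifier checks time-based claims. */
    private static final int ACCEPTED_LEEWAY_IN_SECONDS = 10;
    private final PluginHelper pluginHelper;
    private final OpenIDClientApi openIDClientApi;

    @Inject
    public IDTokenCheckerImpl(PluginHelper pluginHelper, OpenIDClientApi openIDClientApi) {
        this.pluginHelper = pluginHelper;
        this.openIDClientApi = openIDClientApi;
    }

    /**
     * Verifies the ID token's issuer, audience, nonce and signature.
     *
     * <p>All expected values are validated before any key is tried, so a missing expectation is
     * always reported as a claim error and can never weaken the verifier that gets built.
     *
     * @param decodedJWT the decoded ID token to verify
     * @param list candidate signing keys; only those declaring {@link #ALGORITHM} are tried
     * @param str not read by this implementation (the issuer is taken from the OpenID client API)
     * @param str2 the audience the token must have been issued for
     * @param staplerRequest the current request; its session holds the expected nonce under
     *     {@link TuleapSecurityRealm#NONCE_ATTRIBUTE}
     * @throws InvalidClaimException if the expected issuer, audience or session nonce is blank;
     *     the verifier's own claim failures also propagate from {@code verify}
     * @throws InvalidPublicKeyException if no {@link #ALGORITHM} key verifies the signature; the
     *     last per-key failure, when there is one, is attached as the cause
     */
    @Override
    public void checkPayloadAndSignature(DecodedJWT decodedJWT, List<Jwk> list, String str, String str2, StaplerRequest staplerRequest) throws InvalidPublicKeyException {
        String providerIssuer = this.openIDClientApi.getProviderIssuer();
        if (StringUtils.isBlank(providerIssuer)) {
            throw new InvalidClaimException("The issuer claim is blank or null");
        }
        // Checked up front rather than per key: the outcome does not depend on the key, and a
        // verifier must never be built with a blank audience expectation.
        if (StringUtils.isBlank(str2)) {
            throw new InvalidClaimException("The audience claim is blank or null");
        }
        String expectedNonce = (String) staplerRequest.getSession().getAttribute(TuleapSecurityRealm.NONCE_ATTRIBUTE);
        // NOTE(review): some java-jwt versions treat a null expected claim value as "do not check
        // this claim", which would silently drop the nonce (replay) check when the session has no
        // nonce. Reject that case explicitly instead of relying on library behaviour.
        if (StringUtils.isBlank(expectedNonce)) {
            throw new InvalidClaimException("The nonce stored in the session is blank or null");
        }

        Exception lastFailure = null;
        for (Jwk jwk : list) {
            // "alg" is optional in a JWK; constant-first equals avoids a NullPointerException.
            if (!ALGORITHM.equals(jwk.getAlgorithm())) {
                continue;
            }
            try {
                JWTVerifier verifier = JWT.require(this.pluginHelper.getAlgorithm(jwk))
                        .withIssuer(new String[]{providerIssuer})
                        .withAudience(new String[]{str2})
                        .acceptLeeway(ACCEPTED_LEEWAY_IN_SECONDS)
                        .withClaim(TuleapSecurityRealm.NONCE_ATTRIBUTE, expectedNonce)
                        .build();
                verifier.verify(decodedJWT);
                return;
            } catch (SignatureVerificationException | InvalidPublicKeyException e) {
                // This key is unusable or did not sign the token: try the next one, but keep the
                // failure so the final error is diagnosable.
                lastFailure = e;
            }
        }
        throw new InvalidPublicKeyException("No valid RS256 Key found", lastFailure);
    }
}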
