package org.activiti.cloud.services.identity.keycloak.validator;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSObject;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jose.crypto.impl.RSASSAProvider;
import java.io.IOException;
import java.io.InputStream;
import java.math.BigInteger;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.PublicKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.RSAPublicKeySpec;
import java.text.ParseException;
import java.util.Base64;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.activiti.cloud.services.common.security.jwt.validator.ValidationCheck;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.oauth2.jwt.Jwt;

/* loaded from: input_file:org/activiti/cloud/services/identity/keycloak/validator/PublicKeyValidationCheck.class */
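public class PublicKeyValidationCheck implements ValidationCheck {
    protected static final Logger LOGGER = LoggerFactory.getLogger(PublicKeyValidationCheck.class);
    private static final String CERTS_PATH = "/protocol/openid-connect/certs";
    private final String authServerUrl;
    private final String realm;
    private final ObjectMapper objectMapper;
    // Keys fetched from the realm's JWKS endpoint, keyed by "<certs URL>#<kid>".
    // Including the kid in the key means a realm that publishes several keys, or rotates
    // its key at runtime, is resolved per kid instead of pinning whichever key was fetched
    // first. computeIfAbsent never stores a null result, so an unknown kid is looked up
    // again on every token that presents it; the remote fetch runs inside computeIfAbsent,
    // so concurrent callers asking for the same kid wait for that one fetch.
    private final ConcurrentHashMap<String, PublicKey> publicKeys = new ConcurrentHashMap<>();

    /**
     * Creates a check that verifies RSASSA token signatures against the realm's published keys.
     *
     * @param authServerUrl base URL of the Keycloak server; it is joined with
     *     {@code /realms/<realm>}, so it is expected without a trailing slash
     * @param realm realm whose JWKS endpoint supplies the signing keys
     * @param objectMapper Jackson mapper used to parse the JWKS document
     */
    public PublicKeyValidationCheck(String authServerUrl, String realm, ObjectMapper objectMapper) {
        this.authServerUrl = authServerUrl;
        this.realm = realm;
        this.objectMapper = objectMapper;
    }

    /**
     * Verifies the token's JWS signature against the realm public key whose {@code kid}
     * matches the token header.
     *
     * @param jwt decoded token whose raw value is re-parsed as a JWS object
     * @return {@code true} when the signature verifies with the matching RSA key;
     *     {@code false} when the token cannot be parsed, no RSA key with the header's
     *     {@code kid} is available, or verification fails or throws. NOTE(review): a token
     *     whose {@code alg} is not in {@link RSASSAProvider#SUPPORTED_ALGORITHMS} is logged as an
     *     error but accepted by this check without any signature verification — presumably
     *     because Spring's {@code JwtDecoder} has already verified the signature before a
     *     {@link Jwt} reaches this class; confirm that before relying on this check alone.
     */
    public boolean isValid(Jwt jwt) {
        JWSObject jwsObject = getJwsObject(jwt);
        if (jwsObject == null) {
            // parse failure is already logged by getJwsObject; fail closed instead of NPE
            return false;
        }
        JWSHeader header = jwsObject.getHeader();
        JWSAlgorithm algorithm = header.getAlgorithm();
        if (!isAlgorithmsSupported(algorithm)) {
            LOGGER.error("Unsupported JWS algorithm " + algorithm + ", must be " + RSASSAProvider.SUPPORTED_ALGORITHMS);
            return true;
        }
        PublicKey publicKey = getPublicKey(header);
        if (!(publicKey instanceof RSAPublicKey)) {
            // RSASSAVerifier cannot be built without an RSA key; treat as a failed check
            LOGGER.error("No RSA public key available for kid {}", header.getKeyID());
            return false;
        }
        try {
            return jwsObject.verify(new RSASSAVerifier((RSAPublicKey) publicKey));
        } catch (JOSEException e) {
            LOGGER.error("Cannot verify RSA public key", e);
            return false;
        }
    }

    /** Returns whether {@code algorithm} is one of the RSASSA algorithms Nimbus can verify. */
    private boolean isAlgorithmsSupported(JWSAlgorithm algorithm) {
        return RSASSAProvider.SUPPORTED_ALGORITHMS.contains(algorithm);
    }

    /**
     * Parses the token's raw value into a JWS object.
     *
     * @return the parsed object, or {@code null} (after logging) when the value is not a JWS
     */
    private JWSObject getJwsObject(Jwt jwt) {
        try {
            return JWSObject.parse(jwt.getTokenValue());
        } catch (ParseException e) {
            LOGGER.error("Cannot parse token", e);
            return null;
        }
    }

    /**
     * Looks up the realm key matching the header's {@code kid}, fetching it from the JWKS
     * endpoint on first use.
     *
     * @return the key, or {@code null} when the header has no {@code kid} or no matching
     *     RSA key could be retrieved
     */
    private PublicKey getPublicKey(JWSHeader header) {
        String kid = header.getKeyID();
        String certsUrl = getRealmCertsUrl();
        if (kid == null) {
            LOGGER.error("Token header has no kid; cannot select a key from {}", certsUrl);
            return null;
        }
        return publicKeys.computeIfAbsent(certsUrl + "#" + kid,
            ignored -> retrievePublicKeyFromCertsEndpoint(certsUrl, kid));
    }

    /**
     * Downloads the JWKS document from {@code certsUrl} and builds the RSA public key whose
     * {@code kid} equals {@code kid}.
     *
     * @return the key, or {@code null} (after logging) when the document cannot be fetched or
     *     parsed, contains no entry for {@code kid}, or that entry is not an RSA JWK
     */
    private PublicKey retrievePublicKeyFromCertsEndpoint(String certsUrl, String kid) {
        try (InputStream in = new URL(certsUrl).openStream()) {
            Map<?, ?> jwks = objectMapper.readValue(in, Map.class);
            Object keys = jwks.get("keys");
            if (!(keys instanceof List)) {
                LOGGER.error("JWKS document at {} has no \"keys\" array", certsUrl);
                return null;
            }
            for (Object candidate : (List<?>) keys) {
                if (candidate instanceof Map && kid.equals(((Map<?, ?>) candidate).get("kid"))) {
                    return toRsaPublicKey((Map<?, ?>) candidate, kid);
                }
            }
            LOGGER.error("No key with kid {} found at {}", kid, certsUrl);
            return null;
        } catch (IOException | GeneralSecurityException | IllegalArgumentException e) {
            // IOException: fetch/JSON failure; GeneralSecurityException: RSA key construction;
            // IllegalArgumentException: malformed base64url in "n"/"e"
            LOGGER.error("Cannot retrieve public key", e);
            return null;
        }
    }

    /**
     * Builds an RSA public key from a JWK's base64url-encoded modulus ({@code n}) and
     * exponent ({@code e}).
     *
     * @return the key, or {@code null} (after logging) when either parameter is missing
     * @throws GeneralSecurityException if the RSA KeyFactory rejects the key material
     */
    private static PublicKey toRsaPublicKey(Map<?, ?> jwk, String kid) throws GeneralSecurityException {
        Object modulus = jwk.get("n");
        Object exponent = jwk.get("e");
        if (!(modulus instanceof String) || !(exponent instanceof String)) {
            LOGGER.error("JWK with kid {} is not an RSA key (missing \"n\" or \"e\")", kid);
            return null;
        }
        Base64.Decoder decoder = Base64.getUrlDecoder();
        // signum 1: the JWK values are unsigned big-endian magnitudes
        RSAPublicKeySpec spec = new RSAPublicKeySpec(
            new BigInteger(1, decoder.decode((String) modulus)),
            new BigInteger(1, decoder.decode((String) exponent)));
        return KeyFactory.getInstance("RSA").generatePublic(spec);
    }

    /** Returns the realm's OpenID Connect JWKS endpoint URL. */
    private String getRealmCertsUrl() {
        return getRealmUrl() + CERTS_PATH;
    }

    /** Returns {@code <authServerUrl>/realms/<realm>}. */
    private String getRealmUrl() {
        return String.format("%s/realms/%s", this.authServerUrl, this.realm);
    }
}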
