package com.supwisdom.infras.security.configure.idtoken.util;

import com.supwisdom.infras.security.cert.CertUtil;
import com.supwisdom.infras.security.configure.jwt.util.HttpUtil;
import com.supwisdom.infras.security.utils.JWTValidateUtil;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureException;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.UnsupportedEncodingException;
import java.security.NoSuchAlgorithmException;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.InvalidKeySpecException;
import java.util.Arrays;
import org.apache.commons.lang3.StringUtils;
import org.apache.http.HttpResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Value;

/* loaded from: input_file:com/supwisdom/infras/security/configure/idtoken/util/IdTokenUtil.class */
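/**
 * Validates CAS-issued ID tokens (JWS) against an RSA public key fetched from
 * {@code signingKeyUrl}, then applies optional issuer / audience / {@code req}
 * allow-lists.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>The verification key is downloaded at runtime. The default URL is plain
 *       {@code http} on localhost; when this is pointed at a remote host, use
 *       {@code https} so the key cannot be substituted in transit.</li>
 *   <li>Each allow-list is only enforced when its property is non-blank; the
 *       defaults are empty, so by default no issuer/audience/req restriction
 *       applies.</li>
 *   <li>Tokens that this class cannot verify are handed to
 *       {@link JWTValidateUtil#getClaimsFromToken}; the allow-lists are NOT
 *       applied to claims returned by that fallback.</li>
 * </ul>
 */
public class IdTokenUtil {
    private static final Logger logger = LoggerFactory.getLogger(IdTokenUtil.class);

    /** Maximum number of parse attempts: the initial one plus one retry after a key refresh. */
    private static final int MAX_PARSE_ATTEMPTS = 2;

    // URL the RSA public key is fetched from; see the class comment about using https.
    @Value("${infras.security.idtoken.signing.key.url:http://localhost:8080/cas/jwt/publicKey}")
    private String signingKeyUrl;

    // Comma-separated allow-list of accepted "iss" values; blank disables the check.
    @Value("${infras.security.idtoken.require.isses:}")
    private String requireIsses;

    // Comma-separated allow-list of accepted "aud" values; blank disables the check.
    @Value("${infras.security.idtoken.require.auds:}")
    private String requireAuds;

    // Comma-separated allow-list of accepted "req" claim values; blank disables the check.
    @Value("${infras.security.idtoken.require.reqs:}")
    private String requireReqs;
    private final JWTValidateUtil jwtValidateUtil;
    // Cached verification key; null means "not loaded yet" or "invalidated after a signature failure".
    private volatile RSAPublicKey casRSAPublicKey;

    /**
     * @param jWTValidateUtil fallback validator used when the token cannot be verified
     *                        with the CAS public key
     */
    public IdTokenUtil(JWTValidateUtil jWTValidateUtil) {
        this.jwtValidateUtil = jWTValidateUtil;
    }

    /**
     * Fetches the RSA public key from {@code signingKeyUrl} and caches it.
     *
     * <p>Does nothing when no URL is configured or a key is already cached. I/O and
     * key-parsing failures are logged and leave the cache empty; other runtime
     * exceptions propagate to the caller.
     */
    public void initRSAPublicKey() {
        if (this.signingKeyUrl == null || this.signingKeyUrl.length() <= 0 || this.casRSAPublicKey != null) {
            return;
        }
        String keyText = fetchSigningKeyText();
        if (keyText == null) {
            return;
        }
        try {
            this.casRSAPublicKey = CertUtil.stringToPublicKey(keyText);
        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
            // Log through the application logger instead of printStackTrace() so the
            // failure is visible in the normal log pipeline.
            logger.error("Signing key fetched from [{}] could not be parsed", this.signingKeyUrl, e);
        }
    }

    /** Downloads the body served at {@code signingKeyUrl}; returns null when the fetch fails. */
    private String fetchSigningKeyText() {
        HttpResponse httpResponse = null;
        try {
            httpResponse = HttpUtil.executeGet(this.signingKeyUrl);
            StringBuilder sb = new StringBuilder();
            // The reader is not closed on its own; HttpUtil.close below is presumably
            // what releases the entity stream -- TODO confirm.
            BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(httpResponse.getEntity().getContent(), "UTF-8"), 8192);
            String readLine;
            while ((readLine = bufferedReader.readLine()) != null) {
                // Lines are concatenated without separators, as the key parser receives one string.
                sb.append(readLine);
            }
            String body = sb.toString();
            logger.debug("Fetch response [{}]", body);
            return body;
        } catch (IOException | UnsupportedOperationException e) {
            logger.error("Failed to fetch signing key from [{}]", this.signingKeyUrl, e);
            return null;
        } finally {
            // Single release point: the response is closed exactly once on every path.
            if (httpResponse != null) {
                HttpUtil.close(httpResponse);
            }
        }
    }

    /**
     * Verifies {@code str} as a signed JWT and returns its claims.
     *
     * <p>On a signature failure the cached key is dropped, re-fetched once, and the
     * parse is retried. If the token still cannot be verified here, the call is
     * delegated to the fallback {@link JWTValidateUtil}; claims from that path are
     * returned without the issuer/audience/req checks below.
     *
     * @param str compact serialized JWS
     * @return the claims, or {@code null} when a configured allow-list rejects the
     *         token (or whatever the fallback validator returns)
     */
    public Claims getClaimsFromToken(String str) {
        initRSAPublicKey();
        Claims claims = null;
        for (int attempt = 0; attempt < MAX_PARSE_ATTEMPTS; attempt++) {
            // Snapshot the volatile field so a concurrent invalidation cannot turn the
            // key into null between the check and the parser call.
            RSAPublicKey key = this.casRSAPublicKey;
            if (key == null) {
                break;
            }
            try {
                claims = (Claims) Jwts.parser().setSigningKey(key).parseClaimsJws(str).getBody();
                break;
            } catch (SignatureException e) {
                // NOTE(review): every token with a bad signature triggers an outbound key
                // fetch; consider throttling refreshes so invalid tokens cannot drive
                // unbounded requests to the key endpoint.
                logger.warn("ID token signature check failed, refreshing signing key: {}", e.getMessage());
                claims = null;
                this.casRSAPublicKey = null;
                initRSAPublicKey();
            } catch (Exception e2) {
                // Not a key problem (e.g. malformed or expired token): retrying with the
                // same key would fail the same way, so stop here.
                logger.error("ID token could not be parsed: {}", e2.getMessage());
                claims = null;
                break;
            }
        }
        if (claims == null) {
            // NOTE(review): the allow-lists below are skipped on this path -- confirm the
            // fallback validator enforces equivalent issuer/audience restrictions.
            return this.jwtValidateUtil.getClaimsFromToken(str);
        }
        if (!isAllowed(this.requireIsses, claims.getIssuer())) {
            logger.error("claims issuer [{}] not matches requireIsses [{}]", claims.getIssuer(), this.requireIsses);
            return null;
        }
        if (!isAllowed(this.requireAuds, claims.getAudience())) {
            logger.error("claims audience [{}] not matches requireAuds [{}]", claims.getAudience(), this.requireAuds);
            return null;
        }
        String req = claims.get("req", String.class);
        if (!isAllowed(this.requireReqs, req)) {
            logger.error("claims req [{}] not matches requireReqs [{}]", req, this.requireReqs);
            return null;
        }
        return claims;
    }

    /**
     * Returns true when {@code allowedCsv} is blank (check disabled) or contains
     * {@code value} as one of its comma-separated entries. Entries are compared
     * exactly and are not trimmed.
     */
    private static boolean isAllowed(String allowedCsv, Object value) {
        return !StringUtils.isNotBlank(allowedCsv) || Arrays.asList(allowedCsv.split(",")).contains(value);
    }
}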
