package org.apache.james.jwt;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.collect.ImmutableList;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.CompressionCodecResolver;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.JwtParser;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.MalformedJwtException;
import io.jsonwebtoken.impl.compression.DefaultCompressionCodecResolver;
import java.security.PublicKey;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/james/jwt/JwtTokenVerifier.class */
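/**
 * Verifies signed JWTs against a fixed set of public keys and extracts claims from them.
 *
 * <p>One {@link JwtParser} is built per configured public key when the verifier is constructed.
 * A token is accepted as soon as any one of those parsers validates it. Every failure is reported
 * to the caller as an empty {@link Optional} (or {@code false}), so the verifier fails closed.
 * With an empty key list no token can ever be accepted.
 *
 * <p>Compressed ("zip") JWTs are rejected unless the JVM is started with
 * {@code -Djames.jwt.zip.allow=true}. The rejection message cites excessive memory usage from
 * malicious zipped tokens as the reason, so only enable the property for trusted issuers.
 *
 * <p>Nothing in this class requires any claim other than the one being requested. In particular
 * it does not itself require an expiry claim to be present; issuers are expected to set one.
 */
public class JwtTokenVerifier {
    private static final Logger LOGGER = LoggerFactory.getLogger(JwtTokenVerifier.class);

    /** jjwt's stock resolver; it honours the compression algorithm named in the token header. */
    private static final CompressionCodecResolver DEFAULT_COMPRESSION_CODEC_RESOLVER = new DefaultCompressionCodecResolver();

    /**
     * Resolver that refuses any token whose header declares a compression algorithm.
     *
     * <p>NOTE(review): the exception thrown here is a plain {@link RuntimeException}, not a
     * {@link JwtException}, so the handler in {@code verifyAndExtractClaim} does not catch it.
     * Unless the parser wraps it, a zipped token surfaces to callers as an unchecked exception
     * rather than an empty result. Confirm callers translate that into an authentication failure.
     */
    private static final CompressionCodecResolver SECURE_COMPRESSION_CODEC_RESOLVER = header -> {
        if (header.getCompressionAlgorithm() != null) {
            throw new RuntimeException("Rejecting a ZIP JWT. Usage of ZIPPED JWT can result in excessive memory usage with malicious JWT tokens. To activate support for ZIPPedJWT please run James with the -Djames.jwt.zip.allow=true system property.");
        }
        return DEFAULT_COMPRESSION_CODEC_RESOLVER.resolveCompressionCodec(header);
    };

    /** Opt-in switch, read once at class initialisation; anything other than "true" (any case) keeps zip support off. */
    private static final boolean ALLOW_ZIP_JWT = Boolean.getBoolean("james.jwt.zip.allow");

    /**
     * Resolver handed to every parser this class builds. Deliberately non-final so tests can swap
     * it; it is read when a verifier is constructed, so a swap only affects verifiers created
     * afterwards.
     */
    @VisibleForTesting
    static CompressionCodecResolver CONFIGURED_COMPRESSION_CODEC_RESOLVER =
        ALLOW_ZIP_JWT ? DEFAULT_COMPRESSION_CODEC_RESOLVER : SECURE_COMPRESSION_CODEC_RESOLVER;

    /** One parser per trusted public key, in the order the key provider returned them. */
    private final List<JwtParser> jwtParsers;

    /** Supplies ready-to-use {@link JwtTokenVerifier} instances. */
    public interface Factory {
        JwtTokenVerifier create();
    }

    /**
     * Builds a verifier whose trusted keys come from the given configuration.
     *
     * @param jwtConfiguration configuration passed to the default public key provider
     * @return a verifier bound to the keys that provider yields
     */
    public static JwtTokenVerifier create(JwtConfiguration jwtConfiguration) {
        return new JwtTokenVerifier(new DefaultPublicKeyProvider(jwtConfiguration, new PublicKeyReader()));
    }

    /**
     * Builds a verifier trusting exactly the keys returned by {@code publicKeyProvider}.
     * The keys are read once, here; later changes in the provider are not picked up.
     *
     * @param publicKeyProvider source of the trusted public keys
     */
    public JwtTokenVerifier(PublicKeyProvider publicKeyProvider) {
        this.jwtParsers = publicKeyProvider.get().stream()
            .map(this::toImmutableJwtParser)
            .collect(ImmutableList.toImmutableList());
    }

    /**
     * Verifies the token and returns its subject claim as the login.
     *
     * @param str the compact serialized JWT
     * @return the non-empty subject, or empty when verification fails or the subject is missing or empty
     */
    public Optional<String> verifyAndExtractLogin(String str) {
        return verifyAndExtractClaim(str, Claims.SUBJECT, String.class)
            .filter(login -> !login.isEmpty());
    }

    /**
     * Verifies the token against each trusted key in turn and returns the requested claim from
     * the first key that validates it.
     *
     * <p>Keys that do not match are logged at INFO by the per-key check, so with several keys
     * configured a valid token can still produce "Failed Jwt verification" log lines.
     *
     * @param str the compact serialized JWT
     * @param str2 name of the claim to extract
     * @param cls expected Java type of the claim value
     * @return the claim value, or empty when the token is missing or blank, no key validates it,
     *     or the claim is absent
     */
    public <T> Optional<T> verifyAndExtractClaim(String str, String str2, Class<T> cls) {
        // jjwt rejects a null or blank compact string with IllegalArgumentException, which is not
        // a JwtException and would escape the per-key handler. Treat a missing token as a normal
        // verification failure instead of letting untrusted input raise an unchecked exception.
        if (isMissing(str)) {
            LOGGER.info("Failed Jwt verification: no token supplied");
            return Optional.empty();
        }
        return this.jwtParsers.stream()
            .flatMap(parser -> verifyAndExtractClaim(str, str2, cls, parser).stream())
            .findFirst();
    }

    /** Returns true when the token is null, empty, or consists only of whitespace. */
    private static boolean isMissing(String token) {
        return token == null || token.chars().allMatch(Character::isWhitespace);
    }

    /**
     * Verifies the token with a single parser (that is, a single trusted key) and reads one claim.
     * A missing claim is reported the same way as an invalid token.
     */
    private <T> Optional<T> verifyAndExtractClaim(String token, String claimName, Class<T> claimType, JwtParser parser) {
        try {
            // parseClaimsJws validates the signature before the claims are handed back.
            T claim = parser.parseClaimsJws(token).getBody().get(claimName, claimType);
            if (claim == null) {
                throw new MalformedJwtException("'" + claimName + "' field in token is mandatory");
            }
            return Optional.of(claim);
        } catch (JwtException e) {
            LOGGER.info("Failed Jwt verification", e);
            return Optional.empty();
        }
    }

    /**
     * Tells whether the verified token carries a claim equal to the expected value.
     *
     * <p>Mind the argument order: the token is the LAST argument. The claim is read as
     * {@code Object}, so the comparison presumably depends on the Java type the JSON
     * deserializer produced for it (for example a numeric claim versus a {@code String}).
     *
     * @param str name of the claim to check
     * @param obj expected claim value; must not be null
     * @param str2 the compact serialized JWT
     * @return true only when the token verifies and the claim equals {@code obj}
     * @throws NullPointerException if {@code obj} is null
     */
    public boolean hasAttribute(String str, Object obj, String str2) {
        // Fail fast on a null expectation instead of after the token has been parsed.
        Objects.requireNonNull(obj);
        try {
            return verifyAndExtractClaim(str2, str, Object.class)
                .filter(obj::equals)
                .isPresent();
        } catch (JwtException e) {
            // Defensive: the claim lookup above already turns JwtException into an empty result.
            LOGGER.info("Jwt validation failed for claim {} to {}", str, obj, e);
            return false;
        }
    }

    /** Builds the parser bound to one trusted key, using the compression policy configured at this moment. */
    private JwtParser toImmutableJwtParser(PublicKey publicKey) {
        return Jwts.parserBuilder()
            .setSigningKey(publicKey)
            .setCompressionCodecResolver(CONFIGURED_COMPRESSION_CODEC_RESOLVER)
            .build();
    }
}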
