package com.atlassian.bitbucketci.common.credential;

import com.atlassian.bitbucketci.common.exception.JwtTokenValidationException;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSObject;
import com.nimbusds.jose.crypto.MACVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import java.text.ParseException;
import java.time.Clock;
import java.util.Date;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.tuple.Pair;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/atlassian/bitbucketci/common/credential/JwtTokenValidatorImpl.class */
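public class JwtTokenValidatorImpl implements JwtTokenValidator, JwtTokenDecoder {
    private static final Logger logger = LoggerFactory.getLogger((Class<?>) JwtTokenValidatorImpl.class);

    /**
     * Parses and fully validates an HMAC-signed JWT.
     *
     * <p>Validation order: the {@code iss} claim must equal {@code clientKey}, the JWS signature must
     * verify under {@code sharedSecret}, and the time-based claims must hold at the current UTC time.
     * The claims are only returned once every check has passed.
     *
     * @param jwtToken     the token; its {@code toString()} must yield the compact JWS serialization
     * @param clientKey    the expected value of the {@code iss} claim
     * @param sharedSecret the HMAC secret used to verify the signature
     * @return the validated claims
     * @throws JwtTokenValidationException if the token cannot be parsed, or any check fails
     */
    @Override // com.atlassian.bitbucketci.common.credential.JwtTokenValidator
    public JWTClaimsSet validate(JwtToken jwtToken, String clientKey, String sharedSecret) {
        Pair<JWSObject, JWTClaimsSet> parsed = parseJWT(jwtToken);
        // The issuer is compared before the signature is verified; a mismatch is still a rejection,
        // and nothing derived from the unverified claims escapes until validateSignature has passed.
        validateIssuerMatchesClientKey(parsed.getRight(), clientKey);
        validateSignature(parsed, sharedSecret);
        validateTimeBasedClaims(parsed.getRight());
        return parsed.getRight();
    }

    /**
     * Parses the token and returns its claims WITHOUT verifying the signature or any claim.
     *
     * <p>Callers must not treat these claims as trusted; use {@link #validate} for that.
     *
     * @param jwtToken the token to parse
     * @return the unverified claims
     * @throws JwtTokenValidationException if the token cannot be parsed
     */
    @Override // com.atlassian.bitbucketci.common.credential.JwtTokenDecoder
    public JWTClaimsSet decode(JwtToken jwtToken) {
        return parseJWT(jwtToken).getRight();
    }

    /**
     * Rejects the token unless its {@code iss} claim equals the expected client key.
     * A missing issuer (null) never matches a non-null expectation.
     */
    private void validateIssuerMatchesClientKey(JWTClaimsSet claims, String expectedIssuer) {
        String issuer = claims.getIssuer();
        if (!StringUtils.equals(issuer, expectedIssuer)) {
            throw new JwtTokenValidationException(String.format("The issuer: %s of the JWT token does not match the expected issuer: %s.", issuer, expectedIssuer));
        }
    }

    /**
     * Verifies the JWS signature with an HMAC verifier built from {@code sharedSecret}.
     *
     * <p>{@code MACVerifier} only supports the HS* algorithm family, so a token signed with any other
     * algorithm fails here (either {@code verify} returns false or a {@code JOSEException} is raised).
     *
     * @throws JwtTokenValidationException if the signature does not verify or the verifier cannot be
     *                                     constructed (e.g. the secret is too short); the underlying
     *                                     {@code JOSEException} is kept as the cause
     */
    private void validateSignature(Pair<JWSObject, JWTClaimsSet> parsed, String sharedSecret) {
        JWSObject jws = parsed.getLeft();
        String failureMessage = String.format("JWT verification failed for issuer %s", parsed.getRight().getIssuer());
        try {
            if (!jws.verify(new MACVerifier(sharedSecret))) {
                throw new JwtTokenValidationException(failureMessage);
            }
        } catch (JOSEException e) {
            // Preserve the cause; the original discarded it, hiding why verification failed.
            throw new JwtTokenValidationException(failureMessage, e);
        }
    }

    /**
     * Checks the time-based claims against the current UTC time.
     *
     * <p>Rejects the token when {@code iat} or {@code exp} is absent, when {@code iat} is after
     * {@code exp}, when {@code iat} is in the future, when {@code exp} is in the past, or when a
     * present {@code nbf} is still in the future. No clock-skew tolerance is applied.
     *
     * @throws JwtTokenValidationException if any of the above conditions holds
     */
    private void validateTimeBasedClaims(JWTClaimsSet claims) {
        Date issuedAt = claims.getIssueTime();
        Date expiresAt = claims.getExpirationTime();
        Date notBefore = claims.getNotBeforeTime();
        Date now = new Date(Clock.systemUTC().millis());
        // An absent iat/exp used to surface as a NullPointerException; it is a validation failure.
        if (issuedAt == null || expiresAt == null) {
            logger.debug("Missing time based claims. Issued at: {}, Expired at: {}, now: {}", issuedAt, expiresAt, now);
            throw new JwtTokenValidationException("There was a problem with the jwt's time-based claims");
        }
        boolean outsideValidity = issuedAt.after(expiresAt)
                || issuedAt.after(now)
                || expiresAt.before(now)
                || (notBefore != null && notBefore.after(now));
        if (outsideValidity) {
            logger.debug("Failure validating time based claims. Issued at: {}, Expired at: {}, now: {}", issuedAt, expiresAt, now);
            throw new JwtTokenValidationException("There was a problem with the jwt's time-based claims");
        }
    }

    /**
     * Parses the compact serialization into the JWS object and its claims.
     *
     * @return left: the parsed JWS (needed for signature verification); right: the unverified claims
     * @throws JwtTokenValidationException wrapping the {@code ParseException} if the input is malformed
     */
    private Pair<JWSObject, JWTClaimsSet> parseJWT(JwtToken jwtToken) {
        try {
            JWSObject jws = JWSObject.parse(jwtToken.toString());
            return Pair.of(jws, JWTClaimsSet.parse(jws.getPayload().toJSONObject()));
        } catch (ParseException e) {
            throw new JwtTokenValidationException("Invalid JWT token provided", e);
        }
    }
}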
