package de.taimos.dvalin.jaxrs.security.jwt.cognito;

import com.google.common.cache.CacheBuilder;
import com.google.common.cache.CacheLoader;
import com.google.common.cache.LoadingCache;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import de.taimos.daemon.spring.conditional.OnSystemProperty;
import de.taimos.dvalin.jaxrs.JaxRsComponent;
import de.taimos.dvalin.jaxrs.security.jwt.IJWTAuth;
import de.taimos.dvalin.jaxrs.security.jwt.JWKSKeyLoader;
import java.text.ParseException;
import java.util.Date;
import java.util.concurrent.TimeUnit;
import javax.annotation.PostConstruct;
import org.springframework.beans.factory.annotation.Value;

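/**
 * {@link IJWTAuth} implementation for tokens issued by a single AWS Cognito user pool.
 * <p>
 * The accepted issuer is derived from {@code jwtauth.cognito.region} and
 * {@code jwtauth.cognito.poolid}; signing keys are fetched from that issuer's JWKS through
 * {@link JWKSKeyLoader} and cached for one hour per {@code kid}. A token is accepted only if
 * its {@code iss} matches, its {@code token_use} is {@code access} or {@code id}, its RSA
 * signature verifies against the key named by the {@code kid} header, and it is within its
 * {@code exp}/{@code nbf} window.
 * <p>
 * Contract of {@link #validateToken(String)}: returns {@code null} when the signature does not
 * verify or the token is outside its validity window; throws {@link IllegalArgumentException}
 * for a wrong issuer, wrong {@code token_use}, missing/unknown {@code kid} or a signature that
 * cannot be checked; throws {@link ParseException} when the token is not a well-formed
 * signed JWT.
 * <p>
 * NOTE(review): neither {@code aud} (id tokens) nor {@code client_id} (access tokens) is
 * compared against an app client id, so any client of the pool is accepted — confirm this is
 * intended for the deployments using this component.
 */
@JaxRsComponent
@OnSystemProperty(propertyName = "jwtauth.cognito.poolid")
public class CognitoJWTAuth implements IJWTAuth {

    @Value("${jwtauth.cognito.poolid}")
    private String cognitoPoolId;

    @Value("${jwtauth.cognito.region}")
    private String cognitoPoolRegion;

    /** Name of the claim whose value is mapped to roles; defaults to Cognito's group claim. */
    @Value("${jwtauth.cognito.roles:cognito:groups}")
    private String cognitoRoles;

    /** Exact {@code iss} value the pool emits; also the base URL the JWKS is loaded from. */
    private String issuer;

    /** {@code kid} -> public key, populated lazily from the issuer's JWKS. */
    private LoadingCache<String, RSAKey> jwtKeyCache;

    /**
     * Derives the issuer URL from region and pool id and sets up the key cache.
     *
     * @throws IllegalStateException if region or pool id is not configured
     */
    @PostConstruct
    public void init() {
        if (this.cognitoPoolRegion == null || this.cognitoPoolRegion.isEmpty()) {
            throw new IllegalStateException("jwtauth.cognito.region is not configured");
        }
        if (this.cognitoPoolId == null || this.cognitoPoolId.isEmpty()) {
            throw new IllegalStateException("jwtauth.cognito.poolid is not configured");
        }
        this.issuer = "https://cognito-idp." + this.cognitoPoolRegion + ".amazonaws.com/" + this.cognitoPoolId;
        // Keys are re-fetched at most hourly per kid. NOTE(review): a lookup for an unknown kid is
        // not cached (the loader's null/failure result is never stored), so every token carrying a
        // bogus kid causes a JWKS fetch — check JWKSKeyLoader for its own throttling.
        this.jwtKeyCache = CacheBuilder.newBuilder()
            .expireAfterWrite(1L, TimeUnit.HOURS)
            .build(new JWKSKeyLoader(this.issuer));
    }

    /**
     * Validates a compact-serialised JWT and maps its claims to a {@link CognitoUser}.
     *
     * @param str the raw token string (the bearer credential, untrusted)
     * @return the user described by the token, or {@code null} if the signature does not verify
     *         or the token is expired / not yet valid
     * @throws ParseException if {@code str} is not a parseable signed JWT or a claim has an
     *         unexpected type
     * @throws IllegalArgumentException for a wrong issuer or {@code token_use}, a missing or
     *         unknown {@code kid}, or a signature that cannot be checked
     */
    @Override // de.taimos.dvalin.jaxrs.security.jwt.IJWTAuth
    public CognitoUser validateToken(String str) throws ParseException {
        if (str == null || str.isEmpty()) {
            throw new IllegalArgumentException("Empty JWT");
        }
        SignedJWT jwt = SignedJWT.parse(str);
        JWTClaimsSet claims = jwt.getJWTClaimsSet();

        // The claims are still UNVERIFIED here: these checks can only reject, never grant, and
        // are written null-safe because a crafted token may omit any claim.
        String tokenIssuer = claims.getIssuer();
        if (!this.issuer.equals(tokenIssuer)) {
            throw new IllegalArgumentException("Invalid issuer for JWT: " + tokenIssuer);
        }
        String tokenUse = claims.getStringClaim("token_use");
        if (!"access".equals(tokenUse) && !"id".equals(tokenUse)) {
            throw new IllegalArgumentException("Invalid token usage type: " + tokenUse);
        }

        // The key is selected by the (unauthenticated) kid header, but only keys published by
        // our own issuer's JWKS can ever be returned, so a forged kid cannot pick a foreign key.
        String keyID = jwt.getHeader().getKeyID();
        if (keyID == null || keyID.isEmpty()) {
            throw new IllegalArgumentException("JWT header has no kid");
        }
        RSAKey key = lookupKey(keyID);

        try {
            // RSASSAVerifier rejects non-RSA algorithms with a JOSEException, so "alg" confusion
            // (e.g. HS256 with the public key as secret) cannot slip through here.
            if (!jwt.verify(new RSASSAVerifier(key))) {
                return null;
            }
        } catch (JOSEException e) {
            throw new IllegalArgumentException("Cannot verify JWT", e);
        }

        // From here on the claims are authenticated.
        Date now = new Date();
        Date expiration = claims.getExpirationTime();
        if (expiration == null || expiration.before(now)) {
            // A token without exp would otherwise be valid forever; treat it like an expired one.
            return null;
        }
        Date notBefore = claims.getNotBeforeTime();
        if (notBefore != null && notBefore.after(now)) {
            return null;
        }
        return CognitoUser.parseClaims(claims, this.cognitoRoles);
    }

    /**
     * Resolves the public key for {@code keyID} from the cached JWKS.
     *
     * @throws IllegalArgumentException if the issuer's JWKS has no key with that id
     */
    private RSAKey lookupKey(String keyID) {
        try {
            return this.jwtKeyCache.getUnchecked(keyID);
        } catch (CacheLoader.InvalidCacheLoadException e) {
            // LoadingCache never returns null; a loader returning null surfaces as this exception.
            throw new IllegalArgumentException("No key for kid: " + keyID, e);
        }
        // A failure while fetching the JWKS propagates as UncheckedExecutionException: that is an
        // infrastructure problem, not an invalid token, and is deliberately not masked here.
    }
}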
