package com.elitescloud.boot.auth.provider.sso2.support.convert;

import cn.hutool.core.lang.Assert;
import cn.hutool.core.text.CharSequenceUtil;
import com.elitescloud.boot.auth.provider.security.grant.InternalAuthenticationGranter;
import com.elitescloud.boot.auth.provider.sso2.common.SsoConvertProperty;
import com.elitescloud.boot.auth.provider.sso2.common.SsoTypeEnum;
import com.elitescloud.boot.auth.provider.sso2.support.convert.properties.JwtSsoConvertProperty;
import com.elitescloud.boot.exception.BusinessException;
import com.elitescloud.boot.util.RsaUtil;
import com.nimbusds.jose.crypto.AESDecrypter;
import com.nimbusds.jose.crypto.ECDSAVerifier;
import com.nimbusds.jose.crypto.MACVerifier;
import com.nimbusds.jose.crypto.PasswordBasedDecrypter;
import com.nimbusds.jose.crypto.RSADecrypter;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jose.jwk.ECKey;
import com.nimbusds.jose.jwk.OctetSequenceKey;
import com.nimbusds.jwt.EncryptedJWT;
import com.nimbusds.jwt.PlainJWT;
import com.nimbusds.jwt.SignedJWT;
import java.nio.charset.StandardCharsets;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.util.Date;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.jetbrains.annotations.Nullable;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/elitescloud/boot/auth/provider/sso2/support/convert/JwtSsoAuthenticationConvert.class */
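/**
 * SSO converter that turns a JWT carried on the inbound request into an
 * {@link InternalAuthenticationGranter.InternalAuthenticationToken}.
 *
 * <p>The token is read from the request location configured by
 * {@link JwtSsoConvertProperty#getParamName()} / {@link JwtSsoConvertProperty#getParamIn()}
 * and then handled in exactly one of three modes, chosen by the configuration:
 * <ol>
 *   <li>{@code isEncrypt()} — the token is a JWE, decrypted with the configured key;</li>
 *   <li>otherwise {@code isSigned()} — the token is a JWS, its signature checked against the configured key;</li>
 *   <li>otherwise — the token is an unsecured ({@code alg=none}) plain JWT.</li>
 * </ol>
 * The user name is the string claim named by {@link JwtSsoConvertProperty#getPayloadUserName()}.
 * A token whose {@code exp} claim lies in the past is rejected in every mode; a token with no
 * {@code exp} claim is accepted, as before.
 *
 * <p>Security caveats a deployer must be aware of (all visible in this class, not fixed here
 * because they are configuration choices):
 * <ul>
 *   <li>Mode 1 takes precedence over mode 2: when both {@code isEncrypt()} and {@code isSigned()}
 *       are set, no signature is verified. With RSA key management ({@link RSADecrypter} with the
 *       private key) anyone holding the matching public key can produce a token this class will
 *       accept, so that mode gives confidentiality, not proof of origin, unless the issuer's
 *       public key is itself kept secret or the inner payload is signed (nested JWS is not
 *       handled here).</li>
 *   <li>Sign type {@code NONE} in mode 2 accepts the token without checking its signature; a
 *       warning is logged each time.</li>
 *   <li>Mode 3 provides no integrity at all: any client can mint a plain JWT for any user.</li>
 *   <li>Only {@code exp} is checked; {@code nbf}, {@code iss} and {@code aud} are not, and no clock
 *       skew is tolerated — TODO(review): confirm whether the issuer contract requires these.</li>
 * </ul>
 */
public class JwtSsoAuthenticationConvert extends BasePlainSsoAuthenticationConvert {
    private static final Logger logger = LoggerFactory.getLogger(JwtSsoAuthenticationConvert.class);

    /** This converter handles the {@link SsoTypeEnum#JWT} SSO type. */
    @Override // com.elitescloud.boot.auth.provider.sso2.common.SsoAuthenticationConvert
    public SsoTypeEnum supportType() {
        return SsoTypeEnum.JWT;
    }

    /** Configuration class expected in {@link #convert}'s third argument. */
    @Override // com.elitescloud.boot.auth.provider.sso2.common.SsoAuthenticationConvert
    public <T extends SsoConvertProperty> Class<T> propertyType() {
        return JwtSsoConvertProperty.class;
    }

    /**
     * Extracts and validates the JWT from the request and maps it to an internal token.
     *
     * @param httpServletRequest  request carrying the token
     * @param httpServletResponse unused
     * @param t                   a {@link JwtSsoConvertProperty} (cast unchecked, as the base contract implies)
     * @return token holding the configured id type and the user name claim
     * @throws IllegalArgumentException if the configured request parameter is absent or blank
     * @throws BusinessException        if the token cannot be parsed, decrypted or verified, is expired,
     *                                  or carries a blank user name claim
     */
    @Override // com.elitescloud.boot.auth.provider.sso2.common.SsoAuthenticationConvert
    @Nullable
    public <T extends SsoConvertProperty> InternalAuthenticationGranter.InternalAuthenticationToken convert(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, T t) {
        JwtSsoConvertProperty property = (JwtSsoConvertProperty) t;
        String token = getParam(httpServletRequest, property.getParamName(), property.getParamIn());
        if (CharSequenceUtil.isBlank(token)) {
            throw new IllegalArgumentException("参数为空:" + property.getParamName());
        }
        String userName;
        try {
            userName = extractUserName(token, property);
        } catch (ParseException e) {
            // Claim set unreadable or the user-name claim is not a string.
            throw new BusinessException("解析令牌异常", e);
        }
        if (CharSequenceUtil.isBlank(userName)) {
            throw new BusinessException("授权账户为空");
        }
        return new InternalAuthenticationGranter.InternalAuthenticationToken(property.getIdType(), userName);
    }

    /**
     * Dispatches to the parse routine selected by the configuration and reads the user-name claim.
     * Encryption wins over signing when both flags are set (see class Javadoc).
     */
    private String extractUserName(String token, JwtSsoConvertProperty property) throws ParseException {
        String claimName = property.getPayloadUserName();
        if (property.isEncrypt()) {
            return parseEncryptedJwt(token, property).getJWTClaimsSet().getStringClaim(claimName);
        }
        if (property.isSigned()) {
            return parseSignedJwt(token, property).getJWTClaimsSet().getStringClaim(claimName);
        }
        return parsePlainJwt(token).getJWTClaimsSet().getStringClaim(claimName);
    }

    /**
     * Parses an unsecured ({@code alg=none}) JWT. Nothing about it is authenticated; only the
     * {@code exp} claim is enforced.
     *
     * @throws BusinessException if the token is malformed or expired
     */
    private PlainJWT parsePlainJwt(String token) {
        PlainJWT jwt;
        Date expirationTime;
        try {
            jwt = PlainJWT.parse(token);
            expirationTime = jwt.getJWTClaimsSet().getExpirationTime();
        } catch (Exception e) {
            throw new BusinessException("解析令牌异常", e);
        }
        rejectIfExpired(expirationTime);
        return jwt;
    }

    /**
     * Parses a JWS and verifies its signature with the configured key, then enforces {@code exp}.
     *
     * <p>The verifier family (HMAC / RSA / ECDSA) comes from configuration, not from the token's
     * {@code alg} header, so a token cannot switch the server to a different verifier. The HMAC key
     * is handed to {@link MACVerifier} as raw bytes; the previous code additionally copied the
     * token's {@code alg} header into the JWK's algorithm field, which the verifier does not consult
     * and which only let an untrusted header influence key metadata.
     *
     * @throws BusinessException if the token is malformed, the signature does not verify, or the token is expired
     */
    private SignedJWT parseSignedJwt(String token, JwtSsoConvertProperty property) {
        Assert.notNull(property.getSignType(), "签名类型为空", new Object[0]);
        Assert.notBlank(property.getSignKey(), "签名密钥为空", new Object[0]);
        String signKey = property.getSignKey();
        SignedJWT jws;
        Date expirationTime;
        try {
            jws = SignedJWT.parse(token);
            boolean signatureValid;
            switch (property.getSignType()) {
                case HMAC:
                    signatureValid = jws.verify(new MACVerifier(signKey.getBytes(StandardCharsets.UTF_8)));
                    break;
                case RSA:
                    RSAPublicKey publicKey = (RSAPublicKey) ("X.509".equals(property.getRsaFormat())
                            ? RsaUtil.convert2PublicKey(signKey)
                            : RsaUtil.convert2PublicKeyForPkcs1(signKey));
                    signatureValid = jws.verify(new RSASSAVerifier(publicKey));
                    break;
                case ECDSA:
                    // Sign key is expected to be an EC public JWK in JSON form.
                    signatureValid = jws.verify(new ECDSAVerifier(ECKey.parse(signKey)));
                    break;
                case NONE:
                    // Deliberate configuration escape hatch: the token is accepted unverified.
                    logger.warn("JWT SSO sign type NONE: accepting token without signature verification");
                    signatureValid = true;
                    break;
                default:
                    throw new IllegalArgumentException("不支持的签名方式:" + property.getSignType());
            }
            if (!signatureValid) {
                throw new BusinessException("令牌签名验证失败");
            }
            expirationTime = jws.getJWTClaimsSet().getExpirationTime();
        } catch (BusinessException e) {
            // Already a domain error; do not wrap it a second time.
            throw e;
        } catch (Exception e) {
            throw new BusinessException("解析令牌异常", e);
        }
        rejectIfExpired(expirationTime);
        return jws;
    }

    /**
     * Parses a JWE and decrypts it with the configured key, then enforces {@code exp}.
     * The decrypted payload is read directly as the claim set; no nested JWS is verified.
     *
     * @throws BusinessException if the token is malformed, cannot be decrypted, or is expired
     */
    private EncryptedJWT parseEncryptedJwt(String token, JwtSsoConvertProperty property) {
        Assert.notNull(property.getEncryptType(), "加密方式为空", new Object[0]);
        Assert.notBlank(property.getEncryptKey(), "密钥为空", new Object[0]);
        String encryptKey = property.getEncryptKey();
        EncryptedJWT jwe;
        Date expirationTime;
        try {
            jwe = EncryptedJWT.parse(token);
            switch (property.getEncryptType()) {
                case RSA:
                    jwe.decrypt(new RSADecrypter(RsaUtil.convert2PrivateKey(encryptKey)));
                    break;
                case AES:
                    jwe.decrypt(new AESDecrypter(encryptKey.getBytes(StandardCharsets.UTF_8)));
                    break;
                case PASSWORD:
                    jwe.decrypt(new PasswordBasedDecrypter(encryptKey));
                    break;
                default:
                    throw new IllegalArgumentException("不支持的加密方式:" + property.getEncryptType());
            }
            expirationTime = jwe.getJWTClaimsSet().getExpirationTime();
        } catch (Exception e) {
            throw new BusinessException("解析令牌异常", e);
        }
        rejectIfExpired(expirationTime);
        return jwe;
    }

    /**
     * Rejects a token whose {@code exp} claim is strictly in the past. A missing {@code exp} is
     * accepted (unchanged from the original behaviour); no clock-skew allowance is applied.
     *
     * @throws BusinessException if the token is expired
     */
    private static void rejectIfExpired(Date expirationTime) {
        if (expirationTime != null && expirationTime.getTime() < System.currentTimeMillis()) {
            throw new BusinessException("令牌已过期");
        }
    }
}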
