package com.atlassian.jwt.core.reader;

import com.atlassian.jwt.Jwt;
import com.atlassian.jwt.core.Clock;
import com.atlassian.jwt.core.SimpleJwt;
import com.atlassian.jwt.exception.JwtExpiredException;
import com.atlassian.jwt.exception.JwtInvalidClaimException;
import com.atlassian.jwt.exception.JwtParseException;
import com.atlassian.jwt.exception.JwtSignatureMismatchException;
import com.atlassian.jwt.exception.JwtTooEarlyException;
import com.atlassian.jwt.exception.JwtVerificationException;
import com.atlassian.jwt.reader.JwtClaimVerifier;
import com.atlassian.jwt.reader.JwtReader;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSObject;
import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.openid.connect.sdk.claims.IDTokenClaimsSet;
import java.text.ParseException;
import java.util.Arrays;
import java.util.Calendar;
import java.util.Date;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.annotation.Nonnull;
import net.minidev.json.JSONObject;

/* JADX WARN: Classes with same name are omitted:
  input_file:WEB-INF/atlassian-bundled-plugins/atlassian-universal-plugin-manager-plugin-4.0.1.jar:com/atlassian/jwt/core/reader/NimbusJwtReader.class
  input_file:WEB-INF/atlassian-bundled-plugins/base-hipchat-integration-plugin-8.3.0.jar:com/atlassian/jwt/core/reader/NimbusJwtReader.class
 */
/* loaded from: input_file:WEB-INF/atlassian-bundled-plugins/jwt-plugin-3.0.0.jar:com/atlassian/jwt/core/reader/NimbusJwtReader.class */
public class NimbusJwtReader implements JwtReader {
    private static final String UNEXPECTED_TYPE_MESSAGE_PREFIX = "Unexpected type of JSON object member with key ";
    private static final Set<String> NUMERIC_CLAIM_NAMES = new HashSet(Arrays.asList(IDTokenClaimsSet.EXP_CLAIM_NAME, IDTokenClaimsSet.IAT_CLAIM_NAME, "nbf"));
    private final String issuer;
    private final JWSVerifier verifier;
    private final Clock clock;

    public NimbusJwtReader(String str, JWSVerifier jWSVerifier, Clock clock) {
        this.issuer = str;
        this.verifier = jWSVerifier;
        this.clock = clock;
    }

    @Override // com.atlassian.jwt.reader.JwtReader
    @Nonnull
    public Jwt readUnverified(@Nonnull String str) throws JwtParseException, JwtVerificationException {
        return read(str, null, false);
    }

    @Override // com.atlassian.jwt.reader.JwtReader
    @Nonnull
    public Jwt readAndVerify(@Nonnull String str, @Nonnull Map<String, ? extends JwtClaimVerifier> map) throws JwtParseException, JwtVerificationException {
        return read(str, map, true);
    }

    @Override // com.atlassian.jwt.reader.JwtReader
    @Nonnull
    @Deprecated
    public Jwt read(@Nonnull String str, @Nonnull Map<String, ? extends JwtClaimVerifier> map) throws JwtParseException, JwtVerificationException {
        return read(str, map, true);
    }

    private Jwt read(@Nonnull String str, Map<String, ? extends JwtClaimVerifier> map, boolean z) throws JwtParseException, JwtVerificationException {
        JWSObject parse;
        if (z) {
            parse = verify(str);
        } else {
            try {
                parse = JWSObject.parse(str);
            } catch (ParseException e) {
                throw new JwtParseException(e);
            }
        }
        JSONObject jSONObject = parse.getPayload().toJSONObject();
        try {
            JWTClaimsSet parse2 = JWTClaimsSet.parse(jSONObject);
            if (parse2.getIssueTime() == null || parse2.getExpirationTime() == null) {
                throw new JwtInvalidClaimException("'exp' and 'iat' are required claims. Atlassian JWT does not allow JWTs with unlimited lifetimes.");
            }
            Date now = this.clock.now();
            Calendar calendar = Calendar.getInstance();
            calendar.setTime(now);
            calendar.add(13, -30);
            Date time = calendar.getTime();
            calendar.setTime(now);
            calendar.add(13, 30);
            Date time2 = calendar.getTime();
            if (null != parse2.getNotBeforeTime()) {
                if (!parse2.getExpirationTime().after(parse2.getNotBeforeTime())) {
                    throw new JwtInvalidClaimException(String.format("The expiration time must be after the not-before time but exp=%s and nbf=%s", parse2.getExpirationTime(), parse2.getNotBeforeTime()));
                }
                if (parse2.getNotBeforeTime().after(time2)) {
                    throw new JwtTooEarlyException(parse2.getNotBeforeTime(), now, 30);
                }
            }
            if (parse2.getExpirationTime().before(time)) {
                throw new JwtExpiredException(parse2.getExpirationTime(), now, 30);
            }
            if (map != null) {
                for (Map.Entry<String, ? extends JwtClaimVerifier> entry : map.entrySet()) {
                    entry.getValue().verify(parse2.getClaim(entry.getKey()));
                }
            }
            return new SimpleJwt(parse2.getIssuer(), parse2.getSubject(), jSONObject.toString());
        } catch (ParseException e2) {
            if (!e2.getMessage().startsWith(UNEXPECTED_TYPE_MESSAGE_PREFIX)) {
                throw new JwtParseException(e2);
            }
            String replaceAll = e2.getMessage().replace(UNEXPECTED_TYPE_MESSAGE_PREFIX, "").replaceAll("\"", "");
            if (NUMERIC_CLAIM_NAMES.contains(replaceAll)) {
                throw new JwtInvalidClaimException(String.format("Expecting claim '%s' to be numeric but it is a string", replaceAll), e2);
            }
            throw new JwtParseException("Perhaps a claim is of the wrong type (e.g. expecting integer but found string): " + e2.getMessage(), e2);
        }
    }

    private JWSObject verify(@Nonnull String str) throws JwtParseException, JwtVerificationException {
        try {
            JWSObject parse = JWSObject.parse(str);
            if (parse.verify(this.verifier)) {
                return parse;
            }
            throw new JwtSignatureMismatchException(str, this.issuer);
        } catch (JOSEException e) {
            throw new JwtSignatureMismatchException(e);
        } catch (ParseException e2) {
            throw new JwtParseException(e2);
        }
    }
}
