package com.alibaba.nacos.plugin.auth.impl.jwt;

import com.alibaba.nacos.common.utils.JacksonUtils;
import com.alibaba.nacos.common.utils.StringUtils;
import com.alibaba.nacos.plugin.auth.exception.AccessException;
import com.alibaba.nacos.plugin.auth.impl.users.NacosUser;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import javax.crypto.Mac;

/* loaded from: input_file:com/alibaba/nacos/plugin/auth/impl/jwt/NacosSignatureAlgorithm.class */
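/**
 * HMAC-based signing and verification of the compact JWTs used by the Nacos auth plugin.
 *
 * <p>Three algorithms are supported: {@link #HS256}, {@link #HS384} and {@link #HS512}. Each one
 * carries a fixed, pre-encoded JWT header (the base64url form of {@code {"alg":"HSxxx"}}).
 *
 * <p>Security notes:
 * <ul>
 *   <li>The algorithm is selected by an exact-match lookup of the token's header segment against
 *       the three known header strings. Any other header (a different {@code alg}, extra fields,
 *       different whitespace) is rejected as unsupported before any MAC is computed, so the token
 *       cannot steer verification to an algorithm outside this allowlist.</li>
 *   <li>The signature is always checked before the payload is base64-decoded or parsed, so
 *       unauthenticated bytes never reach the JSON parser.</li>
 *   <li>The presented signature is compared with {@link MessageDigest#isEqual(byte[], byte[])}
 *       rather than {@link String#equals(Object)}, so the comparison does not stop at the first
 *       differing character.</li>
 *   <li>Key length/strength is not validated here — NOTE(review): confirm the caller enforces a
 *       minimum key size appropriate for the chosen algorithm.</li>
 * </ul>
 */
public final class NacosSignatureAlgorithm {
    private static final String JWT_SEPERATOR = ".";
    private static final int HEADER_POSITION = 0;
    private static final int PAYLOAD_POSITION = 1;
    private static final int SIGNATURE_POSITION = 2;
    private static final int JWT_PARTS = 3;
    private final String algorithm;
    private final String jcaName;
    private final String header;
    private static final Base64.Encoder URL_BASE64_ENCODER = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder URL_BASE64_DECODER = Base64.getUrlDecoder();

    // Allowlist keyed by the exact encoded header segment; populated once in the static initializer
    // below and only read afterwards.
    private static final Map<String, NacosSignatureAlgorithm> MAP = new HashMap<>(4);
    private static final String HS256_JWT_HEADER = "eyJhbGciOiJIUzI1NiJ9";
    public static final NacosSignatureAlgorithm HS256 = new NacosSignatureAlgorithm("HS256", "HmacSHA256", HS256_JWT_HEADER);
    private static final String HS384_JWT_HEADER = "eyJhbGciOiJIUzM4NCJ9";
    public static final NacosSignatureAlgorithm HS384 = new NacosSignatureAlgorithm("HS384", "HmacSHA384", HS384_JWT_HEADER);
    private static final String HS512_JWT_HEADER = "eyJhbGciOiJIUzUxMiJ9";
    public static final NacosSignatureAlgorithm HS512 = new NacosSignatureAlgorithm("HS512", "HmacSHA512", HS512_JWT_HEADER);

    static {
        MAP.put(HS256_JWT_HEADER, HS256);
        MAP.put(HS384_JWT_HEADER, HS384);
        MAP.put(HS512_JWT_HEADER, HS512);
    }

    private NacosSignatureAlgorithm(String algorithm, String jcaName, String header) {
        this.algorithm = algorithm;
        this.jcaName = jcaName;
        this.header = header;
    }

    /**
     * Verifies a compact JWT and returns the user named in its {@code sub} claim.
     *
     * @param token the full {@code header.payload.signature} token
     * @param key the HMAC key to verify with
     * @return a {@link NacosUser} for the token subject, with the original token attached
     * @throws AccessException if the token is blank, does not have exactly three segments, uses a
     *     header that is not one of the supported ones, has a bad signature, or is expired
     */
    public static NacosUser verify(String token, Key key) throws AccessException {
        String[] parts = splitToken(token);
        String headerPart = parts[HEADER_POSITION];
        NacosSignatureAlgorithm algorithm = resolveAlgorithm(headerPart);
        NacosUser user = algorithm.verify(headerPart, parts[PAYLOAD_POSITION], parts[SIGNATURE_POSITION], key);
        user.setToken(token);
        return user;
    }

    /**
     * Verifies the signature over {@code header.payload} with this algorithm, then checks expiry.
     *
     * @param header the encoded header segment
     * @param payload the encoded payload segment
     * @param signature the encoded signature segment presented by the client
     * @param key the HMAC key to verify with
     * @return a {@link NacosUser} for the payload's subject
     * @throws AccessException if the signature does not match or the {@code exp} claim is in the past
     */
    public NacosUser verify(String header, String payload, String signature, Key key) throws AccessException {
        // Authenticate first; the payload is only decoded and parsed once the MAC has matched.
        requireValidSignature(header, payload, signature, key);
        NacosJwtPayload claims = (NacosJwtPayload) JacksonUtils.toObj(URL_BASE64_DECODER.decode(payload), NacosJwtPayload.class);
        long nowSeconds = TimeUnit.MILLISECONDS.toSeconds(System.currentTimeMillis());
        if (claims.getExp() < nowSeconds) {
            throw new AccessException("token expired!");
        }
        return new NacosUser(claims.getSub());
    }

    /**
     * Returns the {@code exp} claim of a compact JWT after verifying its signature.
     *
     * <p>Expiry itself is not enforced here: an already-expired but correctly signed token still
     * yields its {@code exp} value.
     *
     * @param token the full {@code header.payload.signature} token
     * @param key the HMAC key to verify with
     * @return the {@code exp} claim as stored in the payload
     * @throws AccessException if the token is blank, malformed, uses an unsupported header, or has
     *     a bad signature
     */
    public static long getExpiredTimeInSeconds(String token, Key key) throws AccessException {
        String[] parts = splitToken(token);
        String headerPart = parts[HEADER_POSITION];
        NacosSignatureAlgorithm algorithm = resolveAlgorithm(headerPart);
        return algorithm.getExpireTimeInSeconds(headerPart, parts[PAYLOAD_POSITION], parts[SIGNATURE_POSITION], key);
    }

    /**
     * Verifies the signature over {@code header.payload} with this algorithm and returns the
     * payload's {@code exp} claim without checking it against the clock.
     *
     * @param header the encoded header segment
     * @param payload the encoded payload segment
     * @param signature the encoded signature segment presented by the client
     * @param key the HMAC key to verify with
     * @return the {@code exp} claim as stored in the payload
     * @throws AccessException if the signature does not match
     */
    public long getExpireTimeInSeconds(String header, String payload, String signature, Key key) throws AccessException {
        requireValidSignature(header, payload, signature, key);
        return ((NacosJwtPayload) JacksonUtils.toObj(URL_BASE64_DECODER.decode(payload), NacosJwtPayload.class)).getExp();
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Builds a signed compact JWT from this algorithm's fixed header and the given payload.
     *
     * @param nacosJwtPayload the claims to sign; its {@code toString()} output is used as the
     *     payload text — presumably a JSON rendering, confirm against {@code NacosJwtPayload}
     * @param key the HMAC key to sign with
     * @return the {@code header.payload.signature} token
     */
    public String sign(NacosJwtPayload nacosJwtPayload, Key key) {
        String encodedPayload = URL_BASE64_ENCODER.encodeToString(nacosJwtPayload.toString().getBytes(StandardCharsets.UTF_8));
        String signingInput = this.header + JWT_SEPERATOR + encodedPayload;
        byte[] mac = getMacInstance(key).doFinal(signingInput.getBytes(StandardCharsets.US_ASCII));
        return signingInput + JWT_SEPERATOR + URL_BASE64_ENCODER.encodeToString(mac);
    }

    public String getAlgorithm() {
        return this.algorithm;
    }

    public String getJcaName() {
        return this.jcaName;
    }

    public String getHeader() {
        return this.header;
    }

    /** Splits a compact token into its three segments, rejecting blank or malformed input. */
    private static String[] splitToken(String token) throws AccessException {
        if (StringUtils.isBlank(token)) {
            throw new AccessException("user not found!");
        }
        String[] parts = token.split("\\.");
        if (parts.length != JWT_PARTS) {
            throw new AccessException("token invalid!");
        }
        return parts;
    }

    /** Maps an encoded header segment to its algorithm; only exact matches of known headers pass. */
    private static NacosSignatureAlgorithm resolveAlgorithm(String header) throws AccessException {
        NacosSignatureAlgorithm algorithm = MAP.get(header);
        if (algorithm == null) {
            throw new AccessException("unsupported signature algorithm");
        }
        return algorithm;
    }

    /** Recomputes the MAC over {@code header.payload} and rejects the token if it differs. */
    private void requireValidSignature(String header, String payload, String signature, Key key) throws AccessException {
        byte[] mac = getMacInstance(key).doFinal((header + JWT_SEPERATOR + payload).getBytes(StandardCharsets.US_ASCII));
        byte[] expected = URL_BASE64_ENCODER.encode(mac);
        // A null signature is treated as a mismatch, as String.equals(null) was.
        // MessageDigest.isEqual examines every byte instead of returning at the first difference,
        // so response time does not reveal how much of a guessed signature was correct.
        if (signature == null || !MessageDigest.isEqual(expected, signature.getBytes(StandardCharsets.UTF_8))) {
            throw new AccessException("Invalid signature");
        }
    }

    /**
     * Creates a {@link Mac} for this algorithm initialised with {@code key}.
     *
     * @throws IllegalArgumentException if the key is rejected or the JCA algorithm is unavailable;
     *     the underlying exception is attached as the cause
     */
    private Mac getMacInstance(Key key) {
        try {
            Mac mac = Mac.getInstance(this.jcaName);
            mac.init(key);
            return mac;
        } catch (InvalidKeyException e) {
            // The key object is deliberately not concatenated into the message: its toString() is
            // implementation-defined and exception messages commonly end up in logs.
            throw new IllegalArgumentException("Invalid key for " + this.jcaName, e);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalArgumentException("No Such Algorithm: " + this.jcaName, e);
        }
    }
}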
