package com.alibaba.nacos.plugin.auth.impl.jwt;

import com.alibaba.nacos.plugin.auth.exception.AccessException;
import com.alibaba.nacos.plugin.auth.impl.users.NacosUser;
import com.alibaba.nacos.plugin.auth.impl.utils.Base64Decode;
import java.security.Key;
import java.util.concurrent.TimeUnit;
import javax.crypto.spec.SecretKeySpec;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/alibaba/nacos/plugin/auth/impl/jwt/NacosJwtParser.class */
public class NacosJwtParser {
    private static final Logger LOG = LoggerFactory.getLogger(NacosJwtParser.class);
    private final NacosSignatureAlgorithm signatureAlgorithm;
    private final Key key;

    /* loaded from: input_file:com/alibaba/nacos/plugin/auth/impl/jwt/NacosJwtParser$JwtBuilder.class */
    public class JwtBuilder {
        private final NacosJwtPayload nacosJwtPayload = new NacosJwtPayload();

        public JwtBuilder() {
        }

        public JwtBuilder setUserName(String str) {
            this.nacosJwtPayload.setSub(str);
            return this;
        }

        public JwtBuilder setExpiredTime(long j) {
            this.nacosJwtPayload.setExp(TimeUnit.MILLISECONDS.toSeconds(System.currentTimeMillis()) + j);
            return this;
        }

        public String compact() {
            return NacosJwtParser.this.sign(this.nacosJwtPayload);
        }
    }

    public NacosJwtParser(String str) {
        validKey(str);
        byte[] decode = Base64Decode.decode(str);
        int length = decode.length << 3;
        if (length < 256) {
            throw new IllegalArgumentException("The specified key byte array is " + length + " bits which is not secure enough for any JWT HMAC-SHA algorithm.  The JWT JWA Specification (RFC 7518, Section 3.2) states that keys used with HMAC-SHA algorithms MUST have a size >= 256 bits (the key size must be greater than or equal to the hash output size).  See https://tools.ietf.org/html/rfc7518#section-3.2 for more information.");
        }
        if (length < 384) {
            this.signatureAlgorithm = NacosSignatureAlgorithm.HS256;
        } else if (length < 512) {
            this.signatureAlgorithm = NacosSignatureAlgorithm.HS384;
        } else {
            this.signatureAlgorithm = NacosSignatureAlgorithm.HS512;
        }
        this.key = new SecretKeySpec(decode, this.signatureAlgorithm.getJcaName());
    }

    private void validKey(String str) {
        if (str.toCharArray().length % 4 != 0) {
            LOG.warn("The secret Key currently in use is not a standard Base64 encoding and will no longer be supported in future versions;");
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public String sign(NacosJwtPayload nacosJwtPayload) {
        return this.signatureAlgorithm.sign(nacosJwtPayload, this.key);
    }

    public JwtBuilder jwtBuilder() {
        return new JwtBuilder();
    }

    public NacosUser parse(String str) throws AccessException {
        return NacosSignatureAlgorithm.verify(str, this.key);
    }

    public long getExpireTimeInSeconds(String str) throws AccessException {
        return NacosSignatureAlgorithm.getExpiredTimeInSeconds(str, this.key);
    }
}
