package org.thingsboard.server.service.security.auth.jwt.settings;

import java.util.Base64;
import java.util.Optional;
import java.util.concurrent.TimeUnit;
import org.apache.commons.lang3.RandomUtils;
import org.apache.commons.lang3.StringUtils;
import org.bouncycastle.util.Arrays;
import org.springframework.stereotype.Component;
import org.thingsboard.server.common.data.security.model.JwtSettings;
import org.thingsboard.server.dao.exception.DataValidationException;
import org.thingsboard.server.service.security.model.token.JwtTokenFactory;

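/**
 * Default {@link JwtSettingsValidator}: rejects JWT settings whose issuer is missing, whose
 * token lifetimes are too short or inconsistent, or whose signing key is absent, not valid
 * Base64, or shorter than {@link JwtTokenFactory#KEY_LENGTH} bits.
 */
@Component
public class DefaultJwtSettingsValidator implements JwtSettingsValidator {

    /**
     * Validates the given JWT settings and throws on the first rule that fails.
     *
     * @param jwtSettings settings to check; dereferenced without a null check
     * @throws DataValidationException if the issuer is empty, the refresh token lifetime is
     *     under 15 minutes, the access token lifetime is under 1 minute or not strictly less
     *     than the refresh token lifetime, or the signing key is empty, not decodable as
     *     Base64, or too short
     */
    @Override
    public void validate(JwtSettings jwtSettings) {
        if (StringUtils.isEmpty(jwtSettings.getTokenIssuer())) {
            throw new DataValidationException("JWT token issuer should be specified!");
        }

        // A missing lifetime is treated as 0 seconds, so it fails the minimum check below
        // instead of causing a NullPointerException.
        int refreshTtlSeconds = Optional.ofNullable(jwtSettings.getRefreshTokenExpTime()).orElse(0);
        if (refreshTtlSeconds < TimeUnit.MINUTES.toSeconds(15L)) {
            throw new DataValidationException("JWT refresh token expiration time should be at least 15 minutes!");
        }
        int accessTtlSeconds = Optional.ofNullable(jwtSettings.getTokenExpirationTime()).orElse(0);
        if (accessTtlSeconds < TimeUnit.MINUTES.toSeconds(1L)) {
            throw new DataValidationException("JWT token expiration time should be at least 1 minute!");
        }
        // The access token must expire strictly before the refresh token. The previous message
        // stated the opposite of the rule being enforced.
        if (accessTtlSeconds >= refreshTtlSeconds) {
            throw new DataValidationException("JWT token expiration time should be less than JWT refresh token expiration time!");
        }

        if (StringUtils.isEmpty(jwtSettings.getTokenSigningKey())) {
            throw new DataValidationException("JWT token signing key should be specified!");
        }

        byte[] keyBytes = null;
        try {
            keyBytes = Base64.getDecoder().decode(jwtSettings.getTokenSigningKey());
            if (Arrays.isNullOrEmpty(keyBytes)) {
                throw new DataValidationException("JWT token signing key should be non-empty after Base64 decoding!");
            }
            // NOTE(review): a key recognised by isSigningKeyDefault() is exempt from the length
            // check. How the default key is handled afterwards is not visible here; confirm
            // that it cannot remain in use on a production install.
            if (keyBytes.length * Byte.SIZE < JwtTokenFactory.KEY_LENGTH
                    && !DefaultJwtSettingsService.isSigningKeyDefault(jwtSettings)) {
                throw new DataValidationException("JWT token signing key should be a Base64 encoded string representing at least 512 bits of data!");
            }
        } catch (DataValidationException e) {
            // Already a precise validation error. Without this rethrow, the generic handler
            // below would relabel it as a Base64 decoding failure.
            throw e;
        } catch (Exception e) {
            throw new DataValidationException("JWT token signing key should be a valid Base64 encoded string! " + e.getMessage());
        } finally {
            // Best-effort scrub of the decoded key material. The previous code copied the key
            // INTO a fresh random array, which left this buffer intact and created a second
            // copy of the key. This does not clear the Base64 String still held by jwtSettings.
            if (keyBytes != null) {
                java.util.Arrays.fill(keyBytes, (byte) 0);
            }
        }
    }
}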
