package app.utils.server.security.oauth;

import app.utils.config.AppConfig;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JOSEObjectType;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.jwk.source.JWKSourceBuilder;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jose.proc.DefaultJOSEObjectTypeVerifier;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.jwt.proc.ConfigurableJWTProcessor;
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.Principal;
import java.text.ParseException;
import java.util.Set;
import javax.security.auth.Subject;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import org.eclipse.jetty.security.DefaultUserIdentity;
import org.eclipse.jetty.security.ServerAuthException;
import org.eclipse.jetty.security.UserAuthentication;
import org.eclipse.jetty.security.authentication.LoginAuthenticator;
import org.eclipse.jetty.server.Authentication;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:app/utils/server/security/oauth/JwtAccessTokenAuthenticator.class */
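/**
 * Jetty {@link LoginAuthenticator} that authenticates a request from a JWT bearer access token.
 *
 * <p>The token is read from the {@code Authorization: Bearer ...} header, its signature is checked
 * against keys from the JWK set configured under {@code oauth.provider.endpoint}, and its claims
 * are checked for the presence of {@code iss}, {@code iat}, {@code exp} and {@code aud}.
 *
 * <p>Security review notes (what this class does and does not enforce):
 * <ul>
 *   <li>Only RS256, RS384 and RS512 are accepted. The algorithm named in the token header is
 *       mapped through an allow-list before a key selector is built, so any other value
 *       (unsigned or HMAC tokens included) is rejected.</li>
 *   <li>{@code iss} must be present, but its value is never compared with an expected issuer.
 *       Trust therefore rests entirely on the signature verifying against the configured JWK
 *       set. NOTE(review): if that JWK set is shared by several issuers or tenants, add an
 *       exact-match issuer to the claims verifier.</li>
 *   <li>The expected {@code aud} is taken from the URL of the incoming request rather than from
 *       configuration (see {@link #getProcessor}).</li>
 *   <li>Every accepted token yields the same identity: no subject, no principal, role
 *       {@code "user"}. Claims such as {@code sub} or {@code scope} are not consulted, so this
 *       class provides authentication only, not per-user or per-scope authorization.</li>
 * </ul>
 */
public class JwtAccessTokenAuthenticator extends LoginAuthenticator {
    private static final String BEARER_PREFIX = "Bearer ";
    private static final Set<String> REQUIRED_CLAIMS = Set.of("iss", "iat", "exp", "aud");
    private static final Logger LOG = LoggerFactory.getLogger(JwtAccessTokenAuthenticator.class);
    private final JWKSource<SecurityContext> jwkSource;

    /**
     * Builds the cached JWK source from the {@code oauth.provider.endpoint} configuration value.
     *
     * @throws RuntimeException if the configured value is not a valid URI/URL
     */
    public JwtAccessTokenAuthenticator() {
        // NOTE(review): the scheme of the configured endpoint is not checked here. Signature
        // verification is only as trustworthy as the channel the keys are fetched over, so the
        // deployment should make sure this value is an https URL.
        String jwkSetEndpoint = AppConfig.getInstance().getConfigs().getString("oauth.provider.endpoint");
        try {
            this.jwkSource = JWKSourceBuilder.create(new URI(jwkSetEndpoint).toURL()).cache(true).build();
        } catch (MalformedURLException | URISyntaxException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Authenticates the request from its bearer token.
     *
     * @param servletRequest the incoming request; must be an {@link HttpServletRequest}
     * @param servletResponse unused
     * @param z unused by this implementation
     * @return a {@link UserAuthentication} carrying the single role {@code "user"} when the token
     *     verifies, otherwise {@link Authentication#UNAUTHENTICATED}
     */
    public Authentication validateRequest(ServletRequest servletRequest, ServletResponse servletResponse, boolean z) throws ServerAuthException {
        HttpServletRequest httpRequest = (HttpServletRequest) servletRequest;
        String header = httpRequest.getHeader("Authorization");
        if (header == null || !header.startsWith(BEARER_PREFIX)) {
            return Authentication.UNAUTHENTICATED;
        }
        // substring() never returns null, so only the empty-token case needs a guard.
        String token = header.substring(BEARER_PREFIX.length());
        if (token.isEmpty() || !verifyJWTAccessToken(httpRequest, token)) {
            return Authentication.UNAUTHENTICATED;
        }
        // NOTE(review): the identity has a null Subject and a null Principal; code that later
        // asks the request for its user principal should be checked for null handling.
        return new UserAuthentication(getAuthMethod(), new DefaultUserIdentity((Subject) null, (Principal) null, new String[] {"user"}));
    }

    /**
     * Parses and verifies a serialized JWT.
     *
     * <p>Every failure, expected or not, is logged and reported as {@code false}, so an error
     * during verification can never result in an authenticated request. The token string itself
     * is not written to the log.
     *
     * @param request the request the token arrived on; used to derive the expected audience
     * @param token the serialized JWT taken from the Authorization header
     * @return {@code true} only if parsing, signature verification and claim checks all succeed
     */
    private boolean verifyJWTAccessToken(HttpServletRequest request, String token) {
        try {
            JWT jwt = JWTParser.parse(token);
            String algorithmName = jwt.getHeader().getAlgorithm().toString();
            getProcessor(request, getAlgorithm(algorithmName)).process(jwt, null);
            LOG.debug("Access Token with algorithm {} is valid", algorithmName);
            return true;
        } catch (ParseException | BadJOSEException | JOSEException e) {
            // NOTE(review): rejected tokens are logged at ERROR with a stack trace, and any
            // unauthenticated client can trigger this path; consider a lower level or rate
            // limiting if log volume becomes a concern.
            LOG.error("Access Token is not valid", e);
            return false;
        } catch (Exception e2) {
            LOG.error("An unexpected error occurred during Access Token validation", e2);
            return false;
        }
    }

    /**
     * Maps the algorithm name from the token header onto the allow-list of accepted algorithms.
     *
     * @param name the {@code alg} value taken from the token header
     * @return the matching RSA signature algorithm
     * @throws BadJOSEException if the name is anything other than RS256, RS384 or RS512
     */
    private JWSAlgorithm getAlgorithm(String name) throws BadJOSEException {
        switch (name) {
            case "RS256":
                return JWSAlgorithm.RS256;
            case "RS384":
                return JWSAlgorithm.RS384;
            case "RS512":
                return JWSAlgorithm.RS512;
            default:
                throw new BadJOSEException("Unsupported algorithm: " + name);
        }
    }

    /**
     * Builds a JWT processor for one request: keys are selected for the given algorithm from the
     * configured JWK source, the header type must be {@code JWT}, and the claims verifier requires
     * {@link #REQUIRED_CLAIMS} plus an {@code aud} matching the request URL.
     *
     * @param request the request whose URL becomes the expected audience
     * @param algorithm the already allow-listed signature algorithm
     * @return a processor configured as described above
     */
    private ConfigurableJWTProcessor<SecurityContext> getProcessor(HttpServletRequest request, JWSAlgorithm algorithm) {
        JWSVerificationKeySelector<SecurityContext> keySelector = new JWSVerificationKeySelector<>(algorithm, this.jwkSource);
        // NOTE(review): the expected audience comes from getRequestURL(), i.e. from the scheme,
        // host and path the container reports for this request. The audience restriction is
        // therefore only as strong as the front end's validation of the Host header, and tokens
        // must be issued per exact URL. A fixed, configured audience value would remove that
        // dependency on request data.
        JWTClaimsSet expectedClaims = new JWTClaimsSet.Builder().audience(request.getRequestURL().toString()).build();
        DefaultJWTProcessor<SecurityContext> processor = new DefaultJWTProcessor<>();
        processor.setJWSTypeVerifier(new DefaultJOSEObjectTypeVerifier<>(JOSEObjectType.JWT));
        processor.setJWSKeySelector(keySelector);
        processor.setJWTClaimsSetVerifier(new DefaultJWTClaimsVerifier<>(expectedClaims, REQUIRED_CLAIMS));
        return processor;
    }

    /**
     * Returns the authentication method name reported for identities created by this class.
     *
     * @return the constant {@code "OAUTH"}
     */
    public String getAuthMethod() {
        return "OAUTH";
    }

    /**
     * No response post-processing is performed.
     *
     * @return always {@code true}
     */
    public boolean secureResponse(ServletRequest servletRequest, ServletResponse servletResponse, boolean z, Authentication.User user) throws ServerAuthException {
        return true;
    }
}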
