package com.daml.ledger.api.auth;

import com.auth0.jwt.JWT;
import com.daml.jwt.Error;
import com.daml.jwt.JwtFromBearerHeader$;
import com.daml.jwt.JwtVerifier;
import com.daml.jwt.domain.DecodedJwt;
import com.daml.jwt.domain.Jwt;
import com.daml.ledger.api.auth.ClaimSet;
import com.daml.ledger.api.auth.interceptor.IdentityProviderAwareAuthService;
import com.daml.ledger.api.domain;
import com.daml.logging.ContextualizedLogger;
import com.daml.logging.ContextualizedLogger$;
import com.daml.logging.LoggingContext;
import io.grpc.Metadata;
import scala.MatchError;
import scala.None$;
import scala.Option;
import scala.Option$;
import scala.Some;
import scala.Tuple2;
import scala.concurrent.ExecutionContext;
import scala.concurrent.Future;
import scala.concurrent.Future$;
import scala.reflect.ScalaSignature;
import scala.runtime.BoxedUnit;
import scala.util.Either;
import spray.json.JsonParser$;
import spray.json.ParserInput$;

/* compiled from: IdentityProviderAwareAuthServiceImpl.scala */
@ScalaSignature(bytes = "\u0006\u0005\u0005mg\u0001\u0002\u000b\u0016\u0001\u0001B\u0001\"\f\u0001\u0003\u0002\u0003\u0006IA\f\u0005\te\u0001\u0011\t\u0011)A\u0005g!Aa\u0007\u0001B\u0001B\u0003-q\u0007\u0003\u0005>\u0001\t\u0005\t\u0015a\u0003?\u0011\u0015!\u0005\u0001\"\u0001F\u0011\u001da\u0005A1A\u0005\f5Ca!\u0015\u0001!\u0002\u0013q\u0005\"\u0002*\u0001\t\u0003\u0019\u0006\"\u00023\u0001\t\u0013)\u0007\"B;\u0001\t\u00131\b\"B=\u0001\t\u0003Q\bbBA\u0002\u0001\u0011%\u0011Q\u0001\u0005\b\u0003;\u0001A\u0011BA\u0010\u0011\u001d\t\t\u0005\u0001C\u0005\u0003\u0007Bq!a\u001f\u0001\t\u0013\ti\bC\u0004\u0002\f\u0002!I!!$\t\u000f\u0005M\u0005\u0001\"\u0003\u0002\u0016\"A\u0011\u0011\u0014\u0001!\n\u0013\tY\nC\u0004\u0002 \u0002!I!!)\u0003I%#WM\u001c;jif\u0004&o\u001c<jI\u0016\u0014\u0018i^1sK\u0006+H\u000f[*feZL7-Z%na2T!AF\f\u0002\t\u0005,H\u000f\u001b\u0006\u00031e\t1!\u00199j\u0015\tQ2$\u0001\u0004mK\u0012<WM\u001d\u0006\u00039u\tA\u0001Z1nY*\ta$A\u0002d_6\u001c\u0001aE\u0002\u0001C\u001d\u0002\"AI\u0013\u000e\u0003\rR\u0011\u0001J\u0001\u0006g\u000e\fG.Y\u0005\u0003M\r\u0012a!\u00118z%\u00164\u0007C\u0001\u0015,\u001b\u0005I#B\u0001\u0016\u0016\u0003-Ig\u000e^3sG\u0016\u0004Ho\u001c:\n\u00051J#\u0001I%eK:$\u0018\u000e^=Qe>4\u0018\u000eZ3s\u0003^\f'/Z!vi\"\u001cVM\u001d<jG\u0016\fA$\u001b3f]RLG/\u001f)s_ZLG-\u001a:D_:4\u0017n\u001a'pC\u0012,'\u000f\u0005\u00020a5\tQ#\u0003\u00022+\ta\u0012\nZ3oi&$\u0018\u0010\u0015:pm&$WM]\"p]\u001aLw\rT8bI\u0016\u0014\u0018!\u00056xiZ+'/\u001b4jKJdu.\u00193feB\u0011q\u0006N\u0005\u0003kU\u0011\u0011CS<u-\u0016\u0014\u0018NZ5fe2{\u0017\rZ3s\u0003A)\u00070Z2vi&|gnQ8oi\u0016DH\u000f\u0005\u00029w5\t\u0011H\u0003\u0002;G\u0005Q1m\u001c8dkJ\u0014XM\u001c;\n\u0005qJ$\u0001E#yK\u000e,H/[8o\u0007>tG/\u001a=u\u00039awnZ4j]\u001e\u001cuN\u001c;fqR\u0004\"a\u0010\"\u000e\u0003\u0001S!!Q\u000e\u0002\u000f1|wmZ5oO&\u00111\t\u0011\u0002\u000f\u0019><w-\u001b8h\u0007>tG/\u001a=u\u0003\u0019a\u0014N\\5u}Q\u0019aIS&\u0015\u0007\u001dC\u0015\n\u0005\u0
0020\u0001!)a'\u0002a\u0002o!)Q(\u0002a\u0002}!)Q&\u0002a\u0001]!)!'\u0002a\u0001g\u00051An\\4hKJ,\u0012A\u0014\t\u0003\u007f=K!\u0001\u0015!\u0003)\r{g\u000e^3yiV\fG.\u001b>fI2{wmZ3s\u0003\u001dawnZ4fe\u0002\na\u0002Z3d_\u0012,W*\u001a;bI\u0006$\u0018\r\u0006\u0002U5B\u0019\u0001(V,\n\u0005YK$A\u0002$viV\u0014X\r\u0005\u000201&\u0011\u0011,\u0006\u0002\t\u00072\f\u0017.\\*fi\")1\f\u0003a\u00019\u00069\u0001.Z1eKJ\u001c\bCA/c\u001b\u0005q&BA0a\u0003\u00119'\u000f]2\u000b\u0003\u0005\f!![8\n\u0005\rt&\u0001C'fi\u0006$\u0017\r^1\u0002-\u001d,G/Q;uQ>\u0014\u0018N_1uS>t\u0007*Z1eKJ$\"A\u001a;\u0011\u0007\t:\u0017.\u0003\u0002iG\t1q\n\u001d;j_:\u0004\"A[9\u000f\u0005-|\u0007C\u00017$\u001b\u0005i'B\u00018 \u0003\u0019a$o\\8u}%\u0011\u0001oI\u0001\u0007!J,G-\u001a4\n\u0005I\u001c(AB*ue&twM\u0003\u0002qG!)1,\u0003a\u00019\u0006y\u0001/\u0019:tK*;F\u000bU1zY>\fG\r\u0006\u0002Uo\")\u0001P\u0003a\u0001S\u00061\u0001.Z1eKJ\fQ\"\u001a=ue\u0006\u001cGo\u00117bS6\u001cH\u0003\u0002+|{~DQ\u0001`\u0006A\u0002%\fQ\u0001^8lK:DQA`\u0006A\u0002\u0019\fa![:tk\u0016\u0014\bBBA\u0001\u0017\u0001\u0007a-A\u0003lKfLE-A\u0007dQ\u0016\u001c7.Q;eS\u0016t7-\u001a\u000b\u0007\u0003\u000f\ty!!\u0007\u0011\ta*\u0016\u0011\u0002\t\u0004E\u0005-\u0011bAA\u0007G\t!QK\\5u\u0011\u001d\t\t\u0002\u0004a\u0001\u0003'\tq\u0001]1zY>\fG\rE\u00020\u0003+I1!a\u0006\u0016\u0005U\tU\u000f\u001e5TKJ4\u0018nY3K/R\u0003\u0016-\u001f7pC\u0012Da!a\u0007\r\u0001\u00041\u0017A\u0004;be\u001e,G/Q;eS\u0016t7-Z\u0001\fm\u0016\u0014\u0018NZ=U_.,g\u000e\u0006\u0004\u0002\"\u0005M\u0012Q\u0007\t\u0005qU\u000b\u0019\u0003E\u0003\u0002&\u0005=\u0012.\u0004\u0002\u0002()!\u0011\u0011FA\u0016\u0003\u0019!w.\\1j]*\u0019\u0011QF\u000e\u0002\u0007)<H/\u0003\u0003\u00022\u0005\u001d\"A\u0003#fG>$W\r\u001a&xi\")A0\u0004a\u0001S\"9\u0011qG\u0007A\u0002\u0005e\u0012\u0001\u0003<fe&4\u0017.\u001a:\u0011\t\u0005m\u0012QH\u0007\u0003\u0003WIA!a\u0010\u0002,\tY!j\u001e;WKJLg-[3s\u0003!!xNR;ukJ,W\u0003BA#\u0003\u001b\"B!a\u0012\u0002`A!\u00
01(VA%!\u0011\tY%!\u0014\r\u0001\u00119\u0011q\n\bC\u0002\u0005E#!\u0001+\u0012\t\u0005M\u0013\u0011\f\t\u0004E\u0005U\u0013bAA,G\t9aj\u001c;iS:<\u0007c\u0001\u0012\u0002\\%\u0019\u0011QL\u0012\u0003\u0007\u0005s\u0017\u0010C\u0004\u0002b9\u0001\r!a\u0019\u0002\u0003\u0015\u0004\u0002\"!\u001a\u0002p\u0005U\u0014\u0011\n\b\u0005\u0003O\nYGD\u0002m\u0003SJ\u0011\u0001J\u0005\u0004\u0003[\u001a\u0013a\u00029bG.\fw-Z\u0005\u0005\u0003c\n\u0019H\u0001\u0004FSRDWM\u001d\u0006\u0004\u0003[\u001a\u0003\u0003BA\u001e\u0003oJA!!\u001f\u0002,\t)QI\u001d:pe\u0006a\u0001/\u0019:tKB\u000b\u0017\u0010\\8bIR!\u0011qPAD!\u0011AT+!!\u0011\u0007=\n\u0019)C\u0002\u0002\u0006V\u0011!c\u0015;b]\u0012\f'\u000f\u001a&X)B\u000b\u0017\u0010\\8bI\"9\u0011\u0011R\bA\u0002\u0005M\u0011A\u00036xiB\u000b\u0017\u0010\\8bI\u0006)\u0001/\u0019:tKR1\u00111CAH\u0003#Ca!!#\u0011\u0001\u0004I\u0007BBA\u000e!\u0001\u0007a-A\fqCJ\u001cX-Q;uQN+'O^5dKB\u000b\u0017\u0010\\8bIR!\u00111CAL\u0011\u0019\tI)\u0005a\u0001S\u0006I\u0002/\u0019:tK\u0006+H-[3oG\u0016\u0014\u0015m]3e!\u0006LHn\\1e)\u0011\t\u0019\"!(\t\r\u0005%%\u00031\u0001j\u0003M!x.Q;uQ\u0016tG/[2bi\u0016$Wk]3s)\u0019\t\u0019+!-\u00024B!\u0011QUAV\u001d\ry\u0013qU\u0005\u0004\u0003S+\u0012\u0001C\"mC&l7+\u001a;\n\t\u00055\u0016q\u0016\u0002\u0012\u0003V$\b.\u001a8uS\u000e\fG/\u001a3Vg\u0016\u0014(bAAU+!9\u0011\u0011C\nA\u0002\u0005\u0005\u0005bBA['\u0001\u0007\u0011qW\u0001\u0003S\u0012\u0004B!!/\u0002V:!\u00111XAh\u001d\u0011\ti,!4\u000f\t\u0005}\u00161\u001a\b\u0005\u0003\u0003\fIM\u0004\u0003\u0002D\u0006\u001dgb\u00017\u0002F&\ta$\u0003\u0002\u001d;%\u0011!dG\u0005\u00031eI1!!\u000b\u0018\u0013\u0011\t\t.a5\u0002%%#WM\u001c;jif\u0004&o\u001c<jI\u0016\u0014\u0018\n\u001a\u0006\u0004\u0003S9\u0012\u0002BAl\u00033\u0014!!\u00133\u000b\t\u0005E\u00171\u001b")
/* loaded from: input_file:com/daml/ledger/api/auth/IdentityProviderAwareAuthServiceImpl.class */
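/*
 * Authenticates a gRPC call from the JWT carried in its Authorization header: the token's issuer
 * selects an identity provider configuration, the token is verified with a verifier loaded for
 * that configuration's JWKS URL, and the verified payload becomes a ClaimSet.AuthenticatedUser.
 *
 * This is decompiler output for a Scala class. Members whose names contain '$' are
 * compiler-generated; the logger accessor and the loggingContext field are public, presumably so
 * the generated IdentityProviderAwareAuthServiceImpl$$anonfun$decodeMetadata$1 class can reach
 * them, so their names and visibility are left unchanged.
 */
public class IdentityProviderAwareAuthServiceImpl implements IdentityProviderAwareAuthService {
    // Looks up the identity provider configuration for a token issuer.
    private final IdentityProviderConfigLoader identityProviderConfigLoader;
    // Produces a JwtVerifier for a configured JWKS URL and an optional key id.
    private final JwtVerifierLoader jwtVerifierLoader;
    // Runs every asynchronous step of the decoding pipeline.
    private final ExecutionContext executionContext;
    public final LoggingContext com$daml$ledger$api$auth$IdentityProviderAwareAuthServiceImpl$$loggingContext;
    private final ContextualizedLogger com$daml$ledger$api$auth$IdentityProviderAwareAuthServiceImpl$$logger = ContextualizedLogger$.MODULE$.get(getClass());

    /** Returns the logger created for this class (compiler-generated accessor). */
    public ContextualizedLogger com$daml$ledger$api$auth$IdentityProviderAwareAuthServiceImpl$$logger() {
        return this.com$daml$ledger$api$auth$IdentityProviderAwareAuthServiceImpl$$logger;
    }

    /**
     * Decodes the call metadata into a claim set.
     *
     * <p>A call without an Authorization header completes with {@code ClaimSet.Unauthenticated}.
     * Otherwise the header is parsed and verified by {@link #parseJWTPayload}; a failed future is
     * handed to the generated recovery handler.
     *
     * <p>NOTE(review): the recovery handler class is not visible here. Confirm which claim set a
     * verification failure is mapped to and what it writes to the log.
     *
     * @param metadata the gRPC request headers
     * @return the claim set for the call
     * @throws MatchError if the header lookup yields neither {@code None} nor {@code Some}
     */
    @Override // com.daml.ledger.api.auth.interceptor.IdentityProviderAwareAuthService
    public Future<ClaimSet> decodeMetadata(Metadata metadata) {
        // Declared as Option: the lookup returns Option<String>, which is not assignable to Some.
        Option<String> authorizationHeader = getAuthorizationHeader(metadata);
        if (None$.MODULE$.equals(authorizationHeader)) {
            return Future$.MODULE$.successful(ClaimSet$Unauthenticated$.MODULE$);
        }
        if (authorizationHeader instanceof Some) {
            String headerValue = ((Some<String>) authorizationHeader).value();
            return parseJWTPayload(headerValue).recover(new IdentityProviderAwareAuthServiceImpl$$anonfun$decodeMetadata$1(this), this.executionContext);
        }
        throw new MatchError(authorizationHeader);
    }

    /**
     * Reads the header stored under {@code AuthService.AUTHORIZATION_KEY}.
     *
     * @param metadata the gRPC request headers
     * @return the header value, or {@code None} when the lookup returns {@code null}
     */
    private Option<String> getAuthorizationHeader(Metadata metadata) {
        return Option$.MODULE$.apply(metadata.get(AuthService$.MODULE$.AUTHORIZATION_KEY()));
    }

    /**
     * Extracts the token from the Authorization header value and resolves it to a claim set.
     *
     * <p>{@code JWT.decode} only parses the token; it does not check the signature. The issuer
     * and key id read from that decode are therefore still caller-controlled. They are used only
     * to choose the configuration and key in {@link #extractClaims}, which verifies the token
     * before any claim is trusted.
     *
     * @param headerValue the raw Authorization header value
     * @return the claim set, or a failed future when the header or token cannot be processed
     */
    private Future<ClaimSet> parseJWTPayload(String headerValue) {
        return toFuture(JwtFromBearerHeader$.MODULE$.apply(headerValue)).flatMap(token -> {
            return Future$.MODULE$.apply(() -> {
                return JWT.decode(token);
            }, this.executionContext).flatMap(unverifiedJwt -> {
                Option<String> issuer = Option$.MODULE$.apply(unverifiedJwt.getIssuer());
                Option<String> keyId = Option$.MODULE$.apply(unverifiedJwt.getKeyId());
                // The identity map is kept from the original so the pipeline has the same steps.
                return this.extractClaims(token, issuer, keyId).map(claimSet -> {
                    return claimSet;
                }, this.executionContext);
            }, this.executionContext);
        }, this.executionContext);
    }

    /**
     * Verifies a token against the identity provider configured for its issuer and builds the
     * authenticated-user claim set from the verified payload.
     *
     * <p>Order of the steps: load the configuration for the issuer, load a verifier for the
     * configured JWKS URL and the token's key id, verify the token, parse the payload of the
     * verified token, check the audience, then require a standard payload. The JWKS URL comes
     * from the configuration, never from the token. A token without an issuer is not rejected:
     * it completes with {@code ClaimSet.Unauthenticated}.
     *
     * <p>NOTE(review): no expiry check is visible in this class; {@code exp} is only copied into
     * the AuthenticatedUser. Confirm that the verifier or a downstream component enforces it.
     *
     * @param str the encoded JWT
     * @param option the issuer read from the not-yet-verified token
     * @param option2 the key id read from the not-yet-verified token
     * @return the claim set, or a failed future when any step fails
     * @throws MatchError if {@code option} is neither {@code None} nor {@code Some}
     */
    public Future<ClaimSet> extractClaims(String str, Option<String> option, Option<String> option2) {
        if (None$.MODULE$.equals(option)) {
            return Future$.MODULE$.successful(ClaimSet$Unauthenticated$.MODULE$);
        }
        if (!(option instanceof Some)) {
            throw new MatchError(option);
        }
        String issuer = ((Some<String>) option).value();
        return this.identityProviderConfigLoader.getIdentityProviderConfig(issuer, this.com$daml$ledger$api$auth$IdentityProviderAwareAuthServiceImpl$$loggingContext).flatMap(idpConfig -> {
            return this.jwtVerifierLoader.loadJwtVerifier(idpConfig.jwksUrl(), option2).flatMap(verifier -> {
                return this.verifyToken(str, verifier).flatMap(verifiedJwt -> {
                    // Claims are parsed from the verifier's result, not from the earlier decode.
                    return Future$.MODULE$.apply(() -> {
                        return this.parse((String) verifiedJwt.payload(), idpConfig.audience());
                    }, this.executionContext).flatMap(payload -> {
                        return this.checkAudience(payload, idpConfig.audience()).flatMap(unit -> {
                            return this.parsePayload(payload).map(standardPayload -> {
                                return this.toAuthenticatedUser(standardPayload, idpConfig.identityProviderId());
                            }, this.executionContext);
                        }, this.executionContext);
                    }, this.executionContext);
                }, this.executionContext);
            }, this.executionContext);
        }, this.executionContext);
    }

    /**
     * Checks the payload against the audience configured for the identity provider.
     *
     * <p>When no target audience is configured the check passes for every payload, so the
     * audience restriction is opt-in per identity provider. When one is configured, only a
     * standard payload whose audiences contain it passes.
     *
     * @param payload the parsed token payload
     * @param targetAudience the configured audience, if any
     * @return a completed future on success, otherwise a failed future
     */
    private Future<BoxedUnit> checkAudience(AuthServiceJWTPayload payload, Option<String> targetAudience) {
        if (payload instanceof StandardJWTPayload && targetAudience instanceof Some) {
            String expectedAudience = ((Some<String>) targetAudience).value();
            if (((StandardJWTPayload) payload).audiences().contains(expectedAudience)) {
                return Future$.MODULE$.unit();
            }
        }
        if (None$.MODULE$.equals(targetAudience)) {
            return Future$.MODULE$.unit();
        }
        return Future$.MODULE$.failed(new Exception("JWT token has an audience which is not recognized"));
    }

    /**
     * Runs the verifier over the encoded token.
     *
     * @param token the encoded JWT
     * @param verifier the verifier loaded for the issuer's configuration
     * @return the decoded token on success, otherwise a failed future carrying the error message
     */
    private Future<DecodedJwt<String>> verifyToken(String token, JwtVerifier verifier) {
        return toFuture(verifier.verify(new Jwt(token)).toEither());
    }

    /**
     * Converts an {@code Either} into a future: the error side becomes a failed future whose
     * exception carries {@code error.message()}, the value side a successful future.
     *
     * @param either the result to convert
     * @return the equivalent future
     */
    private <T> Future<T> toFuture(Either<Error, T> either) {
        // An explicit type witness replaces the decompiler's raw (Future) cast.
        return either.<Future<T>>fold(
                error -> Future$.MODULE$.failed(new Exception(error.message())),
                value -> Future$.MODULE$.successful(value));
    }

    /**
     * Accepts only the standard payload format; a custom Daml payload is rejected.
     *
     * @param payload the parsed token payload
     * @return the payload as a standard payload, or a failed future for the custom format
     * @throws MatchError if the payload is of neither known type
     */
    private Future<StandardJWTPayload> parsePayload(AuthServiceJWTPayload payload) {
        if (payload instanceof CustomDamlJWTPayload) {
            return Future$.MODULE$.failed(new Exception("Unexpected token payload format"));
        }
        if (!(payload instanceof StandardJWTPayload)) {
            throw new MatchError(payload);
        }
        return Future$.MODULE$.successful((StandardJWTPayload) payload);
    }

    /**
     * Parses the JSON payload, choosing the codec by whether a target audience is configured.
     *
     * @param str the JSON payload of the verified token
     * @param option the configured target audience, if any
     * @return the parsed payload
     */
    /* JADX INFO: Access modifiers changed from: private */
    public AuthServiceJWTPayload parse(String str, Option<String> option) {
        if (option.isDefined()) {
            return parseAudienceBasedPayload(str);
        }
        return parseAuthServicePayload(str);
    }

    /** Parses the payload with the default auth-service JSON format. */
    private AuthServiceJWTPayload parseAuthServicePayload(String json) {
        return (AuthServiceJWTPayload) JsonParser$.MODULE$.apply(ParserInput$.MODULE$.apply(json)).convertTo(AuthServiceJWTCodec$JsonImplicits$AuthServiceJWTPayloadFormat$.MODULE$);
    }

    /** Parses the payload with the audience-based token JSON format. */
    private AuthServiceJWTPayload parseAudienceBasedPayload(String json) {
        return (AuthServiceJWTPayload) JsonParser$.MODULE$.apply(ParserInput$.MODULE$.apply(json)).convertTo(AuthServiceJWTCodec$AudienceBasedTokenJsonImplicits$AuthServiceJWTPayloadFormat$.MODULE$);
    }

    /**
     * Builds the authenticated-user claim set from a verified standard payload.
     *
     * @param standardJWTPayload the verified payload; supplies user id, participant id and expiry
     * @param id the id of the identity provider whose configuration verified the token
     * @return the claim set for the authenticated user
     */
    /* JADX INFO: Access modifiers changed from: private */
    public ClaimSet.AuthenticatedUser toAuthenticatedUser(StandardJWTPayload standardJWTPayload, domain.IdentityProviderId.Id id) {
        return new ClaimSet.AuthenticatedUser(id, standardJWTPayload.userId(), standardJWTPayload.participantId(), standardJWTPayload.exp());
    }

    /**
     * Creates the service.
     *
     * @param identityProviderConfigLoader looks up identity provider configuration by issuer
     * @param jwtVerifierLoader loads a verifier for a JWKS URL and optional key id
     * @param executionContext runs the asynchronous decoding steps
     * @param loggingContext passed to the configuration lookup
     */
    public IdentityProviderAwareAuthServiceImpl(IdentityProviderConfigLoader identityProviderConfigLoader, JwtVerifierLoader jwtVerifierLoader, ExecutionContext executionContext, LoggingContext loggingContext) {
        this.identityProviderConfigLoader = identityProviderConfigLoader;
        this.jwtVerifierLoader = jwtVerifierLoader;
        this.executionContext = executionContext;
        this.com$daml$ledger$api$auth$IdentityProviderAwareAuthServiceImpl$$loggingContext = loggingContext;
    }
}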
