package com.google.api.auth;

import com.google.api.control.model.MethodRegistry;
import endpoints.repackaged.com.google.api.AuthProvider;
import endpoints.repackaged.com.google.api.Authentication;
import endpoints.repackaged.com.google.api.Service;
import endpoints.repackaged.com.google.api.client.http.GenericUrl;
import endpoints.repackaged.com.google.api.client.http.HttpRequestFactory;
import endpoints.repackaged.com.google.api.client.http.javanet.NetHttpTransport;
import endpoints.repackaged.com.google.api.client.util.Clock;
import endpoints.repackaged.com.google.api.client.util.Maps;
import endpoints.repackaged.com.google.api.config.ServiceConfigFetcher;
import endpoints.repackaged.com.google.common.annotations.VisibleForTesting;
import endpoints.repackaged.com.google.common.base.Optional;
import endpoints.repackaged.com.google.common.base.Preconditions;
import endpoints.repackaged.com.google.common.base.Strings;
import endpoints.repackaged.com.google.common.collect.ImmutableMap;
import endpoints.repackaged.com.google.common.collect.Sets;
import endpoints.repackaged.com.google.common.flogger.FluentLogger;
import endpoints.repackaged.org.jose4j.jwt.JwtClaims;
import endpoints.repackaged.org.jose4j.jwt.MalformedClaimException;
import endpoints.repackaged.org.jose4j.jwt.NumericDate;
import endpoints.repackaged.org.jose4j.jwt.ReservedClaimNames;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;

/* loaded from: input_file:com/google/api/auth/Authenticator.class */
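/**
 * Authenticates an incoming HTTP request by extracting a JWT, decoding it and checking its
 * issuer, provider id, time claims and audiences against the service's auth configuration and
 * the invoked method's {@link MethodRegistry.AuthInfo}.
 *
 * <p>The token is read from the {@code Authorization: Bearer ...} header or, only when that
 * header is absent, from the {@code access_token} request parameter. This class performs no
 * signature verification itself; that is assumed to happen inside the {@link AuthTokenDecoder}
 * built in {@link #create(Authentication, Clock)} (DefaultAuthTokenVerifier in the chain) —
 * confirm there before relying on any claim read here.
 */
public class Authenticator {
    private static final FluentLogger logger = FluentLogger.forEnclosingClass();
    // Request parameter consulted only when no Authorization header is present.
    private static final String ACCESS_TOKEN_PARAM_NAME = "access_token";
    // Authorization header scheme prefix; only Bearer tokens are accepted from the header.
    private static final String BEARER_TOKEN_PREFIX = "Bearer ";
    // Optional claim copied into UserInfo; may be absent from the token.
    private static final String EMAIL_CLAIM_NAME = "email";
    private final AuthTokenDecoder authTokenDecoder;
    private final Clock clock;
    // Maps a token issuer ("iss") to the configured provider id for that issuer.
    private final Map<String, String> issuersToProviderIds;

    /**
     * Creates an authenticator with explicit collaborators; production code uses
     * {@link #create()}.
     *
     * @param authTokenDecoder decodes (and is expected to verify) raw tokens into claims
     * @param clock time source for the {@code exp}/{@code nbf} checks
     * @param map issuer to provider id mapping
     */
    @VisibleForTesting
    Authenticator(AuthTokenDecoder authTokenDecoder, Clock clock, Map<String, String> map) {
        this.authTokenDecoder = authTokenDecoder;
        this.clock = clock;
        this.issuersToProviderIds = map;
    }

    /**
     * Authenticates the given request for the given method.
     *
     * @param httpServletRequest the incoming request carrying the auth token
     * @param authInfo the auth configuration of the method being invoked
     * @param str an audience accepted in addition to the provider's configured audiences
     *     (presumably the service name — confirm against the caller)
     * @return the user information extracted from the token
     * @throws UnauthenticatedException if no token is present, the token cannot be decoded,
     *     the issuer is unknown, the provider is not allowed for the method, the time claims are
     *     invalid, or no audience matches
     */
    public UserInfo authenticate(HttpServletRequest httpServletRequest, MethodRegistry.AuthInfo authInfo, String str) {
        Preconditions.checkNotNull(httpServletRequest);
        Preconditions.checkNotNull(authInfo);
        Optional<String> token = extractAuthToken(httpServletRequest);
        if (!token.isPresent()) {
            throw new UnauthenticatedException("No auth token is contained in the HTTP request");
        }
        JwtClaims claims = this.authTokenDecoder.decode(token.get());
        UserInfo userInfo = toUserInfo(claims);
        // The issuer must map to a configured provider before the method-level checks run.
        String issuer = userInfo.getIssuer();
        if (!this.issuersToProviderIds.containsKey(issuer)) {
            throw new UnauthenticatedException("Unknown issuer: " + issuer);
        }
        String providerId = this.issuersToProviderIds.get(issuer);
        if (!authInfo.isProviderIdAllowed(providerId)) {
            throw new UnauthenticatedException("The requested method does not allow this provider id: " + providerId);
        }
        checkJwtClaims(claims);
        // Accept the token if it is addressed either to the caller-supplied audience or to any
        // audience configured for this provider on the method.
        Set<String> audiences = userInfo.getAudiences();
        Set<String> allowedAudiences = authInfo.getAudiencesForProvider(providerId);
        if (audiences.contains(str) || !Sets.intersection(audiences, allowedAudiences).isEmpty()) {
            return userInfo;
        }
        throw new UnauthenticatedException("Audiences not allowed");
    }

    /**
     * Validates the time-based claims of a decoded token against the injected clock.
     *
     * <p>{@code exp} is required; {@code nbf} is optional. No clock-skew tolerance is applied:
     * a token whose {@code exp} is strictly before "now", or whose {@code nbf} is strictly after
     * "now", is rejected.
     *
     * @throws UnauthenticatedException if {@code exp} is missing, either claim is malformed,
     *     the token has expired, or it is not yet valid
     */
    private void checkJwtClaims(JwtClaims jwtClaims) {
        Optional<NumericDate> expiration = getDateClaim(ReservedClaimNames.EXPIRATION_TIME, jwtClaims);
        if (!expiration.isPresent()) {
            throw new UnauthenticatedException("Missing expiration field");
        }
        // Read nbf before comparing exp so that a malformed nbf is reported as such.
        Optional<NumericDate> notBefore = getDateClaim(ReservedClaimNames.NOT_BEFORE, jwtClaims);
        NumericDate now = NumericDate.fromMilliseconds(this.clock.currentTimeMillis());
        if (expiration.get().isBefore(now)) {
            throw new UnauthenticatedException("The auth token has already expired");
        }
        if (notBefore.isPresent() && notBefore.get().isAfter(now)) {
            throw new UnauthenticatedException("Current time is earlier than the \"nbf\" time");
        }
    }

    /**
     * Creates an authenticator from the service config fetched by {@link ServiceConfigFetcher},
     * using the system clock.
     *
     * @throws IllegalArgumentException if the service config has no authentication section
     */
    public static Authenticator create() {
        Service service = ServiceConfigFetcher.create().fetch();
        if (!service.hasAuthentication()) {
            throw new IllegalArgumentException("Authentication is not defined in service config");
        }
        return create(service.getAuthentication(), Clock.SYSTEM);
    }

    /**
     * Creates an authenticator for the given authentication config and clock, wiring the
     * caching decoder/verifier/JWKS-supplier chain over a fresh HTTP transport.
     *
     * @throws IllegalArgumentException if no providers are configured, or two providers share
     *     an issuer
     */
    @VisibleForTesting
    static Authenticator create(Authentication authentication, Clock clock) {
        List<AuthProvider> providers = authentication.getProvidersList();
        if (providers == null || providers.isEmpty()) {
            throw new IllegalArgumentException("No auth providers are defined in the config.");
        }
        // Fails fast on duplicate issuers, so the plain put() below cannot silently overwrite.
        Map<String, IssuerKeyUrlConfig> issuerKeyConfigs = generateIssuerKeyConfig(providers);
        Map<String, String> issuerToProviderId = new HashMap<>();
        for (AuthProvider provider : providers) {
            issuerToProviderId.put(provider.getIssuer(), provider.getId());
        }
        HttpRequestFactory requestFactory = new NetHttpTransport().createRequestFactory();
        AuthTokenDecoder decoder =
            new CachingAuthTokenDecoder(
                new DefaultAuthTokenDecoder(
                    new DefaultAuthTokenVerifier(
                        new CachingJwksSupplier(
                            new DefaultJwksSupplier(
                                requestFactory,
                                new DefaultKeyUriSupplier(requestFactory, issuerKeyConfigs))))));
        return new Authenticator(decoder, clock, ImmutableMap.copyOf(issuerToProviderId));
    }

    /**
     * Builds the per-issuer key-URL configuration used to locate each issuer's JWKS.
     *
     * <p>Providers without an issuer are skipped with a warning. A provider with a
     * {@code jwksUri} gets that URL; one without gets no URL and the first constructor flag set
     * (presumably "discover the key URL" — confirm in IssuerKeyUrlConfig).
     *
     * @throws IllegalArgumentException if two providers declare the same issuer
     */
    private static Map<String, IssuerKeyUrlConfig> generateIssuerKeyConfig(List<AuthProvider> list) {
        ImmutableMap.Builder<String, IssuerKeyUrlConfig> configs = ImmutableMap.builder();
        Set<String> seenIssuers = new HashSet<>();
        for (AuthProvider provider : list) {
            String issuer = provider.getIssuer();
            if (Strings.isNullOrEmpty(issuer)) {
                logger.atWarning().log("The 'issuer' field is not set in AuthProvider (%s)", provider);
                continue;
            }
            if (!seenIssuers.add(issuer)) {
                throw new IllegalArgumentException("Configuration contains multiple auth provider for the same issuer: " + issuer);
            }
            String jwksUri = provider.getJwksUri();
            IssuerKeyUrlConfig config = Strings.isNullOrEmpty(jwksUri)
                ? new IssuerKeyUrlConfig(true, Optional.<GenericUrl>absent())
                : new IssuerKeyUrlConfig(false, Optional.of(new GenericUrl(jwksUri)));
            configs.put(issuer, config);
        }
        return configs.build();
    }

    /**
     * Reads a numeric-date claim.
     *
     * @return the claim value, or absent if the claim is not present
     * @throws UnauthenticatedException if the claim is present but malformed (cause attached)
     */
    private static Optional<NumericDate> getDateClaim(String str, JwtClaims jwtClaims) {
        try {
            return Optional.fromNullable(jwtClaims.getNumericDateClaimValue(str));
        } catch (MalformedClaimException e) {
            throw new UnauthenticatedException(String.format("The \"%s\" claim is malformed", str), e);
        }
    }

    /**
     * Extracts the raw auth token from the request.
     *
     * <p>An {@code Authorization} header, when present, is authoritative: it must start with
     * {@code "Bearer "}, and there is no fallback to the request parameter if it does not. Only
     * when the header is absent is the {@code access_token} parameter consulted; tokens passed
     * that way may be recorded in request logs, unlike header-carried tokens.
     *
     * @return the token without its scheme prefix, or absent if none was found
     */
    private static Optional<String> extractAuthToken(HttpServletRequest httpServletRequest) {
        String header = httpServletRequest.getHeader("Authorization");
        if (header != null) {
            if (!header.startsWith(BEARER_TOKEN_PREFIX)) {
                return Optional.absent();
            }
            return Optional.of(header.substring(BEARER_TOKEN_PREFIX.length()));
        }
        String parameter = httpServletRequest.getParameter(ACCESS_TOKEN_PARAM_NAME);
        return parameter == null ? Optional.<String>absent() : Optional.of(parameter);
    }

    /**
     * Converts decoded claims into a {@link UserInfo}.
     *
     * <p>{@code aud}, {@code sub} and {@code iss} are required; {@code email} is passed through
     * as-is and may be null.
     *
     * @throws UnauthenticatedException if a required claim is missing or any claim is malformed
     */
    private static UserInfo toUserInfo(JwtClaims jwtClaims) {
        try {
            List<String> audience = jwtClaims.getAudience();
            if (audience == null || audience.isEmpty()) {
                throw new UnauthenticatedException("Missing audience field");
            }
            String email = jwtClaims.getClaimValue(EMAIL_CLAIM_NAME, String.class);
            String subject = jwtClaims.getSubject();
            if (subject == null) {
                throw new UnauthenticatedException("Missing subject field");
            }
            String issuer = jwtClaims.getIssuer();
            if (issuer == null) {
                throw new UnauthenticatedException("Missing issuer field");
            }
            return new UserInfo(audience, email, subject, issuer);
        } catch (MalformedClaimException e) {
            throw new UnauthenticatedException("Cannot read malformed claim", e);
        }
    }
}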
