package de.cidaas.quarkus.extension.token.validation;

import de.cidaas.quarkus.extension.runtime.CacheService;
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.inject.Inject;
import jakarta.json.JsonArray;
import jakarta.json.JsonObject;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import org.eclipse.microprofile.config.ConfigProvider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

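/**
 * Validates an access token locally ("offline") against the cached JWKS and the
 * claims carried in the token payload, without calling the identity provider.
 *
 * <p>Checks performed by the code in this class: the header's {@code kid}/{@code alg}
 * pair is listed in the cached JWKS, {@code iss} equals the configured base URL,
 * {@code exp} is not in the past, and the requested scopes / roles / groups are
 * present in the payload.
 *
 * <p>NOTE(review): no signature verification is visible in this class. The header
 * check only confirms that a key with the same {@code kid} and {@code alg} exists;
 * it does not prove the token was signed with that key. Confirm that
 * {@code JwtUtil} or the caller verifies the signature, otherwise every claim
 * evaluated here is attacker-controlled. {@code aud} and {@code nbf} are not
 * evaluated here either.
 */
@ApplicationScoped
public class OfflineTokenValidationService implements ValidationService {

    @Inject
    CacheService cacheService;
    private static final Logger LOG = LoggerFactory.getLogger(OfflineTokenValidationService.class);

    /**
     * Validates the token of the given request.
     *
     * <p>Header and general claims (issuer, expiry) must always pass. Scope, role and
     * group checks run only for the categories the request actually asks for. With
     * strict validation every requested category must pass; otherwise one passing
     * category is enough. A request that asks for no category passes once the header
     * and general checks succeed.
     *
     * @param tokenValidationRequest the token plus the required scopes, roles and groups
     * @return {@code true} if the token is accepted, {@code false} otherwise
     * @throws TokenValidationException if the cached JWKS is unusable or the header
     *         lacks {@code kid} or {@code alg}
     */
    @Override
    public boolean validateToken(TokenValidationRequest tokenValidationRequest) {
        JsonObject header = JwtUtil.decodeHeader(tokenValidationRequest.getToken());
        if (header == null || !validateTokenHeader(header)) {
            return false;
        }
        JsonObject payload = JwtUtil.decodePayload(tokenValidationRequest.getToken());
        if (payload == null || !validateGeneralInfo(payload)) {
            return false;
        }

        List<Boolean> outcomes = new ArrayList<>();
        if (tokenValidationRequest.getScopes() != null && !tokenValidationRequest.getScopes().isEmpty()) {
            outcomes.add(validateScopes(tokenValidationRequest, payload));
        }
        if (tokenValidationRequest.getRoles() != null && !tokenValidationRequest.getRoles().isEmpty()) {
            outcomes.add(validateRoles(tokenValidationRequest, payload));
        }
        if (tokenValidationRequest.getGroups() != null && !tokenValidationRequest.getGroups().isEmpty()) {
            outcomes.add(validateGroups(tokenValidationRequest, payload));
        }
        if (outcomes.isEmpty()) {
            return true;
        }
        return tokenValidationRequest.isStrictValidation()
                ? !outcomes.contains(Boolean.FALSE)
                : outcomes.contains(Boolean.TRUE);
    }

    /**
     * Checks that the token header names a key ({@code kid}) and algorithm
     * ({@code alg}) that both appear on the same entry of the cached JWKS.
     *
     * <p>This is a lookup only; it does not verify the token signature.
     *
     * @param jsonObject the decoded JWT header
     * @return {@code true} if a JWKS entry matches both {@code kid} and {@code alg}
     * @throws TokenValidationException if the JWKS is missing or has no keys, or the
     *         header lacks {@code kid} or {@code alg}
     */
    boolean validateTokenHeader(JsonObject jsonObject) {
        JsonObject jwks = this.cacheService.getJwks();
        if (jwks == null) {
            LOG.error("jwk is null!");
            throw new TokenValidationException("JWK invalid!");
        }
        JsonArray keys = jwks.getJsonArray("keys");
        if (keys == null || keys.isEmpty()) {
            LOG.error("keys couldn't be found!");
            throw new TokenValidationException("JWK invalid!");
        }
        String tokenKid = jsonObject.getString("kid", null);
        String tokenAlg = jsonObject.getString("alg", null);
        if (tokenKid == null || tokenAlg == null) {
            LOG.error("header is invalid!");
            throw new TokenValidationException("Header invalid!");
        }
        for (int i = 0; i < keys.size(); i++) {
            JsonObject key = keys.getJsonObject(i);
            // "alg" (and "kid") are optional members of a JWK; read them with a default so
            // an entry without them is skipped instead of raising NullPointerException.
            // A key that declares no alg still never matches, so the check stays strict.
            String keyKid = key.getString("kid", null);
            String keyAlg = key.getString("alg", null);
            if (tokenKid.equals(keyKid) && tokenAlg.equals(keyAlg)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Validates the issuer and expiry claims of the payload.
     *
     * <p>The issuer must equal the configured client base URL exactly. A token whose
     * {@code exp} is missing, not a number, or out of range is rejected rather than
     * causing a runtime exception.
     *
     * @param jsonObject the decoded JWT payload
     * @return {@code true} if {@code iss} matches and {@code exp} is not in the past
     */
    boolean validateGeneralInfo(JsonObject jsonObject) {
        String expectedIssuer = ConfigProvider.getConfig()
                .getValue("de.cidaas.quarkus.extension.runtime.CidaasClient/mp-rest/url", String.class);
        String issuer = jsonObject.getString("iss", null);
        if (issuer == null) {
            LOG.warn("token doesn't have iss!");
            return false;
        }
        if (!issuer.equals(expectedIssuer)) {
            LOG.warn("iss is invalid!");
            return false;
        }
        Long expiresAt = readEpochSeconds(jsonObject, "exp");
        if (expiresAt == null
                || expiresAt.longValue() > Instant.MAX.getEpochSecond()
                || expiresAt.longValue() < Instant.MIN.getEpochSecond()) {
            // Fail closed: a token without a usable expiry must not be accepted.
            LOG.warn("token doesn't have a valid exp!");
            return false;
        }
        if (Instant.ofEpochSecond(expiresAt.longValue()).compareTo(Instant.now()) >= 0) {
            return true;
        }
        LOG.warn("token is expired!");
        return false;
    }

    /**
     * Checks the {@code scopes} claim against the scopes required by the request.
     * Strict scope validation requires all of them, otherwise any one is enough.
     */
    private boolean validateScopes(TokenValidationRequest tokenValidationRequest, JsonObject jsonObject) {
        JsonArray claim = jsonObject.getJsonArray("scopes");
        if (claim == null) {
            return false;
        }
        List<String> granted = stringValues(claim);
        boolean satisfied;
        if (tokenValidationRequest.isStrictScopeValidation()) {
            satisfied = granted.containsAll(tokenValidationRequest.getScopes());
        } else {
            satisfied = granted.stream().anyMatch(scope -> tokenValidationRequest.getScopes().contains(scope));
        }
        if (!satisfied) {
            LOG.warn("token doesn't have enough scopes!");
        }
        return satisfied;
    }

    /**
     * Checks the {@code roles} claim against the roles required by the request.
     * Strict role validation requires all of them, otherwise any one is enough.
     */
    private boolean validateRoles(TokenValidationRequest tokenValidationRequest, JsonObject jsonObject) {
        JsonArray claim = jsonObject.getJsonArray("roles");
        if (claim == null) {
            return false;
        }
        List<String> granted = stringValues(claim);
        boolean satisfied;
        if (tokenValidationRequest.isStrictRoleValidation()) {
            satisfied = granted.containsAll(tokenValidationRequest.getRoles());
        } else {
            satisfied = granted.stream().anyMatch(role -> tokenValidationRequest.getRoles().contains(role));
        }
        if (!satisfied) {
            LOG.warn("token doesn't have enough roles!");
        }
        return satisfied;
    }

    /**
     * Checks the {@code groups} claim against the groups required by the request.
     * Strict group validation requires every requested group to match; otherwise
     * the first matching group is enough.
     */
    private boolean validateGroups(TokenValidationRequest tokenValidationRequest, JsonObject jsonObject) {
        JsonArray claim = jsonObject.getJsonArray("groups");
        if (claim == null) {
            return false;
        }
        boolean strict = tokenValidationRequest.isStrictGroupValidation();

        List<Group> tokenGroups = new ArrayList<>();
        for (int i = 0; i < claim.size(); i++) {
            JsonObject entry = claim.getJsonObject(i);
            String groupId = entry.getString("groupId", null);
            if (groupId == null) {
                // An entry without an id cannot match any requested group; skip it
                // instead of failing with NullPointerException on a malformed claim.
                continue;
            }
            JsonArray roles = entry.getJsonArray("roles");
            List<String> roleNames = roles == null ? new ArrayList<String>() : stringValues(roles);
            tokenGroups.add(new Group(groupId, roleNames));
        }

        boolean allMatched = true;
        for (Group requested : tokenValidationRequest.getGroups()) {
            boolean matched = validateGroup(requested, tokenGroups);
            if (matched && !strict) {
                return true;
            }
            if (!matched) {
                allMatched = false;
                if (strict) {
                    LOG.warn("token doesn't have enough groups!");
                    return false;
                }
            }
        }
        return allMatched;
    }

    /**
     * Checks one requested group against the groups found in the token. The group id
     * must match; the group's own strict-role flag decides whether all requested
     * roles or just one of them must be present on that token group.
     */
    private boolean validateGroup(Group group, List<Group> list) {
        String wantedId = group.getGroupId();
        List<String> wantedRoles = group.getRoles();
        boolean strictRoles = group.isStrictRoleValidation();
        for (Group candidate : list) {
            if (!candidate.getGroupId().equals(wantedId)) {
                continue;
            }
            boolean rolesOk = strictRoles
                    ? candidate.getRoles().containsAll(wantedRoles)
                    : candidate.getRoles().stream().anyMatch(wantedRoles::contains);
            if (rolesOk) {
                return true;
            }
        }
        LOG.warn("grouproles is invalid!");
        return false;
    }

    /**
     * Collects the string elements of a JSON array. Elements that are not JSON
     * strings are ignored, so a malformed claim can only grant less, never more.
     */
    private static List<String> stringValues(JsonArray array) {
        List<String> values = new ArrayList<>(array.size());
        for (int i = 0; i < array.size(); i++) {
            String value = array.getString(i, null);
            if (value != null) {
                values.add(value);
            }
        }
        return values;
    }

    /**
     * Reads a numeric date claim as whole epoch seconds.
     *
     * @return the claim value, or {@code null} if it is absent or not a JSON number
     */
    private static Long readEpochSeconds(JsonObject claims, String name) {
        if (!claims.containsKey(name)) {
            return null;
        }
        try {
            // long instead of int: an int-typed read cannot represent expiry
            // timestamps beyond January 2038.
            return claims.getJsonNumber(name).longValue();
        } catch (ClassCastException notANumber) {
            // The claim is present but is not a JSON number (e.g. a string or null).
            return null;
        }
    }
}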
