package otoroshi.plugins.core.apikeys;

import akka.actor.ActorRef;
import akka.http.scaladsl.util.FastFuture$;
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.interfaces.Claim;
import com.auth0.jwt.interfaces.DecodedJWT;
import java.util.concurrent.atomic.AtomicReference;
import otoroshi.env.Env;
import otoroshi.events.OtoroshiEvent;
import otoroshi.models.ApiKey;
import otoroshi.models.ServiceDescriptor;
import otoroshi.next.plugins.api.NgPluginCategory;
import otoroshi.next.plugins.api.NgPluginCategory$Apikey$;
import otoroshi.next.plugins.api.NgPluginVisibility;
import otoroshi.next.plugins.api.NgPluginVisibility$NgInternal$;
import otoroshi.next.plugins.api.NgStep;
import otoroshi.next.plugins.api.NgStep$PreRoute$;
import otoroshi.plugins.Keys$;
import otoroshi.script.NamedPlugin;
import otoroshi.script.PluginType;
import otoroshi.script.PreRouting;
import otoroshi.script.PreRoutingContext;
import otoroshi.ssl.DynamicSSLEngineProvider$;
import otoroshi.utils.http.RequestImplicits$;
import otoroshi.utils.http.RequestImplicits$EnhancedRequestHeader$;
import otoroshi.utils.syntax.implicits$;
import otoroshi.utils.syntax.implicits$BetterDecodedJWT$;
import otoroshi.utils.syntax.implicits$BetterSyntax$;
import play.api.libs.json.JsObject;
import play.api.libs.typedmap.TypedEntry;
import play.api.mvc.RequestHeader;
import scala.MatchError;
import scala.None$;
import scala.Option;
import scala.Option$;
import scala.Predef$;
import scala.Some;
import scala.collection.Seq;
import scala.collection.immutable.$colon;
import scala.collection.immutable.Nil$;
import scala.collection.immutable.StringOps;
import scala.concurrent.ExecutionContext;
import scala.concurrent.Future;
import scala.reflect.ScalaSignature;
import scala.runtime.BoxedUnit;
import scala.runtime.BoxesRunTime;
import scala.util.Failure;
import scala.util.Success;
import scala.util.Try;
import scala.util.Try$;

/* compiled from: apikeys.scala */
@ScalaSignature(bytes = "\u0006\u0001Y4A!\u0003\u0006\u0001'!)\u0001\u0005\u0001C\u0001C!)Q\u0002\u0001C!I!)\u0001\u0006\u0001C!S!)Q\u0007\u0001C!m!)!\b\u0001C\u0001w!)Q\t\u0001C\u0001\r\")1\u000b\u0001C\u0001)\")\u0011\f\u0001C!5\n\u0011\"j\u001e;Ba&\\W-_#yiJ\f7\r^8s\u0015\tYA\"A\u0004ba&\\W-_:\u000b\u00055q\u0011\u0001B2pe\u0016T!a\u0004\t\u0002\u000fAdWoZ5og*\t\u0011#\u0001\u0005pi>\u0014xn\u001d5j\u0007\u0001\u00192\u0001\u0001\u000b\u001b!\t)\u0002$D\u0001\u0017\u0015\u00059\u0012!B:dC2\f\u0017BA\r\u0017\u0005\u0019\te.\u001f*fMB\u00111DH\u0007\u00029)\u0011Q\u0004E\u0001\u0007g\u000e\u0014\u0018\u000e\u001d;\n\u0005}a\"A\u0003)sKJ{W\u000f^5oO\u00061A(\u001b8jiz\"\u0012A\t\t\u0003G\u0001i\u0011AC\u000b\u0002KA\u0011QCJ\u0005\u0003OY\u0011qAQ8pY\u0016\fg.\u0001\u0003oC6,W#\u0001\u0016\u0011\u0005-\u0012dB\u0001\u00171!\tic#D\u0001/\u0015\ty##\u0001\u0004=e>|GOP\u0005\u0003cY\ta\u0001\u0015:fI\u00164\u0017BA\u001a5\u0005\u0019\u0019FO]5oO*\u0011\u0011GF\u0001\fI\u0016\u001c8M]5qi&|g.F\u00018!\r)\u0002HK\u0005\u0003sY\u0011aa\u00149uS>t\u0017A\u0003<jg&\u0014\u0017\u000e\\5usV\tA\b\u0005\u0002>\u00076\taH\u0003\u0002@\u0001\u0006\u0019\u0011\r]5\u000b\u0005=\t%B\u0001\"\u0011\u0003\u0011qW\r\u001f;\n\u0005\u0011s$A\u0005(h!2,x-\u001b8WSNL'-\u001b7jif\f!bY1uK\u001e|'/[3t+\u00059\u0005c\u0001%N!:\u0011\u0011j\u0013\b\u0003[)K\u0011aF\u0005\u0003\u0019Z\tq\u0001]1dW\u0006<W-\u0003\u0002O\u001f\n\u00191+Z9\u000b\u000513\u0002CA\u001fR\u0013\t\u0011fH\u0001\tOOBcWoZ5o\u0007\u0006$XmZ8ss\u0006)1\u000f^3qgV\tQ\u000bE\u0002I\u001bZ\u0003\"!P,\n\u0005as$A\u0002(h'R,\u0007/\u0001\u0005qe\u0016\u0014v.\u001e;f)\tY\u0016\u000fF\u0002]K2\u00042!\u00181c\u001b\u0005q&BA0\u0017\u0003)\u0019wN\\2veJ,g\u000e^\u0005\u0003Cz\u0013aAR;ukJ,\u0007CA\u000bd\u0013\t!gC\u0001\u0003V]&$\b\"\u00024\t\u0001\b9\u0017aA3omB\u0011\u0001N[\u0007\u0002S*\u0011a\rE\u0005\u0003W&\u00141!\u00128w\u0011\u0015i\u0007\u0002q\u0001o\u0003\t)7\r\u0005\u0002^_&\u0011\u0001O\u0018\u0002\u0011\u000bb,7-\u001e;j_:\u001cuN\u001c;fqRDQA\u001d\u0005A\u0002M\f1a\u0019;y!\tYB/\u0003\u0002v9\t\t\u0002K]3S_V$\u0018N\\4D_:$X\r\u001f;")
/* loaded from: input_file:otoroshi/plugins/core/apikeys/JwtApikeyExtractor.class */
public class JwtApikeyExtractor implements PreRouting {
    private final AtomicReference<ActorRef> otoroshi$script$InternalEventListener$$ref;
    private final Future<BoxedUnit> funit;

    @Override // otoroshi.script.PreRouting, otoroshi.script.NamedPlugin
    public PluginType pluginType() {
        PluginType pluginType;
        pluginType = pluginType();
        return pluginType;
    }

    @Override // otoroshi.script.InternalEventListener
    public boolean listening() {
        boolean listening;
        listening = listening();
        return listening;
    }

    @Override // otoroshi.script.InternalEventListener
    public void onEvent(OtoroshiEvent otoroshiEvent, Env env) {
        onEvent(otoroshiEvent, env);
    }

    @Override // otoroshi.script.InternalEventListener
    public void startEvent(String str, Env env) {
        startEvent(str, env);
    }

    @Override // otoroshi.script.InternalEventListener
    public void stopEvent(Env env) {
        stopEvent(env);
    }

    @Override // otoroshi.script.NamedPlugin
    public boolean deprecated() {
        boolean deprecated;
        deprecated = deprecated();
        return deprecated;
    }

    @Override // otoroshi.script.NamedPlugin
    public String internalName() {
        String internalName;
        internalName = internalName();
        return internalName;
    }

    @Override // otoroshi.script.NamedPlugin
    public Option<String> documentation() {
        Option<String> documentation;
        documentation = documentation();
        return documentation;
    }

    @Override // otoroshi.script.NamedPlugin
    public Option<JsObject> defaultConfig() {
        Option<JsObject> defaultConfig;
        defaultConfig = defaultConfig();
        return defaultConfig;
    }

    @Override // otoroshi.script.NamedPlugin
    public Option<String> configRoot() {
        Option<String> configRoot;
        configRoot = configRoot();
        return configRoot;
    }

    @Override // otoroshi.script.NamedPlugin
    /* renamed from: configSchema */
    public Option<JsObject> mo650configSchema() {
        Option<JsObject> mo650configSchema;
        mo650configSchema = mo650configSchema();
        return mo650configSchema;
    }

    @Override // otoroshi.script.NamedPlugin
    public Seq<String> configFlow() {
        Seq<String> configFlow;
        configFlow = configFlow();
        return configFlow;
    }

    @Override // otoroshi.script.NamedPlugin
    public JsObject jsonDescription() {
        JsObject jsonDescription;
        jsonDescription = jsonDescription();
        return jsonDescription;
    }

    @Override // otoroshi.script.StartableAndStoppable
    public Future<BoxedUnit> startWithPluginId(String str, Env env) {
        Future<BoxedUnit> startWithPluginId;
        startWithPluginId = startWithPluginId(str, env);
        return startWithPluginId;
    }

    @Override // otoroshi.script.StartableAndStoppable
    public Future<BoxedUnit> start(Env env) {
        Future<BoxedUnit> start;
        start = start(env);
        return start;
    }

    @Override // otoroshi.script.StartableAndStoppable
    public Future<BoxedUnit> stop(Env env) {
        Future<BoxedUnit> stop;
        stop = stop(env);
        return stop;
    }

    @Override // otoroshi.script.InternalEventListener
    public AtomicReference<ActorRef> otoroshi$script$InternalEventListener$$ref() {
        return this.otoroshi$script$InternalEventListener$$ref;
    }

    @Override // otoroshi.script.InternalEventListener
    public final void otoroshi$script$InternalEventListener$_setter_$otoroshi$script$InternalEventListener$$ref_$eq(AtomicReference<ActorRef> atomicReference) {
        this.otoroshi$script$InternalEventListener$$ref = atomicReference;
    }

    @Override // otoroshi.script.StartableAndStoppable
    public Future<BoxedUnit> funit() {
        return this.funit;
    }

    @Override // otoroshi.script.StartableAndStoppable
    public void otoroshi$script$StartableAndStoppable$_setter_$funit_$eq(Future<BoxedUnit> future) {
        this.funit = future;
    }

    @Override // otoroshi.script.NamedPlugin
    public boolean core() {
        return true;
    }

    @Override // otoroshi.script.NamedPlugin
    public String name() {
        return "[CORE PLUGIN] Extract apikey from a JWT token";
    }

    @Override // otoroshi.script.NamedPlugin
    public Option<String> description() {
        return implicits$BetterSyntax$.MODULE$.some$extension(implicits$.MODULE$.BetterSyntax(new StringOps(Predef$.MODULE$.augmentString("This plugin extract an apikey from a JWT token signed by the apikey secret. It uses the service descriptor configuration.")).stripMargin()));
    }

    @Override // otoroshi.script.NamedPlugin
    public NgPluginVisibility visibility() {
        return NgPluginVisibility$NgInternal$.MODULE$;
    }

    @Override // otoroshi.script.NamedPlugin
    public Seq<NgPluginCategory> categories() {
        return new $colon.colon<>(NgPluginCategory$Apikey$.MODULE$, Nil$.MODULE$);
    }

    @Override // otoroshi.script.NamedPlugin
    public Seq<NgStep> steps() {
        return new $colon.colon<>(NgStep$PreRoute$.MODULE$, Nil$.MODULE$);
    }

    @Override // otoroshi.script.PreRouting
    public Future<BoxedUnit> preRoute(PreRoutingContext preRoutingContext, Env env, ExecutionContext executionContext) {
        Future<BoxedUnit> funit;
        Future<BoxedUnit> future;
        Option option = preRoutingContext.attrs().get(Keys$.MODULE$.ApiKeyKey());
        if (option instanceof Some) {
            future = implicits$BetterSyntax$.MODULE$.future$extension(implicits$.MODULE$.BetterSyntax(BoxedUnit.UNIT));
        } else {
            if (!None$.MODULE$.equals(option)) {
                throw new MatchError(option);
            }
            RequestHeader request = preRoutingContext.request();
            ServiceDescriptor descriptor = preRoutingContext.descriptor();
            Option filter = request.headers().get((String) descriptor.apiKeyConstraints().jwtAuth().headerName().getOrElse(() -> {
                return env.Headers().OtoroshiBearer();
            })).orElse(() -> {
                return request.headers().get("Authorization").filter(str -> {
                    return BoxesRunTime.boxToBoolean(str.startsWith("Bearer "));
                });
            }).map(str -> {
                return str.replace("Bearer ", "");
            }).orElse(() -> {
                return request.queryString().get(descriptor.apiKeyConstraints().jwtAuth().queryName().getOrElse(() -> {
                    return env.Headers().OtoroshiBearerAuthorization();
                })).flatMap(seq -> {
                    return seq.lastOption();
                });
            }).orElse(() -> {
                return request.cookies().get((String) descriptor.apiKeyConstraints().jwtAuth().cookieName().getOrElse(() -> {
                    return env.Headers().OtoroshiJWTAuthorization();
                })).map(cookie -> {
                    return cookie.value();
                });
            }).filter(str2 -> {
                return BoxesRunTime.boxToBoolean($anonfun$preRoute$11(str2));
            });
            if (filter.isDefined() && descriptor.apiKeyConstraints().jwtAuth().enabled()) {
                String str3 = (String) filter.get();
                funit = (Future) Try$.MODULE$.apply(() -> {
                    return JWT.decode(str3);
                }).map(decodedJWT -> {
                    Future future$extension;
                    Some orElse = implicits$BetterDecodedJWT$.MODULE$.claimStr$extension(implicits$.MODULE$.BetterDecodedJWT(decodedJWT), "clientId").orElse(() -> {
                        return implicits$BetterDecodedJWT$.MODULE$.claimStr$extension(implicits$.MODULE$.BetterDecodedJWT(decodedJWT), "client_id");
                    }).orElse(() -> {
                        return implicits$BetterDecodedJWT$.MODULE$.claimStr$extension(implicits$.MODULE$.BetterDecodedJWT(decodedJWT), "cid");
                    }).orElse(() -> {
                        return implicits$BetterDecodedJWT$.MODULE$.claimStr$extension(implicits$.MODULE$.BetterDecodedJWT(decodedJWT), "iss");
                    });
                    if (orElse instanceof Some) {
                        future$extension = env.datastores().apiKeyDataStore().findAuthorizeKeyFor((String) orElse.value(), descriptor.id(), executionContext, env).flatMap(option2 -> {
                            Future future$extension2;
                            Future future$extension3;
                            Future future$extension4;
                            if (option2 instanceof Some) {
                                ApiKey apiKey = (ApiKey) ((Some) option2).value();
                                Option option2 = apiKey.metadata().get("jwt-sign-keypair");
                                Option flatMap = Option$.MODULE$.apply(decodedJWT.getKeyId()).orElse(() -> {
                                    return option2;
                                }).filter(str4 -> {
                                    return BoxesRunTime.boxToBoolean($anonfun$preRoute$19(descriptor, str4));
                                }).filter(str5 -> {
                                    return BoxesRunTime.boxToBoolean($anonfun$preRoute$20(option2, str5));
                                }).flatMap(str6 -> {
                                    return DynamicSSLEngineProvider$.MODULE$.certificates().get(str6);
                                });
                                Some collect = Option$.MODULE$.apply(decodedJWT.getAlgorithm()).collect(new JwtApikeyExtractor$$anonfun$1(null, descriptor, apiKey, flatMap, flatMap.map(cert -> {
                                    return cert.cryptoKeyPair();
                                })));
                                Option map = Option$.MODULE$.apply(decodedJWT.getClaim("exp")).filterNot(claim -> {
                                    return BoxesRunTime.boxToBoolean(claim.isNull());
                                }).map(claim2 -> {
                                    return claim2.asLong();
                                });
                                Option map2 = Option$.MODULE$.apply(decodedJWT.getClaim("iat")).filterNot(claim3 -> {
                                    return BoxesRunTime.boxToBoolean(claim3.isNull());
                                }).map(claim4 -> {
                                    return claim4.asLong();
                                });
                                Option map3 = Option$.MODULE$.apply(decodedJWT.getClaim("httpPath")).filterNot(claim5 -> {
                                    return BoxesRunTime.boxToBoolean(claim5.isNull());
                                }).map(claim6 -> {
                                    return claim6.asString();
                                });
                                Option map4 = Option$.MODULE$.apply(decodedJWT.getClaim("httpVerb")).filterNot(claim7 -> {
                                    return BoxesRunTime.boxToBoolean(claim7.isNull());
                                }).map(claim8 -> {
                                    return claim8.asString();
                                });
                                Option map5 = Option$.MODULE$.apply(decodedJWT.getClaim("httpHost")).filterNot(claim9 -> {
                                    return BoxesRunTime.boxToBoolean(claim9.isNull());
                                }).map(claim10 -> {
                                    return claim10.asString();
                                });
                                if (collect instanceof Some) {
                                    JWTVerifier build = JWT.require((Algorithm) collect.value()).acceptLeeway(10L).build();
                                    Try filter2 = Try$.MODULE$.apply(() -> {
                                        return build.verify(str3);
                                    }).filter(decodedJWT -> {
                                        return BoxesRunTime.boxToBoolean($anonfun$preRoute$34(request, decodedJWT));
                                    }).filter(decodedJWT2 -> {
                                        return BoxesRunTime.boxToBoolean($anonfun$preRoute$35(descriptor, map, map2, decodedJWT2));
                                    }).filter(decodedJWT3 -> {
                                        return BoxesRunTime.boxToBoolean($anonfun$preRoute$38(descriptor, map3, request, map4, map5, env, decodedJWT3));
                                    });
                                    if (filter2 instanceof Success) {
                                        preRoutingContext.attrs().put(Predef$.MODULE$.wrapRefArray(new TypedEntry[]{Keys$.MODULE$.ApiKeyKey().$minus$greater(apiKey)}));
                                        future$extension4 = implicits$BetterSyntax$.MODULE$.future$extension(implicits$.MODULE$.BetterSyntax(BoxedUnit.UNIT));
                                    } else {
                                        if (!(filter2 instanceof Failure)) {
                                            throw new MatchError(filter2);
                                        }
                                        future$extension4 = implicits$BetterSyntax$.MODULE$.future$extension(implicits$.MODULE$.BetterSyntax(BoxedUnit.UNIT));
                                    }
                                    future$extension3 = future$extension4;
                                } else {
                                    if (!None$.MODULE$.equals(collect)) {
                                        throw new MatchError(collect);
                                    }
                                    future$extension3 = implicits$BetterSyntax$.MODULE$.future$extension(implicits$.MODULE$.BetterSyntax(BoxedUnit.UNIT));
                                }
                                future$extension2 = future$extension3;
                            } else {
                                if (!None$.MODULE$.equals(option2)) {
                                    throw new MatchError(option2);
                                }
                                future$extension2 = implicits$BetterSyntax$.MODULE$.future$extension(implicits$.MODULE$.BetterSyntax(BoxedUnit.UNIT));
                            }
                            return future$extension2;
                        }, executionContext);
                    } else {
                        if (!None$.MODULE$.equals(orElse)) {
                            throw new MatchError(orElse);
                        }
                        future$extension = implicits$BetterSyntax$.MODULE$.future$extension(implicits$.MODULE$.BetterSyntax(BoxedUnit.UNIT));
                    }
                    return future$extension;
                }).getOrElse(() -> {
                    return implicits$BetterSyntax$.MODULE$.future$extension(implicits$.MODULE$.BetterSyntax(BoxedUnit.UNIT));
                });
            } else {
                funit = funit();
            }
            future = funit;
        }
        return future;
    }

    public static final /* synthetic */ boolean $anonfun$preRoute$11(String str) {
        return str.split("\\.").length == 3;
    }

    public static final /* synthetic */ boolean $anonfun$preRoute$19(ServiceDescriptor serviceDescriptor, String str) {
        return serviceDescriptor.apiKeyConstraints().jwtAuth().keyPairSigned();
    }

    public static final /* synthetic */ boolean $anonfun$preRoute$20(Option option, String str) {
        if (!option.isDefined()) {
            return true;
        }
        Object obj = option.get();
        return obj != null ? obj.equals(str) : str == null;
    }

    public static final /* synthetic */ boolean $anonfun$preRoute$34(RequestHeader requestHeader, DecodedJWT decodedJWT) {
        Claim claim = decodedJWT.getClaim("xsrfToken");
        Option option = requestHeader.headers().get("X-XSRF-TOKEN");
        if (claim.isNull() || !option.isDefined()) {
            return claim.isNull() || !option.isEmpty();
        }
        String asString = claim.asString();
        Object obj = option.get();
        return asString != null ? asString.equals(obj) : obj == null;
    }

    public static final /* synthetic */ boolean $anonfun$preRoute$35(ServiceDescriptor serviceDescriptor, Option option, Option option2, DecodedJWT decodedJWT) {
        return BoxesRunTime.unboxToBoolean(serviceDescriptor.apiKeyConstraints().jwtAuth().maxJwtLifespanSecs().map(j -> {
            return (option.isEmpty() || option2.isEmpty() || Predef$.MODULE$.Long2long((Long) option.get()) - Predef$.MODULE$.Long2long((Long) option2.get()) > j) ? false : true;
        }).getOrElse(() -> {
            return true;
        }));
    }

    public static final /* synthetic */ boolean $anonfun$preRoute$39(RequestHeader requestHeader, String str) {
        String relativeUri$extension = RequestImplicits$EnhancedRequestHeader$.MODULE$.relativeUri$extension(RequestImplicits$.MODULE$.EnhancedRequestHeader(requestHeader));
        return str != null ? str.equals(relativeUri$extension) : relativeUri$extension == null;
    }

    public static final /* synthetic */ boolean $anonfun$preRoute$40(RequestHeader requestHeader, String str) {
        String lowerCase = str.toLowerCase();
        String lowerCase2 = requestHeader.method().toLowerCase();
        return lowerCase != null ? lowerCase.equals(lowerCase2) : lowerCase2 == null;
    }

    public static final /* synthetic */ boolean $anonfun$preRoute$41(RequestHeader requestHeader, Env env, String str) {
        String lowerCase = str.toLowerCase();
        String theHost$extension = RequestImplicits$EnhancedRequestHeader$.MODULE$.theHost$extension(RequestImplicits$.MODULE$.EnhancedRequestHeader(requestHeader), env);
        return lowerCase != null ? lowerCase.equals(theHost$extension) : theHost$extension == null;
    }

    public static final /* synthetic */ boolean $anonfun$preRoute$38(ServiceDescriptor serviceDescriptor, Option option, RequestHeader requestHeader, Option option2, Option option3, Env env, DecodedJWT decodedJWT) {
        if (serviceDescriptor.apiKeyConstraints().jwtAuth().includeRequestAttributes()) {
            return option.exists(str -> {
                return BoxesRunTime.boxToBoolean($anonfun$preRoute$39(requestHeader, str));
            }) && option2.exists(str2 -> {
                return BoxesRunTime.boxToBoolean($anonfun$preRoute$40(requestHeader, str2));
            }) && option3.exists(str3 -> {
                return BoxesRunTime.boxToBoolean($anonfun$preRoute$41(requestHeader, env, str3));
            });
        }
        return true;
    }

    public JwtApikeyExtractor() {
        otoroshi$script$StartableAndStoppable$_setter_$funit_$eq((Future) FastFuture$.MODULE$.successful().apply(BoxedUnit.UNIT));
        NamedPlugin.$init$(this);
        otoroshi$script$InternalEventListener$_setter_$otoroshi$script$InternalEventListener$$ref_$eq(new AtomicReference<>());
        PreRouting.$init$((PreRouting) this);
    }
}
