package io.toolsplus.atlassian.connect.play.auth.jwt;

import cats.data.EitherT;
import cats.implicits$;
import cats.syntax.EitherOps$;
import com.google.inject.Inject;
import com.nimbusds.jwt.JWTClaimsSet;
import io.toolsplus.atlassian.connect.play.api.models.AppProperties;
import io.toolsplus.atlassian.connect.play.api.models.AtlassianHost;
import io.toolsplus.atlassian.connect.play.api.models.AtlassianHostUser;
import io.toolsplus.atlassian.connect.play.api.models.DefaultAtlassianHostUser;
import io.toolsplus.atlassian.connect.play.api.repositories.AtlassianHostRepository;
import io.toolsplus.atlassian.jwt.HttpRequestCanonicalizer$;
import io.toolsplus.atlassian.jwt.Jwt;
import io.toolsplus.atlassian.jwt.JwtParser$;
import io.toolsplus.atlassian.jwt.JwtReader;
import play.api.Logger;
import play.api.Logger$;
import play.api.MarkerContext$;
import scala.MatchError;
import scala.None$;
import scala.Option;
import scala.Option$;
import scala.Some;
import scala.collection.JavaConverters$;
import scala.collection.LinearSeqOptimized;
import scala.collection.TraversableOnce;
import scala.collection.immutable.$colon;
import scala.collection.immutable.List;
import scala.collection.immutable.List$;
import scala.collection.immutable.Nil$;
import scala.concurrent.ExecutionContext$Implicits$;
import scala.concurrent.Future;
import scala.package$;
import scala.reflect.ScalaSignature;
import scala.util.Either;
import scala.util.Right;

/* compiled from: JwtAuthenticationProvider.scala */
@ScalaSignature(bytes = "\u0006\u0001\u0005%f\u0001B\u0001\u0003\u0001E\u0011\u0011DS<u\u0003V$\b.\u001a8uS\u000e\fG/[8o!J|g/\u001b3fe*\u00111\u0001B\u0001\u0004U^$(BA\u0003\u0007\u0003\u0011\tW\u000f\u001e5\u000b\u0005\u001dA\u0011\u0001\u00029mCfT!!\u0003\u0006\u0002\u000f\r|gN\\3di*\u00111\u0002D\u0001\nCRd\u0017m]:jC:T!!\u0004\b\u0002\u0013Q|w\u000e\\:qYV\u001c(\"A\b\u0002\u0005%|7\u0001A\n\u0003\u0001I\u0001\"a\u0005\f\u000e\u0003QQ\u0011!F\u0001\u0006g\u000e\fG.Y\u0005\u0003/Q\u0011a!\u00118z%\u00164\u0007\u0002C\r\u0001\u0005\u0003\u0005\u000b\u0011\u0002\u000e\u0002\u001d!|7\u000f\u001e*fa>\u001c\u0018\u000e^8ssB\u00111\u0004I\u0007\u00029)\u0011QDH\u0001\re\u0016\u0004xn]5u_JLWm\u001d\u0006\u0003?\u0019\t1!\u00199j\u0013\t\tCDA\fBi2\f7o]5b]\"{7\u000f\u001e*fa>\u001c\u0018\u000e^8ss\"A1\u0005\u0001B\u0001B\u0003%A%\u0001\nbI\u0012|gnQ8oM&<WO]1uS>t\u0007CA\u0013)\u001b\u00051#BA\u0014\u001f\u0003\u0019iw\u000eZ3mg&\u0011\u0011F\n\u0002\u000e\u0003B\u0004\bK]8qKJ$\u0018.Z:\t\u000b-\u0002A\u0011\u0001\u0017\u0002\rqJg.\u001b;?)\ris\u0006\r\t\u0003]\u0001i\u0011A\u0001\u0005\u00063)\u0002\rA\u0007\u0005\u0006G)\u0002\r\u0001\n\u0015\u0003UI\u0002\"a\r\u001e\u000e\u0003QR!!\u000e\u001c\u0002\r%t'.Z2u\u0015\t9\u0004(\u0001\u0004h_><G.\u001a\u0006\u0002s\u0005\u00191m\\7\n\u0005m\"$AB%oU\u0016\u001cG\u000fC\u0004>\u0001\t\u0007I\u0011\u0002 
\u0002\r1|wmZ3s+\u0005y\u0004C\u0001!D\u001b\u0005\t%BA\u0010C\u0015\u00059\u0011B\u0001#B\u0005\u0019aunZ4fe\"1a\t\u0001Q\u0001\n}\nq\u0001\\8hO\u0016\u0014\b\u0005C\u0003I\u0001\u0011\u0005\u0011*\u0001\u0007bkRDWM\u001c;jG\u0006$X\r\u0006\u0002K=B)1\n\u0015*Y76\tAJ\u0003\u0002N\u001d\u0006!A-\u0019;b\u0015\u0005y\u0015\u0001B2biNL!!\u0015'\u0003\u000f\u0015KG\u000f[3s)B\u00111KV\u0007\u0002)*\u0011Q\u000bF\u0001\u000bG>t7-\u001e:sK:$\u0018BA,U\u0005\u00191U\u000f^;sKB\u0011a&W\u0005\u00035\n\u0011aCS<u\u0003V$\b.\u001a8uS\u000e\fG/[8o\u000bJ\u0014xN\u001d\t\u0003KqK!!\u0018\u0014\u0003#\u0005#H.Y:tS\u0006t\u0007j\\:u+N,'\u000fC\u0003`\u000f\u0002\u0007\u0001-\u0001\bkoR\u001c%/\u001a3f]RL\u0017\r\\:\u0011\u00059\n\u0017B\u00012\u0003\u00059Qu\u000f^\"sK\u0012,g\u000e^5bYNDQ\u0001\u001a\u0001\u0005\n\u0015\f\u0001\u0002]1sg\u0016Tu\u000f\u001e\u000b\u0003M^\u0004BaZ8Ye:\u0011\u0001.\u001c\b\u0003S2l\u0011A\u001b\u0006\u0003WB\ta\u0001\u0010:p_Rt\u0014\"A\u000b\n\u00059$\u0012a\u00029bG.\fw-Z\u0005\u0003aF\u0014a!R5uQ\u0016\u0014(B\u00018\u0015!\t\u0019X/D\u0001u\u0015\t\u0019!\"\u0003\u0002wi\n\u0019!j\u001e;\t\u000ba\u001c\u0007\u0019A=\u0002\rI\fwOS<u!\tQhP\u0004\u0002|yB\u0011\u0011\u000eF\u0005\u0003{R\ta\u0001\u0015:fI\u00164\u0017bA@\u0002\u0002\t11\u000b\u001e:j]\u001eT!! 
\u000b\t\u000f\u0005\u0015\u0001\u0001\"\u0003\u0002\b\u0005\u0001R\r\u001f;sC\u000e$8\t\\5f]R\\U-\u001f\u000b\u0005\u0003\u0013\tY\u0001\u0005\u0003h_bK\bBB\u0002\u0002\u0004\u0001\u0007!\u000fC\u0004\u0002\u0010\u0001!I!!\u0005\u0002%\u0019,Go\u00195Bi2\f7o]5b]\"{7\u000f\u001e\u000b\u0005\u0003'\tY\u0002\u0005\u0004L!JC\u0016Q\u0003\t\u0004K\u0005]\u0011bAA\rM\ti\u0011\t\u001e7bgNL\u0017M\u001c%pgRDq!!\b\u0002\u000e\u0001\u0007\u00110A\u0005dY&,g\u000e^&fs\"9\u0011\u0011\u0005\u0001\u0005\n\u0005\r\u0012!\u0003<fe&4\u0017PS<u)\u00151\u0017QEA\u0014\u0011\u0019y\u0016q\u0004a\u0001A\"A\u0011\u0011FA\u0010\u0001\u0004\t)\"\u0001\u0003i_N$\bbBA\u0017\u0001\u0011%\u0011qF\u0001\u001aSN\u001cV\r\u001c4BkRDWM\u001c;jG\u0006$\u0018n\u001c8U_.,g\u000e\u0006\u0004\u00022\u0005]\u0012Q\r\t\u0004'\u0005M\u0012bAA\u001b)\t9!i\\8mK\u0006t\u0007\u0002CA\u001d\u0003W\u0001\r!a\u000f\u0002\u0011\u0005$Gm\u001c8LKf\u0004B!!\u0010\u0002`9!\u0011qHA.\u001d\u0011\t\t%!\u0017\u000f\t\u0005\r\u0013q\u000b\b\u0005\u0003\u000b\n)F\u0004\u0003\u0002H\u0005Mc\u0002BA%\u0003#rA!a\u0013\u0002P9\u0019\u0011.!\u0014\n\u0003=I!!\u0004\b\n\u0005-a\u0011BA\u0005\u000b\u0013\t9\u0001\"\u0003\u0002 
\r%\u0011qEH\u0005\u0004\u0003;2\u0013A\u0003)sK\u0012,g-\u001b8fI&!\u0011\u0011MA2\u0005\u0019\t\u0005\u000f]&fs*\u0019\u0011Q\f\u0014\t\u0011\u0005\u001d\u00141\u0006a\u0001\u0003S\n\u0001#\u001e8wKJLg-[3e\u00072\f\u0017.\\:\u0011\t\u0005-\u00141O\u0007\u0003\u0003[R1aAA8\u0015\r\t\t\bO\u0001\t]&l'-^:eg&!\u0011QOA7\u00051Qu\u000bV\"mC&l7oU3u\u0011\u001d\tI\b\u0001C\u0005\u0003w\nqE^1mS\u0012\fG/Z*fY\u001a\fU\u000f\u001e5f]RL7-\u0019;j_:$vn[3o\u0003V$\u0017.\u001a8dKR1\u0011QPAC\u0003\u000f\u0003RaZ8Y\u0003\u007f\u0002BaZAAs&\u0019\u00111Q9\u0003\t1K7\u000f\u001e\u0005\t\u0003s\t9\b1\u0001\u0002<!A\u0011qMA<\u0001\u0004\tI\u0007C\u0004\u0002\f\u0002!I!!$\u0002Q!|7\u000f^\"mS\u0016tGoS3z\rJ|WnU3mM\u0006+H\u000f[3oi&\u001c\u0017\r^5p]R{7.\u001a8\u0015\t\u0005%\u0011q\u0012\u0005\t\u0003O\nI\t1\u0001\u0002j!9\u00111\u0013\u0001\u0005\n\u0005U\u0015\u0001\u000b<bY&$\u0017\r^3TK24\u0017)\u001e;iK:$\u0018nY1uS>tGk\\6f]\u000ec\u0017.\u001a8u\u0017\u0016LH\u0003BA\u0005\u0003/C\u0001\"!'\u0002\u0012\u0002\u0007\u00111T\u0001\u0014[\u0006L(-Z\"mS\u0016tGoS3z\u00072\f\u0017.\u001c\t\u0005'\u0005u\u00150C\u0002\u0002 R\u0011aa\u00149uS>t\u0007bBAR\u0001\u0011%\u0011QU\u0001 Q>\u001cHo\u00117jK:$8*Z=Ge>l\u0017\t\u001e7bgNL\u0017M\u001c+pW\u0016tG\u0003BA\u0005\u0003OC\u0001\"!'\u0002\"\u0002\u0007\u00111\u0014")
/* loaded from: input_file:io/toolsplus/atlassian/connect/play/auth/jwt/JwtAuthenticationProvider.class */
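public class JwtAuthenticationProvider {
    /*
     * Authenticates a request that carries a JWT, in four steps (see authenticate):
     *   1. parse the raw token without verifying it,
     *   2. read the host client key from the UNVERIFIED claims,
     *   3. look up the installed host for that client key,
     *   4. verify the raw token with that host's shared secret.
     *
     * Nothing read in steps 1-3 is trusted: it only selects which shared secret is used in
     * step 4. The AtlassianHostUser handed to callers is built from the JWT returned by the
     * verification step, never from the unverified parse.
     *
     * This is decompiler output of a Scala class; the MODULE$ / extension-method calls are the
     * Java view of Scala companion objects and cats syntax.
     */
    private final AtlassianHostRepository hostRepository;
    private final AppProperties addonConfiguration;
    private final Logger logger = Logger$.MODULE$.apply(JwtAuthenticationProvider.class);

    private Logger logger() {
        return this.logger;
    }

    /**
     * Authenticates the given JWT credentials against the installed host they name.
     *
     * @param jwtCredentials raw JWT plus the canonical form of the request it arrived on
     * @return an EitherT over Future holding either a JwtAuthenticationError or the
     *         authenticated host user; the user's key is the subject claim of the verified
     *         token and may be empty
     */
    public EitherT<Future, JwtAuthenticationError, AtlassianHostUser> authenticate(JwtCredentials jwtCredentials) {
        return EitherOps$.MODULE$.toEitherT$extension(implicits$.MODULE$.catsSyntaxEither(parseJwt(jwtCredentials.rawJwt())), implicits$.MODULE$.catsStdInstancesForFuture(ExecutionContext$Implicits$.MODULE$.global())).flatMap(unverifiedJwt -> {
            // The client key comes from unverified claims; it is used only to pick the host.
            return EitherOps$.MODULE$.toEitherT$extension(implicits$.MODULE$.catsSyntaxEither(this.extractClientKey(unverifiedJwt)), implicits$.MODULE$.catsStdInstancesForFuture(ExecutionContext$Implicits$.MODULE$.global())).flatMap(clientKey -> {
                return this.fetchAtlassianHost(clientKey).flatMap(atlassianHost -> {
                    return EitherOps$.MODULE$.toEitherT$extension(implicits$.MODULE$.catsSyntaxEither(this.verifyJwt(jwtCredentials, atlassianHost)), implicits$.MODULE$.catsStdInstancesForFuture(ExecutionContext$Implicits$.MODULE$.global())).map(verifiedJwt -> {
                        // Subject is read from the verified token, not from the first parse.
                        return new DefaultAtlassianHostUser(atlassianHost, Option$.MODULE$.apply(verifiedJwt.claims().getSubject()));
                    }, implicits$.MODULE$.catsStdInstancesForFuture(ExecutionContext$Implicits$.MODULE$.global()));
                }, implicits$.MODULE$.catsStdInstancesForFuture(ExecutionContext$Implicits$.MODULE$.global()));
            }, implicits$.MODULE$.catsStdInstancesForFuture(ExecutionContext$Implicits$.MODULE$.global()));
        }, implicits$.MODULE$.catsStdInstancesForFuture(ExecutionContext$Implicits$.MODULE$.global()));
    }

    /**
     * Parses the raw token. No signature check happens here.
     *
     * @param rawJwt the serialized token as received
     * @return the parsed token, or an InvalidJwtError carrying the parser's message
     */
    private Either<JwtAuthenticationError, Jwt> parseJwt(String rawJwt) {
        return EitherOps$.MODULE$.leftMap$extension(implicits$.MODULE$.catsSyntaxEither(JwtParser$.MODULE$.parse(rawJwt)), parsingFailure -> {
            // NOTE(review): logged at error level for input any unauthenticated caller can send;
            // what the failure's string form contains is not visible here - confirm it cannot
            // echo token material into the log.
            this.logger().error(() -> {
                return new StringBuilder(23).append("Parsing of JWT failed: ").append(parsingFailure).toString();
            }, MarkerContext$.MODULE$.NoMarker());
            return new InvalidJwtError(parsingFailure.getMessage());
        });
    }

    /**
     * Determines which host the token claims to belong to, from unverified claims.
     *
     * A token whose issuer equals this add-on's key is treated as a self-authentication token:
     * its audience must be exactly the add-on key and the host client key is read from a
     * dedicated claim. Any other token is treated as an Atlassian token and its issuer is the
     * client key.
     *
     * @param jwt the parsed, not yet verified token
     * @return the claimed client key, or a JwtBadCredentialsError
     */
    private Either<JwtAuthenticationError, String> extractClientKey(Jwt jwt) {
        JWTClaimsSet claims = jwt.claims();
        String key = this.addonConfiguration.key();
        // The validated audience list itself is not needed afterwards, only the fact it passed.
        return isSelfAuthenticationToken(key, claims) ? validateSelfAuthenticationTokenAudience(key, claims).flatMap(list -> {
            return this.hostClientKeyFromSelfAuthenticationToken(claims);
        }) : hostClientKeyFromAtlassianToken(Option$.MODULE$.apply(claims.getIssuer()));
    }

    /**
     * Looks up the installed host for a client key.
     *
     * @param clientKey client key taken from the unverified token
     * @return the host, or an UnknownJwtIssuerError when the repository has none
     */
    private EitherT<Future, JwtAuthenticationError, AtlassianHost> fetchAtlassianHost(String clientKey) {
        return new EitherT<>(this.hostRepository.findByClientKey(clientKey).map(option -> {
            Right apply;
            if (option instanceof Some) {
                apply = package$.MODULE$.Right().apply((AtlassianHost) ((Some) option).value());
            } else {
                if (!None$.MODULE$.equals(option)) {
                    throw new MatchError(option);
                }
                // NOTE(review): clientKey is still attacker-controlled at this point and is
                // written to the log unmodified; whether the logging backend neutralises
                // control characters is not visible here.
                this.logger().error(() -> {
                    return new StringBuilder(62).append("Could not find an installed host for the provided client key: ").append(clientKey).toString();
                }, MarkerContext$.MODULE$.NoMarker());
                apply = package$.MODULE$.Left().apply(new UnknownJwtIssuerError(clientKey));
            }
            return apply;
        }, ExecutionContext$Implicits$.MODULE$.global()));
    }

    /**
     * Re-reads the raw token and verifies it with the host's shared secret.
     *
     * The canonical request hash computed from the credentials is handed to readAndVerify;
     * presumably it is compared there with the token's query-string-hash claim (that check is
     * not visible in this file).
     *
     * @param jwtCredentials raw JWT and canonical request
     * @param atlassianHost host whose shared secret is used for verification
     * @return the verified token, or an InvalidJwtError carrying the verifier's message
     */
    private Either<JwtAuthenticationError, Jwt> verifyJwt(JwtCredentials jwtCredentials, AtlassianHost atlassianHost) {
        return EitherOps$.MODULE$.leftMap$extension(implicits$.MODULE$.catsSyntaxEither(new JwtReader(atlassianHost.sharedSecret()).readAndVerify(jwtCredentials.rawJwt(), HttpRequestCanonicalizer$.MODULE$.computeCanonicalRequestHash(jwtCredentials.canonicalHttpRequest()))), error -> {
            this.logger().error(() -> {
                return new StringBuilder(38).append("Reading and validating of JWT failed: ").append(error).toString();
            }, MarkerContext$.MODULE$.NoMarker());
            // NOTE(review): the verifier's message travels on inside the error value; whether
            // callers return it to the client is outside this file.
            return new InvalidJwtError(error.getMessage());
        });
    }

    /**
     * Tells whether the token claims to be issued by this add-on itself.
     *
     * @param addonKey this add-on's key
     * @param unverifiedClaims claims of the not yet verified token
     * @return true when the issuer claim equals the add-on key (both null counts as equal)
     */
    private boolean isSelfAuthenticationToken(String addonKey, JWTClaimsSet unverifiedClaims) {
        String issuer = unverifiedClaims.getIssuer();
        return addonKey != null ? addonKey.equals(issuer) : issuer == null;
    }

    /**
     * Requires the audience of a self-authentication token to be exactly this add-on's key.
     *
     * Every rejected shape is reported as a JwtBadCredentialsError. The decompiled original
     * only handled an empty or single-entry audience and threw scala.MatchError for two or more
     * entries, so a token with a multi-valued audience failed the surrounding Future instead of
     * producing an authentication error.
     *
     * @param addonKey this add-on's key
     * @param unverifiedClaims claims of the not yet verified token
     * @return the single-entry audience list when it matches, otherwise a JwtBadCredentialsError
     */
    private Either<JwtAuthenticationError, List<String>> validateSelfAuthenticationTokenAudience(String addonKey, JWTClaimsSet unverifiedClaims) {
        List<String> audience = ((TraversableOnce) JavaConverters$.MODULE$.asScalaBufferConverter(unverifiedClaims.getAudience()).asScala()).toList();
        if (audience.isEmpty()) {
            return package$.MODULE$.Left().apply(new JwtBadCredentialsError("Missing audience for self-authentication token"));
        }
        // Accept only a one-element audience whose entry equals the add-on key (null-safe).
        if (Nil$.MODULE$.equals(audience.tail())) {
            String sole = audience.head();
            if (sole != null ? sole.equals(addonKey) : addonKey == null) {
                return package$.MODULE$.Right().apply(audience);
            }
        }
        // Wrong single entry, or more than one entry: reject and name what was presented.
        return package$.MODULE$.Left().apply(new JwtBadCredentialsError(new StringBuilder(49).append("Invalid audience (").append(audience.mkString(",")).append(") for self-authentication token").toString()));
    }

    /**
     * Reads the host client key claim of a self-authentication token.
     *
     * @param jWTClaimsSet claims of the not yet verified token
     * @return the claimed client key, or a JwtBadCredentialsError when the claim is absent
     */
    /* JADX INFO: Access modifiers changed from: private */
    public Either<JwtAuthenticationError, String> hostClientKeyFromSelfAuthenticationToken(JWTClaimsSet jWTClaimsSet) {
        // NOTE(review): the unchecked String cast throws ClassCastException if the claim holds
        // a non-string value; the claim is attacker-supplied at this stage.
        return validateSelfAuthenticationTokenClientKey(Option$.MODULE$.apply((String) jWTClaimsSet.getClaim(SelfAuthenticationTokenGenerator$.MODULE$.HostClientKeyClaim())));
    }

    /**
     * Turns an optional client key claim of a self-authentication token into a result.
     *
     * @param option the claim value, empty when the claim was absent
     * @return the client key, or a JwtBadCredentialsError when absent
     */
    private Either<JwtAuthenticationError, String> validateSelfAuthenticationTokenClientKey(Option<String> option) {
        Right apply;
        if (option instanceof Some) {
            apply = package$.MODULE$.Right().apply((String) ((Some) option).value());
        } else {
            if (!None$.MODULE$.equals(option)) {
                throw new MatchError(option);
            }
            apply = package$.MODULE$.Left().apply(new JwtBadCredentialsError("Missing client key claim for self-authentication token"));
        }
        return apply;
    }

    /**
     * Turns the optional issuer of an Atlassian token into the host client key.
     *
     * @param option the issuer claim, empty when the claim was absent
     * @return the client key, or a JwtBadCredentialsError when absent
     */
    private Either<JwtAuthenticationError, String> hostClientKeyFromAtlassianToken(Option<String> option) {
        Right apply;
        if (option instanceof Some) {
            apply = package$.MODULE$.Right().apply((String) ((Some) option).value());
        } else {
            if (!None$.MODULE$.equals(option)) {
                throw new MatchError(option);
            }
            apply = package$.MODULE$.Left().apply(new JwtBadCredentialsError("Missing client key claim for Atlassian token"));
        }
        return apply;
    }

    /**
     * Creates the provider; both collaborators are supplied by the injector.
     *
     * @param atlassianHostRepository repository used to find installed hosts by client key
     * @param appProperties add-on configuration; its key identifies self-authentication tokens
     */
    @Inject
    public JwtAuthenticationProvider(AtlassianHostRepository atlassianHostRepository, AppProperties appProperties) {
        this.hostRepository = atlassianHostRepository;
        this.addonConfiguration = appProperties;
    }
}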
