package no.nav.security.token.support.core.validation;

import java.lang.annotation.Annotation;
import java.lang.reflect.Method;
import java.util.Arrays;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import no.nav.security.token.support.core.api.Protected;
import no.nav.security.token.support.core.api.ProtectedWithClaims;
import no.nav.security.token.support.core.api.RequiredIssuers;
import no.nav.security.token.support.core.api.Unprotected;
import no.nav.security.token.support.core.context.TokenValidationContextHolder;
import no.nav.security.token.support.core.exceptions.AnnotationRequiredException;
import no.nav.security.token.support.core.exceptions.JwtTokenInvalidClaimException;
import no.nav.security.token.support.core.exceptions.JwtTokenMissingException;
import no.nav.security.token.support.core.jwt.JwtToken;
import no.nav.security.token.support.core.utils.JwtTokenUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:no/nav/security/token/support/core/validation/JwtTokenAnnotationHandler.class */
/**
 * Decides whether a method may be invoked, based on the token-support annotation found on the
 * method (or, failing that, on its declaring class) and on the tokens reachable through the
 * supplied {@link TokenValidationContextHolder}.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>A method with none of the supported annotations is rejected with
 *       {@link AnnotationRequiredException}.</li>
 *   <li>{@link Unprotected} short-circuits to {@code true} without looking at any token.</li>
 *   <li>Claim requirements are written as {@code name=value} strings; entries that do not split
 *       into exactly two parts on {@code '='} are skipped rather than rejected (see
 *       {@code containsAllClaims} and {@code containsAnyClaim}).</li>
 * </ul>
 */
public class JwtTokenAnnotationHandler {
    // Membership list only: the order of this list does not set precedence between annotations,
    // see findAnnotation.
    private static final List<Class<? extends Annotation>> SUPPORTED_ANNOTATIONS = List.of(RequiredIssuers.class, ProtectedWithClaims.class, Protected.class, Unprotected.class);
    private static final Logger LOG = LoggerFactory.getLogger(JwtTokenAnnotationHandler.class);
    private final TokenValidationContextHolder tokenValidationContextHolder;

    /**
     * @param tokenValidationContextHolder source of the validated tokens that every check in this
     *     class reads from
     */
    public JwtTokenAnnotationHandler(TokenValidationContextHolder tokenValidationContextHolder) {
        this.tokenValidationContextHolder = tokenValidationContextHolder;
    }

    /**
     * Resolves the supported annotation that applies to {@code method} and evaluates it.
     *
     * @param method the method about to be invoked
     * @return the outcome of the annotation-specific check; {@code false} only for an annotation
     *     type this class does not recognise
     * @throws AnnotationRequiredException if neither the method nor its declaring class carries a
     *     supported annotation
     */
    public boolean assertValidAnnotation(Method method) throws AnnotationRequiredException {
        Annotation resolved = getAnnotation(method, SUPPORTED_ANNOTATIONS);
        if (resolved == null) {
            // No annotation at all is treated as an error, not as "unprotected".
            throw new AnnotationRequiredException(method);
        }
        return assertValidAnnotation(resolved);
    }

    /**
     * Dispatches on the concrete annotation type. The branch order is
     * Unprotected, RequiredIssuers, ProtectedWithClaims, Protected.
     */
    private boolean assertValidAnnotation(Annotation annotation) {
        if (annotation instanceof Unprotected) {
            LOG.debug("annotation is of type={}, no token validation performed.", Unprotected.class.getSimpleName());
            return true;
        } else if (annotation instanceof RequiredIssuers) {
            return handleRequiredIssuers((RequiredIssuers) annotation);
        } else if (annotation instanceof ProtectedWithClaims) {
            return handleProtectedWithClaims((ProtectedWithClaims) annotation);
        } else if (annotation instanceof Protected) {
            return handleProtected();
        }
        // NOTE(review): the log text mentions throwing, but this branch only returns false;
        // what happens next depends on how the caller treats a false result.
        LOG.debug("annotation is unknown,  type={}, no token validation performed. but possible bug so throw exception", annotation.annotationType());
        return false;
    }

    /**
     * Handles {@link Protected}: passes when {@code JwtTokenUtil.contextHasValidToken} reports a
     * valid token in the context.
     *
     * @throws JwtTokenMissingException if that check fails
     */
    private boolean handleProtected() {
        LOG.debug("annotation is of type={}, check if context has valid token.", Protected.class.getSimpleName());
        if (!JwtTokenUtil.contextHasValidToken(this.tokenValidationContextHolder)) {
            throw new JwtTokenMissingException();
        }
        return true;
    }

    /**
     * Handles a single {@link ProtectedWithClaims}: a token for the annotation's issuer must be
     * present and must satisfy the annotation's claim requirements.
     *
     * @throws JwtTokenMissingException if no token is found for the issuer
     * @throws JwtTokenInvalidClaimException if the token does not satisfy the claim requirements
     */
    private boolean handleProtectedWithClaims(ProtectedWithClaims protectedWithClaims) {
        LOG.debug("annotation is of type={}, do token validation and claim checking.", ProtectedWithClaims.class.getSimpleName());
        Optional<JwtToken> candidate = JwtTokenUtil.getJwtToken(protectedWithClaims.issuer(), this.tokenValidationContextHolder);
        if (!candidate.isPresent()) {
            throw new JwtTokenMissingException();
        }
        if (!handleProtectedWithClaimsAnnotation(protectedWithClaims, candidate.get())) {
            throw new JwtTokenInvalidClaimException(protectedWithClaims);
        }
        return true;
    }

    /**
     * Handles {@link RequiredIssuers}: the listed {@link ProtectedWithClaims} entries are tried
     * in order and the first one whose token is present and satisfies its claims grants access.
     *
     * @throws JwtTokenInvalidClaimException if at least one listed issuer had a token but none
     *     of those tokens satisfied its claim requirements
     * @throws JwtTokenMissingException if no listed issuer had a token at all
     */
    private boolean handleRequiredIssuers(RequiredIssuers requiredIssuers) {
        boolean tokenSeen = false;
        for (ProtectedWithClaims alternative : requiredIssuers.value()) {
            Optional<JwtToken> candidate = JwtTokenUtil.getJwtToken(alternative.issuer(), this.tokenValidationContextHolder);
            if (!candidate.isPresent()) {
                continue;
            }
            if (handleProtectedWithClaimsAnnotation(alternative, candidate.get())) {
                return true;
            }
            // Remember that a token existed so the failure is reported as a claim problem
            // rather than as a missing token.
            tokenSeen = true;
        }
        if (tokenSeen) {
            throw new JwtTokenInvalidClaimException(requiredIssuers);
        }
        throw new JwtTokenMissingException(requiredIssuers);
    }

    /**
     * Looks for a supported annotation on the method first and falls back to the declaring class
     * only when the method has none, so a method-level annotation overrides a class-level one.
     *
     * @param method the method to inspect
     * @param types the annotation types to look for
     * @return the matching annotation, or {@code null} when neither level carries one
     */
    protected Annotation getAnnotation(Method method, List<Class<? extends Annotation>> types) {
        Annotation onMethod = findAnnotation(types, method.getAnnotations());
        if (onMethod != null) {
            return onMethod;
        }
        return findAnnotation(types, method.getDeclaringClass().getAnnotations());
    }

    /**
     * Returns the first element of {@code annotations} whose type is contained in {@code types}.
     *
     * <p>"First" follows the order of the {@code annotations} array, not the order of
     * {@code types}. When an element carries more than one supported annotation (for example
     * both {@code Unprotected} and {@code Protected}), the one that wins is whichever reflection
     * returned first.
     *
     * <p>Decompiler note: the tool reports that it widened this member from {@code private};
     * the visibility is kept as found in this listing.
     *
     * @return the first match, or {@code null} when there is none
     */
    public static Annotation findAnnotation(List<Class<? extends Annotation>> types, Annotation... annotations) {
        for (Annotation candidate : annotations) {
            if (types.contains(candidate.annotationType())) {
                return candidate;
            }
        }
        return null;
    }

    /**
     * Unpacks the annotation's issuer, claim map and combine mode and delegates to
     * {@link #handleProtectedWithClaims(String, String[], boolean, JwtToken)}.
     */
    protected boolean handleProtectedWithClaimsAnnotation(ProtectedWithClaims protectedWithClaims, JwtToken jwtToken) {
        String issuer = protectedWithClaims.issuer();
        String[] claimMap = protectedWithClaims.claimMap();
        boolean combineWithOr = protectedWithClaims.combineWithOr();
        return handleProtectedWithClaims(issuer, claimMap, combineWithOr, jwtToken);
    }

    /**
     * Checks the required claims for a given issuer.
     *
     * @param issuer issuer name from the annotation; when {@code null} or empty, no claim check
     *     is made and the method returns {@code true}
     * @param claimMap required claims as {@code name=value} strings
     * @param combineWithOr {@code true} to require any one claim, {@code false} to require all
     * @param jwtToken the token to inspect
     * @return {@code true} when the issuer is blank or the claim requirements are met
     */
    protected boolean handleProtectedWithClaims(String issuer, String[] claimMap, boolean combineWithOr, JwtToken jwtToken) {
        if (Objects.isNull(issuer) || issuer.isEmpty()) {
            return true;
        }
        return containsRequiredClaims(jwtToken, combineWithOr, claimMap);
    }

    /**
     * Selects any-of or all-of matching according to {@code combineWithOr}.
     */
    protected boolean containsRequiredClaims(JwtToken jwtToken, boolean combineWithOr, String... claims) {
        LOG.debug("choose matching logic based on combineWithOr=" + combineWithOr);
        if (combineWithOr) {
            return containsAnyClaim(jwtToken, claims);
        }
        return containsAllClaims(jwtToken, claims);
    }

    /**
     * All-of matching: every well-formed {@code name=value} entry must be present in the token.
     *
     * <p>An entry is well-formed only when {@code split("=")} yields exactly two parts, so
     * entries with no {@code '='}, with an empty value, or with a value that itself contains
     * {@code '='} are skipped. If every entry is skipped the result is {@code true}.
     * NOTE(review): a mistyped claimMap entry therefore relaxes the requirement without any
     * log line; consider validating claimMap values when the application starts.
     *
     * @return {@code true} when {@code claims} is null or empty, or when no well-formed entry is
     *     missing from the token
     */
    private boolean containsAllClaims(JwtToken jwtToken, String... claims) {
        if (claims == null || claims.length == 0) {
            return true;
        }
        for (String claim : claims) {
            String[] pair = claim.split("=");
            if (pair.length != 2) {
                // Malformed entry: ignored, not treated as a failed requirement.
                continue;
            }
            if (!jwtToken.containsClaim(pair[0].trim(), pair[1].trim())) {
                return false;
            }
        }
        return true;
    }

    /**
     * Any-of matching: at least one well-formed {@code name=value} entry must be present in the
     * token.
     *
     * <p>Malformed entries are skipped as in {@code containsAllClaims}; here a list consisting
     * only of malformed entries yields {@code false}, the opposite of the all-of case.
     *
     * @return {@code true} when {@code claims} is null or empty, or when some well-formed entry
     *     is present in the token
     */
    private boolean containsAnyClaim(JwtToken jwtToken, String... claims) {
        if (claims == null || claims.length == 0) {
            LOG.debug("no claims listed, so claim checking is ok.");
            return true;
        }
        for (String claim : claims) {
            String[] pair = claim.split("=");
            if (pair.length == 2 && jwtToken.containsClaim(pair[0].trim(), pair[1].trim())) {
                return true;
            }
        }
        return false;
    }
}
