package no.nav.security.token.support.core.validation;

import java.lang.annotation.Annotation;
import java.lang.reflect.Method;
import java.util.Arrays;
import java.util.List;
import java.util.Objects;
import no.nav.security.token.support.core.api.Protected;
import no.nav.security.token.support.core.api.ProtectedWithClaims;
import no.nav.security.token.support.core.api.Unprotected;
import no.nav.security.token.support.core.context.TokenValidationContextHolder;
import no.nav.security.token.support.core.exceptions.AnnotationRequiredException;
import no.nav.security.token.support.core.exceptions.JwtTokenInvalidClaimException;
import no.nav.security.token.support.core.exceptions.JwtTokenMissingException;
import no.nav.security.token.support.core.jwt.JwtToken;
import no.nav.security.token.support.core.utils.JwtTokenUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:no/nav/security/token/support/core/validation/JwtTokenAnnotationHandler.class */
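/**
 * Decides whether a handler method may be invoked, based on the {@link Unprotected},
 * {@link Protected} or {@link ProtectedWithClaims} annotation found on the method or on its
 * declaring class.
 *
 * <p>Token lookups go through the {@link TokenValidationContextHolder} supplied at construction
 * time; this class does not parse or verify tokens itself.
 */
public class JwtTokenAnnotationHandler {
    private static final Logger log = LoggerFactory.getLogger(JwtTokenAnnotationHandler.class);
    private final TokenValidationContextHolder tokenValidationContextHolder;

    /**
     * @param tokenValidationContextHolder holder that is handed to {@link JwtTokenUtil} for every
     *     token lookup
     */
    public JwtTokenAnnotationHandler(TokenValidationContextHolder tokenValidationContextHolder) {
        this.tokenValidationContextHolder = tokenValidationContextHolder;
    }

    /**
     * Checks the access annotation that applies to {@code method}.
     *
     * @param method the handler method about to be invoked
     * @return {@code true} when access is allowed; {@code false} only for an annotation type this
     *     class does not recognise
     * @throws AnnotationRequiredException if neither the method nor its declaring class carries
     *     one of the three supported annotations
     * @throws JwtTokenMissingException if a token is required and none is found in the context
     * @throws JwtTokenInvalidClaimException if the token lacks the required claims
     */
    public boolean assertValidAnnotation(Method method) throws AnnotationRequiredException {
        Annotation annotation = getAnnotation(method, Arrays.asList(ProtectedWithClaims.class, Protected.class, Unprotected.class));
        if (annotation == null) {
            // getDeclaringClass(), not getClass(): the latter is always java.lang.reflect.Method
            // and would hide which controller is missing its annotation.
            throw new AnnotationRequiredException("Server misconfigured - controller/method [" + method.getDeclaringClass().getName() + "." + method.getName() + "] not annotated @Unprotected, @Protected or added to ignore list");
        }
        return assertValidAnnotation(annotation);
    }

    /** Dispatches on the concrete annotation type; see the public overload for the contract. */
    private boolean assertValidAnnotation(Annotation annotation) {
        if (annotation instanceof Unprotected) {
            log.debug("annotation is of type={}, no token validation performed.", Unprotected.class.getSimpleName());
            return true;
        }
        if (annotation instanceof ProtectedWithClaims) {
            log.debug("annotation is of type={}, do token validation and claim checking.", ProtectedWithClaims.class.getSimpleName());
            return handleProtectedWithClaimsAnnotation((ProtectedWithClaims) annotation);
        }
        if (!(annotation instanceof Protected)) {
            // NOTE(review): the log text announces an exception, but the method returns false.
            // Callers must treat false as "deny"; confirm that every caller does.
            log.debug("annotation is unknown,  type={}, no token validation performed. but possible bug so throw exception", annotation.annotationType());
            return false;
        }
        log.debug("annotation is of type={}, check if context has valid token.", Protected.class.getSimpleName());
        if (JwtTokenUtil.contextHasValidToken(this.tokenValidationContextHolder)) {
            return true;
        }
        throw new JwtTokenMissingException("no valid token found in validation context");
    }

    /**
     * Finds the access annotation that governs {@code method}.
     *
     * <p>Annotations on the method win over annotations on the declaring class. Within one level
     * the first match in the order returned by reflection is used, so the order of {@code types}
     * does not express a priority. A method that carries two of the supported annotations is
     * therefore resolved by declaration order, not by strictness.
     *
     * @param method the handler method
     * @param types annotation types to look for
     * @return the matching annotation, or {@code null} if there is none
     */
    protected Annotation getAnnotation(Method method, List<Class<? extends Annotation>> types) {
        Annotation onMethod = findAnnotation(method.getAnnotations(), types);
        if (onMethod != null) {
            log.debug("method {} marked @{}", method, onMethod.annotationType());
            return onMethod;
        }
        Annotation onClass = findAnnotation(method.getDeclaringClass().getAnnotations(), types);
        if (onClass == null) {
            return null;
        }
        log.debug("method {} marked @{} through annotation on class", method, onClass.annotationType());
        return onClass;
    }

    /** Returns the first element of {@code annotations} whose type is in {@code types}, else {@code null}. */
    private static Annotation findAnnotation(Annotation[] annotations, List<Class<? extends Annotation>> types) {
        if (annotations == null) {
            return null;
        }
        return Arrays.stream(annotations)
                .filter(candidate -> types.contains(candidate.annotationType()))
                .findFirst()
                .orElse(null);
    }

    /** Unpacks issuer, claim list and OR-flag from the annotation and delegates to {@link #handleProtectedWithClaims}. */
    protected boolean handleProtectedWithClaimsAnnotation(ProtectedWithClaims protectedWithClaims) {
        return handleProtectedWithClaims(protectedWithClaims.issuer(), protectedWithClaims.claimMap(), protectedWithClaims.combineWithOr());
    }

    /**
     * Requires a token for {@code issuer} that satisfies {@code requiredClaims}.
     *
     * @param issuer issuer name used for the token lookup
     * @param requiredClaims entries of the form {@code name=value}
     * @param combineWithOr {@code true} if one matching entry is enough, {@code false} if all must match
     * @return {@code true} when access is allowed
     * @throws JwtTokenMissingException if no token for {@code issuer} is found in the context
     * @throws JwtTokenInvalidClaimException if the token does not satisfy the required claims
     */
    protected boolean handleProtectedWithClaims(String issuer, String[] requiredClaims, boolean combineWithOr) {
        if (issuer == null || issuer.isEmpty()) {
            // NOTE(review): a null or empty issuer skips token lookup AND claim checking, so the
            // endpoint is effectively unprotected. Behaviour is kept for compatibility; confirm
            // that the annotation cannot be declared without an issuer, or fail closed here.
            return true;
        }
        JwtToken jwtToken = JwtTokenUtil.getJwtToken(issuer, this.tokenValidationContextHolder)
                .orElseThrow(() -> new JwtTokenMissingException("no valid token found in validation context"));
        if (containsRequiredClaims(jwtToken, combineWithOr, requiredClaims)) {
            return true;
        }
        throw new JwtTokenInvalidClaimException("required claims not present in token." + Arrays.asList(requiredClaims));
    }

    /**
     * Applies either any-of or all-of matching to the claim entries.
     *
     * @param jwtToken token to inspect
     * @param combineWithOr {@code true} for any-of matching, {@code false} for all-of matching
     * @param claims entries of the form {@code name=value}
     * @return {@code true} if the token satisfies the entries under the chosen mode
     */
    protected boolean containsRequiredClaims(JwtToken jwtToken, boolean combineWithOr, String... claims) {
        log.debug("choose matching logic based on combineWithOr={}", combineWithOr);
        return combineWithOr ? containsAnyClaim(jwtToken, claims) : containsAllClaims(jwtToken, claims);
    }

    /**
     * All-of matching: every non-blank entry must be a well-formed {@code name=value} pair that
     * the token contains.
     *
     * <p>An entry that does not split into exactly two parts on {@code =} fails the check.
     * Dropping it instead would let a mistyped requirement (for example a value that itself
     * contains {@code =}, or a missing value) turn into "no requirement", which grants access.
     * Null and blank entries carry no requirement and are skipped.
     */
    private boolean containsAllClaims(JwtToken jwtToken, String... claims) {
        if (claims == null || claims.length == 0) {
            return true;
        }
        for (String claim : claims) {
            if (claim == null || claim.trim().isEmpty()) {
                continue;
            }
            String[] pair = claim.split("=");
            if (pair.length != 2) {
                log.warn("required claim entry [{}] is not of the form name=value, denying access", claim);
                return false;
            }
            if (!jwtToken.containsClaim(pair[0].trim(), pair[1].trim())) {
                return false;
            }
        }
        return true;
    }

    /**
     * Any-of matching: at least one well-formed {@code name=value} entry must be contained in the
     * token.
     *
     * <p>Malformed entries are skipped. Under OR semantics that cannot widen access: if no entry
     * is well-formed, the result is {@code false}.
     */
    private boolean containsAnyClaim(JwtToken jwtToken, String... claims) {
        if (claims == null || claims.length == 0) {
            log.debug("no claims listed, so claim checking is ok.");
            return true;
        }
        return Arrays.stream(claims)
                .map(claim -> claim.split("="))
                .filter(pair -> pair.length == 2)
                .anyMatch(pair -> jwtToken.containsClaim(pair[0].trim(), pair[1].trim()));
    }
}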
