package one.jpro.platform.auth.core.jwt;

import com.auth0.jwt.JWT;
import com.auth0.jwt.exceptions.JWTDecodeException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Collections;
import java.util.Objects;
import java.util.concurrent.CompletableFuture;
import one.jpro.platform.auth.core.authentication.Authentication;
import one.jpro.platform.auth.core.authentication.AuthenticationException;
import one.jpro.platform.auth.core.authentication.AuthenticationProvider;
import one.jpro.platform.auth.core.authentication.CredentialValidationException;
import one.jpro.platform.auth.core.authentication.User;
import one.jpro.platform.auth.core.utils.AuthUtils;
import org.jetbrains.annotations.NotNull;
import org.json.JSONArray;
import org.json.JSONException;
import org.json.JSONObject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:one/jpro/platform/auth/core/jwt/JWTAuthenticationProvider.class */
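/**
 * Authentication provider that requests JWTs from a remote token endpoint and maps the
 * claims of a presented token onto a {@link User}.
 *
 * <p><b>Security note:</b> {@link #authenticate(TokenCredentials)} reads the claims through
 * {@code JWT.decode}, which parses a token without verifying its signature. Nothing in this
 * class checks the signature, {@code exp} or {@code nbf}. Unless
 * {@code TokenCredentials.validate} or the caller does so, the name and roles placed on the
 * returned {@link User} are unauthenticated input and must not drive authorization decisions
 * on their own.
 */
public class JWTAuthenticationProvider implements AuthenticationProvider<TokenCredentials> {
    private static final Logger logger = LoggerFactory.getLogger(JWTAuthenticationProvider.class);
    // NOTE(review): JWT segments are base64url-encoded; presumably AuthUtils.BASE64_DECODER is a
    // URL-safe decoder. Confirm against AuthUtils.
    private static final Base64.Decoder BASE64_DECODER = AuthUtils.BASE64_DECODER;

    @NotNull
    private final JWTAuthOptions authOptions;

    @NotNull
    private final JWTOptions options;

    @NotNull
    private final JWTAuthAPI api;

    /**
     * Creates a provider bound to the given options.
     *
     * @param jWTAuthOptions the authentication options; its JWT options must be non-null as well
     * @throws NullPointerException if the options or their JWT options are {@code null}
     */
    public JWTAuthenticationProvider(@NotNull JWTAuthOptions jWTAuthOptions) {
        this.authOptions = Objects.requireNonNull(jWTAuthOptions, "JWT authentication options cannot be null");
        this.options = (JWTOptions) Objects.requireNonNull(jWTAuthOptions.getJWTOptions(), "JWT options cannot be null");
        this.api = new JWTAuthAPI(jWTAuthOptions);
    }

    /**
     * Requests a token from the configured site.
     *
     * @param str        the token endpoint path, appended to the configured site
     * @param jSONObject the authentication data sent to the endpoint
     * @return a future holding the credentials built from the response's {@code "token"} field,
     *         or failed with {@link AuthenticationException} when that field is missing
     */
    public CompletableFuture<TokenCredentials> token(@NotNull String str, @NotNull JSONObject jSONObject) {
        // Only the endpoint is logged: the request body may hold the caller's credentials and
        // the response holds the bearer token, neither of which belongs in log files.
        logger.debug("Requesting token from: {}", this.authOptions.getSite() + str);
        return this.api.token(str, jSONObject).thenCompose(response -> {
            if (!response.has("token")) {
                return CompletableFuture.failedFuture(new AuthenticationException("Invalid JWT token"));
            }
            logger.info("Received token response");
            return CompletableFuture.completedFuture(new TokenCredentials(response.getString("token")));
        });
    }

    /**
     * Decodes the presented token and builds a {@link User} from its claims.
     *
     * <p>The audience and issuer are compared with the configured values only when both the
     * configuration and the claim are present. Decoding, validation and claim-type errors are
     * reported through the returned future rather than thrown.
     *
     * @param tokenCredentials the credentials carrying the encoded JWT
     * @return a future holding the user, or failed with the validation, decoding or
     *         {@link AuthenticationException} error
     */
    @Override
    public CompletableFuture<User> authenticate(@NotNull TokenCredentials tokenCredentials) {
        try {
            tokenCredentials.validate(null);

            // JWT.decode only parses the token: the signature is NOT verified here, so every
            // claim read below is attacker-controllable unless verification happens elsewhere.
            // The payload is JSON text, which is UTF-8, so the platform charset is not used.
            final JSONObject payload = new JSONObject(new String(
                    BASE64_DECODER.decode(JWT.decode(tokenCredentials.getToken()).getPayload()),
                    StandardCharsets.UTF_8));

            // NOTE(review): a token that omits "aud" or "iss" skips the matching check below
            // even when an expected value is configured. Decide whether that should fail closed.
            if (this.options.getAudience() != null && payload.has("aud")) {
                // "aud" may be a single string or an array of strings.
                final JSONArray tokenAudiences = payload.get("aud") instanceof String
                        ? new JSONArray().put(payload.getString("aud"))
                        : payload.getJSONArray("aud");
                if (Collections.disjoint(this.options.getAudience(), tokenAudiences.toList())) {
                    // NOTE(review): wrapping the audience collection in a JSONObject may not render
                    // the expected values. Confirm the message reads as intended.
                    return CompletableFuture.failedFuture(new AuthenticationException(
                            "Invalid JWT audience, expected: " + new JSONObject(this.options.getAudience())));
                }
            }

            if (this.options.getIssuer() != null && payload.has("iss")
                    && !this.options.getIssuer().equals(payload.getString("iss"))) {
                return CompletableFuture.failedFuture(new AuthenticationException(
                        "Invalid JWT issuer, expected: " + this.options.getIssuer()));
            }

            return CompletableFuture.completedFuture(createUser(tokenCredentials.getToken(), payload));
        } catch (JWTDecodeException e) {
            logger.error("JWT token decoding failed", e);
            return CompletableFuture.failedFuture(e);
        } catch (JSONException e) {
            // A claim of an unexpected JSON type (e.g. a numeric "aud" or "iss") would otherwise
            // escape as a synchronous exception instead of failing the future.
            logger.error("JWT token payload has an unexpected structure", e);
            return CompletableFuture.failedFuture(e);
        } catch (CredentialValidationException e) {
            logger.error("JWT token validation failed", e);
            return CompletableFuture.failedFuture(e);
        }
    }

    /**
     * Builds the user object from the decoded payload.
     *
     * <p>The name is taken from the first present claim among {@link Authentication#KEY_NAME},
     * {@code "username"} and {@code "email"}. The roles are taken from the first present claim
     * among {@link Authentication#KEY_ROLES}, {@code "permissions"} and {@code "perms"}. The raw
     * token and a subset of its registered claims are stored under the {@code "auth"} attribute.
     *
     * @param token   the encoded JWT
     * @param payload the decoded claims
     * @return the user carrying the mapped name, roles and token attributes
     * @throws NullPointerException if either argument is {@code null}
     */
    private User createUser(@NotNull String token, @NotNull JSONObject payload) {
        Objects.requireNonNull(token, "token can not be null");
        Objects.requireNonNull(payload, "payload can not be null");

        final JSONObject accessToken = new JSONObject().put("token", token).put("token_type", "access_token");
        if (payload.has("amr")) {
            accessToken.put("amr", payload.getJSONArray("amr"));
        }
        if (payload.has("sub")) {
            accessToken.put("sub", payload.getString("sub"));
        }
        // The time claims are only copied. They are not compared with the current time here.
        for (String timeClaim : new String[] {"exp", "iat", "nbf"}) {
            if (payload.has(timeClaim)) {
                accessToken.put(timeClaim, payload.getLong(timeClaim));
            }
        }
        final JSONObject authInfo = new JSONObject().put("access_token", token);
        authInfo.put("accessToken", accessToken);

        final JSONObject userJson = new JSONObject();
        if (payload.has(Authentication.KEY_NAME)) {
            userJson.put(Authentication.KEY_NAME, payload.getString(Authentication.KEY_NAME));
        } else if (payload.has("username")) {
            userJson.put(Authentication.KEY_NAME, payload.getString("username"));
        } else if (payload.has("email")) {
            userJson.put(Authentication.KEY_NAME, payload.getString("email"));
        }

        if (payload.has(Authentication.KEY_ROLES)) {
            userJson.put(Authentication.KEY_ROLES, payload.getJSONArray(Authentication.KEY_ROLES));
        } else if (payload.has("permissions")) {
            userJson.put(Authentication.KEY_ROLES, payload.getJSONArray("permissions"));
        } else if (payload.has("perms")) {
            userJson.put(Authentication.KEY_ROLES, payload.getJSONArray("perms"));
        }

        userJson.put(Authentication.KEY_ATTRIBUTES, new JSONObject().put("auth", authInfo));
        return new User(userJson);
    }
}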
