package org.aktin.broker.auth.openid;

import com.google.gson.JsonElement;
import com.google.gson.JsonParser;
import java.util.HashSet;
import java.util.Objects;
import java.util.function.Function;
import javax.ws.rs.client.Client;
import javax.ws.rs.client.ClientBuilder;
import javax.ws.rs.client.Entity;
import javax.ws.rs.client.WebTarget;
import javax.ws.rs.core.MultivaluedHashMap;
import org.aktin.broker.server.auth.AuthInfo;
import org.aktin.broker.server.auth.AuthInfoImpl;
import org.aktin.broker.server.auth.AuthRole;
import org.aktin.broker.server.auth.HeaderAuthentication;
import org.aktin.broker.server.auth.HttpBearerAuthentication;

/* loaded from: input_file:org/aktin/broker/auth/openid/OpenIdAuthenticator.class */
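/**
 * Authenticates a request by sending its bearer token to the identity provider's
 * token introspection endpoint and mapping the returned claims to an {@link AuthInfo}.
 *
 * <p>Every failure (no token, unsuccessful introspection call, inactive token, missing
 * claim) ends in an unchecked exception, so no {@link AuthInfo} is ever produced for a
 * token the identity provider did not confirm.
 */
public class OpenIdAuthenticator implements HeaderAuthentication {
    public static final String CLIENT_ID = "client_id";
    public static final String CLIENT_SECRET = "client_secret";
    public static final String TOKEN = "token";
    public static final String TOKEN_INTROSPECTION_PATH = "protocol/openid-connect/token/introspect";
    public static final String KEY_JWT_USERNAME = "clientId";
    /** Boolean member of an introspection response (RFC 7662) stating whether the token is valid. */
    private static final String KEY_ACTIVE = "active";
    private final OpenIdConfig config;

    /**
     * @param openIdConfig identity provider settings (host, client credentials, site-name claim)
     */
    public OpenIdAuthenticator(OpenIdConfig openIdConfig) {
        this.config = openIdConfig;
    }

    /**
     * Validates the bearer token found in the {@code Authorization} header and builds the
     * caller's identity from the introspection response.
     *
     * @param function lookup from header name to header value
     * @return the user id taken from the {@code clientId} claim, a DN built from the configured
     *     site-name claim, and the node read/write roles when that claim is non-empty
     * @throws SecurityException if no token was supplied, the token is not reported as active,
     *     or a required claim is absent
     */
    public AuthInfo authenticateByHeaders(Function<String, String> function) {
        Objects.requireNonNull(this.config, "config");
        String token = HttpBearerAuthentication.extractBearerToken(function.apply("Authorization"));
        // Reject locally instead of sending an empty token (and the client secret) to the provider.
        if (token == null || token.isEmpty()) {
            throw new SecurityException("request carries no bearer token");
        }
        JsonElement introspection = JsonParser.parseString(introspectToken(token));
        if (!introspection.isJsonObject()) {
            throw new SecurityException("token introspection response is not a JSON object");
        }
        // The claims below are only meaningful for an active token. Without this check the code
        // depended on an inactive response happening to omit the claims; a response carrying
        // "active": false together with claims would have been accepted.
        // NOTE(review): failures are signalled by unchecked exception, as the previous code did
        // implicitly; confirm against the HeaderAuthentication contract whether a rejected
        // credential should be reported differently.
        JsonElement active = introspection.getAsJsonObject().get(KEY_ACTIVE);
        if (active == null
                || !active.isJsonPrimitive()
                || !active.getAsJsonPrimitive().isBoolean()
                || !active.getAsBoolean()) {
            throw new SecurityException("token is not active");
        }
        String userId = requireClaim(introspection, KEY_JWT_USERNAME);
        String siteName = requireClaim(introspection, this.config.getSiteNameClaim());
        // Raw type kept: generics were lost in decompilation and AuthInfoImpl's signature is not visible here.
        HashSet roles = new HashSet();
        if (!siteName.isEmpty()) {
            roles.add(AuthRole.NODE_READ);
            roles.add(AuthRole.NODE_WRITE);
        }
        // NOTE(review): the claim value goes into the DN unescaped. If any consumer parses this DN,
        // characters such as ',', '+' or '=' in the claim could change its structure; consider
        // RFC 4514 escaping or restricting the allowed characters.
        return new AuthInfoImpl(userId, "CN=" + siteName, roles);
    }

    /**
     * Reads a claim that must be present in the introspection response.
     *
     * @throws SecurityException if the member is missing or JSON null
     */
    private static String requireClaim(JsonElement introspection, String name) {
        JsonElement value = introspection.getAsJsonObject().get(name);
        if (value == null || value.isJsonNull()) {
            throw new SecurityException("token introspection response lacks claim " + name);
        }
        return value.getAsString();
    }

    /**
     * Posts the token together with the client credentials to the introspection endpoint.
     *
     * @param str the bearer token to introspect
     * @return the raw response body
     */
    private String introspectToken(String str) {
        // NOTE(review): token and client secret travel in the form body; confirm the configured
        // auth host is an https URL.
        Client client = ClientBuilder.newClient();
        try {
            WebTarget endpoint = client.target(this.config.getAuth_host()).path(TOKEN_INTROSPECTION_PATH);
            MultivaluedHashMap form = new MultivaluedHashMap();
            form.add(CLIENT_ID, this.config.getClientId());
            form.add(CLIENT_SECRET, this.config.getClientSecret());
            form.add(TOKEN, str);
            // Requesting the entity type directly makes JAX-RS throw WebApplicationException on a
            // non-2xx status, so an error page is never parsed as an introspection result.
            return endpoint.request().post(Entity.form(form), String.class);
        } finally {
            // A client was created per call and never released before.
            client.close();
        }
    }
}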
