package org.aktin.broker.auth.openid;

import java.util.HashSet;
import java.util.Objects;
import java.util.Set;
import java.util.function.Function;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.aktin.broker.server.auth.AuthInfo;
import org.aktin.broker.server.auth.AuthInfoImpl;
import org.aktin.broker.server.auth.AuthRole;
import org.aktin.broker.server.auth.HeaderAuthentication;
import org.aktin.broker.server.auth.HttpBearerAuthentication;
import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwk.HttpsJwks;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.keys.resolvers.HttpsJwksVerificationKeyResolver;

/* loaded from: input_file:org/aktin/broker/auth/openid/OpenIdAuthenticator.class */
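/**
 * Authenticates HTTP requests that carry an OpenID Connect / OAuth2 bearer token
 * in the {@code Authorization} header.
 *
 * <p>The token is verified against the configured issuer, its JWKS endpoint and
 * the configured signature algorithms. Roles are derived from the presence of the
 * configured site claim (see {@link #authenticateByHeaders(Function)}). Any token
 * that fails verification yields an unauthenticated result ({@code null}); the
 * request itself is not failed.
 */
public class OpenIdAuthenticator implements HeaderAuthentication {
    /** Name of the JWT claim that carries the client / user identifier. */
    public static final String KEY_JWT_USERNAME = "clientId";

    private static final Logger LOG = Logger.getLogger(OpenIdAuthenticator.class.getName());

    /** Tolerated difference between the token's time claims and this server's clock. */
    private static final int ALLOWED_CLOCK_SKEW_SECONDS = 10;

    /** Issuer, JWKS location, allowed algorithms and site-claim name; read on every call. */
    private final OpenIdConfig config;

    /**
     * @param openIdConfig provider settings; must be non-{@code null} by the time
     *     {@link #authenticateByHeaders(Function)} is invoked
     */
    public OpenIdAuthenticator(OpenIdConfig openIdConfig) {
        this.config = openIdConfig;
    }

    /**
     * Verifies the bearer token found in the {@code Authorization} header and maps its
     * claims to an {@link AuthInfo}.
     *
     * <p>Role mapping as implemented here:
     * <ul>
     *   <li>site claim present and non-empty: {@code NODE_READ}, {@code NODE_WRITE};
     *       the name is {@code "CN=" + siteClaim}</li>
     *   <li>site claim absent or empty: {@code ADMIN_READ}, {@code NODE_WRITE};
     *       the name falls back to {@code "CN=" + clientId}</li>
     * </ul>
     *
     * @param function header lookup by name
     * @return the authenticated principal, or {@code null} when no bearer token is
     *     present or the token is rejected
     * @throws NullPointerException if no {@link OpenIdConfig} was supplied
     */
    @Override
    public AuthInfo authenticateByHeaders(Function<String, String> function) {
        Objects.requireNonNull(this.config, "OpenIdConfig must be set before authenticating");
        JwtClaims claims;
        try {
            String authorization = function.apply("Authorization");
            if (authorization == null) {
                // No Authorization header at all: nothing to verify, not authenticated.
                return null;
            }
            String token = HttpBearerAuthentication.extractBearerToken(authorization);
            if (token == null) {
                // Header present but not a bearer credential — presumably what
                // extractBearerToken signals with null; confirm against its contract.
                return null;
            }
            claims = verifyToken(token);
        } catch (IllegalAccessException e) {
            // Rejected token (signature, expiry, issuer, algorithm, ...): report as
            // unauthenticated rather than failing the request. Logged at FINE so the
            // rejection reason is available for troubleshooting without adding noise;
            // the token itself is deliberately not logged.
            LOG.log(Level.FINE, "Bearer token rejected", e);
            return null;
        }

        String clientId = claims.getClaimValueAsString(KEY_JWT_USERNAME);
        String siteName = claims.getClaimValueAsString(this.config.getSiteNameClaim());
        Set<AuthRole> roles = new HashSet<>();
        if (siteName == null || siteName.isEmpty()) {
            // NOTE(review): a token WITHOUT the site claim is treated as an administrative
            // client (ADMIN_READ) and its CN falls back to the client id, i.e. privilege
            // is decided by the absence of a claim. Confirm this matches the identity
            // provider's claim mapping so that a client missing the claim cannot end up
            // with administrative read access unintentionally.
            siteName = clientId;
            roles.add(AuthRole.ADMIN_READ);
            roles.add(AuthRole.NODE_WRITE);
        } else {
            roles.add(AuthRole.NODE_READ);
            roles.add(AuthRole.NODE_WRITE);
        }
        return new AuthInfoImpl(clientId, "CN=" + siteName, roles);
    }

    /**
     * Validates the signature and the standard time/issuer claims of a compact JWT.
     *
     * @param token compact-serialized JWT taken from the bearer header
     * @return the verified claim set
     * @throws IllegalAccessException if the token is rejected; the underlying
     *     {@link InvalidJwtException} is attached as the cause
     */
    private JwtClaims verifyToken(String token) throws IllegalAccessException {
        // A fresh HttpsJwks is created per call. jose4j presumably caches fetched keys
        // per HttpsJwks instance, so this may refetch the JWKS on every request —
        // TODO confirm and consider keeping one instance for the lifetime of the config.
        try {
            return new JwtConsumerBuilder()
                    .setRequireExpirationTime()
                    .setAllowedClockSkewInSeconds(ALLOWED_CLOCK_SKEW_SECONDS)
                    .setRequireSubject()
                    .setExpectedIssuer(this.config.getAuth_host())
                    // Audience is not checked here: any token of the expected issuer with a
                    // valid signature and an allowed algorithm passes, whichever client it
                    // was issued for, unless that is restricted elsewhere.
                    .setSkipDefaultAudienceValidation()
                    .setVerificationKeyResolver(
                            new HttpsJwksVerificationKeyResolver(new HttpsJwks(this.config.getJwks_uri())))
                    // Only the configured signature algorithms are permitted.
                    .setJwsAlgorithmConstraints(AlgorithmConstraints.ConstraintType.PERMIT,
                            (String[]) this.config.getAllowedAlgorithms().toArray(new String[0]))
                    .build()
                    .processToClaims(token);
        } catch (InvalidJwtException e) {
            // Keep the jose4j diagnosis as the cause instead of discarding it.
            IllegalAccessException rejected = new IllegalAccessException("JWT rejected: " + e.getMessage());
            rejected.initCause(e);
            throw rejected;
        }
    }
}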
