package org.radarbase.auth.authentication;

import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.exceptions.SignatureVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.net.URI;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.Collection;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.TimeUnit;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;
import org.radarbase.auth.config.TokenValidatorConfig;
import org.radarbase.auth.config.TokenVerifierPublicKeyConfig;
import org.radarbase.auth.exception.TokenValidationException;
import org.radarbase.auth.security.jwk.JavaWebKeySet;
import org.radarbase.auth.token.JwtRadarToken;
import org.radarbase.auth.token.RadarToken;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/radarbase/auth/authentication/TokenValidator.class */
public class TokenValidator {
    private final TokenValidatorConfig config;
    private List<JWTVerifier> verifiers;
    private final Duration fetchTimeout;
    private Instant lastFetch;
    private static final long DEFAULT_TIMEOUT = 30;
    private final OkHttpClient client;
    private final ObjectMapper mapper;
    private final AlgorithmLoader algorithmLoader;
    private static final Logger LOGGER = LoggerFactory.getLogger(TokenValidator.class);
    private static final Duration FETCH_TIMEOUT_DEFAULT = Duration.ofMinutes(1);

    public TokenValidator() {
        this(TokenVerifierPublicKeyConfig.readFromFileOrClasspath(), FETCH_TIMEOUT_DEFAULT);
    }

    public TokenValidator(TokenValidatorConfig tokenValidatorConfig) {
        this(tokenValidatorConfig, FETCH_TIMEOUT_DEFAULT);
    }

    private TokenValidator(TokenValidatorConfig tokenValidatorConfig, Duration duration) {
        this.verifiers = new LinkedList();
        this.lastFetch = Instant.MIN;
        this.client = new OkHttpClient.Builder().connectTimeout(DEFAULT_TIMEOUT, TimeUnit.SECONDS).readTimeout(DEFAULT_TIMEOUT, TimeUnit.SECONDS).writeTimeout(DEFAULT_TIMEOUT, TimeUnit.SECONDS).build();
        this.mapper = new ObjectMapper();
        this.algorithmLoader = new AlgorithmLoader();
        this.fetchTimeout = duration;
        this.config = tokenValidatorConfig;
    }

    @Deprecated
    public TokenValidator(TokenValidatorConfig tokenValidatorConfig, long j) {
        this(tokenValidatorConfig, Duration.ofSeconds(j));
    }

    @Deprecated
    protected TokenValidator(List<JWTVerifier> list, TokenValidatorConfig tokenValidatorConfig) {
        this.verifiers = new LinkedList();
        this.lastFetch = Instant.MIN;
        this.client = new OkHttpClient.Builder().connectTimeout(DEFAULT_TIMEOUT, TimeUnit.SECONDS).readTimeout(DEFAULT_TIMEOUT, TimeUnit.SECONDS).writeTimeout(DEFAULT_TIMEOUT, TimeUnit.SECONDS).build();
        this.mapper = new ObjectMapper();
        this.algorithmLoader = new AlgorithmLoader();
        this.config = tokenValidatorConfig;
        this.verifiers = list;
        this.fetchTimeout = Duration.ofHours(1L);
    }

    public RadarToken validateAccessToken(String str) throws TokenValidationException {
        return validateAccessToken(str, true);
    }

    private RadarToken validateAccessToken(String str, boolean z) {
        for (JWTVerifier jWTVerifier : getVerifiers()) {
            try {
                DecodedJWT verify = jWTVerifier.verify(str);
                Map claims = verify.getClaims();
                LOGGER.debug("Verified JWT header {} and payload {}", verify.getHeader(), verify.getPayload());
                if (claims.containsKey(JwtRadarToken.SCOPE_CLAIM)) {
                    return new JwtRadarToken(verify);
                }
                throw new TokenValidationException("The required claim scopeis missing from the token");
            } catch (JWTVerificationException e) {
                LOGGER.debug("Verifier {} with implementation {} did not accept token", jWTVerifier, jWTVerifier.getClass());
            } catch (SignatureVerificationException e2) {
                LOGGER.debug("Client presented a token with an incorrect signature.");
                if (z) {
                    LOGGER.info("Trying to fetch public keys again...");
                    try {
                        refresh();
                    } catch (TokenValidationException e3) {
                        LOGGER.warn("Could not fetch public keys.", e3);
                    }
                    return validateAccessToken(str, false);
                }
            }
        }
        throw new TokenValidationException("No registered validator could authenticate this token");
    }

    private List<JWTVerifier> getVerifiers() {
        List<JWTVerifier> list;
        synchronized (this) {
            if (!this.verifiers.isEmpty()) {
                return this.verifiers;
            }
            List<JWTVerifier> loadVerifiers = loadVerifiers();
            synchronized (this) {
                this.verifiers = loadVerifiers;
                list = this.verifiers;
            }
            return list;
        }
    }

    public void refresh() throws TokenValidationException {
        List<JWTVerifier> loadVerifiers = loadVerifiers();
        if (loadVerifiers.isEmpty()) {
            return;
        }
        synchronized (this) {
            this.verifiers = loadVerifiers;
        }
    }

    private List<JWTVerifier> loadVerifiers() throws TokenValidationException {
        synchronized (this) {
            if (Instant.now().isBefore(this.lastFetch.plus((TemporalAmount) this.fetchTimeout))) {
                LOGGER.warn("Fetched public key less than {} ago, denied access.", this.fetchTimeout);
                throw new TokenValidationException("Not fetching public key more than once every " + this.fetchTimeout);
            }
            this.lastFetch = Instant.now();
        }
        Stream flatMap = streamEmptyIfNull(this.config.getPublicKeyEndpoints()).map(this::algorithmFromServerPublicKeyEndpoint).filter((v0) -> {
            return Objects.nonNull(v0);
        }).flatMap((v0) -> {
            return v0.stream();
        });
        Stream streamEmptyIfNull = streamEmptyIfNull(this.config.getPublicKeys());
        AlgorithmLoader algorithmLoader = this.algorithmLoader;
        Objects.requireNonNull(algorithmLoader);
        return (List) Stream.concat(flatMap, streamEmptyIfNull.map(algorithmLoader::loadDeprecatedAlgorithmFromPublicKey)).map(algorithm -> {
            return AlgorithmLoader.buildVerifier(algorithm, this.config.getResourceName());
        }).collect(Collectors.toList());
    }

    private List<Algorithm> algorithmFromServerPublicKeyEndpoint(URI uri) throws TokenValidationException {
        LOGGER.info("Getting the JWT public key at " + uri);
        try {
            Response execute = this.client.newCall(new Request.Builder().url(uri.toURL()).header("Accept", "application/json").build()).execute();
            if (!execute.isSuccessful() || execute.body() == null) {
                LOGGER.warn("Could not load newer public keys from {}", uri.toURL());
                return null;
            }
            JavaWebKeySet javaWebKeySet = (JavaWebKeySet) this.mapper.readValue(execute.body().string(), JavaWebKeySet.class);
            execute.close();
            LOGGER.debug("Processing {} public keys from public-key endpoint {}", Integer.valueOf(javaWebKeySet.getKeys().size()), uri.toURL());
            return this.algorithmLoader.loadAlgorithmsFromJavaWebKeys(javaWebKeySet);
        } catch (Exception e) {
            throw new TokenValidationException(e);
        }
    }

    private static <T> Stream<T> streamEmptyIfNull(Collection<T> collection) {
        return collection != null ? collection.stream() : Stream.empty();
    }
}
