package org.reaktivity.nukleus.oauth.internal;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import org.agrona.LangUtil;
import org.jose4j.jwk.JsonWebKey;
import org.jose4j.jwk.JsonWebKeySet;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.lang.JoseException;
import org.reaktivity.nukleus.internal.CopyOnWriteHashMap;

/* loaded from: input_file:org/reaktivity/nukleus/oauth/internal/OAuthRealms.class */
public class OAuthRealms {
    private static final String SCOPE_CLAIM = "scope";
    private static final int MAX_REALMS = 16;
    private static final long REALM_MASK = -281474976710656L;
    private final Map<String, OAuthRealm> realmsByName;
    private int nextRealmBit;
    private final Map<String, JsonWebKey> keysByKid;
    private static final String[] EMPTY_STRING_ARRAY = new String[0];
    private static final Long NO_AUTHORIZATION = 0L;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/reaktivity/nukleus/oauth/internal/OAuthRealms$OAuthRealm.class */
    public final class OAuthRealm {
        private static final int MAX_SCOPES = 48;
        private final Map<String, Long> scopeBitsByName;
        private final long realmId;
        private final String realmName;
        private long nextScopeBit;
        static final /* synthetic */ boolean $assertionsDisabled;

        private OAuthRealm(String str) {
            this.scopeBitsByName = new CopyOnWriteHashMap();
            if (!$assertionsDisabled && OAuthRealms.this.nextRealmBit >= 16) {
                throw new AssertionError();
            }
            this.realmName = str;
            this.realmId = (1 << OAuthRealms.access$208(OAuthRealms.this)) << 48;
        }

        /* JADX INFO: Access modifiers changed from: private */
        public long resolve(String[] strArr) {
            long longValue = OAuthRealms.NO_AUTHORIZATION.longValue();
            if (this.nextScopeBit + strArr.length < 48) {
                longValue = this.realmId;
                for (String str : strArr) {
                    longValue |= this.scopeBitsByName.computeIfAbsent(str, this::assignScopeBit).longValue();
                }
            }
            return longValue;
        }

        /* JADX INFO: Access modifiers changed from: private */
        public long lookup(String[] strArr) {
            long j = this.realmId;
            for (String str : strArr) {
                j |= this.scopeBitsByName.getOrDefault(str, 0L).longValue();
            }
            return j;
        }

        private long assignScopeBit(String str) {
            if (!$assertionsDisabled && this.nextScopeBit >= 48) {
                throw new AssertionError();
            }
            long j = this.nextScopeBit;
            this.nextScopeBit = j + 1;
            return 1 << ((int) j);
        }

        public String toString() {
            return String.format("Realm name: %s\n\tRealm id: %s\n\tScope bits: %s", this.realmName, Long.valueOf(this.realmId), this.scopeBitsByName);
        }

        static {
            $assertionsDisabled = !OAuthRealms.class.desiredAssertionStatus();
        }
    }

    public OAuthRealms() {
        this((Map<String, JsonWebKey>) Collections.emptyMap());
    }

    public OAuthRealms(Path path) {
        this(parseKeyMap(path));
    }

    public OAuthRealms(String str) {
        this(toKeyMap(str));
    }

    private OAuthRealms(Map<String, JsonWebKey> map) {
        this.realmsByName = new CopyOnWriteHashMap();
        this.nextRealmBit = 0;
        this.keysByKid = map;
    }

    public long resolve(String str, String[] strArr) {
        long longValue = NO_AUTHORIZATION.longValue();
        if (this.nextRealmBit < 16) {
            longValue = this.realmsByName.computeIfAbsent(str, str2 -> {
                return new OAuthRealm(str2);
            }).resolve(strArr);
        }
        return longValue;
    }

    public long resolve(String str) {
        return resolve(str, EMPTY_STRING_ARRAY);
    }

    public long lookup(JsonWebSignature jsonWebSignature) {
        OAuthRealm oAuthRealm = this.realmsByName.get(jsonWebSignature.getKeyIdHeaderValue());
        long longValue = NO_AUTHORIZATION.longValue();
        if (oAuthRealm != null) {
            try {
                Object claimValue = JwtClaims.parse(jsonWebSignature.getPayload()).getClaimValue(SCOPE_CLAIM);
                longValue = oAuthRealm.lookup(claimValue != null ? claimValue.toString().split("\\s+") : EMPTY_STRING_ARRAY);
            } catch (JoseException | InvalidJwtException e) {
            }
        }
        return longValue;
    }

    public boolean unresolve(long j) {
        long j2 = j & REALM_MASK;
        return Long.bitCount(j2) <= 1 && this.realmsByName.entrySet().removeIf(entry -> {
            return ((OAuthRealm) entry.getValue()).realmId == j2;
        });
    }

    public JsonWebKey lookupKey(String str) {
        return this.keysByKid.get(str);
    }

    private static Map<String, JsonWebKey> parseKeyMap(Path path) {
        Map<String, JsonWebKey> emptyMap = Collections.emptyMap();
        if (Files.exists(path, new LinkOption[0])) {
            try {
                emptyMap = toKeyMap(new String(Files.readAllBytes(path), StandardCharsets.UTF_8));
            } catch (IOException e) {
                LangUtil.rethrowUnchecked(e);
            }
        }
        return emptyMap;
    }

    private static Map<String, JsonWebKey> toKeyMap(String str) {
        Map<String, JsonWebKey> emptyMap = Collections.emptyMap();
        try {
            JsonWebKeySet jsonWebKeySet = new JsonWebKeySet(str);
            LinkedHashMap linkedHashMap = new LinkedHashMap();
            for (JsonWebKey jsonWebKey : jsonWebKeySet.getJsonWebKeys()) {
                String keyId = jsonWebKey.getKeyId();
                if (keyId == null) {
                    throw new IllegalArgumentException("Key without kid");
                }
                if (jsonWebKey.getAlgorithm() == null) {
                    throw new IllegalArgumentException("Key without alg");
                }
                if (((JsonWebKey) linkedHashMap.putIfAbsent(keyId, jsonWebKey)) != null) {
                    throw new IllegalArgumentException("Key with duplicate kid");
                }
            }
            emptyMap = Collections.unmodifiableMap(linkedHashMap);
        } catch (JoseException e) {
            LangUtil.rethrowUnchecked(e);
        }
        return emptyMap;
    }

    static /* synthetic */ int access$208(OAuthRealms oAuthRealms) {
        int i = oAuthRealms.nextRealmBit;
        oAuthRealms.nextRealmBit = i + 1;
        return i;
    }
}
