package org.reaktivity.nukleus.oauth.internal;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.util.Collection;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.CopyOnWriteArrayList;
import org.agrona.LangUtil;
import org.jose4j.jwk.JsonWebKey;
import org.jose4j.jwk.JsonWebKeySet;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.lang.JoseException;
import org.reaktivity.nukleus.internal.CopyOnWriteHashMap;

/* loaded from: input_file:org/reaktivity/nukleus/oauth/internal/OAuthRealms.class */
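/**
 * Maps OAuth realms, their required issuer/audience claims and their scopes onto bits of a
 * 64-bit authorization value.
 *
 * <p>Layout of an authorization value: the upper 16 bits ({@link #REALM_MASK}) identify one
 * realm-info entry (one bit each, at most {@link #MAX_REALMS}); the lower 48 bits carry one bit
 * per scope name. A value of {@code 0} means "no authorization".
 *
 * <p>Realm bits are handed out by a counter that is only ever incremented in this class;
 * {@link #unresolve(long)} removes entries but does not return their bit, so once 16 realm-info
 * entries have been created {@code resolve} yields {@code 0} for everything.
 *
 * <p>The bit counters are plain {@code int} fields with no synchronization visible here.
 * NOTE(review): confirm that all mutation happens on a single thread.
 */
public class OAuthRealms {
    private static final String SCOPE_CLAIM = "scope";
    private static final int MAX_REALMS = 16;
    /** Upper 16 bits of an authorization value (same value as -281474976710656L). */
    private static final long REALM_MASK = 0xFFFF_0000_0000_0000L;
    private static final String[] EMPTY_STRING_ARRAY = new String[0];
    private static final long NO_AUTHORIZATION = 0L;

    private final Map<String, OAuthRealm> realmsByName;
    private final Map<String, JsonWebKey> keysByKid;
    private int nextRealmBit;

    /**
     * One named realm, holding a realm-info entry per distinct set of required claims.
     * (Decompiler output marks this class as originally {@code private}.)
     */
    public final class OAuthRealm {
        /** Number of low-order bits reserved for scopes; realm bits start above them. */
        private static final int MAX_SCOPES = 48;

        private final List<OAuthRealmInfo> realmInfos;
        private final String realmName;
        private int nextScopeBit;

        /** Realm id, required claims and scope-bit table for one issuer/audience requirement. */
        public final class OAuthRealmInfo {
            private final Map<String, Long> scopeBitsByName;
            private final long realmId;
            private final Claims requiredClaims;

            /** Issuer and audience a token must carry; a {@code null} field means "not required". */
            public final class Claims {
                final String issuerName;
                final String audienceName;

                private Claims(String issuerName, String audienceName) {
                    this.issuerName = issuerName;
                    this.audienceName = audienceName;
                }

                /**
                 * Checks presented claims against the required ones.
                 *
                 * @param issuer presented issuer, may be {@code null}
                 * @param audiences presented audiences, may be {@code null} or hold {@code null}s
                 * @return {@code true} when every non-null requirement is met
                 */
                public boolean containsClaims(String issuer, String[] audiences) {
                    if (this.issuerName != null && !Objects.equals(this.issuerName, issuer)) {
                        return false;
                    }
                    if (this.audienceName == null) {
                        return true;
                    }
                    return audiences != null && containsThisAudienceName(audiences);
                }

                private boolean containsThisAudienceName(String[] audiences) {
                    for (String candidate : audiences) {
                        // Compare from the known non-null side: the varargs overload on
                        // OAuthRealmInfo can deliver a one-element array holding null, which
                        // made the previous candidate.equals(...) form throw.
                        if (this.audienceName.equals(candidate)) {
                            return true;
                        }
                    }
                    return false;
                }

                @Override
                public String toString() {
                    return String.format("issuer=\"%s\", audience=\"%s\"", this.issuerName, this.audienceName);
                }
            }

            private OAuthRealmInfo(long realmId, String issuerName, String audienceName) {
                this.scopeBitsByName = new CopyOnWriteHashMap<>();
                this.realmId = realmId;
                this.requiredClaims = new Claims(issuerName, audienceName);
            }

            /** Returns the bit already assigned to {@code scopeName}, or {@code 0} if none. */
            public long scopeBit(String scopeName) {
                return this.scopeBitsByName.getOrDefault(scopeName, 0L);
            }

            /** Returns the bit for {@code scopeName}, assigning the next free one on first use. */
            public long supplyScopeBit(String scopeName) {
                return this.scopeBitsByName.computeIfAbsent(scopeName, this::assignScopeBit);
            }

            /** Delegates to {@link Claims#containsClaims(String, String[])}. */
            public boolean containsClaims(String issuer, String... audiences) {
                return this.requiredClaims.containsClaims(issuer, audiences);
            }

            private long assignScopeBit(String scopeName) {
                assert OAuthRealm.this.nextScopeBit < MAX_SCOPES;
                // Long shift: an int shift wraps at 32, so scope 32 would alias scope 0.
                return 1L << OAuthRealm.this.nextScopeBit++;
            }

            @Override
            public String toString() {
                return String.format("Info: realm id=%d, claims=[%s], scope bits=%s", Long.valueOf(this.realmId), this.requiredClaims, this.scopeBitsByName);
            }
        }

        private OAuthRealm(String realmName) {
            this.realmInfos = new CopyOnWriteArrayList<>();
            assert OAuthRealms.this.nextRealmBit < MAX_REALMS;
            this.realmName = realmName;
        }

        /**
         * Returns the authorization bits for the given requirement, creating the realm-info
         * entry and scope bits as needed.
         *
         * <p>NOTE(review): an existing entry is reused when its requirements are satisfied by
         * the arguments, so an entry created with {@code null} issuer and audience is reused by
         * later, stricter calls and the stricter requirement is not recorded. Confirm that
         * callers do not rely on the stricter claims being enforced in that case.
         *
         * @return realm id OR-ed with the scope bits, or {@code 0} when the scope budget would
         *     be exceeded
         */
        public long resolve(String issuerName, String audienceName, String[] scopeNames) {
            assert OAuthRealms.this.nextRealmBit < MAX_REALMS;
            // Conservative budget check: counts every requested scope, even ones already assigned.
            if (this.nextScopeBit + scopeNames.length >= MAX_SCOPES) {
                return NO_AUTHORIZATION;
            }
            final OAuthRealmInfo info = this.realmInfos.stream()
                .filter(candidate -> candidate.containsClaims(issuerName, audienceName))
                .findFirst()
                .orElseGet(() -> newRealmInfo(issuerName, audienceName));
            long authorization = info.realmId;
            for (String scopeName : scopeNames) {
                authorization |= info.supplyScopeBit(scopeName);
            }
            return authorization;
        }

        /**
         * Returns the authorization bits granted by presented claims, without assigning anything.
         *
         * @return realm id OR-ed with the bits of known scopes, or {@code 0} when no entry's
         *     required claims are satisfied
         */
        public long lookup(String issuer, String[] audiences, String[] scopeNames) {
            final OAuthRealmInfo info = this.realmInfos.stream()
                .filter(candidate -> candidate.containsClaims(issuer, audiences))
                .findFirst()
                .orElse(null);
            if (info == null) {
                return NO_AUTHORIZATION;
            }
            long authorization = info.realmId;
            for (String scopeName : scopeNames) {
                // Unknown scopes contribute 0, so a token cannot mint new scope bits.
                authorization |= info.scopeBit(scopeName);
            }
            return authorization;
        }

        /** Removes every entry with the given realm id; returns whether any was removed. */
        public boolean unresolve(long realmId) {
            return this.realmInfos.removeIf(info -> info.realmId == realmId);
        }

        public boolean isEmpty() {
            return this.realmInfos.isEmpty();
        }

        private OAuthRealmInfo newRealmInfo(String issuerName, String audienceName) {
            // Long shift into bits 48..63; as an int expression the shift distance wraps to 16
            // and the id would fall outside REALM_MASK, colliding with scope bits.
            final long realmId = (1L << OAuthRealms.this.nextRealmBit++) << MAX_SCOPES;
            final OAuthRealmInfo info = new OAuthRealmInfo(realmId, issuerName, audienceName);
            this.realmInfos.add(info);
            return info;
        }

        @Override
        public String toString() {
            return String.format("Realm name: \"%s\",\tRealm info: %s\n", this.realmName, this.realmInfos);
        }
    }

    /** Creates an instance with no verification keys. */
    public OAuthRealms() {
        this(Collections.emptyMap());
    }

    /**
     * @param keysByKid verification keys indexed by key id; stored as given, not copied
     */
    public OAuthRealms(Map<String, JsonWebKey> keysByKid) {
        this.realmsByName = new CopyOnWriteHashMap<>();
        this.nextRealmBit = 0;
        this.keysByKid = keysByKid;
    }

    /**
     * Resolves a realm with optional required claims and scopes to authorization bits.
     *
     * @return the authorization bits, or {@code 0} when all realm bits are in use or the
     *     realm's scope budget would be exceeded
     */
    public long resolve(String realmName, String issuerName, String audienceName, String[] scopeNames) {
        if (this.nextRealmBit >= MAX_REALMS) {
            return NO_AUTHORIZATION;
        }
        return this.realmsByName
            .computeIfAbsent(realmName, name -> new OAuthRealm(name))
            .resolve(issuerName, audienceName, scopeNames);
    }

    /** Resolves a realm with no claim requirements and no scopes. */
    public long resolve(String realmName) {
        return resolve(realmName, null, null, EMPTY_STRING_ARRAY);
    }

    /**
     * Computes the authorization bits a token is entitled to.
     *
     * <p>The realm is selected by the token's {@code kid} header, so realm names must equal key
     * ids. Only {@code iss}, {@code aud} and {@code scope} are read here; {@code exp} and
     * {@code nbf} are not evaluated. NOTE(review): confirm the caller enforces token lifetime.
     *
     * <p>jose4j's {@code getPayload()} verifies the signature with the key set on the JWS
     * unless the {@code org.jose4j.jws.getPayload-skip-verify} system property is set. This
     * method sets no key, so the caller is presumably expected to have set the key from
     * {@link #lookupKey(String)} and suitable algorithm constraints. Confirm.
     *
     * @return the authorization bits, or {@code 0} for an unknown realm, unsatisfied claims or
     *     any jose4j failure
     */
    public long lookup(JsonWebSignature jws) {
        final OAuthRealm realm = this.realmsByName.get(jws.getKeyIdHeaderValue());
        if (realm == null) {
            return NO_AUTHORIZATION;
        }
        try {
            final JwtClaims claims = JwtClaims.parse(jws.getPayload());
            final Object issuer = claims.getClaimValue("iss");
            final Object audience = claims.getClaimValue("aud");
            final Object scope = claims.getClaimValue(SCOPE_CLAIM);
            // NOTE(review): "aud" is split on whitespace after toString(); if the claim arrives
            // as a JSON array its elements keep the list punctuation and will not match. That
            // fails closed, but valid multi-audience tokens are rejected. Confirm intent.
            final String[] audiences = audience != null ? audience.toString().split("\\s+") : null;
            final String[] scopeNames = scope != null ? scope.toString().split("\\s+") : EMPTY_STRING_ARRAY;
            return realm.lookup(issuer != null ? issuer.toString() : null, audiences, scopeNames);
        } catch (JoseException | InvalidJwtException ignored) {
            // Deliberate fail-closed: an unverifiable or unparsable token grants nothing.
            return NO_AUTHORIZATION;
        }
    }

    /**
     * Releases the realm-info entry identified by the realm bits of {@code authorization} and
     * drops realms left without entries.
     *
     * @return {@code true} when an entry was removed and at most one realm bit was set
     */
    public boolean unresolve(long authorization) {
        final long realmId = authorization & REALM_MASK;
        final Collection<OAuthRealm> realms = this.realmsByName.values();
        final boolean removed = realms.stream().anyMatch(realm -> realm.unresolve(realmId));
        realms.removeIf(OAuthRealm::isEmpty);
        return Long.bitCount(realmId) <= 1 && removed;
    }

    /** Returns the verification key registered under {@code kid}, or {@code null}. */
    public JsonWebKey lookupKey(String kid) {
        return this.keysByKid.get(kid);
    }

    /**
     * Loads a JWK set from {@code path} as UTF-8 JSON.
     * (Decompiler output marks this method as originally package-private.)
     *
     * @return keys indexed by kid; an empty map when the file does not exist, in which case
     *     {@link #lookupKey(String)} finds nothing
     * @throws IllegalArgumentException if a key lacks {@code kid} or {@code alg}, or a kid repeats
     */
    public static Map<String, JsonWebKey> parseKeyMap(Path path) {
        Map<String, JsonWebKey> keys = Collections.emptyMap();
        if (Files.exists(path)) {
            try {
                keys = toKeyMap(new String(Files.readAllBytes(path), StandardCharsets.UTF_8));
            } catch (IOException ex) {
                LangUtil.rethrowUnchecked(ex);
            }
        }
        return keys;
    }

    /**
     * Parses a JWK set and indexes it by kid, preserving document order.
     * Every key must declare {@code kid} and {@code alg}, and kids must be unique, so a kid
     * resolves to exactly one key with a declared algorithm.
     */
    private static Map<String, JsonWebKey> toKeyMap(String keysAsJson) {
        Map<String, JsonWebKey> keys = Collections.emptyMap();
        try {
            final JsonWebKeySet keySet = new JsonWebKeySet(keysAsJson);
            final Map<String, JsonWebKey> byKid = new LinkedHashMap<>();
            for (JsonWebKey key : keySet.getJsonWebKeys()) {
                final String kid = key.getKeyId();
                if (kid == null) {
                    throw new IllegalArgumentException("Key without kid");
                }
                if (key.getAlgorithm() == null) {
                    throw new IllegalArgumentException("Key without alg");
                }
                if (byKid.putIfAbsent(kid, key) != null) {
                    throw new IllegalArgumentException("Key with duplicate kid");
                }
            }
            keys = Collections.unmodifiableMap(byKid);
        } catch (JoseException ex) {
            LangUtil.rethrowUnchecked(ex);
        }
        return keys;
    }
}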
