package org.reaktivity.nukleus.oauth.internal.stream;

import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.util.Objects;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.function.Function;
import java.util.function.LongSupplier;
import java.util.function.LongUnaryOperator;
import java.util.function.ToLongFunction;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.agrona.DirectBuffer;
import org.agrona.MutableDirectBuffer;
import org.agrona.collections.Long2ObjectHashMap;
import org.jose4j.jwk.JsonWebKey;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.MalformedClaimException;
import org.jose4j.jwt.NumericDate;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.lang.JoseException;
import org.reaktivity.nukleus.concurrent.SignalingExecutor;
import org.reaktivity.nukleus.function.MessageConsumer;
import org.reaktivity.nukleus.oauth.internal.OAuthConfiguration;
import org.reaktivity.nukleus.oauth.internal.types.HttpHeaderFW;
import org.reaktivity.nukleus.oauth.internal.types.OctetsFW;
import org.reaktivity.nukleus.oauth.internal.types.String16FW;
import org.reaktivity.nukleus.oauth.internal.types.control.RouteFW;
import org.reaktivity.nukleus.oauth.internal.types.stream.AbortFW;
import org.reaktivity.nukleus.oauth.internal.types.stream.BeginFW;
import org.reaktivity.nukleus.oauth.internal.types.stream.DataFW;
import org.reaktivity.nukleus.oauth.internal.types.stream.EndFW;
import org.reaktivity.nukleus.oauth.internal.types.stream.HttpBeginExFW;
import org.reaktivity.nukleus.oauth.internal.types.stream.ResetFW;
import org.reaktivity.nukleus.oauth.internal.types.stream.SignalFW;
import org.reaktivity.nukleus.oauth.internal.types.stream.WindowFW;
import org.reaktivity.nukleus.oauth.internal.util.BufferUtil;
import org.reaktivity.nukleus.route.RouteManager;
import org.reaktivity.nukleus.stream.StreamFactory;

/* loaded from: input_file:org/reaktivity/nukleus/oauth/internal/stream/OAuthProxyFactory.class */
public class OAuthProxyFactory implements StreamFactory {
    private static final long EXPIRES_NEVER = Long.MAX_VALUE;
    private static final long EXPIRES_IMMEDIATELY = 0;
    private static final long REALM_MASK = -281474976710656L;
    private static final long TOKEN_EXPIRED_SIGNAL = 1;
    private static final Pattern QUERY_PARAMS = Pattern.compile("(?:\\?|.*?&)access_token=([^&#]+)(?:&.*)?");
    private static final byte[] BEARER_PREFIX = "Bearer ".getBytes(StandardCharsets.US_ASCII);
    private static final byte[] QUERY_PREFIX = "?".getBytes(StandardCharsets.US_ASCII);
    private static final byte[] AUTHORIZATION = "authorization".getBytes(StandardCharsets.US_ASCII);
    private static final byte[] PATH = ":path".getBytes(StandardCharsets.US_ASCII);
    private final RouteFW routeRO = new RouteFW();
    private final BeginFW beginRO = new BeginFW();
    private final DataFW dataRO = new DataFW();
    private final EndFW endRO = new EndFW();
    private final HttpBeginExFW httpBeginExRO = new HttpBeginExFW();
    private final WindowFW windowRO = new WindowFW();
    private final ResetFW resetRO = new ResetFW();
    private final AbortFW abortRO = new AbortFW();
    private final SignalFW signalRO = new SignalFW();
    private final JsonWebSignature signature = new JsonWebSignature();
    private final OAuthConfiguration config;
    private final RouteManager router;
    private final LongUnaryOperator supplyInitialId;
    private final LongSupplier supplyTrace;
    private final LongUnaryOperator supplyReplyId;
    private final Function<String, JsonWebKey> lookupKey;
    private final ToLongFunction<JsonWebSignature> lookupAuthorization;
    private final SignalingExecutor executor;
    private final Long2ObjectHashMap<OAuthProxy> correlations;
    private final Writer writer;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/reaktivity/nukleus/oauth/internal/stream/OAuthProxyFactory$OAuthProxy.class */
    public final class OAuthProxy {
        private final MessageConsumer source;
        private final long sourceRouteId;
        private final long sourceStreamId;
        private final long sourceAuthorization;
        private final MessageConsumer target;
        private final long targetRouteId;
        private final long targetStreamId;
        private final long targetAuthorization;
        private final long expiresAtMillis;
        private Future<?> expiryFuture;

        private OAuthProxy(MessageConsumer messageConsumer, long j, long j2, long j3, MessageConsumer messageConsumer2, long j4, long j5, long j6, long j7) {
            this.source = messageConsumer;
            this.sourceRouteId = j;
            this.sourceStreamId = j2;
            this.sourceAuthorization = j3;
            this.target = messageConsumer2;
            this.targetRouteId = j4;
            this.targetStreamId = j5;
            this.targetAuthorization = j6;
            this.expiresAtMillis = j7;
        }

        /* JADX INFO: Access modifiers changed from: private */
        public void onStreamMessage(int i, DirectBuffer directBuffer, int i2, int i3) {
            switch (i) {
                case 1:
                    onBegin(OAuthProxyFactory.this.beginRO.wrap(directBuffer, i2, i2 + i3));
                    return;
                case 2:
                    onData(OAuthProxyFactory.this.dataRO.wrap(directBuffer, i2, i2 + i3));
                    return;
                case 3:
                    onEnd(OAuthProxyFactory.this.endRO.wrap(directBuffer, i2, i2 + i3));
                    return;
                case 4:
                    onAbort(OAuthProxyFactory.this.abortRO.wrap(directBuffer, i2, i2 + i3));
                    return;
                case SignalFW.TYPE_ID /* 5 */:
                    onSignal(OAuthProxyFactory.this.signalRO.wrap(directBuffer, i2, i2 + i3));
                    return;
                default:
                    OAuthProxyFactory.this.writer.doReset(this.source, this.sourceRouteId, this.sourceStreamId, OAuthProxyFactory.this.supplyTrace.getAsLong(), this.sourceAuthorization);
                    return;
            }
        }

        /* JADX INFO: Access modifiers changed from: private */
        public void onThrottleMessage(int i, DirectBuffer directBuffer, int i2, int i3) {
            switch (i) {
                case 1073741825:
                    onReset(OAuthProxyFactory.this.resetRO.wrap(directBuffer, i2, i2 + i3));
                    return;
                case 1073741826:
                    onWindow(OAuthProxyFactory.this.windowRO.wrap(directBuffer, i2, i2 + i3));
                    return;
                default:
                    return;
            }
        }

        private void onBegin(BeginFW beginFW) {
            if (this.expiresAtMillis != OAuthProxyFactory.EXPIRES_NEVER) {
                this.expiryFuture = OAuthProxyFactory.this.executor.schedule(this.expiresAtMillis - System.currentTimeMillis(), TimeUnit.MILLISECONDS, beginFW.routeId(), beginFW.streamId(), OAuthProxyFactory.TOKEN_EXPIRED_SIGNAL);
            }
        }

        private void onData(DataFW dataFW) {
            long trace = dataFW.trace();
            int padding = dataFW.padding();
            OAuthProxyFactory.this.writer.doData(this.target, this.targetRouteId, this.targetStreamId, trace, dataFW.authorization(), dataFW.groupId(), padding, dataFW.payload(), dataFW.extension());
        }

        private void onEnd(EndFW endFW) {
            OAuthProxyFactory.this.writer.doEnd(this.target, this.targetRouteId, this.targetStreamId, endFW.trace(), this.targetAuthorization, endFW.extension());
            cancelTimerIfNecessary();
        }

        private void onAbort(AbortFW abortFW) {
            OAuthProxyFactory.this.writer.doAbort(this.target, this.targetRouteId, this.targetStreamId, abortFW.trace(), this.targetAuthorization);
            cleanupCorrelationIfNecessary();
            cancelTimerIfNecessary();
        }

        private void onSignal(SignalFW signalFW) {
            if (signalFW.signalId() == OAuthProxyFactory.TOKEN_EXPIRED_SIGNAL) {
                long trace = signalFW.trace();
                OAuthProxyFactory.this.writer.doAbort(this.target, this.targetRouteId, this.targetStreamId, trace, this.targetAuthorization);
                OAuthProxyFactory.this.writer.doReset(this.source, this.sourceRouteId, this.sourceStreamId, trace, this.sourceAuthorization);
                cleanupCorrelationIfNecessary();
            }
        }

        private void onWindow(WindowFW windowFW) {
            int credit = windowFW.credit();
            OAuthProxyFactory.this.writer.doWindow(this.source, this.sourceRouteId, this.sourceStreamId, windowFW.trace(), this.sourceAuthorization, credit, windowFW.padding(), windowFW.groupId());
        }

        private void onReset(ResetFW resetFW) {
            OAuthProxyFactory.this.writer.doReset(this.source, this.sourceRouteId, this.sourceStreamId, resetFW.trace(), this.sourceAuthorization);
            cleanupCorrelationIfNecessary();
            cancelTimerIfNecessary();
        }

        private void cleanupCorrelationIfNecessary() {
            long j = this.targetStreamId | OAuthProxyFactory.TOKEN_EXPIRED_SIGNAL;
            if (this.targetStreamId == j) {
                OAuthProxyFactory.this.correlations.remove(OAuthProxyFactory.this.supplyReplyId.applyAsLong(j));
            }
        }

        private void cancelTimerIfNecessary() {
            if (this.expiryFuture != null) {
                this.expiryFuture.cancel(true);
                this.expiryFuture = null;
            }
        }
    }

    public OAuthProxyFactory(OAuthConfiguration oAuthConfiguration, MutableDirectBuffer mutableDirectBuffer, LongUnaryOperator longUnaryOperator, LongSupplier longSupplier, LongUnaryOperator longUnaryOperator2, Long2ObjectHashMap<OAuthProxy> long2ObjectHashMap, Function<String, JsonWebKey> function, ToLongFunction<JsonWebSignature> toLongFunction, SignalingExecutor signalingExecutor, RouteManager routeManager) {
        this.config = oAuthConfiguration;
        this.router = (RouteManager) Objects.requireNonNull(routeManager);
        this.writer = new Writer(mutableDirectBuffer);
        this.supplyInitialId = (LongUnaryOperator) Objects.requireNonNull(longUnaryOperator);
        this.supplyReplyId = (LongUnaryOperator) Objects.requireNonNull(longUnaryOperator2);
        this.supplyTrace = (LongSupplier) Objects.requireNonNull(longSupplier);
        this.correlations = long2ObjectHashMap;
        this.lookupKey = function;
        this.lookupAuthorization = toLongFunction;
        this.executor = signalingExecutor;
    }

    public MessageConsumer newStream(int i, DirectBuffer directBuffer, int i2, int i3, MessageConsumer messageConsumer) {
        BeginFW wrap = this.beginRO.wrap(directBuffer, i2, i2 + i3);
        return (wrap.streamId() & TOKEN_EXPIRED_SIGNAL) != EXPIRES_IMMEDIATELY ? newInitialStream(wrap, messageConsumer) : newReplyStream(wrap, messageConsumer);
    }

    private MessageConsumer newInitialStream(BeginFW beginFW, MessageConsumer messageConsumer) {
        long authorization = beginFW.authorization();
        JsonWebSignature verifiedSignature = verifiedSignature(beginFW);
        long j = authorization;
        if (verifiedSignature != null) {
            j = this.lookupAuthorization.applyAsLong(verifiedSignature);
        }
        long routeId = beginFW.routeId();
        RouteFW routeFW = (RouteFW) this.router.resolve(routeId, j, (i, directBuffer, i2, i3) -> {
            return true;
        }, this::wrapRoute);
        MessageConsumer messageConsumer2 = null;
        if (routeFW != null) {
            long streamId = beginFW.streamId();
            long trace = beginFW.trace();
            OctetsFW extension = beginFW.extension();
            long correlationId = routeFW.correlationId();
            long applyAsLong = this.supplyInitialId.applyAsLong(correlationId);
            MessageConsumer supplyReceiver = this.router.supplyReceiver(applyAsLong);
            long applyAsLong2 = this.supplyReplyId.applyAsLong(applyAsLong);
            OAuthProxy oAuthProxy = new OAuthProxy(messageConsumer, routeId, streamId, authorization, supplyReceiver, correlationId, applyAsLong, j, this.config.expireInFlightRequests() ? expiresAtMillis(verifiedSignature) : EXPIRES_NEVER);
            this.correlations.put(applyAsLong2, oAuthProxy);
            this.writer.doBegin(supplyReceiver, correlationId, applyAsLong, trace, j, extension);
            RouteManager routeManager = this.router;
            Objects.requireNonNull(oAuthProxy);
            routeManager.setThrottle(applyAsLong, (i4, directBuffer2, i5, i6) -> {
                oAuthProxy.onThrottleMessage(i4, directBuffer2, i5, i6);
            });
            Objects.requireNonNull(oAuthProxy);
            messageConsumer2 = (i7, directBuffer3, i8, i9) -> {
                oAuthProxy.onStreamMessage(i7, directBuffer3, i8, i9);
            };
        }
        return messageConsumer2;
    }

    private MessageConsumer newReplyStream(BeginFW beginFW, MessageConsumer messageConsumer) {
        long routeId = beginFW.routeId();
        long streamId = beginFW.streamId();
        long trace = beginFW.trace();
        long authorization = beginFW.authorization();
        OctetsFW extension = beginFW.extension();
        OAuthProxy oAuthProxy = (OAuthProxy) this.correlations.remove(streamId);
        MessageConsumer messageConsumer2 = null;
        if (oAuthProxy != null) {
            long j = oAuthProxy.sourceRouteId;
            MessageConsumer messageConsumer3 = oAuthProxy.source;
            long j2 = oAuthProxy.expiresAtMillis;
            long applyAsLong = this.supplyReplyId.applyAsLong(oAuthProxy.sourceStreamId);
            OAuthProxy oAuthProxy2 = new OAuthProxy(messageConsumer, routeId, streamId, oAuthProxy.targetAuthorization, messageConsumer3, j, applyAsLong, oAuthProxy.sourceAuthorization, j2);
            this.writer.doBegin(messageConsumer3, j, applyAsLong, trace, authorization, extension);
            RouteManager routeManager = this.router;
            Objects.requireNonNull(oAuthProxy2);
            routeManager.setThrottle(applyAsLong, (i, directBuffer, i2, i3) -> {
                oAuthProxy2.onThrottleMessage(i, directBuffer, i2, i3);
            });
            Objects.requireNonNull(oAuthProxy2);
            messageConsumer2 = (i4, directBuffer2, i5, i6) -> {
                oAuthProxy2.onStreamMessage(i4, directBuffer2, i5, i6);
            };
        }
        return messageConsumer2;
    }

    private RouteFW wrapRoute(int i, DirectBuffer directBuffer, int i2, int i3) {
        return this.routeRO.wrap(directBuffer, i2, i2 + i3);
    }

    private static long expiresAtMillis(JsonWebSignature jsonWebSignature) {
        long j = Long.MAX_VALUE;
        if (jsonWebSignature != null) {
            try {
                NumericDate expirationTime = JwtClaims.parse(jsonWebSignature.getPayload()).getExpirationTime();
                if (expirationTime != null) {
                    j = expirationTime.getValueInMillis();
                }
            } catch (MalformedClaimException | InvalidJwtException | JoseException e) {
                j = 0;
            }
        }
        return j;
    }

    private JsonWebSignature verifiedSignature(BeginFW beginFW) {
        JsonWebSignature jsonWebSignature = null;
        String bearerToken = bearerToken(beginFW);
        if (bearerToken != null) {
            try {
                this.signature.setCompactSerialization(bearerToken);
                String keyIdHeaderValue = this.signature.getKeyIdHeaderValue();
                String algorithmHeaderValue = this.signature.getAlgorithmHeaderValue();
                JsonWebKey apply = this.lookupKey.apply(keyIdHeaderValue);
                if (algorithmHeaderValue != null && apply != null && algorithmHeaderValue.equals(apply.getAlgorithm())) {
                    this.signature.setKey((Key) null);
                    this.signature.setKey(apply.getKey());
                    JwtClaims parse = JwtClaims.parse(this.signature.getPayload());
                    NumericDate expirationTime = parse.getExpirationTime();
                    NumericDate notBefore = parse.getNotBefore();
                    long currentTimeMillis = System.currentTimeMillis();
                    if ((expirationTime == null || currentTimeMillis <= expirationTime.getValueInMillis()) && ((notBefore == null || currentTimeMillis >= notBefore.getValueInMillis()) && this.signature.verifySignature())) {
                        jsonWebSignature = this.signature;
                    }
                }
            } catch (JoseException | MalformedClaimException | InvalidJwtException e) {
            }
        }
        return jsonWebSignature;
    }

    private String bearerToken(BeginFW beginFW) {
        String16FW value;
        int limitOfBytes;
        int indexOfBytes;
        String str = null;
        OctetsFW extension = beginFW.extension();
        HttpBeginExFW httpBeginExFW = this.httpBeginExRO;
        Objects.requireNonNull(httpBeginExFW);
        HttpBeginExFW httpBeginExFW2 = (HttpBeginExFW) extension.get(httpBeginExFW::tryWrap);
        if (httpBeginExFW2 != null) {
            HttpHeaderFW matchFirst = httpBeginExFW2.headers().matchFirst(httpHeaderFW -> {
                return BufferUtil.equals(httpHeaderFW.name(), PATH);
            });
            if (matchFirst != null && (indexOfBytes = BufferUtil.indexOfBytes(matchFirst.value(), QUERY_PREFIX)) != -1) {
                Matcher matcher = QUERY_PARAMS.matcher(matchFirst.value().asString().substring(indexOfBytes));
                if (matcher.matches()) {
                    str = matcher.group(1);
                }
            }
            HttpHeaderFW matchFirst2 = httpBeginExFW2.headers().matchFirst(httpHeaderFW2 -> {
                return BufferUtil.equals(httpHeaderFW2.name(), AUTHORIZATION);
            });
            if (matchFirst2 != null && (limitOfBytes = BufferUtil.limitOfBytes((value = matchFirst2.value()), BEARER_PREFIX)) > 0) {
                str = value.buffer().getStringWithoutLengthUtf8(limitOfBytes, value.limit() - limitOfBytes);
            }
        }
        return str;
    }
}
