package org.reaktivity.nukleus.oauth.internal.stream;

import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.util.Arrays;
import java.util.IdentityHashMap;
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.function.Consumer;
import java.util.function.Function;
import java.util.function.LongConsumer;
import java.util.function.LongSupplier;
import java.util.function.LongUnaryOperator;
import java.util.function.ToIntFunction;
import java.util.function.ToLongFunction;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.agrona.DirectBuffer;
import org.agrona.MutableDirectBuffer;
import org.agrona.collections.Long2ObjectHashMap;
import org.agrona.collections.MutableInteger;
import org.agrona.concurrent.UnsafeBuffer;
import org.jose4j.jwk.JsonWebKey;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.MalformedClaimException;
import org.jose4j.jwt.NumericDate;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.lang.JoseException;
import org.reaktivity.nukleus.concurrent.SignalingExecutor;
import org.reaktivity.nukleus.function.MessageConsumer;
import org.reaktivity.nukleus.oauth.internal.Capabilities;
import org.reaktivity.nukleus.oauth.internal.OAuthConfiguration;
import org.reaktivity.nukleus.oauth.internal.types.ArrayFW;
import org.reaktivity.nukleus.oauth.internal.types.Flyweight;
import org.reaktivity.nukleus.oauth.internal.types.HttpHeaderFW;
import org.reaktivity.nukleus.oauth.internal.types.OctetsFW;
import org.reaktivity.nukleus.oauth.internal.types.String16FW;
import org.reaktivity.nukleus.oauth.internal.types.StringFW;
import org.reaktivity.nukleus.oauth.internal.types.control.RouteFW;
import org.reaktivity.nukleus.oauth.internal.types.stream.AbortFW;
import org.reaktivity.nukleus.oauth.internal.types.stream.BeginFW;
import org.reaktivity.nukleus.oauth.internal.types.stream.DataFW;
import org.reaktivity.nukleus.oauth.internal.types.stream.EndFW;
import org.reaktivity.nukleus.oauth.internal.types.stream.HttpBeginExFW;
import org.reaktivity.nukleus.oauth.internal.types.stream.HttpChallengeExFW;
import org.reaktivity.nukleus.oauth.internal.types.stream.ResetFW;
import org.reaktivity.nukleus.oauth.internal.types.stream.SignalFW;
import org.reaktivity.nukleus.oauth.internal.types.stream.WindowFW;
import org.reaktivity.nukleus.oauth.internal.util.BufferUtil;
import org.reaktivity.nukleus.route.RouteManager;
import org.reaktivity.nukleus.stream.StreamFactory;

/* loaded from: input_file:org/reaktivity/nukleus/oauth/internal/stream/OAuthProxyFactory.class */
public class OAuthProxyFactory implements StreamFactory {
    private static final long EXPIRES_NEVER = Long.MAX_VALUE;
    private static final long EXPIRES_IMMEDIATELY = 0;
    private static final int GRANT_VALIDATION_SIGNAL = 1;
    private static final long REALM_MASK = -281474976710656L;
    private static final int SCOPE_BITS = 48;
    private final OAuthConfiguration config;
    private final RouteManager router;
    private final LongUnaryOperator supplyInitialId;
    private final LongSupplier supplyTrace;
    private final LongUnaryOperator supplyReplyId;
    private final Function<String, JsonWebKey> lookupKey;
    private final ToLongFunction<JsonWebSignature> lookupAuthorization;
    private final SignalingExecutor executor;
    private final Writer writer;
    private final UnsafeBuffer extensionBuffer;
    private final int httpTypeId;
    private final String challengeTimeoutClaimName;
    private static final Consumer<String> NOOP_CLEANER = str -> {
    };
    private static final Pattern QUERY_PARAMS = Pattern.compile("(?:\\?|.*?&)access_token=([^&#]+)(?:&.*)?");
    private static final byte[] BEARER_PREFIX = "Bearer ".getBytes(StandardCharsets.US_ASCII);
    private static final byte[] QUERY_PREFIX = "?".getBytes(StandardCharsets.US_ASCII);
    private static final byte[] AUTHORIZATION = "authorization".getBytes(StandardCharsets.US_ASCII);
    private static final byte[] PATH = ":path".getBytes(StandardCharsets.US_ASCII);
    private static final StringFW HEADER_NAME_METHOD = new StringFW(":method");
    private static final StringFW HEADER_NAME_CONTENT_TYPE = new StringFW("content-type");
    private static final StringFW HEADER_NAME_STATUS = new StringFW(":status");
    private static final StringFW HEADER_NAME_ACCESS_CONTROL_ALLOW_METHODS = new StringFW("access-control-allow-methods");
    private static final StringFW HEADER_NAME_ACCESS_CONTROL_ALLOW_HEADERS = new StringFW("access-control-allow-headers");
    private static final StringFW HEADER_NAME_ACCESS_CONTROL_REQUEST_METHOD = new StringFW("access-control-request-method");
    private static final StringFW HEADER_NAME_ACCESS_CONTROL_REQUEST_HEADERS = new StringFW("access-control-request-headers");
    private static final String16FW HEADER_VALUE_STATUS_204 = new String16FW("204");
    private static final String16FW HEADER_VALUE_METHOD_OPTIONS = new String16FW("OPTIONS");
    private static final String16FW HEADER_VALUE_METHOD_POST = new String16FW("POST");
    private static final String16FW CHALLENGE_RESPONSE_METHOD = HEADER_VALUE_METHOD_POST;
    private static final String END_CHALLENGE_TYPE = "application/x-challenge-response";
    private static final String16FW CHALLENGE_RESPONSE_CONTENT_TYPE = new String16FW(END_CHALLENGE_TYPE);
    private static final String16FW CORS_PREFLIGHT_METHOD = HEADER_VALUE_METHOD_OPTIONS;
    private static final String16FW CORS_ALLOWED_METHODS = HEADER_VALUE_METHOD_POST;
    private static final String16FW CORS_ALLOWED_HEADERS = new String16FW("authorization,content-type");
    private final RouteFW routeRO = new RouteFW();
    private final BeginFW beginRO = new BeginFW();
    private final DataFW dataRO = new DataFW();
    private final EndFW endRO = new EndFW();
    private final OctetsFW octetsRO = new OctetsFW().wrap((DirectBuffer) new UnsafeBuffer(new byte[0]), 0, 0);
    private final HttpBeginExFW httpBeginExRO = new HttpBeginExFW();
    private final HttpBeginExFW.Builder httpBeginExRW = new HttpBeginExFW.Builder();
    private final HttpChallengeExFW.Builder httpChallengeExRW = new HttpChallengeExFW.Builder();
    private final WindowFW windowRO = new WindowFW();
    private final ResetFW resetRO = new ResetFW();
    private final AbortFW abortRO = new AbortFW();
    private final SignalFW signalRO = new SignalFW();
    private final JsonWebSignature signature = new JsonWebSignature();
    private final Long2ObjectHashMap<OAuthProxy> correlations = new Long2ObjectHashMap<>();
    private final Long2ObjectHashMap<Map<String, OAuthAccessGrant>>[] grantsBySubjectByAffinityPerRealm = initGrantsBySubjectByAffinityPerRealm();

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/reaktivity/nukleus/oauth/internal/stream/OAuthProxyFactory$OAuthAccessGrant.class */
    public final class OAuthAccessGrant {
        private String subject;
        private long authorization;
        private long expiresAtMillis;
        private long challengeTimeoutMillis;
        private long lastChallengedAt;
        private int referenceCount;
        private Consumer<String> cleaner;
        static final /* synthetic */ boolean $assertionsDisabled;

        private OAuthAccessGrant(Consumer<String> consumer) {
            this.cleaner = consumer;
        }

        private OAuthAccessGrant() {
            this.cleaner = OAuthProxyFactory.NOOP_CLEANER;
        }

        /* JADX INFO: Access modifiers changed from: private */
        public boolean reauthorize(String str, long j, long j2, long j3) {
            boolean z = false;
            if (this.referenceCount > 0) {
                long j4 = this.authorization;
                z = (j4 & j) == j4 && j2 > this.expiresAtMillis;
                if (z) {
                    this.expiresAtMillis = j2;
                    this.challengeTimeoutMillis = j3;
                }
            } else {
                this.subject = str != null ? str.intern() : null;
                this.authorization = j;
                this.expiresAtMillis = j2;
                this.challengeTimeoutMillis = j3;
            }
            return z;
        }

        /* JADX INFO: Access modifiers changed from: private */
        public void acquire() {
            if (!$assertionsDisabled && this.cleaner == null) {
                throw new AssertionError();
            }
            this.referenceCount++;
        }

        /* JADX INFO: Access modifiers changed from: private */
        public void release() {
            if (!$assertionsDisabled && (this.cleaner == null || this.referenceCount <= 0)) {
                throw new AssertionError();
            }
            this.referenceCount--;
            if (this.referenceCount == 0) {
                if (this.subject != null) {
                    this.cleaner.accept(this.subject);
                }
                this.cleaner = null;
            }
        }

        /* JADX INFO: Access modifiers changed from: private */
        public long challenge(long j, long j2, LongConsumer longConsumer) {
            long j3 = this.expiresAtMillis - j;
            long j4 = this.expiresAtMillis - this.challengeTimeoutMillis;
            if (j4 <= j && j < this.expiresAtMillis) {
                if (this.lastChallengedAt < j4) {
                    this.lastChallengedAt = j;
                    longConsumer.accept(j2);
                }
                if (!$assertionsDisabled && this.lastChallengedAt < j4) {
                    throw new AssertionError();
                }
            } else if (j < j4) {
                j3 = j4 - j;
            }
            return j3;
        }

        static {
            $assertionsDisabled = !OAuthProxyFactory.class.desiredAssertionStatus();
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/reaktivity/nukleus/oauth/internal/stream/OAuthProxyFactory$OAuthProxy.class */
    public final class OAuthProxy {
        private final MessageConsumer source;
        private final long sourceRouteId;
        private final long sourceStreamId;
        private final long sourceAuthorization;
        private final MutableInteger sourceCapabailities;
        private final MessageConsumer target;
        private final long targetRouteId;
        private final long targetStreamId;
        private final long targetAuthorization;
        private final MutableInteger targetCapabailities;
        private final long acceptReplyId;
        private final long connectReplyId;
        private final OAuthAccessGrant grant;
        private final boolean isCorsPreflight;
        private Future<?> signalFuture;
        static final /* synthetic */ boolean $assertionsDisabled;

        private OAuthProxy(MessageConsumer messageConsumer, long j, long j2, long j3, MutableInteger mutableInteger, long j4, long j5, long j6, MutableInteger mutableInteger2, long j7, long j8, long j9, OAuthAccessGrant oAuthAccessGrant, boolean z, MessageConsumer messageConsumer2, long j10) {
            this.source = messageConsumer;
            this.sourceRouteId = j;
            this.sourceStreamId = j2;
            this.sourceAuthorization = j3;
            this.sourceCapabailities = mutableInteger;
            this.target = messageConsumer2;
            this.targetRouteId = j4;
            this.targetStreamId = j5;
            this.targetAuthorization = j6;
            this.targetCapabailities = mutableInteger2;
            this.acceptReplyId = j10;
            this.connectReplyId = j7;
            this.grant = (OAuthAccessGrant) Objects.requireNonNull(oAuthAccessGrant);
            this.isCorsPreflight = z;
            this.grant.acquire();
            if (!$assertionsDisabled && j9 < OAuthProxyFactory.EXPIRES_IMMEDIATELY) {
                throw new AssertionError();
            }
            if (j8 != OAuthProxyFactory.EXPIRES_NEVER) {
                this.signalFuture = OAuthProxyFactory.this.executor.schedule((j8 - j9) - System.currentTimeMillis(), TimeUnit.MILLISECONDS, j4, this.targetStreamId, 1L);
            }
        }

        /* JADX INFO: Access modifiers changed from: private */
        public void onStreamMessage(int i, DirectBuffer directBuffer, int i2, int i3) {
            switch (i) {
                case 1:
                    onBegin(OAuthProxyFactory.this.beginRO.wrap(directBuffer, i2, i2 + i3));
                    return;
                case 2:
                    onData(OAuthProxyFactory.this.dataRO.wrap(directBuffer, i2, i2 + i3));
                    return;
                case 3:
                    onEnd(OAuthProxyFactory.this.endRO.wrap(directBuffer, i2, i2 + i3));
                    return;
                case 4:
                    onAbort(OAuthProxyFactory.this.abortRO.wrap(directBuffer, i2, i2 + i3));
                    return;
                default:
                    OAuthProxyFactory.this.writer.doReset(this.source, this.sourceRouteId, this.sourceStreamId, OAuthProxyFactory.this.supplyTrace.getAsLong(), this.sourceAuthorization);
                    return;
            }
        }

        /* JADX INFO: Access modifiers changed from: private */
        public void onThrottleMessage(int i, DirectBuffer directBuffer, int i2, int i3) {
            switch (i) {
                case 1073741825:
                    onReset(OAuthProxyFactory.this.resetRO.wrap(directBuffer, i2, i2 + i3));
                    return;
                case 1073741826:
                    onWindow(OAuthProxyFactory.this.windowRO.wrap(directBuffer, i2, i2 + i3));
                    return;
                case 1073741827:
                    onSignal(OAuthProxyFactory.this.signalRO.wrap(directBuffer, i2, i2 + i3));
                    return;
                default:
                    return;
            }
        }

        private void onBegin(BeginFW beginFW) {
        }

        private void onData(DataFW dataFW) {
            long trace = dataFW.trace();
            int reserved = dataFW.reserved();
            OAuthProxyFactory.this.writer.doData(this.target, this.targetRouteId, this.targetStreamId, trace, dataFW.authorization(), dataFW.groupId(), reserved, dataFW.payload(), dataFW.extension());
        }

        private void onEnd(EndFW endFW) {
            OAuthProxyFactory.this.writer.doEnd(this.target, this.targetRouteId, this.targetStreamId, endFW.trace(), this.targetAuthorization, endFW.extension());
            cancelTimerIfNecessary();
        }

        private void onAbort(AbortFW abortFW) {
            OAuthProxyFactory.this.writer.doAbort(this.target, this.targetRouteId, this.targetStreamId, abortFW.trace(), this.targetAuthorization);
            cleanupCorrelationIfNecessary();
            cancelTimerIfNecessary();
        }

        private void onWindow(WindowFW windowFW) {
            int credit = windowFW.credit();
            long trace = windowFW.trace();
            int padding = windowFW.padding();
            long groupId = windowFW.groupId();
            this.targetCapabailities.value = windowFW.capabilities();
            OAuthProxyFactory.this.writer.doWindow(this.source, this.sourceRouteId, this.sourceStreamId, trace, this.sourceAuthorization, credit, padding, groupId, this.targetCapabailities.value);
        }

        /* JADX WARN: Type inference failed for: r0v20, types: [org.reaktivity.nukleus.oauth.internal.types.stream.HttpBeginExFW$Builder] */
        private void onReset(ResetFW resetFW) {
            long trace = resetFW.trace();
            boolean cleanupCorrelationIfNecessary = cleanupCorrelationIfNecessary();
            if (this.isCorsPreflight && this.sourceStreamId != this.connectReplyId && cleanupCorrelationIfNecessary) {
                OAuthProxyFactory.this.writer.doWindow(this.source, this.sourceRouteId, this.sourceStreamId, trace, OAuthProxyFactory.EXPIRES_IMMEDIATELY, 0, 0, OAuthProxyFactory.EXPIRES_IMMEDIATELY);
                HttpBeginExFW.Builder typeId = OAuthProxyFactory.this.httpBeginExRW.wrap2((MutableDirectBuffer) OAuthProxyFactory.this.extensionBuffer, 0, OAuthProxyFactory.this.extensionBuffer.capacity()).typeId(OAuthProxyFactory.this.httpTypeId);
                OAuthProxyFactory.setCorsPreflightResponse(typeId);
                long applyAsLong = OAuthProxyFactory.this.supplyReplyId.applyAsLong(this.sourceStreamId);
                OAuthProxyFactory.this.writer.doBegin(this.source, this.sourceRouteId, applyAsLong, trace, OAuthProxyFactory.EXPIRES_IMMEDIATELY, typeId.build());
                OAuthProxyFactory.this.writer.doEnd(this.source, this.sourceRouteId, applyAsLong, trace, OAuthProxyFactory.EXPIRES_IMMEDIATELY, OAuthProxyFactory.this.octetsRO);
            } else {
                OAuthProxyFactory.this.writer.doReset(this.source, this.sourceRouteId, this.sourceStreamId, trace, this.sourceAuthorization);
            }
            cancelTimerIfNecessary();
        }

        private void onSignal(SignalFW signalFW) {
            switch ((int) signalFW.signalId()) {
                case 1:
                    onGrantValidationSignal(signalFW);
                    return;
                default:
                    return;
            }
        }

        /* JADX WARN: Type inference failed for: r0v26, types: [org.reaktivity.nukleus.oauth.internal.types.stream.HttpBeginExFW$Builder] */
        private void onGrantValidationSignal(SignalFW signalFW) {
            long currentTimeMillis = System.currentTimeMillis();
            long j = this.grant.expiresAtMillis - currentTimeMillis;
            if (j > OAuthProxyFactory.EXPIRES_IMMEDIATELY) {
                if (Capabilities.canChallenge(this.sourceCapabailities.value)) {
                    j = this.grant.challenge(currentTimeMillis, signalFW.trace(), this::doChallenge);
                }
                this.signalFuture = OAuthProxyFactory.this.executor.schedule(j, TimeUnit.MILLISECONDS, this.targetRouteId, this.targetStreamId, 1L);
                return;
            }
            long trace = signalFW.trace();
            OAuthProxyFactory.this.writer.doReset(this.source, this.sourceRouteId, this.sourceStreamId, trace, this.sourceAuthorization);
            boolean cleanupCorrelationIfNecessary = cleanupCorrelationIfNecessary();
            if (this.sourceStreamId == this.connectReplyId && cleanupCorrelationIfNecessary) {
                OAuthProxyFactory.this.writer.doBegin(this.target, this.targetRouteId, this.targetStreamId, trace, this.targetAuthorization, OAuthProxyFactory.this.httpBeginExRW.wrap2((MutableDirectBuffer) OAuthProxyFactory.this.extensionBuffer, 0, OAuthProxyFactory.this.extensionBuffer.capacity()).typeId(OAuthProxyFactory.this.httpTypeId).headersItem(builder -> {
                    builder.name(OAuthProxyFactory.HEADER_NAME_STATUS).value("401");
                }).build());
                OAuthProxyFactory.this.writer.doEnd(this.target, this.targetRouteId, this.targetStreamId, trace, this.targetAuthorization, OAuthProxyFactory.this.octetsRO);
            } else {
                OAuthProxyFactory.this.writer.doAbort(this.target, this.targetRouteId, this.targetStreamId, trace, this.targetAuthorization);
            }
            this.grant.release();
        }

        /* JADX WARN: Type inference failed for: r0v3, types: [org.reaktivity.nukleus.oauth.internal.types.stream.HttpChallengeExFW$Builder] */
        private void doChallenge(long j) {
            OAuthProxyFactory.this.writer.doChallenge(this.source, this.sourceRouteId, this.sourceStreamId, j, this.sourceAuthorization, OAuthProxyFactory.this.httpChallengeExRW.wrap2((MutableDirectBuffer) OAuthProxyFactory.this.extensionBuffer, 0, OAuthProxyFactory.this.extensionBuffer.capacity()).typeId(OAuthProxyFactory.this.httpTypeId).headersItem(builder -> {
                builder.name(OAuthProxyFactory.HEADER_NAME_METHOD).value(OAuthProxyFactory.HEADER_VALUE_METHOD_POST);
            }).headersItem(builder2 -> {
                builder2.name(OAuthProxyFactory.HEADER_NAME_CONTENT_TYPE).value(OAuthProxyFactory.END_CHALLENGE_TYPE);
            }).build());
        }

        private boolean cleanupCorrelationIfNecessary() {
            OAuthProxy oAuthProxy = (OAuthProxy) OAuthProxyFactory.this.correlations.remove(this.connectReplyId);
            if (oAuthProxy != null) {
                OAuthProxyFactory.this.router.clearThrottle(this.acceptReplyId);
            }
            return oAuthProxy != null;
        }

        private void cancelTimerIfNecessary() {
            if (this.signalFuture != null) {
                this.signalFuture.cancel(true);
                this.signalFuture = null;
                this.grant.release();
            }
        }

        static {
            $assertionsDisabled = !OAuthProxyFactory.class.desiredAssertionStatus();
        }
    }

    public OAuthProxyFactory(OAuthConfiguration oAuthConfiguration, MutableDirectBuffer mutableDirectBuffer, LongUnaryOperator longUnaryOperator, LongSupplier longSupplier, ToIntFunction<String> toIntFunction, LongUnaryOperator longUnaryOperator2, Function<String, JsonWebKey> function, ToLongFunction<JsonWebSignature> toLongFunction, SignalingExecutor signalingExecutor, RouteManager routeManager) {
        this.config = oAuthConfiguration;
        this.router = (RouteManager) Objects.requireNonNull(routeManager);
        this.writer = new Writer(mutableDirectBuffer);
        this.extensionBuffer = new UnsafeBuffer(new byte[mutableDirectBuffer.capacity()]);
        this.supplyInitialId = (LongUnaryOperator) Objects.requireNonNull(longUnaryOperator);
        this.supplyReplyId = (LongUnaryOperator) Objects.requireNonNull(longUnaryOperator2);
        this.supplyTrace = (LongSupplier) Objects.requireNonNull(longSupplier);
        this.lookupKey = function;
        this.lookupAuthorization = toLongFunction;
        this.executor = signalingExecutor;
        this.httpTypeId = toIntFunction.applyAsInt("http");
        this.challengeTimeoutClaimName = String.format("%s%s", oAuthConfiguration.getCanonicalClaimNamespace(), oAuthConfiguration.getClaimNameChallengeTimeout());
    }

    public MessageConsumer newStream(int i, DirectBuffer directBuffer, int i2, int i3, MessageConsumer messageConsumer) {
        BeginFW wrap = this.beginRO.wrap(directBuffer, i2, i2 + i3);
        return (wrap.streamId() & 1) != EXPIRES_IMMEDIATELY ? newInitialStream(wrap, messageConsumer) : newReplyStream(wrap, messageConsumer);
    }

    /* JADX WARN: Type inference failed for: r0v94, types: [org.reaktivity.nukleus.oauth.internal.types.stream.HttpBeginExFW$Builder] */
    private MessageConsumer newInitialStream(BeginFW beginFW, MessageConsumer messageConsumer) {
        long authorization = beginFW.authorization();
        long routeId = beginFW.routeId();
        long streamId = beginFW.streamId();
        long affinity = beginFW.affinity();
        OctetsFW extension = beginFW.extension();
        HttpBeginExFW httpBeginExFW = this.httpBeginExRO;
        Objects.requireNonNull(httpBeginExFW);
        HttpBeginExFW httpBeginExFW2 = (HttpBeginExFW) extension.get(httpBeginExFW::tryWrap);
        JsonWebSignature verifiedSignature = verifiedSignature(beginFW);
        long j = authorization;
        if (verifiedSignature != null) {
            j = this.lookupAuthorization.applyAsLong(verifiedSignature);
        }
        String resolveSubject = resolveSubject(verifiedSignature);
        long expiresAtMillis = this.config.expireInFlightRequests() ? expiresAtMillis(verifiedSignature) : EXPIRES_NEVER;
        int i = (int) ((j & REALM_MASK) >> 48);
        RouteFW routeFW = (RouteFW) this.router.resolve(routeId, j, (i2, directBuffer, i3, i4) -> {
            return true;
        }, this::wrapRoute);
        MessageConsumer messageConsumer2 = null;
        if (isChallengeResponseRequest(httpBeginExFW2)) {
            long asLong = this.supplyTrace.getAsLong();
            long applyAsLong = this.supplyReplyId.applyAsLong(streamId);
            long resolveChallengeTimeout = resolveChallengeTimeout(verifiedSignature);
            OAuthAccessGrant lookupGrant = lookupGrant(i, affinity, resolveSubject);
            if (lookupGrant != null) {
                lookupGrant.reauthorize(resolveSubject, j, expiresAtMillis, resolveChallengeTimeout);
            }
            this.writer.doWindow(messageConsumer, routeId, streamId, asLong, EXPIRES_IMMEDIATELY, 0, 0, EXPIRES_IMMEDIATELY);
            this.writer.doBegin(messageConsumer, routeId, applyAsLong, asLong, EXPIRES_IMMEDIATELY, this.httpBeginExRW.wrap2((MutableDirectBuffer) this.extensionBuffer, 0, this.extensionBuffer.capacity()).typeId(this.httpTypeId).headers(OAuthProxyFactory::setChallengeResponseHeaders).build());
            this.writer.doEnd(messageConsumer, routeId, applyAsLong, asLong, EXPIRES_IMMEDIATELY, this.octetsRO);
            messageConsumer2 = (i5, directBuffer2, i6, i7) -> {
            };
        } else if (routeFW != null) {
            long trace = beginFW.trace();
            long applyAsLong2 = this.supplyReplyId.applyAsLong(streamId);
            long correlationId = routeFW.correlationId();
            long applyAsLong3 = this.supplyInitialId.applyAsLong(correlationId);
            MessageConsumer supplyReceiver = this.router.supplyReceiver(applyAsLong3);
            long applyAsLong4 = this.supplyReplyId.applyAsLong(applyAsLong3);
            HttpBeginExFW httpBeginExFW3 = this.httpBeginExRO;
            Objects.requireNonNull(httpBeginExFW3);
            boolean isCorsPreflightRequest = isCorsPreflightRequest((HttpBeginExFW) extension.get(httpBeginExFW3::tryWrap));
            long resolveChallengeTimeout2 = resolveChallengeTimeout(verifiedSignature);
            OAuthAccessGrant supplyGrant = supplyGrant(i, affinity, resolveSubject);
            supplyGrant.reauthorize(resolveSubject, j, expiresAtMillis, resolveChallengeTimeout2);
            MutableInteger mutableInteger = new MutableInteger();
            MutableInteger mutableInteger2 = new MutableInteger();
            OAuthProxy oAuthProxy = new OAuthProxy(messageConsumer, routeId, streamId, authorization, mutableInteger, correlationId, applyAsLong3, j, mutableInteger2, applyAsLong4, expiresAtMillis, EXPIRES_IMMEDIATELY, supplyGrant, isCorsPreflightRequest, supplyReceiver, applyAsLong2);
            OAuthProxy oAuthProxy2 = new OAuthProxy(supplyReceiver, correlationId, applyAsLong4, j, mutableInteger2, routeId, applyAsLong2, authorization, mutableInteger, applyAsLong4, expiresAtMillis, resolveChallengeTimeout2, supplyGrant, isCorsPreflightRequest, messageConsumer, applyAsLong2);
            this.correlations.put(applyAsLong4, oAuthProxy2);
            RouteManager routeManager = this.router;
            Objects.requireNonNull(oAuthProxy2);
            routeManager.setThrottle(applyAsLong2, (i8, directBuffer3, i9, i10) -> {
                oAuthProxy2.onThrottleMessage(i8, directBuffer3, i9, i10);
            });
            this.writer.doBegin(supplyReceiver, correlationId, applyAsLong3, trace, j, extension);
            RouteManager routeManager2 = this.router;
            Objects.requireNonNull(oAuthProxy);
            routeManager2.setThrottle(applyAsLong3, (i11, directBuffer4, i12, i13) -> {
                oAuthProxy.onThrottleMessage(i11, directBuffer4, i12, i13);
            });
            Objects.requireNonNull(oAuthProxy);
            messageConsumer2 = (i14, directBuffer5, i15, i16) -> {
                oAuthProxy.onStreamMessage(i14, directBuffer5, i15, i16);
            };
        }
        return messageConsumer2;
    }

    /* JADX WARN: Type inference failed for: r0v33, types: [org.reaktivity.nukleus.oauth.internal.types.stream.HttpBeginExFW$Builder] */
    private MessageConsumer newReplyStream(BeginFW beginFW, MessageConsumer messageConsumer) {
        long streamId = beginFW.streamId();
        long trace = beginFW.trace();
        long authorization = beginFW.authorization();
        OctetsFW extension = beginFW.extension();
        HttpBeginExFW httpBeginExFW = this.httpBeginExRO;
        Objects.requireNonNull(httpBeginExFW);
        HttpBeginExFW httpBeginExFW2 = (HttpBeginExFW) extension.get(httpBeginExFW::tryWrap);
        OAuthProxy oAuthProxy = (OAuthProxy) this.correlations.remove(streamId);
        MessageConsumer messageConsumer2 = null;
        if (oAuthProxy != null) {
            MessageConsumer messageConsumer3 = oAuthProxy.target;
            long j = oAuthProxy.targetRouteId;
            long j2 = oAuthProxy.targetStreamId;
            Flyweight flyweight = extension;
            if (oAuthProxy.isCorsPreflight) {
                HttpBeginExFW.Builder typeId = this.httpBeginExRW.wrap2((MutableDirectBuffer) this.extensionBuffer, 0, this.extensionBuffer.capacity()).typeId(this.httpTypeId);
                if (httpBeginExFW2 != null) {
                    httpBeginExFW2.headers().forEach(httpHeaderFW -> {
                        typeId.headersItem(builder -> {
                            builder.name(httpHeaderFW.name()).value(httpHeaderFW.value());
                        });
                    });
                }
                setCorsPreflightResponseHeaders(typeId);
                flyweight = typeId.build();
            }
            this.writer.doBegin(messageConsumer3, j, j2, trace, authorization, flyweight);
            Objects.requireNonNull(oAuthProxy);
            messageConsumer2 = (i, directBuffer, i2, i3) -> {
                oAuthProxy.onStreamMessage(i, directBuffer, i2, i3);
            };
        }
        return messageConsumer2;
    }

    private RouteFW wrapRoute(int i, DirectBuffer directBuffer, int i2, int i3) {
        return this.routeRO.wrap(directBuffer, i2, i2 + i3);
    }

    private long resolveChallengeTimeout(JsonWebSignature jsonWebSignature) {
        long j = 0;
        if (jsonWebSignature != null) {
            try {
                if (JwtClaims.parse(jsonWebSignature.getPayload()).getClaimValue(this.challengeTimeoutClaimName) != null) {
                    j = TimeUnit.SECONDS.toMillis(Integer.parseInt(r0.toString()));
                }
            } catch (InvalidJwtException | JoseException | NumberFormatException e) {
            }
        }
        return j;
    }

    private OAuthAccessGrant supplyGrant(int i, long j, String str) {
        OAuthAccessGrant oAuthAccessGrant;
        if (j == EXPIRES_IMMEDIATELY || str == null) {
            oAuthAccessGrant = new OAuthAccessGrant();
        } else {
            Map<String, OAuthAccessGrant> supplyGrantsBySubject = supplyGrantsBySubject(i, j);
            oAuthAccessGrant = supplyGrantsBySubject.computeIfAbsent(str.intern(), str2 -> {
                Objects.requireNonNull(supplyGrantsBySubject);
                return new OAuthAccessGrant((v1) -> {
                    r3.remove(v1);
                });
            });
        }
        return oAuthAccessGrant;
    }

    private Map<String, OAuthAccessGrant> supplyGrantsBySubject(int i, long j) {
        return (Map) this.grantsBySubjectByAffinityPerRealm[i].computeIfAbsent(j, j2 -> {
            return new IdentityHashMap();
        });
    }

    private OAuthAccessGrant lookupGrant(int i, long j, String str) {
        Map<String, OAuthAccessGrant> lookupGrantsBySubject;
        OAuthAccessGrant oAuthAccessGrant = null;
        if (j != EXPIRES_IMMEDIATELY && str != null && (lookupGrantsBySubject = lookupGrantsBySubject(i, j)) != null) {
            oAuthAccessGrant = lookupGrantsBySubject.get(str.intern());
        }
        return oAuthAccessGrant;
    }

    private Map<String, OAuthAccessGrant> lookupGrantsBySubject(int i, long j) {
        return (Map) this.grantsBySubjectByAffinityPerRealm[i].get(j);
    }

    private JsonWebSignature verifiedSignature(BeginFW beginFW) {
        OctetsFW extension = beginFW.extension();
        HttpBeginExFW httpBeginExFW = this.httpBeginExRO;
        Objects.requireNonNull(httpBeginExFW);
        JsonWebSignature jsonWebSignature = null;
        String bearerToken = bearerToken((HttpBeginExFW) extension.get(httpBeginExFW::tryWrap));
        if (bearerToken != null) {
            try {
                this.signature.setCompactSerialization(bearerToken);
                String keyIdHeaderValue = this.signature.getKeyIdHeaderValue();
                String algorithmHeaderValue = this.signature.getAlgorithmHeaderValue();
                JsonWebKey apply = this.lookupKey.apply(keyIdHeaderValue);
                if (algorithmHeaderValue != null && apply != null && algorithmHeaderValue.equals(apply.getAlgorithm())) {
                    this.signature.setKey((Key) null);
                    this.signature.setKey(apply.getKey());
                    JwtClaims parse = JwtClaims.parse(this.signature.getPayload());
                    NumericDate expirationTime = parse.getExpirationTime();
                    NumericDate notBefore = parse.getNotBefore();
                    long currentTimeMillis = System.currentTimeMillis();
                    if ((expirationTime == null || currentTimeMillis <= expirationTime.getValueInMillis()) && ((notBefore == null || currentTimeMillis >= notBefore.getValueInMillis()) && this.signature.verifySignature())) {
                        jsonWebSignature = this.signature;
                    }
                }
            } catch (JoseException | MalformedClaimException | InvalidJwtException e) {
            }
        }
        return jsonWebSignature;
    }

    private static String bearerToken(HttpBeginExFW httpBeginExFW) {
        String16FW value;
        int limitOfBytes;
        int indexOfBytes;
        String str = null;
        if (httpBeginExFW != null) {
            ArrayFW<HttpHeaderFW> headers = httpBeginExFW.headers();
            HttpHeaderFW matchFirst = headers.matchFirst(httpHeaderFW -> {
                return BufferUtil.equals(httpHeaderFW.name(), PATH);
            });
            if (matchFirst != null && (indexOfBytes = BufferUtil.indexOfBytes(matchFirst.value(), QUERY_PREFIX)) != -1) {
                Matcher matcher = QUERY_PARAMS.matcher(matchFirst.value().asString().substring(indexOfBytes));
                if (matcher.matches()) {
                    str = matcher.group(1);
                }
            }
            HttpHeaderFW matchFirst2 = headers.matchFirst(httpHeaderFW2 -> {
                return BufferUtil.equals(httpHeaderFW2.name(), AUTHORIZATION);
            });
            if (matchFirst2 != null && (limitOfBytes = BufferUtil.limitOfBytes((value = matchFirst2.value()), BEARER_PREFIX)) > 0) {
                str = value.buffer().getStringWithoutLengthUtf8(limitOfBytes, value.limit() - limitOfBytes);
            }
        }
        return str;
    }

    private static String resolveSubject(JsonWebSignature jsonWebSignature) {
        String str = null;
        if (jsonWebSignature != null) {
            try {
                str = JwtClaims.parse(jsonWebSignature.getPayload()).getSubject();
            } catch (InvalidJwtException | JoseException | MalformedClaimException e) {
            }
        }
        return str;
    }

    private static long expiresAtMillis(JsonWebSignature jsonWebSignature) {
        long j = Long.MAX_VALUE;
        if (jsonWebSignature != null) {
            try {
                NumericDate expirationTime = JwtClaims.parse(jsonWebSignature.getPayload()).getExpirationTime();
                if (expirationTime != null) {
                    j = expirationTime.getValueInMillis();
                }
            } catch (MalformedClaimException | InvalidJwtException | JoseException e) {
                j = 0;
            }
        }
        return j;
    }

    private static Long2ObjectHashMap<Map<String, OAuthAccessGrant>>[] initGrantsBySubjectByAffinityPerRealm() {
        Long2ObjectHashMap<Map<String, OAuthAccessGrant>>[] long2ObjectHashMapArr = new Long2ObjectHashMap[16];
        Arrays.setAll(long2ObjectHashMapArr, i -> {
            return new Long2ObjectHashMap();
        });
        return long2ObjectHashMapArr;
    }

    private static boolean isCorsPreflightRequest(HttpBeginExFW httpBeginExFW) {
        return httpBeginExFW != null && httpBeginExFW.headers().anyMatch(httpHeaderFW -> {
            return HEADER_NAME_METHOD.equals(httpHeaderFW.name()) && CORS_PREFLIGHT_METHOD.equals(httpHeaderFW.value());
        }) && httpBeginExFW.headers().anyMatch(httpHeaderFW2 -> {
            return HEADER_NAME_ACCESS_CONTROL_REQUEST_METHOD.equals(httpHeaderFW2.name()) || HEADER_NAME_ACCESS_CONTROL_REQUEST_HEADERS.equals(httpHeaderFW2.name());
        });
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static void setCorsPreflightResponse(HttpBeginExFW.Builder builder) {
        builder.headersItem(builder2 -> {
            builder2.name(HEADER_NAME_STATUS).value(HEADER_VALUE_STATUS_204);
        });
        setCorsPreflightResponseHeaders(builder);
    }

    private static void setCorsPreflightResponseHeaders(HttpBeginExFW.Builder builder) {
        builder.headersItem(builder2 -> {
            builder2.name(HEADER_NAME_ACCESS_CONTROL_ALLOW_METHODS).value(CORS_ALLOWED_METHODS);
        }).headersItem(builder3 -> {
            builder3.name(HEADER_NAME_ACCESS_CONTROL_ALLOW_HEADERS).value(CORS_ALLOWED_HEADERS);
        });
    }

    private static boolean isChallengeResponseRequest(HttpBeginExFW httpBeginExFW) {
        return httpBeginExFW != null && httpBeginExFW.headers().anyMatch(httpHeaderFW -> {
            return HEADER_NAME_METHOD.equals(httpHeaderFW.name()) && CHALLENGE_RESPONSE_METHOD.equals(httpHeaderFW.value());
        }) && httpBeginExFW.headers().anyMatch(httpHeaderFW2 -> {
            return HEADER_NAME_CONTENT_TYPE.equals(httpHeaderFW2.name()) && CHALLENGE_RESPONSE_CONTENT_TYPE.equals(httpHeaderFW2.value());
        });
    }

    private static void setChallengeResponseHeaders(ArrayFW.Builder<HttpHeaderFW.Builder, HttpHeaderFW> builder) {
        builder.item(builder2 -> {
            builder2.name(HEADER_NAME_STATUS).value(HEADER_VALUE_STATUS_204);
        });
    }
}
