package tech.bilal.akka.http.auth.adapter;

import io.circe.Decoder;
import io.circe.parser.package$;
import java.security.PublicKey;
import pdi.jwt.Jwt$;
import pdi.jwt.JwtOptions;
import pdi.jwt.JwtOptions$;
import scala.$less$colon$less$;
import scala.MatchError;
import scala.None$;
import scala.Option;
import scala.Some;
import scala.Some$;
import scala.Tuple2;
import scala.Tuple2$;
import scala.concurrent.ExecutionContext$Implicits$;
import scala.concurrent.Future;
import scala.concurrent.Future$;
import scala.runtime.BoxedUnit;
import scala.util.Left;
import scala.util.Right;
import scala.util.Try;
import tech.bilal.akka.http.auth.adapter.crypto.Algorithm$;
import tech.bilal.akka.http.oidc.client.OIDCClient;
import tech.bilal.akka.http.oidc.client.models.Key;

/* compiled from: JwtVerifier.scala */
/* loaded from: input_file:tech/bilal/akka/http/auth/adapter/JwtVerifier.class */
public class JwtVerifier {
    private final OIDCClient oidcClient;
    private final PublicKeyManager publicKeyManager;
    private final AuthConfig authConfig;

    public JwtVerifier(OIDCClient oIDCClient, PublicKeyManager publicKeyManager, AuthConfig authConfig) {
        this.oidcClient = oIDCClient;
        this.publicKeyManager = publicKeyManager;
        this.authConfig = authConfig;
    }

    public <T> Future<Option<T>> verifyAndDecode(String str, Decoder<T> decoder) {
        JwtOptions apply = JwtOptions$.MODULE$.apply(true, true, true, JwtOptions$.MODULE$.$lessinit$greater$default$4());
        return Future$.MODULE$.fromTry(getKIDAndContents(str)).withFilter(tuple2 -> {
            if (tuple2 == null) {
                return false;
            }
            return true;
        }, ExecutionContext$Implicits$.MODULE$.global()).flatMap(tuple22 -> {
            if (tuple22 == null) {
                throw new MatchError(tuple22);
            }
            JWTHeader jWTHeader = (JWTHeader) tuple22._1();
            String str2 = (String) tuple22._2();
            return this.publicKeyManager.getKey(jWTHeader.kid()).map(either -> {
                if (either instanceof Right) {
                    return Tuple2$.MODULE$.apply(either, (Key) ((Right) either).value());
                }
                if (either instanceof Left) {
                    KeyError keyError = (KeyError) ((Left) either).value();
                    KeyError keyError2 = KeyError$.KeyNotFound;
                    if (keyError2 != null ? keyError2.equals(keyError) : keyError == null) {
                        throw new RuntimeException("could not find key with kid: " + jWTHeader.kid());
                    }
                    KeyError keyError3 = KeyError$.AuthServerDisconnected;
                    if (keyError3 != null ? keyError3.equals(keyError) : keyError == null) {
                        throw new RuntimeException("unabled to fetch keys from auth server");
                    }
                }
                throw new MatchError(either);
            }, ExecutionContext$Implicits$.MODULE$.global()).flatMap(tuple22 -> {
                if (tuple22 == null) {
                    throw new MatchError(tuple22);
                }
                Key key = (Key) tuple22._2();
                return this.oidcClient.fetchOIDCConfig().map(oIDCConfig -> {
                    return oIDCConfig.issuer();
                }, ExecutionContext$Implicits$.MODULE$.global()).map(str3 -> {
                    return Tuple2$.MODULE$.apply(str3, (Try) this.authConfig.supportedAlgorithms().find(str3 -> {
                        String lowerCase = str3.toLowerCase();
                        String lowerCase2 = jWTHeader.alg().toLowerCase();
                        return lowerCase != null ? lowerCase.equals(lowerCase2) : lowerCase2 == null;
                    }).map(str4 -> {
                        return Algorithm$.MODULE$.apply(str4);
                    }).getOrElse(() -> {
                        return $anonfun$3(r1);
                    }));
                }, ExecutionContext$Implicits$.MODULE$.global()).flatMap(tuple22 -> {
                    if (tuple22 != null) {
                        Try r0 = (Try) tuple22._2();
                        String str4 = (String) tuple22._1();
                        if (r0 instanceof Try) {
                            return Future$.MODULE$.fromTry(r0.flatMap(algorithm -> {
                                return algorithm.publicKey(key, jWTHeader);
                            })).map(publicKey -> {
                                Jwt$.MODULE$.validate(str, publicKey, apply);
                                BoxedUnit boxedUnit = BoxedUnit.UNIT;
                                return Tuple2$.MODULE$.apply(publicKey, BoxedUnit.UNIT);
                            }, ExecutionContext$Implicits$.MODULE$.global()).flatMap(tuple22 -> {
                                if (tuple22 == null || ((PublicKey) tuple22._1()) == null) {
                                    throw new MatchError(tuple22);
                                }
                                return Future$.MODULE$.fromTry(package$.MODULE$.decode(str2, decoder).toTry($less$colon$less$.MODULE$.refl())).map(obj -> {
                                    if (this.authConfig.issuerCheck()) {
                                        Some flatMap = package$.MODULE$.parse(str2).toOption().flatMap(json -> {
                                            return json.asObject();
                                        }).flatMap(jsonObject -> {
                                            return jsonObject.apply("iss");
                                        }).flatMap(json2 -> {
                                            return json2.asString();
                                        });
                                        if (!(flatMap instanceof Some)) {
                                            if (None$.MODULE$.equals(flatMap)) {
                                                throw new RuntimeException("token does not have issuer");
                                            }
                                            throw new MatchError(flatMap);
                                        }
                                        String str5 = (String) flatMap.value();
                                        if (str4 != null ? !str4.equals(str5) : str5 != null) {
                                            throw new RuntimeException("issuer check failed. " + str5 + " != " + str4);
                                        }
                                    }
                                    BoxedUnit boxedUnit = BoxedUnit.UNIT;
                                    return Tuple2$.MODULE$.apply(obj, BoxedUnit.UNIT);
                                }, ExecutionContext$Implicits$.MODULE$.global()).map(tuple22 -> {
                                    if (tuple22 == null) {
                                        throw new MatchError(tuple22);
                                    }
                                    return Some$.MODULE$.apply(tuple22._1());
                                }, ExecutionContext$Implicits$.MODULE$.global());
                            }, ExecutionContext$Implicits$.MODULE$.global());
                        }
                    }
                    throw new MatchError(tuple22);
                }, ExecutionContext$Implicits$.MODULE$.global());
            }, ExecutionContext$Implicits$.MODULE$.global());
        }, ExecutionContext$Implicits$.MODULE$.global());
    }

    private Try<Tuple2<JWTHeader, String>> getKIDAndContents(String str) {
        return Jwt$.MODULE$.decodeRawAll(str, JwtOptions$.MODULE$.apply(false, false, false, JwtOptions$.MODULE$.$lessinit$greater$default$4())).flatMap(tuple3 -> {
            if (tuple3 == null) {
                throw new MatchError(tuple3);
            }
            String str2 = (String) tuple3._1();
            String str3 = (String) tuple3._2();
            return package$.MODULE$.decode(str2, JWTHeader$.MODULE$.given_Decoder_JWTHeader()).map(jWTHeader -> {
                return Tuple2$.MODULE$.apply(jWTHeader, str3);
            }).toTry($less$colon$less$.MODULE$.refl());
        });
    }

    private static final Try $anonfun$3(JWTHeader jWTHeader) {
        throw new RuntimeException("unsupported algorithm - " + jWTHeader.alg());
    }
}
