package fi.evolver.basics.spring.auth.alb.verify;

import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.interfaces.DecodedJWT;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;
import fi.evolver.utils.string.StringUtils;
import java.io.IOException;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.runtime.ObjectMethods;
import java.math.BigInteger;
import java.net.URI;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.RSAPublicKeySpec;
import java.util.Base64;
import java.util.List;
import java.util.NoSuchElementException;
import org.springframework.security.authentication.InternalAuthenticationServiceException;

/* loaded from: input_file:fi/evolver/basics/spring/auth/alb/verify/AlbAccessTokenVerifier.class */
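/**
 * Verifies access tokens against the RSA keys published in the issuer's JWKS document.
 *
 * <p>The signing key is looked up by key id in {@code <issuer>/.well-known/jwks.json}, and the
 * token's {@code iss} claim must match the configured issuer. {@code LOG}, {@code client},
 * {@code verifierCache} and {@code badCredentials} are inherited from
 * {@link AbstractTokenVerifier}, which is not visible in this file.
 *
 * <p>NOTE(review): nothing here enforces an {@code https} issuer. The keys fetched from the issuer
 * URL decide which signatures are trusted, so the configured issuer should be an https URL.
 */
public class AlbAccessTokenVerifier extends AbstractTokenVerifier {
    /** Path of the JWKS document, resolved relative to the configured issuer. */
    private static final String PUBLIC_KEY_ENDPOINT = ".well-known/jwks.json";

    private final ObjectMapper jsonMapper = JsonMapper.builder().findAndAddModules().build();
    private final KeyFactory keyFactory = KeyFactory.getInstance("RSA");

    /** Issuer the token must carry; {@code null} when no issuer was configured. */
    private final URI expectedAccessTokenIssuer;

    /**
     * JSON shape of the JWKS response. Declared as records with the access levels the decompiler
     * reported for the original classes (private, and package-private for the item).
     */
    private record KeysResponse(List<PublicKeyItem> keys) {
        /**
         * One JWK entry. {@code n} and {@code e} are the base64url-encoded RSA modulus and public
         * exponent. {@code use} is parsed but not checked by this class.
         */
        record PublicKeyItem(String kid, String alg, String kty, String e, String n, String use) {
        }
    }

    /**
     * Creates a verifier for the given issuer.
     *
     * @param str expected issuer URL; a blank or {@code null} value leaves the issuer unset, in
     *     which case every token is rejected
     * @throws NoSuchAlgorithmException if no RSA {@link KeyFactory} is available
     */
    public AlbAccessTokenVerifier(String str) throws NoSuchAlgorithmException {
        this.expectedAccessTokenIssuer = StringUtils.hasText(str) ? URI.create(str) : null;
    }

    /**
     * Rejects the token unless its {@code iss} claim equals the configured issuer, with or without
     * the issuer's trailing slash.
     *
     * @param decodedJWT the decoded token to check
     */
    @Override // fi.evolver.basics.spring.auth.alb.verify.AbstractTokenVerifier
    protected void checkTokenFields(DecodedJWT decodedJWT) {
        String issuer = decodedJWT.getClaim("iss").asString();
        // Fail closed: an unset issuer or a token without an iss claim can never match.
        if (this.expectedAccessTokenIssuer != null && issuer != null) {
            String expected = this.expectedAccessTokenIssuer.toString();
            if (expected.equals(issuer) || expected.equals(issuer + "/")) {
                return;
            }
        }
        badCredentials("Invalid issuer for token");
    }

    /**
     * Builds a verifier for the key with the given id.
     *
     * @param str key id to look up in the JWKS document
     * @return the verifier, or {@code null} when the fetched key material is not a valid RSA key
     */
    @Override // fi.evolver.basics.spring.auth.alb.verify.AbstractTokenVerifier
    protected JWTVerifier loadVerifier(String str) {
        try {
            this.verifierCache.cleanup();
            return buildVerifier(fetchPublicKey(str));
        } catch (InvalidKeySpecException e) {
            LOG.error("JWTVerifier initialization failed", e);
            // NOTE(review): confirm that AbstractTokenVerifier treats a null verifier as a failed
            // verification and does not cache it.
            return null;
        }
    }

    /**
     * Downloads the JWKS document and returns the RS256/RSA key whose id equals {@code str}.
     *
     * @param str key id to look for; it is compared only, never logged
     * @return the public key spec built from the matching entry
     * @throws InternalAuthenticationServiceException if the issuer is unset, the request fails,
     *     the response cannot be decoded, or no matching key is published
     */
    private RSAPublicKeySpec fetchPublicKey(String str) {
        if (this.expectedAccessTokenIssuer == null) {
            LOG.error("Expected access token issuer is not configured");
            throw new InternalAuthenticationServiceException("Expected access token issuer is not configured");
        }
        if (str == null) {
            LOG.error("Requested key id not found");
            throw new InternalAuthenticationServiceException("Requested key id not found");
        }
        try {
            // URI.resolve replaces the last path segment when the base has no trailing slash, so
            // the configured issuer is presumably expected to end with '/' - TODO confirm.
            URI jwksUri = this.expectedAccessTokenIssuer.resolve(PUBLIC_KEY_ENDPOINT);
            HttpResponse<String> response =
                    this.client.send(HttpRequest.newBuilder(jwksUri).GET().build(), HttpResponse.BodyHandlers.ofString());
            // Do not feed an error page to the JSON parser; only a 200 body is a JWKS document.
            if (response.statusCode() != 200) {
                LOG.error("Public key GET request failed");
                throw new InternalAuthenticationServiceException("Public key GET request failed");
            }

            KeysResponse parsed = this.jsonMapper.readValue(response.body(), KeysResponse.class);
            List<KeysResponse.PublicKeyItem> published =
                    parsed == null || parsed.keys() == null ? List.of() : parsed.keys();
            // Pinning alg and kty here keeps a published key of another type from being selected.
            KeysResponse.PublicKeyItem key = published.stream()
                    .filter(item -> item != null)
                    .filter(item -> "RS256".equals(item.alg()))
                    .filter(item -> "RSA".equals(item.kty()))
                    .filter(item -> str.equals(item.kid()))
                    .findFirst()
                    .orElseThrow();

            if (key.n() == null || key.e() == null) {
                throw new IllegalArgumentException("JWK is missing modulus or exponent");
            }
            Base64.Decoder urlDecoder = Base64.getUrlDecoder();
            // Signum 1: the decoded bytes are unsigned big-endian magnitudes.
            return new RSAPublicKeySpec(
                    new BigInteger(1, urlDecoder.decode(key.n())), new BigInteger(1, urlDecoder.decode(key.e())));
        } catch (IllegalArgumentException | JsonProcessingException decodeFailure) {
            // JsonProcessingException is an IOException, so this clause has to come first.
            LOG.error("Key decoding failed", decodeFailure);
            throw new InternalAuthenticationServiceException("Cannot decode key", decodeFailure);
        } catch (IOException requestFailure) {
            LOG.error("Public key GET request failed", requestFailure);
            throw new InternalAuthenticationServiceException("Public key GET request failed", requestFailure);
        } catch (InterruptedException interrupted) {
            // Restore the flag so the calling thread can still observe the interruption.
            Thread.currentThread().interrupt();
            LOG.error("Public key GET request failed", interrupted);
            throw new InternalAuthenticationServiceException("Public key GET request failed", interrupted);
        } catch (NoSuchElementException notFound) {
            LOG.error("Requested key id not found");
            throw new InternalAuthenticationServiceException("Requested key id not found");
        }
    }

    /**
     * Creates an RS256 verifier from the given public key spec.
     *
     * @param rSAPublicKeySpec modulus and exponent of the signing key
     * @return a verifier bound to RS256 and that key
     * @throws InvalidKeySpecException if the spec does not describe a valid RSA public key
     */
    private JWTVerifier buildVerifier(RSAPublicKeySpec rSAPublicKeySpec) throws InvalidKeySpecException {
        RSAPublicKey publicKey = (RSAPublicKey) this.keyFactory.generatePublic(rSAPublicKeySpec);
        return JWT.require(Algorithm.RSA256(publicKey, emptyPrivateKey())).build();
    }

    /**
     * Returns a placeholder private key for the verify-only algorithm instance. Every method
     * throws, so it cannot be used to sign anything.
     */
    private static RSAPrivateKey emptyPrivateKey() {
        return new RSAPrivateKey() { // from class: fi.evolver.basics.spring.auth.alb.verify.AlbAccessTokenVerifier.1
            @Override // java.security.Key
            public String getAlgorithm() {
                throw new UnsupportedOperationException("Unimplemented method 'getAlgorithm'");
            }

            @Override // java.security.Key
            public byte[] getEncoded() {
                throw new UnsupportedOperationException("Unimplemented method 'getEncoded'");
            }

            @Override // java.security.Key
            public String getFormat() {
                throw new UnsupportedOperationException("Unimplemented method 'getFormat'");
            }

            @Override // java.security.interfaces.RSAKey
            public BigInteger getModulus() {
                throw new UnsupportedOperationException("Unimplemented method 'getModulus'");
            }

            @Override // java.security.interfaces.RSAPrivateKey
            public BigInteger getPrivateExponent() {
                throw new UnsupportedOperationException("Unimplemented method 'getPrivateExponent'");
            }
        };
    }
}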
