package fun.mike.azure.auth;

import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.jwk.source.RemoteJWKSet;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.proc.BadJWTException;
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
import java.text.ParseException;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import javax.ws.rs.InternalServerErrorException;
import javax.ws.rs.NotAuthorizedException;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.PreMatching;
import javax.ws.rs.ext.Provider;

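/**
 * JAX-RS request filter that requires every request to carry an Azure AD bearer token
 * issued for this application.
 *
 * <p>The filter is {@link PreMatching}, so it runs before resource matching and therefore
 * applies to every request, not only to matched resources. A request passes when its
 * {@code Authorization} header holds a {@code Bearer} token that:
 * <ul>
 *   <li>is signed with RS256 by a key published at the tenant's {@code jwks_uri}
 *       (discovered through the tenant's v2.0 OpenID provider metadata),</li>
 *   <li>carries an expiration claim and passes the library's default claim checks,</li>
 *   <li>names this application in its {@code aud} claim, either as the client id or as
 *       the default App ID URI {@code api://<clientId>}, and</li>
 *   <li>was issued by {@code https://sts.windows.net/<tenantId>/}.</li>
 * </ul>
 * The issuer check expects the v1-style issuer; tokens carrying the v2.0 issuer
 * ({@code https://login.microsoftonline.com/<tenantId>/v2.0}) are rejected.
 *
 * <p>Outcome mapping: a missing, malformed or invalid token yields 401 with a
 * {@code WWW-Authenticate: Bearer} challenge; failure to obtain the tenant's metadata or
 * signing keys yields 500, since that is a deployment problem rather than a client one.
 *
 * <p>Thread-safe: the JWK source is resolved once, lazily, and then shared by all requests.
 */
@Provider
@PreMatching
public class AzureAuthFilter implements ContainerRequestFilter {
    private static final String AUTHORIZATION_HEADER = "Authorization";
    private static final String BEARER_SCHEME = "Bearer";
    private static final String JWKS_URI_PROPERTY = "jwks_uri";
    private static final String OPENID_METADATA_URL_TEMPLATE =
            "https://login.microsoftonline.com/%s/v2.0/.well-known/openid-configuration";
    private static final String ISSUER_TEMPLATE = "https://sts.windows.net/%s/";
    private static final TypeReference<Map<String, Object>> STRING_MAP =
            new TypeReference<Map<String, Object>>() {};
    // Jackson documents ObjectMapper as thread-safe once configured; one shared instance suffices.
    private static final ObjectMapper MAPPER = new ObjectMapper();

    private final String clientId;
    private final String tenantId;
    // Resolved on first use and reused for the lifetime of the filter; guarded by this monitor.
    private JWKSource<SecurityContext> jwkSource;

    /**
     * @param clientId application (client) id that the token's {@code aud} claim must name
     * @param tenantId Azure AD tenant id, used to locate the OpenID metadata and to build the
     *                 expected issuer
     * @throws NullPointerException if either argument is {@code null}
     */
    public AzureAuthFilter(String clientId, String tenantId) {
        this.clientId = Objects.requireNonNull(clientId, "clientId");
        this.tenantId = Objects.requireNonNull(tenantId, "tenantId");
    }

    /**
     * Rejects the request unless it carries a valid bearer token.
     *
     * @throws NotAuthorizedException       (401) when the header or token is missing or invalid
     * @throws InternalServerErrorException (500) when the tenant's metadata or keys cannot be obtained
     */
    @Override
    public void filter(ContainerRequestContext requestContext) throws IOException {
        // Parse the header before touching the network so that requests without a usable
        // token are rejected without any outbound call.
        String token = bearerToken(requestContext.getHeaderString(AUTHORIZATION_HEADER));
        TokenValidationResult result = validateToken(token, jwkSource());
        // failed() marks an infrastructure problem rather than a bad token; kept for the
        // result type's contract even though validateToken below reports keys problems by throwing.
        if (result.failed()) {
            throw internalServerError(result.getMessage());
        }
        if (!result.valid()) {
            throw unauthorized(result.getMessage());
        }
    }

    /**
     * Extracts the credentials from an {@code Authorization: Bearer <token>} header.
     *
     * @param header raw header value, or {@code null} when the header is absent
     * @return the token part of the header
     * @throws NotAuthorizedException if the header is missing, malformed, or uses another scheme
     */
    private static String bearerToken(String header) {
        if (header == null) {
            throw unauthorized("No \"Authorization\" header present.");
        }
        // RFC 7235 allows one or more spaces between the scheme and the credentials.
        String[] parts = header.trim().split("\\s+");
        if (parts.length != 2) {
            throw unauthorized("Malformed \"Authorization\" header.");
        }
        String scheme = parts[0];
        // Authentication scheme names are case-insensitive (RFC 7235 section 2.1).
        if (!BEARER_SCHEME.equalsIgnoreCase(scheme)) {
            throw unauthorized(String.format(
                    "Unexpected authentication scheme %s in the \"Authorization\" header; expected \"Bearer\".",
                    scheme));
        }
        return parts[1];
    }

    /**
     * Returns the shared JWK source, building it on first use.
     *
     * <p>The tenant's metadata is fetched under the monitor so that concurrent first requests
     * result in a single lookup rather than one per request. If the lookup fails nothing is
     * cached and the next request retries.
     *
     * @throws InternalServerErrorException if the metadata or the JWKS URL is unusable
     */
    private synchronized JWKSource<SecurityContext> jwkSource() {
        if (jwkSource == null) {
            String jwksUrl = fetchJwksUrl();
            try {
                jwkSource = new RemoteJWKSet<>(new URL(jwksUrl));
            } catch (MalformedURLException e) {
                throw internalServerError(String.format(
                        "JWKS URL \"%s\" retrieved from OpenID provider is malformed.", jwksUrl));
            }
        }
        return jwkSource;
    }

    /**
     * Reads the tenant's OpenID provider metadata and returns its {@code jwks_uri}.
     *
     * @throws InternalServerErrorException if the metadata cannot be fetched or parsed, or
     *                                      holds no string {@code jwks_uri}
     */
    private String fetchJwksUrl() {
        String metadataUrl = String.format(OPENID_METADATA_URL_TEMPLATE, tenantId);
        URL url;
        try {
            url = new URL(metadataUrl);
        } catch (MalformedURLException e) {
            throw internalServerError(String.format(
                    "OpenID provider metadata URL \"%s\" is malformed.", metadataUrl));
        }
        Map<String, Object> metadata;
        try {
            metadata = MAPPER.readValue(url, STRING_MAP);
        } catch (IOException e) {
            throw internalServerError(String.format(
                    "Failed to parse OpenID provider metadata from \"%s\".", url));
        }
        Object jwksUri = metadata.get(JWKS_URI_PROPERTY);
        // instanceof also rejects a present-but-non-string value instead of failing on a cast.
        if (!(jwksUri instanceof String)) {
            throw internalServerError(String.format(
                    "No jwks_uri property present in OpenID provider metadata retrieved from \"%s\".",
                    metadataUrl));
        }
        return (String) jwksUri;
    }

    /**
     * Verifies the token's signature against {@code keys} and its claims against this
     * filter's client and tenant.
     *
     * @param token compact serialized JWT
     * @param keys  source of the tenant's signing keys
     * @return a valid result carrying the claims, or an invalid result carrying the reason
     */
    private TokenValidationResult validateToken(String token, JWKSource<SecurityContext> keys) {
        DefaultJWTProcessor<SecurityContext> processor = new DefaultJWTProcessor<>();
        // Only RS256 signatures are accepted.
        processor.setJWSKeySelector(new JWSVerificationKeySelector<>(JWSAlgorithm.RS256, keys));
        processor.setJWTClaimsSetVerifier(new DefaultJWTClaimsVerifier<SecurityContext>() {
            @Override
            public void verify(JWTClaimsSet claims) throws BadJWTException {
                // Library checks first; the checks below are additive.
                super.verify(claims);
                if (claims.getExpirationTime() == null) {
                    throw new BadJWTException("Missing required token expiration claim.");
                }
                // The audience binds the token to this application. Without this check any
                // token issued by the tenant for any other application would be accepted.
                // Azure issues the audience either as the client id or as the app's App ID
                // URI, whose default form is api://<client id>.
                List<String> audience = claims.getAudience();
                boolean forThisApp = audience != null
                        && (audience.contains(clientId) || audience.contains("api://" + clientId));
                if (!forThisApp) {
                    throw new BadJWTException(String.format(
                            "Expected audience %s to contain \"%s\".", audience, clientId));
                }
                String expectedIssuer = String.format(ISSUER_TEMPLATE, tenantId);
                if (!expectedIssuer.equals(claims.getIssuer())) {
                    throw new BadJWTException(String.format(
                            "Expected issuer \"%s\" to be \"%s\".", claims.getIssuer(), expectedIssuer));
                }
            }
        });
        try {
            return TokenValidationResult.valid(processor.process(token, (SecurityContext) null).getClaims());
        } catch (ParseException | JOSEException | BadJOSEException e) {
            return TokenValidationResult.invalid(e.getMessage());
        }
    }

    /** @return a 500 carrying {@code reason} as its message */
    private static InternalServerErrorException internalServerError(String reason) {
        return new InternalServerErrorException(reason);
    }

    /**
     * @return a 401 whose message is {@code reason} and whose {@code WWW-Authenticate} header
     *         carries a {@code Bearer} challenge. The (message, challenge) overload is chosen
     *         deliberately: with the single-argument form the reason text itself would be sent
     *         as the challenge.
     */
    private static NotAuthorizedException unauthorized(String reason) {
        return new NotAuthorizedException(reason, BEARER_SCHEME);
    }
}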
