package org.camelbee.security.routes.routes;

import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import lombok.Generated;
import org.apache.camel.builder.RouteBuilder;
import org.camelbee.security.routes.exception.InvalidRequestException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.stereotype.Component;

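@ConditionalOnProperty(value = {"camelbee.security.enabled"}, havingValue = "true")
@Component
/* loaded from: input_file:org/camelbee/security/routes/routes/JwtValidationRoute.class */
public class JwtValidationRoute extends RouteBuilder {

    /** Scheme prefix that must precede the token in the {@code Authorization} header. */
    private static final String BEARER_PREFIX = "Bearer ";

    @Generated
    private static final Logger log = LoggerFactory.getLogger(JwtValidationRoute.class);

    /** Expected {@code iss} claim; a token from any other issuer is rejected. */
    @Value("${camelbee.security.issuer:test-issuer}")
    String jwkIssuer;

    /** Expected {@code aud} claim; the token's audience list must contain this value. */
    @Value("${camelbee.security.audience:test-audience}")
    String jwkAudience;

    /**
     * Defines the {@code direct:validateJWT} route.
     *
     * <p>The route first calls {@code direct:fetchJWKS}, which is expected to leave the key set
     * in the {@code jwkSet} exchange property, then validates the bearer token from the
     * {@code Authorization} header: RS256 signature against that key set, issuer, and audience.
     * On success it sets the {@code jwt.sub}, {@code jwt.scope} and {@code jwt.validated} headers
     * and a body of {@code true}. Because the route uses {@code noErrorHandler()}, every failure
     * propagates to the caller as an exception.
     *
     * <p>NOTE(review): expiry ({@code exp}/{@code nbf}) enforcement is left to
     * {@link DefaultJWTProcessor}'s default claims verifier — confirm this holds for the Nimbus
     * version in use; no explicit time check is made here.
     *
     * @throws Exception if the route definition cannot be built
     */
    public void configure() throws Exception {
        from("direct:validateJWT").id("jwt-validation")
                .errorHandler(noErrorHandler())
                .to("direct:fetchJWKS").id("fetchJWKSEndpoint")
                .process(exchange -> {
                    String token = extractBearerToken(exchange.getIn().getHeader("Authorization", String.class));

                    JWKSet jwkSet = exchange.getProperty("jwkSet", JWKSet.class);
                    if (jwkSet == null) {
                        throw new InvalidRequestException("ERROR-AUTH002", "JWKS not available");
                    }

                    // Signature is verified before any claim is trusted; only RS256 keys from the
                    // fetched JWKS are acceptable, so an unsigned or differently-signed token is rejected.
                    DefaultJWTProcessor<SecurityContext> processor = new DefaultJWTProcessor<>();
                    processor.setJWSKeySelector(
                            new JWSVerificationKeySelector<>(JWSAlgorithm.RS256, new ImmutableJWKSet<>(jwkSet)));
                    JWTClaimsSet claims = processor.process(token, (SecurityContext) null);

                    if (!this.jwkIssuer.equals(claims.getIssuer())) {
                        throw new InvalidRequestException("ERROR-AUTH003", "Invalid token issuer");
                    }
                    // 'aud' may hold several values or be absent; contains() covers both, whereas
                    // get(0) would throw IndexOutOfBoundsException on a token without an audience.
                    if (!claims.getAudience().contains(this.jwkAudience)) {
                        throw new InvalidRequestException("ERROR-AUTH004", "Invalid token audience");
                    }

                    exchange.getIn().setHeader("jwt.sub", claims.getSubject());
                    exchange.getIn().setHeader("jwt.scope", claims.getStringClaim("scope"));
                    exchange.getIn().setHeader("jwt.validated", true);
                    exchange.getIn().setBody(true);
                });
    }

    /**
     * Extracts the raw token from an {@code Authorization: Bearer <token>} header value.
     *
     * <p>The scheme is matched case-insensitively, as HTTP authentication schemes are; the token
     * itself is returned unchanged apart from surrounding whitespace.
     *
     * @param header the raw {@code Authorization} header value, may be {@code null}
     * @return the token following the {@code Bearer} scheme
     * @throws InvalidRequestException if the header is absent, uses another scheme, or carries no token
     */
    private static String extractBearerToken(String header) {
        if (header == null || !header.regionMatches(true, 0, BEARER_PREFIX, 0, BEARER_PREFIX.length())) {
            throw new InvalidRequestException("ERROR-AUTH001", "Authorization header is missing");
        }
        String token = header.substring(BEARER_PREFIX.length()).trim();
        if (token.isEmpty()) {
            throw new InvalidRequestException("ERROR-AUTH001", "Authorization header is missing");
        }
        return token;
    }

    @Generated
    public JwtValidationRoute() {
    }
}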
