package io.onfhir.authz;

import akka.dispatch.MessageDispatcher;
import com.nimbusds.oauth2.sdk.ErrorObject;
import com.nimbusds.oauth2.sdk.TokenIntrospectionErrorResponse;
import com.nimbusds.oauth2.sdk.TokenIntrospectionRequest;
import com.nimbusds.oauth2.sdk.TokenIntrospectionResponse;
import com.nimbusds.oauth2.sdk.TokenIntrospectionSuccessResponse;
import com.nimbusds.oauth2.sdk.auth.ClientAuthentication;
import com.nimbusds.oauth2.sdk.auth.ClientAuthenticationMethod;
import com.nimbusds.oauth2.sdk.auth.ClientSecretBasic;
import com.nimbusds.oauth2.sdk.auth.PrivateKeyJWT;
import com.nimbusds.oauth2.sdk.token.BearerAccessToken;
import io.onfhir.Onfhir$;
import io.onfhir.config.AuthzConfig;
import io.onfhir.exception.InternalServerException;
import io.onfhir.exception.InternalServerException$;
import java.net.URI;
import java.security.Provider;
import java.util.Date;
import net.minidev.json.JSONObject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import scala.MatchError;
import scala.None$;
import scala.Option;
import scala.Option$;
import scala.Predef$;
import scala.Predef$ArrowAssoc$;
import scala.Some;
import scala.collection.JavaConverters$;
import scala.collection.Seq;
import scala.collection.Seq$;
import scala.collection.TraversableOnce;
import scala.collection.immutable.List;
import scala.collection.immutable.List$;
import scala.collection.immutable.Nil$;
import scala.concurrent.Future;
import scala.concurrent.Future$;
import scala.reflect.ScalaSignature;
import scala.runtime.BoxesRunTime;
import scala.util.Try$;

/* compiled from: ResolverWithTokenIntrospection.scala */
@ScalaSignature(bytes = "\u0006\u0001\u0005\u0005a\u0001B\u0001\u0003\u0001%\u0011aDU3t_24XM],ji\"$vn[3o\u0013:$(o\\:qK\u000e$\u0018n\u001c8\u000b\u0005\r!\u0011!B1vi\"T(BA\u0003\u0007\u0003\u0019ygN\u001a5je*\tq!\u0001\u0002j_\u000e\u00011c\u0001\u0001\u000b!A\u00111BD\u0007\u0002\u0019)\tQ\"A\u0003tG\u0006d\u0017-\u0003\u0002\u0010\u0019\t1\u0011I\\=SK\u001a\u0004\"!\u0005\n\u000e\u0003\tI!a\u0005\u0002\u0003\u001d%#vn[3o%\u0016\u001cx\u000e\u001c<fe\"AQ\u0003\u0001B\u0001B\u0003%a#A\u0006bkRD'pQ8oM&<\u0007CA\f\u001b\u001b\u0005A\"BA\r\u0005\u0003\u0019\u0019wN\u001c4jO&\u00111\u0004\u0007\u0002\f\u0003V$\bN_\"p]\u001aLw\rC\u0003\u001e\u0001\u0011\u0005a$\u0001\u0004=S:LGO\u0010\u000b\u0003?\u0001\u0002\"!\u0005\u0001\t\u000bUa\u0002\u0019\u0001\f\t\u000f\t\u0002!\u0019!C\u0002G\u0005\u0001R\r_3dkRLwN\\\"p]R,\u0007\u0010^\u000b\u0002IA\u0011QEK\u0007\u0002M)\u0011q\u0005K\u0001\tI&\u001c\b/\u0019;dQ*\t\u0011&\u0001\u0003bW.\f\u0017BA\u0016'\u0005EiUm]:bO\u0016$\u0015n\u001d9bi\u000eDWM\u001d\u0005\u0007[\u0001\u0001\u000b\u0011\u0002\u0013\u0002#\u0015DXmY;uS>t7i\u001c8uKb$\b\u0005C\u00040\u0001\t\u0007I\u0011\u0003\u0019\u0002\r1|wmZ3s+\u0005\t\u0004C\u0001\u001a8\u001b\u0005\u0019$B\u0001\u001b6\u0003\u0015\u0019HN\u001a\u001bk\u0015\u00051\u0014aA8sO&\u0011\u0001h\r\u0002\u0007\u0019><w-\u001a:\t\ri\u0002\u0001\u0015!\u00032\u0003\u001dawnZ4fe\u0002BQ\u0001\u0010\u0001\u0005\nu\n1\u0004\u001d:fa\u0006\u0014Xm\u00117jK:$\u0018)\u001e;iK:$\u0018nY1uS>tG#\u0001 
\u0011\u0007-y\u0014)\u0003\u0002A\u0019\t1q\n\u001d;j_:\u0004\"AQ'\u000e\u0003\rS!\u0001R#\u0002\t\u0005,H\u000f\u001b\u0006\u0003\r\u001e\u000b1a\u001d3l\u0015\tA\u0015*\u0001\u0004pCV$\bN\r\u0006\u0003\u0015.\u000b\u0001B\\5nEV\u001cHm\u001d\u0006\u0002\u0019\u0006\u00191m\\7\n\u00059\u001b%\u0001F\"mS\u0016tG/Q;uQ\u0016tG/[2bi&|g\u000eC\u0003Q\u0001\u0011\u0005\u0013+\u0001\u0007sKN|GN^3U_.,g\u000eF\u0002S7\"\u00042a\u0015,Y\u001b\u0005!&BA+\r\u0003)\u0019wN\\2veJ,g\u000e^\u0005\u0003/R\u0013aAR;ukJ,\u0007CA\tZ\u0013\tQ&A\u0001\u0007BkRD'pQ8oi\u0016DH\u000fC\u0003]\u001f\u0002\u0007Q,A\u0006bG\u000e,7o\u001d+pW\u0016t\u0007C\u00010f\u001d\ty6\r\u0005\u0002a\u00195\t\u0011M\u0003\u0002c\u0011\u00051AH]8pizJ!\u0001\u001a\u0007\u0002\rA\u0013X\rZ3g\u0013\t1wM\u0001\u0004TiJLgn\u001a\u0006\u0003I2Aq![(\u0011\u0002\u0003\u0007!.A\u0007gkJ$\b.\u001a:QCJ\fWn\u001d\t\u0004WBlfB\u00017o\u001d\t\u0001W.C\u0001\u000e\u0013\tyG\"A\u0004qC\u000e\\\u0017mZ3\n\u0005E\u0014(\u0001\u0002'jgRT!a\u001c\u0007\t\u000fQ\u0004\u0011\u0013!C!k\u00061\"/Z:pYZ,Gk\\6f]\u0012\"WMZ1vYR$#'F\u0001wU\tQwoK\u0001y!\tIh0D\u0001{\u0015\tYH0A\u0005v]\u000eDWmY6fI*\u0011Q\u0010D\u0001\u000bC:tw\u000e^1uS>t\u0017BA@{\u0005E)hn\u00195fG.,GMV1sS\u0006t7-\u001a")
/* loaded from: input_file:io/onfhir/authz/ResolverWithTokenIntrospection.class */
/**
 * Token resolver that validates a bearer access token by sending it to the authorization
 * server's token introspection endpoint and mapping the response to an {@link AuthzContext}.
 *
 * <p>This is decompiler output of a Scala class, so the control flow below mirrors compiled
 * pattern matches ({@code MatchError} on unmatched cases) and {@code Try(...).getOrElse(...)}
 * expressions rather than hand-written Java.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>Any failure while sending or parsing the introspection request is turned into an
 *       error response and ends in an {@code InternalServerException}; no authorized context
 *       is produced on that path (fail closed).</li>
 *   <li>A token is accepted only if {@code isActive()} yields true; the not-before and
 *       expiration checks default to "passes" when the value cannot be read.</li>
 *   <li>The audience is copied into the context but is not compared against this resource
 *       server's identifier here.</li>
 *   <li>The full introspection response is written to the debug log.</li>
 * </ul>
 */
public class ResolverWithTokenIntrospection implements ITokenResolver {
    // Authorization configuration: source of the introspection endpoint, this server's
    // client id/secret, its JWK set and the id of the current signing key.
    private final AuthzConfig authzConfig;
    // Dispatcher looked up under "akka.actor.onfhir-blocking-dispatcher"; resolveToken runs its
    // whole body (including the HTTP call to the authorization server) on it.
    private final MessageDispatcher executionContext = Onfhir$.MODULE$.actorSystem().dispatchers().lookup("akka.actor.onfhir-blocking-dispatcher");
    private final Logger logger = LoggerFactory.getLogger(getClass());

    /** Returns the dispatcher on which {@link #resolveToken} schedules its work. */
    public MessageDispatcher executionContext() {
        return this.executionContext;
    }

    /** Returns the SLF4J logger of this class. */
    public Logger logger() {
        return this.logger;
    }

    /**
     * Builds the client authentication that this server presents to the introspection endpoint,
     * chosen by the configured token endpoint authentication method.
     *
     * @return {@code Some(ClientSecretBasic)} for CLIENT_SECRET_BASIC, {@code Some(PrivateKeyJWT)}
     *     for PRIVATE_KEY_JWT, {@code None} for NONE
     * @throws MatchError if the configured method is none of the three above
     */
    private Option<ClientAuthentication> prepareClientAuthentication() {
        Some some;
        ClientAuthenticationMethod tokenEndpointAuthMethod = this.authzConfig.protectedResourceInformation().getMetadata().getTokenEndpointAuthMethod();
        // The nested null-safe equals() comparisons below are the compiled form of a Scala
        // match over the three supported methods.
        ClientAuthenticationMethod clientAuthenticationMethod = ClientAuthenticationMethod.CLIENT_SECRET_BASIC;
        if (clientAuthenticationMethod != null ? !clientAuthenticationMethod.equals(tokenEndpointAuthMethod) : tokenEndpointAuthMethod != null) {
            ClientAuthenticationMethod clientAuthenticationMethod2 = ClientAuthenticationMethod.PRIVATE_KEY_JWT;
            if (clientAuthenticationMethod2 != null ? !clientAuthenticationMethod2.equals(tokenEndpointAuthMethod) : tokenEndpointAuthMethod != null) {
                ClientAuthenticationMethod clientAuthenticationMethod3 = ClientAuthenticationMethod.NONE;
                if (clientAuthenticationMethod3 != null ? !clientAuthenticationMethod3.equals(tokenEndpointAuthMethod) : tokenEndpointAuthMethod != null) {
                    // Any other method (including a null/unset one) is rejected rather than
                    // silently downgraded to an unauthenticated request.
                    throw new MatchError(tokenEndpointAuthMethod);
                }
                // NONE: the introspection request will carry no client authentication.
                // NOTE(review): RFC 7662 section 2.1 expects the introspection endpoint to
                // require some form of caller authorization - confirm the authorization server
                // setup when this method is configured.
                some = None$.MODULE$;
            } else {
                // PRIVATE_KEY_JWT: the assertion is signed with the private key selected by the
                // current signer key id, converted via toRSAPrivateKey(), so only an RSA key is
                // usable here. The introspection endpoint is passed as the JWT's target.
                // NOTE(review): getKeyByKeyId(...) presumably returns null for an unknown key id
                // and introspection_endpoint().get() presumably throws when no endpoint is
                // configured - both would surface as an exception from this method; verify
                // that configuration is validated at startup.
                some = new Some(new PrivateKeyJWT(this.authzConfig.protectedResourceInformation().getID(), (URI) this.authzConfig.authzServerMetadata().introspection_endpoint().get(), this.authzConfig.protectedResourceInformation().getMetadata().getTokenEndpointAuthJWSAlg(), this.authzConfig.protectedResourceJWKSet().getKeyByKeyId(this.authzConfig.protectedResourceCurrentSignerKeyId()).toRSAPrivateKey(), this.authzConfig.protectedResourceCurrentSignerKeyId(), (Provider) null));
            }
        } else {
            // CLIENT_SECRET_BASIC: client id and secret are sent with the request, so the
            // introspection endpoint should be reached over TLS only.
            some = new Some(new ClientSecretBasic(this.authzConfig.protectedResourceInformation().getID(), this.authzConfig.protectedResourceInformation().getSecret()));
        }
        return some;
    }

    /**
     * Introspects the given access token at the authorization server and builds the resulting
     * authorization context.
     *
     * @param str the access token; it is wrapped in a {@code BearerAccessToken} and sent to the
     *     introspection endpoint
     * @param list names of additional fields to copy from the introspection response JSON into
     *     the context
     * @return a future completing with an {@code AuthzContext} constructed with {@code true} as
     *     first argument when the token is accepted, or with {@code false} and a reason message
     *     otherwise; the future fails with {@code InternalServerException} when the
     *     introspection call yields an error response
     */
    public Future<AuthzContext> resolveToken(String str, List<String> list) {
        return Future$.MODULE$.apply(() -> {
            TokenIntrospectionRequest tokenIntrospectionRequest;
            AuthzContext authzContext;
            Some prepareClientAuthentication = this.prepareClientAuthentication();
            if (None$.MODULE$.equals(prepareClientAuthentication)) {
                // No client authentication configured: the request carries only the token.
                tokenIntrospectionRequest = new TokenIntrospectionRequest((URI) this.authzConfig.authzServerMetadata().introspection_endpoint().get(), new BearerAccessToken(str));
            } else {
                if (!(prepareClientAuthentication instanceof Some)) {
                    throw new MatchError(prepareClientAuthentication);
                }
                tokenIntrospectionRequest = new TokenIntrospectionRequest((URI) this.authzConfig.authzServerMetadata().introspection_endpoint().get(), (ClientAuthentication) prepareClientAuthentication.value(), new BearerAccessToken(str));
            }
            TokenIntrospectionRequest tokenIntrospectionRequest2 = tokenIntrospectionRequest;
            // Send the request and parse the reply. A failure in either step (connection, TLS,
            // malformed body, ...) is replaced by a synthetic "500" error response; the original
            // exception is discarded and never logged, so the log line below cannot tell a
            // network fault from a rejected client authentication.
            TokenIntrospectionSuccessResponse tokenIntrospectionSuccessResponse = (TokenIntrospectionResponse) Try$.MODULE$.apply(() -> {
                return TokenIntrospectionResponse.parse(tokenIntrospectionRequest2.toHTTPRequest().send());
            }).getOrElse(() -> {
                return new TokenIntrospectionErrorResponse(new ErrorObject("500", "Invalid token introspection response!"));
            });
            if (!(tokenIntrospectionSuccessResponse instanceof TokenIntrospectionSuccessResponse)) {
                if (!(tokenIntrospectionSuccessResponse instanceof TokenIntrospectionErrorResponse)) {
                    throw new MatchError(tokenIntrospectionSuccessResponse);
                }
                // Error path: log the error code/description and fail the request. Only a
                // generic message is put into the exception; the error detail stays in the log.
                TokenIntrospectionErrorResponse tokenIntrospectionErrorResponse = (TokenIntrospectionErrorResponse) tokenIntrospectionSuccessResponse;
                this.logger().error(new StringBuilder(55).append("Error during authentication for token introspection; ").append(tokenIntrospectionErrorResponse.getErrorObject().getCode()).append(": ").append(tokenIntrospectionErrorResponse.getErrorObject().getDescription()).toString());
                throw new InternalServerException("Problem accessing to Authorization server for authorization, please try again later :)", InternalServerException$.MODULE$.$lessinit$greater$default$2());
            }
            TokenIntrospectionSuccessResponse tokenIntrospectionSuccessResponse2 = tokenIntrospectionSuccessResponse;
            // Acceptance test, three conjuncts:
            //  1. isActive() - defaults to false if reading it fails (fail closed).
            //  2. not-before time earlier than now - defaults to true if it cannot be read,
            //     e.g. presumably when the response has no such value and the getter returns null.
            //  3. expiration time later than now - likewise defaults to true if unreadable.
            // Consequence: a response with active=true and no expiration is accepted, i.e. the
            // decision then rests entirely on the authorization server's "active" flag. The
            // comparisons use the local clock with no skew allowance.
            if (BoxesRunTime.unboxToBoolean(Try$.MODULE$.apply(() -> {
                return tokenIntrospectionSuccessResponse2.isActive();
            }).getOrElse(() -> {
                return false;
            })) && BoxesRunTime.unboxToBoolean(Try$.MODULE$.apply(() -> {
                return tokenIntrospectionSuccessResponse2.getNotBeforeTime().getTime() < new Date().getTime();
            }).getOrElse(() -> {
                return true;
            })) && BoxesRunTime.unboxToBoolean(Try$.MODULE$.apply(() -> {
                return tokenIntrospectionSuccessResponse2.getExpirationTime().getTime() > new Date().getTime();
            }).getOrElse(() -> {
                return true;
            }))) {
                JSONObject jSONObject = tokenIntrospectionSuccessResponse2.toJSONObject();
                // The complete introspection response is logged at debug level. It is the same
                // object from which subject, username, client id and scopes are read below, so
                // logs produced with debug enabled should be handled as sensitive data.
                this.logger().debug(new StringBuilder(28).append("TokenIntrospection response:").append(jSONObject.toString()).toString());
                // Positional arguments passed to AuthzContext, in order: true, client id
                // (optional), scope values, expiration time (optional), audience values,
                // subject (optional), map of the requested further fields, username (optional),
                // and the default for the ninth parameter. Each Try(...).toOption() turns a
                // missing or unreadable value into None / an empty sequence instead of failing.
                // NOTE(review): the audience is only passed along; nothing in this method checks
                // that the token was issued for this resource server - confirm that the consumer
                // of AuthzContext performs that check.
                // For the further-fields map, jSONObject.get(name) is used directly, so a field
                // that is not in the response is presumably stored with a null value - verify
                // how readers of the map handle that.
                authzContext = new AuthzContext(true, Try$.MODULE$.apply(() -> {
                    return tokenIntrospectionSuccessResponse2.getClientID().getValue();
                }).toOption(), (Seq) Try$.MODULE$.apply(() -> {
                    return (Seq) ((TraversableOnce) JavaConverters$.MODULE$.asScalaIteratorConverter(tokenIntrospectionSuccessResponse2.getScope().iterator()).asScala()).toSeq().map(value -> {
                        return value.getValue();
                    }, Seq$.MODULE$.canBuildFrom());
                }).toOption().getOrElse(() -> {
                    return Nil$.MODULE$;
                }), Option$.MODULE$.apply(tokenIntrospectionSuccessResponse2.getExpirationTime()), (Seq) Try$.MODULE$.apply(() -> {
                    return (List) ((TraversableOnce) JavaConverters$.MODULE$.asScalaBufferConverter(tokenIntrospectionSuccessResponse2.getAudience()).asScala()).toList().map(audience -> {
                        return audience.getValue();
                    }, List$.MODULE$.canBuildFrom());
                }).toOption().getOrElse(() -> {
                    return Nil$.MODULE$;
                }), Try$.MODULE$.apply(() -> {
                    return tokenIntrospectionSuccessResponse2.getSubject().getValue();
                }).toOption(), ((TraversableOnce) list.map(str2 -> {
                    return Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc(str2), jSONObject.get(str2));
                }, List$.MODULE$.canBuildFrom())).toMap(Predef$.MODULE$.$conforms()), Option$.MODULE$.apply(tokenIntrospectionSuccessResponse2.getUsername()), AuthzContext$.MODULE$.apply$default$9());
            } else {
                // Rejected token: context built with false, defaults for arguments 2-8 and a
                // reason message; the three failure causes are not distinguished.
                authzContext = new AuthzContext(false, AuthzContext$.MODULE$.apply$default$2(), AuthzContext$.MODULE$.apply$default$3(), AuthzContext$.MODULE$.apply$default$4(), AuthzContext$.MODULE$.apply$default$5(), AuthzContext$.MODULE$.apply$default$6(), AuthzContext$.MODULE$.apply$default$7(), AuthzContext$.MODULE$.apply$default$8(), new Some("Token is not valid, expired or used before nbt!"));
            }
            return authzContext;
        }, executionContext());
    }

    /** Compiler-generated default for the second parameter of {@link #resolveToken}: an empty list. */
    public List<String> resolveToken$default$2() {
        return Nil$.MODULE$;
    }

    /**
     * Creates a resolver bound to the given authorization configuration.
     *
     * @param authzConfig configuration read on every call for the introspection endpoint and
     *     the client credentials; stored as given, without a null check
     */
    public ResolverWithTokenIntrospection(AuthzConfig authzConfig) {
        this.authzConfig = authzConfig;
    }
}
