package com.appiancorp.oauth.inbound.token;

import com.appiancorp.access.ServiceAccountMembershipCheck;
import com.appiancorp.exceptions.InboundAuthenticationException;
import com.appiancorp.oauth.inbound.authserver.exceptions.OAuthInvalidServiceAccountException;
import com.appiancorp.oauth.inbound.crypto.OAuthTokenRepository;
import com.appiancorp.oauth.inbound.exceptions.OAuthRuntimeException;
import com.appiancorp.oauth.inbound.persistence.OAuthConfigDaoService;
import com.appiancorp.oauth.inbound.resourceserver.exceptions.AccessTokenAuthenticationException;
import com.appiancorp.security.auth.InboundAuthUserService;
import com.appiancorp.security.auth.ServiceAccountStatus;
import com.google.common.base.Strings;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.KeyUse;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.oauth2.sdk.id.Issuer;
import com.nimbusds.oauth2.sdk.jarm.JARMValidator;
import java.util.Collections;
import java.util.List;
import javax.transaction.Transactional;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/appiancorp/oauth/inbound/token/InternalAuthzOAuthTokenData.class */
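/**
 * Token data for an access token issued by this server's own (internal) authorization
 * server: a signed JWT whose signature is checked against the key held by
 * {@link OAuthTokenRepository}, whose first {@code aud} entry is the OAuth client id and
 * whose {@code sub} is the numeric id of a service account.
 *
 * <p>{@code signedJWT} and {@code jwtClaimsSet} are inherited from
 * {@link SignedJWTOAuthTokenData}; the superclass is presumed to parse them from the raw
 * token string passed to the constructor (not visible here — confirm). Both
 * {@link #getClientId()} and {@link #resolveUsername()} read claims from that parsed
 * token, so they reflect whatever the caller sent until {@link #verify()} has returned
 * {@code true}. Callers must verify first and trust the claims only afterwards.
 */
public class InternalAuthzOAuthTokenData extends SignedJWTOAuthTokenData {
    private static final Logger LOG = LoggerFactory.getLogger(InternalAuthzOAuthTokenData.class);
    private final OAuthTokenRepository oAuthTokenRepository;
    private final InboundAuthUserService userService;
    private final OAuthConfigDaoService oAuthConfigDaoService;
    private final ServiceAccountMembershipCheck serviceAccountMembershipCheck;

    /**
     * @param str the raw (compact-serialised) JWT access token, handed to the superclass
     * @param oAuthTokenRepository source of the public key the token signature is checked against
     * @param inboundAuthUserService resolves a user id from the {@code sub} claim to a username
     * @param oAuthConfigDaoService looks up the active client configuration for the {@code aud} claim
     * @param serviceAccountMembershipCheck reports whether the resolved user is a valid service account
     */
    public InternalAuthzOAuthTokenData(String str, OAuthTokenRepository oAuthTokenRepository, InboundAuthUserService inboundAuthUserService, OAuthConfigDaoService oAuthConfigDaoService, ServiceAccountMembershipCheck serviceAccountMembershipCheck) {
        super(str);
        this.oAuthTokenRepository = oAuthTokenRepository;
        this.userService = inboundAuthUserService;
        this.oAuthConfigDaoService = oAuthConfigDaoService;
        this.serviceAccountMembershipCheck = serviceAccountMembershipCheck;
    }

    /**
     * Verifies the token: the signature against the repository's RSA public key, the issuer
     * against {@code getIssuer()} (inherited), the audience against the client id, and then
     * that an active client configuration exists for that client id.
     *
     * <p>Security notes for maintainers:
     * <ul>
     *   <li>The client id is taken from the token's own {@code aud} claim, so the audience
     *       check performed by the validator is self-referential; what actually binds the
     *       token to this server is the signature check against the repository key plus the
     *       active-config lookup for that client id.</li>
     *   <li>The expected JWS algorithm is taken from the token header rather than pinned.
     *       The only key offered to the validator is an RSA key marked for signature use, so
     *       the validator is expected to reject a header naming a non-RSA algorithm
     *       (NOTE(review): library behaviour, confirm) — but pinning the algorithm the
     *       repository actually signs with would remove the reliance on key matching.</li>
     *   <li>The signature is validated before the persistence lookup so the database is only
     *       queried with a client id from a token this server signed.</li>
     * </ul>
     *
     * @return {@code true} if every check passed; {@code false} otherwise (the failure is
     *         logged, never thrown — any exception from the checks is converted to
     *         {@code false})
     */
    @Transactional
    public boolean verify() {
        String clientId;
        try {
            clientId = getClientId();
        } catch (Exception e) {
            // Fixed format string: the exception message itself must not be used as an SLF4J pattern.
            LOG.error("Failed to read the client id from the access token: {}", e.getMessage(), e);
            return false;
        }
        try {
            RSAKey signingKey = new RSAKey.Builder(this.oAuthTokenRepository.getPublicKey())
                    .keyUse(KeyUse.SIGNATURE)
                    .build();
            JARMValidator validator = new JARMValidator(
                    new Issuer(getIssuer()),
                    new ClientID(clientId),
                    this.signedJWT.getHeader().getAlgorithm(),
                    new JWKSet(Collections.singletonList(signingKey)));
            validator.validate(this.signedJWT);
            // Only now is clientId known to come from a token we signed. The returned config is
            // unused; the lookup is presumed to throw when no active config exists — confirm.
            this.oAuthConfigDaoService.getActiveConfigByClientId(clientId);
            return true;
        } catch (Exception e) {
            LOG.error("Failed to verify the access token for client id: {}", clientId, e);
            return false;
        }
    }

    /**
     * Resolves the {@code sub} claim (a numeric user id) to a username and confirms that the
     * user is a valid service account. Reads the claim set without checking the signature, so
     * it must only be called after {@link #verify()} succeeded.
     *
     * @return the username of the service account the token was issued to
     * @throws OAuthRuntimeException if {@code sub} is absent, empty or not a number
     * @throws AccessTokenAuthenticationException if the user cannot be resolved or is not a
     *         {@link ServiceAccountStatus#VALID} service account
     */
    public String resolveUsername() {
        String subject = this.jwtClaimsSet.getSubject();
        if (Strings.isNullOrEmpty(subject)) {
            throw new OAuthRuntimeException("Service account is not set in the JWT access token.");
        }
        long userId;
        try {
            userId = Long.parseLong(subject);
        } catch (NumberFormatException e) {
            // Previously escaped as a bare NumberFormatException; a malformed claim is a
            // token defect and is reported the same way as a missing subject.
            throw new OAuthRuntimeException("Service account id in the JWT access token is not numeric.");
        }
        try {
            String username = this.userService.getUsernameFromId(userId);
            ServiceAccountStatus status = this.serviceAccountMembershipCheck.getServiceAccountStatus(username);
            if (status == ServiceAccountStatus.VALID) {
                return username;
            }
            LOG.error("Invalid service account  {} found in access token. Status: {}", username, status);
            throw new AccessTokenAuthenticationException(new OAuthInvalidServiceAccountException());
        } catch (InboundAuthenticationException e) {
            LOG.debug("Unable to retrieve username from user id {}.", subject, e);
            throw new AccessTokenAuthenticationException(e);
        }
    }

    /**
     * Returns the OAuth client id, taken as the first entry of the token's {@code aud} claim.
     * Any further audience entries are ignored. Like {@link #resolveUsername()}, this reads
     * the unverified claim set.
     *
     * @return the first audience value
     * @throws OAuthRuntimeException if the token carries no (non-empty) audience
     */
    public String getClientId() {
        List<String> audience = this.jwtClaimsSet.getAudience();
        if (audience == null || audience.isEmpty() || Strings.isNullOrEmpty(audience.get(0))) {
            throw new OAuthRuntimeException("Client id is not set in the JWT access token.");
        }
        return audience.get(0);
    }
}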
