package com.appiancorp.oauth.inbound.token;

import com.appiancorp.access.ServiceAccountMembershipCheck;
import com.appiancorp.exceptions.InboundAuthenticationException;
import com.appiancorp.oauth.inbound.DocumentRetrievalService;
import com.appiancorp.oauth.inbound.authserver.exceptions.OAuthInvalidServiceAccountException;
import com.appiancorp.oauth.inbound.monitor.ThirdPartyOAuthInboundPerformanceMetricsLogger;
import com.appiancorp.oauth.inbound.persistence.ThirdPartyOAuthConfigDaoService;
import com.appiancorp.oauth.inbound.persistence.ThirdPartyOAuthConfigEntity;
import com.appiancorp.oauth.inbound.resourceserver.exceptions.AccessTokenAuthenticationException;
import com.appiancorp.security.auth.InboundAuthUserService;
import com.appiancorp.security.auth.ServiceAccountStatus;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.jwk.source.RemoteJWKSet;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import java.io.File;
import java.net.URL;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Objects;
import java.util.Optional;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/appiancorp/oauth/inbound/token/ThirdPartyAuthzOAuthTokenData.class */
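/**
 * Access-token data for a JWT issued by a third-party authorization server.
 *
 * <p>The token is matched to an active {@link ThirdPartyOAuthConfigEntity} by issuer and
 * client id (see {@link #getConfig()}), then its signature is checked against that config's
 * JWK Set (uploaded document or remote URI) and its {@code iss}/{@code aud}/{@code exp} claims
 * are verified (see {@link #verify()}). {@link #resolveUsername()} maps the config's service
 * account id to a username and rejects anything but a {@link ServiceAccountStatus#VALID} account.
 *
 * <p>The matched config and the JWK source type are cached in unsynchronized mutable fields, so
 * an instance is not safe for concurrent use.
 */
public class ThirdPartyAuthzOAuthTokenData extends SignedJWTOAuthTokenData {
    private static final Logger LOG = LoggerFactory.getLogger(ThirdPartyAuthzOAuthTokenData.class);
    /** Connect timeout, in milliseconds, for fetching a remote JWK Set. */
    public static final int TPO_HTTP_CONNECT_TIMEOUT = 5000;
    /** Read timeout, in milliseconds, for fetching a remote JWK Set. */
    public static final int TPO_HTTP_READ_TIMEOUT = 5000;
    /** Upper bound, in bytes, on a fetched remote JWK Set document. */
    private static final int TPO_HTTP_SIZE_LIMIT = 51200;
    /** Config value meaning the JWK Set was uploaded as a document. */
    private static final String JWK_SOURCE_UPLOAD = "upload";
    /** Config value meaning the JWK Set is fetched from a URI. */
    private static final String JWK_SOURCE_URI = "uri";

    private final ThirdPartyOAuthConfigDaoService thirdPartyOAuthConfigDaoService;
    private final DocumentRetrievalService documentRetrievalService;
    private final InboundAuthUserService userService;
    private final ServiceAccountMembershipCheck serviceAccountMembershipCheck;
    // Lazily resolved by getConfig(); null until a matching active config has been found.
    private ThirdPartyOAuthConfigEntity thirdPartyOAuthConfigEntity;
    // "upload" or "uri" once getJWKSource() has run; only used for metrics labelling.
    private String jwkSourceType;

    /**
     * @param str the raw token string, parsed by the superclass
     * @param thirdPartyOAuthConfigDaoService lookup of active third-party OAuth configs by issuer
     * @param documentRetrievalService resolves an uploaded JWK Set document id to a file
     * @param inboundAuthUserService maps a service account id to a username
     * @param serviceAccountMembershipCheck reports the status of a service account
     */
    public ThirdPartyAuthzOAuthTokenData(String str, ThirdPartyOAuthConfigDaoService thirdPartyOAuthConfigDaoService, DocumentRetrievalService documentRetrievalService, InboundAuthUserService inboundAuthUserService, ServiceAccountMembershipCheck serviceAccountMembershipCheck) {
        super(str);
        this.thirdPartyOAuthConfigDaoService = thirdPartyOAuthConfigDaoService;
        this.documentRetrievalService = documentRetrievalService;
        this.userService = inboundAuthUserService;
        this.serviceAccountMembershipCheck = serviceAccountMembershipCheck;
    }

    /**
     * Verifies the token's signature and claims against the matching config.
     *
     * <p>Checks performed: the JWS signature using a key from {@link #getJWKSource()}, exact match
     * of {@code iss} and {@code aud} with the config's issuer and audience, and presence (and,
     * per the Nimbus verifier, validity) of {@code exp}. Any failure, including a missing config,
     * is logged and reported as {@code false}; no exception escapes.
     *
     * @return {@code true} only if every check passed
     */
    public boolean verify() {
        long startMillis = System.currentTimeMillis();
        try {
            getConfig();
            // Restart the clock so the metric covers key retrieval + JWT processing, not the config lookup.
            startMillis = System.currentTimeMillis();
            DefaultJWTProcessor<SecurityContext> processor = new DefaultJWTProcessor<>();
            // NOTE(review): the accepted JWS algorithm is taken from the token header rather than
            // from configuration; the selector only matches JWKs usable for that algorithm, but
            // confirm whether the config should pin an expected algorithm as well.
            processor.setJWSKeySelector(new JWSVerificationKeySelector<>(this.signedJWT.getHeader().getAlgorithm(), getJWKSource()));
            JWTClaimsSet expectedClaims = new JWTClaimsSet.Builder()
                .issuer(this.thirdPartyOAuthConfigEntity.getIssuer())
                .audience(this.thirdPartyOAuthConfigEntity.getAudience())
                .build();
            processor.setJWTClaimsSetVerifier(new DefaultJWTClaimsVerifier<>(expectedClaims, new HashSet<>(Arrays.asList("exp"))));
            processor.process(this.signedJWT, (SecurityContext) null);
            ThirdPartyOAuthInboundPerformanceMetricsLogger.logJWKValidationTime("validation_success", this.jwkSourceType, System.currentTimeMillis() - startMillis);
            LOG.debug("Verification successful with the config which having client id: {} and issuer: {}", getClientId(), getIssuer());
            return true;
        } catch (Exception e) {
            ThirdPartyOAuthInboundPerformanceMetricsLogger.logJWKValidationTime("validation_failure", this.jwkSourceType, System.currentTimeMillis() - startMillis);
            LOG.error("Failed to verify the access token from issuer : {}", getIssuer(), e);
            return false;
        }
    }

    /**
     * Resolves the username of the service account configured for this token's config.
     *
     * @return the service account username
     * @throws AccessTokenAuthenticationException if the service account is not
     *     {@link ServiceAccountStatus#VALID}, or if the username lookup raised an
     *     {@link InboundAuthenticationException}
     * @throws RuntimeException wrapping any other failure (including a missing config)
     */
    public String resolveUsername() {
        try {
            getConfig();
            String username = this.userService.getUsernameFromId(this.thirdPartyOAuthConfigEntity.getServiceAccountId().longValue());
            ServiceAccountStatus status = this.serviceAccountMembershipCheck.getServiceAccountStatus(username);
            if (status != ServiceAccountStatus.VALID) {
                LOG.error("Invalid service account  {} found in access token. Status: {}", username, status);
                throw new AccessTokenAuthenticationException(new OAuthInvalidServiceAccountException());
            }
            LOG.debug("Successfully resolved the Service Account Username: {}", username);
            return username;
        } catch (AccessTokenAuthenticationException e) {
            // Thrown above for an invalid status; rethrow as-is so the catch-all below does not
            // bury it inside a bare RuntimeException.
            throw e;
        } catch (InboundAuthenticationException e) {
            LOG.error("Unable to retrieve username from the Service Account ID: {}", serviceAccountIdForLog(), e);
            throw new AccessTokenAuthenticationException(e);
        } catch (Exception e) {
            LOG.error("Unexpected error while retrieving username the Service Account ID: {}", serviceAccountIdForLog(), e);
            throw new RuntimeException(e);
        }
    }

    /**
     * Service account id for log messages, or {@code null} when no config has been resolved yet.
     * Guards the catch blocks in {@link #resolveUsername()}: if {@link #getConfig()} itself failed
     * the entity is still null, and dereferencing it there would replace the real cause with an NPE.
     */
    private Object serviceAccountIdForLog() {
        ThirdPartyOAuthConfigEntity config = this.thirdPartyOAuthConfigEntity;
        return config == null ? null : config.getServiceAccountId();
    }

    /**
     * Builds the JWK source for the matched config and records its type for metrics.
     *
     * <p>For {@code "upload"} the JWK Set is read from the configured document; for {@code "uri"}
     * it is fetched on demand with bounded connect/read timeouts and a size cap. The config is
     * resolved first if {@link #getConfig()} has not run yet.
     *
     * @return an immutable (uploaded) or remote (URI) JWK source
     * @throws RuntimeException if the configured source type is neither value
     * @throws Exception if the config cannot be resolved or the JWK Set cannot be loaded
     */
    public JWKSource<SecurityContext> getJWKSource() throws Exception {
        ThirdPartyOAuthConfigEntity config = getConfig();
        // Constant-first equals() so a null source type falls through to the error path instead of an NPE.
        String sourceType = config.getJwkSetSourceType();
        if (JWK_SOURCE_UPLOAD.equals(sourceType)) {
            this.jwkSourceType = JWK_SOURCE_UPLOAD;
            Long documentId = Long.valueOf(config.getJwkSetFileId());
            File documentFile = this.documentRetrievalService.getDocumentFile(documentId);
            LOG.debug("Successfully fetched the document - {}", documentId);
            return new ImmutableJWKSet<>(JWKSet.load(documentFile));
        }
        if (JWK_SOURCE_URI.equals(sourceType)) {
            this.jwkSourceType = JWK_SOURCE_URI;
            return new RemoteJWKSet<>(new URL(config.getJwkSetUri()),
                new LoggingResourceRetriever(TPO_HTTP_CONNECT_TIMEOUT, TPO_HTTP_READ_TIMEOUT, TPO_HTTP_SIZE_LIMIT));
        }
        LOG.error("Unrecognized source type for issuer: {}", getIssuer());
        // String.format uses %s, not the SLF4J "{}" placeholder.
        throw new RuntimeException(String.format("Unrecognized source type for issuer %s", getIssuer()));
    }

    /**
     * Returns the active config whose issuer matches the token's {@code iss} claim and whose
     * client id equals the token claim named by the config's client-id mapping, caching it.
     *
     * <p>This selection reads claims from the not-yet-verified token; the chosen config's issuer
     * and audience are re-checked against the token during {@link #verify()}.
     *
     * @throws Exception if no active config matches
     */
    private ThirdPartyOAuthConfigEntity getConfig() throws Exception {
        if (this.thirdPartyOAuthConfigEntity != null) {
            return this.thirdPartyOAuthConfigEntity;
        }
        Optional<ThirdPartyOAuthConfigEntity> match = this.thirdPartyOAuthConfigDaoService
            .getAllActiveConfigsByIssuer(getIssuer())
            .stream()
            .filter(this::matchesClientId)
            .findFirst();
        if (!match.isPresent()) {
            LOG.error("There is no existing config associated with the issuer: {}", getIssuer());
            throw new Exception("There is no existing config associated with the issuer: " + getIssuer());
        }
        this.thirdPartyOAuthConfigEntity = match.get();
        LOG.debug("Found an existing config associated with the client id: {} and issuer: {}", this.thirdPartyOAuthConfigEntity.getClientId(), getIssuer());
        return this.thirdPartyOAuthConfigEntity;
    }

    /** True if the token claim named by the candidate's client-id mapping equals the candidate's client id. */
    private boolean matchesClientId(ThirdPartyOAuthConfigEntity candidate) {
        return Objects.equals(this.jwtClaimsSet.getClaim(candidate.getClientIdMapping()), candidate.getClientId());
    }

    /**
     * @return the client id of the matched config
     * @throws Exception if no active config matches this token
     */
    public String getClientId() throws Exception {
        return getConfig().getClientId();
    }
}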
