package edu.kit.datamanager.security.filter;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.RemoteKeySourceException;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jose.proc.JWSKeySelector;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.proc.BadJWTException;
import com.nimbusds.jwt.proc.ConfigurableJWTProcessor;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jws;
import io.jsonwebtoken.Jwts;
import java.io.IOException;
import java.net.URL;
import java.text.ParseException;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:edu/kit/datamanager/security/filter/KeycloakTokenValidator.class */
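/**
 * Validates Keycloak-issued JWTs and turns their claims into a {@link JwtAuthenticationToken}.
 *
 * <p>Two verification paths exist. {@link #validate(String)} runs the token through the Nimbus
 * {@link ConfigurableJWTProcessor} whose key selector {@link #init()} wires to the JWK set fetched
 * from {@code jwkUrl} (RS256 only), then checks the {@code aud} claim against the configured
 * resource. {@link #getJwsClaims(String)} instead verifies with jjwt against a locally configured
 * shared secret and applies no audience or role handling at all.
 *
 * <p>The JWK set is loaded exactly once, at build time, into an {@link ImmutableJWKSet}; a key
 * rotation at the issuer is only picked up by building a new validator. Instances are created
 * through {@link #builder()}.
 */
public class KeycloakTokenValidator {

    private static final Logger LOG = LoggerFactory.getLogger(KeycloakTokenValidator.class);

    /** Name of the standard JWT audience claim. */
    public static final String JWT_AUD = "aud";

    // Claim read as the user name when the builder supplied none.
    // NOTE(review): Keycloak commonly exposes "preferred_username"; confirm this default is intended.
    private static final String DEFAULT_USERNAME_CLAIM = "preferred_user";

    // Role granted when the token carries no usable realm_access.roles entry.
    private static final String DEFAULT_ROLE = "GUEST";

    // URL of the issuer's JWK set; null disables remote-key initialisation entirely.
    private String jwkUrl;
    // Value the token's 'aud' claim must contain (the Keycloak client / resource name).
    private String resource;
    // Claim holding the user name; null selects DEFAULT_USERNAME_CLAIM.
    private String jwtClaim;
    // Passed unchanged to JWKSet.load(). Nimbus documents 0 as "no timeout" / "no size limit",
    // so the defaults leave the remote fetch unbounded — presumably worth tightening in production.
    private int connectTimeoutms = 0;
    private int readTimeoutms = 0;
    private int sizeLimit = 0;
    // True only after init() has installed a key selector built from the remote JWK set.
    private boolean initialized = false;
    // Shared secret for the jjwt path; null means local verification is unsupported.
    private String jwtLocalSecret = null;
    private ConfigurableJWTProcessor<SecurityContext> jwtProcessor;

    /**
     * Fluent builder for {@link KeycloakTokenValidator}.
     *
     * <p>Timeouts and the size limit must be set before {@link #build(String, String, String)},
     * because that is when the JWK set is fetched.
     */
    public static final class Builder {

        private final KeycloakTokenValidator accessTokenValidator;

        private Builder() {
            this.accessTokenValidator = new KeycloakTokenValidator();
        }

        /** Sets the connect timeout in milliseconds used when fetching the JWK set. */
        public Builder connectTimeout(int connectTimeoutMs) {
            accessTokenValidator.connectTimeoutms = connectTimeoutMs;
            return this;
        }

        /** Sets the read timeout in milliseconds used when fetching the JWK set. */
        public Builder readTimeout(int readTimeoutMs) {
            accessTokenValidator.readTimeoutms = readTimeoutMs;
            return this;
        }

        /** Sets the maximum number of bytes accepted from the JWK set endpoint. */
        public Builder sizeLimit(int sizeLimitBytes) {
            accessTokenValidator.sizeLimit = sizeLimitBytes;
            return this;
        }

        /**
         * Injects a pre-configured JWT processor. When one is supplied, {@code build} does not
         * call {@link KeycloakTokenValidator#init()}, so the caller is responsible for its key
         * selector and {@link KeycloakTokenValidator#isValid()} stays {@code false}.
         */
        public Builder jwtProcessor(ConfigurableJWTProcessor<SecurityContext> configurableJWTProcessor) {
            accessTokenValidator.jwtProcessor = configurableJWTProcessor;
            return this;
        }

        /** Sets the shared secret used by {@link KeycloakTokenValidator#getJwsClaims(String)}. */
        public Builder jwtLocalSecret(String secret) {
            accessTokenValidator.jwtLocalSecret = secret;
            return this;
        }

        /**
         * Finishes the validator, fetching the JWK set when no processor was injected.
         *
         * @param jwkUrl   URL of the issuer's JWK set; may be {@code null} if a processor is injected
         * @param resource value the {@code aud} claim must contain
         * @param jwtClaim claim used as the user name; {@code null} selects {@code "preferred_user"}
         * @return the configured validator
         * @throws IllegalStateException if the JWK set cannot be loaded or parsed
         */
        public KeycloakTokenValidator build(String jwkUrl, String resource, String jwtClaim) {
            accessTokenValidator.resource = resource;
            accessTokenValidator.jwtClaim = jwtClaim;
            accessTokenValidator.jwkUrl = jwkUrl;
            // Only a processor created here gets its key selector wired; an injected one is used as-is.
            if (accessTokenValidator.jwtProcessor == null && jwkUrl != null) {
                accessTokenValidator.jwtProcessor = new DefaultJWTProcessor<>();
                accessTokenValidator.init();
            }
            return accessTokenValidator;
        }
    }

    /**
     * Replaces the JWT processor. No key selector is installed for it; call {@link #init()}
     * afterwards if the remote JWK set should be used.
     */
    public void setJwtProcessor(ConfigurableJWTProcessor<SecurityContext> configurableJWTProcessor) {
        this.jwtProcessor = configurableJWTProcessor;
    }

    /** Builds a selector that accepts only RS256-signed tokens verifiable with {@code source}. */
    private JWSKeySelector<SecurityContext> keySelector(JWKSource<SecurityContext> source) {
        return new JWSVerificationKeySelector<>(JWSAlgorithm.RS256, source);
    }

    /**
     * Fetches the JWK set from {@code jwkUrl} and installs an RS256 key selector on the processor.
     * Does nothing when {@code jwkUrl} is {@code null}.
     *
     * @throws IllegalStateException if no processor is configured, or if the JWK set cannot be
     *                               loaded or parsed (the cause is preserved)
     */
    public void init() {
        if (jwkUrl == null) {
            return;
        }
        if (jwtProcessor == null) {
            throw new IllegalStateException("No JWT processor configured; set one before calling init().");
        }
        LOG.info("Initializing JWK set from {}.", jwkUrl);
        try {
            JWKSource<SecurityContext> keySource = new ImmutableJWKSet<>(getJwkSet(jwkUrl));
            jwtProcessor.setJWSKeySelector(keySelector(keySource));
            LOG.info("JWK set initialized successfully.");
            initialized = true;
        } catch (IOException | ParseException e) {
            throw new IllegalStateException("Failed to initialize KeycloakTokenValidator.", e);
        }
    }

    /**
     * Loads a JWK set from {@code url} using the configured timeouts and size limit.
     *
     * @param url location of the JWK set document
     * @return the parsed key set
     * @throws IOException    if the document cannot be retrieved
     * @throws ParseException if the document is not a valid JWK set
     */
    public JWKSet getJwkSet(String url) throws IOException, ParseException {
        return JWKSet.load(new URL(url), connectTimeoutms, readTimeoutms, sizeLimit);
    }

    /**
     * Verifies {@code token} with the configured processor and maps its claims to an
     * authentication token.
     *
     * <p>A token is rejected unless its {@code aud} claim contains the configured resource.
     * Roles are read from {@code realm_access.roles}; when absent or not a JSON array the
     * single role {@code "GUEST"} is substituted. Rejections and parse failures are logged
     * and reported as {@code null}, so callers must treat {@code null} as unauthenticated.
     *
     * @param token the compact serialised JWT
     * @return the authentication token, or {@code null} if the JWT is invalid or unparseable
     * @throws BadJOSEException for JOSE-level rejections other than {@link BadJWTException}
     */
    public JwtAuthenticationToken validate(String token) throws BadJOSEException {
        try {
            JWTClaimsSet claims = getJwtClaimsSet(token, null);
            if (claims == null) {
                return null;
            }
            List<String> audience = claims.getAudience();
            // A null resource can never match, so the token is rejected rather than accepted.
            if (audience == null || !audience.contains(resource)) {
                throw new BadJWTException(
                        "Invalid Keycloak Resource. Audience claim 'aud' is missing or does not contain the expected resource.");
            }
            List<?> roles = extractRoles(claims);
            String rolesString = roles.toString();
            LOG.trace("Adding roles string {} to claims.", rolesString);
            String usernameClaim = jwtClaim == null ? DEFAULT_USERNAME_CLAIM : jwtClaim;
            Map<String, String> attributes = new HashMap<>();
            attributes.put("username", claims.getStringClaim(usernameClaim));
            attributes.put("firstname", claims.getStringClaim("given_name"));
            attributes.put("lastname", claims.getStringClaim("family_name"));
            attributes.put("email", claims.getStringClaim("email"));
            attributes.put("roles", rolesString);
            return JwtAuthenticationToken.factoryToken(token, attributes);
        } catch (BadJWTException e) {
            LOG.warn("Invalid JWT received.", e);
            return null;
        } catch (RemoteKeySourceException e) {
            // Subclass of JOSEException: must be caught before the generic clause below.
            LOG.error("Failed to obtain remote key for JWT validation.", e);
            return null;
        } catch (ParseException | JOSEException e) {
            LOG.error("Failed to parse JWT.", e);
            return null;
        }
    }

    /**
     * Reads {@code realm_access.roles} from the claims, falling back to {@code ["GUEST"]} when the
     * entry is missing or not a JSON array (a non-array value is logged and ignored rather than
     * escaping as a {@link ClassCastException}).
     */
    private static List<?> extractRoles(JWTClaimsSet claims) throws ParseException {
        Map<String, Object> realmAccess = claims.getJSONObjectClaim("realm_access");
        if (realmAccess != null) {
            Object rolesClaim = realmAccess.get("roles");
            if (rolesClaim instanceof List) {
                List<?> roles = (List<?>) rolesClaim;
                LOG.trace("Obtained roles {} from JWT.", roles);
                return roles;
            }
            if (rolesClaim != null) {
                LOG.warn("Ignoring 'realm_access.roles' of unexpected type {}.", rolesClaim.getClass().getName());
            }
        }
        List<String> defaultRoles = new ArrayList<>();
        defaultRoles.add(DEFAULT_ROLE);
        LOG.trace("No roles found in JWT. Using default roles {}.", defaultRoles);
        return defaultRoles;
    }

    /** Delegates signature verification and claim parsing to the configured processor. */
    private JWTClaimsSet getJwtClaimsSet(String token, SecurityContext securityContext)
            throws ParseException, BadJOSEException, JOSEException {
        return jwtProcessor.process(token, securityContext);
    }

    /**
     * Parses and verifies {@code token} with jjwt using the local shared secret.
     *
     * <p>jjwt's {@code setSigningKey(String)} treats the value as a Base64-encoded key. This path
     * performs no audience or role checks; callers needing them should use {@link #validate(String)}.
     *
     * @param token the compact serialised JWS
     * @return the verified claims
     * @throws io.jsonwebtoken.JwtException if the token is malformed, expired or its signature
     *                                       does not verify
     */
    public Jws<Claims> getJwsClaims(String token) {
        return Jwts.parserBuilder().setSigningKey(jwtLocalSecret).build().parseClaimsJws(token);
    }

    /** @return {@code true} if a local shared secret is configured for {@link #getJwsClaims(String)} */
    public boolean supportsLocalJwt() {
        return Objects.nonNull(jwtLocalSecret);
    }

    /** @return {@code true} once {@link #init()} has installed a key selector from the remote JWK set */
    public boolean isValid() {
        return initialized;
    }

    /** @return a new builder */
    public static Builder builder() {
        return new Builder();
    }
}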
