package io.hawt.web.auth.oidc;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.JWKParameterNames;
import com.nimbusds.jose.jwk.KeyUse;
import com.nimbusds.jose.proc.JWKSecurityContext;
import io.hawt.util.Strings;
import io.hawt.web.auth.AuthenticationConfiguration;
import io.hawt.web.auth.oidc.token.ValidAccessToken;
import java.io.File;
import java.io.IOException;
import java.math.BigInteger;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.nio.charset.Charset;
import java.security.KeyFactory;
import java.security.KeyManagementException;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.security.PublicKey;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.RSAPublicKeySpec;
import java.text.ParseException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Properties;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import org.apache.http.HttpEntity;
import org.apache.http.HttpHost;
import org.apache.http.HttpRequest;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.utils.URIUtils;
import org.apache.http.config.ConnectionConfig;
import org.apache.http.config.RegistryBuilder;
import org.apache.http.config.SocketConfig;
import org.apache.http.conn.socket.PlainConnectionSocketFactory;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.entity.ContentType;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;
import org.apache.http.message.BasicHttpRequest;
import org.apache.http.ssl.PrivateKeyStrategy;
import org.apache.http.ssl.SSLContextBuilder;
import org.apache.http.ssl.SSLContexts;
import org.apache.http.ssl.TrustStrategy;
import org.apache.http.util.EntityUtils;
import org.apache.logging.log4j.core.jackson.StackTraceElementConstants;
import org.json.JSONArray;
import org.json.JSONException;
import org.json.JSONObject;
import org.quartz.DateBuilder;
import org.quartz.utils.PoolingConnectionProvider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.xml.BeanDefinitionParserDelegate;

/* loaded from: input_file:BOOT-INF/lib/hawtio-system-4.0.0-RC2.jar:io/hawt/web/auth/oidc/OidcConfiguration.class */
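/**
 * JAAS {@link Configuration} holding the OpenID Connect settings used for authentication.
 *
 * <p>An instance is built from a {@link Properties} object. Unless the {@code offline} property
 * is true, it also creates an HTTP client, downloads the provider's
 * {@code .well-known/openid-configuration} document and the JWKS document it points to, and caches
 * the signature public keys by {@code kid}. The cached keys are what access-token signatures are
 * later checked against, so everything that influences how they are fetched (TLS trust, proxy,
 * {@code jwks_uri}) is security relevant.
 *
 * <p>Thread-safety: the key cache is a {@link ConcurrentHashMap} and the refresh bookkeeping
 * fields are {@code volatile}; the remaining fields are written only during construction or by
 * {@link #setRolePrincipalClasses(String)}.
 */
public class OidcConfiguration extends Configuration {
    public static final Logger LOG = LoggerFactory.getLogger(OidcConfiguration.class);
    public static final String OIDC_JAAS_CONFIGURATION = "OidcConfiguration";
    private URL providerURL;
    private String clientId;
    private ResponseMode responseMode;
    private String[] scopes;
    private URL redirectUri;
    private String codeChallengeMethod;
    private PromptType prompt;
    // Serialized configuration returned by toJSON().
    private String json;
    private AppConfigurationEntry[] jaasAppConfigurationEntries;
    // Set only after the JWKS document was fetched successfully at least once.
    private URL jwksURL;
    // Minimum time in milliseconds between two JWKS downloads. It has no initializer, so it is 0
    // unless "jwks.cacheTime" is configured.
    private volatile long cacheTime;
    private CloseableHttpClient httpClient;
    private String[] rolePrincipalClasses;
    private Class<?> roleClass;
    private String rolesPathConfig;
    private String[] rolesPath;
    // Replaced by cachePublicKeys(), which refreshPublicKeysIfNeeded() may run on any caller
    // thread, hence volatile like the other refresh state.
    private volatile JWKSecurityContext jwkContext;
    private boolean offline;
    private final Set<String> supportedECCurves = Set.of("P-256", "P-384", "P-521");
    // Signature verification keys indexed by JWK "kid".
    private final Map<String, PublicKey> publicKeys = new ConcurrentHashMap<>();
    private volatile long lastCheck = 0;
    // Maps role names found in the token to the role names used by the application.
    private final Map<String, String> roleMapping = new HashMap<>();

    /* loaded from: input_file:BOOT-INF/lib/hawtio-system-4.0.0-RC2.jar:io/hawt/web/auth/oidc/OidcConfiguration$PromptType.class */
    /** Values accepted for the {@code prompt} property. */
    public enum PromptType {
        NONE("none"),
        LOGIN("login"),
        CONSENT("consent"),
        SELECT_ACCOUNT("select_account");

        private final String mode;

        PromptType(String str) {
            this.mode = str;
        }

        /**
         * Looks up a constant by its configuration value.
         *
         * @param str configuration value, may be {@code null}
         * @return the matching constant, or {@code null} when {@code str} is blank or unknown
         */
        public static PromptType fromString(String str) {
            if (!Strings.isNotBlank(str)) {
                return null;
            }
            for (PromptType candidate : values()) {
                if (candidate.mode.equals(str)) {
                    return candidate;
                }
            }
            return null;
        }

        /** @return the value as written in the configuration */
        public String asValue() {
            return this.mode;
        }
    }

    /* loaded from: input_file:BOOT-INF/lib/hawtio-system-4.0.0-RC2.jar:io/hawt/web/auth/oidc/OidcConfiguration$ResponseMode.class */
    /** Values accepted for the {@code response_mode} property. */
    public enum ResponseMode {
        FRAGMENT("fragment"),
        QUERY("query");

        private final String mode;

        ResponseMode(String str) {
            this.mode = str;
        }

        /**
         * Looks up a constant by its configuration value.
         *
         * @param str configuration value, may be {@code null}
         * @return the matching constant, or {@code null} when {@code str} is blank or unknown
         */
        public static ResponseMode fromString(String str) {
            if (!Strings.isNotBlank(str)) {
                return null;
            }
            for (ResponseMode candidate : values()) {
                if (candidate.mode.equals(str)) {
                    return candidate;
                }
            }
            return null;
        }

        /** @return the value as written in the configuration */
        public String asValue() {
            return this.mode;
        }
    }

    /**
     * Reads the OIDC settings from {@code properties} and, unless offline, contacts the provider.
     *
     * <p>When the provider property is blank the constructor returns immediately and every other
     * field keeps its default, so {@link #isEnabled()} is false.
     *
     * @param properties configuration source
     * @throws IOException if a configured or discovered URL is malformed
     * @throws IllegalArgumentException if the TLS trust or key material cannot be loaded
     */
    public OidcConfiguration(Properties properties) throws IOException {
        // NOTE(review): PoolingConnectionProvider.POOLING_PROVIDER, BeanDefinitionParserDelegate
        // .SCOPE_ATTRIBUTE and DateBuilder.MILLISECONDS_IN_HOUR belong to unrelated libraries;
        // the decompiler presumably substituted them for plain literals - confirm against the
        // original source.
        String provider = properties.getProperty(PoolingConnectionProvider.POOLING_PROVIDER);
        if (Strings.isBlank(provider)) {
            return;
        }
        this.providerURL = new URL(provider);
        this.clientId = properties.getProperty("client_id");
        this.responseMode = ResponseMode.fromString(properties.getProperty("response_mode"));
        String redirect = properties.getProperty("redirect_uri");
        if (Strings.isNotBlank(redirect)) {
            this.redirectUri = new URL(redirect);
        }
        this.codeChallengeMethod = properties.getProperty("code_challenge_method");
        String scope = properties.getProperty(BeanDefinitionParserDelegate.SCOPE_ATTRIBUTE);
        this.scopes = scope == null
                ? new String[0]
                : Arrays.stream(scope.split("\\s+")).map(String::trim).toArray(String[]::new);
        this.prompt = PromptType.fromString(properties.getProperty("prompt"));

        // When "jwks.cacheTime" is absent cacheTime stays 0, and refreshPublicKeysIfNeeded() then
        // downloads the JWKS document on every call.
        String cacheMinutes = properties.getProperty("jwks.cacheTime");
        if (cacheMinutes != null) {
            try {
                int minutes = Integer.parseInt(cacheMinutes);
                LOG.debug("Setting public key cache time to {} minutes", minutes);
                // long arithmetic: minutes * 60 * 1000 overflows int for large values
                this.cacheTime = minutes * 60L * 1000L;
            } catch (NumberFormatException e) {
                LOG.warn("Illegal value of jwks.cacheTime property. Defaulting to 60 minutes.");
                this.cacheTime = DateBuilder.MILLISECONDS_IN_HOUR;
            }
        }

        String rolesPathValue = properties.getProperty("oidc.rolesPath");
        if (rolesPathValue == null || rolesPathValue.isBlank()) {
            LOG.info("No oidc.rolesPath configured. Defaults to \"roles\".");
            rolesPathValue = AuthenticationConfiguration.ROLES;
        }
        this.rolesPathConfig = Strings.resolvePlaceholders(rolesPathValue, properties);
        this.rolesPath = Arrays.stream(this.rolesPathConfig.split("\\."))
                .map(String::trim)
                .toArray(String[]::new);

        String mappingPrefix = "roleMapping.";
        for (String name : properties.stringPropertyNames()) {
            if (name.startsWith(mappingPrefix)) {
                this.roleMapping.put(name.substring(mappingPrefix.length()), properties.getProperty(name));
            }
        }

        this.offline = booleanProperty(properties, "offline", false);
        if (!this.offline) {
            buildHttpClient(properties);
        }
        buildConfiguration(properties);
    }

    /**
     * Returns the single JAAS entry created by this configuration.
     *
     * @param str application name; not used, the same entries are returned for every name
     * @return the JAAS entries, or {@code null} when no provider is configured
     */
    @Override
    public AppConfigurationEntry[] getAppConfigurationEntry(String str) {
        return this.jaasAppConfigurationEntries;
    }

    /** @return the provider URL, or {@code null} when OIDC is not configured */
    public URL getProviderURL() {
        return this.providerURL;
    }

    /** @return the configured {@code client_id} */
    public String getClientId() {
        return this.clientId;
    }

    /** @return the configured response mode, or {@code null} */
    public ResponseMode getResponseMode() {
        return this.responseMode;
    }

    /** @return the internal scope array (not a copy; callers should not modify it) */
    public String[] getScopes() {
        return this.scopes;
    }

    /** @return the configured redirect URI, or {@code null} */
    public URL getRedirectUri() {
        return this.redirectUri;
    }

    /** @return the configured {@code code_challenge_method} */
    public String getCodeChallengeMethod() {
        return this.codeChallengeMethod;
    }

    /** @return the configured prompt type, or {@code null} */
    public PromptType getPrompt() {
        return this.prompt;
    }

    /** @return the internal roles path segments (not a copy; callers should not modify it) */
    public String[] getRolesPath() {
        return this.rolesPath;
    }

    /** @return the class used to represent roles, as chosen by {@link #setRolePrincipalClasses} */
    public Class<?> getRoleClass() {
        return this.roleClass;
    }

    /** @return the internal, mutable role mapping (not a copy) */
    public Map<String, String> getRoleMapping() {
        return this.roleMapping;
    }

    /**
     * Looks up a cached signature key.
     *
     * @param str the JWK {@code kid}
     * @return the cached key, or {@code null} when no key with that id is cached
     */
    public PublicKey findPublicKey(String str) {
        return this.publicKeys.get(str);
    }

    /** @return the configuration serialized as JSON, or {@code null} when OIDC is not configured */
    public String toJSON() {
        return this.json;
    }

    /**
     * Creates the HTTP client used to download the discovery and JWKS documents.
     *
     * @param properties source of the {@code http.*} and {@code ssl.*} settings
     * @throws IllegalArgumentException if trust or key material cannot be loaded
     */
    private void buildHttpClient(Properties properties) {
        int connectionTimeout = integerProperty(properties, "http.connectionTimeout", 5000);
        int readTimeout = integerProperty(properties, "http.readTimeout", 10000);
        String proxyURL = stringProperty(properties, "http.proxyURL", null);
        String sslProtocol = stringProperty(properties, "ssl.protocol", "TLSv1.3");
        String truststore = stringProperty(properties, "ssl.truststore", null);
        String truststorePassword = stringProperty(properties, "ssl.truststorePassword", "");
        String keystore = stringProperty(properties, "ssl.keystore", null);
        String keystorePassword = stringProperty(properties, "ssl.keystorePassword", "");
        String keyAlias = stringProperty(properties, "ssl.keyAlias", null);
        String keyPassword = stringProperty(properties, "ssl.keyPassword", "");

        RequestConfig.Builder requestConfig = RequestConfig.custom();
        requestConfig.setConnectTimeout(connectionTimeout);
        requestConfig.setSocketTimeout(readTimeout);
        SocketConfig.Builder socketConfig = SocketConfig.custom();
        socketConfig.setSoTimeout(readTimeout);
        ConnectionConfig.Builder connectionConfig = ConnectionConfig.custom();

        SSLConnectionSocketFactory sslSocketFactory;
        if (truststore == null && keystore == null) {
            sslSocketFactory = SSLConnectionSocketFactory.getSystemSocketFactory();
        } else {
            String truststorePath = Strings.resolvePlaceholders(truststore);
            String keystorePath = Strings.resolvePlaceholders(keystore);
            SSLContextBuilder sslContext = SSLContexts.custom();
            sslContext.setProtocol(sslProtocol);
            // The JVM default trust material is loaded before the configured truststore, so the
            // truststore is an addition to the default CAs, not a restriction to it.
            // NOTE(review): the SSLContextBuilder Javadoc warns that the default JSSE only uses
            // the first trust manager of a given type - verify that certificates trusted only by
            // the configured truststore are actually accepted.
            try {
                sslContext.loadTrustMaterial((TrustStrategy) null);
            } catch (KeyStoreException | NoSuchAlgorithmException e) {
                throw new IllegalArgumentException("Problem loading default truststore", e);
            }
            if (truststorePath != null) {
                try {
                    sslContext.loadTrustMaterial(new File(truststorePath), truststorePassword.toCharArray());
                } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException e) {
                    throw new IllegalArgumentException("Problem loading truststore from " + truststorePath, e);
                }
            }
            if (keystorePath != null) {
                // With an alias configured only that key may be presented as client certificate.
                PrivateKeyStrategy aliasStrategy = null;
                if (keyAlias != null) {
                    aliasStrategy = (aliases, socket) -> aliases.containsKey(keyAlias) ? keyAlias : null;
                }
                try {
                    sslContext.loadKeyMaterial(new File(keystorePath), keystorePassword.toCharArray(),
                            keyPassword.toCharArray(), aliasStrategy);
                } catch (IOException | KeyStoreException | NoSuchAlgorithmException
                        | UnrecoverableKeyException | CertificateException e) {
                    throw new IllegalArgumentException("Problem loading keystore from " + keystorePath, e);
                }
            }
            try {
                sslSocketFactory = new SSLConnectionSocketFactory(sslContext.build(), new DefaultHostnameVerifier());
            } catch (KeyManagementException | NoSuchAlgorithmException e) {
                throw new IllegalArgumentException("Can't create SSL Socket Factory", e);
            }
        }

        // The socket factory registry has to be handed to the connection manager: a factory set
        // only on the client builder is overridden once an explicit connection manager is
        // assigned, which would silently drop the configured protocol, truststore and client key.
        // Plain "http" stays registered; documents fetched that way are not authenticated.
        PoolingHttpClientConnectionManager connectionManager = new PoolingHttpClientConnectionManager(
                RegistryBuilder.<org.apache.http.conn.socket.ConnectionSocketFactory>create()
                        .register("http", PlainConnectionSocketFactory.getSocketFactory())
                        .register("https", sslSocketFactory)
                        .build());
        connectionManager.setDefaultConnectionConfig(connectionConfig.build());
        connectionManager.setDefaultSocketConfig(socketConfig.build());
        connectionManager.setMaxTotal(20);
        connectionManager.setDefaultMaxPerRoute(connectionManager.getMaxTotal());

        HttpClientBuilder clientBuilder = HttpClients.custom();
        clientBuilder.useSystemProperties();
        clientBuilder.setDefaultCookieStore(new NopCookieStore());
        clientBuilder.setSSLSocketFactory(sslSocketFactory);
        clientBuilder.setConnectionManager(connectionManager);
        clientBuilder.setDefaultRequestConfig(requestConfig.build());

        if (proxyURL != null) {
            URI proxyUri = URI.create(proxyURL);
            String scheme = proxyUri.getScheme();
            // The proxy host is the URI host; passing the scheme as host name would produce a
            // proxy address like "http:80".
            String host = proxyUri.getHost();
            int port = proxyUri.getPort();
            if (port <= 0) {
                if ("http".equals(scheme)) {
                    port = 80;
                } else if ("https".equals(scheme)) {
                    port = 443;
                }
            }
            if (port > 0 && host != null) {
                clientBuilder.setProxy(new HttpHost(host, port, scheme));
            } else {
                LOG.warn("Invalid proxy definition: {}", proxyURL);
            }
        }
        this.httpClient = clientBuilder.build();
    }

    /**
     * Builds the JSON configuration and the JAAS entry, and loads the provider metadata and
     * signing keys unless disabled by {@code oidc.cacheConfig=false} or offline mode.
     *
     * <p>If the discovery document or the JWKS document cannot be obtained, the JSON configuration
     * is replaced by an empty object and no keys are cached. {@link #isEnabled()} only looks at
     * the provider URL and therefore still returns true in that case.
     *
     * @param properties configuration source
     * @throws IOException if the discovery URL or the advertised {@code jwks_uri} is malformed
     */
    private void buildConfiguration(Properties properties) throws IOException {
        JSONObject config = new JSONObject();
        // NOTE(review): StackTraceElementConstants.ATTR_METHOD is a Log4j constant, presumably
        // substituted by the decompiler for the literal key - confirm.
        config.put(StackTraceElementConstants.ATTR_METHOD, "oidc");
        if (this.providerURL != null) {
            config.put(PoolingConnectionProvider.POOLING_PROVIDER, this.providerURL.toString());
        }
        config.put("client_id", this.clientId);
        if (this.responseMode != null) {
            config.put("response_mode", this.responseMode.asValue());
        }
        if (this.scopes != null) {
            config.put(BeanDefinitionParserDelegate.SCOPE_ATTRIBUTE, String.join(" ", this.scopes));
        }
        if (this.redirectUri != null) {
            config.put("redirect_uri", this.redirectUri.toString());
        }
        config.put("code_challenge_method", this.codeChallengeMethod);
        if (this.prompt != null) {
            config.put("prompt", this.prompt.asValue());
        }

        String base = this.providerURL.toString();
        if (!base.endsWith("/")) {
            base = base + "/";
        }
        if (!booleanProperty(properties, "oidc.cacheConfig", true) || this.offline) {
            LOG.info("OpenID Connect configuration will not be loaded for {}", base);
        } else {
            JSONObject discovery = fetchJSON(new URL(new URL(base), ".well-known/openid-configuration"));
            if (discovery == null) {
                LOG.error("Problem getting OpenID Connect configuration. OpenID/OAuth2 authentication disabled.");
                config = new JSONObject();
            } else {
                // optString instead of getString: getString throws when the key is missing, which
                // made the "no JWKS endpoint" branch unreachable.
                String jwksUri = discovery.optString("jwks_uri", null);
                if (jwksUri == null || jwksUri.isBlank()) {
                    LOG.error("No JWKS endpoint available - it is not possible to validate JWT access tokens. OpenID/OAuth2 authentication disabled.");
                    config = new JSONObject();
                } else {
                    // NOTE(review): the jwks_uri is taken from the discovery document as is; the
                    // document's "issuer" is not compared with the configured provider URL here.
                    URL jwks = new URL(jwksUri);
                    if (!"https".equalsIgnoreCase(jwks.getProtocol())) {
                        LOG.warn("JWKS endpoint {} does not use HTTPS - signing keys are fetched over an unauthenticated channel.", jwks);
                    }
                    JSONObject keySet = fetchJSON(jwks);
                    if (keySet == null) {
                        LOG.error("Problem getting JWKS configuration - it is not possible to validate JWT access tokens. OpenID/OAuth2 authentication disabled.");
                        config = new JSONObject();
                    } else {
                        this.jwksURL = jwks;
                        cachePublicKeys(keySet);
                        this.lastCheck = System.currentTimeMillis();
                    }
                }
            }
            if (this.jwksURL != null) {
                config.put("openid-configuration", discovery);
            }
        }
        this.json = config.toString();
        this.jaasAppConfigurationEntries = new AppConfigurationEntry[]{
            new AppConfigurationEntry(OidcLoginModule.class.getName(),
                    AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                    Map.of(OIDC_JAAS_CONFIGURATION, this))
        };
    }

    /** @return {@code true} when a provider URL is configured */
    public boolean isEnabled() {
        return getProviderURL() != null;
    }

    /** @return the JWK context built by the last successful {@link #cachePublicKeys} call */
    public JWKSecurityContext getJwkContext() {
        return this.jwkContext;
    }

    /**
     * Downloads the JWKS document again when the cache time has elapsed.
     *
     * <p>The timestamp is updated even when the download fails, so a failing endpoint is retried
     * only after another cache period. Nothing is fetched when no JWKS URL was established during
     * construction.
     */
    public void refreshPublicKeysIfNeeded() {
        long now = System.currentTimeMillis();
        if (this.lastCheck + this.cacheTime > now) {
            return;
        }
        if (this.jwksURL != null) {
            JSONObject keySet = fetchJSON(this.jwksURL);
            if (keySet != null) {
                cachePublicKeys(keySet);
            }
        }
        this.lastCheck = System.currentTimeMillis();
    }

    /**
     * Replaces the cached public keys with the signature keys of a JWKS document.
     *
     * <p>Only RSA keys and EC keys on a supported curve are considered, and only when they carry a
     * {@code kid} and are marked for signature use; a key without a {@code use} value is skipped.
     * The cache is cleared before the document is read, so a malformed document leaves no keys
     * cached and token validation fails until the next successful refresh.
     *
     * @param jSONObject the JWKS document
     */
    public void cachePublicKeys(JSONObject jSONObject) {
        // NOTE(review): between clear() and the puts below concurrent findPublicKey() calls see
        // an empty or partial cache.
        this.publicKeys.clear();
        List<JWK> signingKeys = new ArrayList<>();
        try {
            JSONArray keys = jSONObject.getJSONArray("keys");
            for (int i = 0; i < keys.length(); i++) {
                JSONObject key = keys.getJSONObject(i);
                String keyType = key.has(JWKParameterNames.KEY_TYPE) ? key.getString(JWKParameterNames.KEY_TYPE) : null;
                String keyId = key.has("kid") ? key.getString("kid") : null;
                if (keyType == null || keyId == null) {
                    LOG.warn("Invalid key definition: {}", key.toString());
                    continue;
                }
                if ("RSA".equals(keyType)) {
                    String modulus = key.has(JWKParameterNames.RSA_MODULUS) ? key.getString(JWKParameterNames.RSA_MODULUS) : null;
                    String exponent = key.has(JWKParameterNames.RSA_EXPONENT) ? key.getString(JWKParameterNames.RSA_EXPONENT) : null;
                    if (modulus == null || exponent == null) {
                        LOG.warn("Invalid RSA key definition: {}", key.toString());
                        continue;
                    }
                    try {
                        JWK jwk = JWK.parse(key.toMap());
                        if (jwk.getKeyUse() == KeyUse.SIGNATURE) {
                            cacheRSAKey(key);
                            signingKeys.add(jwk);
                        }
                    } catch (ParseException e) {
                        LOG.warn("Problem parsing RSA key: {}", e.getMessage());
                    }
                } else if ("EC".equals(keyType)) {
                    String curve = key.has("crv") ? key.getString("crv") : null;
                    if (curve == null || !this.supportedECCurves.contains(curve)) {
                        LOG.warn("Unsupported \"crv\" parameter for EC key: {}", curve);
                        continue;
                    }
                    String x = key.has("x") ? key.getString("x") : null;
                    String y = key.has(JWKParameterNames.ELLIPTIC_CURVE_Y_COORDINATE)
                            ? key.getString(JWKParameterNames.ELLIPTIC_CURVE_Y_COORDINATE) : null;
                    if (x == null || y == null) {
                        LOG.warn("Invalid EC key definition: {}", key.toString());
                        continue;
                    }
                    try {
                        JWK jwk = JWK.parse(key.toMap());
                        if (jwk.getKeyUse() == KeyUse.SIGNATURE) {
                            cacheECKey(key, jwk.toECKey().toECPublicKey());
                            signingKeys.add(jwk);
                        }
                    } catch (JOSEException | ParseException e) {
                        LOG.warn("Problem parsing EC key: {}", e.getMessage());
                    }
                }
            }
        } catch (JSONException e) {
            // Covers a missing "keys" array as well as entries or members of the wrong JSON type.
            LOG.error("Problem caching public keys: {}", e.getMessage());
            return;
        }
        this.jwkContext = new JWKSecurityContext(signingKeys);
    }

    /**
     * Performs a GET request and parses the response body as a JSON object.
     *
     * @param url the document to download
     * @return the parsed document, or {@code null} when the request fails, the status is not 200,
     *         the content type is not {@code application/json} or the body is not valid JSON
     */
    private JSONObject fetchJSON(URL url) {
        try {
            URI uri = url.toURI();
            BasicHttpRequest request = new BasicHttpRequest("GET", uri.toString());
            LOG.info("Fetching data: {}", request.getRequestLine());
            try (CloseableHttpResponse response =
                    this.httpClient.execute(URIUtils.extractHost(uri), (HttpRequest) request)) {
                if (response.getStatusLine().getStatusCode() != 200) {
                    LOG.error("Invalid response from {}: {}", url, response.getStatusLine());
                    return null;
                }
                HttpEntity entity = response.getEntity();
                if (entity == null) {
                    return null;
                }
                // ContentType.get() returns null when the response has no Content-Type header.
                ContentType contentType = ContentType.get(entity);
                if (contentType == null
                        || !contentType.getMimeType().equals(ContentType.APPLICATION_JSON.getMimeType())) {
                    LOG.warn("Expected {}, got {}", ContentType.APPLICATION_JSON, contentType);
                    return null;
                }
                // JSON without an explicit charset is UTF-8; the platform default charset would
                // make parsing depend on the host configuration.
                Charset charset = contentType.getCharset() == null
                        ? java.nio.charset.StandardCharsets.UTF_8
                        : contentType.getCharset();
                // NOTE(review): the body is read fully into memory without a size limit.
                return new JSONObject(EntityUtils.toString(entity, charset));
            }
        } catch (IOException e) {
            LOG.error("Problem connecting to {}", url, e);
            return null;
        } catch (URISyntaxException e) {
            LOG.error("Problem with URI {}", url, e);
            return null;
        } catch (JSONException e) {
            // A body that is not valid JSON is handled like any other failed download.
            LOG.error("Invalid JSON received from {}: {}", url, e.getMessage());
            return null;
        }
    }

    /**
     * Builds an RSA public key from the {@code n} and {@code e} members of a JWK and caches it
     * under the key's {@code kid}. Failures are logged and the key is not cached.
     *
     * @param jSONObject the JWK
     */
    private void cacheRSAKey(JSONObject jSONObject) {
        String keyId = jSONObject.getString("kid");
        try {
            Base64.Decoder decoder = Base64.getUrlDecoder();
            // signum 1: the decoded bytes are unsigned big-endian magnitudes
            BigInteger modulus = new BigInteger(1, decoder.decode(jSONObject.getString(JWKParameterNames.RSA_MODULUS)));
            BigInteger exponent = new BigInteger(1, decoder.decode(jSONObject.getString(JWKParameterNames.RSA_EXPONENT)));
            PublicKey publicKey = KeyFactory.getInstance("RSA").generatePublic(new RSAPublicKeySpec(modulus, exponent));
            this.publicKeys.put(keyId, publicKey);
        } catch (NoSuchAlgorithmException | InvalidKeySpecException | IllegalArgumentException e) {
            // IllegalArgumentException: the value is not valid base64url
            LOG.warn("Can't cache RSA public key: {}", e.getMessage());
        }
    }

    /**
     * Caches an already converted EC public key under the JWK's {@code kid}.
     *
     * @param jSONObject the JWK the key was created from
     * @param publicKey the key to cache
     */
    private void cacheECKey(JSONObject jSONObject, PublicKey publicKey) {
        this.publicKeys.put(jSONObject.getString("kid"), publicKey);
    }

    /**
     * Reads an integer property.
     *
     * @return the parsed value, or {@code i} when the property is missing, blank or not a number
     */
    private int integerProperty(Properties properties, String str, int i) {
        String value = properties.getProperty(str);
        if (value == null || value.isBlank()) {
            return i;
        }
        try {
            return Integer.parseInt(value);
        } catch (NumberFormatException ignored) {
            // an unparsable value deliberately falls back to the default
            return i;
        }
    }

    /**
     * Reads a string property.
     *
     * @return the property value, or {@code str2} when the property is missing or blank
     */
    private String stringProperty(Properties properties, String str, String str2) {
        String value = properties.getProperty(str);
        if (value == null || value.isBlank()) {
            return str2;
        }
        return value;
    }

    /**
     * Reads a boolean property.
     *
     * @return {@code z} when the property is missing or blank, otherwise whether the value equals
     *         "true" ignoring case
     */
    private boolean booleanProperty(Properties properties, String str, boolean z) {
        String value = properties.getProperty(str);
        if (value == null || value.isBlank()) {
            return z;
        }
        return value.equalsIgnoreCase("true");
    }

    /**
     * Selects the class used to represent roles.
     *
     * <p>The first listed class that can be loaded, has a public {@code (String)} constructor and
     * implements {@link Principal} is used; {@code RolePrincipal} is the fallback. Classes are
     * loaded with {@code loadClass}, which does not run their static initializers.
     *
     * @param str comma separated class names, may be {@code null} or blank
     */
    public void setRolePrincipalClasses(String str) {
        if (str == null || str.isBlank()) {
            this.rolePrincipalClasses = new String[0];
            this.roleClass = RolePrincipal.class;
            return;
        }
        this.rolePrincipalClasses = str.split("\\s*,\\s*");
        Class<?> selected = null;
        for (String className : this.rolePrincipalClasses) {
            Class<?> candidate = tryLoadClass(className);
            if (candidate == null) {
                continue;
            }
            try {
                candidate.getConstructor(String.class);
            } catch (NoSuchMethodException e) {
                LOG.warn("Can't role principal class {}: {}", className, e.getMessage());
                continue;
            }
            if (Principal.class.isAssignableFrom(candidate)) {
                selected = candidate;
                break;
            }
            LOG.warn("Role class doesn't implement java.security.Principal");
        }
        this.roleClass = selected != null ? selected : RolePrincipal.class;
    }

    /**
     * Loads a class with this class' loader, then with the thread context class loader.
     *
     * @return the class, or {@code null} when neither loader finds it
     */
    private Class<?> tryLoadClass(String str) {
        try {
            return getClass().getClassLoader().loadClass(str);
        } catch (ClassNotFoundException e) {
            // the context class loader may be unset
            ClassLoader contextLoader = Thread.currentThread().getContextClassLoader();
            if (contextLoader == null) {
                return null;
            }
            try {
                return contextLoader.loadClass(str);
            } catch (ClassNotFoundException e2) {
                return null;
            }
        }
    }

    /** @return the configured role principal class names (internal array, not a copy) */
    public String[] getRolePrincipalClasses() {
        return this.rolePrincipalClasses;
    }

    /**
     * Extracts the role names from an access token by following the configured roles path
     * through the JWT claims, then applies the role mapping.
     *
     * <p>Every path segment except the last has to resolve to a JSON object and the last one to an
     * array of strings. Entries that are not strings are skipped. The returned roles come from
     * the token, so they are only as trustworthy as the preceding token validation.
     *
     * @param validAccessToken the token whose claims are read
     * @return the mapped role names in claim order without duplicates; empty when the path does
     *         not resolve
     * @throws RuntimeException if the token claims cannot be parsed
     */
    public String[] extractRoles(ValidAccessToken validAccessToken) {
        Map<String, Object> claims;
        try {
            claims = validAccessToken.getJwt().getJWTClaimsSet().toJSONObject();
        } catch (ParseException e) {
            throw new RuntimeException(e);
        }
        Set<String> roles = new LinkedHashSet<>();
        String[] path = getRolesPath();
        // A bounded for loop: every iteration advances, including the one for the last segment.
        for (int i = 0; i < path.length; i++) {
            Object value = claims.get(path[i]);
            boolean lastSegment = i == path.length - 1;
            if (!lastSegment) {
                if (!(value instanceof Map)) {
                    LOG.warn("Wrong roles path for JWT: {}", this.rolesPathConfig);
                    break;
                }
                @SuppressWarnings("unchecked") // claim objects are maps with string keys
                Map<String, Object> nested = (Map<String, Object>) value;
                claims = nested;
            } else if (value instanceof String[]) {
                roles.addAll(Arrays.asList((String[]) value));
            } else if (value instanceof List) {
                for (Object entry : (List<?>) value) {
                    if (entry instanceof String) {
                        roles.add((String) entry);
                    } else {
                        LOG.warn("Ignoring role entry that is not a string at {}", this.rolesPathConfig);
                    }
                }
            } else {
                LOG.warn("Wrong roles path for JWT: {}", this.rolesPathConfig);
            }
        }
        String[] mapped = new String[roles.size()];
        int index = 0;
        for (String role : roles) {
            mapped[index++] = this.roleMapping.getOrDefault(role, role);
        }
        return mapped;
    }
}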
