package org.eclipse.ditto.gateway.service.security.authentication.jwt;

import akka.http.javadsl.model.HttpRequest;
import akka.http.javadsl.model.HttpResponse;
import akka.stream.Materializer;
import akka.stream.SystemMaterializer;
import akka.stream.javadsl.Sink;
import akka.util.ByteString;
import com.github.benmanes.caffeine.cache.Caffeine;
import com.github.benmanes.caffeine.cache.RemovalCause;
import com.github.benmanes.caffeine.cache.RemovalListener;
import io.jsonwebtoken.Jwts;
import java.lang.invoke.SerializedLambda;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.RSAPublicKeySpec;
import java.text.MessageFormat;
import java.util.Iterator;
import java.util.Objects;
import java.util.Optional;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.CompletionStage;
import java.util.concurrent.Executor;
import java.util.function.Function;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import org.eclipse.ditto.base.model.common.ConditionChecker;
import org.eclipse.ditto.base.model.exceptions.DittoRuntimeException;
import org.eclipse.ditto.base.model.signals.commands.exceptions.GatewayAuthenticationProviderUnavailableException;
import org.eclipse.ditto.base.model.signals.commands.exceptions.GatewayJwtIssuerNotSupportedException;
import org.eclipse.ditto.gateway.service.security.cache.PublicKeyIdWithIssuer;
import org.eclipse.ditto.gateway.service.security.utils.HttpClientFacade;
import org.eclipse.ditto.gateway.service.util.config.security.OAuthConfig;
import org.eclipse.ditto.internal.utils.cache.Cache;
import org.eclipse.ditto.internal.utils.cache.CaffeineCache;
import org.eclipse.ditto.internal.utils.cache.config.CacheConfig;
import org.eclipse.ditto.internal.utils.jwt.JjwtDeserializer;
import org.eclipse.ditto.json.JsonArray;
import org.eclipse.ditto.json.JsonFactory;
import org.eclipse.ditto.json.JsonFieldDefinition;
import org.eclipse.ditto.json.JsonFieldMarker;
import org.eclipse.ditto.json.JsonMissingFieldException;
import org.eclipse.ditto.json.JsonObject;
import org.eclipse.ditto.json.JsonPointer;
import org.eclipse.ditto.json.JsonValue;
import org.eclipse.ditto.jwt.model.ImmutableJsonWebKey;
import org.eclipse.ditto.jwt.model.JsonWebKey;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/eclipse/ditto/gateway/service/security/authentication/jwt/DittoPublicKeyProvider.class */
public final class DittoPublicKeyProvider implements PublicKeyProvider {
    private static final String OPENID_CONNECT_DISCOVERY_PATH = "/.well-known/openid-configuration";
    private final JwtSubjectIssuersConfig jwtSubjectIssuersConfig;
    private final HttpClientFacade httpClient;
    private final Materializer materializer;
    private final OAuthConfig oAuthConfig;
    private final Cache<PublicKeyIdWithIssuer, PublicKeyWithParser> publicKeyCache;
    private static final Logger LOGGER = LoggerFactory.getLogger(DittoPublicKeyProvider.class);
    private static final JsonFieldDefinition<String> JSON_JWKS_URI = JsonFieldDefinition.ofString("jwks_uri", new JsonFieldMarker[0]);

    /* loaded from: input_file:org/eclipse/ditto/gateway/service/security/authentication/jwt/DittoPublicKeyProvider$CacheRemovalListener.class */
    private static final class CacheRemovalListener implements RemovalListener<PublicKeyIdWithIssuer, PublicKeyWithParser> {
        private CacheRemovalListener() {
        }

        public void onRemoval(@Nullable PublicKeyIdWithIssuer publicKeyIdWithIssuer, @Nullable PublicKeyWithParser publicKeyWithParser, @Nonnull RemovalCause removalCause) {
            DittoPublicKeyProvider.LOGGER.debug("Removed PublicKey with ID <{}> from cache due to cause '{}'.", publicKeyIdWithIssuer, removalCause);
        }
    }

    private DittoPublicKeyProvider(JwtSubjectIssuersConfig jwtSubjectIssuersConfig, HttpClientFacade httpClientFacade, CacheConfig cacheConfig, String str, OAuthConfig oAuthConfig) {
        this.jwtSubjectIssuersConfig = (JwtSubjectIssuersConfig) ConditionChecker.argumentNotNull(jwtSubjectIssuersConfig);
        this.httpClient = (HttpClientFacade) ConditionChecker.argumentNotNull(httpClientFacade);
        Objects.requireNonNull(httpClientFacade);
        this.materializer = SystemMaterializer.get(httpClientFacade::getActorSystem).materializer();
        this.oAuthConfig = oAuthConfig;
        ConditionChecker.argumentNotNull(cacheConfig, "config of the public keys cache");
        ConditionChecker.argumentNotNull(str);
        this.publicKeyCache = CaffeineCache.of(Caffeine.newBuilder().maximumSize(cacheConfig.getMaximumSize()).expireAfterWrite(cacheConfig.getExpireAfterWrite()).removalListener(new CacheRemovalListener()), this::loadPublicKeyWithParser, str);
    }

    public static PublicKeyProvider of(JwtSubjectIssuersConfig jwtSubjectIssuersConfig, HttpClientFacade httpClientFacade, CacheConfig cacheConfig, String str, OAuthConfig oAuthConfig) {
        return new DittoPublicKeyProvider(jwtSubjectIssuersConfig, httpClientFacade, cacheConfig, str, oAuthConfig);
    }

    @Override // org.eclipse.ditto.gateway.service.security.authentication.jwt.PublicKeyProvider
    public CompletableFuture<Optional<PublicKeyWithParser>> getPublicKeyWithParser(String str, String str2) {
        ConditionChecker.argumentNotNull(str);
        ConditionChecker.argumentNotNull(str2);
        return this.publicKeyCache.get(PublicKeyIdWithIssuer.of(str2, str));
    }

    private CompletableFuture<PublicKeyWithParser> loadPublicKeyWithParser(PublicKeyIdWithIssuer publicKeyIdWithIssuer, Executor executor) {
        String issuer = publicKeyIdWithIssuer.getIssuer();
        String keyId = publicKeyIdWithIssuer.getKeyId();
        LOGGER.debug("Loading public key with id <{}> from issuer <{}>.", keyId, issuer);
        Optional<JwtSubjectIssuerConfig> configItem = this.jwtSubjectIssuersConfig.getConfigItem(issuer);
        if (configItem.isEmpty()) {
            LOGGER.info("The JWT issuer <{}> is not included in Ditto's gateway configuration at 'ditto.gateway.authentication.oauth.openid-connect-issuers', supported are: <{}>", issuer, this.jwtSubjectIssuersConfig);
            return CompletableFuture.failedFuture(GatewayJwtIssuerNotSupportedException.newBuilder(issuer).build());
        }
        String discoveryEndpoint = getDiscoveryEndpoint(configItem.get().getIssuer());
        return getPublicKeysFromDiscoveryEndpoint(discoveryEndpoint).thenCompose(this::mapResponseToJsonArray).thenApply(jsonArray -> {
            return mapToPublicKey(jsonArray, keyId, discoveryEndpoint);
        }).thenApply(publicKey -> {
            return mapToPublicKeyWithParser(publicKey);
        }).toCompletableFuture();
    }

    private String getDiscoveryEndpoint(String str) {
        return this.jwtSubjectIssuersConfig.getProtocolPrefix() + (str.endsWith("/") ? str.substring(0, str.length() - 1) : str) + "/.well-known/openid-configuration";
    }

    private CompletableFuture<JsonArray> mapResponseToJsonArray(HttpResponse httpResponse) {
        CompletionStage<JsonObject> mapResponseToJsonObject = mapResponseToJsonObject(httpResponse);
        JsonPointer of = JsonPointer.of("keys");
        return mapResponseToJsonObject.toCompletableFuture().thenApply(jsonObject -> {
            return (JsonArray) jsonObject.getValue(of).map((v0) -> {
                return v0.asArray();
            }).orElseThrow(() -> {
                return new JsonMissingFieldException(of);
            });
        }).exceptionally((Function<Throwable, ? extends U>) th -> {
            String format = MessageFormat.format("Failed to extract public keys from JSON response <{0}>", mapResponseToJsonObject);
            LOGGER.warn(format, th);
            throw ((PublicKeyProviderUnavailableException) PublicKeyProviderUnavailableException.newBuilder().cause(new IllegalStateException(format, th)).build());
        });
    }

    private CompletionStage<HttpResponse> getPublicKeysFromDiscoveryEndpoint(String str) {
        LOGGER.debug("Loading public keys from discovery endpoint <{}>.", str);
        return this.httpClient.createSingleHttpRequest(HttpRequest.GET(str)).thenCompose(this::mapResponseToJsonObject).thenApply(jsonObject -> {
            return (String) jsonObject.getValueOrThrow(JSON_JWKS_URI);
        }).thenCompose(str2 -> {
            return this.httpClient.createSingleHttpRequest(HttpRequest.GET(str2));
        }).exceptionally(th -> {
            throw DittoRuntimeException.asDittoRuntimeException(th, th -> {
                return handleUnexpectedException(th, str);
            });
        });
    }

    private CompletionStage<JsonObject> mapResponseToJsonObject(HttpResponse httpResponse) {
        if (!httpResponse.status().isSuccess()) {
            handleNonSuccessResponse(httpResponse);
        }
        return (CompletionStage) httpResponse.entity().getDataBytes().fold(ByteString.emptyByteString(), (v0, v1) -> {
            return v0.concat(v1);
        }).map((v0) -> {
            return v0.utf8String();
        }).map(JsonFactory::readFrom).map((v0) -> {
            return v0.asObject();
        }).runWith(Sink.head(), this.materializer);
    }

    private void handleNonSuccessResponse(HttpResponse httpResponse) {
        getBodyAsString(httpResponse).thenAccept(str -> {
            LOGGER.info("Got non success response from public key provider with status code: <{}> and body: <{}>.", httpResponse.status(), str);
        });
        throw GatewayAuthenticationProviderUnavailableException.newBuilder().message("Got unexpected response from public key provider.").build();
    }

    private CompletionStage<String> getBodyAsString(HttpResponse httpResponse) {
        return (CompletionStage) httpResponse.entity().getDataBytes().fold(ByteString.emptyByteString(), (v0, v1) -> {
            return v0.concat(v1);
        }).map((v0) -> {
            return v0.utf8String();
        }).runWith(Sink.head(), this.materializer);
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static PublicKeyProviderUnavailableException handleUnexpectedException(Throwable th, String str) {
        LOGGER.warn(MessageFormat.format("Got Exception from discovery endpoint <{0}>.", str), th);
        return (PublicKeyProviderUnavailableException) PublicKeyProviderUnavailableException.newBuilder().cause(th).build();
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static PublicKey mapToPublicKey(JsonArray jsonArray, String str, String str2) {
        LOGGER.debug("Trying to find key with id <{}> in json array <{}>.", str, jsonArray);
        Iterator it = jsonArray.iterator();
        while (it.hasNext()) {
            try {
                JsonWebKey fromJson = ImmutableJsonWebKey.fromJson(((JsonValue) it.next()).asObject());
                if (fromJson.getId().equals(str)) {
                    LOGGER.debug("Found matching JsonWebKey for id <{}>: <{}>.", str, fromJson);
                    return KeyFactory.getInstance(fromJson.getType()).generatePublic(new RSAPublicKeySpec(fromJson.getModulus(), fromJson.getExponent()));
                }
            } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
                String format = MessageFormat.format("Got invalid key from JwkResource provider at discovery endpoint <{0}>", str2);
                LOGGER.warn(format, e);
                throw ((PublicKeyProviderUnavailableException) PublicKeyProviderUnavailableException.newBuilder().cause(new IllegalStateException(format, e)).build());
            }
        }
        LOGGER.debug("Did not find key with id <{}>.", str);
        return null;
    }

    private PublicKeyWithParser mapToPublicKeyWithParser(PublicKey publicKey) {
        if (publicKey == null) {
            return null;
        }
        return new PublicKeyWithParser(publicKey, Jwts.parserBuilder().deserializeJsonWith(JjwtDeserializer.getInstance()).setSigningKey(publicKey).setAllowedClockSkewSeconds(this.oAuthConfig.getAllowedClockSkew().getSeconds()).build());
    }

    private static /* synthetic */ Object $deserializeLambda$(SerializedLambda serializedLambda) {
        String implMethodName = serializedLambda.getImplMethodName();
        boolean z = -1;
        switch (implMethodName.hashCode()) {
            case -1406915055:
                if (implMethodName.equals("asObject")) {
                    z = 2;
                    break;
                }
                break;
            case -1354795244:
                if (implMethodName.equals("concat")) {
                    z = 3;
                    break;
                }
                break;
            case -867947936:
                if (implMethodName.equals("readFrom")) {
                    z = true;
                    break;
                }
                break;
            case 1591878370:
                if (implMethodName.equals("utf8String")) {
                    z = false;
                    break;
                }
                break;
        }
        switch (z) {
            case false:
                if (serializedLambda.getImplMethodKind() == 5 && serializedLambda.getFunctionalInterfaceClass().equals("akka/japi/function/Function") && serializedLambda.getFunctionalInterfaceMethodName().equals("apply") && serializedLambda.getFunctionalInterfaceMethodSignature().equals("(Ljava/lang/Object;)Ljava/lang/Object;") && serializedLambda.getImplClass().equals("akka/util/ByteString") && serializedLambda.getImplMethodSignature().equals("()Ljava/lang/String;")) {
                    return (v0) -> {
                        return v0.utf8String();
                    };
                }
                if (serializedLambda.getImplMethodKind() == 5 && serializedLambda.getFunctionalInterfaceClass().equals("akka/japi/function/Function") && serializedLambda.getFunctionalInterfaceMethodName().equals("apply") && serializedLambda.getFunctionalInterfaceMethodSignature().equals("(Ljava/lang/Object;)Ljava/lang/Object;") && serializedLambda.getImplClass().equals("akka/util/ByteString") && serializedLambda.getImplMethodSignature().equals("()Ljava/lang/String;")) {
                    return (v0) -> {
                        return v0.utf8String();
                    };
                }
                break;
            case true:
                if (serializedLambda.getImplMethodKind() == 6 && serializedLambda.getFunctionalInterfaceClass().equals("akka/japi/function/Function") && serializedLambda.getFunctionalInterfaceMethodName().equals("apply") && serializedLambda.getFunctionalInterfaceMethodSignature().equals("(Ljava/lang/Object;)Ljava/lang/Object;") && serializedLambda.getImplClass().equals("org/eclipse/ditto/json/JsonFactory") && serializedLambda.getImplMethodSignature().equals("(Ljava/lang/String;)Lorg/eclipse/ditto/json/JsonValue;")) {
                    return JsonFactory::readFrom;
                }
                break;
            case true:
                if (serializedLambda.getImplMethodKind() == 9 && serializedLambda.getFunctionalInterfaceClass().equals("akka/japi/function/Function") && serializedLambda.getFunctionalInterfaceMethodName().equals("apply") && serializedLambda.getFunctionalInterfaceMethodSignature().equals("(Ljava/lang/Object;)Ljava/lang/Object;") && serializedLambda.getImplClass().equals("org/eclipse/ditto/json/JsonValue") && serializedLambda.getImplMethodSignature().equals("()Lorg/eclipse/ditto/json/JsonObject;")) {
                    return (v0) -> {
                        return v0.asObject();
                    };
                }
                break;
            case true:
                if (serializedLambda.getImplMethodKind() == 5 && serializedLambda.getFunctionalInterfaceClass().equals("akka/japi/function/Function2") && serializedLambda.getFunctionalInterfaceMethodName().equals("apply") && serializedLambda.getFunctionalInterfaceMethodSignature().equals("(Ljava/lang/Object;Ljava/lang/Object;)Ljava/lang/Object;") && serializedLambda.getImplClass().equals("akka/util/ByteString") && serializedLambda.getImplMethodSignature().equals("(Lakka/util/ByteString;)Lakka/util/ByteString;")) {
                    return (v0, v1) -> {
                        return v0.concat(v1);
                    };
                }
                if (serializedLambda.getImplMethodKind() == 5 && serializedLambda.getFunctionalInterfaceClass().equals("akka/japi/function/Function2") && serializedLambda.getFunctionalInterfaceMethodName().equals("apply") && serializedLambda.getFunctionalInterfaceMethodSignature().equals("(Ljava/lang/Object;Ljava/lang/Object;)Ljava/lang/Object;") && serializedLambda.getImplClass().equals("akka/util/ByteString") && serializedLambda.getImplMethodSignature().equals("(Lakka/util/ByteString;)Lakka/util/ByteString;")) {
                    return (v0, v1) -> {
                        return v0.concat(v1);
                    };
                }
                break;
        }
        throw new IllegalArgumentException("Invalid lambda deserialization");
    }
}
