package com.sap.cloud.sdk.cloudplatform.security;

import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.interfaces.DecodedJWT;
import com.github.benmanes.caffeine.cache.Cache;
import com.github.benmanes.caffeine.cache.Caffeine;
import com.google.common.collect.Lists;
import com.google.common.collect.Streams;
import com.google.gson.JsonElement;
import com.google.gson.JsonObject;
import com.google.gson.JsonParser;
import com.google.json.JsonSanitizer;
import com.sap.cloud.sdk.cloudplatform.CloudPlatformAccessor;
import com.sap.cloud.sdk.cloudplatform.ScpCfCloudPlatform;
import com.sap.cloud.sdk.cloudplatform.connectivity.HttpClientAccessor;
import com.sap.cloud.sdk.cloudplatform.connectivity.HttpEntityUtil;
import com.sap.cloud.sdk.cloudplatform.exception.ShouldNotHappenException;
import com.sap.cloud.sdk.cloudplatform.security.exception.AuthTokenAccessException;
import com.sap.cloud.sdk.cloudplatform.security.exception.TokenRequestFailedException;
import io.vavr.control.Option;
import io.vavr.control.Try;
import java.io.IOException;
import java.lang.invoke.SerializedLambda;
import java.net.URI;
import java.security.KeyFactory;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.X509EncodedKeySpec;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import java.util.Optional;
import java.util.concurrent.TimeUnit;
import java.util.stream.Collectors;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import lombok.Generated;
import org.apache.http.HttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.entity.ContentType;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:com/sap/cloud/sdk/cloudplatform/security/AuthTokenValidator.class */
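/**
 * Verifies JWT bearer tokens against RSA public keys resolved from the XSUAA service credentials.
 *
 * <p>Keys come from two sources, and a token is accepted if any one of them verifies it: the remote
 * {@code token_keys} endpoint derived from the credentials' {@code url} entry, and the local
 * {@code verificationkey} entry of the same credentials.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>Only RS256, RS384 and RS512 are accepted. Any other algorithm name (including {@code none} and
 *       the HMAC family) yields no verifier, so verification fails closed.</li>
 *   <li>The verifiers are built with {@code JWT.require(algorithm).build()} only. No issuer, audience or
 *       other claim requirement is configured here, so callers must enforce those themselves.</li>
 *   <li>Failed verifications are logged at debug level only. Monitoring for rejected tokens has to
 *       happen in the caller.</li>
 * </ul>
 *
 * <p>This listing was recovered by a decompiler, which widened several access modifiers to
 * {@code public} (see the notes on the individual members). The compiler-generated
 * {@code $deserializeLambda$} method is intentionally not reproduced: javac emits it again for the
 * serializable vavr lambdas below, and a hand-written copy would clash with the generated one.
 */
public class AuthTokenValidator {

    @Generated
    private static final Logger log = LoggerFactory.getLogger(AuthTokenValidator.class);

    // Expire entries a fixed time after they were written. The previous expireAfterAccess policy reset
    // the timer on every lookup, so under steady traffic a cached key set was never refreshed: rotated-out
    // keys stayed trusted and newly published keys were never fetched until the entry went idle.
    static Caffeine<Object, Object> tokenCacheBuilder =
        Caffeine.newBuilder().maximumSize(100000).expireAfterWrite(5, TimeUnit.MINUTES);

    // Maps a token_keys endpoint URI to the PEM strings it returned.
    static Cache<URI, List<String>> publicTokenKeyCache = tokenCacheBuilder.build();

    private final List<JWTVerifier> verifiers;

    /**
     * Builds one verifier per public key for the given algorithm name.
     *
     * <p>Keys for which no verifier can be built are dropped silently (the failure is logged by
     * {@link #tryGetVerifierFromAlgorithm}). If none can be built, for example because the algorithm is
     * unsupported or {@code null}, the verifier list is empty and {@link #verifyToken} rejects every token.
     *
     * <p>Originally package-private; widened by the decompiler.
     *
     * @param str the JWT signing algorithm name; presumably the {@code alg} header of the incoming token (verify against caller)
     * @param list the candidate RSA public keys
     */
    public AuthTokenValidator(@Nonnull String str, @Nonnull List<RSAPublicKey> list) {
        this.verifiers = list.stream()
            .map(publicKey -> tryGetVerifierFromAlgorithm(publicKey, str))
            .filter(Try::isSuccess)
            .map(Try::get)
            .collect(Collectors.toList());
    }

    /**
     * Verifies the encoded token against each configured verifier and returns the first success.
     *
     * <p>Originally package-private; widened by the decompiler.
     *
     * @param str the encoded JWT
     * @return the decoded token if any verifier accepted it, otherwise an empty {@link Optional}
     */
    @Nonnull
    public Optional<DecodedJWT> verifyToken(@Nonnull String str) {
        return this.verifiers.stream()
            .map(verifier -> Try.of(() -> verifier.verify(str)))
            // Individual failures are expected when several keys are configured, hence debug level only.
            .filter(attempt -> attempt.onFailure(th -> log.debug("Failed token verification.", th)).isSuccess())
            .findFirst()
            .map(Try::get);
    }

    /**
     * Resolves the RSA public keys that may verify the given token.
     *
     * <p>The XSUAA credentials are looked up with the decoded token before its signature has been
     * checked. NOTE(review): how {@code getXsuaaServiceCredentials} selects the binding is not visible
     * here; confirm it cannot be steered to an attacker-chosen key source by token contents.
     *
     * <p>Each PEM string is stripped of newlines and the {@code PUBLIC KEY} armor, Base64-decoded and
     * parsed as an X.509-encoded RSA key. Keys that fail to parse are logged at warn level and skipped.
     *
     * <p>Originally package-private; widened by the decompiler.
     *
     * @param decodedJWT the decoded token
     * @return the parsed public keys; may be empty if every key failed to parse
     * @throws AuthTokenAccessException if the credentials cannot be resolved or contain no key at all
     */
    @Nonnull
    public static List<RSAPublicKey> getVerificationPublicKeysForJwt(@Nonnull DecodedJWT decodedJWT) throws AuthTokenAccessException {
        JsonObject credentials = Try.of(() -> getCloudPlatform().getXsuaaServiceCredentials(decodedJWT))
            .getOrElseThrow(th -> new AuthTokenAccessException("Failed to verify JWT bearer.", th));

        return getPublicKeysFromCredentials(credentials).stream()
            .map(pem -> pem.replaceAll("\\n", ""))
            .map(pem -> pem.replace("-----BEGIN PUBLIC KEY-----", ""))
            .map(pem -> pem.replace("-----END PUBLIC KEY-----", ""))
            .map(encoded -> Try.of(() -> new X509EncodedKeySpec(Base64.getDecoder().decode(encoded))))
            .map(keySpec -> keySpec.mapTry(spec -> KeyFactory.getInstance("RSA").generatePublic(spec)))
            .map(publicKey -> publicKey.mapTry(RSAPublicKey.class::cast))
            .filter(publicKey -> publicKey.onFailure(th -> log.warn("Failed to parse public key.", th)).isSuccess())
            .map(Try::get)
            .collect(Collectors.toList());
    }

    /**
     * Creates a verifier for the given key and algorithm name.
     *
     * <p>The algorithm name is matched against a fixed allowlist of RSA signature algorithms. Anything
     * else is rejected instead of being passed to the JWT library.
     *
     * <p>Originally private; widened by the decompiler.
     *
     * @param rSAPublicKey the public key to verify signatures with
     * @param str the algorithm name, or {@code null} if the token header carried none
     * @return a successful {@link Try} holding the verifier, or a failure describing why none was built
     */
    @Nonnull
    public static Try<JWTVerifier> tryGetVerifierFromAlgorithm(@Nonnull RSAPublicKey rSAPublicKey, @Nullable String str) {
        if (str == null) {
            return Try.failure(new AuthTokenAccessException("Failed to verify JWT bearer: no algorithm specified in token header."));
        }
        final Algorithm algorithm;
        switch (str) {
            case "RS256":
                // The null private key makes this a verify-only algorithm instance.
                algorithm = Algorithm.RSA256(rSAPublicKey, (RSAPrivateKey) null);
                break;
            case "RS384":
                algorithm = Algorithm.RSA384(rSAPublicKey, (RSAPrivateKey) null);
                break;
            case "RS512":
                algorithm = Algorithm.RSA512(rSAPublicKey, (RSAPrivateKey) null);
                break;
            default:
                return Try.failure(new AuthTokenAccessException("Failed to verify JWT bearer: algorithm '" + str + "' not supported."));
        }
        return Try.of(() -> JWT.require(algorithm).build())
            .onFailure(th -> log.debug("Failed to instantiate token validator from algorithm.", th));
    }

    /**
     * Returns the current cloud platform as an {@link ScpCfCloudPlatform}.
     *
     * @throws ShouldNotHappenException if the current platform is of a different type
     */
    private static ScpCfCloudPlatform getCloudPlatform() {
        // Held as Object so the instanceof check and cast are explicit whatever type the accessor declares.
        Object cloudPlatform = CloudPlatformAccessor.getCloudPlatform();
        if (cloudPlatform instanceof ScpCfCloudPlatform) {
            return (ScpCfCloudPlatform) cloudPlatform;
        }
        throw new ShouldNotHappenException("The current Cloud platform is not an instance of " + ScpCfCloudPlatform.class.getSimpleName() + ". Please make sure to specify a dependency to com.sap.cloud.sdk.cloudplatform:core-scp-cf.");
    }

    /**
     * Collects the PEM-encoded public keys from the remote endpoint and from the local credentials.
     *
     * <p>A failure of either source is logged at warn level and tolerated as long as the other source
     * yields at least one key.
     *
     * @param jsonObject the XSUAA service credentials
     * @return the remote keys followed by the local key; never empty
     * @throws AuthTokenAccessException if neither source yields a key
     */
    private static List<String> getPublicKeysFromCredentials(JsonObject jsonObject) throws AuthTokenAccessException {
        List<String> publicKeys = Lists.newArrayList();

        Try.of(() -> getCachedRemotePublicKeys(jsonObject))
            .onFailure(th -> log.warn("Failed to load remote public keys.", th))
            .onSuccess(publicKeys::addAll);

        Try.of(() -> getLocalPublicKey(jsonObject))
            .onFailure(th -> log.warn("Failed to load local public key.", th))
            .onSuccess(publicKeys::add);

        if (publicKeys.isEmpty()) {
            throw new AuthTokenAccessException("Unable to resolve any public keys from local environment or remote endpoints.");
        }
        return publicKeys;
    }

    /**
     * Reads the {@code verificationkey} entry from the XSUAA service credentials.
     *
     * <p>Originally private; widened by the decompiler.
     *
     * @param jsonObject the XSUAA service credentials
     * @return the PEM-encoded public key
     * @throws AuthTokenAccessException if the entry is absent
     */
    public static String getLocalPublicKey(JsonObject jsonObject) throws AuthTokenAccessException {
        return Option.of(jsonObject.get("verificationkey"))
            .map(JsonElement::getAsString)
            .getOrElseThrow(() -> new AuthTokenAccessException("Failed to verify JWT bearer: no verification key found in XSUAA service credentials."));
    }

    /**
     * Returns the public keys published at {@code <url>/token_keys}, fetching them on a cache miss.
     *
     * <p>NOTE(review): the URI scheme is not checked here. Presumably the service binding always
     * supplies an {@code https} URL; confirm, since keys fetched over plain HTTP could be replaced in transit.
     *
     * <p>Originally private; widened by the decompiler.
     *
     * @param jsonObject the XSUAA service credentials
     * @return the PEM-encoded public keys; possibly empty
     * @throws IOException if the credentials carry no {@code url} entry or the request fails
     */
    public static List<String> getCachedRemotePublicKeys(JsonObject jsonObject) throws IOException {
        JsonElement urlElement = jsonObject.get("url");
        if (urlElement == null || urlElement.isJsonNull()) {
            // Report a missing entry explicitly instead of failing with a NullPointerException.
            throw new IOException("No 'url' entry found in XSUAA service credentials.");
        }
        String baseUrl = urlElement.getAsString();
        URI tokenKeysUri = URI.create((baseUrl.endsWith("/") ? baseUrl : baseUrl + "/") + "token_keys");

        List<String> publicKeys = publicTokenKeyCache.getIfPresent(tokenKeysUri);
        if (publicKeys == null) {
            publicKeys = getRemotePublicKeysFromUri(tokenKeysUri);
            publicTokenKeyCache.put(tokenKeysUri, publicKeys);
        }
        return publicKeys;
    }

    /**
     * Fetches the key set from the given endpoint and extracts the {@code value} of each entry in {@code keys}.
     *
     * <p>Only a 2xx response is treated as key material. The earlier check rejected 4xx and 5xx only,
     * so the body of any other non-success response would have been parsed as a key set.
     *
     * @param uri the {@code token_keys} endpoint
     * @return the PEM-encoded public keys that could be read; entries without a readable value are skipped
     * @throws IOException if the request fails
     */
    private static List<String> getRemotePublicKeysFromUri(URI uri) throws IOException {
        HttpGet request = new HttpGet(uri);
        request.setHeader("Accept", ContentType.APPLICATION_JSON.toString());

        HttpResponse response = HttpClientAccessor.getHttpClient().execute(request);
        int statusCode = response.getStatusLine().getStatusCode();
        if (statusCode < 200 || statusCode > 299) {
            throw new TokenRequestFailedException("Refresh JWT request failed with status code " + statusCode + ": " + response.getStatusLine().getReasonPhrase());
        }

        // The body is sanitized before parsing, as in the original flow.
        String sanitizedBody = JsonSanitizer.sanitize(HttpEntityUtil.getResponseBody(response));
        return Streams.stream(JsonParser.parseString(sanitizedBody).getAsJsonObject().getAsJsonArray("keys"))
            .map(AuthTokenValidator::tryParseRemotePublicKey)
            .filter(Try::isSuccess)
            .map(Try::get)
            .collect(Collectors.toList());
    }

    /**
     * Reads the {@code value} member of one entry of the remote key set.
     *
     * @param jsonElement the key entry, or {@code null}
     * @return the PEM string, or a failure if the entry is missing or malformed
     */
    private static Try<String> tryParseRemotePublicKey(@Nullable JsonElement jsonElement) {
        if (jsonElement == null) {
            return Try.failure(new IOException("Detected missing key value."));
        }
        return Try.of(() -> jsonElement.getAsJsonObject().getAsJsonPrimitive("value").getAsString())
            .onFailure(th -> log.debug("Failed to read value for public key.", th));
    }
}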
