package au.csiro.pathling.security;

import au.csiro.pathling.config.AuthorizationConfiguration;
import au.csiro.pathling.config.ServerConfiguration;
import au.csiro.pathling.security.OidcConfiguration;
import au.csiro.pathling.utilities.Preconditions;
import ca.uhn.fhir.rest.server.exceptions.UnclassifiedServerFailureException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.KeySourceException;
import com.nimbusds.jose.jwk.source.RemoteJWKSet;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jose.util.Resource;
import com.nimbusds.jose.util.ResourceRetriever;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import com.nimbusds.jwt.proc.JWTClaimsSetAwareJWSKeySelector;
import com.nimbusds.jwt.proc.JWTProcessor;
import jakarta.annotation.Nonnull;
import jakarta.annotation.Nullable;
import java.io.IOException;
import java.net.URL;
import java.security.Key;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.context.annotation.Primary;
import org.springframework.context.annotation.Profile;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatusCode;
import org.springframework.http.MediaType;
import org.springframework.http.RequestEntity;
import org.springframework.http.ResponseEntity;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtIssuerValidator;
import org.springframework.security.oauth2.jwt.JwtTimestampValidator;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.stereotype.Component;
import org.springframework.web.client.RestOperations;
import org.springframework.web.client.RestTemplate;

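/**
 * Builds the {@link JwtDecoder} that authenticates bearer tokens when {@code pathling.auth.enabled}
 * is {@code true}, and doubles as the Nimbus {@link JWTClaimsSetAwareJWSKeySelector} that resolves
 * signature verification keys from the OIDC provider's JWKS endpoint.
 *
 * <p>Key selection is pinned to {@link JWSAlgorithm#RS256}: a token whose header declares any other
 * algorithm yields no candidate keys and therefore fails signature verification. The key selector
 * for each JWKS URI is created once and reused, so the JWK set is cached by Nimbus across requests
 * rather than being fetched over HTTP for every token presented.
 */
@Profile({"server & !ga4gh"})
@ConditionalOnProperty(prefix = "pathling", name = {"auth.enabled"}, havingValue = "true")
@Component
@Primary
public class PathlingJwtDecoderBuilder implements JWTClaimsSetAwareJWSKeySelector<SecurityContext> {

    @Nonnull
    private final OidcConfiguration oidcConfiguration;

    // NOTE(review): a default RestTemplate carries no connect/read timeout, so a slow or
    // unresponsive JWKS endpoint can stall token validation — confirm timeouts are applied elsewhere.
    @Nonnull
    private final RestOperations restOperations = new RestTemplate();

    // One key selector (and therefore one cached Nimbus JWK set) per JWKS URI. Keyed by URI
    // because getJwksUri is overridable and may resolve differently per token.
    @Nonnull
    private final Map<String, JWSVerificationKeySelector<SecurityContext>> keySelectors =
        new ConcurrentHashMap<>();

    /**
     * Fetches a JWK set document over HTTP using Spring's {@link RestOperations}, adapting failures
     * to the {@link IOException} contract that Nimbus expects from a {@link ResourceRetriever}.
     */
    private static class JwksRetriever implements ResourceRetriever {

        private static final MediaType APPLICATION_JWK_SET_JSON =
            new MediaType("application", "jwk-set+json");

        @Nonnull
        private final RestOperations restOperations;

        private JwksRetriever(@Nonnull final RestOperations restOperations) {
            this.restOperations = restOperations;
        }

        /**
         * Retrieves the JWK set document at {@code url}.
         *
         * @param url the JWKS endpoint, must not be null
         * @return the response body as a Nimbus {@link Resource}, tagged with the response's content
         * type when one was returned
         * @throws IOException if the request fails or the response status is not exactly 200
         * @throws UnclassifiedServerFailureException with status 502 if the response body is empty
         */
        @Override
        public Resource retrieveResource(@Nullable final URL url) throws IOException {
            Preconditions.checkArgument(url != null, "url must not be null");
            final HttpHeaders httpHeaders = new HttpHeaders();
            httpHeaders.setAccept(List.of(MediaType.APPLICATION_JSON, APPLICATION_JWK_SET_JSON));
            final ResponseEntity<String> response = getResponse(url, httpHeaders);
            // Only an exact 200 is accepted; any other status (including other 2xx) is a failure.
            if (response.getStatusCode().value() != 200) {
                throw new IOException(response.toString());
            }
            final String body = response.getBody();
            if (body == null) {
                throw new UnclassifiedServerFailureException(502, "Request for JWKS returned empty body");
            }
            // Resource's second argument is the content type, not a charset.
            final MediaType contentType = response.getHeaders().getContentType();
            return new Resource(body, contentType == null ? null : contentType.toString());
        }

        /**
         * Performs the GET request, converting URI and transport failures into an
         * {@link IOException} so that Nimbus reports them as a key-retrieval failure.
         *
         * @param url the JWKS endpoint
         * @param httpHeaders the request headers (Accept)
         * @return the raw response
         * @throws IOException wrapping any failure raised while building or sending the request
         */
        @Nonnull
        private ResponseEntity<String> getResponse(@Nonnull final URL url,
            @Nonnull final HttpHeaders httpHeaders) throws IOException {
            try {
                final RequestEntity<Void> request =
                    new RequestEntity<>(httpHeaders, HttpMethod.GET, url.toURI());
                return restOperations.exchange(request, String.class);
            } catch (final Exception e) {
                // Boundary catch: ResourceRetriever only declares IOException, so every failure
                // (URI syntax, transport, client errors) is wrapped with its cause preserved.
                throw new IOException(e);
            }
        }
    }

    /**
     * Creates a builder backed by the given OIDC discovery configuration.
     *
     * @param oidcConfiguration the provider configuration from which the JWKS URI is read
     */
    public PathlingJwtDecoderBuilder(@Nonnull final OidcConfiguration oidcConfiguration) {
        this.oidcConfiguration = oidcConfiguration;
    }

    /**
     * Builds a decoder that verifies signatures via this key selector and validates the issuer and
     * audience claims when those values are configured.
     *
     * @param serverConfiguration the server configuration; authorization must be enabled
     * @return the configured decoder
     */
    public JwtDecoder build(@Nonnull final ServerConfiguration serverConfiguration) {
        final AuthorizationConfiguration authConfiguration = getAuthConfiguration(serverConfiguration);
        final List<OAuth2TokenValidator<Jwt>> validators = new ArrayList<>();
        // Issuer and audience checks are applied only when configured; when unset, no check on the
        // corresponding claim is performed at this layer.
        authConfiguration.getIssuer()
            .ifPresent(issuer -> validators.add(new JwtIssuerValidator(issuer)));
        authConfiguration.getAudience()
            .ifPresent(audience -> validators.add(new JwtAudienceValidator(audience)));
        return buildDecoderWithValidators(validators);
    }

    /**
     * Extracts the authorization section of the server configuration, requiring it to be enabled.
     *
     * @param serverConfiguration the server configuration, must not be null
     * @return the authorization configuration
     */
    @Nonnull
    public AuthorizationConfiguration getAuthConfiguration(
        @Nullable final ServerConfiguration serverConfiguration) {
        Preconditions.checkArgument(serverConfiguration != null, "configuration cannot be null");
        final AuthorizationConfiguration auth = serverConfiguration.getAuth();
        // This bean only exists when auth is enabled; treat a disabled section as a programming error.
        Preconditions.check(auth.isEnabled());
        return auth;
    }

    /**
     * Selects candidate signature verification keys for a token from the JWKS endpoint returned by
     * {@link #getJwksUri(JWTClaimsSet)}. Only RS256-signed tokens yield candidates.
     *
     * @param jWSHeader the token's JWS header, must not be null
     * @param jWTClaimsSet the token's claims, must not be null
     * @param securityContext optional Nimbus security context
     * @return the candidate keys; empty if the header's algorithm is not RS256 or no key matches
     * @throws KeySourceException if the JWKS URI is malformed or the key set cannot be retrieved
     */
    @Override
    public List<? extends Key> selectKeys(@Nullable final JWSHeader jWSHeader,
        @Nullable final JWTClaimsSet jWTClaimsSet, @Nullable final SecurityContext securityContext)
        throws KeySourceException {
        Preconditions.checkArgument(jWSHeader != null, "header cannot be null");
        Preconditions.checkArgument(jWTClaimsSet != null, "claimsSet cannot be null");
        final String jwksUri = getJwksUri(jWTClaimsSet);
        return keySelectorFor(jwksUri).selectJWSKeys(jWSHeader, securityContext);
    }

    /**
     * Returns the key selector for a JWKS URI, creating it on first use. Reusing the selector reuses
     * its {@link RemoteJWKSet}, whose cached JWK set avoids an HTTP round-trip per token.
     *
     * @param jwksUri the JWKS endpoint as a string
     * @return the (possibly cached) selector for that endpoint
     * @throws KeySourceException if the URI cannot be parsed as a URL
     */
    @Nonnull
    private JWSVerificationKeySelector<SecurityContext> keySelectorFor(@Nonnull final String jwksUri)
        throws KeySourceException {
        final URL jwksUrl;
        try {
            jwksUrl = new URL(jwksUri);
        } catch (final IOException e) {
            throw new KeySourceException("Failed to retrieve keys from " + jwksUri, e);
        }
        return keySelectors.computeIfAbsent(jwksUri, uri -> new JWSVerificationKeySelector<>(
            JWSAlgorithm.RS256, new RemoteJWKSet<>(jwksUrl, new JwksRetriever(restOperations))));
    }

    /**
     * Builds a {@link NimbusJwtDecoder} whose signature verification uses this key selector and
     * whose claim validation runs a timestamp check followed by the supplied validators.
     *
     * @param list additional claim validators (e.g. issuer, audience); not modified
     * @return the configured decoder
     */
    @Nonnull
    public NimbusJwtDecoder buildDecoderWithValidators(
        @Nonnull final List<OAuth2TokenValidator<Jwt>> list) {
        final List<OAuth2TokenValidator<Jwt>> validators = new ArrayList<>(list.size() + 1);
        // setJwtValidator replaces the decoder's default validator set (which includes a timestamp
        // check), so exp/nbf enforcement is added explicitly here rather than relying only on
        // whatever claims verification the Nimbus processor applies.
        validators.add(new JwtTimestampValidator());
        validators.addAll(list);
        final NimbusJwtDecoder decoder = new NimbusJwtDecoder(processor());
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(validators));
        return decoder;
    }

    /**
     * Resolves the JWKS URI from the OIDC discovery configuration. The claims are unused here but
     * allow subclasses to choose a key source per token.
     *
     * @param jWTClaimsSet the token's claims
     * @return the JWKS URI
     */
    @Nonnull
    protected String getJwksUri(@Nonnull final JWTClaimsSet jWTClaimsSet) {
        return (String) Preconditions.checkPresent(
            this.oidcConfiguration.get(OidcConfiguration.ConfigItem.JWKS_URI));
    }

    /**
     * Creates the Nimbus processor that delegates key selection to this instance.
     *
     * @return a processor wired to {@link #selectKeys}
     */
    @Nonnull
    private JWTProcessor<SecurityContext> processor() {
        final DefaultJWTProcessor<SecurityContext> jwtProcessor = new DefaultJWTProcessor<>();
        jwtProcessor.setJWTClaimsSetAwareJWSKeySelector(this);
        return jwtProcessor;
    }
}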
