package io.camunda.connector.inbound.authorization;

import com.auth0.jwk.JwkProvider;
import com.auth0.jwk.JwkProviderBuilder;
import com.fasterxml.jackson.databind.ObjectMapper;
import io.camunda.connector.api.inbound.webhook.MappedHttpRequest;
import io.camunda.connector.api.inbound.webhook.WebhookProcessingPayload;
import io.camunda.connector.api.inbound.webhook.WebhookTriggerResultContext;
import io.camunda.connector.inbound.model.WebhookAuthorization;
import io.camunda.connector.inbound.utils.HttpWebhookUtil;
import java.io.IOException;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import java.util.stream.Collectors;
import org.apache.tomcat.websocket.BasicAuthenticator;

/* loaded from: input_file:io/camunda/connector/inbound/authorization/WebhookAuthChecker.class */
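/**
 * Checks an inbound webhook request against the configured {@link WebhookAuthorization}.
 *
 * <p>Supported modes are {@code None} (no check), {@code BasicAuth}, {@code ApiKeyAuth} and
 * {@code JwtAuth}. Every rejected request is reported as an {@link IOException}; an unknown
 * configuration type is reported as an {@link IllegalStateException}.
 *
 * <p>Secrets (Basic credentials, API key) are compared with {@link MessageDigest#isEqual} so the
 * comparison time does not depend on how many leading characters of a guess are correct.
 */
public class WebhookAuthChecker {
    private final WebhookAuthorization authorization;
    private final JwkProvider jwkProvider;
    // Only set by the two-argument constructor; stays null otherwise.
    private ObjectMapper objectMapper;
    private static final String AUTH_HEADER_INVALID_MSG = "Authorization header is invalid";
    private static final String AUTH_HEADER_MISSING_MSG = "Authorization header is missing";
    private static final String AUTHORIZATION_HEADER = "Authorization";

    /**
     * Creates a checker for the given configuration.
     *
     * <p>For {@code JwtAuth} a JWK provider is built from the configured JWK URL with a cache of
     * 10 entries expiring after 10 minutes and a rate limit bucket of 10 with a refill of 1 per
     * minute. For every other mode no provider is created.
     *
     * @param webhookAuthorization the authorization configuration; may be {@code null}
     * @throws RuntimeException if the JWK provider cannot be built (for example, a malformed URL)
     */
    public WebhookAuthChecker(WebhookAuthorization webhookAuthorization) {
        this.authorization = webhookAuthorization;
        if (!(webhookAuthorization instanceof WebhookAuthorization.JwtAuth)) {
            this.jwkProvider = null;
            return;
        }
        try {
            // NOTE(review): the URL scheme is not restricted here. Signing keys fetched over a
            // non-TLS or non-HTTP scheme can be substituted by whoever controls that channel;
            // confirm the configuration layer only accepts https:// JWK URLs.
            this.jwkProvider = new JwkProviderBuilder(URI.create(((WebhookAuthorization.JwtAuth) webhookAuthorization).jwt().jwkUrl()).toURL())
                    .cached(10L, 10L, TimeUnit.MINUTES)
                    .rateLimited(10L, 1L, TimeUnit.MINUTES)
                    .build();
        } catch (Exception e) {
            throw new RuntimeException("Failed to initialize JWK provider", e);
        }
    }

    /**
     * Creates a checker and supplies the {@link ObjectMapper} handed to the JWT check.
     *
     * @param webhookAuthorization the authorization configuration; may be {@code null}
     * @param objectMapper mapper passed through to {@code JWTChecker.verify}
     */
    public WebhookAuthChecker(WebhookAuthorization webhookAuthorization, ObjectMapper objectMapper) {
        this(webhookAuthorization);
        this.objectMapper = objectMapper;
    }

    /**
     * Verifies the request according to the configured authorization mode.
     *
     * @param webhookProcessingPayload the inbound request (headers, params, raw body)
     * @throws IOException if the request does not satisfy the configured authorization
     * @throws IllegalStateException if the configuration is of an unsupported type
     */
    public void checkAuthorization(WebhookProcessingPayload webhookProcessingPayload) throws IOException {
        // A null configuration is treated exactly like None: the request is accepted unchecked.
        // NOTE(review): this is fail-open; confirm callers cannot end up with null by accident.
        if (this.authorization == null || (this.authorization instanceof WebhookAuthorization.None)) {
            return;
        }
        if (this.authorization instanceof WebhookAuthorization.BasicAuth) {
            checkBasicAuth((WebhookAuthorization.BasicAuth) this.authorization, webhookProcessingPayload);
            return;
        }
        if (this.authorization instanceof WebhookAuthorization.ApiKeyAuth) {
            checkApiKeyAuth((WebhookAuthorization.ApiKeyAuth) this.authorization, webhookProcessingPayload);
            return;
        }
        if (this.authorization instanceof WebhookAuthorization.JwtAuth) {
            checkJwtAuth((WebhookAuthorization.JwtAuth) this.authorization, webhookProcessingPayload);
            return;
        }
        throw new IllegalStateException("Unsupported auth type");
    }

    /**
     * Validates an HTTP Basic {@code Authorization} header against the configured credentials.
     *
     * @throws IOException if the header is missing, ambiguous, malformed, or carries the wrong
     *     credentials
     */
    private void checkBasicAuth(WebhookAuthorization.BasicAuth basicAuth, WebhookProcessingPayload webhookProcessingPayload) throws IOException {
        String headerValue = findAuthorizationHeader(webhookProcessingPayload.headers());
        if (headerValue == null) {
            throw new IOException(AUTH_HEADER_MISSING_MSG);
        }
        String[] parts = headerValue.split(" ");
        if (parts.length != 2) {
            throwInvalid();
        }
        if (!BasicAuthenticator.schemeName.equalsIgnoreCase(parts[0])) {
            throwInvalid();
        }

        byte[] presented;
        try {
            presented = Base64.getDecoder().decode(parts[1].getBytes(StandardCharsets.UTF_8));
        } catch (IllegalArgumentException e) {
            // Malformed Base64 is attacker-controlled input; report it as an authorization
            // failure instead of letting an unchecked exception escape.
            throw new IOException(AUTH_HEADER_INVALID_MSG, e);
        }

        // NOTE(review): a null username or password renders as the literal "null" in this
        // concatenation; confirm configuration validation rejects missing credentials.
        byte[] expected = (basicAuth.username() + ":" + basicAuth.password()).getBytes(StandardCharsets.UTF_8);

        // Compare raw bytes with an explicit charset and without early exit on the first
        // mismatching byte.
        if (!MessageDigest.isEqual(expected, presented)) {
            throwInvalid();
        }
    }

    /**
     * Extracts the API key from the request with the configured locator and compares it to the
     * configured key.
     *
     * @throws IOException if the located value is absent or does not match the configured key
     */
    private void checkApiKeyAuth(WebhookAuthorization.ApiKeyAuth apiKeyAuth, WebhookProcessingPayload webhookProcessingPayload) throws IOException {
        MappedHttpRequest request = new MappedHttpRequest(
                HttpWebhookUtil.transformRawBodyToMap(webhookProcessingPayload.rawBody(), HttpWebhookUtil.extractContentType(webhookProcessingPayload.headers())),
                webhookProcessingPayload.headers(),
                webhookProcessingPayload.params());
        Object located = apiKeyAuth.apiKeyLocator().apply(new WebhookTriggerResultContext(request, Map.of()));
        String expected = apiKeyAuth.apiKey();

        // Fail closed when either side is missing or the locator produced a non-string value.
        if (expected == null || !(located instanceof String)) {
            throwInvalid();
        }
        byte[] expectedBytes = expected.getBytes(StandardCharsets.UTF_8);
        byte[] locatedBytes = ((String) located).getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(expectedBytes, locatedBytes)) {
            throwInvalid();
        }
    }

    /**
     * Delegates JWT validation to {@code JWTChecker.verify}.
     *
     * @throws IOException if the JWT check does not pass
     */
    private void checkJwtAuth(WebhookAuthorization.JwtAuth jwtAuth, WebhookProcessingPayload webhookProcessingPayload) throws IOException {
        // NOTE(review): objectMapper is null when the single-argument constructor was used;
        // confirm JWTChecker.verify tolerates that or that JwtAuth is always built with a mapper.
        if (!JWTChecker.verify(jwtAuth.jwt(), webhookProcessingPayload.headers(), this.jwkProvider, this.objectMapper)) {
            throw new IOException("Webhook failed: JWT check didn't pass");
        }
    }

    /**
     * Returns the value of the {@code Authorization} header, matched case-insensitively.
     *
     * <p>Only the header of interest is inspected, so unrelated headers that collide when
     * case-folded no longer abort the check. More than one {@code Authorization} entry is
     * rejected because it is ambiguous which one an upstream component honoured.
     *
     * @return the header value, or {@code null} if no such header is present
     * @throws IOException if several {@code Authorization} entries are present
     */
    private static String findAuthorizationHeader(Map<String, String> headers) throws IOException {
        if (headers == null) {
            return null;
        }
        String value = null;
        boolean seen = false;
        for (Map.Entry<String, String> header : headers.entrySet()) {
            if (!AUTHORIZATION_HEADER.equalsIgnoreCase(header.getKey())) {
                continue;
            }
            if (seen) {
                throwInvalid();
            }
            seen = true;
            value = header.getValue();
        }
        return value;
    }

    /** Always throws the generic "invalid header" failure; never returns normally. */
    private static void throwInvalid() throws IOException {
        throw new IOException(AUTH_HEADER_INVALID_MSG);
    }
}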
