package io.camunda.connector.inbound.authorization;

import com.auth0.jwk.InvalidPublicKeyException;
import com.auth0.jwk.Jwk;
import com.auth0.jwk.JwkException;
import com.auth0.jwk.JwkProvider;
import com.auth0.jwt.JWT;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTDecodeException;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.exceptions.SignatureVerificationException;
import com.auth0.jwt.exceptions.TokenExpiredException;
import com.auth0.jwt.interfaces.DecodedJWT;
import com.google.common.net.HttpHeaders;
import connector.com.fasterxml.jackson.core.JsonProcessingException;
import connector.com.fasterxml.jackson.databind.JsonNode;
import connector.com.fasterxml.jackson.databind.ObjectMapper;
import io.camunda.connector.api.inbound.webhook.WebhookProcessingPayload;
import io.camunda.connector.feel.FeelEngineWrapperException;
import io.camunda.connector.inbound.authorization.AuthorizationResult;
import io.camunda.connector.inbound.model.JWTProperties;
import io.camunda.connector.inbound.model.WebhookAuthorization;
import java.nio.charset.StandardCharsets;
import java.security.PublicKey;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/camunda/connector/inbound/authorization/JWTAuthHandler.class */
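/**
 * Authorizes inbound webhook calls by verifying a JWT carried in the {@code Authorization}
 * header against a JWK set and, optionally, checking a set of required permissions.
 *
 * <p>Verification flow: the token is decoded, the JWK matching its {@code kid} is fetched
 * from the configured {@link JwkProvider}, and a verifier is built from the <em>JWK's</em>
 * declared algorithm (never from the token's own {@code alg} header). java-jwt rejects a
 * token whose {@code alg} differs from the verifier's algorithm, so the JWK set, not the
 * caller, decides which algorithm is acceptable. After signature and expiry checks, the
 * optional {@code permissionsExpression} (FEEL) is evaluated over the payload and its
 * result must contain every entry of {@code requiredPermissions}.
 *
 * <p>NOTE(review): only signature and time-based claims are enforced here; no issuer or
 * audience claim is required by the verifier. Any token signed with a key present in the
 * JWK set is accepted — confirm that this matches the deployment's expectations.
 */
final class JWTAuthHandler extends WebhookAuthorizationHandler<WebhookAuthorization.JwtAuth> {
    private static final Logger LOGGER = LoggerFactory.getLogger(JWTAuthHandler.class);
    private static final AuthorizationResult JWT_AUTH_FAILED_RESULT =
            new AuthorizationResult.Failure.InvalidCredentials("JWT auth failed");
    private static final AuthorizationResult JWT_AUTH_MISSING_PERMISSIONS_RESULT =
            new AuthorizationResult.Failure.Forbidden("Missing required permissions");
    /** Scheme prefix expected in front of the token in the Authorization header (RFC 6750). */
    private static final String BEARER_PREFIX = "Bearer";

    private final JwkProvider jwkProvider;
    private final ObjectMapper objectMapper;

    /**
     * @param jwtAuth      the expected JWT authorization configuration for this webhook
     * @param jwkProvider  source of JSON Web Keys, looked up by the token's {@code kid}
     * @param objectMapper used to parse the decoded token payload into a {@link JsonNode}
     */
    public JWTAuthHandler(WebhookAuthorization.JwtAuth jwtAuth, JwkProvider jwkProvider, ObjectMapper objectMapper) {
        super(jwtAuth);
        this.jwkProvider = jwkProvider;
        this.objectMapper = objectMapper;
    }

    /**
     * Verifies the request's JWT and checks the configured permissions.
     *
     * @param webhookProcessingPayload the inbound request; only its headers are read
     * @return {@link AuthorizationResult.Success#INSTANCE} when the token verifies and all
     *         required permissions are present; {@code InvalidCredentials} when the token is
     *         missing/undecodable/expired or its signature does not verify; {@code Forbidden}
     *         when the token is valid but lacks a required permission
     * @throws RuntimeException if no Authorization header is present or the JWK for the
     *         token's {@code kid} cannot be obtained (propagated rather than mapped to a
     *         failure result — see {@link #getDecodedVerifiedJWT})
     */
    @Override
    public AuthorizationResult checkAuthorization(WebhookProcessingPayload webhookProcessingPayload) {
        JWTProperties jwt = this.expectedAuthorization.jwt();
        Optional<DecodedJWT> verifiedToken =
                getDecodedVerifiedJWT(webhookProcessingPayload.headers(), this.jwkProvider);
        if (verifiedToken.isEmpty()) {
            return JWT_AUTH_FAILED_RESULT;
        }
        var requiredPermissions = jwt.requiredPermissions();
        if (requiredPermissions == null || requiredPermissions.isEmpty()) {
            // No permission check configured: a verified signature is sufficient.
            LOGGER.debug("JWT auth was successful");
            return AuthorizationResult.Success.INSTANCE;
        }
        List<String> grantedPermissions = extractRoles(jwt, verifiedToken.get(), this.objectMapper);
        if (grantedPermissions.containsAll(requiredPermissions)) {
            LOGGER.debug("JWT auth was successful");
            return AuthorizationResult.Success.INSTANCE;
        }
        LOGGER.debug("JWT auth failed");
        return JWT_AUTH_MISSING_PERMISSIONS_RESULT;
    }

    /**
     * Extracts the bearer token from the headers and verifies it.
     *
     * <p>Decode, signature, expiry and any other {@link JWTVerificationException} (for example
     * an {@code alg} header that does not match the JWK's algorithm) are logged and mapped to
     * {@link Optional#empty()} so the caller answers with an invalid-credentials result.
     *
     * @param headers     request headers (exact-case {@code Authorization} or lowercase
     *                    {@code authorization})
     * @param jwkProvider source of the verification key
     * @return the verified token, or empty when verification fails
     * @throws RuntimeException if the header is absent or the JWK lookup fails
     *         (preserved from the original behaviour; these are not mapped to a failure result)
     */
    private static Optional<DecodedJWT> getDecodedVerifiedJWT(Map<String, String> headers, JwkProvider jwkProvider) {
        String token = extractJWTFomHeader(headers)
                .orElseThrow(() -> new RuntimeException("Cannot extract JWT from header!"));
        try {
            return Optional.of(verifyJWT(token, jwkProvider));
        } catch (JWTDecodeException e) {
            LOGGER.warn("Failed to decode JWT token! Cause: " + String.valueOf(e.getCause()));
            return Optional.empty();
        } catch (SignatureVerificationException e) {
            LOGGER.warn("Failed to verify JWT token! Cause: " + String.valueOf(e.getCause()));
            return Optional.empty();
        } catch (TokenExpiredException e) {
            LOGGER.warn("JWT token expired! Cause: " + String.valueOf(e.getCause()));
            return Optional.empty();
        } catch (JWTVerificationException e) {
            // Remaining verifier rejections (e.g. algorithm mismatch, not-before) must also
            // fail closed instead of escaping as an unhandled exception.
            LOGGER.warn("JWT token rejected! Reason: " + e.getMessage());
            return Optional.empty();
        }
    }

    /**
     * Evaluates the configured FEEL permissions expression over the token payload.
     *
     * @return the permissions the token grants; an empty list when the expression cannot be
     *         evaluated or yields {@code null}, so a required permission can never be satisfied
     *         by a failed evaluation
     */
    private static List<String> extractRoles(JWTProperties jwtProperties, DecodedJWT decodedJWT, ObjectMapper objectMapper) {
        try {
            List<String> roles = jwtProperties.permissionsExpression()
                    .apply(getJsonPayloadFromToken(decodedJWT, objectMapper));
            // A null result (e.g. the claim is absent) would otherwise NPE in containsAll.
            return roles == null ? new ArrayList<>() : roles;
        } catch (FeelEngineWrapperException e) {
            LOGGER.warn("Failed to evaluate FEEL expression! Reason: " + e.getReason());
            return new ArrayList<>();
        }
    }

    /**
     * Decodes the token's payload segment into a JSON tree.
     *
     * @throws RuntimeException if the payload is absent or is not valid JSON
     */
    private static JsonNode getJsonPayloadFromToken(DecodedJWT decodedJWT, ObjectMapper objectMapper) {
        String encodedPayload = Optional.ofNullable(decodedJWT.getPayload())
                .orElseThrow(() -> new RuntimeException("JWT payload is null!"));
        // JWT segments are base64url without padding (RFC 7515); the basic decoder rejects
        // '-' and '_', so any payload containing them failed with IllegalArgumentException.
        byte[] rawPayload = Base64.getUrlDecoder().decode(encodedPayload);
        try {
            // JWT JSON is UTF-8 by specification; do not depend on the platform charset.
            return objectMapper.readTree(new String(rawPayload, StandardCharsets.UTF_8));
        } catch (JsonProcessingException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Reads the Authorization header (exact-case first, then all-lowercase; other casings are
     * not matched) and strips the {@code Bearer} scheme.
     *
     * @return the raw compact token, or empty when neither header key is present
     */
    private static Optional<String> extractJWTFomHeader(Map<String, String> headers) {
        String headerValue = headers.get(HttpHeaders.AUTHORIZATION);
        if (headerValue == null) {
            headerValue = headers.get("authorization");
        }
        return Optional.ofNullable(headerValue).map(JWTAuthHandler::stripBearerScheme);
    }

    /**
     * Removes a leading {@code Bearer} scheme (case-insensitively, as auth schemes are) and
     * surrounding whitespace. Only a prefix is stripped: a substring match inside the token
     * itself must not be removed, as that would corrupt the token.
     */
    private static String stripBearerScheme(String headerValue) {
        String value = headerValue.trim();
        if (value.regionMatches(true, 0, BEARER_PREFIX, 0, BEARER_PREFIX.length())) {
            value = value.substring(BEARER_PREFIX.length());
        }
        return value.trim();
    }

    /**
     * Verifies the signature and time-based claims of a compact JWT.
     *
     * <p>The verification algorithm is taken from the JWK selected by the token's {@code kid};
     * the token's own {@code alg} header is not trusted and must match it.
     *
     * @throws SignatureVerificationException if the signature does not verify
     * @throws TokenExpiredException if the token's {@code exp} has passed
     * @throws RuntimeException if the token cannot be decoded, the JWK cannot be obtained, or
     *         the JWK's public key is invalid for its declared algorithm
     */
    private static DecodedJWT verifyJWT(String token, JwkProvider jwkProvider) throws SignatureVerificationException, TokenExpiredException {
        DecodedJWT unverified = Optional.ofNullable(JWT.decode(token))
                .orElseThrow(() -> new RuntimeException("Cannot decode jwtToken!"));
        // kid comes from the unverified header; it only selects which trusted key to use.
        Jwk jwk = lookupJwk(unverified.getKeyId(), jwkProvider);
        Algorithm algorithm;
        try {
            algorithm = getAlgorithm(jwk);
        } catch (InvalidPublicKeyException e) {
            LOGGER.warn("Token verification failed: " + e.getMessage());
            throw new RuntimeException(e);
        }
        DecodedJWT verified = JWT.require(algorithm).build().verify(token);
        LOGGER.debug("Token verified successfully!");
        return verified;
    }

    /**
     * Fetches the JWK for a key id.
     *
     * @throws RuntimeException wrapping the {@link JwkException} when no key is found or the
     *         provider fails
     */
    private static Jwk lookupJwk(String keyId, JwkProvider jwkProvider) {
        try {
            return jwkProvider.get(keyId);
        } catch (JwkException e) {
            LOGGER.warn("Cannot find JWK for the JWT token: " + e.getMessage());
            throw new RuntimeException(e);
        }
    }

    /**
     * Builds the verification {@link Algorithm} from the JWK's declared {@code alg} and key.
     *
     * @throws InvalidPublicKeyException if the JWK's key material cannot be materialized
     * @throws RuntimeException if {@code alg} is absent, unsupported, or the key type does not
     *         match the algorithm family
     */
    private static Algorithm getAlgorithm(Jwk jwk) throws InvalidPublicKeyException {
        String algorithm = jwk.getAlgorithm();
        if (algorithm == null) {
            // A JWK without "alg" gives nothing trustworthy to pin the verifier to.
            throw new RuntimeException("Unknown algorithm!");
        }
        switch (algorithm) {
            case "RS256":
                return Algorithm.RSA256(publicKeyAs(jwk, RSAPublicKey.class));
            case "RS384":
                return Algorithm.RSA384(publicKeyAs(jwk, RSAPublicKey.class));
            case "RS512":
                return Algorithm.RSA512(publicKeyAs(jwk, RSAPublicKey.class));
            case "ES256":
                return Algorithm.ECDSA256(publicKeyAs(jwk, ECPublicKey.class), null);
            case "ES384":
                return Algorithm.ECDSA384(publicKeyAs(jwk, ECPublicKey.class), null);
            case "ES512":
                return Algorithm.ECDSA512(publicKeyAs(jwk, ECPublicKey.class), null);
            default:
                throw new RuntimeException("Unknown algorithm!");
        }
    }

    /**
     * Returns the JWK's public key as the given type, rejecting a JWK whose key material does
     * not belong to the family its {@code alg} claims (instead of a bare ClassCastException).
     */
    private static <K extends PublicKey> K publicKeyAs(Jwk jwk, Class<K> keyType) throws InvalidPublicKeyException {
        PublicKey key = jwk.getPublicKey();
        if (!keyType.isInstance(key)) {
            throw new RuntimeException("JWK key type does not match algorithm " + jwk.getAlgorithm());
        }
        return keyType.cast(key);
    }
}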
