package io.camunda.operate.webapp.security.oauth2;

import io.camunda.operate.exceptions.OperateRuntimeException;
import io.camunda.operate.property.OperateProperties;
import io.camunda.operate.util.CollectionUtil;
import io.camunda.operate.util.ConversionUtils;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Profile;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.stereotype.Component;

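/**
 * Validates the claims of an already-parsed JWT against this Operate instance's configuration.
 *
 * <p>A token is accepted only when both of the following hold:
 *
 * <ul>
 *   <li>the {@value #CLUSTER_ID_CLAIM} claim equals the configured cluster id, and
 *   <li>the {@value #AUDIENCE} claim equals the configured audience.
 * </ul>
 *
 * <p>Every failure path (missing claim, unexpected claim type, missing configuration) ends in
 * {@code false}, so the validator fails closed. The bean is only registered when the
 * {@code identity-auth} profile is not active.
 */
@Profile({"!identity-auth"})
@Component
public class CCSaaSJwtAuthenticationTokenValidator implements JwtAuthenticationTokenValidator {
    public static final String AUDIENCE = "aud";
    public static final String CLUSTER_ID_CLAIM = "https://camunda.com/clusterId";
    protected final Logger logger = LoggerFactory.getLogger(getClass());

    @Autowired
    private OperateProperties operateProperties;

    /**
     * Checks the claims carried by the given authentication token.
     *
     * @param jwtAuthenticationToken the token whose attributes are inspected
     * @return {@code true} only if cluster id and audience both match the configuration;
     *     {@code false} for a {@code null} token or any validation failure
     */
    @Override
    public boolean isValid(JwtAuthenticationToken jwtAuthenticationToken) {
        // Fail closed instead of letting a NullPointerException escape the validator.
        if (jwtAuthenticationToken == null) {
            return false;
        }
        return isValid(jwtAuthenticationToken.getTokenAttributes());
    }

    /**
     * Compares the cluster id and audience claims of the payload with the configured values.
     *
     * @param map the token attributes
     * @return {@code true} if both claims match, {@code false} otherwise
     */
    private boolean isValid(Map<String, Object> map) {
        try {
            // Cluster id is checked first; the audience is only read when the cluster id matches.
            return getClusterId(map).equals(getClusterIdFromConfiguration())
                && getAudience(map).equals(getAudienceFromConfiguration());
        } catch (Exception e) {
            // Any extraction or configuration error means the request is rejected.
            // NOTE(review): every rejected token is logged at ERROR with a stack trace, so the
            // log volume is driven by whoever sends tokens; consider a lower level or rate limit.
            this.logger.error(String.format("Validation of JWT payload failed due to %s. Request is not authenticated.", e.getMessage()), e);
            return false;
        }
    }

    /**
     * Reads the cluster id claim from the payload.
     *
     * <p>The list branch previously took its value from the {@value #AUDIENCE} claim rather than
     * from the cluster id claim itself, so a list-valued cluster id was never actually compared.
     * The value now always comes from {@value #CLUSTER_ID_CLAIM}.
     *
     * @param map the token attributes
     * @return the claim value, or the first entry when the claim is a list
     * @throws OperateRuntimeException if the claim is absent, an empty list, or not made of strings
     */
    private String getClusterId(Map<String, Object> map) {
        final Object claim = map.get(CLUSTER_ID_CLAIM);
        if (claim == null) {
            throw new OperateRuntimeException("Couldn't get clusterId from JWT payload. Maybe wrong clusterId configuration?");
        }
        final String clusterId = firstStringOrNull(claim);
        if (clusterId == null) {
            throw new OperateRuntimeException("Couldn't get clusterId from JWT payload as String or list of Strings. Maybe wrong clusterId configuration?");
        }
        return clusterId;
    }

    /**
     * Reads the audience claim from the payload.
     *
     * <p>Only the first entry of a list-valued claim is used. NOTE(review): RFC 7519 allows
     * several audiences in {@code aud}; a token that lists the configured audience in a later
     * position is rejected here. Confirm whether an any-match comparison is intended.
     *
     * @param map the token attributes
     * @return the claim value, or the first entry when the claim is a list
     * @throws OperateRuntimeException if the claim is absent, an empty list, or not made of strings
     */
    private String getAudience(Map<String, Object> map) {
        final Object claim = map.get(AUDIENCE);
        if (claim == null) {
            throw new OperateRuntimeException("Couldn't get audience from JWT payload.");
        }
        final String audience = firstStringOrNull(claim);
        if (audience == null) {
            throw new OperateRuntimeException("Couldn't get audience from JWT payload as String or array of Strings.");
        }
        return audience;
    }

    /**
     * Returns the claim itself when it is a string, or the first element of a list when that
     * element is a string; {@code null} for anything else (including an empty list).
     */
    private static String firstStringOrNull(Object claim) {
        if (claim instanceof String) {
            return (String) claim;
        }
        if (claim instanceof List) {
            final List<?> values = (List<?>) claim;
            // Type-check the element so a malformed claim yields a clear error, not a cast failure.
            if (!values.isEmpty() && values.get(0) instanceof String) {
                return (String) values.get(0);
            }
        }
        return null;
    }

    /**
     * Resolves the expected cluster id, preferring the cloud setting and falling back to the
     * client setting.
     *
     * @return the configured cluster id
     * @throws OperateRuntimeException if neither setting holds a value
     */
    private String getClusterIdFromConfiguration() {
        String clusterId = this.operateProperties.getCloud().getClusterId();
        if (ConversionUtils.stringIsEmpty(clusterId)) {
            this.logger.warn("ClusterId should come from 'CAMUNDA_OPERATE_CLOUD_CLUSTERID' try 'CAMUNDA_OPERATE_CLIENT_CLUSTERID'");
            clusterId = this.operateProperties.getClient().getClusterId();
        }
        if (ConversionUtils.stringIsEmpty(clusterId)) {
            throw new OperateRuntimeException("No configuration found in 'CAMUNDA_OPERATE_CLOUD_CLUSTERID' or 'CAMUNDA_OPERATE_CLIENT_CLUSTERID'");
        }
        return clusterId;
    }

    /**
     * Resolves the expected audience from the client configuration.
     *
     * @return the configured audience
     * @throws OperateRuntimeException if no audience is configured
     */
    private String getAudienceFromConfiguration() {
        final String audience = this.operateProperties.getClient().getAudience();
        if (ConversionUtils.stringIsEmpty(audience)) {
            throw new OperateRuntimeException("No configuration found in 'CAMUNDA_OPERATE_CLIENT_AUDIENCE'");
        }
        return audience;
    }
}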
