package io.camunda.identity.sdk.authentication;

import com.auth0.jwk.InvalidPublicKeyException;
import com.auth0.jwk.Jwk;
import com.auth0.jwk.JwkException;
import com.auth0.jwk.JwkProvider;
import com.auth0.jwt.JWT;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.AlgorithmMismatchException;
import com.auth0.jwt.exceptions.InvalidClaimException;
import com.auth0.jwt.exceptions.JWTDecodeException;
import com.auth0.jwt.exceptions.SignatureVerificationException;
import com.auth0.jwt.exceptions.TokenExpiredException;
import com.auth0.jwt.interfaces.DecodedJWT;
import io.camunda.identity.sdk.IdentityConfiguration;
import io.camunda.identity.sdk.authentication.exception.InvalidSignatureException;
import io.camunda.identity.sdk.authentication.exception.JsonWebKeyException;
import io.camunda.identity.sdk.authentication.exception.TokenDecodeException;
import io.camunda.identity.sdk.authentication.exception.TokenVerificationException;
import io.camunda.identity.sdk.cache.ClientTokenCache;
import io.camunda.identity.sdk.impl.dto.WellKnownConfiguration;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.apache.commons.lang3.StringUtils;
import org.ehcache.Cache;

/* loaded from: input_file:BOOT-INF/lib/identity-sdk-8.4.3.jar:io/camunda/identity/sdk/authentication/AbstractAuthentication.class */
public abstract class AbstractAuthentication implements Authentication {
    public static final long JWKS_CACHE_SIZE = 5;
    public static final long JWKS_CACHE_LIFETIME_DAYS = 7;
    public static final String WELL_KNOWN_PATH = "/.well-known/openid-configuration";
    protected final IdentityConfiguration configuration;
    protected final Cache<String, Tokens> tokenCache = new ClientTokenCache().getCache();

    /* JADX INFO: Access modifiers changed from: protected */
    public AbstractAuthentication(IdentityConfiguration identityConfiguration) {
        this.configuration = identityConfiguration;
    }

    @Override // io.camunda.identity.sdk.authentication.Authentication
    public boolean isAvailable() {
        return StringUtils.isNoneBlank(this.configuration.getIssuer(), this.configuration.getIssuerBackendUrl(), this.configuration.getClientId(), this.configuration.getClientSecret());
    }

    @Override // io.camunda.identity.sdk.authentication.Authentication
    public Tokens requestToken(String str) {
        if (!this.tokenCache.containsKey(str)) {
            this.tokenCache.put(str, requestFreshToken(str));
        }
        return this.tokenCache.get(str);
    }

    @Override // io.camunda.identity.sdk.authentication.Authentication
    public DecodedJWT decodeJWT(String str) {
        try {
            return JWT.decode(str);
        } catch (JWTDecodeException e) {
            throw new TokenDecodeException(e);
        }
    }

    @Override // io.camunda.identity.sdk.authentication.Authentication
    public AccessToken verifyTokenIgnoringAudience(String str) {
        return verifyToken(str, null);
    }

    @Override // io.camunda.identity.sdk.authentication.Authentication
    public AccessToken verifyToken(String str) {
        return verifyToken(str, this.configuration.getAudience());
    }

    protected AccessToken verifyToken(String str, String str2) {
        try {
            DecodedJWT verify = verify(decodeJWT(str), str2);
            return new AccessToken(verify, getPermissions(verify, str2), getAssignedOrganizations(verify), getUserDetails(verify));
        } catch (AlgorithmMismatchException | SignatureVerificationException e) {
            throw new InvalidSignatureException(e);
        } catch (InvalidClaimException e2) {
            throw new io.camunda.identity.sdk.authentication.exception.InvalidClaimException(e2);
        } catch (TokenExpiredException e3) {
            throw new io.camunda.identity.sdk.authentication.exception.TokenExpiredException(e3);
        }
    }

    protected UserDetails getUserDetails(DecodedJWT decodedJWT) {
        return new UserDetails(decodedJWT.getSubject(), decodedJWT.getClaim("email").asString(), decodedJWT.getClaim("preferred_username").asString(), decodedJWT.getClaim("name").asString(), getGroups(decodedJWT));
    }

    private DecodedJWT verify(DecodedJWT decodedJWT, String str) {
        try {
            Jwk jwk = jwkProvider().get(decodedJWT.getKeyId());
            verifyJwk(decodedJWT, jwk);
            Algorithm signatureValidationAlgorithm = signatureValidationAlgorithm(jwk);
            return (str != null ? JWT.require(signatureValidationAlgorithm).withAudience(str).build() : JWT.require(signatureValidationAlgorithm).build()).verify(decodedJWT);
        } catch (JwkException e) {
            throw new JsonWebKeyException("JWKS error", e);
        }
    }

    private void verifyJwk(DecodedJWT decodedJWT, Jwk jwk) {
        if (jwk.getUsage() != null && !jwk.getUsage().equals("sig")) {
            throw new TokenVerificationException("Token is signed with a JWK, that can not be used for signing");
        }
        if (jwk.getAlgorithm() != null && !jwk.getAlgorithm().equals(decodedJWT.getAlgorithm())) {
            throw new TokenVerificationException("JWT algorithm does not match JWK algorithm");
        }
    }

    private Algorithm signatureValidationAlgorithm(Jwk jwk) throws InvalidPublicKeyException {
        if (jwk.getAlgorithm() == null || jwk.getAlgorithm().equals("RS256")) {
            return Algorithm.RSA256((RSAPublicKey) jwk.getPublicKey(), null);
        }
        String algorithm = jwk.getAlgorithm();
        boolean z = -1;
        switch (algorithm.hashCode()) {
            case 66245349:
                if (algorithm.equals("ES256")) {
                    z = 2;
                    break;
                }
                break;
            case 66246401:
                if (algorithm.equals("ES384")) {
                    z = 3;
                    break;
                }
                break;
            case 66248104:
                if (algorithm.equals("ES512")) {
                    z = 4;
                    break;
                }
                break;
            case 78252174:
                if (algorithm.equals("RS384")) {
                    z = false;
                    break;
                }
                break;
            case 78253877:
                if (algorithm.equals("RS512")) {
                    z = true;
                    break;
                }
                break;
        }
        switch (z) {
            case false:
                return Algorithm.RSA384((RSAPublicKey) jwk.getPublicKey(), null);
            case true:
                return Algorithm.RSA512((RSAPublicKey) jwk.getPublicKey(), null);
            case true:
                return Algorithm.ECDSA256((ECPublicKey) jwk.getPublicKey(), null);
            case true:
                return Algorithm.ECDSA384((ECPublicKey) jwk.getPublicKey(), null);
            case true:
                return Algorithm.ECDSA512((ECPublicKey) jwk.getPublicKey(), null);
            default:
                throw new TokenVerificationException(String.format("Signing algorithm '%s' is not supported", jwk.getAlgorithm()));
        }
    }

    protected abstract List<String> getPermissions(DecodedJWT decodedJWT, String str);

    protected abstract List<String> getGroups(DecodedJWT decodedJWT);

    protected abstract Map<String, Set<String>> getAssignedOrganizations(DecodedJWT decodedJWT);

    protected abstract JwkProvider jwkProvider();

    protected abstract WellKnownConfiguration wellKnownConfiguration();

    protected abstract Tokens requestFreshToken(String str);
}
