package com.sap.cloud.sdk.cloudplatform.security;

import com.auth0.jwt.JWT;
import com.auth0.jwt.exceptions.JWTDecodeException;
import com.auth0.jwt.interfaces.DecodedJWT;
import com.sap.cloud.sdk.cloudplatform.requestheader.RequestHeaderContainer;
import com.sap.cloud.sdk.cloudplatform.resilience.ResilienceConfiguration;
import com.sap.cloud.sdk.cloudplatform.resilience.ResilienceDecorator;
import com.sap.cloud.sdk.cloudplatform.resilience.ResilienceIsolationMode;
import com.sap.cloud.sdk.cloudplatform.security.exception.AuthTokenAccessException;
import com.sap.cloud.sdk.cloudplatform.security.exception.TokenRequestFailedException;
import com.sap.cloud.security.token.Token;
import com.sap.cloud.security.token.validation.CombiningValidator;
import com.sap.cloud.security.token.validation.ValidationResult;
import com.sap.cloud.security.token.validation.Validator;
import com.sap.cloud.security.xsuaa.tokenflows.XsuaaTokenFlows;
import io.vavr.control.Try;
import java.lang.invoke.SerializedLambda;
import java.time.Duration;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import java.util.Optional;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import lombok.Generated;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/sap/cloud/sdk/cloudplatform/security/AuthTokenDecoder.class */
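/**
 * Decodes a JWT bearer token and validates it, first with the configured
 * {@link CombiningValidator}s and, when none of them accepts the token, with
 * the legacy {@code AuthTokenValidator} path.
 *
 * <p>This listing is decompiler (JADX) output: parameter names such as
 * {@code str}/{@code str2} and the synthetic {@code $deserializeLambda$} method
 * are reconstruction artefacts, not hand-written source.
 */
class AuthTokenDecoder {

    @Generated
    private static final Logger log = LoggerFactory.getLogger(AuthTokenDecoder.class);

    // Compared case-insensitively against the start of the Authorization header value.
    private static final String BEARER_PREFIX = "bearer ";

    @Nonnull
    private final OAuth2TokenServiceCache tokenServiceCache;

    @Nonnull
    private final List<CombiningValidator<Token>> tokenValidators;

    /**
     * Creates a decoder using the facade's default token service cache and default validators.
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public AuthTokenDecoder() {
        this(ScpCfAuthTokenFacade.DEFAULT_TOKEN_SERVICE_CACHE, ScpCfAuthTokenFacade.DEFAULT_VALIDATORS);
    }

    /**
     * Creates a decoder with an explicit cache and validator list.
     *
     * @param oAuth2TokenServiceCache cache to use; when {@code null} a new cache is created.
     * @param list validators to try in order; when {@code null} the validators are loaded via
     *     {@code ScpCfAuthTokenFacade.loadOauth2Validators()}. An empty (non-null) list is kept as is,
     *     which makes every validation go through the legacy path.
     */
    public AuthTokenDecoder(@Nullable OAuth2TokenServiceCache oAuth2TokenServiceCache, @Nullable List<CombiningValidator<Token>> list) {
        this.tokenServiceCache = oAuth2TokenServiceCache != null ? oAuth2TokenServiceCache : OAuth2TokenServiceCache.create();
        this.tokenValidators = list != null ? list : ScpCfAuthTokenFacade.loadOauth2Validators();
    }

    /**
     * Requests a new access token using the given refresh token, wrapped in a resilience decorator.
     *
     * <p>The decorator runs without isolation, with a 6 second time limit and a 6 second circuit
     * breaker wait duration.
     *
     * @param str the encoded access token (JWT) the refresh belongs to.
     * @param str2 the refresh token.
     * @return the access token returned by the refresh token flow.
     */
    @Nonnull
    String getRefreshToken(@Nonnull String str, @Nonnull String str2) {
        final ResilienceConfiguration configuration =
            ResilienceConfiguration.of(AuthTokenDecoder.class)
                .isolationMode(ResilienceIsolationMode.NO_ISOLATION)
                .timeLimiterConfiguration(ResilienceConfiguration.TimeLimiterConfiguration.of().timeoutDuration(Duration.ofSeconds(6L)))
                .circuitBreakerConfiguration(ResilienceConfiguration.CircuitBreakerConfiguration.of().waitDuration(Duration.ofSeconds(6L)));
        return (String) ResilienceDecorator.decorateSupplier(() -> {
            return sendRefreshTokenRequestAndParseResponse(str, str2);
        }, configuration).get();
    }

    /**
     * Executes the XSUAA refresh token flow and returns the resulting access token.
     *
     * @param str the encoded access token (JWT); it is decoded (not verified) and handed to the
     *     service provider builder as static access token.
     * @param str2 the refresh token sent to the token endpoint.
     * @return the access token from the token response.
     * @throws TokenRequestFailedException if the flow fails; the original failure is the cause.
     */
    private String sendRefreshTokenRequestAndParseResponse(@Nonnull String str, @Nonnull String str2) {
        final XsuaaTokenFlows xsuaaTokenFlows = OAuth2ServiceProvider.builder().tokenServiceCache(this.tokenServiceCache).staticAccessToken(JWT.decode(str)).build().getXsuaaTokenFlows();
        return Try.of(() -> {
            return xsuaaTokenFlows.refreshTokenFlow().refreshToken(str2).execute().getAccessToken();
        }).onFailure(th -> {
            // The access token and refresh token are bearer credentials: anyone who can read the
            // log could replay them. Only the failure itself is logged, never the token values.
            log.debug("Refresh token request failed (token values are not logged).", th);
        }).getOrElseThrow(th2 -> {
            return new TokenRequestFailedException("Refresh JWT request failed", th2);
        });
    }

    /**
     * Validates an encoded JWT and wraps it in an {@link AuthToken}.
     *
     * <p>Each configured validator is tried in order and the first success wins. If no validator
     * accepts the token (or none is configured), the legacy implementation is tried. Every failed
     * attempt is attached to the thrown exception as a suppressed exception.
     *
     * @param str the encoded JWT.
     * @param str2 optional refresh token, used only by the legacy path when the access token does
     *     not verify.
     * @return the validated token.
     * @throws AuthTokenAccessException if neither the validators nor the legacy path accept the token.
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    @Nonnull
    public AuthToken decodeAndValidate(@Nonnull String str, @Nullable String str2) throws AuthTokenAccessException {
        final AuthTokenAccessException failure = new AuthTokenAccessException("Failed to verify JWT bearer.");

        // The stream is lazy: validators after the first successful one are not invoked.
        final Optional<AuthToken> validated = this.tokenValidators.stream()
            .map(combiningValidator -> Try.of(() -> validateJwtWithSecurityLibrary(str, combiningValidator)))
            .peek(attempt -> attempt.onFailure(failure::addSuppressed))
            .peek(attempt -> attempt.onFailure(th -> log.debug("JWT validation attempt failed.", th)))
            .filter(Try::isSuccess)
            .findFirst()
            .map(Try::get)
            .map(AuthToken::new);
        if (validated.isPresent()) {
            return validated.get();
        }

        // NOTE(review): a token rejected by every configured validator can still be accepted
        // below. The warning text states that issuer and JKU are not checked on the legacy path,
        // so this is a weaker check than the one that just failed. Confirm the downgrade is
        // intended for the deployment and monitor these warnings.
        if (this.tokenValidators.isEmpty()) {
            log.warn("AuthTokenDecoder was instantiated without a token validator. Falling back to legacy mode for token validation.");
        } else {
            log.warn("Access token validation failed. Falling back to legacy mode. Issuer and JKU properties are not supported.");
        }

        final Try<AuthToken> legacyResult = validateJwtViaLegacyImplementation(str, str2).map(AuthToken::new);
        return legacyResult.onFailure(failure::addSuppressed).onFailure(th -> {
            log.debug("JWT validation attempt failed.", th);
        }).getOrElseThrow(th2 -> {
            return failure;
        });
    }

    /**
     * Extracts the bearer token from the request's {@code Authorization} header and validates it.
     *
     * @param requestHeaderContainer the request headers.
     * @return a success holding the validated token, or a failure describing why it was rejected.
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    @Nonnull
    public Try<AuthToken> decodeAndValidate(@Nonnull RequestHeaderContainer requestHeaderContainer) {
        return fromAuthorizationHeaders(requestHeaderContainer.getHeaderValues("Authorization"));
    }

    /**
     * Validates the single bearer token carried by the given {@code Authorization} header values.
     *
     * <p>Zero values, more than one value, or a value that does not start with the bearer prefix
     * (compared case-insensitively) all produce a failure without attempting validation.
     *
     * @param collection all values of the {@code Authorization} header.
     * @return the validation outcome.
     */
    @Nonnull
    private Try<AuthToken> fromAuthorizationHeaders(@Nonnull Collection<String> collection) {
        if (collection.isEmpty()) {
            return Try.failure(new AuthTokenAccessException("Failed to decode JWT bearer: no 'Authorization' header present in request."));
        }
        // Several Authorization headers are ambiguous, so the request is rejected rather than
        // picking one of them.
        if (collection.size() > 1) {
            return Try.failure(new AuthTokenAccessException("Failed to decode JWT bearer: multiple 'Authorization' headers present in request."));
        }
        final String headerValue = collection.iterator().next();
        if (!headerValue.toLowerCase(Locale.ENGLISH).startsWith(BEARER_PREFIX)) {
            return Try.failure(new AuthTokenAccessException("Failed to decode JWT bearer: no JWT bearer present in 'Authorization' header of request."));
        }
        // Everything after the prefix is passed on unchanged (no trimming).
        final String encodedJwt = headerValue.substring(BEARER_PREFIX.length());
        return Try.of(() -> {
            return decodeAndValidate(encodedJwt, null);
        });
    }

    /**
     * Validates the token with one validator and decodes it only if the validator accepts it.
     *
     * @param str the encoded JWT.
     * @param validator the validator to apply.
     * @return the decoded JWT.
     * @throws AuthTokenAccessException if the validator reports the token as invalid.
     */
    private DecodedJWT validateJwtWithSecurityLibrary(@Nonnull String str, @Nonnull Validator<Token> validator) {
        final ValidationResult result = validator.validate(Token.create(str));
        if (!result.isValid()) {
            throw new AuthTokenAccessException("The token is invalid: " + result.getErrorDescription());
        }
        return JWT.decode(str);
    }

    /**
     * Verifies the token with {@code AuthTokenValidator}; if that fails and a refresh token is
     * given, requests a new access token and verifies that one instead.
     *
     * @param str the encoded JWT.
     * @param str2 optional refresh token.
     * @return a success with the verified JWT; a failure if decoding fails, an
     *     {@link AuthTokenAccessException} is thrown, or no token could be verified (in which case
     *     the failure comes from calling {@code get()} on the empty {@link Optional}).
     */
    private Try<DecodedJWT> validateJwtViaLegacyImplementation(@Nonnull String str, @Nullable String str2) {
        try {
            final DecodedJWT decode = JWT.decode(str);
            // NOTE(review): the algorithm name and the key lookup are both driven by the token
            // that is still unverified at this point. AuthTokenValidator is not visible here;
            // confirm it restricts the accepted algorithms and key sources.
            final AuthTokenValidator authTokenValidator = new AuthTokenValidator(decode.getAlgorithm(), AuthTokenValidator.getVerificationPublicKeysForJwt(decode));
            Optional<DecodedJWT> verifyToken = authTokenValidator.verifyToken(str);
            if (!verifyToken.isPresent() && str2 != null) {
                // The refreshed token is checked with the validator built from the original token.
                verifyToken = authTokenValidator.verifyToken(getRefreshToken(str, str2));
            }
            final Optional<DecodedJWT> optional = verifyToken;
            return Try.of(optional::get);
        } catch (JWTDecodeException | AuthTokenAccessException e) {
            return Try.failure(e);
        }
    }

    /**
     * Returns the token service cache used for refresh token requests.
     */
    @Nonnull
    @Generated
    public OAuth2TokenServiceCache getTokenServiceCache() {
        return this.tokenServiceCache;
    }

    /**
     * Returns the validator list held by this decoder (the same instance, not a copy).
     */
    @Nonnull
    @Generated
    public List<CombiningValidator<Token>> getTokenValidators() {
        return this.tokenValidators;
    }

    // Compiler-generated hook for deserializing serializable lambdas, as reconstructed by the
    // decompiler. The reconstruction is not valid Java source (for example, a boolean is used as
    // the selector of a four-way switch) and is kept unchanged only as a record of which lambdas
    // the class captures; the compiler regenerates this method from the lambdas above.
    private static /* synthetic */ Object $deserializeLambda$(SerializedLambda serializedLambda) {
        String implMethodName = serializedLambda.getImplMethodName();
        boolean z = -1;
        switch (implMethodName.hashCode()) {
            case -840658155:
                if (implMethodName.equals("lambda$sendRefreshTokenRequestAndParseResponse$26412b40$1")) {
                    z = false;
                    break;
                }
                break;
            case 102230:
                if (implMethodName.equals("get")) {
                    z = 2;
                    break;
                }
                break;
            case 804053418:
                if (implMethodName.equals("lambda$null$72e97a37$1")) {
                    z = true;
                    break;
                }
                break;
            case 1878660500:
                if (implMethodName.equals("lambda$fromAuthorizationHeaders$c23c743$1")) {
                    z = 3;
                    break;
                }
                break;
        }
        switch (z) {
            case false:
                if (serializedLambda.getImplMethodKind() == 6 && serializedLambda.getFunctionalInterfaceClass().equals("io/vavr/CheckedFunction0") && serializedLambda.getFunctionalInterfaceMethodName().equals("apply") && serializedLambda.getFunctionalInterfaceMethodSignature().equals("()Ljava/lang/Object;") && serializedLambda.getImplClass().equals("com/sap/cloud/sdk/cloudplatform/security/AuthTokenDecoder") && serializedLambda.getImplMethodSignature().equals("(Lcom/sap/cloud/security/xsuaa/tokenflows/XsuaaTokenFlows;Ljava/lang/String;)Ljava/lang/String;")) {
                    XsuaaTokenFlows xsuaaTokenFlows = (XsuaaTokenFlows) serializedLambda.getCapturedArg(0);
                    String str = (String) serializedLambda.getCapturedArg(1);
                    return () -> {
                        return xsuaaTokenFlows.refreshTokenFlow().refreshToken(str).execute().getAccessToken();
                    };
                }
                break;
            case true:
                if (serializedLambda.getImplMethodKind() == 7 && serializedLambda.getFunctionalInterfaceClass().equals("io/vavr/CheckedFunction0") && serializedLambda.getFunctionalInterfaceMethodName().equals("apply") && serializedLambda.getFunctionalInterfaceMethodSignature().equals("()Ljava/lang/Object;") && serializedLambda.getImplClass().equals("com/sap/cloud/sdk/cloudplatform/security/AuthTokenDecoder") && serializedLambda.getImplMethodSignature().equals("(Ljava/lang/String;Lcom/sap/cloud/security/token/validation/CombiningValidator;)Lcom/auth0/jwt/interfaces/DecodedJWT;")) {
                    AuthTokenDecoder authTokenDecoder = (AuthTokenDecoder) serializedLambda.getCapturedArg(0);
                    String str2 = (String) serializedLambda.getCapturedArg(1);
                    CombiningValidator combiningValidator = (CombiningValidator) serializedLambda.getCapturedArg(2);
                    return () -> {
                        return validateJwtWithSecurityLibrary(str2, combiningValidator);
                    };
                }
                break;
            case true:
                if (serializedLambda.getImplMethodKind() == 5 && serializedLambda.getFunctionalInterfaceClass().equals("io/vavr/CheckedFunction0") && serializedLambda.getFunctionalInterfaceMethodName().equals("apply") && serializedLambda.getFunctionalInterfaceMethodSignature().equals("()Ljava/lang/Object;") && serializedLambda.getImplClass().equals("java/util/Optional") && serializedLambda.getImplMethodSignature().equals("()Ljava/lang/Object;")) {
                    Optional optional = (Optional) serializedLambda.getCapturedArg(0);
                    return optional::get;
                }
                break;
            case true:
                if (serializedLambda.getImplMethodKind() == 7 && serializedLambda.getFunctionalInterfaceClass().equals("io/vavr/CheckedFunction0") && serializedLambda.getFunctionalInterfaceMethodName().equals("apply") && serializedLambda.getFunctionalInterfaceMethodSignature().equals("()Ljava/lang/Object;") && serializedLambda.getImplClass().equals("com/sap/cloud/sdk/cloudplatform/security/AuthTokenDecoder") && serializedLambda.getImplMethodSignature().equals("(Ljava/lang/String;)Lcom/sap/cloud/sdk/cloudplatform/security/AuthToken;")) {
                    AuthTokenDecoder authTokenDecoder2 = (AuthTokenDecoder) serializedLambda.getCapturedArg(0);
                    String str3 = (String) serializedLambda.getCapturedArg(1);
                    return () -> {
                        return decodeAndValidate(str3, null);
                    };
                }
                break;
        }
        throw new IllegalArgumentException("Invalid lambda deserialization");
    }
}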
