package io.helidon.security.providers.jwt;

import io.helidon.common.Errors;
import io.helidon.common.configurable.Resource;
import io.helidon.config.Config;
import io.helidon.security.AuthenticationResponse;
import io.helidon.security.EndpointConfig;
import io.helidon.security.Grant;
import io.helidon.security.OutboundSecurityResponse;
import io.helidon.security.Principal;
import io.helidon.security.ProviderRequest;
import io.helidon.security.Role;
import io.helidon.security.SecurityEnvironment;
import io.helidon.security.SecurityResponse;
import io.helidon.security.Subject;
import io.helidon.security.SubjectType;
import io.helidon.security.jwt.Jwt;
import io.helidon.security.jwt.JwtException;
import io.helidon.security.jwt.JwtUtil;
import io.helidon.security.jwt.SignedJwt;
import io.helidon.security.jwt.jwk.Jwk;
import io.helidon.security.jwt.jwk.JwkKeys;
import io.helidon.security.providers.common.OutboundConfig;
import io.helidon.security.providers.common.OutboundTarget;
import io.helidon.security.providers.common.TokenCredential;
import io.helidon.security.spi.AuthenticationProvider;
import io.helidon.security.spi.OutboundSecurityProvider;
import io.helidon.security.spi.SynchronousProvider;
import io.helidon.security.util.TokenHandler;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalUnit;
import java.util.HashMap;
import java.util.IdentityHashMap;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.logging.Logger;

/* loaded from: input_file:io/helidon/security/providers/jwt/JwtProvider.class */
public final class JwtProvider extends SynchronousProvider implements AuthenticationProvider, OutboundSecurityProvider {
    private static final Logger LOGGER = Logger.getLogger(JwtProvider.class.getName());
    public static final String EP_PROPERTY_OUTBOUND_USER = "io.helidon.security.outbound.user";
    private final boolean optional;
    private final boolean authenticate;
    private final boolean propagate;
    private final boolean allowImpersonation;
    private final boolean verifySignature;
    private final SubjectType subjectType;
    private final TokenHandler atnTokenHandler;
    private final TokenHandler defaultTokenHandler;
    private final JwkKeys verifyKeys;
    private final String expectedAudience;
    private final JwkKeys signKeys;
    private final OutboundConfig outboundConfig;
    private final String issuer;
    private final Map<OutboundTarget, JwtOutboundTarget> targetToJwtConfig = new IdentityHashMap();
    private final Jwk defaultJwk;
    private final boolean useJwtGroups;

    /* renamed from: io.helidon.security.providers.jwt.JwtProvider$1, reason: invalid class name */
    /* loaded from: input_file:io/helidon/security/providers/jwt/JwtProvider$1.class */
    static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$io$helidon$security$SubjectType = new int[SubjectType.values().length];

        static {
            try {
                $SwitchMap$io$helidon$security$SubjectType[SubjectType.USER.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$io$helidon$security$SubjectType[SubjectType.SERVICE.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
        }
    }

    /* loaded from: input_file:io/helidon/security/providers/jwt/JwtProvider$Builder.class */
    public static final class Builder implements io.helidon.common.Builder<JwtProvider> {
        private JwkKeys verifyKeys;
        private JwkKeys signKeys;
        private String issuer;
        private String expectedAudience;
        private boolean verifySignature = true;
        private boolean optional = false;
        private boolean authenticate = true;
        private boolean propagate = true;
        private boolean allowImpersonation = false;
        private boolean allowUnsigned = false;
        private SubjectType subjectType = SubjectType.USER;
        private TokenHandler atnTokenHandler = TokenHandler.builder().tokenHeader("Authorization").tokenPrefix("bearer ").build();
        private OutboundConfig outboundConfig = OutboundConfig.builder().build();
        private boolean useJwtGroups = true;

        private Builder() {
        }

        /* renamed from: build, reason: merged with bridge method [inline-methods] */
        public JwtProvider m2build() {
            if (this.verifySignature && null == this.verifyKeys) {
                throw new JwtException("Failed to extract verify JWK from configuration");
            }
            return new JwtProvider(this);
        }

        public Builder propagate(boolean z) {
            this.propagate = z;
            return this;
        }

        public Builder authenticate(boolean z) {
            this.authenticate = z;
            return this;
        }

        public Builder allowImpersonation(boolean z) {
            this.allowImpersonation = z;
            return this;
        }

        public Builder allowUnsigned(boolean z) {
            this.allowUnsigned = z;
            return this;
        }

        public Builder verifySignature(boolean z) {
            this.verifySignature = z;
            return this;
        }

        public Builder subjectType(SubjectType subjectType) {
            this.subjectType = subjectType;
            switch (AnonymousClass1.$SwitchMap$io$helidon$security$SubjectType[subjectType.ordinal()]) {
                case 1:
                case 2:
                    return this;
                default:
                    throw new SecurityException("Invalid configuration. Principal type not supported: " + subjectType);
            }
        }

        public Builder atnTokenHandler(TokenHandler tokenHandler) {
            this.atnTokenHandler = tokenHandler;
            return this;
        }

        public Builder optional(boolean z) {
            this.optional = z;
            return this;
        }

        public Builder outboundConfig(OutboundConfig outboundConfig) {
            this.outboundConfig = outboundConfig;
            return this;
        }

        public Builder signJwk(Resource resource) {
            this.signKeys = JwkKeys.builder().resource(resource).build();
            return this;
        }

        public Builder verifyJwk(Resource resource) {
            this.verifyKeys = JwkKeys.builder().resource(resource).build();
            return this;
        }

        public Builder issuer(String str) {
            this.issuer = str;
            return this;
        }

        public Builder config(Config config) {
            config.get("optional").asBoolean().ifPresent((v1) -> {
                optional(v1);
            });
            config.get("authenticate").asBoolean().ifPresent((v1) -> {
                authenticate(v1);
            });
            config.get("propagate").asBoolean().ifPresent((v1) -> {
                propagate(v1);
            });
            config.get("allow-impersonation").asBoolean().ifPresent((v1) -> {
                allowImpersonation(v1);
            });
            config.get("principal-type").asString().map(SubjectType::valueOf).ifPresent(this::subjectType);
            config.get("atn-token.handler").as(TokenHandler::create).ifPresent(this::atnTokenHandler);
            config.get("atn-token").ifExists(this::verifyKeys);
            config.get("atn-token.jwt-audience").asString().ifPresent(this::expectedAudience);
            config.get("atn-token.verify-signature").asBoolean().ifPresent((v1) -> {
                verifySignature(v1);
            });
            config.get("sign-token").ifExists(config2 -> {
                outboundConfig(OutboundConfig.create(config2));
            });
            config.get("sign-token").ifExists(this::outbound);
            config.get("allow-unsigned").asBoolean().ifPresent((v1) -> {
                allowUnsigned(v1);
            });
            config.get("use-jwt-groups").asBoolean().ifPresent((v1) -> {
                useJwtGroups(v1);
            });
            return this;
        }

        public void expectedAudience(String str) {
            this.expectedAudience = str;
        }

        public Builder useJwtGroups(boolean z) {
            this.useJwtGroups = z;
            return this;
        }

        private void verifyKeys(Config config) {
            config.get("jwk.resource").as(Resource::create).ifPresent(this::verifyJwk);
            Resource.create(config, "jwk").ifPresent(this::verifyJwk);
        }

        private void outbound(Config config) {
            config.get("jwt-issuer").asString().ifPresent(this::issuer);
            config.get("jwk.resource").as(Resource::create).ifPresent(this::signJwk);
            Resource.create(config, "jwk").ifPresent(this::signJwk);
        }
    }

    /* loaded from: input_file:io/helidon/security/providers/jwt/JwtProvider$JwtOutboundTarget.class */
    public static class JwtOutboundTarget {
        public static final long DEFAULT_VALIDITY_SECONDS = 86400;
        public static final int DEFAULT_NOT_BEFORE_SECONDS = 5;
        private final TokenHandler outboundHandler;
        private final String jwtKid;
        private final String jwkKid;
        private final String jwtAudience;
        private final int notBeforeSeconds;
        private final long validitySeconds;

        /* loaded from: input_file:io/helidon/security/providers/jwt/JwtProvider$JwtOutboundTarget$Builder.class */
        public static final class Builder implements io.helidon.common.Builder<JwtOutboundTarget> {
            private String jwtKid;
            private String jwkKid;
            private String jwtAudience;
            private TokenHandler outboundHandler = TokenHandler.builder().tokenHeader("Authorization").tokenPrefix("bearer ").build();
            private int notBeforeSeconds = 5;
            private long validitySeconds = JwtOutboundTarget.DEFAULT_VALIDITY_SECONDS;

            private Builder() {
            }

            /* renamed from: build, reason: merged with bridge method [inline-methods] */
            public JwtOutboundTarget m3build() {
                return new JwtOutboundTarget(this);
            }

            public Builder config(Config config) {
                config.get("outbound-token").asNode().map(TokenHandler::create).ifPresent(this::tokenHandler);
                config.get("jwt-kid").asString().ifPresent(this::jwtKid);
                config.get("jwk-kid").asString().ifPresent(this::jwkKid);
                config.get("jwt-audience").asString().ifPresent(this::jwtAudience);
                config.get("jwt-not-before-seconds").asInt().ifPresent((v1) -> {
                    notBeforeSeconds(v1);
                });
                config.get("jwt-validity-seconds").asLong().ifPresent((v1) -> {
                    validitySeconds(v1);
                });
                return this;
            }

            public Builder tokenHandler(TokenHandler tokenHandler) {
                this.outboundHandler = tokenHandler;
                return this;
            }

            public Builder jwtKid(String str) {
                this.jwtKid = str;
                return this;
            }

            public Builder jwkKid(String str) {
                this.jwkKid = str;
                return this;
            }

            public Builder jwtAudience(String str) {
                this.jwtAudience = str;
                return this;
            }

            public Builder notBeforeSeconds(int i) {
                this.notBeforeSeconds = i;
                return this;
            }

            public Builder validitySeconds(long j) {
                this.validitySeconds = j;
                return this;
            }
        }

        private JwtOutboundTarget(Builder builder) {
            this.outboundHandler = builder.outboundHandler;
            this.jwtKid = builder.jwtKid;
            this.jwkKid = builder.jwkKid;
            this.jwtAudience = builder.jwtAudience;
            this.notBeforeSeconds = builder.notBeforeSeconds;
            this.validitySeconds = builder.validitySeconds;
        }

        public static Builder builder() {
            return new Builder();
        }

        public static JwtOutboundTarget create(Config config, TokenHandler tokenHandler) {
            return builder().tokenHandler(tokenHandler).config(config).m3build();
        }

        private void update(Jwt.Builder builder) {
            Instant now = Instant.now();
            builder.issueTime(now).expirationTime(now.plus(this.validitySeconds, (TemporalUnit) ChronoUnit.SECONDS)).notBefore(now.minus(this.notBeforeSeconds, (TemporalUnit) ChronoUnit.SECONDS)).keyId(this.jwtKid).audience(this.jwtAudience);
        }
    }

    private JwtProvider(Builder builder) {
        this.optional = builder.optional;
        this.authenticate = builder.authenticate;
        this.propagate = builder.propagate && builder.outboundConfig.targets().size() > 0;
        this.allowImpersonation = builder.allowImpersonation;
        this.subjectType = builder.subjectType;
        this.atnTokenHandler = builder.atnTokenHandler;
        this.outboundConfig = builder.outboundConfig;
        this.verifyKeys = builder.verifyKeys;
        this.signKeys = builder.signKeys;
        this.issuer = builder.issuer;
        this.expectedAudience = builder.expectedAudience;
        this.verifySignature = builder.verifySignature;
        this.useJwtGroups = builder.useJwtGroups;
        if (null == this.atnTokenHandler) {
            this.defaultTokenHandler = TokenHandler.builder().tokenHeader("Authorization").tokenPrefix("bearer ").build();
        } else {
            this.defaultTokenHandler = this.atnTokenHandler;
        }
        if (builder.allowUnsigned) {
            this.defaultJwk = Jwk.NONE_JWK;
        } else {
            this.defaultJwk = null;
        }
        if (this.verifySignature) {
            return;
        }
        LOGGER.info("JWT Signature validation is disabled. Any JWT will be accepted.");
    }

    public static Builder builder() {
        return new Builder();
    }

    public static JwtProvider create(Config config) {
        return builder().config(config).m2build();
    }

    protected AuthenticationResponse syncAuthenticate(ProviderRequest providerRequest) {
        if (!this.authenticate) {
            return AuthenticationResponse.abstain();
        }
        try {
            return (AuthenticationResponse) this.atnTokenHandler.extractToken(providerRequest.env().headers()).map(this::authenticateToken).orElseGet(() -> {
                return failOrAbstain("JWT header not available or in a wrong format");
            });
        } catch (Exception e) {
            return failOrAbstain("JWT header not available or in a wrong format" + e);
        }
    }

    private AuthenticationResponse authenticateToken(String str) {
        try {
            SignedJwt parseToken = SignedJwt.parseToken(str);
            if (!this.verifySignature) {
                return AuthenticationResponse.success(buildSubject(parseToken.getJwt(), parseToken));
            }
            Errors verifySignature = parseToken.verifySignature(this.verifyKeys, this.defaultJwk);
            if (!verifySignature.isValid()) {
                return failOrAbstain(verifySignature.toString());
            }
            Jwt jwt = parseToken.getJwt();
            return jwt.validate((String) null, this.expectedAudience).isValid() ? AuthenticationResponse.success(buildSubject(jwt, parseToken)) : failOrAbstain("Audience is invalid or missing: " + this.expectedAudience);
        } catch (Exception e) {
            return failOrAbstain("Invalid token" + e);
        }
    }

    private AuthenticationResponse failOrAbstain(String str) {
        return this.optional ? AuthenticationResponse.builder().status(SecurityResponse.SecurityStatus.ABSTAIN).description(str).build() : AuthenticationResponse.builder().status(SecurityResponse.SecurityStatus.FAILURE).description(str).build();
    }

    Subject buildSubject(Jwt jwt, SignedJwt signedJwt) {
        Principal buildPrincipal = buildPrincipal(jwt);
        TokenCredential.Builder builder = TokenCredential.builder();
        Optional issueTime = jwt.issueTime();
        Objects.requireNonNull(builder);
        issueTime.ifPresent(builder::issueTime);
        Optional expirationTime = jwt.expirationTime();
        Objects.requireNonNull(builder);
        expirationTime.ifPresent(builder::expTime);
        Optional issuer = jwt.issuer();
        Objects.requireNonNull(builder);
        issuer.ifPresent(builder::issuer);
        builder.token(signedJwt.tokenContent());
        builder.addToken(Jwt.class, jwt);
        builder.addToken(SignedJwt.class, signedJwt);
        Subject.Builder addPublicCredential = Subject.builder().principal(buildPrincipal).addPublicCredential(TokenCredential.class, builder.build());
        if (this.useJwtGroups) {
            jwt.userGroups().ifPresent(list -> {
                list.forEach(str -> {
                    addPublicCredential.addGrant(Role.create(str));
                });
            });
        }
        jwt.scopes().ifPresent(list2 -> {
            list2.forEach(str -> {
                addPublicCredential.addGrant(Grant.builder().name(str).type("scope").build());
            });
        });
        return addPublicCredential.build();
    }

    Principal buildPrincipal(Jwt jwt) {
        String str = (String) jwt.subject().orElseThrow(() -> {
            return new JwtException("JWT does not contain subject claim, cannot create principal.");
        });
        String str2 = (String) jwt.preferredUsername().orElse(str);
        Principal.Builder builder = Principal.builder();
        builder.name(str2).id(str);
        jwt.payloadClaims().forEach((str3, jsonValue) -> {
            builder.addAttribute(str3, JwtUtil.toObject(jsonValue));
        });
        jwt.email().ifPresent(str4 -> {
            builder.addAttribute("email", str4);
        });
        jwt.emailVerified().ifPresent(bool -> {
            builder.addAttribute("email_verified", bool);
        });
        jwt.locale().ifPresent(locale -> {
            builder.addAttribute("locale", locale);
        });
        jwt.familyName().ifPresent(str5 -> {
            builder.addAttribute("family_name", str5);
        });
        jwt.givenName().ifPresent(str6 -> {
            builder.addAttribute("given_name", str6);
        });
        jwt.fullName().ifPresent(str7 -> {
            builder.addAttribute("full_name", str7);
        });
        return builder.build();
    }

    public boolean isOutboundSupported(ProviderRequest providerRequest, SecurityEnvironment securityEnvironment, EndpointConfig endpointConfig) {
        return this.propagate && this.outboundConfig.findTarget(securityEnvironment).isPresent();
    }

    protected OutboundSecurityResponse syncOutbound(ProviderRequest providerRequest, SecurityEnvironment securityEnvironment, EndpointConfig endpointConfig) {
        return (OutboundSecurityResponse) endpointConfig.abacAttribute(EP_PROPERTY_OUTBOUND_USER).map(String::valueOf).flatMap(str -> {
            return attemptImpersonation(securityEnvironment, str);
        }).orElseGet(() -> {
            return attemptPropagation(providerRequest, securityEnvironment);
        });
    }

    private OutboundSecurityResponse attemptPropagation(ProviderRequest providerRequest, SecurityEnvironment securityEnvironment) {
        return (OutboundSecurityResponse) (this.subjectType == SubjectType.USER ? providerRequest.securityContext().user() : providerRequest.securityContext().service()).flatMap(subject -> {
            return this.outboundConfig.findTarget(securityEnvironment).flatMap(outboundTarget -> {
                JwtOutboundTarget computeIfAbsent = this.targetToJwtConfig.computeIfAbsent(outboundTarget, this::toOutboundTarget);
                return null == computeIfAbsent.jwkKid ? subject.publicCredential(TokenCredential.class).map(tokenCredential -> {
                    return propagate(computeIfAbsent, tokenCredential.token());
                }) : Optional.of(propagate(computeIfAbsent, subject));
            });
        }).orElseGet(OutboundSecurityResponse::abstain);
    }

    private Optional<OutboundSecurityResponse> attemptImpersonation(SecurityEnvironment securityEnvironment, String str) {
        return this.allowImpersonation ? this.outboundConfig.findTarget(securityEnvironment).flatMap(outboundTarget -> {
            JwtOutboundTarget computeIfAbsent = this.targetToJwtConfig.computeIfAbsent(outboundTarget, this::toOutboundTarget);
            return null == computeIfAbsent.jwkKid ? Optional.of(OutboundSecurityResponse.builder().description("Cannot do explicit user propagation if no kid is defined.").status(SecurityResponse.SecurityStatus.FAILURE).build()) : Optional.of(impersonate(computeIfAbsent, str));
        }) : Optional.of(OutboundSecurityResponse.builder().description("Attempting to impersonate a user, when impersonation is not allowed for JWT provider").status(SecurityResponse.SecurityStatus.FAILURE).build());
    }

    private OutboundSecurityResponse propagate(JwtOutboundTarget jwtOutboundTarget, String str) {
        HashMap hashMap = new HashMap();
        jwtOutboundTarget.outboundHandler.header(hashMap, str);
        return OutboundSecurityResponse.withHeaders(hashMap);
    }

    private OutboundSecurityResponse propagate(JwtOutboundTarget jwtOutboundTarget, Subject subject) {
        HashMap hashMap = new HashMap();
        Jwk jwk = (Jwk) this.signKeys.forKeyId(jwtOutboundTarget.jwkKid).orElseThrow(() -> {
            return new JwtException("Signing JWK with kid: " + jwtOutboundTarget.jwkKid + " is not defined.");
        });
        Principal principal = subject.principal();
        Jwt.Builder builder = Jwt.builder();
        principal.abacAttributeNames().forEach(str -> {
            principal.abacAttribute(str).ifPresent(obj -> {
                builder.addPayloadClaim(str, obj);
            });
        });
        principal.abacAttribute("full_name").ifPresentOrElse(obj -> {
            builder.addPayloadClaim("name", obj);
        }, () -> {
            builder.removePayloadClaim("name");
        });
        builder.subject(principal.id()).preferredUsername(principal.getName()).issuer(this.issuer).algorithm(jwk.algorithm());
        jwtOutboundTarget.update(builder);
        jwtOutboundTarget.outboundHandler.header(hashMap, SignedJwt.sign(builder.build(), jwk).tokenContent());
        return OutboundSecurityResponse.withHeaders(hashMap);
    }

    private OutboundSecurityResponse impersonate(JwtOutboundTarget jwtOutboundTarget, String str) {
        HashMap hashMap = new HashMap();
        Jwk jwk = (Jwk) this.signKeys.forKeyId(jwtOutboundTarget.jwkKid).orElseThrow(() -> {
            return new JwtException("Signing JWK with kid: " + jwtOutboundTarget.jwkKid + " is not defined.");
        });
        Jwt.Builder builder = Jwt.builder();
        builder.addPayloadClaim("name", str);
        builder.subject(str).preferredUsername(str).issuer(this.issuer).algorithm(jwk.algorithm());
        jwtOutboundTarget.update(builder);
        jwtOutboundTarget.outboundHandler.header(hashMap, SignedJwt.sign(builder.build(), jwk).tokenContent());
        return OutboundSecurityResponse.withHeaders(hashMap);
    }

    private JwtOutboundTarget toOutboundTarget(OutboundTarget outboundTarget) {
        Optional customObject = outboundTarget.customObject(JwtOutboundTarget.class);
        return customObject.isPresent() ? (JwtOutboundTarget) customObject.get() : JwtOutboundTarget.create((Config) outboundTarget.getConfig().orElse(Config.empty()), this.defaultTokenHandler);
    }
}
