package com.netflix.genie.web.security.oauth2.pingfederate;

import com.google.common.collect.Sets;
import com.netflix.spectator.api.Registry;
import com.netflix.spectator.api.Timer;
import java.util.Collection;
import java.util.HashSet;
import java.util.Locale;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import java.util.stream.Collectors;
import javax.validation.constraints.NotNull;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.MalformedClaimException;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.common.OAuth2AccessToken;
import org.springframework.security.oauth2.common.exceptions.InvalidTokenException;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.security.oauth2.provider.OAuth2Request;
import org.springframework.security.oauth2.provider.token.ResourceServerTokenServices;

/* loaded from: input_file:com/netflix/genie/web/security/oauth2/pingfederate/PingFederateJWTTokenServices.class */
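/**
 * Resource-server token services for PingFederate-issued JWT access tokens.
 *
 * <p>The raw bearer token is handed to a jose4j {@link JwtConsumer}; the claims it returns are
 * mapped onto a Spring Security {@link OAuth2Authentication} with no user-level
 * {@link Authentication} (client-credentials style): the {@code client_id} claim becomes the
 * OAuth2 client id and every entry of the {@code scope} claim becomes a {@code ROLE_*}
 * authority.
 *
 * <p>Security notes:
 * <ul>
 *   <li>All cryptographic and temporal validation (signature, issuer, audience, expiry) is
 *       delegated entirely to the injected {@link JwtConsumer}. This class performs none of
 *       it and trusts whatever claims the consumer hands back, so the consumer must be built
 *       with those checks enabled. NOTE(review): confirm this at the wiring site.</li>
 *   <li>Scope-to-role mapping strips an optional {@code genie_} prefix, so a bare
 *       {@code admin} scope and {@code genie_admin} both yield {@code ROLE_ADMIN}. Any
 *       scope name the IdP is willing to issue therefore becomes a role here.</li>
 *   <li>A token carrying {@code ROLE_ADMIN} is additionally granted {@code ROLE_USER}.</li>
 * </ul>
 */
public class PingFederateJWTTokenServices implements ResourceServerTokenServices {
    private static final Logger log = LoggerFactory.getLogger(PingFederateJWTTokenServices.class);

    private static final String ROLE = "ROLE_";
    private static final String GENIE_SCOPE_PREFIX = "genie_";
    private static final int GENIE_SCOPE_PREFIX_LENGTH = GENIE_SCOPE_PREFIX.length();
    private static final String CLIENT_ID_CLAIM = "client_id";
    private static final String SCOPE_CLAIM = "scope";
    private static final SimpleGrantedAuthority USER = new SimpleGrantedAuthority("ROLE_USER");
    private static final SimpleGrantedAuthority ADMIN = new SimpleGrantedAuthority("ROLE_ADMIN");

    private final JwtConsumer jwtConsumer;
    private final Timer loadAuthenticationTimer;

    /**
     * Create the token services.
     *
     * @param jwtConsumer the jose4j consumer that parses and validates the raw token
     * @param registry    the metrics registry used to time {@link #loadAuthentication(String)}
     * @throws NullPointerException if either argument is {@code null}
     */
    public PingFederateJWTTokenServices(@NotNull final JwtConsumer jwtConsumer, @NotNull final Registry registry) {
        this.jwtConsumer = Objects.requireNonNull(jwtConsumer, "jwtConsumer");
        this.loadAuthenticationTimer = Objects.requireNonNull(registry, "registry")
            .timer("genie.security.oauth2.pingFederate.authentication.timer");
    }

    /**
     * Validate a bearer token via the {@link JwtConsumer} and build the matching authentication.
     *
     * @param accessToken the raw JWT compact serialization received from the client
     * @return an {@link OAuth2Authentication} whose request carries the token's client id,
     *     scopes and derived {@code ROLE_*} authorities, and whose user authentication is
     *     {@code null}
     * @throws InvalidTokenException if the consumer rejects the token, a claim is malformed,
     *     or the token carries no usable scope
     */
    @Override
    public OAuth2Authentication loadAuthentication(final String accessToken)
        throws AuthenticationException, InvalidTokenException {
        final long start = System.nanoTime();
        try {
            final JwtClaims claims = this.jwtConsumer.processToClaims(accessToken);
            // Debug only: the full claim set may carry subject identifiers or other PII.
            log.debug("Ping Federate JWT Claims: {}", claims);
            return new OAuth2Authentication(this.getOAuth2Request(claims), null);
        } catch (final InvalidJwtException | MalformedClaimException e) {
            // NOTE(review): jose4j messages can be verbose (they may embed the rejected
            // claims); if error_description is surfaced to untrusted clients, consider a
            // fixed message here and keep the detail in the cause only.
            throw new InvalidTokenException(e.getMessage(), e);
        } finally {
            // Recorded on both the success and the failure path.
            this.loadAuthenticationTimer.record(System.nanoTime() - start, TimeUnit.NANOSECONDS);
        }
    }

    /**
     * Not supported: this implementation never materialises an {@link OAuth2AccessToken}.
     *
     * @param accessToken ignored
     * @return never returns normally
     * @throws UnsupportedOperationException always
     */
    @Override
    public OAuth2AccessToken readAccessToken(final String accessToken) {
        throw new UnsupportedOperationException("readAccessToken not implemented");
    }

    /**
     * Build the {@link OAuth2Request} from already-validated claims.
     *
     * <p>Assumes the {@code scope} claim is a JSON array of strings; a missing claim or a
     * non-string element is rejected as an invalid token rather than surfacing as a
     * {@code NullPointerException}/{@code ClassCastException}. NOTE(review): a space-delimited
     * string form of {@code scope} is reported as malformed by jose4j here — confirm this
     * matches the IdP's token format.
     *
     * @param claims the claims returned by the {@link JwtConsumer}
     * @return the OAuth2 request; the request is marked approved and carries no resource ids,
     *     redirect uri, response types or extensions
     * @throws MalformedClaimException if {@code client_id} is not a string or {@code scope}
     *     is not a collection
     * @throws InvalidTokenException   if the scope claim is absent, empty or holds a
     *     non-string entry
     */
    private OAuth2Request getOAuth2Request(@NotNull final JwtClaims claims)
        throws MalformedClaimException, InvalidTokenException {
        // May be null if the claim is absent; OAuth2Request tolerates a null client id.
        // NOTE(review): decide whether a missing client_id should be rejected outright.
        final String clientId = claims.getClaimValue(CLIENT_ID_CLAIM, String.class);

        final Collection<?> rawScopes = claims.getClaimValue(SCOPE_CLAIM, Collection.class);
        if (rawScopes == null) {
            throw new InvalidTokenException("No scopes found. Unable to authorize");
        }
        final Set<String> scopes = new HashSet<>();
        for (final Object scope : rawScopes) {
            if (!(scope instanceof String)) {
                throw new InvalidTokenException("Malformed scope claim. Unable to authorize");
            }
            scopes.add((String) scope);
        }

        // toCollection(HashSet::new) guarantees a mutable set; Collectors.toSet() does not.
        final Set<SimpleGrantedAuthority> authorities = scopes.stream()
            .map(PingFederateJWTTokenServices::scopeToAuthority)
            .collect(Collectors.toCollection(HashSet::new));
        if (authorities.isEmpty()) {
            throw new InvalidTokenException("No scopes found. Unable to authorize");
        }
        if (authorities.contains(ADMIN)) {
            authorities.add(USER);
        }
        return new OAuth2Request(null, clientId, authorities, true, scopes, null, null, null, null);
    }

    /**
     * Map one scope string to its {@code ROLE_*} authority, dropping a leading {@code genie_}
     * if present.
     *
     * @param scope a scope entry from the token
     * @return the corresponding authority
     */
    private static SimpleGrantedAuthority scopeToAuthority(final String scope) {
        final String role = scope.startsWith(GENIE_SCOPE_PREFIX)
            ? scope.substring(GENIE_SCOPE_PREFIX_LENGTH)
            : scope;
        // Locale.ROOT: under a Turkish default locale "admin" upper-cases to "ADMİN", which
        // would silently fail the ADMIN comparison above.
        return new SimpleGrantedAuthority(ROLE + role.toUpperCase(Locale.ROOT));
    }
}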
