package com.stormpath.sdk.impl.oauth.authc;

import com.stormpath.sdk.account.AccountStatus;
import com.stormpath.sdk.api.ApiKey;
import com.stormpath.sdk.api.ApiKeyStatus;
import com.stormpath.sdk.application.Application;
import com.stormpath.sdk.error.authc.AccessTokenOAuthException;
import com.stormpath.sdk.error.jwt.InvalidJwtException;
import com.stormpath.sdk.impl.api.DefaultApiKeyOptions;
import com.stormpath.sdk.impl.ds.InternalDataStore;
import com.stormpath.sdk.impl.error.ApiAuthenticationExceptionFactory;
import com.stormpath.sdk.impl.jwt.JwtSignatureValidator;
import com.stormpath.sdk.impl.jwt.JwtWrapper;
import com.stormpath.sdk.lang.Assert;
import com.stormpath.sdk.lang.Strings;
import com.stormpath.sdk.oauth.OAuthAuthenticationResult;
import java.util.Collections;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.StringTokenizer;
import org.apache.oltu.oauth2.common.exception.OAuthSystemException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/stormpath/sdk/impl/oauth/authc/ResourceRequestAuthenticator.class */
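/**
 * Authenticates a request to a protected resource that carries a JWT access token.
 *
 * <p>The checks run in a fixed order: the token signature is validated, the expiration claim is
 * compared with the current time, the subject claim is resolved to an {@link ApiKey} of the
 * target {@link Application}, and the optional {@code scope} claim is split into individual
 * scope values. Every failure is reported through
 * {@link ApiAuthenticationExceptionFactory#newOAuthException} for
 * {@link AccessTokenOAuthException}.
 *
 * <p>The signature validator is built from the data store's own {@link ApiKey}; how the
 * verification key is derived from it is not visible in this class.
 */
public class ResourceRequestAuthenticator {
    private static final Logger log = LoggerFactory.getLogger(ResourceRequestAuthenticator.class);

    /** Delimiter between the individual scope values inside the token's {@code scope} claim. */
    public static final String SCOPE_SEPARATOR_CHAR = " ";

    // Single generic message for every structural problem, so the error text does not reveal
    // which part of the token was rejected.
    private static final String INVALID_TOKEN_MESSAGE = "access_token is invalid.";

    private final InternalDataStore dataStore;
    private final JwtSignatureValidator jwtSignatureValidator;

    /**
     * Creates an authenticator bound to the given data store.
     *
     * @param internalDataStore data store used to build results and to obtain the API key handed
     *                          to the signature validator; must not be {@code null}
     */
    public ResourceRequestAuthenticator(InternalDataStore internalDataStore) {
        Assert.notNull(internalDataStore, "datastore cannot be null or empty.");
        this.dataStore = internalDataStore;
        this.jwtSignatureValidator = new JwtSignatureValidator(internalDataStore.getApiKey());
    }

    /**
     * Validates the access token of a resource request and resolves it to an API key and scopes.
     *
     * <p>A token that is correctly signed but has a missing or wrongly typed claim is rejected
     * with the same "access_token is invalid." error as a token that fails signature validation,
     * rather than surfacing as a {@link ClassCastException} or an assertion failure.
     *
     * @param application                   application whose API keys the token subject is looked up in
     * @param resourceAuthenticationRequest request supplying the raw access token
     * @return the authentication result holding the resolved API key and the granted scopes
     *         (an empty set when the token has no {@code scope} text)
     */
    public OAuthAuthenticationResult authenticate(Application application, ResourceAuthenticationRequest resourceAuthenticationRequest) {
        try {
            JwtWrapper jwtWrapper = new JwtWrapper(resourceAuthenticationRequest.getAccessToken());
            // Keep this first: no claim may be read or acted upon before the signature is verified.
            this.jwtSignatureValidator.validate(jwtWrapper);
            Map<?, ?> claims = jwtWrapper.getJsonPayloadAsMap();

            Number expiresAt = getRequiredValue(claims, AccessTokenRequestAuthenticator.ACCESS_TOKEN_EXPIRATION_TIMESTAMP_FIELD_NAME, Number.class);
            assertTokenNotExpired(expiresAt.longValue());

            String subject = getRequiredValue(claims, AccessTokenRequestAuthenticator.ACCESS_TOKEN_SUBJECT_FIELD_NAME, String.class);
            ApiKey tokenApiKey = getTokenApiKey(application, subject);

            Set<String> scopes = parseScopes(getOptionalValue(claims, "scope", String.class));
            return new DefaultOAuthAuthenticationResult(this.dataStore, tokenApiKey, scopes);
        } catch (OAuthSystemException e) {
            throw invalidAccessToken(e);
        } catch (InvalidJwtException e) {
            throw invalidAccessToken(e);
        }
    }

    /**
     * Logs a validation failure and builds the generic "invalid token" exception for the caller.
     *
     * <p>The cause is written to the log only; the exception handed back carries just the
     * generic message.
     */
    private RuntimeException invalidAccessToken(Exception cause) {
        log.warn("Caught Exception while validating JWT signature: {}. Rethrowing as AccessTokenOAuthException", cause.getMessage(), cause);
        return ApiAuthenticationExceptionFactory.newOAuthException(AccessTokenOAuthException.class, INVALID_TOKEN_MESSAGE);
    }

    /**
     * Splits the {@code scope} claim into its individual values.
     *
     * @param scopeClaim raw claim text, possibly {@code null} or blank
     * @return the distinct scope values, or an empty set when the claim has no text
     */
    private static Set<String> parseScopes(String scopeClaim) {
        if (!Strings.hasText(scopeClaim)) {
            return Collections.emptySet();
        }
        Set<String> scopes = new HashSet<String>();
        StringTokenizer tokens = new StringTokenizer(scopeClaim, SCOPE_SEPARATOR_CHAR);
        while (tokens.hasMoreTokens()) {
            scopes.add(tokens.nextToken());
        }
        return scopes;
    }

    /**
     * Rejects the token once the current time has reached its expiration.
     *
     * @param j expiration instant in seconds since the epoch; the comparison allows no
     *          clock-skew leeway, so the token is already rejected in the expiry second itself
     */
    private void assertTokenNotExpired(long j) {
        if (System.currentTimeMillis() / 1000 >= j) {
            throw ApiAuthenticationExceptionFactory.newOAuthException(AccessTokenOAuthException.class, "access_token is expired.");
        }
    }

    /**
     * Resolves the token subject to an API key of the application and checks it is usable.
     *
     * <p>An unknown key, a disabled key and a key whose account is not enabled all produce the
     * same "invalid_client" error, so the caller cannot tell these cases apart.
     *
     * @param application application the key is looked up in
     * @param str         API key id taken from the token's subject claim
     * @return the API key, loaded with the account expansion requested below
     */
    private ApiKey getTokenApiKey(Application application, String str) {
        ApiKey apiKey = application.getApiKey(str, new DefaultApiKeyOptions().withAccount());
        if (apiKey == null
                || apiKey.getStatus() == ApiKeyStatus.DISABLED
                || apiKey.getAccount().getStatus() != AccountStatus.ENABLED) {
            throw ApiAuthenticationExceptionFactory.newOAuthException(AccessTokenOAuthException.class, "invalid_client");
        }
        return apiKey;
    }

    /**
     * Reads a claim that must be present and of the expected type.
     *
     * @param claims decoded token payload
     * @param name   claim name
     * @param type   Java type the claim value must be an instance of
     * @return the claim value, never {@code null}
     */
    private <T> T getRequiredValue(Map<?, ?> claims, String name, Class<T> type) {
        T value = getOptionalValue(claims, name, type);
        if (value == null) {
            // Only the claim name is logged; claim values and the token itself never are.
            log.warn("Rejecting access token: required claim '{}' is missing or null.", name);
            throw ApiAuthenticationExceptionFactory.newOAuthException(AccessTokenOAuthException.class, INVALID_TOKEN_MESSAGE);
        }
        return value;
    }

    /**
     * Reads a claim that may be absent but, when present, must be of the expected type.
     *
     * @param claims decoded token payload
     * @param name   claim name
     * @param type   Java type the claim value must be an instance of
     * @return the claim value, or {@code null} when the claim is absent
     */
    private <T> T getOptionalValue(Map<?, ?> claims, String name, Class<T> type) {
        Object raw = claims.get(name);
        if (raw != null && !type.isInstance(raw)) {
            // Checked cast: a wrongly typed claim is an invalid token, not a ClassCastException.
            log.warn("Rejecting access token: claim '{}' has an unexpected type.", name);
            throw ApiAuthenticationExceptionFactory.newOAuthException(AccessTokenOAuthException.class, INVALID_TOKEN_MESSAGE);
        }
        return type.cast(raw);
    }
}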
