package com.atlassian.connect.spring.internal.auth.jwt;

import com.atlassian.connect.spring.AtlassianHost;
import com.atlassian.connect.spring.AtlassianHostRepository;
import com.atlassian.connect.spring.AtlassianHostUser;
import com.atlassian.connect.spring.internal.descriptor.AddonDescriptorLoader;
import com.atlassian.connect.spring.internal.jwt.CanonicalHttpRequest;
import com.atlassian.connect.spring.internal.jwt.CanonicalRequestUtil;
import com.atlassian.connect.spring.internal.jwt.HttpRequestCanonicalizer;
import com.atlassian.connect.spring.internal.jwt.JwtExpiredException;
import com.atlassian.connect.spring.internal.jwt.JwtParseException;
import com.atlassian.connect.spring.internal.jwt.JwtParser;
import com.atlassian.connect.spring.internal.jwt.JwtReader;
import com.atlassian.connect.spring.internal.jwt.JwtVerificationException;
import com.atlassian.connect.spring.internal.request.jwt.SelfAuthenticationTokenGenerator;
import com.nimbusds.jwt.JWTClaimsSet;
import java.io.UnsupportedEncodingException;
import java.security.NoSuchAlgorithmException;
import java.text.ParseException;
import java.util.Collections;
import java.util.List;
import java.util.Optional;
import net.minidev.json.JSONObject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.CredentialsExpiredException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;

/* loaded from: input_file:com/atlassian/connect/spring/internal/auth/jwt/JwtAuthenticationProvider.class */
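/**
 * Authenticates incoming Atlassian Connect requests that carry a JWT.
 *
 * <p>Authentication happens in two phases. The token is first parsed <em>without</em> signature
 * verification, solely to learn which host's shared secret must be used: either the {@code iss}
 * claim (a host-issued token) or, for a self-authentication token whose issuer is this add-on's own
 * key, the host client key claim. Only after the token has been re-read and its signature and query
 * string hash verified with that host's shared secret are any claims used to build the
 * {@link AtlassianHostUser} that becomes the authenticated principal.
 *
 * <p>Thread-safety: this provider holds only immutable collaborators after construction and creates
 * a fresh {@link JwtParser}/{@link JwtReader} per request.
 */
public class JwtAuthenticationProvider implements AuthenticationProvider {
    private static final Logger log = LoggerFactory.getLogger(JwtAuthenticationProvider.class);
    private static final Class<JwtAuthenticationToken> TOKEN_CLASS = JwtAuthenticationToken.class;
    private final AddonDescriptorLoader addonDescriptorLoader;
    private final AtlassianHostRepository hostRepository;

    /**
     * @param addonDescriptorLoader source of the add-on descriptor; its key identifies self-authentication tokens
     * @param atlassianHostRepository lookup of installed hosts (and their shared secrets) by client key
     */
    public JwtAuthenticationProvider(AddonDescriptorLoader addonDescriptorLoader, AtlassianHostRepository atlassianHostRepository) {
        this.addonDescriptorLoader = addonDescriptorLoader;
        this.hostRepository = atlassianHostRepository;
    }

    /**
     * @return {@code true} only for {@link JwtAuthenticationToken} itself (exact class match, not subclasses)
     */
    public boolean supports(Class<?> cls) {
        return cls.equals(TOKEN_CLASS);
    }

    /**
     * Authenticates a {@link JwtAuthenticationToken}.
     *
     * @param authentication the unauthenticated token; must be a {@link JwtAuthenticationToken}
     * @return a {@link JwtAuthentication} whose principal is derived from the verified claims
     * @throws InvalidJwtException if the token cannot be parsed or its context claim is malformed
     * @throws UnknownJwtIssuerException if no installed host matches the token's issuer / client key
     * @throws BadCredentialsException if the audience, client key claim or signature is invalid
     * @throws CredentialsExpiredException if the token has expired
     */
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        JwtCredentials jwtCredentials = getJwtCredentials(authentication);
        // Claims read here are NOT yet verified: they are used only to select the host whose shared
        // secret verifies the token. Nothing from this claim set is used to build the principal.
        JWTClaimsSet unverifiedClaims = parseToken(jwtCredentials.getRawJwt());
        log.debug("Parsed JWT: {}", unverifiedClaims);
        Optional<String> hostClientKeyFromSelfAuthenticationToken = getHostClientKeyFromSelfAuthenticationToken(unverifiedClaims);
        AtlassianHost host = getHost(hostClientKeyFromSelfAuthenticationToken.orElseGet(unverifiedClaims::getIssuer));
        // Signature and query-string-hash verification against the selected host's shared secret;
        // only the claims returned from here may be trusted.
        JWTClaimsSet verifiedClaims = verifyToken(jwtCredentials, host);
        try {
            AtlassianHostUser hostUser = createHostUserFromContextClaim(host, verifiedClaims)
                    .orElseGet(() -> createHostUserFromSubjectClaim(host, verifiedClaims));
            return new JwtAuthentication(hostUser, verifiedClaims);
        } catch (ParseException e) {
            log.error("Context claim present, but not a JSON object. Unable to parse");
            throw new InvalidJwtException("Unable to parse context in JWT", e);
        }
    }

    /**
     * Builds the host user from the {@code context.user} object of a verified claim set.
     *
     * @return the user described by {@code context.user}, or empty when the claim or its
     *         {@code user} member is absent
     * @throws ParseException if the {@code context} claim exists but is not a JSON object
     */
    private Optional<AtlassianHostUser> createHostUserFromContextClaim(AtlassianHost atlassianHost, JWTClaimsSet jWTClaimsSet) throws ParseException {
        JSONObject context = jWTClaimsSet.getJSONObjectClaim("context");
        if (context == null) {
            return Optional.empty();
        }
        JSONObject user = (JSONObject) context.get("user");
        if (user == null) {
            return Optional.empty();
        }
        return Optional.of(AtlassianHostUser.builder(atlassianHost)
                .withUserAccountId(user.getAsString("accountId"))
                .withUserKey(user.getAsString("userKey"))
                .build());
    }

    /**
     * Fallback principal: the {@code sub} claim is taken as the user account id when present;
     * otherwise the host user is built with no user identity at all.
     */
    private AtlassianHostUser createHostUserFromSubjectClaim(AtlassianHost atlassianHost, JWTClaimsSet jWTClaimsSet) {
        AtlassianHostUser.AtlassianHostUserBuilder builder = AtlassianHostUser.builder(atlassianHost);
        Optional<String> subject = Optional.ofNullable(jWTClaimsSet.getSubject());
        subject.ifPresent(builder::withUserAccountId);
        return builder.build();
    }

    /** Extracts the raw JWT and canonical request from the (already type-checked) authentication. */
    private JwtCredentials getJwtCredentials(Authentication authentication) {
        return TOKEN_CLASS.cast(authentication).m4getCredentials();
    }

    /**
     * Parses the token structure without verifying its signature.
     *
     * @throws InvalidJwtException wrapping the underlying {@link JwtParseException}
     */
    private JWTClaimsSet parseToken(String str) throws AuthenticationException {
        try {
            return new JwtParser().parse(str);
        } catch (JwtParseException e) {
            log.error(e.getMessage());
            throw new InvalidJwtException(e.getMessage(), e);
        }
    }

    /**
     * Detects a self-authentication token (issuer equals this add-on's key) and returns the host
     * client key it carries, after checking that the audience is exactly the add-on key.
     *
     * @return the host client key claim for a self-authentication token, otherwise empty
     * @throws BadCredentialsException if the audience or client key claim is missing or wrong
     */
    private Optional<String> getHostClientKeyFromSelfAuthenticationToken(JWTClaimsSet jWTClaimsSet) {
        String addonKey = this.addonDescriptorLoader.getDescriptor().getKey();
        if (!addonKey.equals(jWTClaimsSet.getIssuer())) {
            return Optional.empty();
        }
        assertValidSelfAuthenticationTokenAudience(jWTClaimsSet, addonKey);
        Object clientKeyClaim = jWTClaimsSet.getClaim(SelfAuthenticationTokenGenerator.HOST_CLIENT_KEY_CLAIM);
        return Optional.of(assertValidSelfAuthenticationTokenClientKey(clientKeyClaim));
    }

    /**
     * Requires the audience to be exactly the single-element list {@code [str]}.
     *
     * @throws BadCredentialsException if the audience is absent or differs from {@code [str]}
     */
    private void assertValidSelfAuthenticationTokenAudience(JWTClaimsSet jWTClaimsSet, String str) {
        List<String> audience = jWTClaimsSet.getAudience();
        if (audience == null) {
            throw new BadCredentialsException("Missing audience for self-authentication token");
        }
        if (!audience.equals(Collections.singletonList(str))) {
            throw new BadCredentialsException(String.format("Invalid audience (%s) for self-authentication token", String.join(",", audience)));
        }
    }

    /**
     * @return the client key claim rendered as a string
     * @throws BadCredentialsException if the claim is absent
     */
    private String assertValidSelfAuthenticationTokenClientKey(Object obj) {
        if (obj == null) {
            throw new BadCredentialsException("Missing client key claim for self-authentication token");
        }
        return obj.toString();
    }

    /**
     * Looks up the installed host by client key.
     *
     * @throws UnknownJwtIssuerException if no host is installed under {@code str}
     */
    private AtlassianHost getHost(String str) throws AuthenticationException {
        // Cast kept: the repository's findById is used through its erased signature here.
        return (AtlassianHost) this.hostRepository.findById(str).orElseThrow(() -> {
            UnknownJwtIssuerException unknownJwtIssuerException = new UnknownJwtIssuerException(str);
            log.debug(unknownJwtIssuerException.getMessage());
            return unknownJwtIssuerException;
        });
    }

    /**
     * Re-reads the token and verifies its signature with the host's shared secret and its
     * {@code qsh} against the canonical form of the incoming request.
     *
     * @return the verified claim set
     * @throws BadCredentialsException if signature or query string hash verification fails
     * @throws CredentialsExpiredException if the token has expired (cause preserved)
     * @throws InvalidJwtException if the token cannot be parsed
     */
    private JWTClaimsSet verifyToken(JwtCredentials jwtCredentials, AtlassianHost atlassianHost) throws AuthenticationException {
        try {
            JWTClaimsSet readAndVerify = new JwtReader(atlassianHost.getSharedSecret()).readAndVerify(jwtCredentials.getRawJwt(), computeQueryStringHash(jwtCredentials));
            log.debug("Verified JWT for host {} ({}) ", atlassianHost.getBaseUrl(), atlassianHost.getClientKey());
            return readAndVerify;
        } catch (JwtVerificationException e) {
            log.error(e.getMessage());
            throw new BadCredentialsException(e.getMessage(), e);
        } catch (JwtExpiredException e2) {
            log.error(e2.getMessage());
            // Keep the cause so the expiry details survive into the security exception chain.
            throw new CredentialsExpiredException(e2.getMessage(), e2);
        } catch (JwtParseException e3) {
            log.error(e3.getMessage());
            throw new InvalidJwtException(e3.getMessage(), e3);
        }
    }

    /**
     * Computes the query string hash ({@code qsh}) of the incoming request for comparison with the
     * token's claim.
     *
     * @throws AssertionError if the JVM lacks the encoding or digest algorithm the canonicalizer
     *         relies on; both are mandatory on every JVM, so this is never expected at runtime
     */
    private String computeQueryStringHash(JwtCredentials jwtCredentials) {
        CanonicalHttpRequest canonicalHttpRequest = jwtCredentials.getCanonicalHttpRequest();
        log.debug("Canonical request for incoming JWT: {}", CanonicalRequestUtil.toVerboseString(canonicalHttpRequest));
        try {
            return HttpRequestCanonicalizer.computeCanonicalRequestHash(canonicalHttpRequest);
        } catch (UnsupportedEncodingException | NoSuchAlgorithmException e) {
            throw new AssertionError(e);
        }
    }
}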
