package no.fint.security.access.policy;

import io.fusionauth.jwks.JSONWebKeySetHelper;
import io.fusionauth.jwks.domain.JSONWebKey;
import io.fusionauth.jwt.JWTException;
import io.fusionauth.jwt.Verifier;
import io.fusionauth.jwt.domain.JWT;
import io.fusionauth.jwt.domain.KeyType;
import io.fusionauth.jwt.ec.ECVerifier;
import io.fusionauth.jwt.rsa.RSAVerifier;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import java.util.stream.Collectors;
import javax.servlet.http.HttpServletRequest;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;

/* loaded from: input_file:no/fint/security/access/policy/FintBearerTokenJwtPreAuthenticatedProcessingFilter.class */
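/**
 * Pre-authentication filter that takes the principal from FINT access headers and the
 * credentials from a signed JWT sent as a bearer token in the {@code Authorization} header.
 *
 * <p>The verification key is fetched once, when the filter is constructed. Nothing in this
 * class refreshes it afterwards.
 */
public class FintBearerTokenJwtPreAuthenticatedProcessingFilter extends AbstractPreAuthenticatedProcessingFilter {
    private static final Logger log = LoggerFactory.getLogger(FintBearerTokenJwtPreAuthenticatedProcessingFilter.class);

    /** Authorization scheme including its separating space; matched case-insensitively. */
    private static final String BEARER_PREFIX = "Bearer ";

    private final Verifier verifier;

    /**
     * Builds the filter with a verifier derived from the first key of the published key set.
     *
     * @param str location handed to
     *     {@code JSONWebKeySetHelper.retrieveKeysFromWellKnownConfiguration}
     * @throws IllegalArgumentException if the key set is empty or the selected key is neither
     *     RSA nor EC
     */
    public FintBearerTokenJwtPreAuthenticatedProcessingFilter(String str) {
        // NOTE(review): only one key of the set is ever used. If the issuer publishes several
        // keys (e.g. during rotation), tokens signed with any other key will be rejected, and
        // an unsupported key type in first position aborts construction. Consider building a
        // verifier per key and selecting by the token's key id.
        this.verifier = JSONWebKeySetHelper.retrieveKeysFromWellKnownConfiguration(str).stream()
                .map(this::getVerifierFromJSONWebKey)
                .findFirst()
                .orElseThrow(() -> new IllegalArgumentException("No JSON Web Key available from " + str));
    }

    /**
     * Builds the principal from the client and organisation headers of the request.
     *
     * @param httpServletRequest the incoming request
     * @return a {@code FintAccessPrincipal} carrying the raw header values (either may be null)
     */
    protected Object getPreAuthenticatedPrincipal(HttpServletRequest httpServletRequest) {
        // NOTE(review): name and orgId are read from request headers, not from the verified
        // token, and nothing in this class ties them to the JWT. Confirm that a trusted gateway
        // sets (and strips client-supplied copies of) these headers, or that downstream
        // authorization checks them against the token-derived credentials.
        String clientName = httpServletRequest.getHeader(FintAccessHeaders.CLIENT.header);
        String organisation = httpServletRequest.getHeader(FintAccessHeaders.ORG_ID.header);
        return FintAccessPrincipal.builder().name(clientName).orgId(organisation).build();
    }

    /**
     * Extracts and verifies the bearer token and maps its claims to access credentials.
     *
     * @param httpServletRequest the incoming request
     * @return a {@code FintAccessCredentials} built from the token's claims, or {@code null}
     *     when the header is missing, is not a well-formed bearer header, or the token fails
     *     verification
     */
    protected Object getPreAuthenticatedCredentials(HttpServletRequest httpServletRequest) {
        String header = httpServletRequest.getHeader("Authorization");
        // Require the scheme AND its separating space. Checking only the six letters let a
        // bare "Bearer" header reach substring(7) and fail with an unchecked
        // StringIndexOutOfBoundsException, and accepted headers such as "BearerXtoken".
        if (header == null || !header.regionMatches(true, 0, BEARER_PREFIX, 0, BEARER_PREFIX.length())) {
            return null;
        }
        String token = header.substring(BEARER_PREFIX.length()).trim();
        if (token.isEmpty()) {
            return null;
        }
        try {
            // NOTE(review): no issuer or audience check is visible in this method; confirm it
            // is enforced elsewhere if tokens from the same key set serve other audiences.
            JWT decode = JWT.getDecoder().decode(token, this.verifier);
            log.debug("Valid JWT, expires {}", decode.expiration);
            return FintAccessCredentials.builder()
                    .packageName(decode.getString("fintClientAccessPackages"))
                    .scope(getList(decode, "scope"))
                    .read(getList(decode, "fintAccessRead"))
                    .modify(getList(decode, "fintAccessModify"))
                    .collection(getList(decode, "fintAccessCollection"))
                    .build();
        } catch (JWTException e) {
            // Fail closed: an unverifiable token yields no credentials.
            log.info("Unable to verify JWT: {}", e.getMessage());
            log.debug("Cause:", e);
            return null;
        }
    }

    /**
     * Reads a list-valued claim as a set of strings, dropping null entries.
     *
     * @param jwt the decoded token
     * @param str the claim name
     * @return the claim values as strings, or {@code null} when the claim is absent
     */
    private Set<String> getList(JWT jwt, String str) {
        List<?> values = jwt.getList(str);
        if (values == null) {
            return null;
        }
        return values.stream()
                .filter(Objects::nonNull)
                .map(Object::toString)
                .filter(Objects::nonNull)
                .collect(Collectors.toSet());
    }

    /**
     * Creates a signature verifier matching the key type of the given JSON Web Key.
     *
     * @param jSONWebKey the key published by the issuer
     * @return an RSA or EC verifier for the key
     * @throws IllegalArgumentException if the key type is neither RSA nor EC
     */
    private Verifier getVerifierFromJSONWebKey(JSONWebKey jSONWebKey) {
        switch (jSONWebKey.kty) {
            case RSA:
                return RSAVerifier.newVerifier((RSAPublicKey) JSONWebKey.parse(jSONWebKey));
            case EC:
                return ECVerifier.newVerifier((ECPublicKey) JSONWebKey.parse(jSONWebKey));
            default:
                throw new IllegalArgumentException(jSONWebKey.kty.name());
        }
    }
}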
