package com.atlassian.okhttp.bitbucket.jwt;

import com.atlassian.jwt.SigningAlgorithm;
import com.atlassian.jwt.core.SimpleSymmetricSigningInfo;
import com.atlassian.jwt.core.writer.JsonSmartJwtJsonBuilder;
import com.atlassian.jwt.core.writer.JwtClaimsBuilder;
import com.atlassian.jwt.core.writer.NimbusJwtWriterFactory;
import com.atlassian.jwt.exception.JwtMalformedSharedSecretException;
import com.atlassian.jwt.exception.JwtSigningException;
import com.atlassian.jwt.httpclient.CanonicalHttpUriRequest;
import com.atlassian.jwt.writer.JwtJsonBuilder;
import com.atlassian.jwt.writer.JwtWriter;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.security.NoSuchAlgorithmException;
import java.time.Clock;
import java.time.Instant;
import java.util.Objects;
import javax.annotation.Nonnull;
import okhttp3.Interceptor;
import okhttp3.MediaType;
import okhttp3.Protocol;
import okhttp3.Request;
import okhttp3.Response;
import okhttp3.ResponseBody;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/atlassian/okhttp/bitbucket/jwt/ConnectApplicationJwtInterceptor.class */
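/**
 * OkHttp interceptor that authenticates outgoing requests as a Connect application by
 * attaching a short-lived, HS256-signed JWT in the {@code Authorization} header.
 *
 * <p>The caller names the account the request is made for through the
 * {@value #TARGET_ACCOUNT} request header. The interceptor consumes that header (it is
 * stripped before the request is forwarded), derives the JWT subject from it and signs the
 * token with the shared secret supplied at construction time.
 *
 * <p>Failures are reported as synthetic responses that never reach the network. Their status
 * codes ({@value #BAD_REQUEST_CODE} and {@value #SECRET_JWT_GENERATION_ERROR_CODE}) lie
 * outside the standard HTTP 1xx-5xx range, so they cannot be mistaken for a status sent by
 * the remote server.
 *
 * <p>Security notes: HS256 is a symmetric MAC, so anyone holding the shared secret can mint
 * tokens for this application; treat the secret like a password. This class keeps it only
 * inside the {@link JwtWriter} and does not log it itself.
 */
public class ConnectApplicationJwtInterceptor implements Interceptor {
    /** Status code of the synthetic response returned when the target account header is missing. */
    public static final int BAD_REQUEST_CODE = 600;
    /** Status code of the synthetic response returned when the JWT cannot be built or signed. */
    public static final int SECRET_JWT_GENERATION_ERROR_CODE = 724;
    /** Request header naming the account to act on; consumed here and never forwarded. */
    public static final String TARGET_ACCOUNT = "X-TARGET-ACCOUNT";

    private static final Logger log = LoggerFactory.getLogger(ConnectApplicationJwtInterceptor.class);
    private static final MediaType PLAIN_TEXT = MediaType.parse("text/plain; charset=utf-8");
    /** Validity window of each token; a short lifetime bounds how long a captured token can be replayed. */
    private static final long TOKEN_LIFETIME_SECONDS = 180L;

    private final String issuer;
    private final Clock clock;
    private final String connectKey;
    private final JwtWriter writer;

    /** Local error conditions, each pairing a synthetic status code with its status message. */
    public enum Error {
        BAD_REQUEST(ConnectApplicationJwtInterceptor.BAD_REQUEST_CODE, "Target account header 'X-TARGET-ACCOUNT' is required"),
        SECRET_JWT_GENERATION_ERROR(ConnectApplicationJwtInterceptor.SECRET_JWT_GENERATION_ERROR_CODE, "Failed to generate JWT token");

        private final int code;
        private final String message;

        Error(int code, String message) {
            this.code = code;
            this.message = message;
        }
    }

    /**
     * Creates the interceptor.
     *
     * @param clock source of the current time for the {@code iat} and {@code exp} claims
     * @param connectKey key of the Connect application, embedded in the token subject
     * @param issuer value of the {@code iss} claim
     * @param secret shared secret used for HS256 signing; a malformed secret does not fail
     *     construction, it makes every later signing attempt fail (see {@link #createWriter})
     * @throws NullPointerException if any argument is {@code null}
     */
    public ConnectApplicationJwtInterceptor(Clock clock, String connectKey, String issuer, String secret) {
        // Checks run in the same order as the parameters so the first null argument is the one reported.
        this.clock = Objects.requireNonNull(clock, "clock");
        this.connectKey = Objects.requireNonNull(connectKey, "connectKey");
        this.issuer = Objects.requireNonNull(issuer, "issuer");
        this.writer = createWriter(Objects.requireNonNull(secret, "secret"));
    }

    /**
     * Signs the request for the account named in {@value #TARGET_ACCOUNT} and forwards it.
     *
     * @param chain the interceptor chain carrying the outgoing request
     * @return the response from the rest of the chain, or a synthetic error response when the
     *     header is missing or the token cannot be generated (the request is not sent then)
     * @throws IOException if the rest of the chain fails
     * @throws NullPointerException if {@code chain} is {@code null}
     */
    @Override
    public Response intercept(Interceptor.Chain chain) throws IOException {
        Objects.requireNonNull(chain, "chain");
        Request request = chain.request();
        String targetAccount = request.header(TARGET_ACCOUNT);
        if (targetAccount == null) {
            return accountRequired(request);
        }
        try {
            String token = createJwtToken(request, targetAccount);
            Request signed = request.newBuilder()
                    // header() replaces rather than appends: a credential already present on the
                    // request must not travel alongside the JWT as a second Authorization header,
                    // where the server's choice between the two would be ambiguous.
                    .header("Authorization", "JWT " + token)
                    // The target account is local routing information; do not send it upstream.
                    .removeHeader(TARGET_ACCOUNT)
                    .build();
            return chain.proceed(signed);
        } catch (JwtGenerationError e) {
            log.error(Error.SECRET_JWT_GENERATION_ERROR.message, e);
            // Fail closed: without a valid token the request is answered locally and never sent.
            return jwtError(request, describe(e));
        }
    }

    /**
     * Picks the text for the error body: the cause's message, else the error's own message,
     * else a fixed fallback.
     *
     * <p>NOTE(review): this text comes from library exceptions and ends up in the response
     * body handed to the caller; confirm callers do not relay it verbatim to end users.
     */
    private static String describe(JwtGenerationError e) {
        String detail = null;
        if (e.getCause() != null) {
            detail = e.getCause().getMessage();
        }
        if (detail == null) {
            detail = e.getMessage();
        }
        return detail != null ? detail : "Unable to generate JWT token.";
    }

    /** Starts a synthetic HTTP/1.1 response bound to {@code request}. */
    private static Response.Builder defaultResponse(Request request) {
        return new Response.Builder().protocol(Protocol.HTTP_1_1).request(request);
    }

    /** Builds the synthetic response for a token generation failure with {@code detail} as body. */
    private static Response jwtError(Request request, String detail) {
        return errorResponse(request, Error.SECRET_JWT_GENERATION_ERROR, detail);
    }

    /** Builds the synthetic response for a request that lacks the target account header. */
    private static Response accountRequired(Request request) {
        return errorResponse(request, Error.BAD_REQUEST, "Unknown account");
    }

    /** Builds a plain-text synthetic response carrying the code and message of {@code error}. */
    private static Response errorResponse(Request request, Error error, String body) {
        return defaultResponse(request)
                .code(error.code)
                .message(error.message)
                .body(ResponseBody.create(PLAIN_TEXT, body))
                .build();
    }

    /**
     * Builds and signs the JWT for one request.
     *
     * <p>The token carries {@code iat}, an {@code exp} {@value #TOKEN_LIFETIME_SECONDS} seconds
     * later, the subject derived from {@code targetAccount}, the configured issuer and the
     * HTTP request claims derived from the request's method and encoded path.
     *
     * @param request the outgoing request the token is bound to
     * @param targetAccount value of the {@value #TARGET_ACCOUNT} header
     * @return the serialized, signed JWT
     * @throws JwtGenerationError if the claims cannot be built or signing fails
     */
    private String createJwtToken(Request request, String targetAccount) throws JwtGenerationError {
        Instant now = this.clock.instant();
        JwtJsonBuilder claims = new JsonSmartJwtJsonBuilder()
                .issuedAt(now.getEpochSecond())
                .expirationTime(now.plusSeconds(TOKEN_LIFETIME_SECONDS).getEpochSecond())
                .subject(subject(targetAccount))
                .issuer(this.issuer);
        try {
            // NOTE(review): only method and path are handed to the canonical request (context
            // path is null, no parameter map), so the request-hash claim presumably does not
            // cover query parameters - confirm against CanonicalHttpUriRequest and against what
            // the receiving service verifies.
            JwtClaimsBuilder.appendHttpRequestClaims(
                    claims,
                    new CanonicalHttpUriRequest(request.method(), request.url().encodedPath(), (String) null));
            return this.writer.jsonToJwt(claims.build());
        } catch (UnsupportedEncodingException | IllegalArgumentException | NoSuchAlgorithmException | JwtMalformedSharedSecretException | JwtSigningException e) {
            throw new JwtGenerationError(e);
        }
    }

    /**
     * Formats the JWT subject for {@code targetAccount} and this application's connect key.
     *
     * <p>NOTE(review): the header value is interpolated as-is. If it can ever originate from
     * untrusted input, validate its format before it reaches this point, since a value
     * containing {@code /} would change the structure of the resulting identifier.
     */
    private String subject(String targetAccount) {
        return String.format("ari:cloud:bitbucket::app/%s/%s", targetAccount, this.connectKey);
    }

    /**
     * Creates the HS256 signing writer for {@code secret}.
     *
     * <p>A malformed secret is logged and answered with a writer that rejects every signing
     * attempt, so a misconfigured interceptor fails closed instead of sending unsigned
     * requests.
     *
     * <p>NOTE(review): the exception is logged with its stack trace; confirm that
     * {@code JwtMalformedSharedSecretException} never echoes the secret in its message.
     */
    private static JwtWriter createWriter(String secret) {
        try {
            return new NimbusJwtWriterFactory().signingWriter(new SimpleSymmetricSigningInfo(SigningAlgorithm.HS256, secret));
        } catch (JwtMalformedSharedSecretException e) {
            log.error("Bad secret provided. All signing attempts will fail.", e);
            return new JwtWriter() {
                @Override
                @Nonnull
                public String jsonToJwt(@Nonnull String json) {
                    throw new JwtGenerationError("Unable create JWT token: Bad secret provided.");
                }
            };
        }
    }
}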
