package io.riada.jira.api;

import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTCreator;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.interfaces.DecodedJWT;
import com.auth0.jwt.interfaces.Verification;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalUnit;
import java.util.Collection;
import java.util.Date;
import java.util.Map;
import kotlin.Metadata;
import kotlin.jvm.internal.Intrinsics;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;

/* compiled from: MixedAtlassianAuth0JwtProvider.kt */
@Metadata(mv = {1, 1, 15}, bv = {1, 0, 3}, k = 1, d1 = {"��d\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n��\n\u0002\u0010\u000e\n\u0002\b\u0003\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n\u0002\b\u0003\n\u0002\u0018\u0002\n\u0002\b\u0004\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n\u0002\b\u0004\n\u0002\u0010$\n\u0002\u0010\u001e\n\u0002\b\u0003\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0010\u0002\n��\n\u0002\u0018\u0002\n\u0002\b\u0004\n\u0002\u0018\u0002\n��\n\u0002\u0010\u000b\n��\b��\u0018��2\u00020\u0001B\u0015\u0012\u0006\u0010\u0002\u001a\u00020\u0003\u0012\u0006\u0010\u0004\u001a\u00020\u0003¢\u0006\u0002\u0010\u0005J\u0018\u0010\u000b\u001a\n \n*\u0004\u0018\u00010\t0\t2\u0006\u0010\f\u001a\u00020\rH\u0002J\u0018\u0010\u000e\u001a\u00020\u00032\u0006\u0010\f\u001a\u00020\r2\u0006\u0010\u000f\u001a\u00020\u0003H\u0016J\"\u0010\u000e\u001a\u00020\u00032\u0006\u0010\f\u001a\u00020\r2\b\u0010\u000f\u001a\u0004\u0018\u00010\u00032\u0006\u0010\u0010\u001a\u00020\u0003H\u0016J\u0018\u0010\u0011\u001a\n \n*\u0004\u0018\u00010\u00120\u00122\u0006\u0010\u0013\u001a\u00020\u0014H\u0002J2\u0010\u0015\u001a\u00020\u00032\u0006\u0010\u0016\u001a\u00020\u00032\u0006\u0010\u0017\u001a\u00020\u00032\u0018\u0010\u0018\u001a\u0014\u0012\u0004\u0012\u00020\u0003\u0012\n\u0012\b\u0012\u0004\u0012\u00020\u00030\u001a0\u0019H\u0016J2\u0010\u001b\u001a\n \n*\u0004\u0018\u00010\u00030\u00032\u0006\u0010\u0013\u001a\u00020\u00142\b\u0010\u000f\u001a\u0004\u0018\u00010\u00032\u0006\u0010\f\u001a\u00020\r2\u0006\u0010\u001c\u001a\u00020\u0012H\u0002JB\u0010\u001d\u001a\u00020\u001e2\u0006\u0010\u001f\u001a\u00020\u00032\u0006\u0010\f\u001a\u00020\r2\u0006\u0010\u0016\u001a\u00020\u00032\u0006\u0010\u0017\u001a\u00020\u00032\u0018\u0010\u0018\u001a\u0014\u0012\u0004\u0012\u00020\u0003\u0012\n\u0012\b\u0012\u0004\u0012\u00020\u00030\u001a0\u0019H\u0016J \u0010 
\u001a\u00020!2\u0006\u0010\"\u001a\u00020#2\u0006\u0010$\u001a\u00020\u00032\u0006\u0010%\u001a\u00020\u0003H\u0002J\u0018\u0010&\u001a\u00020!2\u0006\u0010\"\u001a\u00020#2\u0006\u0010\f\u001a\u00020\rH\u0002J\u0014\u0010'\u001a\u00020!*\u00020(2\u0006\u0010\u001f\u001a\u00020#H\u0002J\f\u0010)\u001a\u00020**\u00020#H\u0002R\u000e\u0010\u0006\u001a\u00020\u0007X\u0082\u0004¢\u0006\u0002\n��R\u000e\u0010\u0002\u001a\u00020\u0003X\u0082\u0004¢\u0006\u0002\n��R\u0016\u0010\b\u001a\n \n*\u0004\u0018\u00010\t0\tX\u0082\u0004¢\u0006\u0002\n��¨\u0006+"}, d2 = {"Lio/riada/jira/api/MixedAtlassianAuth0JwtProvider;", "Lio/riada/jira/api/JwtProvider;", "issuer", "", "sharedSecret", "(Ljava/lang/String;Ljava/lang/String;)V", "decoder", "Lio/riada/jira/api/JwtDecoder;", "jiraAlgorithm", "Lcom/auth0/jwt/algorithms/Algorithm;", "kotlin.jvm.PlatformType", "algorithmForTenant", "tenantContext", "Lio/riada/jira/api/TenantContext;", "createSelfAuthenticationToken", "userAccountId", "initialJwt", "expiresAt", "Ljava/util/Date;", "issuedAt", "Ljava/time/Instant;", "generate", "method", "path", "parameters", "", "", "generateInsightJwt", MixedAtlassianAuth0JwtProviderKt.ORIGINALLY_ISSUED_AT, "verifyJWT", "Lio/riada/jira/api/VerifiedJWT;", "token", "verifyJiraGeneratedToken", "", "jwt", "Lcom/auth0/jwt/interfaces/DecodedJWT;", MixedAtlassianAuth0JwtProviderKt.CLIENT_KEY, "requestHash", "verifySelfAuthenticatedToken", "check", "Lcom/auth0/jwt/interfaces/JWTVerifier;", "isSelfAuthenticated", "", "jira-cloud-integration"})
/* loaded from: input_file:io/riada/jira/api/MixedAtlassianAuth0JwtProvider.class */
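/**
 * {@link JwtProvider} built on auth0 java-jwt that issues and verifies two kinds of HS256 token.
 *
 * <ul>
 *   <li><b>Jira-generated tokens</b> are signed with {@code jiraAlgorithm}, an HMAC-SHA256 key
 *       derived from the shared secret given to the constructor, and carry a request-hash claim
 *       computed from method, path and parameters.</li>
 *   <li><b>Self-authenticated ("insight") tokens</b> are signed with an HMAC-SHA256 key derived
 *       from {@code TenantContext.getSecret()}, and carry the insight flag, the tenant's client
 *       key and an "originally issued at" date.</li>
 * </ul>
 *
 * <p>Every token minted here expires three minutes after issue. A self-authenticated token is
 * additionally rejected once its "originally issued at" date is two hours old or more.
 *
 * <p>This source is decompiled from Kotlin; the {@code Intrinsics} calls are the null checks the
 * Kotlin compiler emitted and are kept so that null handling stays as it was.
 */
public final class MixedAtlassianAuth0JwtProvider implements JwtProvider {
    private final Algorithm jiraAlgorithm;
    private final JwtDecoder decoder;
    private final String issuer;

    /**
     * Creates a provider.
     *
     * @param str issuer name; used as {@code iss} on every token minted here and as both
     *     {@code iss} and {@code aud} of self-authenticated tokens
     * @param str2 shared secret from which the HMAC-SHA256 key for Jira-generated tokens is derived
     */
    public MixedAtlassianAuth0JwtProvider(@NotNull String str, @NotNull String str2) {
        Intrinsics.checkParameterIsNotNull(str, "issuer");
        Intrinsics.checkParameterIsNotNull(str2, "sharedSecret");
        this.issuer = str;
        this.jiraAlgorithm = Algorithm.HMAC256(str2);
        this.decoder = JwtDecoder.Companion.newDefaultDecoder();
    }

    /**
     * Mints a token bound to one request: issuer, issued-at, a three-minute expiry and the request
     * hash of the given method, path and parameters, signed with the shared-secret key.
     *
     * @param str HTTP method
     * @param str2 request path
     * @param map request parameters
     * @return the signed, serialized token
     */
    @Override // io.riada.jira.api.JwtProvider
    @NotNull
    public String generate(@NotNull String str, @NotNull String str2, @NotNull Map<String, ? extends Collection<String>> map) {
        Intrinsics.checkParameterIsNotNull(str, "method");
        Intrinsics.checkParameterIsNotNull(str2, "path");
        Intrinsics.checkParameterIsNotNull(map, "parameters");
        Instant now = Instant.now();
        JWTCreator.Builder withIssuedAt = JWT.create().withIssuer(this.issuer).withIssuedAt(Date.from(now));
        Intrinsics.checkExpressionValueIsNotNull(now, "issuedAt");
        String sign = withIssuedAt.withExpiresAt(expiresAt(now)).withClaim(MixedAtlassianAuth0JwtProviderKt.REQUEST_HASH_CLAIM, MixedAtlassianAuth0JwtProviderKt.calculateRequestHash(str, str2, map)).sign(this.jiraAlgorithm);
        Intrinsics.checkExpressionValueIsNotNull(sign, "JWT.create().withIssuer(…ers)).sign(jiraAlgorithm)");
        return sign;
    }

    /**
     * Mints a fresh self-authenticated token that continues the session of {@code str2}.
     *
     * <p>If the initial token is itself self-authenticated, its "originally issued at" date is
     * carried over, so the two-hour bound keeps counting from the first token of the chain;
     * otherwise the chain starts now.
     *
     * @param tenantContext tenant whose secret signs the token and whose client key is embedded
     * @param str user account id to use as subject, or {@code null} for no subject
     * @param str2 the initial token, serialized
     * @return the signed, serialized token
     */
    @Override // io.riada.jira.api.JwtProvider
    @NotNull
    public String createSelfAuthenticationToken(@NotNull TenantContext tenantContext, @Nullable String str, @NotNull String str2) {
        Intrinsics.checkParameterIsNotNull(tenantContext, "tenantContext");
        Intrinsics.checkParameterIsNotNull(str2, "initialJwt");
        Instant now = Instant.now();
        // NOTE(review): JWT.decode only parses; it does not check the signature. The
        // "originally issued at" date copied below therefore comes from an unverified token
        // and is then signed into the new one. This is only sound if every caller has already
        // passed the initial token through verifyJWT -- confirm, since otherwise the two-hour
        // session bound rests on a value the token's sender controls.
        DecodedJWT decode = JWT.decode(str2);
        Intrinsics.checkExpressionValueIsNotNull(decode, "decodedInitialJwt");
        Date asDate = isSelfAuthenticated(decode) ? decode.getClaim(MixedAtlassianAuth0JwtProviderKt.ORIGINALLY_ISSUED_AT).asDate() : Date.from(now);
        Intrinsics.checkExpressionValueIsNotNull(now, "issuedAt");
        // Fails here when a self-authenticated initial token has no readable date claim.
        Intrinsics.checkExpressionValueIsNotNull(asDate, MixedAtlassianAuth0JwtProviderKt.ORIGINALLY_ISSUED_AT);
        String generateInsightJwt = generateInsightJwt(now, str, tenantContext, asDate);
        Intrinsics.checkExpressionValueIsNotNull(generateInsightJwt, "generateInsightJwt(issue…text, originallyIssuedAt)");
        return generateInsightJwt;
    }

    /**
     * Mints the first self-authenticated token of a session; "originally issued at" is now.
     *
     * @param tenantContext tenant whose secret signs the token and whose client key is embedded
     * @param str user account id, used as subject
     * @return the signed, serialized token
     */
    @Override // io.riada.jira.api.JwtProvider
    @NotNull
    public String createSelfAuthenticationToken(@NotNull TenantContext tenantContext, @NotNull String str) {
        Intrinsics.checkParameterIsNotNull(tenantContext, "tenantContext");
        Intrinsics.checkParameterIsNotNull(str, "userAccountId");
        Instant now = Instant.now();
        Intrinsics.checkExpressionValueIsNotNull(now, "issuedAt");
        Date from = Date.from(now);
        Intrinsics.checkExpressionValueIsNotNull(from, "from(issuedAt)");
        String generateInsightJwt = generateInsightJwt(now, str, tenantContext, from);
        Intrinsics.checkExpressionValueIsNotNull(generateInsightJwt, "generateInsightJwt(issue…tContext, from(issuedAt))");
        return generateInsightJwt;
    }

    /**
     * Builds and signs a self-authenticated token with the tenant's key.
     *
     * @param instant issue time; expiry is three minutes later
     * @param str subject, omitted when {@code null}
     * @param tenantContext supplies the client-key claim and the signing secret
     * @param date value of the "originally issued at" claim
     */
    private final String generateInsightJwt(Instant instant, String str, TenantContext tenantContext, Date date) {
        JWTCreator.Builder create = JWT.create();
        create.withIssuer(this.issuer);
        // Audience equals issuer: these tokens are meant to come back to this same service.
        create.withAudience(new String[]{this.issuer});
        create.withIssuedAt(Date.from(instant));
        create.withExpiresAt(expiresAt(instant));
        if (str != null) {
            create.withSubject(str);
        }
        create.withClaim(MixedAtlassianAuth0JwtProviderKt.CLIENT_KEY, tenantContext.getClientKey());
        create.withClaim(MixedAtlassianAuth0JwtProviderKt.INSIGHT, true);
        create.withClaim(MixedAtlassianAuth0JwtProviderKt.ORIGINALLY_ISSUED_AT, date);
        return create.sign(algorithmForTenant(tenantContext));
    }

    /**
     * Verifies a token against the tenant and the request it arrived with.
     *
     * <p>The insight flag is read from the still-unverified token only to pick the verification
     * path; each path then checks the signature with its own key, so the flag alone grants
     * nothing.
     *
     * @param str serialized token
     * @param tenantContext tenant the request claims to belong to
     * @param str2 HTTP method of the request
     * @param str3 path of the request
     * @param map parameters of the request
     * @return the decoded token, wrapped as verified
     * @throws JWTVerificationException if signature or claim verification fails
     */
    @Override // io.riada.jira.api.JwtProvider
    @NotNull
    public VerifiedJWT verifyJWT(@NotNull String str, @NotNull TenantContext tenantContext, @NotNull String str2, @NotNull String str3, @NotNull Map<String, ? extends Collection<String>> map) {
        Intrinsics.checkParameterIsNotNull(str, "token");
        Intrinsics.checkParameterIsNotNull(tenantContext, "tenantContext");
        Intrinsics.checkParameterIsNotNull(str2, "method");
        Intrinsics.checkParameterIsNotNull(str3, "path");
        Intrinsics.checkParameterIsNotNull(map, "parameters");
        // NOTE(review): this decode sits outside check(), so a malformed token surfaces as
        // whatever JWT.decode throws rather than this package's JWTVerificationException;
        // confirm callers treat both as an authentication failure.
        DecodedJWT decode = JWT.decode(str);
        Intrinsics.checkExpressionValueIsNotNull(decode, "jwt");
        if (isSelfAuthenticated(decode)) {
            verifySelfAuthenticatedToken(decode, tenantContext);
        } else {
            verifyJiraGeneratedToken(decode, tenantContext.getClientKey(), MixedAtlassianAuth0JwtProviderKt.calculateRequestHash(str2, str3, map));
        }
        return new VerifiedJWT(this.decoder.decodeJWT(str));
    }

    /** Returns the HMAC-SHA256 algorithm keyed with the tenant's secret. */
    private final Algorithm algorithmForTenant(TenantContext tenantContext) {
        return Algorithm.HMAC256(tenantContext.getSecret());
    }

    /**
     * Verifies a self-authenticated token: signature under the tenant key, insight flag, issuer,
     * audience and client key, then the two-hour bound on "originally issued at".
     *
     * <p>The signature is checked before the date claim is read, so the age check and its error
     * message only ever handle a value from a token this service signed. A missing or unreadable
     * date claim is reported as a verification failure instead of a NullPointerException.
     *
     * @throws JWTVerificationException if any check fails
     */
    private final void verifySelfAuthenticatedToken(DecodedJWT decodedJWT, TenantContext tenantContext) {
        Verification require = JWT.require(algorithmForTenant(tenantContext));
        require.acceptLeeway(30L); // seconds of clock skew tolerated on the time claims
        require.withClaim(MixedAtlassianAuth0JwtProviderKt.INSIGHT, true);
        require.withIssuer(new String[]{this.issuer});
        require.withAudience(new String[]{this.issuer});
        // Binds the token to the tenant of the current request.
        require.withClaim(MixedAtlassianAuth0JwtProviderKt.CLIENT_KEY, tenantContext.getClientKey());
        JWTVerifier build = require.build();
        Intrinsics.checkExpressionValueIsNotNull(build, "verification");
        check((com.auth0.jwt.interfaces.JWTVerifier) build, decodedJWT);

        Date from = Date.from(Instant.now().minus(2L, ChronoUnit.HOURS));
        Date asDate = decodedJWT.getClaim(MixedAtlassianAuth0JwtProviderKt.ORIGINALLY_ISSUED_AT).asDate();
        if (asDate == null) {
            throw new JWTVerificationException("The token does not carry a readable originally-issued-at claim");
        }
        // NOTE(review): only the lower bound is enforced; a date in the future passes. Whether
        // that matters depends on where the claim's value can come from -- see
        // createSelfAuthenticationToken.
        if (!asDate.after(from)) {
            throw new JWTVerificationException("The originally issued token expired. Expected to be not older than " + from + ", but was " + asDate);
        }
    }

    /**
     * Verifies a Jira-generated token: signature under the shared-secret key, issuer equal to the
     * tenant's client key, and request hash equal to the hash of the current request.
     *
     * <p>NOTE(review): the verifier names no audience and does not itself demand that
     * {@code exp} be present; confirm that the java-jwt version in use, or the token issuer,
     * guarantees an expiry on these tokens.
     *
     * @param str expected issuer (the tenant's client key)
     * @param str2 expected request hash
     * @throws JWTVerificationException if any check fails
     */
    private final void verifyJiraGeneratedToken(DecodedJWT decodedJWT, String str, String str2) {
        Verification require = JWT.require(this.jiraAlgorithm);
        require.acceptLeeway(30L); // seconds of clock skew tolerated on the time claims
        require.withIssuer(new String[]{str});
        require.withClaim(MixedAtlassianAuth0JwtProviderKt.REQUEST_HASH_CLAIM, str2);
        JWTVerifier build = require.build();
        Intrinsics.checkExpressionValueIsNotNull(build, "verification");
        check((com.auth0.jwt.interfaces.JWTVerifier) build, decodedJWT);
    }

    /**
     * Runs the verifier and rethrows an auth0 verification failure as this package's
     * {@code JWTVerificationException}, keeping the original as cause.
     */
    private final void check(@NotNull com.auth0.jwt.interfaces.JWTVerifier jWTVerifier, DecodedJWT decodedJWT) {
        try {
            jWTVerifier.verify(decodedJWT);
        } catch (com.auth0.jwt.exceptions.JWTVerificationException e) {
            throw new JWTVerificationException(e);
        }
    }

    /**
     * Tells whether the token carries the insight flag with value {@code true}. Reads the claim
     * only; the token need not have been verified yet.
     */
    private final boolean isSelfAuthenticated(@NotNull DecodedJWT decodedJWT) {
        return Boolean.TRUE.equals(decodedJWT.getClaim(MixedAtlassianAuth0JwtProviderKt.INSIGHT).asBoolean());
    }

    /** Returns the expiry for a token issued at {@code instant}: three minutes later. */
    private final Date expiresAt(Instant instant) {
        return Date.from(instant.plus(3L, ChronoUnit.MINUTES));
    }
}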
