package org.eclipse.ditto.services.gateway.endpoints.directives.auth.jwt;

import akka.http.javadsl.model.HttpRequest;
import akka.http.javadsl.model.HttpResponse;
import akka.stream.javadsl.Sink;
import akka.util.ByteString;
import java.lang.invoke.SerializedLambda;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.RSAPublicKeySpec;
import java.time.Duration;
import java.util.Iterator;
import java.util.Optional;
import java.util.concurrent.CompletionStage;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;
import org.eclipse.ditto.json.JsonArray;
import org.eclipse.ditto.json.JsonFactory;
import org.eclipse.ditto.json.JsonMissingFieldException;
import org.eclipse.ditto.json.JsonObject;
import org.eclipse.ditto.json.JsonPointer;
import org.eclipse.ditto.json.JsonValue;
import org.eclipse.ditto.model.base.common.ConditionChecker;
import org.eclipse.ditto.services.gateway.security.cache.Cache;
import org.eclipse.ditto.services.gateway.security.cache.PublicKeyCache;
import org.eclipse.ditto.services.gateway.security.jwt.ImmutableJsonWebKey;
import org.eclipse.ditto.services.gateway.security.jwt.JsonWebKey;
import org.eclipse.ditto.services.gateway.starter.service.util.HttpClientFacade;
import org.eclipse.ditto.signals.commands.base.exceptions.GatewayAuthenticationProviderUnavailableException;
import org.eclipse.ditto.signals.commands.base.exceptions.GatewayJwtIssuerNotSupportedException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/eclipse/ditto/services/gateway/endpoints/directives/auth/jwt/DittoPublicKeyProvider.class */
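/**
 * {@link PublicKeyProvider} that resolves the public key for a JWT from the JWK resource
 * configured for the token's issuer and keeps the resolved keys in a cache.
 *
 * <p>Security notes:
 * <ul>
 *   <li>Cache entries are scoped by issuer <em>and</em> key ID. A key published by one configured
 *       issuer is therefore never handed out for a token that names a different issuer.</li>
 *   <li>Both the issuer and the key ID passed to {@link #getPublicKey(String, String)} presumably
 *       come from a token whose signature has not been verified yet, so they are treated as
 *       untrusted lookup values only.</li>
 *   <li>Every lookup failure results in an empty {@code Optional} (fail closed).</li>
 * </ul>
 *
 * <p>The decompiler-emitted {@code $deserializeLambda$} method is intentionally not declared
 * here: it is compiler-synthesized, and javac regenerates it for the serializable Akka function
 * objects used in {@code getPublicKeysFromJwkResource}.
 */
public final class DittoPublicKeyProvider implements PublicKeyProvider {
    private static final Logger LOGGER = LoggerFactory.getLogger(DittoPublicKeyProvider.class);

    /** Upper bound, in milliseconds, for the JWK request and for reading its response body. */
    private static final long JWK_REQUEST_TIMEOUT_MILLISECONDS = 5000;

    private final JwtSubjectIssuersConfig jwtSubjectIssuersConfig;
    private final HttpClientFacade httpClient;
    // Keys are composite "issuer + key ID" strings built by cacheKeyFor; never a bare key ID.
    private final Cache<String, PublicKey> publicKeyCache;

    private DittoPublicKeyProvider(JwtSubjectIssuersConfig jwtSubjectIssuersConfig, HttpClientFacade httpClientFacade, Cache<String, PublicKey> cache) {
        this.jwtSubjectIssuersConfig = ConditionChecker.argumentNotNull(jwtSubjectIssuersConfig);
        this.httpClient = ConditionChecker.argumentNotNull(httpClientFacade);
        this.publicKeyCache = ConditionChecker.argumentNotNull(cache);
    }

    /**
     * Creates a provider backed by a new {@link PublicKeyCache}.
     *
     * @param jwtSubjectIssuersConfig the configuration of the supported JWT issuers.
     * @param httpClientFacade the HTTP client used to fetch the JWK resources.
     * @param i first argument of {@code PublicKeyCache.newInstance}; presumably the maximum number
     *     of cache entries (confirm against {@code PublicKeyCache}).
     * @param duration second argument of {@code PublicKeyCache.newInstance}; presumably the expiry
     *     of cache entries (confirm against {@code PublicKeyCache}).
     * @return the new provider.
     */
    public static PublicKeyProvider of(JwtSubjectIssuersConfig jwtSubjectIssuersConfig, HttpClientFacade httpClientFacade, int i, Duration duration) {
        return new DittoPublicKeyProvider(jwtSubjectIssuersConfig, httpClientFacade, PublicKeyCache.newInstance(i, duration));
    }

    /**
     * Returns the public key with the given key ID for the given issuer.
     *
     * <p>The key is served from the cache when present; otherwise the issuer's JWK resource is
     * fetched, all keys it contains are cached for that issuer, and the requested one is returned.
     *
     * @param str the issuer of the JWT; must be a configured issuer.
     * @param str2 the ID of the key ({@code kid}) to look up.
     * @return the public key, or an empty {@code Optional} if the issuer does not publish a key
     *     with that ID or the JWK resource could not be retrieved or parsed.
     * @throws GatewayJwtIssuerNotSupportedException if no configuration exists for the issuer.
     */
    @Override // org.eclipse.ditto.services.gateway.endpoints.directives.auth.jwt.PublicKeyProvider
    public Optional<PublicKey> getPublicKey(String str, String str2) {
        ConditionChecker.argumentNotNull(str);
        ConditionChecker.argumentNotNull(str2);
        JwtSubjectIssuerConfig issuerConfig = this.jwtSubjectIssuersConfig.getConfigItem(str)
                .orElseThrow(() -> GatewayJwtIssuerNotSupportedException.newBuilder(str).build());

        // Look up by issuer AND key ID: a cache keyed by key ID alone would return a key fetched
        // for one issuer when a token names another configured issuer with the same key ID.
        Optional<PublicKey> cachedKey = this.publicKeyCache.get(cacheKeyFor(str, str2));
        if (cachedKey.isPresent()) {
            return cachedKey;
        }

        // NOTE(review): every cache miss triggers a blocking fetch of the JWK resource. If the key
        // ID is taken from an unverified token, unknown IDs cause one outbound request each;
        // consider negative caching or rate limiting at the caller.
        try {
            return refreshCache(getPublicKeysFromJwkResource(issuerConfig.getJwkResource()), str, str2);
        } catch (RuntimeException e) {
            // Deliberate fail-closed behaviour: no key means the token cannot be verified.
            LOGGER.warn("An error occurred while retrieving a JWK: ", e);
            return Optional.empty();
        }
    }

    /**
     * Builds the cache key for a key ID within the scope of an issuer. The issuer length prefix
     * keeps the encoding unambiguous whatever characters the issuer or key ID contain.
     */
    private static String cacheKeyFor(String issuer, String keyId) {
        return issuer.length() + ":" + issuer + ":" + keyId;
    }

    /**
     * Fetches the JWK resource and returns the JSON array found under its {@code keys} field.
     *
     * <p>NOTE(review): the HTTP status of the response is not inspected; a non-JSON error body
     * fails in the parsing step. The response body is aggregated in memory, so its size is bounded
     * only by whatever limit the HTTP client is configured with. The resource URL comes from the
     * issuer configuration and should use a transport that authenticates the key server (TODO confirm).
     *
     * @param resource the URL of the JWK resource.
     * @return the array of JSON web keys.
     * @throws GatewayAuthenticationProviderUnavailableException if the request fails or the
     *     request or the body read times out.
     * @throws IllegalStateException if the response body cannot be read or parsed.
     */
    private JsonArray getPublicKeysFromJwkResource(String resource) {
        try {
            HttpResponse response = this.httpClient.createSingleHttpRequest(HttpRequest.GET(resource))
                    .toCompletableFuture()
                    .get(JWK_REQUEST_TIMEOUT_MILLISECONDS, TimeUnit.MILLISECONDS);
            try {
                CompletionStage<JsonObject> body = response.entity().getDataBytes()
                        .fold(ByteString.empty(), ByteString::concat)
                        .map(ByteString::utf8String)
                        .map(JsonFactory::readFrom)
                        .map(JsonValue::asObject)
                        .runWith(Sink.head(), this.httpClient.getActorMaterializer());
                JsonPointer keysPointer = JsonPointer.of("keys");
                // Bound the body read as well: a key server that sends headers and then stalls
                // would otherwise block this thread indefinitely. A timeout here is handled by the
                // outer catch like a request timeout.
                return body.toCompletableFuture()
                        .get(JWK_REQUEST_TIMEOUT_MILLISECONDS, TimeUnit.MILLISECONDS)
                        .getValue(keysPointer)
                        .map(JsonValue::asArray)
                        .orElseThrow(() -> new JsonMissingFieldException(keysPointer));
            } catch (InterruptedException | ExecutionException e) {
                if (e instanceof InterruptedException) {
                    // Preserve the interrupt for code further up the stack.
                    Thread.currentThread().interrupt();
                }
                LOGGER.warn("Could not parse JSON. Was: {}", response);
                throw new IllegalStateException("Failed to extract public keys from JSON!", e);
            }
        } catch (InterruptedException | ExecutionException | TimeoutException e) {
            if (e instanceof InterruptedException) {
                // Preserve the interrupt for code further up the stack.
                Thread.currentThread().interrupt();
            }
            LOGGER.warn("Got Exception from JwkResource provider at resource '{}': {} - {}", resource, e.getClass().getSimpleName(), e.getMessage());
            throw GatewayAuthenticationProviderUnavailableException.newBuilder().cause(e).build();
        }
    }

    /**
     * Converts every JSON web key of the array into a {@link PublicKey}, caches it under the
     * given issuer, and returns the key whose ID matches the requested one.
     *
     * @param publicKeys the JSON web keys fetched from the issuer's JWK resource.
     * @param issuer the issuer whose JWK resource the keys were fetched from.
     * @param keyId the ID of the key the caller asked for.
     * @return the requested key, or an empty {@code Optional} if the array does not contain it.
     */
    private Optional<PublicKey> refreshCache(JsonArray publicKeys, String issuer, String keyId) {
        PublicKey requestedKey = null;
        for (JsonValue jsonValue : publicKeys) {
            try {
                JsonWebKey jsonWebKey = ImmutableJsonWebKey.fromJson(jsonValue.asObject());
                // The key type is supplied by the key server; a type whose KeyFactory does not
                // accept an RSA key spec is rejected with InvalidKeySpecException below.
                PublicKey publicKey = KeyFactory.getInstance(jsonWebKey.getType())
                        .generatePublic(new RSAPublicKeySpec(jsonWebKey.getModulus(), jsonWebKey.getExponent()));
                if (jsonWebKey.getId().equals(keyId)) {
                    requestedKey = publicKey;
                }
                this.publicKeyCache.put(cacheKeyFor(issuer, jsonWebKey.getId()), publicKey);
            } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
                // Skip the unusable key but keep processing the remaining ones.
                LOGGER.warn("Got invalid key from authentication provider.", e);
            }
        }
        return Optional.ofNullable(requestedKey);
    }
}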
