package io.atlassian.micros.oauth2.accesstoken;

import com.atlassian.asap.api.exception.CannotRetrieveKeyException;
import com.atlassian.asap.core.exception.InvalidHeaderException;
import com.atlassian.asap.core.keys.KeyProvider;
import com.atlassian.asap.core.validator.ValidatedKeyId;
import com.google.common.base.Preconditions;
import com.google.common.collect.Sets;
import com.nimbusds.jose.JOSEException;
import java.net.URL;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.util.HashSet;
import java.util.Optional;
import java.util.Set;
import javax.annotation.Nonnull;
import javax.validation.ConstraintViolation;
import javax.validation.ValidationException;
import javax.validation.Validator;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/atlassian-bundled-plugins/atlassian-connect-server-plugin-2.0.0-39bf8e4.jar:io/atlassian/micros/oauth2/accesstoken/ConnectSessionAuthTokenValidator.class */
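/**
 * Parses and validates a Connect session auth token (a signed JWT) before it is trusted.
 *
 * <p>Validation order for a token that parses as a session auth token:
 * <ol>
 *   <li>the {@code kid} header is run through ASAP's {@link ValidatedKeyId#validate} (the key id
 *       is attacker-controlled until the signature has been checked, so it is sanitised before it
 *       is handed to the {@link KeyProvider});</li>
 *   <li>the RSA signature is verified against the looked-up key;</li>
 *   <li>Bean Validation constraints declared on {@link ConnectSessionAuthToken} are applied;</li>
 *   <li>if the token carries a session claim set, its authorization-server id must equal the
 *       configured one and, when the token names any resource servers, at least one of them must
 *       be in the configured set.</li>
 * </ol>
 *
 * <p>Things a caller needs to know (all visible in this class, none fixed here because the
 * surrounding contract is not):
 * <ul>
 *   <li>Failures surface as two different exception types: a bad signature, wrong issuer or
 *       unsupported audience throw an unchecked {@link ValidationException}; parse errors, a
 *       rejected key id and constraint violations throw {@link InvalidSessionAuthTokenException}.
 *       Callers must catch both, or every token is accepted on the unchecked path.</li>
 *   <li>This class performs no time-based check itself. NOTE(review): confirm that expiry /
 *       not-before are enforced by the Bean Validation constraints on the token class.</li>
 *   <li>A token with no session claim set skips the issuer and audience checks, and a token whose
 *       resource-server list is empty skips the audience check. NOTE(review): confirm this
 *       "empty audience is valid everywhere" behaviour is intended.</li>
 *   <li>An empty {@link Optional} from {@link #parseAndValidate} means "not a session auth
 *       token", not "valid"; nothing has been verified in that case.</li>
 *   <li>Audience matching relies on {@link URL#equals}, which resolves host names and treats two
 *       hosts as equal when they resolve to the same IP address; it is also a blocking DNS call
 *       per comparison. Comparing {@link java.net.URI}s would be stricter and cheaper, but the
 *       constructor contract is {@code Set<URL>} so it is left as is.</li>
 *   <li>The configured resource-server set is stored by reference, not copied, so the caller must
 *       not mutate it after construction.</li>
 * </ul>
 */
public class ConnectSessionAuthTokenValidator {
    private static final Logger log = LoggerFactory.getLogger((Class<?>) ConnectSessionAuthTokenValidator.class);

    /** Source of RSA public keys, looked up by the (validated) {@code kid} header. */
    private final KeyProvider<RSAPublicKey> publicKeyProvider;
    /** The only authorization-server id accepted in a session claim set. */
    private final String authorizationServerId;
    /** Bean Validation validator applied to the parsed token after signature verification. */
    private final Validator validator;
    /** Resource-server URLs this deployment answers for; a non-empty token audience must hit one. */
    private final Set<URL> supportedResourceServerUrls;

    /**
     * @param keyProvider source of RSA public keys keyed by validated key id
     * @param str         the expected authorization-server id (issuer)
     * @param validator   Bean Validation validator for {@link ConnectSessionAuthToken}
     * @param set         resource-server URLs this deployment is willing to accept tokens for
     * @throws NullPointerException if any argument is null
     */
    public ConnectSessionAuthTokenValidator(@Nonnull KeyProvider<RSAPublicKey> keyProvider, @Nonnull String str, @Nonnull Validator validator, @Nonnull Set<URL> set) {
        this.publicKeyProvider = Preconditions.checkNotNull(keyProvider);
        this.authorizationServerId = Preconditions.checkNotNull(str);
        this.validator = Preconditions.checkNotNull(validator);
        this.supportedResourceServerUrls = Preconditions.checkNotNull(set);
    }

    /**
     * Parses {@code str} and, if it is a session auth token, fully validates it.
     *
     * @param str the raw token text
     * @return the parsed token when {@code str} is a session auth token that passed every check;
     *         empty when it is not a session auth token at all (nothing verified in that case)
     * @throws InvalidSessionAuthTokenException if the token cannot be parsed, its key id is
     *         rejected, or a Bean Validation constraint is violated
     * @throws CannotRetrieveKeyException if the key provider cannot supply the signing key
     * @throws ValidationException (unchecked) if the signature, issuer or audience check fails
     */
    public Optional<ConnectSessionAuthToken> parseAndValidate(@Nonnull String str) throws InvalidSessionAuthTokenException, CannotRetrieveKeyException {
        Optional<ConnectSessionAuthToken> parsed;
        try {
            parsed = ConnectSessionAuthToken.parse(str);
        } catch (ParseException e) {
            throw new InvalidSessionAuthTokenException(e);
        }
        if (parsed.isPresent()) {
            ConnectSessionAuthToken token = parsed.get();
            validateToken(token, lookupSigningKey(token));
        }
        return parsed;
    }

    /**
     * Resolves the RSA public key named by the token's {@code kid} header.
     *
     * <p>The key id comes from an as-yet-unverified token, so it is passed through
     * {@link ValidatedKeyId#validate} before reaching the provider.
     *
     * @throws InvalidSessionAuthTokenException if the key id is malformed
     * @throws CannotRetrieveKeyException if the provider cannot supply the key
     * @throws ValidationException if the provider returns {@code null}; without this guard a null
     *         key would have to be treated as "no key, skip verification", which is fail-open
     */
    private RSAPublicKey lookupSigningKey(ConnectSessionAuthToken token) throws InvalidSessionAuthTokenException, CannotRetrieveKeyException {
        RSAPublicKey signingKey;
        try {
            signingKey = this.publicKeyProvider.getKey(ValidatedKeyId.validate(token.keyId()));
        } catch (InvalidHeaderException e) {
            throw new InvalidSessionAuthTokenException(e);
        }
        if (signingKey == null) {
            throw new ValidationException("Session auth token key could not be resolved");
        }
        return signingKey;
    }

    /**
     * Runs every check on an already-parsed token: signature, Bean Validation constraints, then
     * (if a session claim set is present) issuer and audience.
     *
     * @throws InvalidSessionAuthTokenException on constraint violations or a JOSE / parse error
     * @throws ValidationException (unchecked) on signature, issuer or audience failure
     */
    private void validateToken(ConnectSessionAuthToken token, RSAPublicKey signingKey) throws InvalidSessionAuthTokenException {
        try {
            // Signature first: nothing inside the token is trusted until this passes.
            if (!token.verify(signingKey)) {
                throw new ValidationException("Session auth token failed key validation");
            }
            Set<ConstraintViolation<ConnectSessionAuthToken>> violations = this.validator.validate(token);
            if (!violations.isEmpty()) {
                throw new InvalidSessionAuthTokenException(violations);
            }
            // Issuer and audience are only checked when the token actually carries a session claim set.
            token.getSessionClaimSet().ifPresent(sessionClaimSet -> {
                String issuer = sessionClaimSet.getAuthorizationServerId();
                if (issuer == null || !this.authorizationServerId.equals(issuer)) {
                    // The logged issuer is attacker-influenced text; rely on the log backend to
                    // neutralise line breaks or this line can be used for log forging.
                    log.info("received token from issuer {} when expecting {}", issuer, this.authorizationServerId);
                    throw new ValidationException(String.format("Session auth token was not issued by the expected authorization server. Token was issued by: %s", issuer));
                }
                // Element type is whatever getResourceServerUrls() yields; Sets.intersection
                // accepts Set<?> on the right-hand side, so no assumption is made here.
                Set<?> tokenAudience = Sets.newHashSet(sessionClaimSet.getResourceServerUrls());
                // An empty audience is accepted as-is (see class doc); a non-empty one must
                // overlap the configured resource servers.
                if (!tokenAudience.isEmpty() && Sets.intersection(this.supportedResourceServerUrls, tokenAudience).isEmpty()) {
                    throw new ValidationException(String.format("Session auth token does not include expected resource servers in audience server. Token was issued for: %s", tokenAudience));
                }
            });
        } catch (JOSEException e) {
            throw new InvalidSessionAuthTokenException(e);
        } catch (ParseException e2) {
            throw new InvalidSessionAuthTokenException(e2);
        }
    }
}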
