package io.gravitee.am.gateway.handler.common.jwt.impl;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.nimbusds.jose.JWSAlgorithm;
import io.gravitee.am.common.exception.oauth2.InvalidTokenException;
import io.gravitee.am.common.jwt.JWT;
import io.gravitee.am.gateway.certificate.CertificateProvider;
import io.gravitee.am.gateway.handler.common.certificate.CertificateManager;
import io.gravitee.am.gateway.handler.common.jwt.JWTService;
import io.gravitee.am.model.oidc.Client;
import io.reactivex.rxjava3.core.Single;
import java.util.Base64;
import java.util.Map;
import java.util.Objects;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;

/* loaded from: input_file:io/gravitee/am/gateway/handler/common/jwt/impl/JWTServiceImpl.class */
/**
 * {@link JWTService} implementation that signs and parses JWTs through the
 * {@link CertificateProvider} instances resolved by the {@link CertificateManager}.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>{@link #decode(String, JWTService.TokenType)} only Base64URL-decodes the payload segment and
 *       maps it to a {@link JWT}; the header and signature segments are never read, so the resulting
 *       claims are unauthenticated.</li>
 *   <li>The {@code decodeAndVerify} overloads delegate to the provider's JWT parser; which checks
 *       (signature, expiry, algorithm) that parser performs is not visible here.</li>
 *   <li>Several methods fall back to the default certificate provider when a client-specific or
 *       algorithm-specific provider is not found.</li>
 * </ul>
 */
public class JWTServiceImpl implements JWTService {
    private static final Logger logger = LoggerFactory.getLogger(JWTServiceImpl.class);

    // Source of certificate providers (per client, per algorithm, default, and "none").
    @Autowired
    private CertificateManager certificateManager;

    // Maps the decoded JSON payload onto the JWT claims type in the unverified decode path.
    @Autowired
    private ObjectMapper objectMapper;

    /**
     * Signs the given JWT with an explicitly supplied certificate provider.
     *
     * @param jwt the claims to sign
     * @param certificateProvider the provider whose JWT builder performs the signing; must not be null
     * @return a {@link Single} emitting the signed token, or an {@link InvalidTokenException} on failure
     * @throws NullPointerException if {@code certificateProvider} is null
     */
    @Override
    public Single<String> encode(JWT jwt, CertificateProvider certificateProvider) {
        Objects.requireNonNull(certificateProvider, "Certificate provider is required to sign JWT");
        return sign(certificateProvider, jwt);
    }

    /**
     * Signs the given JWT with the client's certificate, using the default certificate provider
     * when the lookup for the client's certificate is empty.
     *
     * @param jwt the claims to sign
     * @param client the client whose certificate selects the signing provider
     * @return a {@link Single} emitting the signed token
     */
    @Override
    public Single<String> encode(JWT jwt, Client client) {
        return certificateManager
                .get(client.getCertificate())
                .defaultIfEmpty(certificateManager.defaultCertificateProvider())
                .flatMap(provider -> encode(jwt, provider));
    }

    /**
     * Encodes a UserInfo response as a JWT.
     *
     * <p>When the client has no UserInfo signing algorithm configured, the "none algorithm"
     * provider is used (presumably producing an unsigned JWT; confirm against
     * {@code CertificateManager}). Otherwise the provider is looked up by algorithm, then by the
     * client's certificate, then the default provider.
     *
     * <p>NOTE(review): the fallback providers are not checked here against the requested algorithm,
     * so the token may end up signed with a different algorithm than the one configured; confirm
     * that this is intended.
     *
     * @param jwt the UserInfo claims
     * @param client the client the response is issued for
     * @return a {@link Single} emitting the encoded token
     */
    @Override
    public Single<String> encodeUserinfo(JWT jwt, Client client) {
        if (client.getUserinfoSignedResponseAlg() == null) {
            return encode(jwt, certificateManager.noneAlgorithmCertificateProvider());
        }
        return certificateManager
                .findByAlgorithm(client.getUserinfoSignedResponseAlg())
                .switchIfEmpty(certificateManager.get(client.getCertificate()))
                .defaultIfEmpty(certificateManager.defaultCertificateProvider())
                .flatMap(provider -> encode(jwt, provider));
    }

    /**
     * Encodes an authorization response as a signed JWT.
     *
     * <p>The signing algorithm is the client's configured one, or RS256 when none is configured.
     * The provider is looked up by algorithm, then by the client's certificate, then the default
     * provider.
     *
     * <p>NOTE(review): as in {@code encodeUserinfo}, the fallback providers are not checked here
     * against the requested algorithm.
     *
     * @param jwt the authorization response claims
     * @param client the client the response is issued for
     * @return a {@link Single} emitting the signed token
     */
    @Override
    public Single<String> encodeAuthorization(JWT jwt, Client client) {
        String configuredAlg = client.getAuthorizationSignedResponseAlg();
        String effectiveAlg = configuredAlg != null ? configuredAlg : JWSAlgorithm.RS256.getName();
        return certificateManager
                .findByAlgorithm(effectiveAlg)
                .switchIfEmpty(certificateManager.get(client.getCertificate()))
                .defaultIfEmpty(certificateManager.defaultCertificateProvider())
                .flatMap(provider -> encode(jwt, provider));
    }

    /**
     * Parses a token with the provider resolved from the client's certificate, using the default
     * certificate provider when the lookup for the client's certificate is empty.
     *
     * @param str the compact token string
     * @param client the client whose certificate selects the parsing provider
     * @param tokenType the kind of token, used to choose the error message on failure
     * @return a {@link Single} emitting the parsed claims, or an {@link InvalidTokenException}
     */
    @Override
    public Single<JWT> decodeAndVerify(String str, Client client, JWTService.TokenType tokenType) {
        return certificateManager
                .get(client.getCertificate())
                .defaultIfEmpty(certificateManager.defaultCertificateProvider())
                .flatMap(provider -> decodeAndVerify(str, provider, tokenType));
    }

    /**
     * Parses a token with the given provider's JWT parser and wraps the resulting claims map.
     *
     * @param str the compact token string
     * @param certificateProvider the provider whose parser handles the token
     * @param tokenType the kind of token, used to choose the error message on failure
     * @return a {@link Single} emitting the parsed claims, or an {@link InvalidTokenException}
     */
    @Override
    public Single<JWT> decodeAndVerify(String str, CertificateProvider certificateProvider, JWTService.TokenType tokenType) {
        return decode(certificateProvider, str, tokenType).map(JWT::new);
    }

    /**
     * Decodes the payload of a token WITHOUT verifying it.
     *
     * <p>Only the second dot-separated segment is Base64URL-decoded and mapped to a {@link JWT}.
     * No signature, algorithm or key is involved, so the returned claims are attacker-controllable
     * and must not drive any trust decision; use one of the {@code decodeAndVerify} overloads
     * before relying on them.
     *
     * @param str the compact token string
     * @param tokenType the kind of token, used to choose the error message on failure
     * @return a {@link Single} emitting the unverified claims, or an {@link InvalidTokenException}
     *     when the token cannot be split, decoded or mapped
     */
    @Override
    public Single<JWT> decode(String str, JWTService.TokenType tokenType) {
        return Single.create(emitter -> {
            try {
                // Segment index 1 is the payload; a token without a dot fails here and is
                // reported as invalid by the catch below.
                String payloadSegment = str.split("\\.")[1];
                byte[] payloadBytes = Base64.getUrlDecoder().decode(payloadSegment);
                String payloadJson = new String(payloadBytes, "UTF-8");
                emitter.onSuccess(objectMapper.readValue(payloadJson, JWT.class));
            } catch (Exception decodeFailure) {
                // The token string itself is not passed to the logger, only the type and the cause.
                logger.debug("Failed to decode {} JWT", tokenType, decodeFailure);
                emitter.onError(buildInvalidTokenException(tokenType, decodeFailure));
            }
        });
    }

    /**
     * Builds the {@link InvalidTokenException} for a failed decode, with a message chosen by token
     * type. Any type without its own case is reported as an access token.
     *
     * @param tokenType the kind of token that failed to decode
     * @param exc the underlying failure, attached as the cause
     * @return the exception to emit
     */
    private static InvalidTokenException buildInvalidTokenException(JWTService.TokenType tokenType, Exception exc) {
        final String message;
        switch (tokenType) {
            case STATE:
                message = "The state token is invalid";
                break;
            case ID_TOKEN:
                message = "The id token is invalid";
                break;
            case REFRESH_TOKEN:
                message = "The refresh token is invalid";
                break;
            case SESSION:
                message = "The session token is invalid";
                break;
            default:
                message = "The access token is invalid";
                break;
        }
        return new InvalidTokenException(message, exc);
    }

    /**
     * Signs the JWT with the provider's JWT builder, converting any failure into an
     * {@link InvalidTokenException}.
     *
     * @param certificateProvider the provider whose builder signs the token
     * @param jwt the claims to sign
     * @return a {@link Single} emitting the signed token
     */
    private Single<String> sign(CertificateProvider certificateProvider, JWT jwt) {
        return Single.create(emitter -> {
            try {
                String signedToken = certificateProvider.getJwtBuilder().sign(jwt);
                emitter.onSuccess(signedToken);
            } catch (Exception signingFailure) {
                logger.error("Failed to sign JWT", signingFailure);
                emitter.onError(new InvalidTokenException("The JWT token couldn't be signed", signingFailure));
            }
        });
    }

    /**
     * Parses the token with the provider's JWT parser, converting any failure into an
     * {@link InvalidTokenException} whose message depends on the token type.
     *
     * @param certificateProvider the provider whose parser handles the token
     * @param str the compact token string
     * @param tokenType the kind of token, used to choose the error message on failure
     * @return a {@link Single} emitting the claims map returned by the parser
     */
    private Single<Map<String, Object>> decode(CertificateProvider certificateProvider, String str, JWTService.TokenType tokenType) {
        return Single.create(emitter -> {
            try {
                Map<String, Object> claims = certificateProvider.getJwtParser().parse(str);
                emitter.onSuccess(claims);
            } catch (Exception parseFailure) {
                logger.debug("Failed to decode {} JWT", tokenType, parseFailure);
                emitter.onError(buildInvalidTokenException(tokenType, parseFailure));
            }
        });
    }
}
