package io.smallrye.jwt.config;

import io.smallrye.jwt.KeyUtils;
import io.smallrye.jwt.SmallryeJwtUtils;
import io.smallrye.jwt.auth.principal.JWTAuthContextInfo;
import java.security.interfaces.RSAPublicKey;
import java.util.Optional;
import java.util.Set;
import java.util.function.Supplier;
import javax.enterprise.context.ApplicationScoped;
import javax.enterprise.context.Dependent;
import javax.enterprise.inject.Produces;
import javax.enterprise.inject.spi.DeploymentException;
import javax.inject.Inject;
import org.eclipse.microprofile.config.inject.ConfigProperty;
import org.jboss.logging.Logger;

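/**
 * CDI producer that reads the MicroProfile JWT ({@code mp.jwt.*}) and SmallRye
 * ({@code smallrye.jwt.*}) configuration properties and copies them into a
 * {@link JWTAuthContextInfo}.
 *
 * <p>Verification key material comes from either {@code mp.jwt.verify.publickey} (inline key
 * text) or {@code mp.jwt.verify.publickey.location}. When neither is configured,
 * {@link #getOptionalContextInfo()} produces an empty {@link Optional} and
 * {@link #getContextInfo()} throws, so no context is handed out without a key source.
 */
@Dependent
/* loaded from: input_file:io/smallrye/jwt/config/JWTAuthContextInfoProvider.class */
public class JWTAuthContextInfoProvider {
    private static final String AUTHORIZATION_HEADER = "Authorization";
    // Sentinel used as the config default: a property equal to this counts as "not configured".
    private static final String NONE = "NONE";
    private static final String DEFAULT_GROUPS_SEPARATOR = " ";
    // Mirrors the "60" default declared on smallrye.jwt.expiration.grace and used by create().
    private static final int DEFAULT_EXP_GRACE_PERIOD_SECS = 60;
    private static final Logger log = Logger.getLogger(JWTAuthContextInfoProvider.class);

    // Inline verification key text; tried as JWK(S) first, then as PEM (see decodeMpJwtPublicKey).
    @Inject
    @ConfigProperty(name = "mp.jwt.verify.publickey", defaultValue = NONE)
    private Optional<String> mpJwtPublicKey;

    // Expected issuer; NONE (the default) means no expected issuer value is set on the context.
    @Inject
    @ConfigProperty(name = "mp.jwt.verify.issuer", defaultValue = NONE)
    private String mpJwtIssuer;

    // Location of the verification key; passed through verbatim to the context.
    @Inject
    @ConfigProperty(name = "mp.jwt.verify.publickey.location", defaultValue = NONE)
    private Optional<String> mpJwtLocation;

    // Whether the issuer is required; defaults to true.
    @Inject
    @ConfigProperty(name = "mp.jwt.verify.requireiss", defaultValue = "true")
    private Optional<Boolean> mpJwtRequireIss;

    // Name of the HTTP header carrying the token; defaults to "Authorization".
    @Inject
    @ConfigProperty(name = "smallrye.jwt.token.header", defaultValue = AUTHORIZATION_HEADER)
    private String tokenHeader;

    @Inject
    @ConfigProperty(name = "smallrye.jwt.token.cookie")
    private Optional<String> tokenCookie;

    @Inject
    @ConfigProperty(name = "smallrye.jwt.token.kid")
    private Optional<String> tokenKeyId;

    @Inject
    @ConfigProperty(name = "smallrye.jwt.require.named-principal", defaultValue = "false")
    private Optional<Boolean> requireNamedPrincipal;

    @Inject
    @ConfigProperty(name = "smallrye.jwt.claims.sub")
    private Optional<String> defaultSubClaim;

    @Inject
    @ConfigProperty(name = "smallrye.jwt.path.sub")
    private Optional<String> subPath;

    @Inject
    @ConfigProperty(name = "smallrye.jwt.claims.groups")
    private Optional<String> defaultGroupsClaim;

    @Inject
    @ConfigProperty(name = "smallrye.jwt.path.groups")
    private Optional<String> groupsPath;

    @Inject
    @ConfigProperty(name = "smallrye.jwt.groups-separator", defaultValue = DEFAULT_GROUPS_SEPARATOR)
    private String groupsSeparator;

    // NOTE(review): presumably the number of seconds a token is still accepted after its
    // expiry; how the value is applied is decided by the parser, not here. Confirm.
    @Inject
    @ConfigProperty(name = "smallrye.jwt.expiration.grace", defaultValue = "60")
    private Optional<Integer> expGracePeriodSecs;

    @Inject
    @ConfigProperty(name = "smallrye.jwt.jwks.refresh-interval", defaultValue = "60")
    private Optional<Integer> jwksRefreshInterval;

    // Has no default here. NOTE(review): which signature algorithms are accepted when this
    // is absent is decided in SmallryeJwtUtils.setWhitelistAlgorithms; verify there.
    @Inject
    @ConfigProperty(name = "smallrye.jwt.whitelist.algorithms")
    private Optional<String> whitelistAlgorithms;

    // Has no default here; an absent value reaches the context as null (audience unset).
    @Inject
    @ConfigProperty(name = "smallrye.jwt.verify.aud")
    Optional<Set<String>> expectedAudience;

    /**
     * Builds a provider outside CDI from inline key text.
     *
     * @param str the verification key text (stored as {@code mp.jwt.verify.publickey})
     * @param str2 the expected issuer (stored as {@code mp.jwt.verify.issuer})
     * @return a provider whose remaining settings are the fixed values chosen by {@code create}
     */
    public static JWTAuthContextInfoProvider createWithKey(String str, String str2) {
        return create(str, NONE, str2);
    }

    /**
     * Builds a provider outside CDI from a key location.
     *
     * @param str the key location (stored as {@code mp.jwt.verify.publickey.location})
     * @param str2 the expected issuer (stored as {@code mp.jwt.verify.issuer})
     * @return a provider whose remaining settings are the fixed values chosen by {@code create}
     */
    public static JWTAuthContextInfoProvider createWithKeyLocation(String str, String str2) {
        return create(NONE, str, str2);
    }

    /**
     * Populates every field by hand, standing in for CDI injection.
     *
     * <p>Two values differ from the injected defaults: {@code requireNamedPrincipal} is
     * {@code true} here (config default {@code "false"}) and {@code jwksRefreshInterval} is
     * empty here (config default {@code "60"}).
     *
     * @param str key text, or {@code NONE}
     * @param str2 key location, or {@code NONE}
     * @param str3 expected issuer
     * @throws NullPointerException if {@code str} or {@code str2} is null ({@link Optional#of})
     */
    private static JWTAuthContextInfoProvider create(String str, String str2, String str3) {
        JWTAuthContextInfoProvider provider = new JWTAuthContextInfoProvider();
        provider.mpJwtPublicKey = Optional.of(str);
        provider.mpJwtLocation = Optional.of(str2);
        provider.mpJwtIssuer = str3;
        provider.mpJwtRequireIss = Optional.of(Boolean.TRUE);
        provider.tokenHeader = AUTHORIZATION_HEADER;
        provider.tokenCookie = Optional.empty();
        provider.tokenKeyId = Optional.empty();
        provider.requireNamedPrincipal = Optional.of(Boolean.TRUE);
        provider.defaultSubClaim = Optional.empty();
        provider.subPath = Optional.empty();
        provider.defaultGroupsClaim = Optional.empty();
        provider.groupsPath = Optional.empty();
        provider.expGracePeriodSecs = Optional.of(DEFAULT_EXP_GRACE_PERIOD_SECS);
        provider.jwksRefreshInterval = Optional.empty();
        provider.whitelistAlgorithms = Optional.empty();
        provider.expectedAudience = Optional.empty();
        provider.groupsSeparator = DEFAULT_GROUPS_SEPARATOR;
        return provider;
    }

    /** Returns true when the value is present and is not the {@code NONE} sentinel. */
    private static boolean isConfigured(Optional<String> value) {
        return value.isPresent() && !NONE.equals(value.get());
    }

    /**
     * Produces the verification context, or an empty {@link Optional} when neither key
     * property is configured.
     *
     * @return the populated context, or empty when no key source is configured
     * @throws DeploymentException if the inline key cannot be decoded
     */
    @ApplicationScoped
    @Produces
    Optional<JWTAuthContextInfo> getOptionalContextInfo() {
        log.debugf("init, mpJwtPublicKey=%s, mpJwtIssuer=%s, mpJwtLocation=%s", this.mpJwtPublicKey.orElse("missing"), this.mpJwtIssuer, this.mpJwtLocation.orElse("missing"));
        // An empty Optional is treated like NONE instead of failing on an unchecked get().
        if (!isConfigured(this.mpJwtPublicKey) && !isConfigured(this.mpJwtLocation)) {
            log.debugf("Neither mpJwtPublicKey nor mpJwtLocation properties are configured, JWTAuthContextInfo will not be available");
            return Optional.empty();
        }
        JWTAuthContextInfo info = new JWTAuthContextInfo();
        decodeMpJwtPublicKey(info);
        if (this.mpJwtIssuer == null || NONE.equals(this.mpJwtIssuer)) {
            // NOTE(review): this write never survives. The unconditional setRequireIssuer call
            // below replaces it, so with the default mp.jwt.verify.requireiss=true the context
            // ends up with requireIssuer=true and no issuedBy value. Confirm how the token
            // parser treats that combination; set mp.jwt.verify.issuer so that an expected
            // issuer value is always present.
            info.setRequireIssuer(false);
        } else {
            info.setIssuedBy(this.mpJwtIssuer);
        }
        info.setRequireIssuer(this.mpJwtRequireIss.orElse(true));
        if (isConfigured(this.mpJwtLocation)) {
            info.setPublicKeyLocation(this.mpJwtLocation.get());
        }
        if (this.tokenHeader != null) {
            info.setTokenHeader(this.tokenHeader);
        }
        info.setTokenKeyId(this.tokenKeyId.orElse(null));
        // Fall back to the declared defaults rather than unboxing a null when the value is empty.
        info.setRequireNamedPrincipal(this.requireNamedPrincipal.orElse(false));
        SmallryeJwtUtils.setContextTokenCookie(info, this.tokenCookie);
        info.setDefaultSubjectClaim(this.defaultSubClaim.orElse(null));
        SmallryeJwtUtils.setContextSubPath(info, this.subPath);
        info.setDefaultGroupsClaim(this.defaultGroupsClaim.orElse(null));
        SmallryeJwtUtils.setContextGroupsPath(info, this.groupsPath);
        info.setExpGracePeriodSecs(this.expGracePeriodSecs.orElse(DEFAULT_EXP_GRACE_PERIOD_SECS));
        info.setJwksRefreshInterval(this.jwksRefreshInterval.orElse(null));
        SmallryeJwtUtils.setWhitelistAlgorithms(info, this.whitelistAlgorithms);
        info.setExpectedAudience(this.expectedAudience.orElse(null));
        info.setGroupsSeparator(this.groupsSeparator);
        return Optional.of(info);
    }

    /**
     * Decodes the inline {@code mp.jwt.verify.publickey} value and installs it as the signer
     * key. Does nothing when the property is absent or {@code NONE}.
     *
     * <p>The text is tried as JWK(S) first and as PEM second. Both paths cast the result to
     * {@link RSAPublicKey}, so a key of any other type fails the cast and is treated as a
     * decoding failure. If both attempts fail the deployment is aborted, so no context is
     * produced with a configured but unusable key.
     *
     * @param jWTAuthContextInfo the context that receives the signer key
     * @throws DeploymentException if the value decodes neither as JWK(S) nor as PEM
     */
    protected void decodeMpJwtPublicKey(JWTAuthContextInfo jWTAuthContextInfo) {
        if (!isConfigured(this.mpJwtPublicKey)) {
            return;
        }
        String keyText = this.mpJwtPublicKey.get();
        try {
            jWTAuthContextInfo.setSignerKey((RSAPublicKey) KeyUtils.decodeJWKSPublicKey(keyText));
            log.debugf("mpJwtPublicKey parsed as JWK(S)");
        } catch (Exception jwkFailure) {
            log.debugf("mpJwtPublicKey failed as JWK(S), %s", jwkFailure.getMessage());
            try {
                jWTAuthContextInfo.setSignerKey((RSAPublicKey) KeyUtils.decodePublicKey(keyText));
                log.debugf("mpJwtPublicKey parsed as PEM");
            } catch (Exception pemFailure) {
                // Keep the JWK(S) failure on the stack trace; otherwise only the PEM error is
                // reported and a malformed JWK is hard to diagnose.
                if (pemFailure != jwkFailure) {
                    pemFailure.addSuppressed(jwkFailure);
                }
                throw new DeploymentException(pemFailure);
            }
        }
    }

    /** Returns the raw {@code mp.jwt.verify.publickey} value. */
    public Optional<String> getMpJwtPublicKey() {
        return this.mpJwtPublicKey;
    }

    /** Returns the raw {@code mp.jwt.verify.issuer} value. */
    public String getMpJwtIssuer() {
        return this.mpJwtIssuer;
    }

    /** Returns the raw {@code mp.jwt.verify.publickey.location} value. */
    public Optional<String> getMpJwtLocation() {
        return this.mpJwtLocation;
    }

    /** Returns the raw {@code mp.jwt.verify.requireiss} value. */
    public Optional<Boolean> getMpJwtRequireIss() {
        return this.mpJwtRequireIss;
    }

    /** Returns the raw {@code smallrye.jwt.token.header} value. */
    public String getTokenHeader() {
        return this.tokenHeader;
    }

    /** Returns the raw {@code smallrye.jwt.token.cookie} value. */
    public Optional<String> getTokenCookie() {
        return this.tokenCookie;
    }

    /** Returns the raw {@code smallrye.jwt.token.kid} value. */
    public Optional<String> getTokenKeyId() {
        return this.tokenKeyId;
    }

    /** Returns the raw {@code smallrye.jwt.expiration.grace} value. */
    public Optional<Integer> getExpGracePeriodSecs() {
        return this.expGracePeriodSecs;
    }

    /** Returns the raw {@code smallrye.jwt.jwks.refresh-interval} value. */
    public Optional<Integer> getJwksRefreshInterval() {
        return this.jwksRefreshInterval;
    }

    /** Returns the raw {@code smallrye.jwt.claims.groups} value. */
    public Optional<String> getDefaultGroupsClaim() {
        return this.defaultGroupsClaim;
    }

    /** Returns the raw {@code smallrye.jwt.path.groups} value. */
    public Optional<String> getGroupsPath() {
        return this.groupsPath;
    }

    /** Returns the raw {@code smallrye.jwt.groups-separator} value. */
    public String getGroupsSeparator() {
        return this.groupsSeparator;
    }

    /** Returns the raw {@code smallrye.jwt.path.sub} value. */
    public Optional<String> getSubjectPath() {
        return this.subPath;
    }

    /** Returns the raw {@code smallrye.jwt.claims.sub} value. */
    public Optional<String> getDefaultSubjectClaim() {
        return this.defaultSubClaim;
    }

    /** Returns the raw {@code smallrye.jwt.whitelist.algorithms} value. */
    public Optional<String> getWhitelistAlgorithms() {
        return this.whitelistAlgorithms;
    }

    /** Returns the raw {@code smallrye.jwt.verify.aud} value. */
    public Optional<Set<String>> getExpectedAudience() {
        return this.expectedAudience;
    }

    /**
     * Produces the verification context and fails when no key source is configured.
     *
     * @return the populated context
     * @throws IllegalStateException if neither key property is set
     * @throws DeploymentException if the inline key cannot be decoded
     */
    @ApplicationScoped
    @Produces
    public JWTAuthContextInfo getContextInfo() {
        return getOptionalContextInfo().orElseThrow(throwException());
    }

    /** Supplies the exception raised when no key property has been configured. */
    private static Supplier<IllegalStateException> throwException() {
        return () -> new IllegalStateException("JWTAuthContextInfo has not been initialized. Please make sure that either 'mp.jwt.verify.publickey' or 'mp.jwt.verify.publickey.location' properties are set.");
    }
}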
