package com.atlassian.asap.core.server.jersey;

import com.atlassian.asap.api.Jwt;
import com.atlassian.asap.api.exception.AuthorizationFailedException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.function.Function;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.apache.commons.lang3.StringUtils;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:com/atlassian/asap/core/server/jersey/WhiteListAsapValidator.class */
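/**
 * {@link AsapValidator} that authorizes a {@link Jwt} by checking its subject and issuer claims
 * against allow-lists obtained from a pluggable provider.
 *
 * <p><b>Security note: an empty list does not restrict.</b> Each check is skipped when the list
 * it consults is empty, so a {@link Whitelist} with no subjects and no issuers lets every token
 * that reaches {@link #validate} through. Deployments that need deny-by-default must make sure
 * the provider in use always yields at least one non-empty list.
 *
 * <p>NOTE(review): nothing in this class checks the token's signature, expiry or audience; that
 * is presumably done before {@code validate} is called. Confirm at the call site.
 */
public final class WhiteListAsapValidator implements AsapValidator {
    private final Function<Asap, Whitelist> whitelistProvider;

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Provider that prefers the values declared on the {@link Asap} annotation and falls back to a
     * fixed, configuration-supplied {@link Whitelist} when the annotation declares neither
     * subjects nor issuers.
     *
     * <p>If the configured sets are empty as well, the resulting whitelist restricts nothing.
     */
    static class AsapAnnotationWhitelistProviderWithConfigSupport implements Function<Asap, Whitelist> {
        private final Whitelist whiteList;

        /* JADX INFO: Access modifiers changed from: package-private */
        /**
         * @param set authorized subjects used when the annotation declares nothing; must not be null
         * @param set2 authorized issuers used when the annotation declares nothing; must not be null
         */
        public AsapAnnotationWhitelistProviderWithConfigSupport(Set<String> set, Set<String> set2) {
            this.whiteList = new Whitelist(set, set2);
        }

        /**
         * Returns the configured whitelist when the annotation lists no issuers and no subjects,
         * otherwise a whitelist built from the annotation alone.
         */
        @Override // java.util.function.Function
        public Whitelist apply(Asap asap) {
            boolean annotationIsBlank =
                    asap.authorizedIssuers().length == 0 && asap.authorizedSubjects().length == 0;
            if (annotationIsBlank) {
                return this.whiteList;
            }
            return fromAnnotation(asap);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Provider that builds the {@link Whitelist} purely from the {@link Asap} annotation. An
     * annotation that declares neither subjects nor issuers yields a whitelist that restricts
     * nothing.
     */
    public static class AsapWhitelistProvider implements Function<Asap, Whitelist> {
        @Override // java.util.function.Function
        public Whitelist apply(Asap asap) {
            return fromAnnotation(asap);
        }
    }

    /**
     * Provider that ignores the {@link Asap} annotation and reads both allow-lists from a map of
     * variables, by default the process environment.
     *
     * <p>Each variable is a comma-separated list; entries are trimmed and empty entries dropped.
     * A missing or blank variable produces an empty set, which means "no restriction" for the
     * corresponding check. An unset environment therefore accepts every subject and issuer.
     */
    static class EnvironmentVariablesWhitelistProvider implements Function<Asap, Whitelist> {
        public static final String AUTHORIZED_SUBJECTS_KEY = "ASAP_AUTHORIZED_SUBJECTS";
        public static final String AUTHORIZED_ISSUERS_KEY = "ASAP_AUTHORIZED_ISSUERS";
        private final String authorizedSubjectsVariableName;
        private final String authorizedIssuersVariableName;
        private final Map<String, String> variables;

        /* JADX INFO: Access modifiers changed from: package-private */
        /** Reads {@value #AUTHORIZED_SUBJECTS_KEY} and {@value #AUTHORIZED_ISSUERS_KEY} from {@link System#getenv()}. */
        public EnvironmentVariablesWhitelistProvider() {
            this(AUTHORIZED_SUBJECTS_KEY, AUTHORIZED_ISSUERS_KEY, System.getenv());
        }

        /**
         * @param str name of the variable holding the authorized subjects; must not be null
         * @param str2 name of the variable holding the authorized issuers; must not be null
         * @param map variable source to read from; must not be null
         * @throws NullPointerException if any argument is null
         */
        EnvironmentVariablesWhitelistProvider(String str, String str2, Map<String, String> map) {
            this.authorizedSubjectsVariableName = Objects.requireNonNull(str);
            this.authorizedIssuersVariableName = Objects.requireNonNull(str2);
            // Reject a null source here, like the two names above, instead of failing with a
            // NullPointerException on the first request that reaches apply().
            this.variables = Objects.requireNonNull(map);
        }

        /** Builds the whitelist from the two variables; the annotation argument is not consulted. */
        @Override // java.util.function.Function
        public Whitelist apply(Asap asap) {
            return new Whitelist(getEnv(this.authorizedSubjectsVariableName), getEnv(this.authorizedIssuersVariableName));
        }

        /** Splits the named variable on commas into a set of trimmed, non-empty entries. */
        private Set<String> getEnv(String str) {
            String raw = this.variables.getOrDefault(str, "");
            return Stream.of(raw.split(","))
                    .map(String::trim)
                    .filter(StringUtils::isNotEmpty)
                    .collect(Collectors.toSet());
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Immutable pair of allow-lists: authorized subjects and authorized issuers. An empty set
     * means the corresponding claim is not restricted by this whitelist.
     */
    public static class Whitelist {
        private final Set<String> authorizedSubjects;
        private final Set<String> authorizedIssuers;

        /**
         * @param set authorized subjects; must not be null
         * @param set2 authorized issuers; must not be null
         * @throws NullPointerException if either set is null
         */
        Whitelist(Set<String> set, Set<String> set2) {
            // Copy before wrapping: unmodifiableSet alone is only a view, so a caller that kept a
            // reference to its own set could otherwise change the allow-list after construction.
            this.authorizedSubjects = Collections.unmodifiableSet(new HashSet<>(Objects.requireNonNull(set)));
            this.authorizedIssuers = Collections.unmodifiableSet(new HashSet<>(Objects.requireNonNull(set2)));
        }

        /** @return unmodifiable set of authorized subjects; empty means unrestricted */
        Set<String> getAuthorizedSubjects() {
            return this.authorizedSubjects;
        }

        /** @return unmodifiable set of authorized issuers; empty means unrestricted */
        Set<String> getAuthorizedIssuers() {
            return this.authorizedIssuers;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * @param function supplies the {@link Whitelist} to enforce for a given annotation; must not be null
     * @throws NullPointerException if {@code function} is null
     */
    public WhiteListAsapValidator(Function<Asap, Whitelist> function) {
        this.whitelistProvider = Objects.requireNonNull(function);
    }

    /** Builds a whitelist from the subjects and issuers declared on the annotation. */
    private static Whitelist fromAnnotation(Asap asap) {
        Set<String> subjects = Arrays.stream(asap.authorizedSubjects()).collect(Collectors.toSet());
        Set<String> issuers = Arrays.stream(asap.authorizedIssuers()).collect(Collectors.toSet());
        return new Whitelist(subjects, issuers);
    }

    /** Renders a set as a comma-separated string for use in error messages. */
    private static String joinSet(Set<String> set) {
        return String.join(",", set);
    }

    /**
     * Checks the token's subject, then its issuer, against the whitelist resolved for {@code asap}.
     *
     * @throws AuthorizationFailedException if either claim is rejected by a non-empty allow-list
     */
    @Override // com.atlassian.asap.core.server.jersey.AsapValidator
    public void validate(Asap asap, Jwt jwt) throws AuthorizationFailedException {
        Whitelist resolved = this.whitelistProvider.apply(asap);
        validateSubject(resolved, jwt);
        validateIssuer(resolved, jwt);
    }

    /**
     * Rejects the token when its issuer is not in the effective issuer allow-list. When no issuers
     * are configured, the subject allow-list is used for the issuer as well; when both are empty
     * the issuer is not checked at all.
     */
    private void validateIssuer(Whitelist whitelist, Jwt jwt) throws AuthorizationFailedException {
        String issuer = jwt.getClaims().getIssuer();
        Set<String> allowed = whitelist.getAuthorizedIssuers().isEmpty()
                ? whitelist.getAuthorizedSubjects()
                : whitelist.getAuthorizedIssuers();
        if (allowed.isEmpty() || allowed.contains(issuer)) {
            return;
        }
        // NOTE(review): the message carries the token-supplied claim value and the complete
        // allow-list. Confirm it is only logged server-side (with the claim value neutralised)
        // and never returned in the response body; the handling is not visible in this file.
        throw new AuthorizationFailedException(String.format("Unacceptable issuer ('%s' not in '%s')", issuer, joinSet(allowed)));
    }

    /**
     * Rejects the token when its subject is not in the subject allow-list. A token without a
     * subject claim is treated as if its subject were its issuer. An empty subject allow-list
     * skips the check.
     */
    private void validateSubject(Whitelist whitelist, Jwt jwt) throws AuthorizationFailedException {
        String effectiveSubject = jwt.getClaims().getSubject().orElse(jwt.getClaims().getIssuer());
        Set<String> allowed = whitelist.getAuthorizedSubjects();
        if (allowed.isEmpty() || allowed.contains(effectiveSubject)) {
            return;
        }
        // NOTE(review): same disclosure consideration as in validateIssuer. The message exposes
        // the full subject allow-list together with the rejected value.
        throw new AuthorizationFailedException(String.format("Unacceptable subject ('%s' not in '%s')", effectiveSubject, joinSet(allowed)));
    }
}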
