package com.atlassian.asap.service.core.impl;

import com.atlassian.asap.VisibleForTesting;
import com.atlassian.asap.api.Jwt;
import com.atlassian.asap.api.exception.CannotRetrieveKeyException;
import com.atlassian.asap.api.exception.InvalidTokenException;
import com.atlassian.asap.core.keys.KeyProvider;
import com.atlassian.asap.core.parser.JwtParser;
import com.atlassian.asap.core.validator.JwtClaimsValidator;
import com.atlassian.asap.core.validator.JwtValidator;
import com.atlassian.asap.core.validator.JwtValidatorImpl;
import com.atlassian.asap.nimbus.parser.NimbusJwtParser;
import com.atlassian.asap.service.api.TokenValidator;
import com.atlassian.asap.service.api.ValidationResult;
import com.atlassian.asap.service.core.spi.AsapConfiguration;
import java.security.PublicKey;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;

/* loaded from: input_file:com/atlassian/asap/service/core/impl/TokenValidatorImpl.class */
/**
 * {@link TokenValidator} implementation that decides, for a single {@code Authorization} header,
 * how the request is to be treated under the configured {@link TokenValidator.Policy}.
 *
 * <p>Flow: the header is only considered when it carries a {@code Bearer } token; that token is
 * parsed and verified by a {@link JwtValidator} built from the injected key provider, parser and
 * claims validator; finally the issuer and subject are checked against the whitelists exposed by
 * {@link AbstractTokenValidator}. Anything read from a token <em>before</em> signature verification
 * (the "unverified issuer") is used only to classify failures, never to grant access.
 *
 * <p>All fields are final; whether an instance is safe to share between threads depends on the
 * injected collaborators and on {@code AbstractTokenValidator}, which are not visible here.
 */
public class TokenValidatorImpl extends AbstractTokenValidator {
    /** Scheme prefix an {@code Authorization} header must start with for the rest to be treated as a serialized JWT. */
    private static final String BEARER_PREFIX = "Bearer ";

    private final KeyProvider<PublicKey> publicKeyProvider;
    private final JwtClaimsValidator jwtClaimsValidator;
    private final JwtParser jwtParser;

    /**
     * Creates a validator backed by the default {@link NimbusJwtParser}.
     *
     * @param asapConfiguration handed to the superclass, which exposes {@code policy()} and the issuer/subject whitelists
     * @param keyProvider source of issuer public keys used for signature verification
     * @param jwtClaimsValidator validator applied to the parsed claims
     * @throws NullPointerException if {@code keyProvider} or {@code jwtClaimsValidator} is {@code null}
     */
    public TokenValidatorImpl(AsapConfiguration asapConfiguration, KeyProvider<PublicKey> keyProvider, JwtClaimsValidator jwtClaimsValidator) {
        this(asapConfiguration, keyProvider, jwtClaimsValidator, new NimbusJwtParser());
    }

    /**
     * Creates a validator with an explicit parser; package-private so tests can substitute one.
     *
     * @throws NullPointerException if {@code keyProvider}, {@code jwtClaimsValidator} or {@code jwtParser} is {@code null}
     */
    @VisibleForTesting
    TokenValidatorImpl(AsapConfiguration asapConfiguration, KeyProvider<PublicKey> keyProvider, JwtClaimsValidator jwtClaimsValidator, JwtParser jwtParser) {
        super(asapConfiguration);
        this.publicKeyProvider = Objects.requireNonNull(keyProvider, "publicKeyProvider");
        this.jwtClaimsValidator = Objects.requireNonNull(jwtClaimsValidator, "jwtClaimsValidator");
        this.jwtParser = Objects.requireNonNull(jwtParser, "jwtParser");
    }

    /**
     * Validates the given {@code Authorization} header according to the configured policy.
     *
     * @param authHeader the raw {@code Authorization} header value, if one was sent
     * @return the outcome for this request; never {@code null}
     * @throws NullPointerException if {@code authHeader} itself is {@code null}
     * @throws IllegalStateException if the policy is not one of the known values
     */
    public ValidationResult validate(Optional<String> authHeader) {
        Objects.requireNonNull(authHeader, "authHeader");
        TokenValidator.Policy policy = policy();
        switch (policy) {
            case REJECT:
                return rejectAsap(authHeader);
            case IGNORE:
                return ValidationResultImpl.abstain();
            case OPTIONAL:
                return optionalAsap(authHeader);
            case REQUIRE:
                return requireAsap(authHeader);
            default:
                throw new IllegalStateException("Unknown authorization policy: " + policy);
        }
    }

    /**
     * REJECT policy: a Bearer token whose issuer can be read is refused; otherwise the validator abstains.
     */
    private ValidationResult rejectAsap(Optional<String> authHeader) {
        Optional<String> unverifiedIssuer = extractSerializedJwt(authHeader).flatMap(this.jwtParser::determineUnverifiedIssuer);
        if (unverifiedIssuer.isPresent()) {
            // The issuer is reported for diagnostics only; nothing about the token has been verified.
            return ValidationResultImpl.rejected(unverifiedIssuer.get());
        }
        return ValidationResultImpl.abstain();
    }

    /**
     * Shared step for OPTIONAL and REQUIRE: empty when there is no Bearer token, or when the token
     * is invalid and not even its issuer can be read.
     */
    private Optional<ValidationResult> verifyBearerToken(Optional<String> authHeader) {
        return extractSerializedJwt(authHeader).flatMap(this::parseAndVerifyToken);
    }

    /** OPTIONAL policy: a missing or unreadable token makes the validator abstain. */
    private ValidationResult optionalAsap(Optional<String> authHeader) {
        return verifyBearerToken(authHeader).orElseGet(ValidationResultImpl::abstain);
    }

    /** REQUIRE policy: a missing or unreadable token is reported as not authenticated. */
    private ValidationResult requireAsap(Optional<String> authHeader) {
        return verifyBearerToken(authHeader).orElseGet(ValidationResultImpl::notAuthenticated);
    }

    /**
     * Reads, signature-checks and claims-validates one serialized token, then applies the issuer
     * and subject authorization rules.
     *
     * @return the result, or empty when the token is invalid <em>and</em> its issuer cannot be
     *     read; the caller's policy then decides between abstaining and failing
     */
    private Optional<ValidationResult> parseAndVerifyToken(String serializedJwt) {
        try {
            JwtValidator validator = createJwtValidator(this.publicKeyProvider, this.jwtParser, this.jwtClaimsValidator, acceptableAudienceValues());
            Jwt jwt = validator.readAndValidate(serializedJwt);
            return Optional.of(verifyAuthorization(jwt));
        } catch (InvalidTokenException invalidToken) {
            // Not a hard failure by design: a token with a readable issuer is "not authenticated",
            // one without is treated as if no ASAP token had been presented at all.
            // NOTE(review): the failure reason is not recorded anywhere here; if the result type
            // cannot carry it, consider logging it for incident triage.
            if (unverifiedIssuerOf(serializedJwt).isPresent()) {
                return Optional.of(ValidationResultImpl.notAuthenticated());
            }
            return Optional.empty();
        } catch (CannotRetrieveKeyException keyLookupFailed) {
            // The signature could not be checked because the issuer's key is unavailable; the
            // (unverified) issuer is reported so callers can tell this apart from a bad token.
            return Optional.of(ValidationResultImpl.notVerified(unverifiedIssuerOf(serializedJwt).orElse(null)));
        }
    }

    /** Issuer claim read without signature verification; used only to classify and report failures. */
    private Optional<String> unverifiedIssuerOf(String serializedJwt) {
        return this.jwtParser.determineUnverifiedIssuer(serializedJwt);
    }

    /**
     * Factory for the validator that performs parsing, signature and claims checks; overridable.
     *
     * @param set the audience values accepted by the claims check
     */
    protected JwtValidator createJwtValidator(KeyProvider<PublicKey> keyProvider, JwtParser jwtParser, JwtClaimsValidator jwtClaimsValidator, Set<String> set) {
        return new JwtValidatorImpl(keyProvider, jwtParser, jwtClaimsValidator, set);
    }

    /**
     * Applies the issuer and subject whitelists to an already verified token: the issuer must be
     * on the impersonation whitelist or pass the non-impersonation rule, and the subject must be
     * allowed; anything else is reported as not authorized for that issuer.
     */
    private ValidationResult verifyAuthorization(Jwt jwt) {
        boolean issuerAllowed = isImpersonationIssuerAuthorized(jwt) || isNonImpersonationIssuerAuthorized(jwt);
        if (issuerAllowed && isSubjectAuthorized(jwt)) {
            return ValidationResultImpl.authorized(jwt);
        }
        return ValidationResultImpl.notAuthorized(jwt.getClaims().getIssuer());
    }

    /**
     * Whether this token is treated as an impersonation token: either impersonation is enabled
     * globally, or the token's issuer is on the impersonation whitelist.
     */
    private boolean subjectImpersonation(Jwt jwt) {
        if (subjectImpersonation()) {
            return true;
        }
        return isImpersonationIssuerAuthorized(jwt);
    }

    /** Whether the token's issuer is on the impersonation whitelist. */
    private boolean isImpersonationIssuerAuthorized(Jwt jwt) {
        return impersonationAuthorizedIssuers().contains(jwt.getClaims().getIssuer());
    }

    /**
     * Issuer rule for issuers that are not on the impersonation whitelist.
     *
     * <ul>
     *   <li>with an explicit issuer whitelist, the issuer must be on it;</li>
     *   <li>without one, and without an impersonation whitelist either, any issuer is accepted as
     *       long as impersonation is not in play;</li>
     *   <li>without one but with an impersonation whitelist, other issuers are refused.</li>
     * </ul>
     *
     * @throws IllegalStateException if impersonation applies while no issuer whitelist is configured
     *     (fail-closed; presumably an unrestricted issuer list plus impersonation would be a
     *     configuration hole)
     */
    private boolean isNonImpersonationIssuerAuthorized(Jwt jwt) {
        if (authorizedIssuers().isEmpty()) {
            if (subjectImpersonation(jwt)) {
                throw new IllegalStateException("Subject impersonation requires an explicit issuer whitelist");
            }
            return impersonationAuthorizedIssuers().isEmpty();
        }
        return authorizedIssuers().contains(jwt.getClaims().getIssuer());
    }

    /**
     * Subject rule. With no subject whitelist every subject is accepted. Otherwise the token's
     * subject claim is looked up; when it is absent, a non-impersonating token falls back to its
     * issuer as the subject, while an impersonating one is looked up as {@code null}.
     */
    private boolean isSubjectAuthorized(Jwt jwt) {
        Set<String> allowedSubjects = authorizedSubjects();
        if (allowedSubjects.isEmpty()) {
            return true;
        }
        Optional<String> subject = jwt.getClaims().getSubject();
        // Computed eagerly (orElse rather than orElseGet) to keep the original evaluation order.
        String fallbackSubject = subjectImpersonation(jwt) ? null : jwt.getClaims().getIssuer();
        // NOTE(review): with an absent subject and impersonation in play this is contains(null);
        // a null-hostile Set implementation (e.g. Set.of) would throw NPE here — confirm what
        // authorizedSubjects() returns.
        return allowedSubjects.contains(subject.orElse(fallbackSubject));
    }

    /**
     * Strips the {@code Bearer } scheme from the header, if present.
     *
     * @return the serialized token, or empty when no header was sent or it uses another scheme
     */
    private static Optional<String> extractSerializedJwt(Optional<String> authHeader) {
        if (!authHeader.isPresent()) {
            return Optional.empty();
        }
        String header = authHeader.get();
        // NOTE(review): the scheme match is case-sensitive; RFC 6750 treats the scheme name
        // case-insensitively — confirm this strictness is intended.
        if (!header.startsWith(BEARER_PREFIX)) {
            return Optional.empty();
        }
        return Optional.of(header.substring(BEARER_PREFIX.length()));
    }
}
