package me.wojnowski.googlecloud4s.auth;

import cats.data.OptionT$;
import cats.data.OptionT$FromOptionPartiallyApplied$;
import cats.effect.kernel.Sync;
import cats.kernel.Eq$;
import cats.syntax.ApplicativeErrorIdOps$;
import cats.syntax.package$all$;
import io.circe.Decoder;
import io.circe.Decoder$;
import io.circe.Error;
import io.circe.KeyDecoder$;
import io.circe.parser.package$;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateFactory;
import java.time.Clock;
import java.time.ZoneId;
import java.util.Base64;
import me.wojnowski.googlecloud4s.auth.TokenValidator;
import pdi.jwt.Jwt$;
import pdi.jwt.JwtClaim;
import scala.MatchError;
import scala.Predef$;
import scala.StringContext;
import scala.Tuple2;
import scala.UninitializedFieldError;
import scala.collection.StringOps$;
import scala.collection.immutable.Map;
import scala.collection.immutable.Nil$;
import scala.runtime.BoxesRunTime;
import scala.runtime.ScalaRunTime$;
import scala.util.Either;
import scala.util.Left;
import scala.util.Right;
import sttp.client3.DeserializationException;
import sttp.client3.IsOption$;
import sttp.client3.SttpBackend;

/* compiled from: TokenValidator.scala */
/* loaded from: input_file:me/wojnowski/googlecloud4s/auth/TokenValidator$.class */
public final class TokenValidator$ {
    public static final TokenValidator$ MODULE$ = new TokenValidator$();
    private static volatile boolean bitmap$init$0;

    public <F> TokenValidator<F> apply(TokenValidator<F> tokenValidator) {
        return tokenValidator;
    }

    public <F> TokenValidator<F> instance(final Sync<F> sync, final SttpBackend<F, Object> sttpBackend) {
        return new TokenValidator<F>(sync, sttpBackend) { // from class: me.wojnowski.googlecloud4s.auth.TokenValidator$$anon$1
            private final Base64.Decoder base64Decoder = Base64.getDecoder();
            private final String expectedIssuer = "https://accounts.google.com";
            private final CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
            private volatile byte bitmap$init$0;
            private final Sync evidence$2$1;
            private final SttpBackend backend$1;

            private Base64.Decoder base64Decoder() {
                if (((byte) (this.bitmap$init$0 & 1)) == 0) {
                    throw new UninitializedFieldError("Uninitialized field: /home/runner/work/googlecloud4s/googlecloud4s/auth/src/main/scala/me/wojnowski/googlecloud4s/auth/TokenValidator.scala: 35");
                }
                Base64.Decoder decoder = this.base64Decoder;
                return this.base64Decoder;
            }

            private String expectedIssuer() {
                if (((byte) (this.bitmap$init$0 & 2)) == 0) {
                    throw new UninitializedFieldError("Uninitialized field: /home/runner/work/googlecloud4s/googlecloud4s/auth/src/main/scala/me/wojnowski/googlecloud4s/auth/TokenValidator.scala: 37");
                }
                String str = this.expectedIssuer;
                return this.expectedIssuer;
            }

            private CertificateFactory certificateFactory() {
                if (((byte) (this.bitmap$init$0 & 4)) == 0) {
                    throw new UninitializedFieldError("Uninitialized field: /home/runner/work/googlecloud4s/googlecloud4s/auth/src/main/scala/me/wojnowski/googlecloud4s/auth/TokenValidator.scala: 39");
                }
                CertificateFactory certificateFactory = this.certificateFactory;
                return this.certificateFactory;
            }

            @Override // me.wojnowski.googlecloud4s.auth.TokenValidator
            public F validateIdentityToken(String str) {
                return (F) package$all$.MODULE$.toFunctorOps(validateAndDecodeIdentityToken(str, Decoder$.MODULE$.decodeHCursor()), this.evidence$2$1).map(option -> {
                    return option.flatMap(either -> {
                        return either.toOption();
                    }).flatMap(hCursor -> {
                        return hCursor.get("aud", Decoder$.MODULE$.decodeString()).toOption().map(str2 -> {
                            return new TargetAudience(str2);
                        });
                    });
                });
            }

            @Override // me.wojnowski.googlecloud4s.auth.TokenValidator
            public <A> F validateAndDecodeIdentityToken(String str, Decoder<A> decoder) {
                return (F) package$all$.MODULE$.toFunctorOps(validateToken(str), this.evidence$2$1).map(option -> {
                    return option.map(jwtClaim -> {
                        return package$.MODULE$.decode(jwtClaim.content(), decoder);
                    });
                });
            }

            private F validateToken(String str) {
                return (F) OptionT$.MODULE$.liftF(cats.effect.package$.MODULE$.Clock().apply(this.evidence$2$1).realTimeInstant(), this.evidence$2$1).map(instant -> {
                    return new Tuple2(instant, Clock.fixed(instant, ZoneId.of("UTC")));
                }, this.evidence$2$1).flatMap(tuple2 -> {
                    if (tuple2 == null) {
                        throw new MatchError(tuple2);
                    }
                    Clock clock = (Clock) tuple2._2();
                    return OptionT$FromOptionPartiallyApplied$.MODULE$.apply$extension(OptionT$.MODULE$.fromOption(), this.extractKid(str).toOption(), this.evidence$2$1).flatMap(str2 -> {
                        return OptionT$.MODULE$.liftF(this.getPublicKey(str2), this.evidence$2$1).flatMap(publicKey -> {
                            return OptionT$FromOptionPartiallyApplied$.MODULE$.apply$extension(OptionT$.MODULE$.fromOption(), Jwt$.MODULE$.apply(clock).decode(str, publicKey).toOption(), this.evidence$2$1).map(jwtClaim -> {
                                return jwtClaim;
                            }, this.evidence$2$1);
                        }, this.evidence$2$1);
                    }, this.evidence$2$1);
                }, this.evidence$2$1).filter(jwtClaim -> {
                    return BoxesRunTime.boxToBoolean($anonfun$validateToken$6(this, jwtClaim));
                }, this.evidence$2$1).value();
            }

            private F getPublicKey(String str) {
                return (F) package$all$.MODULE$.toFlatMapOps(package$all$.MODULE$.toFlatMapOps(this.backend$1.send(sttp.client3.package$.MODULE$.basicRequest().get(sttp.client3.package$.MODULE$.UriContext(new StringContext(ScalaRunTime$.MODULE$.wrapRefArray(new String[]{"https://www.googleapis.com/oauth2/v1/certs"}))).uri(Nil$.MODULE$)).response(sttp.client3.circe.package$.MODULE$.asJsonAlways(Decoder$.MODULE$.decodeMap(KeyDecoder$.MODULE$.decodeKeyString(), Decoder$.MODULE$.decodeString()), IsOption$.MODULE$.otherIsNotOption()))), this.evidence$2$1).flatMap(response -> {
                    Object raiseError$extension;
                    Right right = (Either) response.body();
                    if (right instanceof Right) {
                        raiseError$extension = cats.effect.package$.MODULE$.Sync().apply(this.evidence$2$1).fromOption(((Map) right.value()).get(str), () -> {
                            return new TokenValidator.Error.CouldNotFindCertificate(str);
                        });
                    } else {
                        if (!(right instanceof Left)) {
                            throw new MatchError(right);
                        }
                        raiseError$extension = ApplicativeErrorIdOps$.MODULE$.raiseError$extension(package$all$.MODULE$.catsSyntaxApplicativeErrorId(new TokenValidator.Error.CouldNotParseResponse((DeserializationException) ((Left) right).value())), this.evidence$2$1);
                    }
                    return raiseError$extension;
                }), this.evidence$2$1).flatMap(str2 -> {
                    return cats.effect.package$.MODULE$.Sync().apply(this.evidence$2$1).delay(() -> {
                        return this.certificateFactory().generateCertificate(new ByteArrayInputStream(str2.getBytes())).getPublicKey();
                    });
                });
            }

            private Either<Error, String> extractKid(String str) {
                return package$.MODULE$.parse(new String(base64Decoder().decode(StringOps$.MODULE$.takeWhile$extension(Predef$.MODULE$.augmentString(str), obj -> {
                    return BoxesRunTime.boxToBoolean($anonfun$extractKid$1(BoxesRunTime.unboxToChar(obj)));
                })), StandardCharsets.UTF_8)).flatMap(json -> {
                    return json.hcursor().get("kid", Decoder$.MODULE$.decodeString());
                });
            }

            public static final /* synthetic */ boolean $anonfun$validateToken$7(TokenValidator$$anon$1 tokenValidator$$anon$1, String str) {
                return package$all$.MODULE$.catsSyntaxEq(str, Eq$.MODULE$.catsKernelInstancesForString()).$eq$eq$eq(tokenValidator$$anon$1.expectedIssuer());
            }

            public static final /* synthetic */ boolean $anonfun$validateToken$6(TokenValidator$$anon$1 tokenValidator$$anon$1, JwtClaim jwtClaim) {
                return jwtClaim.issuer().forall(str -> {
                    return BoxesRunTime.boxToBoolean($anonfun$validateToken$7(tokenValidator$$anon$1, str));
                });
            }

            public static final /* synthetic */ boolean $anonfun$extractKid$1(char c) {
                return c != '.';
            }

            {
                this.evidence$2$1 = sync;
                this.backend$1 = sttpBackend;
                this.bitmap$init$0 = (byte) (this.bitmap$init$0 | 1);
                this.bitmap$init$0 = (byte) (this.bitmap$init$0 | 2);
                this.bitmap$init$0 = (byte) (this.bitmap$init$0 | 4);
            }
        };
    }

    private TokenValidator$() {
    }
}
