package me.wojnowski.googlecloud4s.auth;

import cats.Invariant$;
import cats.effect.kernel.Sync;
import cats.syntax.ApplicativeErrorOps$;
import cats.syntax.EitherOps$;
import cats.syntax.MonadErrorOps$;
import cats.syntax.MonadErrorRethrowOps$;
import cats.syntax.package$all$;
import io.circe.Decoder;
import io.circe.Error;
import java.io.Serializable;
import java.nio.charset.StandardCharsets;
import java.security.PublicKey;
import java.time.Clock;
import java.time.Instant;
import java.time.ZoneId;
import java.util.Base64;
import me.wojnowski.googlecloud4s.auth.TokenVerifier;
import pdi.jwt.JwtAlgorithm$RS256$;
import pdi.jwt.JwtCirce$;
import pdi.jwt.JwtClaim;
import pdi.jwt.JwtHeader;
import scala.$less$colon$less$;
import scala.Function3;
import scala.MatchError;
import scala.Option;
import scala.Option$;
import scala.Predef$;
import scala.Some;
import scala.Tuple2;
import scala.Tuple2$;
import scala.collection.IterableOps;
import scala.collection.StringOps$;
import scala.collection.immutable.Seq;
import scala.collection.immutable.Set;
import scala.package$;
import scala.reflect.ClassTag$;
import scala.runtime.BoxedUnit;
import scala.runtime.BoxesRunTime;
import scala.runtime.ModuleSerializationProxy;
import scala.runtime.ScalaRunTime$;
import scala.util.Either;
import scala.util.Try$;
import sttp.client3.SttpBackend;

/* compiled from: TokenVerifier.scala */
/* loaded from: input_file:me/wojnowski/googlecloud4s/auth/TokenVerifier$.class */
/**
 * Decompiled companion object (Scala module singleton) of {@link TokenVerifier}. It holds the
 * factory methods for identity-token (JWT) verifiers and the synthetic lambda bodies the Scala
 * compiler lifted out of the anonymous verifier class.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>The accepted signature algorithms are pinned to RS256 and passed explicitly to the JWT
 *       decoder; the list is not built from the token's own header.</li>
 *   <li>The {@code kid} is read from the token header <em>before</em> any signature check. In this
 *       class it is used only to look up a public key via the {@code PublicKeyProvider}.</li>
 *   <li>The {@code iss} claim must be present and contained in the expected-issuer set, otherwise
 *       verification fails with {@code UnexpectedIssuer}.</li>
 *   <li>No audience ({@code aud}) comparison is visible here. {@code verifyIdentityToken} only
 *       returns the audiences found in the token, so callers must compare them with the audience
 *       they expect.</li>
 * </ul>
 *
 * <p>This is decompiler output: generic types are erased to {@code Object}/raw types and some
 * lambdas are not valid Java. Treat it as a reading aid for the original {@code TokenVerifier.scala}.
 */
public final class TokenVerifier$ implements Serializable {
    // Nested companion objects (Result, Error). The decompiler renders them as null constants;
    // presumably they are initialised by the Scala runtime/static initialiser — TODO confirm.
    public static final TokenVerifier$Result$ me$wojnowski$googlecloud4s$auth$TokenVerifier$$$Result = null;
    public static final TokenVerifier$Error$ Error = null;
    // The single instance of this Scala object.
    public static final TokenVerifier$ MODULE$ = new TokenVerifier$();

    /** Private constructor: the only instance is {@link #MODULE$}. */
    private TokenVerifier$() {
    }

    /**
     * Java-serialization hook: serialises a {@code ModuleSerializationProxy} for this class instead
     * of the object itself (presumably so deserialisation resolves back to the singleton).
     */
    private Object writeReplace() {
        return new ModuleSerializationProxy(TokenVerifier$.class);
    }

    /**
     * Summoner: returns the verifier it is given unchanged.
     *
     * @param tokenVerifier the verifier instance (an implicit parameter in the Scala source, presumably)
     * @return {@code tokenVerifier}
     */
    public <F> TokenVerifier<F> apply(TokenVerifier<F> tokenVerifier) {
        return tokenVerifier;
    }

    /**
     * Builds a verifier with the defaults: a JWK-based {@code PublicKeyProvider} (created with its
     * own default first argument) and the default expected-issuer set from
     * {@link #create$default$2()}.
     *
     * @param sync        effect-type evidence used to run the verification steps
     * @param sttpBackend HTTP backend handed to the JWK key provider
     * @return a verifier using the default key provider and issuer set
     */
    /* renamed from: default, reason: not valid java name */
    public <F> TokenVerifier<F> m43default(Sync<F> sync, SttpBackend<F, Object> sttpBackend) {
        return create(PublicKeyProvider$.MODULE$.jwk(PublicKeyProvider$.MODULE$.jwk$default$1(), sync, sttpBackend), create$default$2(), sync);
    }

    /**
     * Creates a verifier that looks up the signing key by {@code kid}, verifies the token with
     * RS256 only, and accepts only tokens whose issuer is in {@code set}.
     *
     * @param publicKeyProvider source of public keys, queried with the key id from the token header
     * @param set               issuers accepted in the {@code iss} claim; a token with a missing or
     *                          unlisted issuer is rejected
     * @param sync              effect-type evidence used to run the verification steps
     * @return the verifier (an anonymous {@code TokenVerifier} implementation)
     */
    public <F> TokenVerifier<F> create(final PublicKeyProvider<F> publicKeyProvider, final Set<String> set, final Sync<F> sync) {
        return new TokenVerifier<F>(publicKeyProvider, set, sync, this) { // from class: me.wojnowski.googlecloud4s.auth.TokenVerifier$$anon$1
            private final PublicKeyProvider publicKeyProvider$1;
            private final Set expectedIssuers$1;
            private final Sync evidence$2$1;
            // Used only to decode the (still unverified) header segment in extractKid.
            private final Base64.Decoder base64Decoder;
            // Allow-list of signature algorithms handed to the JWT library: RS256 only.
            private final Seq supportedAlgorithms;

            {
                this.publicKeyProvider$1 = publicKeyProvider;
                this.expectedIssuers$1 = set;
                this.evidence$2$1 = sync;
                // Likely a decompiler rendering of the outer-instance null check — TODO confirm.
                if (this == null) {
                    throw new NullPointerException();
                }
                // NOTE(review): Base64.getDecoder() is the basic (RFC 4648 section 4) decoder, while
                // JWT segments use the URL-safe alphabet. A header whose encoding contains '-' or
                // '_' would be rejected here and end up as CouldNotExtractKeyId (fails closed).
                // Check the Scala source; Base64.getUrlDecoder() looks like the intended decoder.
                this.base64Decoder = Base64.getDecoder();
                this.supportedAlgorithms = package$.MODULE$.Seq().apply(ScalaRunTime$.MODULE$.wrapRefArray(new JwtAlgorithm$RS256$[]{JwtAlgorithm$RS256$.MODULE$}));
            }

            /**
             * Verifies the token and, on success, yields the set of its audiences wrapped as
             * {@code TargetAudience}. Failures of type {@code TokenVerifier.Error} are narrowed
             * into the returned {@code Either}; other failures stay in the effect.
             *
             * <p>The audiences are returned, not checked: the caller has to compare them with the
             * audience it expects before trusting the token.
             *
             * @param str the raw identity token
             * @return an effect of {@code Either[TokenVerifier.Error, Set[TargetAudience]]} (types erased here)
             */
            @Override // me.wojnowski.googlecloud4s.auth.TokenVerifier
            public Object verifyIdentityToken(String str) {
                return ApplicativeErrorOps$.MODULE$.attemptNarrow$extension(package$all$.MODULE$.catsSyntaxApplicativeError(package$all$.MODULE$.toFunctorOps(verifyAndParseToken(str), this.evidence$2$1).map(TokenVerifier$::me$wojnowski$googlecloud4s$auth$TokenVerifier$$anon$1$$_$verifyIdentityToken$$anonfun$1), this.evidence$2$1), this.evidence$2$1, ClassTag$.MODULE$.apply(TokenVerifier.Error.class), $less$colon$less$.MODULE$.refl());
            }

            /**
             * Verifies the token, then decodes its claim JSON with the supplied circe decoder.
             * A decoding failure becomes {@code CouldNotDecodeClaim}; as in
             * {@code verifyIdentityToken}, {@code TokenVerifier.Error} failures are narrowed into
             * the returned {@code Either}.
             *
             * @param str     the raw identity token
             * @param decoder circe decoder applied to the verified claim's JSON
             * @return an effect of {@code Either[TokenVerifier.Error, A]} (types erased here)
             */
            @Override // me.wojnowski.googlecloud4s.auth.TokenVerifier
            public Object verifyAndDecodeIdentityToken(String str, Decoder decoder) {
                return ApplicativeErrorOps$.MODULE$.attemptNarrow$extension(package$all$.MODULE$.catsSyntaxApplicativeError(package$all$.MODULE$.toFlatMapOps(verifyAndParseToken(str), this.evidence$2$1).flatMap(result -> {
                    if (result == null) {
                        throw new MatchError(result);
                    }
                    // Pattern match on Result(header, claim, signature); only the claim is used.
                    TokenVerifier.Result unapply = TokenVerifier$Result$.MODULE$.unapply(result);
                    unapply._1();
                    JwtClaim _2 = unapply._2();
                    unapply._3();
                    return cats.effect.package$.MODULE$.Sync().apply(this.evidence$2$1).fromEither(EitherOps$.MODULE$.leftMap$extension(package$all$.MODULE$.catsSyntaxEither(io.circe.parser.package$.MODULE$.decode(_2.toJson(), decoder)), TokenVerifier$::me$wojnowski$googlecloud4s$auth$TokenVerifier$$anon$1$$_$verifyAndDecodeIdentityToken$$anonfun$1$$anonfun$1));
                }), this.evidence$2$1), this.evidence$2$1, ClassTag$.MODULE$.apply(TokenVerifier.Error.class), $less$colon$less$.MODULE$.refl());
            }

            /**
             * Runs the whole verification pipeline, in this order: read the current instant and
             * freeze it in a fixed UTC clock; extract the {@code kid} from the token header; fetch
             * the matching public key (a lookup failure is rethrown as
             * {@code CouldNotFindPublicKey}); decode and verify the token with that key and clock.
             *
             * @param str the raw identity token
             * @return an effect yielding the verified {@code TokenVerifier.Result}
             */
            private Object verifyAndParseToken(String str) {
                return package$all$.MODULE$.toFlatMapOps(package$all$.MODULE$.toFunctorOps(cats.effect.package$.MODULE$.Clock().apply(this.evidence$2$1).realTimeInstant(), this.evidence$2$1).map(TokenVerifier$::me$wojnowski$googlecloud4s$auth$TokenVerifier$$anon$1$$_$verifyAndParseToken$$anonfun$1), this.evidence$2$1).flatMap(tuple2 -> {
                    if (tuple2 == null) {
                        throw new MatchError(tuple2);
                    }
                    // Second tuple element is the fixed clock built from the instant just read.
                    Clock clock = (Clock) tuple2._2();
                    return package$all$.MODULE$.toFlatMapOps(cats.effect.package$.MODULE$.Sync().apply(this.evidence$2$1).fromEither(extractKid(str)), this.evidence$2$1).flatMap(str2 -> {
                        // str2 is the kid taken from the unverified header; it only selects the key.
                        return package$all$.MODULE$.toFlatMapOps(MonadErrorRethrowOps$.MODULE$.rethrow$extension(package$all$.MODULE$.catsSyntaxMonadErrorRethrow(package$all$.MODULE$.toFunctorOps(this.publicKeyProvider$1.getKey(str2), this.evidence$2$1).map(TokenVerifier$::me$wojnowski$googlecloud4s$auth$TokenVerifier$$anon$1$$_$verifyAndParseToken$$anonfun$2$$anonfun$1$$anonfun$1), this.evidence$2$1), this.evidence$2$1), this.evidence$2$1).flatMap(publicKey -> {
                            return package$all$.MODULE$.toFunctorOps(decodeAndVerifyToken(str, clock, publicKey), this.evidence$2$1).map(TokenVerifier$::me$wojnowski$googlecloud4s$auth$TokenVerifier$$anon$1$$_$verifyAndParseToken$$anonfun$2$$anonfun$1$$anonfun$2$$anonfun$1);
                        });
                    });
                });
            }

            /**
             * Decodes the token with the JWT library, passing the public key and the RS256-only
             * algorithm list, then requires the claim's issuer to be an expected one.
             *
             * <p>The fixed clock is given to {@code JwtCirce}; presumably the library uses it for
             * its time-based claim checks (expiration / not-before) — confirm against the library.
             * Errors are passed through {@code TokenVerifier$$anon$2}, which is not shown in this
             * file; it presumably maps library exceptions to {@code TokenVerifier.Error} values.
             *
             * @param str       the raw identity token
             * @param clock     fixed clock representing "now" for this verification
             * @param publicKey key selected by the token's {@code kid}
             * @return an effect yielding the verified {@code TokenVerifier.Result}
             */
            private Object decodeAndVerifyToken(String str, Clock clock, PublicKey publicKey) {
                package$all$ package_all_ = package$all$.MODULE$;
                Sync apply = cats.effect.package$.MODULE$.Sync().apply(this.evidence$2$1);
                package$all$ package_all_2 = package$all$.MODULE$;
                Either either = JwtCirce$.MODULE$.apply(clock).decodeAll(str, publicKey, this.supportedAlgorithms).toEither();
                Function3 function3 = TokenVerifier$::me$wojnowski$googlecloud4s$auth$TokenVerifier$$anon$1$$_$decodeAndVerifyToken$$anonfun$1;
                return MonadErrorOps$.MODULE$.adaptError$extension(package_all_.catsSyntaxMonadError(apply.fromEither((Either) package_all_2.toFlatMapOps(either.map(function3.tupled()), Invariant$.MODULE$.catsMonadErrorForEither()).flatTap(result -> {
                    if (result == null) {
                        throw new MatchError(result);
                    }
                    // The issuer check runs only on a result the library has already decoded successfully.
                    TokenVerifier.Result unapply = TokenVerifier$Result$.MODULE$.unapply(result);
                    unapply._1();
                    JwtClaim _2 = unapply._2();
                    unapply._3();
                    return ensureExpectedIssuer(_2);
                })), this.evidence$2$1), new TokenVerifier$$anon$2(), this.evidence$2$1);
            }

            /**
             * Accepts the claim only when its issuer is present and is a member of the
             * expected-issuer set.
             *
             * @param jwtClaim the decoded claim
             * @return {@code Right(())} when the issuer is expected; otherwise
             *         {@code Left(UnexpectedIssuer(actual, expected))}, which also covers a claim
             *         with no issuer
             */
            private Either ensureExpectedIssuer(JwtClaim jwtClaim) {
                Some issuer = jwtClaim.issuer();
                if (issuer instanceof Some) {
                    if (this.expectedIssuers$1.contains((String) issuer.value())) {
                        return package$.MODULE$.Right().apply(BoxedUnit.UNIT);
                    }
                }
                return package$.MODULE$.Left().apply(TokenVerifier$Error$UnexpectedIssuer$.MODULE$.apply(jwtClaim.issuer(), this.expectedIssuers$1));
            }

            /**
             * Reads the key id from the token header without verifying anything. Any exception
             * while decoding or parsing the header, as well as a header with no {@code kid},
             * results in {@code Left(CouldNotExtractKeyId)}.
             *
             * @param str the raw identity token
             * @return {@code Right(kid)} or {@code Left(CouldNotExtractKeyId)}
             */
            private Either extractKid(String str) {
                return Try$.MODULE$.apply(() -> {
                    // Decompiler artifact (unresolved registers); presumably this.extractKid$$anonfun$1(str).
                    return r1.extractKid$$anonfun$1(r2);
                }).toOption().flatMap(TokenVerifier$::me$wojnowski$googlecloud4s$auth$TokenVerifier$$anon$1$$_$extractKid$$anonfun$2).toRight(TokenVerifier$::me$wojnowski$googlecloud4s$auth$TokenVerifier$$anon$1$$_$extractKid$$anonfun$3);
            }

            /**
             * Takes the characters of the token up to the first {@code '.'} (the header segment),
             * Base64-decodes them, reads the bytes as UTF-8 and parses the result as a JWT header.
             * The input is untrusted at this point; exceptions thrown here are caught by the
             * {@code Try} in {@code extractKid}.
             */
            private final JwtHeader extractKid$$anonfun$1(String str) {
                return JwtCirce$.MODULE$.parseHeader(new String(this.base64Decoder.decode(StringOps$.MODULE$.takeWhile$extension(Predef$.MODULE$.augmentString(str), TokenVerifier$::me$wojnowski$googlecloud4s$auth$TokenVerifier$$anon$1$$_$extractKid$$anonfun$1$$anonfun$adapted$1)), StandardCharsets.UTF_8));
            }
        };
    }

    /**
     * Default value of the second parameter of {@code create}: the expected-issuer set, containing
     * only {@code "https://accounts.google.com"}.
     *
     * <p>NOTE(review): Google's documentation lists the scheme-less form
     * {@code accounts.google.com} as a valid issuer as well; a token carrying it would be rejected
     * with this default (fails closed). Confirm whether that is intended.
     */
    public <F> Set<String> create$default$2() {
        return (Set) Predef$.MODULE$.Set().apply(ScalaRunTime$.MODULE$.wrapRefArray(new String[]{"https://accounts.google.com"}));
    }

    /**
     * Lambda body for {@code verifyIdentityToken}: maps the audience values of the verified claim
     * to a set of {@code TargetAudience}. An absent audience yields an empty set. Nothing is
     * compared against an expected audience here.
     */
    public static final /* synthetic */ Set me$wojnowski$googlecloud4s$auth$TokenVerifier$$anon$1$$_$verifyIdentityToken$$anonfun$1(TokenVerifier.Result result) {
        if (result == null) {
            throw new MatchError(result);
        }
        // Pattern match on Result(header, claim, signature); only the claim is used.
        TokenVerifier.Result unapply = TokenVerifier$Result$.MODULE$.unapply(result);
        unapply._1();
        JwtClaim _2 = unapply._2();
        unapply._3();
        return (Set) ((IterableOps) Option$.MODULE$.option2Iterable(_2.audience()).toSet().flatten(Predef$.MODULE$.$conforms())).map(str -> {
            return TargetAudience$.MODULE$.apply(str);
        });
    }

    /** Lambda body: wraps a circe decoding error in {@code CouldNotDecodeClaim}. */
    public static final /* synthetic */ TokenVerifier.Error.CouldNotDecodeClaim me$wojnowski$googlecloud4s$auth$TokenVerifier$$anon$1$$_$verifyAndDecodeIdentityToken$$anonfun$1$$anonfun$1(Error error) {
        return TokenVerifier$Error$CouldNotDecodeClaim$.MODULE$.apply(error);
    }

    /**
     * Lambda body: pairs the instant read from the effect clock with a {@code java.time.Clock}
     * fixed at that instant in UTC, so one verification run sees a single "now".
     */
    public static final /* synthetic */ Tuple2 me$wojnowski$googlecloud4s$auth$TokenVerifier$$anon$1$$_$verifyAndParseToken$$anonfun$1(Instant instant) {
        return Tuple2$.MODULE$.apply(instant, Clock.fixed(instant, ZoneId.of("UTC")));
    }

    /** Lambda body: maps a key-provider error (left side) to {@code CouldNotFindPublicKey}. */
    public static final /* synthetic */ Either me$wojnowski$googlecloud4s$auth$TokenVerifier$$anon$1$$_$verifyAndParseToken$$anonfun$2$$anonfun$1$$anonfun$1(Either either) {
        return EitherOps$.MODULE$.leftMap$extension(package$all$.MODULE$.catsSyntaxEither(either), error -> {
            return TokenVerifier$Error$CouldNotFindPublicKey$.MODULE$.apply(error);
        });
    }

    /** Lambda body: identity mapping that closes the for-comprehension in {@code verifyAndParseToken}. */
    public static final /* synthetic */ TokenVerifier.Result me$wojnowski$googlecloud4s$auth$TokenVerifier$$anon$1$$_$verifyAndParseToken$$anonfun$2$$anonfun$1$$anonfun$2$$anonfun$1(TokenVerifier.Result result) {
        return result;
    }

    /** Lambda body: builds a {@code Result} from the decoded header, claim and signature string. */
    public static final /* synthetic */ TokenVerifier.Result me$wojnowski$googlecloud4s$auth$TokenVerifier$$anon$1$$_$decodeAndVerifyToken$$anonfun$1(JwtHeader jwtHeader, JwtClaim jwtClaim, String str) {
        return TokenVerifier$Result$.MODULE$.apply(jwtHeader, jwtClaim, str);
    }

    /** Predicate for {@code takeWhile} in header extraction: true until the first {@code '.'} separator. */
    /* JADX INFO: Access modifiers changed from: private */
    public static final /* synthetic */ boolean extractKid$$anonfun$1$$anonfun$1(char c) {
        return c != '.';
    }

    /** Boxed bridge for the predicate above: unboxes the character and delegates. */
    public static /* bridge */ /* synthetic */ boolean me$wojnowski$googlecloud4s$auth$TokenVerifier$$anon$1$$_$extractKid$$anonfun$1$$anonfun$adapted$1(Object obj) {
        return extractKid$$anonfun$1$$anonfun$1(BoxesRunTime.unboxToChar(obj));
    }

    /** Lambda body: returns the optional {@code kid} of a parsed header. */
    public static final /* synthetic */ Option me$wojnowski$googlecloud4s$auth$TokenVerifier$$anon$1$$_$extractKid$$anonfun$2(JwtHeader jwtHeader) {
        return jwtHeader.keyId();
    }

    /** Lambda body: the error value used when no key id could be extracted. */
    public static final TokenVerifier$Error$CouldNotExtractKeyId$ me$wojnowski$googlecloud4s$auth$TokenVerifier$$anon$1$$_$extractKid$$anonfun$3() {
        return TokenVerifier$Error$CouldNotExtractKeyId$.MODULE$;
    }
}
