package com.sap.cloud.sdk.cloudplatform.security;

import com.auth0.jwt.JWT;
import com.auth0.jwt.interfaces.DecodedJWT;
import com.google.common.collect.Sets;
import com.sap.cloud.sdk.cloudplatform.ScpCfCloudPlatform;
import com.sap.cloud.sdk.cloudplatform.resilience.ResilienceConfiguration;
import com.sap.cloud.sdk.cloudplatform.resilience.ResilienceDecorator;
import com.sap.cloud.sdk.cloudplatform.resilience.ResilienceIsolationMode;
import com.sap.cloud.sdk.cloudplatform.security.exception.AuthTokenAccessException;
import com.sap.cloud.sdk.cloudplatform.security.exception.TokenRequestDeniedException;
import com.sap.cloud.sdk.cloudplatform.security.exception.TokenRequestFailedException;
import com.sap.cloud.security.config.OAuth2ServiceConfiguration;
import com.sap.cloud.security.config.Service;
import com.sap.cloud.security.config.cf.CFConstants;
import com.sap.cloud.security.config.cf.CFEnvironment;
import com.sap.cloud.security.token.Token;
import com.sap.cloud.security.token.validation.CombiningValidator;
import com.sap.cloud.security.token.validation.ValidationResult;
import com.sap.cloud.security.token.validation.Validator;
import com.sap.cloud.security.token.validation.validators.JwtValidatorBuilder;
import com.sap.cloud.security.xsuaa.tokenflows.XsuaaTokenFlows;
import io.vavr.control.Option;
import io.vavr.control.Try;
import java.lang.invoke.SerializedLambda;
import java.time.Duration;
import java.util.ArrayList;
import java.util.Collections;
import java.util.EnumSet;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.Future;
import java.util.concurrent.FutureTask;
import java.util.stream.Collectors;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import lombok.Generated;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

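/**
 * Validates JWT bearer tokens against the OAuth2 service bindings of the application and wraps
 * accepted tokens in an {@link AuthToken}.
 *
 * <p>Security-relevant properties of this class:
 * <ul>
 *   <li>{@link #decode(String)} fails closed: with no validator configured, or when every validator
 *       rejects the token, it throws instead of returning a token.</li>
 *   <li>{@code JWT.decode} only parses a token. The only trust decision visible in this class is the
 *       {@code validate} call that precedes it in {@link #validateJwtWithSecurityLibrary}.</li>
 *   <li>Raw bearer tokens are never written to the log.</li>
 * </ul>
 *
 * <p>Decompiler note: this listing was recovered from bytecode. The constructors and methods marked
 * below were package-private in the class file and were widened by the decompiler.
 */
@Deprecated
/* loaded from: input_file:com/sap/cloud/sdk/cloudplatform/security/AuthTokenDecoderXsuaa.class */
class AuthTokenDecoderXsuaa implements AuthTokenDecoder {
    private static final String MESSAGE_INVALID_REFRESH_TOKEN = "Failed to get access token: no valid refresh token found in response of user token flow. Please make sure to correctly bind your application to an OAuth2 compatible service instance.";

    // Validators tried in order by decode(); an empty list makes decode() reject every token.
    @Nonnull
    private final List<CombiningValidator<Token>> tokenValidators;

    // Must stay declared before defaultValidators: the static initializer below already logs.
    @Generated
    private static final Logger log = LoggerFactory.getLogger(AuthTokenDecoderXsuaa.class);

    // Built once at class initialization from the service bindings found in the environment.
    @Nonnull
    private static final List<CombiningValidator<Token>> defaultValidators = loadOauth2Validators();

    /**
     * Creates a decoder that uses the validators derived from the environment at class load time.
     *
     * <p>Decompiler note: access modifier changed from package-private.
     */
    public AuthTokenDecoderXsuaa() {
        this(defaultValidators);
    }

    /**
     * Creates a decoder bound to a single OAuth2 service configuration.
     *
     * <p>Decompiler note: access modifier changed from package-private.
     *
     * @param oAuth2ServiceConfiguration the binding to validate against; when {@code null} a warning
     *     is logged and the decoder gets no validator, so every {@link #decode(String)} call throws
     */
    public AuthTokenDecoderXsuaa(@Nullable OAuth2ServiceConfiguration oAuth2ServiceConfiguration) {
        this(Option.of(oAuth2ServiceConfiguration)
                .onEmpty(() -> log.warn("AuthTokenFacade instantiated without an OAuth2 configuration."))
                .map(AuthTokenDecoderXsuaa::getJwtValidator)
                .map(Collections::singletonList)
                .getOrElse(Collections::emptyList));
    }

    /**
     * Validates the encoded JWT with each configured validator in order and returns the first
     * successfully validated token.
     *
     * @param str the encoded JWT as received from the caller
     * @return the validated token
     * @throws AuthTokenAccessException if no validator is configured, or if every validator rejects
     *     the token; in the latter case each individual failure is attached as a suppressed exception
     */
    @Override // com.sap.cloud.sdk.cloudplatform.security.AuthTokenDecoder
    @Nonnull
    public AuthToken decode(@Nonnull String str) throws AuthTokenAccessException {
        // Fail closed: a decoder without validators must not accept anything.
        if (this.tokenValidators.isEmpty()) {
            throw new AuthTokenAccessException("AuthTokenDecoder was instantiated without a token validator.");
        }
        final List<Throwable> failures = new ArrayList<>();
        for (final CombiningValidator<Token> validator : this.tokenValidators) {
            final Try<DecodedJWT> attempt = Try.of(() -> validateJwtWithSecurityLibrary(str, validator));
            if (attempt.isSuccess()) {
                // The first accepting validator wins; later validators are not consulted.
                return new AuthToken(attempt.get());
            }
            failures.add(attempt.getCause());
            // Only the failure is logged, never the token itself.
            log.debug("JWT validation attempt failed.", attempt.getCause());
        }
        final AuthTokenAccessException rejection = new AuthTokenAccessException("Failed to verify JWT bearer.");
        failures.forEach(rejection::addSuppressed);
        throw rejection;
    }

    /**
     * Runs the given validator on the token and parses the token only if the validator accepts it.
     *
     * @param str the encoded JWT
     * @param validator the validator that decides whether the token is trusted
     * @return the parsed token
     * @throws AuthTokenAccessException if the validator reports the token as invalid
     */
    private DecodedJWT validateJwtWithSecurityLibrary(@Nonnull String str, @Nonnull Validator<Token> validator) {
        final ValidationResult result = validator.validate(Token.create(str));
        if (!result.isValid()) {
            throw new AuthTokenAccessException("The token is invalid: " + result.getErrorDescription());
        }
        // JWT.decode performs no verification of its own, so it must stay behind the isValid() gate.
        return JWT.decode(str);
    }

    /**
     * Builds one validator per OAuth2 service binding found in the environment.
     *
     * <p>A binding whose validator cannot be built is logged and skipped, so the result may be
     * shorter than the list of bindings, or empty.
     *
     * @return the validators that could be built, possibly empty
     */
    @Nonnull
    private static List<CombiningValidator<Token>> loadOauth2Validators() {
        final List<OAuth2ServiceConfiguration> configurations = loadOauth2ServiceConfigurations();
        if (configurations.isEmpty()) {
            log.debug("No OAuth2 validators were registered since no configuration could be loaded.");
        }
        final List<CombiningValidator<Token>> validators = new ArrayList<>();
        for (final OAuth2ServiceConfiguration configuration : configurations) {
            Try.of(() -> getJwtValidator(configuration))
                    .onFailure(th -> log.warn("Failed to load validator.", th))
                    .onSuccess(validators::add);
        }
        return validators;
    }

    /**
     * Reads the OAuth2 service bindings for every combination of {@link Service} and
     * {@link CFConstants.Plan} from the environment.
     *
     * @return the bindings that exist, or an empty list if the environment cannot be read
     */
    @Nonnull
    private static List<OAuth2ServiceConfiguration> loadOauth2ServiceConfigurations() {
        final Try<CFEnvironment> environment = Try.of(() -> {
            final ScpCfCloudPlatform platform = ScpCfCloudPlatform.getInstanceOrThrow();
            return CFEnvironment.getInstance(name -> {
                return K8sWorkarounds.getEnvironmentVariable(platform, name);
            }, System::getProperty);
        });
        if (!environment.isSuccess()) {
            log.error("Failed to read environment data for OAuth2 based configurations.", environment.getCause());
            return Collections.emptyList();
        }
        final List<OAuth2ServiceConfiguration> bindings = new ArrayList<>();
        // Service is the outer loop and plan the inner one, matching the cartesian-product order.
        for (final Service service : EnumSet.allOf(Service.class)) {
            for (final CFConstants.Plan plan : EnumSet.allOf(CFConstants.Plan.class)) {
                final OAuth2ServiceConfiguration binding = environment.get().loadForServicePlan(service, plan);
                if (binding == null) {
                    continue;
                }
                // Logs identifiers only (service, plan, client id, application id).
                log.debug("Found {} service binding with plan {}, client id {} and application id {}.", binding.getService().getCFName(), binding.getProperty("plan"), binding.getClientId(), binding.getProperty("xsappname"));
                bindings.add(binding);
            }
        }
        if (bindings.isEmpty()) {
            log.warn("Could not find any OAuth2 based service bindings.");
        }
        return bindings;
    }

    /**
     * Builds the validator chain for a binding and swaps the library's issuer validator for
     * {@code CustomJwtIssuerValidator}.
     *
     * <p>The stock validator is found by its fully qualified class name. If no validator with that
     * name is in the chain, nothing is removed and nothing is added, so the chain stays exactly as
     * the library built it.
     *
     * <p>Decompiler note: access modifier changed from package-private.
     *
     * @param oAuth2ServiceConfiguration the binding to build the validator for
     * @return the validator chain for that binding
     */
    @Nonnull
    public static CombiningValidator<Token> getJwtValidator(@Nonnull OAuth2ServiceConfiguration oAuth2ServiceConfiguration) {
        final CombiningValidator<Token> chain = JwtValidatorBuilder.getInstance(oAuth2ServiceConfiguration).build();
        final boolean stockIssuerCheckRemoved = chain.getValidators().removeIf(validator -> {
            return "com.sap.cloud.security.token.validation.validators.JwtIssuerValidator".equals(validator.getClass().getName());
        });
        if (stockIssuerCheckRemoved) {
            // NOTE(review): what CustomJwtIssuerValidator accepts is not visible here; confirm it is
            // at least as strict as the validator it replaces.
            chain.getValidators().add(new CustomJwtIssuerValidator(oAuth2ServiceConfiguration));
        }
        return chain;
    }

    /**
     * Requests a refresh token for the given access token through the user token flow.
     *
     * <p>The request runs synchronously on the calling thread before this method returns, so the
     * returned future is already completed. Both the time limiter and the circuit breaker wait
     * duration are set to six seconds.
     *
     * <p>Decompiler note: access modifier changed from package-private.
     *
     * @param decodedJWT the already validated access token
     * @param oAuth2TokenServiceCache optional token service cache, may be {@code null}
     * @return a completed future holding the refresh token or the failure
     */
    public Future<String> getRefreshToken(@Nonnull DecodedJWT decodedJWT, @Nullable OAuth2TokenServiceCache oAuth2TokenServiceCache) {
        final FutureTask<String> task = new FutureTask<String>(ResilienceDecorator.decorateCallable(() -> {
            return sendTokenRequestAndParseResponse(decodedJWT, oAuth2TokenServiceCache);
        }, ResilienceConfiguration.of(ScpCfAuthTokenFacade.class).isolationMode(ResilienceIsolationMode.NO_ISOLATION).timeLimiterConfiguration(ResilienceConfiguration.TimeLimiterConfiguration.of().timeoutDuration(Duration.ofSeconds(6L))).circuitBreakerConfiguration(ResilienceConfiguration.CircuitBreakerConfiguration.of().waitDuration(Duration.ofSeconds(6L)))));
        task.run();
        return task;
    }

    /**
     * Executes the user token flow and extracts the refresh token from the response.
     *
     * @param decodedJWT the access token to exchange
     * @param oAuth2TokenServiceCache optional token service cache, may be {@code null}
     * @return the refresh token, never {@code null}
     * @throws TokenRequestFailedException if the request fails or the response carries no refresh
     *     token; in the second case the exception with the binding hint is attached as the cause
     */
    @Nonnull
    private String sendTokenRequestAndParseResponse(@Nonnull DecodedJWT decodedJWT, @Nullable OAuth2TokenServiceCache oAuth2TokenServiceCache) throws TokenRequestDeniedException, TokenRequestFailedException {
        final String token = decodedJWT.getToken();
        final XsuaaTokenFlows tokenFlows = OAuth2ServiceProvider.builder().tokenServiceCache(oAuth2TokenServiceCache).staticAccessToken(decodedJWT).build().getXsuaaTokenFlows();
        return Try.of(() -> tokenFlows.userTokenFlow().token(token).execute().getRefreshToken())
                // The encoded token is a bearer credential, so it is kept out of the log message.
                .onFailure(th -> log.debug("User token request failed.", th))
                .filter(Objects::nonNull, () -> new TokenRequestFailedException(MESSAGE_INVALID_REFRESH_TOKEN))
                .getOrElseThrow(th -> new TokenRequestFailedException("Refresh JWT request failed", th));
    }

    /**
     * Creates a decoder with an explicit list of validators.
     *
     * @param list the validators to try in order; stored as given, without copying
     * @throws NullPointerException if {@code list} is {@code null}
     */
    @Generated
    AuthTokenDecoderXsuaa(@Nonnull List<CombiningValidator<Token>> list) {
        this.tokenValidators = Objects.requireNonNull(list, "tokenValidators is marked non-null but is null");
    }

    /**
     * Returns the validator list used by {@link #decode(String)}.
     *
     * <p>This is the internal list itself, not a copy. For decoders created with the no-argument
     * constructor it is the shared static default list, so callers should treat it as read-only.
     *
     * @return the configured validators
     */
    @Nonnull
    @Generated
    public List<CombiningValidator<Token>> getTokenValidators() {
        return this.tokenValidators;
    }

    // The decompiled listing also carried a synthetic $deserializeLambda$(SerializedLambda) method.
    // javac generates that method itself for the serializable vavr lambdas used above. The
    // decompiled copy did not compile (a boolean selector assigned -1, duplicate `case true` labels)
    // and its name is reserved for the compiler-synthesized method, so it is not kept in source.
}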
