package de.adorsys.sts.tokenauth;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import java.text.ParseException;
import java.util.ArrayList;
import java.util.List;
import java.util.Optional;
import org.apache.commons.lang3.StringUtils;

/* loaded from: input_file:BOOT-INF/lib/sts-token-auth-0.25.0.jar:de/adorsys/sts/tokenauth/BearerTokenValidator.class */
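/**
 * Validates the value of an HTTP {@code Authorization} header carrying a signed JWT bearer
 * token and turns it into a {@link BearerToken}.
 *
 * <p>Validation outcome is reported through {@code BearerToken.isValid}; no exception is
 * propagated to the caller for a malformed, unsigned or unverifiable token.
 */
public class BearerTokenValidator {
    static final String TOKEN_PREFIX = "Bearer ";
    public static final String HEADER_KEY = "Authorization";
    private final AuthServersProvider authServersProvider;
    private final KeycloakTokenRolesParser keycloakTokenRolesParser = new KeycloakTokenRolesParser();
    private final StringListRolesParser stringListRolesParser = new StringListRolesParser();

    /**
     * @param authServersProvider lookup used to resolve the token's {@code iss} claim to a
     *     configured auth server; a token whose issuer resolves to {@code null} is rejected
     */
    public BearerTokenValidator(AuthServersProvider authServersProvider) {
        this.authServersProvider = authServersProvider;
    }

    /**
     * Validates a raw header value and builds the corresponding {@link BearerToken}.
     *
     * @param str the complete header value, scheme prefix included; may be {@code null}
     * @return a token with {@code isValid(true)}, the verified claims and the extracted roles
     *     when verification succeeds; otherwise a token with {@code isValid(false)} and no
     *     claims. In both cases {@code token} holds {@code str} exactly as passed in.
     */
    public BearerToken extract(String str) {
        Optional<JWTClaimsSet> verified = extractClaims(str);
        if (verified.isPresent()) {
            JWTClaimsSet claims = verified.get();
            return BearerToken.builder().token(str).claims(claims).isValid(true).roles(extractRoles(claims)).build();
        }
        return BearerToken.builder().token(str).isValid(false).build();
    }

    /**
     * Collects roles from the {@code scp} and {@code roles} claims and from whatever
     * {@link KeycloakTokenRolesParser} reads, in that order, into one list.
     *
     * @param jWTClaimsSet claims that have already passed signature verification
     * @return the accumulated roles; duplicates are not removed here
     */
    private List<String> extractRoles(JWTClaimsSet jWTClaimsSet) {
        List<String> roles = new ArrayList<>();
        this.stringListRolesParser.extractRoles(jWTClaimsSet, "scp", roles);
        this.stringListRolesParser.extractRoles(jWTClaimsSet, "roles", roles);
        this.keycloakTokenRolesParser.parseRoles(jWTClaimsSet, roles);
        return roles;
    }

    /**
     * Parses and verifies the JWT contained in a header value.
     *
     * @param str the complete header value; may be {@code null}
     * @return the verified claims, or an empty {@code Optional} when the value is
     *     {@code null}, lacks the {@code "Bearer "} prefix (case-insensitive), cannot be
     *     parsed, declares algorithm {@code none}, names an issuer that
     *     {@code authServersProvider} does not know, or fails processing
     */
    private Optional<JWTClaimsSet> extractClaims(String str) {
        if (str == null || !StringUtils.startsWithIgnoreCase(str, TOKEN_PREFIX)) {
            return Optional.empty();
        }
        try {
            // NOTE(review): the token is everything after the LAST space, so any text between
            // the scheme and the final space is silently ignored. Confirm that gateways or
            // filters in front of this class parse the header the same way.
            SignedJWT jwt = SignedJWT.parse(StringUtils.substringAfterLast(str, StringUtils.SPACE));

            // Only "none" is rejected explicitly here; which signing algorithms and keys are
            // acceptable is decided by MultiAuthJWSKeySelector, which is not visible here.
            if (JWSAlgorithm.NONE.equals(jwt.getHeader().getAlgorithm())) {
                return Optional.empty();
            }

            // The issuer is read from the token BEFORE its signature is checked and is used
            // only to pick the auth server; it must never be trusted for anything else until
            // process() below has succeeded. An unknown issuer yields null and is rejected.
            AuthServer authServer = this.authServersProvider.get(jwt.getJWTClaimsSet().getIssuer());
            if (authServer == null) {
                return Optional.empty();
            }

            // Left as a raw type: the SecurityContext type argument that
            // MultiAuthJWSKeySelector expects cannot be determined from this file.
            DefaultJWTProcessor processor = new DefaultJWTProcessor();
            processor.setJWSKeySelector(new MultiAuthJWSKeySelector(authServer));

            // No claims verifier is configured on the processor, so claim checks are whatever
            // DefaultJWTProcessor applies by default; audience is not checked in this class.
            // No security context is needed, hence the plain null second argument.
            return Optional.of(processor.process(jwt, null));
        } catch (JOSEException | BadJOSEException | ParseException e) {
            // Deliberate: every parse or verification failure maps to "not a valid token".
            // The cause is dropped, so rejected tokens leave no trace for detection or
            // troubleshooting unless the caller records the invalid result.
            return Optional.empty();
        }
    }
}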
