package org.camelbee.security.routes.routes;

import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Date;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import lombok.Generated;
import org.apache.camel.Exchange;
import org.apache.camel.builder.RouteBuilder;
import org.camelbee.security.routes.config.SecurityProperties;
import org.camelbee.security.routes.constant.Constants;
import org.camelbee.security.routes.exception.AuthenticationFailedException;
import org.camelbee.security.routes.exception.InvalidTokenException;
import org.camelbee.security.routes.exception.TokenExpiredException;
import org.camelbee.security.routes.exception.TokenValidationException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.stereotype.Component;

@ConditionalOnProperty(value = {"camelbee.security.enabled"}, havingValue = "true")
@Component
/* loaded from: input_file:org/camelbee/security/routes/routes/JwtValidationRoute.class */
public class JwtValidationRoute extends RouteBuilder {

    @Generated
    private static final Logger log = LoggerFactory.getLogger(JwtValidationRoute.class);
    private final SecurityProperties securityProperties;

    public void configure() throws Exception {
        from("direct:validateJWT").id("jwt-validation").errorHandler(noErrorHandler()).setProperty(Constants.ORIGINAL_BODY, body()).setProperty(Constants.ORIGINAL_CONTENT_TYPE, header("Content-Type")).setProperty(Constants.ORIGINAL_ACCEPT_CONTENT_TYPE, header("Accept")).to("direct:fetchJWKS").id("fetchJWKSEndpoint").process(exchange -> {
            String extractToken = extractToken(exchange);
            JWKSet jWKSet = (JWKSet) exchange.getProperty("jwkSet", JWKSet.class);
            if (jWKSet == null) {
                throw new AuthenticationFailedException("ERROR-AUTH002", "JWKS not available");
            }
            DefaultJWTProcessor defaultJWTProcessor = new DefaultJWTProcessor();
            defaultJWTProcessor.setJWSKeySelector(new JWSVerificationKeySelector(JWSAlgorithm.parse(this.securityProperties.getAlgorithm()), new ImmutableJWKSet(jWKSet)));
            try {
                JWTClaimsSet process = defaultJWTProcessor.process(extractToken, (SecurityContext) null);
                validateClaims(process);
                exchange.setProperty("jwt.claims", process);
                exchange.setProperty("jwt.iss", process.getIssuer());
                exchange.setProperty("jwt.sub", process.getSubject());
                exchange.setProperty("jwt.exp", process.getExpirationTime());
                exchange.setProperty("jwt.iat", process.getIssueTime());
                exchange.setProperty("jwt.nbf", process.getNotBeforeTime());
                exchange.setProperty("jwt.jti", process.getJWTID());
                List<String> extractRoles = extractRoles(process);
                List<String> extractScopes = extractScopes(process);
                exchange.setProperty("jwt.roles", extractRoles);
                exchange.setProperty("jwt.scopes", extractScopes);
                exchange.setProperty("jwt.validated", true);
                log.debug("JWT validated successfully. Subject: {}, Roles: {}, Scopes: {}", new Object[]{process.getSubject(), extractRoles, extractScopes});
                exchange.getIn().setBody(true);
            } catch (Exception e) {
                throw new TokenValidationException("ERROR-AUTH007", "Token validation failed", e);
            }
        }).setBody(exchangeProperty(Constants.ORIGINAL_BODY)).setHeader("Content-Type", exchangeProperty(Constants.ORIGINAL_CONTENT_TYPE)).setHeader("Accept", exchangeProperty(Constants.ORIGINAL_ACCEPT_CONTENT_TYPE));
    }

    private String extractToken(Exchange exchange) {
        String str = (String) exchange.getIn().getHeader("Authorization", String.class);
        if (str == null) {
            throw new InvalidTokenException("ERROR-AUTH001", "Authorization header is missing");
        }
        if (str.startsWith("Bearer ")) {
            return str.substring(7);
        }
        throw new InvalidTokenException("ERROR-AUTH001", "Authorization header is malformed");
    }

    private void validateClaims(JWTClaimsSet jWTClaimsSet) {
        long currentTimeMillis = System.currentTimeMillis();
        long clockSkew = this.securityProperties.getClockSkew() * 1000;
        if (!this.securityProperties.getIssuer().equals(jWTClaimsSet.getIssuer())) {
            throw new TokenValidationException("ERROR-AUTH003", "Invalid token issuer");
        }
        List audience = jWTClaimsSet.getAudience();
        if (audience == null || audience.isEmpty() || !this.securityProperties.getAudience().equals(audience.get(0))) {
            throw new TokenValidationException("ERROR-AUTH004", "Invalid token audience");
        }
        Date expirationTime = jWTClaimsSet.getExpirationTime();
        if (expirationTime != null && currentTimeMillis > expirationTime.getTime() + clockSkew) {
            throw new TokenExpiredException("ERROR-AUTH005", "Token has expired");
        }
        Date notBeforeTime = jWTClaimsSet.getNotBeforeTime();
        if (notBeforeTime != null && currentTimeMillis < notBeforeTime.getTime() - clockSkew) {
            throw new TokenValidationException("ERROR-AUTH006", "Token not yet valid");
        }
    }

    private List<String> extractRoles(JWTClaimsSet jWTClaimsSet) {
        Map<String, Object> claims = jWTClaimsSet.getClaims();
        HashSet hashSet = new HashSet();
        log.debug("Extracting roles from claims with paths: {}", this.securityProperties.getRoleClaims());
        for (String str : this.securityProperties.getRoleClaims()) {
            Object nestedClaimValue = getNestedClaimValue(claims, str);
            if (nestedClaimValue != null) {
                log.debug("Found value for role path '{}': {}", str, nestedClaimValue);
                if (nestedClaimValue instanceof List) {
                    Iterator it = ((List) nestedClaimValue).iterator();
                    while (it.hasNext()) {
                        hashSet.add(String.valueOf(it.next()));
                    }
                } else if (nestedClaimValue instanceof String) {
                    hashSet.addAll(Arrays.asList(((String) nestedClaimValue).split(" ")));
                } else if (nestedClaimValue instanceof Map) {
                    Object obj = ((Map) nestedClaimValue).get("roles");
                    if (obj instanceof List) {
                        Iterator it2 = ((List) obj).iterator();
                        while (it2.hasNext()) {
                            hashSet.add(String.valueOf(it2.next()));
                        }
                    }
                }
            }
        }
        log.debug("Extracted roles: {}", hashSet);
        return new ArrayList(hashSet);
    }

    private List<String> extractScopes(JWTClaimsSet jWTClaimsSet) {
        Map<String, Object> claims = jWTClaimsSet.getClaims();
        HashSet hashSet = new HashSet();
        log.debug("Extracting scopes from claims with paths: {}", this.securityProperties.getScopeClaims());
        for (String str : this.securityProperties.getScopeClaims()) {
            Object nestedClaimValue = getNestedClaimValue(claims, str);
            if (nestedClaimValue != null) {
                log.debug("Found value for scope path '{}': {}", str, nestedClaimValue);
                if (nestedClaimValue instanceof String) {
                    hashSet.addAll(Arrays.asList(((String) nestedClaimValue).split(" ")));
                } else if (nestedClaimValue instanceof List) {
                    Iterator it = ((List) nestedClaimValue).iterator();
                    while (it.hasNext()) {
                        hashSet.add(String.valueOf(it.next()));
                    }
                }
            }
        }
        log.debug("Extracted scopes: {}", hashSet);
        return new ArrayList(hashSet);
    }

    private Object getNestedClaimValue(Map<String, Object> map, String str) {
        Map<String, Object> map2 = map;
        for (String str2 : str.split("\\.")) {
            if (!(map2 instanceof Map)) {
                return null;
            }
            map2 = map2.get(str2);
            if (map2 == null) {
                return null;
            }
        }
        return map2;
    }

    @Generated
    public JwtValidationRoute(SecurityProperties securityProperties) {
        this.securityProperties = securityProperties;
    }
}
