package io.toolsplus.atlassian.connect.play.auth.jwt;

import cats.data.EitherT;
import cats.implicits$;
import cats.syntax.EitherOps$;
import com.google.inject.Inject;
import com.nimbusds.jwt.JWTClaimsSet;
import io.toolsplus.atlassian.connect.play.api.models.AtlassianHost;
import io.toolsplus.atlassian.connect.play.api.models.AtlassianHostUser;
import io.toolsplus.atlassian.connect.play.api.repositories.AtlassianHostRepository;
import io.toolsplus.atlassian.connect.play.auth.jwt.exception.JwtAuthenticationError;
import io.toolsplus.atlassian.connect.play.auth.jwt.exception.JwtBadCredentialsError;
import io.toolsplus.atlassian.connect.play.auth.jwt.request.SelfAuthenticationTokenGenerator$;
import io.toolsplus.atlassian.connect.play.models.AddonProperties;
import io.toolsplus.atlassian.jwt.HttpRequestCanonicalizer$;
import io.toolsplus.atlassian.jwt.Jwt;
import io.toolsplus.atlassian.jwt.JwtParser$;
import io.toolsplus.atlassian.jwt.JwtReader;
import scala.MatchError;
import scala.None$;
import scala.Option;
import scala.Option$;
import scala.Predef$;
import scala.Some;
import scala.StringContext;
import scala.collection.JavaConverters$;
import scala.collection.LinearSeqOptimized;
import scala.collection.TraversableOnce;
import scala.collection.immutable.$colon;
import scala.collection.immutable.List;
import scala.collection.immutable.List$;
import scala.collection.immutable.Nil$;
import scala.concurrent.ExecutionContext$Implicits$;
import scala.concurrent.Future;
import scala.package$;
import scala.reflect.ScalaSignature;
import scala.util.Either;
import scala.util.Right;

/* compiled from: JwtAuthenticationProvider.scala */
@ScalaSignature(bytes = "\u0006\u0001\u0005me\u0001B\u0001\u0003\u0001E\u0011\u0011DS<u\u0003V$\b.\u001a8uS\u000e\fG/[8o!J|g/\u001b3fe*\u00111\u0001B\u0001\u0004U^$(BA\u0003\u0007\u0003\u0011\tW\u000f\u001e5\u000b\u0005\u001dA\u0011\u0001\u00029mCfT!!\u0003\u0006\u0002\u000f\r|gN\\3di*\u00111\u0002D\u0001\nCRd\u0017m]:jC:T!!\u0004\b\u0002\u0013Q|w\u000e\\:qYV\u001c(\"A\b\u0002\u0005%|7\u0001A\n\u0003\u0001I\u0001\"a\u0005\f\u000e\u0003QQ\u0011!F\u0001\u0006g\u000e\fG.Y\u0005\u0003/Q\u0011a!\u00118z%\u00164\u0007\u0002C\r\u0001\u0005\u0003\u0005\u000b\u0011\u0002\u000e\u0002\u001d!|7\u000f\u001e*fa>\u001c\u0018\u000e^8ssB\u00111\u0004I\u0007\u00029)\u0011QDH\u0001\re\u0016\u0004xn]5u_JLWm\u001d\u0006\u0003?\u0019\t1!\u00199j\u0013\t\tCDA\fBi2\f7o]5b]\"{7\u000f\u001e*fa>\u001c\u0018\u000e^8ss\"A1\u0005\u0001B\u0001B\u0003%A%\u0001\nbI\u0012|gnQ8oM&<WO]1uS>t\u0007CA\u0013)\u001b\u00051#BA\u0014\u0007\u0003\u0019iw\u000eZ3mg&\u0011\u0011F\n\u0002\u0010\u0003\u0012$wN\u001c)s_B,'\u000f^5fg\")1\u0006\u0001C\u0001Y\u00051A(\u001b8jiz\"2!L\u00181!\tq\u0003!D\u0001\u0003\u0011\u0015I\"\u00061\u0001\u001b\u0011\u0015\u0019#\u00061\u0001%Q\tQ#\u0007\u0005\u00024u5\tAG\u0003\u00026m\u00051\u0011N\u001c6fGRT!a\u000e\u001d\u0002\r\u001d|wn\u001a7f\u0015\u0005I\u0014aA2p[&\u00111\b\u000e\u0002\u0007\u0013:TWm\u0019;\t\u000bu\u0002A\u0011\u0001 
\u0002\u0019\u0005,H\u000f[3oi&\u001c\u0017\r^3\u0015\u0005}B\u0006#\u0002!F\u000f6\u001bV\"A!\u000b\u0005\t\u001b\u0015\u0001\u00023bi\u0006T\u0011\u0001R\u0001\u0005G\u0006$8/\u0003\u0002G\u0003\n9Q)\u001b;iKJ$\u0006C\u0001%L\u001b\u0005I%B\u0001&\u0015\u0003)\u0019wN\\2veJ,g\u000e^\u0005\u0003\u0019&\u0013aAR;ukJ,\u0007C\u0001(R\u001b\u0005y%B\u0001)\u0003\u0003%)\u0007pY3qi&|g.\u0003\u0002S\u001f\n1\"j\u001e;BkRDWM\u001c;jG\u0006$\u0018n\u001c8FeJ|'\u000f\u0005\u0002U-6\tQK\u0003\u0002(=%\u0011q+\u0016\u0002\u0012\u0003Rd\u0017m]:jC:Dun\u001d;Vg\u0016\u0014\b\"B-=\u0001\u0004Q\u0016A\u00046xi\u000e\u0013X\rZ3oi&\fGn\u001d\t\u0003]mK!\u0001\u0018\u0002\u0003\u001d);Ho\u0011:fI\u0016tG/[1mg\")a\f\u0001C\u0005?\u0006A\u0001/\u0019:tK*;H\u000f\u0006\u0002acB!\u0011-['m\u001d\t\u0011wM\u0004\u0002dM6\tAM\u0003\u0002f!\u00051AH]8pizJ\u0011!F\u0005\u0003QR\tq\u0001]1dW\u0006<W-\u0003\u0002kW\n1Q)\u001b;iKJT!\u0001\u001b\u000b\u0011\u00055|W\"\u00018\u000b\u0005\rQ\u0011B\u00019o\u0005\rQu\u000f\u001e\u0005\u0006ev\u0003\ra]\u0001\u0007e\u0006<(j\u001e;\u0011\u0005Q<hBA\nv\u0013\t1H#\u0001\u0004Qe\u0016$WMZ\u0005\u0003qf\u0014aa\u0015;sS:<'B\u0001<\u0015\u0011\u0015Y\b\u0001\"\u0003}\u0003A)\u0007\u0010\u001e:bGR\u001cE.[3oi.+\u0017\u0010\u0006\u0002~}B!\u0011-['t\u0011\u0015\u0019!\u00101\u0001m\u0011\u001d\t\t\u0001\u0001C\u0005\u0003\u0007\t!CZ3uG\"\fE\u000f\\1tg&\fg\u000eS8tiR!\u0011QAA\u0007!\u0019\u0001UiR'\u0002\bA\u0019A+!\u0003\n\u0007\u0005-QKA\u0007Bi2\f7o]5b]\"{7\u000f\u001e\u0005\u0007\u0003\u001fy\b\u0019A:\u0002\u0013\rd\u0017.\u001a8u\u0017\u0016L\bbBA\n\u0001\u0011%\u0011QC\u0001\nm\u0016\u0014\u0018NZ=KoR$R\u0001YA\f\u00033Aa!WA\t\u0001\u0004Q\u0006\u0002CA\u000e\u0003#\u0001\r!a\u0002\u0002\t!|7\u000f\u001e\u0005\b\u0003?\u0001A\u0011BA\u0011\u0003eI7oU3mM\u0006+H\u000f[3oi&\u001c\u0017\r^5p]R{7.\u001a8\u0015\r\u0005\r\u0012\u0011FA,!\r\u0019\u0012QE\u0005\u0004\u0003O!\"a\u0002\"p_2,\u0017M\u001c\u0005\t\u0003W\ti\u00021\u0001\u0002.\u0005A\u0011\r\u
001a3p].+\u0017\u0010\u0005\u0003\u00020\u0005Ec\u0002BA\u0019\u0003\u001brA!a\r\u0002L9!\u0011QGA%\u001d\u0011\t9$a\u0012\u000f\t\u0005e\u0012Q\t\b\u0005\u0003w\t\u0019E\u0004\u0003\u0002>\u0005\u0005cbA2\u0002@%\tq\"\u0003\u0002\u000e\u001d%\u00111\u0002D\u0005\u0003\u0013)I!a\u0002\u0005\n\u0005}1\u0011BA\u0014\u001f\u0013\r\ty%V\u0001\u000b!J,G-\u001a4j]\u0016$\u0017\u0002BA*\u0003+\u0012\u0001\"\u00113e_:\\U-\u001f\u0006\u0004\u0003\u001f*\u0006\u0002CA-\u0003;\u0001\r!a\u0017\u0002!Utg/\u001a:jM&,Gm\u00117bS6\u001c\b\u0003BA/\u0003Kj!!a\u0018\u000b\u0007\r\t\tGC\u0002\u0002da\n\u0001B\\5nEV\u001cHm]\u0005\u0005\u0003O\nyF\u0001\u0007K/R\u001bE.Y5ngN+G\u000fC\u0004\u0002l\u0001!I!!\u001c\u0002OY\fG.\u001b3bi\u0016\u001cV\r\u001c4BkRDWM\u001c;jG\u0006$\u0018n\u001c8U_.,g.Q;eS\u0016t7-\u001a\u000b\u0007\u0003_\n9(!\u001f\u0011\u000b\u0005LW*!\u001d\u0011\t\u0005\f\u0019h]\u0005\u0004\u0003kZ'\u0001\u0002'jgRD\u0001\"a\u000b\u0002j\u0001\u0007\u0011Q\u0006\u0005\t\u00033\nI\u00071\u0001\u0002\\!9\u0011Q\u0010\u0001\u0005\n\u0005}\u0014\u0001\u000b5pgR\u001cE.[3oi.+\u0017P\u0012:p[N+GNZ!vi\",g\u000e^5dCRLwN\u001c+pW\u0016tGcA?\u0002\u0002\"A\u0011\u0011LA>\u0001\u0004\tY\u0006C\u0004\u0002\u0006\u0002!I!a\"\u0002QY\fG.\u001b3bi\u0016\u001cV\r\u001c4BkRDWM\u001c;jG\u0006$\u0018n\u001c8U_.,gn\u00117jK:$8*Z=\u0015\u0007u\fI\t\u0003\u0005\u0002\f\u0006\r\u0005\u0019AAG\u0003Mi\u0017-\u001f2f\u00072LWM\u001c;LKf\u001cE.Y5n!\u0011\u0019\u0012qR:\n\u0007\u0005EEC\u0001\u0004PaRLwN\u001c\u0005\b\u0003+\u0003A\u0011BAL\u0003}Awn\u001d;DY&,g\u000e^&fs\u001a\u0013x.\\!uY\u0006\u001c8/[1o)>\\WM\u001c\u000b\u0004{\u0006e\u0005\u0002CAF\u0003'\u0003\r!!$")
/* loaded from: input_file:io/toolsplus/atlassian/connect/play/auth/jwt/JwtAuthenticationProvider.class */
/*
 * Decompiled form of the Scala class JwtAuthenticationProvider: authenticates a request carrying a JWT
 * and resolves it to an AtlassianHostUser.
 *
 * Only part of the flow is visible in this file. Several steps live in closure classes
 * (JwtAuthenticationProvider$$anonfun$...) that are compiled separately, so comments below describe
 * what the visible statements do and hedge everything that depends on those closures.
 *
 * The methods with long io$toolsplus$...$$name identifiers are public here but carry compiler-expanded
 * names; presumably they are private in the Scala source and widened so the closure classes can call
 * them - confirm against the original .scala file before treating them as API.
 *
 * NOTE(review): parseJwt() hands only the raw token string to the parser (no key), while the host's
 * shared secret is first used in ...$$verifyJwt(). Any claim read from a parsed-but-not-yet-verified
 * token (issuer, audience, client key) is caller-supplied data and should only be used to select the
 * host whose secret then verifies the token, never as an authorization decision by itself.
 */
public class JwtAuthenticationProvider {
    // Repository used to look up an installed host by its client key.
    private final AtlassianHostRepository hostRepository;
    // Add-on settings; only key() is read in this class.
    private final AddonProperties addonConfiguration;

    /**
     * Entry point: parses the raw JWT from the credentials and continues in a closure.
     *
     * The parse result is lifted into an EitherT over Future and flat-mapped with
     * JwtAuthenticationProvider$$anonfun$authenticate$1, whose body is not in this file.
     * Presumably that closure chains client-key extraction, host lookup and signature
     * verification - TODO confirm. Both type-class instances are built on the global
     * ExecutionContext.
     *
     * @param jwtCredentials raw token plus the canonical HTTP request it was sent with
     * @return the authenticated host user, or a JwtAuthenticationError on the left side
     */
    public EitherT<Future, JwtAuthenticationError, AtlassianHostUser> authenticate(JwtCredentials jwtCredentials) {
        return EitherOps$.MODULE$.toEitherT$extension(implicits$.MODULE$.catsSyntaxEither(parseJwt(jwtCredentials.rawJwt())), implicits$.MODULE$.catsStdInstancesForFuture(ExecutionContext$Implicits$.MODULE$.global())).flatMap(new JwtAuthenticationProvider$$anonfun$authenticate$1(this, jwtCredentials), implicits$.MODULE$.catsStdInstancesForFuture(ExecutionContext$Implicits$.MODULE$.global()));
    }

    /**
     * Parses the raw token string with JwtParser and maps a parser failure through the closure
     * JwtAuthenticationProvider$$anonfun$parseJwt$1 (not visible; presumably it wraps the failure
     * in a JwtAuthenticationError).
     *
     * No key is passed to the parser, so the returned Jwt must be treated as unverified.
     */
    private Either<JwtAuthenticationError, Jwt> parseJwt(String str) {
        return EitherOps$.MODULE$.leftMap$extension(implicits$.MODULE$.catsSyntaxEither(JwtParser$.MODULE$.parse(str)), new JwtAuthenticationProvider$$anonfun$parseJwt$1(this));
    }

    /**
     * Derives the host client key from the token's claims.
     *
     * If the issuer equals the add-on key the token is handled as a self-authentication token:
     * its audience is validated first and the result is passed to a closure (not visible;
     * presumably it calls ...$$hostClientKeyFromSelfAuthenticationToken - TODO confirm).
     * Otherwise the issuer claim itself is used as the client key.
     *
     * NOTE(review): whether {@code jwt} has been signature-checked at this point depends on the
     * caller, which is not visible here; if it has not, the issuer comparison below is a routing
     * decision on untrusted data and must be followed by verification.
     *
     * @param jwt parsed token whose claims are inspected
     * @return the client key, or a JwtBadCredentialsError when a required claim is missing or invalid
     */
    public Either<JwtAuthenticationError, String> io$toolsplus$atlassian$connect$play$auth$jwt$JwtAuthenticationProvider$$extractClientKey(Jwt jwt) {
        JWTClaimsSet claims = jwt.claims();
        String key = this.addonConfiguration.key();
        return isSelfAuthenticationToken(key, claims) ? EitherOps$.MODULE$.flatMap$extension(implicits$.MODULE$.catsSyntaxEither(validateSelfAuthenticationTokenAudience(key, claims)), new JwtAuthenticationProvider$$anonfun$io$toolsplus$atlassian$connect$play$auth$jwt$JwtAuthenticationProvider$$extractClientKey$1(this, claims)) : hostClientKeyFromAtlassianToken(Option$.MODULE$.apply(claims.getIssuer()));
    }

    /**
     * Looks up the host registered under the given client key.
     *
     * The repository's Future result is mapped by a closure (not visible; presumably it turns a
     * missing host into a left-side error) on the global ExecutionContext and wrapped in EitherT.
     *
     * @param str client key to look up
     */
    public EitherT<Future, JwtAuthenticationError, AtlassianHost> io$toolsplus$atlassian$connect$play$auth$jwt$JwtAuthenticationProvider$$fetchAtlassianHost(String str) {
        return new EitherT<>(this.hostRepository.findByClientKey(str).map(new JwtAuthenticationProvider$$anonfun$io$toolsplus$atlassian$connect$play$auth$jwt$JwtAuthenticationProvider$$fetchAtlassianHost$1(this, str), ExecutionContext$Implicits$.MODULE$.global()));
    }

    /**
     * Verifies the raw token against the stored host.
     *
     * A JwtReader is built from the host's shared secret and asked to read and verify the raw JWT
     * together with a hash computed from the canonical HTTP request. Verification failures are
     * mapped through a closure that is not visible in this file.
     *
     * This is the only place in the class where the shared secret is used, so it is the step that
     * turns the parsed claims into trusted ones.
     *
     * @param jwtCredentials raw token and canonical request
     * @param atlassianHost host whose shared secret is used for verification
     */
    public Either<JwtAuthenticationError, Jwt> io$toolsplus$atlassian$connect$play$auth$jwt$JwtAuthenticationProvider$$verifyJwt(JwtCredentials jwtCredentials, AtlassianHost atlassianHost) {
        return EitherOps$.MODULE$.leftMap$extension(implicits$.MODULE$.catsSyntaxEither(new JwtReader(atlassianHost.sharedSecret()).readAndVerify(jwtCredentials.rawJwt(), HttpRequestCanonicalizer$.MODULE$.computeCanonicalRequestHash(jwtCredentials.canonicalHttpRequest()))), new JwtAuthenticationProvider$$anonfun$io$toolsplus$atlassian$connect$play$auth$jwt$JwtAuthenticationProvider$$verifyJwt$1(this));
    }

    /**
     * Returns true when the issuer claim equals the add-on key.
     *
     * The comparison is null-safe: two nulls compare equal, a null on one side only does not.
     *
     * @param str the add-on key
     * @param jWTClaimsSet claims whose issuer is compared
     */
    private boolean isSelfAuthenticationToken(String str, JWTClaimsSet jWTClaimsSet) {
        String issuer = jWTClaimsSet.getIssuer();
        return str != null ? str.equals(issuer) : issuer == null;
    }

    /**
     * Checks that a self-authentication token is addressed to this add-on.
     *
     * Outcomes, as written below:
     *   - exactly one audience equal to the add-on key: Right with that one-element list;
     *   - exactly one audience that differs: Left "Invalid audience (...)";
     *   - empty audience: Left "Missing audience ...";
     *   - anything else: MatchError.
     *
     * NOTE(review): the second pattern also tests for length 1, which the first branch already
     * returned for, so as decompiled a list with two or more audiences reaches
     * {@code throw new MatchError(list)} instead of a JwtBadCredentialsError. The request is still
     * rejected, but through an exception rather than the error channel; check the Scala match for
     * a missing catch-all case (the decompiler may also have misrendered the length test).
     *
     * @param str the add-on key the audience must equal
     * @param jWTClaimsSet claims whose audience list is inspected
     */
    private Either<JwtAuthenticationError, List<String>> validateSelfAuthenticationTokenAudience(String str, JWTClaimsSet jWTClaimsSet) {
        Right apply;
        // Audience claim converted from a java.util.List to an immutable Scala List.
        $colon.colon list = ((TraversableOnce) JavaConverters$.MODULE$.asScalaBufferConverter(jWTClaimsSet.getAudience()).asScala()).toList();
        if (list instanceof $colon.colon) {
            $colon.colon colonVar = list;
            String str2 = (String) colonVar.head();
            // Tail is Nil, i.e. the list has exactly one element.
            if (Nil$.MODULE$.equals(colonVar.tl$1())) {
                // Null-safe inequality: Left when the single audience differs from the add-on key, Right otherwise.
                apply = (str2 != null ? !str2.equals(str) : str != null) ? package$.MODULE$.Left().apply(new JwtBadCredentialsError(new StringContext(Predef$.MODULE$.wrapRefArray(new String[]{"Invalid audience (", ") for self-authentication token"})).s(Predef$.MODULE$.genericWrapArray(new Object[]{str2})))) : package$.MODULE$.Right().apply(colonVar);
                return apply;
            }
        }
        Some unapplySeq = List$.MODULE$.unapplySeq(list);
        // lengthCompare(1) == 0 holds only for a one-element list; see NOTE(review) above.
        if (!unapplySeq.isEmpty() && unapplySeq.get() != null && ((LinearSeqOptimized) unapplySeq.get()).lengthCompare(1) == 0) {
            apply = package$.MODULE$.Left().apply(new JwtBadCredentialsError(new StringContext(Predef$.MODULE$.wrapRefArray(new String[]{"Invalid audience (", ") for self-authentication token"})).s(Predef$.MODULE$.genericWrapArray(new Object[]{list.mkString(",")}))));
        } else {
            // Neither one element nor empty: no pattern matched.
            if (!Nil$.MODULE$.equals(list)) {
                throw new MatchError(list);
            }
            apply = package$.MODULE$.Left().apply(new JwtBadCredentialsError("Missing audience for self-authentication token"));
        }
        return apply;
    }

    /**
     * Reads the host client key from the custom claim named by
     * SelfAuthenticationTokenGenerator.HOST_CLIENT_KEY_CLAIM and validates that it is present.
     *
     * NOTE(review): the claim value is cast to String without a type check, so a token carrying a
     * non-string value for this claim would raise ClassCastException here rather than yield a
     * JwtBadCredentialsError - worth confirming how callers handle that.
     *
     * @param jWTClaimsSet claims of the self-authentication token
     */
    public Either<JwtAuthenticationError, String> io$toolsplus$atlassian$connect$play$auth$jwt$JwtAuthenticationProvider$$hostClientKeyFromSelfAuthenticationToken(JWTClaimsSet jWTClaimsSet) {
        return validateSelfAuthenticationTokenClientKey(Option$.MODULE$.apply((String) jWTClaimsSet.getClaim(SelfAuthenticationTokenGenerator$.MODULE$.HOST_CLIENT_KEY_CLAIM())));
    }

    /**
     * Turns an optional client-key claim of a self-authentication token into an Either.
     *
     * @param option the claim value, None when absent
     * @return Right with the key when present, otherwise Left with a JwtBadCredentialsError
     */
    private Either<JwtAuthenticationError, String> validateSelfAuthenticationTokenClientKey(Option<String> option) {
        Right apply;
        if (option instanceof Some) {
            apply = package$.MODULE$.Right().apply((String) ((Some) option).x());
        } else {
            // Option has only Some and None; the MatchError is the compiler's fallback for anything else.
            if (!None$.MODULE$.equals(option)) {
                throw new MatchError(option);
            }
            apply = package$.MODULE$.Left().apply(new JwtBadCredentialsError("Missing client key claim for self-authentication token"));
        }
        return apply;
    }

    /**
     * Turns the optional issuer of an Atlassian-issued token into an Either; the issuer is used as
     * the host client key (see the call in ...$$extractClientKey).
     *
     * @param option the issuer claim, None when absent
     * @return Right with the key when present, otherwise Left with a JwtBadCredentialsError
     */
    private Either<JwtAuthenticationError, String> hostClientKeyFromAtlassianToken(Option<String> option) {
        Right apply;
        if (option instanceof Some) {
            apply = package$.MODULE$.Right().apply((String) ((Some) option).x());
        } else {
            // Option has only Some and None; the MatchError is the compiler's fallback for anything else.
            if (!None$.MODULE$.equals(option)) {
                throw new MatchError(option);
            }
            apply = package$.MODULE$.Left().apply(new JwtBadCredentialsError("Missing client key claim for Atlassian token"));
        }
        return apply;
    }

    /**
     * Injection constructor: stores the host repository and the add-on configuration.
     *
     * @param atlassianHostRepository repository used for host lookups by client key
     * @param addonProperties add-on settings providing the add-on key
     */
    @Inject
    public JwtAuthenticationProvider(AtlassianHostRepository atlassianHostRepository, AddonProperties addonProperties) {
        this.hostRepository = atlassianHostRepository;
        this.addonConfiguration = addonProperties;
    }
}
