package org.interledger.connector.server.spring.auth.ilpoverhttp;

import com.auth0.jwk.GuavaCachedJwkProvider;
import com.auth0.jwk.JwkProvider;
import com.auth0.jwk.UrlJwkProvider;
import com.auth0.jwt.exceptions.JWTDecodeException;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.spring.security.api.JwtAuthenticationProvider;
import com.auth0.spring.security.api.authentication.PreAuthenticatedAuthenticationJsonWebToken;
import com.github.benmanes.caffeine.cache.Cache;
import com.github.benmanes.caffeine.cache.Caffeine;
import com.github.benmanes.caffeine.cache.LoadingCache;
import com.google.common.collect.Sets;
import com.google.common.eventbus.Subscribe;
import com.google.common.hash.HashCode;
import io.prometheus.client.cache.caffeine.CacheMetricsCollector;
import java.util.ArrayList;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import java.util.function.Supplier;
import okhttp3.HttpUrl;
import org.immutables.value.Value;
import org.interledger.connector.accounts.AccessTokenManager;
import org.interledger.connector.accounts.AccountId;
import org.interledger.connector.accounts.AccountNotFoundProblem;
import org.interledger.connector.accounts.event.AccountCredentialsUpdatedEvent;
import org.interledger.connector.links.LinkSettingsFactory;
import org.interledger.connector.persistence.repositories.AccountSettingsRepository;
import org.interledger.connector.settings.ConnectorSettings;
import org.interledger.crypto.Decryptor;
import org.interledger.crypto.EncryptedSecret;
import org.interledger.link.http.IlpOverHttpLinkSettings;
import org.interledger.link.http.IncomingLinkSettings;
import org.interledger.link.http.JwtAuthSettings;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;

/* loaded from: input_file:BOOT-INF/classes/org/interledger/connector/server/spring/auth/ilpoverhttp/IlpOverHttpAuthenticationProvider.class */
public class IlpOverHttpAuthenticationProvider implements AuthenticationProvider {
    private static final String AUTH_DECISIONS_CACHE_NAME = "ilpOverHttpAuthenticationDecisionsCache";
    private final Decryptor decryptor;
    private final Cache<DecisionsCacheKey, AuthenticationDecision> authenticationDecisions;
    private AccountSettingsRepository accountSettingsRepository;
    private AccessTokenManager accessTokenManager;
    private LinkSettingsFactory linkSettingsFactory;
    private final LoadingCache<HttpUrl, JwkProvider> jwkProviderCache;
    private final Logger logger = LoggerFactory.getLogger(getClass());
    private Set<IlpOverHttpLinkSettings.AuthType> supportedJwtAuthTypes = Sets.newHashSet(IlpOverHttpLinkSettings.AuthType.JWT_HS_256, IlpOverHttpLinkSettings.AuthType.JWT_RS_256);

    /* JADX INFO: Access modifiers changed from: package-private */
    @Value.Immutable
    /* loaded from: input_file:BOOT-INF/classes/org/interledger/connector/server/spring/auth/ilpoverhttp/IlpOverHttpAuthenticationProvider$DecisionsCacheKey.class */
    public interface DecisionsCacheKey {
        static DecisionsCacheKey newKey(AccountId accountId, HashCode hashCode) {
            return ImmutableDecisionsCacheKey.builder().accountId(accountId).tokenHash(hashCode).build();
        }

        AccountId accountId();

        HashCode tokenHash();
    }

    public IlpOverHttpAuthenticationProvider(Supplier<ConnectorSettings> supplier, Decryptor decryptor, AccountSettingsRepository accountSettingsRepository, LinkSettingsFactory linkSettingsFactory, CacheMetricsCollector cacheMetricsCollector, AccessTokenManager accessTokenManager) {
        this.accountSettingsRepository = accountSettingsRepository;
        this.linkSettingsFactory = linkSettingsFactory;
        this.accessTokenManager = accessTokenManager;
        Objects.requireNonNull(supplier);
        this.decryptor = (Decryptor) Objects.requireNonNull(decryptor);
        this.jwkProviderCache = Caffeine.newBuilder().recordStats().maximumSize(100L).build(httpUrl -> {
            return new GuavaCachedJwkProvider(new UrlJwkProvider(httpUrl.url()));
        });
        this.authenticationDecisions = Caffeine.newBuilder().recordStats().maximumSize(5000L).expireAfterWrite(30L, TimeUnit.MINUTES).removalListener((decisionsCacheKey, authenticationDecision, removalCause) -> {
            this.logger.debug("Removing IlpOverHttp AuthenticationDecision from Cache for Principal: {}", authenticationDecision.getPrincipal());
        }).build();
        ((CacheMetricsCollector) Objects.requireNonNull(cacheMetricsCollector)).addCache(AUTH_DECISIONS_CACHE_NAME, this.authenticationDecisions);
    }

    @Override // org.springframework.security.authentication.AuthenticationProvider
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        try {
            if (!(authentication instanceof BearerAuthentication)) {
                this.logger.debug("Unsupported authentication type: " + authentication.getClass());
                return null;
            }
            AuthenticationDecision authenticateBearer = authenticateBearer((BearerAuthentication) authentication);
            if (authenticateBearer.isAuthenticated()) {
                return authenticateBearer;
            }
            throw new BadCredentialsException("Authentication failed for principal: " + authenticateBearer.getPrincipal());
        } catch (AccountNotFoundProblem e) {
            throw new BadCredentialsException("Account not found for principal: " + authentication.getPrincipal());
        } catch (BadCredentialsException e2) {
            throw handleBadCredentialsException(e2, authentication);
        } catch (Exception e3) {
            if (e3.getCause() == null || !BadCredentialsException.class.isAssignableFrom(e3.getCause().getClass())) {
                throw new BadCredentialsException("Unable to validate token due to system error", e3);
            }
            throw e3;
        }
    }

    @Subscribe
    public void handleCredentialsUpdatedEvent(AccountCredentialsUpdatedEvent accountCredentialsUpdatedEvent) {
        ArrayList arrayList = new ArrayList();
        this.authenticationDecisions.asMap().forEach((decisionsCacheKey, authenticationDecision) -> {
            if (decisionsCacheKey.accountId().equals(accountCredentialsUpdatedEvent.accountId())) {
                arrayList.add(decisionsCacheKey);
            }
        });
        this.authenticationDecisions.invalidateAll(arrayList);
    }

    private RuntimeException handleBadCredentialsException(BadCredentialsException badCredentialsException, Authentication authentication) {
        if (badCredentialsException.getCause() == null || !JWTVerificationException.class.isAssignableFrom(badCredentialsException.getCause().getClass())) {
            throw badCredentialsException;
        }
        return new BadCredentialsException(String.format("Authentication failed for principal: %s. %s", authentication.getPrincipal(), badCredentialsException.getCause().getMessage()));
    }

    private static AuthenticationDecision notAuthenticated() {
        return AuthenticationDecision.builder().credentialHmac(HashCode.fromBytes(new byte[32])).isAuthenticated(false).build();
    }

    private AuthenticationDecision authenticateBearer(BearerAuthentication bearerAuthentication) {
        AccountId accountId = bearerAuthentication.getAccountId();
        return this.authenticationDecisions.get(DecisionsCacheKey.newKey(accountId, bearerAuthentication.hmacSha256()), decisionsCacheKey -> {
            AuthenticationDecision authenticateViaAccountSettings = authenticateViaAccountSettings(bearerAuthentication, accountId);
            return authenticateViaAccountSettings.isAuthenticated() ? authenticateViaAccountSettings : authenticateViaAccountAuthToken(bearerAuthentication).orElse(authenticateViaAccountSettings);
        });
    }

    private AuthenticationDecision authenticateViaAccountSettings(BearerAuthentication bearerAuthentication, AccountId accountId) {
        IncomingLinkSettings orElseThrow = getIncomingLinkSettings(accountId).orElseThrow(() -> {
            return new IllegalArgumentException("no incoming settings for " + accountId);
        });
        return orElseThrow.authType().equals(IlpOverHttpLinkSettings.AuthType.SIMPLE) ? authenticateAsSimple(bearerAuthentication, accountId, orElseThrow) : authenticateAsJwt(bearerAuthentication, accountId, orElseThrow);
    }

    private Optional<AuthenticationDecision> authenticateViaAccountAuthToken(BearerAuthentication bearerAuthentication) {
        return this.accessTokenManager.findByAccountIdAndRawToken(bearerAuthentication.getAccountId(), new String(bearerAuthentication.getBearerToken())).map(accessToken -> {
            return AuthenticationDecision.builder().isAuthenticated(true).credentialHmac(bearerAuthentication.hmacSha256()).principal(bearerAuthentication.getAccountId()).build();
        });
    }

    @Override // org.springframework.security.authentication.AuthenticationProvider
    public boolean supports(Class<?> cls) {
        return BearerAuthentication.class.isAssignableFrom(cls);
    }

    private AuthenticationDecision authenticateAsJwt(BearerAuthentication bearerAuthentication, AccountId accountId, IncomingLinkSettings incomingLinkSettings) {
        try {
            PreAuthenticatedAuthenticationJsonWebToken usingToken = PreAuthenticatedAuthenticationJsonWebToken.usingToken(new String(bearerAuthentication.getBearerToken()));
            if (usingToken == null) {
                throw new JWTDecodeException("jwt decoded to null. Value: " + new String(bearerAuthentication.getBearerToken()));
            }
            if (!this.supportedJwtAuthTypes.contains(incomingLinkSettings.authType())) {
                throw new IllegalStateException("JWT authentication not supported for auth type for incoming link with type " + incomingLinkSettings.authType());
            }
            JwtAuthSettings orElseThrow = incomingLinkSettings.jwtAuthSettings().orElseThrow(() -> {
                return missingJwtAuthSetting(accountId, "jwtAuthSettings");
            });
            switch (incomingLinkSettings.authType()) {
                case JWT_HS_256:
                    return authenticateWithJwtHs256(bearerAuthentication, usingToken, accountId, orElseThrow);
                case JWT_RS_256:
                    return authenticateWithJwtRs256(bearerAuthentication, usingToken, accountId, orElseThrow);
                default:
                    throw new IllegalArgumentException(incomingLinkSettings.authType() + " not supported");
            }
        } catch (JWTDecodeException | AccountNotFoundProblem e) {
            this.logger.debug(e.getMessage(), (Throwable) e);
            return notAuthenticated();
        }
    }

    private AuthenticationDecision authenticateWithJwtRs256(BearerAuthentication bearerAuthentication, PreAuthenticatedAuthenticationJsonWebToken preAuthenticatedAuthenticationJsonWebToken, AccountId accountId, JwtAuthSettings jwtAuthSettings) {
        HttpUrl orElseThrow = jwtAuthSettings.tokenIssuer().orElseThrow(() -> {
            return missingJwtAuthSetting(accountId, "jwtAuthSettings.tokenIssuer");
        });
        Authentication authenticate = new JwtAuthenticationProvider(this.jwkProviderCache.get(JwksUtils.getJwksUrl(orElseThrow)), orElseThrow.toString(), jwtAuthSettings.tokenAudience().orElseThrow(() -> {
            return missingJwtAuthSetting(accountId, "jwtAuthSettings.tokenAudience");
        })).authenticate(preAuthenticatedAuthenticationJsonWebToken);
        if (preAuthenticatedAuthenticationJsonWebToken.getPrincipal().equals(jwtAuthSettings.tokenSubject())) {
            return AuthenticationDecision.builder().principal(accountId).isAuthenticated(authenticate.isAuthenticated()).credentialHmac(bearerAuthentication.hmacSha256()).build();
        }
        throw new BadCredentialsException("jwt subject " + preAuthenticatedAuthenticationJsonWebToken.getPrincipal() + " does not match expected " + jwtAuthSettings.tokenSubject());
    }

    private AuthenticationDecision authenticateWithJwtHs256(BearerAuthentication bearerAuthentication, PreAuthenticatedAuthenticationJsonWebToken preAuthenticatedAuthenticationJsonWebToken, AccountId accountId, JwtAuthSettings jwtAuthSettings) {
        return (AuthenticationDecision) this.decryptor.withDecrypted((EncryptedSecret) jwtAuthSettings.encryptedTokenSharedSecret().map(str -> {
            return EncryptedSecret.fromEncodedValue(str);
        }).orElseThrow(() -> {
            return missingJwtAuthSetting(accountId, "jwtAuthSettings.encryptedTokenSharedSecret");
        }), bArr -> {
            Authentication authenticate = new JwtHs256AuthenticationProvider(jwtAuthSettings.tokenSubject(), bArr).authenticate(preAuthenticatedAuthenticationJsonWebToken);
            this.logger.debug("authenticationProvider returned with an AuthResult: {}", Boolean.valueOf(authenticate.isAuthenticated()));
            return AuthenticationDecision.builder().principal(accountId).isAuthenticated(authenticate.isAuthenticated()).credentialHmac(bearerAuthentication.hmacSha256()).build();
        });
    }

    private IllegalStateException missingJwtAuthSetting(AccountId accountId, String str) {
        return new IllegalStateException("Missing " + str + " for account id " + accountId.value());
    }

    private AuthenticationDecision authenticateAsSimple(BearerAuthentication bearerAuthentication, AccountId accountId, IncomingLinkSettings incomingLinkSettings) {
        try {
            SimpleCredentials simpleCredentials = getSimpleCredentials(bearerAuthentication.getAccountId(), bearerAuthentication.getBearerToken());
            if (!incomingLinkSettings.authType().equals(IlpOverHttpLinkSettings.AuthType.SIMPLE)) {
                throw new BadCredentialsException("SIMPLE auth not configured for account id " + accountId.value());
            }
            return AuthenticationDecision.builder().principal(accountId).credentialHmac(bearerAuthentication.hmacSha256()).isAuthenticated(this.decryptor.isEqualDecrypted(EncryptedSecret.fromEncodedValue(incomingLinkSettings.simpleAuthSettings().orElseThrow(() -> {
                return new BadCredentialsException("No simple auth settings for account id " + accountId.value());
            }).authToken()), simpleCredentials.getAuthToken())).build();
        } catch (AccountNotFoundProblem e) {
            this.logger.debug(e.getMessage(), (Throwable) e);
            return notAuthenticated();
        }
    }

    private Optional<IncomingLinkSettings> getIncomingLinkSettings(AccountId accountId) {
        return ((IlpOverHttpLinkSettings) ((LinkSettingsFactory) Objects.requireNonNull(this.linkSettingsFactory)).constructTyped(this.accountSettingsRepository.findByAccountIdWithConversion(accountId).orElseThrow(() -> {
            return new AccountNotFoundProblem(accountId);
        }))).incomingLinkSettings();
    }

    private static SimpleCredentials getSimpleCredentials(AccountId accountId, byte[] bArr) {
        return SimpleCredentials.builder().principal(accountId).authToken(bArr).build();
    }
}
