package org.eclipse.sensinact.gateway.northbound.security.oidc;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jws;
import io.jsonwebtoken.JwtHandlerAdapter;
import io.jsonwebtoken.JwtParser;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.jackson.io.JacksonDeserializer;
import java.time.Duration;
import java.util.Dictionary;
import java.util.List;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import org.eclipse.jetty.client.HttpClient;
import org.eclipse.jetty.client.dynamic.HttpClientTransportDynamic;
import org.eclipse.jetty.client.util.InputStreamResponseListener;
import org.eclipse.jetty.io.ClientConnectionFactory;
import org.eclipse.jetty.io.ClientConnector;
import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.eclipse.sensinact.core.security.UserInfo;
import org.eclipse.sensinact.gateway.northbound.security.oidc.Certificates;
import org.eclipse.sensinact.northbound.security.api.Authenticator;
import org.osgi.framework.BundleContext;
import org.osgi.framework.ServiceRegistration;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.ConfigurationPolicy;
import org.osgi.service.component.annotations.Deactivate;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Component(configurationPid = {"sensinact.northbound.auth.oidc"}, configurationPolicy = ConfigurationPolicy.REQUIRE)
/* loaded from: input_file:org/eclipse/sensinact/gateway/northbound/security/oidc/OIDCTokenValidator.class */
public class OIDCTokenValidator {
    private static final Logger LOG = LoggerFactory.getLogger(OIDCTokenValidator.class);
    private BundleContext ctx;
    private AuthenticationServiceConfig configuration;
    private HttpClient client;
    private List<Certificates.KeyInfo> keys;
    private ServiceRegistration<Authenticator> reg;
    private final ObjectMapper mapper = JsonMapper.builder().build();
    private boolean running = true;
    private final Object lock = new Object();

    /* loaded from: input_file:org/eclipse/sensinact/gateway/northbound/security/oidc/OIDCTokenValidator$AuthenticationServiceConfig.class */
    public @interface AuthenticationServiceConfig {
        String discoveryURL();

        boolean ignore_ssl_errors() default false;

        String keystore() default "";

        String _keystore_password() default "";

        String truststore() default "";

        String _truststore_password() default "";

        int tokenRefresh() default 600;

        int gracePeriod() default 300;

        String realm();
    }

    /* loaded from: input_file:org/eclipse/sensinact/gateway/northbound/security/oidc/OIDCTokenValidator$Validator.class */
    private static class Validator implements Authenticator {
        private final JwtParser parser;
        private final String realm;

        public Validator(String str, JwtParser jwtParser) {
            this.realm = str;
            this.parser = jwtParser;
        }

        public UserInfo authenticate(String str, String str2) {
            return (UserInfo) this.parser.parse(str2, new JwtHandlerAdapter<UserInfo>() { // from class: org.eclipse.sensinact.gateway.northbound.security.oidc.OIDCTokenValidator.Validator.1
                public UserInfo onClaimsJws(Jws<Claims> jws) {
                    return new JwsUserInfo(jws, jws2 -> {
                        return Set.of();
                    });
                }

                /* renamed from: onClaimsJws, reason: collision with other method in class */
                public /* bridge */ /* synthetic */ Object m3onClaimsJws(Jws jws) {
                    return onClaimsJws((Jws<Claims>) jws);
                }
            });
        }

        public String getRealm() {
            return this.realm;
        }

        public Authenticator.Scheme getScheme() {
            return Authenticator.Scheme.TOKEN;
        }
    }

    @Activate
    void activate(BundleContext bundleContext, AuthenticationServiceConfig authenticationServiceConfig) throws Exception {
        this.configuration = authenticationServiceConfig;
        this.ctx = bundleContext;
        String discoveryURL = authenticationServiceConfig.discoveryURL();
        if (discoveryURL == null || discoveryURL.isBlank()) {
            throw new IllegalArgumentException("The OpenId Connect discovery URL is not set.");
        }
        LOG.info("Starting OIDC validation for {}", discoveryURL);
        this.client = getClient();
        this.client.getExecutor().execute(this::checkAndUpdate);
    }

    @Deactivate
    void stop() {
        ServiceRegistration<Authenticator> serviceRegistration;
        synchronized (this.lock) {
            this.running = false;
            serviceRegistration = this.reg;
            this.reg = null;
        }
        safeUnregister(serviceRegistration);
        try {
            this.client.stop();
        } catch (Exception e) {
        }
    }

    private HttpClient getClient() throws Exception {
        SslContextFactory.Client client = new SslContextFactory.Client(this.configuration.ignore_ssl_errors());
        String keystore = this.configuration.keystore();
        if (!keystore.isBlank()) {
            client.setKeyStorePath(keystore);
            String _keystore_password = this.configuration._keystore_password();
            if (!_keystore_password.isBlank()) {
                client.setKeyStorePassword(_keystore_password);
            }
        }
        String truststore = this.configuration.truststore();
        if (!truststore.isBlank()) {
            client.setTrustStorePath(truststore);
            String _truststore_password = this.configuration._truststore_password();
            if (!_truststore_password.isBlank()) {
                client.setTrustStorePassword(_truststore_password);
            }
        }
        ClientConnector clientConnector = new ClientConnector();
        clientConnector.setSslContextFactory(client);
        clientConnector.setConnectTimeout(Duration.ofSeconds(5L));
        HttpClient httpClient = new HttpClient(new HttpClientTransportDynamic(clientConnector, new ClientConnectionFactory.Info[0]));
        httpClient.start();
        return httpClient;
    }

    private void checkAndUpdate() {
        ServiceRegistration<Authenticator> serviceRegistration;
        boolean z;
        List<Certificates.KeyInfo> loadKeys = loadKeys();
        if (loadKeys == null) {
            synchronized (this.lock) {
                this.keys = null;
                serviceRegistration = this.reg;
                this.reg = null;
                z = this.running;
            }
        } else {
            synchronized (this.lock) {
                if (!loadKeys.equals(this.keys)) {
                    this.keys = loadKeys;
                    ServiceRegistration<Authenticator> serviceRegistration2 = this.reg;
                    this.reg = null;
                }
            }
            ServiceRegistration<Authenticator> registerService = this.ctx.registerService(Authenticator.class, new Validator(this.configuration.realm(), Jwts.parserBuilder().deserializeJsonWith(new JacksonDeserializer(this.mapper)).setSigningKeyResolver(new KeyResolver(loadKeys)).build()), (Dictionary) null);
            synchronized (this.lock) {
                if (loadKeys.equals(this.keys) && this.reg == null && this.running) {
                    this.reg = registerService;
                    serviceRegistration = null;
                } else {
                    serviceRegistration = registerService;
                }
                z = this.running;
            }
        }
        safeUnregister(serviceRegistration);
        if (z) {
            this.client.getScheduler().schedule(this::checkAndUpdate, this.configuration.tokenRefresh(), TimeUnit.SECONDS);
        }
    }

    private void safeUnregister(ServiceRegistration<?> serviceRegistration) {
        if (serviceRegistration != null) {
            try {
                serviceRegistration.unregister();
            } catch (IllegalStateException e) {
            }
        }
    }

    private List<Certificates.KeyInfo> loadKeys() {
        try {
            InputStreamResponseListener inputStreamResponseListener = new InputStreamResponseListener();
            this.client.newRequest(this.configuration.discoveryURL()).accept(new String[]{"application/json"}).send(inputStreamResponseListener);
            String textValue = this.mapper.readTree(inputStreamResponseListener.getInputStream()).get("jwks_uri").textValue();
            if (textValue == null || textValue.isBlank()) {
                LOG.warn("No URI available to query public keys");
                return null;
            }
            InputStreamResponseListener inputStreamResponseListener2 = new InputStreamResponseListener();
            this.client.newRequest(textValue).accept(new String[]{"application/json"}).send(inputStreamResponseListener2);
            return ((Certificates) this.mapper.readValue(inputStreamResponseListener2.getInputStream(), Certificates.class)).getKeys();
        } catch (Exception e) {
            LOG.error("An error occurred while loading the validation keys", e);
            return null;
        }
    }
}
