package com.premiumminds.flowable.service;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jose.util.DefaultResourceRetriever;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import com.nimbusds.oauth2.sdk.id.ClientID;
import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
import com.premiumminds.flowable.conf.KeycloakProperties;
import java.io.IOException;
import java.text.ParseException;
import java.util.ArrayList;
import java.util.List;
import net.minidev.json.JSONArray;
import net.minidev.json.JSONObject;

/* loaded from: input_file:com/premiumminds/flowable/service/KeycloakAccessTokenExtractor.class */
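/**
 * Verifies Keycloak access tokens and reads the user id and client roles from their claims.
 *
 * <p>Signature keys come from the JWK set published at the provider's JWKS URI. The set is
 * downloaded once in the constructor and kept in a final field, so keys the provider rotates
 * in afterwards are not seen by an existing instance.
 */
public class KeycloakAccessTokenExtractor {
    private final ClientID clientId;
    private final OIDCProviderMetadata providerMetadata;
    // Snapshot of the provider's verification keys, taken at construction time.
    private final JWKSet jwkSet;

    /**
     * Builds the extractor and downloads the provider's JWK set.
     *
     * @param keycloakProperties supplies the client id and the connect/read timeouts for the download
     * @param oIDCMetadataHolder supplies the provider metadata (issuer and JWKS URI)
     * @throws RuntimeException if the JWK set cannot be retrieved or parsed
     */
    public KeycloakAccessTokenExtractor(KeycloakProperties keycloakProperties, OIDCMetadataHolder oIDCMetadataHolder) {
        this.clientId = new ClientID(keycloakProperties.getClient().getClientId());
        this.providerMetadata = oIDCMetadataHolder.getProviderMetadata();
        try {
            // NOTE(review): the JWKS URI is used as given by the provider metadata; nothing here
            // checks its scheme, so confirm the metadata is only ever obtained from a trusted
            // source over TLS.
            DefaultResourceRetriever retriever = new DefaultResourceRetriever(
                    keycloakProperties.getConnectTimeout(), keycloakProperties.getReadTimeout());
            this.jwkSet = JWKSet.parse(
                    retriever.retrieveResource(this.providerMetadata.getJWKSetURI().toURL()).getContent());
        } catch (IOException | ParseException e) {
            throw new RuntimeException("problem retrieving jwk sets from keycloak", e);
        }
    }

    /**
     * Verifies the serialized access token and returns the roles granted for this client.
     *
     * @param str the serialized access token
     * @return the client roles, empty when the token carries none
     * @throws RuntimeException if the token fails verification or its role claims are malformed
     */
    public List<String> getRoles(String str) {
        return getRoles(extractClaims(str));
    }

    /**
     * Reads {@code resource_access.<clientId>.roles} from a claims set.
     *
     * <p>This overload performs no verification of its own. Pass only claims returned by
     * {@link #extractClaims(String)}; roles read from an unverified claims set must not be
     * used for authorization.
     *
     * @param jWTClaimsSet the claims to read
     * @return the client roles, empty when any level of the claim is absent
     * @throws RuntimeException if a level of the claim is present but has an unexpected JSON type
     */
    public List<String> getRoles(JWTClaimsSet jWTClaimsSet) {
        List<String> roles = new ArrayList<>();
        JSONObject resourceAccess;
        try {
            resourceAccess = jWTClaimsSet.getJSONObjectClaim("resource_access");
        } catch (ParseException e) {
            throw new RuntimeException("problem retrieving access token roles", e);
        }
        if (resourceAccess == null) {
            return roles;
        }

        Object clientEntry = resourceAccess.get(this.clientId.getValue());
        if (clientEntry == null) {
            return roles;
        }
        // A wrongly typed entry is reported like any other malformed role claim instead of
        // surfacing as a bare ClassCastException.
        if (!(clientEntry instanceof JSONObject)) {
            throw new RuntimeException("problem retrieving access token roles");
        }

        Object rolesClaim = ((JSONObject) clientEntry).get("roles");
        if (rolesClaim == null) {
            return roles;
        }
        if (!(rolesClaim instanceof JSONArray)) {
            throw new RuntimeException("problem retrieving access token roles");
        }

        for (Object role : (JSONArray) rolesClaim) {
            roles.add(role.toString());
        }
        return roles;
    }

    /**
     * Returns the subject ({@code sub}) claim.
     *
     * <p>No verification happens here; pass only claims returned by
     * {@link #extractClaims(String)}.
     *
     * @param jWTClaimsSet the claims to read
     * @return the subject claim
     */
    public String getUserId(JWTClaimsSet jWTClaimsSet) {
        return jWTClaimsSet.getSubject();
    }

    /**
     * Parses the token, verifies its signature against the provider's JWK set and runs the
     * claims through {@code KeycloakAccessTokenVerifier}.
     *
     * @param str the serialized access token
     * @return the verified claims
     * @throws RuntimeException if the token cannot be parsed, names an algorithm that is not an
     *     accepted signature algorithm, or fails signature or claims verification
     */
    public JWTClaimsSet extractClaims(String str) {
        try {
            JWT parse = JWTParser.parse(str);
            // The header is read before any verification, so the algorithm named in it is
            // chosen by whoever produced the token.
            if (!(parse.getHeader().getAlgorithm() instanceof JWSAlgorithm)) {
                throw new RuntimeException("keycloak access token needs a JWSAlgorithm");
            }
            JWSAlgorithm algorithm = (JWSAlgorithm) parse.getHeader().getAlgorithm();
            // Defence in depth: this class only ever loads the provider's published JWK set and
            // never a shared secret, so a token asking for an HMAC algorithm is refused up front
            // rather than left to key selection.
            if (JWSAlgorithm.Family.HMAC_SHA.contains(algorithm)) {
                throw new RuntimeException("keycloak access token must not use an HMAC algorithm");
            }
            // NOTE(review): the accepted algorithm is still taken from the token. If the
            // deployment's signing algorithm is known, pin it here instead.
            DefaultJWTProcessor<SecurityContext> processor = new DefaultJWTProcessor<>();
            processor.setJWSKeySelector(
                    new JWSVerificationKeySelector<>(algorithm, new ImmutableJWKSet<>(this.jwkSet)));
            // The third argument is passed as null; its meaning is defined by
            // KeycloakAccessTokenVerifier, which is not shown here.
            processor.setJWTClaimsSetVerifier(
                    new KeycloakAccessTokenVerifier(this.providerMetadata.getIssuer(), this.clientId, null));
            return processor.process(parse, (SecurityContext) null);
        } catch (BadJOSEException | ParseException | JOSEException e) {
            throw new RuntimeException("problem parsing access token", e);
        }
    }
}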
