package dev.fitko.fitconnect.core.keys;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.nimbusds.jose.jwk.KeyOperation;
import com.nimbusds.jose.jwk.RSAKey;
import dev.fitko.fitconnect.api.config.ApplicationConfig;
import dev.fitko.fitconnect.api.domain.model.destination.Destination;
import dev.fitko.fitconnect.api.domain.model.jwk.ApiJwk;
import dev.fitko.fitconnect.api.domain.model.jwk.ApiJwkSet;
import dev.fitko.fitconnect.api.domain.validation.ValidationResult;
import dev.fitko.fitconnect.api.exceptions.internal.InvalidKeyException;
import dev.fitko.fitconnect.api.exceptions.internal.RestApiException;
import dev.fitko.fitconnect.api.services.auth.OAuthService;
import dev.fitko.fitconnect.api.services.keys.KeyService;
import dev.fitko.fitconnect.api.services.validation.ValidationService;
import dev.fitko.fitconnect.core.http.HttpClient;
import dev.fitko.fitconnect.core.http.HttpHeaders;
import dev.fitko.fitconnect.core.http.MimeTypes;
import java.nio.charset.StandardCharsets;
import java.text.ParseException;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.UUID;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:dev/fitko/fitconnect/core/keys/PublicKeyApiService.class */
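/**
 * {@link KeyService} implementation that fetches public RSA keys (JWKs) over HTTP and runs
 * them through the {@link ValidationService} before handing them to callers.
 *
 * <p>Encryption keys are validated for {@link KeyOperation#WRAP_KEY}, signature keys for
 * {@link KeyOperation#VERIFY}. Validation failures abort with {@link InvalidKeyException}
 * unless {@code ApplicationConfig.isAllowInsecurePublicKey()} is set, in which case they are
 * only logged and the unvalidated key is still returned.
 *
 * <p>NOTE(review): what the validation service actually checks is not visible in this class.
 * The keys returned here decide who can read a submission and whose signatures are accepted,
 * so the "allow insecure public key" switch presumably belongs in test setups only - confirm.
 */
public class PublicKeyApiService implements KeyService {
    public static final String DESTINATIONS_KEY_PATH = "/v1/destinations/%s/keys/%s";
    public static final String WELL_KNOWN_KEYS_PATH = "/.well-known/jwks.json";
    private static final Logger LOGGER = LoggerFactory.getLogger(PublicKeyApiService.class);
    private static final ObjectMapper MAPPER = new ObjectMapper();
    private final ApplicationConfig config;
    private final ValidationService validationService;
    private final HttpClient httpClient;
    private final OAuthService authService;

    /**
     * Creates a service that can call both authenticated and unauthenticated key endpoints.
     *
     * @param applicationConfig source of the base URLs and the insecure-key switch
     * @param httpClient client used for all key requests
     * @param oAuthService provider of the bearer token for authenticated requests; may be
     *     {@code null}, in which case the methods that send an Authorization header fail
     * @param validationService validator applied to every key before it is returned
     */
    public PublicKeyApiService(ApplicationConfig applicationConfig, HttpClient httpClient, OAuthService oAuthService, ValidationService validationService) {
        this.config = applicationConfig;
        this.httpClient = httpClient;
        this.authService = oAuthService;
        this.validationService = validationService;
    }

    /**
     * Creates a service without an {@link OAuthService}. Only the lookups that send no
     * Authorization header ({@link #getPortalPublicKey} and
     * {@link #getWellKnownKeysForSubmissionUrl}) are usable on such an instance.
     */
    public PublicKeyApiService(ApplicationConfig applicationConfig, HttpClient httpClient, ValidationService validationService) {
        this(applicationConfig, httpClient, null, validationService);
    }

    /**
     * Fetches the destination's public encryption key and validates it for key wrapping.
     *
     * @param destination destination whose id and encryption key id select the key
     * @return the parsed key
     * @throws InvalidKeyException if the key cannot be parsed or fails validation
     * @throws RestApiException if the request fails
     * @throws IllegalStateException if no {@link OAuthService} was configured
     */
    @Override
    public RSAKey getPublicEncryptionKey(Destination destination) {
        RSAKey encryptionKey = toRSAKey(performRequest(
                destinationKeyUrl(destination.getDestinationId(), destination.getEncryptionKid()),
                ApiJwk.class,
                getHeaders()));
        validateEncryptionKey(encryptionKey);
        return encryptionKey;
    }

    /**
     * Fetches a destination's public signature key and validates it for verification.
     *
     * @param uuid destination id
     * @param str key id of the signature key
     * @return the parsed key
     * @throws InvalidKeyException if the key cannot be parsed or fails validation
     * @throws RestApiException if the request fails
     * @throws IllegalStateException if no {@link OAuthService} was configured
     */
    @Override
    public RSAKey getPublicSignatureKey(UUID uuid, String str) {
        RSAKey signatureKey = toRSAKey(performRequest(destinationKeyUrl(uuid, str), ApiJwk.class, getHeaders()));
        validateSignatureKey(signatureKey);
        return signatureKey;
    }

    /**
     * Looks up a signature key by id in the submission service's well-known JWK set
     * (authenticated request).
     *
     * @param str key id to look for
     * @return the matching, validated key
     * @throws InvalidKeyException if the set is empty, holds no key with that id, or the key
     *     cannot be parsed or fails validation
     * @throws RestApiException if the request fails
     */
    @Override
    public RSAKey getSubmissionServicePublicKey(String str) {
        return fetchSignatureKeyFromJwks(this.config.getSubmissionBaseUrl() + WELL_KNOWN_KEYS_PATH, getHeaders(), str);
    }

    /**
     * Looks up a signature key by id in the self-service portal's well-known JWK set
     * (request without Authorization header).
     *
     * @param str key id to look for
     * @return the matching, validated key
     * @throws InvalidKeyException if the set is empty, holds no key with that id, or the key
     *     cannot be parsed or fails validation
     * @throws RestApiException if the request fails
     */
    @Override
    public RSAKey getPortalPublicKey(String str) {
        return fetchSignatureKeyFromJwks(this.config.getSelfServicePortalBaseUrl() + WELL_KNOWN_KEYS_PATH, getHeadersWithoutAuth(), str);
    }

    /**
     * Looks up a signature key by id in the JWK set served under a caller-supplied URL
     * (request without Authorization header).
     *
     * <p>The URL is used literally. It is no longer run through {@code String.format}, so a
     * percent sign in it can neither fail the request nor have the key id substituted into it.
     *
     * <p>NOTE(review): the returned key is used to verify signatures, so whoever controls
     * this URL controls which key is trusted. Presumably callers restrict it to known hosts
     * before calling - confirm.
     *
     * @param str base URL of the service publishing the JWK set
     * @param str2 key id to look for
     * @return the matching, validated key
     * @throws InvalidKeyException if the set is empty, holds no key with that id, or the key
     *     cannot be parsed or fails validation
     * @throws RestApiException if the request fails
     */
    @Override
    public RSAKey getWellKnownKeysForSubmissionUrl(String str, String str2) {
        // NOTE(review): a URL that already ends with "/" is requested as-is, without the
        // well-known path appended - kept from the original, confirm that this is intended.
        String jwksUrl = !str.endsWith("/") ? str + WELL_KNOWN_KEYS_PATH : str;
        return fetchSignatureKeyFromJwks(jwksUrl, getHeadersWithoutAuth(), str2);
    }

    /** Builds the destination key URL; only the path template is formatted, never the base URL. */
    private String destinationKeyUrl(Object destinationId, String keyId) {
        // NOTE(review): both ids go into the path unencoded, as before - presumably they are
        // UUIDs / opaque key ids without path separators; verify against callers.
        return this.config.getSubmissionBaseUrl() + String.format(DESTINATIONS_KEY_PATH, destinationId, keyId);
    }

    /** Fetches a JWK set, picks the key with the given id and validates it for verification. */
    private RSAKey fetchSignatureKeyFromJwks(String jwksUrl, Map<String, String> headers, String keyId) {
        ApiJwkSet jwkSet = performRequest(jwksUrl, ApiJwkSet.class, headers);
        if (jwkSet == null || jwkSet.getKeys() == null) {
            throw new InvalidKeyException("Public signature key is not valid",
                    new java.util.NoSuchElementException("JWK set response contained no keys"));
        }
        RSAKey signatureKey = filterKeysById(keyId, jwkSet.getKeys());
        validateSignatureKey(signatureKey);
        return signatureKey;
    }

    /**
     * Returns the first key in {@code list} whose key id equals {@code str}.
     *
     * <p>Fails closed when nothing matches. The original passed {@code null} on to validation,
     * which could come back as a {@code null} key when insecure keys are allowed.
     *
     * @throws InvalidKeyException if no entry carries the requested key id
     */
    private RSAKey filterKeysById(String str, List<ApiJwk> list) {
        return list.stream()
                // compare from the requested id so entries without a kid are skipped, not an NPE
                .filter(apiJwk -> str != null && str.equals(apiJwk.getKid()))
                .map(this::toRSAKey)
                .findFirst()
                .orElseThrow(() -> new InvalidKeyException("Public signature key is not valid",
                        new java.util.NoSuchElementException("No key found for key id " + str)));
    }

    /** Validates the key for the key-wrapping operation. */
    private void validateEncryptionKey(RSAKey rSAKey) {
        validateResult(this.validationService.validatePublicKey(rSAKey, KeyOperation.WRAP_KEY), "Invalid public encryption key");
    }

    /** Validates the key for the signature-verification operation. */
    private void validateSignatureKey(RSAKey rSAKey) {
        validateResult(this.validationService.validatePublicKey(rSAKey, KeyOperation.VERIFY), "Public signature key is not valid");
    }

    /**
     * Turns a failed validation into an {@link InvalidKeyException}, or into a warning only
     * when the configuration allows insecure public keys.
     */
    private void validateResult(ValidationResult validationResult, String str) {
        if (!validationResult.hasError()) {
            return;
        }
        if (!this.config.isAllowInsecurePublicKey()) {
            throw new InvalidKeyException(str, validationResult.getError());
        }
        // Security-relevant: the key failed validation and is used anyway because of config.
        LOGGER.warn(str, validationResult.getError());
    }

    /**
     * Converts the API model into a Nimbus {@link RSAKey} by serialising it to JSON and
     * parsing that JSON.
     *
     * @throws InvalidKeyException if serialisation or parsing fails
     */
    private RSAKey toRSAKey(ApiJwk apiJwk) {
        try {
            return RSAKey.parse(MAPPER.writeValueAsString(apiJwk));
        } catch (JsonProcessingException | ParseException e) {
            throw new InvalidKeyException("Key could not be parsed", e);
        }
    }

    /**
     * Performs a GET on the given, already complete URL and returns the response body.
     *
     * @throws RestApiException wrapping the client's own failure
     */
    @SuppressWarnings("unchecked") // cast kept from the original; the client's return type is not visible here
    private <T> T performRequest(String url, Class<T> responseType, Map<String, String> headers) {
        try {
            return (T) this.httpClient.get(url, headers, responseType).getBody();
        } catch (RestApiException e) {
            throw new RestApiException("Request failed", e);
        }
    }

    /** Returns a fresh, mutable header map with content type and accepted charset only. */
    private Map<String, String> getHeadersWithoutAuth() {
        return new HashMap<>(Map.of(HttpHeaders.CONTENT_TYPE, MimeTypes.APPLICATION_JSON, HttpHeaders.ACCEPT_CHARSET, StandardCharsets.UTF_8.toString()));
    }

    /**
     * Returns the base headers plus a bearer Authorization header built from the current token.
     *
     * @throws IllegalStateException if the instance was created without an {@link OAuthService}
     */
    private Map<String, String> getHeaders() {
        if (this.authService == null) {
            // the three-argument constructor leaves authService null; say so, not a bare NPE
            throw new IllegalStateException("No OAuthService configured, authenticated key requests are not available");
        }
        Map<String, String> headers = getHeadersWithoutAuth();
        headers.put(HttpHeaders.AUTHORIZATION, "Bearer " + this.authService.getCurrentToken().getAccessToken());
        return headers;
    }
}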
