package org.activiti.cloud.services.notifications.qraphql.ws.security;

import com.fasterxml.jackson.databind.ObjectMapper;
import java.math.BigInteger;
import java.net.URL;
import java.security.KeyFactory;
import java.security.PublicKey;
import java.security.spec.RSAPublicKeySpec;
import java.util.Base64;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import org.activiti.cloud.services.identity.keycloak.KeycloakProperties;
import org.keycloak.TokenVerifier;
import org.keycloak.common.VerificationException;
import org.keycloak.jose.jwk.JWK;
import org.keycloak.jose.jwk.RSAPublicJWK;
import org.keycloak.jose.jws.JWSHeader;
import org.keycloak.representations.AccessToken;

/* loaded from: input_file:BOOT-INF/lib/activiti-cloud-services-notifications-graphql-security-7.1.423.jar:org/activiti/cloud/services/notifications/qraphql/ws/security/KeycloakAccessTokenVerifier.class */
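/**
 * Verifies Keycloak-issued access tokens against the realm's published RSA signing keys.
 *
 * <p>Signing keys are fetched from the realm's OpenID Connect certs (JWKS) endpoint and cached
 * in memory. Entries are keyed by certs URL <em>and</em> key id ({@code kid}), so a token signed
 * with a newly rotated key triggers a fresh lookup instead of being checked against whichever
 * key happened to be cached first.
 *
 * <p>NOTE(review): cached keys never expire, so a key withdrawn on the Keycloak side stays
 * trusted until this instance is restarted; consider a TTL if key revocation matters here.
 *
 * <p>NOTE(review): the fetched keys are only as trustworthy as the transport to the certs
 * endpoint; the configured auth server URL should presumably be {@code https} in any
 * deployment where the network path is not trusted - confirm against the deployment config.
 */
public class KeycloakAccessTokenVerifier {
    private final KeycloakProperties config;

    /** Signing keys already resolved, keyed by {@code <certs URL>#<kid>}. */
    private final ConcurrentHashMap<String, PublicKey> publicKeys = new ConcurrentHashMap<>();
    private static final ObjectMapper objectMapper = new ObjectMapper();

    /**
     * @param keycloakProperties source of the auth server URL and realm name
     */
    public KeycloakAccessTokenVerifier(KeycloakProperties keycloakProperties) {
        this.config = keycloakProperties;
    }

    /**
     * Parses and verifies a serialized access token.
     *
     * @param str the serialized token
     * @return the verified token
     * @throws VerificationException if the token cannot be parsed, no signing key matching its
     *     header could be resolved, or any of the verifier's checks fails
     */
    public AccessToken verifyToken(String str) throws VerificationException {
        TokenVerifier<AccessToken> verifier = TokenVerifier.create(str, AccessToken.class);
        PublicKey publicKey = getPublicKey(verifier.getHeader());
        if (publicKey == null) {
            // Fail closed here instead of depending on how the verifier treats a missing key.
            throw new VerificationException("No public key available to verify the token signature");
        }
        return verifier.withDefaultChecks().realmUrl(getRealmUrl()).publicKey(publicKey).verify().getToken();
    }

    /**
     * Resolves the public key named by the token header, using the cache when possible.
     *
     * <p>Only successful lookups are cached ({@code computeIfAbsent} stores nothing for a
     * {@code null} result), so the cache cannot grow beyond the keys the endpoint publishes.
     *
     * <p>NOTE(review): every token carrying an unknown {@code kid} causes a request to the certs
     * endpoint, and this runs before the caller is authenticated; consider enforcing a minimum
     * interval between refreshes.
     *
     * @param jWSHeader header of the token being verified
     * @return the matching key, or {@code null} if the header has no key id or no key was found
     */
    protected PublicKey getPublicKey(JWSHeader jWSHeader) {
        String keyId = jWSHeader.getKeyId();
        if (keyId == null) {
            // Without a kid there is no way to tell which published key the token claims.
            return null;
        }
        String certsUrl = getRealmCertsUrl();
        return this.publicKeys.computeIfAbsent(
                certsUrl + "#" + keyId,
                cacheKey -> retrievePublicKeyFromCertsEndpoint(certsUrl, jWSHeader));
    }

    /**
     * Downloads the JWKS document and builds the RSA public key whose {@code kid} matches the
     * token header.
     *
     * <p>NOTE(review): the request is made with no explicit connect/read timeout and, when
     * reached through {@link #getPublicKey(JWSHeader)}, runs inside the map's compute function,
     * so a stalled endpoint can hold up other verifications - worth confirming and bounding.
     *
     * @param str URL of the realm's certs endpoint
     * @param jWSHeader header of the token being verified
     * @return the matching RSA public key, or {@code null} if none matches or the lookup fails
     */
    protected PublicKey retrievePublicKeyFromCertsEndpoint(String str, JWSHeader jWSHeader) {
        try {
            String keyId = jWSHeader.getKeyId();
            if (keyId == null) {
                return null;
            }
            Map<?, ?> jwks = objectMapper.readValue(new URL(str).openStream(), Map.class);
            Object keys = jwks.get("keys");
            if (!(keys instanceof List)) {
                return null;
            }
            for (Object entry : (List<?>) keys) {
                if (!(entry instanceof Map)) {
                    continue;
                }
                Map<?, ?> jwk = (Map<?, ?>) entry;
                if (!keyId.equals(jwk.get(JWK.KEY_ID))) {
                    continue;
                }
                String modulus = (String) jwk.get(RSAPublicJWK.MODULUS);
                String exponent = (String) jwk.get(RSAPublicJWK.PUBLIC_EXPONENT);
                if (modulus == null || exponent == null) {
                    // The matching entry carries no RSA parameters; treat it as "no key".
                    return null;
                }
                Base64.Decoder urlDecoder = Base64.getUrlDecoder();
                // Signum 1: JWK integers are unsigned big-endian byte strings.
                RSAPublicKeySpec spec = new RSAPublicKeySpec(
                        new BigInteger(1, urlDecoder.decode(modulus)),
                        new BigInteger(1, urlDecoder.decode(exponent)));
                return KeyFactory.getInstance("RSA").generatePublic(spec);
            }
            return null;
        } catch (Exception e) {
            // Deliberate best-effort: any fetch or parse failure means "no key", which makes
            // verifyToken reject the token.
            // NOTE(review): route this through the project's logger instead of stderr.
            e.printStackTrace();
            return null;
        }
    }

    /**
     * @return the realm base URL, {@code <authServerUrl>/realms/<realm>}
     */
    public String getRealmUrl() {
        return String.format("%s/realms/%s", this.config.getAuthServerUrl(), this.config.getRealm());
    }

    /**
     * @return the URL of the realm's OpenID Connect certs (JWKS) endpoint
     */
    public String getRealmCertsUrl() {
        return getRealmUrl() + "/protocol/openid-connect/certs";
    }
}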
