package org.activiti.cloud.services.notifications.qraphql.ws.security.tokenverifier.jwt;

import java.util.List;
import java.util.Set;
import org.activiti.cloud.services.common.security.jwt.JwtAccessTokenValidator;
import org.activiti.cloud.services.common.security.jwt.JwtUserInfoUriAuthenticationConverter;
import org.activiti.cloud.services.notifications.qraphql.ws.security.tokenverifier.GraphQLAccessToken;
import org.activiti.cloud.services.notifications.qraphql.ws.security.tokenverifier.GraphQLAccessTokenVerifier;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;

/* loaded from: input_file:org/activiti/cloud/services/notifications/qraphql/ws/security/tokenverifier/jwt/JwtAccessTokenVerifier.class */
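/**
 * Verifies a raw JWT access token string and turns it into a {@link GraphQLAccessToken}.
 *
 * <p>Verification is a three-step pipeline: the token is decoded by the injected
 * {@link JwtDecoder}, checked by the injected {@link JwtAccessTokenValidator}, and then
 * converted to a {@link JwtAuthenticationToken}. What the decoder and validator actually
 * enforce (signature, expiry, issuer, audience) depends on how those collaborators are
 * configured and is not visible in this class.
 */
public class JwtAccessTokenVerifier implements GraphQLAccessTokenVerifier {
    /** Name of the JWT claim that the role set is read from. */
    private static final String ROLE_CLAIM = "role";

    private final JwtAccessTokenValidator jwtAccessTokenValidator;
    private final JwtUserInfoUriAuthenticationConverter jwtUserInfoUriAuthenticationConverter;
    private final JwtDecoder jwtDecoder;

    /**
     * Creates a verifier from its three collaborators.
     *
     * @param jwtAccessTokenValidator validator applied to the decoded token
     * @param jwtUserInfoUriAuthenticationConverter converter that builds the authentication object
     * @param jwtDecoder decoder used to parse the raw token string
     */
    public JwtAccessTokenVerifier(JwtAccessTokenValidator jwtAccessTokenValidator, JwtUserInfoUriAuthenticationConverter jwtUserInfoUriAuthenticationConverter, JwtDecoder jwtDecoder) {
        this.jwtAccessTokenValidator = jwtAccessTokenValidator;
        this.jwtUserInfoUriAuthenticationConverter = jwtUserInfoUriAuthenticationConverter;
        this.jwtDecoder = jwtDecoder;
    }

    /**
     * Decodes, validates and converts the given token.
     *
     * <p>Failures raised by the decoder are not translated here and propagate unchanged.
     * NOTE(review): Spring's {@code JwtDecoder} reports failures as {@code JwtException},
     * which is not an {@code AuthenticationException} - confirm the caller treats both as a
     * rejected token.
     *
     * @param str the raw (serialized) JWT access token
     * @return the access token carrying the principal name, the roles read from the
     *     {@code role} claim, and the converted authentication
     * @throws BadCredentialsException if the validator rejects the token or the token carries
     *     no {@code role} claim
     */
    @Override
    public GraphQLAccessToken verifyToken(String str) {
        Jwt jwt = this.jwtDecoder.decode(str);
        if (!this.jwtAccessTokenValidator.isValid(jwt)) {
            throw new BadCredentialsException("Invalid JWT token");
        }

        // Read the roles before converting, so a token that is going to be rejected never
        // reaches the converter. NOTE(review): the converter's name suggests it may call a
        // user-info endpoint - confirm.
        Set<String> roles = extractRoles(jwt);

        // NOTE(review): Spring's Converter contract allows a null result; this code assumes
        // the converter always returns an authentication - confirm against its implementation.
        JwtAuthenticationToken authentication = this.jwtUserInfoUriAuthenticationConverter.convert(jwt);
        return new GraphQLAccessToken(authentication.getName(), roles, authentication);
    }

    /** Reads the role claim as an immutable set, rejecting tokens that do not carry it. */
    private static Set<String> extractRoles(Jwt jwt) {
        List<String> roles = jwt.getClaimAsStringList(ROLE_CLAIM);
        if (roles == null) {
            // A missing claim used to surface as a NullPointerException from Set.copyOf.
            // Reject it as an authentication failure instead, so the token is still refused
            // but through the same path as any other invalid credential.
            throw new BadCredentialsException("JWT token is missing the role claim");
        }
        return Set.copyOf(roles);
    }
}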
