package com.atlassian.bitbucket.internal.scm.git.lfs.jwt;

import com.atlassian.jwt.CanonicalHttpRequest;
import com.atlassian.jwt.exception.JwtInvalidClaimException;
import com.atlassian.jwt.exception.JwtVerificationException;
import com.atlassian.jwt.reader.JwtClaimVerifier;
import com.atlassian.jwt.reader.JwtClaimVerifiersBuilder;
import com.google.common.collect.ImmutableMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.annotation.Nonnull;

/* loaded from: input_file:com/atlassian/bitbucket/internal/scm/git/lfs/jwt/GitLfsApiClaimVerifiersBuilder.class */
public class GitLfsApiClaimVerifiersBuilder implements JwtClaimVerifiersBuilder {
    private static final Pattern GIT_LFS_API_PATTERN = Pattern.compile("/scm/((?<namespace>[a-zA-Z0-9_\\-]*)/)?(?<projectKey>~[a-zA-Z0-9\\-_.]+|[a-zA-Z][a-zA-Z0-9_\\-]*)/(?<repoSlug>[\\p{Alnum}][\\w\\-\\.]*).git/info/lfs/.+");
    private final GitLfsJwtHelper gitLfsJwtHelper;

    /* loaded from: input_file:com/atlassian/bitbucket/internal/scm/git/lfs/jwt/GitLfsApiClaimVerifiersBuilder$GitLfsActionClaimVerifier.class */
    private class GitLfsActionClaimVerifier implements JwtClaimVerifier {
        private final String relativePath;

        public GitLfsActionClaimVerifier(CanonicalHttpRequest canonicalHttpRequest) {
            this.relativePath = canonicalHttpRequest.getRelativePath();
        }

        public void verify(@Nonnull Object obj) throws JwtVerificationException {
            Matcher matcher = GitLfsApiClaimVerifiersBuilder.GIT_LFS_API_PATTERN.matcher(this.relativePath);
            if (!matcher.matches()) {
                throw new JwtInvalidClaimException("Invalid Git LFS path: " + this.relativePath);
            }
            if (!GitLfsApiClaimVerifiersBuilder.this.gitLfsJwtHelper.getClaimFromParameters(matcher.group("projectKey"), matcher.group("repoSlug")).equals(obj.toString())) {
                throw new JwtInvalidClaimException(String.format("JWT repo claim (%s) does not match repository URL: %s", obj, this.relativePath));
            }
        }
    }

    public GitLfsApiClaimVerifiersBuilder(GitLfsJwtHelper gitLfsJwtHelper) {
        this.gitLfsJwtHelper = gitLfsJwtHelper;
    }

    public Map<String, ? extends JwtClaimVerifier> build(CanonicalHttpRequest canonicalHttpRequest) {
        return ImmutableMap.of(GitLfsJwtHelper.REPO_CLAIM, new GitLfsActionClaimVerifier(canonicalHttpRequest));
    }
}
