package com.networknt.rule.conquest;

import com.networknt.client.ClientConfig;
import com.networknt.client.oauth.TokenResponse;
import com.networknt.config.Config;
import com.networknt.config.JsonMapper;
import com.networknt.config.PathPrefixAuth;
import com.networknt.config.TlsUtil;
import com.networknt.http.client.HttpClientRequest;
import com.networknt.rule.IAction;
import com.networknt.rule.RuleActionValue;
import com.networknt.utility.HashUtil;
import com.networknt.utility.ModuleRegistry;
import com.networknt.utility.StringUtils;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.ProxySelector;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.security.PrivateKey;
import java.security.Signature;
import java.text.MessageFormat;
import java.time.Duration;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.Map;
import java.util.stream.Collectors;
import org.apache.commons.codec.binary.Base64;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/networknt/rule/conquest/ConquestTokenRequestTransformAction.class */
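/**
 * Rule action that attaches a bearer token to outgoing requests.
 *
 * <p>For a request path that starts with one of the configured path prefixes, the action
 * signs a JWT client assertion with the private key from the configured key store, exchanges
 * it at the token URL using the {@code client_credentials} grant, caches the returned access
 * token on the matching {@link PathPrefixAuth} entry, and places an
 * {@code Authorization: Bearer ...} header update into the result map.
 *
 * <p>Credentials (key store password, signed assertion, access token) are never written to the
 * log in full, not even at trace level, because log files are usually readable by far more
 * people and systems than the secrets themselves.
 *
 * <p>NOTE(review): the lazy initialisation of the shared {@link HttpClient} and the token
 * refresh are not synchronized; concurrent requests may each build a client or fetch a token.
 * Confirm this is acceptable for the deployment.
 */
public class ConquestTokenRequestTransformAction implements IAction {
    private static final Logger logger = LoggerFactory.getLogger(ConquestTokenRequestTransformAction.class);
    private static final ConquestConfig config = ConquestConfig.load();
    /** JOSE header of the client assertion; the signature below must match the declared RS256. */
    private static final String JWT_HEADER = "{\"typ\":\"JWT\", \"alg\":\"RS256\"}";
    /** JCA name of the algorithm that corresponds to RS256. */
    private static final String JWT_SIGNATURE_ALGORITHM = "SHA256withRSA";
    private static HttpClient client;

    /**
     * Registers this plugin and its configuration with the module registry, naming the
     * certificate password key as a value to be masked.
     */
    public ConquestTokenRequestTransformAction() {
        if (logger.isInfoEnabled()) {
            logger.info("ConquestTokenRequestTransformAction is constructed");
        }
        ArrayList<String> masks = new ArrayList<>();
        masks.add(ConquestConfig.CERT_PASSWORD);
        ModuleRegistry.registerPlugin(ConquestTokenRequestTransformAction.class.getPackage().getImplementationTitle(), ConquestTokenRequestTransformAction.class.getPackage().getImplementationVersion(), ConquestConfig.CONFIG_NAME, ConquestTokenRequestTransformAction.class.getName(), Config.getNoneDecryptedInstance().getJsonMapConfigNoCache(ConquestConfig.CONFIG_NAME), masks);
    }

    /**
     * Adds an {@code Authorization} header update to the result map when the request path
     * matches a configured prefix and a token is available.
     *
     * @param map input map; the {@code requestPath} entry is read from it
     * @param map2 result map; {@code result} is always set to {@code true}, and
     *     {@code requestHeaders} is set when a token is available
     * @param collection action values; not used by this action
     */
    public void performAction(Map<String, Object> map, Map<String, Object> map2, Collection<RuleActionValue> collection) {
        map2.put("result", true);
        String requestPath = (String) map.get("requestPath");
        if (logger.isTraceEnabled()) {
            logger.trace("requestPath = " + requestPath);
        }
        if (requestPath == null) {
            // Without a path no prefix can match; leave the request untouched instead of failing with an NPE.
            logger.warn("requestPath is missing from the input map, no token is attached");
            return;
        }
        for (PathPrefixAuth pathPrefixAuth : config.getPathPrefixAuths()) {
            if (!requestPath.startsWith(pathPrefixAuth.getPathPrefix())) {
                continue;
            }
            if (logger.isTraceEnabled()) {
                logger.trace("found with requestPath = " + requestPath + " prefix = " + pathPrefixAuth.getPathPrefix());
            }
            if (System.currentTimeMillis() >= pathPrefixAuth.getExpiration()) {
                if (logger.isTraceEnabled()) {
                    // The cached token value is deliberately not logged; it may still be accepted by the server.
                    logger.trace("Cached token is expired with current time {} and expired time {}", System.currentTimeMillis(), pathPrefixAuth.getExpiration());
                }
                try {
                    String jwt = createJwt(pathPrefixAuth.getCertFilename(), pathPrefixAuth.getCertPassword(), pathPrefixAuth.getAuthIssuer(), pathPrefixAuth.getAuthSubject(), pathPrefixAuth.getAuthAudience(), HashUtil.generateUUID(), pathPrefixAuth.getTokenTtl());
                    if (logger.isTraceEnabled()) {
                        // A signed assertion is a credential for as long as it is valid, so only its size is logged.
                        logger.trace("generated jwt of length {}", jwt == null ? 0 : jwt.length());
                    }
                    if (jwt != null) {
                        TokenResponse tokenResponse = getAccessToken(pathPrefixAuth.getTokenUrl(), jwt);
                        if (tokenResponse == null) {
                            return;
                        }
                        // Treat the token as expired one minute before its stated lifetime ends.
                        pathPrefixAuth.setExpiration((System.currentTimeMillis() + (tokenResponse.getExpiresIn() * 1000)) - 60000);
                        pathPrefixAuth.setAccessToken(tokenResponse.getAccessToken());
                        if (logger.isTraceEnabled()) {
                            logger.trace("Got a new token and cached it with expiration time {}", pathPrefixAuth.getExpiration());
                        }
                    }
                } catch (Exception e) {
                    logger.error("Exception", e);
                    return;
                }
            }
            if (pathPrefixAuth.getAccessToken() != null) {
                Map<String, String> updatedHeaders = new HashMap<>();
                updatedHeaders.put("Authorization", "Bearer " + pathPrefixAuth.getAccessToken());
                Map<String, Object> requestHeaders = new HashMap<>();
                requestHeaders.put("update", updatedHeaders);
                map2.put("requestHeaders", requestHeaders);
                return;
            }
        }
    }

    /**
     * Builds and signs an RS256 JWT to be used as an OAuth client assertion.
     *
     * <p>The private key is read from the key store under the alias formed by the part of the
     * file name before its first dot, using the same password for the store and the key.
     *
     * @param certFilename key store file name; must contain a dot
     * @param certPassword password of the key store and of the key entry
     * @param issuer value of the {@code iss} claim
     * @param subject value of the {@code sub} claim
     * @param audience value of the {@code aud} claim
     * @param jti value of the {@code jti} claim
     * @param tokenTtl lifetime of the assertion in seconds, added to {@code iat} to give {@code exp}
     * @return the compact serialization {@code header.claims.signature}
     * @throws Exception if the key cannot be loaded or the signature cannot be produced
     */
    private String createJwt(String certFilename, String certPassword, String issuer, String subject, String audience, String jti, int tokenTtl) throws Exception {
        if (logger.isTraceEnabled()) {
            logger.trace("certFilename = " + certFilename + " certPassword = " + StringUtils.maskHalfString(certPassword) + " issuer = " + issuer + " subject = " + subject + " audience = " + audience + " jti = " + jti + " tokenTtl = " + tokenTtl);
        }
        int dot = certFilename.indexOf('.');
        if (dot < 0) {
            throw new IllegalArgumentException("certFilename " + certFilename + " has no '.' to derive the key alias from");
        }
        String alias = certFilename.substring(0, dot);

        // One clock reading for both claims so that exp - iat is exactly tokenTtl.
        long issuedAt = System.currentTimeMillis() / 1000;
        // NOTE(review): claim values are inserted without JSON escaping; this assumes the configured
        // issuer, subject and audience contain no quote or backslash characters. Confirm.
        String claims = new MessageFormat("'{'\"iss\": \"{0}\", \"sub\": \"{1}\", \"aud\": \"{2}\", \"jti\": \"{3}\", \"iat\": {4}, \"exp\": {5}'}'").format(new String[]{issuer, subject, audience, jti, Long.toString(issuedAt), Long.toString(issuedAt + tokenTtl)});
        if (logger.isTraceEnabled()) {
            logger.trace("jwtHeaderString = {} jwtBodyString = {}", JWT_HEADER, claims);
        }
        StringBuilder jwt = new StringBuilder();
        jwt.append(Base64.encodeBase64URLSafeString(JWT_HEADER.getBytes(StandardCharsets.UTF_8)));
        jwt.append(".");
        jwt.append(Base64.encodeBase64URLSafeString(claims.getBytes(StandardCharsets.UTF_8)));

        char[] password = certPassword.toCharArray();
        PrivateKey privateKey = (PrivateKey) TlsUtil.loadKeyStore(certFilename, password).getKey(alias, password);
        if (privateKey == null) {
            throw new IllegalStateException("No private key found in " + certFilename + " under alias " + alias);
        }
        if (logger.isTraceEnabled()) {
            // Same masking as at the top of the method; the password must not reach the log in clear text.
            String maskedPassword = StringUtils.maskHalfString(certPassword);
            logger.trace("Created PrivateKey with name {} password {} alias {} keyPass {}", new Object[]{certFilename, maskedPassword, alias, maskedPassword});
        }
        if (logger.isTraceEnabled()) {
            logger.trace("JWT Algorithm = {}", JWT_SIGNATURE_ALGORITHM);
        }
        Signature signature = Signature.getInstance(JWT_SIGNATURE_ALGORITHM);
        signature.initSign(privateKey);
        // The signing input is the encoded header and claims joined by a dot.
        signature.update(jwt.toString().getBytes(StandardCharsets.UTF_8));
        jwt.append(".");
        jwt.append(Base64.encodeBase64URLSafeString(signature.sign()));
        return jwt.toString();
    }

    /**
     * Exchanges a signed client assertion for an access token.
     *
     * @param tokenUrl token endpoint URL
     * @param jwt signed client assertion
     * @return the parsed token response, or {@code null} when the client cannot be created, the
     *     URL is missing, the endpoint does not answer 200, or the response lacks a usable
     *     {@code access_token} or {@code expires_in}
     */
    private TokenResponse getAccessToken(String tokenUrl, String jwt) {
        if (client == null) {
            try {
                // NOTE(review): Redirect.NORMAL lets the endpoint redirect this POST; depending on the
                // status code the assertion may be resent to the redirect target. Consider Redirect.NEVER.
                HttpClient.Builder builder = HttpClient.newBuilder().followRedirects(HttpClient.Redirect.NORMAL).connectTimeout(Duration.ofMillis(ClientConfig.get().getTimeout())).sslContext(HttpClientRequest.createSSLContext());
                if (config.getProxyHost() != null) {
                    builder.proxy(ProxySelector.of(new InetSocketAddress(config.getProxyHost(), config.getProxyPort() == 0 ? 443 : config.getProxyPort())));
                }
                if (config.isEnableHttp2()) {
                    builder.version(HttpClient.Version.HTTP_2);
                } else {
                    builder.version(HttpClient.Version.HTTP_1_1);
                }
                Map<?, ?> tlsConfig = (Map<?, ?>) ClientConfig.get().getMappedConfig().get("tls");
                if (tlsConfig != null && !Boolean.TRUE.equals(tlsConfig.get("verifyHostname"))) {
                    // This is a JVM-wide system property, not a setting of this client alone, and it is
                    // applied whenever verifyHostname is anything other than Boolean TRUE (including absent).
                    // Without hostname verification any certificate trusted by the SSL context is accepted
                    // for the token endpoint, so the signed assertion can be sent to an impostor.
                    logger.warn("tls.verifyHostname is not true: TLS hostname verification is being disabled for java.net.http clients in this JVM");
                    System.getProperties().setProperty("jdk.internal.httpclient.disableHostnameVerification", Boolean.TRUE.toString());
                }
                client = builder.build();
            } catch (IOException e) {
                logger.error("Cannot create HttpClient:", e);
                return null;
            }
        }
        try {
            if (tokenUrl == null) {
                logger.error("tokenUrl is null");
                return null;
            }
            String form = "grant_type=" + URLEncoder.encode("client_credentials", StandardCharsets.UTF_8)
                    + "&client_assertion_type=" + URLEncoder.encode("urn:ietf:params:oauth:client-assertion-type:jwt-bearer", StandardCharsets.UTF_8)
                    + "&client_assertion=" + URLEncoder.encode(jwt, StandardCharsets.UTF_8);
            // NOTE(review): only a connect timeout is configured; a stalled token endpoint blocks the caller.
            HttpRequest request = HttpRequest.newBuilder().uri(URI.create(tokenUrl)).header("Content-Type", "application/x-www-form-urlencoded").POST(HttpRequest.BodyPublishers.ofString(form)).build();
            HttpResponse<String> response = client.send(request, HttpResponse.BodyHandlers.ofString());
            if (response.statusCode() != 200) {
                logger.error("Error in getting the token with status code " + response.statusCode() + " and body " + response.body());
                return null;
            }
            Map<String, Object> body = JsonMapper.string2Map(response.body());
            if (body == null) {
                // A 200 body may carry a token even when it fails to parse, so only its size is logged.
                logger.error("response body cannot be parsed as a JSON, body length " + (response.body() == null ? 0 : response.body().length()));
                return null;
            }
            Object accessToken = body.get("access_token");
            if (!(accessToken instanceof String) || ((String) accessToken).isEmpty()) {
                // Returning null here keeps the caller from caching an empty token until its expiry.
                logger.error("token response does not contain an access_token");
                return null;
            }
            Object expiresIn = body.get("expires_in");
            if (!(expiresIn instanceof Number)) {
                logger.error("token response does not contain a numeric expires_in");
                return null;
            }
            TokenResponse tokenResponse = new TokenResponse();
            tokenResponse.setAccessToken((String) accessToken);
            tokenResponse.setTokenType((String) body.get("token_type"));
            tokenResponse.setScope((String) body.get("scope"));
            tokenResponse.setExpiresIn(((Number) expiresIn).intValue());
            return tokenResponse;
        } catch (Exception e) {
            logger.error("Exception:", e);
            return null;
        }
    }
}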
