package dev.soffa.foundation.security;

import com.auth0.jwt.JWT;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.interfaces.Claim;
import com.auth0.jwt.interfaces.DecodedJWT;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.proc.ConfigurableJWTProcessor;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import dev.soffa.foundation.commons.IOUtil;
import dev.soffa.foundation.commons.Logger;
import dev.soffa.foundation.commons.TextUtil;
import dev.soffa.foundation.commons.TokenUtil;
import dev.soffa.foundation.error.ConfigurationException;
import dev.soffa.foundation.error.InvalidTokenException;
import dev.soffa.foundation.error.NotImplementedException;
import dev.soffa.foundation.error.UnauthorizedException;
import dev.soffa.foundation.model.Authentication;
import dev.soffa.foundation.model.Token;
import dev.soffa.foundation.model.TokenType;
import dev.soffa.foundation.model.UserInfo;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.text.ParseException;
import java.time.Duration;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Locale;
import java.util.Map;
import java.util.Objects;
import java.util.Set;

/* loaded from: input_file:dev/soffa/foundation/security/DefaultTokenProvider.class */
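/**
 * Issues and verifies JWTs, either with a shared HMAC secret or with a JWKS key set.
 *
 * <p>Signing uses the private JWKS when one is configured and falls back to the shared secret.
 * Verification uses the public JWKS (RS256) when one is configured and falls back to HMAC256
 * with the shared secret. The two verification paths are not symmetric: only the HMAC path
 * pins the expected issuer (see {@link #decodejwtWithJwks(String, ClaimsExtractor)}).
 *
 * <p>This object holds signing material ({@code privateJwks}, and the secret reachable through
 * the config), so {@link #toString()} deliberately prints no key or config content.
 */
public class DefaultTokenProvider implements TokenProvider, ClaimsExtractor {
    private static final Logger LOG = Logger.get(DefaultTokenProvider.class);
    private TokensConfig config;
    private ConfigurableJWTProcessor<SecurityContext> jwtProcessor;
    private String privateJwks;

    /**
     * Creates a provider and eagerly loads the JWKS material referenced by the configuration.
     *
     * @param tokensConfig token settings (issuer, secret, JWKS locations, default TTL)
     * @throws IllegalStateException if the configured public JWKS cannot be read or parsed
     */
    public DefaultTokenProvider(TokensConfig tokensConfig) {
        this.config = tokensConfig;
        configureJwksProcessor();
    }

    /**
     * Converts an auth0 {@link Claim} to a plain Java value by trying each accessor in turn.
     *
     * <p>The accessor order is kept as-is because callers receive the resulting types.
     * NOTE(review): {@code asDouble} is tried before {@code asInt}/{@code asLong}/{@code asDate},
     * so numeric claims presumably surface as {@code Double} - confirm before relying on
     * integer-typed claims downstream.
     *
     * @param claim the claim to unwrap
     * @return the unwrapped value, {@code null} for a null claim, or {@code claim.toString()}
     *     when no accessor yields a value
     */
    private static Object getClaimValue(Claim claim) {
        if (claim.isNull()) {
            return null;
        }
        String text = claim.asString();
        if (text != null) {
            return text;
        }
        Boolean flag = claim.asBoolean();
        if (flag != null) {
            return flag;
        }
        Double decimal = claim.asDouble();
        if (decimal != null) {
            return decimal;
        }
        Integer intValue = claim.asInt();
        if (intValue != null) {
            return intValue;
        }
        Long longValue = claim.asLong();
        if (longValue != null) {
            return longValue;
        }
        Date date = claim.asDate();
        if (date != null) {
            return date;
        }
        Map<String, Object> nested = claim.asMap();
        return nested != null ? nested : claim.toString();
    }

    /**
     * Adds every non-empty, comma-separated entry of {@code csv} to {@code target}, trimmed and
     * lower-cased.
     *
     * <p>Lower-casing uses {@link Locale#ROOT}: role and permission names feed authorization
     * checks, and the default-locale form (e.g. Turkish dotless i) would turn {@code "ADMIN"}
     * into a value that no longer matches {@code "admin"}.
     */
    private static void addNormalizedEntries(String csv, Set<String> target) {
        for (String entry : csv.split(",")) {
            if (TextUtil.isNotEmpty(new String[]{entry})) {
                target.add(entry.trim().toLowerCase(Locale.ROOT));
            }
        }
    }

    /**
     * Loads the public JWKS from an {@code http(s)} URL or from a classpath resource.
     *
     * @param location value of {@code config.getPublicJwks()}
     * @return the parsed key set
     * @throws IOException if the location cannot be read
     * @throws ParseException if the content is not a valid JWK set
     * @throws NullPointerException if the classpath resource does not exist
     */
    private static JWKSet loadPublicJwks(String location) throws IOException, ParseException {
        if (location.startsWith("http")) {
            if (location.startsWith("http://")) {
                // The fetched keys decide which signatures are trusted; over plaintext HTTP
                // anyone on the network path can substitute them.
                LOG.warn("Public JWKS %s is fetched over plaintext HTTP; prefer https", new Object[]{location});
            }
            // NOTE(review): this overload sets no connect/read timeout or size limit, so a slow
            // endpoint can stall construction; JWKSet.load(URL, int, int, int) allows bounding it.
            return JWKSet.load(new URL(location));
        }
        try (InputStream in = Objects.requireNonNull(
                DefaultTokenProvider.class.getResourceAsStream(location),
                "Public JWKS resource not found: " + location)) {
            return JWKSet.load(in);
        }
    }

    /**
     * Creates a token with the configured default TTL.
     *
     * @param tokenType only {@link TokenType#JWT} is supported
     * @param str the token subject
     * @param map claims to embed
     * @return the signed token
     */
    @Override
    public Token create(TokenType tokenType, String str, Map<String, Object> map) {
        return create(tokenType, str, map, this.config.getDefaultTtl());
    }

    /**
     * Creates a signed JWT for the given subject and claims.
     *
     * @param tokenType only {@link TokenType#JWT} is supported
     * @param str the token subject
     * @param map claims to embed
     * @param i time to live; interpreted as minutes on the JWKS path, and passed unchanged to
     *     {@code TokenUtil.createJwt} on the shared-secret path (unit not visible in this class)
     * @return the signed token
     * @throws NotImplementedException if {@code tokenType} is not {@code JWT}
     * @throws ConfigurationException if neither a private JWKS nor a secret is configured
     */
    @Override
    public Token create(TokenType tokenType, String str, Map<String, Object> map, int i) {
        if (tokenType != TokenType.JWT) {
            // Guard the null case too so the caller gets the documented exception, not an NPE.
            String typeName = tokenType == null ? "null" : tokenType.name();
            throw new NotImplementedException("Token type not supported yet: %s", new Object[]{typeName});
        }
        String jwt;
        if (this.privateJwks != null) {
            jwt = TokenUtil.fromJwks(this.privateJwks, this.config.getIssuer(), str, map, Duration.ofMinutes(i));
        } else {
            if (!TextUtil.isNotEmpty(new String[]{this.config.getSecret()})) {
                throw new ConfigurationException("No secret or private jwks configured", new Object[0]);
            }
            jwt = TokenUtil.createJwt(this.config.getIssuer(), this.config.getSecret(), str, map, i);
        }
        return new Token(jwt, str, map, i);
    }

    /**
     * Maps the claims of an already verified token onto an {@link Authentication}.
     *
     * <p>Each attribute is looked up under several alias claim names. {@code roles} and
     * {@code permissions}/{@code grants} are comma-separated strings, normalized to trimmed
     * lower case. This method performs no signature or expiry check itself; it trusts the
     * token it is handed.
     *
     * @param token the decoded token
     * @return the authentication built from the token's claims
     */
    @Override
    public Authentication extractInfo(Token token) {
        String tenantId = (String) token.lookupClaim(new String[]{"tenant", "tenantId", "X-TenantId"}).orElse(null);

        UserInfo profile = new UserInfo();
        profile.setCity((String) token.lookupClaim(new String[]{"city", "location"}).orElse(null));
        profile.setCountry((String) token.lookupClaim(new String[]{"country", "countryId"}).orElse(null));
        profile.setGender((String) token.lookupClaim(new String[]{"gender", "sex", "sexe"}).orElse(null));
        profile.setEmail((String) token.lookupClaim(new String[]{"email", "mail"}).orElse(null));
        profile.setPhoneNumber((String) token.lookupClaim(new String[]{"mobile", "mobileNumber", "phoneNumber", "phone"}).orElse(null));
        profile.setGivenName((String) token.lookupClaim(new String[]{"givenname", "given_name", "firstname", "first_name", "prenom"}).orElse(null));
        profile.setFamilyName((String) token.lookupClaim(new String[]{"familyname", "family_name", "lastName", "last_name"}).orElse(null));
        profile.setNickname((String) token.lookupClaim(new String[]{"nickname", "nick_name", "pseudo", "alias"}).orElse(null));

        Set<String> permissions = new HashSet<>();
        token.lookupClaim(new String[]{"permissions", "grants"})
            .ifPresent(csv -> addNormalizedEntries(csv, permissions));

        Object principal = token.lookupClaim(new String[]{"principal"}).orElse(null);

        Set<String> roles = new HashSet<>();
        token.lookupClaim(new String[]{"roles"})
            .ifPresent(csv -> addNormalizedEntries(csv, roles));

        // Boolean.parseBoolean is already case-insensitive, so no lower-casing is needed.
        boolean liveMode = Boolean.parseBoolean((String) token.lookupClaim(new String[]{"live", "liveMode"}).orElse("false"));
        String application = (String) token.lookupClaim(new String[]{"applicationName", "application", "app"}).orElse(null);
        String applicationId = (String) token.lookupClaim(new String[]{"applicationId", "appId"}).orElse(null);

        return Authentication.builder()
            .claims(token.getClaims())
            .liveMode(liveMode)
            .username(token.getSubject())
            .tenantId(tenantId)
            .application(application)
            .applicationId(applicationId)
            .profile(profile)
            .roles(roles)
            .principal(principal)
            .permissions(permissions)
            .build();
    }

    /**
     * Loads the private JWKS (for signing) and builds the RS256 verifier from the public JWKS.
     *
     * <p>The public key set is read once and wrapped in an immutable source, so keys rotated at
     * the source are not picked up until a new provider is built.
     *
     * @throws IllegalStateException if the public JWKS cannot be read or parsed
     */
    private void configureJwksProcessor() {
        if (this.config.getPrivateJwks() != null) {
            this.privateJwks = IOUtil.getResourceAsString(this.config.getPrivateJwks());
        }
        String publicJwksLocation = this.config.getPublicJwks();
        if (publicJwksLocation == null) {
            return;
        }
        JWKSet jwkSet;
        try {
            jwkSet = loadPublicJwks(publicJwksLocation);
        } catch (IOException | ParseException e) {
            // NOTE(review): ConfigurationException would fit better, but no constructor taking a
            // cause is visible from this class; keep the cause attached for diagnosis.
            throw new IllegalStateException("Unable to load public JWKS from " + publicJwksLocation, e);
        }
        ImmutableJWKSet<SecurityContext> keySource = new ImmutableJWKSet<>(jwkSet);
        this.jwtProcessor = new DefaultJWTProcessor<>();
        // Pinning the accepted algorithm to RS256 keeps tokens signed with any other algorithm
        // from being matched against these keys.
        this.jwtProcessor.setJWSKeySelector(new JWSVerificationKeySelector<>(JWSAlgorithm.RS256, keySource));
    }

    /**
     * Verifies a token and extracts its claims with this provider's own claim mapping.
     *
     * @param str the serialized token
     * @return the authentication, or {@code null} when the input is not a well-formed JWT
     */
    @Override
    public Authentication decode(String str) {
        return decode(str, this);
    }

    /**
     * Verifies a token and extracts its claims with the given extractor.
     *
     * <p>Callers must handle the {@code null} return: a malformed token is logged and reported
     * as {@code null}, while a well-formed token that fails verification raises an exception.
     *
     * @param str the serialized token
     * @param claimsExtractor maps the verified claims to an {@link Authentication}
     * @return the authentication, or {@code null} when the input is not a well-formed JWT
     */
    @Override
    public Authentication decode(String str, ClaimsExtractor claimsExtractor) {
        if (!TokenUtil.isWellFormedJwt(str)) {
            // Only the last four characters are logged so the token cannot be replayed from logs.
            LOG.warn("Received token *******%s is not a well-formed JWT", new Object[]{TextUtil.takeLast(str, 4)});
            return null;
        }
        if (this.jwtProcessor != null) {
            return decodejwtWithJwks(str, claimsExtractor);
        }
        return decodeJwtWithSecret(str, claimsExtractor);
    }

    /**
     * Verifies a token against the configured public JWKS and extracts its claims.
     *
     * <p>NOTE(review): unlike {@link #decodeJwtWithSecret(String, ClaimsExtractor)}, nothing in
     * this class pins the expected issuer (or audience) on this path; any token signed by a key
     * in the set is accepted as far as this class shows. Consider configuring a claims verifier
     * on the processor.
     *
     * @param str the serialized token
     * @param claimsExtractor maps the verified claims to an {@link Authentication}
     * @return the authentication built from the verified claims
     * @throws InvalidTokenException if the token cannot be parsed or fails verification
     */
    public Authentication decodejwtWithJwks(String str, ClaimsExtractor claimsExtractor) {
        try {
            LOG.debug("Decoding JWT with JWKS", new Object[0]);
            JWTClaimsSet claimsSet = this.jwtProcessor.process(str, (SecurityContext) null);
            Token token = new Token(str, claimsSet.getSubject(), claimsSet.getClaims());
            return claimsExtractor.extractInfo(token);
        } catch (ParseException | JOSEException | BadJOSEException e) {
            throw new InvalidTokenException(e.getMessage(), e);
        }
    }

    /**
     * Verifies an HMAC256-signed token against the configured secret and issuer, then extracts
     * its claims.
     *
     * @param str the serialized token
     * @param claimsExtractor maps the verified claims to an {@link Authentication}
     * @return the authentication built from the verified claims
     * @throws UnauthorizedException if verification or claim extraction fails for any reason
     */
    public Authentication decodeJwtWithSecret(String str, ClaimsExtractor claimsExtractor) {
        try {
            LOG.debug("Decoding JWT token", new Object[0]);
            DecodedJWT verified = JWT.require(Algorithm.HMAC256(this.config.getSecret()))
                .withIssuer(this.config.getIssuer())
                .build()
                .verify(str);
            Map<String, Claim> rawClaims = verified.getClaims();
            Map<String, Object> claims = new HashMap<>();
            for (Map.Entry<String, Claim> entry : rawClaims.entrySet()) {
                Object value = getClaimValue(entry.getValue());
                if (value != null) {
                    // Log the claim name only: values can carry e-mail addresses, phone numbers
                    // and other personal data that should not end up in log files.
                    LOG.debug("Claim set %s", new Object[]{entry.getKey()});
                    claims.put(entry.getKey(), value);
                }
            }
            return claimsExtractor.extractInfo(new Token(str, verified.getSubject(), claims));
        } catch (Exception e) {
            // Boundary catch: every failure on this path is reported as "unauthorized".
            throw new UnauthorizedException(e.getMessage(), e);
        }
    }

    /** Returns the token configuration in use. */
    @Override
    public TokensConfig getConfig() {
        return this.config;
    }

    /** Returns the JWKS-backed processor, or {@code null} when no public JWKS is configured. */
    public ConfigurableJWTProcessor<SecurityContext> getJwtProcessor() {
        return this.jwtProcessor;
    }

    /** Returns the private JWKS content used for signing; treat the result as a secret. */
    public String getPrivateJwks() {
        return this.privateJwks;
    }

    /**
     * Replaces the configuration. The JWKS material loaded at construction time is not
     * reloaded by this setter.
     */
    public void setConfig(TokensConfig tokensConfig) {
        this.config = tokensConfig;
    }

    /** Replaces the processor, and with it the keys that incoming tokens are verified against. */
    public void setJwtProcessor(ConfigurableJWTProcessor<SecurityContext> configurableJWTProcessor) {
        this.jwtProcessor = configurableJWTProcessor;
    }

    /** Replaces the private JWKS content used for signing. */
    public void setPrivateJwks(String str) {
        this.privateJwks = str;
    }

    /** Compares config, processor and private JWKS; subclasses can opt out via {@link #canEqual}. */
    @Override
    public boolean equals(Object obj) {
        if (obj == this) {
            return true;
        }
        if (!(obj instanceof DefaultTokenProvider)) {
            return false;
        }
        DefaultTokenProvider other = (DefaultTokenProvider) obj;
        return other.canEqual(this)
            && Objects.equals(getConfig(), other.getConfig())
            && Objects.equals(getJwtProcessor(), other.getJwtProcessor())
            && Objects.equals(getPrivateJwks(), other.getPrivateJwks());
    }

    /** Lets subclasses that add state refuse equality with a plain {@code DefaultTokenProvider}. */
    protected boolean canEqual(Object obj) {
        return obj instanceof DefaultTokenProvider;
    }

    /** Combines the same three fields as {@link #equals(Object)}, using 59 as multiplier and 43 for null. */
    @Override
    public int hashCode() {
        int result = 1;
        TokensConfig currentConfig = getConfig();
        result = (result * 59) + (currentConfig == null ? 43 : currentConfig.hashCode());
        ConfigurableJWTProcessor<SecurityContext> processor = getJwtProcessor();
        result = (result * 59) + (processor == null ? 43 : processor.hashCode());
        String jwks = getPrivateJwks();
        return (result * 59) + (jwks == null ? 43 : jwks.hashCode());
    }

    /**
     * Describes the provider without exposing key material.
     *
     * <p>The private JWKS is never printed, and the config is reduced to its issuer because its
     * own string form may include the shared secret (not verifiable from this class).
     */
    @Override
    public String toString() {
        TokensConfig currentConfig = getConfig();
        String issuer = currentConfig == null ? null : currentConfig.getIssuer();
        return "DefaultTokenProvider(issuer=" + issuer
            + ", jwksVerification=" + (getJwtProcessor() != null)
            + ", privateJwks=" + (getPrivateJwks() == null ? "null" : "<redacted>") + ")";
    }
}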
