package io.getmedusa.medusa.core.security;

import com.auth0.jwt.JWT;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.interfaces.DecodedJWT;
import com.github.benmanes.caffeine.cache.Cache;
import com.github.benmanes.caffeine.cache.Caffeine;
import java.security.KeyFactory;
import java.security.SecureRandom;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.X509EncodedKeySpec;
import java.time.Duration;
import java.util.ArrayList;
import java.util.Base64;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import org.springframework.http.HttpCookie;
import org.springframework.http.ResponseCookie;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.security.web.server.authentication.AuthenticationWebFilter;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;

/* loaded from: input_file:io/getmedusa/medusa/core/security/JWTTokenInterpreter.class */
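/**
 * Web filter that authenticates a request from the JWT carried in the {@code HYDRA-SSO} cookie.
 *
 * <p>The token signature is checked against {@link #PUBLIC_KEY} with the verifier pinned to
 * RS256 and the issuer {@code hydra}. Successful verifications are cached per raw token value
 * for five minutes (at most 250 entries).
 *
 * <p>Every failure path returns "no authentication" (fail closed): missing cookie, no key
 * loaded, bad signature, wrong issuer, missing {@code username} or {@code roles} claim.
 *
 * <p>NOTE(review): java-jwt checks {@code exp} only when the claim is present, and nothing here
 * requires it. A cached entry can also be served for up to five minutes after it was written,
 * even if the token expired in between. Confirm the issuer always sets a short {@code exp}.
 */
public class JWTTokenInterpreter extends AuthenticationWebFilter {
    // volatile: written by handleUpdate, read by request threads during verification.
    public static volatile RSAPublicKey PUBLIC_KEY;
    // Replaced as a whole on update and never mutated after publication, so request threads
    // never observe a HashMap in the middle of clear()/putAll().
    private static volatile Map<String, String> ROLE_MAPPING = new HashMap<>();
    static Cache<String, Authentication> cache = Caffeine.newBuilder().expireAfterWrite(5, TimeUnit.MINUTES).maximumSize(250).build();

    /** Drops every cached authentication so the next request re-verifies its token. */
    public static void clearCache() {
        cache.invalidateAll();
    }

    /**
     * Installs the converter that turns the {@code HYDRA-SSO} cookie into an
     * {@link Authentication}, or rejects the request when the cookie is absent or invalid.
     */
    public JWTTokenInterpreter() {
        super(new KnownAuthenticationManager());
        setServerAuthenticationConverter(serverWebExchange -> {
            HttpCookie ssoCookie = serverWebExchange.getRequest().getCookies().getFirst("HYDRA-SSO");
            if (ssoCookie == null) {
                return reject(serverWebExchange);
            }
            String token = ssoCookie.getValue();
            // A null result from verifyToken is not stored by Caffeine, so invalid tokens are
            // re-verified on every request and never occupy a cache slot.
            Authentication authentication = cache.get(token, this::verifyToken);
            return authentication == null ? reject(serverWebExchange) : Mono.just(authentication);
        });
    }

    /**
     * Replaces the verification key and the role mapping, then clears the authentication cache.
     *
     * <p>The new key and mapping are built completely before either one is published. If
     * anything fails, the key is set to {@code null} and the mapping is emptied, so all tokens
     * are rejected until a later update succeeds.
     *
     * @param str Base64 encoded X.509 (SubjectPublicKeyInfo) RSA public key; {@code null} is a no-op
     * @param map role name translations applied to the token's {@code roles} claim
     * @throws RuntimeException wrapping the cause when the key cannot be decoded or {@code map} is null
     */
    public static void handleUpdate(String str, Map<String, String> map) {
        if (null == str) {
            return;
        }
        try {
            System.out.println("Loading new Hydra public key");
            RSAPublicKey newKey = (RSAPublicKey) KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(Base64.getDecoder().decode(str)));
            Map<String, String> newMapping = new HashMap<>(map);
            PUBLIC_KEY = newKey;
            ROLE_MAPPING = newMapping;
            System.out.println("Hydra connection established with public key");
        } catch (Exception e) {
            PUBLIC_KEY = null;
            ROLE_MAPPING = new HashMap<>();
            throw new RuntimeException(e);
        } finally {
            // Entries verified under the previous key or mapping must not outlive it.
            // NOTE(review): a verification already in flight with the old key can still write
            // its result after this call; such an entry lives until the 5 minute expiry.
            clearCache();
        }
    }

    /**
     * Records the requested path in a short-lived {@code Referer} cookie and yields no
     * authentication.
     *
     * <p>NOTE(review): the cookie is HttpOnly but sets neither Secure nor SameSite, and its
     * value comes from the request. Whatever reads it back (presumably a post-login redirect;
     * not visible here) should accept only a same-origin relative path.
     */
    private Mono<Authentication> reject(ServerWebExchange serverWebExchange) {
        String requestedPath = serverWebExchange.getRequest().getPath().toString();
        ResponseCookie returnPath = ResponseCookie.from("Referer", requestedPath)
                .httpOnly(true)
                .maxAge(Duration.ofMinutes(4L))
                .build();
        serverWebExchange.getResponse().addCookie(returnPath);
        return Mono.empty();
    }

    /**
     * Verifies a raw JWT and converts it into an authenticated token.
     *
     * @param str the compact JWT taken from the cookie
     * @return the authenticated token, or {@code null} when the token must be rejected
     */
    private PreAuthenticatedAuthenticationToken verifyToken(String str) {
        // Read the key once so a concurrent handleUpdate cannot change it mid-verification.
        RSAPublicKey key = PUBLIC_KEY;
        if (key == null) {
            return null;
        }
        try {
            // The verifier is built for RS256 only; java-jwt rejects a token whose header
            // names a different algorithm.
            DecodedJWT verify = JWT.require(Algorithm.RSA256(key, (RSAPrivateKey) null)).withIssuer("hydra").build().verify(str);
            if (verify == null) {
                return null;
            }
            // A correctly signed token without a usable subject must not become an
            // authenticated principal with a null or empty name.
            String username = verify.getClaim("username").asString();
            if (username == null || username.isEmpty()) {
                return null;
            }
            String[] roles = verify.getClaim("roles").asArray(String.class);
            if (roles == null) {
                return null;
            }
            // The SecureRandom instance is only an opaque credentials placeholder.
            PreAuthenticatedAuthenticationToken authenticated = new PreAuthenticatedAuthenticationToken(username, new SecureRandom(), buildAuthorities(mapRolesIfApplicable(roles)));
            authenticated.setAuthenticated(true);
            return authenticated;
        } catch (Exception ignored) {
            // Deliberate fail-closed: any verification or claim error means "not authenticated".
            // NOTE(review): failures are silent; consider logging the exception type (never the
            // token) so repeated forged-token attempts are visible to operators.
            return null;
        }
    }

    /**
     * Translates each role through the configured mapping; roles without a mapping are kept
     * unchanged.
     */
    private static List<String> mapRolesIfApplicable(String[] strArr) {
        Map<String, String> mapping = ROLE_MAPPING;
        List<String> mapped = new ArrayList<>(strArr.length);
        for (String role : strArr) {
            mapped.add(mapping.getOrDefault(role, role));
        }
        return mapped;
    }

    /**
     * Builds granted authorities from role names, upper-cased.
     *
     * <p>Uses {@code Locale.ROOT} so the authority string does not depend on the JVM default
     * locale (under a Turkish locale "admin" would otherwise become "ADMİN" and no longer
     * match an "ADMIN" access rule).
     */
    private List<SimpleGrantedAuthority> buildAuthorities(List<String> list) {
        List<SimpleGrantedAuthority> authorities = new ArrayList<>(list.size());
        for (String role : list) {
            authorities.add(new SimpleGrantedAuthority(role.toUpperCase(java.util.Locale.ROOT)));
        }
        return authorities;
    }
}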
