package io.inversion.action.security;

import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTCreator;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTCreationException;
import com.auth0.jwt.interfaces.Claim;
import com.auth0.jwt.interfaces.DecodedJWT;
import io.inversion.Action;
import io.inversion.ApiException;
import io.inversion.Chain;
import io.inversion.Request;
import io.inversion.Response;
import io.inversion.User;
import io.inversion.utils.Config;
import io.inversion.utils.JSArray;
import io.inversion.utils.JSNode;
import io.inversion.utils.Utils;
import java.io.UnsupportedEncodingException;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.collections4.map.LRUMap;

/* loaded from: input_file:io/inversion/action/security/AuthAction.class */
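/**
 * Authenticates the current request and publishes the resulting {@link User} on the {@link Chain}.
 *
 * <p>Credentials are taken, in order, from an {@code Authorization} (or {@code x-auth-token}) header
 * in {@code Bearer}, {@code Basic} or {@code Session} form; otherwise from the JSON body of a POST to
 * the configured auth collection, then from {@code x-auth-username}/{@code x-auth-password} headers,
 * then {@code username}/{@code password} headers, then {@code username}/{@code password} URL params
 * (which are removed from the URL once read). A request with no credentials becomes the
 * {@link UserDao#getGuest guest} user unless it targets the auth collection, which answers 401.
 *
 * <p>A {@link UserDao} must be configured before {@link #run}; {@code Session} tokens, login and
 * logout additionally require a {@link SessionDao}.
 */
public class AuthAction extends Action<AuthAction> {
    public static final int AUTH_ACTION_DEFAULT_ORDER_IS_100 = 100;

    /** Collection key that hosts login (POST) and logout (DELETE); null disables both. */
    protected String collection = null;
    /** Set via {@link #withAuthenticatedPerm} but not read anywhere in this class. */
    protected String authenticatedPerm = null;
    /** Store for {@code Session <id>} tokens; null makes session tokens a 400. */
    protected SessionDao sessionDao = null;
    /** Resolves bearer tokens and username/password pairs to users; must be non-null before {@link #run}. */
    protected UserDao userDao = null;

    /**
     * Process-local revocation list for bearer tokens.
     *
     * <p>Tokens are stored and looked up exactly as presented. A JWT's compact serialization is
     * case-sensitive, and an earlier version lower-cased tokens on insert but not on lookup, so a
     * revoked token was never actually recognized. The backing set is concurrent because the owning
     * action is shared across request threads.
     */
    public static class InMemoryRevokedTokenCache implements JwtUserDao.RevokedTokenCache {
        final Set<String> revoked = ConcurrentHashMap.newKeySet();

        /**
         * Marks a token as revoked.
         *
         * @param str the exact token string clients present (must not be null)
         */
        public void addRevokedToken(String str) {
            this.revoked.add(str);
        }

        @Override
        public boolean isRevoked(String str) {
            return this.revoked.contains(str);
        }
    }

    /**
     * LRU-bounded in-memory {@link SessionDao}.
     *
     * <p>A session expires once {@code sessionExp} ms have passed since the user's recorded
     * {@code requestAt}; a lookup more than {@code sessionUpdate} ms after that timestamp re-puts the
     * entry so it moves to the head of the LRU. {@link LRUMap} is not synchronized, so concurrent
     * request threads sharing one instance need external guarding or a subclass overriding the
     * {@code do*} hooks with a thread-safe store.
     */
    public static class InMemorySessionDao implements SessionDao {
        /** Idle timeout in ms; a value {@code <= 0} disables expiry. */
        protected long sessionExp = 1800000;
        /** Minimum idle ms before a lookup refreshes the entry's LRU position. */
        protected long sessionUpdate = 10000;
        /** Advisory only: the LRU capacity is fixed by the constructor argument, not by this field. */
        protected int sessionMax = 10000;
        protected Map<String, User> cache;

        /** For subclasses that provide their own storage through the {@code do*} hooks; {@link #cache} stays null. */
        protected InMemorySessionDao() {
        }

        /**
         * @param i maximum number of sessions retained; least recently used entries are evicted beyond it
         */
        public InMemorySessionDao(int i) {
            this.cache = new LRUMap<>(i);
        }

        /**
         * Returns the user bound to session {@code str}, or null when the id is unknown.
         *
         * @throws ApiException 401 when the session exists but has been idle longer than {@link #sessionExp};
         *                      the session is deleted first
         */
        @Override
        public User get(String str) {
            long now = System.currentTimeMillis();
            User user = doGet(str);
            if (user == null) {
                // unknown id: previously dereferenced and threw NPE; let the caller answer 401
                return null;
            }
            if (this.sessionExp > 0) {
                long idleMs = now - user.getRequestAt();
                if (idleMs > this.sessionExp) {
                    delete(str);
                    throw ApiException.new401Unauthroized("The session has expired.", new Object[0]);
                }
                if (idleMs > this.sessionUpdate) {
                    // refresh the LRU position; requestAt itself is stamped by AuthAction.run
                    put(str, user);
                }
            }
            // return what the (overridable) lookup produced rather than re-reading the map
            return user;
        }

        protected User doGet(String str) {
            return this.cache.get(str);
        }

        /** Stores {@code user} under a fresh random session id and returns that id. */
        @Override
        public String post(User user) {
            String sessionId = newSessionId();
            put(sessionId, user);
            return sessionId;
        }

        @Override
        public void put(String str, User user) {
            doPut(str, user);
        }

        protected void doPut(String str, User user) {
            this.cache.put(str, user);
        }

        @Override
        public void delete(String str) {
            doDelete(str);
        }

        protected void doDelete(String str) {
            this.cache.remove(str);
        }

        /** 32 hex chars from a random UUID (backed by a cryptographically strong RNG). */
        protected String newSessionId() {
            return UUID.randomUUID().toString().replace("-", "");
        }

        public SessionDao withSessionUpdate(long j) {
            this.sessionUpdate = j;
            return this;
        }

        /** Records the value only; it does not resize an existing {@link LRUMap}. */
        public SessionDao withSessionMax(int i) {
            this.sessionMax = i;
            return this;
        }

        public SessionDao withSessionExp(long j) {
            this.sessionExp = j;
            return this;
        }
    }

    /**
     * {@link UserDao} that authenticates HS256 bearer JWTs signed with a secret read from {@link Config}.
     *
     * <p>Username/password login is not supported and always answers 403.
     */
    public static class JwtUserDao implements UserDao {
        RevokedTokenCache revokedTokenCache = new InMemoryRevokedTokenCache();

        /** Lookup of tokens that must be rejected even though their signature verifies. */
        public interface RevokedTokenCache {
            boolean isRevoked(String str);
        }

        /** Password login is not supported by this DAO. */
        @Override
        public User getUser(AuthAction authAction, String str, String str2, String str3, String str4) throws ApiException {
            throw ApiException.new403Forbidden();
        }

        /**
         * Verifies {@code str} as an HS256 JWT against each configured secret in the order returned by
         * {@link #getJwtSecrets} and builds a user from its claims.
         *
         * @param str  the compact JWT from the bearer header
         * @param str2 api name used to scope the secret lookup
         * @param str3 tenant used to scope the secret lookup
         * @throws ApiException 401 when the token is revoked or verifies against none of the secrets
         */
        @Override
        public User getUser(AuthAction authAction, String str, String str2, String str3) throws ApiException {
            if (this.revokedTokenCache != null && this.revokedTokenCache.isRevoked(str)) {
                throw ApiException.new401Unauthroized();
            }
            DecodedJWT decodedJWT = null;
            for (String secret : getJwtSecrets(authAction, str2, str3)) {
                try {
                    // 1s leeway on the time claims absorbs clock skew between issuer and this host
                    decodedJWT = JWT.require(Algorithm.HMAC256(secret)).acceptLeeway(1L).build().verify(str);
                    break;
                } catch (Exception ignored) {
                    // expected during secret rotation: try the next secret; if none verifies we answer 401 below
                }
            }
            if (decodedJWT == null) {
                throw ApiException.new401Unauthroized();
            }
            return createUserFromValidJwt(decodedJWT);
        }

        /**
         * Maps claims onto a {@link User}: {@code sub} becomes the username; {@code groups} and then
         * {@code roles} are each passed to {@code withRoles}; {@code tenantId}, {@code tenantCode} and
         * {@code tenant} are each passed to {@code withTenant} in that order (a later one overwrites);
         * {@code perms} and {@code actions} are passed to {@code withPermissions}.
         */
        protected User createUserFromValidJwt(DecodedJWT decodedJWT) {
            User user = new User();
            user.withUsername(decodedJWT.getSubject());
            String[] groups = claimAsStrings(decodedJWT.getClaim("groups"));
            if (groups != null) {
                user.withRoles(groups);
            }
            String[] roles = claimAsStrings(decodedJWT.getClaim("roles"));
            if (roles != null) {
                user.withRoles(roles);
            }
            for (String tenantClaim : new String[] {"tenantId", "tenantCode", "tenant"}) {
                Claim claim = decodedJWT.getClaim(tenantClaim);
                if (claim != null && !claim.isNull()) {
                    user.withTenant(claim.asString());
                }
            }
            addPermsToUser(user, decodedJWT.getClaim("perms"));
            addPermsToUser(user, decodedJWT.getClaim("actions"));
            return user;
        }

        /** Adds the claim's string values to the user's permissions; absent, null or non-array claims are ignored. */
        protected void addPermsToUser(User user, Claim claim) {
            String[] perms = claimAsStrings(claim);
            if (perms != null) {
                user.withPermissions(perms);
            }
        }

        /**
         * Returns the claim's value as a string array, or null when the claim is absent, JSON null, or
         * cannot be read as a list (auth0's {@code asList} returns null in that case, which previously
         * surfaced as an NPE on {@code toArray}).
         */
        private static String[] claimAsStrings(Claim claim) {
            if (claim == null || claim.isNull()) {
                return null;
            }
            List<String> values = claim.asList(String.class);
            return values == null ? null : values.toArray(new String[0]);
        }

        /**
         * Collects the configured secrets, most specific and highest numbered first, de-duplicated.
         *
         * <p>Keys tried are {@code <actionName>.jwt[.N][.<str>].secret} for N from 10 down to 0
         * (N omitted when 0), with and without the {@code str} suffix. Keeping old secrets under
         * lower numbers lets already-issued tokens verify during rotation.
         *
         * @param str  api name appended to the key when non-null
         * @param str2 tenant; see the note in the body, it never reaches a key as written
         */
        protected List<String> getJwtSecrets(AuthAction authAction, String str, String str2) {
            Set<String> secrets = new LinkedHashSet<>();
            String prefix = authAction.getName() != null ? authAction.getName() : "";
            for (int version = 10; version >= 0; version--) {
                for (int scope = 2; scope >= 0; scope--) {
                    String key = prefix + ".jwt" + (version == 0 ? "" : "." + version);
                    if (scope > 1 && str != null) {
                        key += "." + str;
                    }
                    // NOTE(review): scope starts at 2, so this branch is never taken and str2 never
                    // contributes to a key. Left unchanged so the set of config keys consulted does
                    // not silently change; confirm the intended key layout upstream.
                    if (scope > 2 && str2 != null) {
                        key += "." + str2;
                    }
                    String secret = Config.getString(key + ".secret");
                    if (secret != null) {
                        secrets.add(secret);
                    }
                }
            }
            return new ArrayList<>(secrets);
        }

        /**
         * Signs {@code builder} with the first secret returned by {@link #getJwtSecrets}.
         *
         * @throws IllegalStateException when no {@code *.jwt*.secret} property is configured (previously
         *                               an IndexOutOfBoundsException)
         */
        public String signJwt(JWTCreator.Builder builder, AuthAction authAction, String str, String str2) throws IllegalArgumentException, JWTCreationException, UnsupportedEncodingException {
            List<String> secrets = getJwtSecrets(authAction, str, str2);
            if (secrets.isEmpty()) {
                throw new IllegalStateException("No JWT secret is configured for action '" + authAction.getName() + "'");
            }
            return builder.sign(Algorithm.HMAC256(secrets.get(0)));
        }

        public RevokedTokenCache getRevokedTokenCache() {
            return this.revokedTokenCache;
        }

        public JwtUserDao withRevokedTokenCache(RevokedTokenCache revokedTokenCache) {
            this.revokedTokenCache = revokedTokenCache;
            return this;
        }
    }

    /** Server-side session store keyed by the opaque id returned from {@link #post}. */
    public interface SessionDao {
        /** Returns the user for the session id, or null when unknown; may throw 401 when expired. */
        User get(String str);

        /** Creates a session for the user and returns its id. */
        String post(User user);

        void put(String str, User user);

        void delete(String str);
    }

    /** Source of authenticated users. */
    public interface UserDao {
        /** Resolves a bearer token ({@code str}) scoped by api name ({@code str2}) and tenant ({@code str3}). */
        User getUser(AuthAction authAction, String str, String str2, String str3) throws ApiException;

        /** Resolves a username ({@code str}) / password ({@code str2}) pair scoped by api name ({@code str3}) and tenant ({@code str4}). */
        User getUser(AuthAction authAction, String str, String str2, String str3, String str4) throws ApiException;

        /**
         * Builds the anonymous user used when a request carries no credentials.
         *
         * @param str  api name (unused by the default)
         * @param str2 tenant from the URL, copied onto the guest so the tenant check in {@link AuthAction#run} passes
         */
        default User getGuest(String str, String str2) {
            User user = new User();
            user.withUsername("Anonymous");
            user.withRoles("guest");
            user.withTenant(str2);
            return user;
        }
    }

    public AuthAction() {
        withOrder(100);
    }

    /**
     * Resolves the caller to a {@link User} and attaches it to the current {@link Chain}.
     *
     * <p>Skipped when an earlier action already set a user, except on DELETE so that logout of the
     * auth collection is always handled here. A POST to the auth collection that authenticates also
     * creates a session (when a {@link SessionDao} is configured), returns its id in the
     * {@code x-auth-token} header and echoes id, username, displayname, perms and roles as JSON.
     *
     * @throws ApiException 400 for an unknown header scheme, malformed Basic credentials or a session
     *                      token without a session store; 401 when authentication fails, when the auth
     *                      collection is hit without credentials, on a logout id mismatch, or when the
     *                      {@code tenant} URL param differs from the user's tenant
     */
    @Override
    public void run(Request request, Response response) throws ApiException {
        User user = Chain.getUser();
        if (user != null && !request.isDelete()) {
            return;
        }
        String apiName = request.getApi().getName();
        String tenant = request.getUrl().getParam("tenant");
        long now = System.currentTimeMillis();
        String username = null;
        boolean isAuthCollection = this.collection != null && this.collection.equalsIgnoreCase(request.getCollectionKey());

        // x-auth-token is accepted as an alias for Authorization
        String header = request.getHeader("authorization");
        if (header == null) {
            header = request.getHeader("x-auth-token");
        }

        if (header != null) {
            String token = header.trim();
            String scheme = token.toLowerCase();
            if (scheme.startsWith("bearer ")) {
                user = this.userDao.getUser(this, token.substring(token.indexOf(" ") + 1).trim(), apiName, tenant);
            } else if (scheme.startsWith("basic ")) {
                String[] creds = decodeBasicCredentials(token.substring(token.indexOf(" ") + 1));
                username = creds[0];
                user = this.userDao.getUser(this, username, creds[1], apiName, tenant);
            } else if (scheme.startsWith("session ")) {
                if (this.sessionDao == null) {
                    throw ApiException.new400BadRequest("AuthAction has not been configured to support session authorization", new Object[0]);
                }
                String sessionId = token.substring(8).trim();
                if (isAuthCollection && request.isDelete()) {
                    // logout: the id in the URL must equal the session presented, so a caller
                    // cannot terminate someone else's session by naming it in the path
                    if (!Utils.equal(sessionId, request.getResourceKey())) {
                        throw ApiException.new401Unauthroized("Logout requires a session authroization or x-auth-token header that matches the url resourceKey", new Object[0]);
                    }
                    this.sessionDao.delete(sessionId);
                    return;
                }
                user = this.sessionDao.get(sessionId);
            } else {
                throw ApiException.new400BadRequest("Authorization token format must be bearer,basic or session. {} ", token);
            }
            if (user == null) {
                throw ApiException.new401Unauthroized();
            }
        } else {
            String[] creds = findCredentials(request, isAuthCollection);
            username = creds[0];
            String password = creds[1];
            if (!Utils.empty(username, password)) {
                user = this.userDao.getUser(this, username, password, apiName, tenant);
                if (user == null) {
                    throw ApiException.new401Unauthroized();
                }
            }
        }

        if (user == null) {
            if (isAuthCollection) {
                // the login collection never serves guests
                throw ApiException.new401Unauthroized();
            }
            user = this.userDao.getGuest(apiName, tenant);
        }
        // a caller may not act under a tenant other than the one their credentials resolved to
        if (user == null || !(tenant == null || tenant.equalsIgnoreCase(user.getTenant()))) {
            throw ApiException.new401Unauthroized();
        }
        user.withRequestAt(now);
        Chain.peek().withUser(user);

        if (this.sessionDao != null && isAuthCollection && request.isPost()) {
            writeSessionResponse(response, user, username);
        }
    }

    /**
     * Decodes {@code base64(username:password)} from a Basic header.
     *
     * @return {@code {username, password}}; the password keeps any further colons
     * @throws ApiException 400 when the decoded value has no {@code :} (previously a
     *                      StringIndexOutOfBoundsException)
     */
    private static String[] decodeBasicCredentials(String encoded) throws ApiException {
        // explicit charset: the platform default is not guaranteed to be UTF-8 on every JDK/OS
        String decoded = new String(Base64.decodeBase64(encoded), StandardCharsets.UTF_8);
        int sep = decoded.indexOf(':');
        if (sep < 0) {
            throw ApiException.new400BadRequest("Basic authorization credentials must be base64(username:password)", new Object[0]);
        }
        return new String[] {decoded.substring(0, sep), decoded.substring(sep + 1)};
    }

    /**
     * Looks for a username/password pair when no Authorization header was sent.
     *
     * <p>Order: JSON body of a POST to the auth collection, {@code x-auth-username}/{@code x-auth-password}
     * headers, {@code username}/{@code password} headers, then {@code username}/{@code password} URL
     * params, which are removed from the URL as they are read. Each later source is consulted only
     * while {@code Utils.empty(username, password)} holds for the previous one.
     *
     * @return {@code {username, password}}; either element may be null
     */
    private static String[] findCredentials(Request request, boolean isAuthCollection) {
        String username = null;
        String password = null;
        if (request.isPost() && isAuthCollection) {
            JSNode body = request.getJson();
            if (body != null) {
                username = body.getString("username");
                password = body.getString("password");
            }
        }
        if (Utils.empty(username, password)) {
            username = request.getHeader("x-auth-username");
            password = request.getHeader("x-auth-password");
        }
        if (Utils.empty(username, password)) {
            username = request.getHeader("username");
            password = request.getHeader("password");
        }
        if (Utils.empty(username, password)) {
            username = request.getUrl().clearParams("username");
            password = request.getUrl().clearParams("password");
        }
        return new String[] {username, password};
    }

    /**
     * Creates a session for {@code user}, returns its id in the {@code x-auth-token} header and
     * writes the login payload {@code {"data": {id, username, displayname, perms, roles}}}.
     *
     * @param username the username the caller logged in with; null (e.g. a bearer login) is written as-is
     */
    private void writeSessionResponse(Response response, User user, String username) {
        response.withHeader("x-auth-token", "Session " + this.sessionDao.post(user));
        JSNode data = new JSNode();
        data.put("id", (Object) Integer.valueOf(user.getId()));
        data.put("username", (Object) username);
        data.put("displayname", (Object) user.getDisplayName());
        JSArray perms = new JSArray(new Object[0]);
        for (String perm : user.getPermissions()) {
            perms.add(perm);
        }
        data.put("perms", (Object) perms);
        JSArray roles = new JSArray(new Object[0]);
        for (String role : user.getRoles()) {
            roles.add(role);
        }
        data.put("roles", (Object) roles);
        response.withJson(new JSNode("data", data));
    }

    /** Collection key on which POST logs in and DELETE logs out. */
    public AuthAction withCollection(String str) {
        this.collection = str;
        return this;
    }

    /** Stored only; nothing in this class reads it. */
    public AuthAction withAuthenticatedPerm(String str) {
        this.authenticatedPerm = str;
        return this;
    }

    public AuthAction withSessionDao(SessionDao sessionDao) {
        this.sessionDao = sessionDao;
        return this;
    }

    public AuthAction withUserDao(UserDao userDao) {
        this.userDao = userDao;
        return this;
    }

    public UserDao getUserDao() {
        return this.userDao;
    }
}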
