package org.dspace.app.rest.security.jwt;

import com.nimbusds.jose.CompressionAlgorithm;
import com.nimbusds.jose.EncryptionMethod;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWEAlgorithm;
import com.nimbusds.jose.JWEHeader;
import com.nimbusds.jose.JWEObject;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.Payload;
import com.nimbusds.jose.crypto.DirectDecrypter;
import com.nimbusds.jose.crypto.DirectEncrypter;
import com.nimbusds.jose.crypto.MACSigner;
import com.nimbusds.jose.crypto.MACVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.jwt.util.DateUtils;
import java.nio.charset.StandardCharsets;
import java.sql.SQLException;
import java.text.ParseException;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.lang3.StringUtils;
import org.dspace.authorize.AuthorizeException;
import org.dspace.core.Context;
import org.dspace.eperson.EPerson;
import org.dspace.eperson.service.EPersonService;
import org.dspace.service.ClientInfoService;
import org.dspace.services.ConfigurationService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.crypto.keygen.KeyGenerators;

/* loaded from: input_file:org/dspace/app/rest/security/jwt/JWTTokenHandler.class */
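/**
 * Issues and validates HMAC-signed (HS256) JWTs, optionally wrapped in a direct-encrypted
 * (DIR / A128GCM) JWE.
 *
 * <p>The HMAC key is the configured (or lazily generated) JWT secret concatenated with the
 * EPerson's per-session salt, so clearing that salt invalidates every token issued with it.
 * Subclasses supply the configuration keys for secrets, expiration, encryption and compression.
 *
 * <p>The lazily generated fallback keys are plain instance fields without synchronization and
 * are lost on restart; a configured secret should be used wherever tokens must survive either.
 */
public abstract class JWTTokenHandler {
    /** Clock skew tolerated when checking the {@code exp} claim, in seconds. */
    private static final int MAX_CLOCK_SKEW_SECONDS = 60;
    /** Request parameter that carries a short-lived token; such requests may not mint new tokens. */
    private static final String AUTHORIZATION_TOKEN_PARAMETER = "authentication-token";
    private static final Logger log = LoggerFactory.getLogger(JWTTokenHandler.class);

    @Autowired
    private List<JWTClaimProvider> jwtClaimProviders;

    @Autowired
    private ConfigurationService configurationService;

    @Autowired
    private EPersonClaimProvider ePersonClaimProvider;

    @Autowired
    private EPersonService ePersonService;

    @Autowired
    private ClientInfoService clientInfoService;

    // Fallbacks used only when no secret is configured. Not synchronized: two concurrent
    // first calls may each generate a different key, and a restart produces a new one.
    private String generatedJwtKey;
    private String generatedEncryptionKey;

    /** @return configuration key holding the secret used to sign tokens */
    protected abstract String getTokenSecretConfigurationKey();

    /** @return configuration key holding the secret used to encrypt tokens */
    protected abstract String getEncryptionSecretConfigurationKey();

    /** @return configuration key holding the token lifetime in milliseconds */
    protected abstract String getTokenExpirationConfigurationKey();

    /** @return configuration key of the boolean that enables JWE encryption */
    protected abstract String getEncryptionEnabledConfigurationKey();

    /** @return configuration key of the boolean that enables JWE payload compression */
    protected abstract String getCompressionEnabledConfigurationKey();

    /**
     * Parses a token, verifies it and resolves the EPerson it belongs to.
     *
     * @param str                the serialized token (JWS, or JWE when encryption is enabled)
     * @param httpServletRequest the current request, passed to the claim providers
     * @param context            the DSpace context used to look up the EPerson
     * @return the EPerson the token was issued to, or {@code null} when the token is blank,
     *         does not verify, is expired, or names no user with a session salt
     * @throws JOSEException  when decryption or signature verification fails
     * @throws ParseException when the token is not a well-formed JWS/JWE
     * @throws SQLException   when the EPerson lookup fails
     */
    public EPerson parseEPersonFromToken(String str, HttpServletRequest httpServletRequest, Context context)
        throws JOSEException, ParseException, SQLException {
        if (StringUtils.isBlank(str)) {
            return null;
        }
        SignedJWT signedJWT = getSignedJWT(str);
        JWTClaimsSet claims = signedJWT.getJWTClaimsSet();
        // The claims are read before the signature is checked, solely to find the EPerson
        // whose session salt is part of the HMAC key. Nothing in them is trusted until
        // isValidToken() has verified the signature with that key.
        EPerson ePerson = getEPerson(context, claims);
        if (!isValidToken(httpServletRequest, signedJWT, claims, ePerson)) {
            log.warn("{} tried to use an expired or non-valid token", getIpAddress(httpServletRequest));
            return null;
        }
        log.debug("Received valid token for username: {}", ePerson.getEmail());
        for (JWTClaimProvider provider : this.jwtClaimProviders) {
            provider.parseClaim(context, httpServletRequest, claims);
        }
        return ePerson;
    }

    /**
     * Creates a signed (and, if enabled, encrypted) token for the context's current user.
     *
     * @param context            context whose current user receives the token
     * @param httpServletRequest the current request; its claims are collected by the providers
     * @param date               the previous login date, used to decide whether the salt is stale
     * @return the serialized token
     * @throws AccessDeniedException when the request itself was authenticated by a short-lived token
     * @throws JOSEException         when signing or encryption fails
     * @throws SQLException          when updating the EPerson fails
     */
    public String createTokenForEPerson(Context context, HttpServletRequest httpServletRequest, Date date)
        throws JOSEException, SQLException {
        // A request authenticated by a short-lived token must not be able to mint a full token.
        if (StringUtils.isNotBlank(httpServletRequest.getParameter(AUTHORIZATION_TOKEN_PARAMETER))) {
            throw new AccessDeniedException("Short lived tokens can't be used to generate other tokens");
        }
        // The salt is refreshed first so the signing key below uses the current value.
        EPerson ePerson = updateSessionSalt(context, date);
        JWTClaimsSet claims = buildJwtClaimsSet(context, httpServletRequest);
        SignedJWT signedJWT = createSignedJWT(httpServletRequest, ePerson, claims);
        return isEncryptionEnabled() ? encryptJWT(signedJWT).serialize() : signedJWT.serialize();
    }

    /**
     * Invalidates every token of the user a valid token belongs to by clearing the session salt.
     *
     * <p>The EPerson is modified in memory only; persisting it is left to the caller's context
     * handling — TODO confirm against callers.
     *
     * @param str                the serialized token
     * @param httpServletRequest the current request
     * @param context            the DSpace context
     * @throws Exception propagated from token parsing
     */
    public void invalidateToken(String str, HttpServletRequest httpServletRequest, Context context) throws Exception {
        if (StringUtils.isBlank(str)) {
            return;
        }
        EPerson ePerson = parseEPersonFromToken(str, httpServletRequest, context);
        if (ePerson != null) {
            // An empty salt is rejected by isValidToken(), so no old token verifies anymore.
            ePerson.setSessionSalt("");
        }
    }

    /**
     * @return the configured JWT signing secret, or a per-instance generated fallback when none
     *         is configured
     */
    public String getJwtKey() {
        String key = this.configurationService.getProperty(getTokenSecretConfigurationKey());
        if (StringUtils.isNotBlank(key)) {
            return key;
        }
        if (StringUtils.isBlank(this.generatedJwtKey)) {
            this.generatedJwtKey = generateRandomKey();
        }
        return this.generatedJwtKey;
    }

    /** @return the token lifetime in milliseconds; defaults to 1 800 000 (30 minutes) */
    public long getExpirationPeriod() {
        return this.configurationService.getLongProperty(getTokenExpirationConfigurationKey(), 1800000L);
    }

    /** @return whether tokens are wrapped in a JWE; defaults to {@code false} */
    public boolean isEncryptionEnabled() {
        return this.configurationService.getBooleanProperty(getEncryptionEnabledConfigurationKey(), false);
    }

    /** @return whether the JWE payload is DEFLATE-compressed; defaults to {@code false} */
    public boolean getCompressionEnabled() {
        return this.configurationService.getBooleanProperty(getCompressionEnabledConfigurationKey(), false);
    }

    /**
     * Returns the raw JWE key bytes.
     *
     * <p>The secret is decoded as UTF-8 so the key does not depend on the JVM's platform charset.
     * NOTE(review): DIR with A128GCM expects a 128-bit key; the generated fallback is 32 Base64
     * characters (32 bytes) — confirm the fallback and any configured secret have the length the
     * encryption method requires.
     *
     * @return the configured encryption secret, or a per-instance generated fallback, as bytes
     */
    public byte[] getEncryptionKey() {
        String key = this.configurationService.getProperty(getEncryptionSecretConfigurationKey());
        if (StringUtils.isBlank(key)) {
            if (StringUtils.isBlank(this.generatedEncryptionKey)) {
                this.generatedEncryptionKey = generateRandomKey();
            }
            key = this.generatedEncryptionKey;
        }
        return key.getBytes(StandardCharsets.UTF_8);
    }

    /**
     * Wraps a signed JWT in a direct-encrypted JWE (DIR / A128GCM, content type "JWT").
     *
     * @param signedJWT the inner signed token
     * @return the encrypted JWE object
     * @throws JOSEException when encryption fails, e.g. because of an unusable key length
     */
    private JWEObject encryptJWT(SignedJWT signedJWT) throws JOSEException {
        JWEHeader.Builder headerBuilder =
            new JWEHeader.Builder(JWEAlgorithm.DIR, EncryptionMethod.A128GCM).contentType("JWT");
        JWEObject jweObject = new JWEObject(compression(headerBuilder).build(), new Payload(signedJWT));
        jweObject.encrypt(new DirectEncrypter(getEncryptionKey()));
        return jweObject;
    }

    /**
     * Checks the HMAC signature and the expiration claim of a parsed token.
     *
     * @param httpServletRequest the current request (unused here; available to subclasses)
     * @param signedJWT          the parsed token
     * @param jWTClaimsSet       its claims
     * @param ePerson            the user resolved from the claims, possibly {@code null}
     * @return {@code true} only if the user exists with a non-blank salt, the signature verifies
     *         with the key derived from that salt, and a present {@code exp} claim is still in the
     *         future within {@link #MAX_CLOCK_SKEW_SECONDS}
     * @throws JOSEException when signature verification fails internally
     */
    protected boolean isValidToken(HttpServletRequest httpServletRequest, SignedJWT signedJWT,
                                   JWTClaimsSet jWTClaimsSet, EPerson ePerson) throws JOSEException {
        // No user, or a salt cleared by invalidateToken(): no valid key can exist.
        if (ePerson == null || StringUtils.isBlank(ePerson.getSessionSalt())) {
            return false;
        }
        MACVerifier verifier = new MACVerifier(buildSigningKey(ePerson));
        Date expirationTime = jWTClaimsSet.getExpirationTime();
        // A missing exp claim is rejected, not treated as "never expires".
        return signedJWT.verify(verifier)
            && expirationTime != null
            && DateUtils.isAfter(expirationTime, new Date(), MAX_CLOCK_SKEW_SECONDS);
    }

    /**
     * Parses the serialized token, decrypting the JWE wrapper first when encryption is enabled.
     *
     * @param str the serialized token
     * @return the signed JWT (not yet verified)
     * @throws ParseException when the token is malformed or the decrypted payload is not a signed JWT
     * @throws JOSEException  when decryption fails
     */
    private SignedJWT getSignedJWT(String str) throws ParseException, JOSEException {
        if (!isEncryptionEnabled()) {
            return SignedJWT.parse(str);
        }
        JWEObject jweObject = JWEObject.parse(str);
        jweObject.decrypt(new DirectDecrypter(getEncryptionKey()));
        SignedJWT signedJWT = jweObject.getPayload().toSignedJWT();
        if (signedJWT == null) {
            // Payload.toSignedJWT() yields null for a non-JWT payload; surface that as a parse
            // failure instead of a NullPointerException at the caller's getJWTClaimsSet().
            throw new ParseException("Decrypted JWE payload is not a signed JWT", 0);
        }
        return signedJWT;
    }

    /** Resolves the EPerson named in the (unverified) claims via the EPerson claim provider. */
    private EPerson getEPerson(Context context, JWTClaimsSet jWTClaimsSet) throws SQLException {
        return this.ePersonClaimProvider.getEPerson(context, jWTClaimsSet);
    }

    /**
     * Signs the claims with HS256 using the key derived from the EPerson's session salt.
     *
     * @param httpServletRequest the current request (unused here)
     * @param ePerson            the user whose salt is part of the key; must not be {@code null}
     * @param jWTClaimsSet       the claims to sign
     * @return the signed token
     * @throws JOSEException when signing fails
     */
    private SignedJWT createSignedJWT(HttpServletRequest httpServletRequest, EPerson ePerson,
                                      JWTClaimsSet jWTClaimsSet) throws JOSEException {
        SignedJWT signedJWT = new SignedJWT(new JWSHeader(JWSAlgorithm.HS256), jWTClaimsSet);
        signedJWT.sign(new MACSigner(buildSigningKey(ePerson)));
        return signedJWT;
    }

    /**
     * Collects one claim per registered provider and sets {@code exp} to now plus the
     * configured lifetime.
     */
    private JWTClaimsSet buildJwtClaimsSet(Context context, HttpServletRequest httpServletRequest) {
        JWTClaimsSet.Builder builder = new JWTClaimsSet.Builder();
        for (JWTClaimProvider provider : this.jwtClaimProviders) {
            builder = builder.claim(provider.getKey(), provider.getValue(context, httpServletRequest));
        }
        Date expiration = new Date(System.currentTimeMillis() + getExpirationPeriod());
        return builder.expirationTime(expiration).build();
    }

    /** Adds DEFLATE compression to the JWE header when it is enabled in configuration. */
    private JWEHeader.Builder compression(JWEHeader.Builder builder) {
        if (getCompressionEnabled()) {
            return builder.compressionAlgorithm(CompressionAlgorithm.DEF);
        }
        return builder;
    }

    /**
     * Builds the HMAC key: the JWT secret followed by the EPerson's session salt.
     *
     * @param ePerson the user; must not be {@code null}
     * @return the combined key material as a string
     */
    public String buildSigningKey(EPerson ePerson) {
        return getJwtKey() + ePerson.getSessionSalt();
    }

    /** @return the client IP as reported by the ClientInfoService */
    private String getIpAddress(HttpServletRequest httpServletRequest) {
        return this.clientInfoService.getClientIp(httpServletRequest);
    }

    /**
     * Regenerates the current user's session salt when it is blank, when no previous login date
     * is known, or when the user's last activity lies more than one token lifetime after that date.
     *
     * <p>The current user is assumed to be non-null here (a null user raises a
     * NullPointerException) — TODO confirm callers always authenticate first. When the update is
     * not authorized, {@code null} is returned, which the signing code cannot use.
     *
     * @param context the context whose current user is updated
     * @param date    the previous login date, may be {@code null}
     * @return the (possibly updated) current user, or {@code null} when the update is not authorized
     * @throws SQLException when persisting the EPerson fails
     */
    protected EPerson updateSessionSalt(Context context, Date date) throws SQLException {
        EPerson ePerson;
        try {
            ePerson = context.getCurrentUser();
            boolean saltStale = date == null
                || ePerson.getLastActive().getTime() - date.getTime() > getExpirationPeriod();
            if (StringUtils.isBlank(ePerson.getSessionSalt()) || saltStale) {
                log.debug("Regenerating auth token as session salt was either empty or expired..");
                ePerson.setSessionSalt(generateRandomKey());
                this.ePersonService.update(context, ePerson);
            }
        } catch (AuthorizeException e) {
            log.warn("Not authorized to update the session salt of the current user", e);
            ePerson = null;
        }
        return ePerson;
    }

    /** @return 24 bytes from a secure random generator, Base64-encoded (32 characters) */
    private String generateRandomKey() {
        return Base64.encodeBase64String(KeyGenerators.secureRandom(24).generateKey());
    }
}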
