package org.imixs.jwt.jaspic;

import java.io.IOException;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.json.Json;
import javax.json.JsonArray;
import javax.json.JsonException;
import javax.json.JsonObject;
import javax.json.JsonReader;
import javax.json.stream.JsonParsingException;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.message.AuthException;
import javax.security.auth.message.AuthStatus;
import javax.security.auth.message.MessageInfo;
import javax.security.auth.message.MessagePolicy;
import javax.security.auth.message.callback.CallerPrincipalCallback;
import javax.security.auth.message.callback.GroupPrincipalCallback;
import javax.security.auth.message.config.ServerAuthContext;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.imixs.jwt.HMAC;
import org.imixs.jwt.JWSAlgorithm;
import org.imixs.jwt.JWTException;
import org.imixs.jwt.JWTParser;

/* loaded from: input_file:org/imixs/jwt/jaspic/JWTAuthModule.class */
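/**
 * JASPIC {@link ServerAuthModule} that authenticates an HTTP request with a JSON Web Token (JWS).
 *
 * <p>The token is taken from the query parameter {@code jwt}, verified with the HMAC secret configured
 * as module option {@code secret}, and its payload together with the {@code sub} and {@code groups}
 * claims is cached in the HTTP session, so later requests of the same session are authenticated
 * without carrying the token again. {@link #cleanSubject} removes that cached state.
 *
 * <p>A token in the URL can show up in server, proxy and browser logs outside this module's control;
 * the module itself therefore never writes the raw token or the configured secret to its log.
 */
public class JWTAuthModule implements ServerAuthModule, ServerAuthContext {
    protected static final Class[] supportedMessageTypes = {HttpServletRequest.class, HttpServletResponse.class};
    protected Map options;
    protected CallbackHandler handler;
    protected MessagePolicy requestPolicy;
    protected MessagePolicy responsePolicy;
    /** Key in the {@link MessageInfo} map under which the container reports whether authentication is required. */
    private static final String IS_MANDATORY_INFO_KEY = "javax.security.auth.message.MessagePolicy.isMandatory";
    /** Key in the {@link MessageInfo} map that reports the auth type back to the servlet container. */
    private static final String AUTH_TYPE_INFO_KEY = "javax.servlet.http.authType";
    /** Name of the query parameter that carries the token. */
    private static final String QUERY_PARAM_SESSION = "jwt";
    /** Module option holding the shared HMAC secret used to verify tokens. */
    private static final String MODULE_OPTION_SECRET = "secret";
    /** Session attribute: the {@code sub} claim of the verified token. */
    protected static final String JWT_SUBJECT = "imixs.jwt.sub";
    /** Session attribute: the {@code groups} claim of the verified token as a {@code String[]}. */
    protected static final String JWT_GROUPS = "imixs.jwt.groups";
    /** Session attribute: the raw JSON payload of the verified token. */
    protected static final String JWT_PAYLOAD = "imixs.jwt.payload";
    protected final Logger logger = Logger.getLogger(JWTAuthModule.class.getName());

    /**
     * Stores the policies, callback handler and module options handed over by the container.
     *
     * @param messagePolicy request policy
     * @param messagePolicy2 response policy
     * @param callbackHandler handler used to establish the caller principal and groups
     * @param map module options; expected to contain the {@code secret} option
     * @throws AuthException never thrown by this implementation
     */
    public void initialize(MessagePolicy messagePolicy, MessagePolicy messagePolicy2, CallbackHandler callbackHandler, Map map) throws AuthException {
        this.logger.fine("initialize....");
        this.requestPolicy = messagePolicy;
        this.responsePolicy = messagePolicy2;
        this.handler = callbackHandler;
        this.options = map;
        if (map == null || !map.containsKey(MODULE_OPTION_SECRET)) {
            this.logger.warning("Missing module-option - option 'secret' was not found!");
        } else {
            // Log only the option names: the map holds the HMAC secret.
            this.logger.fine("options=" + map.keySet());
        }
    }

    /**
     * Authenticates the request from a {@code jwt} query parameter or from the payload cached in the session.
     *
     * <p>A token in the query string is always consumed (and cached) first. If the container marks the
     * request as not mandatory the result is {@link AuthStatus#SUCCESS} regardless of the token. Otherwise a
     * missing, invalid or unverifiable token, or a failure to establish the caller principal, clears the
     * session state and yields {@link AuthStatus#FAILURE}.
     *
     * @param messageInfo request/response pair and the container's property map
     * @param subject client subject to populate with the caller principal and groups
     * @param subject2 service subject (unused)
     * @return {@link AuthStatus#SUCCESS} or {@link AuthStatus#FAILURE}
     * @throws AuthException propagated from {@link #cleanSubject}
     */
    public AuthStatus validateRequest(MessageInfo messageInfo, Subject subject, Subject subject2) throws AuthException {
        HttpServletRequest httpServletRequest = (HttpServletRequest) messageInfo.getRequestMessage();
        try {
            String payload = consumeJWTPayload(httpServletRequest, (HttpServletResponse) messageInfo.getResponseMessage());
            if (!isMandatory(messageInfo)) {
                this.logger.finest("request not mandatory");
                return AuthStatus.SUCCESS;
            }
            // consumeJWTPayload stores sub/groups together with the payload, so a non-null payload
            // implies both attributes; the null checks guard against a session touched by other code.
            String caller = (String) httpServletRequest.getSession().getAttribute(JWT_SUBJECT);
            String[] groups = (String[]) httpServletRequest.getSession().getAttribute(JWT_GROUPS);
            if (payload == null || caller == null) {
                this.logger.fine("validateRequest failed!");
                cleanSubject(messageInfo, subject);
                return AuthStatus.FAILURE;
            }
            if (!setCallerPrincipal(caller, subject, groups)) {
                // Without an established principal the request must not be reported as authenticated.
                this.logger.fine("validateRequest failed - caller principal could not be set!");
                cleanSubject(messageInfo, subject);
                return AuthStatus.FAILURE;
            }
            messageInfo.getMap().put(AUTH_TYPE_INFO_KEY, "JWS");
            this.logger.fine("user logged in");
            return AuthStatus.SUCCESS;
        } catch (JWTException e) {
            this.logger.log(Level.SEVERE, e.getMessage(), e);
            cleanSubject(messageInfo, subject);
            return AuthStatus.FAILURE;
        }
    }

    /**
     * Removes the cached token state from the session and all principals from the subject.
     *
     * @param messageInfo request/response pair
     * @param subject subject to clear; nothing happens when {@code null}
     * @throws AuthException never thrown by this implementation
     */
    public void cleanSubject(MessageInfo messageInfo, Subject subject) throws AuthException {
        if (subject == null) {
            return;
        }
        this.logger.fine("clean_subject");
        HttpServletRequest httpServletRequest = (HttpServletRequest) messageInfo.getRequestMessage();
        // Do not create a session just to clear it.
        HttpSession session = httpServletRequest.getSession(false);
        if (session != null) {
            session.removeAttribute(JWT_PAYLOAD);
            session.removeAttribute(JWT_SUBJECT);
            session.removeAttribute(JWT_GROUPS);
        }
        subject.getPrincipals().clear();
        this.logger.fine("user logged out");
    }

    /**
     * No response processing is performed.
     *
     * @return always {@link AuthStatus#SEND_SUCCESS}
     */
    public AuthStatus secureResponse(MessageInfo messageInfo, Subject subject) throws AuthException {
        return AuthStatus.SEND_SUCCESS;
    }

    /** @return the servlet request/response message types handled by this module */
    public Class[] getSupportedMessageTypes() {
        return supportedMessageTypes;
    }

    /**
     * Reads the mandatory flag the container places in the {@link MessageInfo} map.
     *
     * @return {@code true} only if the flag is present and parses as {@code true}
     */
    private static boolean isMandatory(MessageInfo messageInfo) {
        Object flag = messageInfo.getMap().get(IS_MANDATORY_INFO_KEY);
        return flag != null && Boolean.parseBoolean(flag.toString());
    }

    /**
     * Returns the raw value of the first parameter named {@code name} in a query string.
     *
     * <p>Only whole parameter names match (at the start of the string or after {@code &}), so a parameter
     * such as {@code xjwt} is not mistaken for {@code jwt}. The value is returned as it appears in the URL
     * without percent-decoding; a compact JWS is base64url encoded and needs none.
     *
     * @param queryString the request's query string, may be {@code null}
     * @param name parameter name
     * @return the value (possibly empty), or {@code null} if the parameter is absent
     */
    static String extractQueryParam(String queryString, String name) {
        if (queryString == null || queryString.isEmpty()) {
            return null;
        }
        String prefix = name + "=";
        for (String pair : queryString.split("&")) {
            if (pair.startsWith(prefix)) {
                return pair.substring(prefix.length());
            }
        }
        return null;
    }

    /**
     * Resolves the JWT payload for the current request.
     *
     * <p>If the query string carries a {@code jwt} parameter the token is verified with the configured
     * secret, its payload is parsed and {@code sub}/{@code groups} are stored in the session. Otherwise the
     * payload cached in the session (if any) is returned.
     *
     * @param httpServletRequest current request
     * @param httpServletResponse current response (unused)
     * @return the JSON payload of the token, or {@code null} if no token is present, no secret is
     *         configured, or the payload is not a JSON object with a string {@code sub} and an array of
     *         strings {@code groups}
     * @throws JWTException if {@link JWTParser#verify()} rejects the token
     */
    private String consumeJWTPayload(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws JWTException {
        this.logger.fine("consume JWT Payload....");
        HttpSession session = httpServletRequest.getSession();
        String token = extractQueryParam(httpServletRequest.getQueryString(), QUERY_PARAM_SESSION);
        if (token == null) {
            String cachedPayload = (String) session.getAttribute(JWT_PAYLOAD);
            if (cachedPayload != null) {
                this.logger.fine("get payload from current session");
            }
            return cachedPayload;
        }
        this.logger.fine("parsing query param jwt....");
        // The token is a bearer credential: log its presence and size, never its value.
        this.logger.fine("jwt token found (length=" + token.length() + ")");
        Object secret = this.options == null ? null : this.options.get(MODULE_OPTION_SECRET);
        if (secret == null) {
            // initialize() only warned about this; without a key the token cannot be verified, so reject it.
            this.logger.severe("Missing module-option 'secret' - jwt token can not be verified!");
            return null;
        }
        // Fixed charset: the key bytes must not depend on the platform default encoding.
        byte[] keyBytes = secret.toString().getBytes(StandardCharsets.UTF_8);
        String payload = new JWTParser()
                .setKey(HMAC.createKey(JWSAlgorithm.JDK_HS256, keyBytes))
                .setToken(token)
                .verify()
                .getPayload();
        this.logger.fine("payload=" + payload);
        try (JsonReader jsonReader = Json.createReader(new StringReader(payload))) {
            JsonObject claims = jsonReader.readObject();
            // getString(name, default) yields the default for a missing or non-string claim; getJsonArray
            // returns null for a missing claim and throws ClassCastException for a non-array one.
            String sub = claims.getString("sub", null);
            JsonArray groupArray = claims.getJsonArray("groups");
            if (sub == null || groupArray == null) {
                this.logger.severe("invalid payload=" + payload);
                this.logger.severe("JSON payload must contain a string 'sub' and an array 'groups'");
                return null;
            }
            String[] groups = new String[groupArray.size()];
            for (int i = 0; i < groups.length; i++) {
                groups[i] = groupArray.getString(i);
            }
            // Only publish to the session once every claim has been validated, so a rejected token never
            // leaves partial state (e.g. a subject without groups) behind.
            session.setAttribute(JWT_PAYLOAD, payload);
            session.setAttribute(JWT_SUBJECT, sub);
            session.setAttribute(JWT_GROUPS, groups);
            this.logger.fine("sub=" + sub);
            this.logger.fine("groups=" + Arrays.toString(groups));
            return payload;
        } catch (JsonException | ClassCastException e) {
            this.logger.severe("invalid payload=" + payload);
            this.logger.severe("JSON object or array cannot be created due to incorrect representation: " + e.getMessage());
            return null;
        }
    }

    /**
     * Establishes the caller principal and, if a caller is known, its groups via the callback handler.
     *
     * @param callerName name of the authenticated user
     * @param subject subject the principal is attached to
     * @param groups group names to assign; may be {@code null}
     * @return {@code true} if the handler accepted the callbacks, {@code false} if it failed
     */
    private boolean setCallerPrincipal(String callerName, Subject subject, String[] groups) {
        CallerPrincipalCallback callerCallback = new CallerPrincipalCallback(subject, callerName);
        boolean hasCaller = callerCallback.getName() != null || callerCallback.getPrincipal() != null;
        // Groups are only meaningful for an identified caller.
        Callback[] callbacks = hasCaller
                ? new Callback[]{callerCallback, new GroupPrincipalCallback(callerCallback.getSubject(), groups)}
                : new Callback[]{callerCallback};
        try {
            this.handler.handle(callbacks);
            this.logger.fine("AuthModule: caller_principal:" + callerCallback.getName() + " " + callerCallback.getPrincipal());
            this.logger.fine("AuthModule: assigned_Groups:" + Arrays.toString(groups));
            return true;
        } catch (IOException | UnsupportedCallbackException e) {
            this.logger.log(Level.WARNING, "jmac.failed_to_set_caller", e);
            return false;
        }
    }
}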
