package org.opencastproject.security.jwt;

import com.auth0.jwk.JwkException;
import com.auth0.jwt.exceptions.JWTDecodeException;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.DecodedJWT;
import com.google.common.cache.Cache;
import com.google.common.cache.CacheBuilder;
import java.nio.charset.StandardCharsets;
import java.util.Date;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import org.apache.commons.lang3.StringUtils;
import org.opencastproject.security.api.Organization;
import org.opencastproject.security.api.SecurityService;
import org.opencastproject.security.api.UserDirectoryService;
import org.opencastproject.security.impl.jpa.JpaOrganization;
import org.opencastproject.security.impl.jpa.JpaRole;
import org.opencastproject.security.impl.jpa.JpaUserReference;
import org.opencastproject.userdirectory.api.UserReferenceProvider;
import org.osgi.service.component.annotations.Reference;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.util.Assert;

/* loaded from: input_file:org/opencastproject/security/jwt/DynamicLoginHandler.class */
public class DynamicLoginHandler implements InitializingBean, JWTLoginHandler {
    private static final Logger logger = LoggerFactory.getLogger(DynamicLoginHandler.class);
    private GuavaCachedUrlJwkProvider jwkProvider;
    private Cache<String, CachedJWT> cache;
    private UserDetailsService userDetailsService = null;
    private UserDirectoryService userDirectoryService = null;
    private UserReferenceProvider userReferenceProvider = null;
    private SecurityService securityService = null;
    private String jwksUrl = null;
    private int jwksCacheExpiresIn = 1440;
    private String secret = null;
    private List<String> expectedAlgorithms = null;
    private List<String> claimConstraints = null;
    private String usernameMapping = null;
    private String nameMapping = null;
    private String emailMapping = null;
    private List<String> roleMappings = null;
    private int jwtCacheSize = 500;
    private int jwtCacheExpiresIn = 60;

    public void afterPropertiesSet() {
        Assert.notNull(this.userDetailsService, "A UserDetailsService must be set");
        Assert.notNull(this.userDirectoryService, "A UserDirectoryService must be set");
        Assert.notNull(this.userReferenceProvider, "A UserReferenceProvider must be set");
        Assert.notNull(this.securityService, "A SecurityService must be set");
        Assert.isTrue(StringUtils.isNotBlank(this.jwksUrl) ^ StringUtils.isNotBlank(this.secret), "Either a JWKS URL or a secret must be set");
        Assert.notEmpty(this.expectedAlgorithms, "Expected algorithms must be set");
        Assert.notEmpty(this.claimConstraints, "Claim constraints must be set");
        Assert.notNull(this.usernameMapping, "User name mapping must be set");
        Assert.notNull(this.nameMapping, "Name mapping must be set");
        Assert.notNull(this.emailMapping, "Email mapping must be set");
        Assert.notEmpty(this.roleMappings, "Role mappings must be set");
        if (this.jwksUrl != null) {
            this.jwkProvider = new GuavaCachedUrlJwkProvider(this.jwksUrl, this.jwksCacheExpiresIn, TimeUnit.MINUTES);
        }
        this.userReferenceProvider.setRoleProvider(new JWTRoleProvider(this.securityService, this.userReferenceProvider));
        this.cache = CacheBuilder.newBuilder().maximumSize(this.jwtCacheSize).expireAfterWrite(this.jwtCacheExpiresIn, TimeUnit.MINUTES).build();
    }

    @Override // org.opencastproject.security.jwt.JWTLoginHandler
    public String handleToken(String str) {
        try {
            String extractSignature = extractSignature(str);
            CachedJWT cachedJWT = (CachedJWT) this.cache.getIfPresent(extractSignature);
            if (cachedJWT != null) {
                if (cachedJWT.hasExpired()) {
                    this.cache.invalidate(extractSignature);
                    throw new JWTVerificationException("JWT token is not valid anymore");
                }
                logger.debug("Using decoded and validated JWT from cache");
                return cachedJWT.getUsername();
            }
            DecodedJWT decodeAndValidate = decodeAndValidate(str);
            String extractUsername = extractUsername(decodeAndValidate);
            try {
                if (this.userDetailsService.loadUserByUsername(extractUsername) != null) {
                    existingUserLogin(extractUsername, decodeAndValidate);
                }
            } catch (UsernameNotFoundException e) {
                newUserLogin(extractUsername, decodeAndValidate);
                this.userDirectoryService.invalidate(extractUsername);
            }
            this.cache.put(decodeAndValidate.getSignature(), new CachedJWT(decodeAndValidate, extractUsername));
            return extractUsername;
        } catch (JwkException | JWTVerificationException e2) {
            logger.error(e2.getMessage());
            return null;
        }
    }

    private DecodedJWT decodeAndValidate(String str) throws JwkException {
        DecodedJWT verify = this.jwksUrl != null ? JWTVerifier.verify(str, this.jwkProvider, this.claimConstraints) : JWTVerifier.verify(str, this.secret, this.claimConstraints);
        if (this.expectedAlgorithms.contains(verify.getAlgorithm())) {
            return verify;
        }
        throw new JWTVerificationException("JWT token was signed with an unexpected algorithm '" + verify.getAlgorithm() + "'");
    }

    private String extractSignature(String str) {
        String[] split = str.split("\\.");
        if (split.length != 3) {
            throw new JWTDecodeException("Given token is not in a valid JWT format");
        }
        return split[2];
    }

    private String extractUsername(DecodedJWT decodedJWT) {
        String evaluateMapping = evaluateMapping(decodedJWT, this.usernameMapping, false);
        Assert.isTrue(StringUtils.isNotBlank(evaluateMapping), "Extracted username is blank");
        return evaluateMapping;
    }

    private String extractName(DecodedJWT decodedJWT) {
        String evaluateMapping = evaluateMapping(decodedJWT, this.nameMapping, true);
        Assert.isTrue(StringUtils.isNotBlank(evaluateMapping), "Extracted name is blank");
        return evaluateMapping;
    }

    private String extractEmail(DecodedJWT decodedJWT) {
        String evaluateMapping = evaluateMapping(decodedJWT, this.emailMapping, true);
        Assert.isTrue(StringUtils.isNotBlank(evaluateMapping), "Extracted email is blank");
        return evaluateMapping;
    }

    private Set<JpaRole> extractRoles(DecodedJWT decodedJWT) {
        JpaOrganization fromOrganization = fromOrganization(this.securityService.getOrganization());
        HashSet hashSet = new HashSet();
        Iterator<String> it = this.roleMappings.iterator();
        while (it.hasNext()) {
            String evaluateMapping = evaluateMapping(decodedJWT, it.next(), false);
            if (StringUtils.isNotBlank(evaluateMapping)) {
                hashSet.add(new JpaRole(evaluateMapping, fromOrganization));
            }
        }
        Assert.notEmpty(hashSet, "No roles could be extracted");
        return hashSet;
    }

    private String evaluateMapping(DecodedJWT decodedJWT, String str, boolean z) {
        String str2 = (String) new SpelExpressionParser().parseExpression(str).getValue(decodedJWT.getClaims(), String.class);
        if (z) {
            str2 = new String(str2.getBytes(StandardCharsets.ISO_8859_1), StandardCharsets.UTF_8);
        }
        return str2;
    }

    public void newUserLogin(String str, DecodedJWT decodedJWT) {
        JpaUserReference jpaUserReference = new JpaUserReference(str, extractName(decodedJWT), extractEmail(decodedJWT), JWTLoginHandler.MECH_JWT, new Date(), fromOrganization(this.securityService.getOrganization()), extractRoles(decodedJWT));
        logger.debug("JWT user '{}' logged in for the first time", str);
        this.userReferenceProvider.addUserReference(jpaUserReference, JWTLoginHandler.MECH_JWT);
    }

    public void existingUserLogin(String str, DecodedJWT decodedJWT) {
        JpaUserReference findUserReference = this.userReferenceProvider.findUserReference(str, this.securityService.getOrganization().getId());
        if (findUserReference == null) {
            throw new UsernameNotFoundException("User reference '" + str + "' was not found");
        }
        findUserReference.setName(extractName(decodedJWT));
        findUserReference.setEmail(extractEmail(decodedJWT));
        findUserReference.setLastLogin(new Date());
        findUserReference.setRoles(extractRoles(decodedJWT));
        logger.debug("JWT user '{}' logged in", str);
        this.userReferenceProvider.updateUserReference(findUserReference);
    }

    private JpaOrganization fromOrganization(Organization organization) {
        return organization instanceof JpaOrganization ? (JpaOrganization) organization : new JpaOrganization(organization.getId(), organization.getName(), organization.getServers(), organization.getAdminRole(), organization.getAnonymousRole(), organization.getProperties());
    }

    @Reference
    public void setUserDetailsService(UserDetailsService userDetailsService) {
        this.userDetailsService = userDetailsService;
    }

    @Reference
    public void setUserDirectoryService(UserDirectoryService userDirectoryService) {
        this.userDirectoryService = userDirectoryService;
    }

    @Reference
    public void setSecurityService(SecurityService securityService) {
        this.securityService = securityService;
    }

    @Reference
    public void setUserReferenceProvider(UserReferenceProvider userReferenceProvider) {
        this.userReferenceProvider = userReferenceProvider;
    }

    public void setJwksUrl(String str) {
        this.jwksUrl = str;
    }

    public void setJwksCacheExpiresIn(int i) {
        this.jwksCacheExpiresIn = i;
    }

    public void setSecret(String str) {
        this.secret = str;
    }

    public void setExpectedAlgorithms(List<String> list) {
        this.expectedAlgorithms = list;
    }

    public void setClaimConstraints(List<String> list) {
        this.claimConstraints = list;
    }

    public void setUsernameMapping(String str) {
        this.usernameMapping = str;
    }

    public void setNameMapping(String str) {
        this.nameMapping = str;
    }

    public void setEmailMapping(String str) {
        this.emailMapping = str;
    }

    public void setRoleMappings(List<String> list) {
        this.roleMappings = list;
    }

    public void setJwtCacheSize(int i) {
        this.jwtCacheSize = i;
    }

    public void setJwtCacheExpiresIn(int i) {
        this.jwtCacheExpiresIn = i;
    }
}
