package org.restheart.security.plugins.mechanisms;

import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTDecodeException;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.Claim;
import com.auth0.jwt.interfaces.DecodedJWT;
import com.auth0.jwt.interfaces.Verification;
import io.undertow.security.api.AuthenticationMechanism;
import io.undertow.security.api.SecurityContext;
import io.undertow.server.HttpServerExchange;
import io.undertow.util.HeaderValues;
import java.io.ByteArrayInputStream;
import java.io.UnsupportedEncodingException;
import java.nio.charset.Charset;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Base64;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.function.Consumer;
import org.apache.commons.codec.binary.StringUtils;
import org.restheart.ConfigurationException;
import org.restheart.exchange.Request;
import org.restheart.idm.JwtAccount;
import org.restheart.plugins.ConfigurablePlugin;
import org.restheart.plugins.ConsumingPlugin;
import org.restheart.plugins.InjectConfiguration;
import org.restheart.plugins.RegisterPlugin;
import org.restheart.plugins.security.AuthMechanism;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@RegisterPlugin(name = "jwtAuthenticationMechanism", description = "handle JSON Web Token authentication")
/* loaded from: input_file:org/restheart/security/plugins/mechanisms/JwtAuthenticationMechanism.class */
public class JwtAuthenticationMechanism implements AuthMechanism, ConsumingPlugin<DecodedJWT> {
    private static final Logger LOGGER = LoggerFactory.getLogger(JwtAuthenticationMechanism.class);
    public static final String JWT_AUTH_HEADER_PREFIX = "Bearer ";
    private JWTVerifier jwtVerifier;
    private Consumer<DecodedJWT> extraJwtVerifier = null;
    private boolean base64Encoded;
    private String algorithm;
    private String key;
    private String usernameClaim;
    private String rolesClaim;
    private List<String> fixedRoles;
    private String issuer;
    private String audience;

    @InjectConfiguration
    public void init(Map<String, Object> map) throws ConfigurationException {
        this.base64Encoded = ((Boolean) ConfigurablePlugin.argValue(map, "base64Encoded")).booleanValue();
        this.algorithm = (String) ConfigurablePlugin.argValue(map, "algorithm");
        this.key = (String) ConfigurablePlugin.argValue(map, "key");
        this.usernameClaim = (String) ConfigurablePlugin.argValue(map, "usernameClaim");
        this.rolesClaim = (String) ConfigurablePlugin.argValue(map, "rolesClaim");
        this.fixedRoles = (List) ConfigurablePlugin.argValue(map, "fixedRoles");
        this.issuer = (String) ConfigurablePlugin.argValue(map, "issuer");
        this.audience = (String) ConfigurablePlugin.argValue(map, "audience");
        try {
            Verification require = JWT.require(getAlgorithm(this.algorithm, this.key));
            if (this.audience != null) {
                require.withAudience(new String[]{this.audience});
            }
            if (this.issuer != null) {
                require.withIssuer(new String[]{this.issuer});
            }
            if (this.rolesClaim != null && this.fixedRoles != null) {
                throw new ConfigurationException("wrong JWT configuration, cannot set both 'rolesClaim' and 'fixedRoles'");
            }
            if (this.rolesClaim == null && this.fixedRoles == null) {
                throw new ConfigurationException("wrong JWT configuration, need to set either 'rolesClaim' or 'fixedRoles'");
            }
            this.jwtVerifier = require.build();
        } catch (UnsupportedEncodingException | CertificateException e) {
            throw new ConfigurationException("wrong JWT configuration, cannot setup algorithm", e);
        }
    }

    public AuthenticationMechanism.AuthenticationMechanismOutcome authenticate(HttpServerExchange httpServerExchange, SecurityContext securityContext) {
        try {
            String token = getToken(httpServerExchange);
            if (token == null) {
                return AuthenticationMechanism.AuthenticationMechanismOutcome.NOT_ATTEMPTED;
            }
            if (this.base64Encoded) {
                token = StringUtils.newStringUtf8(Base64.getUrlDecoder().decode(token));
            }
            DecodedJWT verify = this.jwtVerifier.verify(token);
            String asString = verify.getClaim(this.usernameClaim).asString();
            if (asString == null) {
                LOGGER.debug("username not specified with claim {}", this.usernameClaim);
                securityContext.authenticationFailed("JwtAuthenticationManager", "username not specified");
                return AuthenticationMechanism.AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
            }
            LinkedHashSet linkedHashSet = new LinkedHashSet();
            if (this.rolesClaim != null) {
                Claim claim = verify.getClaim(this.rolesClaim);
                if (claim != null && !claim.isNull()) {
                    try {
                        String[] strArr = (String[]) claim.asArray(String.class);
                        if (strArr == null) {
                            LOGGER.debug("roles is not an array: {}", claim.asString());
                            return AuthenticationMechanism.AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
                        }
                        for (String str : strArr) {
                            linkedHashSet.add(str);
                        }
                    } catch (JWTDecodeException e) {
                        LOGGER.warn("Jwt cannot get roles from claim {}, extepected an array of strings: {}", this.rolesClaim, claim.toString());
                    }
                }
            } else if (this.fixedRoles != null) {
                linkedHashSet.addAll(this.fixedRoles);
            }
            if (this.extraJwtVerifier != null) {
                this.extraJwtVerifier.accept(verify);
            }
            String str2 = new String(Base64.getUrlDecoder().decode(verify.getPayload()), Charset.forName("UTF-8"));
            securityContext.authenticationComplete(new JwtAccount(asString, linkedHashSet, str2), "JwtAuthenticationManager", false);
            Request.of(httpServerExchange).addXForwardedHeader("Jwt-Payload", str2);
            return AuthenticationMechanism.AuthenticationMechanismOutcome.AUTHENTICATED;
        } catch (JWTVerificationException e2) {
            LOGGER.debug("Jwt not verified: {}", e2.getMessage());
            return AuthenticationMechanism.AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
        }
    }

    public AuthenticationMechanism.ChallengeResult sendChallenge(HttpServerExchange httpServerExchange, SecurityContext securityContext) {
        return new AuthenticationMechanism.ChallengeResult(true, 200);
    }

    public void addConsumer(Consumer<DecodedJWT> consumer) {
        this.extraJwtVerifier = consumer;
    }

    private String getToken(HttpServerExchange httpServerExchange) {
        HeaderValues headerValues = httpServerExchange.getRequestHeaders().get("Authorization");
        if (headerValues == null || headerValues.isEmpty()) {
            return null;
        }
        String first = headerValues.getFirst();
        if (first.startsWith(JWT_AUTH_HEADER_PREFIX)) {
            return first.substring(7);
        }
        return null;
    }

    private Algorithm getAlgorithm(String str, String str2) throws CertificateException, UnsupportedEncodingException {
        if (str == null || str2 == null) {
            throw new IllegalArgumentException("algorithm and key are required.");
        }
        if (str.startsWith("HMAC") || str.startsWith("HS")) {
            return getHMAC(str, str2.getBytes("UTF-8"));
        }
        if (str.startsWith("RS")) {
            return getRSA(str, str2);
        }
        throw new IllegalArgumentException("unknown algorithm " + str);
    }

    private Algorithm getHMAC(String str, byte[] bArr) throws IllegalArgumentException {
        if ("HMAC256".equals(str) || "HS256".equals(str)) {
            return Algorithm.HMAC256(bArr);
        }
        if ("HMAC384".equals(str) || "HS384".equals(str)) {
            return Algorithm.HMAC384(bArr);
        }
        if ("HMAC512".equals(str) || "HS512".equals(str)) {
            return Algorithm.HMAC512(bArr);
        }
        throw new IllegalArgumentException("unknown HMAC algorithm " + str);
    }

    private Algorithm getRSA(String str, String str2) throws IllegalArgumentException, CertificateException {
        RSAPublicKey rSAPublicKey = getRSAPublicKey(str2);
        if ("RSA256".equals(str) || "RS256".equals(str)) {
            return Algorithm.RSA256(rSAPublicKey, (RSAPrivateKey) null);
        }
        if ("RSA384".equals(str) || "RS384".equals(str)) {
            return Algorithm.RSA384(rSAPublicKey, (RSAPrivateKey) null);
        }
        if ("RSA512".equals(str) || "RS512".equals(str)) {
            return Algorithm.RSA512(rSAPublicKey, (RSAPrivateKey) null);
        }
        throw new IllegalArgumentException("unknown HMAC algorithm " + str);
    }

    private RSAPublicKey getRSAPublicKey(String str) throws CertificateException {
        return (RSAPublicKey) ((X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(Base64.getDecoder().decode(str)))).getPublicKey();
    }
}
