package org.restheart.security.mechanisms;

import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.JWTDecodeException;
import com.auth0.jwt.exceptions.JWTVerificationException;
import com.auth0.jwt.interfaces.Claim;
import com.auth0.jwt.interfaces.DecodedJWT;
import com.auth0.jwt.interfaces.Verification;
import io.undertow.security.api.AuthenticationMechanism;
import io.undertow.security.api.SecurityContext;
import io.undertow.server.HttpServerExchange;
import io.undertow.util.HeaderValues;
import java.io.ByteArrayInputStream;
import java.io.UnsupportedEncodingException;
import java.nio.charset.Charset;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Base64;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.function.Consumer;
import org.apache.commons.codec.binary.StringUtils;
import org.restheart.configuration.ConfigurationException;
import org.restheart.exchange.Request;
import org.restheart.plugins.ConsumingPlugin;
import org.restheart.plugins.Inject;
import org.restheart.plugins.OnInit;
import org.restheart.plugins.RegisterPlugin;
import org.restheart.plugins.security.AuthMechanism;
import org.restheart.security.JwtAccount;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@RegisterPlugin(name = "jwtAuthenticationMechanism", description = "handle JSON Web Token authentication", enabledByDefault = false)
/* loaded from: input_file:org/restheart/security/mechanisms/JwtAuthenticationMechanism.class */
public class JwtAuthenticationMechanism implements AuthMechanism, ConsumingPlugin<DecodedJWT> {
    private static final Logger LOGGER = LoggerFactory.getLogger(JwtAuthenticationMechanism.class);
    public static final String JWT_AUTH_HEADER_PREFIX = "Bearer ";
    private JWTVerifier jwtVerifier;
    private Consumer<DecodedJWT> extraJwtVerifier = null;
    private boolean base64Encoded;
    private String algorithm;
    private String key;
    private String usernameClaim;
    private String rolesClaim;
    private List<String> fixedRoles;
    private String issuer;
    private List<String> audience;

    @Inject("config")
    private Map<String, Object> config;

    @OnInit
    public void init() throws ConfigurationException {
        this.base64Encoded = ((Boolean) arg(this.config, "base64Encoded")).booleanValue();
        this.algorithm = (String) arg(this.config, "algorithm");
        this.key = (String) arg(this.config, "key");
        if ("secret".equals(this.key)) {
            LOGGER.warn("You should really update the JWT key!");
        }
        this.usernameClaim = (String) arg(this.config, "usernameClaim");
        this.rolesClaim = (String) argOrDefault(this.config, "rolesClaim", null);
        this.fixedRoles = (List) argOrDefault(this.config, "fixedRoles", null);
        this.issuer = (String) argOrDefault(this.config, "issuer", null);
        Object argOrDefault = argOrDefault(this.config, "audience", null);
        this.audience = new ArrayList();
        if (argOrDefault == null) {
            this.audience = null;
        } else if (argOrDefault instanceof String) {
            this.audience = new ArrayList();
            this.audience.add((String) argOrDefault);
        } else {
            if (!(argOrDefault instanceof List)) {
                throw new ConfigurationException("Wrong audience, must be a String or an Array of Strings");
            }
            this.audience = new ArrayList();
            ((List) argOrDefault).stream().filter(obj -> {
                return obj instanceof String;
            }).map(obj2 -> {
                return (String) obj2;
            }).forEach(str -> {
                this.audience.add(str);
            });
        }
        try {
            Verification require = JWT.require(getAlgorithm(this.algorithm, this.key));
            if (this.audience != null && !this.audience.isEmpty()) {
                require = require.withAudience((String[]) this.audience.toArray(i -> {
                    return new String[i];
                }));
            }
            if (this.issuer != null) {
                require = require.withIssuer(this.issuer);
            }
            if (this.rolesClaim == null && this.fixedRoles == null) {
                throw new ConfigurationException("wrong JWT configuration, need to set at least one of 'rolesClaim' or 'fixedRoles'");
            }
            this.jwtVerifier = require.build();
        } catch (UnsupportedEncodingException | CertificateException e) {
            throw new ConfigurationException("wrong JWT configuration, cannot setup algorithm", e);
        }
    }

    public AuthenticationMechanism.AuthenticationMechanismOutcome authenticate(HttpServerExchange httpServerExchange, SecurityContext securityContext) {
        Claim claim;
        try {
            String token = getToken(httpServerExchange);
            if (token == null) {
                return AuthenticationMechanism.AuthenticationMechanismOutcome.NOT_ATTEMPTED;
            }
            if (this.base64Encoded) {
                token = StringUtils.newStringUtf8(Base64.getUrlDecoder().decode(token));
            }
            DecodedJWT verify = this.jwtVerifier.verify(token);
            String asString = verify.getClaim(this.usernameClaim).asString();
            if (asString == null) {
                LOGGER.debug("username not specified with claim {}", this.usernameClaim);
                securityContext.authenticationFailed("JwtAuthenticationManager", "username not specified");
                return AuthenticationMechanism.AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
            }
            LinkedHashSet linkedHashSet = new LinkedHashSet();
            if (this.rolesClaim != null && (claim = verify.getClaim(this.rolesClaim)) != null && !claim.isNull()) {
                try {
                    String[] strArr = (String[]) claim.asArray(String.class);
                    if (strArr == null) {
                        LOGGER.debug("roles is not an array: {}", claim.asString());
                        return AuthenticationMechanism.AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
                    }
                    linkedHashSet.addAll(Arrays.asList(strArr));
                } catch (JWTDecodeException e) {
                    LOGGER.warn("Jwt cannot get roles from claim {}, extepected an array of strings: {}", this.rolesClaim, claim.toString());
                }
            }
            if (this.fixedRoles != null) {
                linkedHashSet.addAll(this.fixedRoles);
            }
            if (this.extraJwtVerifier != null) {
                this.extraJwtVerifier.accept(verify);
            }
            String str = new String(Base64.getUrlDecoder().decode(verify.getPayload()), Charset.forName("UTF-8"));
            securityContext.authenticationComplete(new JwtAccount(asString, linkedHashSet, str), "JwtAuthenticationManager", false);
            Request.of(httpServerExchange).addXForwardedHeader("Jwt-Payload", str);
            return AuthenticationMechanism.AuthenticationMechanismOutcome.AUTHENTICATED;
        } catch (JWTVerificationException e2) {
            LOGGER.debug("Jwt not verified: {}", e2.getMessage());
            return AuthenticationMechanism.AuthenticationMechanismOutcome.NOT_AUTHENTICATED;
        }
    }

    public AuthenticationMechanism.ChallengeResult sendChallenge(HttpServerExchange httpServerExchange, SecurityContext securityContext) {
        return new AuthenticationMechanism.ChallengeResult(true, 200);
    }

    public void addConsumer(Consumer<DecodedJWT> consumer) {
        this.extraJwtVerifier = consumer;
    }

    private String getToken(HttpServerExchange httpServerExchange) {
        HeaderValues headerValues = httpServerExchange.getRequestHeaders().get("Authorization");
        if (headerValues == null || headerValues.isEmpty()) {
            return null;
        }
        String first = headerValues.getFirst();
        if (first.startsWith(JWT_AUTH_HEADER_PREFIX)) {
            return first.substring(7);
        }
        return null;
    }

    private Algorithm getAlgorithm(String str, String str2) throws CertificateException, UnsupportedEncodingException {
        if (str == null || str2 == null) {
            throw new IllegalArgumentException("algorithm and key are required.");
        }
        if (str.startsWith("HMAC") || str.startsWith("HS")) {
            return getHMAC(str, str2.getBytes("UTF-8"));
        }
        if (str.startsWith("RS")) {
            return getRSA(str, str2);
        }
        throw new IllegalArgumentException("unknown algorithm " + str);
    }

    private Algorithm getHMAC(String str, byte[] bArr) throws IllegalArgumentException {
        boolean z = -1;
        switch (str.hashCode()) {
            case 69015912:
                if (str.equals("HS256")) {
                    z = true;
                    break;
                }
                break;
            case 69016964:
                if (str.equals("HS384")) {
                    z = 3;
                    break;
                }
                break;
            case 69018667:
                if (str.equals("HS512")) {
                    z = 5;
                    break;
                }
                break;
            case 1742274828:
                if (str.equals("HMAC256")) {
                    z = false;
                    break;
                }
                break;
            case 1742275880:
                if (str.equals("HMAC384")) {
                    z = 2;
                    break;
                }
                break;
            case 1742277583:
                if (str.equals("HMAC512")) {
                    z = 4;
                    break;
                }
                break;
        }
        switch (z) {
            case false:
            case true:
                return Algorithm.HMAC256(bArr);
            case true:
            case true:
                return Algorithm.HMAC384(bArr);
            case true:
            case true:
                return Algorithm.HMAC512(bArr);
            default:
                throw new IllegalArgumentException("unknown HMAC algorithm " + str);
        }
    }

    private Algorithm getRSA(String str, String str2) throws IllegalArgumentException, CertificateException {
        RSAPublicKey rSAPublicKey = getRSAPublicKey(str2);
        boolean z = -1;
        switch (str.hashCode()) {
            case -1868738509:
                if (str.equals("RSA256")) {
                    z = false;
                    break;
                }
                break;
            case -1868737457:
                if (str.equals("RSA384")) {
                    z = 2;
                    break;
                }
                break;
            case -1868735754:
                if (str.equals("RSA512")) {
                    z = 4;
                    break;
                }
                break;
            case 78251122:
                if (str.equals("RS256")) {
                    z = true;
                    break;
                }
                break;
            case 78252174:
                if (str.equals("RS384")) {
                    z = 3;
                    break;
                }
                break;
            case 78253877:
                if (str.equals("RS512")) {
                    z = 5;
                    break;
                }
                break;
        }
        switch (z) {
            case false:
            case true:
                return Algorithm.RSA256(rSAPublicKey, (RSAPrivateKey) null);
            case true:
            case true:
                return Algorithm.RSA384(rSAPublicKey, (RSAPrivateKey) null);
            case true:
            case true:
                return Algorithm.RSA512(rSAPublicKey, (RSAPrivateKey) null);
            default:
                throw new IllegalArgumentException("unknown HMAC algorithm " + str);
        }
    }

    private RSAPublicKey getRSAPublicKey(String str) throws CertificateException {
        return (RSAPublicKey) ((X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(Base64.getDecoder().decode(str)))).getPublicKey();
    }
}
