package org.restheart.security.tokens;

import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTCreator;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.interfaces.DecodedJWT;
import com.google.common.collect.Sets;
import io.undertow.security.idm.Account;
import io.undertow.security.idm.Credential;
import io.undertow.security.idm.PasswordCredential;
import io.undertow.server.HttpServerExchange;
import java.nio.charset.Charset;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalUnit;
import java.util.Arrays;
import java.util.Base64;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import org.restheart.cache.Cache;
import org.restheart.cache.CacheFactory;
import org.restheart.cache.LoadingCache;
import org.restheart.configuration.ConfigurationException;
import org.restheart.configuration.Utils;
import org.restheart.exchange.Request;
import org.restheart.plugins.Inject;
import org.restheart.plugins.OnInit;
import org.restheart.plugins.RegisterPlugin;
import org.restheart.plugins.security.TokenManager;
import org.restheart.security.BaseAccount;
import org.restheart.security.JwtAccount;
import org.restheart.security.PwdCredentialAccount;
import org.restheart.security.WithProperties;
import org.restheart.utils.Pair;
import org.restheart.utils.URLUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@RegisterPlugin(name = "jwtTokenManager", description = "issues and verifies auth tokens in a cluster compatible way", enabledByDefault = false)
/* loaded from: input_file:org/restheart/security/tokens/JwtTokenManager.class */
public class JwtTokenManager implements TokenManager {
    private static final Logger LOGGER = LoggerFactory.getLogger(JwtTokenManager.class);
    private LoadingCache<ComparableAccount, Token> jwtCache;
    private JWTVerifier verifier;
    private Algorithm algo;
    private String[] audience;
    private static final int MAX_CACHE_SIZE = 1000;
    private List<String> accountPropertiesClaims;

    @Inject("config")
    Map<String, Object> config;
    private String srvURI = "/tokens";
    private int ttl = 15;
    private String issuer = "restheart.org";
    private boolean enabled = false;

    @OnInit
    public void init() throws ConfigurationException {
        this.enabled = true;
        this.srvURI = (String) arg(this.config, "srv-uri");
        this.ttl = ((Integer) arg(this.config, "ttl")).intValue();
        if (this.ttl < 1) {
            this.enabled = false;
            throw new ConfigurationException("TTL minimum value is 1 minute");
        }
        if ("secret".equals((String) arg(this.config, "key"))) {
            LOGGER.warn("You should really update the JWT key!");
        }
        this.algo = Algorithm.HMAC256((String) arg(this.config, "key"));
        this.issuer = (String) arg(this.config, "issuer");
        this.jwtCache = CacheFactory.createLocalLoadingCache(1000L, Cache.EXPIRE_POLICY.AFTER_WRITE, ((this.ttl * MAX_CACHE_SIZE) * 60) - 500, comparableAccount -> {
            return newToken(comparableAccount.wrapped);
        });
        this.audience = (String[]) argOrDefault(this.config, "audience", null);
        try {
            this.verifier = this.audience != null ? JWT.require(this.algo).withIssuer(this.issuer).withAudience(this.audience).build() : JWT.require(this.algo).withIssuer(this.issuer).build();
            this.accountPropertiesClaims = (List) argOrDefault(this.config, "account-properties-claims", null);
        } catch (Throwable th) {
            this.enabled = false;
            LOGGER.error("error", th);
            throw new ConfigurationException("error ");
        }
    }

    public Account verify(Account account) {
        if (this.enabled) {
            return account;
        }
        return null;
    }

    public Account verify(String str, Credential credential) {
        if (!this.enabled || str == null || !(credential instanceof PasswordCredential)) {
            return null;
        }
        char[] password = ((PasswordCredential) credential).getPassword();
        ComparableAccount comparableAccount = new ComparableAccount(new BaseAccount(str, (Set) null));
        Optional optional = this.jwtCache.get(comparableAccount);
        if (optional != null && optional.isPresent() && Arrays.equals(password, ((Token) optional.get()).raw())) {
            LOGGER.debug("jwt token in cache");
            Token token = (Token) optional.get();
            return new JwtAccount(str, Sets.newHashSet(token.roles()), new String(Base64.getUrlDecoder().decode(new String(token.raw()).split("\\.")[1]), Charset.forName("UTF-8")));
        }
        LOGGER.trace("jwt token not in cache, let's verify it");
        try {
            DecodedJWT verify = this.verifier.verify(new String(password));
            if (!str.equals(verify.getSubject())) {
                LOGGER.warn("invalid token from user {}, not matching id in token, was {}", str, verify.getSubject());
                return null;
            }
            HashSet newHashSet = Sets.newHashSet((String[]) verify.getClaim("roles").asArray(String.class));
            String str2 = new String(Base64.getUrlDecoder().decode(verify.getPayload()), Charset.forName("UTF-8"));
            this.jwtCache.put(comparableAccount, newToken(comparableAccount.wrapped, verify.getExpiresAt()));
            return new JwtAccount(str, newHashSet, str2);
        } catch (Throwable th) {
            LOGGER.debug("expired or invalid token from user {}, {}", str, th.getMessage());
            return null;
        }
    }

    public Account verify(Credential credential) {
        return null;
    }

    public PasswordCredential get(Account account) {
        if (!this.enabled || account == null || account.getPrincipal() == null || account.getPrincipal().getName() == null) {
            return null;
        }
        return new PwdCredentialAccount(account.getPrincipal().getName(), ((Token) this.jwtCache.getLoading(new ComparableAccount(account)).get()).raw(), Sets.newTreeSet(account.getRoles())).getCredentials();
    }

    private Token newToken(Account account) {
        return newToken(account, Date.from(Instant.now().plus(this.ttl, (TemporalUnit) ChronoUnit.MINUTES)));
    }

    private Token newToken(Account account, Date date) {
        Map<String, ? super Object> map;
        JWTCreator.Builder[] builderArr = {(this.audience != null ? JWT.create().withIssuer(this.issuer).withAudience(this.audience) : JWT.create().withIssuer(this.issuer)).withSubject(account.getPrincipal().getName()).withExpiresAt(date).withIssuer(this.issuer).withArrayClaim("roles", (String[]) account.getRoles().toArray(new String[account.getRoles().size()]))};
        if (account instanceof WithProperties) {
            map = claimsFromAccountProps(((WithProperties) account).propertiesAsMap());
            map.entrySet().stream().forEach(entry -> {
                builderArr[0] = withClaim(builderArr[0], (String) entry.getKey(), entry.getValue());
            });
        } else {
            map = null;
        }
        return new Token(builderArr[0].sign(this.algo).toCharArray(), date, (String[]) account.getRoles().toArray(new String[0]), map);
    }

    private JWTCreator.Builder withClaim(JWTCreator.Builder builder, String str, Object obj) {
        if (str == null || obj == null) {
            return builder;
        }
        if (obj instanceof String) {
            return builder.withClaim(str, (String) obj);
        }
        if (obj instanceof String[]) {
            return builder.withArrayClaim(str, (String[]) obj);
        }
        if (obj instanceof Boolean) {
            return builder.withClaim(str, (Boolean) obj);
        }
        if (obj instanceof Integer) {
            return builder.withClaim(str, (Integer) obj);
        }
        if (obj instanceof Integer[]) {
            return builder.withArrayClaim(str, (Integer[]) obj);
        }
        if (obj instanceof Long) {
            return builder.withClaim(str, (Long) obj);
        }
        if (obj instanceof Long[]) {
            return builder.withArrayClaim(str, (Long[]) obj);
        }
        if (obj instanceof Double) {
            return builder.withClaim(str, (Double) obj);
        }
        if (obj instanceof Date) {
            return builder.withClaim(str, (Date) obj);
        }
        if (obj instanceof Map) {
            try {
                return builder.withClaim(str, (Map) obj);
            } catch (ClassCastException e) {
                LOGGER.warn("cannot add claim {} to jwt because of usupported type", str);
                return builder;
            }
        }
        if (obj instanceof List) {
            return builder.withClaim(str, (List) obj);
        }
        LOGGER.warn("cannot add claim {} to jwt because of usupported type", str, obj.getClass().getSimpleName());
        return builder;
    }

    private Map<String, ? super Object> claimsFromAccountProps(Map<String, ? super Object> map) {
        HashMap hashMap = new HashMap();
        if (this.accountPropertiesClaims != null) {
            this.accountPropertiesClaims.stream().map(str -> {
                return new Pair(keysFromPath(str), Utils.find(map, str, true));
            }).filter(pair -> {
                return pair.getValue() != null;
            }).forEach(pair2 -> {
                addClaim(hashMap, (String[]) pair2.getKey(), pair2.getValue());
            });
        }
        return hashMap;
    }

    private String[] keysFromPath(String str) {
        return (String[]) Arrays.stream(str.contains("/") ? str.split("/") : new String[]{str}).filter(str2 -> {
            return (str2 == null || str2.isBlank()) ? false : true;
        }).toArray(i -> {
            return new String[i];
        });
    }

    private void addClaim(Map<String, Object> map, String[] strArr, Object obj) {
        for (int i = 0; i < strArr.length; i++) {
            if (i != strArr.length - 1) {
                HashMap hashMap = new HashMap();
                map.put(strArr[i], hashMap);
                addClaim(hashMap, (String[]) Arrays.copyOfRange(strArr, i + 1, strArr.length), obj);
                return;
            }
            map.put(strArr[i], obj);
        }
    }

    public void invalidate(Account account) {
        if (this.enabled) {
            this.jwtCache.invalidate(new ComparableAccount(account));
        }
    }

    public void update(Account account) {
        if (this.enabled) {
            ComparableAccount comparableAccount = new ComparableAccount(account);
            this.jwtCache.put(comparableAccount, (Token) this.jwtCache.getLoading(comparableAccount).get());
        }
    }

    public void injectTokenHeaders(HttpServerExchange httpServerExchange, PasswordCredential passwordCredential) {
        if (this.enabled) {
            Request of = Request.of(httpServerExchange);
            if (of.getAuthenticatedAccount() == null || of.getAuthenticatedAccount().getPrincipal() == null || of.getAuthenticatedAccount().getPrincipal().getName() == null) {
                return;
            }
            Account authenticatedAccount = of.getAuthenticatedAccount();
            ComparableAccount comparableAccount = new ComparableAccount(authenticatedAccount);
            httpServerExchange.getResponseHeaders().add(AUTH_TOKEN_LOCATION_HEADER, URLUtils.removeTrailingSlashes(this.srvURI).concat("/").concat(of.getAuthenticatedAccount().getPrincipal().getName()));
            if (httpServerExchange.getQueryParameters().containsKey("renew-auth-token")) {
                Token newToken = newToken(authenticatedAccount);
                this.jwtCache.put(comparableAccount, newToken);
                httpServerExchange.getResponseHeaders().add(AUTH_TOKEN_HEADER, new String(newToken.raw()));
                httpServerExchange.getResponseHeaders().add(AUTH_TOKEN_VALID_HEADER, newToken.getDateAsString());
                return;
            }
            if (this.jwtCache.get(comparableAccount) != null) {
                Token token = (Token) this.jwtCache.get(comparableAccount).get();
                httpServerExchange.getResponseHeaders().add(AUTH_TOKEN_HEADER, new String(token.raw()));
                httpServerExchange.getResponseHeaders().add(AUTH_TOKEN_VALID_HEADER, token.getDateAsString());
            }
        }
    }
}
