package org.frankframework.management.security;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JOSEObjectType;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSSigner;
import com.nimbusds.jose.crypto.ECDSASigner;
import com.nimbusds.jose.jwk.Curve;
import com.nimbusds.jose.jwk.ECKey;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.gen.ECKeyGenerator;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import jakarta.annotation.Nonnull;
import java.time.Instant;
import java.util.Date;
import java.util.List;
import java.util.stream.Collectors;
import lombok.Generated;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.frankframework.util.Environment;
import org.frankframework.util.UUIDUtil;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;

/* loaded from: input_file:org/frankframework/management/security/JwtKeyGenerator.class */
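public class JwtKeyGenerator implements InitializingBean {
    public static final Curve JWT_DEFAULT_CURVE = Curve.P_384;
    public static final JWSAlgorithm JWT_DEFAULT_SIGNING_ALGORITHM = JWSAlgorithm.ES384;

    /** Lifetime of an issued token; tokens are short-lived because the signing key is per-instance (see {@link #afterPropertiesSet()}). */
    private static final long JWT_VALIDITY_SECONDS = 120L;

    private final Logger log = LogManager.getLogger(JwtKeyGenerator.class);
    private JWSSigner signer;
    private String publicJwkSet;
    private JWSHeader jwtHeader;

    /**
     * Generates a fresh EC key pair on the configured curve and prepares the signer, the JWS header and the
     * public JWK set exposed through {@link #getPublicJwkSet()}.
     * <p>
     * The key never leaves this instance and is regenerated on every start, so tokens signed before a restart
     * cannot be verified afterwards and verifiers must fetch the public JWK set from this instance.
     *
     * @throws IllegalStateException when the key pair or private key conversion fails
     */
    @Override
    public void afterPropertiesSet() {
        try {
            // kid is derived from the JWK thumbprint, so verifiers can match the header against the public set.
            ECKey ecKey = new ECKeyGenerator(JWT_DEFAULT_CURVE).keyIDFromThumbprint(true).generate();
            String moduleVersion = Environment.getModuleVersion("iaf-management-gateway");
            this.log.info("initializing JWT KeyGenerator version [{}]", moduleVersion);
            generateJWSHeader(ecKey, moduleVersion);
            this.signer = new ECDSASigner(ecKey.toECPrivateKey(), JWT_DEFAULT_CURVE);
            // Only the public half is published; the private key stays inside the signer.
            this.publicJwkSet = new JWKSet(ecKey.toPublicJWK()).toString();
        } catch (JOSEException e) {
            throw new IllegalStateException("unable to generate JWT header", e);
        }
    }

    /**
     * Builds the fixed JWS header used for every token: algorithm, {@code typ=JWT}, the module version as a
     * custom parameter and the key id of the generated key.
     *
     * @param ecKey         the generated signing key (only its key id is used here)
     * @param moduleVersion value for the custom {@code version} header parameter
     */
    private void generateJWSHeader(ECKey ecKey, String moduleVersion) {
        this.jwtHeader = new JWSHeader.Builder(JWT_DEFAULT_SIGNING_ALGORITHM)
                .type(JOSEObjectType.JWT)
                .customParam("version", moduleVersion)
                .keyID(ecKey.getKeyID())
                .build();
    }

    /**
     * Creates a signed JWT for the {@link Authentication} currently held in the {@link SecurityContextHolder}.
     *
     * @return the compact-serialized signed JWT
     * @throws AuthenticationServiceException when no authentication is present, or when claim building or
     *                                        signing fails
     */
    @Nonnull
    public String create() {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (authentication == null) {
            throw new AuthenticationServiceException("no Authentication object found in SecurityContext");
        }
        return createJwtToken(createClaimsSet(authentication));
    }

    /**
     * Assembles the claims for the given authentication: subject, issue time, expiry
     * ({@value #JWT_VALIDITY_SECONDS} seconds after issue), a random jti and the granted authorities as
     * the {@code scope} claim.
     *
     * @param authentication the authenticated principal to describe
     * @return the claims set
     * @throws AuthenticationServiceException when any step of building the claims fails
     */
    @Nonnull
    private JWTClaimsSet createClaimsSet(Authentication authentication) {
        try {
            // Take a single timestamp so iat and exp are exactly JWT_VALIDITY_SECONDS apart.
            Instant now = Instant.now();
            return new JWTClaimsSet.Builder()
                    .subject(getPrincipalName(authentication))
                    .issueTime(Date.from(now))
                    .expirationTime(Date.from(now.plusSeconds(JWT_VALIDITY_SECONDS)))
                    .jwtID(UUIDUtil.createRandomUUID())
                    .claim("scope", mapAuthorities(authentication))
                    .build();
        } catch (Exception e) {
            throw new AuthenticationServiceException("unable to generate JWT ClaimsSet", e);
        }
    }

    /**
     * Resolves the value of the {@code sub} claim.
     * <p>
     * NOTE(review): for OIDC logins the given name is used rather than a stable identifier such as the
     * subject of the ID token; a given name need not be unique, so consumers should not treat {@code sub}
     * as an identity key without confirming this choice.
     *
     * @param authentication the authenticated principal
     * @return the OIDC given name when the principal is an {@link OidcUser}, otherwise the authentication name
     */
    private String getPrincipalName(Authentication authentication) {
        Object principal = authentication.getPrincipal();
        if (principal instanceof OidcUser) {
            return ((OidcUser) principal).getGivenName();
        }
        return authentication.getName();
    }

    /**
     * Collects the authority strings of the authentication into a list for the {@code scope} claim.
     *
     * @param authentication the authenticated principal
     * @return the granted authority names, possibly empty
     */
    private List<String> mapAuthorities(Authentication authentication) {
        // Typed pipeline instead of a raw List cast; the element type is inferred from getAuthority().
        return authentication.getAuthorities().stream()
                .map(authority -> authority.getAuthority())
                .collect(Collectors.toList());
    }

    /**
     * Signs the claims with the instance key and serializes the result in compact form.
     *
     * @param jwtClaimsSet the claims to sign
     * @return the compact-serialized signed JWT
     * @throws AuthenticationServiceException when signing fails
     */
    @Nonnull
    private String createJwtToken(@Nonnull JWTClaimsSet jwtClaimsSet) {
        SignedJWT signedJWT = new SignedJWT(this.jwtHeader, jwtClaimsSet);
        try {
            signedJWT.sign(this.signer);
            String serialized = signedJWT.serialize();
            // The serialized token is a bearer credential: this trace line writes it to the log in full.
            // Keep TRACE disabled for this logger outside local debugging, or log only the jti instead.
            this.log.trace("generated JWT token [{}]", serialized);
            return serialized;
        } catch (JOSEException e) {
            throw new AuthenticationServiceException("unable to sign JWT using [" + this.signer + "]", e);
        }
    }

    /**
     * Returns the JSON serialization of the public JWK set for the current signing key, or {@code null}
     * before {@link #afterPropertiesSet()} has run.
     *
     * @return the public JWK set as a JSON string
     */
    @Generated
    public String getPublicJwkSet() {
        return this.publicJwkSet;
    }
}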
