package ca.nrc.cadc.ac.server.oidc;

import ca.nrc.cadc.ac.Group;
import ca.nrc.cadc.ac.Role;
import ca.nrc.cadc.ac.User;
import ca.nrc.cadc.ac.UserNotFoundException;
import ca.nrc.cadc.ac.server.ldap.LdapGroupPersistence;
import ca.nrc.cadc.ac.server.ldap.LdapUserPersistence;
import ca.nrc.cadc.auth.AuthenticationUtil;
import ca.nrc.cadc.auth.HttpPrincipal;
import ca.nrc.cadc.auth.NumericPrincipal;
import ca.nrc.cadc.auth.SignedToken;
import ca.nrc.cadc.net.ResourceNotFoundException;
import ca.nrc.cadc.net.TransientException;
import ca.nrc.cadc.reg.Standards;
import ca.nrc.cadc.reg.client.LocalAuthority;
import ca.nrc.cadc.reg.client.RegistryClient;
import io.jsonwebtoken.JwtBuilder;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.security.Keys;
import java.io.IOException;
import java.net.URI;
import java.security.AccessControlException;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.KeyPair;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Calendar;
import java.util.Collection;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.security.auth.Subject;
import org.apache.log4j.Logger;

/* loaded from: input_file:ca/nrc/cadc/ac/server/oidc/OIDCUtil.class */
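public class OIDCUtil {
    public static final String AUTHORIZE_TOKEN_SCOPE = "cadc:oauth2/authorize_token";
    public static final String REFRESH_TOKEN_SCOPE = "cadc:oauth2/refresh_token";
    public static final String ACCESS_TOKEN_SCOPE = "cadc:oauth2/access_token";
    /** Name of the ID-token claim that carries the user's group membership list. */
    public static final String CLAIM_GROUPS_KEY = "memberOf";
    static final Key publicSigningKey;
    static final Key privateSigningKey;
    // Lifetimes in minutes (20160 = 14 days, 524160 = 364 days).
    public static final Integer ID_TOKEN_EXPIRY_MINUTES = 20160;
    public static final Integer AUTHORIZE_CODE_EXPIRY_MINUTES = 10;
    public static final Integer ACCESS_CODE_EXPIRY_MINUTES = 20160;
    public static final Integer REFRESH_TOKEN_EXPIRY_MINUTES = 524160;
    public static final Integer JWT_EXPIRY_MINUTES = 20160;
    private static final Logger log = Logger.getLogger(OIDCUtil.class);
    // Registered relying parties keyed by client id; populated once in the static initializer.
    private static final Map<String, RelyParty> relyParties = new HashMap<>();

    /**
     * Looks up a registered relying party by client id.
     *
     * @param str client id of the relying party
     * @return the matching RelyParty, or {@code null} if no party is registered under that id
     */
    public static RelyParty getRelyParty(String str) {
        return relyParties.get(str);
    }

    /**
     * Creates a signed CADC token for a user id, valid for the given number of minutes.
     *
     * @param str user id used to build the HttpPrincipal embedded in the token
     * @param uri scope URI of the token
     * @param i   lifetime in minutes from now
     * @return the formatted signed token
     * @throws InvalidKeyException if the token cannot be signed
     * @throws IOException         if token formatting fails
     */
    public static String getToken(String str, URI uri, int i) throws InvalidKeyException, IOException {
        HttpPrincipal httpPrincipal = new HttpPrincipal(str);
        Calendar expiry = Calendar.getInstance();
        expiry.add(Calendar.MINUTE, i);
        return SignedToken.format(new SignedToken(httpPrincipal, uri, expiry.getTime(), (List) null));
    }

    /**
     * Fetches the e-mail address recorded in LDAP for a user.
     *
     * @param httpPrincipal principal identifying the user
     * @return the user's e-mail address, or the empty string when no personal details / e-mail are stored
     * @throws AccessControlException if the caller may not read the user record
     * @throws UserNotFoundException  if the user does not exist
     * @throws TransientException     on a temporary LDAP failure
     */
    public static String getEmail(HttpPrincipal httpPrincipal)
            throws AccessControlException, UserNotFoundException, TransientException {
        User user = new LdapUserPersistence().getUser(httpPrincipal);
        if (user.personalDetails == null || user.personalDetails.email == null) {
            return "";
        }
        return user.personalDetails.email;
    }

    /**
     * Lists the names of all groups in which the current subject is a member.
     *
     * @return group names (possibly empty), in the order LDAP returns them
     * @throws Exception propagated from LdapGroupPersistence
     */
    public static List<String> getGroupList() throws Exception {
        Collection<Group> groups = new LdapGroupPersistence().getGroups(Role.MEMBER, null);
        List<String> groupNames = new ArrayList<>(groups.size());
        for (Group group : groups) {
            groupNames.add(group.getID().getName());
        }
        return groupNames;
    }

    /**
     * Builds and signs an OpenID Connect ID token for the currently authenticated subject.
     *
     * <p>The token carries iss, sub (numeric user id), iat, exp, name, email, the group
     * list under {@link #CLAIM_GROUPS_KEY}, and aud. It is signed with the RS256 private
     * key generated when this class was loaded.
     *
     * @param str audience (client id) to place in the {@code aud} claim; callers are
     *            expected to have validated it against a registered relying party
     * @return the compact serialized, signed JWT
     * @throws AccessControlException if the current subject has no NumericPrincipal or HttpPrincipal
     * @throws Exception              propagated from the LDAP lookups and registry client
     */
    public static String buildIDToken(String str) throws Exception {
        Subject currentSubject = AuthenticationUtil.getCurrentSubject();
        NumericPrincipal numericPrincipal = requirePrincipal(currentSubject, NumericPrincipal.class);
        HttpPrincipal httpPrincipal = requirePrincipal(currentSubject, HttpPrincipal.class);
        String email = getEmail(httpPrincipal);

        Calendar now = Calendar.getInstance();
        Calendar expiry = (Calendar) now.clone();
        expiry.add(Calendar.MINUTE, ID_TOKEN_EXPIRY_MINUTES.intValue());

        JwtBuilder builder = Jwts.builder();
        builder.claim("iss", getClaimIssuer());
        builder.claim("sub", numericPrincipal.getName());
        // NOTE(review): iat/exp are set via the generic claim() with a java.util.Date; RFC 7519
        // requires NumericDate (seconds since epoch). Confirm the configured serializer emits
        // seconds, otherwise the token's lifetime is misread by relying parties.
        builder.claim("iat", now.getTime());
        builder.claim("exp", expiry.getTime());
        builder.claim("name", httpPrincipal.getName());
        builder.claim("email", email);
        builder.claim(CLAIM_GROUPS_KEY, getGroupList());
        builder.claim("aud", str);
        return builder.signWith(privateSigningKey).compact();
    }

    /**
     * Returns the single principal of the requested type from a subject.
     *
     * @throws AccessControlException if the subject is null or carries no principal of that type,
     *                                so a missing login surfaces as an auth failure rather than a
     *                                NoSuchElementException
     */
    private static <P extends Principal> P requirePrincipal(Subject subject, Class<P> type) {
        if (subject == null) {
            throw new AccessControlException("no authenticated subject");
        }
        Iterator<P> it = subject.getPrincipals(type).iterator();
        if (!it.hasNext()) {
            throw new AccessControlException("subject has no " + type.getSimpleName());
        }
        return it.next();
    }

    /**
     * Derives the {@code iss} claim from the registered OAuth service URL by dropping the
     * last path segment.
     *
     * @return the OAuth access URL without its final path segment, or the full URL when it
     *         contains no '/' (instead of failing with an out-of-range substring)
     * @throws IOException               if the registry cannot be read
     * @throws ResourceNotFoundException if the OAuth service is not registered
     */
    static String getClaimIssuer() throws IOException, ResourceNotFoundException {
        URI serviceURI = new LocalAuthority().getServiceURI(Standards.SECURITY_METHOD_OAUTH.toString());
        String url = new RegistryClient().getAccessURL(serviceURI).toString();
        int lastSlash = url.lastIndexOf('/');
        return lastSlash < 0 ? url : url.substring(0, lastSlash);
    }

    static {
        // SECURITY(review): the relying-party client secret is hard-coded in source/bytecode.
        // It should be loaded from configuration outside the artifact and rotated independently.
        relyParties.put("arbutus-harbor", new RelyParty("arbutus-harbor", "harbor-secret"));
        // SECURITY(review): a fresh RS256 key pair is generated on every class load, so ID tokens
        // cannot be verified after a restart or by a second instance, and the public key is never
        // published. A persisted, configured key is needed for a working OIDC deployment.
        KeyPair keyPairFor = Keys.keyPairFor(SignatureAlgorithm.RS256);
        publicSigningKey = keyPairFor.getPublic();
        privateSigningKey = keyPairFor.getPrivate();
    }
}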
