package ca.nrc.cadc.ac.server.oidc;

import ca.nrc.cadc.ac.Group;
import ca.nrc.cadc.ac.Role;
import ca.nrc.cadc.ac.User;
import ca.nrc.cadc.ac.UserNotFoundException;
import ca.nrc.cadc.ac.server.ldap.LdapGroupPersistence;
import ca.nrc.cadc.ac.server.ldap.LdapUserPersistence;
import ca.nrc.cadc.ac.server.oidc.RelyParty;
import ca.nrc.cadc.auth.AuthenticationUtil;
import ca.nrc.cadc.auth.HttpPrincipal;
import ca.nrc.cadc.auth.NumericPrincipal;
import ca.nrc.cadc.auth.SignedToken;
import ca.nrc.cadc.net.ResourceNotFoundException;
import ca.nrc.cadc.net.TransientException;
import ca.nrc.cadc.reg.Standards;
import ca.nrc.cadc.reg.client.LocalAuthority;
import ca.nrc.cadc.reg.client.RegistryClient;
import ca.nrc.cadc.util.FileUtil;
import ca.nrc.cadc.util.MultiValuedProperties;
import ca.nrc.cadc.util.PropertiesReader;
import ca.nrc.cadc.util.RsaSignatureGenerator;
import ca.nrc.cadc.util.RsaSignatureVerifier;
import io.jsonwebtoken.JwtBuilder;
import io.jsonwebtoken.Jwts;
import java.io.File;
import java.io.IOException;
import java.net.URI;
import java.security.AccessControlException;
import java.security.InvalidKeyException;
import java.security.Key;
import java.security.Principal;
import java.security.PublicKey;
import java.util.ArrayList;
import java.util.Calendar;
import java.util.Collection;
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.StringJoiner;
import javax.security.auth.Subject;
import org.apache.log4j.Logger;
import org.json.JSONObject;
import org.opencadc.gms.GroupURI;
import org.opencadc.gms.GroupUtil;

/* loaded from: input_file:ca/nrc/cadc/ac/server/oidc/OIDCUtil.class */
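/**
 * Static helpers for the OIDC endpoints: signing/verification key material,
 * relying-party (client) configuration read from {@link #CONFIG}, and
 * ID-token construction for the current authenticated subject.
 *
 * <p>Key sets and the relying-party map are loaded lazily and cached in static
 * fields. Loading is idempotent, so two callers racing on first use may at
 * worst load the same configuration twice.
 */
public class OIDCUtil {
    /** Properties file that lists the registered OIDC relying parties. */
    public static final String CONFIG = "ac-oidc-clients.properties";
    public static final String AUTHORIZE_TOKEN_SCOPE = "cadc:oauth2/authorize_token";
    public static final String REFRESH_TOKEN_SCOPE = "cadc:oauth2/refresh_token";
    public static final String ACCESS_TOKEN_SCOPE = "cadc:oauth2/access_token";
    public static final String CLAIM_GROUPS_KEY = "memberOf";
    private static final String PUBLIC_KEY_NAME = "oidc-rsa256-pub.key";
    private static final String PRIVATE_KEY_NAME = "oidc-rsa256-priv.key";
    // Lifetimes in minutes: 20160 min = 14 days, 524160 min = 364 days.
    public static final Integer ID_TOKEN_EXPIRY_MINUTES = 20160;
    public static final Integer AUTHORIZE_CODE_EXPIRY_MINUTES = 10;
    public static final Integer ACCESS_CODE_EXPIRY_MINUTES = 20160;
    public static final Integer REFRESH_TOKEN_EXPIRY_MINUTES = 524160;
    public static final Integer JWT_EXPIRY_MINUTES = 20160;
    // Lazily populated caches; see class comment for the loading contract.
    private static Set<PublicKey> publicKeys = null;
    private static Key privateKey = null;
    private static final Logger log = Logger.getLogger(OIDCUtil.class);
    private static Map<String, RelyParty> relyParties = null;

    /**
     * Returns the RSA public keys used to verify tokens issued by this service.
     * Read once from {@code $HOME/config/oidc-rsa256-pub.key} and cached.
     */
    public static Set<PublicKey> getPublicKeys() {
        if (publicKeys == null) {
            File configDir = new File(System.getProperty("user.home"), "config");
            publicKeys = new RsaSignatureVerifier(new File(configDir, PUBLIC_KEY_NAME)).getPublicKeys();
        }
        return publicKeys;
    }

    /**
     * Returns the RSA private key used to sign ID tokens, cached after first use.
     * NOTE(review): unlike the public key this is resolved as a classpath resource
     * rather than from {@code $HOME/config}; confirm the deployment intends the
     * private key to live inside the packaged artifact.
     */
    private static Key getPrivateKey() {
        if (privateKey == null) {
            privateKey = new RsaSignatureGenerator(FileUtil.getFileFromResource(PRIVATE_KEY_NAME, OIDCUtil.class)).getPrivateKey();
        }
        return privateKey;
    }

    /**
     * Derives the set of client IDs from property keys of the form
     * {@code <clientID>.<attribute>} (the part before the first dot).
     */
    private static Set<String> getClientIDs(MultiValuedProperties props) {
        Set<String> keys = props.keySet();
        Set<String> clientIDs = new HashSet<>();
        for (String key : keys) {
            clientIDs.add(key.split("\\.")[0]);
        }
        return clientIDs;
    }

    /**
     * First value of {@code key}, or {@code null} when the key has no values.
     */
    private static String firstValue(MultiValuedProperties props, String key) {
        List<String> values = props.getProperty(key);
        return (values == null || values.isEmpty()) ? null : values.get(0);
    }

    /**
     * Returns the first value of a mandatory key.
     *
     * @throws IllegalStateException if the key is absent or its first value is missing or empty
     */
    private static String requireValue(MultiValuedProperties props, Set<String> keys, String key) {
        if (!keys.contains(key)) {
            throw new IllegalStateException("missing key " + key + " in " + CONFIG);
        }
        String value = firstValue(props, key);
        // firstValue() may return null for a key with an empty value list; treat it like an empty value
        if (value == null || value.isEmpty()) {
            throw new IllegalStateException("missing value for " + key + " in " + CONFIG);
        }
        return value;
    }

    /** Parses {@code <clientID>.sign-documents}; anything other than "true" (case-insensitive) is false. */
    private static boolean getSignDocuments(MultiValuedProperties props, Set<String> keys, String clientID) {
        return Boolean.parseBoolean(requireValue(props, keys, clientID + ".sign-documents"));
    }

    /** Parses the whitespace-separated claim names in {@code <clientID>.claims}. */
    private static List<RelyParty.Claim> getClaims(MultiValuedProperties props, Set<String> keys, String clientID) {
        String spec = requireValue(props, keys, clientID + ".claims");
        List<RelyParty.Claim> claims = new ArrayList<>();
        // tolerate repeated and surrounding whitespace between claim names
        for (String name : spec.trim().split("\\s+")) {
            claims.add(RelyParty.Claim.getClaim(name));
        }
        return claims;
    }

    /**
     * Reads {@link #CONFIG} and builds the relying-party map.
     *
     * @throws RuntimeException if no properties could be read
     * @throws IllegalStateException if a mandatory per-client key is missing or empty
     */
    private static void loadConfig() {
        log.debug("Reading RelyParties properties from: " + CONFIG);
        MultiValuedProperties props = new PropertiesReader(CONFIG).getAllProperties();
        // null-check before dereferencing (the previous order called keySet() first)
        if (props == null || props.keySet() == null || props.keySet().isEmpty()) {
            throw new RuntimeException("failed to read any OIDC property ");
        }
        Set<String> keys = props.keySet();
        Map<String, RelyParty> loaded = new HashMap<>();
        for (String clientID : getClientIDs(props)) {
            RelyParty relyParty = new RelyParty(clientID,
                    requireValue(props, keys, clientID + ".secret"),
                    requireValue(props, keys, clientID + ".description"),
                    getClaims(props, keys, clientID),
                    getSignDocuments(props, keys, clientID));
            // access-group is optional; when present and non-blank it restricts who may use the client
            String groupKey = clientID + ".access-group";
            if (keys.contains(groupKey)) {
                String group = firstValue(props, groupKey);
                if (group != null && !group.isEmpty()) {
                    relyParty.setAccessGroup(new GroupURI(URI.create(group)));
                }
            }
            loaded.put(clientID, relyParty);
        }
        // publish only once fully built (previously an empty map was assigned first and filled in place)
        relyParties = loaded;
    }

    /**
     * Looks up a relying party by client ID, loading the configuration on first use.
     *
     * @return the configured relying party, or {@code null} if the ID is unknown
     */
    public static RelyParty getRelyParty(String str) {
        if (relyParties == null) {
            loadConfig();
        }
        return relyParties.get(str);
    }

    /**
     * Whether the current caller may use the given relying party: always true when no
     * access group is configured, otherwise requires membership in that group.
     */
    public static boolean accessAllowed(RelyParty relyParty) {
        GroupURI accessGroup = relyParty.getAccessGroup();
        if (accessGroup == null) {
            return true;
        }
        return GroupUtil.getGroupClient(accessGroup.getServiceID()).isMember(accessGroup);
    }

    /**
     * Creates a formatted signed token for a user.
     *
     * @param str user ID (becomes the token's HttpPrincipal)
     * @param uri token scope
     * @param i   lifetime in minutes from now
     */
    public static String getToken(String str, URI uri, int i) throws InvalidKeyException, IOException {
        Calendar expiry = Calendar.getInstance();
        expiry.add(Calendar.MINUTE, i);
        // the last constructor argument is intentionally null; the raw List cast keeps the same overload as before
        return SignedToken.format(new SignedToken(new HttpPrincipal(str), uri, expiry.getTime(), (List) null));
    }

    /**
     * Returns the user's e-mail address from LDAP, or {@code ""} when none is recorded.
     *
     * @throws UserNotFoundException if the principal has no LDAP user
     */
    public static String getEmail(HttpPrincipal httpPrincipal) throws AccessControlException, UserNotFoundException, TransientException {
        User user = new LdapUserPersistence().getUser(httpPrincipal);
        boolean hasEmail = user.personalDetails != null && user.personalDetails.email != null;
        return hasEmail ? user.personalDetails.email : "";
    }

    /**
     * Returns the names of the groups the current user is a member of (LDAP round trip).
     * An empty list is returned when the persistence layer yields no collection.
     */
    public static List<String> getGroupList() throws Exception {
        Collection<Group> groups = new LdapGroupPersistence().getGroups(Role.MEMBER, null);
        List<String> names = new ArrayList<>();
        if (groups != null) {
            for (Group group : groups) {
                names.add(group.getID().getName());
            }
        }
        return names;
    }

    /**
     * Returns the single principal of the given type from the subject.
     *
     * @throws AccessControlException if the subject carries no such principal
     */
    private static <T extends Principal> T requirePrincipal(Subject subject, Class<T> type) {
        Set<T> found = subject.getPrincipals(type);
        if (found.isEmpty()) {
            throw new AccessControlException("current subject has no " + type.getSimpleName());
        }
        return found.iterator().next();
    }

    /**
     * Assembles the claims shared by both ID-token forms: sub, iss, aud (when the client
     * ID is set), iat, exp, plus whichever of name/email/groups the relying party is
     * configured to receive. {@code iat} is the time of the call and {@code exp} is
     * {@link #ID_TOKEN_EXPIRY_MINUTES} later.
     */
    private static Map<String, Object> standardClaims(RelyParty relyParty, NumericPrincipal numericPrincipal,
            HttpPrincipal httpPrincipal, String email) throws Exception {
        Calendar cal = Calendar.getInstance();
        Date issuedAt = cal.getTime();
        cal.add(Calendar.MINUTE, ID_TOKEN_EXPIRY_MINUTES);
        Date expiresAt = cal.getTime();

        Map<String, Object> claims = new LinkedHashMap<>();
        claims.put("sub", numericPrincipal.getName());
        claims.put("iss", getClaimIssuer());
        if (relyParty.getClientID() != null) {
            claims.put("aud", relyParty.getClientID());
        }
        claims.put("iat", issuedAt);
        claims.put("exp", expiresAt);
        if (relyParty.getClaims().contains(RelyParty.Claim.NAME)) {
            claims.put(RelyParty.Claim.NAME.getValue(), httpPrincipal.getName());
        }
        if (relyParty.getClaims().contains(RelyParty.Claim.EMAIL)) {
            claims.put(RelyParty.Claim.EMAIL.getValue(), email);
        }
        if (relyParty.getClaims().contains(RelyParty.Claim.GROUPS)) {
            // LDAP round trip, so only performed when the client asked for groups
            claims.put(RelyParty.Claim.GROUPS.getValue(), getGroupList());
        }
        return claims;
    }

    /**
     * Builds an ID token for the current subject.
     *
     * <p>A compact JWT is returned when the relying party signs documents or {@code z}
     * is false; it is signed with the service private key only when the relying party
     * has {@code sign-documents=true}, otherwise the compact JWT carries no signature.
     * When {@code z} is true and the relying party does not sign documents, the same
     * claims are returned as a plain JSON object instead.
     *
     * @param relyParty the client the token is issued for
     * @param z when false always produce a compact JWT; when true fall back to plain JSON for
     *          relying parties that do not sign documents
     * @throws AccessControlException if there is no current subject or it lacks the numeric/HTTP principal
     */
    public static String buildIDToken(RelyParty relyParty, boolean z) throws Exception {
        Subject subject = AuthenticationUtil.getCurrentSubject();
        if (subject == null) {
            throw new AccessControlException("no current subject");
        }
        NumericPrincipal numericPrincipal = requirePrincipal(subject, NumericPrincipal.class);
        HttpPrincipal httpPrincipal = requirePrincipal(subject, HttpPrincipal.class);
        // looked up unconditionally (as before): this also fails with UserNotFoundException for an unknown user
        String email = getEmail(httpPrincipal);
        Map<String, Object> claims = standardClaims(relyParty, numericPrincipal, httpPrincipal, email);

        if (relyParty.isSignDocuments() || !z) {
            JwtBuilder builder = Jwts.builder();
            for (Map.Entry<String, Object> claim : claims.entrySet()) {
                builder.claim(claim.getKey(), claim.getValue());
            }
            return relyParty.isSignDocuments() ? builder.signWith(getPrivateKey()).compact() : builder.compact();
        }
        JSONObject json = new JSONObject();
        for (Map.Entry<String, Object> claim : claims.entrySet()) {
            json.put(claim.getKey(), claim.getValue());
        }
        return json.toString();
    }

    /**
     * Returns the {@code iss} claim value: the registered OAuth access URL with its last
     * path segment removed (the URL unchanged if it contains no slash).
     */
    static String getClaimIssuer() throws IOException, ResourceNotFoundException {
        String url = new RegistryClient().getAccessURL(new LocalAuthority().getServiceURI(Standards.SECURITY_METHOD_OAUTH.toString())).toString();
        int lastSlash = url.lastIndexOf('/');
        return lastSlash < 0 ? url : url.substring(0, lastSlash);
    }

    /**
     * Joins the human-readable descriptions of the given claims with {@code ", "}.
     *
     * @return the joined descriptions, or {@code ""} for a null or empty list
     */
    public static String getClaimDescriptionString(List<RelyParty.Claim> list) {
        if (list == null) {
            return "";
        }
        StringJoiner joiner = new StringJoiner(", ");
        for (RelyParty.Claim claim : list) {
            joiner.add(claim.getDescription());
        }
        return joiner.toString();
    }
}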
