package org.opencadc.permissions;

import ca.nrc.cadc.util.Base64;
import ca.nrc.cadc.util.RsaSignatureGenerator;
import ca.nrc.cadc.util.RsaSignatureVerifier;
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.IOException;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.AccessControlException;
import java.security.InvalidKeyException;
import org.apache.log4j.Logger;

/* loaded from: input_file:org/opencadc/permissions/TokenTool.class */
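/**
 * Generates and validates RSA-signed, pre-authorized access tokens.
 *
 * <p>Token layout: {@code <meta>~<sig>}. {@code meta} is the Base64 encoding of
 * {@code uri=<target>&gnt=<grant simple name>&sub=<subject>} and {@code sig} is the Base64
 * encoding of the RSA signature over those metadata bytes. In both parts {@code /} is replaced
 * by {@code -} and {@code +} by {@code _}.
 *
 * <p>Security notes for callers:
 * <ul>
 *   <li>Validation checks only the signature, the target URI and the grant type; nothing in
 *       this class binds a token to the caller presenting it. Treat a token as a bearer
 *       credential: this class never logs the token or its signature.</li>
 *   <li>The signed metadata carries no expiry or nonce, so this class accepts a token for as
 *       long as the verifying public key is in use. Any lifetime limit has to be enforced
 *       elsewhere (for example by rotating the key pair).</li>
 *   <li>The grant is matched by {@link Class#getSimpleName()} only, so two grant classes with
 *       the same simple name in different packages are indistinguishable.</li>
 *   <li>The character substitution is the reverse of RFC 4648 base64url ({@code +} to
 *       {@code -}, {@code /} to {@code _}); tokens are therefore not readable by a standard
 *       base64url decoder. The mapping is kept as is so that existing tokens remain valid.</li>
 * </ul>
 */
public class TokenTool {
    private static final Logger log = Logger.getLogger(TokenTool.class);
    private static final String KEY_META_URI = "uri";
    private static final String KEY_META_GRANT = "gnt";
    private static final String KEY_META_SUBJECT = "sub";
    private final File publicKey;
    private final File privateKey;
    private static final String TOKEN_DELIM = "~";

    // Separator between key=value pairs in the signed metadata.
    private static final String PARAM_DELIM = "&";

    // One message for every rejection so that the caller cannot tell which check failed.
    private static final String INVALID_TOKEN_MSG = "Invalid auth token";

    /**
     * Creates a tool that can only validate tokens.
     *
     * @param file the RSA public key file used to verify signatures
     * @throws IllegalArgumentException if {@code file} is null
     */
    public TokenTool(File file) {
        if (file == null) {
            throw new IllegalArgumentException("publicKey cannot be null");
        }
        this.publicKey = file;
        this.privateKey = null;
    }

    /**
     * Creates a tool that can both generate and validate tokens.
     *
     * @param file the RSA public key file used to verify signatures
     * @param file2 the RSA private key file used to sign tokens
     * @throws IllegalArgumentException if either argument is null
     */
    public TokenTool(File file, File file2) {
        if (file == null) {
            throw new IllegalArgumentException("publicKey cannot be null");
        }
        if (file2 == null) {
            throw new IllegalArgumentException("privateKey cannot be null");
        }
        this.publicKey = file;
        this.privateKey = file2;
    }

    /**
     * Builds a signed token granting {@code cls} on {@code uri} to subject {@code str}.
     *
     * <p>The metadata is a flat {@code key=value&key=value} string with no escaping, so a
     * {@code '&'} inside the URI or the subject would be parsed as an extra field on
     * validation. A subject such as {@code x&gnt=Other} would then yield a signed token whose
     * grant differs from the one requested. Such values are rejected here before signing.
     *
     * @param uri the target resource the token applies to
     * @param cls the grant type; only its simple name is recorded
     * @param str the subject the token is issued to; a null subject is recorded as the text
     *     {@code "null"}
     * @return the token in {@code <meta>~<sig>} form
     * @throws IllegalStateException if this tool has no private key or signing fails
     * @throws IllegalArgumentException if the URI or subject contains {@code '&'}
     */
    public String generateToken(URI uri, Class<? extends Grant> cls, String str) {
        if (this.privateKey == null) {
            throw new IllegalStateException("cannot generate token: no private key");
        }
        String target = uri.toString();
        if (target.contains(PARAM_DELIM)) {
            throw new IllegalArgumentException("uri cannot contain '&'");
        }
        if (str != null && str.contains(PARAM_DELIM)) {
            throw new IllegalArgumentException("subject cannot contain '&'");
        }

        String meta = KEY_META_URI + "=" + target
                + PARAM_DELIM + KEY_META_GRANT + "=" + cls.getSimpleName()
                + PARAM_DELIM + KEY_META_SUBJECT + "=" + str;
        // Fixed charset: signer and verifier may run on hosts with different platform defaults.
        byte[] metaBytes = meta.getBytes(StandardCharsets.UTF_8);
        try {
            byte[] signature = new RsaSignatureGenerator(this.privateKey).sign(new ByteArrayInputStream(metaBytes));
            String sigEncoded = base64URLEncode(new String(Base64.encode(signature)));
            String metaEncoded = base64URLEncode(new String(Base64.encode(metaBytes)));
            // Log the metadata only; the signature and the assembled token are credentials.
            log.debug("Created token for meta: " + meta);
            return metaEncoded + TOKEN_DELIM + sigEncoded;
        } catch (IOException | RuntimeException | InvalidKeyException e) {
            throw new IllegalStateException("Could not sign token", e);
        }
    }

    /**
     * Verifies a token's signature and checks that it was issued for {@code uri} and
     * {@code cls}.
     *
     * <p>Every failure is reported with the same message. A key that appears more than once
     * in the signed metadata is rejected rather than letting the last occurrence win.
     * Unrecognised keys are ignored.
     *
     * @param str the token as produced by {@link #generateToken(URI, Class, String)}
     * @param uri the resource being accessed; must equal the URI recorded in the token
     * @param cls the grant type being exercised; its simple name must match the token
     * @return the subject recorded in the token
     * @throws AccessControlException if the token is null, malformed, fails signature
     *     verification, or does not match {@code uri} or {@code cls}
     * @throws IOException declared for the signature verifier, which reads the metadata
     *     through a stream
     */
    public String validateToken(String str, URI uri, Class<? extends Grant> cls) throws AccessControlException, IOException {
        // The presented token is deliberately not logged: it is a usable credential.
        log.debug("validating token");
        if (str == null) {
            log.debug("invalid format, null token");
            throw new AccessControlException(INVALID_TOKEN_MSG);
        }
        String[] parts = str.split(TOKEN_DELIM);
        if (parts.length != 2) {
            log.debug("invalid format, not two parts");
            throw new AccessControlException(INVALID_TOKEN_MSG);
        }
        try {
            // Decoding happens inside the try so that a runtime failure on malformed input is
            // reported as an invalid token instead of escaping as an unrelated exception.
            byte[] metaBytes = Base64.decode(base64URLDecode(parts[0]));
            byte[] signature = Base64.decode(base64URLDecode(parts[1]));
            if (!new RsaSignatureVerifier(this.publicKey).verify(new ByteArrayInputStream(metaBytes), signature)) {
                log.debug("verified==false");
                throw new AccessControlException(INVALID_TOKEN_MSG);
            }

            // Only metadata whose signature has been verified is parsed.
            String tokenUri = null;
            String tokenGrant = null;
            String tokenSubject = null;
            for (String param : new String(metaBytes, StandardCharsets.UTF_8).split(PARAM_DELIM)) {
                log.debug("Processing param: " + param);
                int eq = param.indexOf("=");
                if (eq < 2) {
                    log.debug("invalid param key/value pair");
                    throw new AccessControlException(INVALID_TOKEN_MSG);
                }
                String key = param.substring(0, eq);
                String value = param.substring(eq + 1);
                if (KEY_META_URI.equals(key)) {
                    rejectDuplicate(tokenUri, key);
                    tokenUri = value;
                } else if (KEY_META_GRANT.equals(key)) {
                    rejectDuplicate(tokenGrant, key);
                    tokenGrant = value;
                } else if (KEY_META_SUBJECT.equals(key)) {
                    rejectDuplicate(tokenSubject, key);
                    tokenSubject = value;
                }
            }
            log.debug("uri: " + tokenUri);
            log.debug("grant: " + tokenGrant);
            log.debug("subject: " + tokenSubject);
            if (!uri.toString().equals(tokenUri)) {
                log.debug("wrong target uri");
                throw new AccessControlException(INVALID_TOKEN_MSG);
            }
            if (!cls.getSimpleName().equals(tokenGrant)) {
                log.debug("wrong grant type");
                throw new AccessControlException(INVALID_TOKEN_MSG);
            }
            return tokenSubject;
        } catch (AccessControlException e) {
            // Already the uniform rejection; the cause was logged where it was detected.
            throw e;
        } catch (RuntimeException | InvalidKeyException e) {
            log.debug("Recieved invalid signature", e);
            throw new AccessControlException(INVALID_TOKEN_MSG);
        }
    }

    /** Rejects a metadata key that has already been seen in the token being parsed. */
    private static void rejectDuplicate(String existing, String key) {
        if (existing != null) {
            log.debug("duplicate param key: " + key);
            throw new AccessControlException(INVALID_TOKEN_MSG);
        }
    }

    /**
     * Makes Base64 text safe for use in a URL path by replacing {@code /} with {@code -} and
     * {@code +} with {@code _}. This is not the RFC 4648 base64url alphabet; see the class
     * documentation.
     *
     * @param str Base64 text, or null
     * @return the substituted text, or null if {@code str} is null
     */
    static String base64URLEncode(String str) {
        if (str == null) {
            return null;
        }
        return str.replace("/", "-").replace("+", "_");
    }

    /**
     * Reverses {@link #base64URLEncode(String)}: {@code _} becomes {@code +} and {@code -}
     * becomes {@code /}.
     *
     * @param str text produced by {@link #base64URLEncode(String)}, or null
     * @return the original Base64 text, or null if {@code str} is null
     */
    static String base64URLDecode(String str) {
        if (str == null) {
            return null;
        }
        return str.replace("_", "+").replace("-", "/");
    }
}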
