package org.sonar.server.authentication;

import com.google.common.base.Preconditions;
import com.google.common.collect.ImmutableMap;
import io.jsonwebtoken.Claims;
import java.util.Collections;
import java.util.Date;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import javax.annotation.Nullable;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.lang.time.DateUtils;
import org.sonar.api.config.Settings;
import org.sonar.api.server.ServerSide;
import org.sonar.api.utils.System2;
import org.sonar.db.DbClient;
import org.sonar.db.DbSession;
import org.sonar.db.user.UserDto;
import org.sonar.server.authentication.JwtSerializer;

@ServerSide
/* loaded from: input_file:org/sonar/server/authentication/JwtHttpHandler.class */
public class JwtHttpHandler {
    private static final String SESSION_TIMEOUT_IN_MINUTES_PROPERTY = "sonar.web.sessionTimeoutInMinutes";
    private static final int SESSION_TIMEOUT_DEFAULT_VALUE_IN_MINUTES = 4320;
    private static final int MAX_SESSION_TIMEOUT_IN_MINUTES = 129600;
    private static final String JWT_COOKIE = "JWT-SESSION";
    private static final String LAST_REFRESH_TIME_PARAM = "lastRefreshTime";
    private static final String CSRF_JWT_PARAM = "xsrfToken";
    private static final int SESSION_DISCONNECT_IN_SECONDS = 7776000;
    private static final int SESSION_REFRESH_IN_SECONDS = 300;
    private final System2 system2;
    private final DbClient dbClient;
    private final JwtSerializer jwtSerializer;
    private final int sessionTimeoutInSeconds;
    private final JwtCsrfVerifier jwtCsrfVerifier;

    /* loaded from: input_file:org/sonar/server/authentication/JwtHttpHandler$Token.class */
    public static class Token {
        private final UserDto userDto;
        private final Map<String, Object> properties;

        Token(UserDto userDto, Map<String, Object> map) {
            this.userDto = userDto;
            this.properties = map;
        }

        public UserDto getUserDto() {
            return this.userDto;
        }

        public Map<String, Object> getProperties() {
            return this.properties;
        }
    }

    public JwtHttpHandler(System2 system2, DbClient dbClient, Settings settings, JwtSerializer jwtSerializer, JwtCsrfVerifier jwtCsrfVerifier) {
        this.jwtSerializer = jwtSerializer;
        this.dbClient = dbClient;
        this.system2 = system2;
        this.sessionTimeoutInSeconds = getSessionTimeoutInSeconds(settings);
        this.jwtCsrfVerifier = jwtCsrfVerifier;
    }

    public void generateToken(UserDto userDto, Map<String, Object> map, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        httpServletResponse.addCookie(createCookie(httpServletRequest, JWT_COOKIE, this.jwtSerializer.encode(new JwtSerializer.JwtSession(userDto.getLogin(), this.sessionTimeoutInSeconds, ImmutableMap.builder().putAll(map).put(LAST_REFRESH_TIME_PARAM, Long.valueOf(this.system2.now())).put(CSRF_JWT_PARAM, this.jwtCsrfVerifier.generateState(httpServletRequest, httpServletResponse, this.sessionTimeoutInSeconds)).build())), this.sessionTimeoutInSeconds));
    }

    public void generateToken(UserDto userDto, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        generateToken(userDto, Collections.emptyMap(), httpServletRequest, httpServletResponse);
    }

    public Optional<UserDto> validateToken(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        Optional<Token> token = getToken(httpServletRequest, httpServletResponse);
        return token.isPresent() ? Optional.of(token.get().getUserDto()) : Optional.empty();
    }

    public Optional<Token> getToken(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        Optional<String> tokenFromCookie = getTokenFromCookie(httpServletRequest);
        return !tokenFromCookie.isPresent() ? Optional.empty() : validateToken(tokenFromCookie.get(), httpServletRequest, httpServletResponse);
    }

    private static Optional<String> getTokenFromCookie(HttpServletRequest httpServletRequest) {
        Optional<Cookie> findCookie = CookieUtils.findCookie(JWT_COOKIE, httpServletRequest);
        if (!findCookie.isPresent()) {
            return Optional.empty();
        }
        String value = findCookie.get().getValue();
        return StringUtils.isEmpty(value) ? Optional.empty() : Optional.of(value);
    }

    private Optional<Token> validateToken(String str, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        Optional<Claims> decode = this.jwtSerializer.decode(str);
        if (!decode.isPresent()) {
            return Optional.empty();
        }
        Date date = new Date(this.system2.now());
        Claims claims = decode.get();
        if (date.after(DateUtils.addSeconds(claims.getIssuedAt(), SESSION_DISCONNECT_IN_SECONDS))) {
            return Optional.empty();
        }
        this.jwtCsrfVerifier.verifyState(httpServletRequest, (String) claims.get(CSRF_JWT_PARAM));
        if (date.after(DateUtils.addSeconds(getLastRefreshDate(claims), SESSION_REFRESH_IN_SECONDS))) {
            refreshToken(claims, httpServletRequest, httpServletResponse);
        }
        Optional<UserDto> selectUserFromDb = selectUserFromDb(claims.getSubject());
        return !selectUserFromDb.isPresent() ? Optional.empty() : Optional.of(new Token(selectUserFromDb.get(), decode.get()));
    }

    private static Date getLastRefreshDate(Claims claims) {
        Long l = (Long) claims.get(LAST_REFRESH_TIME_PARAM);
        Objects.requireNonNull(l, "last refresh time is missing in token");
        return new Date(l.longValue());
    }

    private void refreshToken(Claims claims, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        httpServletResponse.addCookie(createCookie(httpServletRequest, JWT_COOKIE, this.jwtSerializer.refresh(claims, this.sessionTimeoutInSeconds), this.sessionTimeoutInSeconds));
        this.jwtCsrfVerifier.refreshState(httpServletRequest, httpServletResponse, (String) claims.get(CSRF_JWT_PARAM), this.sessionTimeoutInSeconds);
    }

    void removeToken(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        httpServletResponse.addCookie(createCookie(httpServletRequest, JWT_COOKIE, null, 0));
        this.jwtCsrfVerifier.removeState(httpServletRequest, httpServletResponse);
    }

    private static Cookie createCookie(HttpServletRequest httpServletRequest, String str, @Nullable String str2, int i) {
        return CookieUtils.createCookie(str, str2, true, i, httpServletRequest);
    }

    private Optional<UserDto> selectUserFromDb(String str) {
        DbSession openSession = this.dbClient.openSession(false);
        try {
            Optional<UserDto> ofNullable = Optional.ofNullable(this.dbClient.userDao().selectActiveUserByLogin(openSession, str));
            this.dbClient.closeSession(openSession);
            return ofNullable;
        } catch (Throwable th) {
            this.dbClient.closeSession(openSession);
            throw th;
        }
    }

    private static int getSessionTimeoutInSeconds(Settings settings) {
        int i;
        if (settings.hasKey(SESSION_TIMEOUT_IN_MINUTES_PROPERTY)) {
            i = settings.getInt(SESSION_TIMEOUT_IN_MINUTES_PROPERTY);
            Preconditions.checkArgument(i > 0, "Property %s must be strictly positive. Got %s.", new Object[]{SESSION_TIMEOUT_IN_MINUTES_PROPERTY, Integer.valueOf(i)});
        } else {
            i = SESSION_TIMEOUT_DEFAULT_VALUE_IN_MINUTES;
        }
        Preconditions.checkArgument(i <= MAX_SESSION_TIMEOUT_IN_MINUTES, "Property %s must not be greater than %s. Got %s.", new Object[]{SESSION_TIMEOUT_IN_MINUTES_PROPERTY, Integer.valueOf(MAX_SESSION_TIMEOUT_IN_MINUTES), Integer.valueOf(i)});
        return i * 60;
    }
}
