package org.sonar.server.authentication;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Preconditions;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.ExpiredJwtException;
import io.jsonwebtoken.JwtBuilder;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.SignatureException;
import io.jsonwebtoken.impl.crypto.MacProvider;
import java.util.Base64;
import java.util.Collections;
import java.util.Date;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import javax.annotation.concurrent.Immutable;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import org.sonar.api.Startable;
import org.sonar.api.config.Configuration;
import org.sonar.api.server.ServerSide;
import org.sonar.api.utils.System2;
import org.sonar.core.util.UuidFactory;
import org.sonar.process.ProcessProperties;
import org.sonar.server.authentication.event.AuthenticationEvent;
import org.sonar.server.authentication.event.AuthenticationException;

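/**
 * Issues, verifies and refreshes the HMAC-signed JSON Web Tokens that carry a web session.
 *
 * <p>The signing key comes from the {@code AUTH_JWT_SECRET} property when it is set (the
 * Base64 encoding of the raw key bytes); otherwise a random key is generated on every
 * {@link #start()} and kept only in memory. {@link #encode}, {@link #decode} and
 * {@link #refresh} are usable only between {@link #start()} and {@link #stop()} and fail
 * fast otherwise.
 */
@ServerSide
public class JwtSerializer implements Startable {
    /** HS256: HMAC with SHA-256 over the encoded header and payload. */
    private static final SignatureAlgorithm SIGNATURE_ALGORITHM = SignatureAlgorithm.HS256;
    /** Factor for turning the second-based lifetimes into {@link Date} milliseconds; a long so the product never overflows. */
    private static final long MILLIS_PER_SECOND = 1000L;

    private final Configuration config;
    private final System2 system2;
    private final UuidFactory uuidFactory;
    /** Set by {@link #start()}, cleared by {@link #stop()}; {@code null} while not started. */
    private SecretKey secretKey;

    /**
     * The data put into a freshly issued token: the user, how long the token stays valid
     * and any extra claims.
     *
     * <p>The properties map is copied on construction, so later changes to the map passed
     * in do not affect the session, and {@link #getProperties()} is unmodifiable.
     */
    @Immutable
    static class JwtSession {
        private final String userLogin;
        private final long expirationTimeInSeconds;
        private final Map<String, Object> properties;

        /**
         * Creates a session with no extra claims.
         *
         * @param userLogin login of the authenticated user; becomes the token subject
         * @param expirationTimeInSeconds token lifetime, counted from the issue time
         * @throws NullPointerException if {@code userLogin} is null
         */
        JwtSession(String userLogin, long expirationTimeInSeconds) {
            this(userLogin, expirationTimeInSeconds, Collections.emptyMap());
        }

        /**
         * Creates a session carrying extra claims.
         *
         * @param userLogin login of the authenticated user; becomes the token subject
         * @param expirationTimeInSeconds token lifetime, counted from the issue time
         * @param properties additional claims keyed by claim name; copied defensively
         * @throws NullPointerException if {@code userLogin} or {@code properties} is null
         */
        public JwtSession(String userLogin, long expirationTimeInSeconds, Map<String, Object> properties) {
            this.userLogin = Objects.requireNonNull(userLogin, "User login cannot be null");
            this.expirationTimeInSeconds = expirationTimeInSeconds;
            // Copy instead of aliasing: the class is declared @Immutable and the caller may keep
            // mutating its own map. LinkedHashMap preserves the claim order the caller chose.
            this.properties = Collections.unmodifiableMap(
                new LinkedHashMap<>(Objects.requireNonNull(properties, "Properties cannot be null")));
        }

        /** @return the login used as the token subject */
        String getUserLogin() {
            return this.userLogin;
        }

        /** @return the token lifetime in seconds */
        long getExpirationTimeInSeconds() {
            return this.expirationTimeInSeconds;
        }

        /** @return the extra claims, as an unmodifiable map */
        Map<String, Object> getProperties() {
            return this.properties;
        }
    }

    /**
     * @param configuration source of the {@code AUTH_JWT_SECRET} property
     * @param system2 clock used for the issued-at and expiration claims
     * @param uuidFactory source of the per-token id ({@code jti}) claim
     */
    public JwtSerializer(Configuration configuration, System2 system2, UuidFactory uuidFactory) {
        this.config = configuration;
        this.system2 = system2;
        this.uuidFactory = uuidFactory;
    }

    /** @return the current signing key, or {@code null} when not started */
    @VisibleForTesting
    SecretKey getSecretKey() {
        return this.secretKey;
    }

    /**
     * Loads the signing key. When the {@code AUTH_JWT_SECRET} property is set it must hold
     * the Base64 encoding of the raw key bytes; otherwise a new random key is generated and
     * kept only in memory, so it differs on every start.
     *
     * @throws IllegalArgumentException if the configured property is not valid Base64
     */
    @Override
    public void start() {
        Optional<String> configuredSecret = this.config.get(ProcessProperties.Property.AUTH_JWT_SECRET.getKey());
        this.secretKey = configuredSecret
            .map(JwtSerializer::decodeSecretKeyProperty)
            .orElseGet(JwtSerializer::generateSecretKey);
    }

    /**
     * Signs a new token for the given session.
     *
     * <p>Registered claims set here: {@code jti} (a fresh UUID), {@code sub} (the login),
     * {@code iat} (now) and {@code exp} (now plus the session lifetime). The session
     * properties are then added as custom claims; presumably a property whose key matches a
     * registered claim name would replace that claim, so callers should avoid such keys.
     *
     * @param jwtSession what to put into the token
     * @return the compact serialized, signed token
     * @throws NullPointerException if the serializer is not started
     */
    public String encode(JwtSession jwtSession) {
        checkIsStarted();
        long now = this.system2.now();
        JwtBuilder builder = Jwts.builder()
            .setId(this.uuidFactory.create())
            .setSubject(jwtSession.getUserLogin())
            .setIssuedAt(new Date(now))
            .setExpiration(new Date(now + jwtSession.getExpirationTimeInSeconds() * MILLIS_PER_SECOND))
            .signWith(SIGNATURE_ALGORITHM, this.secretKey);
        jwtSession.getProperties().forEach(builder::claim);
        return builder.compact();
    }

    /**
     * Verifies a token's signature and required claims.
     *
     * @param token the compact serialized JWT received from the client
     * @return the verified claims, or empty when the token has expired or its signature does
     *         not match the current key
     * @throws AuthenticationException for any other failure, e.g. a malformed token or one
     *         missing a required registered claim (id, subject, expiration, issued-at)
     * @throws NullPointerException if the serializer is not started
     */
    public Optional<Claims> decode(String token) {
        checkIsStarted();
        Claims claims = null;
        try {
            claims = Jwts.parser().setSigningKey(this.secretKey).parseClaimsJws(token).getBody();
            // encode() always sets these four claims; a token lacking any of them is rejected
            // outright rather than partially trusted.
            Objects.requireNonNull(claims.getId(), "Token id hasn't been found");
            Objects.requireNonNull(claims.getSubject(), "Token subject hasn't been found");
            Objects.requireNonNull(claims.getExpiration(), "Token expiration date hasn't been found");
            Objects.requireNonNull(claims.getIssuedAt(), "Token creation date hasn't been found");
            return Optional.of(claims);
        } catch (ExpiredJwtException | SignatureException e) {
            // Stale or foreign tokens are reported as "no session" rather than as an error.
            return Optional.empty();
        } catch (Exception e) {
            // Boundary catch: everything else (malformed token, missing claim, ...) becomes an
            // authentication failure. claims is non-null only if parsing itself succeeded, so
            // the login is attached when it is known.
            throw AuthenticationException.newBuilder()
                .setSource(AuthenticationEvent.Source.jwt())
                .setLogin(claims == null ? null : claims.getSubject())
                .setMessage(e.getMessage())
                .build();
        }
    }

    /**
     * Re-issues a token with a new expiration date. Every claim of the given token is copied
     * as-is (including the id and issued-at); only {@code exp} is replaced.
     *
     * @param claims the claims of a token previously verified by {@link #decode(String)}
     * @param expirationTimeInSeconds new lifetime, counted from now
     * @return the compact serialized, signed token
     * @throws NullPointerException if the serializer is not started
     */
    public String refresh(Claims claims, int expirationTimeInSeconds) {
        checkIsStarted();
        long now = this.system2.now();
        JwtBuilder builder = Jwts.builder();
        claims.forEach(builder::claim);
        // Multiply in long: an int product overflows for lifetimes above ~24.8 days and
        // would produce an expiration date in the past.
        builder.setExpiration(new Date(now + expirationTimeInSeconds * MILLIS_PER_SECOND))
            .signWith(SIGNATURE_ALGORITHM, this.secretKey);
        return builder.compact();
    }

    /** @return a random key sized for {@link #SIGNATURE_ALGORITHM} */
    private static SecretKey generateSecretKey() {
        return MacProvider.generateKey(SIGNATURE_ALGORITHM);
    }

    /**
     * Builds the signing key from the configured property value.
     *
     * @param base64Secret Base64 encoding of the raw HMAC key bytes
     * @return the key, using the JCA algorithm name of {@link #SIGNATURE_ALGORITHM}
     * @throws IllegalArgumentException if the value is not valid Base64, or decodes to zero
     *         bytes ({@link SecretKeySpec} rejects an empty key)
     */
    private static SecretKey decodeSecretKeyProperty(String base64Secret) {
        byte[] keyBytes = Base64.getDecoder().decode(base64Secret);
        // NOTE(review): no minimum length is enforced here; HS256 keys should be at least
        // 256 bits (32 raw bytes). Confirm the property is validated where it is set.
        return new SecretKeySpec(keyBytes, 0, keyBytes.length, SIGNATURE_ALGORITHM.getJcaName());
    }

    /**
     * Fails with a {@link NullPointerException} naming this class when {@link #start()} has
     * not run yet or {@link #stop()} has already run.
     */
    private void checkIsStarted() {
        Preconditions.checkNotNull(this.secretKey, "%s not started", getClass().getName());
    }

    /** Drops the key; encode, decode and refresh fail until {@link #start()} runs again. */
    @Override
    public void stop() {
        this.secretKey = null;
    }
}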
