package software.sandc.springframework.security.jwt.impl.authority;

import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtBuilder;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.UnsupportedJwtException;
import io.jsonwebtoken.impl.TextCodec;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.UUID;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.beans.factory.InitializingBean;
import org.springframework.security.authentication.AccountStatusUserDetailsChecker;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsChecker;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.util.Assert;
import software.sandc.springframework.security.jwt.authority.AuthorityKeyProvider;
import software.sandc.springframework.security.jwt.authority.JWTAuthority;
import software.sandc.springframework.security.jwt.authority.SessionProvider;
import software.sandc.springframework.security.jwt.impl.DefaultJWTRequestResponseHandler;
import software.sandc.springframework.security.jwt.impl.DefaultSigningKeyResolver;
import software.sandc.springframework.security.jwt.impl.consumer.DefaultJWTConsumer;
import software.sandc.springframework.security.jwt.model.Credentials;
import software.sandc.springframework.security.jwt.model.JWTContext;
import software.sandc.springframework.security.jwt.model.TokenContainer;
import software.sandc.springframework.security.jwt.model.exception.ExpiredTokenException;
import software.sandc.springframework.security.jwt.model.exception.InvalidSessionException;
import software.sandc.springframework.security.jwt.model.exception.TokenRenewalException;
import software.sandc.springframework.security.jwt.model.exception.UserNotFoundException;
import software.sandc.springframework.security.jwt.model.parameter.DisableXSRFParameter;
import software.sandc.springframework.security.jwt.model.parameter.IgnoreExpiryParameter;
import software.sandc.springframework.security.jwt.model.parameter.Parameters;
import software.sandc.springframework.security.jwt.model.parameter.SessionIdParameter;
import software.sandc.springframework.security.jwt.util.BooleanUtils;
import software.sandc.springframework.security.jwt.util.RSAUtils;
import software.sandc.springframework.security.jwt.util.StringUtils;

/* loaded from: input_file:software/sandc/springframework/security/jwt/impl/authority/DefaultJWTAuthority.class */
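/**
 * Token-issuing side of the JWT integration: validates incoming tokens, authenticates
 * login credentials, and creates or renews signed JWTs bound to a session.
 *
 * <p>Collaborators that are not injected are filled in by {@link #afterPropertiesSet()}.
 * Two of those defaults are {@code FakeKeyProvider} and {@code FakeSessionProvider}, which are
 * defined outside this file. NOTE(review): by name they look like placeholders; confirm that
 * every production configuration injects a real {@link AuthorityKeyProvider} and
 * {@link SessionProvider}.
 */
public class DefaultJWTAuthority extends DefaultJWTConsumer implements JWTAuthority, InitializingBean {
    // Source of user records (stored password hash, authorities, account status flags).
    protected UserDetailsService userDetailsService;
    // Creates, validates, renews and refreshes the sessions referenced by issued tokens.
    protected SessionProvider sessionProvider;
    // Applied to every loaded user in getUserDetails() before a token is issued.
    protected UserDetailsChecker userDetailsChecker;
    // Compares the presented password with the stored one during login.
    protected PasswordEncoder passwordEncoder;
    // Supplies the current signing key id, the key material and the signature algorithm.
    protected AuthorityKeyProvider authorityKeyProvider;
    // Lifetime of an issued token; drives the "exp" claim in create().
    protected int tokenLifetimeInSeconds = 600;
    // Stored via its setter only; it is not read anywhere in this class.
    protected int sessionInvalidationDelayInMinutes = 5;
    // When true, the session is refreshed after each successful JWT request authentication.
    protected boolean refreshSessionOnAuthentication = false;
    // When true, the session is refreshed after each successful token renewal.
    protected boolean refreshSessionOnRenewal = true;

    /**
     * Creates an authority backed by the given user store.
     *
     * @param userDetailsService user lookup service; {@link #afterPropertiesSet()} rejects null
     */
    public DefaultJWTAuthority(UserDetailsService userDetailsService) {
        this.userDetailsService = userDetailsService;
    }

    /**
     * Authenticates a request that carries a JWT, renewing the token when it has expired and
     * renewal is enabled.
     *
     * <p>Only {@link ExpiredTokenException} is handled here; any other exception thrown by
     * {@code validate} propagates to the caller.
     *
     * @param httpServletRequest request to read the token and parameters from
     * @param httpServletResponse response that receives the (possibly renewed) token
     * @return the resulting context, or {@code null} when the request carries no token or an
     *         expired token could not be renewed because renewal is disabled
     */
    @Override
    public JWTContext authenticateJWTRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        TokenContainer tokenFromRequest = this.jwtRequestResponseHandler.getTokenFromRequest(httpServletRequest);
        if (tokenFromRequest == null) {
            return null;
        }
        JWTContext jwtContext = null;
        try {
            jwtContext = validate(tokenFromRequest, this.jwtRequestResponseHandler.getParametersFromRequest(httpServletRequest));
        } catch (ExpiredTokenException e) {
            // An expired token is not an error by itself: it is exchanged for a fresh one as
            // long as its session is still valid (checked inside renew()).
            if (isTokenRenewalEnabled()) {
                jwtContext = renew(tokenFromRequest, this.jwtRequestResponseHandler.getParametersFromRequest(httpServletRequest));
            }
        }
        if (this.refreshSessionOnAuthentication) {
            refreshSession(jwtContext);
        }
        handleJWTContext(httpServletRequest, httpServletResponse, jwtContext);
        return jwtContext;
    }

    /**
     * Authenticates a principal/password pair and, on success, issues a token and attaches it
     * to the response.
     *
     * <p>An unknown principal surfaces as whatever {@code loadUserByUsername} throws (per the
     * Spring contract, {@link UsernameNotFoundException}), while a wrong password yields
     * {@code null}. Callers should map both outcomes to the same client-visible response so the
     * endpoint does not reveal which principals exist.
     *
     * <p>The token parameters are taken from the request. NOTE(review): which parameter types
     * the request handler can populate is not visible here; confirm it only yields values a
     * client is allowed to choose.
     *
     * @param credentials principal and password presented by the client
     * @param httpServletRequest request to read token parameters from
     * @param httpServletResponse response that receives the issued token
     * @return the authenticated context, or {@code null} when credentials are missing or the
     *         password does not match
     */
    @Override
    public JWTContext authenticateLoginRequest(Credentials credentials, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        if (credentials == null) {
            // Treat absent credentials like incomplete ones instead of failing with an NPE.
            return null;
        }
        String password = credentials.getPassword();
        String principal = credentials.getPrincipal();
        if (principal == null || password == null) {
            return null;
        }
        String storedPassword = this.userDetailsService.loadUserByUsername(principal).getPassword();
        if (!this.passwordEncoder.matches(password, storedPassword)) {
            return null;
        }
        // create() reloads the user and runs userDetailsChecker, so the account status is
        // checked before any token is issued.
        JWTContext jwtContext = create(principal, this.jwtRequestResponseHandler.getParametersFromRequest(httpServletRequest));
        handleJWTContext(httpServletRequest, httpServletResponse, jwtContext);
        return jwtContext;
    }

    /**
     * Issues a token for an already-authenticated principal and attaches it to the response.
     *
     * <p>No credentials are checked here; the caller is responsible for having authenticated
     * the principal. Request-derived parameters are merged with the caller's parameters;
     * which side wins on conflict depends on {@code Parameters.merge}, which is not visible in
     * this file.
     *
     * @param str principal to issue the token for; {@code null} yields {@code null}
     * @param httpServletRequest request to read token parameters from
     * @param httpServletResponse response that receives the issued token
     * @param parameters caller-supplied token parameters, may be {@code null}
     * @return the created context, or {@code null} when the principal is {@code null}
     */
    @Override
    public JWTContext createAndAttach(String str, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Parameters parameters) {
        if (str == null) {
            return null;
        }
        Parameters effectiveParameters = parameters;
        Parameters parametersFromRequest = this.jwtRequestResponseHandler.getParametersFromRequest(httpServletRequest);
        if (parametersFromRequest != null) {
            parametersFromRequest.merge(parameters);
            effectiveParameters = parametersFromRequest;
        }
        JWTContext jwtContext = create(str, effectiveParameters);
        handleJWTContext(httpServletRequest, httpServletResponse, jwtContext);
        return jwtContext;
    }

    /**
     * Builds and signs a JWT for the given principal.
     *
     * <p>The token carries the key id ("kid") header, the subject, issued-at, not-before and
     * expiration claims, the comma-joined authorities, an XSRF token unless disabled through
     * the parameters, and a session id when a session provider is configured.
     *
     * @param str principal to issue the token for
     * @param parameters token parameters; {@code null} is treated as empty
     * @return context holding the authentication data and the compact signed token
     * @throws UserNotFoundException when the principal cannot be loaded
     * @throws UnsupportedJwtException when the configured algorithm is neither HMAC nor RSA
     */
    @Override
    public JWTContext create(String str, Parameters parameters) throws UserNotFoundException {
        if (parameters == null) {
            parameters = new Parameters();
        }
        String currentSigningKeyId = this.authorityKeyProvider.getCurrentSigningKeyId();
        String privateKey = this.authorityKeyProvider.getPrivateKey(currentSigningKeyId);
        SignatureAlgorithm signatureAlgorithm = this.authorityKeyProvider.getSignatureAlgorithm(currentSigningKeyId);

        Date issuedAt = new Date();
        // Multiply as long: int arithmetic overflows once the lifetime exceeds about
        // 24.8 days (Integer.MAX_VALUE milliseconds), which would produce a wrong expiry.
        Date expiresAt = new Date(issuedAt.getTime() + this.tokenLifetimeInSeconds * 1000L);

        String xsrfToken = null;
        if (!isXSRFProtectionDisabled(parameters)) {
            xsrfToken = generateXSRFToken();
        }

        // Loads the user and runs the account status checks before anything is issued.
        UserDetails userDetails = getUserDetails(str);
        Collection<? extends GrantedAuthority> authorities = userDetails.getAuthorities();
        String joinedAuthorities = convertToString(authorities);

        Claims claims = Jwts.claims();
        if (xsrfToken != null) {
            claims.put(this.xsrfParameterName, xsrfToken);
        }
        claims.put(this.authoritiesParameterName, joinedAuthorities);

        String sessionId = null;
        if (this.sessionProvider != null) {
            // Reuse a session id handed in through the parameters (the renewal path supplies
            // one); otherwise open a new session for this principal.
            sessionId = (String) parameters.getValueOf(SessionIdParameter.class);
            if (sessionId == null || sessionId.isEmpty()) {
                sessionId = this.sessionProvider.createSession(str);
            }
            if (sessionId != null && !sessionId.isEmpty()) {
                claims.put(this.sessionIdParameterName, sessionId);
            }
        }

        JwtBuilder builder = Jwts.builder()
                .setHeaderParam("kid", currentSigningKeyId)
                .setClaims(claims)
                .setSubject(userDetails.getUsername())
                .setIssuedAt(issuedAt)
                .setNotBefore(issuedAt)
                .setExpiration(expiresAt);

        JwtBuilder signedBuilder;
        if (signatureAlgorithm.isHmac()) {
            // For HMAC the provider's "private key" is the Base64-encoded shared secret.
            signedBuilder = builder.signWith(signatureAlgorithm, TextCodec.BASE64.decode(privateKey));
        } else if (signatureAlgorithm.isRsa()) {
            signedBuilder = builder.signWith(signatureAlgorithm, RSAUtils.toPrivateKey(privateKey));
        } else {
            throw new UnsupportedJwtException("Not supported signature algorithm " + signatureAlgorithm.getValue());
        }
        return createJWTContext(str, sessionId, xsrfToken, authorities, getJWTModeFromParameters(parameters), signedBuilder.compact());
    }

    /**
     * Renews the token carried by the request and attaches the new token to the response.
     *
     * @param httpServletRequest request to read the token and parameters from
     * @param httpServletResponse response that receives the renewed token
     * @return the renewed context, or {@code null} when the request carries no token
     */
    @Override
    public JWTContext renew(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        TokenContainer tokenFromRequest = this.jwtRequestResponseHandler.getTokenFromRequest(httpServletRequest);
        if (tokenFromRequest == null) {
            return null;
        }
        JWTContext jwtContext = renew(tokenFromRequest, this.jwtRequestResponseHandler.getParametersFromRequest(httpServletRequest));
        handleJWTContext(httpServletRequest, httpServletResponse, jwtContext);
        return jwtContext;
    }

    /**
     * Exchanges a (possibly expired) token for a new one, provided its session is still valid.
     *
     * <p>The old token is validated with expiry ignored, its session is checked and renewed,
     * and a new token bound to the renewed session id is created.
     *
     * @param tokenContainer token to renew
     * @param parameters token parameters; not modified by this method
     * @return context for the newly issued token
     * @throws TokenRenewalException when no session provider is configured
     * @throws InvalidSessionException when the token's session is missing or no longer valid
     */
    @Override
    public JWTContext renew(TokenContainer tokenContainer, Parameters parameters) {
        if (this.sessionProvider == null) {
            throw new TokenRenewalException("No session provider found for token renewal.");
        }
        // Validate on a copy so the ignore-expiry flag never leaks into the caller's
        // parameters or into the parameters used to create the new token.
        Parameters validationParameters = new Parameters(parameters);
        validationParameters.put(new IgnoreExpiryParameter(true));
        validate(tokenContainer, validationParameters);

        // Parse again to read the claims. The signature is still verified through the signing
        // key resolver; only the time-based checks are relaxed by the very large clock skew.
        Claims claims = (Claims) Jwts.parser()
                .setSigningKeyResolver(this.signingKeyResolver)
                .setAllowedClockSkewSeconds(TEN_YEARS_IN_SECONDS.intValue())
                .parseClaimsJws(tokenContainer.getJwtToken())
                .getBody();
        String sessionId = extractSessionId(claims);
        String principal = extractPrincipal(claims);
        if (!this.sessionProvider.isSessionValid(sessionId)) {
            throw new InvalidSessionException("Token session does not exist or not valid anymore.");
        }

        // Hand the renewed session id to create(). Previously it was stored only in the
        // validation copy, which create() never saw, so the renewed id was discarded and
        // create() opened a brand-new session on every renewal.
        String renewedSessionId = this.sessionProvider.renewSession(sessionId);
        Parameters creationParameters = new Parameters(parameters);
        creationParameters.put(new SessionIdParameter(renewedSessionId));

        JWTContext renewedContext = create(principal, creationParameters);
        if (this.refreshSessionOnRenewal) {
            refreshSession(renewedContext);
        }
        return renewedContext;
    }

    /**
     * Verifies the mandatory collaborator and installs defaults for the optional ones.
     *
     * <p>A missing key provider or session provider is silently replaced by
     * {@code FakeKeyProvider} / {@code FakeSessionProvider}. NOTE(review): their behaviour is
     * not visible here; if they are test stand-ins, a deployment that forgets to inject the
     * real providers would start without any error, so consider failing fast or logging.
     * Because a session provider is always present afterwards,
     * {@link #isTokenRenewalEnabled()} returns {@code true} once this method has run.
     *
     * @throws Exception declared for the overridden contract
     */
    @Override
    public void afterPropertiesSet() throws Exception {
        Assert.notNull(this.userDetailsService, "userDetailsService must be specified");
        if (this.jwtRequestResponseHandler == null) {
            this.jwtRequestResponseHandler = new DefaultJWTRequestResponseHandler();
        }
        if (this.authorityKeyProvider == null) {
            this.authorityKeyProvider = new FakeKeyProvider();
        }
        // Must follow the key provider default: the resolver is built on top of it.
        if (this.signingKeyResolver == null) {
            this.signingKeyResolver = new DefaultSigningKeyResolver(this.authorityKeyProvider);
        }
        if (this.sessionProvider == null) {
            this.sessionProvider = new FakeSessionProvider();
        }
        if (this.userDetailsChecker == null) {
            this.userDetailsChecker = new AccountStatusUserDetailsChecker();
        }
        if (this.passwordEncoder == null) {
            this.passwordEncoder = new BCryptPasswordEncoder();
        }
    }

    /**
     * Reports whether expired tokens may be renewed.
     *
     * @return {@code true} when a session provider is configured
     */
    public boolean isTokenRenewalEnabled() {
        return this.sessionProvider != null;
    }

    /** @return the user lookup service */
    public UserDetailsService getUserDetailsService() {
        return this.userDetailsService;
    }

    /** @param userDetailsService the user lookup service */
    public void setUserDetailsService(UserDetailsService userDetailsService) {
        this.userDetailsService = userDetailsService;
    }

    /** @param sessionProvider the session provider that backs token renewal */
    public void setSessionProvider(SessionProvider sessionProvider) {
        this.sessionProvider = sessionProvider;
    }

    /** @param authorityKeyProvider the provider of signing keys and algorithms */
    public void setAuthorityKeyProvider(AuthorityKeyProvider authorityKeyProvider) {
        this.authorityKeyProvider = authorityKeyProvider;
    }

    /**
     * Sets the checker applied to every user before a token is issued.
     *
     * @param userDetailsChecker the checker; must not be {@code null}
     */
    public void setUserDetailsChecker(UserDetailsChecker userDetailsChecker) {
        // The message previously misspelled the property name.
        Assert.notNull(userDetailsChecker, "userDetailsChecker cannot be null");
        this.userDetailsChecker = userDetailsChecker;
    }

    /**
     * Sets the token lifetime. The value is not validated here; a zero or negative lifetime
     * would make create() issue tokens that are already expired.
     *
     * @param i lifetime in seconds
     */
    public void setTokenLifetimeInSeconds(int i) {
        this.tokenLifetimeInSeconds = i;
    }

    /** @param i session invalidation delay in minutes (stored only; not read in this class) */
    public void setSessionInvalidationDelayInMinutes(int i) {
        this.sessionInvalidationDelayInMinutes = i;
    }

    /**
     * Sets the encoder used to compare passwords during login. No null check is applied;
     * a {@code null} value is replaced by BCrypt only if {@link #afterPropertiesSet()} runs
     * afterwards.
     *
     * @param passwordEncoder the password encoder
     */
    public void setPasswordEncoder(PasswordEncoder passwordEncoder) {
        this.passwordEncoder = passwordEncoder;
    }

    /** @param z whether to refresh the session after each authenticated JWT request */
    public void setRefreshSessionOnAuthentication(boolean z) {
        this.refreshSessionOnAuthentication = z;
    }

    /** @param z whether to refresh the session after each token renewal */
    public void setRefreshSessionOnRenewal(boolean z) {
        this.refreshSessionOnRenewal = z;
    }

    /**
     * Generates the anti-XSRF token embedded in the JWT.
     *
     * @return a random (type 4) UUID string; the JDK generates these with a cryptographically
     *         strong pseudo-random number generator
     */
    protected String generateXSRFToken() {
        return UUID.randomUUID().toString();
    }

    /**
     * Serialises authorities into the single string stored in the token.
     *
     * <p>Authority names are joined with commas without escaping. NOTE(review): the parsing
     * side is not visible here; if it splits on commas, an authority name that contains a
     * comma would be read back as several authorities, so such names should be rejected or
     * encoded.
     *
     * @param collection authorities to serialise, may be {@code null}
     * @return the comma-joined authority names
     */
    protected String convertToString(Collection<? extends GrantedAuthority> collection) {
        return StringUtils.join(getAuthorityListAsString(collection), ",");
    }

    /**
     * Loads a user and applies the configured account status checks.
     *
     * @param str principal to load
     * @return the loaded user
     * @throws UserNotFoundException when the user service reports the principal as unknown;
     *         exceptions raised by the checker propagate unchanged
     */
    protected UserDetails getUserDetails(String str) {
        try {
            UserDetails loadedUser = this.userDetailsService.loadUserByUsername(str);
            this.userDetailsChecker.check(loadedUser);
            return loadedUser;
        } catch (UsernameNotFoundException e) {
            throw new UserNotFoundException("User with principal: " + str + " cannot be found.", e);
        }
    }

    /**
     * Extracts the authority names from a collection of granted authorities.
     *
     * @param collection authorities to convert, may be {@code null}
     * @return a new mutable list of authority names, empty for {@code null} input
     */
    protected List<String> getAuthorityListAsString(Collection<? extends GrantedAuthority> collection) {
        List<String> authorityNames = new ArrayList<String>();
        if (collection != null) {
            for (GrantedAuthority authority : collection) {
                authorityNames.add(authority.getAuthority());
            }
        }
        return authorityNames;
    }

    /**
     * Refreshes the session behind an authenticated context; does nothing for a
     * {@code null} or unauthenticated context or when no session provider is configured.
     *
     * @param jWTContext context whose session should be refreshed
     */
    protected void refreshSession(JWTContext jWTContext) {
        boolean authenticated = jWTContext != null && jWTContext.isAuthenticated();
        if (authenticated && this.sessionProvider != null) {
            this.sessionProvider.refreshSession(jWTContext.getAuthentication().getSessionId());
        }
    }

    /**
     * Publishes an authenticated context: stores the authentication in the security context
     * and writes the token to the response. Unauthenticated or {@code null} contexts are
     * ignored, so the security context is left untouched for them.
     *
     * @param httpServletRequest current request
     * @param httpServletResponse response that receives the token
     * @param jWTContext context to publish
     */
    @Override
    protected void handleJWTContext(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, JWTContext jWTContext) {
        if (jWTContext != null && jWTContext.isAuthenticated()) {
            SecurityContextHolder.getContext().setAuthentication(jWTContext.getAuthentication());
            this.jwtRequestResponseHandler.putTokenToResponse(httpServletRequest, httpServletResponse, jWTContext.getTokenContainer());
        }
    }

    /**
     * Reports whether the parameters ask for a token without an XSRF claim.
     *
     * @param parameters token parameters, may be {@code null}
     * @return {@code true} only when a {@link DisableXSRFParameter} evaluates to true;
     *         {@code false} for {@code null} parameters
     */
    protected boolean isXSRFProtectionDisabled(Parameters parameters) {
        if (parameters == null) {
            return false;
        }
        return BooleanUtils.isTrue((Boolean) parameters.getValueOf(DisableXSRFParameter.class)).booleanValue();
    }
}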
