package com.predic8.membrane.core.interceptor.jwt;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.node.ObjectNode;
import com.predic8.membrane.annot.MCAttribute;
import com.predic8.membrane.annot.MCChildElement;
import com.predic8.membrane.annot.MCElement;
import com.predic8.membrane.core.exceptions.ProblemDetails;
import com.predic8.membrane.core.exchange.Exchange;
import com.predic8.membrane.core.http.Message;
import com.predic8.membrane.core.interceptor.AbstractInterceptor;
import com.predic8.membrane.core.interceptor.Interceptor;
import com.predic8.membrane.core.interceptor.Outcome;
import com.predic8.membrane.core.interceptor.session.JwtSessionManager;
import com.predic8.membrane.core.util.ConfigurationException;
import java.io.IOException;
import java.util.Map;
import java.util.Objects;
import org.jose4j.json.JsonUtil;
import org.jose4j.jwk.RsaJsonWebKey;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.lang.JoseException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

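/**
 * Interceptor that replaces a JSON message body with a signed JWT (compact JWS, RS256).
 *
 * <p>The JSON object found in the message body becomes the JWT payload. The {@code iat},
 * {@code exp} and {@code nbf} claims are always overwritten by this interceptor; every other
 * claim is signed exactly as it arrives in the body.
 *
 * <p>Security notes for operators:
 * <ul>
 *   <li>Because all claims other than {@code iat}/{@code exp}/{@code nbf} are taken from the
 *       body unchanged, whoever controls the body controls the signed claims. Place this
 *       interceptor only where the body has been produced or validated by a trusted component.</li>
 *   <li>The configured JWK must contain the RSA private key. A well-known demonstration key is
 *       detected at startup and reported with a warning; tokens signed with it can be forged by
 *       anyone.</li>
 * </ul>
 */
@MCElement(name = "jwtSign")
public class JwtSignInterceptor extends AbstractInterceptor {
    private static final Logger log = LoggerFactory.getLogger(JwtSignInterceptor.class);

    /**
     * The {@code p} parameter of the demonstration JWK. It is used only to recognise that
     * publicly known key at startup, never for signing.
     */
    private static final String DEFAULT_PKEY = "wP1ITsKxAWOO03eywdOj73T5Po1OFXZlFgzf1CJaf8D3piuxS0C5JSHTKTO354_r9cg2WyQ3nEqJ6YScV3-NfW8xXbiyMr5Xokzn7YpuB9dtby0veEn4w7JHChH5lV2fwrjH2iL6IIOLrND9D_Dxoc3mmLMaie0mTW9-UHGOunk";

    private JwtSessionManager.Jwk jwk;
    private RsaJsonWebKey rsaJsonWebKey;
    // Token lifetime: exp = iat + expirySeconds.
    private int expirySeconds = 300;
    // Tolerance for verifier clocks running behind: nbf = iat - clockSkewSeconds.
    private int clockSkewSeconds = 120;
    private final ObjectMapper om = new ObjectMapper();

    /**
     * Loads and parses the configured JWK and prepares the RSA signing key.
     *
     * @throws ConfigurationException if no JWK is configured, the JWK cannot be read or parsed,
     *     or it does not contain an RSA private key
     */
    @Override
    public void init() {
        super.init();
        if (this.jwk == null) {
            // Fail with a configuration error instead of a NullPointerException below.
            throw new ConfigurationException("jwtSign requires a <jwk> child element");
        }
        try {
            Map<String, Object> jwkParams =
                    JsonUtil.parseJson(this.jwk.get(this.router.getResolverMap(), this.router.getBaseLocation()));
            if (Objects.equals(jwkParams.get("p"), DEFAULT_PKEY)) {
                // NOTE(review): this only warns. Consider refusing to start when
                // router.isProduction() is true, since the demo key is public knowledge.
                log.warn("\n------------------------------------ DEFAULT JWK IN USE! ------------------------------------\n        This key is for demonstration purposes only and UNSAFE for production use.           \n---------------------------------------------------------------------------------------------");
            }
            this.rsaJsonWebKey = new RsaJsonWebKey(jwkParams);
        } catch (IOException e) {
            throw new ConfigurationException("Cannot parse JWK", e);
        } catch (JoseException e) {
            throw new ConfigurationException("Cannot create RSA JSON Web Key", e);
        }
        if (this.rsaJsonWebKey.getRsaPrivateKey() == null) {
            // A public-only JWK would otherwise make every signing attempt fail at request time.
            throw new ConfigurationException("JWK does not contain an RSA private key; it cannot be used for signing");
        }
    }

    /** Signs the request body. See {@link #handleInternal(Exchange, Interceptor.Flow)}. */
    @Override
    public Outcome handleRequest(Exchange exchange) {
        return handleInternal(exchange, Interceptor.Flow.REQUEST);
    }

    /** Signs the response body. See {@link #handleInternal(Exchange, Interceptor.Flow)}. */
    @Override
    public Outcome handleResponse(Exchange exchange) {
        return handleInternal(exchange, Interceptor.Flow.RESPONSE);
    }

    /**
     * Replaces the body of the message for the given flow with a compact-serialized RS256 JWT
     * whose payload is the original JSON body plus the time claims.
     *
     * @param exchange the exchange whose message is signed
     * @param flow selects the request or the response message
     * @return {@link Outcome#CONTINUE} on success; {@link Outcome#ABORT} after setting a
     *     problem-details response if the body cannot be parsed or signing fails
     */
    private Outcome handleInternal(Exchange exchange, Interceptor.Flow flow) {
        try {
            Message message = exchange.getMessage(flow);
            JsonWebSignature jws = new JsonWebSignature();
            jws.setHeader("typ", "JWT");
            jws.setPayload(prepareJwtPayload(message));
            jws.setKey(this.rsaJsonWebKey.getRsaPrivateKey());
            jws.setAlgorithmHeaderValue("RS256");
            jws.setKeyIdHeaderValue(this.rsaJsonWebKey.getKeyId());
            // Explicit charset: do not depend on the platform default encoding.
            message.setBodyContent(
                    jws.getCompactSerialization().getBytes(java.nio.charset.StandardCharsets.UTF_8));
            return Outcome.CONTINUE;
        } catch (Exception e) {
            // Broad catch is deliberate at this boundary: any failure must abort the exchange
            // rather than let an unsigned body continue down the chain.
            log.error("Error during attempt to sign JWT payload", e);
            // NOTE(review): the exception is handed to ProblemDetails; presumably it is withheld
            // from the client when router.isProduction() is true - confirm.
            ProblemDetails.security(this.router.isProduction(), getDisplayName())
                    .addSubSee("crypto")
                    .detail("Error during attempt to sign JWT payload.")
                    .exception(e)
                    .buildAndSetResponse(exchange);
            return Outcome.ABORT;
        }
    }

    /**
     * Builds the JWT payload from the message body.
     *
     * <p>Any {@code iat}, {@code exp} or {@code nbf} value present in the body is overwritten,
     * so the body cannot choose the token's validity window. All other claims pass through
     * unchanged.
     *
     * @param message the message whose body holds the claims as a JSON object
     * @return the payload JSON as a string
     * @throws IOException if the body cannot be read, is not valid JSON, or is not a JSON object
     */
    private String prepareJwtPayload(Message message) throws IOException {
        Object parsed = this.om.readTree(message.getBodyAsStream());
        if (!(parsed instanceof ObjectNode)) {
            // Claims can only be added to a JSON object; reject arrays, scalars and empty bodies.
            throw new IOException("JWT payload must be a JSON object");
        }
        ObjectNode claims = (ObjectNode) parsed;
        long nowSeconds = System.currentTimeMillis() / 1000;
        claims.put("iat", nowSeconds);
        claims.put("exp", nowSeconds + this.expirySeconds);
        claims.put("nbf", nowSeconds - this.clockSkewSeconds);
        return claims.toString();
    }

    /** Returns the configured JWK source. */
    public JwtSessionManager.Jwk getJwk() {
        return this.jwk;
    }

    /**
     * Sets the JWK used for signing. It must contain the RSA private key.
     */
    @MCChildElement
    public void setJwk(JwtSessionManager.Jwk jwk) {
        this.jwk = jwk;
    }

    /** Returns the token lifetime in seconds. */
    public int getExpirySeconds() {
        return this.expirySeconds;
    }

    /**
     * Sets the token lifetime in seconds ({@code exp = iat + expirySeconds}). The value is not
     * range-checked here; keep it short, since a signed token stays valid until it expires.
     */
    @MCAttribute
    public void setExpirySeconds(int i) {
        this.expirySeconds = i;
    }

    /** Returns the clock-skew allowance in seconds. */
    public int getClockSkewSeconds() {
        return this.clockSkewSeconds;
    }

    /**
     * Sets how many seconds before issuance the token is already valid
     * ({@code nbf = iat - clockSkewSeconds}). The value is not range-checked here.
     */
    @MCAttribute
    public void setClockSkewSeconds(int i) {
        this.clockSkewSeconds = i;
    }
}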
