package biz.devstack.springframework.boot.config.security;

import biz.devstack.springframework.boot.exception.RestException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import jakarta.annotation.PostConstruct;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.Date;
import java.util.List;
import java.util.UUID;
import java.util.stream.Collectors;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.lang3.StringUtils;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;

/* loaded from: input_file:biz/devstack/springframework/boot/config/security/TokenService.class */
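/**
 * Issues and verifies RS256-signed JWTs and exposes the principal of the current request.
 *
 * <p>The RSA key pair is injected as two Base64 strings (X.509-encoded public key,
 * PKCS#8-encoded private key) and decoded once in {@link #init()}; the key fields are
 * not written anywhere else. Subclasses map the {@value #CLAIM_ROLE} claim to granted
 * authorities by overriding {@link #getAuthorities(String)}.
 */
public abstract class TokenService {
    /** Name of the custom claim that carries the caller-supplied role. */
    private static final String CLAIM_ROLE = "role";
    /** Modulus size, in bits, used by {@link #generateRSAKeyPair()}. */
    private static final int RSA_KEY_SIZE = 2048;
    /** The only algorithm tokens are signed with; verification is pinned to it as well. */
    private static final JWSAlgorithm SIGNING_ALGORITHM = JWSAlgorithm.RS256;

    private RSAPublicKey rsaPublicKey;
    private RSAPrivateKey rsaPrivateKey;

    @Value("${app.jwt.publicKey}")
    private String publicKey;

    @Value("${app.jwt.privateKey}")
    private String privateKey;

    @Value("${app.jwt.issuer:https://devstack.biz}")
    private String issuer;

    /** Token lifetime in seconds, counted from the moment {@link #createToken} is called. */
    @Value("${app.jwt.expirationTime:86400}")
    private Long expirationTime;

    /**
     * Decodes the configured key material into usable RSA keys.
     *
     * @throws RuntimeException if either configured key cannot be decoded
     */
    @PostConstruct
    public void init() {
        this.rsaPublicKey = parseRSAPublicKey(this.publicKey);
        this.rsaPrivateKey = parseRSAPrivateKey(this.privateKey);
    }

    /**
     * Creates a signed, serialized JWT for the given subject and role.
     *
     * @param str  value of the {@code sub} claim
     * @param str2 value of the {@value #CLAIM_ROLE} claim
     * @return the compact JWS serialization of the token
     * @throws RestException with status 500 if the token cannot be built or signed
     */
    public String createToken(String str, String str2) {
        try {
            long nowMillis = System.currentTimeMillis();
            Date expiresAt = new Date(nowMillis + this.expirationTime * 1000L);
            JWTClaimsSet claims = new JWTClaimsSet.Builder()
                    .subject(str)
                    .issuer(this.issuer)
                    .expirationTime(expiresAt)
                    .claim(CLAIM_ROLE, str2)
                    .build();
            JWSHeader header = new JWSHeader.Builder(SIGNING_ALGORITHM)
                    .keyID(UUID.randomUUID().toString())
                    .build();
            SignedJWT jwt = new SignedJWT(header, claims);
            jwt.sign(new RSASSASigner(this.rsaPrivateKey));
            return jwt.serialize();
        } catch (Exception e) {
            // Keep the exception text out of the response body: it describes server-side
            // key/signing state, which an API client has no need to see.
            throw RestException.internalServerError("Failed to create token!");
        }
    }

    /**
     * Verifies a serialized JWT and turns it into an authenticated Spring token.
     *
     * <p>Checks, in order: header algorithm is {@code RS256}, signature is valid under the
     * configured public key, {@code sub} is present, {@code iss} matches the configured
     * issuer, the role claim is a string, and {@code exp} is present and in the future.
     *
     * @param str compact JWS serialization as received from the client
     * @return an authenticated token whose principal is the subject and whose authorities
     *         come from {@link #getAuthorities(String)}
     * @throws RestException 403 for a bad algorithm or signature, 400 for any failed claim
     *         check or for input that cannot be parsed at all
     */
    public UsernamePasswordAuthenticationToken verifyToken(String str) {
        try {
            SignedJWT jwt = SignedJWT.parse(str);
            // Pin the header algorithm to what createToken emits, so a token declaring any
            // other algorithm is refused before the verifier is consulted.
            if (!SIGNING_ALGORITHM.equals(jwt.getHeader().getAlgorithm())) {
                throw RestException.forbidden();
            }
            if (!jwt.verify(new RSASSAVerifier(this.rsaPublicKey))) {
                throw RestException.forbidden();
            }
            JWTClaimsSet claims = jwt.getJWTClaimsSet();
            if (StringUtils.isEmpty(claims.getSubject())) {
                throw RestException.badRequest("Subject is invalid!");
            }
            String tokenIssuer = claims.getIssuer();
            if (StringUtils.isEmpty(tokenIssuer) || !tokenIssuer.equals(this.issuer)) {
                throw RestException.badRequest("Issuer is invalid!");
            }
            Object roleClaim = claims.getClaim(CLAIM_ROLE);
            if (!(roleClaim instanceof String)) {
                throw RestException.badRequest("Role is invalid!");
            }
            // A token without exp must be rejected explicitly; otherwise it would only fail by
            // way of an NPE below and be reported as an unparseable token.
            Date expiresAt = claims.getExpirationTime();
            if (expiresAt == null) {
                throw RestException.badRequest("Expiration time is missing!");
            }
            if (expiresAt.before(new Date())) {
                throw RestException.badRequest("Token is expired!");
            }
            List<SimpleGrantedAuthority> authorities = getAuthorities((String) roleClaim).stream()
                    .map(SimpleGrantedAuthority::new)
                    .collect(Collectors.toList());
            return new UsernamePasswordAuthenticationToken(claims.getSubject(), "N/A", authorities);
        } catch (RestException e) {
            // Let the specific status/message chosen above reach the caller; the generic
            // handler below would otherwise replace it.
            throw e;
        } catch (Exception e) {
            // Unparseable input or a verifier failure: report a generic client error.
            throw RestException.badRequest("Failed to verify token!");
        }
    }

    /**
     * Returns the principal of the authentication stored in the security context.
     *
     * @param z whether a missing principal is an error
     * @return the principal's string form, or {@code null} if there is none and {@code z} is
     *         {@code false}
     * @throws RestException 401 if there is no principal and {@code z} is {@code true}
     */
    public String getAuthenticationPrincipal(boolean z) {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (authentication instanceof UsernamePasswordAuthenticationToken
                && authentication.getPrincipal() != null) {
            return authentication.getPrincipal().toString();
        }
        if (z) {
            throw RestException.unauthorized();
        }
        return null;
    }

    /**
     * Maps the role claim to authority names. The default uses the role verbatim; subclasses
     * may expand it.
     *
     * @param str the role claim value
     * @return authority names, never {@code null}
     */
    protected List<String> getAuthorities(String str) {
        return List.of(str);
    }

    /**
     * Generates a fresh RSA key pair in the encoding {@link #init()} expects.
     *
     * @return a two-element array: Base64 of the X.509-encoded public key, then Base64 of the
     *         PKCS#8-encoded private key
     * @throws RuntimeException if the RSA algorithm is unavailable (cause preserved)
     */
    public static String[] generateRSAKeyPair() {
        try {
            KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
            generator.initialize(RSA_KEY_SIZE);
            KeyPair pair = generator.generateKeyPair();
            return new String[]{
                Base64.encodeBase64String(pair.getPublic().getEncoded()),
                Base64.encodeBase64String(pair.getPrivate().getEncoded())
            };
        } catch (NoSuchAlgorithmException e) {
            throw new RuntimeException(e.getMessage(), e);
        }
    }

    /**
     * Decodes a Base64, X.509-encoded RSA public key.
     *
     * @param str Base64 text of the encoded key
     * @return the public key
     * @throws RuntimeException if the text is not a valid encoded RSA public key (cause preserved)
     */
    public static RSAPublicKey parseRSAPublicKey(String str) {
        try {
            X509EncodedKeySpec spec = new X509EncodedKeySpec(Base64.decodeBase64(str));
            return (RSAPublicKey) KeyFactory.getInstance("RSA").generatePublic(spec);
        } catch (Exception e) {
            throw new RuntimeException(e.getMessage(), e);
        }
    }

    /**
     * Decodes a Base64, PKCS#8-encoded RSA private key.
     *
     * @param str Base64 text of the encoded key
     * @return the private key
     * @throws RuntimeException if the text is not a valid encoded RSA private key (cause preserved)
     */
    public static RSAPrivateKey parseRSAPrivateKey(String str) {
        try {
            PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(Base64.decodeBase64(str));
            return (RSAPrivateKey) KeyFactory.getInstance("RSA").generatePrivate(spec);
        } catch (Exception e) {
            throw new RuntimeException(e.getMessage(), e);
        }
    }
}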
