package edu.internet2.middleware.grouper.authentication;

import com.auth0.jwt.JWT;
import com.auth0.jwt.interfaces.Claim;
import com.auth0.jwt.interfaces.DecodedJWT;
import edu.internet2.middleware.grouper.GrouperSession;
import edu.internet2.middleware.grouper.SubjectFinder;
import edu.internet2.middleware.grouper.ddl.GrouperDdl2_6_1;
import edu.internet2.middleware.grouper.exception.GrouperSessionException;
import edu.internet2.middleware.grouper.misc.GrouperSessionHandler;
import edu.internet2.middleware.grouper.pit.PITPermissionAllView;
import edu.internet2.middleware.grouper.ui.customUi.CustomUiUserQueryConfigBean;
import edu.internet2.middleware.grouper.util.GrouperUtil;
import edu.internet2.middleware.subject.Subject;
import java.util.Date;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.lang.exception.ExceptionUtils;
import org.apache.commons.logging.Log;

/* loaded from: input_file:WEB-INF/lib/grouper-4.7.1.jar:edu/internet2/middleware/grouper/authentication/GrouperTrustedJwt.class */
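/**
 * Resolves a {@link Subject} from an HTTP {@code Authorization} header of the form
 * {@code Bearer jwtTrusted_<configId>_<jwt>}.
 *
 * <p>The config id selects a {@link GrouperTrustedJwtConfig}; the JWT is parsed, checked for
 * expiry, verified against the keys of that config and finally mapped to a subject through one
 * of the subject id claims.
 *
 * <p>Instances hold per-request state (the header and the result) and nothing here synchronizes
 * access to it.
 */
public class GrouperTrustedJwt {
    private static final Log LOG = GrouperUtil.getLog(GrouperTrustedJwt.class);

    /**
     * Group 1 is the trusted-JWT config id (it cannot contain an underscore), group 2 is the
     * encoded JWT.
     */
    private static final Pattern bearerTokenPattern = Pattern.compile("^Bearer jwtTrusted_([^_]+)_(.*)$");

    /**
     * Lookup modes in the order they are tried. Each value is also the default claim name, the
     * debug-map key and the first argument handed to the source-restricted SubjectFinder call.
     */
    private static final String[] SUBJECT_LOOKUP_TYPES = {"subjectId", "subjectIdentifier", "subjectIdOrIdentifier"};

    private String bearerTokenHeader = null;
    private GrouperTrustedJwtResult grouperTrustedJwtResult = null;

    /**
     * Sets the raw {@code Authorization} header value to decode.
     *
     * @param str the full header value, including the {@code Bearer } prefix
     * @return this object, for chaining
     */
    public GrouperTrustedJwt assignBearerTokenHeader(String str) {
        this.bearerTokenHeader = str;
        return this;
    }

    /**
     * @return the result code recorded by {@link #decode()}; within this class it is only
     *     assigned for a missing or malformed header, so it can still be {@code null} after
     *     {@code decode()} returned {@code null} for an expired or unverified token
     */
    public GrouperTrustedJwtResult getGrouperTrustedJwtResult() {
        return this.grouperTrustedJwtResult;
    }

    /**
     * @param grouperTrustedJwtResult the result code to store
     */
    public void setGrouperTrustedJwtResult(GrouperTrustedJwtResult grouperTrustedJwtResult) {
        this.grouperTrustedJwtResult = grouperTrustedJwtResult;
    }

    /**
     * Parses the bearer header, validates the JWT and looks up the subject it names.
     *
     * <p>Nothing taken from the token is acted on before the signature check: between
     * {@code JWT.decode} (which only parses) and the key loop, the claims are read solely for the
     * expiry decision and the debug map.
     *
     * <p>NOTE(review): this method checks {@code exp} and, when the config sets
     * {@code expirationSeconds > 0}, {@code iat}. If the token has no {@code exp} and
     * {@code expirationSeconds} is not positive, no lifetime limit is applied here. No
     * not-before, issuer or audience check is visible in this method; confirm whether
     * {@code GrouperTrustedJwtConfigKey.verify} enforces them.
     *
     * @return the subject named by the token, or {@code null} when the token is expired, no
     *     configured key verifies it, or no subject is found
     * @throws RuntimeException when the header is blank or malformed, the config id is unknown,
     *     or any step throws (checked exceptions are wrapped)
     */
    public Subject decode() {
        // Diagnostic trail for this call; written to the log exactly once, in the finally block.
        final LinkedHashMap<String, Object> debugMap = new LinkedHashMap<String, Object>();
        final long startNanos = System.nanoTime();
        try {
            if (StringUtils.isBlank(this.bearerTokenHeader)) {
                this.grouperTrustedJwtResult = GrouperTrustedJwtResult.ERROR_MISSING_TOKEN;
                throw new RuntimeException("bearerTokenHeader is required");
            }
            try {
                // Only a 50-character prefix of the header is kept for logging.
                debugMap.put("bearerTokenHeader", StringUtils.abbreviate(this.bearerTokenHeader, 50));
                Matcher matcher = bearerTokenPattern.matcher(this.bearerTokenHeader);
                if (!matcher.matches()) {
                    this.grouperTrustedJwtResult = GrouperTrustedJwtResult.ERROR_TOKEN_INVALID;
                    throw new RuntimeException("bearerTokenHeader is invalid!");
                }

                // The config id comes straight from the unauthenticated header; it only selects
                // which configured keys the token must verify against.
                String configId = matcher.group(1);
                debugMap.put(CustomUiUserQueryConfigBean.FIELD_CONFIG_ID, configId);
                final GrouperTrustedJwtConfig config = GrouperTrustedJwtConfig.retrieveFromConfigOrCache(configId);
                if (config == null) {
                    throw new RuntimeException("Cant find trusted jwt config: '" + configId + "'");
                }

                // JWT.decode parses the token without verifying it.
                final DecodedJWT decodedJwt = JWT.decode(matcher.group(2));
                debugMap.put("decodeJwt", Boolean.valueOf(decodedJwt != null));

                Date expiresAt = decodedJwt.getExpiresAt();
                if (expiresAt != null) {
                    debugMap.put("expiresAt", expiresAt);
                    if (expiresAt.getTime() < System.currentTimeMillis()) {
                        debugMap.put("expiredByExpiresAt", true);
                        return null;
                    }
                }

                int expirationSeconds = config.getExpirationSeconds();
                if (expirationSeconds > 0) {
                    debugMap.put("expirationSeconds", Integer.valueOf(expirationSeconds));
                    Date issuedAt = decodedJwt.getIssuedAt();
                    debugMap.put("issuedAt", issuedAt);
                    // A token without iat is rejected when a maximum age is configured.
                    // 1000L keeps the multiplication in long arithmetic; an int product
                    // overflows for lifetimes above roughly 24.8 days.
                    if (issuedAt == null || issuedAt.getTime() + (expirationSeconds * 1000L) < System.currentTimeMillis()) {
                        debugMap.put("expiredByExpirationSeconds", true);
                        return null;
                    }
                }

                // The token is accepted as soon as one configured key verifies it.
                boolean verified = false;
                for (GrouperTrustedJwtConfigKey configKey : config.getGrouperTrustedJwtConfigKeys()) {
                    if (configKey.verify(decodedJwt)) {
                        verified = true;
                        break;
                    }
                }
                debugMap.put(GrouperDdl2_6_1.COLUMN_GROUPER_PROV_ZOOM_USER_VERIFIED, Boolean.valueOf(verified));
                if (!verified) {
                    return null;
                }

                // Work on a copy: the config object may be shared through the cache, so clearing
                // its own set would change the allowed sources for later requests. The copy also
                // tolerates a null set from the config.
                Set<String> configuredSourceIds = config.getSubjectSourceIds();
                final Set<String> subjectSourceIds = configuredSourceIds == null
                        ? new LinkedHashSet<String>()
                        : new LinkedHashSet<String>(configuredSourceIds);

                // NOTE(review): a source id claim in a verified token replaces the configured
                // source list instead of being checked against it, so the token issuer decides
                // which subject source is searched. Confirm this is intended.
                Claim sourceIdClaim = decodedJwt.getClaim(PITPermissionAllView.FIELD_SUBJECT_SOURCE_ID);
                if (sourceIdClaim != null && !sourceIdClaim.isNull() && !StringUtils.isBlank(sourceIdClaim.asString())) {
                    subjectSourceIds.clear();
                    subjectSourceIds.add(sourceIdClaim.asString());
                }
                debugMap.put("subjectSourceIds", subjectSourceIds);

                // The subject lookup runs inside a root session.
                Subject subject = (Subject) GrouperSession.internal_callbackRootGrouperSession(new GrouperSessionHandler() {
                    @Override
                    public Object callback(GrouperSession grouperSession) throws GrouperSessionException {
                        return findSubjectFromClaims(config, decodedJwt, subjectSourceIds, debugMap);
                    }
                });
                debugMap.put("subjectFound", Boolean.valueOf(subject != null));
                return subject;
            } catch (Exception e) {
                // Recorded so the finally block logs this call at error level.
                debugMap.put("exception", ExceptionUtils.getFullStackTrace(e));
                if (e instanceof RuntimeException) {
                    throw ((RuntimeException) e);
                }
                throw new RuntimeException(e);
            }
        } finally {
            // Single logging point for every exit path (return or throw).
            debugMap.put("tookMs", Long.valueOf((System.nanoTime() - startNanos) / 1000000));
            if (debugMap.get("exception") != null) {
                LOG.error(GrouperUtil.mapToString(debugMap));
            } else if (LOG.isDebugEnabled()) {
                LOG.debug(GrouperUtil.mapToString(debugMap));
            }
        }
    }

    /**
     * Tries each lookup mode in turn and returns the subject of the last mode that ran a search.
     *
     * <p>With a blank {@code subjectIdType} all three modes are tried, each reading the claim
     * named after the mode. With a configured type only that mode runs, and only when
     * {@code subjectIdClaimName} is set. A later mode that runs a search overwrites the result of
     * an earlier one, also when its own search finds nothing.
     *
     * @param config the trusted JWT config selected by the header
     * @param decodedJwt the token, already verified by the caller
     * @param subjectSourceIds sources to restrict the search to; empty means no restriction
     * @param debugMap receives the claim names and claim values that were used
     * @return the subject found, or {@code null}
     */
    private static Subject findSubjectFromClaims(GrouperTrustedJwtConfig config, DecodedJWT decodedJwt,
            Set<String> subjectSourceIds, LinkedHashMap<String, Object> debugMap) {
        Subject subject = null;
        for (String lookupType : SUBJECT_LOOKUP_TYPES) {
            String claimName = StringUtils.isBlank(config.getSubjectIdType()) ? lookupType : null;
            if (StringUtils.equals(config.getSubjectIdType(), lookupType) && !StringUtils.isBlank(config.getSubjectIdClaimName())) {
                claimName = config.getSubjectIdClaimName();
            }
            if (StringUtils.isBlank(claimName)) {
                continue;
            }
            debugMap.put(lookupType + "ClaimName", claimName);

            Claim claim = decodedJwt.getClaim(claimName);
            if (claim == null || claim.isNull() || StringUtils.isBlank(claim.asString())) {
                continue;
            }
            String claimValue = claim.asString();
            debugMap.put(lookupType, claimValue);

            if (!subjectSourceIds.isEmpty()) {
                subject = SubjectFinder.findByIdOrIdentifierOrBothAndSourceIds(lookupType, claimValue, subjectSourceIds, false);
            } else if ("subjectId".equals(lookupType)) {
                subject = SubjectFinder.findById(claimValue, false);
            } else if ("subjectIdentifier".equals(lookupType)) {
                subject = SubjectFinder.findByIdentifier(claimValue, false);
            } else {
                subject = SubjectFinder.findByIdOrIdentifier(claimValue, false);
            }
        }
        return subject;
    }
}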
