package edu.internet2.middleware.grouper.authentication;

import com.auth0.jwt.JWT;
import com.auth0.jwt.interfaces.DecodedJWT;
import edu.internet2.middleware.grouper.GrouperSession;
import edu.internet2.middleware.grouper.MemberFinder;
import edu.internet2.middleware.grouper.authentication.GrouperPassword;
import edu.internet2.middleware.grouper.cfg.GrouperConfig;
import edu.internet2.middleware.grouper.ddl.GrouperDdl2_6_1;
import edu.internet2.middleware.grouper.exception.GrouperSessionException;
import edu.internet2.middleware.grouper.misc.GrouperDAOFactory;
import edu.internet2.middleware.grouper.misc.GrouperSessionHandler;
import edu.internet2.middleware.grouper.util.GrouperUtil;
import edu.internet2.middleware.grouperClient.collections.MultiKey;
import edu.internet2.middleware.grouperClient.util.ExpirableCache;
import edu.internet2.middleware.subject.Subject;
import java.nio.charset.StandardCharsets;
import java.util.Date;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.lang.exception.ExceptionUtils;
import org.apache.commons.logging.Log;

/* loaded from: input_file:WEB-INF/lib/grouper-5.7.1.jar:edu/internet2/middleware/grouper/authentication/GrouperPublicPrivateKeyJwt.class */
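/**
 * Authenticates web-service callers that present a JWT signed with the private half of a
 * per-member public/private key pair stored as a {@link GrouperPassword} row for the WS application.
 *
 * Header shape: {@code Bearer jwtUser_<base64 member id>_<compact JWT>} (see {@link #bearerTokenPattern}).
 * Every attempt that reaches a credential row is recorded as a {@link GrouperPasswordRecentlyUsed}
 * row with status 'S' (success), 'F' (rejected by a check) or 'E' (exception).
 */
public class GrouperPublicPrivateKeyJwt {

    /** Raw Authorization header value, supplied by the caller via {@link #assignBearerTokenHeader}. */
    private String bearerTokenHeader = null;

    /**
     * Coarse outcome of the last {@link #decode} call.  Only the two early rejections (missing
     * header, header not matching the pattern) assign this; a {@code null} return from decode()
     * for any later check does NOT update it, so callers must not rely on it alone.
     */
    private GrouperTrustedJwtResult grouperTrustedJwtResult = null;

    /**
     * (memberId, application) -> WS credential row.  NOTE(review): while an entry is cached a key
     * that was rotated or removed in the database keeps verifying tokens until the entry expires
     * (constructor argument is 1, presumably minutes -- confirm) or {@link #clearCache()} runs.
     */
    private static ExpirableCache<MultiKey, GrouperPassword> grouperPasswordCache = new ExpirableCache<>(1);

    /** memberId -> resolved Subject, populated through a root session. */
    private static ExpirableCache<String, Subject> memberIdToSubjectCache = new ExpirableCache<>(1);

    private static final Log LOG = GrouperUtil.getLog(GrouperPublicPrivateKeyJwt.class);

    /** Group 1 is the base64 member id (no underscore allowed), group 2 the JWT itself. */
    private static Pattern bearerTokenPattern = Pattern.compile("^Bearer jwtUser_([^_]+)_(.*)$");

    /** Drops both caches; use after rotating or revoking a WS key so the change is immediate. */
    public static void clearCache() {
        grouperPasswordCache.clear();
        memberIdToSubjectCache.clear();
    }

    /**
     * Stores the Authorization header value to be decoded.
     *
     * @param str full header value, expected to start with "Bearer jwtUser_"
     * @return this, for chaining
     */
    public GrouperPublicPrivateKeyJwt assignBearerTokenHeader(String str) {
        this.bearerTokenHeader = str;
        return this;
    }

    /** @return outcome recorded by the last decode(); see the field comment for its limits */
    public GrouperTrustedJwtResult getGrouperTrustedJwtResult() {
        return this.grouperTrustedJwtResult;
    }

    public void setGrouperTrustedJwtResult(GrouperTrustedJwtResult grouperTrustedJwtResult) {
        this.grouperTrustedJwtResult = grouperTrustedJwtResult;
    }

    /**
     * Authenticates the assigned bearer header against the member's stored WS public key.
     *
     * Checks run in this order and each failure short-circuits: header present and matching
     * {@link #bearerTokenPattern}; a WS credential row exists for the decoded member id; that row
     * is not past its expiresMillis; the caller IP is inside the row's allowed CIDRs (when set);
     * the JWT exp claim (when present) is in the future; the JWT iat claim is present and no older
     * than {@code grouper.selfService.jwt.maxValidTimeInSeconds} (default 600); and finally the
     * signature verifies via {@link GrouperPassword#verify}.
     *
     * Security notes:
     * <ul>
     *   <li>{@code JWT.decode} only parses.  Every claim read before {@code verify(...)} is
     *       unverified and is used solely to reject; nothing from the token is returned or cached.</li>
     *   <li>A token without an exp claim is still accepted when iat is inside the configured
     *       window, so maxValidTimeInSeconds is the effective upper bound on token lifetime.</li>
     *   <li>The member lookup (third argument {@code true}, presumably "exception if not found")
     *       runs before the missing-credential check, so an unknown member id and a known member
     *       without a WS key surface as different exceptions.  NOTE(review): if the caller relays
     *       these messages to the client this distinguishes valid member ids -- confirm.</li>
     *   <li>The header is logged truncated to 50 characters.  NOTE(review): with a short member id
     *       the start of the JWT could land in the debug log -- confirm id length assumptions.</li>
     * </ul>
     *
     * @param ipAddress client address; stored on the audit row and checked against allowed CIDRs
     * @return the authenticated Subject, or {@code null} when any check after the credential
     *         lookup fails (audit status 'F')
     * @throws RuntimeException when the header is missing or malformed, when no WS credential
     *         exists for the member, or when a lookup / JWT parse fails (audit status 'E')
     */
    public Subject decode(String ipAddress) {
        Map<String, Object> debugMap = new LinkedHashMap<>();
        long startNanos = System.nanoTime();
        long attemptMillis = System.currentTimeMillis();

        // Rejected before an audit row exists: neither recorded nor logged, matching prior behavior.
        if (StringUtils.isBlank(this.bearerTokenHeader)) {
            this.grouperTrustedJwtResult = GrouperTrustedJwtResult.ERROR_MISSING_TOKEN;
            throw new RuntimeException("bearerTokenHeader is required");
        }

        GrouperPasswordRecentlyUsed recentlyUsed = new GrouperPasswordRecentlyUsed();
        recentlyUsed.setAttemptMillis(Long.valueOf(attemptMillis));

        try {
            debugMap.put("bearerTokenHeader", StringUtils.abbreviate(this.bearerTokenHeader, 50));

            Matcher matcher = bearerTokenPattern.matcher(this.bearerTokenHeader);
            if (!matcher.matches()) {
                this.grouperTrustedJwtResult = GrouperTrustedJwtResult.ERROR_TOKEN_INVALID;
                throw new RuntimeException("bearerTokenHeader is invalid!");
            }

            // Explicit UTF-8 on both sides; the original decoded with the platform default charset.
            final String memberId = new String(
                    new Base64().decode(matcher.group(1).getBytes(StandardCharsets.UTF_8)),
                    StandardCharsets.UTF_8);

            GrouperPassword grouperPassword = findWsCredential(memberId);
            Subject subject = findSubject(memberId);

            if (grouperPassword == null) {
                throw new RuntimeException("Can't find public key for member id '" + memberId + "'");
            }

            // From here on the attempt is tied to a credential row and will be persisted in finally.
            recentlyUsed.setGrouperPasswordId(grouperPassword.getId());
            recentlyUsed.setIpAddress(ipAddress);

            if (grouperPassword.getExpiresMillis() != null
                    && grouperPassword.getExpiresMillis().longValue() < System.currentTimeMillis()) {
                debugMap.put("expiredByExpiresAt", true);
                recentlyUsed.setStatus('F');
                return null;
            }

            if (StringUtils.isNotBlank(grouperPassword.getAllowedFromCidrs())
                    && !GrouperUtil.ipOnNetworks(ipAddress, grouperPassword.getAllowedFromCidrs())) {
                debugMap.put("isIpAllowed", false);
                recentlyUsed.setStatus('F');
                return null;
            }

            // Parse only -- the signature is checked last, after the cheap claim checks.
            DecodedJWT jwt = JWT.decode(matcher.group(2));
            debugMap.put("decodeJwt", Boolean.valueOf(jwt != null));

            Date expiresAt = jwt.getExpiresAt();
            if (expiresAt != null) {
                debugMap.put("expiresAt", expiresAt);
                if (expiresAt.getTime() < System.currentTimeMillis()) {
                    debugMap.put("expiredByExpiresAt", true);
                    recentlyUsed.setStatus('F');
                    return null;
                }
            }

            int maxValidSeconds = GrouperConfig.retrieveConfig()
                    .propertyValueInt("grouper.selfService.jwt.maxValidTimeInSeconds", 600);
            Date issuedAt = jwt.getIssuedAt();
            debugMap.put("issuedAt", issuedAt);
            // 1000L: the previous int multiplication overflowed for configured lifetimes above
            // ~24 days (2147483 s), which then rejected every token.
            if (issuedAt == null || issuedAt.getTime() + maxValidSeconds * 1000L < System.currentTimeMillis()) {
                debugMap.put("expiredByMaxValidTimeInSeconds", true);
                recentlyUsed.setStatus('F');
                return null;
            }

            boolean verified = grouperPassword.verify(jwt);
            // The log key is a DDL constant here because the decompiler resolved the original
            // string literal to it; it is only a key in the debug map.
            debugMap.put(GrouperDdl2_6_1.COLUMN_GROUPER_PROV_ZOOM_USER_VERIFIED, Boolean.valueOf(verified));
            if (!verified) {
                recentlyUsed.setStatus('F');
                return null;
            }

            recentlyUsed.setStatus('S');
            return subject;
        } catch (Exception e) {
            // Presence of the "exception" key is what switches the final log line to ERROR.
            debugMap.put("exception", ExceptionUtils.getFullStackTrace(e));
            recentlyUsed.setStatus('E');
            if (e instanceof RuntimeException) {
                throw (RuntimeException) e;
            }
            throw new RuntimeException(e);
        } finally {
            recordAttempt(recentlyUsed, debugMap, startNanos);
        }
    }

    /** Looks up the member's WS credential row, going through the expiring cache first. */
    private static GrouperPassword findWsCredential(String memberId) {
        MultiKey cacheKey = new MultiKey(memberId, GrouperPassword.Application.WS.name());
        GrouperPassword grouperPassword = grouperPasswordCache.get(cacheKey);
        if (grouperPassword == null) {
            grouperPassword = GrouperDAOFactory.getFactory().getGrouperPassword()
                    .findByUsernameApplication(memberId, GrouperPassword.Application.WS.name());
            // Only hits are cached, so a missing row is re-queried on every attempt.
            if (grouperPassword != null) {
                grouperPasswordCache.put(cacheKey, grouperPassword);
            }
        }
        return grouperPassword;
    }

    /**
     * Resolves the member id to its Subject under a root session, caching the result.
     * NOTE(review): the {@code true} passed to findByUuid presumably requests an exception when
     * the member does not exist -- confirm; that exception propagates to the decode() caller.
     */
    private static Subject findSubject(final String memberId) {
        Subject subject = memberIdToSubjectCache.get(memberId);
        if (subject == null) {
            subject = (Subject) GrouperSession.internal_callbackRootGrouperSession(new GrouperSessionHandler() {
                @Override
                public Object callback(GrouperSession grouperSession) throws GrouperSessionException {
                    return MemberFinder.findByUuid(grouperSession, memberId, true).getSubject();
                }
            });
            memberIdToSubjectCache.put(memberId, subject);
        }
        return subject;
    }

    /**
     * Persists the audit row (only once it is tied to a credential id) and emits the debug map,
     * at ERROR level when an exception was captured and at DEBUG otherwise.
     */
    private static void recordAttempt(GrouperPasswordRecentlyUsed recentlyUsed, Map<String, Object> debugMap, long startNanos) {
        if (StringUtils.isNotBlank(recentlyUsed.getGrouperPasswordId())) {
            GrouperDAOFactory.getFactory().getGrouperPasswordRecentlyUsed().saveOrUpdate(recentlyUsed);
        }
        debugMap.put("tookMs", Long.valueOf((System.nanoTime() - startNanos) / 1000000));
        if (debugMap.get("exception") != null) {
            LOG.error(GrouperUtil.mapToString(debugMap));
        } else if (LOG.isDebugEnabled()) {
            LOG.debug(GrouperUtil.mapToString(debugMap));
        }
    }
}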
