package io.github.sevenparadigms.abac.security.auth.encrypt;

import io.github.sevenparadigms.abac.Constants;
import io.github.sevenparadigms.abac.security.auth.data.RevokeTokenEvent;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.ExpiredJwtException;
import io.jsonwebtoken.JwtBuilder;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.MalformedJwtException;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.UnsupportedJwtException;
import io.jsonwebtoken.security.SignatureException;
import java.io.ByteArrayInputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.CertificateFactory;
import java.time.LocalDateTime;
import java.time.OffsetDateTime;
import java.time.chrono.ChronoLocalDateTime;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Collection;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.stream.Stream;
import javax.crypto.spec.SecretKeySpec;
import kotlin.Metadata;
import kotlin.Unit;
import kotlin.collections.CollectionsKt;
import kotlin.jvm.internal.Intrinsics;
import kotlin.streams.jdk8.StreamsKt;
import kotlin.text.Charsets;
import kotlin.text.StringsKt;
import org.apache.commons.beanutils.ConvertUtils;
import org.apache.commons.lang3.ObjectUtils;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.sevenparadigms.kotlin.common.ByteArrayExtensionsKt;
import org.sevenparadigms.kotlin.common.JsonExtensionKt;
import org.sevenparadigms.kotlin.common.LogExtensionsKt;
import org.sevenparadigms.kotlin.common.StringExtensionsKt;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.cache.Cache;
import org.springframework.cache.CacheManager;
import org.springframework.context.ApplicationListener;
import org.springframework.data.r2dbc.config.Beans;
import org.springframework.data.r2dbc.repository.cache.CaffeineGuidedCacheManager;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.stereotype.Component;
import reactor.util.function.Tuple5;
import reactor.util.function.Tuples;

/* compiled from: JwtTokenProvider.kt */
@Metadata(mv = {1, 6, 0}, k = 1, xi = 48, d1 = {"��H\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0010\u000e\n\u0002\b\u0005\n\u0002\u0018\u0002\n\u0002\b\r\n\u0002\u0018\u0002\n\u0002\b\u0007\n\u0002\u0010\t\n\u0002\b\u0003\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0018\u0002\n\u0002\b\u0002\n\u0002\u0010\u0002\n\u0002\b\u0003\b\u0017\u0018��2\b\u0012\u0004\u0012\u00020\u00020\u0001B\u0005¢\u0006\u0002\u0010\u0003J\u0010\u0010 \u001a\u00020!2\u0006\u0010\"\u001a\u00020\u0005H\u0016J\u0010\u0010#\u001a\u00020\u00052\u0006\u0010$\u001a\u00020%H\u0016J\u0010\u0010&\u001a\u00020%2\u0006\u0010\"\u001a\u00020\u0005H\u0016J\u0010\u0010'\u001a\u00020(2\u0006\u0010\"\u001a\u00020\u0005H\u0016J\n\u0010)\u001a\u0004\u0018\u00010\u0019H\u0012J\b\u0010*\u001a\u00020+H\u0016J\u0010\u0010,\u001a\u00020+2\u0006\u0010-\u001a\u00020\u0002H\u0016R\u001e\u0010\u0004\u001a\u00020\u00058\u0016@\u0016X\u0097.¢\u0006\u000e\n��\u001a\u0004\b\u0006\u0010\u0007\"\u0004\b\b\u0010\tR\u0010\u0010\n\u001a\u0004\u0018\u00010\u000bX\u0092\u000e¢\u0006\u0002\n��R\u001e\u0010\f\u001a\u00020\u00058\u0016@\u0016X\u0097.¢\u0006\u000e\n��\u001a\u0004\b\r\u0010\u0007\"\u0004\b\u000e\u0010\tR\u001e\u0010\u000f\u001a\u00020\u00058\u0016@\u0016X\u0097.¢\u0006\u000e\n��\u001a\u0004\b\u0010\u0010\u0007\"\u0004\b\u0011\u0010\tR\u001e\u0010\u0012\u001a\u00020\u00058\u0016@\u0016X\u0097.¢\u0006\u000e\n��\u001a\u0004\b\u0013\u0010\u0007\"\u0004\b\u0014\u0010\tR\u001e\u0010\u0015\u001a\u00020\u00058\u0016@\u0016X\u0097.¢\u0006\u000e\n��\u001a\u0004\b\u0016\u0010\u0007\"\u0004\b\u0017\u0010\tR\u0010\u0010\u0018\u001a\u0004\u0018\u00010\u0019X\u0092\u000e¢\u0006\u0002\n��R\u001e\u0010\u001a\u001a\u00020\u00058\u0016@\u0016X\u0097.¢\u0006\u000e\n��\u001a\u0004\b\u001b\u0010\u0007\"\u0004\b\u001c\u0010\tR\u001e\u0010\u001d\u001a\u00020\u00058\u0016@\u0016X\u0097.¢\u0006\u000e\n��\u001a\u0004\b\u001e\u0010\u0007\"\u0004\b\u001f\u0010\t¨\u0006."}, d2 = 
{"Lio/github/sevenparadigms/abac/security/auth/encrypt/JwtTokenProvider;", "Lorg/springframework/context/ApplicationListener;", "Lio/github/sevenparadigms/abac/security/auth/data/RevokeTokenEvent;", "()V", "algorithm", "", "getAlgorithm", "()Ljava/lang/String;", "setAlgorithm", "(Ljava/lang/String;)V", "cacheManager", "Lorg/springframework/cache/CacheManager;", "expiration", "getExpiration", "setExpiration", "keyPassword", "getKeyPassword", "setKeyPassword", "keyPath", "getKeyPath", "setKeyPath", "keystoreAlias", "getKeystoreAlias", "setKeystoreAlias", "privateKey", "Ljava/security/PrivateKey;", "pubkey", "getPubkey", "setPubkey", "seckey", "getSeckey", "setSeckey", "extractExpire", "", "authorizeKey", "getAuthToken", "authentication", "Lorg/springframework/security/core/Authentication;", "getAuthentication", "getClaims", "Lio/jsonwebtoken/Claims;", "getPrivateKey", "initializeCache", "", "onApplicationEvent", "event", "reactive-spring-abac-security"})
@Component
/* loaded from: input_file:io/github/sevenparadigms/abac/security/auth/encrypt/JwtTokenProvider.class */
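public class JwtTokenProvider implements ApplicationListener<RevokeTokenEvent> {

    /** Shared HMAC secret; concatenated with {@link #expiration} to form the symmetric key. Sensitive. */
    @Value("${spring.security.jwt.secret:}")
    public String seckey;

    /** Base64 text of an X.509 certificate whose public key verifies tokens (whitespace is stripped). */
    @Value("${spring.security.jwt.public:}")
    public String pubkey;

    /** Token lifetime in seconds, kept as text; also used for the cache TTL and the HMAC key material. */
    @Value("${spring.security.jwt.expiration:}")
    public String expiration;

    /** Name of a jjwt {@link SignatureAlgorithm} constant used for the HMAC key (default HS512). */
    @Value("${spring.security.jwt.algorithm:HS512}")
    public String algorithm;

    /** Resource location of a PKCS12 keystore holding the signing key. */
    @Value("${spring.security.jwt.keystore-path:}")
    public String keyPath;

    /** Alias of the private-key entry inside the keystore. */
    @Value("${spring.security.jwt.keystore-alias:}")
    public String keystoreAlias;

    /** Password used both for the keystore and for the key entry. Sensitive. */
    @Value("${spring.security.jwt.keystore-password:}")
    public String keyPassword;

    /** Private key loaded from the keystore on first use and reused afterwards. */
    @Nullable
    private PrivateKey privateKey;

    /** Lazily resolved by {@link #initializeCache()}. */
    @Nullable
    private CacheManager cacheManager;

    /**
     * Returns {@code value}, or raises Kotlin's uninitialized-property error for
     * {@code propertyName} when the injected field is still null.
     */
    private static String requireInitialized(String value, String propertyName) {
        if (value == null) {
            Intrinsics.throwUninitializedPropertyAccessException(propertyName);
        }
        return value;
    }

    @NotNull
    public String getSeckey() {
        return requireInitialized(this.seckey, "seckey");
    }

    public void setSeckey(@NotNull String str) {
        Intrinsics.checkNotNullParameter(str, "<set-?>");
        this.seckey = str;
    }

    @NotNull
    public String getPubkey() {
        return requireInitialized(this.pubkey, "pubkey");
    }

    public void setPubkey(@NotNull String str) {
        Intrinsics.checkNotNullParameter(str, "<set-?>");
        this.pubkey = str;
    }

    @NotNull
    public String getExpiration() {
        return requireInitialized(this.expiration, "expiration");
    }

    public void setExpiration(@NotNull String str) {
        Intrinsics.checkNotNullParameter(str, "<set-?>");
        this.expiration = str;
    }

    @NotNull
    public String getAlgorithm() {
        return requireInitialized(this.algorithm, "algorithm");
    }

    public void setAlgorithm(@NotNull String str) {
        Intrinsics.checkNotNullParameter(str, "<set-?>");
        this.algorithm = str;
    }

    @NotNull
    public String getKeyPath() {
        return requireInitialized(this.keyPath, "keyPath");
    }

    public void setKeyPath(@NotNull String str) {
        Intrinsics.checkNotNullParameter(str, "<set-?>");
        this.keyPath = str;
    }

    @NotNull
    public String getKeystoreAlias() {
        return requireInitialized(this.keystoreAlias, "keystoreAlias");
    }

    public void setKeystoreAlias(@NotNull String str) {
        Intrinsics.checkNotNullParameter(str, "<set-?>");
        this.keystoreAlias = str;
    }

    @NotNull
    public String getKeyPassword() {
        return requireInitialized(this.keyPassword, "keyPassword");
    }

    public void setKeyPassword(@NotNull String str) {
        Intrinsics.checkNotNullParameter(str, "<set-?>");
        this.keyPassword = str;
    }

    /**
     * Builds the symmetric key from the UTF-8 bytes of {@code seckey + expiration}.
     *
     * <p>The bytes are used directly, with no key-derivation step, so the strength of the
     * key is the strength of the configured secret. Changing the expiration setting also
     * changes the key, which invalidates previously issued HMAC tokens.
     */
    private Key hmacKey() {
        byte[] material = (getSeckey() + getExpiration()).getBytes(Charsets.UTF_8);
        return new SecretKeySpec(material, SignatureAlgorithm.valueOf(getAlgorithm()).getJcaName());
    }

    /**
     * Loads the private key from the configured PKCS12 keystore, once.
     *
     * <p>The original checked {@code privateKey} but never assigned it, so the keystore was
     * re-read and re-decrypted on every call; the loaded key is now stored in the field.
     *
     * @throws IllegalStateException if the keystore cannot be read or the alias does not
     *     name a private-key entry (both are configuration errors, not token errors)
     */
    private PrivateKey getPrivateKey() {
        PrivateKey cached = this.privateKey;
        if (cached != null) {
            return cached;
        }
        char[] password = getKeyPassword().toCharArray();
        try {
            KeyStore keyStore = KeyStore.getInstance("PKCS12");
            keyStore.load(new ByteArrayInputStream(ByteArrayExtensionsKt.loadResource(getKeyPath())), password);
            KeyStore.Entry entry = keyStore.getEntry(getKeystoreAlias(), new KeyStore.PasswordProtection(password));
            if (!(entry instanceof KeyStore.PrivateKeyEntry)) {
                throw new IllegalStateException(
                        "Keystore alias [spring.security.jwt.keystore-alias] does not refer to a private key entry");
            }
            PrivateKey loaded = ((KeyStore.PrivateKeyEntry) entry).getPrivateKey();
            this.privateKey = loaded;
            return loaded;
        } catch (java.security.GeneralSecurityException | java.io.IOException e) {
            throw new IllegalStateException("Unable to load the JWT signing key from the configured keystore", e);
        } finally {
            // Wipes only this temporary copy; the password also lives in the keyPassword String.
            java.util.Arrays.fill(password, '\0');
        }
    }

    /** Returns the JWT cache, resolving the cache manager first if that has not happened yet. */
    private Cache jwtCache() {
        initializeCache();
        CacheManager manager = this.cacheManager;
        Intrinsics.checkNotNull(manager);
        Cache cache = manager.getCache(Constants.JWT_CACHE);
        Intrinsics.checkNotNull(cache);
        return cache;
    }

    /**
     * Converts the token's expiry claim to a local date-time using the system offset in
     * effect now.
     *
     * <p>NOTE(review): the offset is captured when the entry is cached, while the later
     * comparison uses {@code LocalDateTime.now()}; if the system offset changes in between
     * (for example at a daylight-saving transition) the two disagree. Storing an instant
     * would avoid this, but the cached tuple's shape may be read elsewhere — confirm first.
     */
    private LocalDateTime expiryOf(String token) {
        return LocalDateTime.ofEpochSecond(extractExpire(token), 0, OffsetDateTime.now().getOffset());
    }

    /**
     * Issues a signed token for {@code authentication} and records it in the JWT cache.
     *
     * <p>The keystore private key signs the token when a keystore path and password are
     * configured and the principal is not {@code Constants.TEST_USER}; otherwise the HMAC
     * key is used. With a keystore configured, {@link #getClaims(String)} never selects the
     * HMAC key, so a test-user token is accepted only through the cache entry written here.
     * NOTE(review): confirm that {@code Constants.TEST_USER} cannot collide with a real
     * account name, since that name alone selects the symmetric key.
     *
     * @param authentication the authenticated principal
     * @return the compact serialized token
     * @throws NumberFormatException if the expiration setting is empty or not a number
     */
    @NotNull
    public String getAuthToken(@NotNull Authentication authentication) {
        Intrinsics.checkNotNullParameter(authentication, "authentication");
        Cache cache = jwtCache();
        Stream<String> authorityNames = authentication.getAuthorities().stream().map(GrantedAuthority::getAuthority);
        JwtBuilder builder = Jwts.builder()
                .setSubject(authentication.getName())
                .claim(Constants.AUTHORITIES_KEY, StreamsKt.toList(authorityNames));
        boolean useKeystore = ObjectUtils.isNotEmpty(getKeyPath())
                && ObjectUtils.isNotEmpty(getKeyPassword())
                && !Intrinsics.areEqual(authentication.getName(), Constants.TEST_USER);
        Key signingKey = useKeystore ? getPrivateKey() : hmacKey();
        long lifetimeMillis = Long.parseLong(getExpiration()) * 1000;
        String token = builder
                .signWith(signingKey)
                .setExpiration(new Date(System.currentTimeMillis() + lifetimeMillis))
                .compact();
        Intrinsics.checkNotNullExpressionValue(token, "authorizeKey");
        // Tuple layout: principal, name, authorities, expiry, revoked flag.
        cache.put(token, Tuples.of(authentication.getPrincipal(), authentication.getName(),
                authentication.getAuthorities(), expiryOf(token), false));
        return token;
    }

    /**
     * Resolves the cache manager on first use.
     *
     * <p>A Caffeine-backed manager is built as the argument to {@code Beans.of}; its
     * expire-after-access time is the expiration setting in milliseconds, or 300000 when
     * the setting is empty. The multiplication is done in {@code long}, matching
     * {@link #getAuthToken(Authentication)}; the original multiplied an {@code int}, which
     * overflows for lifetimes above roughly 24.8 days.
     */
    public void initializeCache() {
        if (this.cacheManager != null) {
            return;
        }
        CaffeineGuidedCacheManager fallback = new CaffeineGuidedCacheManager();
        String ttlMillis = ObjectUtils.isNotEmpty(getExpiration())
                ? String.valueOf(Long.parseLong(getExpiration()) * 1000L)
                : "300000";
        fallback.setDefaultExpireAfterAccess(ttlMillis);
        CacheManager resolved = (CacheManager) Beans.of(CacheManager.class, fallback);
        this.cacheManager = resolved;
        Intrinsics.checkNotNull(resolved);
        LogExtensionsKt.info(this, "ABAC Security initialize with cache: " + resolved.getClass().getSimpleName(), new Object[0]);
    }

    /**
     * Marks a cached token as revoked.
     *
     * <p>The cache is resolved here as well; the original dereferenced {@code cacheManager}
     * directly and failed with a null-pointer error when a revocation arrived before any
     * token had been issued or validated.
     *
     * <p>NOTE(review): revocation is recorded only when the token already has an entry in
     * this cache. If the entry is missing (never seen by this instance, or evicted), the
     * event has no effect and a later {@link #getAuthentication(String)} call re-verifies
     * the signature and caches the token as not revoked. Deployments that rely on
     * revocation should confirm the cache is shared and sized accordingly.
     */
    @Override
    public void onApplicationEvent(@NotNull RevokeTokenEvent revokeTokenEvent) {
        Intrinsics.checkNotNullParameter(revokeTokenEvent, "event");
        Cache cache = jwtCache();
        Object token = revokeTokenEvent.getToken$reactive_spring_abac_security();
        Tuple5 entry = cache.get(token, Tuple5.class);
        if (entry != null) {
            cache.put(token, Tuples.of(entry.getT1(), entry.getT2(), entry.getT3(), entry.getT4(), true));
        }
    }

    /**
     * Resolves a token to an {@link Authentication}.
     *
     * <p>A cache hit is trusted without re-checking the signature: entries are written only
     * after issuing the token or after {@link #getClaims(String)} verified it. On a miss the
     * token is verified, converted and cached.
     *
     * @param str the compact serialized token
     * @return the authentication carried by the token
     * @throws BadCredentialsException if the token is revoked, expired or fails verification.
     *     Revoked and expired cache hits previously raised a bare {@code RuntimeException};
     *     they now use the same type as every other rejection in this class.
     */
    @NotNull
    public Authentication getAuthentication(@NotNull String str) {
        Intrinsics.checkNotNullParameter(str, "authorizeKey");
        Cache cache = jwtCache();
        Tuple5 cached = cache.get(str, Tuple5.class);
        if (cached != null) {
            Object revoked = cached.getT5();
            Intrinsics.checkNotNullExpressionValue(revoked, "tuple.t5");
            if (((Boolean) revoked).booleanValue()) {
                throw new BadCredentialsException("JWT revoked: " + cached.getT4());
            }
            if (LocalDateTime.now().isAfter((ChronoLocalDateTime) cached.getT4())) {
                throw new BadCredentialsException("JWT expired: " + cached.getT4());
            }
            return new UsernamePasswordAuthenticationToken(cached.getT1(), cached.getT2(), (Collection) cached.getT3());
        }

        Claims claims = getClaims(str);
        List<?> rawAuthorities = claims.get(Constants.AUTHORITIES_KEY, List.class);
        Intrinsics.checkNotNullExpressionValue(rawAuthorities, "claims.get(AUTHORITIES_KEY, List::class.java)");
        List<GrantedAuthority> granted = new ArrayList<>(rawAuthorities.size());
        for (Object authority : rawAuthorities) {
            granted.add(new SimpleGrantedAuthority(String.valueOf(authority)));
        }
        List<GrantedAuthority> authorities = CollectionsKt.toList(granted);
        User user = new User(claims.getSubject(), "", authorities);
        // NOTE(review): this value is used as a tuple component, which presumably must be
        // non-null; confirm the AUTHORITIES_USER claim is always present in accepted tokens.
        String credentials = claims.get(Constants.AUTHORITIES_USER, String.class);
        cache.put(str, Tuples.of(user, credentials, authorities, expiryOf(str), false));
        return new UsernamePasswordAuthenticationToken(user, credentials, authorities);
    }

    /**
     * Reads the expiry claim straight from the token's payload segment.
     *
     * <p>The signature is not checked here. Both callers in this class pass a token that
     * was just issued or just verified; any other caller must verify the token first and
     * must not base a trust decision on this value alone.
     *
     * @param str the compact serialized token
     * @return the value of the expiry claim as a long
     */
    public long extractExpire(@NotNull String str) {
        Intrinsics.checkNotNullParameter(str, "authorizeKey");
        String payloadSegment = (String) StringsKt.split$default(str, new String[]{"."}, false, 0, 6, (Object) null).get(1);
        byte[] payload = Base64.getUrlDecoder().decode(payloadSegment);
        Intrinsics.checkNotNullExpressionValue(payload, "decoder.decode(parts[1])");
        return JsonExtensionKt.objectToJson(new String(payload, Charsets.UTF_8)).get(Constants.AUTHORITIES_EXPIRE).longValue();
    }

    /**
     * Verifies the token's signature and returns its claims.
     *
     * <p>Key selection, in order: the HMAC key when neither keystore path nor public key is
     * configured and a secret is; the public key of the configured X.509 certificate; the
     * keystore's private key when only a keystore is configured.
     *
     * <p>NOTE(review): key selection runs inside the same {@code try} as parsing, so an
     * {@code IllegalArgumentException} caused by configuration (an unknown algorithm name,
     * public-key text that is not valid Base64) is reported as an invalid token.
     *
     * @param str the compact serialized token
     * @return the verified claims
     * @throws BadCredentialsException if the token is malformed, expired, unsupported or
     *     its signature does not verify; the underlying exception is attached as the cause
     * @throws IllegalStateException if the configured certificate or keystore is unusable
     */
    @NotNull
    public Claims getClaims(@NotNull String str) {
        Intrinsics.checkNotNullParameter(str, "authorizeKey");
        try {
            Key verificationKey;
            if (ObjectUtils.isEmpty(getKeyPath()) && ObjectUtils.isEmpty(getPubkey()) && ObjectUtils.isNotEmpty(getSeckey())) {
                verificationKey = hmacKey();
            } else if (ObjectUtils.isNotEmpty(getPubkey())) {
                byte[] certificateBytes = Base64.getDecoder().decode(StringExtensionsKt.remove(getPubkey(), "[\\s\\r\\n\\t]"));
                verificationKey = CertificateFactory.getInstance("X.509")
                        .generateCertificate(new ByteArrayInputStream(certificateBytes))
                        .getPublicKey();
            } else if (ObjectUtils.isNotEmpty(getKeyPath())) {
                verificationKey = getPrivateKey();
            } else {
                throw new RuntimeException("Property with public key[spring.security.jwt.public] not found");
            }
            Claims body = Jwts.parserBuilder().setSigningKey(verificationKey).build().parseClaimsJws(str).getBody();
            Intrinsics.checkNotNullExpressionValue(body, "parserBuilder()\n        …imsJws(authorizeKey).body");
            return body;
        } catch (java.security.cert.CertificateException e) {
            throw new IllegalStateException(
                    "Configured JWT public key [spring.security.jwt.public] is not a valid X.509 certificate", e);
        } catch (IllegalArgumentException e) {
            LogExtensionsKt.error(this, "JWT token compact of handler are invalid trace: {}", new Object[]{e});
            throw new BadCredentialsException("Invalid token", e);
        } catch (MalformedJwtException e) {
            LogExtensionsKt.error(this, "Invalid JWT token trace: {}", new Object[]{e});
            throw new BadCredentialsException("Invalid token", e);
        } catch (SignatureException e) {
            LogExtensionsKt.error(this, "Invalid JWT signature trace: {}", new Object[]{e});
            throw new BadCredentialsException("Invalid token", e);
        } catch (ExpiredJwtException e) {
            LogExtensionsKt.error(this, "Expired JWT token trace: {}", new Object[]{e});
            throw new BadCredentialsException("Invalid token", e);
        } catch (UnsupportedJwtException e) {
            LogExtensionsKt.error(this, "Unsupported JWT token trace: {}", new Object[]{e});
            throw new BadCredentialsException("Invalid token", e);
        }
    }
}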
