package io.github.sevenparadigms.abac.security.auth.encrypt;

import io.github.sevenparadigms.abac.Constants;
import io.github.sevenparadigms.abac.configuration.JwtProperties;
import io.github.sevenparadigms.abac.security.auth.data.RevokeTokenEvent;
import io.github.sevenparadigms.abac.security.support.JwtCache;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.ExpiredJwtException;
import io.jsonwebtoken.JwtBuilder;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.MalformedJwtException;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.SignatureException;
import io.jsonwebtoken.UnsupportedJwtException;
import java.io.ByteArrayInputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.CertificateFactory;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.stream.Stream;
import javax.crypto.spec.SecretKeySpec;
import kotlin.Metadata;
import kotlin.collections.CollectionsKt;
import kotlin.jvm.internal.Intrinsics;
import kotlin.streams.jdk8.StreamsKt;
import kotlin.text.Charsets;
import org.apache.commons.codec.digest.MurmurHash2;
import org.apache.commons.lang3.ObjectUtils;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.sevenparadigms.kotlin.common.ByteArrayExtensionsKt;
import org.sevenparadigms.kotlin.common.LogExtensionsKt;
import org.sevenparadigms.kotlin.common.StringExtensionsKt;
import org.springframework.context.ApplicationListener;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.stereotype.Component;
import reactor.util.function.Tuple3;

/* compiled from: JwtTokenProvider.kt */
@Metadata(mv = {1, 6, 0}, k = 1, xi = 48, d1 = {"��:\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n\u0002\u0018\u0002\n��\n\u0002\u0018\u0002\n\u0002\b\u0004\n\u0002\u0018\u0002\n��\n\u0002\u0010\u000e\n��\n\u0002\u0018\u0002\n\u0002\b\u0003\n\u0002\u0018\u0002\n\u0002\b\u0003\n\u0002\u0010\u0002\n\u0002\b\u0002\b\u0017\u0018��2\b\u0012\u0004\u0012\u00020\u00020\u0001B\r\u0012\u0006\u0010\u0003\u001a\u00020\u0004¢\u0006\u0002\u0010\u0005J\u0010\u0010\n\u001a\u00020\u000b2\u0006\u0010\f\u001a\u00020\rH\u0016J\u0010\u0010\u000e\u001a\u00020\r2\u0006\u0010\u000f\u001a\u00020\u000bH\u0016J\u0010\u0010\u0010\u001a\u00020\u00112\u0006\u0010\u000f\u001a\u00020\u000bH\u0016J\n\u0010\u0012\u001a\u0004\u0018\u00010\tH\u0012J\u0010\u0010\u0013\u001a\u00020\u000b2\u0006\u0010\u000f\u001a\u00020\u000bH\u0016J\u0010\u0010\u0014\u001a\u00020\u00152\u0006\u0010\u0016\u001a\u00020\u0002H\u0016R\u0014\u0010\u0003\u001a\u00020\u0004X\u0096\u0004¢\u0006\b\n��\u001a\u0004\b\u0006\u0010\u0007R\u0010\u0010\b\u001a\u0004\u0018\u00010\tX\u0092\u000e¢\u0006\u0002\n��¨\u0006\u0017"}, d2 = {"Lio/github/sevenparadigms/abac/security/auth/encrypt/JwtTokenProvider;", "Lorg/springframework/context/ApplicationListener;", "Lio/github/sevenparadigms/abac/security/auth/data/RevokeTokenEvent;", Constants.JWT_CACHE, "Lio/github/sevenparadigms/abac/configuration/JwtProperties;", "(Lio/github/sevenparadigms/abac/configuration/JwtProperties;)V", "getJwt", "()Lio/github/sevenparadigms/abac/configuration/JwtProperties;", "privateKey", "Ljava/security/PrivateKey;", "getAuthToken", "", "authentication", "Lorg/springframework/security/core/Authentication;", "getAuthentication", "authorizeKey", "getJwtClaims", "Lio/jsonwebtoken/Claims;", "getPrivateKey", "getRefreshToken", "onApplicationEvent", "", "event", "reactive-spring-abac-security"})
@Component
/* loaded from: input_file:io/github/sevenparadigms/abac/security/auth/encrypt/JwtTokenProvider.class */
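/**
 * Issues and validates JWT access/refresh tokens and marks tokens as revoked in {@link JwtCache}.
 *
 * <p>Signing material is chosen from {@link JwtProperties}: a private key read from a keystore
 * when {@code keystorePath} and {@code keystorePassword} are set, otherwise an HMAC key built
 * from {@code secretKey}. Verification uses, in order, the HMAC key, a configured X.509
 * certificate ({@code publicKey}), or the keystore key.
 *
 * <p>This source was decompiled from Kotlin. The keystore and certificate calls throw checked
 * exceptions that are not declared here; they propagate to the caller unchanged.
 */
public class JwtTokenProvider implements ApplicationListener<RevokeTokenEvent> {

    @NotNull
    private final JwtProperties jwt;

    // Keystore key, loaded on first use by getPrivateKey() and reused afterwards.
    @Nullable
    private PrivateKey privateKey;

    /**
     * @param jwtProperties JWT configuration (keys, algorithm, expiration); must not be null
     */
    public JwtTokenProvider(@NotNull JwtProperties jwtProperties) {
        Intrinsics.checkNotNullParameter(jwtProperties, Constants.JWT_CACHE);
        this.jwt = jwtProperties;
    }

    /** Returns the JWT configuration this provider was created with. */
    @NotNull
    public JwtProperties getJwt() {
        return this.jwt;
    }

    /**
     * Loads the private key stored under the configured alias of the configured keystore.
     *
     * <p>The key is cached in {@link #privateKey} after the first successful load; the original
     * code tested the field but never assigned it, so the keystore was re-read and re-decrypted
     * for every signed or verified token.
     *
     * @return the private key of the keystore entry
     * @throws NullPointerException if the alias has no entry
     * @throws ClassCastException if the entry is not a private-key entry
     */
    private PrivateKey getPrivateKey() {
        if (this.privateKey != null) {
            return this.privateKey;
        }
        KeyStore keyStore = KeyStore.getInstance(getJwt().getKeystoreType());
        ByteArrayInputStream keystoreBytes =
                new ByteArrayInputStream(ByteArrayExtensionsKt.loadResource(getJwt().getKeystorePath()));
        // The same password protects the store and the entry; PasswordProtection keeps its own copy.
        char[] password = getJwt().getKeystorePassword().toCharArray();
        keyStore.load(keystoreBytes, password);
        KeyStore.Entry entry =
                keyStore.getEntry(getJwt().getKeystoreAlias(), new KeyStore.PasswordProtection(password));
        if (entry == null) {
            throw new NullPointerException("null cannot be cast to non-null type java.security.KeyStore.PrivateKeyEntry");
        }
        PrivateKey loaded = ((KeyStore.PrivateKeyEntry) entry).getPrivateKey();
        this.privateKey = loaded;
        return loaded;
    }

    /**
     * Builds the symmetric key used when no keystore key applies.
     *
     * <p>NOTE(review): the key bytes are the configured secret concatenated with the expiration
     * value, with no key-derivation step, so the strength of the key is the strength of
     * {@code secretKey} alone, and changing the expiration setting changes the key. The signing
     * paths do not check that {@code secretKey} is set before calling this — confirm the
     * configuration rejects an empty secret.
     */
    private Key hmacKey() {
        byte[] keyBytes = (getJwt().getSecretKey() + getJwt().getExpiration()).getBytes(Charsets.UTF_8);
        return new SecretKeySpec(keyBytes, SignatureAlgorithm.valueOf(getJwt().getSignatureAlgorithm()).getJcaName());
    }

    /**
     * Creates a signed access token for the given authentication and stores it in {@link JwtCache}.
     *
     * <p>The token carries the principal name as subject and the granted authorities under
     * {@link Constants#ROLES_KEY}. The token's {@code exp} and the cache entry use the same
     * instant (the original computed them from two separate clock reads).
     *
     * @param authentication authenticated principal; must not be null and must have a principal
     * @return the compact serialized token
     */
    @NotNull
    public String getAuthToken(@NotNull Authentication authentication) {
        Intrinsics.checkNotNullParameter(authentication, "authentication");
        // 1000L forces long arithmetic whatever numeric type getExpiration() returns.
        Date expiresAt = new Date(new Date().getTime() + (getJwt().getExpiration() * 1000L));
        JwtBuilder builder = Jwts.builder().setSubject(authentication.getName());
        Stream<String> authorities = authentication.getAuthorities().stream().map(GrantedAuthority::getAuthority);
        builder = builder.claim(Constants.ROLES_KEY, StreamsKt.toList(authorities));

        Key signingKey;
        // NOTE(review): a principal named Constants.TEST_USER is always signed with the HMAC key,
        // even when a keystore is configured. With a keystore configured getJwtClaims() does not
        // select the HMAC key, so such a token appears to be accepted only through the JwtCache
        // entry written below — confirm this account cannot exist outside test environments.
        if (ObjectUtils.isNotEmpty(getJwt().getKeystorePath())
                && ObjectUtils.isNotEmpty(getJwt().getKeystorePassword())
                && !Intrinsics.areEqual(authentication.getName(), Constants.TEST_USER)) {
            signingKey = getPrivateKey();
        } else {
            signingKey = hmacKey();
        }

        String token = builder.signWith(signingKey).setExpiration(expiresAt).compact();
        Object principal = authentication.getPrincipal();
        Intrinsics.checkNotNullExpressionValue(principal, "authentication.principal");
        // Mask 8 selects JwtCache's default for the fourth argument (presumably the revoked flag).
        JwtCache.put$default(JwtCache.INSTANCE, token, principal, expiresAt, false, 8, (Object) null);
        return token;
    }

    /**
     * Creates a signed refresh token bound to an access token.
     *
     * <p>The subject is the MurmurHash2 64-bit hash of the access token; the refresh token is
     * registered in {@link JwtCache} under that hash.
     *
     * <p>NOTE(review): refresh tokens are signed with the same key as access tokens and carry
     * no token-type claim; the only visible difference is the missing roles claim, which
     * {@link #getAuthentication(String)} rejects.
     *
     * @param str the access token this refresh token belongs to
     * @return the compact serialized refresh token
     */
    @NotNull
    public String getRefreshToken(@NotNull String str) {
        Intrinsics.checkNotNullParameter(str, "authorizeKey");
        long accessTokenHash = MurmurHash2.hash64(str);
        Date expiresAt = new Date(new Date().getTime() + (getJwt().getExpiration() * 1000L));
        JwtBuilder builder = Jwts.builder().setSubject(String.valueOf(accessTokenHash));

        Key signingKey;
        if (ObjectUtils.isNotEmpty(getJwt().getKeystorePath()) && ObjectUtils.isNotEmpty(getJwt().getKeystorePassword())) {
            signingKey = getPrivateKey();
        } else {
            signingKey = hmacKey();
        }

        String refreshToken = builder.signWith(signingKey).setExpiration(expiresAt).compact();
        JwtCache.INSTANCE.putRefresh(refreshToken, accessTokenHash, expiresAt);
        return refreshToken;
    }

    /**
     * Marks a cached token as revoked.
     *
     * <p>The event identifies the token either by its string or, when the string is absent, by
     * its hash. Nothing happens when the token is not in {@link JwtCache}; revocation is
     * therefore only as durable as the cache entry.
     *
     * @param revokeTokenEvent revocation request
     * @throws NullPointerException if the event carries neither a token nor a hash
     */
    @Override
    public void onApplicationEvent(@NotNull RevokeTokenEvent revokeTokenEvent) {
        Intrinsics.checkNotNullParameter(revokeTokenEvent, "event");
        String token = revokeTokenEvent.getToken$reactive_spring_abac_security();

        Tuple3<User, Date, Boolean> cached;
        if (token == null) {
            Long hash = revokeTokenEvent.getHash$reactive_spring_abac_security();
            Intrinsics.checkNotNull(hash);
            cached = JwtCache.INSTANCE.get(hash.longValue());
        } else {
            cached = JwtCache.INSTANCE.get(token);
        }
        if (cached == null) {
            return;
        }

        Object principal = cached.getT1();
        Intrinsics.checkNotNullExpressionValue(principal, "cacheContext.t1");
        Object expiresAt = cached.getT2();
        Intrinsics.checkNotNullExpressionValue(expiresAt, "cacheContext.t2");
        // Re-store the entry with the same principal and expiry, now flagged as revoked.
        if (token != null) {
            JwtCache.INSTANCE.put(token, principal, (Date) expiresAt, true);
            return;
        }
        Long hash = revokeTokenEvent.getHash$reactive_spring_abac_security();
        Intrinsics.checkNotNull(hash);
        JwtCache.INSTANCE.put(hash.longValue(), principal, (Date) expiresAt, true);
    }

    /**
     * Resolves an access token to an {@link Authentication}.
     *
     * <p>A token found in {@link JwtCache} is accepted from the cache entry alone (expiry and
     * revoked flag are checked, the signature is not re-verified). Any other token is verified
     * by {@link #getJwtClaims(String)}, converted to a {@link User} and cached.
     *
     * <p>Rejected tokens are logged by their MurmurHash2 fingerprint, not by value: the original
     * wrote the complete bearer token to the error log. MurmurHash2 is not a cryptographic hash;
     * it is used here only as a correlation id.
     *
     * @param str the compact serialized token
     * @return the authentication for the token's subject and roles
     * @throws BadCredentialsException if the token is expired, revoked, fails verification, or
     *         has no roles claim
     */
    @NotNull
    public Authentication getAuthentication(@NotNull String str) {
        Intrinsics.checkNotNullParameter(str, "authorizeKey");
        Tuple3<User, Date, Boolean> cached = JwtCache.INSTANCE.get(str);
        if (cached != null) {
            if (new Date().after(cached.getT2())) {
                LogExtensionsKt.error(this, "Expired JWT token, fingerprint: " + MurmurHash2.hash64(str), new Object[0]);
                throw new BadCredentialsException("Invalid token");
            }
            if (cached.getT3()) {
                LogExtensionsKt.error(this, "Revoked JWT token, fingerprint: " + MurmurHash2.hash64(str), new Object[0]);
                throw new BadCredentialsException("Invalid token");
            }
            User cachedUser = cached.getT1();
            return new UsernamePasswordAuthenticationToken(cachedUser, null, cachedUser.getAuthorities());
        }

        Claims claims = getJwtClaims(str);
        List<?> roles = claims.get(Constants.ROLES_KEY, List.class);
        if (roles == null) {
            // A correctly signed token without roles (for example one built by getRefreshToken)
            // is not an access token; reject it as bad credentials instead of failing with a
            // NullPointerException.
            LogExtensionsKt.error(this, "JWT token without roles claim, fingerprint: " + MurmurHash2.hash64(str), new Object[0]);
            throw new BadCredentialsException("Invalid token");
        }
        List<GrantedAuthority> authorities = new ArrayList<>(roles.size());
        for (Object role : roles) {
            authorities.add(new SimpleGrantedAuthority(String.valueOf(role)));
        }
        // The token holds no password; User only needs a non-null placeholder.
        User user = new User(claims.getSubject(), "", authorities);
        Date expiration = claims.getExpiration();
        Intrinsics.checkNotNullExpressionValue(expiration, "claims.expiration");
        JwtCache.put$default(JwtCache.INSTANCE, str, (Object) user, expiration, false, 8, (Object) null);
        return new UsernamePasswordAuthenticationToken(user, null, user.getAuthorities());
    }

    /**
     * Verifies a token's signature and returns its claims.
     *
     * <p>Verification key selection: the HMAC key when neither keystore nor public key is
     * configured and a secret is; otherwise the configured X.509 certificate's public key;
     * otherwise the keystore key.
     *
     * @param str the compact serialized token
     * @return the verified claims
     * @throws BadCredentialsException if the token is expired, malformed, unsupported, carries
     *         a bad signature, or is otherwise rejected as an illegal argument; the parser's
     *         exception is attached as the cause
     * @throws RuntimeException if no verification key is configured
     */
    @NotNull
    public Claims getJwtClaims(@NotNull String str) {
        Intrinsics.checkNotNullParameter(str, "authorizeKey");
        try {
            // Declared as Key: the three branches yield a secret, a public and a private key.
            Key verificationKey;
            if (ObjectUtils.isEmpty(getJwt().getKeystorePath())
                    && ObjectUtils.isEmpty(getJwt().getPublicKey())
                    && ObjectUtils.isNotEmpty(getJwt().getSecretKey())) {
                verificationKey = hmacKey();
            } else if (ObjectUtils.isNotEmpty(getJwt().getPublicKey())) {
                // publicKey is a Base64 X.509 certificate; whitespace is presumably stripped
                // by StringExtensionsKt.remove before decoding.
                byte[] certificateBytes =
                        Base64.getDecoder().decode(StringExtensionsKt.remove(getJwt().getPublicKey(), "[\\s\\r\\n\\t]"));
                verificationKey = CertificateFactory.getInstance("X.509")
                        .generateCertificate(new ByteArrayInputStream(certificateBytes))
                        .getPublicKey();
            } else {
                if (!ObjectUtils.isNotEmpty(getJwt().getKeystorePath())) {
                    throw new RuntimeException("Property with public key not found");
                }
                // The keystore's private key is handed to the parser as the verification key;
                // no public key is extracted from the entry.
                verificationKey = getPrivateKey();
            }
            Object body = Jwts.parserBuilder().setSigningKey(verificationKey).build().parseClaimsJws(str).getBody();
            Intrinsics.checkNotNullExpressionValue(body, "parserBuilder()\n        …imsJws(authorizeKey).body");
            return (Claims) body;
        } catch (ExpiredJwtException e) {
            LogExtensionsKt.error(this, "Expired JWT token trace: {}", new Object[]{e});
            throw new BadCredentialsException("Invalid token", e);
        } catch (MalformedJwtException e) {
            LogExtensionsKt.error(this, "Invalid JWT token trace: {}", new Object[]{e});
            throw new BadCredentialsException("Invalid token", e);
        } catch (UnsupportedJwtException e) {
            LogExtensionsKt.error(this, "Unsupported JWT token trace: {}", new Object[]{e});
            throw new BadCredentialsException("Invalid token", e);
        } catch (SignatureException e) {
            LogExtensionsKt.error(this, "Invalid JWT signature trace: {}", new Object[]{e});
            throw new BadCredentialsException("Invalid token", e);
        } catch (IllegalArgumentException e) {
            LogExtensionsKt.error(this, "JWT token compact of handler are invalid trace: {}", new Object[]{e});
            throw new BadCredentialsException("Invalid token", e);
        }
    }
}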
