package com.predic8.membrane.core.interceptor.authentication.xen;

import com.google.common.collect.ImmutableMap;
import com.google.common.collect.Lists;
import com.predic8.membrane.annot.MCAttribute;
import com.predic8.membrane.annot.MCChildElement;
import com.predic8.membrane.annot.MCElement;
import com.predic8.membrane.core.Router;
import com.predic8.membrane.core.config.security.Blob;
import com.predic8.membrane.core.exchange.Exchange;
import com.predic8.membrane.core.interceptor.AbstractInterceptor;
import com.predic8.membrane.core.interceptor.Interceptor;
import com.predic8.membrane.core.interceptor.Outcome;
import com.predic8.membrane.core.interceptor.authentication.session.UserDataProvider;
import com.predic8.membrane.core.interceptor.authentication.xen.XenCredentialAccessor;
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.ConcurrentHashMap;
import org.jose4j.json.JsonUtil;
import org.jose4j.jwk.JsonWebKey;
import org.jose4j.jwk.RsaJsonWebKey;
import org.jose4j.jwk.RsaJwkGenerator;
import org.jose4j.jwk.Use;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.MalformedClaimException;
import org.jose4j.jwt.NumericDate;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.jwx.HeaderParameterNames;
import org.jose4j.keys.resolvers.JwksVerificationKeyResolver;
import org.jose4j.lang.JoseException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Required;

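/**
 * Fronts a XenServer API with proxy-side authentication.
 *
 * <p>Two things happen here:
 * <ul>
 *   <li>A login request is checked against the configured {@link UserDataProvider}; on success the
 *       client's credentials are replaced by the proxy's own XenServer credentials
 *       ({@code user}/{@code password}) before the request is forwarded. The backend therefore never
 *       sees, and the client never needs, the real XenServer account.</li>
 *   <li>Session ids handed out by XenServer in responses are swapped for proxy-issued ids by a
 *       {@link XenSessionManager}; requests are mapped back the other way. The real XenServer session
 *       id never reaches the client.</li>
 * </ul>
 *
 * <p>Both the in-memory and the JWT session manager are configured as child elements.
 */
@MCElement(name = "xenAuthentication")
public class XenAuthenticationInterceptor extends AbstractInterceptor {
    private static final Logger LOG = LoggerFactory.getLogger(XenAuthenticationInterceptor.class);
    /** XenServer account the proxy logs in with on behalf of every authenticated client. */
    private String user;
    /** Password for {@link #user}. Held in plain text as configured (it is an XML attribute). */
    private String password;
    private UserDataProvider userDataProvider;
    private XenSessionManager sessionManager;

    /**
     * Keeps the proxy-id &lt;-&gt; XenServer-id mapping in two concurrent maps.
     *
     * <p>NOTE(review): entries are never removed, so the maps grow by one pair per XenServer login
     * response for the lifetime of the process, and mappings are local to this JVM (no clustering,
     * lost on restart). Prefer {@link JwtSessionManager} where either matters.
     */
    @MCElement(name = "inMemorySessionManager", topLevel = false)
    public static class InMemorySessionManager implements XenSessionManager {
        /** proxy-issued id -> XenServer session id */
        private final Map<String, String> ourSessionIds = new ConcurrentHashMap<>();
        /** XenServer session id -> proxy-issued id */
        private final Map<String, String> xenSessionIds = new ConcurrentHashMap<>();

        @Override
        public void init(Router router) throws Exception {
            // nothing to set up
        }

        /** @return the XenServer id for a proxy-issued id, or {@code null} if unknown (or {@code str} is null). */
        @Override
        public String getXenSessionId(String str) {
            // ConcurrentHashMap rejects null keys with an NPE; treat "no id" as "unknown id".
            if (str == null) {
                return null;
            }
            return this.ourSessionIds.get(str);
        }

        /** @return the proxy-issued id already mapped to a XenServer id, or {@code null} if none. */
        @Override
        public String getExistingSessionId(String str) {
            if (str == null) {
                return null;
            }
            return this.xenSessionIds.get(str);
        }

        /**
         * Mints a fresh random proxy id for the given XenServer session id and records it in both maps.
         * Always creates a new id, even if one is already mapped (the older one stays valid).
         */
        @Override
        public String createSessionId(String str) {
            String ourId = UUID.randomUUID().toString();
            this.xenSessionIds.put(str, ourId);
            this.ourSessionIds.put(ourId, str);
            return ourId;
        }
    }

    /**
     * Stateless session manager: the proxy-issued id is a signed JWT (RS256) whose {@code sub} claim is
     * the XenServer session id. Nothing is stored server-side; validity rests entirely on the signature,
     * the {@code aud} claim and the embedded expiry (24h from issue).
     */
    @MCElement(name = "jwtSessionManager", topLevel = false, id = "xenAuthentication-jwtSessionManager")
    public static class JwtSessionManager implements XenSessionManager {
        /** Expected/issued {@code aud} claim. Optional attribute; see note in {@link #getXenSessionId}. */
        private String audience;
        private Jwk jwk;
        private RsaJsonWebKey rsaJsonWebKey;
        private final SecureRandom random = new SecureRandom();

        /** Inline JWK (JSON) holding the RSA key pair; an empty element triggers key generation. */
        @MCElement(name = HeaderParameterNames.JWK, mixed = true, topLevel = false, id = "xenAuthentication-jwtSessionManager-jwk")
        public static class Jwk extends Blob {
        }

        /**
         * Loads the configured JWK, or generates a throw-away key pair if the element is empty.
         *
         * @throws IllegalStateException if the configured JWK carries no private key; signing in
         *         {@link #createSessionId} would otherwise only fail on the first login response.
         */
        @Override
        public void init(Router router) throws Exception {
            String json = this.jwk.get(router.getResolverMap(), router.getBaseLocation());
            if (json == null || json.isEmpty()) {
                this.rsaJsonWebKey = generateKey();
            } else {
                this.rsaJsonWebKey = new RsaJsonWebKey(JsonUtil.parseJson(json));
            }
            // Fail fast at startup rather than at the first login.
            if (this.rsaJsonWebKey.getPrivateKey() == null) {
                throw new IllegalStateException(
                        "<jwk> must contain an RSA private key; tokens are signed with it.");
            }
        }

        /**
         * Generates a 2048-bit RSA signing key with a random key id.
         *
         * <p>NOTE(review): the WARN line below deliberately prints the key <em>including the private
         * part</em> so an operator can paste it into the config. That puts signing-key material into the
         * log: protect log access, and rotate (i.e. generate a new key and configure that) rather than
         * copying the logged one into a long-lived deployment. A generated key also means every restart
         * and every node invalidates all outstanding sessions.
         */
        private RsaJsonWebKey generateKey() throws JoseException {
            RsaJsonWebKey generated = RsaJwkGenerator.generateJwk(2048);
            generated.setKeyId(new BigInteger(130, this.random).toString(32));
            generated.setUse(Use.SIGNATURE);
            generated.setAlgorithm(AlgorithmIdentifiers.RSA_USING_SHA256);
            XenAuthenticationInterceptor.LOG.warn("Using dynamically genererated key, you should write this as <jwtSessionManager ...><jwk>" + generated.toJson(JsonWebKey.OutputControlLevel.INCLUDE_PRIVATE) + "</jwk></jwtSessionManager> .");
            return generated;
        }

        /**
         * Verifies the token and returns its subject (the XenServer session id).
         *
         * <p>Accepts only tokens that verify against our own key, carry the expected audience, have not
         * expired (allowing for the 2-minute nbf skew set at issue time) and have a subject.
         *
         * <p>NOTE(review): {@code audience} is optional in the config; if left unset both issue and
         * verification use a null audience -- confirm jose4j's handling and set it explicitly. Consider
         * also pinning the accepted algorithm via {@code setJwsAlgorithmConstraints} to RS256; the key
         * resolver only holds an RSA key, but an explicit allow-list is easier to audit.
         *
         * @throws RuntimeException (wrapping the jose4j exception) for any token that does not verify;
         *         this surfaces as an error rather than a clean 401/403 to the client.
         */
        @Override
        public String getXenSessionId(String str) {
            try {
                JwtClaims claims = new JwtConsumerBuilder()
                        .setExpectedAudience(true, this.audience)
                        // every token we mint carries exp and sub; never accept one without them
                        .setRequireExpirationTime()
                        .setRequireSubject()
                        .setVerificationKeyResolver(new JwksVerificationKeyResolver(
                                Lists.newArrayList(new JsonWebKey[]{this.rsaJsonWebKey})))
                        .build()
                        .processToClaims(str);
                return claims.getSubject();
            } catch (MalformedClaimException | InvalidJwtException e) {
                throw new RuntimeException(e);
            }
        }

        /** Stateless: there is never an "existing" id, so a new token is minted per response. */
        @Override
        public String getExistingSessionId(String str) {
            return null;
        }

        /** Issues an RS256-signed compact JWS carrying {@code str} as subject. */
        @Override
        public String createSessionId(String str) {
            JsonWebSignature jws = new JsonWebSignature();
            jws.setPayload(createClaims(str).toJson());
            jws.setKey(this.rsaJsonWebKey.getPrivateKey());
            jws.setKeyIdHeaderValue(this.rsaJsonWebKey.getKeyId());
            jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.RSA_USING_SHA256);
            try {
                return jws.getCompactSerialization();
            } catch (JoseException e) {
                throw new RuntimeException(e);
            }
        }

        /**
         * Claims for a session token: sub = XenServer id, aud = configured audience, iat = now,
         * exp = now + 24h, nbf = 2 minutes ago (clock-skew tolerance), plus a random nonce so two
         * tokens for the same XenServer session are never byte-identical.
         */
        private JwtClaims createClaims(String str) {
            JwtClaims claims = new JwtClaims();
            claims.setSubject(str);
            claims.setAudience(this.audience);
            claims.setIssuedAtToNow();
            NumericDate expiry = NumericDate.now();
            expiry.addSeconds(86400L); // 24 hours
            claims.setExpirationTime(expiry);
            claims.setNotBeforeMinutesInThePast(2.0f);
            claims.setClaim("nonce", Long.valueOf(this.random.nextLong()));
            return claims;
        }

        public String getAudience() {
            return this.audience;
        }

        @MCAttribute
        public void setAudience(String str) {
            this.audience = str;
        }

        public Jwk getJwk() {
            return this.jwk;
        }

        @MCChildElement
        @Required
        public void setJwk(Jwk jwk) {
            this.jwk = jwk;
        }
    }

    /** Maps between proxy-issued session ids and the XenServer session ids they stand for. */
    public interface XenSessionManager {
        void init(Router router) throws Exception;

        /** Proxy id -> XenServer id; {@code null} if unknown. Implementations may throw on invalid ids. */
        String getXenSessionId(String str);

        /** XenServer id -> proxy id already issued for it; {@code null} if none (or if stateless). */
        String getExistingSessionId(String str);

        /** Issues a new proxy id for the given XenServer id. */
        String createSessionId(String str);
    }

    @Override
    public void init(Router router) throws Exception {
        super.init(router);
        this.userDataProvider.init(router);
        this.sessionManager.init(router);
    }

    /**
     * Login requests: verify the client's credentials, then substitute the proxy's XenServer account.
     * All other requests: translate the proxy-issued session id back to the XenServer one.
     *
     * @throws RuntimeException {@code "Session not found."} when a non-login request carries no session
     *         id or an id the session manager does not know.
     */
    @Override
    public Outcome handleRequest(Exchange exchange) throws Exception {
        XenCredentialAccessor.XenLoginData login = new XenCredentialAccessor().getLogin(exchange);
        if (login != null) {
            // verify(...) is relied on to throw on bad credentials -- its return value is not
            // consulted here. TODO(review): confirm against the UserDataProvider contract.
            this.userDataProvider.verify(ImmutableMap.of("username", login.username, "password", login.password));
            // Credential substitution: the backend only ever sees our configured account.
            login.username = this.user;
            login.password = this.password;
            new XenCredentialAccessor().replaceLogin(exchange, login);
            return Outcome.CONTINUE;
        }
        // Reject a missing/empty id up front: the in-memory manager would otherwise NPE on a null
        // map key and the JWT manager would fail parsing a null token, both surfacing as 500s.
        String ourSessionId = new XenSessionIdAccessor().getSessionId(exchange, Interceptor.Flow.REQUEST);
        if (ourSessionId == null || ourSessionId.isEmpty()) {
            throw new RuntimeException("Session not found.");
        }
        String xenSessionId = this.sessionManager.getXenSessionId(ourSessionId);
        if (xenSessionId == null) {
            throw new RuntimeException("Session not found.");
        }
        new XenSessionIdAccessor().replaceSessionId(exchange, xenSessionId, Interceptor.Flow.REQUEST);
        return Outcome.CONTINUE;
    }

    /**
     * Replaces a XenServer session id in the response with a proxy-issued one, reusing an existing
     * mapping where the session manager has one. Responses without a session id pass through.
     */
    @Override
    public Outcome handleResponse(Exchange exchange) throws Exception {
        String xenSessionId = new XenSessionIdAccessor().getSessionId(exchange, Interceptor.Flow.RESPONSE);
        if (xenSessionId == null || xenSessionId.isEmpty()) {
            return Outcome.CONTINUE;
        }
        String ourSessionId = this.sessionManager.getExistingSessionId(xenSessionId);
        if (ourSessionId == null) {
            ourSessionId = this.sessionManager.createSessionId(xenSessionId);
        }
        new XenSessionIdAccessor().replaceSessionId(exchange, ourSessionId, Interceptor.Flow.RESPONSE);
        return Outcome.CONTINUE;
    }

    public String getUser() {
        return this.user;
    }

    /** XenServer user name the proxy logs in with. */
    @MCAttribute
    public void setUser(String str) {
        this.user = str;
    }

    public String getPassword() {
        return this.password;
    }

    /** XenServer password the proxy logs in with. */
    @MCAttribute
    public void setPassword(String str) {
        this.password = str;
    }

    public UserDataProvider getUserDataProvider() {
        return this.userDataProvider;
    }

    /** Verifies the credentials clients present to the proxy. */
    @MCChildElement(order = 10)
    public void setUserDataProvider(UserDataProvider userDataProvider) {
        this.userDataProvider = userDataProvider;
    }

    public XenSessionManager getSessionManager() {
        return this.sessionManager;
    }

    @MCChildElement(order = 20)
    public void setSessionManager(XenSessionManager xenSessionManager) {
        this.sessionManager = xenSessionManager;
    }
}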
