package com.predic8.membrane.core.interceptor.session;

import com.bornium.security.oauth2openid.token.IdTokenProvider;
import com.bornium.security.oauth2openid.token.IdTokenVerifier;
import com.google.common.cache.Cache;
import com.google.common.cache.CacheBuilder;
import com.predic8.membrane.annot.MCAttribute;
import com.predic8.membrane.annot.MCChildElement;
import com.predic8.membrane.annot.MCElement;
import com.predic8.membrane.core.Router;
import com.predic8.membrane.core.config.security.Blob;
import com.predic8.membrane.core.exchange.Exchange;
import java.math.BigInteger;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.jose4j.json.JsonUtil;
import org.jose4j.jwk.JsonWebKey;
import org.jose4j.jwk.RsaJsonWebKey;
import org.jose4j.jwk.RsaJwkGenerator;
import org.jose4j.jwk.Use;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.MalformedClaimException;
import org.jose4j.jwt.ReservedClaimNames;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.jwx.HeaderParameterNames;
import org.jose4j.lang.JoseException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@MCElement(name = "jwtSessionManager")
/* loaded from: input_file:WEB-INF/lib/service-proxy-core-4.8.7.jar:com/predic8/membrane/core/interceptor/session/JwtSessionManager.class */
public class JwtSessionManager extends SessionManager {
    private static Logger LOG = LoggerFactory.getLogger((Class<?>) JwtSessionManager.class);
    private Cache<Map, String> jwtCache;
    private RsaJsonWebKey rsaJsonWebKey;
    private Duration validTime;
    private Duration renewalTime;
    IdTokenProvider idTokenProvider;
    IdTokenVerifier idTokenVerifier;
    Jwk jwk;
    private SecureRandom random = new SecureRandom();
    private Duration jwtCacheTime = Duration.ofMinutes(2);
    boolean verbose = false;

    @MCElement(name = HeaderParameterNames.JWK, mixed = true, topLevel = false, id = "jwtSessionManager-jwk")
    /* loaded from: input_file:WEB-INF/lib/service-proxy-core-4.8.7.jar:com/predic8/membrane/core/interceptor/session/JwtSessionManager$Jwk.class */
    public static class Jwk extends Blob {
    }

    @Override // com.predic8.membrane.core.interceptor.session.SessionManager
    public void init(Router router) throws Exception {
        if (this.validTime == null) {
            this.validTime = Duration.ofSeconds(this.expiresAfterSeconds);
        }
        if (this.renewalTime == null) {
            this.renewalTime = this.validTime.dividedBy(3L);
        }
        if (this.jwk == null) {
            this.rsaJsonWebKey = generateKey();
            LOG.warn("jwtSessionManager uses a generated key ('" + this.rsaJsonWebKey.toJson(JsonWebKey.OutputControlLevel.INCLUDE_PRIVATE) + "'). Sessions of this instance will not be compatible with sessions of other (e.g. restarted)instances. To solve this, write the JWK into a file and reference it using <jwtSessionManager><jwk location=\"...\">.");
        } else {
            this.rsaJsonWebKey = new RsaJsonWebKey(JsonUtil.parseJson(this.jwk.get(router.getResolverMap(), router.getBaseLocation())));
        }
        this.idTokenProvider = new IdTokenProvider(this.rsaJsonWebKey);
        this.idTokenVerifier = new IdTokenVerifier(this.idTokenProvider.getJwk());
        this.jwtCache = CacheBuilder.newBuilder().expireAfterWrite(this.jwtCacheTime.toMillis(), TimeUnit.MILLISECONDS).build();
    }

    private RsaJsonWebKey generateKey() throws JoseException {
        RsaJsonWebKey generateJwk = RsaJwkGenerator.generateJwk(2048);
        generateJwk.setKeyId(new BigInteger(130, this.random).toString(32));
        generateJwk.setUse(Use.SIGNATURE);
        generateJwk.setAlgorithm(AlgorithmIdentifiers.RSA_USING_SHA256);
        return generateJwk;
    }

    @Override // com.predic8.membrane.core.interceptor.session.SessionManager
    protected Map<String, Object> cookieValueToAttributes(String str) {
        try {
            return (Map) this.idTokenVerifier.createCustomJwtValidator().setSkipSignatureVerification().build().processToClaims(getCookieKey(str)).getClaimsMap().entrySet().stream().collect(Collectors.toMap(entry -> {
                return (String) entry.getKey();
            }, entry2 -> {
                return entry2.getValue();
            }));
        } catch (InvalidJwtException e) {
            this.log.warn("Could not verify cookie: " + str + "\nPossible Reason: Cookie is not signed by and thus not a session of this instance");
            e.printStackTrace();
            return new HashMap();
        }
    }

    private String getCookieKey(String str) {
        return str.split("=")[0].trim();
    }

    @Override // com.predic8.membrane.core.interceptor.session.SessionManager
    protected Map<Session, String> getCookieValues(Session... sessionArr) {
        return (Map) Stream.of((Object[]) sessionArr).collect(Collectors.toMap(session -> {
            return session;
        }, session2 -> {
            return createJwtRepresentation(session2);
        }));
    }

    private String createJwtRepresentation(Session session) {
        try {
            Map filterSession = filterSession(session.get());
            String ifPresent = this.jwtCache.getIfPresent(filterSession);
            if (ifPresent != null) {
                if (LOG.isDebugEnabled()) {
                    LOG.debug("reusing cookie for: " + filterSession);
                }
                return ifPresent;
            }
            if (LOG.isDebugEnabled()) {
                LOG.debug("encoding cookie: " + filterSession);
            }
            String createIdTokenNoNullClaims = this.idTokenProvider.createIdTokenNoNullClaims(this.issuer, null, null, this.validTime, null, null, new HashMap(filterSession));
            this.jwtCache.put(filterSession, createIdTokenNoNullClaims);
            return createIdTokenNoNullClaims;
        } catch (JoseException e) {
            throw new RuntimeException("Could not create JWT representation of session", e);
        }
    }

    private Map filterSession(Map<String, Object> map) {
        HashMap hashMap = new HashMap(map);
        Stream.of((Object[]) new String[]{"iss", ReservedClaimNames.EXPIRATION_TIME, ReservedClaimNames.NOT_BEFORE, "iat"}).forEach(str -> {
            hashMap.remove(str);
        });
        return hashMap;
    }

    @Override // com.predic8.membrane.core.interceptor.session.SessionManager
    public List<String> getInvalidCookies(Exchange exchange, String str) {
        return (List) Stream.of((Object[]) getAllCookieKeys(exchange)).map(str2 -> {
            return getCookieKey(str2);
        }).filter(str3 -> {
            try {
                checkJwtWithoutVerifyingSignature(str3);
                return true;
            } catch (InvalidJwtException e) {
                if (!this.verbose) {
                    return false;
                }
                e.printStackTrace();
                return false;
            }
        }).filter(str4 -> {
            return !str4.equals(getKeyOfCookie(str));
        }).map(str5 -> {
            return addValueToCookie(str5);
        }).collect(Collectors.toList());
    }

    @Override // com.predic8.membrane.core.interceptor.session.SessionManager
    protected boolean isValidCookieForThisSessionManager(String str) {
        try {
            String cookieKey = getCookieKey(str);
            checkJwtWithoutVerifyingSignature(cookieKey);
            validateSignatureOfJwt(cookieKey);
            return true;
        } catch (InvalidJwtException e) {
            if (!this.verbose) {
                return false;
            }
            e.printStackTrace();
            return false;
        }
    }

    @Override // com.predic8.membrane.core.interceptor.session.SessionManager
    protected boolean cookieRenewalNeeded(String str) {
        try {
            return Instant.ofEpochSecond(processToClaims(str).getIssuedAt().getValue()).plus((TemporalAmount) this.renewalTime).isBefore(Instant.now());
        } catch (MalformedClaimException e) {
            e.printStackTrace();
            return false;
        } catch (InvalidJwtException e2) {
            e2.printStackTrace();
            return false;
        }
    }

    private JwtClaims validateSignatureOfJwt(String str) throws InvalidJwtException {
        return this.idTokenVerifier.createCustomJwtValidator().setExpectedIssuer(this.issuer).build().processToClaims(str);
    }

    private JwtClaims checkJwtWithoutVerifyingSignature(String str) throws InvalidJwtException {
        return new JwtConsumerBuilder().setSkipSignatureVerification().setExpectedIssuer(this.issuer).setRequireExpirationTime().build().processToClaims(str);
    }

    private JwtClaims processToClaims(String str) throws InvalidJwtException {
        return new JwtConsumerBuilder().setSkipSignatureVerification().build().processToClaims(str);
    }

    private String addValueToCookie(String str) {
        return str + "=true";
    }

    private String getKeyOfCookie(String str) {
        return str.split("=true")[0];
    }

    public Jwk getJwk() {
        return this.jwk;
    }

    @MCChildElement
    public void setJwk(Jwk jwk) {
        this.jwk = jwk;
    }

    public boolean isVerbose() {
        return this.verbose;
    }

    @MCAttribute
    public void setVerbose(boolean z) {
        this.verbose = z;
    }

    public Duration getValidTime() {
        return this.validTime;
    }

    public void setValidTime(Duration duration) {
        this.validTime = duration;
    }

    public Duration getRenewalTime() {
        return this.renewalTime;
    }

    public void setRenewalTime(Duration duration) {
        this.renewalTime = duration;
    }

    public Duration getJwtCacheTime() {
        return this.jwtCacheTime;
    }

    public void setJwtCacheTime(Duration duration) {
        this.jwtCacheTime = duration;
    }
}
