package com.predic8.membrane.core.interceptor.oauth2.tokengenerators;

import com.predic8.membrane.annot.MCAttribute;
import com.predic8.membrane.annot.MCChildElement;
import com.predic8.membrane.annot.MCElement;
import com.predic8.membrane.core.Router;
import com.predic8.membrane.core.config.security.Blob;
import com.predic8.membrane.core.interceptor.session.JwtSessionManager;
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.Map;
import java.util.NoSuchElementException;
import java.util.Objects;
import java.util.stream.Collectors;
import org.jose4j.json.JsonUtil;
import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwk.JsonWebKey;
import org.jose4j.jwk.RsaJsonWebKey;
import org.jose4j.jwk.RsaJwkGenerator;
import org.jose4j.jwk.Use;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.MalformedClaimException;
import org.jose4j.jwt.ReservedClaimNames;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.jwx.HeaderParameterNames;
import org.jose4j.lang.JoseException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

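@MCElement(name = "bearerJwtToken")
/**
 * {@link TokenGenerator} that issues self-contained bearer tokens as RS256-signed JWTs.
 *
 * <p>The signing key is either the configured {@code <jwk>} child element or, if none is
 * configured, a freshly generated 2048-bit RSA key (see {@link #init(Router)}). Tokens carry the
 * username as {@code sub}, the client id as the {@code clientId} claim, an optional {@code exp}
 * and any additional claims handed to {@link #getToken(String, String, String, Map)}.
 *
 * <p>Tokens are stateless: nothing is stored server-side, so revocation is not supported
 * ({@link #supportsRevocation()} returns {@code false}).
 */
public class BearerJwtTokenGenerator implements TokenGenerator {
    private static final Logger LOG = LoggerFactory.getLogger(BearerJwtTokenGenerator.class);

    /** Claim name under which the OAuth2 client id is stored in issued tokens. */
    private static final String CLIENT_ID_CLAIM = "clientId";

    /** RSA modulus size of the key generated when no {@code <jwk>} is configured. */
    private static final int GENERATED_KEY_BITS = 2048;

    /** Signing/verification key; set once in {@link #init(Router)}. */
    private RsaJsonWebKey rsaJsonWebKey;
    /** Optional configured key source ({@code <jwk>} child element). */
    private JwtSessionManager.Jwk jwk;
    /** Token lifetime in seconds; {@code 0} means "no {@code exp} claim". */
    private long expiration;
    private final SecureRandom random = new SecureRandom();
    /** Whether to log a warning (including the generated JWK) when no key is configured. */
    private boolean warningGeneratedKey = true;

    /** Configuration element {@code <jwk>} holding the JSON Web Key (inline or via location). */
    @MCElement(name = HeaderParameterNames.JWK, mixed = true, topLevel = false, id = "bearerJwtToken-jwk")
    public static class Jwk extends Blob {
    }

    /**
     * Resolves the signing key: parses the configured {@code <jwk>} if present, otherwise generates
     * a new RSA key and (unless disabled via {@link #setWarningGeneratedKey(boolean)}) logs it.
     *
     * @param router used to resolve the {@code <jwk>} location relative to the configuration
     * @throws Exception if the configured JWK cannot be read or parsed, or key generation fails
     */
    @Override
    public void init(Router router) throws Exception {
        if (jwk != null) {
            rsaJsonWebKey = new RsaJsonWebKey(
                    JsonUtil.parseJson(jwk.get(router.getResolverMap(), router.getBaseLocation())));
            return;
        }
        rsaJsonWebKey = generateKey();
        if (warningGeneratedKey) {
            // NOTE(security): this deliberately writes the complete JWK *including the private key*
            // to the log so an operator can persist it into a <jwk> file. While this is enabled the
            // log sink must be protected like key material; setWarningGeneratedKey(false) disables it.
            LOG.warn("bearerJwtToken uses a generated key ('{}'). Sessions of this instance will not be compatible with sessions of other (e.g. restarted) instances. To solve this, write the JWK into a file and reference it using <bearerJwtToken><jwk location=\"...\">.", rsaJsonWebKey.toJson(JsonWebKey.OutputControlLevel.INCLUDE_PRIVATE));
        }
    }

    /**
     * Generates a fresh RSA signing key with a random {@code kid}, {@code use=sig} and
     * {@code alg=RS256}.
     *
     * @return the generated key pair wrapped as a JWK
     * @throws JoseException if the underlying key pair generation fails
     */
    private RsaJsonWebKey generateKey() throws JoseException {
        RsaJsonWebKey generated = RsaJwkGenerator.generateJwk(GENERATED_KEY_BITS);
        // 130 random bits rendered in base 32 gives an opaque, collision-resistant key id.
        generated.setKeyId(new BigInteger(130, random).toString(32));
        generated.setUse(Use.SIGNATURE);
        generated.setAlgorithm(AlgorithmIdentifiers.RSA_USING_SHA256);
        return generated;
    }

    /** @return the OAuth2 token type, always {@code "Bearer"} */
    @Override
    public String getTokenType() {
        return "Bearer";
    }

    /**
     * Issues a signed JWT for the given user and client.
     *
     * @param username         becomes the {@code sub} claim
     * @param clientId         becomes the {@code clientId} claim
     * @param clientSecret     not used by this generator (presumably the client secret — TODO confirm
     *                         against the {@link TokenGenerator} contract)
     * @param additionalClaims extra claims copied verbatim into the token; may be {@code null}
     * @return the compact JWS serialization of the token
     * @throws RuntimeException wrapping a {@link JoseException} if signing fails
     */
    @Override
    public String getToken(String username, String clientId, String clientSecret, Map<String, Object> additionalClaims) {
        JwtClaims claims = new JwtClaims();
        claims.setSubject(username);
        claims.setClaim(CLIENT_ID_CLAIM, clientId);
        if (expiration != 0) {
            // expiration is configured in seconds; jose4j takes minutes here.
            claims.setExpirationTimeMinutesInTheFuture(((float) expiration) / 60.0f);
        }
        if (additionalClaims != null) {
            // Additional claims are applied last, so a caller can override sub/clientId/exp.
            additionalClaims.forEach(claims::setClaim);
        }
        JsonWebSignature jws = new JsonWebSignature();
        jws.setPayload(claims.toJson());
        jws.setKey(rsaJsonWebKey.getRsaPrivateKey());
        jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.RSA_USING_SHA256);
        jws.setKeyIdHeaderValue(rsaJsonWebKey.getKeyId());
        try {
            return jws.getCompactSerialization();
        } catch (JoseException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Verifies a token's signature (and, if present, its {@code exp}) against this generator's key
     * and returns its claims. Audience validation is skipped because issued tokens carry no
     * {@code aud}.
     *
     * @param token compact JWS serialization as returned by {@link #getToken}
     * @return the verified claims
     * @throws InvalidJwtException if the token is malformed, not signed with this key, uses an
     *                             algorithm other than RS256, or is expired
     */
    public JwtClaims verify(String token) throws InvalidJwtException {
        // Pin the accepted algorithm to the one this generator signs with (RS256) instead of
        // letting the token's own "alg" header choose how it is verified.
        AlgorithmConstraints rs256Only = new AlgorithmConstraints(
                AlgorithmConstraints.ConstraintType.PERMIT, AlgorithmIdentifiers.RSA_USING_SHA256);
        return new JwtConsumerBuilder()
                .setSkipDefaultAudienceValidation()
                .setJwsAlgorithmConstraints(rs256Only)
                .setVerificationKey(rsaJsonWebKey.getPublicKey())
                .build()
                .processToClaims(token);
    }

    /**
     * @param token a token issued by {@link #getToken}
     * @return the {@code sub} claim
     * @throws NoSuchElementException if the token does not verify or the subject claim is malformed
     */
    @Override
    public String getUsername(String token) throws NoSuchElementException {
        try {
            return verify(token).getSubject();
        } catch (MalformedClaimException | InvalidJwtException e) {
            throw new NoSuchElementException(e);
        }
    }

    /**
     * Returns every claim of the token except {@code sub}, {@code clientId} and {@code exp}.
     *
     * @param token a token issued by {@link #getToken}
     * @return an unmodifiable map of the remaining claims (empty if there are none)
     * @throws NoSuchElementException if the token does not verify
     */
    @Override
    public Map<String, Object> getAdditionalClaims(String token) throws NoSuchElementException {
        try {
            // NOTE(review): toUnmodifiableMap rejects null values; a claim explicitly set to null
            // would surface as a NullPointerException here — confirm whether that can occur.
            return verify(token).getClaimsMap().entrySet().stream()
                    .filter(entry -> !isNormalClaim(entry.getKey()))
                    .collect(Collectors.toUnmodifiableMap(Map.Entry::getKey, Map.Entry::getValue));
        } catch (InvalidJwtException e) {
            throw new NoSuchElementException(e);
        }
    }

    /** @return whether {@code claimName} is one of the claims this generator sets itself */
    private boolean isNormalClaim(String claimName) {
        return ReservedClaimNames.SUBJECT.equals(claimName)
                || CLIENT_ID_CLAIM.equals(claimName)
                || ReservedClaimNames.EXPIRATION_TIME.equals(claimName);
    }

    /**
     * @param token a token issued by {@link #getToken}
     * @return the {@code clientId} claim
     * @throws NoSuchElementException if the token does not verify or the claim is not a string
     */
    @Override
    public String getClientId(String token) throws NoSuchElementException {
        try {
            return verify(token).getClaimValue(CLIENT_ID_CLAIM, String.class);
        } catch (MalformedClaimException | InvalidJwtException e) {
            throw new NoSuchElementException(e);
        }
    }

    /**
     * Not supported: tokens are stateless and cannot be revoked. Callers should check
     * {@link #supportsRevocation()} first.
     *
     * @throws IllegalStateException always
     */
    @Override
    public void invalidateToken(String str, String str2, String str3) throws NoSuchElementException {
        throw new IllegalStateException("bearerJwtToken does not support token revocation (see supportsRevocation())");
    }

    /** @return {@code false}; JWT bearer tokens issued here cannot be revoked */
    @Override
    public boolean supportsRevocation() {
        return false;
    }

    /** @return configured token lifetime in seconds, {@code 0} if tokens do not expire */
    @Override
    public long getExpiration() {
        return expiration;
    }

    /**
     * @param j token lifetime in seconds; {@code 0} (the default) issues tokens without {@code exp}
     */
    @MCAttribute
    public void setExpiration(long j) {
        expiration = j;
    }

    public JwtSessionManager.Jwk getJwk() {
        return jwk;
    }

    /**
     * @param jwk the key to sign with; if not set, a key is generated at {@link #init(Router)}
     */
    @MCChildElement
    public void setJwk(JwtSessionManager.Jwk jwk) {
        this.jwk = jwk;
    }

    public boolean isWarningGeneratedKey() {
        return warningGeneratedKey;
    }

    /**
     * @param z whether to log a warning containing the generated JWK (private key included) when no
     *          {@code <jwk>} is configured; defaults to {@code true}
     */
    public void setWarningGeneratedKey(boolean z) {
        warningGeneratedKey = z;
    }

    /**
     * @return the signing key serialized with jose4j's default output level (expected to omit the
     *         RSA private parameters — verify against the jose4j version in use); requires
     *         {@link #init(Router)} to have run
     */
    @Override
    public String getJwkIfAvailable() {
        return rsaJsonWebKey.toJson();
    }
}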
