package org.eclipse.dirigible.oauth.utils;

import com.auth0.jwt.HeaderParams;
import com.auth0.jwt.JWT;
import com.auth0.jwt.RegisteredClaims;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.interfaces.Verification;
import com.google.gson.annotations.SerializedName;
import com.sap.db.util.RsaOaep;
import java.io.IOException;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.RSAPublicKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.commons.codec.binary.Base64;
import org.eclipse.dirigible.commons.api.helpers.GsonHelper;
import org.eclipse.dirigible.commons.config.Configuration;
import org.eclipse.dirigible.oauth.OAuthService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/dirigible-security-oauth-7.2.0.jar:org/eclipse/dirigible/oauth/utils/JwtUtils.class */
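/**
 * Helpers for locating, decoding and verifying the OAuth JWT that identifies the caller.
 *
 * <p>The token is looked up first in the {@code jwt-cookie} cookie and then in the
 * {@code Authorization: Bearer ...} header ({@link #getJwt}). The decoding helpers
 * ({@link #getHeader}, {@link #getClaim}, {@link #getSignature}) only base64url-decode a
 * token segment and parse it as JSON; they perform no signature check. Signature, leeway,
 * audience and issuer are checked exclusively by {@link #verifyJwt}, which
 * {@link #isValidJwt} wraps with a per-session cache of the last verified token.
 *
 * <p>Recovered from {@code dirigible-security-oauth-7.2.0.jar}.
 */
public class JwtUtils {
    private static final String AUTHORIZATION_HEADER = "Authorization";
    private static final String AUTHORIZATION_HEADER_VALUE_BEARER = "Bearer ";
    private static final String JWT_COOKIE_NAME = "jwt-cookie";
    private static final String JWT_SESSION_NAME = "jwt-session";
    // Regex for String.split: a compact JWS is "header.payload.signature".
    private static final String JWT_SPLIT_TOKEN = "\\.";
    private static final int JWT_HEADER = 0;
    private static final int JWT_BODY = 1;
    private static final int JWT_SIGNATURE = 2;
    private static final String SCOPE_SEPARATOR = ".";
    // Tokens are treated as expired this many seconds before their "exp" claim.
    private static final long EXPIRY_MARGIN_SECONDS = 60L;
    private static final Logger logger = LoggerFactory.getLogger(JwtUtils.class);
    // urlSafe = true: JWT segments use the base64url alphabet without padding.
    private static final Base64 BASE64 = new Base64(true);

    /**
     * Claims of a token whose {@code scope} is a single string and whose groups are carried
     * in the {@code cognito:groups} claim (Amazon Cognito layout).
     */
    public static class CognitoJwtClaim extends JwtClaim {
        private String scope;

        @SerializedName("cognito:groups")
        private List<String> cognitoGroups;
        private String username;

        /**
         * Returns the Cognito groups followed by the raw {@code scope} string as one extra
         * element (it is not split on spaces). Never {@code null}: a token without a
         * {@code cognito:groups} claim yields an empty (or scope-only) list.
         */
        @Override
        public List<String> getScope() {
            List<String> scopes = cognitoGroups == null
                    ? new ArrayList<>()
                    : new ArrayList<>(cognitoGroups);
            if (scope != null) {
                scopes.add(scope);
            }
            return scopes;
        }

        /** Returns the {@code username} claim. */
        @Override
        public String getUserName() {
            return username;
        }
    }

    /**
     * Claims shared by all supported token layouts. Instances are produced by Gson from
     * the decoded payload segment; fields that are absent from the token stay
     * {@code null} (or {@code 0} for the numeric ones).
     */
    public static abstract class JwtClaim {

        @SerializedName(RegisteredClaims.JWT_ID)
        private String id;

        @SerializedName("given_name")
        private String givenName;

        @SerializedName("family_name")
        private String familyName;

        @SerializedName(OAuthUtils.PARAM_CLIENT_ID)
        private String clientId;

        @SerializedName(OAuthUtils.PARAM_GRANT_TYPE)
        private String grantType;

        @SerializedName("user_id")
        private String userId;

        @SerializedName("email")
        private String email;

        // Numeric date claims are kept exactly as carried by the token; isExpiredJwt
        // multiplies "exp" by 1000, i.e. it treats them as seconds since the epoch.
        @SerializedName("auth_time")
        private long authTime;

        @SerializedName(RegisteredClaims.ISSUED_AT)
        private long issuedAt;

        @SerializedName(RegisteredClaims.EXPIRES_AT)
        private long expirantionTime;

        @SerializedName(RegisteredClaims.ISSUER)
        private String issuer;

        @SerializedName(RegisteredClaims.AUDIENCE)
        private List<String> audience;

        /** Returns the {@code jti} claim. */
        public String getId() {
            return id;
        }

        /** Returns the {@code given_name} claim. */
        public String getGivenName() {
            return givenName;
        }

        /** Returns the {@code family_name} claim. */
        public String getFamilyName() {
            return familyName;
        }

        /**
         * Returns the scopes/roles granted by the token. May be {@code null} for layouts
         * that do not normalize a missing claim; callers must handle that.
         */
        public abstract List<String> getScope();

        /** Returns the client id claim. */
        public String getClientId() {
            return clientId;
        }

        /** Returns the grant type claim. */
        public String getGrantType() {
            return grantType;
        }

        /** Returns the {@code user_id} claim. */
        public String getUserId() {
            return userId;
        }

        /** Returns the user name; the claim name depends on the token layout. */
        public abstract String getUserName();

        /** Returns the {@code email} claim. */
        public String getEmail() {
            return email;
        }

        /** Returns the {@code auth_time} claim as carried by the token. */
        public long getAuthTime() {
            return authTime;
        }

        /** Returns the {@code iat} claim as carried by the token. */
        public long getIssuedAt() {
            return issuedAt;
        }

        /**
         * Returns the {@code exp} claim as carried by the token.
         * Kept under its historical (misspelled) name for binary compatibility;
         * prefer {@link #getExpirationTime()}.
         */
        public long getExpirantionTime() {
            return expirantionTime;
        }

        /** Returns the {@code exp} claim as carried by the token. */
        public long getExpirationTime() {
            return expirantionTime;
        }

        /** Returns the {@code iss} claim. */
        public String getIssuer() {
            return issuer;
        }

        /** Returns the {@code aud} claim. */
        public List<String> getAudience() {
            return audience;
        }
    }

    /** The decoded JOSE header of a token ({@code typ}, {@code alg}, {@code kid}, {@code jku}). */
    public static class JwtHeader {

        @SerializedName(HeaderParams.TYPE)
        private String type;

        @SerializedName(HeaderParams.ALGORITHM)
        private String algorithm;

        @SerializedName(HeaderParams.KEY_ID)
        private String keyId;

        // NOTE(review): "jku" is only decoded here, nothing in this file fetches it; the
        // verification key always comes from configuration (see verifyJwt).
        @SerializedName("jku")
        private String jwkSetUrl;

        public String getType() {
            return type;
        }

        public void setType(String type) {
            this.type = type;
        }

        public String getAlgorithm() {
            return algorithm;
        }

        public void setAlgorithm(String algorithm) {
            this.algorithm = algorithm;
        }

        public String getKeyId() {
            return keyId;
        }

        public void setKeyId(String keyId) {
            this.keyId = keyId;
        }

        public String getJwkSetUrl() {
            return jwkSetUrl;
        }

        public void setJwkSetUrl(String jwkSetUrl) {
            this.jwkSetUrl = jwkSetUrl;
        }
    }

    /**
     * Claims of a token whose {@code scope} is a JSON array and whose user name is in
     * {@code user_name} (SAP XSUAA layout).
     */
    public static class XsuaaJwtClaim extends JwtClaim {
        private List<String> scope;

        @SerializedName("user_name")
        private String userName;

        /** Returns the {@code scope} claim as-is; {@code null} when the claim is absent. */
        @Override
        public List<String> getScope() {
            return scope;
        }

        /** Returns the {@code user_name} claim. */
        @Override
        public String getUserName() {
            return userName;
        }
    }

    /**
     * Tells whether the token carried by the request grants the given role, either as the
     * application-qualified scope ({@link #getScope(String)}) or as the bare role name.
     *
     * <p>This only decodes the token; it does not verify it. The request must have gone
     * through {@link #isValidJwt} before the answer can be trusted.
     *
     * @param servletRequest the current HTTP request
     * @param role           role/scope name to look for
     * @return {@code true} if the token's scope list contains the role
     * @throws IllegalStateException if the request carries no token or it cannot be decoded
     */
    public static boolean isInRole(ServletRequest servletRequest, String role) {
        List<String> scopes = getClaim(getJwt(servletRequest)).getScope();
        if (scopes == null) {
            return false;
        }
        return scopes.contains(getScope(role)) || scopes.contains(role);
    }

    /**
     * Builds the application-qualified scope name, {@code <application>.<role>}.
     *
     * @param role bare role name
     * @return the qualified scope
     */
    public static String getScope(String role) {
        return OAuthUtils.getOAuthApplicationName() + SCOPE_SEPARATOR + role;
    }

    /**
     * Returns the raw JWT carried by the request, or {@code null} if there is none.
     *
     * <p>The {@code jwt-cookie} cookie takes precedence and its value is returned as-is;
     * only the {@code Authorization: Bearer} fallback is passed through
     * {@link #isValidJwt} here. Callers that accept the cookie value must validate it
     * themselves.
     *
     * @param servletRequest the current request; must be an {@link HttpServletRequest}
     * @return the compact JWT string or {@code null}
     */
    public static String getJwt(ServletRequest servletRequest) {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        String jwt = getJwtFromCookie(request);
        return jwt != null ? jwt : getJwtFromHeader(request);
    }

    /** Returns the value of the first {@code jwt-cookie} cookie, or {@code null}. */
    private static String getJwtFromCookie(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) {
            return null;
        }
        for (Cookie cookie : cookies) {
            if (JWT_COOKIE_NAME.equals(cookie.getName())) {
                return cookie.getValue();
            }
        }
        return null;
    }

    /**
     * Returns the bearer token from the {@code Authorization} header, but only if
     * {@link #isValidJwt} accepts it; otherwise {@code null}. The scheme is matched
     * case-insensitively.
     */
    private static String getJwtFromHeader(HttpServletRequest request) {
        String header = request.getHeader(AUTHORIZATION_HEADER);
        if (header == null) {
            return null;
        }
        String prefix = AUTHORIZATION_HEADER_VALUE_BEARER;
        if (!header.regionMatches(true, 0, prefix, 0, prefix.length())) {
            return null;
        }
        String token = header.substring(prefix.length());
        return isValidJwt(request, token) ? token : null;
    }

    /**
     * Stores the token in the {@code jwt-cookie} cookie of the response.
     *
     * @param servletResponse the response; must be an {@link HttpServletResponse}
     * @param jwt             the compact JWT to set
     */
    public static void setJwt(ServletResponse servletResponse, String jwt) {
        ((HttpServletResponse) servletResponse).addCookie(createJwtCookie(jwt));
    }

    /** Builds the site-wide ({@code path=/}) cookie that carries the token. */
    private static Cookie createJwtCookie(String jwt) {
        Cookie cookie = new Cookie(JWT_COOKIE_NAME, jwt);
        cookie.setPath("/");
        // NOTE(review): the cookie holds the bearer token but is issued without
        // HttpOnly/Secure attributes. Confirm whether browser-side code needs to read it
        // before tightening; until then the token is reachable from page scripts.
        return cookie;
    }

    /**
     * Decodes the header segment of the token.
     *
     * @param jwt compact JWT; may be {@code null}
     * @return the parsed header, or {@code null} if {@code jwt} is {@code null} or malformed
     */
    public static JwtHeader getHeader(String jwt) {
        String header = getToken(jwt, JWT_HEADER);
        if (header == null) {
            return null;
        }
        return (JwtHeader) GsonHelper.fromJson(header, JwtHeader.class);
    }

    /**
     * Decodes the payload segment, trying the XSUAA layout first and the Cognito layout
     * second. No signature check is performed.
     *
     * @param jwt compact JWT; may be {@code null}
     * @return the parsed claims
     * @throws IllegalStateException if the token is missing, malformed, or fits neither layout
     */
    public static JwtClaim getClaim(String jwt) {
        String body = getToken(jwt, JWT_BODY);
        if (body == null) {
            throw new IllegalStateException("Unable to parse JWT, it is neither XSUAA nor Cognito compliant token.");
        }
        try {
            return (JwtClaim) GsonHelper.fromJson(body, XsuaaJwtClaim.class);
        } catch (RuntimeException xsuaaFailure) {
            // A Cognito token has a string "scope", which fails the List<String> mapping above.
            try {
                return (JwtClaim) GsonHelper.fromJson(body, CognitoJwtClaim.class);
            } catch (RuntimeException cognitoFailure) {
                IllegalStateException failure = new IllegalStateException(
                        "Unable to parse JWT, it is neither XSUAA nor Cognito compliant token.", cognitoFailure);
                failure.addSuppressed(xsuaaFailure);
                throw failure;
            }
        }
    }

    /**
     * Returns the signature segment, still base64url-encoded.
     *
     * @param jwt compact JWT; may be {@code null}
     * @return the raw signature segment, or {@code null} if missing
     */
    public static String getSignature(String jwt) {
        return getToken(jwt, JWT_SIGNATURE, false);
    }

    /** Returns the given segment base64url-decoded as UTF-8 text. */
    private static String getToken(String jwt, int part) {
        return getToken(jwt, part, true);
    }

    /**
     * Splits the compact token on {@code .} and returns one segment.
     *
     * @param jwt    compact JWT; may be {@code null}
     * @param part   segment index ({@link #JWT_HEADER}, {@link #JWT_BODY}, {@link #JWT_SIGNATURE})
     * @param decode whether to base64url-decode the segment into UTF-8 text
     * @return the segment, or {@code null} if {@code jwt} is {@code null} or has too few segments
     */
    private static String getToken(String jwt, int part, boolean decode) {
        if (jwt == null) {
            return null;
        }
        String[] segments = jwt.split(JWT_SPLIT_TOKEN);
        // Malformed or truncated tokens (e.g. no dots) must not blow up with
        // ArrayIndexOutOfBoundsException in the request path.
        if (part < 0 || part >= segments.length) {
            return null;
        }
        String segment = segments[part];
        // JWT JSON segments are UTF-8 by specification; do not depend on the platform charset.
        return decode ? new String(BASE64.decode(segment), StandardCharsets.UTF_8) : segment;
    }

    /**
     * Verifies the token, caching success in the HTTP session so that the same token is
     * not re-verified on every request of that session.
     *
     * <p>A token equal to the session's cached token is accepted without calling
     * {@link #verifyJwt} again; expiry is not re-checked here (see {@link #isExpiredJwt}).
     * A failed verification clears the cache and is logged.
     *
     * @param servletRequest the current request; must be an {@link HttpServletRequest}
     * @param jwt            compact JWT to verify
     * @return {@code true} if the token verified now or earlier in this session
     */
    public static boolean isValidJwt(ServletRequest servletRequest, String jwt) {
        String sessionToken = getSessionToken(servletRequest);
        if (sessionToken != null && sessionToken.equals(jwt)) {
            return true;
        }
        try {
            verifyJwt(jwt);
            setSessionToken(servletRequest, jwt);
            return true;
        } catch (IOException | GeneralSecurityException | RuntimeException e) {
            removeSessionToken(servletRequest);
            if (logger.isErrorEnabled()) {
                logger.error(e.getMessage(), e);
            }
            return false;
        }
    }

    /**
     * Verifies the token's RS256 signature against the configured verification key, with
     * 1 s of leeway on the date claims and 5 s on {@code exp}. Audience and issuer are
     * additionally checked unless disabled via
     * {@link OAuthService#DIRIGIBLE_OAUTH_CHECK_AUDIENCE_ENABLED} /
     * {@link OAuthService#DIRIGIBLE_OAUTH_CHECK_ISSUER_ENABLED} (both default to enabled).
     *
     * @param jwt compact JWT
     * @throws IOException              if the verification key cannot be read
     * @throws GeneralSecurityException if the verification key is missing or invalid
     * @throws com.auth0.jwt.exceptions.JWTVerificationException if the token does not verify
     */
    public static void verifyJwt(String jwt) throws IOException, GeneralSecurityException {
        RSAPublicKey publicKey = getPublicKeyFromString(OAuthUtils.getOAuthVerificationKey());
        // Public key only (private key null): this Algorithm instance can verify, not sign.
        Verification verification = JWT.require(Algorithm.RSA256(publicKey, null))
                .acceptLeeway(1L)
                .acceptExpiresAt(5L);
        if (isCheckEnabled(OAuthService.DIRIGIBLE_OAUTH_CHECK_AUDIENCE_ENABLED)) {
            verification = verification.withAudience(OAuthUtils.getOAuthClientId());
        }
        if (isCheckEnabled(OAuthService.DIRIGIBLE_OAUTH_CHECK_ISSUER_ENABLED)) {
            // Either the token URL or the configured issuer is accepted as "iss".
            verification = verification.withIssuer(OAuthUtils.getOAuthTokenUrl(), OAuthUtils.getOAuthIssuer());
        }
        verification.build().verify(jwt);
    }

    /** Reads a boolean configuration switch that defaults to {@code true} when unset. */
    private static boolean isCheckEnabled(String configKey) {
        return Boolean.parseBoolean(Configuration.get(configKey, Boolean.TRUE.toString()));
    }

    /**
     * Tells whether the token is within {@value #EXPIRY_MARGIN_SECONDS} seconds of (or past)
     * its {@code exp} claim; if so the session cache is cleared so the token is re-verified.
     *
     * @param servletRequest the current request; must be an {@link HttpServletRequest}
     * @param jwt            compact JWT
     * @return {@code true} if the token is (about to be) expired
     * @throws IllegalStateException if the token cannot be decoded
     */
    public static boolean isExpiredJwt(ServletRequest servletRequest, String jwt) {
        long expiresAtMillis = (getClaim(jwt).getExpirantionTime() - EXPIRY_MARGIN_SECONDS) * 1000L;
        boolean expired = System.currentTimeMillis() >= expiresAtMillis;
        if (expired) {
            removeSessionToken(servletRequest);
        }
        return expired;
    }

    /**
     * Returns the token cached in the session, or {@code null}. Does not create a session
     * for requests that have none (bearer-only API calls).
     */
    private static String getSessionToken(ServletRequest servletRequest) {
        HttpSession session = ((HttpServletRequest) servletRequest).getSession(false);
        return session != null ? (String) session.getAttribute(JWT_SESSION_NAME) : null;
    }

    /** Caches a verified token in the session, creating the session if needed. */
    private static void setSessionToken(ServletRequest servletRequest, String jwt) {
        HttpSession session = ((HttpServletRequest) servletRequest).getSession();
        if (session != null) {
            session.setAttribute(JWT_SESSION_NAME, jwt);
        }
    }

    /** Drops the cached token; a no-op when the request has no session. */
    private static void removeSessionToken(ServletRequest servletRequest) {
        HttpSession session = ((HttpServletRequest) servletRequest).getSession(false);
        if (session != null) {
            session.removeAttribute(JWT_SESSION_NAME);
        }
    }

    /**
     * Builds the RSA verification key from configuration.
     *
     * <p>If {@link OAuthService#DIRIGIBLE_OAUTH_VERIFICATION_KEY_EXPONENT} is set, the key
     * string is the base64url modulus and the exponent is base64url too; otherwise the key
     * string is a PEM/X.509 SubjectPublicKeyInfo whose armor lines are stripped.
     *
     * @param key the configured key material; must not be {@code null}
     * @return the RSA public key
     * @throws IOException              declared for callers; not thrown by this body
     * @throws GeneralSecurityException if the key is missing or cannot be built
     */
    private static RSAPublicKey getPublicKeyFromString(String key) throws IOException, GeneralSecurityException {
        if (key == null) {
            throw new GeneralSecurityException("OAuth verification key is not configured");
        }
        // The "RSA" algorithm name is taken from the HANA driver's RsaOaep constant.
        KeyFactory keyFactory = KeyFactory.getInstance(RsaOaep.JAVA_ALGORITHM_NAME);
        String keyBody = key.replace("\r", "")
                .replace("\n", "")
                .replace("-----BEGIN PUBLIC KEY-----", "")
                .replace("-----END PUBLIC KEY-----", "");
        String exponent = Configuration.get(OAuthService.DIRIGIBLE_OAUTH_VERIFICATION_KEY_EXPONENT);
        if (exponent != null) {
            // signum 1: the decoded bytes are an unsigned magnitude.
            BigInteger modulus = new BigInteger(1, BASE64.decode(keyBody));
            BigInteger publicExponent = new BigInteger(1, BASE64.decode(exponent));
            return (RSAPublicKey) keyFactory.generatePublic(new RSAPublicKeySpec(modulus, publicExponent));
        }
        return (RSAPublicKey) keyFactory.generatePublic(new X509EncodedKeySpec(BASE64.decode(keyBody)));
    }
}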
