package org.mycore.frontend.jersey;

import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTCreator;
import com.auth0.jwt.algorithms.Algorithm;
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonGenerator;
import java.io.File;
import java.io.IOException;
import java.io.StringWriter;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardOpenOption;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Date;
import java.util.Objects;
import java.util.stream.Stream;
import javax.servlet.ServletContext;
import javax.ws.rs.core.Response;
import org.apache.logging.log4j.LogManager;
import org.mycore.common.MCRUserInformation;
import org.mycore.common.config.MCRConfiguration2;
import org.mycore.common.config.MCRConfigurationDir;
import org.mycore.common.config.MCRConfigurationException;
import org.mycore.common.events.MCRStartupHandler;
import org.mycore.datamodel.metadata.MCRMetaDefault;

/* loaded from: input_file:org/mycore/frontend/jersey/MCRJWTUtil.class */
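/**
 * Helpers for issuing JSON Web Tokens (JWT) for REST logins and for the JSON
 * bodies returned by the login/renew endpoints.
 *
 * <p>The HMAC signing key is loaded (or generated on first start) by
 * {@link #startUp(ServletContext)} from the configuration file {@code jwt.secret};
 * until that has run with a non-null {@link ServletContext},
 * {@link #getJWTAlgorithm()} returns {@code null}.
 */
public class MCRJWTUtil implements MCRStartupHandler.AutoExecutable {
    /** Claim holding the roles (from {@value #ROLES_PROPERTY}) the user actually has. */
    public static final String JWT_CLAIM_ROLES = "mcr:roles";
    public static final String JWT_CLAIM_IP = "mcr:ip";
    /** Prefix for claims that carry a user attribute (see {@link #getJWTBuilder}). */
    public static final String JWT_USER_ATTRIBUTE_PREFIX = "mcr:ua:";
    private static final JsonFactory JSON_FACTORY = new JsonFactory();
    private static final String ROLES_PROPERTY = "MCR.Rest.JWT.Roles";
    /** Name of the secret file inside the MyCoRe configuration directory. */
    private static final String SECRET_FILE_NAME = "jwt.secret";
    /**
     * Minimum recommended key length for HMAC-SHA-512: the digest output length
     * (64 bytes, RFC 2104 section 3). Shorter keys are accepted but warned about.
     */
    private static final int MIN_SECRET_LENGTH = 64;
    /** Owner-only permissions used for a newly generated secret file on POSIX file systems. */
    private static final String SECRET_FILE_PERMISSIONS = "rw-------";
    private static Algorithm SHARED_SECRET;

    /** Writes the fields of a single JSON object; used by the response helpers below. */
    @FunctionalInterface
    private interface JsonObjectBody {
        void writeFields(JsonGenerator generator) throws IOException;
    }

    /**
     * Creates a JWT builder pre-filled with the standard claims for the given user.
     *
     * <p>Set: {@code iat} (now), {@code sub} (user id), {@value #JWT_CLAIM_ROLES}
     * (configured roles the user is in), {@code email} and {@code name}, and one
     * {@value #JWT_USER_ATTRIBUTE_PREFIX}-prefixed claim per requested user attribute
     * that has a non-null value. The token is not signed here.
     *
     * @param userInformation user to describe, must not be {@code null}
     * @param userAttributes additional user attributes to copy into claims; may be {@code null}
     * @return a builder the caller can extend and sign
     * @throws NullPointerException if {@code userInformation} is {@code null}
     * @throws MCRConfigurationException if {@value #ROLES_PROPERTY} is not configured
     */
    public static JWTCreator.Builder getJWTBuilder(MCRUserInformation userInformation, String... userAttributes) {
        Objects.requireNonNull(userInformation, "userInformation");
        Stream<String> configuredRoles = MCRConfiguration2.getOrThrow(ROLES_PROPERTY, MCRConfiguration2::splitValue);
        // only roles the user really holds end up in the token
        String[] roles = configuredRoles.filter(userInformation::isUserInRole).toArray(String[]::new);
        JWTCreator.Builder builder = JWT.create()
            .withIssuedAt(new Date())
            .withSubject(userInformation.getUserID())
            .withArrayClaim(JWT_CLAIM_ROLES, roles)
            .withClaim("email", userInformation.getUserAttribute(MCRUserInformation.ATT_EMAIL))
            .withClaim("name", userInformation.getUserAttribute(MCRUserInformation.ATT_REAL_NAME));
        if (userAttributes != null) {
            for (String attribute : userAttributes) {
                String value = userInformation.getUserAttribute(attribute);
                if (value != null) {
                    builder.withClaim(JWT_USER_ATTRIBUTE_PREFIX + attribute, value);
                }
            }
        }
        return builder;
    }

    /**
     * Returns the HMAC-SHA-512 algorithm backed by the shared secret.
     *
     * @return the signing/verification algorithm, or {@code null} if
     *         {@link #startUp(ServletContext)} has not initialised it yet
     */
    public static Algorithm getJWTAlgorithm() {
        return SHARED_SECRET;
    }

    /**
     * Builds the {@code 200 OK} response for a successful login.
     *
     * <p>Body: {@code {"login_success":true,"access_token":...,"token_type":"Bearer"}};
     * the token is additionally sent in an {@code Authorization: Bearer} header.
     *
     * @param token the signed JWT
     * @return the response
     * @throws IOException if the JSON body could not be written
     */
    public static Response getJWTLoginSuccessResponse(String token) throws IOException {
        String json = toJsonObject(generator -> {
            generator.writeBooleanField("login_success", true);
            generator.writeStringField("access_token", token);
            generator.writeStringField("token_type", "Bearer");
        });
        return tokenResponse(token, json);
    }

    /**
     * Builds the {@code 200 OK} response for a successful token renewal.
     *
     * <p>Body: {@code {"executed":true,"access_token":...,"token_type":"Bearer"}};
     * the token is additionally sent in an {@code Authorization: Bearer} header.
     *
     * @param token the renewed, signed JWT
     * @return the response
     * @throws IOException if the JSON body could not be written
     */
    public static Response getJWTRenewSuccessResponse(String token) throws IOException {
        String json = toJsonObject(generator -> {
            generator.writeBooleanField("executed", true);
            generator.writeStringField("access_token", token);
            generator.writeStringField("token_type", "Bearer");
        });
        return tokenResponse(token, json);
    }

    /**
     * Builds the {@code 403 Forbidden} response for a failed login.
     *
     * <p>Body: {@code {"login_success":false,"error":"login_failed","error_description":...}}.
     * The description is returned to the client verbatim, so callers should pass a
     * message that is safe to disclose.
     *
     * @param errorDescription human-readable reason, written as {@code error_description}
     * @return the response
     * @throws IOException if the JSON body could not be written
     */
    public static Response getJWTLoginErrorResponse(String errorDescription) throws IOException {
        String json = toJsonObject(generator -> {
            generator.writeBooleanField("login_success", false);
            generator.writeStringField("error", "login_failed");
            generator.writeStringField("error_description", errorDescription);
        });
        return Response.status(Response.Status.FORBIDDEN).entity(json).build();
    }

    /** Serialises one JSON object whose fields are written by {@code body}. */
    private static String toJsonObject(JsonObjectBody body) throws IOException {
        StringWriter out = new StringWriter();
        try (JsonGenerator generator = JSON_FACTORY.createGenerator(out)) {
            generator.writeStartObject();
            body.writeFields(generator);
            generator.writeEndObject();
        }
        return out.toString();
    }

    /** {@code 200 OK} with the token both in the JSON entity and the Authorization header. */
    private static Response tokenResponse(String token, String json) {
        return Response.status(Response.Status.OK)
            .header("Authorization", "Bearer " + token)
            .entity(json)
            .build();
    }

    @Override // org.mycore.common.events.MCRStartupHandler.AutoExecutable
    public String getName() {
        return "JSON WebToken Services";
    }

    @Override // org.mycore.common.events.MCRStartupHandler.AutoExecutable
    public int getPriority() {
        return 0;
    }

    /**
     * Loads the shared HMAC secret from {@code jwt.secret} in the configuration
     * directory, generating and storing a fresh random secret if the file does not
     * exist yet. Does nothing when {@code servletContext} is {@code null}
     * (presumably a non-web start; the JWT services are then left uninitialised).
     *
     * @param servletContext the web application context, or {@code null}
     * @throws MCRConfigurationException if the secret file cannot be read or
     *         created, or if it is empty
     */
    @Override // org.mycore.common.events.MCRStartupHandler.AutoExecutable
    public void startUp(ServletContext servletContext) {
        if (servletContext == null) {
            return;
        }
        File configFile = MCRConfigurationDir.getConfigFile(SECRET_FILE_NAME);
        byte[] secret = configFile.isFile() ? readSharedSecret(configFile) : createSharedSecret(configFile);
        // Algorithm.HMAC512 would silently accept an empty key; treat that as misconfiguration
        if (secret.length == 0) {
            throw new MCRConfigurationException("Shared secret file is empty: " + configFile.getAbsolutePath());
        }
        if (secret.length < MIN_SECRET_LENGTH) {
            LogManager.getLogger().warn("Shared secret in {} is only {} bytes long; at least {} bytes are recommended for HMAC-SHA-512.",
                configFile, secret.length, MIN_SECRET_LENGTH);
        }
        SHARED_SECRET = Algorithm.HMAC512(secret);
    }

    /** Reads an existing secret file completely. */
    private static byte[] readSharedSecret(File configFile) {
        try {
            return Files.readAllBytes(configFile.toPath());
        } catch (IOException e) {
            throw new MCRConfigurationException("Could not read shared secret from file: " + configFile.getAbsolutePath(), e);
        }
    }

    /**
     * Generates a new random secret with the strongest available {@link SecureRandom}
     * and stores it in {@code configFile}, which must not exist yet.
     */
    private static byte[] createSharedSecret(File configFile) {
        byte[] secret = new byte[MCRMetaDefault.DEFAULT_STRING_LENGTH];
        try {
            // getInstanceStrong() may block until enough entropy is available
            LogManager.getLogger().warn("Creating shared secret file ({}) for JSON Web Token. This may take a while. Please wait...", configFile);
            SecureRandom.getInstanceStrong().nextBytes(secret);
            Path path = configFile.toPath();
            createOwnerOnlyFile(path);
            Files.write(path, secret, StandardOpenOption.WRITE, StandardOpenOption.TRUNCATE_EXISTING);
            return secret;
        } catch (IOException | NoSuchAlgorithmException e) {
            throw new MCRConfigurationException("Could not create shared secret in file: " + configFile.getAbsolutePath(), e);
        }
    }

    /**
     * Creates {@code path} (failing if it already exists) with owner-only permissions
     * where the file system supports POSIX permissions; otherwise with the defaults.
     */
    private static void createOwnerOnlyFile(Path path) throws IOException {
        try {
            Files.createFile(path, PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString(SECRET_FILE_PERMISSIONS)));
        } catch (UnsupportedOperationException e) {
            // non-POSIX file system (e.g. Windows): rely on the directory's default ACL
            Files.createFile(path);
        }
    }
}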
