package org.summerboot.jexpress.security.auth;

import com.fasterxml.jackson.annotation.JsonIgnore;
import io.jsonwebtoken.JwtParser;
import io.jsonwebtoken.Jwts;
import java.io.File;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.NoSuchAlgorithmException;
import java.security.spec.InvalidKeySpecException;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;
import java.util.Set;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;
import org.bouncycastle.operator.OperatorCreationException;
import org.summerboot.jexpress.boot.config.BootConfig;
import org.summerboot.jexpress.boot.config.ConfigUtil;
import org.summerboot.jexpress.boot.config.annotation.Config;
import org.summerboot.jexpress.boot.config.annotation.Memo;
import org.summerboot.jexpress.integration.ldap.LdapAgent;
import org.summerboot.jexpress.integration.ldap.LdapSSLConnectionFactory;
import org.summerboot.jexpress.security.EncryptorUtil;
import org.summerboot.jexpress.security.JwtUtil;
import org.summerboot.jexpress.security.auth.RoleMapping;

/* loaded from: input_file:org/summerboot/jexpress/security/auth/AuthConfig.class */
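/**
 * Authentication configuration: LDAP connection and client-TLS settings, JWT signing/parsing
 * keys, and the role-to-group/user mapping.
 *
 * <p>The annotated fields are populated from the application properties by {@link BootConfig};
 * {@link #loadCustomizedConfigs} then derives the runtime objects from them (LDAP connection
 * {@link Properties}, the JWT signing {@link Key} and {@link JwtParser}, and the role map).
 *
 * <p>Secret-bearing fields (LDAP binding password, private-key password, symmetric JWT key) and
 * the derived key/parser objects carry {@link JsonIgnore} so they are not emitted when this
 * config is serialized.
 */
public class AuthConfig extends BootConfig {
    public static final AuthConfig CFG = new AuthConfig();

    @Config(key = "ldap.type.AD", defaultValue = "false", desc = "set it true only when LDAP is implemented by Microsoft Active Directory (AD)\nfalse when use others like Open LDAP, IBM Tivoli, Apache")
    @Memo(title = "1.1 LDAP connection settings")
    private volatile boolean typeAD = false;

    // LDAP is disabled entirely when no host is configured (see loadCustomizedConfigs).
    @Config(key = "ldap.host", required = false, desc = "LDAP will be disabled when host is not provided")
    private volatile String ldapHost;

    @Config(key = "ldap.port", required = false, desc = "LDAP 389, LDAP over SSL 636, AD global 3268, AD global voer SSL 3269")
    private volatile int ldapPort;

    @Config(key = "ldap.baseDN")
    private volatile String ldapBaseDN;

    @Config(key = "ldap.bindingUserDN", required = false)
    private volatile String bindingUserDN;

    // Secret: stored encrypted in the properties file and never serialized.
    @Config(key = "ldap.bindingPassword", validate = Config.Validate.Encrypted, required = false)
    @JsonIgnore
    private volatile String bindingPassword;

    @Config(key = "ldap.TenantGroupName", required = false)
    private volatile String ldapTenantGroupName;

    @Config(key = "ldap.ssl.protocol", defaultValue = "TLSv1.3")
    @Memo(title = "1.2 LDAP Client keystore")
    private volatile String ldapTLSProtocol;

    // Client keystore; its presence is what switches the LDAP connection to TLS.
    @Config(key = "ldap.ssl.KeyStore", StorePwdKey = "ldap.ssl.KeyStorePwd", AliasKey = "ldap.ssl.KeyAlias", AliasPwdKey = "ldap.ssl.KeyPwd", required = false)
    @JsonIgnore
    private volatile KeyManagerFactory kmf;

    @Config(key = "ldap.ssl.TrustStore", StorePwdKey = "ldap.ssl.TrustStorePwd", required = false)
    @JsonIgnore
    @Memo(title = "1.3 LDAP Client truststore")
    private volatile TrustManagerFactory tmf;

    // Derived LDAP connection properties; built from the fields above, including the binding
    // password, which is why the getter is @JsonIgnore as well.
    private volatile Properties ldapConfig;

    @Config(key = "jwt.asymmetric.SigningKeyFile", required = false, desc = "Path to an encrypted RSA private key file in PKCS#8 format with minimal 2048 key size. To generate the keypair manually:\n1. generate keypair: openssl genrsa -des3 -out keypair.pem 4096 \n2. export public key: openssl rsa -in keypair.pem -outform PEM -pubout -out public.pem \n3. export private key: openssl rsa -in keypair.pem -out private_unencrypted.pem -outform PEM \n4. encrypt and convert private key from PKCS#1 to PKCS#8: openssl pkcs8 -topk8 -inform PEM -outform PEM -in private_unencrypted.pem -out private.pem")
    @Memo(title = "2. JWT")
    private volatile File privateKeyFile;

    // Secret: required in practice whenever privateKeyFile is set (the file is encrypted).
    @Config(key = "jwt.asymmetric.SigningKeyPwd", validate = Config.Validate.Encrypted, required = false, desc = "The password of this private key")
    @JsonIgnore
    private volatile String privateKeyPwd;

    @Config(key = "jwt.asymmetric.ParsingKeyFile", required = false, desc = "Path to the public key file corresponding to this private key")
    private volatile File publicKeyFile;

    // Secret: HMAC key used for both signing and verification when no asymmetric keys are set.
    @Config(key = "jwt.symmetric.key", validate = Config.Validate.Encrypted, required = false, desc = "HMAC-SHA key for bothe signing and parsing, it will be ignored when asymmetric one is specified.\nUse this command to generate this key: java -jar <app>.jar -jwt <HS256, HS384, HS512>")
    @JsonIgnore
    private volatile String symmetricKey;

    // Derived: HMAC key or RSA private key, depending on the configuration.
    @JsonIgnore
    private volatile Key jwtSigningKey;

    // Derived: parser bound to the HMAC key or the RSA public key.
    @JsonIgnore
    private volatile JwtParser jwtParser;

    @Config(key = "jwt.ttl.minutes", defaultValue = "1440")
    private volatile int jwtTTLMinutes;

    @Config(key = "jwt.issuer", required = false)
    private volatile String jwtIssuer;

    // Immutable snapshot built in loadCustomizedConfigs; starts empty so the role getters are
    // usable (and return "no roles") before the configuration has been loaded.
    @Memo(title = "3. Role mapping", desc = "Map the role with user group (no matter the group is defined in LDAP or DB)", format = "roles.<role name>.groups=csv list\nroles.<role name>.users=csv list", example = "the following example maps one group(AppAdmin_Group) and two users(johndoe, janejoe) to a role(AppAdmin)\nroles.AppAdmin.groups=AppAdmin_Group\nroles.AppAdmin.users=johndoe, janejoe")
    private volatile Map<String, RoleMapping> roles = Map.of();

    /**
     * Prints the properties template generated from this class's {@code @Config}/{@code @Memo}
     * annotations to standard output.
     *
     * @param strArr command-line arguments (unused)
     */
    public static void main(String[] strArr) {
        System.out.println(generateTemplate(AuthConfig.class));
    }

    /** Nothing to release: this config holds no connections or background resources. */
    @Override // org.summerboot.jexpress.boot.config.JExpressConfig
    public void shutdown() {
    }

    /**
     * Derives the runtime objects from the populated fields: the LDAP connection properties
     * (when {@code ldap.host} is set), the JWT signing key and parser, and the role mapping
     * collected from every {@code roles.<role name>.<type>} property.
     *
     * <p>The symmetric key is applied first; an asymmetric key file configured afterwards
     * replaces the signing key, and a public key file replaces the parser.
     *
     * @param file       the configuration file being loaded
     * @param z          flag passed through by {@link BootConfig}
     * @param configUtil collector of validation errors raised while the fields were populated
     * @param properties the raw properties the fields were read from
     * @throws IllegalArgumentException when {@code configUtil} reports an error, when a private
     *                                  key file is configured without its password, or when a
     *                                  {@code roles.*} key is malformed
     * @throws NoSuchAlgorithmException propagated from key loading
     * @throws InvalidKeySpecException  propagated from key loading
     * @throws IOException              propagated from reading the key files
     * @throws OperatorCreationException propagated from key loading
     * @throws GeneralSecurityException propagated from TLS/key initialisation
     */
    @Override // org.summerboot.jexpress.boot.config.BootConfig
    protected void loadCustomizedConfigs(File file, boolean z, ConfigUtil configUtil, Properties properties) throws NoSuchAlgorithmException, InvalidKeySpecException, IOException, OperatorCreationException, GeneralSecurityException {
        if (this.ldapHost != null) {
            // LDAP over TLS is enabled exactly when a client keystore is configured.
            boolean useSsl = this.kmf != null;
            String sslFactoryClassName = null;
            if (useSsl) {
                LdapSSLConnectionFactory.init(
                        this.kmf.getKeyManagers(),
                        this.tmf == null ? null : this.tmf.getTrustManagers(),
                        this.ldapTLSProtocol);
                sslFactoryClassName = LdapSSLConnectionFactory.class.getName();
            }
            this.ldapConfig = LdapAgent.buildCfg(this.ldapHost, this.ldapPort, useSsl, sslFactoryClassName,
                    this.ldapTLSProtocol, this.bindingUserDN, this.bindingPassword);
        }

        if (this.symmetricKey != null) {
            this.jwtSigningKey = JwtUtil.parseSigningKey(this.symmetricKey);
            this.jwtParser = Jwts.parserBuilder().setSigningKey(this.jwtSigningKey).build();
        }
        if (this.privateKeyFile != null) {
            // The key file is documented as encrypted, so a missing password is a configuration
            // error; fail with the offending key names rather than a NullPointerException.
            if (this.privateKeyPwd == null) {
                throw new IllegalArgumentException(
                        "jwt.asymmetric.SigningKeyPwd is required when jwt.asymmetric.SigningKeyFile is set");
            }
            this.jwtSigningKey = EncryptorUtil.loadPrivateKey(this.privateKeyFile, this.privateKeyPwd.toCharArray());
        }
        if (this.publicKeyFile != null) {
            this.jwtParser = Jwts.parserBuilder()
                    .setSigningKey(EncryptorUtil.loadPublicKey(EncryptorUtil.KeyFileType.PKCS12, this.publicKeyFile))
                    .build();
        }
        // NOTE(review): with jwt.symmetric.key plus SigningKeyFile but no ParsingKeyFile, tokens are
        // signed with the RSA key while jwtParser still verifies with the HMAC key. That pairing is
        // left as configured here; confirm whether it should be rejected.

        String error = configUtil.getError();
        if (error != null) {
            throw new IllegalArgumentException(error);
        }

        this.roles = Map.copyOf(parseRoleMappings(properties));
    }

    /**
     * Collects every {@code roles.<role name>.<type>} property into one {@link RoleMapping}
     * per role name.
     *
     * @param properties the raw application properties
     * @return mutable map from role name to its mapping (empty when no {@code roles.} keys exist)
     * @throws IllegalArgumentException when a {@code roles.} key has fewer than three dot-separated
     *                                  parts, an empty role name, or an unknown type segment
     */
    private static Map<String, RoleMapping> parseRoleMappings(Properties properties) {
        Map<String, RoleMapping> mappings = new HashMap<>();
        for (Object keyObject : properties.keySet()) {
            String key = keyObject.toString();
            if (!key.startsWith("roles.")) {
                continue;
            }
            // Extra segments beyond the third are ignored, as before; too few is a hard error.
            String[] parts = key.split("\\.");
            if (parts.length < 3 || parts[1].isEmpty()) {
                throw new IllegalArgumentException(
                        "invalid role mapping key '" + key + "', expected roles.<role name>.<type>");
            }
            String roleName = parts[1];
            RoleMapping.Type type;
            try {
                type = RoleMapping.Type.valueOf(parts[2]);
            } catch (IllegalArgumentException e) {
                throw new IllegalArgumentException(
                        "invalid role mapping key '" + key + "': unknown type '" + parts[2] + "'", e);
            }
            RoleMapping mapping = mappings.computeIfAbsent(roleName, RoleMapping::new);
            mapping.add(type, properties.getProperty(key));
        }
        return mappings;
    }

    /** @return the LDAP host, or {@code null} when LDAP is disabled */
    public String getLdapHost() {
        return this.ldapHost;
    }

    /** @return the LDAP port */
    public int getLdapPort() {
        return this.ldapPort;
    }

    /** @return the LDAP base DN */
    public String getLdapBaseDN() {
        return this.ldapBaseDN;
    }

    /** @return the DN used to bind to LDAP, or {@code null} */
    public String getBindingUserDN() {
        return this.bindingUserDN;
    }

    /** @return the LDAP tenant group name, or {@code null} */
    public String getLdapTenantGroupName() {
        return this.ldapTenantGroupName;
    }

    /** @return the TLS protocol name used for LDAP over SSL */
    public String getLdapTLSProtocol() {
        return this.ldapTLSProtocol;
    }

    /** @return {@code true} when the LDAP server is Microsoft Active Directory */
    public boolean isTypeAD() {
        return this.typeAD;
    }

    /**
     * @return the derived LDAP connection properties, or {@code null} when LDAP is disabled or
     *         the configuration has not been loaded; contains the binding password, hence ignored
     *         by JSON serialization
     */
    @JsonIgnore
    public Properties getLdapConfig() {
        return this.ldapConfig;
    }

    /** @return the JWT signing key (HMAC or RSA private), or {@code null} when none is configured */
    @JsonIgnore
    public Key getJwtSigningKey() {
        return this.jwtSigningKey;
    }

    /** @return the JWT parser bound to the verification key, or {@code null} when none is configured */
    @JsonIgnore
    public JwtParser getJwtParser() {
        return this.jwtParser;
    }

    /** @return the JWT issuer claim value, or {@code null} */
    public String getJwtIssuer() {
        return this.jwtIssuer;
    }

    /** @return the JWT time-to-live in minutes */
    public int getJwtTTLMinutes() {
        return this.jwtTTLMinutes;
    }

    /**
     * @param str the role name
     * @return the mapping for that role, or {@code null} when no such role is configured
     */
    public RoleMapping getRole(String str) {
        return this.roles.get(str);
    }

    /** @return an unmodifiable map of role name to mapping (empty before the config is loaded) */
    public Map<String, RoleMapping> getRoles() {
        return this.roles;
    }

    /** @return an unmodifiable copy of the configured role names */
    public Set<String> getRoleNames() {
        return Set.copyOf(this.roles.keySet());
    }
}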
