package top.dcenter.ums.security.jwt;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JOSEObjectType;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.JWSSigner;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.KeyUse;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.io.IOException;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.text.ParseException;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.ArrayList;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.data.redis.connection.RedisConnection;
import org.springframework.data.redis.connection.RedisConnectionFactory;
import org.springframework.data.redis.connection.RedisStringCommands;
import org.springframework.data.redis.core.Cursor;
import org.springframework.data.redis.core.ScanOptions;
import org.springframework.data.redis.core.types.Expiration;
import org.springframework.data.redis.serializer.SerializationException;
import org.springframework.lang.NonNull;
import org.springframework.lang.Nullable;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtException;
import org.springframework.security.oauth2.server.resource.authentication.AbstractOAuth2TokenAuthenticationToken;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.util.CollectionUtils;
import org.springframework.util.ReflectionUtils;
import org.springframework.util.StringUtils;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;
import top.dcenter.ums.security.common.enums.ErrorCodeEnum;
import top.dcenter.ums.security.common.utils.ReflectionUtil;
import top.dcenter.ums.security.core.api.service.UmsUserDetailsService;
import top.dcenter.ums.security.core.mdc.utils.MdcUtil;
import top.dcenter.ums.security.jwt.api.cache.service.JwtCacheTransformService;
import top.dcenter.ums.security.jwt.api.id.service.JwtIdService;
import top.dcenter.ums.security.jwt.claims.service.GenerateClaimsSetService;
import top.dcenter.ums.security.jwt.decoder.UmsNimbusJwtDecoder;
import top.dcenter.ums.security.jwt.enums.JwtCustomClaimNames;
import top.dcenter.ums.security.jwt.enums.JwtRefreshHandlerPolicy;
import top.dcenter.ums.security.jwt.exception.JwtCreateException;
import top.dcenter.ums.security.jwt.exception.JwtExpiredException;
import top.dcenter.ums.security.jwt.exception.JwtInvalidException;
import top.dcenter.ums.security.jwt.exception.MismatchRefreshJwtPolicyException;
import top.dcenter.ums.security.jwt.exception.RefreshTokenInvalidException;
import top.dcenter.ums.security.jwt.exception.SaveRefreshTokenException;
import top.dcenter.ums.security.jwt.properties.BearerTokenProperties;
import top.dcenter.ums.security.jwt.properties.JwtBlacklistProperties;

/* loaded from: input_file:top/dcenter/ums/security/jwt/JwtContext.class */
public final class JwtContext {
    /** JCA algorithm name handed to {@code KeyPairGenerator.getInstance} by {@code generateJwk(String, KeyUse)}. */
    public static final String KEY_ALGORITHM = "RSA";
    /** RSA modulus size, in bits, used when {@code generateJwk(String, KeyUse)} creates a new key pair. */
    public static final int KEY_SIZE = 2048;
    // Lower-case scheme prefix with a trailing space; presumably what removeBearerForJwtTokenString strips — confirm against that helper.
    public static final String BEARER = "bearer ";
    /** Attribute name under which a pending refresh token is looked up (scope {@code 1}) in the current request attributes. */
    public static final String TEMPORARY_JWT_REFRESH_TOKEN = "TEMPORARY_JWT_REFRESH_TOKEN";
    private static final Logger log = LoggerFactory.getLogger(JwtContext.class);
    // Reflective handle on JWSHeader#toJSONObject; ReflectionUtils.findMethod returns null when no such method exists.
    private static final Method TO_JSON_OBJECT_METHOD = ReflectionUtils.findMethod(JWSHeader.class, "toJSONObject");

    // Process-wide mutable configuration. Every field below is static and volatile, and nothing in this part of the
    // file assigns them; presumably they are populated once during application start-up — confirm against the setters.

    // Signing component; resetJwtExpOfAutoRenewPolicy refuses to re-issue a token while this is null.
    private static volatile JWSSigner signer = null;
    private static volatile String jwsAlgorithm = null;
    private static volatile String kid = null;
    // Token lifetime: added to "now" for the renewed exp claim and reported (minus one second) as expires-in.
    private static volatile Duration timeout = Duration.ofHours(1);
    // Tolerance applied when deciding whether an expiring token still needs a blacklist entry, and added to that entry's TTL.
    private static volatile Duration clockSkew = Duration.ofSeconds(0);
    // Selects between the REFRESH_TOKEN and AUTO_RENEW flows.
    private static volatile JwtRefreshHandlerPolicy refreshHandlerPolicy = null;
    // Controls whether tokens are read from request parameters or from a header.
    private static volatile BearerTokenProperties bearerToken = null;
    private static volatile RedisConnectionFactory redisConnectionFactory = null;
    // getEnable() switches every Redis helper between "blacklist" mode and "token session stored in Redis" mode.
    private static volatile JwtBlacklistProperties blacklistProperties = null;
    private static volatile JwtIdService jwtIdService = null;
    // Serializes/deserializes the Authentication cached in Redis when blacklist mode is off.
    private static volatile JwtCacheTransformService<?> jwtCacheTransformService = null;
    // Name of the claim that carries the user identifier.
    private static volatile String principalClaimName = null;

    /* loaded from: input_file:top/dcenter/ums/security/jwt/JwtContext$BlacklistType.class */
    /**
     * Result of resolving the value stored for a token id in the blacklist.
     *
     * <p>{@link #getBlacklistType(String)} maps a blank value to {@link #NOT_IN_BLACKLIST}, the literal
     * name {@code IN_BLACKLIST} to {@link #IN_BLACKLIST}, and any other non-blank value to
     * {@link #IN_BLACKLIST_AND_HAS_NEW_JWT}, in which case the value itself is kept as the replacement token.
     *
     * <p>NOTE(review): the replacement token is parked in a {@link ThreadLocal} and is only cleared by
     * {@link #getOneTimeNewJwtValue()}. A caller that resolves the type but never reads the value leaves
     * a bearer token attached to the worker thread until the next resolution overwrites it; on pooled
     * threads that outlives the request. Confirm every call path consumes the value.
     */
    public enum BlacklistType {
        /** The token id has no blacklist entry; there is never a replacement token. */
        NOT_IN_BLACKLIST {
            @Override
            @Nullable
            public String getOneTimeNewJwtValue() {
                return null;
            }

            @Override
            @NonNull
            public Boolean isInBlacklist() {
                return Boolean.FALSE;
            }
        },
        /** The token id is blacklisted and no replacement token was recorded. */
        IN_BLACKLIST {
            @Override
            @Nullable
            public String getOneTimeNewJwtValue() {
                return null;
            }

            @Override
            @NonNull
            public Boolean isInBlacklist() {
                return Boolean.TRUE;
            }
        },
        /** The token id is blacklisted and the stored value is the token that replaced it. */
        IN_BLACKLIST_AND_HAS_NEW_JWT {
            /**
             * Returns the replacement token captured by the last {@code getBlacklistType} call on this
             * thread and clears it, so a second call on the same thread yields {@code null}.
             */
            @Override
            @Nullable
            public String getOneTimeNewJwtValue() {
                try {
                    return BlacklistType.JWT_VALUE.get();
                } finally {
                    // Always drop the token from the thread, even if the read fails.
                    BlacklistType.JWT_VALUE.remove();
                }
            }

            @Override
            @NonNull
            public Boolean isInBlacklist() {
                return Boolean.TRUE;
            }
        };

        // Per-thread hand-off slot for the replacement token between getBlacklistType and getOneTimeNewJwtValue.
        private static final ThreadLocal<String> JWT_VALUE = new ThreadLocal<>();

        /**
         * Classifies the raw value read from the blacklist.
         *
         * @param str stored value, or {@code null} when there is no entry
         * @return the matching constant; for a replacement token the value is also stored for this thread
         */
        @NonNull
        public static BlacklistType getBlacklistType(@Nullable String str) {
            if (StringUtils.hasText(str)) {
                if (IN_BLACKLIST.name().equals(str)) {
                    return IN_BLACKLIST;
                }
                // Anything else is taken to be a replacement token and handed over through the thread-local.
                JWT_VALUE.set(str);
                return IN_BLACKLIST_AND_HAS_NEW_JWT;
            }
            return NOT_IN_BLACKLIST;
        }

        /** @return the replacement token, readable once, or {@code null} when none exists */
        @Nullable
        public abstract String getOneTimeNewJwtValue();

        /** @return {@code TRUE} when the token must be treated as revoked */
        @NonNull
        public abstract Boolean isInBlacklist();
    }

    /** Not instantiable: the class only exposes static helpers and static state. */
    private JwtContext() {
        // intentionally empty
    }

    /**
     * Generates a fresh RSA key pair ({@link #KEY_ALGORITHM}, {@link #KEY_SIZE} bits) and wraps it as a JWK.
     *
     * <p>The returned JWK carries the private key. Only its public form ({@code JWK#toPublicJWK()})
     * should ever be served from a key-set endpoint or written to logs.
     *
     * @param str    key id ({@code kid}) to assign
     * @param keyUse intended use of the key
     * @return an RSA JWK holding both the public and the private key
     * @throws NoSuchAlgorithmException if no provider offers {@link #KEY_ALGORITHM}
     */
    public static JWK generateJwk(String str, KeyUse keyUse) throws NoSuchAlgorithmException {
        KeyPairGenerator rsaGenerator = KeyPairGenerator.getInstance(KEY_ALGORITHM);
        rsaGenerator.initialize(KEY_SIZE);
        // Same builder chain as the KeyPair overload, so delegate instead of repeating it.
        return generateJwk(rsaGenerator.generateKeyPair(), str, keyUse);
    }

    /**
     * Wraps an existing key pair as an RSA JWK.
     *
     * <p>Both halves are cast to their RSA interfaces, so a non-RSA pair fails with
     * {@link ClassCastException}. The result includes the private key; expose only its public form.
     *
     * @param keyPair RSA key pair to wrap
     * @param str     key id ({@code kid}) to assign
     * @param keyUse  intended use of the key
     * @return an RSA JWK holding both the public and the private key
     */
    public static JWK generateJwk(KeyPair keyPair, String str, KeyUse keyUse) {
        RSAPublicKey publicKey = (RSAPublicKey) keyPair.getPublic();
        RSAPrivateKey privateKey = (RSAPrivateKey) keyPair.getPrivate();
        return new RSAKey.Builder(publicKey)
                .privateKey(privateKey)
                .keyUse(keyUse)
                .keyID(str)
                .build();
    }

    /**
     * Issues a JWT for an authenticated principal and converts the result into a JWT-backed authentication.
     *
     * <p>When no claims service is supplied, or {@code isSupportCreateJwt} rejects the authentication,
     * the input is returned untouched. Otherwise a refresh token is generated first (only under the
     * {@code REFRESH_TOKEN} policy), the access token is created from the generated claims, both are
     * written to the response via {@code setBearerTokenAndRefreshTokenToHeader}, and the re-auth flag
     * for the user is cleared.
     *
     * <p>Any failure is logged with its cause and surfaced as a {@link JwtCreateException} that carries
     * only an error code and the MDC trace id.
     * NOTE(review): the log line embeds {@code authentication.toString()}; confirm the concrete
     * Authentication types in use do not print credentials.
     *
     * @param authentication           the successful authentication
     * @param generateClaimsSetService claims generator, or {@code null} to skip JWT creation
     * @return the JWT authentication, or {@code authentication} itself when no JWT is created
     * @throws JwtCreateException if token creation fails for any reason
     */
    @NonNull
    public static Authentication createJwtAndToJwtAuthenticationToken(@NonNull Authentication authentication, @Nullable GenerateClaimsSetService generateClaimsSetService) throws JwtCreateException {
        if (Objects.isNull(generateClaimsSetService)) {
            return authentication;
        }
        if (!isSupportCreateJwt(authentication).booleanValue()) {
            return authentication;
        }
        try {
            Jwt refreshToken = JwtRefreshHandlerPolicy.REFRESH_TOKEN.equals(refreshHandlerPolicy)
                    ? generateRefreshToken(authentication.getName())
                    : null;
            Jwt accessToken = createJwt(generateClaimsSetService.generateClaimsSet(authentication, refreshToken));
            setBearerTokenAndRefreshTokenToHeader(accessToken, refreshToken, Boolean.FALSE);
            JwtAuthenticationToken jwtAuthentication = toJwtAuthenticationToken(accessToken, generateClaimsSetService.getJwtAuthenticationConverter(), Boolean.FALSE);
            // A successful login ends any pending forced re-authentication for this user.
            removeReAuthFlag(authentication.getName());
            return jwtAuthentication;
        } catch (Exception e) {
            log.error(String.format("创建 jwt token 失败: %s", authentication), e);
            throw new JwtCreateException(ErrorCodeEnum.CREATE_JWT_ERROR, MdcUtil.getMdcTraceId());
        }
    }

    /**
     * Re-issues a JWT under the {@code AUTO_RENEW} policy.
     *
     * <p>If the old token id is already blacklisted with a recorded replacement, that replacement is
     * returned instead of minting another token. If it is blacklisted without a replacement,
     * {@code inBlacklistAndHasNewJwt} throws {@link JwtInvalidException}. Otherwise the claims are
     * refreshed (new {@code jti}, new {@code exp}, shifted {@code iat}/{@code nbf}), a new token is
     * created, the old token is blacklisted with the new token as its stored value, and the new
     * token is written to the response.
     *
     * @param jwt                     the token being renewed
     * @param umsNimbusJwtDecoder     decoder used to parse a stored replacement token
     * @param jwtRefreshHandlerPolicy policy in effect; must be {@code AUTO_RENEW}
     * @return the replacement or newly created token
     * @throws JwtInvalidException if the token is revoked without replacement or no signer is configured
     */
    @NonNull
    public static Jwt resetJwtExpOfAutoRenewPolicy(@NonNull Jwt jwt, @NonNull UmsNimbusJwtDecoder umsNimbusJwtDecoder, @NonNull JwtRefreshHandlerPolicy jwtRefreshHandlerPolicy) throws ParseException, JOSEException, JwtInvalidException {
        if (!JwtRefreshHandlerPolicy.AUTO_RENEW.equals(jwtRefreshHandlerPolicy)) {
            throw new MismatchRefreshJwtPolicyException(ErrorCodeEnum.REFRESH_JWT_POLICY_MISMATCH, MdcUtil.getMdcTraceId());
        }
        String inBlacklistAndHasNewJwt = inBlacklistAndHasNewJwt(jtiInTheBlacklist(jwt));
        if (inBlacklistAndHasNewJwt != null) {
            // The replacement comes from the blacklist store and, going by the method name, is parsed without
            // validation — TODO confirm. Its trustworthiness therefore rests on who can write to that store.
            Jwt decodeNotValidate = umsNimbusJwtDecoder.decodeNotValidate(removeBearerForJwtTokenString(inBlacklistAndHasNewJwt));
            setBearerTokenAndRefreshTokenToHeader(decodeNotValidate, null, Boolean.FALSE);
            return decodeNotValidate;
        }
        // Without a signer no new token can be issued, so the renewal is rejected.
        if (Objects.isNull(signer)) {
            throw new JwtInvalidException(ErrorCodeEnum.JWT_INVALID, MdcUtil.getMdcTraceId());
        }
        // NOTE(review): the map returned by jwt.getClaims() is modified in place. Spring Security's Jwt normally
        // exposes an unmodifiable map, in which case put() throws UnsupportedOperationException — confirm the
        // decoder used here supplies a mutable one.
        Map claims = jwt.getClaims();
        claims.put("jti", jwtIdService.generateJtiId());
        Instant now = Instant.now();
        // New expiry is "now" plus the configured token lifetime.
        claims.put("exp", now.plusSeconds(timeout.getSeconds()));
        Instant instant = (Instant) claims.get("iat");
        Instant instant2 = (Instant) claims.get("nbf");
        long epochSecond = now.getEpochSecond();
        if (Objects.nonNull(instant)) {
            claims.put("iat", Long.valueOf(epochSecond));
            if (Objects.nonNull(instant2)) {
                // Keep the original distance between iat and nbf.
                claims.put("nbf", Long.valueOf(epochSecond + (instant2.getEpochSecond() - instant.getEpochSecond())));
            }
        }
        // Any claim still held as an Instant (exp, and nbf when iat was absent) is converted to epoch seconds.
        claims.entrySet().stream().filter(entry -> {
            return entry.getValue() instanceof Instant;
        }).forEach(entry2 -> {
            entry2.setValue(Long.valueOf(((Instant) entry2.getValue()).getEpochSecond()));
        });
        Jwt createJwt = createJwt(getJwsHeader(), toJwtClaimsSet(claims));
        // Revoke the old token id and record the new token as its replacement.
        addBlacklist(jwt, createJwt);
        setBearerTokenAndRefreshTokenToHeader(createJwt, null, Boolean.FALSE);
        return createJwt;
    }

    /**
     * Exchanges a refresh token for an access token.
     *
     * <p>The refresh token is decoded, its user id is resolved and the user is loaded. The access
     * token found on the request is reused only when {@code bool} is {@code false} and its remaining
     * lifetime is at least the decoder's remaining-refresh interval; otherwise a new token is created.
     * When a new token replaces the one on the request, the old one is handed to
     * {@code setOldJwtToBlacklist}.
     *
     * <p>NOTE(review): the comparison between the principal of the request's token and the refresh
     * token's user id lives in {@code setOldJwtToBlacklist} and only runs when blacklist mode is
     * enabled; in session mode the request's token key is deleted without that comparison.
     *
     * @param str                      raw refresh token as received (a bearer prefix is stripped)
     * @param bool                     when {@code true}, the token on the request is never reused
     * @param httpServletRequest       current request, used to locate the existing access token
     * @param umsNimbusJwtDecoder      decoder for both tokens
     * @param umsUserDetailsService    loads the user for the refresh token's user id
     * @param generateClaimsSetService builds the claims of a newly created token
     * @return the reused or newly created access token
     * @throws RefreshTokenInvalidException if the refresh token yields no user id
     * @throws JwtCreateException           if signing or parsing the new token fails
     */
    @NonNull
    public static Jwt generateJwtByRefreshToken(@NonNull String str, @NonNull Boolean bool, @NonNull HttpServletRequest httpServletRequest, @NonNull UmsNimbusJwtDecoder umsNimbusJwtDecoder, @NonNull UmsUserDetailsService umsUserDetailsService, @NonNull GenerateClaimsSetService generateClaimsSetService) throws JwtCreateException, RefreshTokenInvalidException, JwtInvalidException {
        Jwt refreshJwt = umsNimbusJwtDecoder.decodeRefreshTokenOfJwt(removeBearerForJwtTokenString(str));
        String userId = getUserIdByRefreshToken(refreshJwt);
        if (!StringUtils.hasText(userId)) {
            throw new RefreshTokenInvalidException(ErrorCodeEnum.JWT_REFRESH_TOKEN_INVALID, MdcUtil.getMdcTraceId());
        }
        UserDetails user = umsUserDetailsService.loadUserByUserId(userId);

        Jwt accessJwt = null;
        Jwt requestJwt = getJwtByRequest(httpServletRequest, umsNimbusJwtDecoder);
        if (!bool.booleanValue() && Objects.nonNull(requestJwt)) {
            Instant expiresAt = requestJwt.getExpiresAt();
            if (Objects.nonNull(expiresAt)) {
                long remainingSeconds = expiresAt.getEpochSecond() - Instant.now().getEpochSecond();
                // Keep the current token while it is still outside the refresh window.
                if (remainingSeconds >= umsNimbusJwtDecoder.getRemainingRefreshInterval().getSeconds()) {
                    accessJwt = requestJwt;
                }
            }
        }

        if (Objects.isNull(accessJwt)) {
            try {
                accessJwt = createJwt(generateClaimsSetService.generateClaimsSet(user, refreshJwt));
            } catch (JOSEException | ParseException e) {
                log.error(e.getMessage(), e);
                throw new JwtCreateException(ErrorCodeEnum.CREATE_JWT_ERROR, MdcUtil.getMdcTraceId());
            }
        }

        // Session mode only: converting the token is what stores the authentication for it.
        if (!blacklistProperties.getEnable().booleanValue()) {
            toJwtAuthenticationToken(accessJwt, generateClaimsSetService.getJwtAuthenticationConverter(), Boolean.TRUE);
        }

        boolean replaced = Objects.nonNull(requestJwt) && !Objects.equals(accessJwt, requestJwt);
        if (replaced) {
            setOldJwtToBlacklist(str, userId, requestJwt, accessJwt);
        }
        setBearerTokenAndRefreshTokenToHeader(accessJwt, refreshJwt, Boolean.TRUE);
        return accessJwt;
    }

    /**
     * Reads the pending refresh token from the current request attributes and removes it, so each
     * stored token can be read only once.
     *
     * <p>The scope argument {@code 1} is Spring's {@code RequestAttributes.SCOPE_SESSION}.
     *
     * @return the refresh token, or {@code null} when none is pending
     */
    @Nullable
    public static String getJwtRefreshTokenFromSession() {
        ServletRequestAttributes attributes = RequestContextHolder.currentRequestAttributes();
        String refreshToken = (String) attributes.getAttribute(TEMPORARY_JWT_REFRESH_TOKEN, 1);
        if (refreshToken == null) {
            return null;
        }
        // One-time read: do not leave the token behind in the session.
        attributes.removeAttribute(TEMPORARY_JWT_REFRESH_TOKEN, 1);
        return refreshToken;
    }

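    /**
     * Loads the object cached in Redis for a token when blacklist mode is off.
     *
     * <p>The connection is managed with try-with-resources so it is closed exactly once on every
     * path; the earlier hand-expanded cleanup closed it twice on the normal return paths.
     *
     * <p>NOTE(review): the cached bytes are passed to {@code jwtCacheTransformService.deserialize}.
     * If that implementation relies on Java native serialization, write access to Redis amounts to
     * object injection into this JVM — confirm the serializer and keep Redis access restricted.
     *
     * @param jwt token whose cached entry is wanted
     * @return the deserialized entry, or {@code null} in blacklist mode or when no entry exists
     * @throws SerializationException if the cached bytes cannot be deserialized
     */
    @Nullable
    public static Object getTokenInfoFromRedis(@NonNull Jwt jwt) throws SerializationException {
        try (RedisConnection connection = getConnection()) {
            if (blacklistProperties.getEnable().booleanValue()) {
                return null;
            }
            byte[] cached = connection.get(getTokenKey(jwt));
            if (Objects.isNull(cached)) {
                return null;
            }
            try {
                return jwtCacheTransformService.deserialize(cached);
            } catch (Exception e) {
                // Log here because callers only see the rethrown exception.
                log.error(e.getMessage(), e);
                throw e;
            }
        }
    }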

    /**
     * Tells whether the current request is a refresh-token exchange: the policy must be
     * {@code REFRESH_TOKEN} and a non-blank refresh token must be pending in scope {@code 1}
     * of the current request attributes.
     *
     * @return {@code TRUE} when both conditions hold, otherwise {@code FALSE}
     */
    @NonNull
    public static Boolean isRefreshJwtByRefreshToken() {
        // equals(null) is false, so an unset policy falls through to FALSE as well.
        if (!JwtRefreshHandlerPolicy.REFRESH_TOKEN.equals(refreshHandlerPolicy)) {
            return Boolean.FALSE;
        }
        Object pending = RequestContextHolder.currentRequestAttributes().getAttribute(TEMPORARY_JWT_REFRESH_TOKEN, 1);
        return Boolean.valueOf(StringUtils.hasText((String) pending));
    }

    /**
     * Extracts the replacement token for a blacklisted token.
     *
     * @param blacklistType result of the blacklist lookup
     * @return {@code null} when the token is not blacklisted, otherwise the replacement token
     * @throws JwtInvalidException if the token is blacklisted and no replacement token is available
     */
    @Nullable
    public static String inBlacklistAndHasNewJwt(@NonNull BlacklistType blacklistType) throws JwtInvalidException {
        if (!blacklistType.isInBlacklist().booleanValue()) {
            return null;
        }
        String replacement = blacklistType.getOneTimeNewJwtValue();
        if (replacement == null) {
            // Revoked with nothing to hand out instead: the caller must reject the token.
            throw new JwtInvalidException(ErrorCodeEnum.JWT_INVALID, MdcUtil.getMdcTraceId());
        }
        return replacement;
    }

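    /**
     * Resolves the revocation state of a token.
     *
     * <p>Blacklist mode: the value stored under the token id's blacklist key is classified by
     * {@link BlacklistType#getBlacklistType(String)}. Session mode: the token counts as valid only
     * while its token key exists; a missing key, or a {@code null} answer from Redis, is reported
     * as {@code IN_BLACKLIST}, so the check fails closed.
     *
     * <p>The connection is managed with try-with-resources, replacing hand-expanded cleanup that
     * contained unreachable branches dereferencing a null {@code Throwable} and could close the
     * connection a second time when the first close failed.
     *
     * @param jwt token to check
     * @return the revocation state
     */
    @NonNull
    public static BlacklistType jtiInTheBlacklist(@NonNull Jwt jwt) {
        try (RedisConnection connection = getConnection()) {
            if (blacklistProperties.getEnable().booleanValue()) {
                byte[] stored = connection.get(getBlacklistKey(jwt.getId()));
                return BlacklistType.getBlacklistType(Objects.isNull(stored) ? null : new String(stored, StandardCharsets.UTF_8));
            }
            Boolean sessionExists = connection.exists(getTokenKey(jwt));
            return Boolean.TRUE.equals(sessionExists) ? BlacklistType.NOT_IN_BLACKLIST : BlacklistType.IN_BLACKLIST;
        }
    }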

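    /**
     * Tells whether a refresh token has been revoked.
     *
     * <p>Blacklist mode: revoked when a blacklist key exists for the token id. Session mode: revoked
     * when no refresh-token key exists for the principal named by {@code principalClaimName}; a
     * {@code null} answer from Redis is also treated as revoked.
     *
     * <p>The connection is managed with try-with-resources, replacing hand-expanded cleanup that
     * could close the connection a second time when the first close failed.
     *
     * @param jwt decoded refresh token
     * @return {@code TRUE} when the refresh token must be rejected
     */
    @NonNull
    public static Boolean isRefreshJwtInTheBlacklist(@NonNull Jwt jwt) {
        try (RedisConnection connection = getConnection()) {
            if (blacklistProperties.getEnable().booleanValue()) {
                Boolean blacklisted = connection.exists(getBlacklistKey(jwt.getId()));
                return Boolean.valueOf(Boolean.TRUE.equals(blacklisted));
            }
            Boolean stored = connection.exists(getRefreshTokenKey(jwt.getClaimAsString(principalClaimName)));
            // Fail closed: anything other than a definite "exists" counts as revoked.
            return Boolean.valueOf(!Boolean.TRUE.equals(stored));
        }
    }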

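    /**
     * Revokes a refresh token.
     *
     * <p>Session mode: deletes the refresh-token key of the token's principal. Blacklist mode: if the
     * token has not yet expired (allowing for {@code clockSkew}), writes a blacklist entry for its id
     * with a time-to-live of the remaining lifetime plus {@code clockSkew}, using set-if-absent so an
     * existing entry is kept.
     *
     * <p>NOTE(review): in blacklist mode a refresh token without an {@code exp} claim is skipped, so
     * such a token cannot be revoked through this method.
     *
     * <p>Changes from the earlier form: the key is passed to {@code del} through its varargs
     * parameter instead of an invalid {@code byte[]} to {@code byte[][]} cast, and the connection is
     * closed by try-with-resources.
     *
     * @param jwt decoded refresh token to revoke
     */
    public static void addBlacklistForRefreshToken(@NonNull Jwt jwt) {
        String principal = jwt.getClaimAsString(principalClaimName);
        try (RedisConnection connection = getConnection()) {
            if (!blacklistProperties.getEnable().booleanValue()) {
                connection.del(getRefreshTokenKey(principal));
                return;
            }
            Instant expiresAt = jwt.getExpiresAt();
            if (Objects.isNull(expiresAt)) {
                return;
            }
            Instant now = Instant.now();
            if (expiresAt.isAfter(now.minus(clockSkew))) {
                // The entry only has to outlive the token itself (plus the accepted clock skew).
                long ttlSeconds = (expiresAt.getEpochSecond() - now.getEpochSecond()) + clockSkew.getSeconds();
                connection.set(getBlacklistKey(jwt.getId()), BlacklistType.IN_BLACKLIST.name().getBytes(StandardCharsets.UTF_8), Expiration.seconds(ttlSeconds), RedisStringCommands.SetOption.SET_IF_ABSENT);
            }
        }
    }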

    /**
     * Blacklists a token because the user has to authenticate again. The stored value is the plain
     * {@code IN_BLACKLIST} marker, so no replacement token is offered for it.
     *
     * @param jwt token to revoke
     */
    public static void addBlacklistForReAuth(@NonNull Jwt jwt) {
        byte[] marker = BlacklistType.IN_BLACKLIST.name().getBytes(StandardCharsets.UTF_8);
        addBlacklist(jwt, marker, Boolean.TRUE);
    }

    /**
     * Blacklists {@code jwt} and records {@code jwt2} as its replacement.
     *
     * <p>NOTE(review): the replacement's complete token value is what gets stored, so a usable
     * bearer token sits in the blacklist store for as long as the entry lives; read access to that
     * store should be treated as access to live credentials.
     *
     * @param jwt  token being revoked
     * @param jwt2 token that replaces it
     */
    private static void addBlacklist(@NonNull Jwt jwt, @NonNull Jwt jwt2) {
        byte[] replacementToken = jwt2.getTokenValue().getBytes(StandardCharsets.UTF_8);
        addBlacklist(jwt, replacementToken, Boolean.FALSE);
    }

    /**
     * Reads a token from the request, from a parameter or from a header depending on configuration.
     *
     * <p>If either the form-body or the URI-query option is enabled the token is read with
     * {@code getParameter} and the header is not consulted at all.
     * NOTE(review): {@code getParameter} serves both query-string and form-body values, so enabling
     * only the form-body option still accepts a token in the URL, where it can end up in access
     * logs and Referer headers — confirm this is intended.
     *
     * @param httpServletRequest current request
     * @param str                parameter name to read
     * @param str2               header name to read
     * @return the raw token, or {@code null} when bearer-token settings are absent or nothing was sent
     */
    @Nullable
    public static String getRefreshTokenOrBearerToken(@NonNull HttpServletRequest httpServletRequest, @NonNull String str, @NonNull String str2) {
        if (Objects.isNull(bearerToken)) {
            return null;
        }
        boolean readFromParameter = bearerToken.getAllowFormEncodedBodyParameter().booleanValue()
                || bearerToken.getAllowUriQueryParameter().booleanValue();
        if (readFromParameter) {
            return httpServletRequest.getParameter(str);
        }
        return httpServletRequest.getHeader(str2);
    }

    /** @return the clock-skew tolerance currently configured for token time checks */
    @NonNull
    public static Duration getClockSkew() {
        final Duration currentSkew = clockSkew;
        return currentSkew;
    }

    /**
     * Returns the raw token of an OAuth2 token authentication when tokens may travel in the form body.
     *
     * @param authentication current authentication
     * @return the token value, or {@code null} when bearer-token settings are absent, the form-body
     *         option is off, or the authentication carries no OAuth2 token
     */
    @Nullable
    public static String getJwtStringIfAllowBodyParameter(@NonNull Authentication authentication) {
        if (Objects.isNull(bearerToken)) {
            return null;
        }
        Boolean bodyParameterAllowed = bearerToken.getAllowFormEncodedBodyParameter();
        if (!(authentication instanceof AbstractOAuth2TokenAuthenticationToken)) {
            return null;
        }
        if (!bodyParameterAllowed.booleanValue()) {
            return null;
        }
        return ((AbstractOAuth2TokenAuthenticationToken<?>) authentication).getToken().getTokenValue();
    }

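    /**
     * Reports the lifetime, in seconds, to advertise for a token-based authentication: the
     * configured timeout minus one second.
     *
     * <p>The earlier guard only returned {@code null} when both {@code timeout} and
     * {@code bearerToken} were unset, so an unset timeout combined with configured bearer-token
     * settings ran into a {@link NullPointerException}. The timeout is now checked on its own;
     * results are unchanged whenever a timeout is configured.
     *
     * @param authentication current authentication
     * @return the lifetime in seconds, or {@code null} when no timeout is configured or the
     *         authentication carries no OAuth2 token
     */
    @Nullable
    public static Long getJwtExpiresInByAuthentication(Authentication authentication) {
        // Read the volatile field once so the null check and the use see the same value.
        Duration lifetime = timeout;
        if (Objects.isNull(lifetime) || !(authentication instanceof AbstractOAuth2TokenAuthenticationToken)) {
            return null;
        }
        return Long.valueOf(lifetime.minusSeconds(1L).getSeconds());
    }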

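    /**
     * Marks a user as having to authenticate again. The flag is written with set-if-absent and
     * expires after the configured refresh-token time-to-live.
     *
     * <p>The connection is managed with try-with-resources; the earlier hand-expanded cleanup closed
     * it twice whenever Redis answered {@code null}.
     *
     * @param str user id
     * @return the answer of the Redis {@code SET}, or {@code FALSE} when Redis answered {@code null}
     */
    @NonNull
    public static Boolean addReAuthFlag(@NonNull String str) {
        try (RedisConnection connection = getConnection()) {
            Boolean created = connection.set(getReAuthKey(str), "1".getBytes(StandardCharsets.UTF_8), Expiration.seconds(blacklistProperties.getRefreshTokenTtl().getSeconds()), RedisStringCommands.SetOption.SET_IF_ABSENT);
            return Objects.isNull(created) ? Boolean.FALSE : created;
        }
    }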

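    /**
     * Tells whether the re-authentication flag is set for a user.
     *
     * <p>NOTE(review): a {@code null} answer from Redis is reported as "no flag", which lets the
     * user through; confirm that is the intended direction for this check.
     *
     * <p>The connection is managed with try-with-resources, replacing hand-expanded cleanup that
     * could close the connection a second time when the first close failed.
     *
     * @param str user id
     * @return {@code TRUE} when the flag exists
     */
    @NonNull
    public static Boolean isReAuth(@NonNull String str) {
        try (RedisConnection connection = getConnection()) {
            Boolean flagged = connection.exists(getReAuthKey(str));
            return Boolean.valueOf(Boolean.TRUE.equals(flagged));
        }
    }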

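    /**
     * Clears the re-authentication flag of a user together with the user's
     * "delete all token info" lock key, in a single {@code DEL}.
     *
     * <p>The keys are passed through the varargs parameter of {@code del} instead of an invalid
     * {@code byte[]} to {@code byte[][]} cast, and the connection is closed by try-with-resources.
     *
     * @param str user id
     */
    private static void removeReAuthFlag(@NonNull String str) {
        try (RedisConnection connection = getConnection()) {
            connection.del(getReAuthKey(str), getDelAllTokenInfoInRedisLockKey(str));
        }
    }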

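    /**
     * Caches the serialized authentication for a token in Redis (session mode only) until the
     * token's expiry.
     *
     * <p>Nothing is stored in blacklist mode or for a token without {@code exp}. When {@code bool}
     * is set, the authentication is also installed in the current security context before the
     * Redis write.
     *
     * <p>NOTE(review): for a token that has already expired the computed time-to-live is zero or
     * negative; confirm how {@code Expiration.from} treats that, since an entry that never expires
     * would outlive the token it belongs to.
     *
     * <p>The connection is managed with try-with-resources instead of the hand-expanded cleanup,
     * which could close it a second time when the first close failed.
     *
     * @param authentication authentication to cache
     * @param jwt            token the entry belongs to
     * @param bool           whether to install the authentication in the security context
     */
    private static void saveTokenSessionToRedis(@NonNull Authentication authentication, @NonNull Jwt jwt, @NonNull Boolean bool) {
        if (blacklistProperties.getEnable().booleanValue()) {
            return;
        }
        byte[] payload = jwtCacheTransformService.serialize(authentication);
        Instant expiresAt = jwt.getExpiresAt();
        if (Objects.isNull(expiresAt)) {
            return;
        }
        if (bool.booleanValue()) {
            SecurityContextHolder.getContext().setAuthentication(authentication);
        }
        Duration timeToLive = Duration.ofSeconds(expiresAt.getEpochSecond() - Instant.now().getEpochSecond());
        try (RedisConnection connection = getConnection()) {
            connection.set(getTokenKey(jwt), payload, Expiration.from(timeToLive), RedisStringCommands.SetOption.UPSERT);
        }
    }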

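    /**
     * Retires the access token that a refresh exchange has just replaced.
     *
     * <p>Session mode: deletes the old token's key. Blacklist mode: the old token's principal must
     * equal the refresh token's user id; on a mismatch the refresh-token key of that user id is
     * deleted and the exchange is rejected, otherwise the old token is blacklisted with the new
     * token recorded as its replacement.
     *
     * <p>Changes from the earlier form: the raw refresh token is no longer written to the error log
     * (the mismatch line now carries the two user ids only), because a logged refresh token is a
     * reusable credential for anyone who can read the logs; keys are passed to {@code del} through
     * its varargs parameter; and the connection is closed by try-with-resources.
     *
     * @param str  raw refresh token as received; kept in the signature for callers, deliberately not logged
     * @param str2 user id resolved from the refresh token
     * @param jwt  access token being replaced
     * @param jwt2 access token replacing it
     * @throws RefreshTokenInvalidException if the old token belongs to a different principal
     */
    private static void setOldJwtToBlacklist(@NonNull String str, @NonNull String str2, @NonNull Jwt jwt, @NonNull Jwt jwt2) {
        try (RedisConnection connection = getConnection()) {
            if (!blacklistProperties.getEnable().booleanValue()) {
                connection.del(getTokenKey(jwt));
                return;
            }
            Object oldUserId = jwt.getClaim(principalClaimName);
            if (!Objects.equals(oldUserId, str2)) {
                log.error("oldUserId: {} 与 userIdByRefreshToken: {} 不匹配", oldUserId, str2);
                connection.del(getRefreshTokenKey(str2));
                throw new RefreshTokenInvalidException(ErrorCodeEnum.JWT_REFRESH_TOKEN_INVALID, MdcUtil.getMdcTraceId());
            }
            addBlacklist(jwt, jwt2);
        }
    }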

    /* JADX WARN: Type inference failed for: r1v14, types: [byte[], byte[][]] */
    /* JADX WARN: Type inference failed for: r1v17, types: [byte[], byte[][]] */
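    /**
     * Revokes {@code jwt}, either by deleting its Redis state or by blacklisting its jti.
     *
     * <p>Blacklist disabled: deletes the user's refresh-token entry and all token-info entries
     * when {@code bool} is true and the policy is {@code REFRESH_TOKEN}; otherwise deletes only
     * the token-info entry of {@code jwt}.
     *
     * <p>Blacklist enabled: stores {@code bArr} under the blacklist key of the token's jti for
     * the token's remaining lifetime plus {@code clockSkew}. When {@code bool} is true and the
     * policy is {@code REFRESH_TOKEN}, it also stores it under the jti from the
     * {@code REFRESH_TOKEN_JTI} claim for the configured refresh-token TTL.
     *
     * @param jwt  token to revoke
     * @param bArr value stored under the blacklist key(s)
     * @param bool whether the associated refresh token is revoked as well
     */
    private static void addBlacklist(@NonNull Jwt jwt, @NonNull byte[] bArr, @NonNull Boolean bool) {
        String userId = jwt.getClaimAsString(principalClaimName);
        boolean revokeRefreshToken = bool.booleanValue() && JwtRefreshHandlerPolicy.REFRESH_TOKEN.equals(refreshHandlerPolicy);
        // try-with-resources closes the connection exactly once on every exit path.
        try (RedisConnection connection = getConnection()) {
            if (!blacklistProperties.getEnable().booleanValue()) {
                if (revokeRefreshToken) {
                    connection.del(getRefreshTokenKey(userId));
                    delAllTokenInfoInRedisByUserId(userId, connection);
                } else {
                    connection.del(getTokenKey(jwt));
                }
                return;
            }
            Instant expiresAt = jwt.getExpiresAt();
            if (Objects.isNull(expiresAt)) {
                // NOTE(review): a token without an exp claim is never blacklisted here, and the
                // refresh-token jti below is skipped as well, so revocation is a silent no-op.
                // Confirm every token reaching this method carries exp.
                return;
            }
            Instant now = Instant.now();
            // Only tokens that could still be accepted within the clock-skew window need an entry.
            if (expiresAt.isAfter(now.minus(clockSkew))) {
                // The entry lives as long as the token could still validate: remaining lifetime plus skew.
                long ttlSeconds = (expiresAt.getEpochSecond() - now.getEpochSecond()) + clockSkew.getSeconds();
                connection.set(getBlacklistKey(jwt.getId()), bArr, Expiration.seconds(ttlSeconds), RedisStringCommands.SetOption.SET_IF_ABSENT);
            }
            if (revokeRefreshToken) {
                // NOTE(review): getBlacklistKey concatenates its argument, so a token lacking the
                // REFRESH_TOKEN_JTI claim would fail here with a NullPointerException.
                String refreshTokenJti = jwt.getClaimAsString(JwtCustomClaimNames.REFRESH_TOKEN_JTI.getClaimName());
                connection.set(getBlacklistKey(refreshTokenJti), bArr, Expiration.seconds(blacklistProperties.getRefreshTokenTtl().getSeconds()), RedisStringCommands.SetOption.SET_IF_ABSENT);
            }
        }
    }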

    /* JADX WARN: Type inference failed for: r1v9, types: [byte[], byte[][]] */
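    /**
     * Deletes every token-info key of one user, guarded by a SETNX lock.
     *
     * <p>Nothing happens unless {@link #getDelAllTokenInfoInRedisLock} acquires the lock. The keys
     * are found with SCAN using the pattern {@code tokenInfoPrefix + str + ":*"} and removed with
     * a single DEL.
     *
     * @param str             user id whose token-info entries are removed
     * @param redisConnection open connection supplied by the caller; it is not closed here
     */
    private static void delAllTokenInfoInRedisByUserId(String str, RedisConnection redisConnection) {
        if (!getDelAllTokenInfoInRedisLock(str, redisConnection).booleanValue()) {
            return;
        }
        // NOTE(review): the user id goes into the MATCH glob unescaped. An id containing
        // `*`, `?` or `[` would widen the match to other users' keys; confirm ids cannot
        // contain glob characters, or escape them before building the pattern.
        String pattern = blacklistProperties.getTokenInfoPrefix().concat(str).concat(":*");
        // The cursor is now closed on the failure path too; the decompiled form closed it only on success.
        try (Cursor<byte[]> cursor = redisConnection.scan(ScanOptions.scanOptions().count(1000L).match(pattern).build())) {
            ArrayList<byte[]> keys = new ArrayList<>();
            while (cursor.hasNext()) {
                keys.add(cursor.next());
            }
            if (!keys.isEmpty()) {
                redisConnection.del(keys.toArray(new byte[0][0]));
            }
        } catch (IOException e) {
            log.error(e.getMessage(), e);
            // NOTE(review): the lock is released only on this path and is created without a TTL.
            // Unless another code path deletes it, later calls for the same user skip the cleanup.
            redisConnection.del(getDelAllTokenInfoInRedisLockKey(str));
        }
    }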

    /**
     * Builds the Redis key of a blacklist entry.
     *
     * @param str identifier appended to the configured blacklist prefix (callers in this file pass a jti)
     * @return the UTF-8 bytes of {@code blacklistPrefix + str}
     */
    @NonNull
    private static byte[] getBlacklistKey(String str) {
        // String.concat keeps the original behaviour of throwing on a null identifier.
        String key = blacklistProperties.getBlacklistPrefix().concat(str);
        return key.getBytes(StandardCharsets.UTF_8);
    }

    /**
     * Builds the Redis key under the configured re-auth prefix.
     *
     * @param str identifier appended to the prefix
     * @return the UTF-8 bytes of {@code reAuthPrefix + str}
     */
    @NonNull
    private static byte[] getReAuthKey(String str) {
        String key = blacklistProperties.getReAuthPrefix().concat(str);
        return key.getBytes(StandardCharsets.UTF_8);
    }

    /**
     * Builds the Redis key of the per-user lock used by {@code delAllTokenInfoInRedisByUserId}.
     *
     * @param str user id
     * @return the UTF-8 bytes of {@code reAuthPrefix + "LOCK:" + str}
     */
    @NonNull
    private static byte[] getDelAllTokenInfoInRedisLockKey(String str) {
        // NOTE(review): the lock shares the re-auth prefix with getReAuthKey, so a re-auth
        // identifier that starts with "LOCK:" would map onto a lock key; confirm ids cannot.
        String suffix = "LOCK:" + str;
        String key = blacklistProperties.getReAuthPrefix().concat(suffix);
        return key.getBytes(StandardCharsets.UTF_8);
    }

    /**
     * Tries to take the per-user cleanup lock with SETNX.
     *
     * @param str             user id
     * @param redisConnection connection used for the SETNX call
     * @return the SETNX result, or {@code false} when Redis returns no result
     */
    @NonNull
    private static Boolean getDelAllTokenInfoInRedisLock(String str, RedisConnection redisConnection) {
        byte[] lockKey = getDelAllTokenInfoInRedisLockKey(str);
        byte[] lockValue = "1".getBytes(StandardCharsets.UTF_8);
        // No expiry is attached to the lock here; it stays until something deletes the key.
        Boolean acquired = redisConnection.setNX(lockKey, lockValue);
        if (acquired == null) {
            return false;
        }
        return acquired;
    }

    /**
     * Builds the Redis key under which a user's refresh token is stored.
     *
     * @param str user id
     * @return the UTF-8 bytes of {@code refreshTokenPrefix + str}
     */
    @NonNull
    private static byte[] getRefreshTokenKey(String str) {
        String key = blacklistProperties.getRefreshTokenPrefix().concat(str);
        return key.getBytes(StandardCharsets.UTF_8);
    }

    /**
     * Builds the Redis key of a token-info entry.
     *
     * @param jwt token whose principal claim and jti identify the entry
     * @return the UTF-8 bytes of {@code tokenInfoPrefix + principal + ":" + jti}
     */
    @NonNull
    private static byte[] getTokenKey(Jwt jwt) {
        String prefix = blacklistProperties.getTokenInfoPrefix();
        // Same layout that delAllTokenInfoInRedisByUserId scans for: prefix + userId + ":" + jti.
        String suffix = jwt.getClaimAsString(principalClaimName) + ":" + jwt.getId();
        return prefix.concat(suffix).getBytes(StandardCharsets.UTF_8);
    }

    /**
     * Obtains a Redis connection from the configured factory.
     *
     * @return a connection that the caller is responsible for closing
     */
    private static RedisConnection getConnection() {
        RedisConnection connection = redisConnectionFactory.getConnection();
        return connection;
    }

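    /**
     * Extracts the token from the request and decodes it.
     *
     * @param httpServletRequest  request carrying the token as a parameter or a header
     * @param umsNimbusJwtDecoder decoder used through {@code decodeNotRefreshToken}
     * @return the decoded token, or {@code null} when the request carries no token or decoding
     *         fails; callers must treat {@code null} as "no valid token"
     */
    @Nullable
    private static Jwt getJwtByRequest(@NonNull HttpServletRequest httpServletRequest, @NonNull UmsNimbusJwtDecoder umsNimbusJwtDecoder) {
        String tokenValue = getRefreshTokenOrBearerToken(httpServletRequest, bearerToken.getBearerTokenParameterName(), bearerToken.getBearerTokenHeaderName());
        if (!StringUtils.hasText(tokenValue)) {
            return null;
        }
        try {
            return umsNimbusJwtDecoder.decodeNotRefreshToken(removeBearerForJwtTokenString(tokenValue));
        } catch (JwtException | JwtExpiredException | JwtInvalidException e) {
            // The specific handler has to come first: in the decompiled listing it followed
            // catch (Exception) and could never run. Rejected tokens are not logged.
            return null;
        } catch (Exception e) {
            // Anything else is unexpected; it is logged, and the token is still treated as absent.
            log.error(e.getMessage(), e);
            return null;
        }
    }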

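    /**
     * Resolves the user id of a refresh token after checking its state in Redis.
     *
     * <p>Blacklist disabled: the token is accepted when a refresh-token entry exists for the user.
     * Blacklist enabled: the token is accepted unless its jti has a blacklist entry.
     *
     * @param jwt decoded refresh token
     * @return the principal claim of {@code jwt}, or {@code null} when the token is not accepted
     * @throws JwtInvalidException declared by the signature; nothing in this body throws it directly
     */
    @Nullable
    private static String getUserIdByRefreshToken(@NonNull Jwt jwt) throws JwtInvalidException {
        String userId = jwt.getClaimAsString(principalClaimName);
        // try-with-resources closes the connection once; the decompiled form closed it
        // in the body and again in the finally block.
        try (RedisConnection connection = getConnection()) {
            if (!blacklistProperties.getEnable().booleanValue()) {
                // NOTE(review): only the existence of the user's entry is checked. The stored value
                // is not compared with this token, so an older refresh token that is still
                // signature-valid would pass here; confirm the caller compares the value.
                Boolean stored = connection.exists(getRefreshTokenKey(userId));
                return Boolean.TRUE.equals(stored) ? userId : null;
            }
            // NOTE(review): a null reply from EXISTS is treated as "not blacklisted" (fails open).
            Boolean blacklisted = connection.exists(getBlacklistKey(jwt.getId()));
            return Boolean.TRUE.equals(blacklisted) ? null : userId;
        }
    }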

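    /**
     * Creates, signs and stores a refresh token for a user.
     *
     * <p>The token carries a generated jti, the principal claim and an exp claim derived from
     * the configured refresh-token TTL.
     *
     * @param str user id written to the principal claim
     * @return the signed refresh token
     * @throws SaveRefreshTokenException when {@code saveRefreshToken} reports failure
     * @throws JwtCreateException        when signing or claim parsing fails
     */
    @NonNull
    private static Jwt generateRefreshToken(@NonNull String str) {
        JWTClaimsSet.Builder builder = new JWTClaimsSet.Builder();
        builder.claim("jti", jwtIdService.generateJtiId());
        builder.claim(principalClaimName, str);
        // exp is a NumericDate in seconds (RFC 7519), and createJwt reads it back with
        // Instant.ofEpochSecond. The previous toEpochMilli() value pushed the expiry roughly a
        // thousand times further out, so the claim never expired the token in practice.
        // NOTE(review): confirm no consumer of the refresh token expects milliseconds here.
        long expiresAtSeconds = Instant.now().plusSeconds(blacklistProperties.getRefreshTokenTtl().getSeconds()).getEpochSecond();
        builder.claim("exp", Long.valueOf(expiresAtSeconds));
        try {
            Jwt refreshToken = createJwt(builder.build());
            if (saveRefreshToken(str, refreshToken.getTokenValue()).booleanValue()) {
                return refreshToken;
            }
            throw new SaveRefreshTokenException(ErrorCodeEnum.SAVE_REFRESH_TOKEN_ERROR, MdcUtil.getMdcTraceId());
        } catch (JOSEException | ParseException e) {
            // Log the cause, since the exception thrown below does not carry it.
            log.error(e.getMessage(), e);
            throw new JwtCreateException(ErrorCodeEnum.CREATE_JWT_ERROR, MdcUtil.getMdcTraceId());
        }
    }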

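    /**
     * Stores a user's refresh token in Redis when the configuration calls for it.
     *
     * <p>Nothing is stored, and {@code true} is returned, when the blacklist is enabled or the
     * refresh policy is not {@code REFRESH_TOKEN}. Otherwise the token is written under the
     * user's refresh-token key with the configured TTL minus one second.
     *
     * @param str  user id
     * @param str2 serialized refresh token
     * @return {@code true} when no store is needed, otherwise the SET result
     *         ({@code false} when Redis returns no result)
     */
    @NonNull
    private static Boolean saveRefreshToken(@NonNull String str, @NonNull String str2) {
        // try-with-resources closes the connection once; the decompiled form closed it
        // in the body and again in the finally block.
        try (RedisConnection connection = getConnection()) {
            if (blacklistProperties.getEnable().booleanValue() || !JwtRefreshHandlerPolicy.REFRESH_TOKEN.equals(refreshHandlerPolicy)) {
                return Boolean.TRUE;
            }
            // NOTE(review): the raw token is stored, while getUserIdByRefreshToken only checks that
            // the key exists; storing the jti or a digest would keep the credential out of Redis.
            Boolean stored = connection.set(getRefreshTokenKey(str), str2.getBytes(StandardCharsets.UTF_8), Expiration.from(blacklistProperties.getRefreshTokenTtl().minusSeconds(1L)), RedisStringCommands.SetOption.UPSERT);
            return stored != null ? stored : Boolean.FALSE;
        }
    }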

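    /**
     * Strips the leading {@code BEARER} prefix from a token string, if present.
     *
     * @param str token string, with or without the prefix
     * @return {@code str} without the prefix, or {@code str} unchanged when it has none
     */
    @NonNull
    private static String removeBearerForJwtTokenString(@NonNull String str) {
        // substring removes the literal prefix; replaceFirst would treat BEARER as a regex.
        return str.startsWith(BEARER) ? str.substring(BEARER.length()) : str;
    }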

    /**
     * Writes the bearer token, and where applicable the refresh token, to the current response.
     *
     * <p>The refresh token is handled only when {@code jwt2} is present and the policy is
     * {@code REFRESH_TOKEN}. It goes into the refresh-token header unless form-encoded body
     * parameters are allowed, and it is stored as a request attribute when {@code bool} is true.
     * The bearer token goes into its header when form-encoded body parameters are not allowed
     * or the policy is {@code AUTO_RENEW}.
     *
     * @param jwt  access token
     * @param jwt2 refresh token, may be {@code null}
     * @param bool whether the refresh token is also kept under {@code TEMPORARY_JWT_REFRESH_TOKEN}
     * @throws IllegalStateException when there is no response or no bearer-token configuration
     */
    private static void setBearerTokenAndRefreshTokenToHeader(@NonNull Jwt jwt, @Nullable Jwt jwt2, @NonNull Boolean bool) {
        ServletRequestAttributes requestAttributes = RequestContextHolder.currentRequestAttributes();
        HttpServletResponse servletResponse = requestAttributes.getResponse();
        String bearerValue = BEARER + jwt.getTokenValue();
        if (servletResponse == null || bearerToken == null) {
            throw new IllegalStateException("HttpServletResponse is closed or does not support setting bearer token to header");
        }
        if (jwt2 != null && JwtRefreshHandlerPolicy.REFRESH_TOKEN.equals(refreshHandlerPolicy)) {
            String headerName = bearerToken.getRefreshTokenHeaderName();
            String refreshValue = jwt2.getTokenValue();
            boolean formBodyAllowed = bearerToken.getAllowFormEncodedBodyParameter().booleanValue();
            if (!formBodyAllowed) {
                servletResponse.setHeader(headerName, refreshValue);
            }
            if (bool.booleanValue()) {
                // Scope literal 1 is RequestAttributes.SCOPE_SESSION in Spring: the raw refresh
                // token is kept in the HTTP session, not just for this request.
                // NOTE(review): confirm session scope is intended and that the attribute is removed after use.
                requestAttributes.setAttribute(TEMPORARY_JWT_REFRESH_TOKEN, refreshValue, 1);
            }
        }
        boolean autoRenew = JwtRefreshHandlerPolicy.AUTO_RENEW.equals(refreshHandlerPolicy);
        boolean headerOnly = !bearerToken.getAllowFormEncodedBodyParameter().booleanValue();
        if (headerOnly || autoRenew) {
            servletResponse.setHeader(bearerToken.getBearerTokenHeaderName(), bearerValue);
        }
    }

    /**
     * Tells whether a JWT may be created for the given authentication.
     *
     * @param authentication authentication to inspect
     * @return {@code true} when a signer is configured and {@code authentication} is not an
     *         {@code AbstractOAuth2TokenAuthenticationToken}
     */
    @NonNull
    private static Boolean isSupportCreateJwt(@NonNull Authentication authentication) {
        if (signer == null) {
            return Boolean.FALSE;
        }
        // An authentication that already wraps an OAuth2 token does not get a new JWT.
        if (authentication instanceof AbstractOAuth2TokenAuthenticationToken) {
            return Boolean.FALSE;
        }
        return Boolean.TRUE;
    }

    /**
     * Converts a decoded token into a {@code JwtAuthenticationToken} and publishes it.
     *
     * <p>The details of the authentication currently in the security context, if any, are copied
     * onto the new token. With the blacklist disabled the token is handed to
     * {@code saveTokenSessionToRedis}; with it enabled the token is placed in the security
     * context when {@code bool} is true.
     *
     * @param jwt                        decoded token
     * @param jwtAuthenticationConverter converter producing the authentication token
     * @param bool                       whether the result becomes the current authentication
     * @return the converted authentication token
     */
    @NonNull
    private static JwtAuthenticationToken toJwtAuthenticationToken(@NonNull Jwt jwt, @NonNull JwtAuthenticationConverter jwtAuthenticationConverter, @NonNull Boolean bool) {
        JwtAuthenticationToken token = jwtAuthenticationConverter.convert(jwt);
        Authentication current = SecurityContextHolder.getContext().getAuthentication();
        if (current != null) {
            token.setDetails(current.getDetails());
        }
        if (blacklistProperties.getEnable().booleanValue()) {
            if (bool.booleanValue()) {
                SecurityContextHolder.getContext().setAuthentication(token);
            }
        } else {
            saveTokenSessionToRedis(token, jwt, bool);
        }
        return token;
    }

    /**
     * Copies a claim map into a Nimbus {@code JWTClaimsSet}.
     *
     * @param map claim names and values
     * @return a claims set holding every entry of {@code map}
     */
    @NonNull
    private static JWTClaimsSet toJwtClaimsSet(@NonNull Map<String, Object> map) {
        JWTClaimsSet.Builder claimsBuilder = new JWTClaimsSet.Builder();
        // The decompiled builder.getClass() call was only the null check javac emits for a method reference.
        for (Map.Entry<String, Object> entry : map.entrySet()) {
            claimsBuilder.claim(entry.getKey(), entry.getValue());
        }
        return claimsBuilder.build();
    }

    /**
     * Signs a claims set using the header built by {@code getJwsHeader()}.
     *
     * @param jWTClaimsSet claims to sign
     * @return the signed token
     * @throws JOSEException        propagated from the two-argument {@code createJwt}
     * @throws ParseException       propagated from the two-argument {@code createJwt}
     * @throws NullPointerException when no signer is configured
     */
    @NonNull
    private static Jwt createJwt(@NonNull JWTClaimsSet jWTClaimsSet) throws JOSEException, ParseException {
        // Fail before building a header when no signer is configured.
        Objects.requireNonNull(signer, "JWSSigner 不存在, 不支持创建 JWT 功能");
        JWSHeader header = getJwsHeader();
        return createJwt(header, jWTClaimsSet);
    }

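    /**
     * Signs a claims set with the configured signer and wraps the result as a Spring {@code Jwt}.
     *
     * <p>The {@code iat} and {@code exp} claims are read as epoch seconds. {@code iat} is optional;
     * {@code exp} is required.
     *
     * @param jWSHeader    header of the token
     * @param jWTClaimsSet claims of the token
     * @return the signed token
     * @throws JOSEException        when signing fails, the {@code exp} claim is missing, or the
     *                              header cannot be converted to a JSON object
     * @throws ParseException       when {@code iat} or {@code exp} is not a number
     * @throws NullPointerException when no signer is configured
     */
    @NonNull
    private static Jwt createJwt(@NonNull JWSHeader jWSHeader, @NonNull JWTClaimsSet jWTClaimsSet) throws JOSEException, ParseException {
        Objects.requireNonNull(signer, "signer 不存在, 不支持 JWT 功能");
        SignedJWT signedJWT = new SignedJWT(jWSHeader, jWTClaimsSet);
        signedJWT.sign(signer);
        String tokenValue = signedJWT.serialize();
        Long issuedAtSeconds = jWTClaimsSet.getLongClaim("iat");
        Instant issuedAt = Objects.nonNull(issuedAtSeconds) ? Instant.ofEpochSecond(issuedAtSeconds.longValue()) : null;
        Long expiresAtSeconds = jWTClaimsSet.getLongClaim("exp");
        if (Objects.isNull(expiresAtSeconds)) {
            // Previously this surfaced as a NullPointerException. A token without an expiry is
            // refused with the exception type callers already handle.
            throw new JOSEException("JWT claims set has no \"exp\" claim");
        }
        try {
            return new Jwt(tokenValue, issuedAt, Instant.ofEpochSecond(expiresAtSeconds.longValue()), ReflectionUtil.invokeToJsonObjectMethod(jWSHeader, TO_JSON_OBJECT_METHOD), jWTClaimsSet.getClaims());
        } catch (IllegalAccessException | InvocationTargetException e) {
            // Keep the cause: InvocationTargetException often has no message of its own.
            throw new JOSEException(e.getMessage(), e);
        }
    }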

    /**
     * Builds the JWS header for tokens issued by this class.
     *
     * <p>The algorithm is parsed from the configured {@code jwsAlgorithm}, the type is set to
     * {@code JWT}, and the key id is added when {@code kid} has text.
     *
     * @return the header
     * @throws NullPointerException when {@code jwsAlgorithm} is not configured
     */
    @NonNull
    private static JWSHeader getJwsHeader() {
        Objects.requireNonNull(jwsAlgorithm, "未设置 jwsAlgorithm, 不支持 JWT 功能");
        JWSHeader.Builder headerBuilder = new JWSHeader.Builder(JWSAlgorithm.parse(jwsAlgorithm)).type(JOSEObjectType.JWT);
        // kid lets verifiers pick the matching key; it is left out when not configured.
        return StringUtils.hasText(kid) ? headerBuilder.keyID(kid).build() : headerBuilder.build();
    }
}
