package org.demoiselle.jee.security.jwt.impl;

import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.logging.Logger;
import javax.annotation.PostConstruct;
import javax.annotation.Priority;
import javax.enterprise.context.RequestScoped;
import javax.inject.Inject;
import javax.ws.rs.core.Response;
import org.demoiselle.jee.core.api.security.DemoiselleUser;
import org.demoiselle.jee.core.api.security.Token;
import org.demoiselle.jee.core.api.security.TokenManager;
import org.demoiselle.jee.core.api.security.TokenType;
import org.demoiselle.jee.security.exception.DemoiselleSecurityException;
import org.demoiselle.jee.security.message.DemoiselleSecurityJWTMessages;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.NumericDate;
import org.jose4j.jwt.consumer.InvalidJwtException;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.keys.RsaKeyUtil;
import org.jose4j.lang.JoseException;

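/**
 * JWT implementation of {@link TokenManager}.
 *
 * <p>The node role comes from {@code DemoiselleSecurityJWTConfig#getType()} and is matched
 * (case-insensitively) against the names in the message bundle: a "master" holds the RSA
 * private key and both issues ({@link #setUser}) and verifies ({@link #getUser}) tokens; a
 * "slave" holds only the public key and can just verify.
 *
 * <p>Key material lives in static fields so it is loaded once per JVM even though the bean
 * is {@code @RequestScoped}; {@link #init()} performs that one-time load under the class lock.
 *
 * <p>Tokens carry the custom claims {@code identity}, {@code name}, {@code roles},
 * {@code permissions} and {@code params}, mirroring {@link DemoiselleUser}.
 */
@RequestScoped
@Priority(2000)
public class TokenManagerImpl implements TokenManager {
    /** Verification key; assigned once by {@link #init()} and shared by every instance. */
    private static volatile PublicKey publicKey;
    /** Signing key; only present on a "master" node. */
    private static volatile PrivateKey privateKey;
    private static final Logger logger = Logger.getLogger(TokenManagerImpl.class.getName());

    /** PEM armour understood here: PKCS#8 for the private key, X.509 SubjectPublicKeyInfo for the public key. */
    private static final String BEGIN_PRIVATE_KEY = "-----BEGIN PRIVATE KEY-----";
    private static final String END_PRIVATE_KEY = "-----END PRIVATE KEY-----";
    private static final String BEGIN_PUBLIC_KEY = "-----BEGIN PUBLIC KEY-----";
    private static final String END_PUBLIC_KEY = "-----END PUBLIC KEY-----";

    /** Tolerance applied to {@code exp}/{@code nbf} during verification, in seconds. */
    private static final int CLOCK_SKEW_SECONDS = 60;

    @Inject
    private Token token;

    @Inject
    private DemoiselleSecurityJWTConfig config;

    @Inject
    private DemoiselleUser loggedUser;

    @Inject
    private DemoiselleSecurityJWTMessages bundle;

    /**
     * Loads the RSA key material once per JVM according to the configured node type.
     *
     * <p>Every request-scoped instance runs this, but only the first call that finds no public
     * key does any work. The load is serialised on the class lock: concurrent first requests
     * would otherwise race on the static fields and, in the generated-key fallback of
     * {@link #getPrivate()}, could end up with two different key pairs.
     *
     * @throws DemoiselleSecurityException (HTTP 401) when the type is missing or unknown, when
     *     the public key (or, for a master, the private key) is not configured, or when a key
     *     cannot be parsed; parse failures keep the underlying exception as cause
     */
    @PostConstruct
    public void init() {
        if (publicKey != null) {
            return;
        }
        synchronized (TokenManagerImpl.class) {
            if (publicKey != null) {
                return; // another request completed the load while we waited for the lock
            }
            String type = this.config.getType();
            if (type == null) {
                throw new DemoiselleSecurityException(this.bundle.chooseType(), Response.Status.UNAUTHORIZED.getStatusCode());
            }
            boolean isSlave = type.equalsIgnoreCase(this.bundle.slave());
            boolean isMaster = type.equalsIgnoreCase(this.bundle.master());
            if (!isSlave && !isMaster) {
                throw new DemoiselleSecurityException(this.bundle.notType(), Response.Status.UNAUTHORIZED.getStatusCode());
            }
            try {
                if (isMaster) {
                    // Loaded first: with no private key configured this generates a pair and
                    // throws (see getPrivate()), and nothing else should be published before that.
                    privateKey = getPrivate();
                }
                // Both roles verify tokens, so both need the public key. Rejecting an empty value
                // here yields a clear 401 instead of a NullPointerException from the PEM parser.
                if (this.config.getPublicKey() == null || this.config.getPublicKey().isEmpty()) {
                    throw new DemoiselleSecurityException(this.bundle.putKey(), Response.Status.UNAUTHORIZED.getStatusCode());
                }
                publicKey = getPublic();
            } catch (JoseException | NoSuchAlgorithmException | InvalidKeySpecException e) {
                throw new DemoiselleSecurityException(this.bundle.general(), Response.Status.UNAUTHORIZED.getStatusCode(), e);
            }
        }
    }

    /**
     * Verifies the request's JWT against the configured issuer and audience.
     *
     * @return the populated user, or {@code null} when the request carries no JWT
     * @see #getUser(String, String)
     */
    public DemoiselleUser getUser() {
        return getUser(null, null);
    }

    /**
     * Verifies the JWT carried by the injected {@link Token} and populates the injected
     * {@link DemoiselleUser} from its claims.
     *
     * <p>Verification requires {@code exp}, allows {@value #CLOCK_SKEW_SECONDS} seconds of skew,
     * checks issuer and audience and uses the statically loaded public key.
     *
     * @param str  expected issuer; {@code null} falls back to {@code config.getIssuer()}
     * @param str2 expected audience; {@code null} falls back to {@code config.getAudience()}
     * @return the populated user, or {@code null} when the request carries no JWT at all
     * @throws DemoiselleSecurityException (HTTP 401) when a token is present but rejected
     *     (signature, expiry, issuer, audience, ...); the token is cleared before throwing
     */
    public DemoiselleUser getUser(String str, String str2) {
        String jwt = this.token.getKey();
        // Enum compared with != so a null token type means "not a JWT" rather than an NPE.
        if (jwt == null || jwt.isEmpty() || this.token.getType() != TokenType.JWT) {
            return null;
        }
        String expectedIssuer = str != null ? str : this.config.getIssuer();
        String expectedAudience = str2 != null ? str2 : this.config.getAudience();
        try {
            // NOTE(review): no JWS algorithm constraint is set on the consumer, so it accepts
            // whatever jose4j allows by default for this key, while the issuer signs with
            // config.getAlgorithmIdentifiers(). Pinning the verifier to that same algorithm
            // (JwtConsumerBuilder#setJwsAlgorithmConstraints) is the conservative choice —
            // confirm against the jose4j version in use.
            JwtClaims claims = new JwtConsumerBuilder()
                    .setRequireExpirationTime()
                    .setAllowedClockSkewInSeconds(CLOCK_SKEW_SECONDS)
                    .setExpectedIssuer(expectedIssuer)
                    .setExpectedAudience(expectedAudience)
                    .setEvaluationTime(NumericDate.now())
                    .setVerificationKey(publicKey)
                    .build()
                    .processToClaims(jwt);
            populateUser(claims);
            return this.loggedUser;
        } catch (InvalidJwtException e) {
            // Every rejection is reported identically (401, generic message) so the client
            // learns nothing about which check failed.
            this.loggedUser = null;
            this.token.setKey((String) null);
            throw new DemoiselleSecurityException(this.bundle.expired(), Response.Status.UNAUTHORIZED.getStatusCode(), e);
        }
    }

    /**
     * Copies the custom claims of a verified token into the injected user.
     *
     * <p>Absent {@code roles}/{@code permissions}/{@code params} claims are treated as empty
     * instead of failing with a NullPointerException; a claim that is present with the wrong
     * shape still fails fast with a ClassCastException, as before.
     */
    private void populateUser(JwtClaims claims) {
        this.loggedUser.setIdentity((String) claims.getClaimValue("identity"));
        this.loggedUser.setName((String) claims.getClaimValue("name"));

        Object roles = claims.getClaimValue("roles");
        if (roles != null) {
            for (Object role : (List<?>) roles) {
                this.loggedUser.addRole((String) role);
            }
        }

        Object permissions = claims.getClaimValue("permissions");
        if (permissions != null) {
            for (Map.Entry<?, ?> entry : ((Map<?, ?>) permissions).entrySet()) {
                String resource = (String) entry.getKey();
                for (Object operation : (List<?>) entry.getValue()) {
                    this.loggedUser.addPermission(resource, (String) operation);
                }
            }
        }

        Object params = claims.getClaimValue("params");
        if (params != null) {
            for (Map.Entry<?, ?> entry : ((Map<?, ?>) params).entrySet()) {
                this.loggedUser.addParam((String) entry.getKey(), (String) entry.getValue());
            }
        }
    }

    /**
     * Issues a JWT for {@code demoiselleUser} with the configured issuer and audience.
     *
     * @see #setUser(DemoiselleUser, String, String)
     */
    public void setUser(DemoiselleUser demoiselleUser) {
        setUser(demoiselleUser, null, null);
    }

    /**
     * Issues a signed JWT for {@code demoiselleUser} and stores it in the injected {@link Token}.
     *
     * <p>Standard claims: {@code iss}, {@code aud}, {@code exp} (now + configured TTL),
     * {@code iat}, {@code nbf} (one minute in the past, absorbing clock drift between nodes)
     * and a generated {@code jti}. Custom claims: identity, name, roles, permissions, params.
     * The signing algorithm is taken from {@code config.getAlgorithmIdentifiers()}.
     *
     * @param demoiselleUser user to encode; must not be null
     * @param str  issuer; {@code null} falls back to {@code config.getIssuer()}
     * @param str2 audience; {@code null} falls back to {@code config.getAudience()}
     * @throws DemoiselleSecurityException (HTTP 401) when this node holds no private key
     *     (i.e. is not a master) or when signing fails
     */
    public void setUser(DemoiselleUser demoiselleUser, String str, String str2) {
        Objects.requireNonNull(demoiselleUser, "demoiselleUser");
        PrivateKey signingKey = privateKey;
        if (signingKey == null) {
            // Only a master holds the private key; fail with an explicit cause instead of
            // letting jose4j reject the null key deep inside getCompactSerialization().
            throw new DemoiselleSecurityException(this.bundle.general(), Response.Status.UNAUTHORIZED.getStatusCode(),
                    new IllegalStateException("no private key loaded: only a master node can issue tokens"));
        }
        long expiresAtMillis = NumericDate.now().getValueInMillis() + this.config.getTimetoLiveMilliseconds().longValue();
        try {
            JwtClaims claims = new JwtClaims();
            claims.setIssuer(str != null ? str : this.config.getIssuer());
            claims.setAudience(str2 != null ? str2 : this.config.getAudience());
            claims.setExpirationTime(NumericDate.fromMilliseconds(expiresAtMillis));
            claims.setIssuedAtToNow();
            claims.setNotBeforeMinutesInThePast(1.0f);
            claims.setGeneratedJwtId();
            claims.setClaim("identity", demoiselleUser.getIdentity());
            claims.setClaim("name", demoiselleUser.getName());
            claims.setClaim("roles", demoiselleUser.getRoles());
            claims.setClaim("permissions", demoiselleUser.getPermissions());
            claims.setClaim("params", demoiselleUser.getParams());

            JsonWebSignature jws = new JsonWebSignature();
            jws.setPayload(claims.toJson());
            jws.setKey(signingKey);
            jws.setKeyIdHeaderValue("demoiselle-security-jwt");
            jws.setAlgorithmHeaderValue(this.config.getAlgorithmIdentifiers());

            this.token.setKey(jws.getCompactSerialization());
            this.token.setType(TokenType.JWT);
        } catch (JoseException e) {
            throw new DemoiselleSecurityException(this.bundle.general(), Response.Status.UNAUTHORIZED.getStatusCode(), e);
        }
    }

    /**
     * @return {@code true} when the request carries a JWT that verifies; {@code false} when it
     *     carries none. An invalid token does not yield {@code false} — {@link #getUser()} throws.
     */
    public boolean validate() {
        return getUser() != null;
    }

    /**
     * Same as {@link #validate()} with explicit issuer and audience.
     *
     * @param str  expected issuer; {@code null} falls back to configuration
     * @param str2 expected audience; {@code null} falls back to configuration
     */
    public boolean validate(String str, String str2) {
        return getUser(str, str2) != null;
    }

    /**
     * Loads the configured PKCS#8 RSA private key, or — when none is configured — generates a
     * throw-away 2048-bit pair and refuses normal start-up.
     *
     * <p>The configured value is a PEM block ({@code -----BEGIN PRIVATE KEY-----} ...), which
     * may be wrapped over several lines; armour and whitespace are stripped before decoding.
     * PKCS#1 ({@code BEGIN RSA PRIVATE KEY}) is not supported by {@code PKCS8EncodedKeySpec} and
     * is rejected by the KeyFactory.
     *
     * <p>Fallback: with no private key configured, a fresh pair is generated and stored in the
     * static fields before a 401 "put key" error is thrown. Only the PUBLIC key is written to
     * the log; the private key is deliberately never logged, since application logs are
     * routinely shipped and read by people who must not hold signing keys. Generate a
     * permanent pair out of band (e.g. openssl) and configure it. NOTE(review): because the
     * statics are assigned before the throw, later request-scoped instances skip init() and
     * run with this in-memory pair — confirm that is the intended development behaviour.
     *
     * @return the signing key
     * @throws NoSuchAlgorithmException if the JVM has no RSA provider
     * @throws InvalidKeySpecException if the configured value is not valid base64 or not a
     *     PKCS#8 RSA key
     * @throws DemoiselleSecurityException (HTTP 401) when no private key is configured
     */
    private PrivateKey getPrivate() throws NoSuchAlgorithmException, InvalidKeySpecException {
        String configuredPem = this.config.getPrivateKey();
        if (configuredPem != null) {
            return parsePkcs8PrivateKey(configuredPem);
        }
        KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
        generator.initialize(2048);
        KeyPair generated = generator.genKeyPair();
        publicKey = generated.getPublic();
        privateKey = generated.getPrivate();
        logger.warning("No private key configured; generated an ephemeral RSA key pair. publicKey=\n"
                + toPem(BEGIN_PUBLIC_KEY, END_PUBLIC_KEY, generated.getPublic().getEncoded()));
        throw new DemoiselleSecurityException(this.bundle.putKey(), Response.Status.UNAUTHORIZED.getStatusCode());
    }

    /**
     * Decodes a PEM/base64 PKCS#8 private key.
     *
     * <p>Armour and all whitespace are removed first: {@code Base64.getDecoder()} rejects line
     * breaks, so a conventionally wrapped PEM value would otherwise fail with an
     * IllegalArgumentException that {@link #init()} does not catch. Bad base64 is re-thrown as
     * {@link InvalidKeySpecException} so init() maps it to the usual 401.
     */
    private static PrivateKey parsePkcs8PrivateKey(String pem) throws NoSuchAlgorithmException, InvalidKeySpecException {
        String base64 = pem.replace(BEGIN_PRIVATE_KEY, "").replace(END_PRIVATE_KEY, "").replaceAll("\\s+", "");
        byte[] der;
        try {
            der = Base64.getDecoder().decode(base64);
        } catch (IllegalArgumentException e) {
            throw new InvalidKeySpecException("private key is not valid base64", e);
        }
        return KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(der));
    }

    /** Wraps DER bytes in PEM armour with 64-column base64 lines. */
    private static String toPem(String begin, String end, byte[] der) {
        String body = Base64.getMimeEncoder(64, "\n".getBytes(StandardCharsets.UTF_8)).encodeToString(der);
        return begin + "\n" + body + "\n" + end;
    }

    /**
     * Parses the configured PEM public key ({@code -----BEGIN PUBLIC KEY-----}, X.509
     * SubjectPublicKeyInfo) with jose4j's {@link RsaKeyUtil}.
     */
    private PublicKey getPublic() throws JoseException, InvalidKeySpecException {
        return new RsaKeyUtil().fromPemEncoded(this.config.getPublicKey());
    }

    /**
     * Not supported: JWTs are stateless, so there is no server-side session to remove; a token
     * stays valid until {@code exp}.
     *
     * @throws UnsupportedOperationException always
     */
    public void removeUser(DemoiselleUser demoiselleUser) {
        throw new UnsupportedOperationException(this.bundle.notJwt());
    }
}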
