package io.cellery.security.extensions.jwt;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.util.Base64URL;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import io.cellery.security.extensions.exception.CelleryAuthException;
import java.security.interfaces.RSAPrivateKey;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.List;
import java.util.Map;
import java.util.UUID;
import java.util.stream.Collectors;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.lang.StringUtils;
import org.wso2.carbon.identity.core.util.IdentityUtil;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.util.OAuth2Util;

/* loaded from: input_file:io/cellery/security/extensions/jwt/CellerySignedJWTBuilder.class */
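/**
 * Fluent builder that assembles and signs an RS256 JWT for the Cellery STS.
 *
 * <p>Callers add a subject, custom claims, scopes, audiences and a lifetime, then call
 * {@link #build()}. {@code build()} sets the {@code jti}, {@code iss}, {@code iat}, {@code exp},
 * {@code aud} and {@code keytype} claims on the same claim-set builder after the caller's
 * claims, so a caller-supplied claim with one of those names is replaced rather than honoured.
 * Every other claim name (including {@code sub} and {@code scope}) is taken from the caller
 * as-is and ends up inside a signed token.
 *
 * <p>Instances hold mutable state and are not synchronized.
 */
public class CellerySignedJWTBuilder {
    // Domain and id passed to OAuth2Util when looking up the signing key and its thumbprint.
    private static final String TENANT_DOMAIN = "carbon.super";
    private static final int TENANT_ID = -1234;
    // Audience used when the caller supplies no usable audience value.
    private static final String MICRO_GATEWAY_DEFAULT_AUDIENCE_VALUE = "http://io.cellery.apimgt/gateway";
    // Configuration key read through IdentityUtil to obtain the issuer; falls back to the default below.
    private static final String CELLERY_STS_ISSUER_CONFIG = "Cellery.STS.Issuer";
    private static final String DEFAULT_ISSUER_VALUE = "https://sts.cellery.io";
    private static final String SCOPE_CLAIM = "scope";
    private static final String KEY_TYPE_CLAIM = "keytype";
    private static final String PRODUCTION_KEY_TYPE = "PRODUCTION";
    // The algorithm is fixed here; nothing in this class lets a caller change it.
    private final JWSHeader.Builder headerBuilder = new JWSHeader.Builder(JWSAlgorithm.RS256);
    private final JWTClaimsSet.Builder claimSetBuilder = new JWTClaimsSet.Builder();
    // Token lifetime in seconds, added to the issue time to compute "exp".
    private long expiryInSeconds = 1200;
    // Always a list owned by this builder, never a caller's list, so audience(String) can append.
    private List<String> audience = new ArrayList<>();

    /**
     * Sets the {@code sub} claim.
     *
     * @param str subject value
     * @return this builder
     */
    public CellerySignedJWTBuilder subject(String str) {
        this.claimSetBuilder.subject(str);
        return this;
    }

    /**
     * Adds a single claim. The name and value are not validated here.
     * NOTE(review): values that originate from a request should be checked by the caller before
     * they are passed in, since they are signed as-is.
     *
     * @param str claim name
     * @param obj claim value
     * @return this builder
     */
    public CellerySignedJWTBuilder claim(String str, Object obj) {
        this.claimSetBuilder.claim(str, obj);
        return this;
    }

    /**
     * Adds every entry of the map as a claim. A {@code null} map adds nothing.
     *
     * @param map claim names to values, may be {@code null}
     * @return this builder
     */
    public CellerySignedJWTBuilder claims(Map<String, Object> map) {
        if (map != null) {
            map.forEach(this.claimSetBuilder::claim);
        }
        return this;
    }

    /**
     * Sets the {@code scope} claim to a snapshot of the given list, so changes the caller makes
     * to the list afterwards do not alter the token contents.
     *
     * @param list scope values, may be {@code null}
     * @return this builder
     */
    public CellerySignedJWTBuilder scopes(List<String> list) {
        return claim(SCOPE_CLAIM, list == null ? null : new ArrayList<>(list));
    }

    /**
     * Sets the token lifetime. The value is not range-checked: zero or a negative number yields a
     * token whose {@code exp} is not after its {@code iat}.
     *
     * @param j lifetime in seconds
     * @return this builder
     */
    public CellerySignedJWTBuilder expiryInSeconds(long j) {
        this.expiryInSeconds = j;
        return this;
    }

    /**
     * Replaces the audience with a copy of the given list. Copying keeps a later
     * {@link #audience(String)} call from failing on an unmodifiable or {@code null} list and
     * from modifying a list the caller still owns.
     *
     * @param list audience values, may be {@code null} or empty (the default audience then applies)
     * @return this builder
     */
    public CellerySignedJWTBuilder audience(List<String> list) {
        this.audience = (list == null) ? new ArrayList<>() : new ArrayList<>(list);
        return this;
    }

    /**
     * Appends one audience value. Blank values are dropped when the token is built.
     *
     * @param str audience value
     * @return this builder
     */
    public CellerySignedJWTBuilder audience(String str) {
        this.audience.add(str);
        return this;
    }

    /**
     * Builds the JWS header, using the thumbprint returned by OAuth2Util both as {@code kid} and
     * as the X.509 certificate thumbprint.
     *
     * @throws IdentityOAuth2Exception if the thumbprint lookup fails
     */
    private JWSHeader buildJWSHeader() throws IdentityOAuth2Exception {
        String thumbPrint = OAuth2Util.getThumbPrint(TENANT_DOMAIN, TENANT_ID);
        this.headerBuilder.keyID(thumbPrint);
        // Base64URL(String) wraps the value without encoding it.
        // NOTE(review): confirm getThumbPrint already returns a base64url string.
        this.headerBuilder.x509CertThumbprint(new Base64URL(thumbPrint));
        return this.headerBuilder.build();
    }

    /**
     * Signs the accumulated claims and returns the serialized JWT.
     *
     * @return the serialized signed JWT
     * @throws CelleryAuthException if the key or thumbprint lookup, or the signing step, fails
     */
    public String build() throws CelleryAuthException {
        try {
            JWSHeader header = buildJWSHeader();
            // Applied last so caller-supplied jti/iss/iat/exp/aud/keytype values are replaced.
            addMandatoryClaims(this.claimSetBuilder);
            SignedJWT signedJWT = new SignedJWT(header, this.claimSetBuilder.build());
            signedJWT.sign(new RSASSASigner(getRSASigningKey()));
            return signedJWT.serialize();
        } catch (IdentityOAuth2Exception | JOSEException e) {
            throw new CelleryAuthException("Error while generating the signed JWT.", e);
        }
    }

    /**
     * Sets the claims every token carries: a random {@code jti}, issuer, issue time, expiry,
     * audience and the {@code keytype} claim.
     */
    private void addMandatoryClaims(JWTClaimsSet.Builder builder) {
        Date issuedAt = new Date(System.currentTimeMillis());
        Date expiresAt = new Date(issuedAt.getTime() + (this.expiryInSeconds * 1000));
        builder.jwtID(UUID.randomUUID().toString())
                .issuer(getIssuer())
                .issueTime(issuedAt)
                .expirationTime(expiresAt)
                .audience(getAudience(this.audience))
                .claim(KEY_TYPE_CLAIM, PRODUCTION_KEY_TYPE);
    }

    /** Returns the configured issuer, or the default when the property is missing or empty. */
    private String getIssuer() {
        String configured = IdentityUtil.getProperty(CELLERY_STS_ISSUER_CONFIG);
        return StringUtils.isEmpty(configured) ? DEFAULT_ISSUER_VALUE : configured;
    }

    /**
     * Fetches the signing key from OAuth2Util.
     * The cast throws ClassCastException, which {@link #build()} does not catch, if the key is
     * not an RSA key.
     */
    private RSAPrivateKey getRSASigningKey() throws IdentityOAuth2Exception {
        return (RSAPrivateKey) OAuth2Util.getPrivateKey(TENANT_DOMAIN, TENANT_ID);
    }

    /**
     * Returns the non-blank audience values, or the default gateway audience when there are none.
     * The fallback also covers a list that contains only blank entries; otherwise an empty
     * audience list would reach the claim set and the token would not be bound to any audience.
     */
    private List<String> getAudience(List<String> list) {
        List<String> defaultAudience = Collections.singletonList(MICRO_GATEWAY_DEFAULT_AUDIENCE_VALUE);
        if (CollectionUtils.isEmpty(list)) {
            return defaultAudience;
        }
        List<String> nonBlank = list.stream().filter(StringUtils::isNotBlank).collect(Collectors.toList());
        return nonBlank.isEmpty() ? defaultAudience : nonBlank;
    }
}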
