package no.difi.move.common.oauth;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.util.Base64;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.security.cert.CertificateEncodingException;
import java.time.Duration;
import java.time.OffsetDateTime;
import java.time.ZoneId;
import java.util.Collections;
import java.util.Date;
import java.util.List;
import java.util.Optional;
import java.util.TimeZone;
import java.util.UUID;
import lombok.Generated;
import no.difi.move.common.cert.KeystoreHelper;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.MediaType;
import org.springframework.http.converter.FormHttpMessageConverter;
import org.springframework.retry.annotation.Backoff;
import org.springframework.retry.annotation.Retryable;
import org.springframework.util.LinkedMultiValueMap;
import org.springframework.web.client.HttpClientErrorException;
import org.springframework.web.client.RestTemplate;
import org.springframework.web.reactive.function.client.WebClient;
import reactor.core.publisher.Mono;
import reactor.util.retry.Retry;

/* loaded from: input_file:no/difi/move/common/oauth/JwtTokenClient.class */
public class JwtTokenClient {

    @Generated
    private static final Logger log = LoggerFactory.getLogger(JwtTokenClient.class);
    public static final TimeZone DEFAULT_TIME_ZONE = TimeZone.getTimeZone("Europe/Oslo");
    public static final ZoneId DEFAULT_ZONE_ID = DEFAULT_TIME_ZONE.toZoneId();
    private final JwtTokenConfig config;
    private final WebClient wc;
    private final JWSHeader jwsHeader;
    private final RSASSASigner signer;

    /* loaded from: input_file:no/difi/move/common/oauth/JwtTokenClient$CertificateEncodingRuntimeException.class */
    public static class CertificateEncodingRuntimeException extends RuntimeException {
        public CertificateEncodingRuntimeException(String str, Throwable th) {
            super(str, th);
        }
    }

    public JwtTokenClient(JwtTokenConfig jwtTokenConfig) {
        this.config = jwtTokenConfig;
        this.wc = WebClient.create(jwtTokenConfig.getTokenUri());
        KeystoreHelper keystoreHelper = new KeystoreHelper(jwtTokenConfig.getKeystore());
        this.jwsHeader = getJwsHeader(keystoreHelper);
        this.signer = getSigner(keystoreHelper);
    }

    private JWSHeader getJwsHeader(KeystoreHelper keystoreHelper) {
        return new JWSHeader.Builder(JWSAlgorithm.RS256).x509CertChain(getCertChain(keystoreHelper)).build();
    }

    private List<Base64> getCertChain(KeystoreHelper keystoreHelper) {
        try {
            return Collections.singletonList(Base64.encode(keystoreHelper.getX509Certificate().getEncoded()));
        } catch (CertificateEncodingException e) {
            log.error("Could not get encoded certificate", e);
            throw new CertificateEncodingRuntimeException("Could not get encoded certificate", e);
        }
    }

    private RSASSASigner getSigner(KeystoreHelper keystoreHelper) {
        RSASSASigner rSASSASigner = new RSASSASigner(keystoreHelper.loadPrivateKey());
        if (keystoreHelper.shouldLockProvider()) {
            rSASSASigner.getJCAContext().setProvider(keystoreHelper.getKeyStore().getProvider());
        }
        return rSASSASigner;
    }

    public Mono<JwtTokenResponse> fetchTokenMono() {
        return fetchTokenMono(new JwtTokenInput());
    }

    public Mono<JwtTokenResponse> fetchTokenMono(JwtTokenInput jwtTokenInput) {
        return this.wc.post().contentType(MediaType.APPLICATION_FORM_URLENCODED).accept(new MediaType[]{MediaType.APPLICATION_JSON}).body(Mono.fromSupplier(() -> {
            LinkedMultiValueMap linkedMultiValueMap = new LinkedMultiValueMap();
            linkedMultiValueMap.add("grant_type", "urn:ietf:params:oauth:grant-type:jwt-bearer");
            linkedMultiValueMap.add("assertion", generateJWT(jwtTokenInput));
            return linkedMultiValueMap;
        }), LinkedMultiValueMap.class).retrieve().onStatus((v0) -> {
            return v0.isError();
        }, clientResponse -> {
            return clientResponse.bodyToMono(String.class).flatMap(str -> {
                return Mono.error(new JwtTokenException("http status: " + clientResponse.statusCode() + ", body: " + str));
            });
        }).bodyToMono(JwtTokenResponse.class).retryWhen(Retry.backoff(Long.MAX_VALUE, Duration.ofSeconds(2L)).maxBackoff(Duration.ofMinutes(1L)).doBeforeRetry(retrySignal -> {
            log.warn("Error connecting to token endpoint, retrying.. " + retrySignal);
        })).doOnNext(jwtTokenResponse -> {
            log.info("Response: {}", jwtTokenResponse.toString());
        }).cache(jwtTokenResponse2 -> {
            return Duration.ofSeconds(jwtTokenResponse2.getExpiresIn().intValue() - 10);
        }, th -> {
            return Duration.ZERO;
        }, () -> {
            return Duration.ZERO;
        });
    }

    @Retryable(value = {HttpClientErrorException.class}, maxAttempts = Integer.MAX_VALUE, backoff = @Backoff(delay = 5000, maxDelay = 3600000, multiplier = 3.0d))
    public JwtTokenResponse fetchToken() {
        return fetchToken(new JwtTokenInput());
    }

    @Retryable(value = {HttpClientErrorException.class}, maxAttempts = Integer.MAX_VALUE, backoff = @Backoff(delay = 5000, maxDelay = 3600000, multiplier = 3.0d))
    public JwtTokenResponse fetchToken(JwtTokenInput jwtTokenInput) {
        RestTemplate restTemplate = new RestTemplate();
        restTemplate.setErrorHandler(new OidcErrorHandler());
        LinkedMultiValueMap linkedMultiValueMap = new LinkedMultiValueMap();
        linkedMultiValueMap.add("grant_type", "urn:ietf:params:oauth:grant-type:jwt-bearer");
        linkedMultiValueMap.add("assertion", generateJWT(jwtTokenInput));
        HttpHeaders httpHeaders = new HttpHeaders();
        httpHeaders.setContentType(MediaType.APPLICATION_FORM_URLENCODED);
        HttpEntity httpEntity = new HttpEntity(linkedMultiValueMap, httpHeaders);
        restTemplate.getMessageConverters().add(new FormHttpMessageConverter());
        return (JwtTokenResponse) restTemplate.exchange(this.config.getTokenUri(), HttpMethod.POST, httpEntity, JwtTokenResponse.class, new Object[0]).getBody();
    }

    public String generateJWT() {
        return generateJWT(new JwtTokenInput());
    }

    public String generateJWT(JwtTokenInput jwtTokenInput) {
        JWTClaimsSet.Builder expirationTime = new JWTClaimsSet.Builder().audience((String) Optional.ofNullable(jwtTokenInput.getAudience()).orElse(this.config.getAudience())).issuer((String) Optional.ofNullable(jwtTokenInput.getClientId()).orElse(this.config.getClientId())).claim("scope", getScopeString(jwtTokenInput)).jwtID(UUID.randomUUID().toString()).issueTime(Date.from(OffsetDateTime.now(DEFAULT_ZONE_ID).toInstant())).expirationTime(Date.from(OffsetDateTime.now(DEFAULT_ZONE_ID).toInstant().plusSeconds(120L)));
        Optional.ofNullable(jwtTokenInput.getConsumerOrg()).ifPresent(str -> {
            expirationTime.claim("consumer_org", str);
        });
        SignedJWT signedJWT = new SignedJWT(this.jwsHeader, expirationTime.build());
        try {
            signedJWT.sign(this.signer);
        } catch (JOSEException e) {
            log.error("Error occured during signing of JWT", e);
        }
        String serialize = signedJWT.serialize();
        log.info("Payload: {}", new String(java.util.Base64.getUrlDecoder().decode(serialize.split("\\.")[1])));
        log.debug("SerializedJWT: {}", serialize);
        return serialize;
    }

    private String getScopeString(JwtTokenInput jwtTokenInput) {
        return (String) ((List) Optional.ofNullable(jwtTokenInput.getScopes()).orElse(this.config.getScopes())).stream().reduce((str, str2) -> {
            return str + " " + str2;
        }).orElse("");
    }
}
