package pl.edu.icm.unity.rest.jwt.endpoint;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jwt.JWTClaimsSet;
import eu.emi.security.authn.x509.X509Credential;
import java.nio.charset.StandardCharsets;
import java.text.ParseException;
import java.util.Date;
import java.util.UUID;
import javax.ws.rs.BadRequestException;
import javax.ws.rs.ClientErrorException;
import javax.ws.rs.GET;
import javax.ws.rs.InternalServerErrorException;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Response;
import org.apache.logging.log4j.Logger;
import pl.edu.icm.unity.base.utils.Log;
import pl.edu.icm.unity.engine.api.EntityManagement;
import pl.edu.icm.unity.engine.api.PKIManagement;
import pl.edu.icm.unity.engine.api.authn.InvocationContext;
import pl.edu.icm.unity.engine.api.token.TokensManagement;
import pl.edu.icm.unity.exceptions.EngineException;
import pl.edu.icm.unity.rest.jwt.JWTAuthenticationProperties;
import pl.edu.icm.unity.rest.jwt.JWTUtils;
import pl.edu.icm.unity.types.basic.EntityParam;
import pl.edu.icm.unity.types.basic.Identity;

/* loaded from: input_file:pl/edu/icm/unity/rest/jwt/endpoint/JWTManagement.class */
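/**
 * REST endpoint backing the "simple JWT" flow: issues a signed JWT for the
 * currently authenticated entity, refreshes it and invalidates it.
 *
 * <p>Every issued token is also recorded in {@link TokensManagement} under
 * {@link #JWT_TOKEN_ID}, keyed by its JWT ID (jti); {@link #refresh(String)}
 * and {@link #invalidate(String)} use that record to tell a live token from one
 * that was already revoked (HTTP 410 GONE).
 *
 * <p>Security notes grounded in this class only:
 * <ul>
 *   <li>Refresh and invalidate first verify the presented JWT with
 *       {@link JWTUtils#parseAndValidate} and then require its subject to equal
 *       the caller's persistent identity, so one principal cannot refresh or
 *       revoke another principal's token (FORBIDDEN otherwise).</li>
 *   <li>Which claims {@code JWTUtils.parseAndValidate} checks (signature, exp,
 *       iss, aud) is not visible here — confirm it validates issuer, audience and
 *       expiry, because this class itself only checks the subject and the jti.</li>
 *   <li>Refresh does not remove the token it was given; the old token stays
 *       usable until its own expiry or an explicit invalidate.</li>
 * </ul>
 */
public class JWTManagement {
    private static final Logger log = Log.getLogger("unity.server.rest", JWTManagement.class);
    /** Token-store type under which issued JWTs are persisted. */
    public static final String JWT_TOKEN_ID = "simpleJWT";
    private final TokensManagement tokensMan;
    private final EntityManagement identitiesMan;
    private final PKIManagement pkiManagement;
    /** Audience claim: {@code issuer + "#" + <first constructor string>}. */
    private final String audience;
    private final String issuer;
    private final JWTAuthenticationProperties config;

    /**
     * @param tokensManagement store used to persist and look up issued tokens
     * @param pKIManagement source of the signing credential
     * @param entityManagement used to resolve the caller's persistent identity
     * @param str appended after {@code "#"} to the issuer to form the audience
     *            (decompiled parameter name; presumably an endpoint/realm id — verify against callers)
     * @param str2 issuer claim value
     * @param jWTAuthenticationProperties endpoint configuration (TTL, signing credential)
     */
    public JWTManagement(TokensManagement tokensManagement, PKIManagement pKIManagement, EntityManagement entityManagement, String str, String str2, JWTAuthenticationProperties jWTAuthenticationProperties) {
        this.tokensMan = tokensManagement;
        this.pkiManagement = pKIManagement;
        this.identitiesMan = entityManagement;
        this.issuer = str2;
        this.audience = str2 + "#" + str;
        this.config = jWTAuthenticationProperties;
    }

    /**
     * Issues a new JWT for the authenticated caller.
     *
     * <p>Note: this is a {@code GET} that creates server-side state (the token
     * record); callers and caches should treat it as non-idempotent.
     *
     * @return the compact serialized JWT
     */
    @GET
    @Produces({"application/jwt"})
    @Path("/token")
    public String generate() {
        return generate(getCurrentEntity());
    }

    /**
     * Issues a new JWT whose subject is the persistent identity of {@code entityParam}.
     *
     * @param entityParam entity to issue the token for
     * @return the compact serialized JWT
     * @throws InternalServerErrorException if the entity has no persistent identity,
     *         the signing credential cannot be loaded, or signing/persisting fails
     */
    public String generate(EntityParam entityParam) {
        return generateCommon(getCredential(), getClientsPersistentId(entityParam), entityParam);
    }

    /**
     * Issues a fresh JWT in exchange for a valid, still-registered one.
     *
     * <p>Order of checks: signature/claims validation (400 on failure), subject
     * must match the caller's persistent id (403), the jti must still be present
     * in the token store (410), then a new token is generated. The presented
     * token is <em>not</em> removed here.
     *
     * @param str the JWT to refresh
     * @return a new compact serialized JWT
     */
    @POST
    @Produces({"application/jwt"})
    @Path("/refreshToken")
    public String refresh(String str) {
        X509Credential credential = getCredential();
        JWTClaimsSet claims = parseAndValidate(str, credential);
        EntityParam caller = getCurrentEntity();
        String persistentId = getClientsPersistentIdValidating(caller, claims.getSubject());
        try {
            // Existence check only: a token whose jti was removed (invalidated) is GONE.
            this.tokensMan.getTokenById(JWT_TOKEN_ID, claims.getJWTID());
        } catch (IllegalArgumentException e) {
            throw new ClientErrorException(Response.Status.GONE);
        }
        return generateCommon(credential, persistentId, caller);
    }

    /**
     * Revokes a JWT by deleting its record from the token store.
     *
     * @param str the JWT to invalidate; must be valid and belong to the caller
     */
    @POST
    @Path("/invalidateToken")
    public void invalidate(String str) {
        JWTClaimsSet claims = parseAndValidate(str, getCredential());
        // Ownership check: only the subject of the token may revoke it.
        getClientsPersistentIdValidating(getCurrentEntity(), claims.getSubject());
        try {
            this.tokensMan.removeToken(JWT_TOKEN_ID, claims.getJWTID());
        } catch (IllegalArgumentException e) {
            throw new ClientErrorException(Response.Status.GONE);
        }
    }

    /**
     * Signs a JWT for {@code str} (the subject) and records it in the token store.
     *
     * @param x509Credential credential used to sign
     * @param str subject claim (the client's persistent identity)
     * @param entityParam owner recorded with the token
     * @return the compact serialized JWT
     * @throws InternalServerErrorException if signing or persisting fails
     */
    private String generateCommon(X509Credential x509Credential, String str, EntityParam entityParam) {
        Date issuedAt = new Date();
        Date expiresAt = tokenExpiry(issuedAt, this.config.getIntValue(JWTAuthenticationProperties.TOKEN_TTL).intValue());
        // jti from a cryptographically strong PRNG; it is also the token-store key.
        String jwtId = UUID.randomUUID().toString();
        String token;
        try {
            token = JWTUtils.generate(x509Credential, str, this.issuer, this.audience, expiresAt, jwtId);
        } catch (Exception e) {
            log.error("Can't generate JWT", e);
            throw new InternalServerErrorException();
        }
        // Separate try so a persistence failure is logged once, with its own message.
        try {
            this.tokensMan.addToken(JWT_TOKEN_ID, jwtId, entityParam, token.getBytes(StandardCharsets.UTF_8), issuedAt, expiresAt);
        } catch (Exception e) {
            log.error("Can't persist the generated JWT", e);
            throw new InternalServerErrorException();
        }
        return token;
    }

    /**
     * Computes the expiry instant for a token issued at {@code issuedAt}.
     *
     * <p>Uses {@code long} arithmetic: {@code 1000 * ttlSeconds} in {@code int}
     * overflows for TTLs above ~24.8 days and would yield an expiry in the past.
     *
     * @param issuedAt issue time
     * @param ttlSeconds configured time-to-live in seconds
     * @return {@code issuedAt + ttlSeconds}
     */
    static Date tokenExpiry(Date issuedAt, int ttlSeconds) {
        return new Date(issuedAt.getTime() + 1000L * ttlSeconds);
    }

    /** The entity of the current login session. */
    private EntityParam getCurrentEntity() {
        return new EntityParam(Long.valueOf(InvocationContext.getCurrent().getLoginSession().getEntityId()));
    }

    /**
     * Resolves the caller's persistent id and requires it to equal the JWT subject.
     *
     * @param entityParam the authenticated caller
     * @param str subject claim of the presented JWT
     * @return the caller's persistent id
     * @throws ClientErrorException FORBIDDEN when the subject belongs to someone else
     */
    private String getClientsPersistentIdValidating(EntityParam entityParam, String str) {
        String ownId = getClientsPersistentId(entityParam);
        if (!ownId.equals(str)) {
            log.warn("Client with persistent id " + ownId + " is trying to manipulate JWT of " + str);
            throw new ClientErrorException(Response.Status.FORBIDDEN);
        }
        return ownId;
    }

    /** Loads the configured signing credential; 500 if it cannot be loaded. */
    private X509Credential getCredential() {
        try {
            return this.pkiManagement.getCredential(this.config.getValue(JWTAuthenticationProperties.SIGNING_CREDENTIAL));
        } catch (EngineException e) {
            log.error("Can not load credential configured to sign JWTs", e);
            throw new InternalServerErrorException();
        }
    }

    /**
     * Parses and validates a JWT against the signing credential (delegated to
     * {@link JWTUtils}); used by both refresh and invalidate.
     *
     * @throws BadRequestException on a malformed or invalid token
     */
    private JWTClaimsSet parseAndValidate(String str, X509Credential x509Credential) {
        try {
            return JWTUtils.parseAndValidate(str, x509Credential);
        } catch (ParseException | JOSEException e) {
            log.debug("Received invalid JWT to be refreshed", e);
            throw new BadRequestException(e);
        }
    }

    /**
     * Returns the value of the entity's first {@code "persistent"} identity.
     *
     * @throws InternalServerErrorException if the entity has none or cannot be resolved
     */
    private String getClientsPersistentId(EntityParam entityParam) {
        try {
            for (Identity identity : this.identitiesMan.getEntity(entityParam, (String) null, true, "/").getIdentities()) {
                if ("persistent".equals(identity.getTypeId())) {
                    return identity.getValue();
                }
            }
            log.fatal("Authenticated client has no persistent identity, entity id is " + entityParam.getEntityId());
            throw new InternalServerErrorException();
        } catch (EngineException e) {
            log.error("Can't resolve entities of the authenticated client, entity id is " + entityParam.getEntityId(), e);
            throw new InternalServerErrorException();
        }
    }
}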
