package org.restheart.security.tokens;

import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTCreator;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.interfaces.DecodedJWT;
import com.google.common.collect.Sets;
import io.undertow.security.idm.Account;
import io.undertow.security.idm.Credential;
import io.undertow.security.idm.PasswordCredential;
import io.undertow.server.HttpServerExchange;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalUnit;
import java.util.Arrays;
import java.util.Date;
import java.util.Map;
import java.util.Set;
import org.restheart.cache.Cache;
import org.restheart.cache.CacheFactory;
import org.restheart.cache.LoadingCache;
import org.restheart.configuration.ConfigurationException;
import org.restheart.exchange.Request;
import org.restheart.plugins.ConfigurablePlugin;
import org.restheart.plugins.Inject;
import org.restheart.plugins.OnInit;
import org.restheart.plugins.RegisterPlugin;
import org.restheart.plugins.security.TokenManager;
import org.restheart.security.BaseAccount;
import org.restheart.security.PwdCredentialAccount;
import org.restheart.utils.URLUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@RegisterPlugin(name = "jwtTokenManager", description = "issues and verifies auth tokens in a cluster compatible way", enabledByDefault = false)
/* loaded from: input_file:org/restheart/security/tokens/JwtTokenManager.class */
public class JwtTokenManager implements TokenManager {
    private static final Logger LOGGER = LoggerFactory.getLogger(JwtTokenManager.class);
    private LoadingCache<ComparableAccount, Token> jwtCache;
    private JWTVerifier verifier;
    private JWTCreator.Builder creator;
    private Algorithm algo;
    private static final int MAX_CACHE_SIZE = 1000;

    @Inject("config")
    Map<String, Object> config;
    private String srvURI = "/tokens";
    private int ttl = 15;
    private String issuer = "restheart.com";
    private boolean enabled = false;

    @OnInit
    public void init() throws ConfigurationException {
        this.enabled = true;
        this.srvURI = (String) ConfigurablePlugin.argValue(this.config, "srv-uri");
        this.ttl = ((Integer) ConfigurablePlugin.argValue(this.config, "ttl")).intValue();
        if (this.ttl < 1) {
            this.enabled = false;
            throw new ConfigurationException("TTL minimum value is 1 minute");
        }
        this.algo = Algorithm.HMAC256((String) ConfigurablePlugin.argValue(this.config, "key"));
        this.issuer = (String) ConfigurablePlugin.argValue(this.config, "issuer");
        this.jwtCache = CacheFactory.createLocalLoadingCache(1000L, Cache.EXPIRE_POLICY.AFTER_WRITE, ((this.ttl * MAX_CACHE_SIZE) * 60) - 500, comparableAccount -> {
            return newToken(comparableAccount.wrapped);
        });
        try {
            this.verifier = JWT.require(this.algo).withIssuer(this.issuer).build();
            this.creator = JWT.create().withIssuer(this.issuer);
        } catch (Throwable th) {
            this.enabled = false;
            LOGGER.error("error", th);
            throw new ConfigurationException("error ");
        }
    }

    public Account verify(Account account) {
        if (this.enabled) {
            return account;
        }
        return null;
    }

    public Account verify(String str, Credential credential) {
        if (!this.enabled || str == null || !(credential instanceof PasswordCredential)) {
            return null;
        }
        char[] password = ((PasswordCredential) credential).getPassword();
        ComparableAccount comparableAccount = new ComparableAccount(new BaseAccount(str, (Set) null));
        if (this.jwtCache.get(comparableAccount) != null && this.jwtCache.get(comparableAccount).isPresent() && Arrays.equals(password, ((Token) this.jwtCache.get(comparableAccount).get()).raw)) {
            LOGGER.debug("jwt token in cache");
            return new PwdCredentialAccount(str, password, Sets.newHashSet(((Token) this.jwtCache.get(comparableAccount).get()).roles));
        }
        LOGGER.trace("jwt token not in cache, let's verify it");
        try {
            DecodedJWT verify = this.verifier.verify(new String(password));
            if (!str.equals(verify.getSubject())) {
                LOGGER.warn("invalid token from user {}, not matching id in token, was {}", str, verify.getSubject());
                return null;
            }
            String[] strArr = (String[]) verify.getClaim("roles").asArray(String.class);
            LOGGER.trace("******************** valid token from user {}", str);
            return new PwdCredentialAccount(str, password, Sets.newHashSet(strArr));
        } catch (Throwable th) {
            LOGGER.debug("expired or invalid token from user {}, {}", str, th.getMessage());
            return null;
        }
    }

    public Account verify(Credential credential) {
        return null;
    }

    public PasswordCredential get(Account account) {
        if (!this.enabled || account == null || account.getPrincipal() == null || account.getPrincipal().getName() == null) {
            return null;
        }
        return new PwdCredentialAccount(account.getPrincipal().getName(), ((Token) this.jwtCache.getLoading(new ComparableAccount(account)).get()).raw, Sets.newTreeSet(account.getRoles())).getCredentials();
    }

    private Token newToken(Account account) {
        Date from = Date.from(Instant.now().plus(this.ttl, (TemporalUnit) ChronoUnit.MINUTES));
        return new Token(this.creator.withSubject(account.getPrincipal().getName()).withExpiresAt(from).withIssuer(this.issuer).withArrayClaim("roles", (String[]) account.getRoles().toArray(new String[account.getRoles().size()])).sign(this.algo).toCharArray(), from, (String[]) account.getRoles().toArray(new String[0]));
    }

    public void invalidate(Account account) {
        if (this.enabled) {
            this.jwtCache.invalidate(new ComparableAccount(account));
        }
    }

    public void update(Account account) {
        if (this.enabled) {
            ComparableAccount comparableAccount = new ComparableAccount(account);
            this.jwtCache.put(comparableAccount, (Token) this.jwtCache.getLoading(comparableAccount).get());
        }
    }

    public void injectTokenHeaders(HttpServerExchange httpServerExchange, PasswordCredential passwordCredential) {
        if (this.enabled) {
            Request of = Request.of(httpServerExchange);
            if (of.getAuthenticatedAccount() == null || of.getAuthenticatedAccount().getPrincipal() == null || of.getAuthenticatedAccount().getPrincipal().getName() == null) {
                return;
            }
            Account authenticatedAccount = of.getAuthenticatedAccount();
            ComparableAccount comparableAccount = new ComparableAccount(authenticatedAccount);
            httpServerExchange.getResponseHeaders().add(AUTH_TOKEN_LOCATION_HEADER, URLUtils.removeTrailingSlashes(this.srvURI).concat("/").concat(of.getAuthenticatedAccount().getPrincipal().getName()));
            if (httpServerExchange.getQueryParameters().containsKey("renew-auth-token")) {
                Token newToken = newToken(authenticatedAccount);
                this.jwtCache.put(comparableAccount, newToken);
                httpServerExchange.getResponseHeaders().add(AUTH_TOKEN_HEADER, new String(newToken.raw));
                httpServerExchange.getResponseHeaders().add(AUTH_TOKEN_VALID_HEADER, newToken.getDateAsString());
                return;
            }
            if (this.jwtCache.get(comparableAccount) != null) {
                Token token = (Token) this.jwtCache.get(comparableAccount).get();
                httpServerExchange.getResponseHeaders().add(AUTH_TOKEN_HEADER, new String(token.raw));
                httpServerExchange.getResponseHeaders().add(AUTH_TOKEN_VALID_HEADER, token.getDateAsString());
            }
        }
    }
}
