package net.bingosoft.oss.ssoclient.spi;

import java.security.KeyFactory;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.X509EncodedKeySpec;
import java.util.HashMap;
import java.util.Map;
import net.bingosoft.oss.ssoclient.SSOConfig;
import net.bingosoft.oss.ssoclient.SSOUtils;
import net.bingosoft.oss.ssoclient.exception.HttpException;
import net.bingosoft.oss.ssoclient.exception.InvalidCodeException;
import net.bingosoft.oss.ssoclient.exception.InvalidTokenException;
import net.bingosoft.oss.ssoclient.exception.TokenExpiredException;
import net.bingosoft.oss.ssoclient.internal.Base64;
import net.bingosoft.oss.ssoclient.internal.HttpClient;
import net.bingosoft.oss.ssoclient.internal.JSON;
import net.bingosoft.oss.ssoclient.internal.JWT;
import net.bingosoft.oss.ssoclient.internal.Strings;
import net.bingosoft.oss.ssoclient.model.AccessToken;
import net.bingosoft.oss.ssoclient.model.Authentication;

/* loaded from: input_file:net/bingosoft/oss/ssoclient/spi/TokenProviderImpl.class */
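/**
 * {@link TokenProvider} backed by the SSO server's HTTP endpoints.
 *
 * <p>JWT access tokens are verified locally against an RSA public key downloaded from
 * {@code config.getPublicKeyEndpointUrl()}; ID tokens are verified with the client secret;
 * bearer tokens are checked by calling the token-info endpoint. The remaining methods
 * exchange an authorization code or client credentials for an {@link AccessToken}.
 *
 * <p>NOTE(review): {@code JWT.verify} is not visible in this file. Confirm that it fixes the
 * expected signature algorithm for the key type it is given and does not trust the token's
 * own {@code alg} header.
 */
public class TokenProviderImpl implements TokenProvider {
    private final SSOConfig config;

    // Replaced by refreshPublicKey(), which also runs on the request path via retryVerify().
    // NOTE(review): the field is neither volatile nor lock-guarded; if one instance serves
    // several threads, confirm that a refreshed key is visible to all of them.
    private RSAPublicKey publicKey;

    /**
     * Stores the configuration and immediately downloads the server's public key.
     *
     * <p>NOTE(review): this performs network I/O and calls the overridable
     * {@link #refreshPublicKey()} from the constructor, so a subclass override runs before
     * the subclass's own fields are initialised.
     *
     * @param sSOConfig client configuration (endpoints, client id and secret)
     */
    public TokenProviderImpl(SSOConfig sSOConfig) {
        this.config = sSOConfig;
        refreshPublicKey();
    }

    /**
     * Verifies a JWT access token against the cached public key, retrying once with a freshly
     * downloaded key when the first check fails.
     *
     * @param str the encoded JWT access token
     * @return the authentication built from the token's claims
     * @throws InvalidTokenException if verification fails with both the cached and the refreshed key;
     *     a {@link TokenExpiredException} is thrown when the resulting authentication is expired
     */
    @Override
    public Authentication verifyJwtAccessToken(String str) throws InvalidTokenException {
        Map<String, Object> claims = JWT.verify(str, this.publicKey);
        if (null == claims) {
            // NOTE(review): every token that fails verification causes one outbound request to
            // the public key endpoint. A client submitting junk tokens can therefore drive
            // traffic to the SSO server; consider a minimum interval between refreshes.
            claims = retryVerify(str);
            if (null == claims) {
                // NOTE(review): the raw token becomes part of the exception message, so any
                // handler that logs this exception records a credential. Consider redacting.
                throw new InvalidTokenException("Incorrect token : " + str);
            }
        }
        Authentication authc = createAuthcFromMap(claims);
        if (authc.isExpired()) {
            throw new TokenExpiredException(str);
        }
        return authc;
    }

    /**
     * Verifies an ID token using the configured client secret as the verification key.
     *
     * <p>NOTE(review): {@code aud} is copied into the authentication's client id by
     * {@link #createAuthcFromIdTokenMap(Map)} but is not compared with
     * {@code config.getClientId()}, and no issuer claim is checked in this method. Confirm
     * whether {@code JWT.verify} or the caller enforces them.
     *
     * @param str the encoded ID token
     * @return the authentication built from the token's claims
     * @throws InvalidTokenException if verification fails
     * @throws TokenExpiredException if the resulting authentication is expired
     */
    @Override
    public Authentication verifyIdToken(String str) throws InvalidTokenException, TokenExpiredException {
        Map<String, Object> claims = JWT.verify(str, this.config.getClientSecret());
        if (null == claims) {
            // NOTE(review): raw token in the exception message; see verifyJwtAccessToken.
            throw new InvalidTokenException("Incorrect token : " + str);
        }
        Authentication authc = createAuthcFromIdTokenMap(claims);
        if (authc.isExpired()) {
            throw new TokenExpiredException(str);
        }
        return authc;
    }

    /**
     * Validates an opaque bearer token by posting it to the token-info endpoint with the
     * client's Basic credentials.
     *
     * <p>NOTE(review): the token and the client secret both travel in this request; confirm the
     * configured endpoint is HTTPS and that {@code HttpClient} validates the server certificate.
     *
     * @param str the bearer access token
     * @return the authentication described by the endpoint's response
     * @throws IllegalStateException if no resource name is configured
     * @throws InvalidTokenException if the response carries an {@code error} field, or the HTTP
     *     failure message mentions {@code invalid_token}
     * @throws TokenExpiredException if the computed expiry is already in the past
     */
    @Override
    public Authentication verifyBearerAccessToken(String str) throws InvalidTokenException, TokenExpiredException {
        if (Strings.isEmpty(this.config.getResourceName())) {
            throw new IllegalStateException("resource name must not be null or empty");
        }
        String tokenInfoEndpointUrl = this.config.getTokenInfoEndpointUrl();
        Map<String, String> params = new HashMap<String, String>();
        params.put("access_token", str);
        params.put("resource", this.config.getResourceName());
        Map<String, String> headers = new HashMap<String, String>();
        headers.put(SSOUtils.AUTHORIZATION_HEADER, SSOUtils.encodeBasicAuthorizationHeader(this.config.getClientId(), this.config.getClientSecret()));
        try {
            Map<String, Object> info = JSON.decodeToMap(HttpClient.post(tokenInfoEndpointUrl, params, headers));
            if (info.containsKey("error")) {
                throw new InvalidTokenException(info.get("error") + ":" + info.get("error_description"));
            }
            Authentication authentication = new Authentication();
            authentication.setUserId((String) info.remove("user_id"));
            authentication.setClientId((String) info.remove("client_id"));
            authentication.setUsername((String) info.remove("username"));
            authentication.setScope((String) info.remove("scope"));
            String expiresIn = Strings.nullOrToString(info.remove("expires_in"));
            if (null == expiresIn) {
                // A response without expires_in yields an expiry equal to "now".
                expiresIn = "0";
            }
            authentication.setExpires((System.currentTimeMillis() / 1000) + Integer.parseInt(expiresIn));
            if (authentication.isExpired()) {
                // NOTE(review): raw token in the exception message; see verifyJwtAccessToken.
                throw new TokenExpiredException("token is expired:" + str);
            }
            return authentication;
        } catch (HttpException e) {
            // getMessage() may be null; guard so the original failure is not replaced by an NPE.
            String message = e.getMessage();
            if (message != null && message.contains("invalid_token")) {
                throw new InvalidTokenException("error in obtain access token:[http code:" + e.getCode() + "] " + message, e);
            }
            throw e;
        }
    }

    /**
     * Exchanges an authorization code for an access token at the token endpoint.
     *
     * <p>Only transport and response-parsing failures are wrapped as "parse json error"; the
     * declared exceptions propagate unwrapped.
     *
     * @param str the authorization code
     * @return the access token issued for the code
     * @throws InvalidCodeException if the HTTP failure message mentions {@code invalid_grant}, or
     *     the response contains no access token
     * @throws TokenExpiredException if the issued token is already expired
     */
    @Override
    public AccessToken obtainAccessTokenByAuthzCode(String str) throws InvalidCodeException, TokenExpiredException {
        Map<String, String> params = new HashMap<String, String>();
        params.put("grant_type", "authorization_code");
        params.put("code", str);
        params.put("redirect_uri", Base64.urlEncode(this.config.getRedirectUri()));

        Map<String, Object> response;
        AccessToken token;
        try {
            response = JSON.decodeToMap(HttpClient.post(this.config.getTokenEndpointUrl(), params, createAuthorizationHeader()));
            token = createAccessTokenFromMap(response);
        } catch (HttpException e) {
            // Must precede the catch-all below, otherwise this handler is unreachable and an
            // invalid_grant answer surfaces as a generic RuntimeException.
            String message = e.getMessage();
            if (message != null && message.contains("invalid_grant")) {
                throw new InvalidCodeException("error in obtain access token:[http code:" + e.getCode() + "] " + message, e);
            }
            throw e;
        } catch (Exception e) {
            throw new RuntimeException("parse json error", e);
        }

        if (null == token.getAccessToken() || token.getAccessToken().isEmpty()) {
            // NOTE(review): the authorization code is echoed into the message; codes are
            // short-lived, but consider omitting it from anything that gets logged.
            throw new InvalidCodeException("invalid authorization code[" + str + "]:" + response.get("error") + "\n" + response.get("error_description"));
        }
        if (token.isExpired()) {
            throw new TokenExpiredException("access token obtain by authorization code " + str + " is expired!");
        }
        return token;
    }

    /**
     * Obtains an access token for the client itself using the client-credentials grant.
     *
     * <p>NOTE(review): the catch-all also wraps the error-response and expiry exceptions thrown
     * inside the try block, so callers see "parse json error" for those too. The method
     * declares no checked exceptions, so this is left as is.
     *
     * @return the issued access token
     * @throws RuntimeException for any failure, including an error response or an expired token
     */
    @Override
    public AccessToken obtainAccessTokenByClientCredentials() {
        Map<String, String> params = new HashMap<String, String>();
        params.put("grant_type", "client_credentials");
        try {
            Map<String, Object> response = JSON.decodeToMap(HttpClient.post(this.config.getTokenEndpointUrl(), params, createAuthorizationHeader()));
            AccessToken token = createAccessTokenFromMap(response);
            if (null == token.getAccessToken() || token.getAccessToken().isEmpty()) {
                throw new RuntimeException(response.get("error") + ":" + response.get("error_description"));
            }
            if (token.isExpired()) {
                throw new TokenExpiredException("access token obtain by client secret is expired!");
            }
            return token;
        } catch (Exception e) {
            throw new RuntimeException("parse json error", e);
        }
    }

    /**
     * Verifies the given JWT access token locally, then exchanges it for a new access token.
     *
     * @param str the JWT access token to exchange
     * @return the newly issued access token
     * @throws InvalidTokenException if local verification fails
     * @throws TokenExpiredException if the given or the issued token is expired
     */
    @Override
    public AccessToken obtainAccessTokenByClientCredentialsWithJwtToken(String str) throws InvalidTokenException, TokenExpiredException {
        verifyJwtAccessToken(str);
        return obtainAccessTokenByTokenClientCredentials(str);
    }

    /**
     * Exchanges the given bearer token for a new access token. Unlike the JWT variant, the
     * token is not checked locally first; acceptance is decided by the token endpoint.
     *
     * @param str the bearer access token to exchange
     * @return the newly issued access token
     * @throws InvalidTokenException declared by the interface; not thrown directly here
     * @throws TokenExpiredException if the issued token is already expired
     */
    @Override
    public AccessToken obtainAccessTokenByClientCredentialsWithBearerToken(String str) throws InvalidTokenException, TokenExpiredException {
        return obtainAccessTokenByTokenClientCredentials(str);
    }

    /**
     * Posts a {@code token_client_credentials} grant carrying the given access token.
     *
     * <p>NOTE(review): an {@code error} response is raised as {@link InvalidTokenException}
     * inside the try block and is therefore still wrapped as "parse json error", because this
     * method's signature does not declare that exception.
     *
     * @param str the access token to exchange
     * @return the newly issued access token
     * @throws TokenExpiredException if the issued token is already expired
     * @throws RuntimeException for transport, parsing and error-response failures
     */
    protected AccessToken obtainAccessTokenByTokenClientCredentials(String str) throws TokenExpiredException {
        Map<String, String> params = new HashMap<String, String>();
        params.put("grant_type", "token_client_credentials");
        params.put("access_token", str);
        try {
            Map<String, Object> response = JSON.decodeToMap(HttpClient.post(this.config.getTokenEndpointUrl(), params, createAuthorizationHeader()));
            if (response.containsKey("error")) {
                throw new InvalidTokenException("invalid token:" + response.get("error_description"));
            }
            AccessToken token = createAccessTokenFromMap(response);
            if (token.isExpired()) {
                throw new TokenExpiredException("access token obtain by token p client credentials is expired!");
            }
            return token;
        } catch (TokenExpiredException e) {
            // Declared by this method: let it through instead of hiding it in the catch-all.
            throw e;
        } catch (Exception e) {
            throw new RuntimeException("parse json error", e);
        }
    }

    /**
     * Downloads the public key again and repeats the verification.
     *
     * @param str the encoded JWT
     * @return the verified claims, or {@code null} if verification still fails
     */
    protected Map<String, Object> retryVerify(String str) {
        refreshPublicKey();
        return JWT.verify(str, this.publicKey);
    }

    /**
     * Fetches the key from {@code config.getPublicKeyEndpointUrl()} and replaces the cached one.
     *
     * <p>NOTE(review): whatever this endpoint returns becomes the trust anchor for JWT access
     * tokens. Confirm the URL is HTTPS and that {@code HttpClient} validates the certificate.
     */
    protected void refreshPublicKey() {
        this.publicKey = decodePublicKey(HttpClient.get(this.config.getPublicKeyEndpointUrl()));
    }

    /**
     * Decodes a Base64 (MIME) X.509 {@code SubjectPublicKeyInfo} into an RSA public key.
     *
     * @param str the encoded key text
     * @return the decoded key
     * @throws RuntimeException if the text cannot be decoded into an RSA public key
     */
    private static RSAPublicKey decodePublicKey(String str) {
        try {
            X509EncodedKeySpec spec = new X509EncodedKeySpec(Base64.mimeDecode(str));
            return (RSAPublicKey) KeyFactory.getInstance("RSA").generatePublic(spec);
        } catch (Exception e) {
            throw new RuntimeException("Decode public key error", e);
        }
    }

    /**
     * Builds an {@link Authentication} from verified JWT access-token claims. Consumed claims
     * are removed from {@code map}; the rest are copied as attributes.
     *
     * @param map the verified claims; modified by this call
     * @return the populated authentication
     */
    protected Authentication createAuthcFromMap(Map<String, Object> map) {
        Authentication authentication = new Authentication();
        authentication.setUserId((String) map.remove("user_id"));
        authentication.setUsername((String) map.remove("username"));
        authentication.setClientId((String) map.remove("client_id"));
        authentication.setScope((String) map.remove("scope"));
        applyExpiryAndRemainingClaims(authentication, map);
        return authentication;
    }

    /**
     * Builds an {@link Authentication} from verified ID-token claims ({@code sub},
     * {@code login_name}, {@code aud}, {@code scope}, {@code exp}). Consumed claims are removed
     * from {@code map}; the rest are copied as attributes.
     *
     * @param map the verified claims; modified by this call
     * @return the populated authentication
     */
    protected Authentication createAuthcFromIdTokenMap(Map<String, Object> map) {
        Authentication authentication = new Authentication();
        authentication.setUserId((String) map.remove("sub"));
        authentication.setUsername((String) map.remove("login_name"));
        // The cast fails with ClassCastException if aud is not a single string.
        authentication.setClientId((String) map.remove("aud"));
        authentication.setScope((String) map.remove("scope"));
        applyExpiryAndRemainingClaims(authentication, map);
        return authentication;
    }

    /** Sets the expiry from {@code exp} and copies every claim still in the map as an attribute. */
    private static void applyExpiryAndRemainingClaims(Authentication authentication, Map<String, Object> map) {
        String exp = Strings.nullOrToString(map.remove("exp"));
        // NOTE(review): a token without exp gets expires = 0. Confirm Authentication.isExpired()
        // treats 0 as expired rather than as "never expires".
        authentication.setExpires(exp == null ? 0L : Long.parseLong(exp));
        for (Map.Entry<String, Object> entry : map.entrySet()) {
            authentication.setAttribute(entry.getKey(), entry.getValue());
        }
    }

    /**
     * Builds an {@link AccessToken} from a token-endpoint response. Consumed fields are removed
     * from {@code map}; a missing {@code expires_in} is treated as 0 seconds.
     *
     * @param map the decoded response; modified by this call
     * @return the populated access token
     */
    protected AccessToken createAccessTokenFromMap(Map<String, Object> map) {
        AccessToken accessToken = new AccessToken();
        accessToken.setAccessToken((String) map.remove("access_token"));
        accessToken.setRefreshToken((String) map.remove("refresh_token"));
        accessToken.setTokenType((String) map.remove("token_type"));
        String expiresIn = Strings.nullOrToString(map.remove("expires_in"));
        accessToken.setExpiresInFromNow(expiresIn == null ? 0 : Integer.parseInt(expiresIn));
        return accessToken;
    }

    /**
     * Builds the request headers carrying the client's Basic credentials.
     *
     * @return a new map holding the single authorization header
     */
    protected Map<String, String> createAuthorizationHeader() {
        Map<String, String> headers = new HashMap<String, String>();
        headers.put(SSOUtils.AUTHORIZATION_HEADER, SSOUtils.encodeBasicAuthorizationHeader(this.config.getClientId(), this.config.getClientSecret()));
        return headers;
    }
}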
