package net.officefloor.web.jwt;

import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.JavaType;
import com.fasterxml.jackson.databind.ObjectMapper;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.impl.crypto.DefaultJwtSignatureValidator;
import io.jsonwebtoken.io.Decoder;
import java.io.IOException;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Collection;
import java.util.HashSet;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;
import net.officefloor.frame.api.build.None;
import net.officefloor.frame.api.clock.Clock;
import net.officefloor.frame.api.function.FlowCallback;
import net.officefloor.frame.internal.structure.ManagedObjectScope;
import net.officefloor.plugin.managedobject.poll.StatePollContext;
import net.officefloor.plugin.managedobject.poll.StatePoller;
import net.officefloor.server.http.HttpException;
import net.officefloor.server.http.HttpStatus;
import net.officefloor.web.jwt.JwtClaimsManagedObjectSource;
import net.officefloor.web.jwt.role.JwtRoleCollector;
import net.officefloor.web.jwt.validate.JwtValidateKey;
import net.officefloor.web.jwt.validate.JwtValidateKeyCollector;
import net.officefloor.web.security.HttpAuthentication;
import net.officefloor.web.security.scheme.HttpAccessControlImpl;
import net.officefloor.web.security.scheme.HttpAuthenticationImpl;
import net.officefloor.web.security.scheme.HttpAuthenticationScheme;
import net.officefloor.web.spi.security.AuthenticateContext;
import net.officefloor.web.spi.security.AuthenticationContext;
import net.officefloor.web.spi.security.ChallengeContext;
import net.officefloor.web.spi.security.HttpSecurity;
import net.officefloor.web.spi.security.HttpSecurityContext;
import net.officefloor.web.spi.security.HttpSecurityExecuteContext;
import net.officefloor.web.spi.security.HttpSecuritySourceContext;
import net.officefloor.web.spi.security.LogoutContext;
import net.officefloor.web.spi.security.RatifyContext;
import net.officefloor.web.spi.security.impl.AbstractHttpSecuritySource;

/* loaded from: input_file:net/officefloor/web/jwt/JwtHttpSecuritySource.class */
public class JwtHttpSecuritySource<C> extends AbstractHttpSecuritySource<HttpAuthentication<Void>, JwtHttpAccessControl<C>, Void, None, Flows> implements HttpSecurity<HttpAuthentication<Void>, JwtHttpAccessControl<C>, Void, None, Flows> {
    public static final String AUTHENTICATION_SCHEME_BEARER = "Bearer";
    public static final String PROPERTY_CLAIMS_CLASS = "claims.class";
    public static final String PROEPRTY_STARTUP_TIMEOUT = "startup.timeout";
    public static final long DEFAULT_STARTUP_TIMEOUT = 1000;
    public static final String PROPERTY_CLOCK_SKEW = "clock.skew";
    public static final long DEFAULT_CLOCK_SKEW = 2;
    private static final String CHALLENGE_ATTRIBUTE_NAME = "challenge.reason";
    private Decoder<String, byte[]> base64UrlDecoder = str -> {
        return Base64.getUrlDecoder().decode(str);
    };
    private Clock<Long> clock;
    private long clockSkew;
    private Class<?> claimsClass;
    private JavaType claimsJavaType;
    private long startupTimeout;
    private StatePoller<JwtValidateKey[], None> jwtValidateKeys;
    private JwtKeysFactoryOverride keysOverride;
    private static ThreadLocal<JwtKeysFactoryOverride> threadLocalKeysOverride = new ThreadLocal<>();
    private static final ObjectMapper mapper = new ObjectMapper();
    private static final JavaType jwtClaimsJavaType = mapper.constructType(JwtClaims.class);
    private static final JavaType jwtHeaderJavaType = mapper.constructType(JwtHeader.class);

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:net/officefloor/web/jwt/JwtHttpSecuritySource$ChallengeReason.class */
    public enum ChallengeReason {
        NO_JWT,
        INVALID_JWT,
        EXPIRED_JWT
    }

    @FunctionalInterface
    /* loaded from: input_file:net/officefloor/web/jwt/JwtHttpSecuritySource$ContextRunnable.class */
    public interface ContextRunnable<T extends Throwable> {
        void run() throws Throwable;
    }

    /* loaded from: input_file:net/officefloor/web/jwt/JwtHttpSecuritySource$Flows.class */
    public enum Flows {
        RETRIEVE_KEYS,
        RETRIEVE_ROLES,
        NO_JWT,
        INVALID_JWT,
        EXPIRED_JWT
    }

    @JsonIgnoreProperties(ignoreUnknown = true)
    /* loaded from: input_file:net/officefloor/web/jwt/JwtHttpSecuritySource$JwtClaims.class */
    public static class JwtClaims {
        private String sub;
        private Long exp;
        private Long nbf;

        public void setSub(String str) {
            this.sub = str;
        }

        public void setExp(Long l) {
            this.exp = l;
        }

        public void setNbf(Long l) {
            this.nbf = l;
        }
    }

    @JsonIgnoreProperties(ignoreUnknown = true)
    /* loaded from: input_file:net/officefloor/web/jwt/JwtHttpSecuritySource$JwtHeader.class */
    public static class JwtHeader {
        private String alg;

        public void setAlg(String str) {
            this.alg = str;
        }
    }

    /* loaded from: input_file:net/officefloor/web/jwt/JwtHttpSecuritySource$JwtHttpAccessControlImpl.class */
    private class JwtHttpAccessControlImpl extends HttpAccessControlImpl implements JwtHttpAccessControl<C> {
        private static final long serialVersionUID = 1;
        private final C claims;

        public JwtHttpAccessControlImpl(String str, String str2, C c, Set<String> set) {
            super(str, str2, set);
            this.claims = c;
        }

        @Override // net.officefloor.web.jwt.JwtHttpAccessControl
        public C getClaims() {
            return this.claims;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:net/officefloor/web/jwt/JwtHttpSecuritySource$JwtKeysFactoryOverride.class */
    public static class JwtKeysFactoryOverride {
        private final JwtValidateKeysFactory validateKeysFactory;

        private JwtKeysFactoryOverride(JwtValidateKeysFactory jwtValidateKeysFactory) {
            this.validateKeysFactory = jwtValidateKeysFactory;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:net/officefloor/web/jwt/JwtHttpSecuritySource$JwtRoleCollectorImpl.class */
    public class JwtRoleCollectorImpl implements JwtRoleCollector<C>, FlowCallback {
        private final C claims;
        private final String authenticationScheme;
        private final String principalName;
        private final AuthenticateContext<JwtHttpAccessControl<C>, None, Flows> authenticateContext;
        private volatile boolean isComplete;

        private JwtRoleCollectorImpl(C c, String str, String str2, AuthenticateContext<JwtHttpAccessControl<C>, None, Flows> authenticateContext) {
            this.isComplete = false;
            this.claims = c;
            this.authenticationScheme = str;
            this.principalName = str2;
            this.authenticateContext = authenticateContext;
        }

        @Override // net.officefloor.web.jwt.role.JwtRoleCollector
        public C getClaims() {
            return this.claims;
        }

        @Override // net.officefloor.web.jwt.role.JwtRoleCollector
        public void setRoles(Collection<String> collection) {
            if (this.isComplete) {
                return;
            }
            this.isComplete = true;
            this.authenticateContext.accessControlChange(new JwtHttpAccessControlImpl(this.authenticationScheme, this.principalName, this.claims, new HashSet(collection)), (Throwable) null);
        }

        @Override // net.officefloor.web.jwt.role.JwtRoleCollector
        public void setFailure(Throwable th) {
            if (this.isComplete) {
                return;
            }
            this.isComplete = true;
            this.authenticateContext.accessControlChange((Serializable) null, th);
        }

        public void run(Throwable th) throws Throwable {
            if (this.isComplete) {
                return;
            }
            if (th == null) {
                th = new HttpException(HttpStatus.FORBIDDEN, new IllegalStateException("No roles loaded for JWT claims"));
            }
            this.authenticateContext.accessControlChange((Serializable) null, th);
        }
    }

    /* loaded from: input_file:net/officefloor/web/jwt/JwtHttpSecuritySource$JwtValidateKeyCollectorImpl.class */
    private class JwtValidateKeyCollectorImpl implements JwtValidateKeyCollector {
        private final StatePollContext<JwtValidateKey[]> context;

        private JwtValidateKeyCollectorImpl(StatePollContext<JwtValidateKey[]> statePollContext) {
            this.context = statePollContext;
        }

        @Override // net.officefloor.web.jwt.validate.JwtValidateKeyCollector
        public JwtValidateKey[] getCurrentKeys() {
            return (JwtValidateKey[]) JwtHttpSecuritySource.this.jwtValidateKeys.getStateNow();
        }

        @Override // net.officefloor.web.jwt.validate.JwtValidateKeyCollector
        public void setKeys(JwtValidateKey... jwtValidateKeyArr) {
            ArrayList arrayList = new ArrayList(jwtValidateKeyArr.length);
            for (JwtValidateKey jwtValidateKey : jwtValidateKeyArr) {
                if (jwtValidateKey != null) {
                    arrayList.add(jwtValidateKey);
                }
            }
            this.context.setNextState((JwtValidateKey[]) arrayList.toArray(new JwtValidateKey[arrayList.size()]), -1L, (TimeUnit) null);
        }

        @Override // net.officefloor.web.jwt.validate.JwtValidateKeyCollector
        public void setFailure(Throwable th, long j, TimeUnit timeUnit) {
            this.context.setFailure(th, j, timeUnit);
        }
    }

    @FunctionalInterface
    /* loaded from: input_file:net/officefloor/web/jwt/JwtHttpSecuritySource$JwtValidateKeysFactory.class */
    public interface JwtValidateKeysFactory {
        JwtValidateKey[] createJwtValidateKeys() throws Exception;
    }

    public static <T extends Throwable> void runWithKeys(JwtValidateKeysFactory jwtValidateKeysFactory, ContextRunnable<T> contextRunnable) throws Throwable {
        threadLocalKeysOverride.set(new JwtKeysFactoryOverride(jwtValidateKeysFactory));
        try {
            contextRunnable.run();
            threadLocalKeysOverride.remove();
        } catch (Throwable th) {
            threadLocalKeysOverride.remove();
            throw th;
        }
    }

    protected void loadSpecification(AbstractHttpSecuritySource.SpecificationContext specificationContext) {
        specificationContext.addProperty(PROPERTY_CLAIMS_CLASS, "Claims Class");
    }

    protected void loadMetaData(AbstractHttpSecuritySource.MetaDataContext<HttpAuthentication<Void>, JwtHttpAccessControl<C>, Void, None, Flows> metaDataContext) throws Exception {
        HttpSecuritySourceContext httpSecuritySourceContext = metaDataContext.getHttpSecuritySourceContext();
        this.clock = httpSecuritySourceContext.getClock(l -> {
            return l;
        });
        this.clockSkew = Long.parseLong(httpSecuritySourceContext.getProperty(PROPERTY_CLOCK_SKEW, String.valueOf(2L)));
        this.claimsClass = httpSecuritySourceContext.loadClass(httpSecuritySourceContext.getProperty(PROPERTY_CLAIMS_CLASS));
        this.startupTimeout = Long.parseLong(httpSecuritySourceContext.getProperty(PROEPRTY_STARTUP_TIMEOUT, String.valueOf(1000L)));
        this.claimsJavaType = mapper.constructType(this.claimsClass);
        if (!mapper.canDeserialize(this.claimsJavaType)) {
            throw new IOException("Unable to deserialise " + this.claimsClass.getName() + " to load JWT claims");
        }
        this.keysOverride = threadLocalKeysOverride.get();
        if (this.keysOverride == null || this.keysOverride.validateKeysFactory == null) {
            this.keysOverride = null;
        }
        metaDataContext.setAuthenticationClass(HttpAuthentication.class);
        metaDataContext.setAccessControlClass(JwtHttpAccessControl.class);
        metaDataContext.addFlow(Flows.RETRIEVE_KEYS, JwtValidateKeyCollector.class);
        metaDataContext.addFlow(Flows.RETRIEVE_ROLES, JwtRoleCollector.class);
        metaDataContext.addFlow(Flows.NO_JWT, (Class) null);
        metaDataContext.addFlow(Flows.INVALID_JWT, (Class) null);
        metaDataContext.addFlow(Flows.EXPIRED_JWT, (Class) null);
        httpSecuritySourceContext.addSupportingManagedObject("JWT_CLAIMS", new JwtClaimsManagedObjectSource(this.claimsClass), ManagedObjectScope.THREAD).linkAccessControl(JwtClaimsManagedObjectSource.Dependencies.ACCESS_CONTROL);
    }

    public HttpSecurity<HttpAuthentication<Void>, JwtHttpAccessControl<C>, Void, None, Flows> sourceHttpSecurity(HttpSecurityContext httpSecurityContext) throws HttpException {
        return this;
    }

    public void start(HttpSecurityExecuteContext<Flows> httpSecurityExecuteContext) throws Exception {
        if (this.keysOverride != null) {
            return;
        }
        this.jwtValidateKeys = StatePoller.builder(JwtValidateKey[].class, (statePollContext, flowCallback) -> {
            httpSecurityExecuteContext.registerStartupProcess(Flows.RETRIEVE_KEYS, new JwtValidateKeyCollectorImpl(statePollContext), flowCallback).setConcurrent(true);
        }, (j, statePollContext2, flowCallback2) -> {
            httpSecurityExecuteContext.invokeProcess(Flows.RETRIEVE_KEYS, new JwtValidateKeyCollectorImpl(statePollContext2), j, flowCallback2);
        }).identifier("JWT decode keys").build();
    }

    /* renamed from: createAuthentication, reason: merged with bridge method [inline-methods] */
    public HttpAuthentication<Void> m2createAuthentication(AuthenticationContext<JwtHttpAccessControl<C>, Void> authenticationContext) {
        return new HttpAuthenticationImpl(authenticationContext, (Class) null);
    }

    public boolean ratify(Void r5, RatifyContext<JwtHttpAccessControl<C>> ratifyContext) {
        HttpAuthenticationScheme httpAuthenticationScheme = HttpAuthenticationScheme.getHttpAuthenticationScheme(ratifyContext.getConnection().getRequest());
        if (httpAuthenticationScheme != null && AUTHENTICATION_SCHEME_BEARER.equalsIgnoreCase(httpAuthenticationScheme.getAuthentiationScheme())) {
            return true;
        }
        ratifyContext.getRequestState().setAttribute(ratifyContext.getQualifiedAttributeName(CHALLENGE_ATTRIBUTE_NAME), ChallengeReason.NO_JWT);
        return false;
    }

    public void authenticate(Void r10, AuthenticateContext<JwtHttpAccessControl<C>, None, Flows> authenticateContext) throws HttpException {
        JwtValidateKey[] createJwtValidateKeys;
        if (this.keysOverride != null) {
            try {
                createJwtValidateKeys = this.keysOverride.validateKeysFactory.createJwtValidateKeys();
            } catch (Exception e) {
                authenticateContext.accessControlChange((Serializable) null, new HttpException(HttpStatus.SERVICE_UNAVAILABLE, e));
                return;
            }
        } else {
            try {
                createJwtValidateKeys = (JwtValidateKey[]) this.jwtValidateKeys.getState(this.startupTimeout, TimeUnit.MILLISECONDS);
            } catch (TimeoutException e2) {
                authenticateContext.accessControlChange((Serializable) null, new HttpException(HttpStatus.SERVICE_UNAVAILABLE, new TimeoutException("Server timed out loading JWT keys")));
                return;
            }
        }
        HttpAuthenticationScheme httpAuthenticationScheme = HttpAuthenticationScheme.getHttpAuthenticationScheme(authenticateContext.getConnection().getRequest());
        String parameters = httpAuthenticationScheme.getParameters();
        String[] split = parameters.split("\\.");
        if (split.length != 3) {
            challenge(ChallengeReason.INVALID_JWT, authenticateContext);
            return;
        }
        String str = split[0];
        String str2 = split[1];
        String str3 = split[2];
        byte[] bArr = (byte[]) this.base64UrlDecoder.decode(str2);
        try {
            JwtClaims jwtClaims = (JwtClaims) mapper.readValue(bArr, jwtClaimsJavaType);
            long longValue = ((Long) this.clock.getTime()).longValue();
            if (jwtClaims.nbf != null && jwtClaims.nbf.longValue() > longValue + this.clockSkew) {
                challenge(ChallengeReason.INVALID_JWT, authenticateContext);
                return;
            }
            if (jwtClaims.exp != null && jwtClaims.exp.longValue() < longValue - this.clockSkew) {
                challenge(ChallengeReason.EXPIRED_JWT, authenticateContext);
                return;
            }
            try {
                JwtHeader jwtHeader = (JwtHeader) mapper.readValue((byte[]) this.base64UrlDecoder.decode(str), jwtHeaderJavaType);
                if (jwtHeader.alg == null) {
                    challenge(ChallengeReason.INVALID_JWT, authenticateContext);
                    return;
                }
                SignatureAlgorithm valueOf = SignatureAlgorithm.valueOf(jwtHeader.alg);
                if (valueOf == null || valueOf == SignatureAlgorithm.NONE) {
                    challenge(ChallengeReason.INVALID_JWT, authenticateContext);
                    return;
                }
                String substring = parameters.substring(0, str.length() + ".".length() + str2.length());
                boolean z = false;
                JwtValidateKey[] jwtValidateKeyArr = createJwtValidateKeys;
                int length = jwtValidateKeyArr.length;
                int i = 0;
                while (true) {
                    if (i >= length) {
                        break;
                    }
                    JwtValidateKey jwtValidateKey = jwtValidateKeyArr[i];
                    if (jwtValidateKey.getStartTime() <= longValue + this.clockSkew && jwtValidateKey.getExpireTime() >= longValue - this.clockSkew) {
                        try {
                            if (new DefaultJwtSignatureValidator(valueOf, jwtValidateKey.getKey(), this.base64UrlDecoder).isValid(substring, str3)) {
                                z = true;
                                break;
                            }
                        } catch (Exception e3) {
                        }
                    }
                    i++;
                }
                if (!z) {
                    challenge(ChallengeReason.INVALID_JWT, authenticateContext);
                    return;
                }
                try {
                    JwtRoleCollectorImpl jwtRoleCollectorImpl = new JwtRoleCollectorImpl(mapper.readValue(bArr, this.claimsJavaType), httpAuthenticationScheme.getAuthentiationScheme(), jwtClaims.sub, authenticateContext);
                    authenticateContext.doFlow(Flows.RETRIEVE_ROLES, jwtRoleCollectorImpl, jwtRoleCollectorImpl);
                } catch (IOException e4) {
                    challenge(ChallengeReason.INVALID_JWT, authenticateContext);
                }
            } catch (IOException e5) {
                challenge(ChallengeReason.INVALID_JWT, authenticateContext);
            }
        } catch (IOException e6) {
            challenge(ChallengeReason.INVALID_JWT, authenticateContext);
        }
    }

    private void challenge(ChallengeReason challengeReason, AuthenticateContext<JwtHttpAccessControl<C>, None, Flows> authenticateContext) {
        authenticateContext.getRequestState().setAttribute(authenticateContext.getQualifiedAttributeName(CHALLENGE_ATTRIBUTE_NAME), challengeReason);
    }

    public void challenge(ChallengeContext<None, Flows> challengeContext) throws HttpException {
        challengeContext.getConnection().getResponse().setStatus(HttpStatus.UNAUTHORIZED);
        switch ((ChallengeReason) challengeContext.getRequestState().getAttribute(challengeContext.getQualifiedAttributeName(CHALLENGE_ATTRIBUTE_NAME))) {
            case NO_JWT:
                challengeContext.doFlow(Flows.NO_JWT, (Object) null, (FlowCallback) null);
                return;
            case INVALID_JWT:
                challengeContext.doFlow(Flows.INVALID_JWT, (Object) null, (FlowCallback) null);
                return;
            case EXPIRED_JWT:
                challengeContext.doFlow(Flows.EXPIRED_JWT, (Object) null, (FlowCallback) null);
                return;
            default:
                return;
        }
    }

    public void logout(LogoutContext<None, Flows> logoutContext) throws HttpException {
    }

    static {
        if (!mapper.canDeserialize(jwtClaimsJavaType)) {
            throw new IllegalStateException("Unable to deserialize " + JwtClaims.class.getSimpleName());
        }
        if (!mapper.canDeserialize(jwtHeaderJavaType)) {
            throw new IllegalStateException("Unable to deserialize " + JwtHeader.class.getSimpleName());
        }
        mapper.configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false);
    }
}
