package org.zowe.apiml.gateway.security.service;

import com.netflix.appinfo.InstanceInfo;
import com.netflix.discovery.EurekaClient;
import com.netflix.discovery.shared.Application;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;
import java.util.Arrays;
import java.util.Date;
import java.util.Iterator;
import java.util.Optional;
import java.util.UUID;
import javax.annotation.PostConstruct;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import lombok.Generated;
import lombok.NonNull;
import org.apache.commons.lang.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.cache.CacheManager;
import org.springframework.cache.annotation.CacheEvict;
import org.springframework.cache.annotation.CachePut;
import org.springframework.cache.annotation.Cacheable;
import org.springframework.context.ApplicationContext;
import org.springframework.context.annotation.EnableAspectJAutoProxy;
import org.springframework.context.annotation.Scope;
import org.springframework.context.annotation.ScopedProxyMode;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.stereotype.Service;
import org.springframework.web.client.HttpClientErrorException;
import org.springframework.web.client.RestTemplate;
import org.zowe.apiml.gateway.controllers.AuthController;
import org.zowe.apiml.gateway.security.service.zosmf.ZosmfService;
import org.zowe.apiml.product.constants.CoreService;
import org.zowe.apiml.security.common.config.AuthConfigurationProperties;
import org.zowe.apiml.security.common.token.QueryResponse;
import org.zowe.apiml.security.common.token.TokenAuthentication;
import org.zowe.apiml.security.common.token.TokenFormatNotValidException;
import org.zowe.apiml.security.common.token.TokenNotValidException;
import org.zowe.apiml.util.CacheUtils;
import org.zowe.apiml.util.EurekaUtils;

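/**
 * Issues, parses, validates and invalidates the gateway's JWT tokens and mirrors
 * token invalidation to the other gateway instances registered in discovery.
 *
 * <p>Caching is annotation driven and therefore only applies when a method is
 * invoked through the Spring proxy. Internal calls to cached methods go through
 * {@link #meAsProxy} for that reason; a plain {@code this} call would bypass the
 * cache. Two caches are involved:
 * <ul>
 *   <li>{@value #CACHE_VALIDATION_JWT_TOKEN}: token string to {@link TokenAuthentication}</li>
 *   <li>{@value #CACHE_INVALIDATED_JWT_TOKENS}: token string to {@code Boolean.TRUE}
 *       for every token that has been invalidated</li>
 * </ul>
 * The SpEL cache keys reference the parameter name {@code jwtToken}; the parameter
 * names of the annotated methods must stay in sync with them, otherwise the key
 * evaluates to {@code null} and caching silently stops working.
 */
@Scope(proxyMode = ScopedProxyMode.TARGET_CLASS)
@EnableAspectJAutoProxy(proxyTargetClass = true)
@Service
public class AuthenticationService {

    @Generated
    private static final Logger log = LoggerFactory.getLogger(AuthenticationService.class);

    private static final String LTPA_CLAIM_NAME = "ltpa";
    private static final String DOMAIN_CLAIM_NAME = "dom";
    private static final String CACHE_VALIDATION_JWT_TOKEN = "validationJwtToken";
    private static final String CACHE_INVALIDATED_JWT_TOKENS = "invalidatedJwtTokens";
    /** Scheme prefix accepted in the {@code Authorization} header. */
    private static final String BEARER_PREFIX = "Bearer";
    /** Path suffix of the invalidate endpoint; {@code {token}} is expanded by RestTemplate. */
    private static final String INVALIDATE_PATH_TEMPLATE = "/invalidate/{token}";

    private final ApplicationContext applicationContext;
    private final AuthConfigurationProperties authConfigurationProperties;
    private final JwtSecurity jwtSecurityInitializer;
    private final ZosmfService zosmfService;
    private final EurekaClient discoveryClient;
    private final RestTemplate restTemplate;
    private final CacheManager cacheManager;
    private final CacheUtils cacheUtils;
    // Proxied view of this bean, resolved in afterPropertiesSet(); used for self-calls
    // so that the cache annotations take effect.
    private AuthenticationService meAsProxy;

    @Generated
    public AuthenticationService(ApplicationContext applicationContext, AuthConfigurationProperties authConfigurationProperties, JwtSecurity jwtSecurity, ZosmfService zosmfService, EurekaClient eurekaClient, RestTemplate restTemplate, CacheManager cacheManager, CacheUtils cacheUtils) {
        this.applicationContext = applicationContext;
        this.authConfigurationProperties = authConfigurationProperties;
        this.jwtSecurityInitializer = jwtSecurity;
        this.zosmfService = zosmfService;
        this.discoveryClient = eurekaClient;
        this.restTemplate = restTemplate;
        this.cacheManager = cacheManager;
        this.cacheUtils = cacheUtils;
    }

    /**
     * Resolves the proxied instance of this bean so that internal calls to cached
     * methods are routed through the caching proxy.
     */
    @PostConstruct
    public void afterPropertiesSet() {
        this.meAsProxy = this.applicationContext.getBean(AuthenticationService.class);
    }

    /**
     * Builds and signs a new gateway JWT.
     *
     * @param username  token subject; also decides the TTL (see {@link #calculateExpiration})
     * @param domain    value stored in the {@value #DOMAIN_CLAIM_NAME} claim
     * @param ltpaToken value stored in the {@value #LTPA_CLAIM_NAME} claim
     * @return the compact, signed JWT
     */
    public String createJwtToken(String username, String domain, String ltpaToken) {
        final long now = System.currentTimeMillis();
        return Jwts.builder()
            .setSubject(username)
            .claim(DOMAIN_CLAIM_NAME, domain)
            .claim(LTPA_CLAIM_NAME, ltpaToken)
            .setIssuedAt(new Date(now))
            .setExpiration(new Date(calculateExpiration(now, username)))
            .setIssuer(authConfigurationProperties.getTokenProperties().getIssuer())
            .setId(UUID.randomUUID().toString())
            .signWith(jwtSecurityInitializer.getJwtSecret(), jwtSecurityInitializer.getSignatureAlgorithm())
            .compact();
    }

    /**
     * Marks a token as invalidated and, when requested, forwards the invalidation to
     * the other gateway instances and to z/OSMF.
     *
     * <p>{@code @Cacheable} stores the returned {@code Boolean.TRUE} in the
     * invalidated-token cache (read by {@link #isInvalidated(String)}) and
     * {@code @CacheEvict} drops any cached validation result for the same token.
     *
     * @param jwtToken   the token to invalidate
     * @param distribute whether to also call the invalidate endpoint of the other
     *                   gateway instances before revoking at z/OSMF
     * @return {@code TRUE} when the token was invalidated; {@code FALSE} when distribution
     *         was requested but the gateway application is not present in discovery
     * @throws TokenFormatNotValidException when the token issuer is not a known source
     * @throws BadCredentialsException when z/OSMF rejects the token and the invalidation
     *         was not distributed (when it was, another instance may already have revoked it)
     */
    @CacheEvict(value = {CACHE_VALIDATION_JWT_TOKEN}, key = "#jwtToken")
    @Cacheable(value = {CACHE_INVALIDATED_JWT_TOKENS}, key = "#jwtToken", condition = "#jwtToken != null")
    public Boolean invalidateJwtToken(String jwtToken, boolean distribute) {
        // Parse before doing anything else with the token so that a string that is not a
        // JWT at all is rejected here instead of being forwarded to other instances.
        final QueryResponse.Source source = parseJwtToken(jwtToken).getSource();

        boolean distributed = false;
        if (distribute) {
            distributed = invalidateTokenOnAnotherInstance(jwtToken);
            if (!distributed) {
                return Boolean.FALSE;
            }
        }

        switch (source) {
            case ZOWE: {
                // A gateway-issued token carries the LTPA token it was built from; revoke that one.
                final String ltpaToken = getLtpaToken(jwtToken);
                if (ltpaToken != null) {
                    zosmfService.invalidate(ZosmfService.TokenType.LTPA, ltpaToken);
                }
                break;
            }
            case ZOSMF:
                try {
                    zosmfService.invalidate(ZosmfService.TokenType.JWT, jwtToken);
                } catch (BadCredentialsException e) {
                    // Only fail when this instance was the sole one attempting the revocation.
                    if (!distributed) {
                        throw e;
                    }
                }
                break;
            default:
                throw new TokenFormatNotValidException("Unknown token type.");
        }
        return Boolean.TRUE;
    }

    /**
     * Calls the invalidate endpoint of every other gateway instance registered under the
     * gateway service id. Failures of individual instances are logged and skipped.
     *
     * <p>The token is passed as a URI variable (as {@link #distributeInvalidate} does)
     * instead of being concatenated into the path, so RestTemplate encodes it and it
     * cannot alter the request path; the template logged on failure therefore never
     * contains the token. Note that the token still travels in the URL path of the
     * DELETE request and may show up in the receiving instance's access logs.
     *
     * @param jwtToken token to invalidate on the other instances
     * @return {@code false} when the gateway application is not present in discovery,
     *         {@code true} otherwise
     */
    private boolean invalidateTokenOnAnotherInstance(String jwtToken) {
        final Application gateway = discoveryClient.getApplication(CoreService.GATEWAY.getServiceId());
        if (gateway == null) {
            return false;
        }
        final String ownInstanceId = discoveryClient.getApplicationInfoManager().getInfo().getInstanceId();
        for (InstanceInfo instance : gateway.getInstances()) {
            if (StringUtils.equals(ownInstanceId, instance.getInstanceId())) {
                continue; // never call ourselves
            }
            final String urlTemplate = EurekaUtils.getUrl(instance) + AuthController.CONTROLLER_PATH + INVALIDATE_PATH_TEMPLATE;
            try {
                restTemplate.delete(urlTemplate, jwtToken);
            } catch (HttpClientErrorException e) {
                log.debug("Problem invalidating token on another instance url {}", urlTemplate, e);
            }
        }
        return true;
    }

    /**
     * Tells whether a token has been invalidated on this instance.
     *
     * <p>{@code unless = "true"} means the {@code FALSE} computed here is never stored;
     * the only entries in the invalidated-token cache are the {@code TRUE} values written
     * by {@link #invalidateJwtToken}, so a cache hit means "invalidated" and a miss falls
     * through to this body. Must be called through the proxy to have any effect.
     *
     * @param jwtToken token to look up
     * @return {@code TRUE} when cached as invalidated, {@code FALSE} otherwise
     */
    @Cacheable(value = {CACHE_INVALIDATED_JWT_TOKENS}, unless = "true", key = "#jwtToken", condition = "#jwtToken != null")
    public Boolean isInvalidated(String jwtToken) {
        return Boolean.FALSE;
    }

    /**
     * Verifies the signature of a gateway-issued JWT against the gateway's public key
     * and returns its claims.
     *
     * @param jwtToken compact JWT
     * @return the verified claims
     * @throws RuntimeException the exception chosen by {@link JwtUtils#handleJwtParserException}
     *         for the parser failure (expired, malformed, bad signature, ...)
     */
    private Claims validateAndParseLocalJwtToken(String jwtToken) {
        try {
            return Jwts.parserBuilder()
                .setSigningKey(jwtSecurityInitializer.getJwtPublicKey())
                .build()
                .parseClaimsJws(jwtToken)
                .getBody();
        } catch (RuntimeException e) {
            throw JwtUtils.handleJwtParserException(e);
        }
    }

    /**
     * Validates a token according to its issuer and returns the resulting authentication.
     * The result is cached per token until {@link #invalidateJwtToken} evicts it.
     *
     * @param jwtToken compact JWT (gateway- or z/OSMF-issued)
     * @return authentication for the token's user id; authenticated only when the token
     *         validated and has not been invalidated on this instance
     * @throws TokenNotValidException when the issuer is not a known source (or, for
     *         gateway tokens, when the signature check fails)
     */
    @Cacheable(value = {CACHE_VALIDATION_JWT_TOKEN}, key = "#jwtToken", condition = "#jwtToken != null")
    public TokenAuthentication validateJwtToken(String jwtToken) {
        final QueryResponse parsed = parseJwtToken(jwtToken);
        final boolean valid;
        switch (parsed.getSource()) {
            case ZOWE:
                validateAndParseLocalJwtToken(jwtToken); // throws when the signature/format is invalid
                valid = true;
                break;
            case ZOSMF:
                valid = zosmfService.validate(jwtToken);
                break;
            default:
                throw new TokenNotValidException("Unknown token type.");
        }
        final TokenAuthentication authentication = new TokenAuthentication(parsed.getUserId(), jwtToken);
        // Through the proxy so that the invalidated-token cache is actually consulted.
        final boolean invalidated = meAsProxy.isInvalidated(jwtToken);
        authentication.setAuthenticated(!invalidated && valid);
        return authentication;
    }

    /**
     * Creates the authentication for a freshly issued token and stores it in the
     * validation cache ({@code @CachePut}), so the first validation does not have to
     * re-verify it.
     *
     * @param userId   principal the token was issued for
     * @param jwtToken the issued token
     * @return authentication, authenticated unless the token is already cached as invalidated
     */
    @CachePut(value = {CACHE_VALIDATION_JWT_TOKEN}, key = "#jwtToken", condition = "#jwtToken != null")
    public TokenAuthentication createTokenAuthentication(String userId, String jwtToken) {
        final TokenAuthentication authentication = new TokenAuthentication(userId, jwtToken);
        authentication.setAuthenticated(!meAsProxy.isInvalidated(jwtToken));
        return authentication;
    }

    /**
     * Sends every token currently in this instance's invalidated-token cache to one
     * other gateway instance's invalidate endpoint.
     *
     * @param toInstanceId discovery instance id of the gateway instance to update
     * @return {@code false} when the gateway application or that instance is unknown to
     *         discovery, {@code true} once every cached token has been sent
     */
    public boolean distributeInvalidate(String toInstanceId) {
        final Application gateway = discoveryClient.getApplication(CoreService.GATEWAY.getServiceId());
        if (gateway == null) {
            return false;
        }
        final InstanceInfo target = gateway.getByInstanceId(toInstanceId);
        if (target == null) {
            return false;
        }
        // Named placeholder so the positional variable expansion is unambiguous.
        final String urlTemplate = EurekaUtils.getUrl(target) + AuthController.CONTROLLER_PATH + INVALIDATE_PATH_TEMPLATE;
        for (Object invalidatedToken : cacheUtils.getAllRecords(cacheManager, CACHE_INVALIDATED_JWT_TOKENS)) {
            restTemplate.delete(urlTemplate, (String) invalidatedToken);
        }
        return true;
    }

    /**
     * Validates the credentials carried by an authentication object.
     *
     * <p>The token is parsed once up front (presumably to reject a malformed credential
     * before it becomes a cache key) and then validated through the proxy so the
     * cached result of {@link #validateJwtToken(String)} is used.
     *
     * @param tokenAuthentication authentication whose credentials are the raw token
     * @return the validated authentication
     * @throws TokenNotValidException when {@code tokenAuthentication} is {@code null}
     *         or the token does not validate
     */
    public TokenAuthentication validateJwtToken(TokenAuthentication tokenAuthentication) {
        if (tokenAuthentication == null) {
            throw new TokenNotValidException("Null token.");
        }
        final String jwtToken = tokenAuthentication.getCredentials();
        parseJwtToken(jwtToken);
        return meAsProxy.validateJwtToken(jwtToken);
    }

    /**
     * Reads the gateway-relevant claims of a token without checking its signature.
     *
     * <p>NOTE(review): {@code JwtUtils.getJwtClaims} is presumably an unverified parse
     * (compare {@link #getLtpaTokenWithValidation} with {@link #getLtpaToken}); treat the
     * returned values as untrusted until the token has been validated. Confirm against
     * JwtUtils.
     *
     * @param jwtToken compact JWT
     * @return domain, user id, issued-at, expiration and the source derived from the issuer
     */
    public QueryResponse parseJwtToken(String jwtToken) {
        final Claims claims = JwtUtils.getJwtClaims(jwtToken);
        return new QueryResponse(
            claims.get(DOMAIN_CLAIM_NAME, String.class),
            claims.getSubject(),
            claims.getIssuedAt(),
            claims.getExpiration(),
            QueryResponse.Source.valueByIssuer(claims.getIssuer()));
    }

    /**
     * Returns the LTPA token embedded in a gateway-issued JWT after verifying the
     * JWT's signature.
     *
     * @param jwtToken compact, gateway-issued JWT
     * @return the {@value #LTPA_CLAIM_NAME} claim, or {@code null} when absent
     */
    public String getLtpaTokenWithValidation(String jwtToken) {
        return validateAndParseLocalJwtToken(jwtToken).get(LTPA_CLAIM_NAME, String.class);
    }

    /**
     * Returns the LTPA token embedded in a JWT without verifying the signature
     * (see the note on {@link #parseJwtToken}).
     *
     * @param jwtToken compact JWT
     * @return the {@value #LTPA_CLAIM_NAME} claim, or {@code null} when absent
     */
    public String getLtpaToken(String jwtToken) {
        return JwtUtils.getJwtClaims(jwtToken).get(LTPA_CLAIM_NAME, String.class);
    }

    /**
     * Extracts the JWT from a request: the configured cookie wins, the
     * {@code Authorization: Bearer} header is the fallback.
     *
     * @param request incoming request, must not be {@code null}
     * @return the raw token, or empty when neither source carries one
     * @throws NullPointerException when {@code request} is {@code null}
     */
    public Optional<String> getJwtTokenFromRequest(@NonNull HttpServletRequest request) {
        if (request == null) {
            throw new NullPointerException("request is marked non-null but is null");
        }
        final Optional<String> fromCookie = getJwtTokenFromCookie(request);
        if (fromCookie.isPresent()) {
            return fromCookie;
        }
        return extractJwtTokenFromAuthorizationHeader(request.getHeader("Authorization"));
    }

    /**
     * Returns the value of the first non-empty cookie whose name matches the configured
     * token cookie name.
     *
     * @param request incoming request
     * @return cookie value, or empty when there are no cookies or no matching one
     */
    private Optional<String> getJwtTokenFromCookie(HttpServletRequest request) {
        final Cookie[] cookies = request.getCookies();
        if (cookies == null) {
            return Optional.empty();
        }
        final String cookieName = authConfigurationProperties.getCookieProperties().getCookieName();
        return Arrays.stream(cookies)
            .filter(cookie -> cookie.getName().equals(cookieName))
            .filter(cookie -> !cookie.getValue().isEmpty())
            .findFirst()
            .map(Cookie::getValue);
    }

    /**
     * Extracts the token from an {@code Authorization} header value.
     *
     * <p>The {@value #BEARER_PREFIX} prefix is matched case-sensitively and a separating
     * space is not required, which is more lenient than RFC 6750's {@code Bearer <token>}.
     *
     * @param header header value, may be {@code null}
     * @return the trimmed token, or empty when the header is missing, has another scheme
     *         or carries no token
     */
    private Optional<String> extractJwtTokenFromAuthorizationHeader(String header) {
        if (header == null || !header.startsWith(BEARER_PREFIX)) {
            return Optional.empty();
        }
        final String token = header.substring(BEARER_PREFIX.length()).trim();
        return token.isEmpty() ? Optional.empty() : Optional.of(token);
    }

    /**
     * Computes the expiration instant of a token issued at {@code issuedAtMillis}.
     * The configured short TTL applies when {@code username} equals the configured
     * short-TTL username; otherwise the regular TTL is used.
     *
     * @param issuedAtMillis issue time in epoch milliseconds
     * @param username       token subject
     * @return expiration time in epoch milliseconds
     */
    private long calculateExpiration(long issuedAtMillis, String username) {
        final String shortTtlUsername = authConfigurationProperties.getTokenProperties().getShortTtlUsername();
        final long ttlSeconds = shortTtlUsername != null && shortTtlUsername.equals(username)
            ? authConfigurationProperties.getTokenProperties().getShortTtlExpirationInSeconds()
            : authConfigurationProperties.getTokenProperties().getExpirationInSeconds();
        // 1000L keeps the multiplication in long arithmetic even if the property is an int.
        return issuedAtMillis + ttlSeconds * 1000L;
    }
}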
