package org.zowe.apiml.gateway.controllers;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.ObjectWriter;
import com.netflix.hystrix.contrib.javanica.annotation.HystrixCommand;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.JWKSet;
import io.swagger.v3.oas.annotations.Operation;
import java.io.IOException;
import java.io.StringWriter;
import java.security.PublicKey;
import java.util.ArrayList;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import lombok.Generated;
import org.apache.commons.configuration.tree.DefaultExpressionEngine;
import org.bouncycastle.openssl.PEMParser;
import org.bouncycastle.util.io.pem.PemObject;
import org.bouncycastle.util.io.pem.PemWriter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;
import org.springframework.web.bind.annotation.RestController;
import org.zowe.apiml.gateway.security.service.AuthenticationService;
import org.zowe.apiml.gateway.security.service.JwtSecurity;
import org.zowe.apiml.gateway.security.service.zosmf.ZosmfService;
import org.zowe.apiml.gateway.security.webfinger.WebFingerProvider;
import org.zowe.apiml.message.core.MessageService;
import org.zowe.apiml.security.common.token.AccessTokenProvider;
import org.zowe.apiml.security.common.token.OIDCProvider;
import org.zowe.apiml.security.common.token.TokenNotValidException;

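/**
 * Gateway authentication endpoints mounted under {@value #CONTROLLER_PATH}.
 *
 * <p>Endpoint groups, with the authorization this class itself applies:
 * <ul>
 *   <li>JWT invalidation ({@value #INVALIDATE_PATH}) and invalidation distribution
 *       ({@value #DISTRIBUTE_PATH}): the value to act on is carried in the URL path.
 *       No {@code @PreAuthorize} is declared on these handlers; whatever protects them
 *       lives in the surrounding security filter chain, which is not visible here.</li>
 *   <li>Access-token (PAT) revocation, validation and eviction: bulk revocation by user or
 *       service and eviction are gated by a SAF resource check in {@code @PreAuthorize};
 *       single-token revocation and validation carry no such annotation.</li>
 *   <li>Publication of JWT signing public keys ({@value #PUBLIC_KEYS_PATH},
 *       {@value #ALL_PUBLIC_KEYS_PATH}, {@value #CURRENT_PUBLIC_KEYS_PATH}); only public
 *       JWK parameters are serialized.</li>
 *   <li>OIDC token validation ({@value #OIDC_TOKEN_VALIDATE}) and WebFinger configuration
 *       ({@value #OIDC_WEBFINGER_PATH}).</li>
 * </ul>
 *
 * <p>Every handler runs inside a {@link HystrixCommand}.
 */
@RequestMapping({AuthController.CONTROLLER_PATH})
@RestController
public class AuthController {
    private final AuthenticationService authenticationService;
    private final JwtSecurity jwtSecurity;
    private final ZosmfService zosmfService;
    private final MessageService messageService;
    private final AccessTokenProvider tokenProvider;
    private final OIDCProvider oidcProvider;
    private final WebFingerProvider webFingerProvider;

    /** JSON key under which {@link #revokeAccessToken(Map)} expects the token. */
    private static final String TOKEN_KEY = "token";

    public static final String CONTROLLER_PATH = "/gateway/auth";
    public static final String INVALIDATE_PATH = "/invalidate/**";
    public static final String DISTRIBUTE_PATH = "/distribute/**";
    public static final String PUBLIC_KEYS_PATH = "/keys/public";
    public static final String ACCESS_TOKEN_REVOKE = "/access-token/revoke";
    public static final String ACCESS_TOKEN_REVOKE_MULTIPLE = "/access-token/revoke/tokens";
    public static final String ACCESS_TOKEN_VALIDATE = "/access-token/validate";
    public static final String ACCESS_TOKEN_EVICT = "/access-token/evict";
    public static final String ALL_PUBLIC_KEYS_PATH = "/keys/public/all";
    public static final String CURRENT_PUBLIC_KEYS_PATH = "/keys/public/current";
    public static final String OIDC_TOKEN_VALIDATE = "/oidc-token/validate";
    public static final String OIDC_WEBFINGER_PATH = "/oidc/webfinger";

    /** Path fragment after which {@link #invalidateJwtToken} reads the JWT from the request URI. */
    private static final String INVALIDATE_MARKER = "/auth/invalidate/";
    /** Path fragment after which {@link #distributeInvalidate} reads its argument from the request URI. */
    private static final String DISTRIBUTE_MARKER = "/auth/distribute/";

    private static final Logger log = LoggerFactory.getLogger(AuthController.class);
    private static final ObjectWriter writer = new ObjectMapper().writer();

    /**
     * Request body of the bulk PAT revocation endpoints: which user or service to revoke for,
     * and a timestamp that is handed through to the token provider (its exact meaning is
     * defined there; presumably a cut-off for the tokens affected).
     *
     * <p>The no-arg constructor and setters are kept for request-body deserialization.
     */
    private static class RulesRequestModel {
        private String serviceId;
        private String userId;
        private long timestamp;

        public RulesRequestModel() {
        }

        public String getServiceId() {
            return this.serviceId;
        }

        public String getUserId() {
            return this.userId;
        }

        public long getTimestamp() {
            return this.timestamp;
        }

        public void setServiceId(String str) {
            this.serviceId = str;
        }

        public void setUserId(String str) {
            this.userId = str;
        }

        public void setTimestamp(long j) {
            this.timestamp = j;
        }

        @Override
        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (!(obj instanceof RulesRequestModel)) {
                return false;
            }
            RulesRequestModel other = (RulesRequestModel) obj;
            return this.timestamp == other.timestamp
                && Objects.equals(this.serviceId, other.serviceId)
                && Objects.equals(this.userId, other.userId);
        }

        @Override
        public int hashCode() {
            return Objects.hash(this.serviceId, this.userId, this.timestamp);
        }

        @Override
        public String toString() {
            return "AuthController.RulesRequestModel(serviceId=" + this.serviceId
                + ", userId=" + this.userId + ", timestamp=" + this.timestamp + ")";
        }
    }

    /**
     * Request body of the token validation endpoints: the token itself and, for PATs, the
     * service the token is to be checked against.
     *
     * <p>The no-arg constructor and setters are kept for request-body deserialization.
     * Note that {@link #toString()} includes the token value, so never log this object.
     */
    private static class ValidateRequestModel {
        private String token;
        private String serviceId;

        public ValidateRequestModel() {
        }

        public String getToken() {
            return this.token;
        }

        public String getServiceId() {
            return this.serviceId;
        }

        public void setToken(String str) {
            this.token = str;
        }

        public void setServiceId(String str) {
            this.serviceId = str;
        }

        @Override
        public boolean equals(Object obj) {
            if (this == obj) {
                return true;
            }
            if (!(obj instanceof ValidateRequestModel)) {
                return false;
            }
            ValidateRequestModel other = (ValidateRequestModel) obj;
            return Objects.equals(this.token, other.token)
                && Objects.equals(this.serviceId, other.serviceId);
        }

        @Override
        public int hashCode() {
            return Objects.hash(this.token, this.serviceId);
        }

        @Override
        public String toString() {
            return "AuthController.ValidateRequestModel(token=" + this.token
                + ", serviceId=" + this.serviceId + ")";
        }
    }

    /**
     * Invalidates the JWT carried in the URL path after {@value #INVALIDATE_MARKER}.
     *
     * <p>Response status only, no body: 200 when the authentication service reports the
     * token as invalidated, 503 when it reports failure, 400 when the token is rejected as
     * not valid ({@link TokenNotValidException}).
     *
     * <p>Because the token travels in the URL, it appears wherever request URIs are logged
     * (access logs, proxies); keep that in mind when reviewing log retention.
     *
     * @param httpServletRequest  the request; only its URI is read
     * @param httpServletResponse the response whose status is set
     */
    @DeleteMapping(path = {INVALIDATE_PATH})
    @HystrixCommand
    public void invalidateJwtToken(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        String token = pathSuffixAfter(httpServletRequest.getRequestURI(), INVALIDATE_MARKER);
        try {
            // Second argument is passed as false; its meaning is defined by AuthenticationService — TODO confirm.
            boolean invalidated = this.authenticationService.invalidateJwtToken(token, false);
            httpServletResponse.setStatus(invalidated
                ? HttpServletResponse.SC_OK
                : HttpServletResponse.SC_SERVICE_UNAVAILABLE);
        } catch (TokenNotValidException e) {
            httpServletResponse.setStatus(HttpServletResponse.SC_BAD_REQUEST);
        }
    }

    /**
     * Revokes a single access token supplied as {@code {"token": "..."}} in the body.
     *
     * <p>No {@code @PreAuthorize} here: possession of the token is what authorizes its
     * revocation. A body without the {@value #TOKEN_KEY} key is answered with 400; a token the
     * provider already reports as invalidated is answered with 401; otherwise the token is
     * invalidated and 200 returned.
     *
     * @param map the parsed JSON body
     * @return status-only response
     * @throws IOException if the 400 error body cannot be serialized
     */
    @DeleteMapping(path = {ACCESS_TOKEN_REVOKE})
    @HystrixCommand
    @ResponseBody
    public ResponseEntity<String> revokeAccessToken(@RequestBody Map<String, String> map) throws IOException {
        String token = map.get(TOKEN_KEY);
        if (token == null) {
            // Nothing to revoke; do not hand a null token to the provider.
            return badRequestForPATInvalidation();
        }
        if (this.tokenProvider.isInvalidated(token)) {
            return new ResponseEntity<>(HttpStatus.UNAUTHORIZED);
        }
        this.tokenProvider.invalidateToken(token);
        return new ResponseEntity<>(HttpStatus.OK);
    }

    /**
     * Revokes all access tokens of the currently authenticated user.
     *
     * <p>The user is taken from the security context, not from the body, so a caller can only
     * revoke their own tokens here. The optional body supplies the timestamp handed to the
     * provider; when absent, 0 is used.
     *
     * @param rulesRequestModel optional body; only {@code timestamp} is read
     * @return 401 when no authentication is present, otherwise 204
     */
    @DeleteMapping(path = {ACCESS_TOKEN_REVOKE_MULTIPLE})
    @HystrixCommand
    @ResponseBody
    public ResponseEntity<String> revokeAllUserAccessTokens(@RequestBody(required = false) RulesRequestModel rulesRequestModel) {
        if (SecurityContextHolder.getContext().getAuthentication() == null) {
            return new ResponseEntity<>(HttpStatus.UNAUTHORIZED);
        }
        // Principal as set by the authentication filter; presumably the user id string — verify against the filter chain.
        String userId = SecurityContextHolder.getContext().getAuthentication().getPrincipal().toString();
        long timestamp = rulesRequestModel == null ? 0L : rulesRequestModel.getTimestamp();
        this.tokenProvider.invalidateAllTokensForUser(userId, timestamp);
        return new ResponseEntity<>(HttpStatus.NO_CONTENT);
    }

    /**
     * Revokes all access tokens of an arbitrary user named in the body.
     *
     * <p>Gated by SAF access to resource {@code SERVICES} at level {@code READ}.
     * NOTE(review): this is a destructive operation guarded by a read-level permission,
     * while eviction below requires {@code UPDATE}; confirm the level is intended.
     *
     * @param rulesRequestModel body; {@code userId} is required, {@code timestamp} is passed through
     * @return 400 when {@code userId} is missing, otherwise 204
     * @throws JsonProcessingException if the 400 error body cannot be serialized
     */
    @HystrixCommand
    @PreAuthorize("hasSafServiceResourceAccess('SERVICES', 'READ')")
    @DeleteMapping(path = {"/access-token/revoke/tokens/user"})
    @ResponseBody
    public ResponseEntity<String> revokeAccessTokensForUser(@RequestBody RulesRequestModel rulesRequestModel) throws JsonProcessingException {
        String userId = rulesRequestModel.getUserId();
        if (userId == null) {
            return badRequestForPATInvalidation();
        }
        this.tokenProvider.invalidateAllTokensForUser(userId, rulesRequestModel.getTimestamp());
        return new ResponseEntity<>(HttpStatus.NO_CONTENT);
    }

    /**
     * Revokes all access tokens scoped to the service named in the body.
     *
     * <p>Gated by SAF access to resource {@code SERVICES} at level {@code READ}; see the
     * review note on {@link #revokeAccessTokensForUser}.
     *
     * @param rulesRequestModel body; {@code serviceId} is required, {@code timestamp} is passed through
     * @return 400 when {@code serviceId} is missing, otherwise 204
     * @throws JsonProcessingException if the 400 error body cannot be serialized
     */
    @HystrixCommand
    @PreAuthorize("hasSafServiceResourceAccess('SERVICES', 'READ')")
    @DeleteMapping(path = {"/access-token/revoke/tokens/scope"})
    @ResponseBody
    public ResponseEntity<String> revokeAccessTokensForScope(@RequestBody RulesRequestModel rulesRequestModel) throws JsonProcessingException {
        String serviceId = rulesRequestModel.getServiceId();
        if (serviceId == null) {
            return badRequestForPATInvalidation();
        }
        this.tokenProvider.invalidateAllTokensForService(serviceId, rulesRequestModel.getTimestamp());
        return new ResponseEntity<>(HttpStatus.NO_CONTENT);
    }

    /**
     * Asks the token provider to drop invalidated tokens and rules it no longer needs.
     *
     * <p>Gated by SAF access to resource {@code SERVICES} at level {@code UPDATE}.
     *
     * @return 204
     */
    @HystrixCommand
    @Operation(summary = "Remove invalidated tokens and rules which are not relevant anymore", description = "Will evict all the invalidated tokens which are not relevant anymore")
    @PreAuthorize("hasSafServiceResourceAccess('SERVICES', 'UPDATE')")
    @DeleteMapping({ACCESS_TOKEN_EVICT})
    @ResponseBody
    public ResponseEntity<String> evictNonRelevantTokensAndRules() {
        this.tokenProvider.evictNonRelevantTokensAndRules();
        return new ResponseEntity<>(HttpStatus.NO_CONTENT);
    }

    /**
     * Validates an access token against a service id.
     *
     * <p>200 only when the provider accepts the token for the given scope AND does not list it
     * as invalidated; 401 otherwise. The invalidation lookup is skipped when the scope check
     * already fails. No authorization annotation: this is a check that any caller holding a
     * token may perform.
     *
     * @param validateRequestModel body with {@code token} and {@code serviceId}
     * @return status-only response
     */
    @PostMapping(path = {ACCESS_TOKEN_VALIDATE})
    @HystrixCommand
    @ResponseBody
    public ResponseEntity<String> validateAccessToken(@RequestBody ValidateRequestModel validateRequestModel) {
        String token = validateRequestModel.getToken();
        boolean accepted = this.tokenProvider.isValidForScopes(token, validateRequestModel.getServiceId())
            && !this.tokenProvider.isInvalidated(token);
        return new ResponseEntity<>(accepted ? HttpStatus.OK : HttpStatus.UNAUTHORIZED);
    }

    /**
     * Passes the URL path segment after {@value #DISTRIBUTE_MARKER} to
     * {@code AuthenticationService.distributeInvalidate} (presumably an instance identifier;
     * the service defines it).
     *
     * <p>Response status only, no body: 200 when the service reports success, 204 otherwise.
     *
     * @param httpServletRequest  the request; only its URI is read
     * @param httpServletResponse the response whose status is set
     */
    @HystrixCommand
    @GetMapping(path = {DISTRIBUTE_PATH})
    public void distributeInvalidate(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        String pathValue = pathSuffixAfter(httpServletRequest.getRequestURI(), DISTRIBUTE_MARKER);
        boolean distributed = this.authenticationService.distributeInvalidate(pathValue);
        httpServletResponse.setStatus(distributed
            ? HttpServletResponse.SC_OK
            : HttpServletResponse.SC_NO_CONTENT);
    }

    /**
     * Returns every public key that may verify a gateway-issued JWT: all z/OSMF keys plus the
     * gateway's own JWK when it has one.
     *
     * <p>Serialized with {@code publicKeysOnly = true}, so only public JWK parameters are
     * emitted even if a key object held private material.
     *
     * @return JWK Set as a JSON-compatible map
     */
    @HystrixCommand
    @GetMapping(path = {ALL_PUBLIC_KEYS_PATH})
    @ResponseBody
    public Map<String, Object> getAllPublicKeys() {
        List<JWK> keys = new ArrayList<>(this.zosmfService.getPublicKeys().getKeys());
        this.jwtSecurity.getJwkPublicKey().ifPresent(keys::add);
        return new JWKSet(keys).toJSONObject(true);
    }

    /**
     * Returns the z/OSMF public keys, falling back to the gateway's own JWK only when z/OSMF
     * reports none.
     *
     * <p>Serialized with {@code publicKeysOnly = true}; see {@link #getAllPublicKeys()}.
     *
     * @return JWK Set as a JSON-compatible map
     */
    @HystrixCommand
    @GetMapping(path = {CURRENT_PUBLIC_KEYS_PATH})
    @ResponseBody
    public Map<String, Object> getCurrentPublicKeys() {
        List<JWK> keys = new ArrayList<>(this.zosmfService.getPublicKeys().getKeys());
        if (keys.isEmpty()) {
            this.jwtSecurity.getJwkPublicKey().ifPresent(keys::add);
        }
        return new JWKSet(keys).toJSONObject(true);
    }

    /**
     * Returns, as a PEM-encoded public key, the single key currently used to sign JWTs.
     *
     * <p>The source depends on {@code JwtSecurity.actualJwtProducer()}: z/OSMF or the gateway
     * itself. Errors are reported as an API message with status 500: producer {@code UNKNOWN},
     * a key set that does not hold exactly one key, or a failure converting the key to PEM.
     *
     * @return 200 with the PEM text, or 500 with an API message
     */
    @HystrixCommand
    @GetMapping(path = {PUBLIC_KEYS_PATH})
    @ResponseBody
    public ResponseEntity<Object> getPublicKeyUsedForSigning() {
        JWKSet jwkSet;
        switch (this.jwtSecurity.actualJwtProducer()) {
            case ZOSMF:
                jwkSet = this.zosmfService.getPublicKeys();
                break;
            case APIML:
                jwkSet = this.jwtSecurity.getPublicKeyInSet();
                break;
            case UNKNOWN:
                return internalServerError("org.zowe.apiml.gateway.keys.unknownState");
            default:
                // Any producer not listed above ends up as "wrong amount" (0 keys) below.
                jwkSet = new JWKSet();
                break;
        }
        List<JWK> keys = jwkSet.getKeys();
        if (keys.size() != 1) {
            return internalServerError("org.zowe.apiml.gateway.keys.wrongAmount", keys.size());
        }
        try {
            return new ResponseEntity<>(getPublicKeyAsPem(keys.get(0).toRSAKey().toPublicKey()), HttpStatus.OK);
        } catch (JOSEException | IOException e) {
            return internalServerError("org.zowe.apiml.gateway.unknown");
        }
    }

    /**
     * Validates an OIDC token with the configured provider.
     *
     * @param validateRequestModel body; only {@code token} is read
     * @return 200 when the provider accepts the token, 401 otherwise
     */
    @PostMapping(path = {OIDC_TOKEN_VALIDATE})
    @HystrixCommand
    public ResponseEntity<String> validateOIDCToken(@RequestBody ValidateRequestModel validateRequestModel) {
        boolean valid = this.oidcProvider.isValid(validateRequestModel.getToken());
        return new ResponseEntity<>(valid ? HttpStatus.OK : HttpStatus.UNAUTHORIZED);
    }

    /**
     * Serves the WebFinger configuration for the requested resource.
     *
     * @param str value of the {@code resource} query parameter, handed to the provider
     * @return 404 when WebFinger is disabled, 200 with the configuration, or 500 with an API
     *         message when the configuration source cannot be read
     * @throws JsonProcessingException if the 500 error body cannot be serialized
     */
    @HystrixCommand
    @GetMapping(path = {OIDC_WEBFINGER_PATH})
    @ResponseBody
    public ResponseEntity<Object> getWebFinger(@RequestParam(name = "resource") String str) throws JsonProcessingException {
        if (!this.webFingerProvider.isEnabled()) {
            return ResponseEntity.notFound().build();
        }
        try {
            return ResponseEntity.ok(this.webFingerProvider.getWebFingerConfig(str));
        } catch (IOException e) {
            log.debug("Error while reading webfinger configuration from source.", e);
            Object body = this.messageService
                .createMessage("org.zowe.apiml.security.oidc.invalidWebfingerConfiguration")
                .mapToView();
            return ResponseEntity.internalServerError().body(writer.writeValueAsString(body));
        }
    }

    /**
     * Returns the part of {@code requestUri} after the first occurrence of {@code marker},
     * or an empty string when the marker is absent (which the path mappings on this class
     * should make impossible).
     */
    private static String pathSuffixAfter(String requestUri, String marker) {
        int idx = requestUri.indexOf(marker);
        return idx < 0 ? "" : requestUri.substring(idx + marker.length());
    }

    /**
     * Encodes the key's {@link PublicKey#getEncoded() encoded form} as a PEM
     * {@code PUBLIC KEY} block. Only public material is ever written here.
     *
     * @throws IOException if the PEM writer fails
     */
    private String getPublicKeyAsPem(PublicKey publicKey) throws IOException {
        StringWriter out = new StringWriter();
        // try-with-resources: close() flushes and releases the writer even if writeObject throws.
        try (PemWriter pemWriter = new PemWriter(out)) {
            pemWriter.writeObject(new PemObject(PEMParser.TYPE_PUBLIC_KEY, publicKey.getEncoded()));
        }
        return out.toString();
    }

    /** Builds a 500 response carrying the API message for {@code messageKey}. */
    private ResponseEntity<Object> internalServerError(String messageKey, Object... args) {
        return new ResponseEntity<>(
            this.messageService.createMessage(messageKey, args).mapToApiMessage(),
            HttpStatus.INTERNAL_SERVER_ERROR);
    }

    /** Builds the 400 response shared by the revocation endpoints when the body is unusable. */
    private ResponseEntity<String> badRequestForPATInvalidation() throws JsonProcessingException {
        Object body = this.messageService
            .createMessage("org.zowe.apiml.security.query.invalidRevokeRequestBody")
            .mapToView();
        return new ResponseEntity<>(writer.writeValueAsString(body), HttpStatus.BAD_REQUEST);
    }

    public AuthController(AuthenticationService authenticationService, JwtSecurity jwtSecurity, ZosmfService zosmfService, MessageService messageService, AccessTokenProvider accessTokenProvider, OIDCProvider oIDCProvider, WebFingerProvider webFingerProvider) {
        this.authenticationService = authenticationService;
        this.jwtSecurity = jwtSecurity;
        this.zosmfService = zosmfService;
        this.messageService = messageService;
        this.tokenProvider = accessTokenProvider;
        this.oidcProvider = oIDCProvider;
        this.webFingerProvider = webFingerProvider;
    }
}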
