package org.zowe.apiml.gateway.security.service.token;

import com.fasterxml.jackson.databind.ObjectMapper;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Clock;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.io.Decoders;
import java.io.IOException;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.RSAPublicKeySpec;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;
import java.util.stream.Collectors;
import javax.annotation.PostConstruct;
import lombok.Generated;
import lombok.NonNull;
import org.apache.commons.lang3.StringUtils;
import org.apache.http.HttpEntity;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.util.EntityUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.retry.annotation.Retryable;
import org.springframework.stereotype.Service;
import org.zowe.apiml.message.core.MessageType;
import org.zowe.apiml.message.log.ApimlLogger;
import org.zowe.apiml.product.logging.annotations.InjectApimlLogger;
import org.zowe.apiml.security.common.token.OIDCProvider;
import org.zowe.apiml.security.common.token.TokenNotValidException;

@ConditionalOnProperty(value = {"apiml.security.oidc.enabled"}, havingValue = "true")
@Service
/* loaded from: input_file:org/zowe/apiml/gateway/security/service/token/OIDCTokenProvider.class */
public class OIDCTokenProvider implements OIDCProvider {

    @Generated
    private static final Logger log = LoggerFactory.getLogger(OIDCTokenProvider.class);

    @Value("${apiml.security.oidc.registry:}")
    String registry;

    @Value("${apiml.security.oidc.clientId:}")
    String clientId;

    @Value("${apiml.security.oidc.clientSecret:}")
    String clientSecret;

    @Value("${apiml.security.oidc.jwks.uri}")
    private String jwksUri;

    @Value("${apiml.security.oidc.jwks.refreshInternalHours:1}")
    private int jwkRefreshInterval;

    @NonNull
    @Autowired
    @Qualifier("secureHttpClientWithoutKeystore")
    private final CloseableHttpClient httpClient;

    @Autowired
    private final Clock clock;

    @Autowired
    @Qualifier("oidcMapper")
    private final ObjectMapper mapper;

    @InjectApimlLogger
    protected final ApimlLogger logger = ApimlLogger.empty();
    private Map<String, Key> jwks = new ConcurrentHashMap();

    @PostConstruct
    public void afterPropertiesSet() {
        fetchJwksUrls();
        Executors.newSingleThreadScheduledExecutor(runnable -> {
            return new Thread("OIDC JWK Refresh");
        }).scheduleAtFixedRate(this::fetchJwksUrls, this.jwkRefreshInterval, this.jwkRefreshInterval, TimeUnit.HOURS);
    }

    @Retryable
    void fetchJwksUrls() {
        if (StringUtils.isBlank(this.jwksUri)) {
            log.debug("OIDC JWK URI not provided, JWK refresh not performed");
            return;
        }
        log.debug("Refreshing JWK endpoints {}", this.jwksUri);
        try {
            CloseableHttpResponse execute = this.httpClient.execute(new HttpGet(this.jwksUri + "?client_id=" + this.clientId));
            int statusCode = execute.getStatusLine() != null ? execute.getStatusLine().getStatusCode() : 0;
            HttpEntity entity = execute.getEntity();
            String entityUtils = entity != null ? EntityUtils.toString(entity, StandardCharsets.UTF_8) : "";
            if (statusCode != 200 || entityUtils.isEmpty()) {
                log.error("Failed to obtain JWKs from URI {}. Unexpected response: {}, response text: {}", new Object[]{this.jwksUri, Integer.valueOf(statusCode), entityUtils});
            } else {
                this.jwks.clear();
                this.jwks.putAll(processKeys((JwkKeys) this.mapper.readValue(entityUtils, JwkKeys.class)));
            }
        } catch (IOException | IllegalStateException e) {
            log.error("Error processing response from URI {}", this.jwksUri, e.getMessage());
        }
    }

    private Map<String, Key> processKeys(JwkKeys jwkKeys) {
        return (Map) jwkKeys.getKeys().stream().filter(key -> {
            return "sig".equals(key.getUse());
        }).filter(key2 -> {
            return "RSA".equals(key2.getKty());
        }).collect(Collectors.toMap((v0) -> {
            return v0.getKid();
        }, key3 -> {
            try {
                return KeyFactory.getInstance("RSA").generatePublic(new RSAPublicKeySpec(base64ToBigInteger(key3.getN()), base64ToBigInteger(key3.getE())));
            } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
                throw new IllegalStateException("Failed to parse public key");
            }
        }));
    }

    private BigInteger base64ToBigInteger(String str) {
        return new BigInteger(1, (byte[]) Decoders.BASE64URL.decode(str));
    }

    public boolean isValid(String str) {
        if (StringUtils.isBlank(str)) {
            log.debug("No token has been provided.");
            return false;
        }
        String keyId = getKeyId(str);
        this.logger.log(MessageType.DEBUG, "Token signed by key {}", new Object[]{keyId});
        return ((Boolean) Optional.ofNullable(this.jwks.get(keyId)).map(key -> {
            return validate(str, key);
        }).map(claims -> {
            return Boolean.valueOf((claims == null || claims.isEmpty()) ? false : true);
        }).orElse(false)).booleanValue();
    }

    private String getKeyId(String str) {
        try {
            return String.valueOf(Jwts.parserBuilder().setClock(this.clock).build().parseClaimsJwt(str.substring(0, str.lastIndexOf(46) + 1)).getHeader().get("kid"));
        } catch (JwtException e) {
            log.error("OIDC Token is not valid: {}", e.getMessage());
            return "";
        }
    }

    private Claims validate(String str, Key key) {
        try {
            return (Claims) Jwts.parserBuilder().setSigningKey(key).setClock(this.clock).build().parseClaimsJws(str).getBody();
        } catch (TokenNotValidException | JwtException e) {
            log.debug("OIDC Token is not valid: {}", e.getMessage());
            return null;
        }
    }

    @Generated
    public OIDCTokenProvider(@NonNull @Qualifier("secureHttpClientWithoutKeystore") CloseableHttpClient closeableHttpClient, Clock clock, @Qualifier("oidcMapper") ObjectMapper objectMapper) {
        if (closeableHttpClient == null) {
            throw new NullPointerException("httpClient is marked non-null but is null");
        }
        this.httpClient = closeableHttpClient;
        this.clock = clock;
        this.mapper = objectMapper;
    }
}
