package org.zowe.apiml.gateway.security.service.schema;

import com.netflix.appinfo.InstanceInfo;
import com.netflix.zuul.context.RequestContext;
import java.util.Arrays;
import java.util.Date;
import java.util.Optional;
import javax.validation.constraints.NotNull;
import lombok.Generated;
import org.apache.commons.lang3.time.DateUtils;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Component;
import org.zowe.apiml.auth.Authentication;
import org.zowe.apiml.auth.AuthenticationScheme;
import org.zowe.apiml.gateway.security.service.JwtUtils;
import org.zowe.apiml.gateway.security.service.saf.SafIdtAuthException;
import org.zowe.apiml.gateway.security.service.saf.SafIdtException;
import org.zowe.apiml.gateway.security.service.saf.SafIdtProvider;
import org.zowe.apiml.gateway.security.service.schema.source.AuthSchemeException;
import org.zowe.apiml.gateway.security.service.schema.source.AuthSource;
import org.zowe.apiml.gateway.security.service.schema.source.AuthSourceService;
import org.zowe.apiml.passticket.IRRPassTicketGenerationException;
import org.zowe.apiml.passticket.PassTicketService;
import org.zowe.apiml.security.common.config.AuthConfigurationProperties;
import org.zowe.apiml.security.common.token.TokenExpireException;
import org.zowe.apiml.security.common.token.TokenNotValidException;

/**
 * Authentication scheme {@link AuthenticationScheme#SAF_IDT}.
 *
 * <p>The parsed authentication source (its user id) is exchanged for a SAF Identity Token
 * (IDT): a PassTicket is generated for the user and the service's APPLID, handed to
 * {@link SafIdtProvider}, and wiped from memory afterwards. The resulting
 * {@link SafIdtCommand} forwards the IDT in the {@code X-SAF-Token} request header and
 * removes the gateway's own authentication cookie from the forwarded request.
 */
@Component
public class SafIdtScheme implements IAuthenticationScheme {

    private final AuthConfigurationProperties authConfigurationProperties;
    private final AuthSourceService authSourceService;
    private final PassTicketService passTicketService;
    private final SafIdtProvider safIdtProvider;

    /**
     * Fallback lifetime in minutes for the cached command, used only when the generated IDT
     * carries no {@code exp} claim. Bound to {@code apiml.security.saf.defaultIdtExpiration}
     * (defaults to 10).
     */
    @Value("${apiml.security.saf.defaultIdtExpiration:10}")
    int defaultIdtExpiration;

    /**
     * Command holding one SAF IDT. Declared as a non-static inner class because
     * {@link #apply(InstanceInfo)} needs the enclosing scheme's cookie configuration.
     */
    public class SafIdtCommand extends AuthenticationCommand {

        private static final long serialVersionUID = 8213192949049438897L;
        protected static final String SAF_TOKEN_HEADER = "X-SAF-Token";

        private final String safIdentityToken;
        // Epoch milliseconds after which the command is stale; null means it never expires.
        private final Long expireAt;

        @Generated
        public SafIdtCommand(String str, Long l) {
            this.safIdentityToken = str;
            this.expireAt = l;
        }

        /**
         * Adds the IDT as the {@value #SAF_TOKEN_HEADER} header and strips the gateway cookie
         * so it does not travel alongside the IDT. Does nothing when no token is held.
         *
         * @param instanceInfo target instance (not used by this command)
         */
        @Override
        public void apply(InstanceInfo instanceInfo) {
            if (safIdentityToken == null) {
                return;
            }
            RequestContext ctx = RequestContext.getCurrentContext();
            ctx.addZuulRequestHeader(SAF_TOKEN_HEADER, safIdentityToken);
            String cookieName = SafIdtScheme.this.authConfigurationProperties.getCookieProperties().getCookieName();
            JwtCommand.removeCookie(ctx, cookieName);
        }

        /**
         * @return {@code true} once the wall clock has passed {@code expireAt}; a command without
         *     an expiration never reports itself as expired ({@link #createCommand} always sets one)
         */
        @Override
        public boolean isExpired() {
            if (expireAt == null) {
                return false;
            }
            return expireAt.longValue() < System.currentTimeMillis();
        }

        /** This scheme always requires the upstream authentication source to still be valid. */
        @Override
        public boolean isRequiredValidSource() {
            return true;
        }

        @Generated
        public String getSafIdentityToken() {
            return this.safIdentityToken;
        }

        @Generated
        public Long getExpireAt() {
            return this.expireAt;
        }
    }

    @Override
    public AuthenticationScheme getScheme() {
        return AuthenticationScheme.SAF_IDT;
    }

    /**
     * Builds a {@link SafIdtCommand} for the given service authentication and auth source.
     *
     * @param authentication service authentication; must carry an APPLID
     * @param authSource caller's authentication source; must have a raw source
     * @return command carrying the freshly generated IDT and its expiration
     * @throws AuthSchemeException with key {@code ...schema.missingAuthentication} when the source
     *     is absent, {@code ...scheme.missingApplid} when no APPLID is configured,
     *     {@code ...invalidToken} / {@code ...expiredToken} when the source or the generated IDT
     *     cannot be validated, or an IDT/PassTicket failure key from the generation step
     * @throws IllegalStateException when the auth source parses to {@code null}
     */
    @Override
    public AuthenticationCommand createCommand(Authentication authentication, AuthSource authSource) {
        if (authSource == null || authSource.getRawSource() == null) {
            throw new AuthSchemeException("org.zowe.apiml.gateway.security.schema.missingAuthentication");
        }
        try {
            AuthSource.Parsed parsed = authSourceService.parse(authSource);
            if (parsed == null) {
                throw new IllegalStateException("Error occurred while parsing authenticationSource");
            }
            String applId = getApplId(authentication);
            String safIdt = generateSafIdentityToken(parsed, applId);
            long expireAt = getSafIdtExpiration(safIdt);
            return new SafIdtCommand(safIdt, expireAt);
        } catch (TokenNotValidException e) {
            // NOTE(review): the original exception is not attached as a cause. The AuthSchemeException
            // constructors used in this file take only message keys; confirm whether a
            // cause-accepting overload exists before changing this.
            throw new AuthSchemeException("org.zowe.apiml.gateway.security.invalidToken");
        } catch (TokenExpireException e) {
            throw new AuthSchemeException("org.zowe.apiml.gateway.security.expiredToken");
        }
    }

    @Override
    public Optional<AuthSource> getAuthSource() {
        return authSourceService.getAuthSourceFromRequest();
    }

    /**
     * @return the APPLID configured on the service authentication
     * @throws AuthSchemeException when the authentication or its APPLID is missing
     */
    private String getApplId(Authentication authentication) {
        return Optional.ofNullable(authentication)
            .map(Authentication::getApplid)
            .orElseThrow(() -> new AuthSchemeException("org.zowe.apiml.gateway.security.scheme.missingApplid"));
    }

    /**
     * Generates a PassTicket for the user and exchanges it for a SAF IDT.
     *
     * <p>The PassTicket copy held in the {@code char[]} is zeroed on every exit path. The
     * {@link String} returned by {@link PassTicketService#generate} cannot be cleared and stays
     * in memory until garbage collected — a limitation of the service's return type.
     *
     * @param parsed parsed auth source; its user id must be present
     * @param applId APPLID the PassTicket and IDT are issued for
     * @return the SAF IDT
     * @throws AuthSchemeException {@code ...x509.mappingFailed} when no user id is present,
     *     {@code ...idt.failed} on IDT provider errors, {@code ...ticket.generateFailed} on
     *     PassTicket generation errors (the provider's message is passed as the second argument)
     */
    private String generateSafIdentityToken(@NotNull AuthSource.Parsed parsed, @NotNull String applId) {
        String userId = parsed.getUserId();
        if (userId == null) {
            throw new AuthSchemeException("org.zowe.apiml.gateway.security.schema.x509.mappingFailed");
        }
        char[] passTicket = new char[0];
        try {
            passTicket = passTicketService.generate(userId, applId).toCharArray();
            return safIdtProvider.generate(userId, passTicket, applId);
        } catch (SafIdtAuthException | SafIdtException e) {
            throw new AuthSchemeException("org.zowe.apiml.security.idt.failed", e.getMessage());
        } catch (IRRPassTicketGenerationException e) {
            throw new AuthSchemeException("org.zowe.apiml.security.ticket.generateFailed", e.getMessage());
        } finally {
            // Wipe the PassTicket copy whether generation succeeded or threw.
            Arrays.fill(passTicket, (char) 0);
        }
    }

    /**
     * Determines when the generated IDT stops being reusable.
     *
     * @param safIdt the IDT to inspect
     * @return the token's {@code exp} claim in epoch milliseconds, or now plus
     *     {@link #defaultIdtExpiration} minutes when the token has no {@code exp} claim
     * @throws AuthSchemeException {@code ...expiredToken} / {@code ...invalidToken} when the
     *     IDT's claims cannot be read
     */
    private long getSafIdtExpiration(String safIdt) {
        try {
            Date expiration = Optional.ofNullable(JwtUtils.getJwtClaims(safIdt).getExpiration())
                .orElseGet(() -> DateUtils.addMinutes(new Date(), defaultIdtExpiration));
            return expiration.getTime();
        } catch (TokenExpireException e) {
            throw new AuthSchemeException("org.zowe.apiml.gateway.security.expiredToken");
        } catch (TokenNotValidException e) {
            throw new AuthSchemeException("org.zowe.apiml.gateway.security.invalidToken");
        }
    }

    @Generated
    public SafIdtScheme(AuthConfigurationProperties authConfigurationProperties, AuthSourceService authSourceService, PassTicketService passTicketService, SafIdtProvider safIdtProvider) {
        this.authConfigurationProperties = authConfigurationProperties;
        this.authSourceService = authSourceService;
        this.passTicketService = passTicketService;
        this.safIdtProvider = safIdtProvider;
    }
}
