package org.zowe.apiml.gateway.security.service;

import com.netflix.discovery.CacheRefreshedEvent;
import com.netflix.discovery.EurekaEvent;
import com.netflix.discovery.EurekaEventListener;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.RSAKey;
import io.jsonwebtoken.SignatureAlgorithm;
import java.security.Key;
import java.security.PublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.LinkedList;
import java.util.List;
import java.util.Optional;
import java.util.concurrent.CopyOnWriteArrayList;
import java.util.concurrent.TimeUnit;
import javax.annotation.PostConstruct;
import lombok.Generated;
import org.apache.commons.lang.StringUtils;
import org.awaitility.Awaitility;
import org.awaitility.Duration;
import org.awaitility.core.ConditionFactory;
import org.awaitility.core.ConditionTimeoutException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Service;
import org.zowe.apiml.gateway.discovery.ApimlDiscoveryClient;
import org.zowe.apiml.gateway.security.login.Providers;
import org.zowe.apiml.message.log.ApimlLogger;
import org.zowe.apiml.product.logging.annotations.InjectApimlLogger;
import org.zowe.apiml.security.HttpsConfig;
import org.zowe.apiml.security.HttpsConfigError;
import org.zowe.apiml.security.SecurityUtils;

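@Service
public class JwtSecurity {

    @Generated
    private static final Logger log = LoggerFactory.getLogger(JwtSecurity.class);

    /** Keystore path (or keyring reference, see {@link #updateStorePaths()}) holding the JWT signing key pair. */
    @Value("${server.ssl.keyStore:#{null}}")
    private String keyStore;

    /** Secret; never logged or included in error messages. */
    @Value("${server.ssl.keyStorePassword:#{null}}")
    private char[] keyStorePassword;

    /** Secret; never logged or included in error messages. */
    @Value("${server.ssl.keyPassword:#{null}}")
    private char[] keyPassword;

    @Value("${server.ssl.keyStoreType:PKCS12}")
    private String keyStoreType;

    /** Alias of the key pair used for signing; its public half is what the JWKS publishes. */
    @Value("${server.ssl.keyAlias:#{null}}")
    private String keyAlias;

    /** Minutes to wait for zOSMF before the gateway gives up and shuts itself down. */
    @Value("${apiml.security.jwtInitializerTimeout:5}")
    private int timeout;

    private SignatureAlgorithm signatureAlgorithm;
    private Key jwtSecret;
    private PublicKey jwtPublicKey;
    private final Providers providers;
    private final ZosmfListener zosmfListener;

    /**
     * Trail of initialization decisions, dumped into the error message when start-up is
     * aborted. It is appended from the Spring init thread, the Eureka event thread and the
     * waiter thread, so it must be a thread-safe list; copy-on-write also makes the final
     * join() snapshot-safe.
     */
    private final List<String> events;

    @InjectApimlLogger
    private ApimlLogger apimlLog;

    /** Who is expected to mint the JWTs the gateway hands out. */
    public enum JwtProducer {
        ZOSMF,
        APIML,
        UNKNOWN
    }

    /*
     * NOTE(review): decompiled source — the decompiler reports this class was originally
     * package-private; the wider visibility is kept here only to avoid changing the interface.
     */
    public class ZosmfListener {
        /**
         * Set by the Eureka event thread, polled by the waiter thread started in
         * validateInitializationWhenZosmfIsAvailable(); volatile for cross-thread visibility.
         */
        private volatile boolean isZosmfReady;
        private final ApimlDiscoveryClient discoveryClient;
        private final EurekaEventListener zosmfRegisteredListener;

        private ZosmfListener(ApimlDiscoveryClient discoveryClient) {
            this.isZosmfReady = false;
            this.discoveryClient = discoveryClient;
            this.zosmfRegisteredListener = new EurekaEventListener() {
                public void onEvent(EurekaEvent eurekaEvent) {
                    if (!(eurekaEvent instanceof CacheRefreshedEvent)) {
                        return;
                    }
                    events.add("Discovery Service Cache was updated.");
                    log.debug("Trying to reach the zOSMF.");
                    if (!providers.isZosmfAvailableAndOnline()) {
                        return;
                    }
                    events.add("zOSMF is avaiable and online.");
                    log.debug("The zOSMF was reached ");
                    // Decide exactly once: stop listening before flagging readiness so a
                    // later cache refresh cannot re-enter the validation.
                    discoveryClient.unregisterEventListener(this);
                    isZosmfReady = true;
                    try {
                        validateInitializationAgainstZosmf();
                    } catch (HttpsConfigError e) {
                        // Fail closed: a gateway without a usable signing key must not serve.
                        apimlLog.log("org.zowe.apiml.gateway.jwtProducerConfigError", new Object[]{StringUtils.join(events, "\n")});
                        System.exit(1);
                    }
                }
            };
        }

        /** Subscribes to discovery cache refreshes; unsubscribes itself once zOSMF is reached. */
        public void register() {
            this.discoveryClient.registerEventListener(this.zosmfRegisteredListener);
        }

        public boolean isZosmfReady() {
            return this.isZosmfReady;
        }

        EurekaEventListener getZosmfRegisteredListener() {
            return this.zosmfRegisteredListener;
        }
    }

    @Autowired
    public JwtSecurity(Providers providers, ApimlDiscoveryClient apimlDiscoveryClient) {
        this.events = new CopyOnWriteArrayList<>();
        // Placeholder until @InjectApimlLogger replaces it, so early failures never NPE.
        this.apimlLog = ApimlLogger.empty();
        this.providers = providers;
        this.zosmfListener = new ZosmfListener(apimlDiscoveryClient);
    }

    /**
     * Constructor with explicit keystore settings (bypasses @Value injection); the store type
     * is fixed to PKCS12.
     */
    public JwtSecurity(Providers providers, String keyAlias, String keyStore, char[] keyStorePassword, char[] keyPassword, ApimlDiscoveryClient apimlDiscoveryClient) {
        this(providers, apimlDiscoveryClient);
        this.keyStore = keyStore;
        this.keyStorePassword = keyStorePassword;
        this.keyPassword = keyPassword;
        this.keyAlias = keyAlias;
        this.keyStoreType = "PKCS12";
    }

    /**
     * Normalises a keyring reference into the URL form the key loader expects and, when no
     * store password was configured, supplies the literal "password". NOTE(review): this
     * presumes keyring-backed stores have no real password and the loader merely needs a
     * non-null value; it is not a secret, but confirm the keyring provider in use ignores it.
     */
    void updateStorePaths() {
        if (!SecurityUtils.isKeyring(this.keyStore)) {
            return;
        }
        this.keyStore = SecurityUtils.formatKeyringUrl(this.keyStore);
        if (this.keyStorePassword == null) {
            this.keyStorePassword = "password".toCharArray();
        }
    }

    /**
     * Start-up entry point: loads the signing key pair and then validates it according to
     * who will produce the tokens. The validation either succeeds, throws HttpsConfigError
     * (failing context start), or — on the zOSMF paths — may terminate the JVM.
     */
    @PostConstruct
    public void loadAppropriateJwtKeyOrFail() {
        updateStorePaths();
        JwtProducer producer = actualJwtProducer();
        loadJwtSecret();
        switch (producer) {
            case ZOSMF:
                log.info("zOSMF is used as the JWT producer");
                this.events.add("zOSMF is recognized as authentication provider.");
                validateInitializationAgainstZosmf();
                return;
            case APIML:
                log.info("API ML is used as the JWT producer");
                this.events.add("API ML is recognized as authentication provider.");
                validateJwtSecret();
                return;
            case UNKNOWN:
                log.info("zOSMF is probably used as the JWT producer but isn't available yet.");
                this.events.add("Wait for zOSMF to come online before deciding who provides JWT tokens.");
                validateInitializationWhenZosmfIsAvailable();
                return;
            default:
                log.warn("Unknown error when deciding who is providing the JWT token.");
                return;
        }
    }

    /**
     * APIML unless zOSMF is the configured provider (and not in LTPA mode); in that case
     * ZOSMF if it is reachable now, otherwise UNKNOWN (decision deferred until it shows up).
     */
    public JwtProducer actualJwtProducer() {
        boolean zosmfProvidesTokens = this.providers.isZosfmUsed() && !this.providers.isZosmfConfigurationSetToLtpa();
        if (!zosmfProvidesTokens) {
            return JwtProducer.APIML;
        }
        return this.providers.isZosmfAvailableAndOnline() ? JwtProducer.ZOSMF : JwtProducer.UNKNOWN;
    }

    /**
     * Loads the private and public key for RS256. A load failure is only logged here — the
     * key may be unnecessary when zOSMF mints the tokens — and surfaces later through
     * validateJwtSecret(), which sees the null fields.
     */
    private void loadJwtSecret() {
        this.signatureAlgorithm = SignatureAlgorithm.RS256;
        HttpsConfig config = currentConfig();
        try {
            this.jwtSecret = SecurityUtils.loadKey(config);
            this.jwtPublicKey = SecurityUtils.loadPublicKey(config);
        } catch (HttpsConfigError e) {
            this.apimlLog.log("org.zowe.apiml.gateway.jwtInitConfigError", new Object[]{e.getCode(), e.getMessage()});
        }
    }

    /**
     * Ensures API ML has a key pair it can actually sign with.
     *
     * @throws HttpsConfigError if either key is missing, or if the public key is not RSA —
     *         the latter is checked here so a misconfigured alias fails the gateway at
     *         start-up rather than with a ClassCastException on the first JWKS request.
     */
    private void validateJwtSecret() {
        if (this.jwtSecret == null || this.jwtPublicKey == null) {
            this.apimlLog.log("org.zowe.apiml.gateway.jwtKeyMissing", new Object[]{this.keyAlias, this.keyStore});
            throw new HttpsConfigError(String.format("Not found '%s' key alias in the keystore '%s'.", this.keyAlias, this.keyStore), HttpsConfigError.ErrorCode.WRONG_KEY_ALIAS, currentConfig());
        }
        if (!(this.jwtPublicKey instanceof RSAPublicKey)) {
            throw new HttpsConfigError(String.format("Key alias '%s' in the keystore '%s' is not an RSA key pair; %s signing requires RSA.", this.keyAlias, this.keyStore, this.signatureAlgorithm), HttpsConfigError.ErrorCode.WRONG_KEY_ALIAS, currentConfig());
        }
    }

    private HttpsConfig currentConfig() {
        return HttpsConfig.builder()
            .keyAlias(this.keyAlias)
            .keyStore(this.keyStore)
            .keyPassword(this.keyPassword)
            .keyStorePassword(this.keyStorePassword)
            .keyStoreType(this.keyStoreType)
            .build();
    }

    /**
     * Called once zOSMF is up (from the init thread or the Eureka event thread): if zOSMF
     * issues JWTs nothing more is needed, otherwise API ML signs and its key pair must be valid.
     */
    public void validateInitializationAgainstZosmf() {
        if (this.providers.zosmfSupportsJwt()) {
            this.events.add("zOSMF is UP and supports JWT");
            log.debug("zOSMF is UP and supports JWT");
            return;
        }
        this.events.add("API ML is responsible for token generation.");
        log.debug("zOSMF is UP and does not support JWT");
        validateJwtSecret();
    }

    public SignatureAlgorithm getSignatureAlgorithm() {
        return this.signatureAlgorithm;
    }

    public Key getJwtSecret() {
        return this.jwtSecret;
    }

    public PublicKey getJwtPublicKey() {
        return this.jwtPublicKey;
    }

    /** The JWKS to publish: the signing public key, or an empty set if there is none. */
    public JWKSet getPublicKeyInSet() {
        List<JWK> keys = new ArrayList<>();
        getJwkPublicKey().ifPresent(keys::add);
        return new JWKSet(keys);
    }

    /**
     * Public half of the signing key as a JWK. Empty when no key was loaded, or when the
     * loaded key is not RSA (possible only for a key pair that was never validated, e.g.
     * while zOSMF mints the tokens) — in which case a warning is logged instead of a
     * ClassCastException escaping to the JWKS endpoint.
     */
    public Optional<JWK> getJwkPublicKey() {
        if (this.jwtPublicKey == null) {
            return Optional.empty();
        }
        if (!(this.jwtPublicKey instanceof RSAPublicKey)) {
            log.warn("Key alias '{}' is not an RSA key pair; it will not be published in the JWKS.", this.keyAlias);
            return Optional.empty();
        }
        RSAPublicKey rsaPublicKey = (RSAPublicKey) this.jwtPublicKey;
        return Optional.of(new RSAKey.Builder(rsaPublicKey).build().toPublicJWK());
    }

    /**
     * Registers the discovery listener and starts a background waiter that gives zOSMF up to
     * {@code timeout} minutes to appear. On timeout the event trail is logged and the JVM is
     * terminated (fail closed). The waiter is a named daemon thread so that a context that
     * fails to start for some other reason is not kept alive for the whole timeout.
     */
    private void validateInitializationWhenZosmfIsAvailable() {
        this.zosmfListener.register();
        Thread waiter = new Thread(() -> {
            try {
                this.events.add("Started waiting for zOSMF to be registered and known by the discovery service");
                log.debug("Waiting for zOSMF to be registered and known by the Discovery Service.");
                ConditionFactory condition = Awaitility.await()
                    .atMost(new Duration(this.timeout, TimeUnit.MINUTES))
                    .with()
                    .pollInterval(Duration.ONE_MINUTE);
                condition.until(this.zosmfListener::isZosmfReady);
            } catch (ConditionTimeoutException e) {
                this.apimlLog.log("org.zowe.apiml.gateway.jwtProducerConfigError", new Object[]{StringUtils.join(this.events, "\n")});
                this.apimlLog.log("org.zowe.apiml.security.zosmfInstanceNotFound", new Object[]{"zOSMF"});
                System.exit(1);
            }
        }, "jwt-zosmf-wait");
        waiter.setDaemon(true);
        waiter.start();
    }

    ZosmfListener getZosmfListener() {
        return this.zosmfListener;
    }
}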
