package org.zowe.apiml.gateway.security.service.zosmf;

import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.netflix.discovery.DiscoveryClient;
import com.nimbusds.jose.jwk.JWKSet;
import java.text.ParseException;
import java.util.EnumMap;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.annotation.PostConstruct;
import lombok.Generated;
import org.apache.commons.configuration.tree.DefaultExpressionEngine;
import org.apache.commons.lang.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.cache.annotation.Cacheable;
import org.springframework.context.ApplicationContext;
import org.springframework.context.annotation.EnableAspectJAutoProxy;
import org.springframework.context.annotation.Primary;
import org.springframework.context.annotation.Scope;
import org.springframework.context.annotation.ScopedProxyMode;
import org.springframework.http.HttpEntity;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.retry.annotation.Backoff;
import org.springframework.retry.annotation.Retryable;
import org.springframework.security.authentication.AuthenticationServiceException;
import org.springframework.security.core.Authentication;
import org.springframework.stereotype.Service;
import org.springframework.util.MultiValueMap;
import org.springframework.web.client.HttpClientErrorException;
import org.springframework.web.client.HttpServerErrorException;
import org.springframework.web.client.RestClientException;
import org.springframework.web.client.RestTemplate;
import org.zowe.apiml.gateway.security.service.zosmf.TokenValidationRequest;
import org.zowe.apiml.security.common.config.AuthConfigurationProperties;
import org.zowe.apiml.security.common.error.ServiceNotAccessibleException;
import org.zowe.apiml.security.common.token.TokenNotValidException;

@EnableAspectJAutoProxy(proxyTargetClass = true)
@Service
@Scope(proxyMode = ScopedProxyMode.TARGET_CLASS)
@Primary
/* loaded from: input_file:BOOT-INF/classes/org/zowe/apiml/gateway/security/service/zosmf/ZosmfService.class */
public class ZosmfService extends AbstractZosmfService {

    @Generated
    private static final Logger log = LoggerFactory.getLogger((Class<?>) ZosmfService.class);
    // Cache name used by isInvalidated(String) to look up JWTs that were marked as invalidated.
    private static final String CACHE_INVALIDATED_JWT_TOKENS = "invalidatedJwtTokens";
    // Used once, in afterPropertiesSet(), to obtain the container-managed instance of this bean.
    private final ApplicationContext applicationContext;
    // Strategies tried by validate(String) in list order until one of them reaches a decision.
    private final List<TokenValidationStrategy> tokenValidationStrategy;
    // Container-managed reference to this bean, assigned in afterPropertiesSet(). The @Cacheable
    // methods of this class are invoked through it rather than through "this".
    // NOTE(review): presumably so that the caching advice is applied on self-invocation; confirm.
    private ZosmfService meAsProxy;

    /* loaded from: input_file:BOOT-INF/classes/org/zowe/apiml/gateway/security/service/zosmf/ZosmfService$AuthenticationResponse.class */
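    /**
     * Outcome of an authentication request sent to z/OSMF: the tokens read from the response and,
     * optionally, the security domain.
     *
     * <p>The token map carries bearer credentials. {@link #toString()} therefore prints only the
     * token types that are present, never the token values, so that logging or concatenating an
     * instance cannot disclose a usable JWT or LTPA token.
     */
    public static class AuthenticationResponse {
        private String domain;
        // Returned by getTokens() without copying, so callers share this map instance.
        private final Map<TokenType, String> tokens;

        /**
         * Creates a response with a known domain.
         *
         * @param str the security domain
         * @param map tokens keyed by type; stored by reference
         */
        @Generated
        public AuthenticationResponse(String str, Map<TokenType, String> map) {
            this.domain = str;
            this.tokens = map;
        }

        /**
         * Creates a response whose domain is left unset ({@code null}) until {@link #setDomain}.
         *
         * @param map tokens keyed by type; stored by reference
         */
        @Generated
        public AuthenticationResponse(Map<TokenType, String> map) {
            this.tokens = map;
        }

        /** @return the security domain, or {@code null} when it was never set */
        @Generated
        public String getDomain() {
            return this.domain;
        }

        /** @return the token map given to the constructor (the same instance, not a copy) */
        @Generated
        public Map<TokenType, String> getTokens() {
            return this.tokens;
        }

        /** @param str the security domain to store */
        @Generated
        public void setDomain(String str) {
            this.domain = str;
        }

        /**
         * Two responses are equal when both the domain and the token map are equal (null-safe).
         */
        @Override
        @Generated
        public boolean equals(Object obj) {
            if (obj == this) {
                return true;
            }
            if (!(obj instanceof AuthenticationResponse)) {
                return false;
            }
            AuthenticationResponse other = (AuthenticationResponse) obj;
            if (!other.canEqual(this)) {
                return false;
            }
            return java.util.Objects.equals(getDomain(), other.getDomain())
                && java.util.Objects.equals(getTokens(), other.getTokens());
        }

        /** Hook that lets a subclass refuse equality with instances of this class. */
        @Generated
        protected boolean canEqual(Object obj) {
            return obj instanceof AuthenticationResponse;
        }

        /** Keeps the multiplier 59 and the null marker 43, so hash values do not change. */
        @Override
        @Generated
        public int hashCode() {
            int result = 1;
            String currentDomain = getDomain();
            result = (result * 59) + (currentDomain == null ? 43 : currentDomain.hashCode());
            Map<TokenType, String> currentTokens = getTokens();
            result = (result * 59) + (currentTokens == null ? 43 : currentTokens.hashCode());
            return result;
        }

        /**
         * Describes the response without revealing credentials: the {@code tokens} part lists the
         * token types present (for example {@code [JWT, LTPA]}), not their values.
         */
        @Override
        @Generated
        public String toString() {
            Map<TokenType, String> currentTokens = getTokens();
            Object tokenTypes = currentTokens == null ? null : currentTokens.keySet();
            // The closing ")" is written literally; the decompiled source borrowed an unrelated
            // commons-configuration constant that merely has the same value.
            return "ZosmfService.AuthenticationResponse(domain=" + getDomain() + ", tokens=" + tokenTypes + ")";
        }
    }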

    /* loaded from: input_file:BOOT-INF/classes/org/zowe/apiml/gateway/security/service/zosmf/ZosmfService$TokenType.class */
    /**
     * Token kinds handled by this service. Each constant carries the name of the cookie in which
     * that token travels.
     */
    public enum TokenType {
        JWT("jwtToken"),
        LTPA("LtpaToken2");

        /** Cookie name used for this token type. */
        private final String cookieName;

        @Generated
        TokenType(String nameOfCookie) {
            this.cookieName = nameOfCookie;
        }

        /** @return the cookie name associated with this token type */
        @Generated
        public String getCookieName() {
            return cookieName;
        }
    }

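    /**
     * JSON binding for the z/OSMF info response. Only the three mapped properties are read;
     * any other property in the payload is ignored.
     */
    @JsonIgnoreProperties(ignoreUnknown = true)
    /* loaded from: input_file:BOOT-INF/classes/org/zowe/apiml/gateway/security/service/zosmf/ZosmfService$ZosmfInfo.class */
    public static class ZosmfInfo {

        @JsonProperty("zosmf_version")
        private int version;

        @JsonProperty("zosmf_full_version")
        private String fullVersion;

        @JsonProperty("zosmf_saf_realm")
        private String safRealm;

        /** No-argument constructor; the fields are filled in through the setters. */
        @Generated
        public ZosmfInfo() {
        }

        /** @return value of {@code zosmf_version} */
        @Generated
        public int getVersion() {
            return this.version;
        }

        /** @return value of {@code zosmf_full_version}, may be {@code null} */
        @Generated
        public String getFullVersion() {
            return this.fullVersion;
        }

        /** @return value of {@code zosmf_saf_realm}, may be {@code null} */
        @Generated
        public String getSafRealm() {
            return this.safRealm;
        }

        @JsonProperty("zosmf_version")
        @Generated
        public void setVersion(int i) {
            this.version = i;
        }

        @JsonProperty("zosmf_full_version")
        @Generated
        public void setFullVersion(String str) {
            this.fullVersion = str;
        }

        @JsonProperty("zosmf_saf_realm")
        @Generated
        public void setSafRealm(String str) {
            this.safRealm = str;
        }

        /** Equal when version, full version and SAF realm all match (null-safe). */
        @Override
        @Generated
        public boolean equals(Object obj) {
            if (obj == this) {
                return true;
            }
            if (!(obj instanceof ZosmfInfo)) {
                return false;
            }
            ZosmfInfo other = (ZosmfInfo) obj;
            if (!other.canEqual(this) || getVersion() != other.getVersion()) {
                return false;
            }
            return java.util.Objects.equals(getFullVersion(), other.getFullVersion())
                && java.util.Objects.equals(getSafRealm(), other.getSafRealm());
        }

        /** Hook that lets a subclass refuse equality with instances of this class. */
        @Generated
        protected boolean canEqual(Object obj) {
            return obj instanceof ZosmfInfo;
        }

        /** Keeps the multiplier 59 and the null marker 43, so hash values do not change. */
        @Override
        @Generated
        public int hashCode() {
            int result = 1;
            result = (result * 59) + getVersion();
            String currentFullVersion = getFullVersion();
            result = (result * 59) + (currentFullVersion == null ? 43 : currentFullVersion.hashCode());
            String currentRealm = getSafRealm();
            result = (result * 59) + (currentRealm == null ? 43 : currentRealm.hashCode());
            return result;
        }

        @Override
        @Generated
        public String toString() {
            // The closing ")" is written literally; the decompiled source borrowed an unrelated
            // commons-configuration constant that merely has the same value.
            return "ZosmfService.ZosmfInfo(version=" + getVersion() + ", fullVersion=" + getFullVersion() + ", safRealm=" + getSafRealm() + ")";
        }
    }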

    /**
     * Creates the service. The first four arguments are handed to the superclass unchanged;
     * the application context and the strategy list are kept in fields of this class.
     *
     * @param authConfigurationProperties passed to the superclass
     * @param discoveryClient passed to the superclass
     * @param restTemplate the bean qualified as {@code restTemplateWithoutKeystore}; passed to the superclass
     *        (NOTE(review): the qualifier suggests a client without a key store, i.e. no client
     *        certificate is presented on these calls; confirm against the bean definition)
     * @param objectMapper passed to the superclass
     * @param applicationContext used in {@link #afterPropertiesSet()} to look up this bean
     * @param list token validation strategies, stored by reference and tried in list order
     */
    public ZosmfService(AuthConfigurationProperties authConfigurationProperties, DiscoveryClient discoveryClient, @Qualifier("restTemplateWithoutKeystore") RestTemplate restTemplate, ObjectMapper objectMapper, ApplicationContext applicationContext, List<TokenValidationStrategy> list) {
        super(authConfigurationProperties, discoveryClient, restTemplate, objectMapper);
        this.applicationContext = applicationContext;
        this.tokenValidationStrategy = list;
    }

    /**
     * Looks this bean up in the application context once construction is complete and keeps the
     * returned reference, which the class then uses for calls to its own {@code @Cacheable} methods.
     */
    @PostConstruct
    public void afterPropertiesSet() {
        ZosmfService managedSelf = this.applicationContext.getBean(ZosmfService.class);
        this.meAsProxy = managedSelf;
    }

    /**
     * Authenticates the caller against z/OSMF.
     *
     * <p>If the login endpoint is available, credentials are POSTed to
     * {@code /zosmf/services/authenticate}. Should the JWT that comes back be one already recorded
     * as invalidated, the accompanying LTPA token is invalidated too and a
     * {@link TokenNotValidException} is thrown; the {@code @Retryable} annotation allows two
     * attempts in total with a backoff of 1500 between them. If the login endpoint is not
     * available, the request goes to {@code /zosmf/info} with GET and the domain is filled in from
     * the z/OSMF realm.
     *
     * @param authentication credentials used to build the Authorization header
     * @return the tokens obtained, plus the domain on the info-endpoint path
     * @throws TokenNotValidException when z/OSMF returns a JWT that was previously invalidated
     */
    @Retryable(value = {TokenNotValidException.class}, maxAttempts = 2, backoff = @Backoff(1500))
    public AuthenticationResponse authenticate(Authentication authentication) {
        if (!loginEndpointExists()) {
            // Fallback path: authenticate against the info endpoint and read the realm from it.
            String infoUrl = getURI(getZosmfServiceId()) + "/zosmf/info";
            AuthenticationResponse viaInfo = issueAuthenticationRequest(authentication, infoUrl, HttpMethod.GET);
            viaInfo.setDomain(this.meAsProxy.getZosmfRealm(infoUrl));
            return viaInfo;
        }
        String loginUrl = getURI(getZosmfServiceId()) + "/zosmf/services/authenticate";
        AuthenticationResponse viaLogin = issueAuthenticationRequest(authentication, loginUrl, HttpMethod.POST);
        Map<TokenType, String> issued = viaLogin.getTokens();
        // Called through the managed reference so the invalidated-token cache is consulted.
        if (this.meAsProxy.isInvalidated(issued.get(TokenType.JWT))) {
            invalidate(TokenType.LTPA, issued.get(TokenType.LTPA));
            throw new TokenNotValidException("Invalid token returned from zosmf");
        }
        return viaLogin;
    }

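    /**
     * Reports whether the given JWT has been recorded as invalidated.
     *
     * <p>The method body always answers {@code FALSE}; a different answer can only come from an
     * entry already present in the {@code invalidatedJwtTokens} cache under the token as key.
     * {@code unless = "true"} keeps this method from ever writing its own result to the cache.
     * NOTE(review): the code that adds entries to that cache is not in this file; confirm it uses
     * the same key.
     *
     * <p>The parameter has to be named {@code jwtToken}. Both SpEL expressions refer to
     * {@code #jwtToken}, which Spring resolves through the parameter name. With the decompiled
     * name {@code str} the variable evaluates to {@code null}, the condition is never met, the
     * cache is never consulted, and every token, including an invalidated one, is reported as
     * not invalidated.
     *
     * @param jwtToken the token to look up; {@code null} bypasses the cache
     * @return the cached value when an entry exists, otherwise {@code Boolean.FALSE}
     */
    @Cacheable(value = {CACHE_INVALIDATED_JWT_TOKENS}, unless = "true", key = "#jwtToken", condition = "#jwtToken != null")
    public Boolean isInvalidated(String jwtToken) {
        return Boolean.FALSE;
    }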

    /* JADX WARN: Multi-variable type inference failed */
    /**
     * Reads the SAF realm from the z/OSMF info endpoint. Results are cached in {@code zosmfInfo}.
     *
     * @param str URL of the info endpoint
     * @return the non-empty {@code zosmf_saf_realm} value
     * @throws RuntimeException whatever {@code handleExceptionOnCall} produces for a failure of
     *         the call, including the case where the realm is absent or empty
     */
    @Cacheable({"zosmfInfo"})
    public String getZosmfRealm(String str) {
        HttpHeaders csrfHeaders = new HttpHeaders();
        csrfHeaders.add("X-CSRF-ZOSMF-HEADER", "");
        try {
            ResponseEntity<ZosmfInfo> infoResponse = this.restTemplateWithoutKeystore.exchange(str, HttpMethod.GET, new HttpEntity<>(null, csrfHeaders), ZosmfInfo.class, new Object[0]);
            ZosmfInfo info = infoResponse.getBody();
            boolean realmMissing = info == null || StringUtils.isEmpty(info.getSafRealm());
            if (realmMissing) {
                this.apimlLog.log("apiml.security.zosmfDomainIsEmpty", "zosmf_saf_realm");
                // Thrown inside the try on purpose: it is routed through the same handler below.
                throw new AuthenticationServiceException("z/OSMF domain cannot be read.");
            }
            return info.getSafRealm();
        } catch (RuntimeException e) {
            throw handleExceptionOnCall(str, e);
        }
    }

    /**
     * Checks whether the z/OSMF info endpoint answers with HTTP 200.
     *
     * @return {@code true} only for a 200 response; {@code false} for any other status or when the
     *         call fails with a {@link RestClientException}
     */
    public boolean isAccessible() {
        HttpHeaders csrfHeaders = new HttpHeaders();
        csrfHeaders.add("X-CSRF-ZOSMF-HEADER", "");
        String infoUrl = getURI(getZosmfServiceId()) + "/zosmf/info";
        log.debug("Verifying zOSMF accessibility on info endpoint: {}", infoUrl);
        boolean reachable;
        try {
            ResponseEntity<ZosmfInfo> infoResponse = this.restTemplateWithoutKeystore.exchange(infoUrl, HttpMethod.GET, new HttpEntity<>(null, csrfHeaders), ZosmfInfo.class, new Object[0]);
            reachable = infoResponse.getStatusCode() == HttpStatus.OK;
        } catch (RestClientException e) {
            // Best-effort probe: a failed call only means "not accessible".
            log.debug("zOSMF isn't accessible on URI: {}", infoUrl);
            reachable = false;
        }
        return reachable;
    }

    /**
     * Sends the caller's credentials to z/OSMF and extracts the tokens from the reply.
     *
     * <p>The Authorization header value comes from {@code getAuthenticationValue}; it holds the
     * caller's credentials and should not be logged.
     *
     * @param authentication source of the Authorization header value
     * @param str target URL
     * @param httpMethod HTTP method to use
     * @return the tokens found in the response
     * @throws RuntimeException whatever {@code handleExceptionOnCall} produces for a failed call
     */
    protected AuthenticationResponse issueAuthenticationRequest(Authentication authentication, String str, HttpMethod httpMethod) {
        HttpHeaders requestHeaders = new HttpHeaders();
        requestHeaders.add("Authorization", getAuthenticationValue(authentication));
        requestHeaders.add("X-CSRF-ZOSMF-HEADER", "");
        try {
            ResponseEntity<String> reply = this.restTemplateWithoutKeystore.exchange(str, httpMethod, new HttpEntity<>(null, requestHeaders), String.class, new Object[0]);
            return getAuthenticationResponse(reply);
        } catch (RuntimeException e) {
            throw handleExceptionOnCall(str, e);
        }
    }

    /**
     * Probes {@code /zosmf/services/authenticate} with the given method and headers.
     *
     * <p>Only an HTTP 401 answer counts as "endpoint exists". A successful response, a 404, any
     * other 4xx and any 5xx all yield {@code false}. The result is cached per HTTP method name;
     * the headers are not part of the cache key.
     * NOTE(review): the annotation has no {@code unless}, so a {@code false} caused by a transient
     * 5xx appears to be cached as well; confirm how the cache is evicted.
     *
     * @param httpMethod method used for the probe, also the cache key
     * @param httpHeaders headers for the probe, may be {@code null}
     * @return {@code true} when z/OSMF answers the probe with 401
     */
    @Cacheable(value = {"zosmfAuthenticationEndpoint"}, key = "#httpMethod.name()")
    public boolean authenticationEndpointExists(HttpMethod httpMethod, HttpHeaders httpHeaders) {
        try {
            this.restTemplateWithoutKeystore.exchange(getURI(getZosmfServiceId()) + "/zosmf/services/authenticate", httpMethod, new HttpEntity<>(null, httpHeaders), String.class, new Object[0]);
        } catch (HttpClientErrorException clientError) {
            HttpStatus status = clientError.getStatusCode();
            if (HttpStatus.UNAUTHORIZED.equals(status)) {
                return true;
            }
            if (HttpStatus.NOT_FOUND.equals(status)) {
                log.warn("The check of z/OSMF JWT authentication endpoint has failed, ensure APAR PH12143 (https://www.ibm.com/support/pages/apar/PH12143) fix has been applied. Using z/OSMF info endpoint as backup.");
            } else {
                log.warn("z/OSMF authentication endpoint with HTTP method " + httpMethod.name() + " has failed with status code: " + status, (Throwable) clientError);
            }
        } catch (HttpServerErrorException serverError) {
            log.warn("z/OSMF internal error", (Throwable) serverError);
        }
        return false;
    }

    /**
     * Probes the configured z/OSMF JWT endpoint with GET.
     *
     * <p>Only an HTTP 401 answer counts as "endpoint exists"; a successful response, a 404, any
     * other 4xx and any 5xx all yield {@code false}. The result is cached in
     * {@code zosmfJwtEndpoint}; no explicit key is given, so the argument acts as the key.
     *
     * @param httpHeaders headers sent with the probe
     * @return {@code true} when z/OSMF answers the probe with 401
     */
    @Cacheable({"zosmfJwtEndpoint"})
    public boolean jwtEndpointExists(HttpHeaders httpHeaders) {
        try {
            this.restTemplateWithoutKeystore.exchange(getURI(getZosmfServiceId()) + this.authConfigurationProperties.getZosmf().getJwtEndpoint(), HttpMethod.GET, new HttpEntity<>(null, httpHeaders), String.class, new Object[0]);
        } catch (HttpClientErrorException clientError) {
            HttpStatus status = clientError.getStatusCode();
            if (HttpStatus.UNAUTHORIZED.equals(status)) {
                return true;
            }
            if (HttpStatus.NOT_FOUND.equals(status)) {
                log.warn("The check of z/OSMF JWT builder endpoint has failed");
            } else {
                log.warn("z/OSMF JWT builder endpoint with HTTP method GET has failed with status code: " + status, (Throwable) clientError);
            }
        } catch (HttpServerErrorException serverError) {
            log.warn("z/OSMF internal error", (Throwable) serverError);
        }
        return false;
    }

    /**
     * Tells whether z/OSMF offers the POST login endpoint.
     *
     * <p>The probe carries {@code Basic Og==}, the Base64 form of {@code ":"} (empty user name and
     * empty password), so no real credential is sent; a 401 reply is what signals that the
     * endpoint exists.
     *
     * @return the (cached) outcome of the POST probe
     */
    public boolean loginEndpointExists() {
        HttpHeaders probeHeaders = new HttpHeaders();
        probeHeaders.add("X-CSRF-ZOSMF-HEADER", "");
        probeHeaders.add("Authorization", "Basic Og==");
        boolean loginAvailable = this.meAsProxy.authenticationEndpointExists(HttpMethod.POST, probeHeaders);
        return loginAvailable;
    }

    /**
     * Tells whether z/OSMF offers the DELETE (logout) endpoint. The probe is sent without any
     * headers.
     *
     * @return the (cached) outcome of the DELETE probe
     */
    public boolean logoutEndpointExists() {
        boolean logoutAvailable = this.meAsProxy.authenticationEndpointExists(HttpMethod.DELETE, null);
        return logoutAvailable;
    }

    /**
     * Tells whether z/OSMF offers the JWT builder endpoint.
     *
     * <p>The probe carries {@code Basic Og==}, the Base64 form of {@code ":"} (empty user name and
     * empty password), so no real credential is sent.
     *
     * @return the (cached) outcome of the probe
     */
    public boolean jwtBuilderEndpointExists() {
        HttpHeaders probeHeaders = new HttpHeaders();
        probeHeaders.add("X-CSRF-ZOSMF-HEADER", "");
        probeHeaders.add("Authorization", "Basic Og==");
        boolean builderAvailable = this.meAsProxy.jwtEndpointExists(probeHeaders);
        return builderAvailable;
    }

    /**
     * Validates a JWT by trying each configured strategy in order until one reaches a decision.
     *
     * <p>The check fails closed: a strategy that throws is logged at debug level and treated as
     * undecided, and the method returns {@code true} only when the final status is AUTHENTICATED.
     *
     * <p>The last 15 characters of the token are written to the debug log. For a compact JWT that
     * tail lies in the signature segment, so keep this logger's output access-controlled.
     *
     * @param str the JWT to validate
     * @return {@code true} only if a strategy marked the request as authenticated
     */
    public boolean validate(String str) {
        log.debug("ZosmfService validating token: ....{}", StringUtils.right(str, 15));
        TokenValidationRequest request = new TokenValidationRequest(TokenType.JWT, str, getURI(getZosmfServiceId()), getEndpointMap());
        for (TokenValidationStrategy strategy : this.tokenValidationStrategy) {
            log.debug("Trying to validate token with strategy: {}", strategy.toString());
            try {
                strategy.validate(request);
            } catch (RuntimeException e) {
                // A failing strategy gives no verdict; move on to the next one.
                log.debug("Exception during token validation:", (Throwable) e);
            }
            if (!requestValidationIsDecided(request)) {
                continue;
            }
            log.debug("Token validity has been successfully determined: {}", request.getAuthenticated());
            break;
        }
        log.debug("Token validation strategies exhausted, final validation status: {}", request.getAuthenticated());
        return requestIsAuthenticated(request);
    }

    /** @return {@code true} when the request's status is AUTHENTICATED */
    private boolean requestIsAuthenticated(TokenValidationRequest tokenValidationRequest) {
        boolean authenticated = TokenValidationRequest.STATUS.AUTHENTICATED.equals(tokenValidationRequest.getAuthenticated());
        return authenticated;
    }

    /** @return {@code true} when the request's status is anything other than UNKNOWN */
    private boolean requestValidationIsDecided(TokenValidationRequest tokenValidationRequest) {
        boolean stillUnknown = TokenValidationRequest.STATUS.UNKNOWN.equals(tokenValidationRequest.getAuthenticated());
        return !stillUnknown;
    }

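    /**
     * Builds a map from endpoint URL to availability. It holds a single entry: the URL of
     * {@code /zosmf/services/authenticate} mapped to the result of {@link #loginEndpointExists()}.
     *
     * @return a new mutable map with that one entry
     */
    public Map<String, Boolean> getEndpointMap() {
        // Typed map instead of the raw HashMap, so the return needs no unchecked conversion.
        Map<String, Boolean> endpoints = new HashMap<>();
        String authenticateUrl = getURI(getZosmfServiceId()) + "/zosmf/services/authenticate";
        endpoints.put(authenticateUrl, loginEndpointExists());
        return endpoints;
    }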

    /**
     * Asks z/OSMF to invalidate a token by sending DELETE to {@code /zosmf/services/authenticate}
     * with the token in a Cookie header.
     *
     * <p>If the logout endpoint is not available, a warning is logged and nothing is sent, so the
     * token stays valid on the z/OSMF side.
     * NOTE(review): the token is concatenated into the header without a null check; a
     * {@code null} token is sent as the literal text "null". Confirm callers never pass
     * {@code null}.
     *
     * @param tokenType decides the cookie name
     * @param str the token value
     * @throws RuntimeException whatever {@code handleExceptionOnCall} produces when the call fails
     *         or the response is not 2xx
     */
    public void invalidate(TokenType tokenType, String str) {
        if (!logoutEndpointExists()) {
            log.warn("The request to invalidate an auth token was unsuccessful, z/OSMF invalidate endpoint not available");
            return;
        }
        String logoutUrl = getURI(getZosmfServiceId()) + "/zosmf/services/authenticate";
        HttpHeaders logoutHeaders = new HttpHeaders();
        logoutHeaders.add("X-CSRF-ZOSMF-HEADER", "");
        logoutHeaders.add("Cookie", tokenType.getCookieName() + "=" + str);
        try {
            ResponseEntity<String> reply = this.restTemplateWithoutKeystore.exchange(logoutUrl, HttpMethod.DELETE, new HttpEntity<>(null, logoutHeaders), String.class, new Object[0]);
            if (!reply.getStatusCode().is2xxSuccessful()) {
                this.apimlLog.log("org.zowe.apiml.security.serviceUnavailable", logoutUrl, Integer.valueOf(reply.getStatusCodeValue()));
                // Thrown inside the try on purpose: it is routed through the same handler below.
                throw new ServiceNotAccessibleException("Could not get an access to z/OSMF service.");
            }
        } catch (RuntimeException e) {
            throw handleExceptionOnCall(logoutUrl, e);
        }
    }

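    /**
     * Collects the tokens that z/OSMF returned in {@code Set-Cookie} headers.
     *
     * <p>For every {@link TokenType} the cookie of the matching name is looked up with
     * {@code readTokenFromCookie}; types with no cookie are left out of the map.
     *
     * @param responseEntity the z/OSMF response
     * @return a response whose token map holds the tokens found; empty when the response has no
     *         {@code Set-Cookie} header
     */
    protected AuthenticationResponse getAuthenticationResponse(ResponseEntity<String> responseEntity) {
        List<String> setCookieValues = responseEntity.getHeaders().get("Set-Cookie");
        // Typed EnumMap; the decompiled raw map needed casts between unrelated types
        // (TokenType to EnumMap, String to TokenType) that cannot compile.
        Map<TokenType, String> tokens = new EnumMap<>(TokenType.class);
        if (setCookieValues != null) {
            for (TokenType tokenType : TokenType.values()) {
                String token = readTokenFromCookie(setCookieValues, tokenType.getCookieName());
                if (token != null) {
                    tokens.put(tokenType, token);
                }
            }
        }
        return new AuthenticationResponse(tokens);
    }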

    /**
     * Downloads the JWK set from the configured z/OSMF JWT endpoint.
     *
     * <p>An unparsable body or an HTTP 404 produces an empty key set, logged at debug level only.
     * Any other failure propagates to the caller.
     * NOTE(review): what callers do with an empty set is not visible in this file; confirm that
     * signature verification fails closed when no keys are available.
     *
     * @return the parsed key set, or an empty {@link JWKSet} for a parse error or a 404
     */
    public JWKSet getPublicKeys() {
        JWKSet keys;
        try {
            String jwkUrl = getURI(getZosmfServiceId()) + this.authConfigurationProperties.getZosmf().getJwtEndpoint();
            String jwkJson = this.restTemplateWithoutKeystore.getForObject(jwkUrl, String.class, new Object[0]);
            keys = JWKSet.parse(jwkJson);
        } catch (ParseException e) {
            log.debug("Invalid format of public keys from z/OSMF", (Throwable) e);
            keys = new JWKSet();
        } catch (HttpClientErrorException.NotFound e2) {
            log.debug("Cannot get public keys from z/OSMF", (Throwable) e2);
            keys = new JWKSet();
        }
        return keys;
    }
}
