package org.zowe.apiml.gateway.security.service;

import com.netflix.discovery.CacheRefreshedEvent;
import com.netflix.discovery.EurekaEvent;
import com.netflix.discovery.EurekaEventListener;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.RSAKey;
import io.jsonwebtoken.SignatureAlgorithm;
import java.security.Key;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.InvalidKeySpecException;
import java.util.Optional;
import javax.annotation.PostConstruct;
import lombok.Generated;
import org.awaitility.Awaitility;
import org.awaitility.Duration;
import org.awaitility.core.ConditionFactory;
import org.awaitility.core.ConditionTimeoutException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Service;
import org.zowe.apiml.gateway.discovery.ApimlDiscoveryClient;
import org.zowe.apiml.gateway.security.login.Providers;
import org.zowe.apiml.message.log.ApimlLogger;
import org.zowe.apiml.product.logging.annotations.InjectApimlLogger;
import org.zowe.apiml.security.HttpsConfig;
import org.zowe.apiml.security.HttpsConfigError;
import org.zowe.apiml.security.SecurityUtils;

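/**
 * Loads the key pair the gateway uses to sign and verify its own JWTs and checks at
 * startup that the configured authentication provider setup is consistent with it.
 *
 * <p>The private key is only reachable through {@link #getJwtSecret()};
 * {@link #getJwkPublicKey()} publishes the public half only. When zOSMF is the
 * authentication provider, is online and supports JWT itself, no local key pair is
 * required; in every other case a missing key pair is an {@link HttpsConfigError}.
 *
 * <p>The asynchronous zOSMF paths end with {@code System.exit(1)} on failure: the
 * gateway deliberately refuses to come up without a usable signing key rather than run
 * with a broken authentication setup.
 *
 * <p>This source was reconstructed by a decompiler. It widened the access of
 * {@link ZosmfListener} and {@link #validateInitializationAgainstZosmf()}; both are
 * kept as they appear here so existing callers keep compiling.
 */
@Service
public class JwtSecurityInitializer {

    @Generated
    private static final Logger log = LoggerFactory.getLogger(JwtSecurityInitializer.class);

    /** Keystore holding the JWT signing key pair; {@code null} when no TLS keystore is configured. */
    @Value("${server.ssl.keyStore:#{null}}")
    private String keyStore;

    // Passwords are kept as char[] rather than String and must never be logged.
    @Value("${server.ssl.keyStorePassword:#{null}}")
    private char[] keyStorePassword;

    @Value("${server.ssl.keyPassword:#{null}}")
    private char[] keyPassword;

    @Value("${server.ssl.keyStoreType:PKCS12}")
    private String keyStoreType;

    /** Alias of the signing key pair inside the keystore; empty string when not set. */
    @Value("${apiml.security.auth.jwtKeyAlias:}")
    private String keyAlias;

    /** With AT-TLS enabled the key pair is read as PEM through {@link SecurityUtils} instead of the keystore. */
    @Value("${server.attls.enabled:false}")
    private boolean isAttlsEnabled;

    private SignatureAlgorithm signatureAlgorithm;
    private Key jwtSecret;
    private PublicKey jwtPublicKey;
    private final Providers providers;
    private final ZosmfListener zosmfListener;

    @InjectApimlLogger
    private ApimlLogger apimlLog;

    /**
     * Waits for zOSMF to become available in discovery and, once it is, runs the JWT
     * validation that could not be completed during {@link #init()}.
     *
     * <p>{@link #isZosmfReady()} is polled from the waiter thread started by
     * {@link JwtSecurityInitializer#validateInitializationWhenZosmfIsAvailable()} while the
     * flag is written on the Eureka event thread, hence the field is {@code volatile}.
     */
    public class ZosmfListener {
        private volatile boolean isZosmfReady;
        private final ApimlDiscoveryClient discoveryClient;
        private final EurekaEventListener zosmfRegisteredListener;

        private ZosmfListener(ApimlDiscoveryClient apimlDiscoveryClient) {
            this.isZosmfReady = false;
            this.discoveryClient = apimlDiscoveryClient;
            // Anonymous class rather than a lambda: the listener has to hand itself to unregisterEventListener.
            this.zosmfRegisteredListener = new EurekaEventListener() {
                @Override
                public void onEvent(EurekaEvent eurekaEvent) {
                    if (!(eurekaEvent instanceof CacheRefreshedEvent)
                            || !JwtSecurityInitializer.this.providers.isZosmfAvailableAndOnline()) {
                        return;
                    }
                    // One-shot: detach before validating so a later cache refresh cannot re-enter.
                    ZosmfListener.this.discoveryClient.unregisterEventListener(this);
                    ZosmfListener.this.isZosmfReady = true;
                    try {
                        JwtSecurityInitializer.this.validateInitializationAgainstZosmf();
                    } catch (HttpsConfigError e) {
                        // Fail fast: without a usable signing key the gateway must not keep serving.
                        log.error("JWT initialization failed after zOSMF became available: {}", e.getMessage());
                        System.exit(1);
                    }
                }
            };
        }

        /** Starts listening for discovery cache refreshes. */
        public void register() {
            this.discoveryClient.registerEventListener(this.zosmfRegisteredListener);
        }

        /** @return {@code true} once zOSMF has been seen available and online */
        public boolean isZosmfReady() {
            return this.isZosmfReady;
        }

        EurekaEventListener getZosmfRegisteredListener() {
            return this.zosmfRegisteredListener;
        }
    }

    @Autowired
    public JwtSecurityInitializer(Providers providers, ApimlDiscoveryClient apimlDiscoveryClient) {
        // Placeholder logger until @InjectApimlLogger supplies the real one.
        this.apimlLog = ApimlLogger.empty();
        this.providers = providers;
        this.zosmfListener = new ZosmfListener(apimlDiscoveryClient);
    }

    /**
     * Creates the initializer with the keystore settings passed directly instead of via
     * {@code @Value} injection. The keystore type is fixed to {@code PKCS12}.
     *
     * @param providers            authentication provider configuration
     * @param keyAlias             alias of the JWT signing key pair
     * @param keyStore             keystore path
     * @param keyStorePassword     keystore password
     * @param keyPassword          password of the key entry
     * @param apimlDiscoveryClient discovery client used to wait for zOSMF
     */
    public JwtSecurityInitializer(Providers providers, String keyAlias, String keyStore,
                                  char[] keyStorePassword, char[] keyPassword,
                                  ApimlDiscoveryClient apimlDiscoveryClient) {
        this(providers, apimlDiscoveryClient);
        this.keyStore = keyStore;
        this.keyStorePassword = keyStorePassword;
        this.keyPassword = keyPassword;
        this.keyAlias = keyAlias;
        this.keyStoreType = "PKCS12";
    }

    /**
     * Loads the JWT key pair and validates it against the configured authentication provider.
     *
     * <p>A missing key pair is tolerated only when zOSMF is the provider, is online and
     * supports JWT itself. With zOSMF configured for LTPA, or without zOSMF, the gateway's
     * own key pair is mandatory. When zOSMF is configured but not yet available the check is
     * deferred until it registers (bounded by a five-minute wait, after which the gateway exits).
     *
     * @throws HttpsConfigError when a signing key pair is required but was not loaded
     */
    @PostConstruct
    public void init() {
        loadJwtSecret();
        if (!this.providers.isZosfmUsed()) {
            log.debug("zOSMF isn't used as the Authentication provider");
            validateJwtSecret();
            return;
        }
        log.debug("zOSMF is used as authentication provider");
        if (this.providers.isZosmfConfigurationSetToLtpa()) {
            log.debug("Configuration indicates zOSMF supports LTPA token");
            validateJwtSecret();
        } else if (this.providers.isZosmfAvailableAndOnline()) {
            validateInitializationAgainstZosmf();
        } else {
            validateInitializationWhenZosmfIsAvailable();
        }
    }

    /**
     * Defers the zOSMF-dependent validation until zOSMF appears in discovery.
     * A waiter thread polls {@link ZosmfListener#isZosmfReady()} every minute for at most
     * five minutes; on timeout it logs {@code zosmfInstanceNotFound} and exits the JVM.
     */
    private void validateInitializationWhenZosmfIsAvailable() {
        this.zosmfListener.register();
        Thread waiter = new Thread(() -> {
            try {
                ConditionFactory pollInterval = Awaitility.await()
                    .atMost(Duration.FIVE_MINUTES)
                    .with()
                    .pollInterval(Duration.ONE_MINUTE);
                pollInterval.until(this.zosmfListener::isZosmfReady);
            } catch (ConditionTimeoutException e) {
                this.apimlLog.log("org.zowe.apiml.security.zosmfInstanceNotFound", new Object[]{"zOSMF"});
                System.exit(1);
            }
        }, "jwt-zosmf-wait");
        waiter.start();
    }

    /**
     * Fixes the signature algorithm to RS256 and loads the key pair from the source
     * selected by {@code server.attls.enabled}. Load failures are logged, not thrown;
     * {@link #validateJwtSecret()} decides later whether the absence is fatal.
     */
    private void loadJwtSecret() {
        this.signatureAlgorithm = SignatureAlgorithm.RS256;
        if (this.isAttlsEnabled) {
            log.debug("Loading JWTSecret from environment (AT-TLS)");
            loadJwtSecretFromEnv();
        } else {
            log.debug("Loading JWTSecret from TLS configuration");
            loadJwtSecretFromTlsConfig();
        }
    }

    /**
     * Reads the PEM-encoded key pair via {@link SecurityUtils}.
     * NOTE(review): where the PEM material comes from (environment, files) is decided
     * inside SecurityUtils and is not visible here — confirm before relying on it.
     */
    private void loadJwtSecretFromEnv() {
        try {
            this.jwtSecret = SecurityUtils.readPemPrivateKey();
            this.jwtPublicKey = SecurityUtils.readPemPublicKey();
        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
            this.apimlLog.log("org.zowe.apiml.gateway.jwtInitConfigError", new Object[]{"", e.getMessage()});
        }
    }

    /** Loads the key pair identified by {@code keyAlias} from the configured keystore. */
    private void loadJwtSecretFromTlsConfig() {
        HttpsConfig config = buildHttpsConfig();
        try {
            this.jwtSecret = SecurityUtils.loadKey(config);
            this.jwtPublicKey = SecurityUtils.loadPublicKey(config);
        } catch (HttpsConfigError e) {
            this.apimlLog.log("org.zowe.apiml.gateway.jwtInitConfigError", new Object[]{e.getCode(), e.getMessage()});
        }
    }

    /** Builds the keystore description shared by key loading and by the error reported when loading failed. */
    private HttpsConfig buildHttpsConfig() {
        return HttpsConfig.builder()
            .keyAlias(this.keyAlias)
            .keyStore(this.keyStore)
            .keyPassword(this.keyPassword)
            .keyStorePassword(this.keyStorePassword)
            .keyStoreType(this.keyStoreType)
            .build();
    }

    /**
     * Requires both halves of the key pair to be present.
     *
     * @throws HttpsConfigError with {@code WRONG_KEY_ALIAS} when either the private or the
     *         public key is missing; the message names the alias and keystore path only,
     *         never the passwords
     */
    private void validateJwtSecret() {
        if (this.jwtSecret == null || this.jwtPublicKey == null) {
            this.apimlLog.log("org.zowe.apiml.gateway.jwtKeyMissing", new Object[]{this.keyAlias, this.keyStore});
            throw new HttpsConfigError(
                String.format("Not found '%s' key alias in the keystore '%s'.", this.keyAlias, this.keyStore),
                HttpsConfigError.ErrorCode.WRONG_KEY_ALIAS,
                buildHttpsConfig());
        }
    }

    /**
     * Validation for an online zOSMF: a local key pair is needed only when zOSMF does
     * not issue JWTs itself. Public because the decompiler widened it; treat as internal.
     *
     * @throws HttpsConfigError when zOSMF lacks JWT support and no key pair is loaded
     */
    public void validateInitializationAgainstZosmf() {
        if (this.providers.zosmfSupportsJwt()) {
            log.debug("zOSMF is UP and supports JWT");
        } else {
            log.debug("zOSMF is UP and does not support JWT");
            validateJwtSecret();
        }
    }

    /** @return the signing algorithm, always RS256 after {@link #init()} */
    public SignatureAlgorithm getSignatureAlgorithm() {
        return this.signatureAlgorithm;
    }

    /** @return the private signing key, or {@code null} when none was loaded */
    public Key getJwtSecret() {
        return this.jwtSecret;
    }

    /** @return the public verification key, or {@code null} when none was loaded */
    public PublicKey getJwtPublicKey() {
        return this.jwtPublicKey;
    }

    /**
     * Public half of the key pair as a JWK; no private material is included.
     *
     * @return the public JWK, or empty when no key is loaded or the loaded key is not RSA
     *         (the algorithm is fixed to RS256, so a non-RSA key could not be used anyway —
     *         previously this case surfaced as a {@link ClassCastException})
     */
    public Optional<JWK> getJwkPublicKey() {
        if (!(this.jwtPublicKey instanceof RSAPublicKey)) {
            if (this.jwtPublicKey != null) {
                log.warn("JWT public key algorithm is {} rather than RSA; no JWK will be published",
                    this.jwtPublicKey.getAlgorithm());
            }
            return Optional.empty();
        }
        RSAKey rsaKey = new RSAKey.Builder((RSAPublicKey) this.jwtPublicKey).build();
        return Optional.of(rsaKey.toPublicJWK());
    }

    ZosmfListener getZosmfListener() {
        return this.zosmfListener;
    }
}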
