package org.zowe.apiml.zaas.security.service.token;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.LocalDateTime;
import java.time.ZoneId;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import lombok.Generated;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.stereotype.Service;
import org.zowe.apiml.models.AccessTokenContainer;
import org.zowe.apiml.security.common.token.AccessTokenProvider;
import org.zowe.apiml.security.common.token.QueryResponse;
import org.zowe.apiml.zaas.cache.CachingServiceClient;
import org.zowe.apiml.zaas.cache.CachingServiceClientException;
import org.zowe.apiml.zaas.security.service.AuthenticationService;

@Service
/* loaded from: input_file:org/zowe/apiml/zaas/security/service/token/ApimlAccessTokenProvider.class */
public class ApimlAccessTokenProvider implements AccessTokenProvider {

    @Generated
    private static final Logger log = LoggerFactory.getLogger(ApimlAccessTokenProvider.class);
    static final String INVALID_TOKENS_KEY = "invalidTokens";
    static final String INVALID_USERS_KEY = "invalidUsers";
    static final String INVALID_SCOPES_KEY = "invalidScopes";
    private final CachingServiceClient cachingServiceClient;
    private final AuthenticationService authenticationService;

    @Qualifier("oidcJwkMapper")
    private final ObjectMapper objectMapper;
    private byte[] salt;

    public void invalidateToken(String str) throws CachingServiceClientException, JsonProcessingException {
        String hash = getHash(str);
        QueryResponse parseJwtWithSignature = this.authenticationService.parseJwtWithSignature(str);
        AccessTokenContainer accessTokenContainer = new AccessTokenContainer();
        accessTokenContainer.setTokenValue(hash);
        accessTokenContainer.setIssuedAt(LocalDateTime.ofInstant(parseJwtWithSignature.getCreation().toInstant(), ZoneId.systemDefault()));
        accessTokenContainer.setExpiresAt(LocalDateTime.ofInstant(parseJwtWithSignature.getExpiration().toInstant(), ZoneId.systemDefault()));
        this.cachingServiceClient.appendList(INVALID_TOKENS_KEY, new CachingServiceClient.KeyValue(hash, this.objectMapper.writeValueAsString(accessTokenContainer)));
    }

    public void invalidateAllTokensForUser(String str, long j) throws CachingServiceClientException {
        String hash = getHash(str);
        if (j == 0) {
            j = System.currentTimeMillis();
        }
        log.debug("hashedUserId {}, timestamp {}", hash, Long.valueOf(j));
        this.cachingServiceClient.appendList(INVALID_USERS_KEY, new CachingServiceClient.KeyValue(hash, Long.toString(j)));
    }

    public void invalidateAllTokensForService(String str, long j) throws CachingServiceClientException {
        String hash = getHash(str);
        if (j == 0) {
            j = System.currentTimeMillis();
        }
        log.debug("serviceIdHash {}, timestamp {}", hash, Long.valueOf(j));
        this.cachingServiceClient.appendList(INVALID_SCOPES_KEY, new CachingServiceClient.KeyValue(hash, Long.toString(j)));
    }

    public boolean isInvalidated(String str) throws CachingServiceClientException {
        QueryResponse parseJwtWithSignature = this.authenticationService.parseJwtWithSignature(str);
        String hash = getHash(str);
        String hash2 = getHash(parseJwtWithSignature.getUserId());
        List<String> list = parseJwtWithSignature.getScopes().stream().map(this::getHash).toList();
        Map<String, Map<String, String>> readAllMaps = this.cachingServiceClient.readAllMaps();
        if (readAllMaps == null || readAllMaps.isEmpty()) {
            return false;
        }
        Map<String, String> map = readAllMaps.get(INVALID_TOKENS_KEY);
        Map<String, String> map2 = readAllMaps.get(INVALID_USERS_KEY);
        Map<String, String> map3 = readAllMaps.get(INVALID_SCOPES_KEY);
        Optional<Boolean> checkInvalidToken = checkInvalidToken(map, hash);
        if (checkInvalidToken.isEmpty()) {
            checkInvalidToken = checkRule(map2, hash2, parseJwtWithSignature);
        }
        for (String str2 : list) {
            if (!checkInvalidToken.isEmpty()) {
                break;
            }
            checkInvalidToken = checkRule(map3, str2, parseJwtWithSignature);
        }
        if (checkInvalidToken.isPresent()) {
            return checkInvalidToken.get().booleanValue();
        }
        return false;
    }

    private Optional<Boolean> checkInvalidToken(Map<String, String> map, String str) {
        if (map != null && !map.isEmpty() && map.containsKey(str)) {
            try {
                return Optional.of(Boolean.valueOf(((AccessTokenContainer) this.objectMapper.readValue(map.get(str), AccessTokenContainer.class)) != null));
            } catch (JsonProcessingException e) {
                log.error("Not able to parse invalidToken json value.", e);
            }
        }
        return Optional.empty();
    }

    private Optional<Boolean> checkRule(Map<String, String> map, String str, QueryResponse queryResponse) {
        if (map != null && !map.isEmpty() && map.containsKey(str)) {
            try {
                if (queryResponse.getCreation().getTime() <= Long.parseLong(map.get(str))) {
                    return Optional.of(true);
                }
            } catch (NumberFormatException e) {
                log.error("Not able to convert timestamp value to number.", e);
            }
        }
        return Optional.empty();
    }

    public void evictNonRelevantTokensAndRules() {
        this.cachingServiceClient.evictTokens(INVALID_TOKENS_KEY);
        this.cachingServiceClient.evictRules(INVALID_USERS_KEY);
        this.cachingServiceClient.evictRules(INVALID_SCOPES_KEY);
    }

    public String getHash(String str) throws CachingServiceClientException {
        return getSecurePassword(str, getSalt());
    }

    private String initializeSalt() throws CachingServiceClientException {
        String str;
        try {
            str = this.cachingServiceClient.read("salt").getValue();
        } catch (CachingServiceClientException e) {
            byte[] generateSalt = generateSalt();
            storeSalt(generateSalt);
            str = new String(generateSalt);
        }
        return str;
    }

    public String getToken(String str, int i, Set<String> set) {
        int min = Math.min(i, 90);
        if (min <= 0) {
            min = 90;
        }
        return this.authenticationService.createLongLivedJwtToken(str, min, set);
    }

    public boolean isValidForScopes(String str, String str2) {
        QueryResponse parseJwtWithSignature;
        if (str2 == null || (parseJwtWithSignature = this.authenticationService.parseJwtWithSignature(str)) == null || parseJwtWithSignature.getScopes() == null) {
            return false;
        }
        return parseJwtWithSignature.getScopes().contains(str2.toLowerCase());
    }

    public byte[] getSalt() throws CachingServiceClientException {
        if (this.salt != null) {
            return this.salt;
        }
        this.salt = initializeSalt().getBytes();
        return this.salt;
    }

    private void storeSalt(byte[] bArr) throws CachingServiceClientException {
        this.cachingServiceClient.create(new CachingServiceClient.KeyValue("salt", new String(bArr)));
    }

    public static byte[] generateSalt() {
        byte[] bArr = new byte[16];
        new SecureRandom().nextBytes(bArr);
        return bArr;
    }

    public static String getSecurePassword(String str, byte[] bArr) {
        String str2 = null;
        try {
            MessageDigest messageDigest = MessageDigest.getInstance("SHA-512");
            messageDigest.update(bArr);
            byte[] digest = messageDigest.digest(str.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder();
            for (byte b : digest) {
                sb.append(Integer.toString((b & 255) + 256, 16).substring(1));
            }
            str2 = sb.toString();
        } catch (NoSuchAlgorithmException e) {
            log.error("Could not generate hash", e);
        }
        return str2;
    }

    @Generated
    public ApimlAccessTokenProvider(CachingServiceClient cachingServiceClient, AuthenticationService authenticationService, @Qualifier("oidcJwkMapper") ObjectMapper objectMapper) {
        this.cachingServiceClient = cachingServiceClient;
        this.authenticationService = authenticationService;
        this.objectMapper = objectMapper;
    }
}
