package tigase.http;

import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Instant;
import java.time.LocalDateTime;
import java.time.ZoneId;
import java.time.format.DateTimeFormatter;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Optional;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import javax.naming.AuthenticationException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import tigase.auth.credentials.Credentials;
import tigase.db.AuthRepository;
import tigase.db.TigaseDBException;
import tigase.db.UserExistsException;
import tigase.db.UserNotFoundException;
import tigase.db.UserRepository;
import tigase.http.AuthProvider;
import tigase.http.json.JsonParser;
import tigase.http.json.JsonSerializer;
import tigase.kernel.beans.Bean;
import tigase.kernel.beans.Initializable;
import tigase.kernel.beans.Inject;
import tigase.util.Base64;
import tigase.util.stringprep.TigaseStringprepException;
import tigase.xmpp.jid.BareJID;
import tigase.xmpp.jid.JID;

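@Bean(name = "authProvider", parent = HttpMessageReceiver.class, active = true, exportable = true)
/**
 * Cookie/JWT based authentication provider for the HTTP component.
 *
 * <p>Tokens are HS256 JWTs signed with a per-service secret that is generated once with
 * {@link SecureRandom} and persisted in the {@link UserRepository} under the service's own JID,
 * so every node sharing that repository signs and verifies with the same key. The token is
 * carried in the {@code jwtToken} cookie and is only ever consumed by this class; it is not
 * meant to interoperate with third-party JWT libraries (the encoding is plain Base64, not
 * base64url, and {@code exp} is epoch milliseconds rather than the RFC 7519 seconds).
 *
 * <p>Expiry times are handed around as {@link LocalDateTime} and compared against
 * {@code LocalDateTime.now()}, i.e. in the JVM's default zone; all conversions to and from an
 * instant therefore use {@link #TOKEN_ZONE} so the claim, the check and the cookie
 * {@code Expires} attribute agree with each other.
 */
public class AuthProviderImpl implements AuthProvider, Initializable {

    private static final Logger log = Logger.getLogger(AuthProviderImpl.class.getName());

    /** Repository key (scoped to the service user) under which the HMAC secret is stored. */
    private static final String JWT_SECRET_KEY = "jwtSecretKey";
    private static final String COOKIE_NAME = "jwtToken";
    /** Request attribute set by {@link #authenticateWithCookie} to ask for a refreshed cookie. */
    private static final String REFRESH_ATTRIBUTE = "refreshJwtToken";
    private static final String HMAC_ALGORITHM = "HmacSHA256";
    private static final String JWT_ALG = "HS256";
    private static final String JWT_TYP = "JWT";
    /** 256-bit key: the full output size of HMAC-SHA256. */
    private static final int SECRET_KEY_BYTES = 32;
    private static final long REFRESH_LIFETIME_MINUTES = 15L;
    private static final long REFRESH_WINDOW_MINUTES = 5L;
    /** Zone in which {@code JWTPayload.expireAt()} is interpreted; must match {@code LocalDateTime.now()}. */
    private static final ZoneId TOKEN_ZONE = ZoneId.systemDefault();
    private static final ZoneId COOKIE_ZONE = ZoneId.of("GMT");
    /** RFC 6265 date format; pinned to an English locale so day/month names are always valid. */
    private static final DateTimeFormatter COOKIE_EXPIRES_FORMAT =
            DateTimeFormatter.ofPattern("EEE, dd MMM yyyy HH:mm:ss zzz", Locale.US);

    @Inject(nullAllowed = true)
    private UserRepository userRepository;

    @Inject(nullAllowed = true)
    private AuthRepository authRepository;

    @Inject(bean = "service")
    private HttpMessageReceiver receiver;

    /** HMAC key; stays {@code null} when no user repository is available, in which case signing fails. */
    private SecretKeySpec secretKey;
    private final JsonSerializer jsonSerializer = new JsonSerializer();

    /**
     * Loads the signing secret from the repository, generating and persisting one on first use.
     *
     * <p>Without a {@link UserRepository} nothing is loaded and every later
     * {@link #generateToken}/{@link #parseToken} call fails on the missing key.
     *
     * @throws RuntimeException wrapping any repository or interruption failure, so the bean does
     *                          not come up with an unusable key
     */
    @Override
    public void initialize() {
        if (this.userRepository == null) {
            return;
        }
        BareJID serviceJid = BareJID.bareJIDInstanceNS(this.receiver.getName());
        try {
            ensureServiceUser(serviceJid);
            String encoded = this.userRepository.getData(serviceJid, JWT_SECRET_KEY);
            if (encoded == null) {
                encoded = storeFreshSecret(serviceJid);
            }
            byte[] raw = Base64.decode(encoded);
            if (raw == null || raw.length == 0) {
                throw new IllegalStateException("Stored JWT secret key is empty");
            }
            if (raw.length < SECRET_KEY_BYTES) {
                // A hand-edited or truncated value still works, but weakens the MAC; say so loudly.
                log.log(Level.WARNING, "JWT secret key for {0} is only {1} bytes; {2} recommended",
                        new Object[]{serviceJid, raw.length, SECRET_KEY_BYTES});
            }
            this.secretKey = new SecretKeySpec(raw, HMAC_ALGORITHM);
        } catch (InterruptedException ex) {
            Thread.currentThread().interrupt();
            throw new RuntimeException("Interrupted while generating and storing secret key!", ex);
        } catch (Exception ex) {
            throw new RuntimeException("Failed to generate and store secret key!", ex);
        }
    }

    /** Creates the service user that owns the secret, tolerating a concurrent creator winning the race. */
    private void ensureServiceUser(BareJID serviceJid) throws TigaseDBException {
        try {
            if (!this.userRepository.userExists(serviceJid)) {
                this.userRepository.addUser(serviceJid);
            }
        } catch (UserExistsException ignored) {
            // another node created the service user first; that is exactly the state we wanted
        }
    }

    /**
     * Generates a random key, stores it unless another node got there first, and returns the
     * value the repository ends up holding so all nodes converge on one key.
     *
     * <p>NOTE(review): the re-read plus 500 ms sleep is best-effort, not a lock; two nodes that
     * write within the same window can still end up with different keys until one restarts.
     */
    private String storeFreshSecret(BareJID serviceJid) throws TigaseDBException, InterruptedException {
        byte[] raw = new byte[SECRET_KEY_BYTES];
        new SecureRandom().nextBytes(raw);
        String candidate = Base64.encode(raw);
        String stored = this.userRepository.getData(serviceJid, JWT_SECRET_KEY);
        if (stored != null) {
            return stored;
        }
        this.userRepository.setData(serviceJid, JWT_SECRET_KEY, candidate);
        Thread.sleep(500L);
        stored = this.userRepository.getData(serviceJid, JWT_SECRET_KEY);
        return stored != null ? stored : candidate;
    }

    /** Delegates the admin decision to the owning HTTP component. */
    @Override
    public boolean isAdmin(BareJID bareJID) {
        return this.receiver.isAdmin(JID.jidInstance(bareJID));
    }

    /**
     * Returns the roles from the {@link AuthProvider} default plus any stored under the user's
     * {@code roles/roles} data list.
     *
     * @throws RuntimeException if the repository lookup fails
     */
    @Override
    public List<String> getRoles(BareJID bareJID) {
        // NOTE(review): decompiled source showed a bare super call; on an interface-implementing
        // class this must be the interface-default form.
        List<String> roles = AuthProvider.super.getRoles(bareJID);
        if (this.userRepository == null) {
            return roles;
        }
        try {
            String[] stored = this.userRepository.getDataList(bareJID, "roles", "roles");
            if (stored != null) {
                roles.addAll(Arrays.asList(stored));
            }
            return roles;
        } catch (TigaseDBException e) {
            throw new RuntimeException("Failed to load user " + bareJID + " roles", e);
        }
    }

    /**
     * Serialises the payload as {@code header.claims.signature}.
     *
     * <p>The {@code exp} claim is epoch <em>milliseconds</em>; this is deliberately kept for
     * compatibility with tokens already in circulation — switching to seconds would make every
     * existing token parse as far-future and never expire.
     *
     * @throws NoSuchAlgorithmException if HMAC-SHA256 is unavailable
     * @throws InvalidKeyException if no secret was loaded at {@link #initialize}
     */
    @Override
    public String generateToken(AuthProvider.JWTPayload jWTPayload) throws NoSuchAlgorithmException, InvalidKeyException {
        String header = encodeSegment(Map.of("alg", JWT_ALG, "typ", JWT_TYP));
        long expMillis = jWTPayload.expireAt().atZone(TOKEN_ZONE).toInstant().toEpochMilli();
        String claims = encodeSegment(Map.of(
                "sub", jWTPayload.subject().toString(),
                "iss", jWTPayload.issuer(),
                "exp", Long.valueOf(expMillis)));
        String signingInput = header + "." + claims;
        return signingInput + "." + calculateTokenSignature(signingInput);
    }

    /** JSON-serialises a map and Base64-encodes the UTF-8 bytes (one JWT segment). */
    private String encodeSegment(Map<String, ?> values) {
        return Base64.encode(this.jsonSerializer.serialize(values).getBytes(StandardCharsets.UTF_8));
    }

    /** Base64(HMAC-SHA256(secret, signingInput)) over the UTF-8 bytes of {@code signingInput}. */
    private String calculateTokenSignature(String signingInput) throws InvalidKeyException, NoSuchAlgorithmException {
        Mac mac = Mac.getInstance(HMAC_ALGORITHM);
        mac.init(this.secretKey);
        return Base64.encode(mac.doFinal(signingInput.getBytes(StandardCharsets.UTF_8)));
    }

    /**
     * Verifies a token produced by {@link #generateToken} and returns its payload.
     *
     * <p>Order matters: the header is checked first so a token claiming {@code alg=none} or any
     * other algorithm never reaches the MAC check, the signature is compared in constant time,
     * and only then are the claims trusted enough to be read.
     *
     * @throws AuthenticationException for anything that is not a valid, unexpired token issued
     *                                 by this provider (malformed input included)
     */
    @Override
    public AuthProvider.JWTPayload parseToken(String str) throws AuthenticationException {
        if (str == null) {
            throw new AuthenticationException("Incorrect JWT token");
        }
        String[] parts = str.split("\\.");
        if (parts.length != 3) {
            throw new AuthenticationException("Incorrect JWT token");
        }
        try {
            Map<?, ?> header = (Map<?, ?>) JsonParser.parseJson(Base64.decode(parts[0]));
            if (!JWT_ALG.equals(header.get("alg")) || !JWT_TYP.equals(header.get("typ"))) {
                throw new AuthenticationException("Incorrect JWT token");
            }
            String signingInput = parts[0] + "." + parts[1];
            byte[] expected = calculateTokenSignature(signingInput).getBytes(StandardCharsets.UTF_8);
            byte[] presented = parts[2].getBytes(StandardCharsets.UTF_8);
            // MessageDigest.isEqual does not short-circuit on the first differing byte, so
            // response timing does not leak how much of a forged signature was right.
            if (!MessageDigest.isEqual(expected, presented)) {
                throw new AuthenticationException("Incorrect JWT token");
            }
            Map<?, ?> claims = (Map<?, ?>) JsonParser.parseJson(Base64.decode(parts[1]));
            Object exp = claims.get("exp");
            if (!(exp instanceof Number)) {
                throw new AuthenticationException("Incorrect JWT token");
            }
            LocalDateTime expireAt = Instant.ofEpochMilli(((Number) exp).longValue())
                    .atZone(TOKEN_ZONE)
                    .toLocalDateTime();
            if (expireAt.isBefore(LocalDateTime.now())) {
                throw new AuthenticationException("JWT token is expired");
            }
            Object sub = claims.get("sub");
            if (!(sub instanceof String)) {
                throw new AuthenticationException("Incorrect JWT token");
            }
            Object iss = claims.get("iss");
            String issuer = iss instanceof String ? (String) iss : null;
            return new AuthProvider.JWTPayload(BareJID.bareJIDInstance((String) sub), issuer, expireAt);
        } catch (AuthenticationException e) {
            throw e;
        } catch (Exception e) {
            // Bad Base64, non-JSON, non-map JSON, out-of-range exp, invalid JID, ...: all of these
            // are "not our token" and must surface as an authentication failure, not a 500.
            AuthenticationException failure = new AuthenticationException("Incorrect JWT token");
            failure.initCause(e);
            throw failure;
        }
    }

    /**
     * If {@link #authenticateWithCookie} flagged the request, re-issues the cookie with a fresh
     * {@value #REFRESH_LIFETIME_MINUTES}-minute lifetime. Failures are logged, never thrown: a
     * missed refresh only means the user logs in again a little sooner.
     */
    @Override
    public void refreshJwtToken(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        AuthProvider.JWTPayload current = (AuthProvider.JWTPayload) httpServletRequest.getAttribute(REFRESH_ATTRIBUTE);
        if (current == null) {
            return;
        }
        try {
            log.log(Level.FINE, "refreshing JWT token for {0}", current.subject());
            AuthProvider.JWTPayload renewed = new AuthProvider.JWTPayload(
                    current.subject(), current.issuer(), LocalDateTime.now().plusMinutes(REFRESH_LIFETIME_MINUTES));
            setAuthenticationCookie(httpServletResponse, renewed,
                    httpServletRequest.getServerName(), httpServletRequest.getContextPath());
        } catch (Exception ex) {
            log.log(Level.WARNING, "could not refresh JWT token for " + current.subject(), ex);
        }
    }

    /**
     * Returns the payload of the first valid {@code jwtToken} cookie, or {@code null} if there is
     * none. A token within {@value #REFRESH_WINDOW_MINUTES} minutes of expiry is additionally
     * marked for refresh via a request attribute. Invalid cookies are skipped silently so a
     * stale cookie degrades to "not logged in" rather than an error.
     */
    @Override
    public AuthProvider.JWTPayload authenticateWithCookie(HttpServletRequest httpServletRequest) {
        Cookie[] cookies = httpServletRequest.getCookies();
        if (cookies == null) {
            return null;
        }
        LocalDateTime refreshThreshold = LocalDateTime.now().plusMinutes(REFRESH_WINDOW_MINUTES);
        for (Cookie cookie : cookies) {
            if (!COOKIE_NAME.equals(cookie.getName())) {
                continue;
            }
            try {
                AuthProvider.JWTPayload payload = parseToken(cookie.getValue());
                if (payload != null && payload.expireAt().isBefore(refreshThreshold)) {
                    httpServletRequest.setAttribute(REFRESH_ATTRIBUTE, payload);
                }
                return payload;
            } catch (AuthenticationException ignored) {
                // not ours or expired; keep looking in case another cookie with this name is valid
            }
        }
        return null;
    }

    /** Signs the payload and emits it as the authentication cookie for {@code domain}/{@code path}. */
    @Override
    public void setAuthenticationCookie(HttpServletResponse httpServletResponse, AuthProvider.JWTPayload jWTPayload, String str, String str2) throws NoSuchAlgorithmException, InvalidKeyException {
        setAuthCookie(httpServletResponse, str, str2, generateToken(jWTPayload), jWTPayload.expireAt());
    }

    /** Clears the authentication cookie by emitting an empty value that expired yesterday. */
    @Override
    public void resetAuthenticationCookie(HttpServletResponse httpServletResponse, String str, String str2) {
        setAuthCookie(httpServletResponse, str, str2, "", LocalDateTime.now().minusDays(1L));
    }

    /**
     * Writes the {@code Set-Cookie} header.
     *
     * <p>{@code HttpOnly} keeps the token out of reach of page scripts and {@code SameSite=Lax}
     * stops it riding along on cross-site sub-requests; both are safe for a cookie that is only
     * ever read back by {@link #authenticateWithCookie}. NOTE(review): no request is available
     * here, so {@code Secure} is not set — deployments terminating TLS should add it (here or at
     * the proxy) so the token never travels over plain HTTP.
     *
     * @throws IllegalArgumentException if domain or path contain characters that would let a
     *                                  crafted {@code Host} header inject extra cookie attributes
     */
    private void setAuthCookie(HttpServletResponse httpServletResponse, String domain, String path, String token, LocalDateTime expireAt) {
        requireCookieSafe(domain, "Domain");
        requireCookieSafe(path, "Path");
        // expireAt is in TOKEN_ZONE; the Expires attribute must be the same instant expressed in GMT.
        String expires = expireAt.atZone(TOKEN_ZONE).withZoneSameInstant(COOKIE_ZONE).format(COOKIE_EXPIRES_FORMAT);
        String header = new StringBuilder(COOKIE_NAME).append('=').append(token)
                .append("; Domain=").append(domain)
                .append("; Path=").append(path)
                .append("; Expires=").append(expires)
                .append("; HttpOnly; SameSite=Lax")
                .toString();
        httpServletResponse.addHeader("Set-Cookie", header);
    }

    /** Rejects attribute values that could terminate the cookie or the header line. */
    private static void requireCookieSafe(String value, String attribute) {
        if (value == null) {
            throw new IllegalArgumentException(attribute + " must not be null");
        }
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c == ';' || c == '\r' || c == '\n' || c < 0x20) {
                throw new IllegalArgumentException(attribute + " contains an illegal cookie character");
            }
        }
    }

    /**
     * Verifies a plain password against the user's stored credentials.
     *
     * @return {@code true} only if an auth repository is configured, the user exists and the
     *         first credential entry accepts the password; {@code false} for null inputs
     * @throws TigaseStringprepException if the username is not a valid bare JID
     * @throws TigaseDBException on repository errors other than "user not found"
     */
    @Override
    public boolean checkCredentials(String str, String str2) throws TigaseStringprepException, TigaseDBException {
        if (this.authRepository == null || str == null || str2 == null) {
            return false;
        }
        try {
            Credentials credentials = this.authRepository.getCredentials(BareJID.bareJIDInstance(str), "default");
            if (credentials == null) {
                return false;
            }
            return Optional.ofNullable(credentials.getFirst())
                    .map(entry -> entry.verifyPlainPassword(str2))
                    .orElse(Boolean.FALSE);
        } catch (UserNotFoundException ignored) {
            return false;
        }
    }
}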
